Closing open file handles

Every now and then we have problems deleting or changing permissions on a file because it is held open by a process, and we often have trouble finding that process. There is a neat Sysinternals (now Microsoft) utility called "handle" that shows all open handles on a file and, more importantly, lets you close a handle. Below is the syntax for finding the handle and closing it:

To find the handle:

O:\Tools>handle C:\Test\Example.dll

Handle v3.31
Copyright (C) 1997-2008 Mark Russinovich
Sysinternals – http://www.sysinternals.com/

svchost.exe        pid: 1388    240: C:\Test\Example.dll

The output above shows the process name, the PID, the file handle (in hex), and the file name. To see all handles held by a particular process, use the -p option:

O:\Tools>handle -p 1388

Handle v3.31
Copyright (C) 1997-2008 Mark Russinovich
Sysinternals – http://www.sysinternals.com/

8: File  (---)   C:\WINDOWS\System32
74: File  (---)   C:\WINDOWS\System32\en-US\svchost.exe.mui
194: Section       \BaseNamedObjects\__ComCatalogCache__
198: Section       \BaseNamedObjects\__ComCatalogCache__
1A4: File  (---)   C:\WINDOWS\Registration\R00000000000f.clb
1B0: File  (---)   C:\WINDOWS\System32\en-US\crypt32.dll.mui
1B4: File  (---)   C:\WINDOWS\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_152e7382f3bd50c6
1C0: File  (---)   C:\WINDOWS\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_152e7382f3bd50c6
1CC: File  (---)   C:\WINDOWS\System32\inetsrv\config\schema
1D8: File  (---)   C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727\CONFIG
1DC: File  (---)   C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727\CONFIG
1E0: File  (---)   C:\WINDOWS\System32\inetsrv\config
1E8: Section       \RPC Control\DSEC56c
1FC: File  (---)   C:\WINDOWS\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_152e7382f3bd50c6
200: Section       \BaseNamedObjects\windows_shell_global_counters
240: File  (---)   C:\Test\Example.dll
264: File  (---)   C:\WINDOWS\System32\en-US\kernel32.dll.mui
284: File  (---)   C:\WINDOWS\System32\inetsrv\config

This happens to be a Windows 2008 box, so I can take it one step further and find the service via Task Manager:

[Screenshot: Process]

Since we need to delete or change this file and Windows will not allow it because the file is locked by the FTP service, I can forcefully close the handle by specifying the handle and PID. Note: This should be used with care, as it can cause the process to crash. Consider using this as a last resort instead of restarting a service or rebooting to free the lock.

O:\Tools>handle -c 240 -p 1388

Handle v3.31
Copyright (C) 1997-2008 Mark Russinovich
Sysinternals – http://www.sysinternals.com/

240: File  (---)   C:\Test\Example.dll
Close handle 240 in svchost.exe (PID 1388)? (y/n) y

Handle closed.

The file can now be modified/deleted.
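
Because a handle value can be closed and reused by the process between the search and the close, it is worth re-checking the -p listing before running -c. The following is an added example, not part of the original post or the Sysinternals tooling: it parses the two v3.31 output formats shown above (other versions may format lines differently) and only returns the close arguments when the handle still points at the target file. The function names and the embedded sample text are constructed for illustration.

```python
import re

# Constructed sample input in the v3.31 output format shown in this post.
SEARCH_OUTPUT = r"""
Handle v3.31
Copyright (C) 1997-2008 Mark Russinovich

svchost.exe        pid: 1388    240: C:\Test\Example.dll
"""
PROCESS_OUTPUT = r"""
  1E0: File  (---)   C:\WINDOWS\System32\inetsrv\config
  1E8: Section       \RPC Control\DSEC56c
  240: File  (---)   C:\Test\Example.dll
"""

SEARCH_RE = re.compile(r"^(.+?)\s+pid:\s*(\d+)\s+([0-9A-Fa-f]+):\s+(.+)$")
LISTING_RE = re.compile(r"^\s*([0-9A-Fa-f]+):\s+(\w+)\s+(?:\(([^)]*)\)\s+)?(.+)$")

def parse_search(text):
    """Rows of 'handle <path>' output: (process, pid, handle_hex, path)."""
    rows = []
    for line in text.splitlines():
        m = SEARCH_RE.match(line.strip())
        if m:
            rows.append((m[1], int(m[2]), m[3].upper(), m[4].strip()))
    return rows

def parse_listing(text):
    """Map handle_hex -> (object type, name) from 'handle -p <pid>' output."""
    table = {}
    for line in text.splitlines():
        m = LISTING_RE.match(line)
        if m:
            table[m[1].upper()] = (m[2], m[4].strip())
    return table

def close_command(target, search_text, listing_text, pid):
    """Return 'handle -c' arguments only if the handle still maps to target."""
    listing = parse_listing(listing_text)
    for _proc, row_pid, hexval, path in parse_search(search_text):
        if row_pid != pid or path.lower() != target.lower():
            continue
        kind, held = listing.get(hexval, (None, ""))
        if kind == "File" and held.lower() == target.lower():
            return ["handle", "-c", hexval, "-p", str(pid)]
    return None  # handle gone or reused for something else: do not close

if __name__ == "__main__":
    print(close_command(r"C:\Test\Example.dll", SEARCH_OUTPUT, PROCESS_OUTPUT, 1388))
```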