{"id":8283,"date":"2012-02-17T07:00:00","date_gmt":"2012-02-17T07:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/2012\/02\/17\/how-do-i-find-out-which-process-has-a-file-open\/"},"modified":"2012-02-17T07:00:00","modified_gmt":"2012-02-17T07:00:00","slug":"how-do-i-find-out-which-process-has-a-file-open","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20120217-00\/?p=8283","title":{"rendered":"How do I find out which process has a file open?"},"content":{"rendered":"

\nClassically, there was no way to find out which process has a file open.\nA file object has a reference count, and when the reference count drops\nto zero, the file is closed.\nBut there’s nobody keeping track of which processes own how many references.\n(And that’s ignoring the case that the reference is not coming from a\nprocess in the first place; maybe it’s coming from a kernel driver,\nor maybe it came from a process that no longer exists but whose reference\nis being kept alive by a kernel driver that\n\ncaptured the object reference<\/a>.)\n<\/p>\n

\nThis falls into the category of\n\nnot keeping track of information you don’t need<\/a>.\nThe file system doesn’t care who has the reference to the file object.\nIts job is to close the file when the last reference goes away.\n<\/p>\n

\nYou do the same thing with your COM object reference counts.\nAll you care about is whether your reference count has reached zero\n(at which point it’s time to destroy the object).\nIf you later discover an object leak in your process,\nyou don’t have a magic query\n“Show me all the people who called\nAddRef<\/code> on my object”\nbecause you never kept track of all the people who called\nAddRef<\/code> on your object.\nOr even, “Here’s an object I want to destroy.\nShow me all the people who called AddRef<\/code> on it\nso I can destroy them\nand get them to call Release<\/code>.”\n<\/p>\n

\nAt least that was the story under the classical model.\n<\/p>\n

\nEnter the\n\nRestart Manager<\/a>.\n<\/p>\n

\nThe official goal of the Restart Manager is to help make it possible to\nshut down and restart applications which are using a file you want\nto update.\nIn order to do that, it needs to keep track of which processes are\nholding references to which files.\nAnd it’s that database that is of use here.\n(Why is the kernel keeping track of which processes have a file open?\nBecause it’s the converse of the principle of not keeping track\nof information you don’t need:\nNow it needs the information!)\n<\/p>\n

\nHere’s a simple program which takes a file name on the command line\nand shows which processes have the file open.\n<\/p>\n

\n#include <windows.h>\n#include <RestartManager.h>\n#include <stdio.h>\nint __cdecl wmain(int argc, WCHAR **argv)\n{\n DWORD dwSession;\n WCHAR szSessionKey[CCH_RM_SESSION_KEY+1] = { 0 };\n DWORD dwError = RmStartSession(&dwSession, 0, szSessionKey);\n wprintf(L\"RmStartSession returned %d\\n\", dwError);\n if (dwError == ERROR_SUCCESS) {\n   PCWSTR pszFile = argv[1];\n   dwError = RmRegisterResources(dwSession, 1, &pszFile,\n                                 0, NULL, 0, NULL);\n   wprintf(L\"RmRegisterResources(%ls) returned %d\\n\",\n           pszFile, dwError);\n  if (dwError == ERROR_SUCCESS) {\n   DWORD dwReason;\n   UINT i;\n   UINT nProcInfoNeeded;\n   UINT nProcInfo = 10;\n   RM_PROCESS_INFO rgpi[10];\n   dwError = RmGetList(dwSession, &nProcInfoNeeded,\n                       &nProcInfo, rgpi, &dwReason);\n   wprintf(L\"RmGetList returned %d\\n\", dwError);\n   if (dwError == ERROR_SUCCESS) {\n    wprintf(L\"RmGetList returned %d infos (%d needed)\\n\",\n            nProcInfo, nProcInfoNeeded);\n    for (i = 0; i < nProcInfo; i++) {\n     wprintf(L\"%d.ApplicationType = %d\\n\", i,\n                              rgpi[i].ApplicationType);\n     wprintf(L\"%d.strAppName = %ls\\n\", i,\n                              rgpi[i].strAppName);\n     wprintf(L\"%d.Process.dwProcessId = %d\\n\", i,\n                              rgpi[i].Process.dwProcessId);\n     HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION,\n                                   FALSE, rgpi[i].Process.dwProcessId);\n     if (hProcess) {\n      FILETIME ftCreate, ftExit, ftKernel, ftUser;\n      if (GetProcessTimes(hProcess, &ftCreate, &ftExit,\n                          &ftKernel, &ftUser) &&\n          CompareFileTime(&rgpi[i].Process.ProcessStartTime,\n                          &ftCreate) == 0) {\n       WCHAR sz[MAX_PATH];\n       DWORD cch = MAX_PATH;\n       if (QueryFullProcessImageNameW(hProcess, 0, sz, &cch) &&\n           cch <= MAX_PATH) {\n        wprintf(L\"  = %ls\\n\", sz);\n       }\n      }\n      CloseHandle(hProcess);\n     }\n    }\n   }\n  }\n  RmEndSession(dwSession);\n }\n return 0;\n}\n<\/pre>\n
\nThe first thing we do is call, no wait, even before we call\nthe Rm­Start­Session<\/code> function, we have the line\n<\/p>\n
\n WCHAR szSessionKey[CCH_RM_SESSION_KEY+1] = { 0 };\n<\/pre>\n
\nThat one line of code addresses two bugs!\n<\/p>\n
\nFirst is a documentation bug.\nThe documentation for the\nRm­Start­Session<\/code> function doesn’t specify\nhow large a buffer you need to pass for the session key.\nThe answer is CCH_RM_SESSION_KEY+1<\/code>.\n<\/p>\n
\nSecond is a code bug.\nThe\nRm­­StartSession<\/code> function doesn’t properly\nnull-terminate the session key, even though the function\nis documented as returning a null-terminated string.\nTo work around this bug, we pre-fill the buffer with null characters\nso that whatever ends gets written will have a null terminator\n(namely, one of the null characters we placed ahead of time).\n<\/p>\n
\nOkay, so that’s out of the way.\nThe basic algorithm is simple:\n<\/p>\n
    \n
  1. Create a Restart Manager session.\n
  2. Add a file resource to the session.\n
  3. Ask for a list of all processes affected by that resource.\n
  4. Print some information about each process.\n
  5. Close the session.\n<\/ol>\n
    \nWe already mentioned that you create the session by calling\nRm­Start­Session<\/code>.\nNext, we add a single file resource to the session by\ncalling Rm­Register­Resources<\/code>.\n<\/p>\n
    \nNow the fun begins.\nGetting the list of affected processes is normally a two-step\naffair.\nFirst, you ask for the number of affected processes\n(by passing 0<\/code> as the nProcInfo<\/code>),\nthen allocate some memory and call a second time to get the data.\nBut this is just a sample program, so I’ve hard-coded a limit\nof ten processes.\nIf more than ten processes are affected, I just give up.\n(You can see this if you ask for all the processes that\nhave open handles to kernel32.dll<\/code>.)\n<\/p>\n
    \nThe other tricky part is mapping the RM_PROCESS_INFO<\/code>\nto an actual process.\nSince process IDs can be recycled,\nthe\nRM_PROCESS_INFO<\/code> structure identifies a process\nby the combination of the process ID and the process creation time.\nThat combination is unique because two processes cannot have the same\nID at the same time.\nWe open the handle to the process via its ID, then confirm that the\nstart times match.\n(If not, then\n\nthe ID refers to a process that exited<\/a>\nduring the\ntime we obtained the list and the time we actually looked at it.)\nAssuming it all matches, we get the image name and print it.\n<\/p>\n
    \nAnd that’s all there is to enumerating all the processes that have\na particular file open.\nOf course, a more expressive interface for managing files in use\nis\nIFileIsInUse<\/code>,\n\nwhich I mentioned some time ago<\/a>.\nThat interface not only tells you the application that has the file open\n(in a friendlier format than just an executable path),\nyou can also use it to switch to the application and even ask it to\nclose the file.\n(Windows 7 first tries IFileIsInUse<\/code>,\nand if that fails, then it goes to the Restart Manager.)<\/p>\n","protected":false},"excerpt":{"rendered":"
    Classically, there was no way to find out which process has a file open. A file object has a reference count, and when the reference count drops to zero, the file is closed. But there’s nobody keeping track of which processes own how many references. (And that’s ignoring the case that the reference is not […]<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-8283","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"
    Classically, there was no way to find out which process has a file open. A file object has a reference count, and when the reference count drops to zero, the file is closed. But there’s nobody keeping track of which processes own how many references. (And that’s ignoring the case that the reference is not […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/8283","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=8283"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/8283\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=8283"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=8283"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=8283"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}