How to determine the process of accessing it according to the file name

MuYu 41

I want to implement a function that can determine the process accessing it according to the file name。
I found two implementation methods on the network。

1.Use the NtQuerySystemInformation function to find all handles, then filter out file handles from all handles and get the file name.
--However, the instructions for SystemHandleInformation were not found in the NtQuerySystemInformation API doc。
--There seems to be no definition in the SDK header file

2.It seems that I can use Restart Manager to register the file name and get the name of the process or service accessing the file to achieve this effect.
--But I seem to need to use the dynamic link library file rstrtmgr.dll,
--I don't have this DLL in my system, and I can't find a DLL that can be used. I once downloaded one, but when I use it, I am prompted that with "skipping incompatible.. / rstrtmgr.dll when searching for - lrstrtmgr"

Finally, I found the handle.exe tool in Doc / sysinternals, but I don't know how to achieve this effect.

Or there are other ways to enumerate the handles of running processes.
Can someone help me……

Thank you very much! ☆⌒(´▽｀)v THX!!

RLWA32 40,571 Reputation points

2021-11-29T10:07:56.743+00:00

--But I seem to need to use the dynamic link library file rstrtmgr.dll,
--I don't have this DLL in my system, and I can't find a DLL that can be used.

What version of Windows are you using?

The restart manager is a system dll and has been part of Windows since the release of Windows Vista. Have you tried running the System File Checker tool? -- Use the System File Checker tool to repair missing or corrupted system files
MuYu 41 Reputation points

2021-11-30T05:50:28.937+00:00

The system version is 19043.1348. I have searched all the files, but I haven't found it。
I'll try. Thanks for your advice. ☆⌒(^▽^*)))v THX!!
RLWA32 40,571 Reputation points

2021-11-30T08:44:43.923+00:00

Windows 10 21H1 is build 19043.1348 and RstrtMgr.dll should be present in C:\Windows\System32 and C:\Windows\SysWOW64 folders -

and
MuYu 41 Reputation points

2021-12-01T03:55:12.433+00:00

OMG.....I forgot that this directory is not searched by default
After executing the Checker tool, I confirmed that the DLL exists.

Ld.exe doesn't seem to search this directory, but there's no problem when I copy it to the directory.

I have successfully implemented this function using the Restart Manager。☆⌒ヾ(^▽^*)))THX!!
RLWA32 40,571 Reputation points

2021-12-01T08:02:12.42+00:00

Glad you got it sorted out with the Restart Manager.

2 answers

Castorix31 81,741 Reputation points

2021-11-29T08:13:48.777+00:00

You can use IFileIsInUse and GetInfoForFileInUse
I had posted a sample in VB in this thread : How to kill the process which is accessing an image file, so I can delete it in WinForms App.
For SystemHandleInformation, I had posted a sample in C++ in this thread : Finding process holding device reference
Please sign in to rate this answer.

1 person found this answer helpful.
MuYu 41 Reputation points

2021-11-30T05:45:09.267+00:00

Thanks for your answer.
But I encountered some problems when I implemented it:

1.When I try to use IFileIsInUse, when I call the SHCreateItemFromParsingName function, it returns a failure, But I don't know what happened……

2.When I try to use the NtQuerySystemInformation function, it shows that the execution is successful, But there seems to be something wrong with its content

I can't understand why it's like this.

In addition, I have seen the implementation of NtQuerySystemInformation in many places, but I can't find the relevant description in the API document.
I want to know where everyone knows its usage.

This problem seems too difficult for me, but I have learned a lot in the process of continuous exploration.
ヾ(•ω•`)o

Castorix31 81,741 Reputation points

2021-11-30T09:46:50.693+00:00

This test in C++ with a .doc works for me with IFileIsInUse (without app name => exe to simplify):

IShellItem* psi; IFileIsInUse* pFileIsInUse; WCHAR wsFile[MAX_PATH] = L"E:\\test.doc"; HRESULT hr = SHCreateItemFromParsingName(wsFile, NULL, IID_PPV_ARGS(&psi)); if (SUCCEEDED(hr)) { typedef HRESULT(WINAPI* GIFFIU)(IShellItem* psi, IFileIsInUse** ppof); GIFFIU GetInfoForFileInUse = NULL; HMODULE hDLL = LoadLibrary(TEXT("Windows.storage.dll")); if (hDLL != NULL) { GetInfoForFileInUse = (GIFFIU)GetProcAddress(hDLL, "GetInfoForFileInUse"); if (GetInfoForFileInUse) { hr = GetInfoForFileInUse(psi, &pFileIsInUse); LPWSTR pwsAppName = NULL; hr = pFileIsInUse->GetAppName(&pwsAppName); if (pwsAppName != NULL) { WCHAR wsMessage[255] = L""; wsprintf(wsMessage, L"File %s locked by application : %s\n", wsFile, pwsAppName); MessageBox(NULL, wsMessage, L"Information", MB_OK | MB_ICONINFORMATION); } else { WCHAR wsMessage[255] = L""; wsprintf(wsMessage, L"File %s not locked\n", wsFile); MessageBox(NULL, wsMessage, L"Information", MB_OK | MB_ICONINFORMATION); } pFileIsInUse->Release(); } } psi->Release(); }

MuYu 41 Reputation points

2021-12-01T03:42:52.067+00:00

There still seems to be a problem.
In order to avoid possible errors, I copied the code into vs, and there were problems while the program was running。

This failure also occurs when calling the SHCreateItemFromParsingName function。
I use the fileisuse sample program to lock files，

I implemented this function using Restart Manager
And the program that locks it is correctly displayed in the program that uses Restart Manager

----------------------------------------------------------

SHCreateItemFromParsingName()
This function seems too esoteric to me.

I'm going to give up using IFileIsInUse. It's a little hard for me to use.

Thank you again for your reply。

Finally, I would like to ask how everyone knows to use the NtQuerySystemInformation function to obtain all handle information?
I did not find the relevant API document. On the Internet, it seems to appear out of thin air.

Or is this perhaps the usage summarized by hackers through experience？

Castorix31 81,741 Reputation points

2021-12-01T06:44:37.83+00:00

I would like to ask how everyone knows to use the NtQuerySystemInformation function to obtain all handle information?

Among sources, it was published in ReactOS source
ndk_2extypes_8h_source.html
modules_2rostests_2winetests_2ntdll_2info_8c_source.html
etc...

RLWA32 40,571 Reputation points

2021-12-01T08:42:16.23+00:00

I was fascinated by the GetInfoForFileInUse function exported from windows.storage.dll since I could not find it in the MS documentation. Even more interesting was that after opening a docx file in Microsoft Word 2013 the COM object returned from the ROT for the file did not expose IFileIsInUse. QI for IFileIsInUse on the object's IUnknown from the ROT returned E_NOINTERFACE. So I dug a little deeper into the function and it seemed to me that when the COM object obtained from the ROT does not expose IFileIsInUse then the GetInfoForFileInUse function manufactures an object that exposes IFileIsInUse and returnes that interface pointer to the caller. The same result was observed when opening an rtf file in Wordpad.

Even more unusual was when the target file was NOT open in an application and there was no file moniker for it in the ROT. The GetInfoForFileInUse function still manufactured its own COM object and returned an interface pointer.

Update:
Another possibility is to QI for IOleObject after receiving E_NOINTERFACE for IFileIsInUse. Its possible to retrieve CLSID/PROGID information and then identify the related application with the IQueryAssociations interface.

MuYu 41 Reputation points

2021-12-03T09:50:31.327+00:00

Nice.!(o゜▽゜)o☆

Mike Filatov 1 Reputation point

2022-03-05T00:54:34.553+00:00

To use IFileIsInUse interface the COM libraries must be initialized first by calling CoInitializeEx

// Initialize COM HRESULT hr = CoInitializeEx(nullptr, COINIT_APARTMENTTHREADED); if (SUCCEEDED(hr)) { hr = SHCreateItemFromParsingName(wsFile, NULL, IID_PPV_ARGS(&psi));
Sign in to comment
Xiaopo Yang - MSFT 11,496 Reputation points Microsoft Vendor

2021-12-02T05:54:03.343+00:00

I also found two answers. 1. How to find all processes using a device 2. Get the process which has specific handle of a file(using NtQueryInformationFile, a little tricky)
Please sign in to rate this answer.
MuYu 41 Reputation points

2021-12-03T09:43:33.297+00:00

Thanks for your news

I have successfully implemented this function through Restart Manager.
Other methods are also being tried

Previously, I encountered an incomprehensible error when I used the NtQuerySystemInformation function to get all handles

But I found an amazing way to operate：
-Get the number of handles of the target process, and then directly traverse its handle through the DuplicateHandle function.

This is a new idea, but I haven't tried it yet. I'll try it.
Sign in to comment