0 Votes
KarlKunze-8914 asked

With which tool can I investigate the File Control Block of a loaded application?

Hi, I am investigating a situation on a terminal server where we have stability issues with some applications. Our actual suspects are orphaned FCBs. I would like to nail it down to this, but I have no actual clue which Sysinternals tool I could possibly use to look at those and check what is going on. Thanks in advance. Karl

windows-server

0 Votes
MotoX80 answered

If you are looking for file handles, then Process Explorer would be my first choice.

https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

You can sort by the handle column or use the Find menu item to search for a file name.



0 Votes
IanXue-MSFT answered

Hi,

Are you trying to get the file handles opened by the application? If so, you can use Handle:

https://docs.microsoft.com/en-us/sysinternals/downloads/handle

Best Regards,
Ian Xue

0 Votes
KarlKunze-8914 answered

Hi,

I want to look at the file control block connected to the binary application itself by the redirector.

The problem is very likely described in https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/applications-crash-if-another-user-logs-off-session .

From my understanding, a look at the file handles is not what I am looking for.

But what option could it be in the Sysinternals tools?

Regards.

Karl


2 Votes
MotoX80 answered

What do you expect to find in this FCB?

I'll ask my favorite question: what's the real problem?

https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/the-fcb-structure
https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/connection-and-file-structure-management

From reading over the link that you provided and the 2 links that I found, the Sysinternals tool that I would use is LiveKd.

https://docs.microsoft.com/en-us/sysinternals/downloads/livekd

That would allow you to launch a debugger (WinDbg) on a running system and let you traverse the internal control block structures of the OS. Troubleshooting at this level requires extensive experience.

Are your Paged-pool and Non-paged-pool memory numbers excessive? Are you running out of memory?

Technically the FCB is not owned by any specific user. It's just a shared structure that represents a file. The FCB is created when the first handle to the file is opened, and it's destroyed when the last handle to the file is closed. Therefore, it is not tied to a user.

I would think that an analysis of file handles either with ProcExp or Handle would be your best bet. Or try RamMap and see if the File Summary tab provides any useful info.

https://docs.microsoft.com/en-us/sysinternals/downloads/rammap
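
Since the answer above describes the FCB as a structure shared by every opener of a file rather than owned by one user, a useful first check on a terminal server is which sessions are running the same application binary from the network. The following PowerShell is an added example, not code from this thread or from Sysinternals; the UNC prefix `\\fileserver\apps\` is a placeholder, and it assumes an elevated prompt and that the application is started from a UNC path.

```powershell
# Added example: list executables started from a network share and show
# which sessions and users are running each one.
param(
    # Hypothetical UNC prefix; replace with the share the application runs from.
    [string]$PathPrefix = '\\fileserver\apps\'
)

# -IncludeUserName needs an elevated prompt; without elevation, processes in
# other users' sessions expose neither their path nor their owner.
$remote = Get-Process -IncludeUserName | Where-Object {
    $_.Path -and
    $_.Path.StartsWith($PathPrefix, [StringComparison]::OrdinalIgnoreCase)
}

# One row per image file. An image used by more than one session is a file
# that stays open for the remaining sessions when one of them logs off.
$remote | Group-Object -Property Path | ForEach-Object {
    $sessions = @($_.Group.SessionId | Sort-Object -Unique)
    [pscustomobject]@{
        Image        = $_.Name
        SessionCount = $sessions.Count
        Sessions     = $sessions -join ','
        Users        = @($_.Group.UserName | Sort-Object -Unique) -join ', '
        Pids         = @($_.Group.Id | Sort-Object) -join ','
    }
} | Sort-Object -Property SessionCount -Descending
```

Rows with a `SessionCount` above 1 are the binaries worth following up in Process Explorer, Handle or RamMap before and after a test logoff.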



0 Votes
KarlKunze-8914 answered

Hi,

that is quite a lot of valuable information to dig through.

I will test with ProcExp and RamMap as advised and give some feedback in a few days.

Thanks so far.

Karl
