Copyright © 1997 Mark Russinovich |
Last Updated July 26, 1997, Version 1.0 |
Introduction | Ever
wondered which program has a particular file or directory open? Now you
can find out. Handle is a utility that displays information
about open handles for any process in the system. You can use it to see
the programs that have a file open, or to see the object types and names
of all the handles of a program. You can also get a GUI-based version of this program, HandleEx for Windows NT, here at NTInternals. |
|
Installation | You run
Handle by typing "nthandle". The driver (handle.sys)
and console program (nthandle.exe) must be located in the same
directory, which must be on a non-network drive. You do not have to be
in the same directory as the files to run Handle, so long as
they are on your executable path. You must have administrative privilege
to run Handle. Handle has been tested on NT 3.51 and NT 4.0. |
|
Usage | Handle
For Windows NT is targeted at searching for open file references,
so if you do not specify any command-line parameters it will list the
values of all the handles in the system that refer to open files and the
names of the files. It also takes several parameters that modify this
behavior.
usage: nthandle [-a] [-p process] [name] |
|
-a | Dump information about all types of handles, not just those that refer to files. Other types include ports, Registry keys, synchronization primitives, threads, and processes. | |
-p process | Instead
of examining all the handles in the system, this parameter narrows Handle
For Windows NT's scan to those processes whose names begin with
process. Thus:
nthandle -p exp
would dump the open files for all processes that start with "exp", which would include Explorer. |
|
name | This
parameter is present so that you can direct Handle to search for
references to an object with a particular name. For example, if you
wanted to know which process (if any) has "c:\winnt\system32"
open you could type:
nthandle winnt\system
The name match is case-insensitive and the fragment specified can be anywhere in the paths you are interested in. |
|
Handle For Windows NT Output | When not
in search mode (enabled by specifying a name fragment as a parameter),
Handle divides its output into sections for each process it is
printing handle information for. Dashed lines are used as a separator,
immediately below which you will see the process name and its process ID
(PID). Beneath the process name are listed handle values (in
hexadecimal), the type of object the handle is associated with, and the
name of the object if it has one. When in search mode, the process names and IDs are listed on the left side and the names of the objects that matched are on the right. |
|
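The following is an added example, not part of Handle or of the original page: a Python sketch that parses per-process output of the kind described above and applies the same matching rules as the `-p` and name parameters, which is useful when a saved listing has to be searched later. The exact line layout (`pid:` label, `value: type name` columns) is an assumption, since the page describes the output only in prose; the sample text is constructed and the function names are hypothetical.

```python
import re

# Constructed sample in an ASSUMED layout (the page gives no literal output).
SAMPLE = """\
------------------------------------------------------------
explorer.exe pid: 84
   1c: File          C:\\WINNT\\system32
   2c: Key           \\REGISTRY\\MACHINE\\SOFTWARE
   34: Event
------------------------------------------------------------
winword.exe pid: 131
   20: File          C:\\docs\\report.doc
   5c: File          C:\\WINNT\\System32\\spool
"""

SEPARATOR = re.compile(r"^-{5,}\s*$")
PROCESS = re.compile(r"^(?P<name>.+?)\s+pid:\s*(?P<pid>\d+)\s*$", re.I)
HANDLE = re.compile(
    r"^\s*(?P<value>[0-9a-fA-F]+):\s+(?P<type>\S+)(?:\s+(?P<name>\S.*?))?\s*$")

def parse_handles(text):
    """Return one dict per handle: process, pid, handle (int), type, name."""
    rows, current, expect_process = [], None, False
    for line in text.splitlines():
        if SEPARATOR.match(line):
            # The process header sits immediately below a dashed line.
            current, expect_process = None, True
            continue
        if expect_process:
            m = PROCESS.match(line)
            current = (m["name"], int(m["pid"])) if m else None
            expect_process = False
            continue
        m = HANDLE.match(line)
        if m and current:
            rows.append({"process": current[0], "pid": current[1],
                         "handle": int(m["value"], 16),  # values are hexadecimal
                         "type": m["type"], "name": m["name"]})
    return rows

def find_open(rows, fragment, process_prefix=""):
    """Case-insensitive fragment match anywhere in the object name,
    optionally limited to processes whose name starts with process_prefix."""
    frag, prefix = fragment.lower(), process_prefix.lower()
    return [r for r in rows
            if r["name"] and frag in r["name"].lower()
            and r["process"].lower().startswith(prefix)]

if __name__ == "__main__":
    for r in find_open(parse_handles(SAMPLE), "winnt\\system"):
        print(f'{r["process"]} ({r["pid"]})  {r["name"]}')
```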
More Information | You can find more information on the Object Manager in Helen Custer's Inside Windows NT, or by browsing the Object Manager name-space with WinObj. I'll also have a column on the Object Manager in the October issue of Windows NT Magazine. | |
Download Handle (18KB) |
||