Wednesday, May 23, 2012

"lsof" equivalent for Windows


One of my favourite tools for Linux is lsof - a real Swiss Army knife!



Today I found myself wondering which programs on a WinXP system had a specific file open. Is there any equivalent utility to lsof? Additionally, the file in question was over a network share so I'm not sure if that complicates matters.


Source: Tips4all

10 comments:

  1. Use Process Explorer from the Sysinternals Suite; the Find Handle or DLL function will let you search for the process with that file open.

  2. The equivalent of lsof -p pid is the combined output from Sysinternals handle and listdlls, i.e.

    handle -p pid

    listdlls -p pid

    You can find out the pid with Sysinternals pslist.

  3. Try Handle. Filemon & Regmon are also great for trying to figure out what the deuce program foo is doing to your system.

  4. Try Unlocker.

    The Unlocker site has a nifty chart (scroll down after following the link) that shows a comparison to other tools. Obviously such comparisons are usually biased since they are typically written by the tool author, but the chart at least lists the alternatives so that you can try them for yourself.

  5. If the file is a .dll then you can use the TaskList command line app to see who's got it open:

    TaskList /M nameof.dll

  6. If you right-click on your "Computer" (or "My Computer") icon and select "Manage" from the pop-up menu, that'll take you to the Computer Management console.

    In there, under System Tools\Shared Folders, you'll find "Open Files". This is probably close to what you want, but if the file is on a network share then you'd need to do the same thing on the server on which the file lives.

  7. Use Process Explorer to find the process id. Then use Handle to find out what files are open.

    E.g. handle -p

    I like this approach because you are using utilities from Microsoft itself.

  8. In OpenedFilesView, under the Options menu, there is a menu item named "Show Network Files". Perhaps with that enabled, the aforementioned utility is of some use.

  9. The equivalent of lsof is combined output from Sysinternals' handle and listdlls, i.e.:

    c:\SysInternals>handle
    [...]
    ------------------------------------------------------------------------------
    gvim.exe pid: 5380 FOO\alois.mahdal
    10: File (RW-) C:\Windows
    1C: File (RW-) D:\some\locked\path\OpenFile.txt
    [...]

    c:\SysInternals>listdlls
    [...]
    ------------------------------------------------------------------------------
    Listdlls.exe pid: 6840
    Command line: listdlls

    Base Size Version Path
    0x00400000 0x29000 2.25.0000.0000 D:\opt\SysinternalsSuite\Listdlls.exe
    0x76ed0000 0x180000 6.01.7601.17725 C:\Windows\SysWOW64\ntdll.dll
    [...]

    c:\SysInternals>listdlls


    Unfortunately, you have to "run as Administrator" to be able to use them.

    Also, listdlls and handle do not produce output in a continuous table-like form, so filtering by filename would hide the PID. findstr /c:pid: /c:<filename> should get you very close with both utilities, though:

    c:\SysinternalsSuite>handle | findstr /c:pid: /c:Driver.pm
    System pid: 4 \<unable to open process>
    smss.exe pid: 308 NT AUTHORITY\SYSTEM
    avgrsa.exe pid: 384 NT AUTHORITY\SYSTEM
    [...]
    cmd.exe pid: 7140 FOO\alois.mahdal
    conhost.exe pid: 1212 FOO\alois.mahdal
    gvim.exe pid: 3408 FOO\alois.mahdal
    188: File (RW-) D:\some\locked\path\OpenFile.txt
    taskmgr.exe pid: 6016 FOO\alois.mahdal
    [...]


    Here we can see that gvim.exe is the one having this file open.

  10. There is a program "OpenFiles", which seems to be part of Windows 7. It seems that it can do what you want. It can list files opened by remote users (through a file share) and, after calling "openfiles /Local on" and a system restart, it should be able to show files opened locally. The latter is said to have performance penalties.

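Comment 9 points out that filtering handle output by filename drops the process line that carries the PID. The following is an added example, not part of the original comments, that parses the output and reports only the owning processes. The sample text is constructed from the transcript in comment 9, the line layout the regexes expect is assumed from that transcript, and `find_holders` and `holders.py` are hypothetical names.

```python
import re
import sys

# Process header, e.g. "gvim.exe pid: 3408 FOO\alois.mahdal" (layout assumed from comment 9).
HEADER = re.compile(r"^(?P<image>\S.*?)\s+pid:\s+(?P<pid>\d+)\s*(?P<owner>.*)$")
# Handle line, e.g. "188: File (RW-) D:\path\file.txt"; the access flags are optional.
HANDLE = re.compile(
    r"^\s*(?P<id>[0-9A-Fa-f]+):\s+(?P<type>\S+)\s+"
    r"(?:\((?P<access>[-RWD]{3})\)\s+)?(?P<name>.+?)\s*$"
)

# Constructed sample, modelled on the handle transcript in comment 9.
SAMPLE = r"""
------------------------------------------------------------------------------
System pid: 4 \<unable to open process>
------------------------------------------------------------------------------
smss.exe pid: 308 NT AUTHORITY\SYSTEM
------------------------------------------------------------------------------
cmd.exe pid: 7140 FOO\alois.mahdal
   10: File  (RW-)   C:\Windows
------------------------------------------------------------------------------
gvim.exe pid: 3408 FOO\alois.mahdal
   10: File  (RW-)   C:\Windows
  188: File  (RW-)   D:\some\locked\path\OpenFile.txt
------------------------------------------------------------------------------
taskmgr.exe pid: 6016 FOO\alois.mahdal
"""

def find_holders(handle_output, needle):
    """Return (image, pid, owner, handle_id, access, name) for each handle whose
    name contains `needle`; matching ignores case, as Windows paths do."""
    current = None  # process header that the following handle lines belong to
    hits = []
    for line in handle_output.splitlines():
        header = HEADER.match(line.strip())
        if header:
            current = (header["image"], int(header["pid"]), header["owner"])
            continue
        handle = HANDLE.match(line)
        if handle and current and needle.lower() in handle["name"].lower():
            hits.append(current + (handle["id"], handle["access"], handle["name"]))
    return hits

if __name__ == "__main__":
    # With an argument, filter real output from stdin: handle | python holders.py OpenFile.txt
    use_stdin = len(sys.argv) > 1
    text, needle = (sys.stdin.read(), sys.argv[1]) if use_stdin else (SAMPLE, "OpenFile.txt")
    for hit in find_holders(text, needle):
        print("\t".join(str(field) for field in hit))
```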