One of my favourite tools for linux is lsof - a real swiss army knife!
Today I found myself wondering which programs on a WinXP system had a specific file open. Is there any equivalent utility to lsof? Additionally, the file in question was over a network share so I'm not sure if that complicates matters.
Source: Tips4all
Use Process Explorer from the Sysinternals Suite, the Find Handle or DLL function will let you search for the process with that file open.
ReplyDeletethe equivalent of lsof -p pid
ReplyDeleteis combined output from sysinternals handle and listdlls, ie
handle -p pid
listdlls -p pid
you can find out pid with sysinternals pslist
Try Handle. Filemon & Regmon are also great for trying to figure out what the duce program foo is doing to your system.
ReplyDeleteTry Unlocker.
ReplyDeleteThe Unlocker site has a nifty chart (scroll down after following the link) that shows a comparison to other tools. Obviously such comparisons are usually biased since they are typically written by the tool author, but the chart at least lists the alternatives so that you can try them for yourself.
If the file is a .dll then you can use the TaskList command line app to see whose got it open:
ReplyDeleteTaskList /M nameof.dll
If you right-click on your "Computer" (or "My Computer") icon and select "Manage" from the pop-up menu, that'll take you to the Computer Management console.
ReplyDeleteIn there, under System Tools\Shared Folders, you'll find "Open Files". This is probably close to what you want, but if the file is on a network share then you'd need to do the same thing on the server on which the file lives.
Use Process Explorer to find the process id. Then use Handle to find out what files are open.
ReplyDeleteEg handle -p
I like this approach because you are using utilities from Microsoft itself.
In OpenedFilesView, under the Options menu, there is a menu item named "Show Network Files". Perhaps with that enabled, the aforementioned utility is of some use.
ReplyDeleteThe equivalent of lsof is combined output from Sysinternals' handle and listdlls, i.e.:
ReplyDeletec:\SysInternals>handle
[...]
------------------------------------------------------------------------------
gvim.exe pid: 5380 FOO\alois.mahdal
10: File (RW-) C:\Windows
1C: File (RW-) D:\some\locked\path\OpenFile.txt
[...]
c:\SysInternals>listdlls
[...]
------------------------------------------------------------------------------
Listdlls.exe pid: 6840
Command line: listdlls
Base Size Version Path
0x00400000 0x29000 2.25.0000.0000 D:\opt\SysinternalsSuite\Listdlls.exe
0x76ed0000 0x180000 6.01.7601.17725 C:\Windows\SysWOW64\ntdll.dll
[...]
c:\SysInternals>listdlls
Unfortunately, you have to "run as Administrator" to be able to use them.
Also listdlls and handle do not produce continuous table-like form so filtering filename would hide PID. findstr /c:pid: /c:<filename> should get you very close with both utilities, though
c:\SysinternalsSuite>handle | findstr /c:pid: /c:Driver.pm
System pid: 4 \<unable to open process>
smss.exe pid: 308 NT AUTHORITY\SYSTEM
avgrsa.exe pid: 384 NT AUTHORITY\SYSTEM
[...]
cmd.exe pid: 7140 FOO\alois.mahdal
conhost.exe pid: 1212 FOO\alois.mahdal
gvim.exe pid: 3408 FOO\alois.mahdal
188: File (RW-) D:\some\locked\path\OpenFile.txt
taskmgr.exe pid: 6016 FOO\alois.mahdal
[...]
Here we can see that gvim.exe is the one having this file open.
There is a program "OpenFiles", seems to be part of windows 7. Seems that it can do what you want. It can list files opened by remote users (through file share) and, after calling
ReplyDelete"openfiles /Local on" and a system restart, it should be able to show files opened locally. The latter is said to have performance penalties.