Windows Explored

Everyday Windows Desktop Support, Advanced Troubleshooting & Other OS Tidbits

Quickly Find Those File Handles part II (Remote Handles)

Posted by William Diaz on April 4, 2012


In addition to local processes locking up files and preventing their usage by other processes, files can also become locked by remote processes, too. Finding the remote system that has a handle(s) on the file can be a little bit more more involved. I mean this literally: a little a bit more involved. Knowing which tools to use or where to look can make this task just as simple as isolating it to a local process as outlined in part I.

This example is a recreation of an issue I encountered while working on a workstation remotely. It manifested itself as a failure to logon as the user: “Windows cannot load the locally stored profile…”

image
This was followed by “Windows cannot find the local profile and is logging you on with a temporary profile…”
image
Normally, a reboot will resolve this issue. But that wouldn’t be any fun. Additionally, we run the User Hive Profile Cleanup service (XP workstations)* to mitigate issues where application or service processes remains hooked to user’s registry, NTUSER.DAT and UsrClass.dat, after log off so I was interested to see what was hooked to either of these files.

Process Explorer is the tool choice again and I am searching for the locked file, NTUSER.DAT:
image
The System process has locked the user’s registry file (this is a recreation so I am the user). Think of the System process in this case as a misnomer for a remote process. Finding who has the handle on it is a simple matter of open the process properties and going to the TCP/IP tab:
image
The lab workstation I tried to logon as the user (myself) has been connected to by another workstation, in this case my primary workstation. This is likely the offending remote system that has locked up the NTUSER.DAT. This is actually enough to jog my memory; I had loaded the user’s NTUSER.DAT (the offline HKCU) remotely into the registry editor via Load Hive from my workstation to examine it a few hours earlier and failed to unload it before closing regedit:
image
After unloading it, the connection closed a minute later (In Process Explorer, red denotes a closing connection or process):
image
Another SysInternals tool you can use is TCPView:
image
And last (but not least) Windows already has the ability to view remote opened file connections and sessions. Open the computer management console  on the workstation where the file is locked and expand Shared Folders > Open Files and Sessions:
image
This will show who is accessing. The Sessions will display from what IP:
image
You can then right-click the open file and/or session to disconnect the remote handle and unlock the file.

You can also use netstat from a command shell to see what remote systems have active connections to the workstation where the file is locked.

Finally, it’s worth mentioning some applications may be hooking files in ways that you cannot determine using the basic methods outlined in Part I or II. These problems are generally more complex to isolate. Here is an example worth reading: The Case of the Temporary Registry Profiles.


*This feature is already part of Windows Vista and 7.

Advertisements

One Response to “Quickly Find Those File Handles part II (Remote Handles)”

  1. […] on the workstation which you loaded their hive. I was both victim and the offender in this example here. In both these cases TEMP profiles protect the integrity of the local […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: