We may encounter situations where Windows reports that a file is locked and prevents modification or deletion.
Our goal here is to identify which active process currently has a file opened, called a "handle" (ref 1), then act diligently to solve the issue.
The approach we take is one that supports and aligns with our overall Forensics and incident response practice, where tools are choses for global reasons that may not be apparent at first sight.
Process Hacker to the rescue
Process Hacker is an open source task manager that can be seen as the Windows task manager on steroids, and downloaded from its official page here (ref 2).
At the time of our writing, the alternative of using the renowned Sysinternals Process Explorer from Microsoft (ref 3) did not yield the expected results, especially with drivers (sensitive code at the kernel level).
Note: You can find more practical information on ways to approach the handles identification at ref 4 (external link).
Now, let's pretend that Windows tells us that the following file is locked and cannot be modified or deleted:
C:\Fullblown_Security_Services.pdfLet's find out which process has it opened.
Steps:
Run the Process Hacker program downloaded from the official page above.
Click on the "Hacker" menu, then "Find handles or DLLs..."
Type some words contained in the problematic file name in the "Filter" field then hit "Find".
We could get a result similar to the screenshot below, where we find that Acrobat Reader DC, running as process ID 35160, is holding a handle with ID 0x50c on our file. If there are too many results, try being more specific in your search.
We now know that we need to close Acrobat Reader DC to solve our access issue (or kill it in instances where the program is inaccessible or non-responsive).
It is also then possible to right-click on the results to get more options for information and actions, like advanced properties or access the process from the processes list and act on it (inspect, kill, etc):
Comments