Hack 22 Get a List of Open Files and Their Owning Processes



Look for suspicious activity by monitoring file accesses.

Suppose you're looking at the list of processes in the task manager one day after noticing some odd behavior on your workstation, and you notice a process you haven't seen before. Well, what do you do now? If you were running something other than Windows, you might try to determine what the process is doing by looking at the files it has open. Unfortunately, Windows doesn't provide a tool to do this.

Sysinternals makes an excellent tool called Handle, which is available for free at http://www.sysinternals.com/ntw2k/freeware/handle.shtml. Handle is a lot like lsof [Hack #8], but it can list many other types of operating resources, including threads, events, and semaphores. It can also display open registry keys and IOCompletion structures.

Running handle without any command-line arguments will list all open file handles on the system. You can also specify a filename, which will list the processes that are currently accessing it, by typing this:

C:\> handle filename

Or you can list only the files that are opened by a particular process, in this case Internet Explorer:

C:\> handle -p iexplore

Handle v2.10
Copyright (C) 1997-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

----------------------------------------------------------------------------
IEXPLORE.EXE pid: 688 PLUNDER\andrew
   98: Section       \BaseNamedObjects\MTXCOMM_MEMORY_MAPPED_FILE
   9c: Section       \BaseNamedObjects\MtxWndList
  12c: Section       \BaseNamedObjects\__R_0000000000d4_SMem__
  18c: File          C:\Documents and Settings\andrew\Local Settings\Temporary Internet Files\Content.IE5\index.dat
  198: Section       \BaseNamedObjects\C:_Documents and Settings_andrew_Local Settings_Temporary Internet Files_Content.IE5_index.dat_3194880
  1a0: File          C:\Documents and Settings\andrew\Cookies\index.dat
  1a8: File          C:\Documents and Settings\andrew\Local Settings\History\History.IE5\index.dat
  1ac: Section       \BaseNamedObjects\C:_Documents and Settings_andrew_Local Settings_History_History.IE5_index.dat_245760
  1b8: Section       \BaseNamedObjects\C:_Documents and Settings_andrew_Cookies_index.dat_81920
  228: Section       \BaseNamedObjects\UrlZonesSM_andrew
  2a4: Section       \BaseNamedObjects\SENS Information Cache
  540: File          C:\Documents and Settings\andrew\Application Data\Microsoft\SystemCertificates\My
  574: File          C:\Documents and Settings\All Users\Desktop
  5b4: Section       \BaseNamedObjects\mmGlobalPnpInfo
  5cc: File          C:\WINNT\system32\mshtml.tlb
  614: Section       \BaseNamedObjects\WDMAUD_Callbacks
  640: File          C:\WINNT\system32\Macromed\Flash\Flash.ocx
  648: File          C:\WINNT\system32\STDOLE2.TLB
  6a4: File          \Dfs
  6b4: File          C:\Documents and Settings\andrew\Desktop
  6c8: File          C:\Documents and Settings\andrew\Local Settings\Temporary Internet Files\Content.IE5\Q5USFST0\softwareDownloadIndex[1].htm
  70c: Section       \BaseNamedObjects\MSIMGSIZECacheMap
  758: File          C:\WINNT\system32\iepeers.dll
  75c: File          C:\Documents and Settings\andrew\Desktop
  770: Section       \BaseNamedObjects\RotHintTable

If you want to find the Internet Explorer process that owns a resource whose name contains the string handle, you could type:

C:\> handle -p iexplore handle

Handle v2.10
Copyright (C) 1997-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

IEXPLORE.EXE       pid: 1396   C:\Documents and Settings\andrew\Local Settings\Temporary Internet Files\Content.IE5\H1EZGFSH\handle[1].htm

Additionally, if you wanted to list all types of resources, you could use the -a option. Handle is quite a powerful tool, and any of its command-line options can be mixed together to quickly narrow your search and find just what you want.
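When you run Handle regularly to baseline a workstation, the interesting question is usually not one listing but what changed: which image names you have never seen before, and which processes share a file with them. The following is an added example, not code from the book or from Sysinternals. It parses the text format shown above (banner, dashed separator, one "IMAGE pid: N USER" line per process, then one "hhh: Type  Name" line per handle) into records and answers the same questions the command-line options answer, plus a baseline comparison. The transcript embedded in it is constructed for the example and is a trimmed, slightly altered version of the output above; the regex also tolerates the optional "(RW-)" access column that later Handle releases print, which is an assumption about those versions, not something the page shows.

```python
import re
from dataclasses import dataclass

# Constructed sample transcript in the format Handle prints. The IEXPLORE
# entries are trimmed from the listing above; svchost.exe and unknown.exe
# are invented to give the baseline check something to find.
SAMPLE_OUTPUT = """\
Handle v2.10
Copyright (C) 1997-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

----------------------------------------------------------------------------
IEXPLORE.EXE pid: 688 PLUNDER\\andrew
   98: Section       \\BaseNamedObjects\\MTXCOMM_MEMORY_MAPPED_FILE
  1a0: File          C:\\Documents and Settings\\andrew\\Cookies\\index.dat
  640: File          C:\\WINNT\\system32\\Macromed\\Flash\\Flash.ocx
  6b4: File          C:\\Documents and Settings\\andrew\\Desktop
----------------------------------------------------------------------------
svchost.exe pid: 412 NT AUTHORITY\\SYSTEM
   2c: File          C:\\WINNT\\system32\\config\\software
   40: Key           HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
----------------------------------------------------------------------------
unknown.exe pid: 1744 PLUNDER\\andrew
   14: File          C:\\Documents and Settings\\andrew\\Cookies\\index.dat
   1c: File          C:\\Documents and Settings\\andrew\\My Documents\\report.doc
"""

# "IMAGE pid: N USER"; the user may contain spaces (NT AUTHORITY\SYSTEM).
PROC_RE = re.compile(r"^(\S+)\s+pid:\s+(\d+)\s+(.*)$")
# "  hhh: Type [(RW-)] Name"; the access column in parentheses is optional
# (assumed present only in later Handle versions, absent in the page's v2.10).
HANDLE_RE = re.compile(r"^\s+([0-9A-Fa-f]+):\s+(\S+)\s+(?:\([^)]*\)\s+)?(.*)$")


@dataclass(frozen=True)
class OpenHandle:
    image: str
    pid: int
    user: str
    handle: int   # handle value, parsed from hex
    kind: str     # File, Section, Key, ...
    name: str


def parse_handle_output(text):
    """Turn a Handle transcript into a flat list of OpenHandle records."""
    records, proc = [], None
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            proc = (m.group(1), int(m.group(2)), m.group(3).strip())
            continue
        m = HANDLE_RE.match(line)
        if m and proc is not None:
            image, pid, user = proc
            records.append(OpenHandle(image, pid, user, int(m.group(1), 16),
                                      m.group(2), m.group(3).strip()))
    return records


def owners_of(records, name_fragment):
    """Like `handle <filename>`: (image, pid) pairs holding a handle whose
    name contains the fragment, case-insensitively, ordered by pid."""
    frag = name_fragment.lower()
    return sorted({(r.image, r.pid) for r in records if frag in r.name.lower()},
                  key=lambda t: t[1])


def files_of(records, image_fragment, kind="File"):
    """Like `handle -p <image>`: names of handles of the given type held by
    processes whose image name contains the fragment."""
    frag = image_fragment.lower()
    return [r.name for r in records if frag in r.image.lower() and r.kind == kind]


def unexpected_images(records, baseline):
    """Image names in the snapshot that are not in a known-good baseline set."""
    known = {b.lower() for b in baseline}
    return sorted({r.image for r in records if r.image.lower() not in known})


if __name__ == "__main__":
    recs = parse_handle_output(SAMPLE_OUTPUT)
    for image in unexpected_images(recs, {"iexplore.exe", "svchost.exe"}):
        print(f"not in baseline: {image}")
        for name in files_of(recs, image):
            print(f"  opens {name} (also held by {owners_of(recs, name)})")
```

In practice you would feed it `handle -a` output captured to a file (the `-a` option is needed for the Key entries to appear at all), and keep the baseline set from a snapshot of a known-clean machine.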



Network Security Hacks: Tips & Tools for Protecting Your Privacy
ISBN: 0596527632
Year: 2006
Pages: 158