How do you discover which process has an open handle on a file? Specifically, how do you do this programmatically?

A: 

Process Explorer from Sysinternals will tell you this.

Jesse Weigert
Exactly, how does it do it?
fryguybob
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
young
A: 

There may be an API for it, I don't know. If there is, it may be an API in the kernel.

Another possibility (sorry to be vague, but I'm answering this now in case no-one else posts a better answer) is that there is no (documented) API, and that the programs which do it do so by using undocumented knowledge of the contents of the handle, and/or of the memory which the handle (when treated as a pointer) is pointing to: for example, I found A Process' Kernel Object Handle Table, and I think that that (people saying that they had reverse-engineered undocumented memory structures) is what I remember reading in the Softice manual years ago.

One place to look for more information might be File System Filter Drivers.

Another (perhaps better) way might be to use depends or dumpbin /imports to try to see what APIs the relevant Sysinternals program is using.

ChrisW