This sub-section describes how to identify the processes that are using a volume from the saved command output files. (The procedure is the same when the openfiles.exe /query /v output file is used.)
handle.exe -a output format
With Handle v3.42, handle -a displays information in the following format. Other versions of Handle may not produce the format shown below.
The handle information is displayed per process, one section for each process.
Each section is separated by a dashed line. The process name and process ID are displayed on the line below the dashed line, and the handles that the process holds are listed below that.
Example
[Output example for handle.exe -a]
Handle v3.42
Copyright (C) 1997-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

------------------------------------------------------------------------------
System pid: 4 NT AUTHORITY\SYSTEM
    4: Process       System(4)
    8: Thread        System(4): 12
    :
    :
 1FF8: File  (---)   \Device\Tcp
------------------------------------------------------------------------------
smss.exe pid: 1424 NT AUTHORITY\SYSTEM
    4: KeyedEvent    \KernelObjects\CritSecOutOfMemoryEvent
    8: Event
    :
    :
   70: Port
------------------------------------------------------------------------------
csrss.exe pid: 1840 NT AUTHORITY\SYSTEM
    4: Key           HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    8: KeyedEvent    \KernelObjects\CritSecOutOfMemoryEvent
    :
    :
  A28: Thread        lsass.exe(840): 4084
------------------------------------------------------------------------------
winlogon.exe pid: 1976 NT AUTHORITY\SYSTEM
    4: Key           HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    8: KeyedEvent    \KernelObjects\CritSecOutOfMemoryEvent
    :
    :
  86C: Key           HKCR
------------------------------------------------------------------------------
services.exe pid: 812 NT AUTHORITY\SYSTEM
    4: KeyedEvent    \KernelObjects\CritSecOutOfMemoryEvent
    8: Event
    :
    :
Investigation procedure using handle.exe -a output information
Identify the process by the following procedure.
1. Open the file in which the handle.exe -a output was saved in a text editor.
2. Search for every line that contains the drive letter or mount point of the volume in error.
3. For each line found in step 2, scroll upward to the nearest dashed line to find the process name and process ID of the process that caused the error.
Example
[Example: Searching the handle.exe -a output information for "X:"]
svchost.exe pid: 1884 NT AUTHORITY\SYSTEM          <-- The process using "X:"
    4: KeyedEvent    \KernelObjects\CritSecOutOfMemoryEvent
    8: Event
    :
    :
  EA0: File  (RWD)   X:\$Extend\$ObjId             <-- The line including "X:"
    :
    :
If the process using the volume is a service, identify that service by looking up the process in the tasklist /svc output information.
Example
[Example: Searching the tasklist /svc output information for process name svchost.exe and process ID 1884]
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                      1424 N/A
csrss.exe                     1840 N/A
winlogon.exe                  1976 N/A
services.exe                   812 Eventlog, PlugPlay
lsass.exe                      840 HTTPFilter, kdc, Netlogon, NtLmSsp,
                                   PolicyAgent, ProtectedStorage, SamSs
svchost.exe                   1132 DcomLaunch
svchost.exe                   1692 RpcSs
svchost.exe                   1736 Dhcp, Dnscache
svchost.exe                   1808 Alerter, LmHosts, W32Time
svchost.exe                   1884 AeLookupSvc, BITS, Browser, CryptSvc,
                                   dmserver, EventSystem, helpsvc,
                                   lanmanserver, lanmanworkstation, Netman,
                                   Nla, NtmsSvc, Schedule, seclogon, SENS,
                                   ShellHWDetection, TrkWks, winmgmt,
                                   wuauserv, WZCSVC
ccSetMgr.exe                  2036 ccSetMgr
    :
    :
As in the example above, one process can host multiple services. In that case, determine which service is causing the error by stopping each of the listed services one at a time. (In the example, the "TrkWks" service, whose display name is "Distributed Link Tracking Client", is the one using "X:\$Extend\$ObjId".)
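The three steps above (search the handle.exe -a file for the volume, attribute each hit to its process section, then look the process ID up in tasklist /svc) can be automated when the saved files are large. The following Python script is an added example and is not part of this document or of the Sysinternals tools; it parses the Handle v3.42 and tasklist /svc formats shown in this sub-section. The embedded sample data is taken from the examples above, except for the ccSetMgr.exe handle line and the wrapped layout of the Services column, which are constructed for illustration; real tasklist /svc output wraps long service lists onto indented continuation lines in the same way. Function names such as identify are the example's own.

```python
import re
from typing import Dict, List

# Constructed sample input, after the examples in this sub-section.
HANDLE_SAMPLE = r"""
Handle v3.42
Copyright (C) 1997-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

------------------------------------------------------------------------------
System pid: 4 NT AUTHORITY\SYSTEM
    4: Process       System(4)
    8: Thread        System(4): 12
 1FF8: File  (---)   \Device\Tcp
------------------------------------------------------------------------------
svchost.exe pid: 1884 NT AUTHORITY\SYSTEM
    4: KeyedEvent    \KernelObjects\CritSecOutOfMemoryEvent
    8: Event
  EA0: File  (RWD)   X:\$Extend\$ObjId
------------------------------------------------------------------------------
ccSetMgr.exe pid: 2036 NT AUTHORITY\SYSTEM
   1C: File  (RW-)   C:\Windows\Temp\example.log
"""

TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
services.exe                   812 Eventlog, PlugPlay
svchost.exe                   1884 AeLookupSvc, BITS, Browser, CryptSvc,
                                   dmserver, EventSystem, helpsvc,
                                   lanmanserver, lanmanworkstation, Netman,
                                   Nla, NtmsSvc, Schedule, seclogon, SENS,
                                   ShellHWDetection, TrkWks, winmgmt,
                                   wuauserv, WZCSVC
ccSetMgr.exe                  2036 ccSetMgr
"""

# "<image> pid: <pid> <user>" header that follows each dashed separator
PROC_HEADER = re.compile(r"^(?P<image>\S+)\s+pid:\s+(?P<pid>\d+)\s*(?P<user>.*)$")
# "<hex handle>: <type> [(<access>)] <object name>"
HANDLE_LINE = re.compile(
    r"^\s*(?P<id>[0-9A-Fa-f]+):\s+(?P<type>\w+)\s*(?:\((?P<access>[^)]*)\))?\s*(?P<name>.*)$")
# tasklist /svc row; image names may contain spaces, so match non-greedily
TASKLIST_ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def parse_handle_output(text: str) -> List[dict]:
    """Split handle -a output into one record per process section."""
    procs: List[dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("----"):
            current = None                       # a new process header follows
            continue
        if current is None:
            m = PROC_HEADER.match(line.strip())
            if m:
                current = {"image": m["image"], "pid": int(m["pid"]),
                           "user": m["user"].strip(), "handles": []}
                procs.append(current)
            continue                             # banner text before the first section
        m = HANDLE_LINE.match(line)
        if m:
            current["handles"].append({"id": m["id"], "type": m["type"],
                                       "access": m["access"], "name": m["name"].strip()})
    return procs


def on_volume(name: str, volume: str) -> bool:
    """True if an object name lies on the volume (a drive letter such as 'X:'
    or a mount point directory); Windows paths compare case-insensitively."""
    vol = volume.rstrip("\\").upper()
    n = name.upper()
    return n == vol or n.startswith(vol + "\\")


def find_volume_users(procs: List[dict], volume: str) -> List[dict]:
    """Steps 2 and 3: every handle naming the volume, attributed to its process."""
    return [{"image": p["image"], "pid": p["pid"], "access": h["access"], "handle": h["name"]}
            for p in procs for h in p["handles"] if on_volume(h["name"], volume)]


def parse_tasklist_svc(text: str) -> Dict[int, List[str]]:
    """Map PID -> hosted service names; indented lines continue the previous row."""
    services: Dict[int, List[str]] = {}
    last_pid = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        if line[0].isspace() and last_pid is not None:
            names = line                         # wrapped continuation of the Services column
        else:
            m = TASKLIST_ROW.match(line)
            if not m:
                continue
            last_pid = int(m["pid"])
            services.setdefault(last_pid, [])
            names = m["services"]
        services[last_pid].extend(s.strip() for s in names.split(",")
                                  if s.strip() and s.strip() != "N/A")
    return services


def identify(handle_text: str, tasklist_text: str, volume: str) -> List[dict]:
    """Whole procedure: processes holding the volume plus the services each hosts
    (an empty list means the holder is a plain executable, not a service host)."""
    svc_by_pid = parse_tasklist_svc(tasklist_text)
    hits = find_volume_users(parse_handle_output(handle_text), volume)
    for hit in hits:
        hit["services"] = svc_by_pid.get(hit["pid"], [])
    return hits


if __name__ == "__main__":
    for r in identify(HANDLE_SAMPLE, TASKLIST_SAMPLE, "X:"):
        print(f'{r["image"]} (pid {r["pid"]}) holds {r["handle"]} [{r["access"]}]')
        print("  candidate services:", ", ".join(r["services"]) or "(none)")
```

When a hit resolves to a svchost.exe instance with many services, the script only narrows the list; the one-at-a-time service stop described above is still needed to confirm which service holds the handle.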