1.6.5 How to Investigate Process Where Volume Is Used

This section describes how to investigate processes using the volume from the output result of "openfiles.exe /query /v".

Specify the process using the following procedures.

Open the save destination file of "openfiles.exe /query /v" in text editor.
Search all lines including drive letters in error volumes or mount point.
Specify the error caused process ID and process name by scrolling up from the each line that is retrieved above 2.

Example

Search the output result of "openfiles.exe /query /v" by the string "X:"

ID    Accessed By     PID      Process Name         Open File (Path\executable)
===== =============== ======== ==================== ==========================================
64    user1           5752     rdpclip.exe          C:\Windows\System32
220   user1           5752     rdpclip.exe          C:\Windows\System32\ja-jp\rdpclip.exe.mui
:
:
72    user1           1884     svchost.exe          X:\$Extend\$ObjId   <= Line containing "X:"
                      ^^^^     ^^^^^^^^^^^
              Process ID and process name using "X:"

In case that the process using the volume is a service, this service is determined by referring to the output result of "tasklist /svc".

Example

Search the output result of "tasklist /svc" by process name:svchost.exe and process ID:1884

Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                      1424 N/A
csrss.exe                     1840 N/A
winlogon.exe                  1976 N/A
services.exe                   812 Eventlog, PlugPlay
lsass.exe                      840 HTTPFilter, kdc, Netlogon, NtLmSsp,
                                   PolicyAgent, ProtectedStorage, SamSs
svchost.exe                   1132 DcomLaunch
svchost.exe                   1692 RpcSs
svchost.exe                   1736 Dhcp, Dnscache
svchost.exe                   1808 Alerter, LmHosts, W32Time
svchost.exe                   1884 AeLookupSvc, BITS, Browser, CryptSvc,
                                   dmserver, EventSystem, helpsvc,
                                   lanmanserver, lanmanworkstation, Netman,
                                   Nla, NtmsSvc, Schedule, seclogon, SENS,
                                   ShellHWDetection, TrkWks, winmgmt,
                                   wuauserv, WZCSVC
ccSetMgr.exe                  2036 ccSetMgr
                     :

A process can be used by multiple services like the above example. In this case, determine the service causing the error by stopping each corresponding service one by one. ("TrkWks" service, whose service display name is "Distributed Link Tracking Client", is using "X:\$Extend\$ObjId".)