101

One of my favourite tools for linux is lsof - a real swiss army knife!

Today I found myself wondering which programs on a WinXP system had a specific file open. Is there any equivalent utility to lsof? Additionally, the file in question was over a network share so I'm not sure if that complicates matters.

Anderson Green
  • 30,230
  • 67
  • 195
  • 328
Daniel Fone
  • 2,825
  • 2
  • 23
  • 20

10 Answers10

86

Use Process Explorer from the Sysinternals Suite, the Find Handle or DLL function will let you search for the process with that file open.

Jay Hofacker
  • 3,439
  • 20
  • 14
  • 2
    Does this really answer the question? Process Explorer lets you see which files are open for a particular process/handle/dll/whatever, but that's the reverse mapping. See my answer http://stackoverflow.com/questions/15708/lsof-equivalent-for-windows#188337 to this question. – Greg Mattes Oct 09 '08 at 17:37
  • 8
    Yes it does. Click on Find Handle or Dll (or hit Ctrl-F) , type in the name of the file you are searching for, and you end up with a list of processes with that file open. – Jay Hofacker Oct 10 '08 at 00:07
  • Process Explorer has now been renamed and bundled into "Process Monitor". – Matthew McCullough Feb 26 '09 at 15:46
  • 8
    @MatthewMcCullough Any references? You are incorrect, [Process Explorer](http://technet.microsoft.com/en-us/sysinternals/bb896653) and [Process Monitor](http://technet.microsoft.com/en-us/sysinternals/bb896645) are two different utilities. – Alois Mahdal Mar 21 '12 at 09:48
  • 3
    Does Process Explorer have a command-line interface? – Anderson Green Feb 22 '13 at 19:44
  • 1
    This was so awesome. I knew about Process Explorer but not the ^F trick, and it just helped me track a bug where my application could not delete its own lock file. (The culprit was "Immunet 3.0 Agent", free antivirus software that is apparently worth every penny.) I really don't understand the obsession with marking tips like this "off topic". Programmers need tools. – Robert Calhoun Jan 17 '14 at 15:19
  • @MatthewMcCullough Correction. FileMon and RegMon are now bundled into [Process Monitor v3.2](https://technet.microsoft.com/en-us/sysinternals/bb896645) on versions of Windows starting with Windows 2000 SP4, Windows XP SP2, Windows Server 2003 SP1, and Windows Vista. – Lucky Aug 17 '15 at 09:39
  • It's working, but very slow. It takes more than 5 minutes to find that on my computer. – oldherl Jul 30 '21 at 07:05
  • It appears on the process explorer web page there is a link to a command line utility "handle" to do this on the command line. – rogerdpack Aug 06 '21 at 19:00
48

The equivalent of lsof -p pid is the combined output from sysinternals handle and listdlls, ie

handle -p pid
listdlls -p pid

you can find out pid with sysinternals pslist.

peterh
  • 11,875
  • 18
  • 85
  • 108
  • Does this come with a standard windows installation like Windows 10? – Morten Sep 22 '20 at 20:09
  • @Morten sysinternals is an external Microsoft package that "every" windows developer installs, but it does not come with the box. but they are small and easily shipped with your application (we do something like that to install our java application as a windows service). – oligofren Jun 02 '21 at 12:42
11

Try Handle. Filemon & Regmon are also great for trying to figure out what the duce program foo is doing to your system.

slipsec
  • 3,004
  • 3
  • 34
  • 46
  • 1
    @slipsec FileMon and Regmon are now replaced by [Process Monitor v3.2](https://technet.microsoft.com/en-us/sysinternals/bb896645) on versions of Windows starting with Windows 2000 SP4, Windows XP SP2, Windows Server 2003 SP1, and Windows Vista. – Lucky Aug 17 '15 at 09:35
  • Thanks, Process Explorer for some reason does not find the handle, but the handle64 does, very helpful. – Rostislav Matl Feb 23 '22 at 12:21
9

One equivalent of lsof could be combined output from Sysinternals' handle and listdlls, i.e.:

c:\SysInternals>handle
[...]
------------------------------------------------------------------------------
gvim.exe pid: 5380 FOO\alois.mahdal
   10: File  (RW-)   C:\Windows
   1C: File  (RW-)   D:\some\locked\path\OpenFile.txt
[...]

c:\SysInternals>listdlls
[...]
------------------------------------------------------------------------------
Listdlls.exe pid: 6840
Command line: listdlls

  Base        Size      Version         Path
  0x00400000  0x29000   2.25.0000.0000  D:\opt\SysinternalsSuite\Listdlls.exe
  0x76ed0000  0x180000  6.01.7601.17725  C:\Windows\SysWOW64\ntdll.dll
[...]

c:\SysInternals>listdlls

Unfortunately, you have to "run as Administrator" to be able to use them.

Also listdlls and handle do not produce continuous table-like form so filtering filename would hide PID. findstr /c:pid: /c:<filename> should get you very close with both utilities, though

c:\SysinternalsSuite>handle | findstr /c:pid: /c:Driver.pm
System pid: 4 \<unable to open process>
smss.exe pid: 308 NT AUTHORITY\SYSTEM
avgrsa.exe pid: 384 NT AUTHORITY\SYSTEM
[...]
cmd.exe pid: 7140 FOO\alois.mahdal
conhost.exe pid: 1212 FOO\alois.mahdal
gvim.exe pid: 3408 FOO\alois.mahdal
  188: File  (RW-)   D:\some\locked\path\OpenFile.txt
taskmgr.exe pid: 6016 FOO\alois.mahdal
[...]

Here we can see that gvim.exe is the one having this file open.

Alois Mahdal
  • 10,763
  • 7
  • 51
  • 69
6

Try Unlocker.

The Unlocker site has a nifty chart (scroll down after following the link) that shows a comparison to other tools. Obviously such comparisons are usually biased since they are typically written by the tool author, but the chart at least lists the alternatives so that you can try them for yourself.

Greg Mattes
  • 33,090
  • 15
  • 73
  • 105
  • 5
    Unlocker only lists locked files, not opened files. Most Windows software locks the DLL it uses but not your documents. – Tobias Mar 26 '10 at 10:26
  • Anyone has comparison between it and http://www.iobit.com/en/iobit-unlocker.php please? – xpt Jul 10 '22 at 16:41
6

If the file is a .dll then you can use the TaskList command line app to see whose got it open:

TaskList /M nameof.dll
Sean
  • 60,939
  • 11
  • 97
  • 136
4

There is a program "OpenFiles", seems to be part of windows 7. Seems that it can do what you want. It can list files opened by remote users (through file share) and, after calling "openfiles /Local on" and a system restart, it should be able to show files opened locally. The latter is said to have performance penalties.

anonymous
  • 51
  • 2
  • 2
    I come here looking for a way to find out who's preventing me from deleting a folder and avoid a restart, and I find the command I need requires a config setup that ... you guessed it.... requires a restart. How very very windows. – Gus Nov 02 '16 at 22:18
  • folks, be aware that the openfiles command takes a LONG time to run (on the order of 4 minutes)! – NH. Nov 19 '18 at 20:17
3

Use Process Explorer to find the process id. Then use Handle to find out what files are open.

Eg handle -p

I like this approach because you are using utilities from Microsoft itself.

pushNpop
  • 1,954
  • 3
  • 16
  • 17
2

If you right-click on your "Computer" (or "My Computer") icon and select "Manage" from the pop-up menu, that'll take you to the Computer Management console.

In there, under System Tools\Shared Folders, you'll find "Open Files". This is probably close to what you want, but if the file is on a network share then you'd need to do the same thing on the server on which the file lives.

Matt Hamilton
  • 200,371
  • 61
  • 386
  • 320
  • 5
    Note that this only shows shared files that are open by other network users. It doesn't help find files that are open on the local system. Doing this on the server would probably tell you which user had the file open, but not which program on that user's machine. Process Explorer (as mentioned by @JayHofacker) worked well for me. – tomlogic Feb 27 '12 at 21:45
2

In OpenedFilesView, under the Options menu, there is a menu item named "Show Network Files". Perhaps with that enabled, the aforementioned utility is of some use.

M8R-qpgep8
  • 21
  • 1