I am trying to create an application that closes open file handles of other processes. Aside from the fact that this causes instabilities in applications, I would like to proceed with this exercise. I have been successful in enumerating processes that have open handles or locks to particular files using this example (download link). Put simply, I am left with either a SYSTEM_HANDLE object or a duplicate of it (of type HANDLE):

```cpp
SYSTEM_HANDLE handle = handleInfo->Handles[i];
HANDLE dupHandle = NULL;
if (!NT_SUCCESS(NtDuplicateObject(processHandle, (HANDLE)handle.Handle, GetCurrentProcess(), &dupHandle, 0, 0, 0)))
{
    continue;
}
```

I have tried closing the SYSTEM_HANDLE with no luck:

```cpp
wcout << "Found " << fullPath << " in process " << process << "." << endl;
if (CloseHandle((HANDLE)handle.Handle))
{
    wcout << "Closed handle successfully." << endl;
}
```

The SYSTEM_HANDLE structure is defined as:

```cpp
typedef struct _SYSTEM_HANDLE
{
    ULONG ProcessId;
    BYTE ObjectTypeNumber;
    BYTE Flags;
    USHORT Handle;
    PVOID Object;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, *PSYSTEM_HANDLE;
```

The application lies to me because it prints out "Closed handle successfully.", yet when I enumerate open handles of it again, this handle shows up. If, for example, I use an application like LockHunter to close the handle, if I enumerate it again, it does not show up. How can I close this handle?

Alexandru
  • possible duplicate of [Remove file locked by another process](http://stackoverflow.com/questions/26482721/remove-file-locked-by-another-process) – Raymond Chen Oct 30 '14 at 14:17
  • @RaymondChen That question is too broad to be a duplicate. Titled as "Remove file locked by another process", it's an extremely open-ended question, and not many people are going to find what they are looking for if that's the only thing on this topic on Stack. The question itself reads, "...maybe someone faced this case before and you can give me/us an example on possible ways to bypass this lock in test code"; maybe it's just me but to bypass a lock there's a number of things you can do, like terminate the locking process for one, etc., so I can't see this as a duplicate question of that. – Alexandru Oct 30 '14 at 16:10
  • The problem in the proposed duplicate is "How do I close a handle in another process?" which is also what you're trying to do. – Raymond Chen Oct 30 '14 at 20:52
  • @RaymondChen It's not worded that way. That's just the way you interpreted the question. – Alexandru Oct 30 '14 at 21:10
  • Not sure what your comments have to do with closing handles. I think you should start a new question. – Raymond Chen Sep 09 '15 at 02:09
  • I think you have confused StackOverflow with a product support channel. – Raymond Chen Sep 09 '15 at 03:18
  • There are already feedback channels for reporting these problems. Please use them. I do not work in customer support. – Raymond Chen Sep 09 '15 at 15:20
  • @RaymondChen Something this Intel Management Engine Interface driver does stops Windows from booting, so it may be a good idea to check the boot code for Windows 10 to see why and perhaps publish a fix for it, because drivers like these shouldn't have the power to stop the OS and also because it's a liability. Sorry for using Stack Overflow like this to contact you as you put it, as a "Support Channel", but maybe getting in touch with one of the few people that can do something about this is a good idea. I'm not doing it for me, but for the sake of other people out there. – Alexandru Sep 17 '15 at 20:27

1 Answer

I should have read my own link a little bit better, as wj32 clearly states:

(Step 3: Closing remote handles) To close handles opened by other processes, you simply call DuplicateHandle with DUPLICATE_CLOSE_SOURCE (1) specified in the options parameter (it's documented on the MSDN page for DuplicateHandle, so go read it). You can specify NULL for the target process handle and target handle parameters. For example:

```cpp
DuplicateHandle(handleToTheRemoteProcess, theRemoteHandle, NULL, NULL, 0, FALSE, 0x1);
```

Although in my case, judging from the code, NtDuplicateObject should do the same trick if I pass in DUPLICATE_CLOSE_SOURCE.

Alexandru
  • Just tested this and it works: `NtDuplicateObject(processHandle, (HANDLE)handle.Handle, 0, 0, 0, 0, 1);` – Alexandru Oct 31 '14 at 02:26
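
Why the `CloseHandle` attempt in the question reports success while the `DUPLICATE_CLOSE_SOURCE` call in the answer works, shown as an added example that is not code from the original posts or from wj32: a portable toy model of per-process handle tables, not Windows API code. The `Process` and `Object` types and all function names are hypothetical; only the flag value 0x1 comes from the page.

```c
#include <stddef.h>
/* Toy model (constructed, not Windows code): each process owns a handle
   table, and a handle value is only an index into that one table. */
#define SLOTS 8
#define DUPLICATE_CLOSE_SOURCE 0x1 /* same value as the Win32 flag */
typedef struct { const char *name; int refs; } Object;
typedef struct { Object *table[SLOTS]; } Process;

/* Put obj in the first free slot of p; returns the handle value or -1. */
int open_handle(Process *p, Object *obj) {
    for (int h = 1; h < SLOTS; h++)
        if (!p->table[h]) { p->table[h] = obj; obj->refs++; return h; }
    return -1;
}

/* Models CloseHandle: always resolves h in the caller's own table. */
int close_handle(Process *caller, int h) {
    if (h <= 0 || h >= SLOTS || !caller->table[h]) return 0;
    caller->table[h]->refs--; caller->table[h] = NULL;
    return 1;
}

/* Models DuplicateHandle/NtDuplicateObject: resolves h in src's table. dst
   may be NULL; the flag closes the source even if duplication failed. */
int duplicate_handle(Process *src, int h, Process *dst, int *out, int opts) {
    if (h <= 0 || h >= SLOTS || !src->table[h]) return 0;
    int d = dst ? open_handle(dst, src->table[h]) : 0;
    if (dst && d > 0 && out) *out = d;
    if (opts & DUPLICATE_CLOSE_SOURCE) close_handle(src, h);
    return d >= 0;
}

/* The question's attempt: 1 if the file is still open in `other`. */
int still_open_after_local_close(void) {
    Object file = {"locked.txt", 0}, own = {"own.log", 0};
    Process other = {{0}}, self = {{0}};
    int remote = open_handle(&other, &file); /* value 1 in other */
    open_handle(&self, &own);                /* value 1 in self as well */
    int ok = close_handle(&self, remote);    /* succeeds, closes own.log */
    return ok && other.table[remote] == &file && own.refs == 0;
}

/* The answer's fix: 1 if the handle is gone from `other` afterwards. */
int closed_after_close_source(void) {
    Object file = {"locked.txt", 0};
    Process other = {{0}};
    int remote = open_handle(&other, &file);
    int ok = duplicate_handle(&other, remote, NULL, NULL, DUPLICATE_CLOSE_SOURCE);
    return ok && !other.table[remote] && file.refs == 0;
}
```

In the model, the local close returns success because the same numeric value happens to be valid in the caller's own table, which is the "Closed handle successfully." symptom from the question.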