Deleting a file used by another process.
-
I have been trying to delete files that are kept open by another process. For this, I took the handle of the file, duplicated it and then called CloseHandle with that handle. It works fine for almost all files. But in some cases, even though I was able to close the handle, I couldn't delete it. I am able to rename it also. For example, the event log files like CstEvent.Evt, AppEvent.Evt etc. in the "C:\WINDOWS\system32\config" folder (these files are used by services.exe). If anyone knows the reason, please tell me. Thanks
nave [OpenedFileFinder]
Is it within your design to delete the file at the next system startup?
"Love people and use things, not love things and use people." - Unknown
"To have a respect for ourselves guides our morals; to have deference for others governs our manners." - Laurence Sterne
-
Iain Clarke wrote:
I'm really struggling to think of a legitimate reason to do what you're asking, and many bad ones.
:). Not for anything bad. Actually I want to extend a feature in one of my utilities, OpenFileFinder. In the initial stage I didn't give the close handle option purposefully, because I was also afraid that it may lead the application to an unstable state. But later I found that option is also a good one, when we cannot terminate the process (like terminating service.exe will make the entire system unstable). So I added that option. I tried closing the handle using Process Explorer also. But that also gave me the same result. But with the UnLocker utility, I can delete the file. I couldn't understand what he has done in it :(.
Iain Clarke wrote:
Frankly, I'm surprised you can even rename those files while they're still opened.
No no. I mean, I can rename the file after calling CloseHandle with the handle.
nave [OpenedFileFinder]
Unlocker utilizes a driver "\\DosDevices\\UnlockerDriver5" to unlink the handle from the kernel's internal handle linked list. The driver file image is named 'UnlockerDriver5.sys' and resides in the installation folder. For most locked files it is using UnlockerHook.dll, which is closing the file handle from inside the remote process. For those files locked by the SYSTEM it uses the driver. I highly recommend that you do not duplicate this 'unlocking' behavior. Best Wishes, -David Delaune
-
Is it within your design to delete the file at the next system startup?
no :(
nave [OpenedFileFinder]
-
Randor wrote:
For most locked files it is using UnlockerHook.dll which is closing the file handle from inside the remote process
Exactly. I too found the CreateFile and WriteFile calls with this driver during the program flow.
Randor wrote:
For most locked files it is using UnlockerHook.dll which is closing the file handle from inside the remote process
So you are saying that if I try to close the handle opened by service.exe, it is using the UnlockerHook.dll?? So any guess which function it might be calling? A similar way I tried is using CreateRemoteThread(), passing the address of CloseHandle as the function entry and the handle as the parameter to it. In that case also the handle closed successfully, but I couldn't delete the file.
nave [OpenedFileFinder]
-
Can you rename the file and then delete it?
-
No I am not able to delete it even after renaming...
nave [OpenedFileFinder]
-
Did you check close threads or suspend threads of that process?
-
Hamid. wrote:
Did you check close threads or suspend threads of that process?
Terminating the thread of that process is not possible. Also I don't know which thread of the process opened that handle. BTW do you think the file handle has any relation with the thread that created it?
nave [OpenedFileFinder]
-
I guess yeah (but not sure). I saw this case with Explorer (I think it has 57 threads) on XP, and I also agree with you that it's not a safe way to terminate threads, but when you told that you could CloseHandle but you can't delete the file.
-
Hamid. wrote:
I guess yeah (but not sure). I saw this case with Explorer (I think it has 57 threads) on XP and
I would like to know more about this. You mean you have faced a scenario like "Renaming is possible but deletion is not possible" with Explorer?
nave [OpenedFileFinder]
-
I am also facing the same situation as you: I need to delete a file which is locked by another process. But I still do not know the solution. For your reference, here is the code to do this, but this application is also not very successful at deleting. http://sourceforge.net/project/showfiles.php?group_id=151239 In my case I need to delete the locked file, and again create it using a linker (ILINK32.exe) to produce a DLL. Even when using Unlocker to delete the file, it is not possible to create the same file. The linker gives me an error like "Cannot release virtual memory at addr xxxx for xxxxx bytes".
-
It will not work for me also. He is just closing the handle using CreateRemoteThread, which I already explained here: http://www.codeproject.com/script/Forums/View.aspx?fid=1647&msg=2552620 From your name it seems you're a Malayalee? Aren't you? :)
nave [OpenedFileFinder]
-
It goes back 2 or 3 years, to when I tried to monitor and control my system. I saw we have a lot of details on the memory and the memory of processes. For example, I deleted all threads of Explorer except one or two threads of it, but it worked without a problem. I tried copy/move/paste/open new window and other actions, but it didn't show me any error. But when I deleted a thread of it, then it finished; it was like when you close it from Task Manager. But your problem is like when you want to close some processes that depend on an antivirus: you can't delete them until you deactivate the antivirus. But I have a suggestion for you: you can't test this action on your system (and the answer is determined, because it's harmful for your system), but you can test your program on a virtual PC with an OS.
-
Thanks for the information. Anyhow, I cannot do this because I don't know which thread of the application opened the file.
nave [OpenedFileFinder]
-
poda wrote:
SetFileAttributes(FileName,FILE_SHARE_DELETE);
FILE_SHARE_DELETE is used along with the CreateFile() API. It cannot be used in SetFileAttributes() function.
nave [OpenedFileFinder]
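The point in the reply above, that FILE_SHARE_DELETE is a share mode chosen when a handle is opened rather than a file attribute, shown as an added example that is not part of the thread. It assumes Windows and uses .NET's `FileShare.Delete`, which corresponds to FILE_SHARE_DELETE in CreateFile(); the function name and the scratch file are hypothetical.

```powershell
# Added example: how the share mode of an open handle decides whether
# another caller may delete the file. Uses a constructed scratch file only.
function Test-DeleteWhileOpen {
    param([System.IO.FileShare]$Share)

    $path = Join-Path ([System.IO.Path]::GetTempPath()) ([System.IO.Path]::GetRandomFileName())
    [System.IO.File]::WriteAllText($path, 'constructed sample data')

    # The share mode is fixed here, at open time (dwShareMode in CreateFile).
    $fs = [System.IO.File]::Open($path, [System.IO.FileMode]::Open,
                                 [System.IO.FileAccess]::Read, $Share)
    try {
        try {
            [System.IO.File]::Delete($path)
            $deleted = $true
        } catch [System.IO.IOException] {
            # Sharing violation: the open handle was not opened with delete sharing.
            $deleted = $false
        }
    } finally {
        $fs.Dispose()
    }

    $existsAfterClose = Test-Path -LiteralPath $path
    if ($existsAfterClose) { Remove-Item -LiteralPath $path }   # clean up the scratch file

    [pscustomobject]@{
        ShareMode        = $Share
        DeleteSucceeded  = $deleted
        ExistsAfterClose = $existsAfterClose
    }
}

# Handle opened without delete sharing: the delete attempt is refused.
Test-DeleteWhileOpen -Share 'Read'
# Handle opened with delete sharing: the delete is accepted while the handle is open.
Test-DeleteWhileOpen -Share 'ReadWrite,Delete'
```

Only the process that opens the handle can grant delete sharing, which is why setting a flag on the file afterwards has no effect.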
-
I hope you find the answer early.
-
No. Which one?
nave [OpenedFileFinder]
-
It was bad grammar in my post. :-O BTW I don't know if it's effective or not: can you clear the mark of "Use simple file sharing (Recommended)" in Folder Options, and also see How To Set, View, Change, or Remove Auditing for a File or Folder. BTW (remember my advice: work on the Virtual PC).