The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 2,231 other followers

ntfs – How do you find what process is holding a file open in Windows? – Server Fault

Posted by jpluimers on 2013/03/15

First a warning: when you have found the process holding open a file, and you want to forcibly close the handle, read this post why you should not: Windows Confidential: Forcing Handles Closed.

In fact:

if you forcibly need to close a handle to salvage something, you should reboot shortly afterwards.

Back to the question at hand:

How do you find what process is holding a file open in Windows?

One thing that annoys me no end about Windows is the old “sharing violation” error. Often you can’t identify what’s holding it open. Usually it’s just an editor or explorer just pointing to a relevant directory but sometimes I’ve had to resort to rebooting my machine.

Any suggestions on how to find the culprit?

All of the below solutions require you to run with Administrative privileges.

On current Windows versions, if you run them without UAC elevation, they will miss a lot of processes. And still: under some secured environments you won’t see all processes anyway.

My preferred answer is not on the list:

Quit the application that holds the handle

All the tools that show you the handles will indicate which process holds the handle.

Often, you can just quit that process, do your job on the affected file, then relaunch that process.

When the process is Explorer, there is a neat little trick that works for Windows Vista and up:

For explorer, btw, hold ctrl-shift and right-click a blank area of the start menu, and you’ll get “Exit Explorer” – ps, not quite Jeff’s answer.. – Mark Sowul

Another answer I like is to use Handle, as it is both a command-line tool, and allows for wildcard searching:


I’ve used Handle with success to find such processes in the past.

Greg Hewgill

I use this tool all the time. If I can’t eject a USB drive, I just type “handle H:” (or whatever the drive letter). Best of all, you can use it to force close handles. – Chris Thompson

If I know the exact path, then I’ll use Process Explorer, as I have that open most of the times anyway.

Process Explorer

I’ve had success with Sysinternals Process Explorer. With this, you can search to find what process(es) have a file open, and you can use it to close the handle(s) if you want.


You can close the handle, but keep in mind, you’re pulling the rug out from under an application, results will be unpredictable at best. – WaldenL

@Walden: Absolutely. YMMV. With WinXP, I’ve many times had Explorer open a handle for no obvious reason and refuse to close it. When this happens on a file you need to delete, you have the choice of forcing the handle closed, or rebooting. So far, having done this dozens of times, I have suffered no ill effect. As with any advanced tool, use with caution and judgment. – Eddie

Closing the handles can cause the app to re-use the handle on another file, causing corruption – see Jeff’s answer below: … much safer to kill the application holding the file open, if you don’t want to reboot. – RichVel

For explorer, btw, hold ctrl-shift and right-click a blank area of the start menu, and you’ll get “Exit Explorer” – ps, not quite Jeff’s answer.. – Mark Sowul

Back again to the big fat warning. Warn this many times? Yes, warn this many times.

Be Cautious: closing handles backfire

Just be very careful with closing handles; it’s even more dangerous than you’d think, because of handle recycling – if you close the file handle, and the program opens something else, that original file handle may be reused. And now guess what happens if the program continues to work with the handle, thinking it is some other file.

see Raymond Chen’s post on this topic.

Mark Sowul

+1 for the link  – Unsigned

important warning, this should go nearer the top – a reboot is probably better than a silently corrupted file. – RichVel

Wow, very good point Mark! – David



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: