# how can I retrieve process name/ID from a target file?



## pure_evil020 (Jul 31, 2008)

Hi, I have been working on a little security program for a while, designed to assist your antivirus programs when Windows won't let them delete a virus running in the background.

For someone to successfully shred a file, they need to enter the process ID or the name of the running process.
Antivirus programs often only point to the file itself, and the virus is using a process name other than its actual file name, so sometimes it can be hard for the user to find which process is actually the virus...

I'm wondering if there is any way I can retrieve the process name from a target file, and return it to a txt file.


----------



## pure_evil020 (Jul 31, 2008)

If there is a way to achieve this by using a batch file, this would be preferable.


----------



## Squashman (Apr 4, 2003)

Not sure if there is any way to do it natively with a batch file or within the OS. But I know there are plenty of third-party utilities that will do what you want.


----------



## Squashman (Apr 4, 2003)

You should be able to use this in a batch file.
http://technet.microsoft.com/en-us/sysinternals/bb896655.aspx


----------



## tommo020788 (Oct 20, 2008)

Thanks, I have downloaded it and attempted to use it to do what I want, but I can't seem to get it to do what I want it to do...

For example, there might be a file at "C:\windows\file.exe" and its process is currently running in the background, but its actual process name\handle name comes up as "crsl" in Task Manager...

I thought if I type the following, it would identify the object's (file's) handle name as "crsl":

Handle C:\windows\file.exe or Handle name C:\windows\file.exe

When I type either of these, it says "no arguments will dump all file references".


----------



## tommo020788 (Oct 20, 2008)

FYI, I am pure_evil020.... I didn't realise I even had an account with that name XD


----------



## TheOutcaste (Aug 8, 2007)

You should use the Contact Us form or PM an Administrator and they can merge your two accounts.

Is it displaying _only_ that line, or displaying the usage info, which has that line at the bottom:

```
Handle v3.42
Copyright (C) 1997-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

usage: handle [[-a [-l]] [-u] | [-c <handle> [-y]] | [-s]] [-p <process>|<pid>] [name]
  -a      Dump all handle information.
  -l      Just show pagefile-backed section handles.
  -c      Closes the specified handle (interpreted as a hexadecimal number).
          You must specify the process by its PID.
          WARNING: Closing handles can cause application or system instability.
  -y      Don't prompt for close handle confirmation.
  -s      Print count of each type of handle open.
  -u      Show the owning user name when searching for handles.
  -p      Dump handles belonging to process (partial name accepted).
  name    Search for handles to objects with <name> (fragment accepted).

No arguments will dump all file references.
```
Which means you have a syntax error. The *No Arguments* line just means that if you type *handle* with nothing else on the line (no arguments), it will list (dump) all file handle references.

If you are typing a path with spaces, it has to be quoted.
Typing a non-existent file name should just return *No matching handles found*:

```
C:\>Handle C:\windows\file.exe

Handle v3.42
Copyright (C) 1997-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

No matching handles found.

C:\>
```
To see if any processes have an open handle to file.exe, you'd just use this, no need for the path unless there are multiple files with the same name:
*handle file.exe*

As an example, try this:
*handle windowsupdate*

This will list all processes that are accessing the WindowsUpdate.log file.
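To turn the `handle <name>` search described above into what the original poster asked for (process name and PID written to a text file), here is an added example that is not part of the thread. It parses Handle's search-mode result lines, whose layout is assumed to be `process pid: N type: File handle: path`; the sample output, process names and PIDs below are constructed.

```python
"""Map a file name to the processes holding handles to it by parsing the
search-mode output of Sysinternals Handle (added example, not from the
thread). The result-line format and the sample output are assumptions."""
import re
import subprocess
from typing import List, Tuple

# Constructed sample of what `handle file.exe` might print (names/PIDs made up).
SAMPLE_OUTPUT = """
Handle v3.42
Copyright (C) 1997-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

svchost.exe        pid: 1040   type: File          2A8: C:\\WINDOWS\\WindowsUpdate.log
crsl.exe           pid: 2044   type: File          1A8: C:\\windows\\file.exe
"""

# One search-mode result line: process name, PID, object type, handle value, path.
LINE_RE = re.compile(
    r"^(?P<proc>\S+)\s+pid:\s+(?P<pid>\d+)\s+type:\s+(?P<type>\w+)\s+"
    r"(?P<handle>[0-9A-Fa-f]+):\s+(?P<path>.+?)\s*$"
)

def parse_handle_output(text: str) -> List[Tuple[str, int, str]]:
    """Return (process name, PID, object path) for every File handle line.
    The banner and 'No matching handles found.' yield no entries."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("type") == "File":
            results.append((m.group("proc"), int(m.group("pid")), m.group("path")))
    return results

def holders_of(text: str, name_fragment: str) -> List[Tuple[str, int]]:
    """Keep only entries whose path contains name_fragment (case-insensitive):
    Handle matches fragments, so unrelated files can appear in the output."""
    frag = name_fragment.lower()
    return [(proc, pid) for proc, pid, path in parse_handle_output(text)
            if frag in path.lower()]

def query_handle(name_fragment: str) -> str:
    """Run handle.exe (assumed to be on PATH) as the thread shows and return stdout."""
    return subprocess.run(["handle", name_fragment],
                          capture_output=True, text=True).stdout

def write_report(pairs: List[Tuple[str, int]], out_path: str) -> None:
    """Write one 'process<TAB>pid' line per holder to a text file."""
    with open(out_path, "w") as f:
        for proc, pid in pairs:
            f.write(f"{proc}\t{pid}\n")
```

On a live system, `write_report(holders_of(query_handle("file.exe"), "file.exe"), "holders.txt")` produces the text file; an empty file means no process currently holds a handle to that name, which is the same condition as Handle's *No matching handles found*.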


----------



## tommo020788 (Oct 20, 2008)

I have tried using exactly what you said to use, e.g. (handle file.exe), and I have tried a number of other combinations in the hope that I had it typed the wrong way or something, but by all means it should be working...

I am now getting an error saying that there is no matching handle.
I have double checked and triple checked. Used handle in the same folder as the file I'm testing it on, tried multiple files to test it on, but it still tells me the same thing...

I am sure the file is there, so why would it be saying it's not?

If the file is in the same folder as handle.exe, then

> handle file.txt

should work, right?
If the file is opened by Notepad, it should return saying that Notepad has this file open, yes?

Here's a full quote of the line in cmd:

> C:\>handle file.txt

That's including the cmd window showing the current directory it is working in. I put it as C: so there is no mix up as to where the file is...

So any ideas what's wrong here?


----------



## tommo020788 (Oct 20, 2008)

Hi, I have tried using another tool similar to handle.exe (also made by Microsoft) called OH.exe, but when I try typing OH file.txt it comes back saying

> // exception c00000005 raised with OH process. Aborting ...

Any idea what is wrong here?


----------



## TheOutcaste (Aug 8, 2007)

tommo020788 said:


> If the file is opened by notepad, it should return saying that notepad has this file open yes?
> 
> heres a full quote of the line in cmd. thats including the cmd window showing the current directory it is working in. I put it as C: so there is no mix up as to where the file is...
> 
> ...


Notepad doesn't create a file handle, so this will not show that Notepad has the file open.

The process has to create a handle for either Handle or OH to work. If it simply starts another process and exits, there is no way to track it back, unless you are logging all disk accesses and can see what process launched the one you see running.

Otherwise, you would have to search the contents of files looking for the process name, which may not exist if it's randomly generated, and can't be found if it isn't a text string in a file. The name could be every 5th letter in a block of text, or the first letter of each word in a sentence, or any other pattern that obfuscates the process name.

For OH, it requires a Process ID, not a file name. For example, a command prompt (cmd.exe) with a PID of 1396 produces this output:

```
C:\>oh -P 1396
//
// TIME: 2009-12-06 01:43
// MACHINE: XP-RETAIL-SP3
// BUILD: 2600
// OH version:  built by: dnsrv_dev(v-smgum)
//
//
00000574 cmd.exe        KeyedEvent     0004 \KernelObjects\CritSecOutOfMemoryEvent
00000574 cmd.exe        Directory      0008 \KnownDlls
00000574 cmd.exe        File           000c \
00000574 cmd.exe        Directory      0014 \Windows
00000574 cmd.exe        WindowStation  001c \Windows\WindowStations\WinSta0
00000574 cmd.exe        WindowStation  0024 \Windows\WindowStations\WinSta0
00000574 cmd.exe        Directory      0028 \BaseNamedObjects
00000574 cmd.exe        Mutant         002c \BaseNamedObjects\SHIMLIB_LOG_MUTEX
00000574 cmd.exe        Desktop        0030 \Default
00000574 cmd.exe        Key            003c \REGISTRY\MACHINE
00000574 cmd.exe        Key            004c \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
00000574 cmd.exe        Key            005c \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
00000574 cmd.exe        Semaphore      0060 \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
00000574 cmd.exe        Event          0064 \BaseNamedObjects\userenv:  User Profile setup event
00000574 cmd.exe        File           0068 \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
00000574 cmd.exe        Key            006c \REGISTRY\USER\S-1-5-21-515967899-920026266-1957994488-500
00000574 cmd.exe        Key            0070 \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale
00000574 cmd.exe        Key            0074 \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
00000574 cmd.exe        Key            0078 \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups
00000574 cmd.exe        Mutant         0084 \BaseNamedObjects\ShimCacheMutex
00000574 cmd.exe        Section        0088 \BaseNamedObjects\ShimSharedMemory

C:\>
```


----------

