[HANDLE]

Display information about open handles for processes, useful for file lock investigation and forensic analysis

Difficulty: Intermediate
Category: Advanced

Key Features

  • Handle Enumeration: List all open handles for processes and files
  • File Lock Detection: Identify which processes are locking specific files
  • System Object Access: View handles to registry keys, events, and other objects
  • Command Line Interface: Scriptable for automated system analysis

Understanding Windows Handles

A handle is a reference to a system resource such as a file, registry key, process, thread, or synchronization object. When a process needs to access a resource, Windows creates a handle that the process uses to reference that resource.

Common Handle Types:

  • File: Open files and directories
  • Process: Running process references
  • Thread: Thread objects within processes
  • Registry: Open registry keys
  • Event: Synchronization events
  • Mutex: Mutual exclusion objects

Handle Information:

  • Process ID: Which process owns the handle
  • Handle Value: Numeric handle identifier
  • Access Rights: Permissions granted
  • Object Name: Path or name of the resource
  • Object Type: Type of system object

Basic Usage

File Handle Investigation

# Find what's locking a file
handle C:\path\to\locked_file.txt

# Search for handles to a directory
handle C:\Windows\System32

# Find handles with partial filename
handle -a logfile

Process Handle Analysis

# Show all handles for a process
handle -p 1234

# Show handles by process name
handle -p notepad.exe

# List all handles on system
handle -a

Advanced Features

Object Type Filtering

# Show only file handles
handle -a | findstr "File"

# Show registry handles
handle -a | findstr "Key"

# Show process handles
handle -a | findstr "Process"

Handle Closure (Use with Caution)

Warning: Handle closure can crash processes!
Only use the -c flag when absolutely necessary and with full understanding of the consequences.

# Close a specific handle (DANGEROUS): -c takes the hexadecimal handle value as printed in the listing, -p the owning PID
handle -c 123 -p 1234 -y

Command Line Options

Option        Description                           Example
-a            Show all handle types                 handle -a
-p <pid>      Show handles for a specific process   handle -p 1234
-u            Show unnamed handles                  handle -u -p 1234
-s            Show summary of handle types          handle -s
-c <handle>   Close a handle (dangerous; hex value) handle -c 123 -p 1234
-y            Suppress prompts                      handle -c 123 -p 1234 -y

Security Use Cases

🔍 Digital Forensics

Identify which processes are accessing critical system files.

# Check SAM database access
handle C:\Windows\System32\config\SAM

🦠 Malware Analysis

Analyze what files and resources malware is accessing.

# Check suspicious process handles
handle -p malware.exe

🚨 Incident Response

Investigate file access during security incidents.

# Find processes accessing log files
handle C:\Windows\System32\winevt

🔧 File Lock Troubleshooting

Resolve "file in use" errors by identifying blocking processes.

# Find what's locking a file
handle "\path\to\locked\file.txt"

Common Investigation Scenarios

File Deletion Issues

# Cannot delete file - find blocking process
handle "C:\temp\cannot_delete.txt"

# Check directory handles
handle "C:\temp"

# Find processes with handles to entire drive (findstr escapes the backslash as \\)
handle C:\ | findstr "C:\\"

System File Access

# Check registry access
handle -a | findstr "HKEY_LOCAL_MACHINE"

# Monitor system file access
handle C:\Windows\System32\ntdll.dll

# Check device access
handle -a | findstr "Device"

Output Interpretation

Sample Output Analysis

------------------------------------------------------------------------------
notepad.exe pid: 1234 type: File 3C8: C:\Users\john\document.txt
explorer.exe pid: 5678 type: Key 1A4: HKEY_CURRENT_USER\Software
chrome.exe pid: 9012 type: Process 2F0: <unnamed>

  • Process name: The executable holding the handle
  • PID: Process ID for identification
  • Type: Handle type (File, Key, Process, Thread, etc.)
  • Handle value: Hexadecimal handle identifier
  • Object name: Path or name of the resource
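The one-line-per-handle format shown above is what Handle prints for a name search, and it is the format a scripted investigation ends up parsing. The following parser is an added example, not part of this page or of the Sysinternals tool: it turns that output into records, answers the Basic Usage question "which processes are locking this file", applies the same type filtering the findstr one-liners do, and produces a per-type count like the -s summary. The sample text is constructed to mirror the page's output format, not captured from a real system; the capture helper assumes handle64.exe is on PATH.

```python
"""Parse Sysinternals Handle name-search output and answer lock/type questions."""
import re
import shutil
import subprocess
from collections import Counter
from dataclasses import dataclass

# Constructed sample (not from a real host), in the one-line-per-handle format
# that Handle prints for a name search such as:  handle C:\Users\john
SAMPLE_OUTPUT = r"""
------------------------------------------------------------------------------
notepad.exe        pid: 1234   type: File           3C8: C:\Users\john\document.txt
explorer.exe       pid: 5678   type: Key            1A4: HKEY_CURRENT_USER\Software
chrome.exe         pid: 9012   type: Process        2F0: <unnamed>
svchost.exe        pid: 812    type: File           5E0: C:\Windows\System32\winevt\Logs\Security.evtx
WINWORD.EXE        pid: 4410   type: File           7A4: C:\Users\john\document.txt
"""

# process  pid: N  type: T  HEX: name   (banner, separator and "No matching
# handles found." lines simply fail to match and are skipped)
LINE_RE = re.compile(
    r"^(?P<process>\S+)\s+pid:\s+(?P<pid>\d+)\s+type:\s+(?P<type>\S+)\s+"
    r"(?P<handle>[0-9A-Fa-f]+):\s+(?P<name>.*?)\s*$"
)


@dataclass(frozen=True)
class HandleRecord:
    process: str
    pid: int
    type: str
    handle: int  # numeric value; Handle prints it in hexadecimal
    name: str


def parse_handle_output(text):
    """Return one HandleRecord per matching line of Handle output."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(HandleRecord(m["process"], int(m["pid"]), m["type"],
                                        int(m["handle"], 16), m["name"]))
    return records


def find_lockers(records, path):
    """(process, pid) pairs holding a File handle on `path` or anything beneath it.

    Handle itself matches on substrings, so `C:\temp` would also hit `C:\temporary`;
    comparing against the exact path or a `path\` prefix avoids that false positive.
    """
    wanted = path.rstrip("\\").lower()
    hits = set()
    for r in records:
        name = r.name.lower()
        if r.type == "File" and (name == wanted or name.startswith(wanted + "\\")):
            hits.add((r.process, r.pid))
    return sorted(hits)


def filter_by_type(records, object_type):
    """Equivalent of `handle -a | findstr "Key"`, but matched on the type field only."""
    return [r for r in records if r.type.lower() == object_type.lower()]


def summarize_by_type(records):
    """Per-type counts, comparable to the overview `handle -s` prints."""
    return Counter(r.type for r in records)


def run_handle_search(name, exe="handle64.exe"):
    """Run a live name search (assumes Handle is on PATH); None if it is not installed."""
    path = shutil.which(exe)
    if path is None:
        return None
    proc = subprocess.run([path, "-nobanner", "-accepteula", name],
                          capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    recs = parse_handle_output(SAMPLE_OUTPUT)
    print("Locking document.txt:", find_lockers(recs, r"C:\Users\john\document.txt"))
    print("Touching winevt:", find_lockers(recs, r"C:\Windows\System32\winevt"))
    print("Registry handles:", [r.name for r in filter_by_type(recs, "Key")])
    print("Summary:", dict(summarize_by_type(recs)))
```

To work on a live system, feed the text returned by run_handle_search (or a saved redirect of handle output) into parse_handle_output in place of SAMPLE_OUTPUT; the full `handle -a` listing without a name argument uses a different, per-process block layout and needs its own parser.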

Best Practices & Tips

  • Run with administrative privileges: Administrator rights are required for complete handle visibility
  • Use specific searches: Search for specific files rather than listing all handles, for performance
  • Avoid handle closure: Never close handles unless absolutely necessary and understood
  • Combine with Process Explorer: Use Process Explorer for GUI-based handle analysis
  • Export for analysis: Redirect output to files for detailed analysis and documentation
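The last tip, exporting a listing for documentation, is worth doing in a way that lets the file be attached to an incident record and later shown to be unmodified. The script below is an added example, not part of this page or of Sysinternals: it saves a Handle listing under a UTC timestamp, writes a SHA-256 sidecar next to it, and can re-verify the pair. The capture helper assumes handle64.exe is on PATH; the sample listing in the main block is constructed.

```python
"""Save a Handle listing with a timestamp and a SHA-256 sidecar, then verify it."""
import hashlib
import shutil
import subprocess
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def capture_handle_listing(exe="handle64.exe", extra_args=("-a",)):
    """Run Handle (assumed on PATH) and return its stdout; None if it is not installed."""
    path = shutil.which(exe)
    if path is None:
        return None
    proc = subprocess.run([path, "-nobanner", "-accepteula", *extra_args],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def write_export(text, out_dir=None, label="handles"):
    """Write `text` to <label>_<UTC stamp>.txt plus a .sha256 sidecar; return (path, digest)."""
    out = Path(out_dir) if out_dir else Path(tempfile.mkdtemp(prefix="handle_export_"))
    out.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    listing = out / f"{label}_{stamp}.txt"
    listing.write_text(text, encoding="utf-8")
    digest = sha256_hex(text)
    # sha256sum-compatible line: "<hex> *<filename>"
    listing.with_suffix(".sha256").write_text(f"{digest} *{listing.name}\n", encoding="utf-8")
    return listing, digest


def verify_export(listing):
    """True if the listing still hashes to the value recorded in its sidecar."""
    listing = Path(listing)
    recorded = listing.with_suffix(".sha256").read_text(encoding="utf-8").split()[0]
    return recorded == sha256_hex(listing.read_text(encoding="utf-8"))


if __name__ == "__main__":
    live = capture_handle_listing()
    if live is None:
        # Constructed stand-in so the script runs where Handle is not installed
        live = "notepad.exe pid: 1234 type: File 3C8: C:\\Users\\john\\document.txt\n"
    path, digest = write_export(live)
    print(f"wrote {path}\nsha256 {digest}\nverified: {verify_export(path)}")
```

Keep the .txt and .sha256 together when handing the export on; verify_export is the check the recipient runs before relying on the listing.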

Get Handle

Download Handle as part of the Sysinternals Suite