Windows Host Security: Network Security Hacks - Hack 22: Get a List of Open Files and Their Owning Processes
(Page 3 of 8 )
Hack 22: Get a List of Open Files and Their Owning Processes
Look for suspicious activity by monitoring file accesses.
Suppose you’re looking at the list of processes in the task manager one day after noticing some odd behavior on your workstation, and you notice a process you haven’t seen before. Well, what do you do now? If you were running something other than Windows, you might try to determine what the process is doing by looking at the files it has open. Unfortunately, Windows doesn’t provide a tool to do this.
Sysinternals makes an excellent tool called Handle, which is available for free at http://www.sysinternals.com/ntw2k/freeware/handle.shtml. Handle is a lot like lsof [Hack #8], but it can list many other types of operating resources, including threads, events, and semaphores. It can also display open registry keys and IOCompletion structures.
Running handle without any command-line arguments will list all open file handles on the system. You can also specify a filename, which will list the processes that are currently accessing it, by typing this:
C:handle filename Or you can list only files that are opened by a particular process -- in this case Internet Explorer:
C:\> handle –p iexplore
Handle v2.10
Copyright (C) 1997-2003 Mark Russinovich
Sysinternals - www.sysinternals.com
-----------------------------------------------------------
IEXPLORE.EXE pid: 688 PLUNDER\andrew
98: Section \BaseNamedObjects\MTXCOMM_MEMORY_MAPPED_FILE
9c: Section \BaseNamedObjects\MtxWndList
12c: Section \BaseNamedObjects\__R_0000000000d4_SMem_ _
18c: File C:\Documents and Settings\andrew\Local Settings\
Temporary Internet Files\Content.IE5\index.dat
198: Section \BaseNamedObjects\C:_Documents and Settings_andrew_
Local Settings_Temporary Internet Files_Content.IE5_index.dat_3194880
1a0: File C:\Documents and Settings\andrew\Cookies\index.dat
1a8: File C:\Documents and Settings\andrew\Local Settings\
History\History.IE5\index.dat
1ac: Section \BaseNamedObjects\C:_Documents and Settings_andrew_
Local Settings_History_History.IE5_index.dat_245760
1b8: Section \BaseNamedObjects\C:_Documents and Settings_andrew_
Cookies_index.dat_81920
228: Section \BaseNamedObjects\UrlZonesSM_andrew
2a4: Section \BaseNamedObjects\SENS Information Cache
540: File C:\Documents and Settings\andrew\Application Data\
Microsoft\SystemCertificates\My
574: File C:\Documents and Settings\All Users\Desktop
5b4: Section \BaseNamedObjects\mmGlobalPnpInfo
5cc: File C:\WINNT\system32\mshtml.tlb
614: Section \BaseNamedObjects\WDMAUD_Callbacks
640: File C:\WINNT\system32\Macromed\Flash\Flash.ocx
648: File C:\WINNT\system32\STDOLE2.TLB
6a4: File \Dfs
6b4: File C:\Documents and Settings\andrew\Desktop
6c8: File C:\Documents and Settings\andrew\Local Settings\
Temporary Internet Files\Content.IE5\Q5USFST0\softwareDownloadIndex[1].htm
70c: Section \BaseNamedObjects\MSIMGSIZECacheMap
758: File C:\WINNT\system32\iepeers.dll
75c: File C:\Documents and Settings\andrew\Desktop
770: Section \BaseNamedObjects\RotHintTable
If you want to find the Internet Explorer process that owns a resource with a partial name of handle, you could type:
C:\> handle –p iexplore handle
Handle v2.10
Copyright (C) 1997-2003 Mark Russinovich
Sysinternals - www.sysinternals.com
IEXPLORE.EXE pid: 1396 C:\Documents and Settings\andrew\Local
Settings\Temporary Internet Files\Content.IE5\H1EZGFSH\handle[1].htm
Additionally, if you wanted to list all types of resources, you could use the -a option. Handle is quite a powerful tool, and any of its command-line options can be mixed together to quickly narrow your search and find just what you want.
 | If you've enjoyed what you've seen here, or to get more information, click on the "Buy the book!" graphic. Pick up a copy today!
Visit the O'Reilly Network http://www.oreillynet.com for more online content. |
Next: Hack 23: List Running Services and Open Ports >>
More Windows Security Articles
More By O'Reilly Media
