Windows - Can not force close network file handle - Can not close system (Pid 4) file handles

Question

Firstly, sorry for the long question, but I wanted to provide sufficient detail.

Synopsis:

In Windows does not appear to be possible to force close a file handle opened over a network share. Hence a file that is opened over a network share can not be moved/renamed/deleted. I am using Win 7.

Question:

Can anyone see what I am doing wrong or can someone confirm that this is as expected and it is not possible to force close system file handles (always on pid 4, such as those related to network share access to the file).

Background:

We have remote network client users who access a log file. We need to roll the log file so it does not grow too large. We can not roll the log file as the file is reported as in use.

Recreate Issue:

0)

Do everything as Administrator

1)

Create a new dir and share it

2)

Create a file in the new dir

3)

Via the file share edit the file with something that tends to get a file lock like MS Word. So do Start / Run then type in \YourHostName then select the file share you creaeted, then navigate to the file and edit it with Word. This is to simulate a remote user/host locking the file.

4)

List the open file handles, we can see 2 below

C:>handle C:\Log\MyLockedFile.txt

Handle v3.46 Copyright (C) 1997-2011 Mark Russinovich Sysinternals - www.sysinternals.com

System pid: 4 type: File 3E64: C:\Log\MyLockedFile.txt System pid: 4 type: File 5E48: C:\Log\MyLockedFile.txt

5)

Try to close a file handle, here we see the attempt to close fail.

C:>handle -c 3E64 -p 4

Handle v3.46 Copyright (C) 1997-2011 Mark Russinovich Sysinternals - www.sysinternals.com

3E64: File (R--) C:\Log\MyLockedFile.txt Close handle 3E64 in System (PID 4)? (y/n) y Error closing handle: The handle is invalid.

6)

List network file handles, here we see the opened network shares to the file.

C:>openfiles /query -v

INFO: The system global flag 'maintain objects list' needs to be enabled to see local opened files. See Openfiles /? for more information.

Files opened remotely via local share points:

Hostname ID Accessed By Type #Locks Open Mode Open File (Path\executable) 14693W7N 67109233 myuser1 Windows 0 Write + Read C:\Log\MyLockedFile.txt 14693W7N 495 myuser1 Windows 0 Read C:\Log\

7)

Close/disconnect file handles to the file, here it appears to work

C:>openfiles /disconnect /a * /OP C:\Log\MyLockedFile.txt

SUCCESS: The connection to the open file "C:\Log\MyLockedFile.txt" has been terminated.

8)

System file handle is still active even after attempting to delete it.

C:>handle C:\Log\MyLockedFile.txt

Handle v3.46 Copyright (C) 1997-2011 Mark Russinovich Sysinternals - www.sysinternals.com

System pid: 4 type: File 3E64: C:\Log\MyLockedFile.txt

9)

The file can not be moved/renamed as it is still in use

C:>move C:\Log\MyLockedFile.txt C:\Log\MyLockedFile.txt.newName The process cannot access the file because it is being used by another process. 0 file(s) moved.

Answer 1

Just posting as an answer because saw this question hanging around answerless (heh, by holy chance, for EXACTLY one year?)

First, there is a really interesting discussion on this very topic here (about NTFS, I suppose). If you read the above link, you can get nice hints about why some handles seem to "hang" open forever, and why "forcing close" is not a very good idea.

The reason "handle -c" was giving an invalid handle error could have something to do with running "handle" locally and remotely, i.e. on the machine that the network drive is physically attached to (?)

For my own purposes, and in my own scenario, I ended up forcing close a handle remotely (just because I wanted to close it in a quick and dirty way - using Sysinternals tools you mentioned, namely "psexec" and "handle" (no need to specify user and password, given that I am logged in as administrator role, I guess) :

rem To list the open handles
psexec \\someserver -c handle /accepteula some_filename

rem To force close a particular handle
psexec \\someserver -c handle /accepteula -c 3F9C -p 4

But while running handle command remotely again didn't give any results (no open handles), the folder I was trying to delete was still locked. After some time (I also tried to disconnect from the network share in question using "net use f: /delete" to no avail, as it "was being accessed by an active process") - I figured out that my own local machine was still retaining open handles to that directory - and actually the handles I forced close remotely were from my own machine. I closed them without problems using Process Explorer GUI, which should be equal to using "handle" from the command prompt. After that the folder in question could be deleted.