
Getting a list of a process' open files.

I've gotten very far with some of the questions other people asked. But I'm having problems. I'm trying to get a list of open files for one process. Once I've opened the process handle, how do I get all of the currently open file handles? And how do I figure out what their file location & name are?
1 Solution
TheJeffroAuthor Commented:
Ok, I figured out how to get a list of handles using:
NtQuerySystemInformation(16,PtrArray,ArraySize,ArrayRequiredSize) = 0 if successful
16 specifies that you want handles. I run the function twice, once to get the required size, and then again to get the list of handles. The PtrArray is an array of the HandleInformation type. I'm not sure how this type is structured. I know it's a total of 16 bytes, and there are probably 7 different values in it. I'm doing this in VB so I'm looking at someone's Delphi and C++ code trying to figure out the answer.
TheJeffroAuthor Commented:
Ok, now I'm really confused. I don't think the structure is 16 bytes anymore. It seems to generate an error every once in a while. I don't even know if there is a structure or a type. I am unable to recognize the Process ID. I just need to know: Process ID, Handle Type, and Handle. Please help me.

The structure looks like this: First in the buffer you'll get 4 bytes which identify the number of handles. After those 4 bytes you'll get all the handles which are open in the whole OS. Each handle entry in the array has 16 bytes:

  TNtHandleItem  = packed record
    pid     : cardinal;  // 4 bytes
    objType : word;      // 2 bytes
    handle  : word;      // 2 bytes
    objAddr : pointer;   // 4 bytes
    access  : cardinal;  // 4 bytes
  end;                   // 16 bytes in total

Let's say the OS has 5 handles open (which is unrealistically low, but anyway); the buffer size should then be (4 + 5*16 =) 84.
TheJeffroAuthor Commented:
Thank you soooo much Madshi. You're the man! I guess that 4 bytes at the beginning would explain why my structure size never seemed to work.
TheJeffroAuthor Commented:
Private Declare Function apiNtQuerySystemInformation Lib "ntdll.dll" Alias "NtQuerySystemInformation" (ByVal SystemInformationClass As Long, ByRef SystemInformation As Long, ByVal SystemInformationLength As Long, ByRef ReturnLength As Long) As Long
' RtlMoveMemory declaration (missing from the code as posted; apiCopyMemory is used below)
Private Declare Sub apiCopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)

' 16 bytes per entry, matching the record layout described above
Public Type HandleInfo
    HI_ProcessID As Long
    HI_ObjType As Integer
    HI_Handle As Integer
    HI_KeyObject As Long
    HI_Access As Long
End Type

Public Function GetHandleTable() As HandleInfo()
    Dim tLen As Long
    Dim tSize As Long
    Dim tBytes() As Byte
    Dim tRetHnd() As HandleInfo
    tSize = 20
    ' Keep calling with a bigger buffer until it is large enough:
    ' the call writes the required size into tSize (ReturnLength)
    Do While tLen < tSize
        tLen = tSize
        ReDim tBytes(1 To tSize) As Byte
        apiNtQuerySystemInformation 16, ByVal VarPtr(tBytes(1)), tLen, tSize
    Loop                                        ' was missing from the code as posted
    apiCopyMemory tLen, tBytes(1), 4            ' first 4 bytes: number of handles
    tSize = tSize - 4                           ' the rest: tLen entries of 16 bytes each
    ReDim tRetHnd(1 To tLen) As HandleInfo
    apiCopyMemory tRetHnd(1), tBytes(5), tSize  ' posted code used tSize - 4 here, dropping the last 4 bytes
    GetHandleTable = tRetHnd
End Function
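The buffer layout Madshi describes and the two-call loop in the VB code above, worked through end to end. This is an added example and not code from the thread; it is written in Python rather than VB so that it runs anywhere, and it parses a constructed sample buffer through a stand-in for NtQuerySystemInformation instead of calling ntdll. The field layout is the published 32-bit SYSTEM_HANDLE_TABLE_ENTRY_INFO: Madshi's 4-byte pid is really a USHORT UniqueProcessId followed by a USHORT CreatorBackTraceIndex, and his 2-byte objType is a UCHAR ObjectTypeIndex followed by a UCHAR HandleAttributes, so the same 16 bytes are just split more finely here (on 64-bit Windows the entry is 24 bytes because Object is an 8-byte pointer, so this only matches the 32-bit case the thread is about). The functions fake_nt_query_system_information, parse_handle_table, query_handle_table and handles_for_process are my names, and the sample entries are constructed values, not captured from a real system.

```python
import struct
from typing import Callable, List, NamedTuple, Tuple

STATUS_SUCCESS = 0x00000000
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004   # NTSTATUS returned when the buffer is too small
SYSTEM_HANDLE_INFORMATION = 16             # the SystemInformationClass used in the thread

# One 32-bit SYSTEM_HANDLE_TABLE_ENTRY_INFO, little-endian, no padding:
#   USHORT UniqueProcessId, USHORT CreatorBackTraceIndex, UCHAR ObjectTypeIndex,
#   UCHAR HandleAttributes, USHORT HandleValue, PVOID Object, ULONG GrantedAccess
ENTRY_FMT = "<HHBBHIL"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)    # 16, as Madshi's record says
COUNT_FMT = "<L"                           # the ULONG NumberOfHandles prefix


class HandleEntry(NamedTuple):
    pid: int
    back_trace_index: int
    object_type: int
    attributes: int
    handle: int
    object_addr: int
    granted_access: int


def parse_handle_table(buf: bytes) -> List[HandleEntry]:
    """Decode the 4-byte count and the packed 16-byte entries that follow it."""
    if len(buf) < 4:
        raise ValueError("buffer shorter than the 4-byte handle count")
    (count,) = struct.unpack_from(COUNT_FMT, buf, 0)
    needed = 4 + count * ENTRY_SIZE
    if len(buf) < needed:
        # A count that overruns the buffer means a short read; never trust it blindly.
        raise ValueError("buffer truncated: %d bytes, %d needed" % (len(buf), needed))
    return [HandleEntry(*struct.unpack_from(ENTRY_FMT, buf, 4 + i * ENTRY_SIZE))
            for i in range(count)]


def build_handle_table(entries: List[HandleEntry]) -> bytes:
    """Inverse of parse_handle_table; only used to construct the sample buffer."""
    body = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries)
    return struct.pack(COUNT_FMT, len(entries)) + body


# Constructed sample data (hypothetical values, not captured from a real system).
SAMPLE_ENTRIES = [
    HandleEntry(4, 0, 7, 0, 0x0004, 0x81234560, 0x0012019F),
    HandleEntry(1234, 0, 28, 0, 0x001C, 0x81450000, 0x00100020),
    HandleEntry(1234, 0, 5, 0, 0x0020, 0x81468800, 0x001F0001),
    HandleEntry(5678, 0, 28, 0, 0x0008, 0x81450000, 0x00100020),  # same object, other process
]
SAMPLE_BUFFER = build_handle_table(SAMPLE_ENTRIES)   # 4 + 4*16 = 68 bytes


def fake_nt_query_system_information(info_class: int, buf: bytearray, length: int) -> Tuple[int, int]:
    """Stand-in (hypothetical) for ntdll!NtQuerySystemInformation with the calling
    convention the thread relies on: returns (NTSTATUS, ReturnLength), fills buf on success."""
    if info_class != SYSTEM_HANDLE_INFORMATION:
        raise NotImplementedError("only SystemHandleInformation is simulated")
    needed = len(SAMPLE_BUFFER)
    if length < needed:
        return STATUS_INFO_LENGTH_MISMATCH, needed
    buf[:needed] = SAMPLE_BUFFER
    return STATUS_SUCCESS, needed


def query_handle_table(query: Callable[[int, bytearray, int], Tuple[int, int]] = fake_nt_query_system_information,
                       initial_size: int = 20) -> List[HandleEntry]:
    """The two-call pattern from the thread: retry with a bigger buffer until the call succeeds.
    Starting at 20 bytes mirrors the VB code's tSize = 20."""
    size = initial_size
    while True:
        buf = bytearray(size)
        status, needed = query(SYSTEM_HANDLE_INFORMATION, buf, size)
        if status == STATUS_SUCCESS:
            return parse_handle_table(bytes(buf[:needed]))
        if status != STATUS_INFO_LENGTH_MISMATCH:
            raise OSError("NtQuerySystemInformation failed with NTSTATUS 0x%08X" % status)
        # The system-wide table can grow between the two calls, so grow with some
        # slack instead of trusting the returned length exactly.
        size = max(needed, size * 2)


def handles_for_process(entries: List[HandleEntry], pid: int) -> List[HandleEntry]:
    """The original question: the table is system-wide, so filter it by process id."""
    return [e for e in entries if e.pid == pid]


if __name__ == "__main__":
    table = query_handle_table()
    for e in handles_for_process(table, 1234):
        print("pid=%d type=%d handle=0x%04X object=0x%08X access=0x%08X"
              % (e.pid, e.object_type, e.handle, e.object_addr, e.granted_access))
```

The retry loop checks the NTSTATUS rather than only comparing lengths, which is the safer shape of the VB loop above: the handle table is system-wide and changes between the sizing call and the data call, so a second STATUS_INFO_LENGTH_MISMATCH is normal and just means "grow and try again". Note that the ObjectTypeIndex values are only numbers here; mapping them to names such as "File" is a separate step the thread does not cover.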