Solved

Getting a list of a process' open files.

Posted on 2004-09-20
Last Modified: 2008-01-09
I've gotten very far with some of the questions other people asked. But I'm having problems. I'm trying to get a list of open files for one process. Once I've opened the process handle, how do I get all of the currently open file handles? And how do I figure out what their file location & name is?
Question by:TheJeffro

Author Comment

by:TheJeffro
ID: 12118250
Ok, I figured out how to get a list of handles using:
ntdll.dll
NtQuerySystemInformation(16,PtrArray,ArraySize,ArrayRequiredSize) = 0 if successful
16 specifies that you want handles. I run the function twice, once to get the required size, and then again to get the list of handles. The PtrArray is an array of the HandleInformation type. I'm not sure how this type is structured. I know it's a total of 16 bytes, and there's probably 7 different values in it. I'm doing this in VB so I'm looking at someone's Delphi and C++ code trying to figure out the answer.

Author Comment

by:TheJeffro
ID: 12125666
Ok, now I'm really confused. I don't think the structure is 16 bytes anymore. It seems to generate an error every once in a while. I don't even know if there is a structure or a type. I am unable to recognize the Process ID. I just need to know: Process ID, Handle Type, and Handle. Please help me.

Expert Comment

by:EDDYKT
ID: 12125925

Accepted Solution

by:
Madshi earned 500 total points
ID: 12126193
The structure looks like this: First in the buffer you'll get 4 bytes which identify the number of handles. After those 4 bytes you'll get all the handles which are open in the whole OS. Each handle entry in the array has 16 bytes:

type
  TNtHandleItem  = packed record
    pid     : cardinal;  // 4 bytes
    objType : word;  // 2 bytes
    handle  : word;  // 2 bytes
    objAddr : pointer;  // 4 bytes
    access  : cardinal;  // 4 bytes
  end;

Let's say the OS has 5 handles open (which is unrealistically low, but anyway), the buffer size should be (4 + 5*16 =) 84.

Author Comment

by:TheJeffro
ID: 12126448
Thank you soooo much Madshi. You're the man! I guess that 4 bytes at the beginning would explain why my structure size never seemed to work.

Author Comment

by:TheJeffro
ID: 12128720
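Private Declare Function apiNtQuerySystemInformation Lib "ntdll.dll" Alias "NtQuerySystemInformation" (ByVal SystemInformationClass As Long, ByRef SystemInformation As Long, ByVal SystemInformationLength As Long, ByRef ReturnLength As Long) As Long
' apiCopyMemory is used below; it is the usual alias for RtlMoveMemory.
Private Declare Sub apiCopyMemory Lib "kernel32" Alias "RtlMoveMemory" (ByRef Destination As Any, ByRef Source As Any, ByVal Length As Long)

' One 16-byte entry of the handle list (layout from the accepted solution).
Public Type HandleInfo
    HI_ProcessID As Long
    HI_ObjType As Integer
    HI_Handle As Integer    ' VB Integer is signed: values above 32767 read as negative
    HI_KeyObject As Long
    HI_Access As Long
End Type

Public Function GetHandleTable() As HandleInfo()
    Dim tLen As Long
    Dim tSize As Long
    Dim tBytes() As Byte
    Dim tRetHnd() As HandleInfo
    tSize = 20
    ' Grow the buffer until the size reported back by the call fits into it.
    Do While tLen < tSize
        tLen = tSize
        ReDim tBytes(1 To tSize) As Byte
        apiNtQuerySystemInformation 16, ByVal VarPtr(tBytes(1)), tLen, tSize
    Loop
    ' The first 4 bytes of the buffer hold the number of handles.
    apiCopyMemory tLen, tBytes(1), 4
    ' Never copy more entries than the buffer actually holds.
    If tLen > (UBound(tBytes) - 4) \ 16 Then tLen = (UBound(tBytes) - 4) \ 16
    ReDim tRetHnd(1 To tLen) As HandleInfo
    ' Copy all tLen entries of 16 bytes each, starting right after the count.
    apiCopyMemory tRetHnd(1), tBytes(5), tLen * 16
    GetHandleTable = tRetHnd
End Function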
0
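Added example (not code from any poster in this thread): a C parser for the buffer layout described in the accepted solution, which checks the leading 4-byte count against the buffer length before reading entries and then keeps only the entries of one process ID, the step the original question asks about. The function names and the sample values are constructed for illustration, and the 16-byte entry assumes the 4-byte pointer of the layout posted above; where pointers are 8 bytes the entry is larger and this struct does not apply.

```c
#include <stdint.h>
#include <string.h>

/* Entry layout as posted in the accepted solution: 16 bytes, 4-byte pointer.
   Assumes a little-endian host, as on x86. */
#pragma pack(push, 1)
typedef struct {
    uint32_t pid;
    uint16_t obj_type;
    uint16_t handle;
    uint32_t obj_addr;
    uint32_t access;
} nt_handle_item;
#pragma pack(pop)

/* Copy up to out_cap entries owned by `pid` into out[]. Returns the total
   number of matches, or -1 if buf is shorter than its own count implies. */
long handles_for_pid(const uint8_t *buf, size_t len, uint32_t pid,
                     nt_handle_item *out, size_t out_cap)
{
    uint32_t count;
    long found = 0;
    if (len < sizeof count) return -1;
    memcpy(&count, buf, sizeof count);            /* first 4 bytes: count */
    if (count > (len - sizeof count) / sizeof(nt_handle_item)) return -1;
    for (uint32_t i = 0; i < count; i++) {
        nt_handle_item it;
        memcpy(&it, buf + 4 + (size_t)i * sizeof it, sizeof it);
        if (it.pid != pid) continue;              /* system-wide list: filter */
        if ((size_t)found < out_cap) out[found] = it;
        found++;
    }
    return found;
}

/* Constructed sample buffer (not real system data): 3 entries, 2 for PID 1234. */
size_t build_sample(uint8_t *buf)
{
    const nt_handle_item items[3] = {
        {1234, 28, 0x0044, 0xE1A2B000u, 0x00120089u},
        { 888, 28, 0x0010, 0xE1000000u, 0x001F01FFu},
        {1234,  5, 0x0104, 0xE1C3D000u, 0x001F0003u},
    };
    uint32_t count = 3;
    memcpy(buf, &count, sizeof count);
    memcpy(buf + 4, items, sizeof items);
    return 4 + sizeof items;                      /* 4 + 3*16 = 52 bytes */
}
```

The truncated-buffer check matters because the handle table can change between the sizing call and the call that fills the buffer.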

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction While answering a recent question (http://www.experts-exchange.com/Q_27402310.html) in the VB classic zone, I wrote some VB code in the (Office) VBA environment, rather than fire up my older PC.  I didn't post completely correct code o…
Enums (shorthand for ‘enumerations’) are not often used by programmers but they can be quite valuable when they are.  What are they? An Enum is just a type of variable like a string or an Integer, but in this case one that you create that contains…
As developers, we are not limited to the functions provided by the VBA language. In addition, we can call the functions that are part of the Windows operating system. These functions are part of the Windows API (Application Programming Interface). U…
Get people started with the process of using Access VBA to control Outlook using automation, Microsoft Access can control other applications. An example is the ability to programmatically talk to Microsoft Outlook. Using automation, an Access applic…

861 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now