
It's an issue on a Win7 system.

It looks like the System process (PID 4, running ntoskrnl.exe) doesn't release handles on *.exe files after the programs are closed.

Hence, those files can't be deleted, and it's impossible to update any program.

I looked into it with Process Hacker and Sysinternals Process Explorer (both in an admin environment), and no process of the *.exe has been running for several minutes. But System still has an open handle to that *.exe. Closing that handle from either of those tools is not possible. When I try to close that handle in Process Explorer, I get a pop-up message saying "Error opening process: The handle is invalid."

Hence, all options to delete the *.exe manually (Explorer, cmd, PowerShell) don't work at all.

I checked the system (sfc command), no issues.

I tried the solution mentioned in Windows 7 access denied to executables.. by what? and had no success. Could disabling the thumbs.db cache really influence that? I haven't tried the answer mentioned over there yet.

How to fix that / release those handles without a restart?

Henning
  • I don’t have a Win 7 computer to check what is normal, but what type of handle is it? Process? Could be a driver opening a handle to the process. Do you see the same behaviour in Safe Mode? – HelpingHand Jun 25 '20 at 08:55
  • The type of the handle is 'file'. So I expect, in Safe mode the same behaviour. But I'll test later. – Henning Jun 25 '20 at 09:03
  • @HelpingHand: It looks like my assumption wasn't correct. In Safe Mode I didn't see this behaviour, and after some restarts the behaviour couldn't be reproduced, at least not by starting and stopping any application. But I had the behaviour several times. Do you have any ideas how to determine the driver blocking the *.exe if it occurs again? – Henning Jun 26 '20 at 14:22
  • A little tricky; one approach might be: get the ADK so you can run `wpr.exe -start handle`, then `wpr.exe -stop C:\h.etl`. In WPA you can then order the columns, as "Handle type" to focus on "File", followed by "Creating Process", so you can expand System, followed by "Object name" which would be the file in question, or just have Object Name as the first column and scroll down or add a filter. If you can find the handle being opened, the "Create Stack" column will show you where the call has come from and could identify the driver opening a handle. You could then disable that driver as a test. – HelpingHand Jun 26 '20 at 14:37
  • When to start/stop the capturing is the next question, a boot trace? Do you boot with certain drivers disabled and start them? etc.. – HelpingHand Jun 26 '20 at 14:38
  • @HelpingHand Do you know where to get wpr.exe and wpa.exe for Windows 7? – Henning Jun 26 '20 at 16:41
  • The Windows 8 ADK does have it, and it is compatible, but it seems that the Handle profile didn't exist. You can't use the Windows 10 ADK, it seems; the oldest lets you install the Performance Toolkit, but then wpr.exe doesn't run. Not sure if you can use the Handle profile on Windows 7 then, unless XPERF has a way to trace it. Sorry. – HelpingHand Jun 26 '20 at 17:26
  • Thank you anyway for your idea. Maybe it's time for a reinstall or a switch to Win10. – Henning Jun 27 '20 at 14:30
  • The other option is to just disable a number of drivers that aren’t Microsoft (assume they are OK) and that don’t start in safeboot. A few ways to do it: rename the driver files under \windows\system32\drivers\ and reboot, or set the start value to 4 in the registry. It may be you can use this method to determine a driver. You can add the Company column in Explorer to more easily identify them. Quite time consuming, so maybe try batches of 5. – HelpingHand Jun 27 '20 at 14:42
  • That would be possible, but actually the issue seems not to occur each time after a boot, so it looks like it is random behaviour. And that makes it a lot more difficult to find. Another idea: is it possible that the call of an update process / routine and the included deinstallation of the old version is the root of that behaviour? I'll keep an eye on that as soon as the next update is available. – Henning Jun 29 '20 at 09:25
  • Hard to say. It might be worth initially ruling out any security software as the nature of the software has drivers and opens handles to processes/files. – HelpingHand Jun 29 '20 at 09:43

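As an added example, not code from anyone in the thread, the following PowerShell script follows HelpingHand's batch-disabling suggestion: it inventories kernel and file-system drivers that are not in the Safe Mode minimal set and not from Microsoft, and groups them into batches of five. It assumes an elevated PowerShell 3 or later session (available on Windows 7 via the WMF update); the registry paths are the standard ones and the "Microsoft" company filter is an assumption mirroring the comment.

```powershell
# Added example, not from the thread: inventory third-party kernel/file-system
# drivers that are NOT loaded in Safe Mode, the candidates for batch-disabling.
# Assumes an elevated PowerShell 3+ session; registry paths are the standard ones.
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'

# Drivers listed under SafeBoot\Minimal load in Safe Mode, so the thread treats
# them as already ruled out. (Approximation: entries can also be load groups.)
$safeNames = Get-ChildItem $safeBoot | ForEach-Object { $_.PSChildName.ToLower() }

function Get-SuspectDrivers {
    Get-ChildItem $services -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        # Type 1 = kernel driver, 2 = file system driver; Start 4 = already disabled
        if (($p.Type -ne 1 -and $p.Type -ne 2) -or $p.Start -eq 4) { return }
        if ($safeNames -contains $_.PSChildName.ToLower()) { return }

        # ImagePath may be relative to %SystemRoot% or use \SystemRoot or \??\ prefixes
        $path = "$($p.ImagePath)" -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if ($path -and -not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
        if (-not $path -or -not (Test-Path $path)) { return }

        # Same "Company" column the comment suggests adding in Explorer
        $company = (Get-Item $path).VersionInfo.CompanyName
        if ($company -match 'Microsoft') { return }   # assume Microsoft drivers are OK

        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Name    = $_.PSChildName
            Start   = $p.Start
            Company = $company
            Signed  = $sig.Status
            Path    = $path
        }
    }
}

$suspects = @(Get-SuspectDrivers | Sort-Object Company, Name)
$suspects | Format-Table -AutoSize

# Batches of five, for the trial-and-error round described in the comments
for ($b = 0; $b * 5 -lt $suspects.Count; $b++) {
    $last  = [math]::Min($b * 5 + 4, $suspects.Count - 1)
    $names = $suspects[($b * 5)..$last] | ForEach-Object { $_.Name }
    "Batch $($b + 1): $($names -join ', ')"
}
# To disable a batch (Start=4; restore by writing the old Start value back):
#   $suspects[0..4] | ForEach-Object { Set-ItemProperty "$services\$($_.Name)" -Name Start -Value 4 }
```

Record each driver's original Start value before changing it, since boot-start (0) and system-start (1) drivers must be restored to exactly that value.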