---
date: "2016-12-01"
draft: false
title: "handle"
---
## Examples

| command | description |
|---|---|
| `handle <QUERY>` | show system-wide handles that match |
| `handle -p <PID>` | show handles for a specific pid |
| `handle -a <NAME>` | show all handle types matching the name |
| `handle -s <NAME>` | show statistics of handles |
## Man

```
handle [[-a] [-u] | [-c <handle> [-l] [-y]] | [-s]] [-p <processname>|<pid>] [name]
```

- `-a` Dump information about all types of handles, not just those that refer to files. Other types include ports, Registry keys, synchronization primitives, threads, and processes. You need this flag for any search beyond file handles.
- `-c` Closes the specified handle (interpreted as a hexadecimal number). You must specify the process by its PID. WARNING: closing handles can cause application or system instability.
- `-l` Dump the sizes of pagefile-backed sections.
- `-y` Don't prompt for close-handle confirmation.
- `-s` Print a count of each type of handle open.
- `-u` Show the owning user name when searching for handles.
- `-p` Dump all the handles belonging to a process (you can use partial names, e.g. `exp` for explorer).
- `name` Search for handles to objects with a particular name. For example, if you wanted to know which process (if any) has `c:\windows\system32` open, type `handle windows\system`. The name match is case-insensitive and the fragment specified can be anywhere in the paths you are interested in.
## EXAMPLES

Display the open handles of an instance of notepad:

```
handle -a -p notepad.exe
```

(`-a` is for all handle types, `-p` indicates the process; you can use name fragments, e.g. `note` or `lsass`)

Display handle information for a command shell by its PID:

```
handle -a -p 2944
```

(2944 is the PID of cmd.exe)

Find processes that have a specific handle open:

```
handle -a hklm\system
```

(`-a` allows a search of all handle types; without it, only file handles are searched)

```
handle -a hku
```

shows the processes holding handles whose name contains `hku`.
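An added PowerShell helper, not part of this page or of Sysinternals, that wraps the searches above and parses handle's search output into objects so an analyst can sort and group which processes hold a given path or key. It assumes `handle.exe` is on PATH and the search-mode column layout noted in the comment; the sample lines are constructed, not captured output.

```powershell
# Added example (not from the page or Sysinternals): parse the search-mode output of
# handle.exe into objects. Assumed line layout for "handle -a <name>":
#   "<image> pid: <pid> type: <type> <handle>: <name>"
# Column spacing differs between Handle versions; adjust the regex if yours differs.

$script:HandleLine = '^(?<image>\S+)\s+pid:\s*(?<pid>\d+)\s+type:\s*(?<type>\S+)\s+(?<handle>[0-9A-Fa-f]+):\s*(?<name>.+?)\s*$'

function ConvertFrom-HandleOutput {
    # Turn raw handle.exe lines into objects; banner, separator and blank lines are skipped.
    param([Parameter(ValueFromPipeline)][string[]]$Line)
    process {
        foreach ($l in $Line) {
            if ($l -match $script:HandleLine) {
                [pscustomobject]@{
                    Image  = $Matches.image
                    Pid    = [int]$Matches.pid
                    Type   = $Matches.type
                    Handle = [Convert]::ToInt32($Matches.handle, 16)   # hex handle value
                    Name   = $Matches.name
                }
            }
        }
    }
}

function Find-HandleOwner {
    # Search all handle types for a name fragment (the "handle -a <name>" case above)
    # and return one object per hit, sorted so repeated hits per process stand out.
    param([Parameter(Mandatory)][string]$Fragment)
    & handle.exe -accepteula -a $Fragment 2>$null |
        ConvertFrom-HandleOutput |
        Sort-Object Image, Pid, Type, Name
}

# Constructed sample lines (not real output from a host) to exercise the parser offline.
$sample = @(
    'Nthandle vX.YY - Handle viewer',
    'notepad.exe        pid: 2944   type: File          54: C:\Windows\System32',
    'svchost.exe        pid: 1120   type: Key           9C: HKLM\SYSTEM\CurrentControlSet\Services',
    ''
)
$sample | ConvertFrom-HandleOutput | Format-Table -AutoSize

# Live use on a Windows host with handle.exe available:
#   Find-HandleOwner 'hklm\system'
```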