Under XP SP2 RC4 I am having issues sometimes files cannot be deleted because they are "being used by another process" - in this case, the file in question is my own datafile and the process which had it open is very very dead - so why does the XP filesystem still think a process is using it?

Firstly, I want to say that I just checked and I'm SURE the file is being Closed before the process is terminated.

Now, can anyone tell me is there a way to find out the PID which has the file open so I can identify the culprit process?

Can anyone shed any light on the relationship between the filesystem and processes under NT?

TIA, Homer.
Posted on 2005-01-06 05:15:48 by Homer
Posted on 2005-01-06 05:23:51 by f0dder
f0dder - I used the Handle utility from sysinternals to find out the PID... turns out explorer.exe had it open FIVE TIMES - so I closed the only open folder and checked again - no handles matched this time... reopen folder, try to delete, no good - back to Handle util, this time explorer.exe only opened it once - so I'm thinking ok my explorer.exe process has been injected and is dirty so I killed explorer.exe and restarted it - still no good !! The WhoLockMe utility gave NO feedback at all...

So.. Am I dirty? Is this a "feature" of SP2RC4?
If I am not dirty, why does explorer.exe actually open the file at all when I browse to the folder containing it?
Posted on 2005-01-06 06:12:23 by Homer
One piece of information which I think is critical that I omitted...
The file in question is named as EXE - but its NOT AN EXE.
It's a binary datafile of my own creation.
Could it be that some malware has injected explorer.exe and has attempted to open the exe, realized its not PE but then forgot to close it thus giving itself away?
Posted on 2005-01-06 06:15:13 by Homer
I found this, is interesting and have the source code written in Assembly:


But don't reply your question :(

Posted on 2005-01-06 06:15:48 by Opcode
DelLater sounds like a batchfile to me - it deletes the file on reboot.
Not much use to me and no it certainly doesnt answer my Q...
I'm currently installing ProcessGuard from the same site, which may be able to prevent the suspected process (re)injection from occuring.
Let's see what shakes when I restart explorer.exe under guard :)
Posted on 2005-01-06 06:25:11 by Homer
That sounds like the same type of bug that is in shmedia.dll in WinXP SP2. With that DLL there is sloppy handling if it does not recognize the file header of an AVI, it simply skips the file but does not close the handle, making it impossible to delete the file from Explorer. Seems like the dev team at MS has decided that closing handles is no longer important :)
Posted on 2005-01-06 06:41:44 by donkey
I wonder how much crack the shell coders at MS smoke... the kernel coders are pretty decent, but the shell coders rather ruin everything. Foo!
Posted on 2005-01-06 06:45:27 by f0dder
I installed the processguard, rebooted, then started the processguard.. now I killed and restarted explorer.exe then deleted the nasty file - no biggy, this time it deleted ... but another file (the DLL from the WhoLockMe utility) was in the folder at the time - and guess what - it wouldn't delete !! So I undeleted all files in the folder and ran the batchfile to uninstall the WhoLockMe dll - then tried to delete them all again - this time theres TWO locked files , the DLL still locked and now the file that is named EXE is AGAIN LOCKED even though I just succeeded in deleting it moments before and nothing had opened it to my knowledge !!?!
I'm starting to get pissy and considering seriously reverting to SP1 - this is just craptastic, its happened before and I've ignored it, now I want answers and nobody seems to know whats going on :(
The internet is a testament that this is not a local problem, there's a zillion postings on this issue, for pretty much all flavours of Win...

Anyone have a better idea than reverting the OS?
Posted on 2005-01-06 06:48:35 by Homer
The only thing I am convinced of at this moment is that explorer.exe is the process that opened the file(s) and left them open..

Is it normal behaviour for explorer.exe to be opening files at all? I thought it was preoccupied with folders, not files...

If I close all folders, I can delete the file(s) using the cmd.exe shell. I need to close ALL FOLDERS to force explorer.exe to relinquish the filehandle(s) !! (explorer.exe is still running but no folders open)

This STILL smells like I'm dirty imho - I'll check out Services and see if I can find anything spurious in there.. No weird exes "appear" to be running that could be injecting explorer.exe so I'm running out of ideas...
Maybe this really is a "feature" after all :)
Posted on 2005-01-06 06:53:27 by Homer
Homer, it opens .exe files to extract icons... etc... dunno why it leaves the files open, though :/. I've had my share of annoyances because of open files, but when it's explorer they usually "unlock" after a while.
Posted on 2005-01-06 07:03:17 by f0dder

try delete the file using console , it works for me ;)
Posted on 2005-01-06 07:04:09 by wizzra
I've noticed them "unlock after a while" as well - but "a while" can be a few minutes, a few hours, or not at all...

I wonder which of us is lagging here? :)

Thanks for the feedback guys..
Posted on 2005-01-06 07:05:33 by Homer
wizzra - one time it did not work for me but I suspect I had left a folder open ;)
Posted on 2005-01-06 08:06:02 by Homer
That AVI problem has caused my porn movie folders to really bloat up - deleting duplicates used to be so easy. :lol:
Posted on 2005-01-06 18:28:55 by bitRAKE
I experienced similar situation with IIS. Every now and then some broken connection holds the files open so I couldn't update them.
I solved it with renaming of locked files:

REN Index.htm *.BAK
COPY FreshIndex.html Index.html
Posted on 2005-01-08 08:04:28 by vit$oft
Interesting - the "official workaround" posted on MSDN describes using "MoveFileEx" to achieve the same thing :)
Posted on 2005-01-08 20:16:58 by Homer
I had this problem too, on Win2k SP4. But only with exe-s (that contain no exe data) on the desktop. I second f0dder - Explorer tries to get icons from that file, but probably a thread of its gets lost in an infinite loop. Since when I boot, the file is on the desktop , the only 2 ways I found to delete it are:
- by logging in with another username (best as Administrator), going to the \Desktop folder and deleting there
- the renaming with commandline, already suggested here.

My PC is virii-free, the malicious code is MS's this time :-D
Posted on 2005-01-09 18:50:57 by Ultrano
Hi EvilHomer2k !
You can find the process which are opening the file with Process Explorer of SysInternal. Swich to view Handle mode, search the file, right click and choose Close Handle. After that, you can delete the file.
Posted on 2005-01-10 09:40:02 by TQN
Latecomers who don't read previous postings should feel thoroughly ashamed of themselves.. I know I'd be embarassed if the above posting was mine !!

Have a nice day :)
Posted on 2005-01-12 22:20:08 by Homer