This is my first post here!
I'm trying to write a backup application, and one of the features is that
when a file is already open, a popup shows and tells the user which
process is using that file.
At first I used Handle, from Sysinternals, parsing its output, but doing
that makes my software REALLY slow. So, after a LONG search on Google, I
found the NtQuerySystemInformation API, and after a lot of work and help
from the Sysinternals forum I've put something together.
My problem is that I don't get any open files! The objects reported as
OB_TYPE_FILE are ALL socket handles!
1320 1108 File firefox.exe \Device\Tcp
1320 1112 File firefox.exe \Device\Afd
1320 1120 File firefox.exe \Device\Tcp
1320 1128 File firefox.exe \Device\Tcp
1320 1152 File firefox.exe \Device\Afd
1320 1168 File firefox.exe \Device\WS2IFSL
1320 1172 File firefox.exe \Device\WS2IFSL
1320 1176 File firefox.exe \Device\Tcp
1320 1180 File firefox.exe \Device\Tcp
1320 1184 File firefox.exe \Device\Tcp
1320 1192 File firefox.exe \Device\Tcp
Searching the Sysinternals forum I found some code ... but it gives
me the same result :\
Does anyone have any idea?
Thanks to all!
------
Here is some code:
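/*
 * Query a string property of hObject through the ZwQueryObject pointer
 * pNTQO.
 *
 * hObject       handle valid in the current process
 * objInfoClass  ObjectNameInformation or ObjectTypeInformation (the
 *               callers in this file pass only these two)
 *
 * Returns a NUL-terminated wide string allocated as a BYTE[] with new[],
 * which the caller must release with delete[] (as BYTE *), or NULL when
 * the query fails or the object has no name buffer.
 *
 * NOTE(review): both classes are read through POBJECT_NAME_INFORMATION,
 * so this relies on the type-information struct starting with the same
 * Length/Buffer layout as the name struct — confirm against the headers
 * this file uses.
 * NOTE(review): querying the name of some file handles (synchronous pipes
 * are the usual example) is known to block the calling thread; a
 * long-running backup tool may want to issue the query from a worker
 * thread with a timeout — confirm on the target OS.
 */
LPWSTR GetObjectInfo(HANDLE hObject, OBJECT_INFORMATION_CLASS objInfoClass)
{
    LPWSTR lpwsReturn = NULL;
    DWORD dwSize = sizeof(OBJECT_NAME_INFORMATION);
    POBJECT_NAME_INFORMATION pObjectInfo = (POBJECT_NAME_INFORMATION) new BYTE[dwSize];

    // First call with a minimal buffer: on a length error dwSize receives
    // the required size and the query is repeated once with that size.
    NTSTATUS ntReturn = pNTQO(hObject, objInfoClass, pObjectInfo, dwSize, &dwSize);
    if ((ntReturn == STATUS_BUFFER_OVERFLOW || ntReturn == STATUS_INFO_LENGTH_MISMATCH)
        && dwSize > 0)
    {
        // The buffer was allocated with new[], so it must be released with
        // delete[]; the original used plain delete (mismatched, UB).
        delete[] (BYTE *)pObjectInfo;
        pObjectInfo = (POBJECT_NAME_INFORMATION) new BYTE[dwSize];
        ntReturn = pNTQO(hObject, objInfoClass, pObjectInfo, dwSize, &dwSize);
    }

    // NTSTATUS success codes are non-negative; unnamed objects report a
    // NULL Buffer and yield NULL here.
    if ((ntReturn >= STATUS_SUCCESS) && (pObjectInfo->Buffer != NULL))
    {
        // Length is in bytes and excludes the terminator; add room for it.
        DWORD dwBytes = pObjectInfo->Length + sizeof(WCHAR);
        lpwsReturn = (LPWSTR) new BYTE[dwBytes];
        ZeroMemory(lpwsReturn, dwBytes);
        CopyMemory(lpwsReturn, pObjectInfo->Buffer, pObjectInfo->Length);
    }

    delete[] (BYTE *)pObjectInfo;
    return lpwsReturn;
}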
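/*
 * Program entry point: enumerate every handle on the system and print the
 * PID, handle value, type, owning process image name and object name for
 * each handle whose type is "File".
 *
 * argc/argv are unused. Returns 0 on completion, -1 when the ntdll entry
 * points cannot be resolved. Sets the file-scope pNTQO/pNTQSI pointers.
 *
 * NOTE(review): the duplicated handles are requested with
 * STANDARD_RIGHTS_REQUIRED (DELETE | READ_CONTROL | WRITE_DAC |
 * WRITE_OWNER), more than a name/type query needs; a narrower access
 * request is the least-privilege choice and may also succeed on objects
 * where this one is refused — confirm before changing. Opening every
 * process with PROCESS_DUP_HANDLE is a privileged operation and will
 * fail for processes the caller cannot open; those are skipped silently.
 */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    pNTQO = (tNTQO)GetProcAddress(GetModuleHandle("NTDLL.DLL"), "ZwQueryObject");
    pNTQSI = (tNTQSI)GetProcAddress(GetModuleHandle("NTDLL.DLL"), "ZwQuerySystemInformation");
    if (pNTQO == NULL || pNTQSI == NULL)
    {
        printf("Unable to acquire addresses for ZwQueryObject or ZwQuerySystemInformation!\nThis OS isin't Windows 2000 or Windows XP!\n\n");
        return -1;
    }

    printf("File Handle List\n");
    printf("================\n\n");

    // The system handle table can grow between the size query and the
    // data query, so a single retry (as in the original) can fail again
    // with STATUS_INFO_LENGTH_MISMATCH. Retry a bounded number of times,
    // using the reported size when it grew and doubling otherwise.
    DWORD dwAlloc = sizeof(SYSTEM_HANDLE_INFORMATION);
    DWORD dwSize = dwAlloc;
    PSYSTEM_HANDLE_INFORMATION pHandleInfo = (PSYSTEM_HANDLE_INFORMATION) new BYTE[dwAlloc];
    NTSTATUS ntReturn = pNTQSI(SystemHandleInformation, pHandleInfo, dwAlloc, &dwSize);
    for (int attempt = 0; ntReturn == STATUS_INFO_LENGTH_MISMATCH && attempt < 8; attempt++)
    {
        delete[] (BYTE *)pHandleInfo;   // allocated with new[], release with delete[]
        dwAlloc = (dwSize > dwAlloc) ? dwSize : dwAlloc * 2;
        dwAlloc += 4096;                // slack for handles created meanwhile
        dwSize = dwAlloc;
        pHandleInfo = (PSYSTEM_HANDLE_INFORMATION) new BYTE[dwAlloc];
        ntReturn = pNTQSI(SystemHandleInformation, pHandleInfo, dwAlloc, &dwSize);
    }

    if (ntReturn == STATUS_SUCCESS)
    {
        printf(" Found %d Handles.\n\n", pHandleInfo->uCount);
        printf(" PID\tHandle\t%-16s%-18sHandle Name\n", "Type", "Process Name");

        for (DWORD dwIdx = 0; dwIdx < pHandleInfo->uCount; dwIdx++)
        {
            // OpenProcess reports failure with NULL, not INVALID_HANDLE_VALUE;
            // the original test let a NULL process handle through to
            // DuplicateHandle and CloseHandle.
            HANDLE hProcess = OpenProcess(PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                          FALSE, pHandleInfo->Handles[dwIdx].uIdProcess);
            if (hProcess == NULL)
            {
                continue;
            }

            HANDLE hObject = NULL;
            if (DuplicateHandle(hProcess,
                                (HANDLE)pHandleInfo->Handles[dwIdx].Handle,
                                GetCurrentProcess(), &hObject, STANDARD_RIGHTS_REQUIRED, FALSE, 0) != FALSE)
            {
                LPWSTR lpwsName = GetObjectInfo(hObject, ObjectNameInformation);
                LPWSTR lpwsType = GetObjectInfo(hObject, ObjectTypeInformation);

                // GetObjectInfo returns NULL on failure; the original passed
                // that NULL straight to wcscmp.
                if (lpwsType != NULL && wcscmp(lpwsType, L"File") == 0)
                {
                    // Fixed-size, stack-allocated: no heap round trip per handle.
                    CHAR szProcess[MAX_PATH];
                    ZeroMemory(szProcess, sizeof szProcess);
                    GetModuleFileNameEx(hProcess, NULL, szProcess, MAX_PATH);
                    printf("%5d\t%6d\t%-16ws%-18s%ws\n",
                           pHandleInfo->Handles[dwIdx].uIdProcess,
                           pHandleInfo->Handles[dwIdx].Handle, lpwsType,
                           ((lstrlen(szProcess) > 0) ? PathFindFileName(szProcess) : "[System]"),
                           (lpwsName != NULL) ? lpwsName : L"");
                }

                // The original `delete lpwsName, lpwsType;` is a comma
                // expression: it released only lpwsName and leaked lpwsType
                // on every iteration. Both buffers come from `new BYTE[]`.
                delete[] (BYTE *)lpwsName;
                delete[] (BYTE *)lpwsType;
                CloseHandle(hObject);
            }
            CloseHandle(hProcess);
        }
        printf("\n\n");
    }
    else
    {
        printf("Error while trying to allocate memory for System Handle Information.\n");
    }

    delete[] (BYTE *)pHandleInfo;
    return 0;
}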
Tomorrow I'll post the complete code ... it only prints to the screen the
process handle, file handle and file path, but it is a good starting
point for doing a lot of things.
Bye