Cannot delete a file or folder

• Author
• Recent Posts

Leos Marek

Leos has started in the IT industry in 1995. For the past 15+ years he focused on Windows Server, VMware administration and security. Recently, Leos is focusing on automation via Ansible. He is also a Certified Ethical Hacker.

Latest posts by Leos Marek (see all)

• AccessChk: View effective permissions on files and folders - Thu, Apr 13 2023
• Read NTFS permissions: View read, write, and deny access information with AccessEnum - Wed, Mar 29 2023
• Kill Windows a process with Tskill and Taskkill - Mon, Mar 13 2023

Happened to me hundreds of times. I need to delete a file, but the system tells me it is in use. But I know that I don't have it opened anywhere. All my programs are closed. There might be several reasons for this, including:

• The file is opened by the System process (process ID 4)
• The file is opened by a program running in the background
• The file might be opened by a process that hangs

Unfortunately, the error message does not provide any valuable information. There are various methods for identifying the correct program and solving the problem. Today, you will learn how to use Handle, a command-line tool from the Sysinternals suite. You will also learn how to identify the program with Process Explorer, another Sysinternals suite tool.

This action cant be completed because the file is open in another program

Before we start with the tools, let's stop for a moment and talk about handles. Windows kernel mode comprises various subsystems, such as I/O Manager or Configuration Manager (registry) and some others. These subsystems define object types, which represent the resource the subsystem exposes to the application. I/O Manager defines the File object, while Configuration Manager defines the Key object. You can use the WinObj utility (also Sysinternals) to see all object types defined in a particular Windows version.

The WinObj utility shows all object types presented by Windows

When an application wants to use these objects, it must call the API to create or open the resource. If the operation succeeds, Windows creates a handle. The handle has an index value that is used by the application for further operations on that resource. File handles also have sharing mode information, which is set at the time the handle is opened. As you may guess, the sharing mode defines whether other callers (threads, processes) can open the same file for reading (R), writing (W), or deleting (D). If the sharing mode is not defined (-), the handle is exclusively for use by the owning process. Handles are exactly the reason why you cannot delete a file or folder.

Handle sharing mode information

Finding the program that is blocking file deletion with Handle

Handle is a command-line tool that displays information about object handles. The tool has several options, as you can see in the picture below. To describe each option is not the goal of this post, so I will only focus on three points: how to list all handles opened by a process, how to find a process that is using a specific file, and how to close that handle.

Handle is a command line tool to show object handle information

To list all handles opened by a process, use the -p option. The process can be defined by the process ID (PID) or its full or partial name. If it is defined by its name, whether full or partial, Handle will show results for all processes matching the name.

List handles by a process PID or name

To find a process that has opened a handle to a specific file name, simply type its full path without any additional options. In my case, I am looking for handles opened on file D:\temp\handle.docx.

Find and close a handle on a specific file

As you can see in the picture, I found that Microsoft Word has opened a handle to my file, with PID 8892 and handle value 1474. Now, I can move forward and close that handle. To do so, I have to use the PID and the handle value in the command, as follows:

handle.exe -c 1474 -p 8892

Handle will ask for confirmation that I really want to close that handle. This can be bypassed by using the -y option. Note that closing handles might be risky, as the application is not aware that the handle is being closed, and this may cause the application to crash. At this point, I can delete my handle.docx file even when Microsoft Word is still running and showing the file contents. Also note that Handle does not show DLLs and files loaded using a LoadLibrary API call, as such a call does not add a handle to the process handle table. For such cases, use Process Explorer, as described below.

Finding a DLL that is blocking file deletion with Process Explorer

Another quick method to find an open handle is to use Process Explorer. As described above, Process Explorer also shows open DLLs. Use the CTRL+F shortcut or click the binoculars icon to perform the search. The file path is not required here.

Finding a handle using Process Explorer

You can also close the handle from Process Explorer by right-clicking its name in the list and selecting Close Handle. Now, you can delete the file.

Final words

In this post, you have learned a little theory about handles and how to solve the mystery of which process is the culprit if you cannot delete a file or folder. It seems that Microsoft finally did a little upgrade in this regard, as in recent Windows versions, the error message usually tells you the blocking program name directly.