3

https://docs.microsoft.com/en-us/sysinternals/downloads/handle >>> I downloaded the file on this site. Everything is fine but I cannot do exactly what I want. I explained exactly what I wanted with video. I'm coding an application. I have set this up to work via CMD. How can I close the specified directory with a single code from CMD? I want to do this without needing a handles-id. I want to prepare this as a code. Please help me. :(

This code works like this. But I want to do this without needing a handle-id.

handle -c 0x1a2c -p Notepad.exe

I want to do it this way. But it doesn't work.

handle -c C:\Users\dream -p notepad.exe

I want to do it like in this video. How do I do this with the cmd command? I just want to specify a handles-directory. Sample: https://www.youtube.com/watch?v=cC2-5PPpLBo

5
  • As you say, handles only works with a hex value. You would need to find the handles associated with the file and also deal with the situation when a process has more than one handle on the same file. Commented Dec 29, 2020 at 12:29
  • You are going to have to use either handle -a or handle -p notepad to first list all the handles and then use another tool such as grep or a powershell equivalent to cycle through the handles you want.
    – Mokubai
    Commented Dec 29, 2020 at 13:07
  • cloudsavvyit.com/2956/…
    – Mokubai
    Commented Dec 29, 2020 at 13:08
  • Finally I found someone who understands me. :( Thank you. Finding a pid is easy. Difficult to remove handles attached to just a sample exe. I want to do this without needing handle-id. Can you send me a sample code for this? I am very newbie. I would really appreciate it. I love you. Thank you. Commented Dec 29, 2020 at 13:41
  • Looks like handle only accepts pid's these days, i.e. handle -c 33C -p 109004 -y
    – js2010
    Commented Dec 4, 2023 at 15:27

3 Answers

2

Danger! Forcing handles closed can cause cascade failure and data corruption in the target process.

If you want to do it anyway, you can use the below PowerShell script. It takes two arguments: the name of the process to target, then the path to the file/directory to close the handle(s) to. It requires the handle utility to be placed in the same directory.

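# Usage: .\handleclose.ps1 <process name> <path>
$targetPid = $null
$targetFile = $args[1]
# List the target process's handles and parse the output line by line
.\handle -p $args[0] | % {
    If ($_ -match 'pid: (\d*) ') {
        # Process header line: remember the PID for the close call
        $targetPid = $Matches[1]
    } ElseIf ($_ -match '([0-9A-F]*): File.{10}(.*)') {
        # File handle line: $Matches[1] is the hex handle value, $Matches[2] the path
        If ($Matches[2] -eq $targetFile) {
            # Close the matching handle; -y skips the confirmation prompt
            .\handle -c $Matches[1] -p $targetPid -y | Out-Null
        }
    }
}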

First, it invokes handle to list the handles of the target process. It then loops over the lines of output, parsing them with regular expressions. When it sees a line that specifies the target process's PID, it notes that for later use. When it later sees a line about a file handle, it checks whether the file is the one specified as a command-line argument and, if so, invokes handle again to close it.

If the script is saved as handleclose.ps1, you can run it from a command prompt like this:

powershell -ExecutionPolicy Bypass -c .\handleclose.ps1 TargetProcess.exe 'C:\path\to\file'

Tip: If you're looking for a GUI way to see and close handles, Sysinternals Process Explorer can do that.
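An added example, not part of the original answer: a dry-run version of the same parsing that closes nothing and instead returns every matching handle together with the close command that would be issued, so that several handles on one path, or several processes with the same name, can be reviewed first. The function names and the sample lines are constructed for illustration; the line format is assumed from the regular expressions above and the handle output quoted elsewhere on this page.

```powershell
# Parse the text output of `handle -p <name>` into objects (no handles are closed).
function ConvertFrom-HandleText {
    param([string[]]$Lines)
    $procName = $null; $procId = $null
    foreach ($line in $Lines) {
        if ($line -match '^(\S+)\s+pid: (\d+)\b') {
            # Process header: every handle line below belongs to this PID
            $procName = $Matches[1]; $procId = [int]$Matches[2]
        } elseif ($line -match '^\s*([0-9A-F]+): File\s+(?:\([-A-Z]+\)\s+)?(.*)$') {
            # The optional "(RW-)"-style flags column is an assumption about
            # other handle versions; the page's sample has only spaces there.
            [pscustomobject]@{
                Process = $procName
                PID     = $procId
                Handle  = $Matches[1]
                Path    = $Matches[2].TrimEnd()
            }
        }
    }
}

# Return only exact path matches, each with the command that would close it.
function Get-HandleClosePlan {
    param([string[]]$Lines, [string]$TargetPath)
    $want = $TargetPath.TrimEnd('\')
    ConvertFrom-HandleText -Lines $Lines |
        Where-Object { $_.Path.TrimEnd('\') -eq $want } |   # -eq ignores case
        Select-Object *, @{ n = 'Command'
            e = { '.\handle -c {0} -p {1} -y' -f $_.Handle, $_.PID } }
}

# Constructed sample: two notepad.exe processes, one holding two handles on the
# target directory, plus a longer path that must not match.
$sample = @(
    '------------------------------------------------------------------'
    'notepad.exe pid: 4242 DESKTOP\dream'
    '   40: File          C:\Users\dream'
    '  1A4: File          C:\Users\dream\Documents'
    '  2B0: File          C:\Users\dream'
    '------------------------------------------------------------------'
    'notepad.exe pid: 5150 DESKTOP\dream'
    '   3C: File          C:\Users\dream'
)

# For live use, replace $sample with the output of: .\handle -p notepad.exe
Get-HandleClosePlan -Lines $sample -TargetPath 'C:\Users\dream' |
    Format-Table PID, Handle, Path, Command -AutoSize
```

Against the sample this lists handles 40 and 2B0 in PID 4242 and 3C in PID 5150, and leaves out C:\Users\dream\Documents because the comparison is on the whole path.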

1

If the intention is to kill a process where the name of the executable and the path of some file in use are found, they coincide in a given PID ...

In command line:

wmic process where "name like '%notepad.exe%' and commandline like '%C:\\Users\\dream%'" delete

In bat/cmd file:

wmic process where "name like '%%notepad.exe%%' and commandline like '%%C:\\Users\\dream%%'" delete

In PowerShell using Get-WmiObject:

Get-WmiObject Win32_Process | % { if ($_.ProcessName -like '*Notepad.exe*' -and $_.CommandLine -like '*C:\Users\dream*') {kill $_.ProcessId}}

Using Get-CimInstance Win32_Process:

Get-CimInstance Win32_Process -Filter "name='notepad.exe'" | % { if ($_.CommandLine -like '*C:\Users\dream*') {kill $_.ProcessId}}

# Or.... 
Get-CimInstance Win32_Process -Filter "name='notepad.exe'" | 
% { if ($_.CommandLine -like '*C:\Users\dream*') {kill $_.ProcessId}}


-1

Using the csv output and powershell, it's pretty straightforward. These days you need the numeric PID to close a handle, otherwise you'll just get the usage help message. Handle64.exe may crash doing these, and the only option may be to reboot to run handle again as the same user. The yes/no prompt doesn't work over invoke-command.

handle js2010 -p emacs -nobanner -v | convertfrom-csv

Process : emacs.exe
PID     : 12616
Type    : File
Handle  : 0x00000040
Name    : C:\Users\js2010

It's asking y/n and I answer n. $name and $process can be partial matches.

$name = 'js2010'
$process = 'emacs'

handle $name -p $process -nobanner -v | convertfrom-csv | 
  % { handle -nobanner -c $_.Handle -p $_.PID }

   40: File          C:\Users\js2010
Close handle 40 in emacs.exe (PID 12616)? (y/n) n

Handle close aborted.
