Basic File Unlocker

[monoceres]

New release, this time I took a deep dive into the internals of windows to create a script that can find and close file handles in remote processes.

Usage:

Ever been annoyed by files that can't be deleted because some process have locked it(like explorer.exe)? With this neat little program those worries are all gone!

Drag 'n drop a file into the GUI, the script will immediately start searching the system for open handles to the file. When all the handles are found you will be asked what to do.

Press right button on GUI to view About dialog.

DISCLAIMER! IMPORTANT TO READ

As mentioned before this script uses undocumented function that microsoft does not give any support for. This means that the function may change without any warning by microsoft and unprediticeble effects can occour. An example of this is that unnamed pipes will be enumerated by the nt functions and trying to access this pipes will lead to extremely hard crashes (such has bluescreens and total system lockup). I have made checks to avoid access to these pipes, but as mentioned before, the function might change at any time so there aren't no guaranteses. The script is dangerous everall since it allows you to close handles to file that a process is trying to read or / and write to. This may cause crashes in respective process, therefore...

I take no responsibility for the possible effects of this script, you have been warned.

Just be careful.

Download

http://monoceres.se/Uploads/basic_unlocker.zip

Other

When comparing this script to other programs around the net you will notice that this script is really slow compared to the others, that's because most of them uses custom Nt Kernel drivers, something that obviously cannot be done in AutoIt.

I would also like to thank molotov @ sysinternals forum, I could never have done this without his help.

Enjoy!

[wraithdu]

Well, I can't say 100% that it's working or not...I can't seem to find an open handle on this computer. I tried explorer.exe, ntdll.dll, user32.dll, ntkrnlpa.exe.... I thought at least one of these (really all) should be open. This is an XP SP2 machine. Any ideas? Another way I can be sure to force an open handle for testing? Or to see if something internally is failing?

[Marlo]

Try opening a video file.

Cool script by the way

[monoceres]

Well, I can't say 100% that it's working or not...I can't seem to find an open handle on this computer. I tried explorer.exe, ntdll.dll, user32.dll, ntkrnlpa.exe.... I thought at least one of these (really all) should be open. This is an XP SP2 machine. Any ideas? Another way I can be sure to force an open handle for testing? Or to see if something internally is failing?

Try playing a video or listen to a song, that's what I did.

I don't find any handles to explorer.exe either. My guess is that it only enumerates things opened with CreateFile() and such.

[Emiel Wieldraaijer]

Hi Lookes nice..

but i cannot delete index.dat in \documents and settings\username\Local Settings\Temporary Internet Files\Content.IE5

Best regards,

Emiel

[TehWhale]

Obviously, another great script by monoceres! I think you should keep a .zip with every useful program you have made, and have a spot where users can download them

[OffTopic]I will have to talk with you about some GDI+ stuff at 1 PM IPBoard time [/OffTopic]

[wraithdu]

Hmmm, still no love on my XP work box. Freezes on Vista, of course LOL

I'll have to give it a shot on my XP box at home.

[monoceres]

Hmmm, still no love on my XP work box. Freezes on Vista, of course LOL

I'll have to give it a shot on my XP box at home.

Just for the record, this was developed on Win Vista Ultimate x86, tests were performed in VM on Win XP Pro x86.

x64 will probably fail.

[Zedna]

Sources looks nice - not tested yet.

Nice job monoceres

[TehWhale]

Whatt? It works for me on Vista.

[wraithdu]

Maybe I just didn't wait long enough? How long should it take to complete the scan on Vista?

[rasim]

Nice GUI design, but absolutely does not work

[Lazycat]

This should be nice thing, I long time thought about this in AU3. Sadly, this didn't work on WinXP (don't know about Vista).

I quickly look code, probably the first bug is incorrect OS_FILE value for XP. As mentioned here this value should be 28 for WinXP. After I changed this, script correctly processes about 130 file handles and then deadly freeze. Looks like this occur in the NtQueryInformationFile and/or NtQueryObject call. Maybe this will help you.

[ptrex]

@monoceres

Very Nice !!

Is this a replacement for the famous Unlocker

PS: It runs on my XP SP3 - x86 machine. But no open handles detected ?

Regards

ptrex

[monoceres]

This should be nice thing, I long time thought about this in AU3. Sadly, this didn't work on WinXP (don't know about Vista).

I quickly look code, probably the first bug is incorrect OS_FILE value for XP. As mentioned here this value should be 28 for WinXP. After I changed this, script correctly processes about 130 file handles and then deadly freeze. Looks like this occur in the NtQueryInformationFile and/or NtQueryObject call. Maybe this will help you.

Oh, I was so sure I changed that. Thanks, fixed it now.

Just tested with the new fix on my xp laptop, it works without any problems, the only reason I can think of is that it seems to have problems with parent processes or something (i noticed freezes when trying to query objects from Scite.exe, autoitwrapper.exe and autoit.exe), however I haven't got any freezes with the exe, so be surre to try it as well.

[wraithdu]

I've done some digging. The app freezes when calling NtQueryInformationFile on this object -

C:\Windows\System32\en-US\user32.dll.mui

I used Process Explorer to find the next object in the current PID AFTER the last successful query.

And one fix, in your NtQueryObject call, the "Length" of the string returned is the length in bytes, not including the terminating null, so your struct should be

$devicestr = DllStructCreate("wchar[" & Ceiling(DllStructGetData($poti, "Length") / 2) & "];", DllStructGetData($poti, "buffer"))

....I think

[monoceres]

I've done some digging. The app freezes when calling NtQueryInformationFile on this object -

C:\Windows\System32\en-US\user32.dll.mui

I used Process Explorer to find the next object in the current PID AFTER the last successful query.

And one fix, in your NtQueryObject call, the "Length" of the string returned is the length in bytes, not including the terminating null, so your struct should be

$devicestr = DllStructCreate("wchar[" & Ceiling(DllStructGetData($poti, "Length") / 2) & "];", DllStructGetData($poti, "buffer"))

....I think

Of course

I updated with your fix

[BuSykeniff]

Cool

[wraithdu]

I hope you don't mind, I'm working on a version that will hopefully work on Vista using a different method. I'll post when I have something.

[monoceres]

I hope you don't mind, I'm working on a version that will hopefully work on Vista using a different method. I'll post when I have something.

Of course not, I'm curious how you're going to do it