Comments on: Who opened that file? https://www.dumpanalysis.org/blog/index.php/2008/05/30/who-opened-that-file/ Structural and Behavioral Patterns for Software Diagnostics, Forensics and Prognostics Wed, 06 May 2026 03:26:17 +0000 http://wordpress.org/?v=2.3.3 By: Software Generalist » Blog Archive » Reading Notebook: 18-August-09 https://www.dumpanalysis.org/blog/index.php/2008/05/30/who-opened-that-file/#comment-89454 Software Generalist » Blog Archive » Reading Notebook: 18-August-09 Tue, 18 Aug 2009 14:09:36 +0000 https://www.dumpanalysis.org/blog/index.php/2008/05/30/who-opened-that-file/#comment-89454 [...] !devhandles WinDbg command, searching for open files (p. 155) - it looks like it is done through device prefix to a file name; I’ve done simple text search for a file name if known through all handle tables: http://www.dumpanalysis.org/blog/index.php/2008/05/30/who-opened-that-file/ [...] […] !devhandles WinDbg command, searching for open files (p. 155) - it looks like it is done through device prefix to a file name; I’ve done simple text search for a file name if known through all handle tables: http://www.dumpanalysis.org/blog/index.php/2008/05/30/who-opened-that-file/ […]

]]> By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2008/05/30/who-opened-that-file/#comment-89452 Dmitry Vostokov Tue, 18 Aug 2009 14:04:18 +0000 https://www.dumpanalysis.org/blog/index.php/2008/05/30/who-opened-that-file/#comment-89452 I found another technique via !devhandles WinDbg command, searching for open files (Windows Internals, 5th edition, p. 155) I found another technique via !devhandles WinDbg command, searching for open files (Windows Internals, 5th edition, p. 155)

]]> By: Kobi Ben Tzvi https://www.dumpanalysis.org/blog/index.php/2008/05/30/who-opened-that-file/#comment-34175 Kobi Ben Tzvi Mon, 14 Jul 2008 12:03:33 +0000 https://www.dumpanalysis.org/blog/index.php/2008/05/30/who-opened-that-file/#comment-34175 I usually use ProcExp's find handle command, but this seems to be great addition to the toolbox. Thanks Dima I usually use ProcExp’s find handle command, but this seems to be great addition to the toolbox.

Thanks Dima

]]>