Created
May 30, 2024 23:18
-
-
Save jborean93/590cb5e2ca9ab69e42c30fdf85eb0353 to your computer and use it in GitHub Desktop.
Gets the process ids that has the requested file(s) opened
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Copyright: (c) 2024, Jordan Borean (@jborean93) <jborean93@gmail.com> | |
# MIT License (see LICENSE or https://opensource.org/licenses/MIT) | |
#Requires -Module Ctypes | |
#Requires -Version 7.3 | |
Function Get-FileProcess { | |
<# | |
.SYNOPSIS | |
Get the process that has opened the requested file. | |
.DESCRIPTION | |
Output the path and process id of each process that has an opened HANDLE of | |
the provided files. | |
.PARAMETER Path | |
The paths to check for opened handles, this supports wildcard matching. | |
.PARAMETER LiteralPath | |
The paths to check for opened handles, this is the literal path with no | |
wildcard matching. | |
.EXAMPLE | |
Get-FilePath -Path C:\temp\test.txt | |
# Path PID | |
# ---- --- | |
# C:\temp\test.txt 824 | |
.OUTPUTS | |
An object with Path and PID being the file path the process id of the | |
opened handle. | |
.NOTES | |
If the file(s) requested do not have an opened handle then there will be no | |
output. | |
#> | |
[CmdletBinding(DefaultParameterSetName = "Path")] | |
param ( | |
[Parameter( | |
Position = 0, | |
Mandatory, | |
ValueFromPipeline, | |
ValueFromPipelineByPropertyName, | |
ParameterSetName = "Path")] | |
[string[]] | |
$Path, | |
[Parameter( | |
Mandatory, | |
ValueFromPipelineByPropertyName, | |
ParameterSetName = "LiteralPath")] | |
[string[]] | |
[Alias("PSPath")] | |
$LiteralPath | |
) | |
begin { | |
$k32 = New-CtypesLib Kernel32.dll | |
$ntdll = New-CtypesLib Ntdll.dll | |
$FileProcessIdsUsingFileInformation = 47 | |
$FILE_FLAG_BACKUP_SEMANTICS = 0x02000000 | |
$STATUS_INFO_LENGTH_MISMATCH = 0xC0000004 | |
ctypes_struct FILE_PROCESS_IDS_USING_FILE_INFORMATION { | |
[int]$NumberOfProcessIdsInList | |
[MarshalAs('ByValArray', SizeConst=1)][IntPtr[]]$ProcessIdList | |
} | |
ctypes_struct IO_STATUS_BLOCK { | |
[int]$Status | |
[IntPtr]$Information | |
} | |
$ioStatus = [IO_STATUS_BLOCK]::new() | |
$procIdOffset = [int][System.Runtime.InteropServices.Marshal]::OffsetOf[FILE_PROCESS_IDS_USING_FILE_INFORMATION]( | |
'ProcessIdList') | |
} | |
process { | |
if ($PSCmdlet.ParameterSetName -eq 'Path') { | |
$allPaths = $Path | ForEach-Object -Process { | |
$provider = $null | |
try { | |
$PSCmdlet.SessionState.Path.GetResolvedProviderPathFromPSPath($_, [ref]$provider) | |
} | |
catch [System.Management.Automation.ItemNotFoundException] { | |
$PSCmdlet.WriteError($_) | |
} | |
} | |
} | |
elseif ($PSCmdlet.ParameterSetName -eq 'LiteralPath') { | |
$allPaths = $LiteralPath | ForEach-Object -Process { | |
$resolvedPath = $PSCmdlet.SessionState.Path.GetUnresolvedProviderPathFromPSPath($_) | |
if (-not (Test-Path -LiteralPath $resolvedPath)) { | |
$msg = "Cannot find path '$resolvedPath' because it does not exist" | |
$err = [System.Management.Automation.ErrorRecord]::new( | |
[System.Management.Automation.ItemNotFoundException]::new($msg), | |
"PathNotFound", | |
"ObjectNotFound", | |
$resolvedPath) | |
$PSCmdlet.WriteError($err) | |
return | |
} | |
$resolvedPath | |
} | |
} | |
foreach ($filePath in $allPaths) { | |
# ReadAttributes can open a file even if it's locked by another | |
# process. It also can open files where we have dir access but not | |
# to the file itself. | |
$fileHandle = $k32.CharSet('Unicode').SetLastError().CreateFileW[Microsoft.Win32.SafeHandles.SafeFileHandle]( | |
$filePath, | |
[System.Security.AccessControl.FileSystemRights]::ReadAttributes, | |
[System.IO.FileShare]'ReadWrite, Delete', | |
$null, | |
[System.IO.FileMode]::Open, | |
$FILE_FLAG_BACKUP_SEMANTICS, | |
$null) | |
if ($fileHandle.IsInvalid) { | |
$exp = [System.ComponentModel.Win32Exception]::new($k32.LastError) | |
$err = [System.Management.Automation.ErrorRecord]::new( | |
$exp, | |
"FailedToOpenFileHandle", | |
"NotSpecified", | |
$filePath) | |
$err.ErrorDetails = "Failed to open handle for '{0}' (0x{1:X8}): {2}" -f @( | |
$filePath, $exp.NativeErrorCode, $exp.Message) | |
$PSCmdlet.WriteError($err) | |
continue | |
} | |
$bufferLength = 8192 | |
$buffer = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($bufferLength) | |
try { | |
while ($true) { | |
$res = $ntdll.NtQueryInformationFile( | |
$fileHandle, | |
[ref]$ioStatus, | |
$buffer, | |
$bufferLength, | |
$FileProcessIdsUsingFileInformation) | |
if ($res -eq $STATUS_INFO_LENGTH_MISMATCH) { | |
$bufferLength = $bufferLength * 8192 | |
$buffer = [System.Runtime.InteropServices.Marshal]::ReAllocHGlobal($buffer, $bufferLength) | |
} | |
else { | |
break | |
} | |
} | |
if ($res -ne 0) { | |
$errCode = $ntdll.TrlNtStatusToDosError($res) | |
$exp = [System.ComponentModel.Win32Exception]::new($errCode) | |
$err = [System.Management.Automation.ErrorRecord]::new( | |
$exp, | |
"FailedToRetrievePidList", | |
"NotSpecified", | |
$filePath) | |
$err.ErrorDetails = "Failed to retrieve PID list for '{0}' (0x{1:X8}): {2}" -f @( | |
$filePath, $exp.NativeErrorCode, $exp.Message) | |
$PSCmdlet.WriteError($err) | |
continue | |
} | |
$idInfo = [System.Runtime.InteropServices.Marshal]::PtrToStructure( | |
$buffer, | |
[type][FILE_PROCESS_IDS_USING_FILE_INFORMATION]) | |
$pidsBuffer = [IntPtr]::Add($buffer, $procIdOffset) | |
for ($i = 0; $i -lt $idInfo.NumberOfProcessIdsInList; $i++) { | |
$processId = [System.Runtime.InteropServices.Marshal]::ReadIntPtr( | |
$pidsBuffer, | |
([IntPtr]::Size * $i)) | |
[PSCustomObject]@{ | |
Path = $filePath | |
PID = $processId | |
} | |
} | |
} | |
finally { | |
$fileHandle.Dispose() | |
[System.Runtime.InteropServices.Marshal]::FreeHGlobal($buffer) | |
} | |
} | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment