Listing All Open Handles

Handles can represent files, ports, mutexes and other objects. By using the undocumented Native API function NtQuerySystemInformation(), you can list all open handles from all processes. Here’s a small program that does that.

This is basically a ported version of the “HandleList” application by someone known as Napalm on the sysinternals.com forums. I added and removed some bits, and translated it to Delphi.

The handle values returned by NtQuerySystemInformation are only meaningful to the processes that opened those handles, so we need to call DuplicateHandle to get our own copy of any given handle. Some handles can’t be duplicated, so this application won’t be able to retrieve their type/name. However, you could inject a DLL in those applications to analyze a handle in its owner’s context.
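The enumerate-then-duplicate sequence described above, as an added example (it is not the post's downloadable source or the original HandleList code). The record layouts and the information-class values 16 and 2 come from the commonly published Native API definitions rather than from this page, and names such as TSysHandle and TNtUnicodeString are made up for the example.

```delphi
program DupHandleTypes;
{$APPTYPE CONSOLE}
uses Windows, SysUtils;
const
  SystemHandleInformation = 16;  // SYSTEM_INFORMATION_CLASS value (assumed, see lead-in)
  ObjectTypeInformation = 2;     // OBJECT_INFORMATION_CLASS value (assumed, see lead-in)
  STATUS_INFO_LENGTH_MISMATCH = Integer($C0000004);
type
  TSysHandle = record            // natural alignment: 16 bytes on Win32, 24 on Win64
    ProcessId, BackTraceIndex: Word;  // the PID is only 16 bits wide in this class
    ObjectType, Flags: Byte;
    Handle: Word;                // value in the OWNER's handle table, not ours
    ObjectPtr: Pointer;
    GrantedAccess: ULONG;
  end;
  PHandleInfo = ^THandleInfo;
  THandleInfo = record Count: ULONG; Handles: array[0..0] of TSysHandle; end;
  PNtUnicodeString = ^TNtUnicodeString;
  TNtUnicodeString = record Length, MaximumLength: Word; Buffer: PWideChar; end;
function NtQuerySystemInformation(InfoClass: ULONG; Buf: Pointer; Size: ULONG; RetLen: PULONG): Integer; stdcall; external 'ntdll.dll';
function NtQueryObject(H: THandle; InfoClass: ULONG; Buf: Pointer; Size: ULONG; RetLen: PULONG): Integer; stdcall; external 'ntdll.dll';
var
  Info: PHandleInfo; Size: ULONG; Status, I: Integer;
  Proc, Dup: THandle; TypeBuf: array[0..1023] of Byte;
begin
  Size := $10000; Info := nil;
  repeat                         // grow the buffer until the whole handle table fits
    Size := Size * 2;
    ReallocMem(Info, Size);
    Status := NtQuerySystemInformation(SystemHandleInformation, Info, Size, nil);
  until Status <> STATUS_INFO_LENGTH_MISMATCH;
  if Status >= 0 then
    for I := 0 to Integer(Info^.Count) - 1 do
    begin
      Proc := OpenProcess(PROCESS_DUP_HANDLE, False, Info^.Handles[I].ProcessId);
      if Proc = 0 then Continue; // owner process not accessible to us: skip it
      if DuplicateHandle(Proc, Info^.Handles[I].Handle, GetCurrentProcess, @Dup,
        0, False, DUPLICATE_SAME_ACCESS) then
      begin                      // Dup is a copy that is valid in our own handle table
        if NtQueryObject(Dup, ObjectTypeInformation, @TypeBuf, SizeOf(TypeBuf), nil) >= 0 then
          with PNtUnicodeString(@TypeBuf)^ do  // buffer starts with the type name
            Writeln(Format('PID %5d  handle $%.4x  %s', [Info^.Handles[I].ProcessId,
              Info^.Handles[I].Handle, WideCharLenToString(Buffer, Length div 2)]));
        CloseHandle(Dup);
      end;
      CloseHandle(Proc);
    end;
  FreeMem(Info);
end.
```

Only the object type is queried here, because asking for the object name of some handles (certain pipes, for example) can block the calling thread. Handles whose owner cannot be opened with PROCESS_DUP_HANDLE, or whose duplication fails, are silently skipped, which is the limitation the paragraph above describes.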

There’s a lot of possible improvements I can’t be bothered to make now 😛

Download
Source code (7 KB, Delphi)

More info
http://undocumented.ntinternals.net/
http://www.informit.com/articles/article.asp?p=22442
http://forum.sysinternals.com/forum_posts.asp?TID=3577&PN=3&TPN=2

2 Responses to “Listing All Open Handles”

  1. shlomo says:

    sir
    I was looking to find a comm (rs232) program association
    and found your source on your page
    However, when I use Process Explorer I “see” under file >\device\serial0
    whereas with your source I do not
    Any help or idea thanks
    shlomo
    I tried playing with the and could not resolve

  2. White Shadow says:

    This code is more than 2 years old; I’m not at all surprised it has some glitches. Also, as noted in the post, some opened handles can’t be shown by this program because it would require injecting code into the target process, which this example can’t do.
