
I'm using Sysinternals' handle.exe and I'm trying to understand the output.

Here's a snippet:

```
  24C: File  (RW-)   C:\Program Files (x86)\Google\Chrome\Application\Dictionaries\en-US-8-0.bdic
  2E8: Section       \Sessions\1\BaseNamedObjects\CrSharedMem_5ae414b12a307dbddc3f42b8b35edcbf313107945050b3aaab1602ecd937c940
  2F4: Section       \Sessions\1\BaseNamedObjects\CrSharedMem_ccfa88ab65617b75dbdcb72cb6512bf1a9cc76d07a25e9f770b46f4f7c2234bf
  314: File  (R--)   C:\Windows\Fonts\arial.ttf
  324: File  (R--)   C:\Windows\Fonts\arialbd.ttf
  328: File  (R--)   C:\Windows\Fonts\arialbi.ttf
```

1. What does the number at the start mean?
2. What does "Section" mean? I can understand an open file, but what's an open section?
3. What does the RWD triplet mean? I'm guessing R and W are read and write, but what's D?

Ram Rachum
  • It is hard to judge the research effort you put into your question. – Micha Wiedenmann Oct 08 '18 at 12:08
  • 1. This is the handle value. 2. "Section" is the real name of the "file mapping" object. 3. Share access of the file: Read, Write, Delete – RbMm Oct 08 '18 at 12:10
  • 1. I have no idea what that means. Is that the ID? 2. I have no idea what that means. 3. Permission to delete a file? If it's about the share access, is the open mode (read or write) completely ignored? – Ram Rachum Oct 09 '18 at 06:09

1 Answer


The first column is the HANDLE value, it serves as the unique identifier of the OS kernel object. Like the ID column of a database record. It is only useful if you need to compare it with what the debugger tells you when you debug code.

The second column identifies the type of OS object. "File" is obvious, a "Section" is an object that allows processes to share memory. "Memory mapped file" is the usual phrase in programming. "Mutant" tends to be confusing, it is a mutex in normal speech. The author of the program uses the kind of terms that David Cutler likes, he speaks with a VMS lisp. The WinObj utility is another way to look at these kernel objects.

The letters in parentheses are the sharing options specified when the object was created. The third argument to CreateFile. Important to know since it tells you what another program can do when it also wants to access the object. R says that it can read, W says that it can write, D says that it can delete the object without affecting anybody else that uses the object. The object won't be destroyed until everybody closes their handle. An anti-malware scanner or search indexer are typical examples of programs that use delete sharing.

Hans Passant
  • "Section" and "Memory mapped file" are separate things? – Ram Rachum Oct 10 '18 at 16:45
  • "An anti-malware scanner or search indexer are typical examples of programs that use delete sharing." Could you explain the reasoning? I don't understand. – Ram Rachum Oct 10 '18 at 16:47
  • These are services that run in the background, reading files. They need to do the job by not interfering with any other program that might also access those files. – Hans Passant Oct 10 '18 at 17:43
  • Interesting. Let's say I'm opening a file in my Python program on Windows. How do I communicate "Open the file but allow others to delete it"? – Ram Rachum Oct 12 '18 at 08:31
  • It is not a capability that is exposed in Python, the entire notion of specifying sharing options is lacking. Not exactly a Python omission, it is missing in the standard C language runtime library. Operating systems were much simpler in the 1970s. [This question](https://stackoverflow.com/q/43009584/17034) talks about it. – Hans Passant Oct 12 '18 at 09:05
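
As an added example (not part of the original question or answers): a small Python parser for handle.exe lines in the layout shown in the question. It decodes the hex handle value, the object type and the share-mode triplet into the `FILE_SHARE_*` bits, and lists file handles opened without delete sharing. The sample lines are constructed, and the names `HandleEntry`, `parse_handles` and `blocks_delete` are hypothetical.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample in the layout shown in the question (object names are made up).
SAMPLE = r"""
  24C: File  (RW-)   C:\Program Files (x86)\Google\Chrome\Application\Dictionaries\en-US-8-0.bdic
  2E8: Section       \Sessions\1\BaseNamedObjects\CrSharedMem_example
  314: File  (R--)   C:\Windows\Fonts\arial.ttf
  3A0: File  (RWD)   C:\Temp\scan-target.bin
  3B4: Mutant        \Sessions\1\BaseNamedObjects\ExampleMutex
"""

# Win32 share-mode bits (third argument to CreateFile), values from winnt.h.
FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE = 0x1, 0x2, 0x4
SHARE_BITS = {"R": FILE_SHARE_READ, "W": FILE_SHARE_WRITE, "D": FILE_SHARE_DELETE}

# "<hex handle>: <type> [(RWD)] <name>"; the triplet only appears on File lines.
LINE_RE = re.compile(
    r"^\s*(?P<handle>[0-9A-Fa-f]+):\s+(?P<type>\S+)\s*"
    r"(?:\((?P<share>[RWD-]{3})\)\s+)?(?P<name>.*\S)?\s*$"
)

class HandleEntry(NamedTuple):
    handle: int                # handle value, printed in hex by handle.exe
    type: str                  # kernel object type: File, Section, Mutant, ...
    share_mode: Optional[int]  # OR of FILE_SHARE_* bits, None if no triplet
    name: str

def parse_line(line: str) -> Optional[HandleEntry]:
    m = LINE_RE.match(line)
    if not m:
        return None  # blank line, banner or anything else that is not a handle row
    share = m.group("share")
    mode = None if share is None else sum(SHARE_BITS[c] for c in share if c != "-")
    return HandleEntry(int(m.group("handle"), 16), m.group("type"), mode, m.group("name") or "")

def parse_handles(text: str) -> list:
    return [e for e in map(parse_line, text.splitlines()) if e]

def blocks_delete(entry: HandleEntry) -> bool:
    """True for handles whose share mode lacks FILE_SHARE_DELETE."""
    return entry.share_mode is not None and not entry.share_mode & FILE_SHARE_DELETE

if __name__ == "__main__":
    for e in parse_handles(SAMPLE):
        note = "  <- no delete sharing" if blocks_delete(e) else ""
        print(f"{e.handle:#06x} {e.type:8} {e.name}{note}")
```
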