What a coincidence, we had this happen recently and wrote a PowerShell
script to run handle every minute around the time of the issue to find the
cause.  We found it was McAfee and that the database admin moved a database
path and it was no longer excluded.  In this example I picked word.exe at
random.

-- start file
#############################################################################################################
#        Name:  detectFileLocks.ps1
#      Author:  Steven Peck
#        Date:  3/17/2011
# Description:  Script to check and log file locks on a specific file
#      Source:
#    Requires:  Handle.exe from sysinternal in same directory as the source_directory
# scheduled task
#############################################################################################################
# Set date/time format (used as the name of each log file)
$date = Get-Date -Format M-d-yyyy-HHmmss
# set source directory
$source_directory = "c:\scripts\handle"
# set file to monitor
$monitoredfile = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office\word.exe"
# cmd and output: the call operator (&) runs handle.exe, so its output
# (not the command text itself) is written to the timestamped log file
& "$source_directory\handle.exe" $monitoredfile | Out-File "$source_directory\$date.txt"
--- end file



On Thu, Mar 31, 2011 at 8:29 AM, Ziots, Edward <[email protected]> wrote:

> I would also use handle.exe which should show you what process has what
> open at the time, I have a sneaking suspicion that your backup software
> has a lock on the file during the time. Can you have the backup software
> exclude the directory in which you run the batch file, and see if the
> lock alleviates.
>
> Z
>
> Edward E. Ziots
> CISSP, Network +, Security +
> Network Engineer
> Lifespan Organization
> Email:[email protected]
> Cell:401-639-3505
>
> -----Original Message-----
> From: Charlie Kaiser [mailto:[email protected]]
> Sent: Thursday, March 31, 2011 10:06 AM
> To: NT System Admin Issues
> Subject: RE: Find out what is doing this
>
> Crank up auditing on the file and see who's accessing it. Also, with
> process monitor, see what other processes are involved...
>
> ***********************
> Charlie Kaiser
> [email protected]
> Kingman, AZ
> ***********************
>
>
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]]
> > Sent: Thursday, March 31, 2011 7:02 AM
> > To: NT System Admin Issues
> > Subject: RE: Find out what is doing this
> >
> > No backups at the time of error.
> >
> > -----Original Message-----
> > From: Charlie Kaiser [mailto:[email protected]]
> > Posted At: Thursday, March 31, 2011 9:58 AM
> > Posted To: [email protected]
> > Conversation: Find out what is doing this
> > Subject: RE: Find out what is doing this
> >
> > Is there a backup going on at that time?
> >
> > ***********************
> > Charlie Kaiser
> > [email protected]
> > Kingman, AZ
> > ***********************
> >
> >
> > > -----Original Message-----
> > > From: [email protected] [mailto:[email protected]]
> > > Sent: Thursday, March 31, 2011 6:55 AM
> > > To: NT System Admin Issues
> > > Subject: RE: Find out what is doing this
> > >
> > > Here is the process
> > > .bat creates setenv.bat in dir x
> > > About every 60 seconds all day long.
> > > > At around 11:00pm each night this process fails with a sharing
> > > > violation of setenv.bat.
> > > > Rerun the automated task and it runs.  The problem is this file is
> > > > being created all day long no issues just around 11:00pm.  With process
> > > > monitor we see the sharing violation but can't tell what was trying
> > > > to share it or what was sharing it at the time??
> > > Need more guidance with process monitor I guess?
> > > Can I turn on auditing for dir x ?
> > > Will Windows give me more of a feel for what failed?
> > >
> > >
> > > -----Original Message-----
> > > From: Ben Scott [mailto:[email protected]]
> > > Posted At: Thursday, March 31, 2011 9:34 AM
> > > Posted To: [email protected]
> > > Conversation: Find out what is doing this
> > > Subject: Re: Find out what is doing this
> > >
> > > On Thu, Mar 31, 2011 at 9:21 AM, [email protected] <[email protected]>
> > > wrote:
> > > > Have a third party that creates a file before it runs.
> > >
> > >   You need to explain that using a lot more words.  :)
> > >
> > > > > We're also using a piece of software called Process Monitor and we
> > > > > were able to pin it down last night to a 'Sharing Violation' .
> > >
> > >   "Sharing Violation" nominally means a file was already open or
> > > locked when the program tried to access it.
> > >
> > >   Of course, that's also one of the error codes that Microsoft
> > > sometimes uses for completely unrelated things, so there's a
> > > (relatively small) chance it's something else.
> > >
> > > -- Ben
> > >
> > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> > > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
> > >
> > > ---
> > > To manage subscriptions click here:
> > > http://lyris.sunbelt-software.com/read/my_forums/
> > > or send an email to [email protected]
> > > with the body: unsubscribe ntsysadmin
> > >
> > >
> > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> > > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
> > >
> > > ---
> > > To manage subscriptions click here:
> > http://lyris.sunbelt-software.com/read/my_forums/
> > > or send an email to [email protected]
> > > with the body: unsubscribe ntsysadmin
> >
> >
> >
> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
> >
> > ---
> > To manage subscriptions click here:
> > http://lyris.sunbelt-software.com/read/my_forums/
> > or send an email to [email protected]
> > with the body: unsubscribe ntsysadmin
> >
> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
> >
> > ---
> > To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> > or send an email to [email protected]
> > with the body: unsubscribe ntsysadmin
>
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
>
>

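Added example, not part of the original message or thread: a variant of the once-a-minute handle.exe capture described above that parses each match into a row and appends it to one CSV, so the process holding the file at the time of the sharing violation can be read off by timestamp. Assumptions: handle.exe prints one match per line in the shape shown in the comment, its -accepteula switch is used so an unattended scheduled task does not stall on the license prompt, the function names are hypothetical, and the sample lines are constructed.

```powershell
# Assumed handle.exe match line:  <process>  pid: <n>  type: <type>  <hex handle>: <path>
$HandleLine = '^(?<Proc>\S.*?)\s+pid:\s*(?<Id>\d+)\s+type:\s*(?<Type>\S+)\s+(?<Handle>[0-9A-Fa-f]+):\s+(?<Path>.+)$'

function ConvertFrom-HandleOutput {
    # Turns raw handle.exe lines into objects; banner and "no match" lines are skipped.
    param([string[]]$Lines, [datetime]$Seen = (Get-Date))
    foreach ($line in $Lines) {
        if ($line -match $HandleLine) {
            [pscustomobject]@{
                Seen      = $Seen.ToString('s')      # sortable timestamp for correlation
                Process   = $Matches['Proc']
                ProcessId = [int]$Matches['Id']
                Type      = $Matches['Type']
                Handle    = $Matches['Handle']
                Path      = $Matches['Path'].Trim()
            }
        }
    }
}

function Write-HandleLog {
    # Runs handle.exe against one file and appends any holders found to a CSV log.
    param([string]$HandleExe, [string]$MonitoredFile, [string]$LogCsv)
    $raw  = & $HandleExe -accepteula $MonitoredFile 2>$null
    $rows = @(ConvertFrom-HandleOutput -Lines $raw)
    if ($rows.Count -gt 0) {
        $rows | Export-Csv -Path $LogCsv -Append -NoTypeInformation
    }
    $rows
}

# Offline demonstration on constructed output (process name and path are made up):
$sample = @(
    'scanner.exe        pid: 1844   type: File           6A4: C:\dirx\setenv.bat',
    'No matching handles found.'
)
ConvertFrom-HandleOutput -Lines $sample | Format-Table -AutoSize

# Scheduled-task usage with the directory from the script above (run elevated):
# Write-HandleLog -HandleExe 'c:\scripts\handle\handle.exe' `
#                 -MonitoredFile 'C:\dirx\setenv.bat' `
#                 -LogCsv 'c:\scripts\handle\locks.csv'
```

Rows are written only when something holds the file, so an empty CSV around the failure time means the sampling interval missed the lock.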