Find out which computer has opened a file on the server's network share

4

I have a Windows Server 2008 and it shares a folder. Many clients access that folder and the inherit files. One client opens one dll file sporadically with mode rw, so after that no other client can load the dll.

Now I want to determine which client does it. All tools I found:

  • openfile
  • net
  • sharewatch
  • NetShareMonitor

don't show me the network client which opens the file in rw mode.

I think it is the antivirus program, but I need to know which client has the file opened.

Edit:

  • The clients are windows machines
  • All clients use the same user, so I can't determine the client with the username

Biber

Posted 2016-02-01T11:35:41.510

Reputation: 251

Could you clarify what you mean by client? – Jonno – 2016-02-01T11:42:48.213

a client is a PC with a win7, win8 or win10 OS – Biber – 2016-02-01T12:45:09.893

Answers

2

This may be of use to you:

I can't be certain it's the same location on Server edition, but I accessed it through Win + X -> Computer Management -> System Tools -> Shared Folders -> Open Files

This lists each open file handle, its "Open Mode" (Read/ReadWrite) and the user. You can also close the file handle from this location.

Jonno

Posted 2016-02-01T11:35:41.510

Reputation: 18 756

Yes, I know that dialog, but I can't determine the name (or IP) of the client PC. I only know the user, and the user is always the same. – Biber – 2016-02-01T12:57:53.850

1@Biber Compare the list against net session from CMD, which should tell you which IP address a user is coming from. – Jonno – 2016-02-01T13:00:05.417

The user is always the same, so I can't compare anything... – Biber – 2016-02-01T13:02:02.480

@Biber Ah, okay. This makes things difficult, as I believe the file is locked against a user. Sorry, I don't know a way to narrow that down. – Jonno – 2016-02-01T13:04:58.647

For your reference, you can right click the list and close the session if the file is locked. This page is not view only :) – Bilo – 2016-02-01T13:37:04.850

@Bilo I did include that in the last sentence, but thank you ;) – Jonno – 2016-02-01T13:39:58.540

2

We have been wanting to do this for years!

Today we spotted this utility:

https://www.nirsoft.net/utils/network_opened_files.html

Fantastic!

Edit:

You can use NetworkOpenedFiles from Nirsoft to determine which host has an open file on a Windows file share.

Michael Melling

Posted 2016-02-01T11:35:41.510

Reputation: 21

Welcome to Super User. Please read How to recommend software for minimum required information and other suggestions on how to recommend software on Super User. To keep your answer useful even if included link(s) breaks please [edit] these details into your answer.

– I say Reinstate Monica – 2018-10-30T12:36:58.133

2

This is an old question, but nevertheless:

If you have PowerShell 4.0+ (which does not come with Windows Server 2008, you would have to update your PowerShell version), you could use this:

Directly on the server:

Get-SmbOpenFile | where-object { $_.Path -like 'C:\foo\bar\*' }

from a RemoteMachine:

$cim = New-CimSession ServerName -Credential (get-credential)
Get-SmbOpenFile -CimSession $cim | where-object { $_.Path -like 'C:\foo\bar\*' }

Get-SmbOpenFile returns a list of all open files on the server, which we filter with Where-Object to only see the ones we're looking for.

This will return amongst other things the ClientComputerName which is the IP of the computer that has opened the file.

Here's an example output:

PS C:\WINDOWS\system32> get-smbopenfile -cimsession $cim | where-object { $_.Path -like 'D:\Daten\Transfer\*' }

    FileId       SessionId    Path                 ShareRelativePath ClientComputerName ClientUserName PSComputerName
    ------       ---------    ----                 ----------------- ------------------ -------------- --------------
    347355680805 348160786757 D:\Daten\TRANSFER\xy TRANSFER\xy       10.0.0.114         INTERNAL\xy    Server

If you then want to quickly see what's the hostname of the returned IP-Address, use:

[Net.DNS]::GetHostByAddress("10.0.0.114") | select -expand HostName

SimonS

Posted 2016-02-01T11:35:41.510

Reputation: 4 566
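
Because the file in the question is opened only sporadically, a single query can miss the moment it happens. The following added example (not part of SimonS's answer or the original thread) polls Get-SmbOpenFile on the server and logs every new handle matching the filter with a timestamp and the reverse-resolved client, using only the properties shown in the example output above. The path filter, log path and polling interval are assumed values.

```powershell
# Added example, not from the thread. Assumed values: $Pattern, $LogPath, $IntervalSeconds.
# Run elevated on a file server where Get-SmbOpenFile (SmbShare module) is available.
param(
    [string]$Pattern         = 'C:\foo\bar\*.dll',            # path filter, as in the answer
    [string]$LogPath         = 'C:\Temp\smb-open-files.csv',  # hypothetical log location
    [int]   $IntervalSeconds = 5                              # assumed polling interval
)

$seen = @{}   # FileId -> $true, so each open handle is logged only once

function Resolve-ClientName([string]$Client) {
    # ClientComputerName is usually an IP address; reverse-resolve it and
    # fall back to the raw value when no PTR record exists.
    try   { [System.Net.Dns]::GetHostEntry($Client).HostName }
    catch { $Client }
}

while ($true) {
    $open = @(Get-SmbOpenFile | Where-Object { $_.Path -like $Pattern })

    foreach ($f in $open) {
        if ($seen.ContainsKey($f.FileId)) { continue }
        $seen[$f.FileId] = $true

        # One CSV row per newly observed handle
        [pscustomobject]@{
            Timestamp          = (Get-Date).ToString('s')
            Path               = $f.Path
            ClientComputerName = $f.ClientComputerName
            ResolvedHost       = Resolve-ClientName $f.ClientComputerName
            ClientUserName     = $f.ClientUserName
            SessionId          = $f.SessionId
            FileId             = $f.FileId
        } | Export-Csv -Path $LogPath -Append -NoTypeInformation
    }

    # Forget handles that have been closed so the table does not grow forever
    $current = @($open | ForEach-Object { $_.FileId })
    foreach ($id in @($seen.Keys)) {
        if ($current -notcontains $id) { $seen.Remove($id) }
    }

    Start-Sleep -Seconds $IntervalSeconds
}
```

A handle that is opened and closed between two polls is not recorded, so keep the interval short relative to how long the file stays locked.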