When System PID 4 is locking a file or folder, How can I determine what program/process/service is locking it without guesswork?

(This question is not a duplicate of Find out which process is locking a file or folder in Windows I am asking specifically about when PID-4 is locking it (besides the fact that i'm saying without using guesswork. And that question doesn't even mention PID-4))

For example , see this result from process explorer showing a file that may be locked.

Now, without any guesswork, how can I determine what is locking it? (When the only info I see from process explorer is that it's SYSTEM/PID-4)

Added

Somebody asked if it is a duplicate of Process Explorer: How to find out what System PID 4 is The questoin is similar.. but there's no answer there that answered my case.. Also, the question there iis very simplistic and says "How could I find out which application "System, PID: 4" really is?"

I know that PID 4 isn't an application. It is something system related.. and may be a service.

So my question is not the same as that one. That one has misunderstandings about what PID 4 is and somebody could partly answer that question by just saying what it is and is not.

barlop

Posted 2019-01-18T19:54:08.777

Reputation: 18 677

@Moab Not a duplicate of that question, see my edit to explain why incase it wasn't obvious – barlop – 2019-01-18T20:30:44.160

https://stackoverflow.com/questions/4378192/windows-2008-r2-kernel-system-process-pid-4-is-locking-files-and-folders System IS the process, it's the Kernel. And this StackOverflow question references Windows 7. – music2myear – 2019-01-18T23:06:41.470

@music2myear great link. (And if it works then an incredible find). Funnily enough I see that service "Application Experience", is described as "stopping" on my machinie, unfortunately I can't start it even when picking 'manual'.. But I think that service may be the issue, i'll look into what I can do re that service. – barlop – 2019-01-19T00:04:34.050

Does this answer your question? Process Explorer: How to find out what System PID 4 is

– Gaia – 2020-01-16T19:56:13.167

@music2myear https://stackoverflow.com/questions/46685916/unable-to-copy-file-obj-debug-to-bin-debug-access-to-the-path-bin-debug-is-deni/53334130 was a bug in Malware Bytes Anti Virus (MBAM)!

– barlop – 2020-01-17T04:01:46.080

Answers

It's the Windows Kernel. This virtual process contains all running kernel-mode drivers. This also includes Windows File Sharing, HTTP.SYS and probably all virus scanners.

Unfortunately, file handle accounting is only done at process level, so you won't be able to get additional information.

(source) (also flagging as duplicate)

Gaia

Posted 2019-01-18T19:54:08.777

Reputation: 4 549

you just plagiarised somebody else's answer, you copy/pasted it from another question – barlop – 2020-01-17T03:55:45.890

it ain't plagiarism when the source is cited, go grab your dictionary. PLUS I flaged it as a duplicate question. – Gaia – 2020-01-17T05:24:21.520

You didn't include quotation marks so you made out like it was your own words and simply gave a link to a source that you used, except that you had actually copy/pasted it.. Also, you aren't meant to be copy/pasting answers from other users on the site. Furthermore, I didn't ask what PID 4 was, nor did I misstate what it was necessitating a correction, which is what was the case in that question you linked to – barlop – 2020-01-17T05:28:52.943

Oh excuse me sir, I missed the quotes. Nice work, detective! – Gaia – 2020-01-17T05:30:21.640

I could to an extent in that case and perhaps one could in some other cases..

For that one a lock on that file was causing an error from visual studio, and when I looked up that error I got a result about malware bytes causing a problem with it, i.e. there was a bug in malware bytes, that it'd lock the file. https://stackoverflow.com/questions/46685916/unable-to-copy-file-obj-debug-to-bin-debug-access-to-the-path-bin-debug-is-deni/53334130#53334130

There are perhaps certain suspect culprit programs.. anti-malware running, maybe 'application experience' being not manual.. Infact, the 'application experience' service was listed for me as 'stopping', and that may be because of a bug in malware bytes(MBAM).. That service needs to be manual.. at least for visual studio but maybe for other programs too. And it would be that by default anyway. If it's not then like in this case maybe a program is crashing it.

So as a general rule, if there's a piece of software that can't access the file, or can't do something with the file, or certain files, or its files, or files that it created, or files that it is working or dealing with, then that can be a useful thing to look for on google rather than just the file being locked 'cos for just the file being locked there don't seem to be many clues when it's PID 4.. Anti-malware may be a culprit though as it does scan files.

barlop

Posted 2019-01-18T19:54:08.777

Reputation: 18 677

@ItWasn'tMe I recommend cygwin https://www.cygwin.com/setup-x86_64.exe A lot of the other tools aren't well maintained and go out of date. I mention some of the tools here https://superuser.com/questions/168202/difference-between-unxutils-and-gnuwin32 and it seems to me that cygwin is most up to date, but if you find one that is better or as up to date as cygwin, then let me know.

– barlop – 2020-02-28T08:07:07.587