Can Windows tell me what is using my USB drive?

107

Being the good citizen I am, I left-click on the "Safely Remove Hardware" icon in my taskbar, and select my USB drive to dismount.

Then I get the message:

Windows can't stop your Generic volume device because it is in use. Close any programs or windows that might be using the device, and then try again later.

Of course, being the Operating System, it knows exactly what applications are using my device. So why won't it tell me?

Or is there a way that I can find out?

PP.

Posted 2009-12-24T17:00:39.650

Reputation: 1 995

1I have had numerous occasions with Vista where I could never figure it out and it wouldn't "release" the USB until I had re-boot/shutdown. Upgraded to Win7 and have not had that problem since, so I figured, at least on my PC, it was a system driver issue. – BBlake – 2009-12-24T19:02:17.783

Answers

You can use Sysinternals Process Explorer to find the handle for any files that are open. Just select the Find menu and select Find Handle or DLL. In the dialog that opens enter the drive letter into the search box. The search results should show all of the files that are open from the drive and which process has them open.

heavyd

Posted 2009-12-24T17:00:39.650

Reputation: 54 755

4After Killing the offending process, Windows would still not free the USB drive. Go figure.... – Grantly – 2015-12-24T13:18:30.147

2I only explored the drive with Explorer. Then from a cmd.exe shell, I ran a backup script on that drive, which finished. Closed the cmd.exe window. Killed and restarted Explorer.exe with Taskmgr. Still, the drive is in use and won't eject. – Kaz – 2016-07-06T05:28:40.290

3Process Explorer finds nothing for M:. – Kaz – 2016-07-06T05:47:01.623

2If Process explorer shows nothing, you may use Nirsoft's OpenedFilesView software. You won't see which program is using the drive (or Process Explorer would have found it too) but you will still see the handles, the used files and have a possibility to close them (if you feel like risking it) – LeFauve – 2016-07-28T23:37:02.323

4Windows Explorer itself can sometimes lock drives. You can relaunch Windows Explorer in the Task Manager in Windows 10 (scroll all the way down to find it). In older versions of Windows, you will have to End explorer.exe , and explicitly run explorer.exe from the File menu. – Christopher Hostage – 2017-03-01T17:05:46.723

119

Simpler Method: Windows (10 at least, AFAIK) creates an entry in the event log when you try to eject a removable drive and you cannot because a process has a lock on it. The two Event IDs 225 will show the process ID and the name of the process responsible for the lock.

Step by step:

1) Start the event viewer

2) Open up "Windows Logs" then "System"

3) Right click on "System" and choose "Filter Current Log"

4) In the dialog that comes up, enter "225" (without quotes) where it says "All Event IDs"

5) You will then see all events related to unable to eject because a process locked the drive.

6) Look at the timestamps on all these entries and find out which ones relate to the actual time when you tried to eject the drive.

7) Take appropriate action. Ending a task gracefully (closing the program that has the lock) is OK most of the time. Stopping the Windows Search service is also ok. Stopping an antivirus scan should be ok (if you don't suspect you have any viruses at the time). Going into the task manager and killing the process might not be ok. How to deal with this is beyond the scope of this question.

8) (Save the view...) in Actions panel (in the right frame) you could "Save Filter to Custom View..." so you'll find it in "Custom Views" (in the left frame above the "Windows Logs")

Process ID:

Process Name:

8) If you don't have another entry with a process name, the System process (process id 4) is holding your drive. To get around this one you will have to go to disk management and put the drive you want to eject offline. If the file is on your boot drive, you can't put it offline. In this case, see the note below:

UPDATE 2018: I've seen applications such as WhatsApp Desktop keeping handles on Chrome Canary via the System Process. Since you cannot eject the boot disk (beacuse it is in use), the solution was to use another nifty Sysinternals utility, called Handle. After you close the program which has the locked file, launch handle and run (as an example) handle64 "Chrome SxS\Application\chrome.exe" to see if the handles are still present on the file that has the PID 4 lock. Via trial and error, close each program running, until there are no more handles on the locked file.

Best method (paid)

Download and run SafelyRemove. It helps you eject the drive and if it can't do it, it displays which processes have a lock on it:

Gaia

Posted 2009-12-24T17:00:39.650

Reputation: 4 549

1Can you please tell about number 225. How you got it ? – Ajeeb.K.P – 2016-07-29T04:34:35.817

It is the Event ID for this type of Event. – Gaia – 2016-07-29T14:38:29.450

3The application System with process id 4 stopped the removal or ejection for the device ... Well... I'll try disabling Distributed Link Tracking Client and see if that helps. – Tithen-Firion – 2017-03-19T08:33:39.453

20Windows 10 Task Manager can prevent removal as well! Who new. – Alex Che – 2017-10-12T15:47:04.253

If nothing else works, shut down your computer then remove the external device – Pierre – 2018-01-19T16:23:57.550

Great answer. Although ironically, the screenshot shows Process ID 4 (System), which doesn't help, because you can't terminate this process. – hazymat – 2018-01-29T13:56:11.653

3Also works well for win7. Probably works fine on win8 too. Thanks for this method. The problem can be infuriating. – Syndacate – 2018-02-17T11:12:47.443

Confirm works in Win 8.1. Now I know that every time this has happened was because of task manager. – Matthew W – 2018-02-27T17:50:48.633

2Useful tip. Thanks for that. I have saved a custom view "Locked Devices" for future quick access to this filtered view. – Steve Crane – 2018-05-18T06:54:22.110

I had found this procedure in https://www.addictivetips.com/windows-tips/how-to-find-which-app-or-process-is-using-a-usb-in-windows/ . Surprisingly, the Task Manager was preventing safe ejection of my USB drive.

– sancho.s Reinstate Monica – 2018-05-29T03:24:57.817

So I'm going to be skipping straight to turning the drive offline to handle eject problems from now on, because diagnosing the problem just makes it take longer. – Steven Armstrong – 2019-02-01T21:48:28.297

Depending on your write cache policy for the removable device, you might lose data when you do that. @StevenArmstrong – Gaia – 2019-02-02T18:49:50.097

I've accidentally removed removable drives too many times to leave that kind of thing to chance. Best practices must include the possibility of someone catching the USB cord with their hand when reaching for something near the computer, or the cat pushing the backup drive off the desk. – Steven Armstrong – 2019-02-03T01:40:42.080

FYI: In my case, it was Avast bugging me. Even stopping the active shield it didn't allow me to properly eject. Only worked with blakev (diskmgmt.msc) solution. – Tiago Cardoso – 2019-02-08T20:41:40.160

You can also use command line to query the Windows log, with wevtutil.exe (since Windows 7) with the knowledge that the Windows Kernel-PnP uses Event ID 225 to log system (always having process id 4) refusal to remove or eject the device USB\VID_####&PID_############ (where the #'s denote hexadecimal numbers).

wevtutil qe System /q:"*[System[(EventID=225)]]" /c:5 /f:text /rd:true

qe System : query events from System log
/q : query with XPath
EventID=225 means the system refused an ejection request
/c:5 : number of entries to retrieve (5 here)
/f:text : format (default is xml)
/rd:true : reverse order (newest first)

I use it in a batch script.

Tchonialite

Posted 2009-12-24T17:00:39.650

Reputation: 61

I love this, it is a true copy and paste gem! Works perfectly. It shows the application that blocked eject, the process ID of that instance of the application and USB device ID that was blocked. – Jon – 2019-12-12T15:25:30.777

Here's a quick PowerShell command to query the event log and show which application is blocking drive ejection (works for me with Windows 10, probably works with 7/8 too)

Get-EventLog -LogName System -after (Get-Date).AddHours(-1) | Where-Object {$_.EventID -eq 225} | Sort-Object TimeGenerated | Format-Table -Wrap

The output will list all instances in the past hour where the system couldn't eject a disk drive. The Message column shows the process that blocked ejection. In my example below, task manager was actually the culprit and I was able to eject after closing task manager.

PS C:\Users\Jonathan> Get-EventLog -LogName System -after (Get-Date).AddHours(-1) | \Where-Object {$_.EventID -eq 225} | Sort-Object TimeGenerated | Format-Table -Wrap

   Index Time          EntryType   Source                 InstanceID Message
   ----- ----          ---------   ------                 ---------- -------
   14692 Sep 07 10:50  Warning     Microsoft-Windows-Ke          225 The application \Device\HarddiskVolume4\Windows\System32\Taskmgr.exe with process id 11972 stopped
                                   rnel-PnP                          the removal or ejection for the device USB\VID_0781&PID_5575\200445301013C111B1A0.
   14693 Sep 07 10:50  Warning     Microsoft-Windows-Ke          225 The application \Device\HarddiskVolume4\Windows\System32\Taskmgr.exe with process id 11972 stopped
                                   rnel-PnP                          the removal or ejection for the device USB\VID_0781&PID_5575\200445301013C111B1A0.

Jon

Posted 2009-12-24T17:00:39.650

Reputation: 404

For me (Windows 7).

Hit Windows key
In "search programs and files: type: diskmgmt.msc
In search list find entry and right click - select run as administrator
Enter admin credentials to run "Disk Management" (if required)
Find offending usb drive that won't eject in disk list
Left hand panel, right click select "Eject"
Handles "should" close - you can always double check in sys internals process explorer

Note: "Safely remove hardware and eject media" taskbar icon no longer shows usb drive - just three dots

Physically remove drive

blakev

Posted 2009-12-24T17:00:39.650

Reputation: 51

4No left hand panel or Eject command in Windows 7 Disk Management. (Version 1.00, according to Help/About). I can Shrink it, Delete it, Mark it Active, Format, ... no Eject. – Kaz – 2016-07-06T05:32:42.797

1Couldn't find Eject either, but the Offline option did the job. And don't forget to set it online again when reconnecting your storage device. – Adriano P – 2016-09-29T02:25:00.007

2Recently I've used 'Offline' to stop my external USB-SSD disk which most probably was somehow used by system (Win 10), after that "safe remove" did work. Some time later I re-plugging that disk and have got disk with "RAW" partition. By executing of chkdsk /f f: file system was somehow re-enginerried, but everything landed in 'found.000'. So ... that method does not look to be really safe. Luckily i did not have anything really important on that disk ... – Xtra Coder – 2016-11-10T10:02:54.000

You can start resmon.exe (through WIN+R), go to disk > Disk Activity > Sort by File Now you can see all files being accessed by the system and which processes are accessing them, ordered by the file path (which btw starts with a drive letter). May not work with all cases, but it's a simple approach.

Restarting the computer seems "free up" device usage. Also for faster removal, you can disable windows caching on Hardware section of your device, sometimes windows will take longer than expected to flush the cache to external disk and will display that message saying that the device is in use (because it will be, by Windows itself)

Felype

Posted 2009-12-24T17:00:39.650

Reputation: 149

Similar to this: In resmon.exe, in the CPU tab. Scroll down to the Associated Handles box. There is a Search Handles search box there, where you could enter the locked drive's letter. – Andrew – 2018-02-11T12:10:22.163

If you open "My Computer" and your drive is not listed under the "Removable Storage" headers, then Windows is viewing it as a fixed system resource for some reason. You will have to unmount any partitions on the drive.

If this is the case, open "Computer Management", then go to "Disk Management". For each partition on the device, right-click the partition, select "Change Drive Letters and Paths", and remove any drive letters assigned to that partition. Once you do so, you should find that the "safely eject" feature works as you had hoped.

user1575326

Posted 2009-12-24T17:00:39.650

Reputation: 31

1This worked exactly as you described on my laptop running Windows 7 Home Premium. I do wish the button in windows would use the word "Unmount" instead of "Remove" (which is worrying similar to "delete" in my mind). – steveOw – 2019-06-01T21:21:02.247

Had USB that windows reported as being in use...same as everyone else here.

In Windows 10 Ctrl+Alt+Del gets to Task Manager.

Find by scrolling - Windows Explorer. and highlight.

Bottom right is a nice friendly button called "Restart Process"

Double triple check that "Windows Explorer" is the only thing highlighted.

Mouse left-click the friendly button "Restart Process".

I only had a single Explorer, others sometimes have two. Just note which one comes back on. Try and close/eject the USB. Mine worked fine, close the USB.

If yours does not eject/close, then probably it was the other Explorer. Try again and Restat that one. Good Luck.

John Henson

Posted 2009-12-24T17:00:39.650

Reputation: 1

Welcome to superuser: Please read the question again carefully. Your answer does not answer the original question."Can Windows tell me what is using my USB drive?"Please take a couple of minutes and read:- http://superuser.com/help .Answering: http://superuser.com/help/how-to-answer, again welcome to superuser.Thankyou

– mic84 – 2018-03-26T08:31:30.730