How to Tell Who Has a Shared File Open
File sharing is a key component of teamwork. However, users with full permissions on files and folders are the ideal target for cyber-criminals. Continuous tracking of file permissions is a must for organizations.
To know who has a shared file open, you can use various tools like Process Explorer, File Properties, and session logs. The following article will help you to understand these tools in detail.
Occasionally, you may find that a shared file is already open on another computer. This can happen if desktop software doesn’t close the file correctly, or if someone forgot to log off before leaving the office for the day.
You can use the Windows command-line tool psFile to see who has a file on a local share opened. The tool displays a list of all currently active processes, which includes files that are in use by other users.
If you have edit permissions on a file, any changes you make appear automatically in the version other people see. You can also disable viewer info for your own content.
If you’re the owner of a file, you can view who has it open by clicking or tapping the person icon (
If you don’t have a comprehensive file server auditing solution in place, one option is to look at the properties of the file. A window will open showing the current effective permissions on that file (including read, write and execute) held by users.
Seasoned IT pros may also use the openfiles command to display files opened by local processes from a command line. This is less convenient than the Computer Management GUI and should only be used for debugging purposes.
Note that when you move a file into a shared folder, it adopts the viewer info settings of the new location. The owner of a folder and members who can manage access to that folder can disable viewer info on individual files within the folder. This won’t prevent people who have already viewed the content from disabling viewer info. However, it will stop people from sharing the same content with others. If the file is still in use by a user, you can kill their process from the terminal to free up the file.
When someone uses a shared file, a record of this activity is logged in the system. These logs often have timestamps that make troubleshooting a breeze.
In addition to the details outlined above, session logs also provide the name of the user who reads or opens a file and what mode (read or write+read) the file is opened in. This information is particularly useful when it comes to determining who has a shared file open.
Using free tools such as WhoHasAccess, teams can scan their drives and generate reports of files they’ve shared with other users. This can save time over individually checking permissions for each file. A similar option is to run the openfiles command on a computer management console to see a list of all open files on the current SMB server. This command returns the open file ID, which can then be used to force close the file remotely. Teams can also export a session log to a format that is readable by asciinema, allowing them to replay the recorded logs.
If you haven’t already, check out the Sysinternals Primer delivered by Aaron Margosis and Tim Reckmeyer at TechEd 2010. It focuses on a variety of tools that are available for monitoring and troubleshooting Windows systems, including Process Explorer and Process Monitor.
One of the great things about Process Explorer is that it allows you to see what handles and DLLs processes have opened. This can help if you are trying to track down DLL version problems and other resource leaks.
The tool also provides a wealth of other information, including a process tree that lets you see the relationship between parent and child processes. This can be helpful when you are troubleshooting issues, such as uploads to a shared network folder that fail due to files being locked. Moreover, you can also use the tool to identify what the originating process is. You can then force close it, which might help resolve the issue. Alternatively, you could install another application, such as SolarWinds Server & Application Monitor, to track file activity in real time.