openfiles.exe

  • File Path: C:\Windows\system32\openfiles.exe
  • Description: Displays the current open files list

Hashes

Type Hash
MD5 E9B42270F9D7C5F8F11C1FCCACDDA2B8
SHA1 03837335A68E92E907FD46CA3BB59094ABAE0081
SHA256 F559EB1DE240CC388D2D1B612D45B8AD962822783FCF36EC8C541ED0F29C9D48
SHA384 8E2C6043D94B324AC03C95F656B4F3CB84BC7485FE26A99B4DC9528E3794B61CEC8A2E1CEA400B7D7E92F88CB094A59D
SHA512 E47B20B7B71DB151FF0785194F5B68874E986E749A7CD294D4EC943D38961A29731163DFE0636906C108DE8CA08F634678BA6D1FDB0F5CEED6021237EA25DD6A
SSDEEP 1536:ZophSZFo1G6cxXw2Z01utNJCL3vwVy4GvJ482E69vP+f0Pz9nEPx4zF:ZoYh5ZUX3vyyZiC0zhEPxc
IMP A7F4C437854AA08D24A43D35AF38A943
PESHA1 57EF9896CDAA266A6AF722175D496EA2E5451132
PE256 890719FE4AF9C2D6537FECBCF9F9DEF5343DC720C3E7CCA1823DA903A00FC683

Runtime Data

Usage (stdout):


OPENFILES /parameter [arguments]

Description:
    Enables an administrator to list or disconnect files and folders
    that have been opened on a system.

Parameter List:
    /Disconnect      Disconnects one or more open files.

    /Query           Displays files opened locally or from shared
                     folders.

    /Local           Enables / Disables the display of local open files.

    /?               Displays this help message.

Examples:
    OPENFILES /Disconnect /?
    OPENFILES /Query /?
    OPENFILES /Local /?

Usage (stderr):

ERROR: Invalid syntax.
Type "OPENFILES /?" for usage.

Loaded Modules:

Path
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\system32\openfiles.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: opnfiles.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link: https://www.virustotal.com/gui/file/f559eb1de240cc388d2d1b612d45b8ad962822783fcf36ec8c541ed0f29c9d48/detection

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


openfiles

Enables an administrator to query, display, or disconnect files and directories that have been opened on a system. This command also enables or disables the system Maintain Objects List global flag.

openfiles /disconnect

Enables an administrator to disconnect files and folders that have been opened remotely through a shared folder.

Syntax

openfiles /disconnect [/s <system> [/u [<domain>\]<username> [/p [<password>]]]] {[/id <openfileID>] | [/a <accessedby>] | [/o {read | write | read/write}]} [/op <openfile>]
Parameters
Parameter Description
/s <system> Specifies the remote system to connect to (by name or IP address). Don’t use backslashes. If you don’t use the /s option, the command is run on the local computer by default. This parameter applies to all files and folders that are specified in the command.
/u [<domain>\]<username> Runs the command using the permissions of the specified user account. If you don’t use the /u option, system permissions are used by default.
/p [<password>] Specifies the password of the user account that is specified in the /u option. If you don’t use the /p option, a password prompt appears when the command is run.
/id <openfileID> Disconnects open files by the specified file ID. You can use the wildcard character (*) with this parameter.<p>Note: You can use the openfiles /query command to find the file ID.
/a <accessedby> Disconnects all open files associated with the user name specified in the accessedby parameter. You can use the wildcard character (*) with this parameter.
/o {read | write | read/write} Disconnects all open files with the specified open mode value. Valid values are Read, Write, or Read/Write. You can use the wildcard character (*) with this parameter.
/op <openfile> Disconnects all open file connections that are created by a specific open file name. You can use the wildcard character (*) with this parameter.
/? Displays help at the command prompt.

Examples

To disconnect all open files with the file ID 26843578, type:

openfiles /disconnect /id 26843578

To disconnect all open files and directories accessed by the user hiropln, type:

openfiles /disconnect /a hiropln

To disconnect all open files and directories with read/write mode, type:

openfiles /disconnect /o read/write

To disconnect the directory with the open file name *C:\testshare*, regardless of who is accessing it, type:

openfiles /disconnect /a * /op c:\testshare\

To disconnect all open files on the remote computer srvmain that are being accessed by the user hiropln, regardless of their ID, type:

openfiles /disconnect /s srvmain /u maindom\hiropln /id *

openfiles /query

Queries and displays all open files.

Syntax

openfiles /query [/s <system> [/u [<domain>\]<username> [/p [<password>]]]] [/fo {TABLE | LIST | CSV}] [/nh] [/v]
Parameters
Parameter Description
/s <system> Specifies the remote system to connect to (by name or IP address). Don’t use backslashes. If you don’t use the /s option, the command is run on the local computer by default. This parameter applies to all files and folders that are specified in the command.
/u [<domain>\]<username> Runs the command using the permissions of the specified user account. If you don’t use the /u option, system permissions are used by default.
/p [<password>] Specifies the password of the user account that is specified in the /u option. If you don’t use the /p option, a password prompt appears when the command is run.
[/fo {TABLE | LIST | CSV}] Displays the output in the specified format. Valid values include:<ul><li>TABLE - Displays output in a table.</li><li>LIST - Displays output in a list.</li><li>CSV - Displays output in Comma Separated Values (CSV) format.</li></ul>
/nh Suppresses column headers in the output. Valid only when the /fo parameter is set to TABLE or CSV.
/v Specifies that detailed (verbose) information be displayed in the output.
/? Displays help at the command prompt.

Examples

To query and display all open files, type:

openfiles /query

To query and display all open files in table format without headers, type:

openfiles /query /fo table /nh

To query and display all open files in list format with detailed information, type:

openfiles /query /fo list /v

To query and display all open files on the remote system srvmain by using the credentials for the user hiropln on the maindom domain, type:

openfiles /query /s srvmain /u maindom\hiropln /p p@ssW23

[!NOTE] In this example, the password is supplied on the command line. To prevent displaying the password, leave out the /p option. You’ll be prompted for the password, which won’t be echoed to the screen.

openfiles /local

Enables or disables the system Maintain Objects List global flag. If used without parameters, openfiles /local displays the current status of the Maintain Objects List global flag.

[!NOTE] Changes made by using the on or off option don’t take effect until you restart the system. Enabling the Maintain Objects List global flag might slow down your system.

Syntax

openfiles /local [on | off]
Parameters
Parameter Description
[on | off] Enables or disables the system Maintain Objects List global flag, which tracks local file handles.
/? Displays help at the command prompt.

Examples

To check the current status of the Maintain Objects List global flag, type:

openfiles /local

By default, the Maintain Objects List global flag is disabled, and the following message appears, INFO: The system global flag 'maintain objects list' is currently disabled.

To enable the Maintain Objects List global flag, type:

openfiles /local on

The following message appears when the global flag is enabled, SUCCESS: The system global flag 'maintain objects list' is enabled. This will take effect after the system is restarted.

To disable the Maintain Objects List global flag, type:

openfiles /local off

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.