
I'm using handle.exe from SysInternals to grab information about open handles. Running just handle.exe -p cmd to get the handles for cmd.exe, I get the following output. Other output is similar, just much longer.

cmd.exe pid: 22916 NT AUTHORITY\SYSTEM
   3C: File  (RW-)   C:\Windows
   7C: File  (RW-)   C:\Program Files (x86)\ManageEngine\AssetExplorer\bin
------------------------------------------------------------------------------
cmd.exe pid: 22264 RADHSV\nsshinabarger
   3C: File  (RW-)   C:\Users\nsshinabarger\Downloads\Handle
  12C: File  (R-D)   C:\Windows\System32\en-US\cmd.exe.mui

I assume the R and W stand for read and write, but I can't seem to find documentation on what the D stands for. Could someone tell me what it stands for, or point me towards documentation?

Thank you!

2 Answers

2

Disclaimer: This answer goes into some depth on Windows kernel internals.

Gist:

ShareAccess parameter from NtCreateFile().

| Name | ShareAccess       |  Value   |
|:----:|:-----------------:|:--------:|
| R    | FILE_SHARE_READ   | 1        |
| W    | FILE_SHARE_WRITE  | 2        |
| D    | FILE_SHARE_DELETE | 4        |

How it works

  • The handle program gets the process ID from the process name. Then it passes the process ID/client ID to Process Explorer's kernel-mode driver, i.e. the PROCEXP152.sys file. If the driver is not present, it creates one.

  • In kernel mode, the 0x8335004C IOCTL query iterates over all the handles/objects associated with that process and determines each object's type with ZwQueryObject() and ObReferenceObjectByHandle().

  • When a 'file' handle is received, the 0x83350048 IOCTL query uses ZwOpenProcess() and ObReferenceObjectByHandle() to obtain the FILE_OBJECT structure.

  • Then the kernel mode driver creates a bit-field by checking the shared access booleans, like this:

```c
/* Kernel-mode driver: pack the FILE_OBJECT share flags into a bit-field.
   The bit values match the ShareAccess table above. */
ULONG Mode = 0;
if (FileObject->SharedRead)     /* FILE_SHARE_READ   = 1 */
    Mode |= 1;
if (FileObject->SharedWrite)    /* FILE_SHARE_WRITE  = 2 */
    Mode |= 2;
if (FileObject->SharedDelete)   /* FILE_SHARE_DELETE = 4 */
    Mode |= 4;
```

And the user-mode program receives that 'Mode' value and converts it into characters, like this:

```c
/* User mode: turn the Mode bit-field into the three-character column,
   printed in the order R, W, D (e.g. "(RW-)" or "(R-D)"); '-' means the
   corresponding share flag was not set. */
CHAR ReadChar   = '-';
CHAR WriteChar  = '-';
CHAR DeleteChar = '-';
if (Mode & 1)
    ReadChar   = 'R';
if (Mode & 2)
    WriteChar  = 'W';
if (Mode & 4)
    DeleteChar = 'D';
```
Biswapriyo
  • 11,584
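A small decoder for that column, added here as an example (it is not code from the answer above or from the Sysinternals tools): it assumes the FILE_SHARE_* values from the table, the line layout shown in the question, and a constructed sample of handle.exe output. It also flags handles opened with no sharing at all, which is what makes a file appear "locked" to other programs.

```python
import re

# Share-mode flags passed in the ShareAccess parameter of NtCreateFile()
# (dwShareMode in CreateFile()); values taken from the table in the answer.
FILE_SHARE_READ = 0x1
FILE_SHARE_WRITE = 0x2
FILE_SHARE_DELETE = 0x4

# Column position in handle.exe's "(RWD)" field -> flag it represents.
SHARE_COLUMNS = (("R", FILE_SHARE_READ), ("W", FILE_SHARE_WRITE), ("D", FILE_SHARE_DELETE))


def mode_to_text(mode: int) -> str:
    """Mirror the user-mode step: bit-field -> 'RW-' style string."""
    return "".join(ch if mode & flag else "-" for ch, flag in SHARE_COLUMNS)


def text_to_mode(text: str) -> int:
    """Inverse: 'R-D' -> FILE_SHARE_READ | FILE_SHARE_DELETE."""
    if len(text) != 3:
        raise ValueError(f"bad share column {text!r}")
    mode = 0
    for got, (ch, flag) in zip(text, SHARE_COLUMNS):
        if got == ch:
            mode |= flag
        elif got != "-":
            raise ValueError(f"unexpected {got!r} in {text!r}")
    return mode


# Matches "  12C: File  (R-D)   C:\path"; pid headers, separators and
# non-File handle lines do not match and are skipped.
LINE_RE = re.compile(r"^\s*([0-9A-F]+):\s+File\s+\(([RWD-]{3})\)\s+(.*)$")


def parse_file_handles(output: str) -> list[dict]:
    """Parse handle.exe output into decoded File handle records."""
    rows = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        handle, share, path = m.groups()
        mode = text_to_mode(share)
        rows.append({"handle": int(handle, 16), "path": path, "share": share,
                     "mode": mode, "exclusive": mode == 0})
    return rows


# Constructed sample modelled on the question's output (the third line is made up).
SAMPLE = """\
cmd.exe pid: 22264 RADHSV\\nsshinabarger
   3C: File  (RW-)   C:\\Users\\nsshinabarger\\Downloads\\Handle
  12C: File  (R-D)   C:\\Windows\\System32\\en-US\\cmd.exe.mui
  130: File  (---)   C:\\Temp\\locked.log
"""
```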
0

This is the sharing mode of the file handle – see dwShareMode under CreateFile() in the Win32 API documentation.

Sharing mode is practically the opposite of "mandatory locks": the program specifies, when opening a file, whether other programs should be allowed to open it simultaneously. (I believe it dates back to MS-DOS era "LAN Manager" networking. See also the SMB protocol documentation.)

The letters stand for read/write/delete.

grawity
  • 501,077