HANDLE.EXE (still) doesn't find many of the handles that Process Explorer does find

  • Question

  • Quite often "handle foo" doesn't find anything, whereas searching for "foo" in Process Explorer does.

    This issue has been reported for years, but is still present.

    Can we expect this to be fixed someday?

    Thursday, August 30, 2018 9:42 AM

All replies

  • Hello

    I'm currently looking at a similar issue for another of the tools, so now would be a great time for me to take a look at this too. Wondering if you have a reproduction scenario that you could share with me?


    Thursday, September 6, 2018 4:56 PM
  • Well... HANDLE.EXE most often returns "no handles found"...

    I've just picked a random DLL loaded by a random (system) process, and this was the case!

    This is Process Explorer 16.21, system is running 64-bit Windows 10 RS4 build 10.0.17134.254

    Thursday, September 6, 2018 7:12 PM
  • Have you tried specifying the -p parameter?

    C:\tools\Sysinternals\Handle>handle -p 10324 -a | findstr /i file
        4: Key           HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
       44: File  (RW-)   C:\Windows\System32
       7C: File  (---)   \Device\CNG
      2F0: File  (---)   \Device\KsecDD
      314: File  (R-D)   C:\Windows\System32\en-US\
      3B4: File  (R-D)   C:\Windows\System32\en-US\propsys.dll.mui
      3E0: File  (---)   \Device\DeviceApi
      464: Key           HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
      4EC: File  (RW-)   C:\Windows\WinSxS\
      628: File  (R-D)   C:\Windows\System32\en-US\KernelBase.dll.mui

    And the corresponding handle entries in Process Explorer (for brevity I omitted non-file handles but these seem to correlate too)

    Not suggesting that there's not an issue here - rather I am trying to understand what the issue is.


    • Edited by markc(msft) Thursday, September 6, 2018 10:39 PM
    Thursday, September 6, 2018 10:36 PM
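
An added example, not part of the original thread and not Sysinternals code: it parses a `handle -p <pid> -a` listing by its Type column, because a substring filter such as `findstr /i file` also returns Key handles whose names contain "File" (handles 4 and 464 in the output above). The line layout is inferred from the listings in this thread, and the function names are hypothetical.

```python
import re
from typing import List, NamedTuple, Optional

# Ten lines copied from the `handle -p 10324 -a | findstr /i file` output above,
# plus two constructed lines (150 and 154) for handle types that carry no name.
SAMPLE = r"""
    4: Key           HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
   44: File  (RW-)   C:\Windows\System32
   7C: File  (---)   \Device\CNG
  2F0: File  (---)   \Device\KsecDD
  314: File  (R-D)   C:\Windows\System32\en-US\
  3B4: File  (R-D)   C:\Windows\System32\en-US\propsys.dll.mui
  3E0: File  (---)   \Device\DeviceApi
  464: Key           HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
  4EC: File  (RW-)   C:\Windows\WinSxS\
  628: File  (R-D)   C:\Windows\System32\en-US\KernelBase.dll.mui
  150: Thread
  154: ALPC Port
"""

# Layout inferred from the listings in this thread (an assumption, not a
# documented format): hex handle value, a type of one or two words, an optional
# three-character flag field shown for File handles, an optional object name.
LINE_RE = re.compile(
    r"^\s*([0-9A-Fa-f]+):\s+"        # handle value in hex
    r"([A-Za-z]+(?: [A-Za-z]+)?)"    # type, e.g. "File", "Key", "ALPC Port"
    r"(?:\s+\(([RWD-]{3})\))?"       # flags such as (RW-), File handles only
    r"(?:\s+(.*))?$"                 # object name, absent for many types
)


class Handle(NamedTuple):
    value: int
    type: str
    flags: Optional[str]
    name: str


def parse_line(line: str) -> Optional[Handle]:
    """Parse one listing line; banner, prompt and blank lines return None."""
    m = LINE_RE.match(line.rstrip())
    if m is None:
        return None
    value, type_, flags, name = m.groups()
    return Handle(int(value, 16), type_, flags, name or "")


def parse_listing(text: str) -> List[Handle]:
    """Parse a whole listing, skipping lines that are not handle entries."""
    return [h for h in map(parse_line, text.splitlines()) if h is not None]


def by_type(handles: List[Handle], type_name: str) -> List[Handle]:
    """Select handles by the Type column rather than by text anywhere on the line."""
    wanted = type_name.casefold()
    return [h for h in handles if h.type.casefold() == wanted]


def substring_hits(text: str, fragment: str) -> List[str]:
    """Model a case-insensitive substring filter over raw lines (findstr /i)."""
    needle = fragment.casefold()
    return [ln for ln in text.splitlines() if needle in ln.casefold()]


def false_matches(text: str, fragment: str, type_name: str) -> List[Handle]:
    """Entries the substring filter returns that are not of the wanted type."""
    hits = parse_listing("\n".join(substring_hits(text, fragment)))
    wanted = type_name.casefold()
    return [h for h in hits if h.type.casefold() != wanted]


if __name__ == "__main__":
    handles = parse_listing(SAMPLE)
    print("substring 'file' hits:", len(substring_hits(SAMPLE, "file")))
    print("Type == File         :", len(by_type(handles, "File")))
    for h in false_matches(SAMPLE, "file", "File"):
        print(f"  not a File handle: {h.value:X} {h.type} {h.name}")
```
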
  • Good idea, might indeed get you some clues.

    Here's what I did with HANDLE.EXE:

    PS C:/WINDOWS/system32> pslist | select-string runtimebroker
    RuntimeBroker      5936   8  31  708  12268     0:01:31.781    56:35:49.953
    RuntimeBroker      6224   8  28  579   9756     0:00:14.203    56:35:49.829
    RuntimeBroker      7720   8  20  779  26056     0:00:18.187    56:35:47.924
    RuntimeBroker     13768   8  19  686  12180     0:03:16.437    56:35:38.190
    RuntimeBroker     14220   8   3  182   6140     0:00:00.593    56:35:37.738
    RuntimeBroker     12316   8   3  210   3144     0:00:00.312    56:35:34.242
    RuntimeBroker     18244   8   3  167   2628     0:00:00.125    56:35:26.626
    RuntimeBroker      6320   8  19  704 282900     0:10:48.640    47:41:32.538
    RuntimeBroker     10780   8   2  306   8428     0:00:01.203    47:39:58.666
    RuntimeBroker      5156   8   4  309   4620     0:00:00.593    47:37:25.558
    RuntimeBroker     15204   8  11  407   8732     0:00:02.140     7:26:28.396
    PS C:/WINDOWS/system32> handle RuntimeBroker
    Nthandle v4.11 - Handle viewer
    Copyright (C) 1997-2017 Mark Russinovich
    Sysinternals -
    No matching handles found.
    PS C:/WINDOWS/system32> handle -p 6224
    Nthandle v4.11 - Handle viewer
    Copyright (C) 1997-2017 Mark Russinovich
    Sysinternals -
       44: File  (RW-)   C:\Windows\System32
      164: Section       \BaseNamedObjects\__ComCatalogCache__
      1D0: Section       \BaseNamedObjects\__ComCatalogCache__
      1D4: File  (R--)   C:\Windows\Registration\R000000000015.clb
      3E8: Section       \Windows\Theme3208416215
      3EC: File  (R-D)   C:\Windows\System32\en-US\shell32.dll.mui
      43C: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
      548: Section       \BaseNamedObjects\windows_shell_global_counters
      5D8: Section       \Sessions\1\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*
      5DC: Section       \Sessions\1\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*
      5E0: Section       \Sessions\1\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000003e.db
      5F4: Section       \Sessions\1\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
      610: File  (R-D)   C:\Windows\System32\en-US\propsys.dll.mui
      65C: File  (R-D)   C:\Windows\System32\en-US\
      6A4: File  (RW-)   C:\Windows\WinSxS\
      718: File  (RW-)   C:\Windows\WinSxS\
      790: Section       \Sessions\1\BaseNamedObjects\UrlZonesSM_steph
      810: Section       \Sessions\1\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*
      848: File  (R-D)   C:\Windows\System32\en-US\netmsg.dll.mui
      8AC: File  (R-D)   C:\Windows\System32\fr-FR\KernelBase.dll.mui
      8B0: Section       \Sessions\1\Windows\Theme3249597166
      8B8: Section       \Sessions\1\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*
      918: File  (R-D)   C:\Windows\System32\en-US\KernelBase.dll.mui
      9B8: File  (R-D)   C:\Windows\System32\en-US\mpr.dll.mui
      A58: Section       \Sessions\1\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{74DF5627-29FB-4302-864A-4B9E6E5BC557}.2.ver0x0000000000000001.db
    PS C:/WINDOWS/system32> handle -p 6224 -a
    Nthandle v4.11 - Handle viewer
    Copyright (C) 1997-2017 Mark Russinovich
    Sysinternals -
        4: Key           HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
        8: EtwRegistration
        C: Event
       10: WaitCompletionPacket
       14: IoCompletion
       18: TpWorkerFactory
       1C: IRTimer
       20: WaitCompletionPacket
       24: IRTimer
       28: WaitCompletionPacket
       2C: EtwRegistration
       30: EtwRegistration
       34: EtwRegistration
       38: Directory     \KnownDlls
       3C: Event
       40: Event
       44: File  (RW-)   C:\Windows\System32
       48: EtwRegistration
       4C: EtwRegistration
       50: ALPC Port
       54: IoCompletion
       58: TpWorkerFactory
       5C: IRTimer
       60: WaitCompletionPacket
       64: IRTimer
       68: WaitCompletionPacket
       6C: EtwRegistration
       70: EtwRegistration
       74: Key           HKLM\SYSTEM\ControlSet001\Control\Session Manager
       78: Key           HKLM\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions
       7C: EtwRegistration
       80: Key           HKLM
       84: File  (---)   \Device\CNG
       88: Event
       8C: WaitCompletionPacket
       90: Mutant        \Sessions\1\BaseNamedObjects\SM0:6224:304:WilStaging_02
       94: Directory     \Sessions\1\BaseNamedObjects
       98: Semaphore     \Sessions\1\BaseNamedObjects\SM0:6224:304:WilStaging_02_p0
       9C: Semaphore     \Sessions\1\BaseNamedObjects\SM0:6224:304:WilStaging_02_p0h
       A0: Key           HKLM
       A4: Key           HKLM\SOFTWARE\Microsoft\Ole
       A8: Event
       AC: Semaphore
       B0: Key           HKCU\Local Settings
       B4: EtwRegistration
       B8: EtwRegistration
       BC: EtwRegistration
       C0: EtwRegistration
       C4: Event
       C8: Event
       CC: Event
       D0: Event
       D4: Event
       D8: Event
       DC: EtwRegistration
       E0: EtwRegistration
       E4: EtwRegistration
       E8: EtwRegistration
       EC: EtwRegistration
       F0: EtwRegistration
       F4: EtwRegistration
       F8: EtwRegistration
       FC: Event
      100: Event
      104: Event
      108: Event
      10C: Event
      110: Event
      114: Event
      118: Event
      11C: EtwRegistration
      120: EtwRegistration
      124: Event
      128: IoCompletion
      12C: WindowStation \Sessions\1\Windows\WindowStations\WinSta0
      130: Desktop       \Default
      134: WindowStation \Sessions\1\Windows\WindowStations\WinSta0
      138: EtwRegistration
      13C: Event
      140: EtwRegistration
      144: EtwRegistration
      148: EtwRegistration
      14C: Event
      150: Thread
      154: ALPC Port
      15C: Key           HKCR
      160: Event
      164: Section       \BaseNamedObjects\__ComCatalogCache__
      168: Key           HKCR
      16C: EtwRegistration
      170: Event         \KernelObjects\MaximumCommitCondition
      174: Event
      178: ALPC Port     \RPC Control\OLE82211E427060DCC7C6BAD9774E36
      17C: Event
      184: EtwRegistration
      188: Event
      190: ALPC Port
      1A0: Thread
      1A4: EtwRegistration
      1A8: Event
      1B4: Key           HKLM\SOFTWARE\Microsoft\WindowsRuntime
      1B8: Key           HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId
      1BC: EtwRegistration
      1C0: Semaphore
      1C4: Semaphore
      1CC: Semaphore
      1D0: Section       \BaseNamedObjects\__ComCatalogCache__
      1D4: File  (R--)   C:\Windows\Registration\R000000000015.clb
      1D8: Section
      1DC: EtwRegistration
      1E0: EtwRegistration
      1E4: Key           HKLM\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids
      1E8: Key           HKCU
      1EC: Event
      1F8: EtwRegistration
      1FC: EtwRegistration
      200: EtwRegistration
      208: EtwRegistration
      20C: EtwRegistration
      210: EtwRegistration
      214: EtwRegistration
      218: EtwRegistration
      21C: EtwRegistration
      220: EtwRegistration
      224: EtwRegistration
      228: EtwRegistration
      22C: EtwRegistration
      230: EtwRegistration
      234: EtwRegistration
      238: EtwRegistration
      244: Event
      248: WaitCompletionPacket
      250: EtwRegistration
      254: Event
      25C: IoCompletion
      268: Event
      26C: EtwRegistration
      270: Thread
      274: ALPC Port
      278: Semaphore     \Sessions\1\BaseNamedObjects\ComTaskPool:6224
      280: EtwRegistration
      284: Semaphore
      288: EtwRegistration
      28C: Event
      298: Event
      2A0: ALPC Port
      2A4: EtwRegistration
      2A8: EtwRegistration
      2AC: EtwRegistration
      2B0: EtwRegistration
      2B4: EtwRegistration
      2B8: EtwRegistration
      2BC: EtwRegistration
      2C0: EtwRegistration
      2C4: EtwRegistration
      2C8: EtwRegistration
      2CC: EtwRegistration
      2D4: Event
      2F8: Event
      2FC: Event
      300: WaitCompletionPacket
      314: Event
      318: IoCompletion
      320: WaitCompletionPacket
      324: Event
      32C: EtwRegistration
      334: ALPC Port
      338: WaitCompletionPacket
      340: Thread
      350: EtwRegistration
      35C: Event
      388: Event
      390: Event
      394: Thread
      398: WaitCompletionPacket
      3A4: Event
      3CC: Event
      3D0: Event
      3D8: Event
      3DC: Thread
      3E0: Event
      3E8: Section       \Windows\Theme3208416215
      3EC: File  (R-D)   C:\Windows\System32\en-US\shell32.dll.mui
      3F0: Event
      3F8: EtwRegistration
      3FC: Key           HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\PropertyBag
      408: Thread
      40C: EtwRegistration
      410: Semaphore     \Sessions\1\BaseNamedObjects\SM0:6224:120:WilError_01_p0h
      418: Event
      41C: File  (---)   \Device\DfsClient
      420: TpWorkerFactory
      424: IoCompletion
      428: Mutant        \Sessions\1\BaseNamedObjects\SM0:6224:120:WilError_01
      42C: Semaphore     \Sessions\1\BaseNamedObjects\SM0:6224:120:WilError_01_p0
      434: EtwRegistration
      43C: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
      440: WaitCompletionPacket
      444: EtwRegistration
      448: EtwRegistration
      44C: Key           HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
      450: WaitCompletionPacket
      458: WaitCompletionPacket
      46C: EtwRegistration
      470: EtwRegistration
      474: WaitCompletionPacket
      478: EtwRegistration
      47C: File  (---)   \Device\HarddiskVolume3
      480: EtwRegistration
      484: EtwRegistration
      488: EtwRegistration
      4A0: Thread
      4A4: EtwRegistration
      4A8: ALPC Port     \BaseNamedObjects\[CoreUI]-PID(6224)-TID(20456) b0e25ff0-bfcc-4458-9e33-f8fe806bbc7d
      4AC: Thread
      4B4: Event
      4B8: Semaphore
      4C4: EtwRegistration
      4D0: Key           HKCU
      4D8: Thread
      4DC: WaitCompletionPacket
      4E4: File  (---)   \Device\DeviceApi
      4E8: Semaphore
      4EC: Semaphore
      4F0: EtwRegistration
      4F4: EtwRegistration
      4F8: EtwRegistration
      4FC: EtwRegistration
      500: EtwRegistration
      504: EtwRegistration
      508: EtwRegistration
      50C: EtwRegistration
      510: EtwRegistration
      514: EtwRegistration
      518: Semaphore
      51C: Thread
      520: EtwRegistration
      524: Event
      528: Event
      52C: Semaphore
      530: EtwRegistration
      534: EtwRegistration
      538: EtwRegistration
      53C: EtwRegistration
      540: EtwRegistration
      544: EtwRegistration
      548: Section       \BaseNamedObjects\windows_shell_global_counters
      54C: EtwRegistration
      550: Event
      554: Event
      558: IoCompletion
      560: Event
      56C: EtwRegistration
      570: EtwRegistration
      574: EtwRegistration
      578: Thread
      57C: Event
      580: WaitCompletionPacket
      584: EtwRegistration
      58C: EtwRegistration
      594: Semaphore
      598: EtwRegistration
      59C: Event
      5A0: EtwRegistration
      5AC: IoCompletion
      5B0: EtwRegistration
      5B4: Event
      5C8: EtwRegistration
      5CC: EtwRegistration
      5D0: EtwRegistration
      5D8: Section       \Sessions\1\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*
      5DC: Section       \Sessions\1\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*
      5E0: Section       \Sessions\1\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000003e.db
      5E4: EtwRegistration
      5E8: EtwRegistration
      5EC: EtwRegistration
      5F0: EtwRegistration
      5F4: Section       \Sessions\1\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
      5F8: EtwRegistration
      5FC: Event
      600: Thread
      60C: EtwRegistration
      610: File  (R-D)   C:\Windows\System32\en-US\propsys.dll.mui
      614: EtwRegistration
      618: EtwRegistration
      61C: Key           HKCU\Software\Microsoft\Input\EC
      620: Key           HKLM\SOFTWARE\Microsoft\WindowsRuntime\Server
      624: EtwRegistration
      630: Key           HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\PropertyBag
      634: Event
      64C: Event
      658: EtwRegistration
      65C: File  (R-D)   C:\Windows\System32\en-US\
      668: EtwRegistration
      66C: Event
      670: ALPC Port
      674: Timer
      678: EtwRegistration
      680: Key           HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\PropertyBag
      684: Key           HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\PropertyBag
      688: EtwRegistration
      68C: EtwRegistration
      690: Timer
      694: IoCompletion
      69C: EtwRegistration
      6A4: File  (RW-)   C:\Windows\WinSxS\
      6A8: Key           HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
      6AC: Key           HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\PropertyBag
      6B4: Key           HKCU\Software\Microsoft\Windows NT\CurrentVersion
      6B8: Semaphore
      6BC: Semaphore
      6CC: Key           HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
      6D0: EtwRegistration
      6D8: ALPC Port
      6DC: EtwRegistration
      6E0: EtwRegistration
      6E8: EtwRegistration
      6F4: EtwRegistration
      704: Key           HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\PropertyBag
      708: EtwRegistration
      70C: EtwRegistration
      710: EtwRegistration
      714: EtwRegistration
      718: File  (RW-)   C:\Windows\WinSxS\
      720: EtwRegistration
      724: EtwRegistration
      72C: Key           HKLM\SOFTWARE\WOW6432Node
      730: Key           HKCU\Software\Microsoft\Internet Explorer\Main
      738: Key           HKLM\SOFTWARE\Policies
      73C: Key           HKCU\Software\Policies
      740: Key           HKCU\Software
      744: Key           HKLM\SOFTWARE
      748: Key           HKLM\SOFTWARE\Microsoft\Internet Explorer\Main
      74C: EtwRegistration
      750: Key           HKCU\Software\Microsoft\Internet Explorer\Security
      754: Key           HKLM\SOFTWARE\Microsoft\Internet Explorer\Security
      758: Key           HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
      75C: Key           HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
      764: Key           HKLM\SYSTEM\ControlSet001\Control\NetworkUxManager
      768: Key           HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
      76C: Key           HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
      770: Key           HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
      778: EtwRegistration
      77C: Key           HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
      784: ALPC Port
      788: EtwRegistration
      78C: EtwRegistration
      790: Section       \Sessions\1\BaseNamedObjects\UrlZonesSM_steph
      798: Mutant        \Sessions\1\BaseNamedObjects\ZonesCacheCounterMutex
      7A0: Mutant        \Sessions\1\BaseNamedObjects\ZonesLockedCacheCounterMutex
      7A4: EtwRegistration
      7A8: Event
      7AC: Thread
      7B4: Event
      7B8: Key           HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
      7C0: Key           HKLM\SOFTWARE\Microsoft\Windows\Dwm
      7C4: EtwRegistration
      7C8: IRTimer
      7D0: ALPC Port
      7D8: EtwRegistration
      7DC: Event
      7E4: Event
      7E8: Semaphore
      7EC: Semaphore
      7F0: IRTimer
      80C: IoCompletion
      810: Section       \Sessions\1\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*
      818: Thread
      828: Event
      848: File  (R-D)   C:\Windows\System32\en-US\netmsg.dll.mui
      84C: File  (---)   \Device\Nsi
      850: Event
      854: Event
      858: Semaphore
      860: EtwRegistration
      868: EtwRegistration
      870: EtwRegistration
      874: Key           HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
      87C: Event
      880: Event
      884: IoCompletionReserve
      888: Semaphore
      88C: WaitCompletionPacket
      890: Key           HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
      898: Event
      8A4: Event
      8A8: Key           HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\ProviderOrder
      8AC: File  (R-D)   C:\Windows\System32\fr-FR\KernelBase.dll.mui
      8B0: Section       \Sessions\1\Windows\Theme3249597166
      8B8: Section       \Sessions\1\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*
      8C0: EtwRegistration
      8C4: EtwRegistration
      8CC: Event
      8D0: Thread
      8D4: Thread
      8D8: EtwRegistration
      8DC: Thread
      8E0: Event
      8E4: EtwRegistration
      8E8: EtwRegistration
      8EC: Semaphore
      900: Key           HKCU\Software\Microsoft\Windows\CurrentVersion\Holographic
      904: Event         \BaseNamedObjects\TermSrvReadyEvent
      908: ALPC Port
      90C: Event
      914: Event
      918: File  (R-D)   C:\Windows\System32\en-US\KernelBase.dll.mui
      91C: EtwRegistration
      920: EtwRegistration
      924: Thread
      928: Key           HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\PropertyBag
      930: EtwRegistration
      934: EtwRegistration
      938: Semaphore
      93C: Semaphore
      940: Semaphore
      944: Semaphore
      948: IoCompletion
      94C: Event
      950: EtwRegistration
      954: EtwRegistration
      958: EtwRegistration
      960: Event
      964: Event
      968: EtwRegistration
      96C: Key           HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag
      974: Key           HKLM\SYSTEM\ControlSet001\Control\Terminal Server
      980: EtwRegistration
      984: UserApcReserve
      988: Event
      98C: EtwRegistration
      998: File  (---)   \Device\KsecDD
      9A0: Semaphore
      9AC: EtwRegistration
      9B0: Semaphore
      9B8: File  (R-D)   C:\Windows\System32\en-US\mpr.dll.mui
      9BC: Semaphore
      9C0: Event
      9C4: Thread
      9C8: EtwRegistration
      9CC: Key           HKCU\Software\Microsoft\Windows\CurrentVersion\Mobility
      9D4: IoCompletion
      9D8: EtwRegistration
      9E0: ALPC Port
      9E4: WaitCompletionPacket
      9E8: Key           HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager
      9F0: Event
      9F8: Event
      A00: Event
      A04: WaitCompletionPacket
      A10: Key           HKCU\Software\Microsoft\Windows\CurrentVersion\CDP
      A14: WaitCompletionPacket
      A18: IoCompletion
      A20: Event
      A24: EtwRegistration
      A2C: File  (---)   \Device\DeviceApi
      A30: Thread
      A34: WaitCompletionPacket
      A38: WaitCompletionPacket
      A3C: Thread
      A40: Event
      A44: Thread
      A48: WaitCompletionPacket
      A4C: EtwRegistration
      A50: WaitCompletionPacket
      A54: Thread
      A58: Section       \Sessions\1\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{74DF5627-29FB-4302-864A-4B9E6E5BC557}.2.ver0x0000000000000001.db
      A68: EtwRegistration
      A6C: EtwRegistration
      A70: EtwRegistration
      A7C: IoCompletion
      A80: Event
      A84: Event
      A88: Event
      A8C: Event
      A94: Event
      A98: Event
      A9C: IoCompletion
      AA0: Event
      AA4: Event
      AA8: EtwRegistration
      AB4: EtwRegistration
      AB8: Thread
      AC0: Event
      AC4: WaitCompletionPacket
      ACC: Event
      ADC: EtwRegistration
      AEC: Thread
      AF4: WaitCompletionPacket
      B00: Event
      B08: Thread
      B0C: Semaphore
      B10: Event
      B14: Key           HKCU\Software\Microsoft\Windows\CurrentVersion\Lock Screen
      B18: Event
      B1C: Event
      B24: Event
      B2C: Event         \Sessions\1\BaseNamedObjects\SubscribedContent-338388
      B38: EtwRegistration
      B3C: ALPC Port
      B48: Event
      B4C: ALPC Port
      B70: Key           HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager
      B90: IoCompletion
      B9C: WaitCompletionPacket
      BA0: Event
      BA4: Event
      BB4: Event
      BB8: Thread
      BC4: Event
      BC8: Thread
      BF0: IoCompletion
      BF4: Event
      BF8: Event
      C10: Event
      C18: IoCompletion
      C24: WaitCompletionPacket
      C34: Event
      C38: Event
      C3C: Event
      C4C: UserApcReserve
      C70: Key           HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager
      C88: Mutant
      C94: Thread
      CA0: Event
      CA4: Event
      CAC: Event
      CB4: Event
      CBC: UserApcReserve
      CC0: Thread
      CD8: Event
      CE4: Thread
      CF4: IoCompletion
      D08: WaitCompletionPacket
      D10: Event
      D14: IoCompletion
      D1C: Thread
      D20: Event
      D24: IoCompletion
      D2C: Key           HKCU\Local Settings\Software\Microsoft
      D30: Event
      D40: ALPC Port
      D48: IoCompletion
      D50: Thread
      D5C: Thread
      D64: Event
      D6C: Thread
      D84: Event
      D8C: IoCompletion
      DB4: Event
      DBC: Key           HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
      DC4: IoCompletion
      DC8: Key           HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
      DD8: Event
      DDC: ALPC Port
      DE0: Event
      DF0: Event
      DF8: EtwRegistration
      E18: Key           HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
      E24: Thread
      E2C: Event
      E34: IoCompletion
      E3C: Event
      E40: EtwRegistration
      E50: Event
      E54: Thread
      E68: Event
      E6C: Event
      E78: Event
      E84: Thread
      EB0: Event
      EB8: Event
      EC4: Event
      ECC: File  (---)   \Device\DeviceApi
      EF0: WaitCompletionPacket
      EFC: Event
      F10: Event
      F20: Thread
      F24: Event
      F34: Event
      F38: ALPC Port
      F50: Event
      F60: Thread
      F6C: Event
      F80: Thread
      F98: Event
      FA0: Event
      FA4: Key           HKCR\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1488484395-3151224171-932466930-1001\{EC01CA27-F2D9-440A-B574-BAA38A80BA03}
      FB4: Event         \Sessions\1\BaseNamedObjects\SubscribedContent-314559
      FC8: Semaphore
      FE4: Thread
      FE8: Event

    As a reference, the lower (handle / Ctrl+H) pane of Process Explorer contains:

    Name	Description	Company Name	Path	
    {6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000003e.db			C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000003e.db	
    {74DF5627-29FB-4302-864A-4B9E6E5BC557}.2.ver0x0000000000000001.db			C:\ProgramData\Microsoft\Windows\Caches\{74DF5627-29FB-4302-864A-4B9E6E5BC557}.2.ver0x0000000000000001.db	
    {AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000034.db			C:\Users\steph\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000034.db	
    {DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db			C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db	
    advapi32.dll	Advanced Windows 32 Base API	Microsoft Corporation	C:\Windows\System32\advapi32.dll	
    apphelp.dll	Application Compatibility Client Library	Microsoft Corporation	C:\Windows\System32\apphelp.dll	
    AppXDeploymentClient.dll	AppX Deployment Client DLL	Microsoft Corporation	C:\Windows\System32\AppXDeploymentClient.dll	
    bcrypt.dll	Windows Cryptographic Primitives Library	Microsoft Corporation	C:\Windows\System32\bcrypt.dll	
    bcryptprimitives.dll	Windows Cryptographic Primitives Library	Microsoft Corporation	C:\Windows\System32\bcryptprimitives.dll	
    BluetoothApis.dll	Bluetooth Usermode Api host	Microsoft Corporation	C:\Windows\System32\BluetoothApis.dll	
    cfgmgr32.dll	Configuration Manager DLL	Microsoft Corporation	C:\Windows\System32\cfgmgr32.dll	
    clbcatq.dll	COM+ Configuration Catalog	Microsoft Corporation	C:\Windows\System32\clbcatq.dll	
    cldapi.dll	Cloud API user mode API	Microsoft Corporation	C:\Windows\System32\cldapi.dll	
    combase.dll	Microsoft COM for Windows	Microsoft Corporation	C:\Windows\System32\combase.dll	
    comctl32.dll	User Experience Controls Library	Microsoft Corporation	C:\Windows\WinSxS\\comctl32.dll	
    CoreMessaging.dll	Microsoft CoreMessaging Dll	Microsoft Corporation	C:\Windows\System32\CoreMessaging.dll	
    CoreUIComponents.dll	Microsoft Core UI Components Dll	Microsoft Corporation	C:\Windows\System32\CoreUIComponents.dll	
    cryptbase.dll	Base cryptographic API DLL	Microsoft Corporation	C:\Windows\System32\cryptbase.dll	
    cscapi.dll	Offline Files Win32 API	Microsoft Corporation	C:\Windows\System32\cscapi.dll	
    cversions.2.db			C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db	
    cversions.2.db			C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db	
    cversions.2.db			C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db	
    cversions.2.db			C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db	
    davclnt.dll	Web DAV Client DLL	Microsoft Corporation	C:\Windows\System32\davclnt.dll	
    davhlpr.dll	DAV Helper DLL	Microsoft Corporation	C:\Windows\System32\davhlpr.dll	
    devobj.dll	Device Information Set DLL	Microsoft Corporation	C:\Windows\System32\devobj.dll	
    drprov.dll	Microsoft Remote Desktop Session Host Server Network Provider	Microsoft Corporation	C:\Windows\System32\drprov.dll	
    dwmapi.dll	Microsoft Desktop Window Manager API	Microsoft Corporation	C:\Windows\System32\dwmapi.dll	
    edputil.dll	EDP util	Microsoft Corporation	C:\Windows\System32\edputil.dll	
    EthernetMediaManager.dll	Windows Ethernet Media Manager DLL	Microsoft Corporation	C:\Windows\System32\EthernetMediaManager.dll	
    fltLib.dll	Filter Library	Microsoft Corporation	C:\Windows\System32\fltLib.dll	
    gdi32.dll	GDI Client DLL	Microsoft Corporation	C:\Windows\System32\gdi32.dll	
    gdi32full.dll	GDI Client DLL	Microsoft Corporation	C:\Windows\System32\gdi32full.dll	
    ieproxy.dll	IE ActiveX Interface Marshaling Library	Microsoft Corporation	C:\Windows\System32\ieproxy.dll	
    iertutil.dll	Run time utility for Internet Explorer	Microsoft Corporation	C:\Windows\System32\iertutil.dll	
    imm32.dll	Multi-User Windows IMM32 API Client DLL	Microsoft Corporation	C:\Windows\System32\imm32.dll	
    InputHost.dll			C:\Windows\System32\InputHost.dll	
    IPHLPAPI.DLL	IP Helper API	Microsoft Corporation	C:\Windows\System32\IPHLPAPI.DLL	
    kernel.appcore.dll	AppModel API Host	Microsoft Corporation	C:\Windows\System32\kernel.appcore.dll	
    kernel32.dll	Windows NT BASE API Client DLL	Microsoft Corporation	C:\Windows\System32\kernel32.dll	
    KernelBase.dll	Windows NT BASE API Client DLL	Microsoft Corporation	C:\Windows\System32\KernelBase.dll	
    KernelBase.dll.mui	Windows NT BASE API Client DLL	Microsoft Corporation	C:\Windows\System32\en-US\KernelBase.dll.mui	
    KernelBase.dll.mui	DLL du client API BASE Windows NT	Microsoft Corporation	C:\Windows\System32\fr-FR\KernelBase.dll.mui	
    linkinfo.dll	Windows Volume Tracking	Microsoft Corporation	C:\Windows\System32\linkinfo.dll	
    locale.nls			C:\Windows\System32\locale.nls	
    mpr.dll	Multiple Provider Router DLL	Microsoft Corporation	C:\Windows\System32\mpr.dll	
    mpr.dll.mui	Multiple Provider Router DLL	Microsoft Corporation	C:\Windows\System32\en-US\mpr.dll.mui	
    MrmCoreR.dll	Microsoft Windows MRM	Microsoft Corporation	C:\Windows\System32\MrmCoreR.dll	
    msctf.dll	MSCTF Server DLL	Microsoft Corporation	C:\Windows\System32\msctf.dll	
    msvcp_win.dll	Microsoft® C Runtime Library	Microsoft Corporation	C:\Windows\System32\msvcp_win.dll	
    msvcp110_win.dll	Microsoft® STL110 C++ Runtime Library	Microsoft Corporation	C:\Windows\System32\msvcp110_win.dll	
    msvcrt.dll	Windows NT CRT DLL	Microsoft Corporation	C:\Windows\System32\msvcrt.dll	
    mswsock.dll	Microsoft Windows Sockets 2.0 Service Provider	Microsoft Corporation	C:\Windows\System32\mswsock.dll	
    netmsg.dll	Net Messages DLL	Microsoft Corporation	C:\Windows\System32\netmsg.dll	
    netmsg.dll.mui	Net Messages DLL	Microsoft Corporation	C:\Windows\System32\en-US\netmsg.dll.mui	
    netprofm.dll	Network List Manager	Microsoft Corporation	C:\Windows\System32\netprofm.dll	
    netutils.dll	Net Win32 API Helpers DLL	Microsoft Corporation	C:\Windows\System32\netutils.dll	
    NetworkUXBroker.dll	NetworkUXBroker DLL	Microsoft Corporation	C:\Windows\System32\NetworkUXBroker.dll	
    npmproxy.dll	Network List Manager Proxy	Microsoft Corporation	C:\Windows\System32\npmproxy.dll	
    nsi.dll	NSI User-mode interface DLL	Microsoft Corporation	C:\Windows\System32\nsi.dll	
    ntdll.dll	NT Layer DLL	Microsoft Corporation	C:\Windows\System32\ntdll.dll	
    ntlanman.dll	Microsoft® Lan Manager	Microsoft Corporation	C:\Windows\System32\ntlanman.dll	
    ntmarta.dll	Windows NT MARTA provider	Microsoft Corporation	C:\Windows\System32\ntmarta.dll	
    ntshrui.dll	Shell extensions for sharing	Microsoft Corporation	C:\Windows\System32\ntshrui.dll	
    ole32.dll	Microsoft OLE for Windows	Microsoft Corporation	C:\Windows\System32\ole32.dll	
    oleaut32.dll	OLEAUT32.DLL	Microsoft Corporation	C:\Windows\System32\oleaut32.dll	
    OneCoreUAPCommonProxyStub.dll	OneCoreUAP Common Proxy Stub	Microsoft Corporation	C:\Windows\System32\OneCoreUAPCommonProxyStub.dll	
    policymanager.dll	Policy Manager DLL	Microsoft Corporation	C:\Windows\System32\policymanager.dll	
    powrprof.dll	Power Profile Helper DLL	Microsoft Corporation	C:\Windows\System32\powrprof.dll	
    profapi.dll	User Profile Basic API	Microsoft Corporation	C:\Windows\System32\profapi.dll	
    propsys.dll	Microsoft Property System	Microsoft Corporation	C:\Windows\System32\propsys.dll	
    propsys.dll.mui	Microsoft Property System	Microsoft Corporation	C:\Windows\System32\en-US\propsys.dll.mui	
    R000000000015.clb			C:\Windows\Registration\R000000000015.clb	
    regapi.dll	Registry Configuration APIs	Microsoft Corporation	C:\Windows\System32\regapi.dll	
    rmclient.dll	Resource Manager Client	Microsoft Corporation	C:\Windows\System32\rmclient.dll	
    rpcrt4.dll	Remote Procedure Call Runtime	Microsoft Corporation	C:\Windows\System32\rpcrt4.dll	
    RuntimeBroker.exe	Runtime Broker	Microsoft Corporation	C:\Windows\System32\RuntimeBroker.exe	
    sechost.dll	Host for SCM/SDDL/LSA Lookup APIs	Microsoft Corporation	C:\Windows\System32\sechost.dll	
    SettingsEnvironment.Desktop.dll	System Settings Environment for Desktop	Microsoft Corporation	C:\Windows\System32\SettingsEnvironment.Desktop.dll	
    SHCore.dll	SHCORE	Microsoft Corporation	C:\Windows\System32\SHCore.dll	
    shell32.dll	Windows Shell Common Dll	Microsoft Corporation	C:\Windows\System32\shell32.dll	
    shell32.dll.mui	Windows Shell Common Dll	Microsoft Corporation	C:\Windows\System32\en-US\shell32.dll.mui	
    ShellCommonCommonProxyStub.dll	ShellCommon Common Proxy Stub	Microsoft Corporation	C:\Windows\System32\ShellCommonCommonProxyStub.dll	
    shlwapi.dll	Shell Light-weight Utility Library	Microsoft Corporation	C:\Windows\System32\shlwapi.dll	
    slc.dll	Software Licensing Client Dll	Microsoft Corporation	C:\Windows\System32\slc.dll	
    SortDefault.nls			C:\Windows\Globalization\Sorting\SortDefault.nls	
    sppc.dll	Software Licensing Client Dll	Microsoft Corporation	C:\Windows\System32\sppc.dll	
    srvcli.dll	Server Service Client DLL	Microsoft Corporation	C:\Windows\System32\srvcli.dll	
    sspicli.dll	Security Support Provider Interface	Microsoft Corporation	C:\Windows\System32\sspicli.dll	
    StateRepository.Core.dll	StateRepository Core	Microsoft Corporation	C:\Windows\System32\StateRepository.Core.dll	
    StructuredQuery.dll	Structured Query	Microsoft Corporation	C:\Windows\System32\StructuredQuery.dll	
    SystemSettings.DataModel.dll	SystemSettings.Datamodel private API	Microsoft Corporation	C:\Windows\System32\SystemSettings.DataModel.dll	
    TetheringStation.dll	Microsoft Windows Tethering Station DLL	Microsoft Corporation	C:\Windows\System32\TetheringStation.dll	
    twinapi.appcore.dll	twinapi.appcore	Microsoft Corporation	C:\Windows\System32\twinapi.appcore.dll	
    ucrtbase.dll	Microsoft® C Runtime Library	Microsoft Corporation	C:\Windows\System32\ucrtbase.dll	
    urlmon.dll	OLE32 Extensions for Win32	Microsoft Corporation	C:\Windows\System32\urlmon.dll	
    user32.dll	Multi-User Windows USER API Client DLL	Microsoft Corporation	C:\Windows\System32\user32.dll	
    userenv.dll	Userenv	Microsoft Corporation	C:\Windows\System32\userenv.dll	
    usermgrcli.dll	UserMgr API DLL	Microsoft Corporation	C:\Windows\System32\usermgrcli.dll	
    uxtheme.dll	Microsoft UxTheme Library	Microsoft Corporation	C:\Windows\System32\uxtheme.dll	
    win32u.dll	Win32u	Microsoft Corporation	C:\Windows\System32\win32u.dll	
    Windows.ApplicationModel.dll	Windows ApplicationModel API Server	Microsoft Corporation	C:\Windows\System32\Windows.ApplicationModel.dll	
    Windows.Internal.Shell.Broker.dll	Windows Shell Broker	Microsoft Corporation	C:\Windows\System32\Windows.Internal.Shell.Broker.dll	
    Windows.Services.TargetedContent.dll	Windows.Services.TargetedContent	Microsoft Corporation	C:\Windows\System32\Windows.Services.TargetedContent.dll	
    	Microsoft WinRT Storage API	Microsoft Corporation	C:\Windows\System32\	
    	Microsoft WinRT Storage API	Microsoft Corporation	C:\Windows\System32\en-US\	
    Windows.Storage.Search.dll	Windows.Storage.Search	Microsoft Corporation	C:\Windows\System32\Windows.Storage.Search.dll	
    WindowsCodecs.dll	Microsoft Windows Codecs Library	Microsoft Corporation	C:\Windows\System32\WindowsCodecs.dll	
    winhttp.dll	Windows HTTP Services	Microsoft Corporation	C:\Windows\System32\winhttp.dll	
    wininet.dll	Internet Extensions for Win32	Microsoft Corporation	C:\Windows\System32\wininet.dll	
    winsta.dll	Winstation Library	Microsoft Corporation	C:\Windows\System32\winsta.dll	
    WinTypes.dll	Windows Base Types DLL	Microsoft Corporation	C:\Windows\System32\WinTypes.dll	
    wkscli.dll	Workstation Service Client DLL	Microsoft Corporation	C:\Windows\System32\wkscli.dll	
    wlanapi.dll	Windows WLAN AutoConfig Client Side API DLL	Microsoft Corporation	C:\Windows\System32\wlanapi.dll	
    WlanMediaManager.dll	Windows WLAN Media Manager DLL	Microsoft Corporation	C:\Windows\System32\WlanMediaManager.dll	
    ws2_32.dll	Windows Socket 2.0 32-Bit DLL	Microsoft Corporation	C:\Windows\System32\ws2_32.dll	
    wshbth.dll	Windows Sockets Helper DLL	Microsoft Corporation	C:\Windows\System32\wshbth.dll	
    wtsapi32.dll	Windows Remote Desktop Session Host Server SDK APIs	Microsoft Corporation	C:\Windows\System32\wtsapi32.dll	


    Friday, September 7, 2018 4:52 AM
  • Feels like we're comparing apples and oranges here....

    The Lower Pane view is controlled via the following menu option

    When this is set to Handles, the output is (or in my testing certainly appears to be) identical to the output from handles.exe.

    When this is set to DLLs we see the list of DLLs that you described above which is something else - this is maintained by the LDR_DATA_TABLE in the PEB and not the process's handle table.

    Suggest if you want to view the list of DLLs loaded by a process then the LISTDLLs tool might be a better fit? You may find that these don't correlate exactly with Process Explorer, but this is a known issue (in fact the very issue that I am looking at, as mentioned at the start of this thread).


    • Edited by markc(msft) Friday, September 7, 2018 5:40 PM
    Friday, September 7, 2018 5:35 PM
  • Sorry if I brought any confusion to this discussion, but I think I'm not comparing apples to oranges.

    I do know that the Handle view of Process Explorer is about handles, and should be in line with HANDLE.EXE's output.

    And my example tries to show it's not the case.

    "HANDLE Runtimebroker" is supposed (AFAIK) to display the handles for a process with that name. Instead, it says "no handles found."

    OTOH, Process Explorer's lower pane in "handle" mode does display the handles for these processes (one process at a time, that is).

    But my repro scenario was somewhat warped 'cos I chose a process with multiple instances.

    So I've done the experiment again with one instance of NOTEPAD.EXE running.

    Process Explorer's lower pane shows the following:

    Type	Name	
    ALPC Port	\RPC Control\OLE6725263A5686B607860CA7FFDE37	
    ALPC Port	\BaseNamedObjects\[CoreUI]-PID(17564)-TID(21820) aa6e905a-4831-44e1-b651-4db820802d32	
    Desktop	\Default	
    Directory	\KnownDlls	
    Directory	\Sessions\2\BaseNamedObjects	
    Event	\KernelObjects\MaximumCommitCondition	
    File	C:\Users\steph	
    File	C:\Windows\System32\en-US\notepad.exe.mui	
    File	C:\Windows\WinSxS\	
    File	\Device\CNG	
    File	\Device\DeviceApi	
    File	\Device\KsecDD	
    File	C:\Windows\Fonts\StaticCache.dat	
    File	C:\Windows\Registration\R000000000015.clb	
    File	C:\Windows\WinSxS\	
    Key	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	
    Key	HKLM\SYSTEM\ControlSet001\Control\Session Manager	
    Key	HKLM\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions	
    Key	HKLM	
    Key	HKLM	
    Key	HKLM\SOFTWARE\Microsoft\Ole	
    Key	HKCU\Software\Classes\Local Settings\Software\Microsoft	
    Key	HKCU\Software\Classes\Local Settings	
    Key	HKCU\Software\Classes	
    Key	HKLM\SOFTWARE\Microsoft\WindowsRuntime	
    Key	HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId	
    Key	HKCU\Software\Classes	
    Key	HKCU	
    Key	HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder	
    Key	HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\ProviderOrder	
    Key	HKCU\Software\Classes	
    Key	HKLM\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids	
    Key	HKCU\Software\Classes	
    Mutant	\Sessions\2\BaseNamedObjects\SM0:17564:304:WilStaging_02	
    Mutant	\Sessions\2\BaseNamedObjects\SM0:17564:120:WilError_01	
    Section	\BaseNamedObjects\__ComCatalogCache__	
    Section	\Windows\Theme3208416215	
    Section	\Sessions\2\Windows\Theme2213531714	
    Section	\BaseNamedObjects\__ComCatalogCache__	
    Section	\Sessions\2\BaseNamedObjects\windows_shell_global_counters	
    Semaphore	\Sessions\2\BaseNamedObjects\SM0:17564:304:WilStaging_02_p0	
    Semaphore	\Sessions\2\BaseNamedObjects\SM0:17564:304:WilStaging_02_p0h	
    Semaphore	\Sessions\2\BaseNamedObjects\SM0:17564:120:WilError_01_p0	
    Semaphore	\Sessions\2\BaseNamedObjects\SM0:17564:120:WilError_01_p0h	
    Thread	notepad.exe(17564): 21820	
    Thread	notepad.exe(17564): 14420	
    Thread	notepad.exe(17564): 21820	
    Thread	notepad.exe(17564): 21820	
    Thread	notepad.exe(17564): 21820	
    WindowStation	\Sessions\2\Windows\WindowStations\WinSta0	
    WindowStation	\Sessions\2\Windows\WindowStations\WinSta0	

    Searching for "notepad" in Process Explorer yields the following, presumably because it searches only the "Name" column--so it doesn't show all handles for the NOTEPAD.EXE process:

    Process	PID	Type	Name	
    System	4	Process	notepad.exe(17564)	
    System	4	Process	notepad.exe(17564)	
    svchost.exe	1164	Process	notepad.exe(17564)	
    svchost.exe	2480	Process	notepad.exe(17564)	
    explorer.exe	6472	DLL	C:\Program Files (x86)\Notepad++\NppShell_06.dll	
    explorer.exe	6472	Thread	notepad.exe(17564): 21820	
    explorer.exe	6472	Process	notepad.exe(17564)	
    SetPoint.exe	9388	Process	notepad.exe(17564)	
    notepad.exe	17564	DLL	C:\Windows\System32\en-US\notepad.exe.mui	
    notepad.exe	17564	DLL	C:\Windows\System32\notepad.exe	
    notepad.exe	17564	File	C:\Windows\System32\en-US\notepad.exe.mui	
    notepad.exe	17564	Thread	notepad.exe(17564): 21820	
    notepad.exe	17564	Thread	notepad.exe(17564): 14420	
    notepad.exe	17564	Thread	notepad.exe(17564): 21820	
    notepad.exe	17564	Thread	notepad.exe(17564): 21820	
    notepad.exe	17564	Thread	notepad.exe(17564): 21820	
    AppMonitorPlugIn.exe	19176	Process	notepad.exe(17564)	
    csrss.exe	22560	Process	notepad.exe(17564)	
    csrss.exe	22560	Thread	notepad.exe(17564): 21820	

    Here's what I get from "HANDLE notepad" or "HANDLE -a notepad":

    PS C:/WINDOWS/system32> handle notepad
    Nthandle v4.11 - Handle viewer
    Copyright (C) 1997-2017 Mark Russinovich
    Sysinternals -
    notepad.exe        pid: 17564  type: File            4C: C:\Windows\System32\en-US\notepad.exe.mui
    PS C:/WINDOWS/system32> handle -a notepad
    Nthandle v4.11 - Handle viewer
    Copyright (C) 1997-2017 Mark Russinovich
    Sysinternals -
    notepad.exe        pid: 17564  type: File            4C: C:\Windows\System32\en-US\notepad.exe.mui

    Not empty, but rather terse, and not in line with Process Explorer's lower pane!

    If I specify a PID, I get the expected output, especially with the "-a" option:

    PS C:/WINDOWS/system32> handle -p 17564
    Nthandle v4.11 - Handle viewer
    Copyright (C) 1997-2017 Mark Russinovich
    Sysinternals -
       3C: File  (RW-)   C:\Users\steph
       4C: File  (R-D)   C:\Windows\System32\en-US\notepad.exe.mui
       54: File  (RW-)   C:\Windows\WinSxS\
      200: Section       \BaseNamedObjects\__ComCatalogCache__
      248: Section       \Windows\Theme3208416215
      24C: Section       \Sessions\2\Windows\Theme2213531714
      258: File  (R-D)   C:\Windows\Fonts\StaticCache.dat
      2F8: Section       \BaseNamedObjects\__ComCatalogCache__
      2FC: File  (R--)   C:\Windows\Registration\R000000000015.clb
      310: Section       \Sessions\2\BaseNamedObjects\windows_shell_global_counters
      318: File  (RW-)   C:\Windows\WinSxS\
    PS C:/WINDOWS/system32> handle -a -p 17564
    Nthandle v4.11 - Handle viewer
    Copyright (C) 1997-2017 Mark Russinovich
    Sysinternals -
        4: Event
        8: WaitCompletionPacket
        C: IoCompletion
       10: TpWorkerFactory
       14: IRTimer
       18: WaitCompletionPacket
       1C: IRTimer
       20: WaitCompletionPacket
       24: EtwRegistration
       28: EtwRegistration
       2C: EtwRegistration
       30: Directory     \KnownDlls
       34: Event
       38: Event
       3C: File  (RW-)   C:\Users\steph
       40: EtwRegistration
       44: EtwRegistration
       48: ALPC Port
       4C: File  (R-D)   C:\Windows\System32\en-US\notepad.exe.mui
       50: EtwRegistration
       54: File  (RW-)   C:\Windows\WinSxS\
       58: EtwRegistration
       5C: Key           HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
       60: Key           HKLM\SYSTEM\ControlSet001\Control\Session Manager
       64: Key           HKLM\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions
       68: Event
       6C: IoCompletion
       70: WindowStation \Sessions\2\Windows\WindowStations\WinSta0
       74: Desktop       \Default
       78: WindowStation \Sessions\2\Windows\WindowStations\WinSta0
       7C: EtwRegistration
       80: Key           HKLM
       84: File  (---)   \Device\CNG
       88: Event
       8C: WaitCompletionPacket
       90: Mutant        \Sessions\2\BaseNamedObjects\SM0:17564:304:WilStaging_02
       94: Directory     \Sessions\2\BaseNamedObjects
       98: Semaphore     \Sessions\2\BaseNamedObjects\SM0:17564:304:WilStaging_02_p0
       9C: Semaphore     \Sessions\2\BaseNamedObjects\SM0:17564:304:WilStaging_02_p0h
       A0: Key           HKLM
       A4: Key           HKLM\SOFTWARE\Microsoft\Ole
       A8: Event
       AC: Key           HKCU\Local Settings\Software\Microsoft
       B0: Key           HKCU\Local Settings
       B4: Event
       B8: EtwRegistration
       BC: EtwRegistration
       C0: EtwRegistration
       C4: Event
       C8: Event
       CC: Event
       D0: Event
       D4: Event
       D8: Event
       DC: EtwRegistration
       E0: EtwRegistration
       E4: EtwRegistration
       E8: EtwRegistration
       EC: EtwRegistration
       F0: EtwRegistration
       F4: EtwRegistration
       F8: EtwRegistration
       FC: EtwRegistration
      100: EtwRegistration
      104: EtwRegistration
      108: EtwRegistration
      10C: EtwRegistration
      110: EtwRegistration
      114: EtwRegistration
      118: EtwRegistration
      11C: File  (---)   \Device\DeviceApi
      120: EtwRegistration
      124: EtwRegistration
      128: EtwRegistration
      12C: EtwRegistration
      130: EtwRegistration
      134: EtwRegistration
      138: EtwRegistration
      13C: EtwRegistration
      140: EtwRegistration
      144: EtwRegistration
      148: EtwRegistration
      14C: EtwRegistration
      150: EtwRegistration
      154: Semaphore
      158: Semaphore
      15C: EtwRegistration
      160: EtwRegistration
      164: EtwRegistration
      168: EtwRegistration
      16C: EtwRegistration
      170: EtwRegistration
      174: EtwRegistration
      178: EtwRegistration
      17C: EtwRegistration
      180: EtwRegistration
      184: EtwRegistration
      188: EtwRegistration
      18C: EtwRegistration
      190: EtwRegistration
      194: EtwRegistration
      198: EtwRegistration
      19C: EtwRegistration
      1A0: EtwRegistration
      1A4: EtwRegistration
      1A8: EtwRegistration
      1AC: Semaphore
      1B0: Semaphore
      1B4: Event
      1B8: File  (---)   \Device\KsecDD
      1BC: EtwRegistration
      1C0: EtwRegistration
      1C4: EtwRegistration
      1C8: EtwRegistration
      1CC: EtwRegistration
      1D0: EtwRegistration
      1D4: EtwRegistration
      1D8: EtwRegistration
      1DC: EtwRegistration
      1E0: Event
      1E4: Event
      1E8: EtwRegistration
      1EC: ALPC Port
      1F0: Event
      1F4: Event
      1F8: Event
      1FC: Event
      200: Section       \BaseNamedObjects\__ComCatalogCache__
      204: Key           HKCU
      208: EtwRegistration
      20C: Event         \KernelObjects\MaximumCommitCondition
      210: Key           HKLM\SOFTWARE\Microsoft\WindowsRuntime
      214: Key           HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId
      218: Event
      21C: Key           HKCU
      220: EtwRegistration
      224: EtwRegistration
      228: Semaphore     \Sessions\2\BaseNamedObjects\SM0:17564:120:WilError_01_p0
      22C: Mutant        \Sessions\2\BaseNamedObjects\SM0:17564:120:WilError_01
      230: Semaphore     \Sessions\2\BaseNamedObjects\SM0:17564:120:WilError_01_p0h
      234: Key           HKCU
      238: EtwRegistration
      23C: Event
      240: EtwRegistration
      244: EtwRegistration
      248: Section       \Windows\Theme3208416215
      24C: Section       \Sessions\2\Windows\Theme2213531714
      250: EtwRegistration
      254: EtwRegistration
      258: File  (R-D)   C:\Windows\Fonts\StaticCache.dat
      25C: Section
      260: Event
      264: Event
      268: Key           HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
      26C: Key           HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\ProviderOrder
      270: Semaphore
      274: Semaphore
      278: EtwRegistration
      27C: EtwRegistration
      280: EtwRegistration
      284: EtwRegistration
      288: EtwRegistration
      28C: EtwRegistration
      290: EtwRegistration
      294: EtwRegistration
      298: EtwRegistration
      29C: EtwRegistration
      2A0: EtwRegistration
      2A4: EtwRegistration
      2A8: EtwRegistration
      2AC: EtwRegistration
      2B0: EtwRegistration
      2B4: EtwRegistration
      2B8: Event
      2BC: EtwRegistration
      2C0: EtwRegistration
      2C4: Event
      2C8: Event
      2CC: Thread
      2D0: ALPC Port
      2D4: Event
      2D8: Key           HKCU
      2E0: ALPC Port     \RPC Control\OLE6725263A5686B607860CA7FFDE37
      2E4: Event
      2E8: Thread
      2EC: ALPC Port
      2F8: Section       \BaseNamedObjects\__ComCatalogCache__
      2FC: File  (R--)   C:\Windows\Registration\R000000000015.clb
      300: Section
      304: EtwRegistration
      308: EtwRegistration
      30C: Key           HKLM\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids
      310: Section       \Sessions\2\BaseNamedObjects\windows_shell_global_counters
      314: EtwRegistration
      318: File  (RW-)   C:\Windows\WinSxS\
      31C: Key           HKCU
      320: ALPC Port
      324: Thread
      328: Semaphore
      32C: Semaphore
      330: Semaphore
      334: Semaphore
      338: Semaphore
      33C: Semaphore
      340: Semaphore
      344: Semaphore
      348: EtwRegistration
      34C: EtwRegistration
      350: EtwRegistration
      354: EtwRegistration
      358: Event
      35C: Timer
      360: Timer
      364: ALPC Port
      368: Event
      36C: WaitCompletionPacket
      370: WaitCompletionPacket
      374: WaitCompletionPacket
      378: Thread
      37C: WaitCompletionPacket
      380: IoCompletionReserve
      384: Thread
      388: ALPC Port     \BaseNamedObjects\[CoreUI]-PID(17564)-TID(21820) aa6e905a-4831-44e1-b651-4db820802d32
      38C: WaitCompletionPacket
      390: ALPC Port
      394: WaitCompletionPacket
      39C: ALPC Port

    Am I just completely misunderstanding what "HANDLE <name>" is supposed to do?

    Friday, September 7, 2018 7:20 PM
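An added example (not code from the thread or from Sysinternals): excerpts of the two captures in the post above, run through a plain substring match on the name each tool printed. It assumes a search can only match text that appears in the name column, which is a reading of the captures and not a statement about handle.exe's internals; the function names are hypothetical.

```python
import re

# Excerpt copied from the "handle -a -p 17564" capture in the post above.
HANDLE_CAPTURE = r"""
   3C: File  (RW-)   C:\Users\steph
   48: ALPC Port
   4C: File  (R-D)   C:\Windows\System32\en-US\notepad.exe.mui
   AC: Key           HKCU\Local Settings\Software\Microsoft
  2CC: Thread
  2E0: ALPC Port     \RPC Control\OLE6725263A5686B607860CA7FFDE37
  2E8: Thread
  380: IoCompletionReserve
"""

# Excerpt copied from the Process Explorer lower-pane capture (tab-separated).
PROCEXP_CAPTURE = "\n".join([
    "Type\tName\t",
    "File\tC:\\Users\\steph\t",
    "File\tC:\\Windows\\System32\\en-US\\notepad.exe.mui\t",
    "Key\tHKCU\\Software\\Classes\\Local Settings\\Software\\Microsoft\t",
    "ALPC Port\t\\RPC Control\\OLE6725263A5686B607860CA7FFDE37\t",
    "Thread\tnotepad.exe(17564): 21820\t",
    "Thread\tnotepad.exe(17564): 14420\t",
])

# "  4C: File  (R-D)   <name>"; access flags and name are both optional.
HANDLE_LINE = re.compile(
    r"^\s*(?P<handle>[0-9A-Fa-f]+):\s+"
    r"(?P<type>[A-Za-z]+(?: Port)?)"      # "ALPC Port" is the only two-word type shown
    r"(?:\s+\((?P<access>[RWD-]{3})\))?"
    r"(?:\s+(?P<name>\S.*?))?\s*$"
)

def parse_handle_output(text):
    """Parse per-process handle.exe rows; banner and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = HANDLE_LINE.match(line)
        if m:
            rows.append({"handle": int(m["handle"], 16), "type": m["type"],
                         "access": m["access"], "name": m["name"] or ""})
    return rows

def parse_procexp_pane(text):
    """Parse the Type<TAB>Name rows of a lower-pane text capture."""
    rows = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("\t")]
        if len(cols) >= 2 and cols[0] != "Type":
            rows.append({"type": cols[0], "name": cols[1]})
    return rows

def name_search(rows, term):
    """Case-insensitive substring match on the printed name only."""
    term = term.lower()
    return [r for r in rows if term in r["name"].lower()]

def unmatched(procexp_rows, handle_rows, term):
    """Process Explorer hits for term that no handle.exe row reproduces by (type, name)."""
    printed = {(r["type"], r["name"].lower()) for r in handle_rows}
    return [r for r in name_search(procexp_rows, term)
            if (r["type"], r["name"].lower()) not in printed]

if __name__ == "__main__":
    h = parse_handle_output(HANDLE_CAPTURE)
    p = parse_procexp_pane(PROCEXP_CAPTURE)
    print("handle.exe rows matching 'notepad':", name_search(h, "notepad"))
    print("Process Explorer-only hits:", unmatched(p, h, "notepad"))
```

On these excerpts the only handle.exe row containing "notepad" is 4C, because the Thread rows are printed without a name, while Process Explorer labels the same threads "notepad.exe(17564): ...".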
  • Ah ok I see. I was confused because in your previous screenshot you had included the DLL view rather than the handle view. Will raise a bug to deal with the handle search issue. Thanks for raising it. 

    Monday, September 10, 2018 5:54 PM
  • Oops... Sorry for the confusion

    (was searching for an actual screenshot, and it wasn't a screenshot, but a text capture of the lower panel made with SysExporter)

    Glad this helps; tell me if you want me to give any test version a shot.

    Monday, September 10, 2018 7:13 PM
  • Any news about a bugfix?

    Thursday, February 21, 2019 10:05 AM
  • When will this bug be fixed?

    I encountered this bug today. I installed Listary (a tool that can be used to search files on disks), then uninstalled it. But ListaryHook.dll and ListaryHook64.dll cannot be deleted. Handle.exe and Handle64.exe reported "No matching handles found." But Process Explorer and ListDlls.exe can report it is opened by jusched.exe.

    Version of Handle.exe is v4.22 released on June 14, 2019.

    Monday, August 3, 2020 2:39 AM