KernelMode.info

Close file handle in a general process is easy, use KeStackAttachProcess and ZwClose is feasible.
But how to close handle in SYSTEM process(PID=4)? Method on above is not useful. If direct use NtClose(in a kernel thread) is not useful, too.
Both ZwClose and NtClose return 0xC0000008(STATUS_INVALID_HANDLE).
Tested platform: WIN7 X64 and WIN8 X64.

I did not find any program able to close handles opened by SYSTEM process.

If anyone knows a method, I will be interested to hear of it too.

Buster_BSA wrote:I did not find any program able to close handles opened by SYSTEM process.

If anyone knows a method, I will be interested to hear of it too.

A software called 360SAFE can unlock/delete file opened by SYSTEM process.
But it is a Chinese software and have no English version.

myid wrote:A software called 360SAFE can unlock/delete file opened by SYSTEM process.
But it is a Chinese software and have no English version.

Good to know it´s possible. Unlocker is unable.

dont know how you tried. Process Explorer can close handle in System.

kmd wrote:dont know how you tried. Process Explorer can close handle in System.

You are wrong. ProcExp cannot close handle in SYSTEM process on WIN7 X64, too.
If you don't believe me, I can show you the screenshot.

lmao

want me to show you my screenshot?

kmd wrote:lmao

want me to show you my screenshot?

I just want to solve this problem but not quarrel with somebody.

In my experience is not possible to close handles opened by SYSTEM process.

Sometimes Sandboxie´s RegHive can not be deleted. When you check who has the handle opened is SYSTEM (PID 4), and none program, Unlocker and Process Explorer included, can close the handle. The only way is rebooting.

I have confirmed this behavior consistently.

There's a claim that handle (from sysinternals) can do it, but I haven't tested it.

http://www.xpresslearn.com/windows/wind ... ile-handle