With which tool can I investigate the File Control Block of a loaded application?

Karl Kunze 1 Reputation point
2021-03-12T19:40:10.78+00:00

Hi, I am investigating a situation on a terminal server where we have stability issues with some applications. Our actual suspects are orphaned FCBs. I would like to nail it down on this, but have no actual clue which Sysinternals tool I could possibly use to look at those and check what is going on. Thanks in advance. Karl


5 answers

  1. MotoX80 32,066 Reputation points
    2021-03-15T21:20:07.187+00:00

    What do you expect to find in this FCB?

    I'll ask my favorite question: what's the real problem?

    https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/the-fcb-structure
    https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/connection-and-file-structure-management

    From reading over the link that you provided and the 2 links that I found, the Sysinternals tool that I would use is LiveKd.

    https://learn.microsoft.com/en-us/sysinternals/downloads/livekd

    That would allow you to launch a debugger (WinDbg) on a running system and let you traverse the internal control block structures of the OS. Troubleshooting at this level requires extensive experience.

    Are your Paged-pool and Non-paged-pool memory numbers excessive? Are you running out of memory?

    Technically the FCB is not owned by any specific user. It's just a shared structure that represents a file. The FCB is created when the first handle to the file is opened, and it's destroyed when the last handle to the file is closed. Therefore, it is not tied to a user.

    I would think that an analysis of file handles either with ProcExp or Handle would be your best bet. Or try RamMap and see if the File Summary tab provides any useful info.

    https://learn.microsoft.com/en-us/sysinternals/downloads/rammap

    2 people found this answer helpful.
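
As a starting point for the handle analysis suggested in the answer above, this added example (not part of the original thread, and not Sysinternals code) lists executables that were started from a network path and are in use by more than one session at the same time, so you know which file names to search for in Process Explorer or Handle. It assumes the affected applications are launched from a UNC path and that the script runs elevated on the terminal server.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
# Assumption: the affected applications are started from a UNC path
# (\\server\share\...). Processes whose path cannot be read are skipped.

$networkProcs = Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath.StartsWith('\\') }

$networkProcs |
    # The same file may be opened with different casing; compare case-insensitively.
    Group-Object -Property { $_.ExecutablePath.ToLowerInvariant() } |
    ForEach-Object {
        $sessions = @($_.Group.SessionId | Sort-Object -Unique)
        [pscustomobject]@{
            Image        = $_.Group[0].ExecutablePath
            Processes    = $_.Count
            SessionCount = $sessions.Count
            Sessions     = $sessions -join ','
            Pids         = ($_.Group.ProcessId | Sort-Object) -join ','
        }
    } |
    # Only images shared by two or more sessions are of interest here:
    # these are the files whose single, shared file object several users depend on.
    Where-Object { $_.SessionCount -gt 1 } |
    Sort-Object -Property SessionCount -Descending |
    Format-Table -AutoSize
```

Running it before and after a user logs off shows which shared images that session was using, which narrows down the files to inspect.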

  2. MotoX80 32,066 Reputation points
    2021-03-13T20:36:02.907+00:00

    If you are looking for file handles, then Process Explorer would be my first choice.

    https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer

    You can sort by the handle column or use the Find menu item to search for a file name.


  3. Ian Xue (Shanghai Wicresoft Co., Ltd.) 30,361 Reputation points Microsoft Vendor
    2021-03-15T08:38:14.243+00:00

    Hi,

    Are you trying to get the file handles opened by the application? If so, you can use Handle.

    https://learn.microsoft.com/en-us/sysinternals/downloads/handle

    Best Regards,
    Ian Xue


  4. Karl Kunze 1 Reputation point
    2021-03-15T20:25:04.533+00:00

    Hi,

    I want to look at the file control block connected to the binary application itself by the redirector.

    The problem is very likely described in https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/applications-crash-if-another-user-logs-off-session .

    From my understanding, a look at the file handles is not what I am looking for.

    But what option could it be in the Sysinternals tools?

    Regards.

    Karl


  5. Karl Kunze 1 Reputation point
    2021-03-16T19:29:23.147+00:00

    Hi,

    That is quite a lot of valuable information to dig through.

    I will test with ProcExp and RamMap as advised and give some feedback in a few days.

    Thanks so far.

    Karl
