Can Windows tell me what is using my USB drive?


QUESTION :

Being the good citizen I am, I left-click on the “Safely Remove Hardware” icon in my taskbar, and select my USB drive to dismount.

Then I get the message:

Windows can’t stop your Generic volume device because it is in use. Close
any programs or windows that might be using the device, and then try again later.

Of course, being the Operating System, it knows exactly what applications are using my device. So why won’t it tell me?

Or is there a way that I can find out?

ANSWER :

You can use Sysinternals Process Explorer to find the handle for any files that are open. Just select the Find menu and select Find Handle or DLL. In the dialog that opens enter the drive letter into the search box. The search results should show all of the files that are open from the drive and which process has them open.

Simpler Method: Windows (10 at least, AFAIK) creates an entry in the event log when you try to eject a removable drive and you cannot because a process has a lock on it. The two Event ID 225 entries will show the process ID and the name of the process responsible for the lock.

Step by step:

1) Start the event viewer

2) Open up “Windows Logs” then “System”

3) Right click on “System” and choose “Filter Current Log”

4) In the dialog that comes up, enter “225” (without quotes) where it says “All Event IDs”

5) You will then see all events related to being unable to eject because a process locked the drive.

6) Look at the timestamps on all these entries and find out which ones relate to the actual time when you tried to eject the drive.

7) Take appropriate action. Ending a task gracefully (closing the program that has the lock) is OK most of the time. Stopping the Windows Search service is also ok. Stopping an antivirus scan should be ok (if you don’t suspect you have any viruses at the time). Going into the task manager and killing the process might not be ok. How to deal with this is beyond the scope of this question.

8) (Save the view) In the Actions panel (in the right frame) you could “Save Filter to Custom View…” so you’ll find it in “Custom Views” (in the left frame, above “Windows Logs”).

[Screenshots: Event Viewer entries highlighting the Process ID and the Process Name fields]

9) If you don’t have another entry with a process name, the System process (process id 4) is holding your drive. To get around this one you will have to go to disk management and put the drive you want to eject offline. If the file is on your boot drive, you can’t put it offline. In this case, see the note below:

UPDATE 2018: I’ve seen applications such as WhatsApp Desktop keeping handles on Chrome Canary via the System Process. Since you cannot eject the boot disk (because it is in use), the solution was to use another nifty Sysinternals utility, called Handle. After you close the program which has the locked file, launch handle and run (as an example) handle64 "Chrome SxS\Application\chrome.exe" to see if the handles are still present on the file that has the PID 4 lock. Via trial and error, close each program running, until there are no more handles on the locked file.

Best method (paid)

Download and run SafelyRemove. It helps you eject the drive and if it can’t do it, it displays which processes have a lock on it:

[Screenshot: SafelyRemove listing the processes that hold a lock on the drive]

You can also use the command line to query the Windows log, with wevtutil.exe (since Windows 7), with the knowledge that Windows Kernel-PnP uses Event ID 225 to log the system’s (always having process id 4) refusal to remove or eject the device USB\VID_####&PID_####\############ (where the #’s denote hexadecimal digits).

wevtutil qe System /q:"*[System[(EventID=225)]]" /c:5 /f:text /rd:true
  • qe System : query events from System log
  • /q : query with XPath
  • EventID=225 means the system refused an ejection request
  • /c:5 : number of entries to retrieve (5 here)
  • /f:text : format (default is xml)
  • /rd:true : reverse order (newest first)

I use it in a batch script.

Here’s a quick PowerShell command to query the event log and show which application is blocking drive ejection (works for me with Windows 10, probably works with 7/8 too)

Get-EventLog -LogName System -after (Get-Date).AddHours(-1) | Where-Object {$_.EventID -eq 225} | Sort-Object TimeGenerated | Format-Table -Wrap

The output will list all instances in the past hour where the system couldn’t eject a disk drive. The Message column shows the process that blocked ejection. In my example below, task manager was actually the culprit and I was able to eject after closing task manager.

PS C:\Users\Jonathan> Get-EventLog -LogName System -after (Get-Date).AddHours(-1) | Where-Object {$_.EventID -eq 225} | Sort-Object TimeGenerated | Format-Table -Wrap

   Index Time          EntryType   Source                 InstanceID Message
   ----- ----          ---------   ------                 ---------- -------
   14692 Sep 07 10:50  Warning     Microsoft-Windows-Ke          225 The application \Device\HarddiskVolume4\Windows\System32\Taskmgr.exe with process id 11972 stopped
                                   rnel-PnP                          the removal or ejection for the device USB\VID_0781&PID_5575\200445301013C111B1A0.
   14693 Sep 07 10:50  Warning     Microsoft-Windows-Ke          225 The application \Device\HarddiskVolume4\Windows\System32\Taskmgr.exe with process id 11972 stopped
                                   rnel-PnP                          the removal or ejection for the device USB\VID_0781&PID_5575\200445301013C111B1A0.
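An added example, not taken from any of the answers above: the same Event ID 225 query done with Get-WinEvent, parsing each message into the blocking application, its PID and the device ID, checking whether that PID is still running, and flagging PID 4 as the System process (the case the Handle note covers). It assumes the message layout matches the sample output quoted in the last answer and that Get-WinEvent is available (Windows 7 and later).

```powershell
# Added example: list Kernel-PnP Event ID 225 ("removal or ejection stopped") entries
# and extract who blocked the eject. Assumption: message text has the layout
# "The application <path> with process id <pid> stopped the removal or ejection for the device <id>."
param([int]$Hours = 1)

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kernel-PnP'
    Id           = 225
    StartTime    = (Get-Date).AddHours(-$Hours)
}

# Named groups pull the NT path of the application, its PID and the PnP device instance ID.
$pattern = 'The application (?<App>.+?) with process id (?<Pid>\d+) stopped the removal or ejection for the device (?<Device>\S+?)\.?(?=\s|$)'

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No Event ID 225 entries in the last $Hours hour(s)."
    return
}

$events | Sort-Object TimeCreated | ForEach-Object {
    $m = [regex]::Match($_.Message, $pattern)
    if (-not $m.Success) { return }          # skip a message in an unexpected format

    $id = [int]$m.Groups['Pid'].Value
    if ($id -eq 4) {
        # PID 4 is System: a kernel-mode component holds the volume, so there is no user process to close.
        $alive = 'System (kernel, PID 4)'
    } else {
        # PIDs are reused, so "still alive" only means a process with that PID exists right now.
        $proc  = Get-Process -Id $id -ErrorAction SilentlyContinue
        $alive = if ($proc) { "yes ($($proc.ProcessName))" } else { 'no' }
    }

    [pscustomobject]@{
        Time       = $_.TimeCreated
        Pid        = $id
        App        = Split-Path -Leaf $m.Groups['App'].Value   # \Device\HarddiskVolume4\...\Taskmgr.exe -> Taskmgr.exe
        StillAlive = $alive
        Device     = $m.Groups['Device'].Value
    }
} | Format-Table -AutoSize
```

Save it as a .ps1 and run it right after a failed eject; the most recent rows are the ones to act on, and a row with StillAlive = no means the blocker has already exited and the eject can simply be retried.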
