Use handle to disconnect external storage safely… sometimes

The problem

Yesterday I received my shiny Samsung M3 1TB Portable Hard Drive from Amazon to solve my storage problems (I hoard MP3s). It looks like this:

Samsung M3 1TB Slimline

A static picture does little justice to the case. It’s not covered by a tacky plaid pattern; the surface is all angular. You should see how beautifully the light reflects when you wobble it about.

Today I plugged it in to my workstation to transfer a few personal downloads. When I had finished, I played the responsible user and safely disconnected the device before yanking the USB cable from the socket.

In Windows 7, you do that by context-clicking the system tray icon that looks like a USB connector and choosing ‘Eject Samsung M3 Portable’ or whatever matches the name of your device:

Eject_Samsung_M3_Portable_ContextItem

Instead of rewarding me with a signal that I could now yank my device from the socket, Windows gave an impudent error dialog that declares “This device is currently in use”:

Problem_Ejecting_USB_Mass_Storage_Device_Dialog

The dialog indirectly warns me that I could potentially trash data by ejecting the device prematurely. However, the proposed resolution to “Close any programs or windows that might be using the device, and then try again.” is vague, and that sucks.

I multitask a lot at my workstation, and have open files all over the place. I don’t feel like wading through each window to find the one that won’t let go.

A solution

Thankfully, you can make up for the dialog’s shortcomings with Mark Russinovich’s awesome Handle utility. The following steps assume you have put handle.exe in your Windows folder so that it is on the path.

Start a new PowerShell session and use handle to search for processes that have a file open anywhere on the device. For me, the root directory of my device is I:\, so the command and output look like this:

    PS Z:\> handle I:\

    Handle v3.5
    Copyright (C) 1997-2012 Mark Russinovich
    Sysinternals - www.sysinternals.com

    System             pid: 4      type: File          2990: I:\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000002
    System             pid: 4      type: File          3464: I:\$Extend\$RmMetadata\$Txf
    System             pid: 4      type: File          3DB8: I:\$Extend\$RmMetadata\$TxfLog\$TxfLog.blf
    System             pid: 4      type: File          3F9C: I:\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000001
    WINWORD.EXE        pid: 6748   type: File           100: I:\Iain Elder.docx

After the copyright notice, each line of output represents one file handle: a file on the device and the process that has it open.

The last line of output is the useful one here. It means that the file I:\Iain Elder.docx, a copy of my CV, is open in Microsoft Word, whose executable name is WINWORD.EXE.

Make sure you’re finished working with the file (I have) and then close the file. I’ve got no other documents open in Word, so I can just close Word from the task bar like this:

Close_window_ContextItem

Go back to the PowerShell session and repeat the previous command. You should see one less line of output:

    PS Z:\> handle I:\

    Handle v3.5
    Copyright (C) 1997-2012 Mark Russinovich
    Sysinternals - www.sysinternals.com

    System             pid: 4      type: File          2990: I:\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000002
    System             pid: 4      type: File          3464: I:\$Extend\$RmMetadata\$Txf
    System             pid: 4      type: File          3DB8: I:\$Extend\$RmMetadata\$TxfLog\$TxfLog.blf
    System             pid: 4      type: File          3F9C: I:\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000001

The handle output now shows that only Windows’ internal System process has opened files on the device. I’m not sure what the files in I:\$Extend\$RmMetadata are for, but they look like something important to Windows.

If your output shows more lines than this, then continue to close files until only the System process holds open files.

If you try to eject the device again, you should see a popup indicating successful removal like this:

Safe_To_Remove_Hardware_Popup

You can now safely yank the cable!
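The check, close and repeat loop above can be scripted. The following is an added example, not code from the original post: it parses handle's text output in the layout shown on this page and lists the non-System processes that still hold files. The function name ConvertFrom-HandleOutput is hypothetical, and the sample listing is constructed from the output above.

```powershell
# Added example, not from the original post. ConvertFrom-HandleOutput is a
# hypothetical helper name; the line layout is the Handle v3.5 one shown above.
function ConvertFrom-HandleOutput {
    param([Parameter(ValueFromPipeline = $true)][string[]]$Line)
    process {
        foreach ($text in $Line) {
            # image name, "pid: N", "type: T", hex handle ID, then the path
            $pattern = '^(?<Name>\S.*?)\s+pid:\s+(?<ProcId>\d+)\s+type:\s+' +
                       '(?<Type>\S+)\s+(?<Handle>[0-9A-Fa-f]+):\s+(?<Path>.+)$'
            if ($text -match $pattern) {
                New-Object PSObject -Property @{
                    Process = $Matches['Name']
                    Id      = [int]$Matches['ProcId']
                    Type    = $Matches['Type']
                    Handle  = $Matches['Handle']
                    Path    = $Matches['Path'].TrimEnd()
                }
            }
            # Banner, copyright and blank lines do not match and are skipped.
        }
    }
}

# Constructed sample: lines taken from the first listing on this page.
# Single-quoted here-string so that $Extend etc. are not expanded as variables.
$sample = @'
Handle v3.5
Copyright (C) 1997-2012 Mark Russinovich
Sysinternals - www.sysinternals.com

System             pid: 4      type: File          3464: I:\$Extend\$RmMetadata\$Txf
System             pid: 4      type: File          3DB8: I:\$Extend\$RmMetadata\$TxfLog\$TxfLog.blf
WINWORD.EXE        pid: 6748   type: File           100: I:\Iain Elder.docx
'@ -split "`r?`n"

# Live use instead of the sample: $handles = @(handle I:\ | ConvertFrom-HandleOutput)
$handles  = @($sample | ConvertFrom-HandleOutput)
# PID 4 is the System process; anything else is a program you can close yourself.
$blockers = @($handles | Where-Object { $_.Id -ne 4 })

if ($blockers.Count -eq 0) {
    'Only the System process (PID 4) holds files on the device.'
} else {
    $blockers | Group-Object Process, Id | ForEach-Object {
        '{0} (PID {1}) still has open:' -f $_.Group[0].Process, $_.Group[0].Id
        $_.Group | ForEach-Object { '    ' + $_.Path }
    }
}
```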

A problem with the solution

Sometimes, even though the System process is the only one holding open files, you will still see the error dialog when you try to eject the device.

Right now the same handle command produces similar output, but it shows that the System process now also has a handle on the root directory of the device:

    PS Z:\> handle I:\

    Handle v3.5
    Copyright (C) 1997-2012 Mark Russinovich
    Sysinternals - www.sysinternals.com

    System             pid: 4      type: File          2200: I:\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000001
    System             pid: 4      type: File          314C: I:\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000002
    System             pid: 4      type: File          3670: I:\$Extend\$RmMetadata\$Txf
    System             pid: 4      type: File          3AAC: I:\
    System             pid: 4      type: File          5C80: I:\$Extend\$RmMetadata\$TxfLog\$TxfLog.blf

The System is greedily and unjustifiably hogging my device. I want it back, even if I have to kill the System process to do that.

The System process starts before I get to control the computer, so it’s not really mine to kill. We can be kinder by using handle to break its fingers instead of killing it outright.

The handle utility lets you close a file handle by force if you give it a couple of magic numbers. In each line of output, the number after pid: is the ID of the process, and the number before the file location is the ID of the handle.

From the above output, you can close the file handle of the System process on the root directory of the device using handle like this:

    PS Z:\> handle -c 3AAC -p 4

    Handle v3.5
    Copyright (C) 1997-2012 Mark Russinovich
    Sysinternals - www.sysinternals.com

     3AAC: File  (RW-)   I:\
    Close handle 3AAC in System (PID 4)? (y/n)

Because forcing a file handle to close is a potentially dangerous operation, handle asks you to confirm the action before committing it.

I’m feeling lucky, so I press y then return. The remaining output looks like this:

Error closing handle:

T

Bugger.

After a little searching, it seems that this is a well-known problem on TechArena and Talking Technical, and it’s existed since Windows XP.

I tried the close-and-reopen-Explorer workaround on TechArena. It didn’t affect the output of handle and I still can’t eject my device.

I tried searching for services as suggested on Talking Technical, but I couldn’t find any.

I don’t have time left to try anything else. The only thing left to do for now is to shut down the computer before removing the drive.

Kinda defeats the purpose of having a removable drive, eh?


10 thoughts on “Use handle to disconnect external storage safely… sometimes”

  1. I’ve had the same problem, and I’ve recently discovered that restarting the “Server” service (which will generally require Windows to also restart the dependent “Computer Browser” service and possibly the “HomeGroup Listener” service at the same time) has allowed me to then safely remove the drive. I don’t know if this is actually safe to do or not, but it does work in a pinch.

  2. Thanks for the advice! I can’t try out your solution until I get another removable drive. The Samsung drive was stolen last month.

  3. Pingback: Mounting a Windows Server 2012 backup | Base Table

  4. Is maybe the system process related to the fact that the drive is formatted as primary active by mistake? I have just found that converting my M3 (formatted as NTFS) to logical has sorted the problem.

  5. …I had of course reformatted it myself using a third party tool and missed the setting of primary active.

  6. … non-system drive = no system processes ….maybe – that seems to have been my solution anyway

  7. I found a solution to the problem with the system process keeping files like $TxfLog open. These are something to do with Transactional NTFS, and forcing them shut is a risky idea. What worked for me was to launch an elevated command prompt, and run “fsutil volume dismount [DRIVE]”, i.e. in your case “fsutil volume dismount I:”. That got the system process to close its handles and I could then use safely remove hardware as normal to eject the drive. Hope it works for you too!

  8. I had a similar problem and it was related to a program named “Everything.exe” which is a third party freeware NTFS indexing search utility created by VoidTools. Whenever Everything.exe was running, I couldn’t safely eject any external USB drive. It always told me that the drive was in use. However when I closed Everything.exe, it released the following handles:

    \$Extend\$RmMetadata\$Txf:$I30:$INDEX_ALLOCATION
    \$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000002
    \$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000001
    \$Extend\$RmMetadata\$TxfLog\$TxfLog.blf

    I can safely remove hardware now with no problem.
