Showing posts with label directory. Show all posts

Windows file or folder in use - can't be deleted or modified

When trying to delete files or folders, clean up malware, or just modify something on your Windows system, Windows sometimes won't let you, because the file is open in another program:

Folder In Use / File In Use
The action can't be completed because the folder or a file in it is open in another program
Close the folder or file and try again

How to find the program which is using the file?

1. Download Microsoft's Sysinternals tool "Process Explorer":

2. Open procexp.exe with admin rights
3. Use the magnifying glass or press CTRL + F

4. Search for the file or folder name (a partial name will do)

5. Double-click the found process, or use the process ID (PID) to locate it in the process tree

To show the handles opened by a process, either go to View\Lower Pane View\Handles or press CTRL+D

6. You can now close the process or close the handle. However, closing the handle might crash the application or cause system instability, as Process Explorer will warn you, too.

Account Lockout Policy - A possible threat

Most companies use an account lockout policy for their directory service, such as Microsoft Active Directory, an LDAP system, eDirectory or their own in-house solution. Locking out accounts is helpful when it comes to password guessing attacks like brute force (https://attack.mitre.org/techniques/T1110/) or similar ones.

However: An attacker is able to use lockout policies, too.

The following scenario is not very old, but has already been used in the last two years:
1. Attacker gains access to the environment
2. Attacker creates their own administrative accounts
3. Attacker brute forces all other administrative accounts
👉This way, the attacker makes sure that all legitimate administrators are locked out.

This is an advanced threat and not a very common attack, yet. The solution is to make sure that not all accounts are affected by the lockout policy. Instead, a very few dedicated emergency accounts, which are normally not used and whose credentials are stored in a safe location, should be excluded from it. Those accounts (like all administrative accounts) should be monitored closely in your SIEM or logging systems.
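The monitoring the post recommends can be expressed as a small detection rule: alert when several privileged accounts are locked out within a short window (the signature of step 3 above), and separately verify that the emergency accounts never show up in lockout events at all, which would mean the exclusion from the policy is not actually in place. The following Python script is an added example and not part of the original post; the event lines are constructed in a simplified pipe-separated layout modelled on Windows Security event 4740 ("A user account was locked out"), not the native EVTX format, and the account names, thresholds and computer names are assumptions.

```python
"""Detect lockout bursts against privileged accounts and check that
break-glass accounts are never locked out (added example, constructed data)."""
from datetime import datetime, timedelta

# Constructed sample export, one event per line: time|EventID|key=value|...
# Four admin accounts get locked from the same workstation within 20 seconds,
# then an unrelated user lockout and one more admin lockout hours later.
SAMPLE_EVENTS = [
    "2024-05-02T02:14:03|4740|TargetUserName=adm.smith|CallerComputerName=WS-0413",
    "2024-05-02T02:14:09|4740|TargetUserName=adm.jones|CallerComputerName=WS-0413",
    "2024-05-02T02:14:15|4740|TargetUserName=adm.lee|CallerComputerName=WS-0413",
    "2024-05-02T02:14:21|4740|TargetUserName=adm.patel|CallerComputerName=WS-0413",
    "2024-05-02T09:30:00|4740|TargetUserName=jdoe|CallerComputerName=WS-0777",
    "2024-05-02T11:02:44|4740|TargetUserName=adm.smith|CallerComputerName=WS-0413",
]

# A constructed line that should never occur if the break-glass account is
# really excluded from the lockout policy.
MISCONFIGURED_EVENT = [
    "2024-05-02T02:14:27|4740|TargetUserName=breakglass01|CallerComputerName=WS-0413",
]

# Assumed account inventory: all privileged accounts, and the subset that is
# supposed to be exempt from lockout.
PRIVILEGED = {"adm.smith", "adm.jones", "adm.lee", "adm.patel", "breakglass01"}
BREAK_GLASS = {"breakglass01"}


def parse_event(line):
    """Parse one constructed export line; return None for anything but 4740."""
    ts, event_id, *fields = line.strip().split("|")
    if event_id != "4740":
        return None
    record = {"time": datetime.fromisoformat(ts), "event_id": int(event_id)}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def lockout_burst(lines, privileged, window=timedelta(minutes=10), threshold=3):
    """Return alerts for windows in which >= threshold distinct privileged
    accounts were locked out. Sliding window over time-sorted events."""
    events = [e for e in map(parse_event, lines)
              if e and e["TargetUserName"] in privileged]
    events.sort(key=lambda e: e["time"])
    alerts = []
    i = 0
    while i < len(events):
        j = i
        accounts = set()
        # Extend the window as long as events fall within `window` of event i.
        while j < len(events) and events[j]["time"] - events[i]["time"] <= window:
            accounts.add(events[j]["TargetUserName"])
            j += 1
        if len(accounts) >= threshold:
            alerts.append({
                "start": events[i]["time"],
                "end": events[j - 1]["time"],
                "accounts": sorted(accounts),
                "sources": sorted({e["CallerComputerName"] for e in events[i:j]}),
            })
            i = j  # do not re-alert on the same events
        else:
            i += 1
    return alerts


def break_glass_locked(lines, break_glass):
    """Names of break-glass accounts that appear in 4740 events. A non-empty
    result means the policy exclusion is missing and must be fixed."""
    seen = {e["TargetUserName"] for e in map(parse_event, lines) if e}
    return sorted(seen & break_glass)


if __name__ == "__main__":
    for alert in lockout_burst(SAMPLE_EVENTS, PRIVILEGED):
        print(f"ALERT {alert['start']} - {alert['end']}: "
              f"{len(alert['accounts'])} admin lockouts from {alert['sources']}")
    print("break-glass locked out:", break_glass_locked(SAMPLE_EVENTS, BREAK_GLASS))
    print("misconfigured case:", break_glass_locked(
        SAMPLE_EVENTS + MISCONFIGURED_EVENT, BREAK_GLASS))
```

In a real deployment the same two rules map onto SIEM queries over event 4740 (lockouts) and 4625 (failed logons); the threshold and window should be tuned to how many administrators your environment has, since a burst of three or four distinct admin lockouts from one source in a few minutes is far outside normal help-desk noise.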

Monitor UniFi WLAN Access Point with PRTG with SNMPv3 Auth+Encrypted

This is a tiny guide on how to monitor your UniFi wireless access point, in this case a UniFi U7 Pro, using SNMPv3 with AES encryption and SHA authentication...