Mark Minasi's Tech Forum
Register Calendar Latest Topics Chat
 
 
 


Reply
  Author   Comment  
jcerbus

Still Checking the Forum Out
Registered:
Posts: 6
Reply with quote  #1 
under mgmt sessions - some windows 10 clients show over 1400 open files
on mapped drive

the clients are not running backups or anything major at the time - just accessing
a few cad files

I'm guessing...
is this due to indexing and windows search (or similar) on the clients?

and if so, is this typical?

please advise

thanks,

j
0
Infradeploy

Avatar / Picture

Senior Member
Registered:
Posts: 166
Reply with quote  #2 
Those figures only make sense if you have the home drive and application data redirected to the server.
__________________
Have SpaceSuit, Will Travel

0
donoli

Senior Member
Registered:
Posts: 505
Reply with quote  #3 
Could someone from the outside be accessing files?
0
jcerbus

Still Checking the Forum Out
Registered:
Posts: 6
Reply with quote  #4 
thanks - that would make sense for sure but we are not using folder re-direction and the files in use do not seem to be application data
(we are not running the software the clients use from the server if that helps)
I know it is old school but the clients just access a shared mapped drive? maybe something is being re-directed?
0
Infradeploy

Avatar / Picture

Senior Member
Registered:
Posts: 166
Reply with quote  #5 
First have a look on what files are opened.
'net files' on the server can do that for you

If that's not conclusive then:
By default network shares can't be indexed by the client, so that could not be it. 
Maybe the files are checked by antivirus, or another 3th party tool that's being used for indexing/scanning 

__________________
Have SpaceSuit, Will Travel

0
jcerbus

Still Checking the Forum Out
Registered:
Posts: 6
Reply with quote  #6 
all remote access is turned off for all users
when lots of files are being accessed they are listed as being accessed
from authorized users on the LAN from their workstations
(have to rule out remote access to their workstations I guess)
and see what other processes could be scanning files?
it is only at various times each day and not constant
usually each user only has 20-30 files open

net files shows same info as "open files" under computer mgmt - shared folders ...
when many hundreds are open by a single user - they are standard document files and or cad files
not system or config files etc...
0
Infradeploy

Avatar / Picture

Senior Member
Registered:
Posts: 166
Reply with quote  #7 
With process explorer you could see which files are open with what process. on the client
Search for a file name in handles

__________________
Have SpaceSuit, Will Travel

0
jcerbus

Still Checking the Forum Out
Registered:
Posts: 6
Reply with quote  #8 
excellent idea - used the process explorer before but not for this latest behavior research
0
jcerbus

Still Checking the Forum Out
Registered:
Posts: 6
Reply with quote  #9 
no help yet with process explorer - it looks like many of the open files are just folders - searches for the handle names come up empty in process explorer
it looks like something is scanning folders for changes?  or (new theory) could it be defender (but we excluded the mapped drives on the settings there we thought)
real time protection on the clients - scanning the mapped share periodically?
0
jcerbus

Still Checking the Forum Out
Registered:
Posts: 6
Reply with quote  #10 
thanks everyone so far - it does appear to be the realtime scanner from defender scanning the mapped share
from the windows 10 workstations - when all the folders and or files were listed as open in computer mgmt sessions
for a given user - on that ws the app with the largest network utilization was the defender scanner

turned off with group policy (on workstations) to confirm

should know for sure soon

0
Previous Topic | Next Topic
Print
Reply

Quick Navigation:

Easily create a Forum Website with Website Toolbox.