Something you may have found while performing maintenance in Windows is that some files or folders simply cannot be opened or copied. One example is the System Volume Information folder found in the root of your hard drives, which cannot be opened. Another is the system registry files found in the System32\Config folder. Try to open or copy the SOFTWARE or SAM hive files, for example, and Windows will not allow it, popping up an error message instead.
The error “The action can’t be completed because the file is open in System. Close the file and try again.” will show, and even if you retry, the action cannot be completed. A similar error when trying to open or read a file or folder is “Location not available, access denied”. These items cannot be accessed because they are either intentionally locked to prevent access, or are open and in use by the operating system, meaning nothing else can touch them.
One way to unlock these files so you can gain access and manually copy them is to try an unlocking tool like Unlocker. However, trying to unlock important system files often doesn’t work. Other ways to get around their in use status are the Volume Shadow Service (VSS), which takes a snapshot of the required files, or low level disk access, which can help bypass certain Windows restrictions.
Here we show you 7 different tools that can get access to those locked or in use files, allowing you to copy or back them up manually.
1. Shadow Copy
Shadow Copy uses the Volume Shadow Service allowing you to copy locked and in use files from one location to another with the aid of a simple user interface. It does need installing but you can easily copy the Shadow Copy folder from Program Files and then uninstall again to run the program portably in future.
Usage is pretty easy: browse for a copy from folder (note it will copy what’s in the folder and not the folder itself), browse for a copy to folder and click the Copy button. By default all files will be copied with the all files mask (*.*), which you can change to copy files with a specific extension.
There are a few tick box options below to copy subdirectories, overwrite existing files, ignore errors and parse junction points. Running from the command line is supported but all that really does is open the user interface with predefined from and to locations set and automatically starts the copy.
2. HoboCopy
HoboCopy is a command line file copy and backup tool which uses the Volume Shadow Service and is inspired by Microsoft’s Robocopy. It has a few commands to create a full or incremental backup but these are not required for copying in use or locked files. The command and arguments for that purpose are quite simple:
HoboCopy /r C:\Windows\System32\config\ C:\Backup
This will copy the whole contents of Config to the Backup folder. Remove the /r to ignore any sub folders. To copy individual files from the Config folder, append them to the end of the line:
HoboCopy C:\Windows\System32\config\ C:\Backup SOFTWARE SYSTEM
The above will copy only the SOFTWARE and SYSTEM registry hive files to the Backup folder.
If you prefer to avoid the command line you can use a front end GUI for HoboCopy called Hobo GUI to simplify the task and copy folders to another location. Click Add to find a source folder, click and browse for a destination folder, press Find Hobo to locate the HoboCopy executable and then press the Backup button.
Weirdly, Hobo GUI is only 40K in size but requires installation, although you can easily bypass this by extracting the installer file with 7-Zip and keeping it as a portable tool.
Do note that HoboCopy requires the Visual C++ runtimes and you will need to use the appropriate 32-bit or 64-bit version. Although it still works fine, HoboCopy itself was discontinued by its author in favor of ShadowSpawn, which is below.
3. ShadowSpawn
ShadowSpawn’s author says HoboCopy’s copy process was not as good as he wanted so he took the shadowing part and released it as a standalone product so it can be used with third party copy tools. ShadowSpawn is command line only and relies on the end user having knowledge of other copy tool commands as well as its own.
It works by copying the specified folder to a temporary RAM drive using VSS, and in the same command you supply the copy command and arguments from the copy utility using the RAM drive letter as the source. Here’s an example using the FastCopy copying tool:
Shadowspawn C:\windows\system32\config y: fastcopy /open_window y:\ /to=c:\backup
That will copy the contents of the Config folder to the temporary RAM drive (y:), then ShadowSpawn invokes FastCopy which copies the contents from y: to the backup folder. Once copying is complete and the copy tool closed, ShadowSpawn will unmount the RAM drive and exit. You can actually browse and copy most shadowed files from Windows Explorer without a third party copying tool using a command like below:
ShadowSpawn C:\windows\system32\config y: cmd /k explorer.exe y:
This will open shadowed drive y: in Explorer so you can view and copy whatever files you need. When you’re finished go back to the ShadowSpawn window and press Ctrl+C to release the RAM drive and exit. There are separate 32-bit and 64-bit versions and Visual C++ runtimes are required.
4. Passmark OSForensics
OSForensics may seem a bit overkill because it’s a 50MB+ installer and a full suite of information gathering tools, but the copying of locked and in use files is completely transparent and done from a Windows Explorer style interface. This makes it very easy to use and allows you to copy whole folders full of locked files with minimal fuss.
After install choose to “Continue using the free version”, click the Create Case button and give it a name which places all operations into a profile. Then click File System Browser on the left, choose the drive you want to copy from and click OK.
The file browser will be familiar as it’s like Explorer and you simply use it to locate the in use files or folders you want to copy. Right click on the entry, select Save to disk and choose the folder you want to save to. This makes OSForensics ideal for quickly copying several different folders containing in use files. You can also multi select with Shift+click and Ctrl+click.
5. PC Hunter
If OSForensics is a bit too much for you, PC Hunter is worth a try because it provides a similar Explorer like file and folder tree view so you can easily copy in use files or a whole folder. PC Hunter is actually an advanced anti rootkit tool that operates at an extremely low level on the system, and as a result it may trigger an alert in your antivirus.
For such a powerful tool PC Hunter is remarkably simple to use. Run the portable 32-bit or 64-bit executable, click on the File tab and use the folder tree to locate the file you want to copy. Right click on the file and choose Copy to. One issue is that selecting more than one file will grey out the option, although you can still duplicate the whole folder by right clicking on it in the folder tree and using the Copy to option. For advanced users PC Hunter is also very capable at deleting hard to remove files and registry entries, although it needs to be used with care.
6. Extents
Extents is a little bit different because it doesn’t use the Volume Shadow Service but instead reads the actual raw clusters on the disk used by the file and reconstructs them into a new file. This has the side effect of bypassing locking or in use restrictions imposed by the operating system.
Only a single file can be handled at a time so it’s best used when you only want to copy one or two files at the most. Run the Extents executable and press Open to look for the in use file. The display will show the disk cluster details of the file. Click the Dump button and choose the save location and filename, making sure to use the same filename and include the extension. Note that Extents doesn’t work perfectly in 64-bit Windows; for instance, it will not detect or load open Registry hives like SAM or SOFTWARE.
7. RawCopy
While it’s not exactly the same as Extents in operation, RawCopy is quite similar in that it uses low level disk reading to copy a file from an NTFS formatted disk, whether it’s locked or not. The most obvious difference is that RawCopy is used from the command line only and has no user interface.
Usage is quite straightforward: simply supply the source path and name of a single file and a destination folder argument to the command, making sure to include quotes if spaces are involved:
rawcopy C:\WINDOWS\system32\config\SYSTEM C:\outputfolder
By default the tool will try to copy using the file’s name. If it cannot, for instance because the parent folder has locks on it, RawCopy will then try using the file index number from the Master File Table. There are 32-bit and 64-bit versions available so make sure you use the correct one.
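The raw cluster reading described for Extents and RawCopy depends on the extent list (data runs) NTFS stores for each file. The following is an added example, not code from either tool: it decodes a data-run list and reassembles the file from a constructed in-memory volume. The 4096-byte cluster size, the function names and the sample bytes are assumptions, and resident, compressed or encrypted data is not handled.

```python
# Added example: rebuild a file from raw clusters using its NTFS data-run list.
CLUSTER = 4096  # assumed cluster size of the constructed volume

def decode_runs(runlist: bytes):
    """Decode a data-run list into [(lcn, clusters)]; lcn is None for a sparse run."""
    runs, pos, lcn = [], 0, 0
    while pos < len(runlist) and runlist[pos] != 0x00:   # 0x00 ends the list
        # Low nibble: size of the length field; high nibble: size of the offset field.
        len_size, off_size = runlist[pos] & 0x0F, runlist[pos] >> 4
        pos += 1
        if not 1 <= len_size <= 8 or off_size > 8 or pos + len_size + off_size > len(runlist):
            raise ValueError("malformed or truncated run")
        count = int.from_bytes(runlist[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, count))                   # sparse: nothing on disk
            continue
        # The offset is signed and relative to the previous run's start cluster.
        lcn += int.from_bytes(runlist[pos:pos + off_size], "little", signed=True)
        pos += off_size
        if lcn < 0:
            raise ValueError("run points before start of volume")
        runs.append((lcn, count))
    return runs

def rebuild(volume: bytes, runlist: bytes, real_size: int) -> bytes:
    """Concatenate the clusters of each run, then trim slack to the real file size."""
    out = bytearray()
    for lcn, count in decode_runs(runlist):
        if lcn is None:
            out += bytes(count * CLUSTER)                # sparse runs read as zeros
            continue
        end = (lcn + count) * CLUSTER
        if end > len(volume):
            raise ValueError("run points past end of volume")
        out += volume[lcn * CLUSTER:end]
    if real_size > len(out):
        raise ValueError("real size exceeds allocated clusters")
    return bytes(out[:real_size])

def make_sample():
    """Constructed 16-cluster volume holding one fragmented file (not real disk data)."""
    vol = bytearray(16 * CLUSTER)
    vol[10 * CLUSTER:12 * CLUSTER] = b"A" * (2 * CLUSTER)  # run 1: 2 clusters at LCN 10
    vol[4 * CLUSTER:5 * CLUSTER] = b"B" * CLUSTER          # run 2: 1 cluster at LCN 4
    # 11 02 0a = 2 clusters at +10; 11 01 fa = 1 cluster at -6; 01 01 = 1 sparse; 00 = end
    return bytes(vol), bytes.fromhex("11020a1101fa010100")

if __name__ == "__main__":
    print(len(rebuild(*make_sample(), 3 * CLUSTER + 100)))
```

Because the clusters are read directly and a file that is open for writing can change underneath the read, a copy made this way may not be internally consistent, which a VSS snapshot avoids.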