{
	"id": "d418ca56-e2b9-497b-8d4e-9df5d59e455d",
	"created_at": "2026-04-06T00:08:36.524986Z",
	"updated_at": "2026-04-10T03:21:39.654418Z",
	"deleted_at": null,
	"sha1_hash": "f9d97bc7f85e10cf1d96a6e4cc18f6a5c6fc6c3e",
	"title": "Locked File Access Using ESENTUTL.exe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 204614,
	"plain_text": "Locked File Access Using ESENTUTL.exe\r\nBy Mike Cary\r\nPublished: 2018-12-06 · Archived: 2026-04-05 16:27:17 UTC\r\nI’m currently working on a solution to collect files off a live system to be used during some IR processes. I won’t go into any great detail, but I’m limited to only using built-in Windows utilities. I need access to browser history data, and while Chrome and Firefox allow copying of the history files, the WebCacheV01.dat file that IE and Edge history are stored in is a locked file and cannot be copied using native copy commands/cmdlets like Xcopy, Copy-Item, RoboCopy, etc.\r\nESE Database Files and ESENTUTL.EXE\r\nThe WebCacheV01.dat file is an ESE (Extensible Storage Engine) database file, and there is a built-in tool for performing maintenance operations on such files: esentutl.exe. I started wondering if I could use this tool to export the database or at least dump the history. Running esentutl.exe from a command prompt, we see two interesting options: /m to dump a file and /y to copy a file.\r\nhttps://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/\r\nPage 1 of 5\r\nCopying the file sounds great to me. Let’s try\r\n“esentutl.exe /y WebCacheV01.dat /d C:\\Path\\To\\Save\\WebCacheV01.dat”\r\nStrike 1. That gives us the same “file is being used” error that I received with other copy commands. OK, so taking another look at the copy options, I see the /vss and /vssrec options. A couple of important distinctions here:\r\nI am running Windows 10, build 1803. The /vss and /vssrec options are only available on Win 10 and Server 2016 or later.\r\nThe /vss and /vssrec options require you to be running as an admin.\r\nThe /vss option “copies a snapshot of the file, does not replay the logs”. 
We’ll talk a little more about the transaction logs later, but let’s go with the /vss option for now.\r\nOK, that’s much better. If I open up the WebCacheV01.dat file in ESEDatabaseView or BrowsingHistoryView, I see browsing history leading up to my testing. Initially, I thought it was grabbing a copy of the file from a previous Volume Shadow Copy (VSC), but that isn’t the case. Esentutl.exe uses the Volume Shadow Copy service to take a fresh snapshot and copies the locked file out of that snapshot. This can be done even if VSCs are disabled on the system.\r\nWhat about the /vssrec option? ESE does not write data directly to the database file. In simple terms, changes are made in memory, recorded in the transaction logs, and only later flushed into the database file. Microsoft’s documentation says: “The data can be written to the database file later; possibly immediately, potentially much later.”\r\nI did some testing with this and I’m not sure under what scenarios this doesn’t happen right away. I opened up Edge and navigated to a new page, then immediately copied the WebCacheV01.dat file while Edge was still open, and it contained this new entry.\r\nJust keep in mind that when using the /vss option only, we have the potential to miss entries that have not yet been written to the database file and exist only in the transaction logs. Using the /vssrec option replays those logs into the copy. This is the syntax used (V01 is the log base name and the next argument is the directory holding the V01*.log files; “.” means the current directory, so either run this from the WebCache folder or give that folder’s full path):\r\nesentutl.exe /y C:\\Path\\To\\WebCacheV01.dat /vssrec V01 . /d c:\\exports\\webcachev01.dat\r\nThis can be a double-edged sword though, because replaying the logs can also overwrite deleted records that have yet to be purged from the database. If this is a concern you could go with both options and just save two copies of the file. 
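The following is an added PowerShell example and not code from the original post. It wraps the esentutl.exe /y switches discussed above so that both the /vss copy and the log-replayed /vssrec copy are collected and their headers checked, repeats the same /vss copy for a non-ESE locked file (NTUSER.DAT, as in the Additional Uses section), and ends with the process-creation check that section suggests for Blue Teams, run over constructed sample records. The function names, the export directory under the system drive and the sample command lines are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example (not the author's code). Collects a locked ESE database with
# esentutl.exe /y, both without (/vss) and with (/vssrec) log replay, then
# flags esentutl /vss usage in process-creation records. Paths, function
# names and sample records are assumptions for illustration.

function Copy-LockedEseFile {
    param(
        [Parameter(Mandatory)] [string] $Path,         # locked source file
        [Parameter(Mandatory)] [string] $Destination,  # where the copy is written
        [string] $LogBaseName,                         # e.g. 'V01' replays V01*.log
        [string] $LogPath                              # directory holding those logs
    )
    $esentArgs = @('/y', $Path)
    if ($LogBaseName) {
        # /vssrec <base> <logdir>: snapshot the file AND replay its logs.
        # The post passes '.', i.e. the working directory; default to the
        # source file's own directory so the call does not depend on cwd.
        if (-not $LogPath) { $LogPath = Split-Path -Parent $Path }
        $esentArgs += @('/vssrec', $LogBaseName, $LogPath)
    } else {
        # /vss: snapshot only, transaction logs are not replayed.
        $esentArgs += '/vss'
    }
    $esentArgs += @('/d', $Destination)
    $null = & esentutl.exe @esentArgs
    if ($LASTEXITCODE -ne 0) {
        throw ('esentutl.exe exited with code {0} while copying {1}' -f $LASTEXITCODE, $Path)
    }
    Get-Item -LiteralPath $Destination
}

function Get-EseHeaderState {
    # esentutl /mh dumps the database header; the State line reads
    # 'Dirty Shutdown' while log replay is still outstanding.
    param([Parameter(Mandatory)] [string] $Path)
    $line = (& esentutl.exe /mh $Path) | Where-Object { $_.Trim() -like 'State:*' } | Select-Object -First 1
    if ($line) { ($line -split ':', 2)[1].Trim() } else { 'Unknown' }
}

# --- collection: keep both copies of WebCacheV01.dat, as the post suggests ---
$webCache = [IO.Path]::Combine($env:LOCALAPPDATA, 'Microsoft', 'Windows', 'WebCache', 'WebCacheV01.dat')
$export   = Join-Path $env:SystemDrive 'exports'   # assumed export location
New-Item -ItemType Directory -Path $export -Force | Out-Null

$snap = Copy-LockedEseFile -Path $webCache -Destination (Join-Path $export 'WebCacheV01.vss.dat')
$rec  = Copy-LockedEseFile -Path $webCache -Destination (Join-Path $export 'WebCacheV01.vssrec.dat') -LogBaseName 'V01'
foreach ($f in @($snap, $rec)) {
    '{0}: {1} bytes, header state: {2}' -f $f.Name, $f.Length, (Get-EseHeaderState $f.FullName)
}

# The /vss path also copies non-ESE locked files, e.g. the loaded user hive:
Copy-LockedEseFile -Path (Join-Path $env:USERPROFILE 'NTUSER.DAT') -Destination (Join-Path $export 'NTUSER.DAT') | Out-Null

# --- detection: esentutl /y combined with /vss or /vssrec in process creation ---
function Find-EsentutlSnapshotCopies {
    # Accepts any objects carrying a CommandLine property, e.g. parsed Sysmon
    # event ID 1 or Security 4688 records (4688 only carries the command line
    # when command-line auditing is enabled). Tokenising on spaces assumes
    # an unquoted image path; match on Image/OriginalFileName as well if the
    # binary may have been renamed.
    param([Parameter(Mandatory)] [object[]] $Events)
    foreach ($e in $Events) {
        $tokens = ([string]$e.CommandLine) -split ' +'
        if (($tokens[0] -match 'esentutl') -and ($tokens -contains '/y') -and
            (($tokens -contains '/vss') -or ($tokens -contains '/vssrec'))) {
            [pscustomobject]@{ Time = $e.Time; User = $e.User; CommandLine = $e.CommandLine }
        }
    }
}

# Constructed sample records, not real telemetry: records 1 and 3 should be flagged.
$sampleEvents = @(
    [pscustomobject]@{ Time = '2018-12-06 09:12:01'; User = 'LAB\\alice';      CommandLine = 'esentutl.exe /y C:\\Windows\\NTDS\\ntds.dit /vss /d C:\\Temp\\ntds.dit' }
    [pscustomobject]@{ Time = '2018-12-06 09:14:30'; User = 'LAB\\svc-backup'; CommandLine = 'C:\\Windows\\System32\\esentutl.exe /mh C:\\Data\\Mail.edb' }
    [pscustomobject]@{ Time = '2018-12-06 09:20:45'; User = 'LAB\\bob';        CommandLine = 'esentutl.exe /y C:\\Windows\\System32\\config\\SAM /vss /d C:\\Users\\Public\\sam.bak' }
)
Find-EsentutlSnapshotCopies -Events $sampleEvents | Format-Table -AutoSize
```

The header check is the practical difference between the two copies: the /vss copy reports Dirty Shutdown because its logs were never replayed, while the /vssrec copy should report Clean Shutdown, which is also what parsers that refuse dirty databases want. The detection function deliberately keys on the switch combination rather than on esentutl.exe alone, since /mh and other maintenance switches are routine on servers that host ESE databases.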
This article from SANS provides more details on the ins and outs of ESE databases and transaction logs:\r\nhttps://digital-forensics.sans.org/blog/2015/06/03/ese-databases-are-dirty\r\nAdditional Uses of Esentutl.exe\r\nSo we know we can use esentutl.exe to copy ESE database files, but what about other locked files? Well, it turns out you can. In this example, I grab a copy of the NTUSER.dat file for the currently logged-in account.\r\nI really like this as an option for copying system files when doing investigations or even testing. I’m sure it has value to Red Teams as well, as it allows you to grab other hives like the SAM and other ESE databases like NTDS.dit without introducing outside tools or using PowerShell. Blue Teams can detect this type of activity by auditing process creation and looking for esentutl.exe launches, particularly with the /vss or /vssrec switch; the switch is only visible if command-line logging is in place (Security event 4688 with “Include command line in process creation events” enabled, or Sysmon event ID 1).\r\nFinal Thoughts\r\nI’m still looking for a good way to get IE/Edge browser history on the versions of Windows that do not have the /vss switch, so if you’ve got any ideas there, let me know.\r\nSource: https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/"
	],
	"report_names": [
		"locked-file-access-using-esentutl-exe"
	],
	"threat_actors": [],
	"ts_created_at": 1775434116,
	"ts_updated_at": 1775791299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f9d97bc7f85e10cf1d96a6e4cc18f6a5c6fc6c3e.pdf",
		"text": "https://archive.orkl.eu/f9d97bc7f85e10cf1d96a6e4cc18f6a5c6fc6c3e.txt",
		"img": "https://archive.orkl.eu/f9d97bc7f85e10cf1d96a6e4cc18f6a5c6fc6c3e.jpg"
	}
}