Solution
Yes. This behavior is expected and is part of RabbitMQ (Erlang Runtime) design. It does not create files or make any modifications to the system.
RabbitMQ on Windows relies on handle.exe to obtain handle count information. If handle.exe is not found in the Windows PATH, RabbitMQ attempts to locate it and, as a fallback, checks whether PowerShell can be used instead.
As a result, erl.exe scans multiple directories, including:
- Windows system directories (e.g.,
C:\Windows\System32) - All directories listed in the Windows PATH
- Known search paths for PowerShell (
powershell.exe, pwsh.exe)
During this discovery process, Erlang issues CreateFile API calls to check whether these files exist and whether they are accessible.
CreateFile = existence check, not file creation
By Windows API design, CreateFile is used not only to create files but also for:
- File existence checks
- Attribute queries
- Permission validation
- Directory probing
Therefore, even if Procmon or a security tool shows a SUCCESS result, it does not mean that any file was created.
All observed events belong to this discovery process and are part of normal RabbitMQ behavior.
This behavior is known and documented by RabbitMQ
RabbitMQ’s documentation confirms:
- RabbitMQ requires handle.exe on Windows
- If not found, RabbitMQ scans directories to locate it
- This results in multiple CreateFile attempts across system and PATH directories
Because of this specification, Procmon logs may contain a high volume of CreateFile entries.
1. Add handle.exe to the Windows PATH
→ RabbitMQ stops searching for it and stops probing directories, reducing CreateFile calls.
2. Upgrade to SystemLink 2026 Q1 (RabbitMQ v3.13.7 equivalent)
→ This version includes improvements that reduce the directory scanning behavior.