Can Windows tell me what is using my USB drive?

Simpler Method: Windows (10 at least, AFAIK) creates an entry in the event log when you try to eject a removable drive and you cannot because a process has a lock on it. The two Event IDs 225 will show the process ID and the name of the process responsible for the lock.

Step by step:

1) Start the event viewer

2) Open up "Windows Logs" then "System"

3) Right click on "System" and choose "Filter Current Log"

4) In the dialog that comes up, enter "225" (without quotes) where it says "All Event IDs"

5) You will then see all events related to being unable to eject because a process locked the drive.

6) Look at the timestamps on all these entries and find out which ones relate to the actual time when you tried to eject the drive.

7) Take appropriate action. Ending a task gracefully (closing the program that has the lock) is OK most of the time. Stopping the Windows Search service is also ok. Stopping an antivirus scan should be ok (if you don't suspect you have any viruses at the time). Going into the task manager and killing the process might not be ok. How to deal with this is beyond the scope of this question.

8) (Save the view...) in Actions panel (in the right frame) you could "Save Filter to Custom View..." so you'll find it in "Custom Views" (in the left frame above the "Windows Logs")

Process ID: Event Viewer Entry

Process Name: Event Viewer Entry

8) If you don't have another entry with a process name, the System process (process id 4) is holding your drive. To get around this one you will have to go to disk management and put the drive you want to eject offline. If the file is on your boot drive, you can't put it offline. In this case, see the note below:

UPDATE 2018: I've seen applications such as WhatsApp Desktop keeping handles on Chrome Canary via the System Process. Since you cannot eject the boot disk (because it is in use), the solution was to use another nifty Sysinternals utility, called Handle. After you close the program which has the locked file, launch handle and run (as an example) handle64 "Chrome SxS\Application\chrome.exe" to see if the handles are still present on the file that has the PID 4 lock. Via trial and error, close each program running, until there are no more handles on the locked file.

Best method (paid)

Download and run SafelyRemove. It helps you eject the drive and if it can't do it, it displays which processes have a lock on it:



You can use Sysinternals Process Explorer to find the handle for any files that are open. Just select the Find menu and select Find Handle or DLL. In the dialog that opens enter the drive letter into the search box. The search results should show all of the files that are open from the drive and which process has them open.


You can also use the command line to query the Windows log with wevtutil.exe (since Windows 7), with the knowledge that the Windows Kernel-PnP uses Event ID 225 to log system (always having process id 4) refusal to remove or eject the device USB\VID_####&PID_############ (where the #'s denote hexadecimal numbers).

wevtutil qe System /q:"*[System[(EventID=225)]]" /c:5 /f:text /rd:true
  • qe System : query events from System log
  • /q : query with XPath
  • EventID=225 means the system refused an ejection request
  • /c:5 : number of entries to retrieve (5 here)
  • /f:text : format (default is xml)
  • /rd:true : reverse order (newest first)

I use it in a batch script.
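
The Event ID 225 lookup described in the answers above, done in PowerShell with a time window around the eject attempt. This is an added example, not part of any of the original answers. The 30-minute default window and the parameter name are hypothetical, and the `ProcessId` field name is an assumption about the event's data, so the script lists whatever named fields each event actually carries.

```powershell
# Added example: list recent Event ID 225 records from the System log and
# show the fields each one carries, instead of reading the message text by eye.
param(
    [int]$Minutes = 30   # hypothetical parameter: how far back to look from now
)

$filter = @{
    LogName   = 'System'
    Id        = 225
    StartTime = (Get-Date).AddMinutes(-$Minutes)
}

# Get-WinEvent raises an error when nothing matches; treat that as "no events".
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Output "No Event ID 225 entries in the last $Minutes minutes."
    return
}

foreach ($e in $events) {
    $row = [ordered]@{ TimeCreated = $e.TimeCreated }

    # Copy every named <Data> element from the event XML into the row.
    $xml = [xml]$e.ToXml()
    foreach ($d in $xml.Event.EventData.ChildNodes) {
        $name = $d.GetAttribute('Name')
        if ($name) { $row[$name] = $d.InnerText }
    }

    # Assumption: the process id is stored in a field named 'ProcessId'.
    # If it is present, check whether a process with that id exists right now.
    if ($row.Contains('ProcessId')) {
        $procId = [int]$row['ProcessId']
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $row['RunningNow']  = [bool]$proc
        # Process ids are reused, so also show the current name for comparison
        # with the name recorded in the event.
        $row['CurrentName'] = if ($proc) { $proc.ProcessName } else { $null }
    }

    [pscustomobject]$row
}
```

Pipe the output to `Format-List` to read each event's fields one per line.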