Handle leak in System process?

Charles Lavin

Hi --

I have a Windows XP Pro SP3 box that's been giving me a headache for some
time now. Every so often, programs will fail to load and Windows (or an app)
will complain about being out of memory or system resources. Or windows
won't open. Etc., etc.

I've been looking high and low for the reason for this, with little luck.
One thing I have noticed is that when the PC starts to get cantankerous, the
System process has an elevated handle count (18,500 this last time I started
having problems). When I check the System process through Process Explorer,
I see thousands of handles open to what looks like an empty key, and a
lesser but still large number of handles open to what looks like a file with
no name:

--------------------
DETAILS

Basic Information
Name:
Type: Key
Description: A Registry key

References
References: 1
Handles: 1

Quota Charges
Paged: 0
Non-Paged: 0

SECURITY

Unable to display security information.
--------------------
DETAILS

Basic Information
Name:
Type: File
Description: A disk file, communications endpoint, or driver interface.

References
References: 2
Handles: 1

Quota Charges
Paged: 0
Non-Paged: 0

SECURITY

Everyone: Delete, Synchronize, Query State, Modify State, (Special
Permissions)

Advanced:
Permissions: <empty>
Auditing: <empty>
Owner: Everyone
--------------------

The Handles list shows all of these empty Key handles with an Access code of
0x000F003F, and the empty File handles with an access code of 0x0012091F.

I have checked just about every other process listed in Process Explorer. No
other process that has handles open to Registry keys has any open to blank
or empty keys. Process Explorer shows valid key names for every other key
every other process has open. No other process that has handles open to
files has any open to files with no name.

Rebooting the PC solves the problem -- temporarily. The System process
returns to a manageable handle count. But even after rebooting, Process
Explorer shows a collection of "empty" keys and "no-name" files open to the
System process. And even with the PC just sitting there at a desktop with no
other windows open, that count steadily increases over time.

At the risk of sounding stupid: This is _not_ normal, right? How do I find
whatever is triggering this, if I don't even know what to look for? Any help
would be appreciated.

Thanks
CL
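
The two access codes quoted in the post above (0x000F003F on the Key handles, 0x0012091F on the File handles) can be broken into named rights. This is an added example, not part of the original thread; the constant values are the documented Windows SDK (winnt.h) access rights, and the function names are illustrative.

```python
# Added example: decode the handle access masks reported by Process Explorer.
# Bit values are the documented winnt.h constants; nothing here touches the system.

STANDARD = {  # rights that apply to every object type
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYSTEM_SECURITY",
    0x02000000: "MAXIMUM_ALLOWED",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}
SPECIFIC = {  # object-specific rights (low 16 bits), keyed by Process Explorer type
    "Key": {
        0x0001: "KEY_QUERY_VALUE", 0x0002: "KEY_SET_VALUE",
        0x0004: "KEY_CREATE_SUB_KEY", 0x0008: "KEY_ENUMERATE_SUB_KEYS",
        0x0010: "KEY_NOTIFY", 0x0020: "KEY_CREATE_LINK",
    },
    "File": {
        0x0001: "FILE_READ_DATA", 0x0002: "FILE_WRITE_DATA",
        0x0004: "FILE_APPEND_DATA", 0x0008: "FILE_READ_EA",
        0x0010: "FILE_WRITE_EA", 0x0020: "FILE_EXECUTE",
        0x0040: "FILE_DELETE_CHILD", 0x0080: "FILE_READ_ATTRIBUTES",
        0x0100: "FILE_WRITE_ATTRIBUTES",
    },
}
KEY_ALL_ACCESS = 0x000F003F  # STANDARD_RIGHTS_REQUIRED plus all six KEY_* bits above


def decode_mask(obj_type, mask):
    """Return (names, leftover); leftover holds bits with no name in the tables."""
    names, leftover = [], mask
    for table in (SPECIFIC.get(obj_type, {}), STANDARD):
        for bit in sorted(table):
            if mask & bit:
                names.append(table[bit])
                leftover &= ~bit
    return names, leftover


if __name__ == "__main__":
    for obj_type, mask in (("Key", 0x000F003F), ("File", 0x0012091F)):
        names, leftover = decode_mask(obj_type, mask)
        print(f"{obj_type} 0x{mask:08X}: {' | '.join(names)}")
        if leftover:
            print(f"  bits not in the {obj_type} table: 0x{leftover:X}")
```

The Key mask decodes to exactly KEY_ALL_ACCESS with nothing left over; the File mask leaves 0x800 unnamed because that bit is not among the FILE_* rights in the table.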
 
This computer is routinely swept for viruses and malware, and is also
running Symantec's Endpoint Protection suite. Malware and virus checks
always come up clean.

CL
 
It was only a suggestion based on the info you gave us. You didn't
mention malware checks or anti-virus and that is the first thing that
jumped into my mind on your report.

Q

--->
 
I know ...

As for 0-length files: I just discovered that there's no way to search for
them in Windows XP ...
 
About the only way I can think of is to open Windows Explorer and go
directory by directory and click on the top of the Size column. This
will arrange the files by size and not name. The zero-length ones will
go to the top of the list (or the bottom, depending on how many times
you click). VERY tedious operation however. I have no idea of knowing
if you know, but clicking on the top of ANY column sorts the listings in
that order.

Q

--->
 
Questor said:
About the only way I can think of is to open Windows Explorer and go
directory by directory and click on the top of the Size column. This
will arrange the files by size and not name. The zero-length ones will
go to the top of the list (or the bottom, depending on how many times
you click). VERY tedious operation however. I have no idea of knowing
if you know, but clicking on the top of ANY column sorts the listings in
that order.

You can search an entire disk specifying a maximum file size of 1 KB and
then sort the results by size. You will then have to skip over all the
folders but the 0 byte files should be next.
 
Hi --

I am aware of that, but there are hundreds of thousands of folders on the
drives on this particular PC.

Asking Search to find all files "with size less than 0 KB" results in a lot
of drive crunching but no results. Which makes me wonder what MS considers
to be "0 KB" ...

But asking Search to find all files "with size less than 1 KB" results in
the eventual crash of the task as it produces hundreds of thousands of files
smaller than 1 KB.

Methinks I'll have to rely on my old Unix bag of tricks for this one (again)
....

find / -size 0 -ls >/zerofiles.txt

Thanks
CL
 
I mentioned in a prior post that when I did that, the search app crashed
because of the massive number of small files it found.

I did what I needed with a Unix command.

Thanks
CL
 
Charles Lavin said:
As for 0-length files: I just discovered that there's no way to search
for them in Windows XP ...

Hi Charles,

Here is a simple VBScript to list Zero Byte files:

'[Begin Code:]
' Query WMI for every file whose size is 0 bytes and print its size and path.
For Each obj In GetObject("winmgmts:\\.\root\cimv2").ExecQuery( _
    "Select * from CIM_DataFile where FileSize = 0")
    Wscript.Echo obj.FileSize & " -- " & obj.Name
Next
'[:End Code]

Copy and paste the code into NotePad and SaveAs: C:\ZeroByte.vbs

Open a Command Prompt window (Start|Run CMD) at C:\>
Use this command to list files:
Cscript ZeroByte.vbs | More

That will list the files one screen full at a time, with a More prompt.
Press Spacebar for next screen full.

Or you can use this command to send the list to a text file:
Cscript ZeroByte.vbs > C:\ZeroByteList.txt

Do not double click the ZeroByte.vbs file, or it will run with Wscript,
(instead of Cscript,) and will use the MsgBox feature to display the files
one file per message box, one after another when you click OK. To stop
that, you have to use Task Manager to End this Process: Wscript.exe

Keep in mind that some Zero Byte files are necessary, like those in your
"Send To" folder, and some in the root (C:) folder. Most Zero Byte files
are found in your "Temporary Internet Files" (TIF) subfolders, and can be
safely deleted. The normal "Internet Options" Delete Files function only
gets rid of files that are listed in the [TIF] index.dat file. There are
other programs beside Internet Explorer that use TIF for temp files.

HTH (Hope This Helps. :)
--Richard
 