how to find source of a handle leak

Microsoft News

XP Pro SP3

ProcessExplorer is showing that some process under the
System entry is creating dozens of handles each second and
is apparently not freeing them. After an hour or so, there
are 200,000+ handles.

In the Handle View, I see that the vast (vast!) majority
listed show

Key HKLM\SYSTEM\ControlSet003\Control\DeviceClasses

My guess is that this is telling me that a device driver is
the culprit. How can I track it down?

Thanks,
Jason
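A way to narrow the hunt before opening the Handle view, added here as an example and not part of the original post: sample every process's handle count a few times and report only those whose count never drops. The sample count, interval and growth threshold are assumed defaults; on XP the driver-owned handles described above are charged to the "System" process (PID 4), so a leaking driver shows up under that name.

```powershell
# Added example, not from the thread. Snapshots per-process handle counts a
# few times and reports processes whose count only ever grows. Thresholds and
# sample count are assumptions; adjust them to the machine.
function Find-HandleGrowth {
    param(
        [int]$Samples = 6,        # snapshots to take
        [int]$IntervalSec = 10,   # seconds between snapshots
        [int]$MinGrowth = 500     # total growth that counts as suspicious
    )

    $history = @{}   # process id -> @{ Name; Counts (List[int]) }

    for ($i = 0; $i -lt $Samples; $i++) {
        foreach ($p in Get-Process) {
            if (-not $history.ContainsKey($p.Id)) {
                $history[$p.Id] = @{
                    Name   = $p.ProcessName
                    Counts = New-Object 'System.Collections.Generic.List[int]'
                }
            }
            $history[$p.Id].Counts.Add($p.Handles)
        }
        if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSec }
    }

    $seconds = $IntervalSec * ($Samples - 1)
    foreach ($procId in $history.Keys) {
        $entry = $history[$procId]
        $c = $entry.Counts
        # skip processes that started or exited during the run
        if ($c.Count -lt $Samples) { continue }

        $growth = $c[$c.Count - 1] - $c[0]
        # monotonic: no sample is lower than the one before it, i.e. handles
        # are being created but never released
        $monotonic = $true
        for ($j = 1; $j -lt $c.Count; $j++) {
            if ($c[$j] -lt $c[$j - 1]) { $monotonic = $false; break }
        }

        if ($monotonic -and $growth -ge $MinGrowth) {
            New-Object PSObject -Property @{
                PID    = $procId
                Name   = $entry.Name
                First  = $c[0]
                Last   = $c[$c.Count - 1]
                Growth = $growth
                PerSec = [math]::Round($growth / $seconds, 1)
            }
        }
    }
}

Find-HandleGrowth | Sort-Object Growth -Descending |
    Format-Table PID, Name, First, Last, Growth, PerSec -AutoSize
```

Once a process is flagged, Process Explorer's Handle view (as used above) shows the handle type and name; when nearly all of them are Key handles to one registry path held by System, the owner is kernel-mode code rather than an application, which is why a boot that omits third-party drivers (Safe Mode) is a useful discriminator.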
 
Do you use more than one Hardware Profile?

ControlSet003 is an unusual feature.

Malwarebytes' Anti-Malware
1.38 - freeware (if you upgrade you pay).
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

Run Malwarebytes' and turn off your current anti-virus
before you do to avoid a conflict. Disregard the invitation on the web
site regarding the Registry Optimiser - a Registry Optimiser is not a
helpful utility.

--


Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
Thanks, Gerry. I have run everything I can find already,
including Malwarebytes. Nada.

I do not have multiple hardware profiles. I was also
surprised. Is that a clue?

Thanks,

Jason
 
This is the result I get from a Google search.
http://snurl.com/nfeqb [www_google_co_uk]

The result suggests malware possibly a Rootkit.

You might try this software
http://download.cnet.com/GMER/3000-8022_4-10720106.html
 
Thanks. I ran Malwarebytes' and GMER. I'm not sure how to
interpret the GMER results, but they seem to line up with
those from Malwarebytes. Both identified components of
ZoneAlarm AV and Commview, a net monitoring utility. Neither
is dangerous (I hope!). These, and other malware finders, do
not report anything suspicious, so perhaps it's a bug in ZA
or Commview. I will try shutting ZA down and see what
happens.

Jason
 
Take a look in the Select key at the values and the Data columns.

You will see (hopefully):

Current
Default
Failed
LastKnownGood

In my Select values, I have:

Current (1)
Default (1)
Failed (0)
LastKnownGood (2)

In Select, Current and Default have Data values of (1), which is the
right now set, so ControlSet001 and CurrentControlSet should be images
and the same (for me).

In Select, LastKnownGood has a Data value of (2) which is what gets
loaded if you boot with Last Known Good Configuration.

In Select, my Failed value is (0) and therefore I don't have a
ControlSet000, since I have never had a failed boot in my life ;).
It makes sense, then, that there is no ControlSet000 to match my Failed
value.

Windows loads whichever one you choose when you boot or if you let it
boot naturally, the appropriate one, so you should see if you have a
(3) in your Select key and if you do, it should be either Failed or
LastKnownGood. Generally with a single hardware profile, there should
be no ControlSet003.

If you have a ControlSet003 and it is not in your Select key, that
is most curious. You would have to verify your Select key values 0, 1,
2 etc. to see if they all make sense.

If you have ControlSet003 and it is not in the Select key as a (3)
option, there would be no way for it to load, unless you have a
rootkit infection that is loading ControlSet003 for you by going
around what is in the Select keys. How rude.

There are many rootkit detection and removal tools. MBAM is good,
BlackLight is good, and there are others to search for and try.

No single detection tool can know about everything, so run them until
what you see in the registry makes sense and can be explained.
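The check described above, written out as an added example (not Jose's own script): read the four values under HKLM\SYSTEM\Select, work out which ControlSet00N each one points at, and compare that with the ControlSet keys that actually exist, so a set that is present but unreferenced stands out. It only reads the registry.

```powershell
# Added example, not from the thread. Compares HKLM\SYSTEM\Select with the
# ControlSet00N keys present under HKLM\SYSTEM.
function Test-ControlSets {
    $select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'

    # ControlSet name -> Select values that point at it
    $referenced = @{}
    foreach ($name in 'Current', 'Default', 'Failed', 'LastKnownGood') {
        $n = [int]$select.$name
        '{0,-14} = {1}' -f $name, $n
        if ($n -le 0) { continue }           # Failed = 0 means "no failed set"
        $key = 'ControlSet{0:D3}' -f $n
        if (-not $referenced.ContainsKey($key)) { $referenced[$key] = @() }
        $referenced[$key] += $name
    }

    $present = Get-ChildItem -Path 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
        ForEach-Object { $_.PSChildName }

    ''
    foreach ($cs in ($present | Sort-Object)) {
        if ($referenced.ContainsKey($cs)) {
            '{0}: referenced by Select\{1}' -f $cs, ($referenced[$cs] -join ', ')
        } else {
            # Not necessarily malicious: a second hardware profile or a set
            # left behind by an earlier boot also produces this. It does mean
            # nothing in Select selects it at boot, so it should be explained.
            '{0}: NOT referenced by any Select value - explain before trusting it' -f $cs
        }
    }
    foreach ($cs in $referenced.Keys) {
        if ($present -notcontains $cs) {
            '{0}: referenced by Select\{1} but the key does not exist' -f $cs, ($referenced[$cs] -join ', ')
        }
    }
}

Test-ControlSets
```

Run it from an elevated PowerShell prompt; the first block of output is the raw Select values, the second is the reconciliation. A set that Select references but which is missing is as worth explaining as a set nothing references.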
 
Thanks so much! I took a look at the Registry before your post, but now I
have a much better idea of what to look for.

So far, the only "devices" I've found are associated with ZoneAlarm and
Commview. Both are (nominally!) legit... but I suppose either could have a
bug. There have been issues with ZA's vsdatant driver not loading properly
after ZA is installed. Perhaps this is a further clue...


Jason
 
I used to like ZA, but sometimes it causes some issues, consumes too
much CPU or Mem Usage, especially the ZLCLIENT and ScanningProcess
(check in Task Manager). I don't care for it anymore.

I am not using either of them here, so I can't look into it further.

You could disable ZA and Commview (whatever that is) and see if your
issue goes away, which one is suspicious - or both.

I just got rid of ZA and Ad-Aware on a system. ZA ScanningProcess was
consuming 113K of memory and AA was at a constant 35%. Ugh.

The real time protection and "extra" firewall in some of these things
are sometimes irritants.
 
I agree! This Dell machine came with McAfee security
software. Talk about bloat! ZA is a gazelle comparatively...
My wife's machine came with Norton AV and that is a pig
too... What would really help would be Necrosoft products
without all the vulnerabilities! Probably around version 37
of Windows, or five years after H*ll freezes over.

Jason
 
I also promptly uninstalled the free McAfee provided by the ISP.

Ugh again!

Norton is also sometimes an interferer.
 
Well, I have no idea why I have a ControlSet 007!, but the
others make sense. The Current one at boot is 003, so I
tried the LastKnownGood (002) and I get the same result:
hundreds of thousands of handles after a few hours...

Once upon a time, I used the MS kernel debugger to track
down a Pool allocation issue that was causing BSOD crashes.
It was quite an adventure... I suppose I could try to
remember everything and see if I can just trace CreateEvent
system calls. Perhaps I can identify the caller--a driver I
presume--that's causing the trouble.
 
-snip-
Perhaps I can identify the caller--a driver I
presume--that's causing the trouble.
FWIW, if I start in Safe Mode, with or without Networking
enabled, the leak doesn't exist apparently.
 