Handle leak in System process?

[Charles Lavin]

Hi --

I have a Windows XP Pro SP3 box that's been giving me a headache for some
time now. Every so often, programs will fail to load and Windows (or an app)
will complain about being out of memory or system resources. Or windows
won't open. Etc., etc.

I've been looking high and low for the reason for this, with little luck.
One thing I have noticed is that when the PC starts to get cantankerous, the
System process has an elevated handle count (18,500 this last time I started
having problems). When I check the System process through Process Explorer,
I see thousands of handles open to what looks like an empty key, and a
lesser but still large number of handles open to what looks like a file with
no name:

--------------------
DETAILS

Basic Information
Name:
Type: Key
Description: A Registry key

References
References: 1
Handles: 1

Quota Charges
Paged: 0
Non-Paged: 0

SECURITY

Unable to display security information.
--------------------
DETAILS

Basic Information
Name:
Type: File
Description: A disk file, communications endpoint, or driver interface.

References
References: 2
Handles: 1

Quota Charges
Paged: 0
Non-Paged: 0

SECURITY

Everyone: Delete, Synchronize, Query State, Modify State, (Special
Permissions)

Advanced:
Permissions: <empty>
Auditing: <empty>
Owner: Everyone
--------------------

The Handles list shows all of these empty Key handles with an Access code of
0x000F003F, and the empty File handles with an access code of 0x0012091F.

I have checked just about every other process listed in Process Explorer. No
other process that has handles open to Registry keys has any open to blank
or empty keys. Process Explorer shows valid key names for every other key
every other process has open. No other process that has handles open to
files has any open to files with no name.

Rebooting the PC solves the problem -- temporarily. The System process
returns to a manageable handle count. But even after rebooting, Process
Explorer shows a collection of "empty" keys and "no-name" files open to the
System process. And even with the PC just sitting there at a desktop with no
other windows open, that count steadily increases over time.

At the risk of sounding stupid: This is _not_ normal, right? How do I find
whatever is triggering this, if I don't even know what to look for? Any help
would be appreciated.

Thanks
CL

 

[Jose]

Hi --

I have a Windows XP Pro SP3 box that's been giving me a headache for some
time now. Every so often, programs will fail to load and Windows (or an app)
will complain about being out of memory or system resources. Or windows
won't open. Etc., etc.

What is the exact context of the complaining message(s)?

Please provide additional information about your system.

Click Start, Run and in the box enter:

msinfo32

Click OK, and when the System Summary info appears, click Edit, Select
All, Copy and then paste
the information back here.

There will be some personal information (like System Name and User
Name), and whatever appears to
be private information to you, just delete it from the pasted
information.

This will minimize back and forth Q&A and eliminate guesswork.

You can also look in the Event Viewer around the time of the incident:

Look in the Event Viewer for clues around the time of the failure:

Here is a method to post the specific information about individual
events.

To see the Event Viewer logs, click Start, Settings, Control Panel,
Administrative Tools, Event Viewer.

A shortcut to Event Viewer is to click Start, Run and in the box
enter:

%SystemRoot%\system32\eventvwr.msc /s

Click OK to launch the Event Viewer.

The most interesting logs are usually the Application and System.
Some logs may be almost or completely empty.
Not every event is a problem, some are informational messages that
things are working okay and some are warnings.
No event should defy reasonable explanation.

Each event is sorted by Date and Time. Errors will have red Xs,
Warnings will have yellow !s.
Information messages have white is. Not every Error or Warning event
means there is a serious issue.
Some are excusable at startup time when Windows is booting. Try to
find just the events at the date
and time around your problem.

If you double click an event, it will open a Properties windows with
more information. On the right are
black up and down arrow buttons to scroll through the open events. The
third button that looks like
two pages on top of each other is used to copy the event details to
your Windows clipboard.

When you find an interesting event that occurred around the time of
your issue, click the third button
under the up and down arrows to copy the details and then you can
paste the details (right click, Paste
or CTRL-V) the detail text back here for analysis.

To get a fresh start on any Event Viewer log, you can choose to clear
the log (backing up the log is offered),
then reproduce your issue, then look at just the events around the
time of your issue.