What is causing ntoskrnl aka the System process to continue accumulating handles

Question

I have a server which is accumulating handles on the System process aka c:\windows\system32\ntoskrnl.exe. The handles go to 18,000 in one day and keep going forever up at that rate. The server is running Postgresql 9.0.3, asp.net web services which insert into the database, and an asp.net website which queries the database. The web services are accessed from linux and windows test machines via gSOAP. I've ran Process Explorer on the System process and the extra handles are listed as Type Key. I found them in regiedt. Here are two examples exported from regedit.

1.

Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{2e167ea7-    85e3-4395-995a-77af9875d79a}\InprocServer32
Class Name:        <NO CLASS>
Last Write Time:   7/13/2009 - 10:53 PM
Value 0
  Name:            <NO NAME>
  Type:            REG_EXPAND_SZ
  Data:            %systemroot%\system32\colbact.dll

Value 1
  Name:            ThreadingModel
  Type:            REG_SZ
  Data:            Both

2.

Key Name:          HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{91162401-6E6B-478A-A7FF-994EBA35B9C3}
Class Name:        <NO CLASS>
Last Write Time:   7/13/2009 - 10:54 PM
Value 0
  Name:            <NO NAME>
  Type:            REG_SZ
  Data:            PSFactoryBuffer


Key Name:          HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{91162401-6E6B-478A-A7FF-994EBA35B9C3}\InProcServer32
Class Name:        <NO CLASS>
Last Write Time:   7/13/2009 - 10:54 PM
Value 0
  Name:            <NO NAME>
  Type:            REG_EXPAND_SZ
  Data:            %SystemRoot%\system32\ime\shared\imeapis.dll

Value 1
  Name:            ThreadingModel
  Type:            REG_SZ
  Data:            Both

The web service that inserts into the database is executed about 130,000 times a day across the whole day. An insert consists of a virtual machine running windows or linux on the intranet calling the web service function via gSOAP with the test result data. The data are strings and numbers. The web service opens a database connection, inserts the data into the database and closes the connection. The database in question is 150 gigabytes large. I've gone over the database usage code, which is C# by the way and every database connection is getting closed as far as I can see. The server functions work fine except for the handle accumulation.

When the handles get to about 150,000 the web site starts behaving strangely and I have to reboot which is problematic because test machines are bombarding the web service with test results.

What could be causing the handle accumulation? Any help would be greatly appreciated. Thanks.

Answer 1

Turns out the handle leak was coming from a driver in a license manager program made by SaferNet Inc. SmartBear software's AQTime uses this license manager and that's how we got it. I'm working with SmartBear to deal with the issue.

I was able to pinpoint registry opens that weren't being closed using Process Monitor from Sysinternals. Then I looked at the call stack for the handles in question and saw the driver from SaferNet invoking ntoskrnl.

In the end the problem had nothing to do with IIS, gSOAP or postgresql.

The guys from SmartBear provided a newer license manager. I installed it over the old one and the leak went away.