Windows 7 64bit System process opens too many handles

1

Just found that my Windows 7 64bit has an unusually high number of open handles (>180000) for around 60 minutes, but Chrome (4 tabs) and other processes are OK - checked them with Process Explorer. The unusual thing is that the handles were around 40000, then they jumped to ~145k, and before I restarted the system they were over 180k. After the OS loaded, I observed the System process again with the same Chrome tabs and other processes started. I found that the System process (PID 4) slowly grows its open handles (1 to 4 handles per second, mostly 1/s), while the other processes are perfectly OK: they open handles and close them. And still, after reaching these >150k handles, I cannot see another process with so many. The only one is the System process itself; summing all handles of all other processes by hand gives a much smaller number than for System (<30k). During this observation no sluggish performance was detected (probably due to the 8c/16t processor), and free RAM is enough (total 16.3GB, cached 4.1GB, allocated 12.2GB, free 8.5GB).

So, how can I detect what leads to so many handles? Note that I already tried and cannot use WinDbg or Gflags - WinDbg cannot attach to System ("Access denied") while Gflags cannot find the image file of System (I suppose this is normal).

1000Gbps

Posted 2018-09-07T16:35:58.847

Reputation: 167

You can do Live Kernel debugging https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/performing-local-kernel-debugging . Probably better to use LiveKD from Sysinternals.

– David Marshall – 2018-09-07T20:39:53.467

Try the Sysinternals handles tool, available from the MS web site. That will show you what objects the handles are to. (Personally, if it is causing no troublesome symptoms, I wouldn't worry about it.) – Harry Johnston – 2018-09-07T21:16:46.637

Well, livekd64.exe said "Error finding kd.exe: The system cannot find the file specified." – 1000Gbps – 2018-09-07T23:03:12.120

Edit: Nvm, copied the 64bit kd.exe to the LiveKD64.exe directory and now I'm downloading the debugging symbols. Probably after 10-15 years MS and other OS providers will manage to add a corresponding maintenance feature for the masses to their standard installations – 1000Gbps – 2018-09-07T23:20:50.743

Nope, not possible to debug it - cannot find or correctly install the symbols or the tools needed. Any ideas? – 1000Gbps – 2018-09-09T10:54:17.453

Answers

1

Luckily I managed to find the reason for this very high handle count. It was Comodo Internet Security 10.0.2. After stopping all CIS-related services and processes, the System process stopped leaking handles. The leaking handle was of type File, pointing to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CmdAgent\CisConfigs\0. Then, before uninstalling it, I deleted the whole CmdAgent\... key. I downloaded the newest version (11) of CIS and now everything is OK. Note that having 150k or more handles for SYSTEM in fact adds a very clear feeling of microstuttering, mainly in games and virtual machines started on the machine.

1000Gbps

Posted 2018-09-07T16:35:58.847

Reputation: 167
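The two checks used in this thread, watching the System process's handle count grow at a steady rate and then looking at what objects the handles point to with the Sysinternals Handle tool, can be automated. The following is an added example written for this page, not code from the thread or from Sysinternals. It assumes you have already sampled handle counts periodically (for instance from Process Explorer or `psutil`) and captured `handle.exe -p 4` output to a text file; the sample counts and the handle listing below are constructed, and the handle.exe line layout the regex expects is an approximation that may need adjusting for your version of the tool.

```python
"""Defender-side helpers for a slowly leaking process (added example).

leak_rate()     - least-squares growth rate, in handles per second, from
                  (seconds, handle_count) samples of one PID.
tally_handles() - count handles by (type, object name) in text shaped like
                  Sysinternals `handle.exe -p <pid>` output, so that a single
                  object held thousands of times stands out immediately.
"""
import re
from collections import Counter

# Constructed samples: one reading per minute for PID 4 (System), growing at
# roughly 1-2 handles/second as described in the question.
SYSTEM_SAMPLES = [(0, 40000), (60, 40100), (120, 40190), (180, 40300), (240, 40400)]

# Constructed samples for a healthy process: the count wobbles but does not trend.
HEALTHY_SAMPLES = [(0, 1200), (60, 1250), (120, 1190), (180, 1230), (240, 1210)]

# Constructed text approximating `handle.exe -p 4` output. The layout
# "<handle>: <Type> (<access>) <name>" is assumed, not copied from the tool.
SAMPLE_HANDLE_OUTPUT = r"""
------------------------------------------------------------------------------
System pid: 4 NT AUTHORITY\SYSTEM
    4: Event
    8: Key           HKLM\SYSTEM\ControlSet001\Control\Session Manager
    C: File  (R--)   C:\Windows\System32\config\SYSTEM
   10: File  (R--)   HKLM\SYSTEM\ControlSet001\services\CmdAgent\CisConfigs\0
   14: File  (R--)   HKLM\SYSTEM\ControlSet001\services\CmdAgent\CisConfigs\0
   18: File  (R--)   HKLM\SYSTEM\ControlSet001\services\CmdAgent\CisConfigs\0
   1C: Thread        System(4): 12
"""

# One handle line: hex handle value, object type, optional access flags, name.
HANDLE_LINE = re.compile(r"^\s*([0-9A-Fa-f]+):\s+(\w+)\s*(\([^)]*\))?\s*(.*)$")


def leak_rate(samples):
    """Return the least-squares slope of handle count over time (handles/s).

    A slope is used rather than last-minus-first so a single noisy reading
    does not dominate a short observation window.
    """
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples")
    mean_t = sum(t for t, _ in samples) / n
    mean_c = sum(c for _, c in samples) / n
    num = sum((t - mean_t) * (c - mean_c) for t, c in samples)
    den = sum((t - mean_t) ** 2 for t, _ in samples)
    if den == 0:
        raise ValueError("all samples have the same timestamp")
    return num / den


def is_leaking(samples, threshold_per_sec=0.5):
    """Flag a process whose handle count grows faster than the threshold.

    The 0.5 handles/s default is an assumed cut-off; the question reports
    1-4 handles/s for the leaking System process.
    """
    return leak_rate(samples) >= threshold_per_sec


def tally_handles(text):
    """Count handles by (type, object name) from handle.exe-style output."""
    tally = Counter()
    for line in text.splitlines():
        m = HANDLE_LINE.match(line)
        if not m:
            continue  # banner, separator and "pid:" lines do not match
        _handle, obj_type, _access, name = m.groups()
        tally[(obj_type, name.strip())] += 1
    return tally


def top_objects(text, n=3):
    """Most frequently held (type, name) pairs, highest count first."""
    return tally_handles(text).most_common(n)


if __name__ == "__main__":
    print(f"System growth: {leak_rate(SYSTEM_SAMPLES):.2f} handles/s,"
          f" leaking={is_leaking(SYSTEM_SAMPLES)}")
    print(f"Healthy growth: {leak_rate(HEALTHY_SAMPLES):.2f} handles/s,"
          f" leaking={is_leaking(HEALTHY_SAMPLES)}")
    for (obj_type, name), count in top_objects(SAMPLE_HANDLE_OUTPUT):
        print(f"{count:6d}  {obj_type:<8} {name}")
```

In a real investigation the interesting output is the top line of `top_objects`: a leak almost always shows up as one object name repeated far more often than anything else, which is exactly the pattern the answer describes (many File handles to the same CmdAgent registry path). The growth-rate check is what tells you the leak is ongoing rather than a one-time spike such as the jump from ~40k to ~145k in the question.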