Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

handle leak in winlogon.exe


  • Please log in to reply
3 replies to this topic

#1 MattFl

MattFl

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:03:51 AM

Posted 31 October 2008 - 10:04 AM

Please help me figure out why winlogon.exe is leaking handles on my WinXP Pro SP3 x86 machine. About 12 hours after a reboot I'm already up to about 40,000 handles for winlogon.exe. The handle count continues to increase even while the machine sits idle. Eventually the machine begins behaving eratically and I have to reboot it, usually every 24 hours or so. The md5sum for my winlogon.exe matchines the md5sum for winlogon.exe on a properly working machine (ed0ef0a136dec83df69f04118870003e *C:\\WINDOWS\\SYSTEM32\\winlogon.exe) so I don't think I have a corrupt winlogon.exe. I think the problem is due to some interaction between winlogon.exe and another process, but I'm not sure which one. Can anyone help me to trouble shoot this further?

BC AdBot (Login to Remove)

 


#2 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,091 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:03:51 AM

Posted 31 October 2008 - 04:55 PM

What are you using to determine that it's leaking?
Have you scanned the system with an independent malware scanner (in case yours is corrupted by malware)?
Links to several free, online scanners are here: http://www.bleepingcomputer.com/blogs/usas...?showentry=1252
My browser caused a flood of traffic, sio my IP address was banned. Hope to fix it soon. Will get back to posting as soon as Im able.

- John  (my website: http://www.carrona.org/ )**If you need a more detailed explanation, please ask for it. I have the Knack. **  If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficult reading posts. (23 Nov 2017)FYI - I am completely blind in the right eye and ~30% blind in the left eye.<p>If the eye problems get worse suddenly, I may not be able to respond.If that's the case and help is needed, please PM a staff member for assistance.

#3 MattFl

MattFl
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:03:51 AM

Posted 03 November 2008 - 09:05 PM

Maybe leak is the wrong word; the number of handles for the winlogon.exe process(s) just keeps increasing until the OS becomes unstable.

I've got some executables that run on a schedule and if I turn some of them off then the rate of increase of the handles goes down, so it's definitely the spawning of new processes that run as a user that are causing the number of handles owned by winlogon.exe to increase. I have run multiple spyware and virus scanners, and so far things look clean. That's not to say I didn't pick up a root kit or something.. Is anyone aware of a way to find out why winlogin.exe is holding on to these handles, or force it to release handles that are no longer in use?

#4 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,091 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:03:51 AM

Posted 04 November 2008 - 07:43 AM

Here's a free tool that may help: http://www.microsoft.com/technet/sysintern...ssExplorer.mspx
In the View menu, select "Show lower pane", then select Lower Pane View and select "Handles ( http://support.microsoft.com/kb/232830 )

I'd also right click on the winlogon.exe process and select Properties,
then select the Threads tab and see what's going on there.
My browser caused a flood of traffic, sio my IP address was banned. Hope to fix it soon. Will get back to posting as soon as Im able.

- John  (my website: http://www.carrona.org/ )**If you need a more detailed explanation, please ask for it. I have the Knack. **  If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficult reading posts. (23 Nov 2017)FYI - I am completely blind in the right eye and ~30% blind in the left eye.<p>If the eye problems get worse suddenly, I may not be able to respond.If that's the case and help is needed, please PM a staff member for assistance.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users