Monthly Archives: July 2013

How to troubleshoot a handle leak?

From: https://blogs.technet.com/b/yongrhee/archive/2011/12/19/how-to-troubleshoot-a-handle-leak.aspx?Redirected=true

What are the thresholds (estimates, not a hard and fast rule)?

32-bit Windows XP, Server 2003, Vista, Server 2008, 7:

For most processes, if higher than 2,500 handles open, investigate.

Exceptions are:

System 10,000

lsass.exe 30,000

store.exe 30,000

sqlsrvr.exe 30,000

64-bit Windows XP, Server 2003, Vista, Server 2008, 7, Server 2008 R2:

For most processes, if higher than 3,000 handles open, investigate.

Exceptions are:

System 20,000

lsass.exe 50,000

store.exe 50,000

sqlsrvr.exe 50,000

Now the question becomes, what type of handles are open by the application?

There are tools such as the Microsoft Sysinternals tools such as Handle and Process Explorer that will let you look into the open handles.

In Process Explorer, to see the handles used by a process, you will have to go thru a few steps.
2

 

Click on View > Select Columns…

3

Click on the ‘Process Performance’ tab > ‘Handle Count’

4

What you will notice is the new column called ‘Handles’

5

Move the ‘Handles’ columns next to ‘Working Set’

6

Sort it by the ‘Handles’ columns

Now, we have the process that is consuming the most amount of handles just like in Task Manager.

But we still don’t see what type of handles they are.

7

Click on View > Lower Pane View > Handles

Note:  This will enable the “Show Lower Pane” by default.

8

Click View > Show Unnamed Handles and Mappings

9

What you will see is the second pane at the bottom that has ‘Type’ and ‘Name’

10

In our sample application, they are ‘Event’ handles to ‘Sessions11BaseNamedObjectsTestLimit’

11

So, each handle that is open, will consume paged or nonpaged pool (kernel memory) which on 32-bit systems, there is a finite amount available.

Thus, handle leaks, can and will cause Windows clients and servers to hang.

In the example above, we could see that it consumes 112 Non-Paged pool memory(kernel memory).

Note:  To see what type of handles are the most used for the application, you will want to click on File > Save As > .txt and load it in Excel to sort by handle type.

 

Ok, so now that we have the handle type and name, what’s our next steps?

If you are lucky, if the handle leak is related to a Microsoft process, you could do a search in our (Microsoft) Knowledge Base http://support.microsoft.com and find the root cause.

Keyword:  Handle count

If it is a 3rd party process, please check their Knowledge Base articles.

Hint:  A lot of times, the 3rd party vendors and Independent Software Vendors (isv’s) will not use the word ‘handle leak’, instead will use ‘memory leak’ in their KB’s.  Thus, if you don’t get any results using ‘handle leak’, change the keyword in your searches to ‘memory leak’.

 

After you search the Microsoft and 3rd party KB’s and end up empty handed.  To tackle a ‘new’ handle leak, we will need to:

Enable handle tracking on the application using Microsoft Application Verifier or use Gflags which is a part of of the Debugging Tools for Windows.

Once you have enabled any of the handle tracking tools, we will need to use one of the debuggers such as WinDbg Download and Install Debugging Tools for Windows

Option 1a)  Enable handle tracing on the process by using Global Flags (GFlags):

Go to c:Program FilesDebugging Tools for Windows (x64)

12

Double click on gflags.exe

13

Click on the ‘Kernel Flags’ tab

Check the box next to ‘Enable bad handles detection’

14

Click on the ‘Image File’ tab

Next to ‘Image: (TAB to refresh)’, enter the path and the executable name.

For example:

c:program filesMicrosoft Sysinternalstestlimit64.exe

And then click on the ‘Tab’ key

Next to ‘Stack Backtrace: (Megs):’ enter ‘10’

Click on Apply

Click on Ok

OR

Option 1b) Enable handle tracing on the process by using Global Flags (GFlags):

Install Application Verifier (x64), you can download it from https://www.microsoft.com/en-us/download/details.aspx?id=20028

15

Click on All Programs > Application Verifier (x64) > Application Verifier (x64)

16

You will see the “Application Verifier 4.0 (x64) tool above.

17

Click on File > Add Application

18

For example:

Point it to c:program filesmicrosoft sysinternals folder

Next to ‘File name:’ testlimit64.exe

Click on Open

19

You will see this UI.

20

Expand ‘Basics’ and you will notice that there are a good amount of options (Exceptions, Handles, Heaps, Input/Output, Leak, Locks, Memory, Threadpool, TLS) checked by default.

21

Uncheck all, except for ‘Handles’ since it is what we are troubleshooting.

Click on Save

22

You will get this informational, click on OK

Click on Exit

23

Right click on WinDbg > Run as administrator

24

Click on File > Symbol File Path…

25

Under “Symbol Search Path”, type srv*c:websymbols*http://msdl.microsoft.com/download/symbols

26

Click on “File, Attach to a Process…”

27

Scroll down to the application that you want to monitor for high handle consumption.

In our example here, we are clicking on “testlimit64.exe”

Click on Ok

28

Once the debugger (in this case, WinDbg) opens up.

29

Type “.logopen c:temphandleleak_testlimit64_MMDDYEAR_HHMMSS.txt” without the quotation marks and then press Enter.

Note:  Where MMDDYEAR is the Month, Date and Year.

Where HHMMSS is the Hour, Minute and Seconds.

and ApplicationName is the actual process name.

30

31

Type “!htrace enable” without the quotation marks and then press Enter.

32

Note:  Notice that you will get information such as “Handle” and that it’s opening (OPEN).

And you will also see the stack being called.

If you don’t have symbol resolution to the application that you are troubleshooting, then you will get an offset that is big instead of the function names.

In this example:

testlimit64+0x0000000000001b96

testlimit64+0x0000000000003037

33

Type “!htrace –snapshot” w/o the quotation marks, and then Press Enter.

34

You will get the following return informational “Handle tracing information snapshot successfully taken”

35

Type “g” without the quotation marks and then Press Enter.

Note:  g for Go.

36

Reproduce the issue.

37

Once the reproduction is done.

Click on Debug > Break (or just CTRL+Break)

38

Type “!htrace –diff” without the quotation marks and then press Enter.

39

Note:  By default, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2 keep a history of 4000 handles open and close operations.

With !htrace you can enable to keep a much higher history by doing the following:

40

Type “!htrace –enable 0x20000” without the quotation marks and then press Enter.

In this example, we are increasing the handle history to 128000 (decimal, 0x20000 hexadecimal).

41

Then go thru

!htrace –snapshot

g

Note:  Reproduce the leak, or let the app leak

CTRL-Break

!htrace –diff

42
In this blog, we are going to be using Process Explorer since it is UI driven and it is easier for most of the audience.

Windows 8 and Intel USB 3.0 Host Controllers

http://plugable.com/2012/12/01/windows-8-and-intel-usb-3-0-host-controllers

Now download these two .inf files which have been modified to allow the Intel driver to install on Windows 8:
inf

We are going to replace the existing versions of these two files with the ones we just downloaded. Place the files in the following directory of the unzipped driver package and click yes when Windows warns that we are over writing a file with the same name:

Intel(R)_USB_3.0_eXtensible_Host_Controller_DriverDriversWin7x64

This will update these two infs with the modified versions that will allow the Intel driver to install on Windows 8 when the Host Controller and USB hub drivers are updated.

To install the Intel drivers in place of the in box XHCI stack, we’ll have to temporarily disable Driver Signing Enforcement. To do this press the Windows key + R and in the run box type:

shutdown.exe /r /o /f /t 00

Now make the following selections to boot into the Start Up Setting Screen

Troubleshoot — Advanced options — Start Up Settings — Restart

Then, when the machine restarts, select “Disable driver signature enforcement”. Your machine will start with Driver signing enforcement disabled until the next reboot.

When the machine restarts, open Device Manager (win + r, devmgmt.msc). Double click on the entry for the Intel(R) USB 3.0 eXtensible Host Controller and select the Drivers tab. You should see that the driver provider is Microsoft.

Now click “Update Driver” and then select “Browse my computer for driver software”.

Next choose “Let me pick from a list of device drivers on my computer”.

Next, select “Have Disk”.

In the Window that pops up titled “Install From Disk” choose “Browse” and navigate to the location where we replace the original infs with the two modified .inf files we downloaded earlier. Select iusb3xhc.inf and click ok.

Windows will warn that the driver is not signed and will require you to confirm the installation.

Once the installation is complete, reboot the machine following the same procedure as above:

shutdown.exe /r /o /f /t 00

Now make the following selections to boot into the Start Up Setting Screen

Troubleshoot — Advanced options — Start Up Settings — Restart

When the machine starts, select “Disable driver signature enforcement”. Your machine will start with Driver signing enforcement disabled until the next reboot. Once logged in, open Device Manager (win + r “devmgmt.msc”) and locate the entry under Other devices for an Unknown device, to find the correct one, double click on the entry for the unknown device view the details tab. Make sure it has the VID_8086.

Once you have located the correct device right click on it and choose “Update Driver” Choose “Browse my computer”, Windows will ask you to identify the type of device, scroll down and select “Universal Serial Bus Devices”.

Click next, choose “Have Disk”, “Browse” and select the modified iusb3hub.inf that we placed in the Intel(R)_USB_3.0_eXtensible_Host_Controller_DriverDriversWin7x64 folder earlier and click ok.

Again, Windows will warn about driver signing, when the install is finished, reboot your machine.

When it restarts look at the driver tab for the Intel(R) USB 3.0 eXtensible Host Controller and the Intel(R) USB 3.0 Root Hub to confirm that you are now running the Intel drivers.

To return to the built in Microsoft USB 3.0 driver stack, use the uninstall drivers button from the driver tab in device manager. When it’s finished, select the Action menu of Device Manager and “scan for hardware changes” Windows should find the Intel USB 3.0 host controller and re-install it using the built in Microsoft XHCI stack.