Handle Leak

Although a handle leak may lead to Insufficient Memory (Volume 1, page 327), this is not always the case, especially if the pool structures are small, such as events. So we describe another pattern, called Handle Leak, that covers high memory usage (including fat structures), high handle counts, and abnormal differences between allocations and deallocations. As an example of the latter, here is a nonpaged pool leak of Event objects and the correlated pool tag ABCD. Although the memory usage footprint is small compared with other nonleaking pool tags, we see that the difference between Allocs and Frees is clearly abnormal and correlates with high handle counts:

0: kd> !poolused 3
   Sorting by  NonPaged Pool Consumed

  Pool Used:
            NonPaged                    Paged
 Tag    Allocs    Frees     Diff     Used   Allocs    Frees     Diff     Used
 [...]
 ABCD  1778517  1704538    73979  4734656        0        0        0        0 UNKNOWN pooltag 'ABCD', please update pooltag.txt
 Even  6129633  6063728    65905  4224528        0        0        0        0 Event objects
 [...]


0: kd> !process 0 0


[...]


PROCESS d2b85360  SessionId: 2  Cid: 1bf4    Peb: 7ffdf000  ParentCid: 1688
    DirBase: 7d778dc0  ObjectTable: e53dda08  HandleCount: 18539.
    Image: AppA.exe

PROCESS b2fcd670  SessionId: 2  Cid: 0818    Peb: 7ffd4000  ParentCid: 1688
    DirBase: 7d778400  ObjectTable: b3ffd8c0  HandleCount: 36252.
    Image: AppB.exe


[...]
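
The correlation shown above can be scripted over saved debugger output. The following Python code is an added example, not part of the original text: it parses !poolused 3 and !process 0 0 listings, ranks pool tags by Diff rather than by Used, and lists processes with high handle counts. The 10,000 thresholds, the Xmpl row and Quiet.exe are assumptions constructed for illustration.

```python
import re

# Constructed sample: the ABCD/Even rows and AppA/AppB entries are copied from
# the listings above; the "Xmpl" row and Quiet.exe are made up for contrast.
POOLUSED = """\
 Tag    Allocs    Frees     Diff     Used   Allocs    Frees     Diff     Used
 Xmpl     5200     5100      100 52428800        0        0        0        0 constructed row
 ABCD  1778517  1704538    73979  4734656        0        0        0        0 UNKNOWN pooltag 'ABCD', please update pooltag.txt
 Even  6129633  6063728    65905  4224528        0        0        0        0 Event objects
"""
PROCESSES = """\
PROCESS d2b85360  SessionId: 2  Cid: 1bf4    Peb: 7ffdf000  ParentCid: 1688
    DirBase: 7d778dc0  ObjectTable: e53dda08  HandleCount: 18539.
    Image: AppA.exe
PROCESS b2fcd670  SessionId: 2  Cid: 0818    Peb: 7ffd4000  ParentCid: 1688
    DirBase: 7d778400  ObjectTable: b3ffd8c0  HandleCount: 36252.
    Image: AppB.exe
PROCESS 00000000  SessionId: 0  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00000000  ObjectTable: 00000000  HandleCount: 312.
    Image: Quiet.exe
"""

# A data row is a tag of up to 4 characters followed by 8 integer columns.
ROW = re.compile(r"^\s*(\S{1,4})((?:\s+\d+){8})", re.M)
PROC = re.compile(r"PROCESS\s+\S+.*?HandleCount:\s*(\d+).*?Image:\s*(\S+)", re.S)

def nonpaged_rows(text):
    """Yield (tag, allocs, frees, diff, used) from the NonPaged columns."""
    for tag, nums in ROW.findall(text):
        allocs, frees, diff, used = map(int, nums.split()[:4])
        yield tag, allocs, frees, diff, used

def leak_suspects(text, min_diff=10_000):  # threshold is an assumption
    """Tags ranked by outstanding allocations (Diff), with average bytes each."""
    rows = [r for r in nonpaged_rows(text) if r[3] >= min_diff]
    return [(tag, diff, used // diff) for tag, _, _, diff, used in
            sorted(rows, key=lambda r: r[3], reverse=True)]

def handle_heavy(text, min_handles=10_000):  # threshold is an assumption
    """Processes at or above the handle-count threshold, highest first."""
    procs = [(img, int(n)) for n, img in PROC.findall(text)]
    return sorted((p for p in procs if p[1] >= min_handles), key=lambda p: -p[1])

if __name__ == "__main__":
    for tag, diff, avg in leak_suspects(POOLUSED):
        print(f"{tag}: {diff} outstanding allocations, ~{avg} bytes each")
    for image, handles in handle_heavy(PROCESSES):
        print(f"{image}: {handles} handles")
```

Ranking by Used would put the constructed Xmpl row first, while ranking by Diff surfaces ABCD and Even, the small-structure leak that the byte footprint hides.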