TalkBackVideo Understanding handle leaks and How to use !htrace to find them


Written by Jeff Dailey


Hello, my name is Jeff Dailey. I’m an Escalation Engineer for the Global Escalation Services Platforms team. I’d like to show you how to debug and find leaking handles within your application or another process. We can do this with the !htrace command in WinDbg, the Microsoft Windows Debugger most of us in GES/CPR use for debugging.

A handle is a value used in user mode; when it is passed to a call that transitions into the kernel, it is used as an index into the process’s handle table to locate the kernel-mode object it refers to. Kernel-mode objects are generally allocated from pool, so a handle that is opened and never closed keeps its object, and the pool that object occupies, alive for the life of the process. If you are having pool consumption problems and seeing errors such as Event ID 2019 (nonpaged pool exhausted) or 2020 (paged pool exhausted) reported, there is a good chance a handle leak is behind them. The usual cause is not calling CloseHandle() on the handle when you have finished using it.

You can view the Channel 9 "How to debug handle leaks" video here.

The following is the sample source for a handle leak that we will be debugging in our demo video.


// leakyhandles.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include <windows.h>

void fun1(void);
void fun2(void);
void fun3(void);
void fun4(void);

int main(int argc, char* argv[])
{
      // Loop forever so the leak accumulates while we watch it in the debugger.
      while(1)
      {
            fun1();
            fun2();
            Sleep(100);
      }
      return 0;
}

void fun1(void)
{
      fun3();
}

void fun2(void)
{
      fun4();
}

// Correct usage: the event handle is closed as soon as we are done with it.
void fun3(void)
{
      HANDLE hEvent;

      hEvent = CreateEvent(NULL,TRUE,TRUE,NULL);
      CloseHandle(hEvent);
}

// The deliberate leak: the event is created but never closed, so the process
// gains one handle (and the kernel one event object) every pass through main().
void fun4(void)
{
      HANDLE hEvent2;

      hEvent2 = CreateEvent(NULL,TRUE,TRUE,NULL);
}
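Here is the WinDbg command sequence I would use against the sample above to find the leak. This is an added example written for this page, not a transcript of the video. It assumes the executable is named leakyhandles.exe, that it was started under WinDbg (File > Open Executable), and that its symbols are on the symbol path so the stacks resolve to function names; the handle value in step 6 is illustrative only.

```windbg
$$ Added example: using !htrace to catch the CreateEvent leak in leakyhandles.exe.
$$ Type these at the WinDbg prompt with the sample running under the debugger.
$$ (Assumptions: the module is named leakyhandles and its symbols are loaded.)

$$ 1. Baseline: a summary of the handles the process holds right now, by type.
!handle 0 0

$$ 2. Enable handle tracing. From here on every handle open and close in the
$$    target records the stack that performed it, and an initial snapshot of
$$    the handle table is taken for -diff to compare against.
!htrace -enable

$$ 3. Let the loop in main() run for a few seconds, then break in (Ctrl+Break).
g

$$ 4. List every handle that is open now but was not open at the snapshot,
$$    each with the stack that opened it. Repeated entries point at the leak.
!htrace -diff

$$ 5. Sanity check: repeat steps 3-4 and compare. If this count keeps rising
$$    while the workload is steady, the handles in the diff are never closed.
!handle 0 0

$$ 6. Drill into one handle from the diff (0x7c is an assumed value) to see
$$    its recorded open/close history.
!htrace 0x7c

$$ 7. Take a fresh snapshot so the next -diff only shows handles opened after now.
!htrace -snapshot

$$ 8. Turn tracing off when you are done; it costs memory and time in the target.
!htrace -disable
```

For this sample the diff should show one new Event handle per pass through main(), each with a stack through leakyhandles!fun4, leakyhandles!fun2 and leakyhandles!main, and none through fun3, because fun3 closes its handle. Two caveats: tracing records only handles opened after -enable, so enable it before the suspected leak runs (ideally as soon as the process starts), and the stacks resolve to function names only if symbols for the module are loaded.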


Thank you.

Jeff Dailey

Escalation Engineer (Platforms core team)

  • Thank you for the sample code!

    I really enjoyed it!

    I wrote the following WinDbg script code just to see how your code works.

    It's beautiful.

    WinDbg script code:

    .catch
    {
       .block
       {
           .logclose
           .logappend d:\windbg\logs\browsers.log
           $$ $SafetyCheck exists only if this script has already run once
           r $t0  = ${/d:$SafetyCheck}
       }
       .block
       {
          .if (0 == @$t0)
          {
              as $SafetyCheck "Written by Takashi Toyota"
          }
          .else
          {
              $$ second run: list, then clear, all existing aliases
              al
              ad /q *
          }
       }
       .block
       {
            $$ start the leaking sample, let it run, then switch to the kernel debugger
            .create D:\ITDanwa\handleleak\Debug\handleleak.exe
            g
            .detach
            .attach -k
            g
            !gflag
            $$ walk the active process list looking for the sample's EPROCESS
            r $t0 = nt!PsActiveProcessHead
            .for (r $t1 = poi(@$t0); (@$t1 != 0) & (@$t1 != @$t0); r $t1 = poi(@$t1))
            {
               r? $t2 = #CONTAINING_RECORD(@$t1, nt!_EPROCESS, ActiveProcessLinks)
               as /ma $ImageName @@c++(&@$t2->ImageFileName[0])
               .block
               {
                  .if (1 == $spat("${$ImageName}", "*handleleak*"))
                  {
                     $$ sample the process's handle table count three times, 3 s apart
                     .for (r $t9 = 0; @$t9 < 3; r $t9 = @$t9 + 1)
                     {
                       .time
                       .sleep 0n3000
                       r? $t3 = @@C++((int) @$t2->ObjectTable->HandleCount)
                       n 10
                       ?? @$t3
                      }
                  }
                }
             ad $ImageName
            }
       }
     .detach
    }

    Result:

    Debug session time: Wed Nov  5 16:53:16.949 2008 (GMT+9)
    System Uptime: 0 days 8:28:36.780
    base is 10
    int 40
    Debug session time: Wed Nov  5 16:53:19.964 2008 (GMT+9)
    System Uptime: 0 days 8:28:39.794
    base is 10
    int 70
    Debug session time: Wed Nov  5 16:53:22.978 2008 (GMT+9)
    System Uptime: 0 days 8:28:42.809
    base is 10
    int 100
