On a specific build of Win 11 (and not on later ones), I see a lot of leaks from File/IoFE.
Usual Verifier pool tracking does not work (driver cannot be unloaded and also … it would track too much and thus be useless). No paths seem to indicate we hold references.
Any ideas how to pinpoint these specifically?
You know this space better than I, so am reluctant to point out what you already know, that ‘File’ is often a file object and so !obtrace might help. As might (maybe, perhaps) !verifier 80.
If the leaked ‘File’ pool is for file objects, the →FileName (and indeed pool tagging of FsContext) might help.
There are millions of leaks of "File" memory. So !verifier 80 shows nothing of value (too many things are tracked and only 10k logs)
ObTrace might work... thanks.
Lemme know if anyone has other ideas.
Kind regards, Dejan Maksimovic.
FS Lead: http://www.alfasp.com
Interesting. I just noticed 5 million open File handles open in the System process of my Windows 11 machine yesterday. Does that match what you see?
I took a look in Process Explorer and the handles were, anecdotally, largely DLLs coming from the winsxs folder.
I assumed it was whatever EDR was on my system but an actual Windows bug would be much more interesting.
No, without my driver, there are only about 100k File allocations. So 50x increase.
My handle leak did turn out to be an OS component - wcifs. I couldn't quite RCA it but I can work around it at least.
Cool blog!
We managed to track the leak with !obtrace by sheer luck.
I hate how overcomplicated things are, such that even LLMs can’t really dig a lot themselves.
In the XP era, I could still figure out the entire trace and workings of all file I/O in real time. At Win7 I could analyze it fully myself post-mortem. But now… it looks more cryptic than if my machine were unknowingly mining crypto.
On a related topic: why does CPU usage always go down when we start Task Manager? 
The good ol’ days. I actually had to support a product on XP 2-3 years back. That cured me of some of my nostalgia. 
Glad you were able to find the leak.
My hobby project still supports XP 
I’ve done a few XP projects over the last few years. One thing that I marvel at is just how “quiet” the system is. Like, you can put a breakpoint on NtfsFsdCreate and actually step through things. Now? Forget it. Spare CPU cycles are just an opportunity to generate more telemetry and/or botshit it seems.
(Insert “old man yells at cloud” meme here)