On a specific build of Win 11 (and not on later ones), I see a lot of leaks from File/IoFE.
Usual Verifier pool tracking does not work (driver cannot be unloaded and also … it would track too much and thus be useless). No paths seem to indicate we hold references.
Any ideas how to pinpoint these specifically?
You know this space better than I, so am reluctant to point out what you already know, that ‘File’ is often a file object and so !obtrace might help. As might (maybe, perhaps) !verifier 80.
If the leaked ‘File’ pool is for file objects, the ->FileName (and indeed pool tagging of FsContext) might help.
There are millions of leaks of "File" memory. So !verifier 80 shows nothing of value (too many things are tracked and only 10k logs).
ObTrace might work... thanks.
Lemme know if anyone has other ideas.
Kind regards, Dejan Maksimovic.
FS Lead: http://www.alfasp.com
Interesting. I just noticed 5 million File handles open in the System process of my Windows 11 machine yesterday. Does that match what you see?
I took a look in Process Explorer and the handles were, anecdotally, largely DLLs coming from the winsxs folder.
I assumed it was whatever EDR was on my system but an actual Windows bug would be much more interesting.
No, without my driver, there are only about 100k File allocations. So 50x increase.