File/IoFE leaks

Dejan_Maksimovic · November 14, 2025, 12:44pm

On a specific build of Win 11 (and not on later ones), I see a lot of leaks from File/IoFE.

Usual Verifier pool tracking does not work (driver cannot be unloaded and also … it would track too much and thus be useless). No paths seem indicate we hold references.

Any ideas how to pinpoint these specifically?

rod_widdowson · November 14, 2025, 1:15pm

You know this space better than I, so am reluctant to point out, what you already know, that ‘File’ is a often file object and so !obtrace, might help. As might (maybe, perhaps) !verifier 80.

If the leaked ‘File’ pool is for file objects the →FileName (and indeed pool tagging of FsContext) might help

Dejan_Maksimovic · November 14, 2025, 1:22pm

There are millions of leaks of "File" memory. So !verifier 80 shows nothing of value (too many things are tracked and only 10k logs)

ObTrace might work... thanks.

Lemme know if anyone has other ideas.

Kind regards, Dejan Maksimovic.
FS Lead: http://www.alfasp.com

Alnoor_Allidina · November 15, 2025, 2:38pm

Interesting. I just noticed 5 million open File handles open in the System process of my Windows 11 machine yesterday. Does that match what you see?

I took a look in Process Explorer and the handles were, anecdotally, largely DLLs coming from the winsxs folder.

I assumed it was whatever EDR was on my system but an actual Windows bug would be much more interesting.

Dejan_Maksimovic · November 15, 2025, 2:43pm

No, without my driver, there are only about 100k File allocations. So 50x increase.

Alnoor_Allidina · November 28, 2025, 1:22am

My handle leak did turn out to be an OS component - wcifs. I couldn't quite RCA it but I can work around it at least.

Dejan_Maksimovic · November 28, 2025, 12:53pm

Cool blog!

We managed to track the leak with !obtrace by sheer luck.

I hate how overcomplicated things are that even LLM can’t really dig a lot themselves.

In XP era, I could still figure the entire trace and work of all file i/o in real time. At Win7 I could analyze it fully myself post-mortem. But now….. looks more cryptic than if my machine were unknowingly mining crypto

On a related topic: why does CPU usage always go down when we start Task Manager?

Alnoor_Allidina · November 28, 2025, 3:53pm

The good ol’ days. I actually had to support a product on XP 2-3 years back. That cured me of some of my nostalgia.

Glad you were able to find the leak.

Dejan_Maksimovic · November 28, 2025, 3:58pm

My hobby project still supports XP

Scott_Noone_OSR · December 1, 2025, 4:49pm

I’ve done a few XP projects over the last few years. One thing that I marvel at is just how “quiet” the system is. Like, you can put a breakpoint on NtfsFsdCreate and actually step through things. Now? Forget it. Spare CPU cycles are just an opportunity to generate more telemetry and/or botshit it seems.

(Insert “old man yells at cloud” meme here )

system · March 1, 2026, 4:50pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.