Process Handle

Hello,

This is actually a repost because I couldn’t find any solution to this problem and the previous answers didn’t help (thanks anyway for them).

I developed a driver. It is a filter kind. I use an application to read data from it. Once a second I make a reading.

Ok. Now, my problem is this: When I use Process Explorer I see that every second the number of “System(4)” handles is increasing by 5. So, every second I get 5 new handles of this type. The important thing is that “System (4)” is not the owner of the handle. The following is a part of my process reading:

Type Name Handle Access

Process System(4) 0x110 0x00000410
Process System(4) 0x114 0x00000410
Process System(4) 0x130 0x00000410
Process System(4) 0x13C 0x00000410
Process System(4) 0x144 0x00000410

Process System(4) 0x148 0x00000410
Process System(4) 0x14C 0x00000410
Process System(4) 0x150 0x00000410
Process System(4) 0x154 0x00000410
Process System(4) 0x15C 0x00000410

Process System(4) 0x160 0x00000410
Process System(4) 0x164 0x00000410
Process System(4) 0x168 0x00000410
Process System(4) 0x16C 0x00000410
Process System(4) 0x170 0x00000410

Process System(4) 0x178 0x00000410
Process System(4) 0x17C 0x00000410
Process System(4) 0x180 0x00000410
Process System(4) 0x184 0x00000410
Process System(4) 0x18C 0x00000410

Process System(4) 0x190 0x00000410
Process System(4) 0x194 0x00000410
Process System(4) 0x198 0x00000410
Process System(4) 0x19C 0x00000410
Process System(4) 0x1A0 0x00000410

The type of handle, as you can see, is “Process”. I just want to say that I never create new processes. I only start 9 threads when the app is starting. Two of these threads connect every second to read some information.

I think an important thing to mention is that my driver is using a couple of simple linked lists. I am using KeAcquireSpinLock() and KeReleaseSpinLock() to lock the section while I’m working with the list. The memory for these lists is allocated in the non-paged pool.

And the question is… : What in the world is the THING that opens those handles… and they never get closed? How can I find what handles are those? Name… anything.

Thank you,
Andrei CIUBOTARU
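
An added example, not part of the original posts: it decodes the access mask 0x00000410 shown in the listing into named process access rights and counts matching rows to measure growth between two readings. The function names and the split of the posted rows into two snapshots are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Process access rights, values as defined in winnt.h. */
static const struct { unsigned long bit; const char *name; } RIGHTS[] = {
    {0x0001, "PROCESS_TERMINATE"},       {0x0002, "PROCESS_CREATE_THREAD"},
    {0x0008, "PROCESS_VM_OPERATION"},    {0x0010, "PROCESS_VM_READ"},
    {0x0020, "PROCESS_VM_WRITE"},        {0x0040, "PROCESS_DUP_HANDLE"},
    {0x0080, "PROCESS_CREATE_PROCESS"},  {0x0100, "PROCESS_SET_QUOTA"},
    {0x0200, "PROCESS_SET_INFORMATION"}, {0x0400, "PROCESS_QUERY_INFORMATION"},
    {0x0800, "PROCESS_SUSPEND_RESUME"},  {0x00100000, "SYNCHRONIZE"},
};
/* Rows copied from the post; splitting them into two snapshots is an assumption. */
#define T0 "Type Name Handle Access\n\nProcess System(4) 0x110 0x00000410\n" \
    "Process System(4) 0x114 0x00000410\nProcess System(4) 0x130 0x00000410\n" \
    "Process System(4) 0x13C 0x00000410\nProcess System(4) 0x144 0x00000410\n"
#define T1 T0 "\nProcess System(4) 0x148 0x00000410\n" \
    "Process System(4) 0x14C 0x00000410\nProcess System(4) 0x150 0x00000410\n" \
    "Process System(4) 0x154 0x00000410\nProcess System(4) 0x15C 0x00000410\n"
/* Write the names of the rights set in mask to out; return the unnamed bits. */
unsigned long decode_process_access(unsigned long mask, char *out, size_t n) {
    out[0] = '\0';
    for (size_t i = 0; i < sizeof RIGHTS / sizeof RIGHTS[0]; i++) {
        if (!(mask & RIGHTS[i].bit)) continue;
        if (out[0]) strncat(out, " | ", n - strlen(out) - 1);
        strncat(out, RIGHTS[i].name, n - strlen(out) - 1);
        mask &= ~RIGHTS[i].bit;
    }
    return mask;
}
/* Count rows matching type and access; header, blank and malformed lines are skipped. */
int count_handles(const char *p, const char *type, unsigned long access) {
    int count = 0;
    for (size_t len; *p; p += len + (p[len] != '\0')) {
        char line[128], t[32], name[64];
        unsigned long h, a;
        if ((len = strcspn(p, "\n")) >= sizeof line) continue;
        snprintf(line, sizeof line, "%.*s", (int)len, p); /* isolate one row */
        if (sscanf(line, "%31s %63s %lx %lx", t, name, &h, &a) == 4 &&
            strcmp(t, type) == 0 && a == access) count++;
    }
    return count;
}
int main(void) {
    char r[256];
    unsigned long rest = decode_process_access(0x00000410UL, r, sizeof r);
    int grew = count_handles(T1, "Process", 0x410) - count_handles(T0, "Process", 0x410);
    printf("0x410 = %s (unnamed bits 0x%lx), growth +%d\n", r, rest, grew);
    return 0;
}
```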

Why don’t you just set a breakpoint on interesting points / APIs, and see
what actually is creating those handles and why?
The data you pasted is kinda irrelevant. You don’t even say what you are
trying to do and how. In those conditions it is kinda hard
for us to make any assumptions. You were given some useful pointers in the
previous post. Did you analyze the ideas thoroughly?

Dan

----- Original Message -----
From: “Ciubotaru Ovidiu Andrei”
To: “Windows System Software Devs Interest List”
Sent: Friday, January 21, 2005 6:40 PM
Subject: [ntdev] Process Handle
