Handles - microsoft/MSO-Scripts GitHub Wiki

Tools such as Task Manager and Process Explorer can show the number of system handles/objects in use by each process. But what types of object handles are they? What code created them? Might some of them be leaked!?

There are three classes of objects within core Windows:

• Kernel Objects: Process, Thread, Module, Key (Registry), File, File Mapping, Event, Timer, ...
• GDI Objects: Font, Region, Palette, Pen, Brush, Bitmap, Device Context, ...
• User Objects: Window, Menu, Icon, Cursor, ...

A handle is a reference to one of these objects.

• Either download and unzip a recent Release, or clone the Repository: <> Code ↓
  
• MSO-Scripts\TraceHandles Start
  Exercise the code.
• MSO-Scripts\TraceHandles Stop
• MSO-Scripts\TraceHandles View

List all options:

• MSO-Scripts\TraceHandles -?

The Kernel Handles Chart/Table answers the question: What kernel objects were opened, and which may be leaked?

Legend
Lifetime: AIFI = "Allocated In, Freed Inside the trace",
               AIFO = "Allocated In, Freed Outside the trace" (any leaks would be included here), etc.
Handle Type: Process, Thread, File, (Registry) Key, Event, (Memory Mapped) Section, Timer, Semaphore, etc.
Object Name: File Path (type = File), Registry Path (type = Key), Object Name, etc.
Create Stack: The execution stack which created the Kernel Handle/Object.
Count _Sum : The sum total number of Kernel Handle creations.
Count _{Peak Outstanding} : The greatest number of Kernel Handles open at any one time (with the time stamp).

The GDI & User Handles Chart/Table answers the question: Why are there so many GDI and User objects/handles created? And which may be leaked!?

Legend
Lifetime: AIFI = "Allocated In, Freed Inside the trace",
               AIFO = "Allocated In, Freed Outside the trace" (any leaks would be included here), etc.
Handle Class: GDI or USER
Handle Type: GDI: Font, Region, Palette, Pen, Brush, Bitmap, Device Context, ...; USER: Window, Menu, Icon, Cursor, ...
Handle: Numerical value of the handle when created.
Count: Sum total number of handles created.
Duration: Time from creation to deletion.
Create Stack: Execution stack which created the handle.

1. Launch Task Manager: Press Ctrl-Shift-Esc
2. If needed: click More Details (bottom left).
3. Select the Details tab.
4. Right-click a column header and choose Select Columns.
5. Enable: Handles, User objects, GDI objects / OK

Task Manager: Right-Click a Column Header, Enable 3 Handles Columns

Task Manager: columns showing three types of Windows handles/objects

Legend
Handles: Kernel Object Handles - Process, Thread, Module, File, File Mapping, Event, Timer, ...
User Objects: User Object Handles - Window, Menu, Icon, Cursor, ...
GDI Objects: GDI Object Handles - Font, Region, Palette, Pen, Brush, Bitmap, Device Context, ...

• Download and launch Process Explorer (a Microsoft / SysInternals tool).
• Ensure Administrator mode: File > Show Details for All Processes (if available, else it's already Administrator.)
• View > Show Unnamed Handles and Mappings = ON
• View > Show Processes From All Users = ON (optional)
• View > Select Columns > Process Performance tab > Handle Count = ON (Kernel Object Handle Count)
• View > Select Columns > Process Memory tab > GDI Objects = ON, USER Objects = ON
• View > Select Columns > Handle tab > Enable All Column Options > OK
• Select the process of interest.
• Press Ctrl+H (Handles Pane: Kernel Objects)
• Dbl-click a handle of interest for additional info.

Process Explorer Kernel Handles

• Pushing the Limits of Windows: Handles
• Pushing the Limits of Windows: User Objects
• Pushing the Limits of Windows: GDI Objects