Registry keys not being closed
fatmosh
Newbie
Joined: 16 March 2009 Status: Offline Points: 9
Posted: 16 March 2009 at 4:40pm
We're having issues on a number of our servers where the system is continually getting event ID 2020 and 333 errors. After heavily researching the issue, I've found out the following:

Our PagedPool is filling up gradually over a number of days. Running poolmon shows that the "Key" tag grows increasingly large, occupying a large majority of the Paged Pool. Unfortunately, this doesn't point to a third-party app, but Windows itself.

Looking closer, I see that the System process in Task Manager occupies an increasingly large number of handles. After reboot, it will be a few thousand, then it grows and grows. Near the time where the server is about to hang, the System process may have 1.5 to 3 MILLION handles. Running "handle -s" I see that almost all of the open handles are of type "Key". So there are apparently lots of registry keys that are being left open. Running a full dump using handle (handle -a) shows that there are a number of registry keys open, with the worst offender being "HKLM\SOFTWARE\Microsoft\Cryptography\RNG". (I'm not sure the problem is limited to this key, but it's a good example.)

So I run regmon. If I filter on "RNG", I see only the key specified above. I notice that the usual pattern is:

OpenKey
QueryKey
SetKey

A number of different applications access the key in the same manner. If I log on to a machine that is not having the issue, I see a different pattern:

OpenKey (by application.exe)
QueryKey (by application.exe)
CloseKey (by System)
SetKey (by application.exe)

So it appears as if the affected servers are not doing their job in closing the key after it is being used. Does anyone have any ideas on how I could fix this? How do I tell Windows to clean up after itself, and why are some servers doing it while others are not? Any help at all would be greatly appreciated. Thanks!
fatmosh
Posted: 16 March 2009 at 4:45pm
P.S. I have already implemented the registry changes that Microsoft recommends, namely the PoolUsageMaximum, PagedPoolSize, and RegistryLazyFlushInterval. These seem to make the problem occur less often, but really just act as bandaids.
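The handle-count check described in the opening post, as an added example that is not the poster's own code: it parses two `handle -a` dumps, counts open Key handles per registry path, and lists the paths whose count rose between the two snapshots, so the growing key(s) stand out without reading millions of lines by hand. The two sample dumps are constructed to imitate handle's output layout and are not output from the affected servers; `capture_live()` assumes a Sysinternals handle.exe on PATH and is not called in the offline run.

```python
import re
import subprocess
from collections import Counter

# One process section header in `handle -a` output, e.g. "System pid: 4 NT AUTHORITY\SYSTEM".
PROCESS_HEADER = re.compile(r"^(?P<name>\S.*?)\s+pid:\s*(?P<pid>\d+)")
# One handle line, e.g. "  1C8: Key           HKLM\SOFTWARE\Microsoft\Cryptography\RNG".
# File/Section lines carry an access field such as "(RW-)" between type and name; Key lines do not.
HANDLE_LINE = re.compile(
    r"^\s*(?P<id>[0-9A-Fa-f]+):\s+(?P<type>\S+)(?:\s+\([^)]*\))?\s*(?P<name>.*?)\s*$")

RNG_KEY = r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG"


def parse_handle_dump(text):
    """Parse `handle -a` output into (pid, process, handle_type, name) tuples."""
    records = []
    pid = proc = None
    for line in text.splitlines():
        header = PROCESS_HEADER.match(line)
        if header:
            pid, proc = int(header.group("pid")), header.group("name")
            continue
        if pid is None or not line.strip() or line.startswith("-"):
            continue  # banner, separator rule or blank line
        handle = HANDLE_LINE.match(line)
        if handle:
            records.append((pid, proc, handle.group("type"), handle.group("name")))
    return records


def key_paths(records, pid=None):
    """Counter of registry paths held open as Key handles, optionally restricted to one pid."""
    return Counter(name for p, _, kind, name in records
                   if kind == "Key" and (pid is None or p == pid))


def growth(before, after, pid=4):
    """Paths whose open Key-handle count rose between two dumps, largest rise first.
    pid 4 is the System process, where the opening post saw the handles accumulate."""
    b, a = key_paths(before, pid), key_paths(after, pid)
    rise = {path: a[path] - b.get(path, 0) for path in a if a[path] > b.get(path, 0)}
    return sorted(rise.items(), key=lambda item: (-item[1], item[0]))


def capture_live(pid=4):
    """Dump one process on a live box. Assumes handle.exe (Sysinternals) is on PATH; not used offline."""
    out = subprocess.run(["handle.exe", "-accepteula", "-a", "-p", str(pid)],
                         capture_output=True, text=True, check=True)
    return parse_handle_dump(out.stdout)


# Constructed sample dumps in `handle -a` layout (not output from the poster's servers).
DUMP_T0 = r"""
------------------------------------------------------------------------------
System pid: 4 NT AUTHORITY\SYSTEM
    4: Process       System(4)
    8: Key           HKLM\SYSTEM\ControlSet001\Control\Session Manager
   1C: File  (RW-)   C:\pagefile.sys
  1C8: Key           HKLM\SOFTWARE\Microsoft\Cryptography\RNG
  1CC: Key           HKLM\SOFTWARE\Microsoft\Cryptography\RNG
------------------------------------------------------------------------------
application.exe pid: 1234 DOMAIN\svcaccount
   48: Key           HKLM\SOFTWARE\Microsoft\Cryptography\RNG
"""

DUMP_T1 = r"""
------------------------------------------------------------------------------
System pid: 4 NT AUTHORITY\SYSTEM
    4: Process       System(4)
    8: Key           HKLM\SYSTEM\ControlSet001\Control\Session Manager
   1C: File  (RW-)   C:\pagefile.sys
  1C8: Key           HKLM\SOFTWARE\Microsoft\Cryptography\RNG
  1CC: Key           HKLM\SOFTWARE\Microsoft\Cryptography\RNG
  1D0: Key           HKLM\SOFTWARE\Microsoft\Cryptography\RNG
  1D4: Key           HKLM\SOFTWARE\Microsoft\Cryptography\RNG
  1D8: Key           HKLM\SOFTWARE\Microsoft\Cryptography\RNG
  1DC: Key           HKLM\SOFTWARE\Microsoft\Cryptography\RNG
  1E0: Key           HKLM\SYSTEM\CurrentControlSet\Services\Tcpip
------------------------------------------------------------------------------
application.exe pid: 1234 DOMAIN\svcaccount
   48: Key           HKLM\SOFTWARE\Microsoft\Cryptography\RNG
"""

if __name__ == "__main__":
    t0, t1 = parse_handle_dump(DUMP_T0), parse_handle_dump(DUMP_T1)
    for path, delta in growth(t0, t1):
        print(f"+{delta:<5} {path}")
```

On a live server, save `handle -a -p 4` to a file a few hours apart and feed both files to `growth()`; a path whose count climbs by thousands between snapshots is the one to chase in Process Monitor.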
molotov
Moderator Group
Joined: 04 October 2006 Status: Offline Points: 17506
Posted: 16 March 2009 at 4:48pm
Hi fatmosh,
I'd suggest using Process Monitor on the system that is experiencing the problem. Configure symbols and monitor the system for a while. When you notice the key handles increasing, and the lack of CloseKeys paired with OpenKeys, check the stack of the OpenKey event(s).
Edited by molotov - 16 March 2009 at 4:50pm
Daily affirmation:
net helpmsg 4006
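The pairing molotov suggests checking (RegOpenKey events with no corresponding RegCloseKey), as an added example that is neither poster's code: it reads a Process Monitor CSV export (File > Save, CSV) and tallies opens against closes per key path, reporting who opened and who closed. Matching is by path rather than by process because the opening post saw the close issued by System, not by the application. The rows below are constructed to mimic the OpenKey / QueryValue / SetValue pattern described in the opening post; they are not a capture from the affected servers.

```python
import csv
import io
from collections import defaultdict

OPEN_OPS = {"RegOpenKey", "RegCreateKey"}   # both return a key handle the caller must close
CLOSE_OPS = {"RegCloseKey"}
RNG_KEY = r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG"


def unmatched_opens(csv_text, successful_only=True):
    """Tally key opens against closes per registry path in a Process Monitor CSV export.

    Returns {path: {"opens", "closes", "openers", "closers"}} for every path opened more
    often than it was closed. Failed opens (e.g. NAME NOT FOUND) return no handle and are
    skipped by default, so they cannot be mistaken for leaks.
    """
    tally = defaultdict(lambda: {"opens": 0, "closes": 0, "openers": set(), "closers": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if successful_only and row["Result"] != "SUCCESS":
            continue
        op, path = row["Operation"], row["Path"]
        who = f'{row["Process Name"]}({row["PID"]})'
        if op in OPEN_OPS:
            tally[path]["opens"] += 1
            tally[path]["openers"].add(who)
        elif op in CLOSE_OPS:
            tally[path]["closes"] += 1
            tally[path]["closers"].add(who)
    return {path: t for path, t in tally.items() if t["opens"] > t["closes"]}


def report(csv_text):
    """One line per leaking path, worst deficit first."""
    leaks = unmatched_opens(csv_text)
    lines = []
    for path, t in sorted(leaks.items(), key=lambda kv: kv[1]["closes"] - kv[1]["opens"]):
        lines.append(f'{path}: {t["opens"]} opened / {t["closes"]} closed; '
                     f'opened by {", ".join(sorted(t["openers"]))}; '
                     f'closed by {", ".join(sorted(t["closers"])) or "nobody"}')
    return lines


# Constructed sample export using Process Monitor's default CSV columns (not a real capture).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"4:40:01.0000001 PM","application.exe","1234","RegOpenKey","HKLM\SOFTWARE\Microsoft\Cryptography\RNG","SUCCESS","Desired Access: Read/Write"
"4:40:01.0000002 PM","application.exe","1234","RegQueryValue","HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed","SUCCESS","Type: REG_BINARY, Length: 80"
"4:40:01.0000003 PM","application.exe","1234","RegSetValue","HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed","SUCCESS","Type: REG_BINARY, Length: 80"
"4:40:02.0000001 PM","application.exe","1234","RegOpenKey","HKLM\SOFTWARE\Microsoft\Cryptography\RNG","SUCCESS","Desired Access: Read/Write"
"4:40:02.0000002 PM","System","4","RegCloseKey","HKLM\SOFTWARE\Microsoft\Cryptography\RNG","SUCCESS",""
"4:40:03.0000001 PM","svc.exe","2222","RegOpenKey","HKLM\SOFTWARE\Microsoft\Cryptography\RNG","SUCCESS","Desired Access: Read/Write"
"4:40:03.0000002 PM","svc.exe","2222","RegOpenKey","HKLM\SOFTWARE\Microsoft\Cryptography\Defaults","NAME NOT FOUND","Desired Access: Read"
"4:40:04.0000001 PM","application.exe","1234","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion","SUCCESS","Desired Access: Read"
"4:40:04.0000002 PM","application.exe","1234","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion","SUCCESS",""
'''

if __name__ == "__main__":
    for line in report(SAMPLE_CSV):
        print(line)
```

The CSV export carries no call stacks, so once a path is flagged, go back to Procmon, select one of that path's RegOpenKey events and read its Stack tab; as molotov notes, the module names alone (without symbols) are often enough to see which driver or DLL is on the path to the open.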
fatmosh
Posted: 16 March 2009 at 5:00pm
Unfortunately, I've been unable to get the symbols configured correctly as I don't have Internet access and they all seem to point to Microsoft's server. If you could point me on how to set up that, it might help.
Regarding the application itself, I see in regmon that multiple apps access this Crypto key and none of them close it. So that seems to indicate that it's not the app itself. (In fact, when it is closed on the system that is working correctly, the System process itself is always the one that closes it, not the app.)
molotov
Posted: 16 March 2009 at 5:07pm
Even without symbols, can you post the stack of an OpenKey event for which there is no corresponding CloseKey? Ideally, you could point the symbol path to use the public Microsoft symbol server, but just the module names may be enough to get a bit more information...
fatmosh
Posted: 16 March 2009 at 5:51pm
Sure.
Looking into the stack of a RegOpenKey from within ProcessMon shows the following 4 things in the stack:

ntkrnlpa.exe (14 times)
ksecdd.sys (4 times)
sisipsdriver.sys (1 time)
sisidsregdrv.sys (1 time)

The first two are core Windows things and the second two are for a piece of security software installed on the system.
molotov
Posted: 16 March 2009 at 6:05pm
Is that the complete stack? The "sis" drivers appear suspect; are they able to be stopped? How easy is it to get them out of the picture?
fatmosh
Posted: 16 March 2009 at 6:11pm
Yes, that's everything in the stack. I have disabled the sis drivers and am rebooting. I'll let you know if the problem persists.
Know, however, that those drivers are also present in the machine that doesn't have the problem :-/
molotov
Posted: 16 March 2009 at 6:13pm
fatmosh
Posted: 16 March 2009 at 6:18pm
Yep, same exact.