Sysinternals Forum > Windows Discussions > Troubleshooting

Registry keys not being closed

fatmosh (Newbie, joined 16 March 2009), posted 16 March 2009 at 4:40pm:
We're having issues on a number of our servers where the system is continually getting event ID 2020 and 333 errors. After heavily researching the issue, I've found out the following:

Our PagedPool is filling up gradually over a number of days.  Running poolmon shows that the "Key" tag grows increasingly large, occupying a large majority of the Paged Pool. Unfortunately, this doesn't point to a third party app, but Windows itself.

Looking closer, I see that the System process in Task Manager occupies an increasingly large number of handles. After reboot, it will be a few thousand, then it grows and grows. Near the time where the server is about to hang, the System process may have 1.5 to 3 MILLION handles.

Running "handle -s" I see that almost all of the open handles are of type "Key". So there are apparently lots of registry keys that are being left open.

Running a full dump using handle (handle -a) shows that there are a number of registry keys open, with the worst offender being "HKLM\SOFTWARE\Microsoft\Cryptography\RNG".
(I'm not sure the problem is limited to this key, but it's a good example.)

So I run regmon. If I filter on "RNG", I see only the key specified above. I notice that the usual pattern is:
OpenKey
QueryKey
SetKey

A number of different applications access the key in the same manner.

If I log on to a machine that is not having the issue, I see a different pattern:

OpenKey (by application.exe)
QueryKey (by application.exe)
CloseKey (by System)
SetKey (by application.exe)

So it appears as if the affected servers are not doing their job of closing the key after it has been used.

Does anyone have any ideas on how I could fix this? How do I tell Windows to clean up after itself and why are some servers doing it while others are not?

Any help at all would be greatly appreciated. Thanks!
fatmosh (Newbie, joined 16 March 2009), posted 16 March 2009 at 4:45pm:
P.S. I have already implemented the registry changes that Microsoft recommends, namely the PoolUsageMaximum, PagedPoolSize, and RegistryLazyFlushInterval. These seem to make the problem occur less often, but really just act as band-aids.
molotov (Moderator Group, joined 04 October 2006), posted 16 March 2009 at 4:48pm:
Hi fatmosh,

I'd suggest using Process Monitor on the system that is experiencing the problem.  Configure symbols and monitor the system for a while.  When you notice the key handles increasing, and the lack of CloseKeys paired with OpenKeys, check the stack of the OpenKey event(s).

> Does anyone have any ideas on how I could fix this? How do I tell Windows to clean up after itself
It very well may not be Windows at all, but rather some application that is installed.  The fix would need to come from the maker of the application.


Edited by molotov - 16 March 2009 at 4:50pm
Daily affirmation:
net helpmsg 4006
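The check molotov asks for above (OpenKey events with no paired CloseKey, on the key the original post names) can be automated over a Process Monitor CSV export. The script below is an added example, not code from this thread or from Sysinternals. It assumes the column layout Procmon writes when saving as CSV (Time of Day, Process Name, PID, Operation, Path, Result, Detail) and the Procmon operation names RegOpenKey, RegCreateKey and RegCloseKey; the sample rows are constructed to mimic the pattern described in the thread (one process's handle closed by System, another's never closed), not captured from a real server.

```python
"""Find registry keys whose RegOpenKey events outnumber their RegCloseKey events.

Added example; assumes a Process Monitor CSV export with the columns
Time of Day, Process Name, PID, Operation, Path, Result, Detail.
Procmon's CSV does not carry handle values, so opens and closes are paired
by key path across all processes (the thread notes that the close may be
logged under System rather than the opening process). This is a heuristic
for spotting leaking keys, not an exact handle-by-handle accounting.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export (not real server data): appa.exe opens the RNG key
# twice and never closes it; appb.exe opens it once and System closes that one;
# appc.exe opens and closes a different key; one failed open is ignored.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"4:40:01.0000001 PM","appa.exe","1200","RegOpenKey","HKLM\SOFTWARE\Microsoft\Cryptography\RNG","SUCCESS","Desired Access: Read/Write"
"4:40:01.0000002 PM","appa.exe","1200","RegQueryKey","HKLM\SOFTWARE\Microsoft\Cryptography\RNG","SUCCESS","Query: Name"
"4:40:01.0000003 PM","appa.exe","1200","RegSetValue","HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed","SUCCESS","Type: REG_BINARY, Length: 80"
"4:40:02.0000001 PM","appb.exe","1310","RegOpenKey","HKLM\SOFTWARE\Microsoft\Cryptography\RNG","SUCCESS","Desired Access: Read/Write"
"4:40:02.0000002 PM","appb.exe","1310","RegQueryKey","HKLM\SOFTWARE\Microsoft\Cryptography\RNG","SUCCESS","Query: Name"
"4:40:02.0000003 PM","System","4","RegCloseKey","HKLM\SOFTWARE\Microsoft\Cryptography\RNG","SUCCESS",""
"4:40:02.0000004 PM","appb.exe","1310","RegSetValue","HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed","SUCCESS","Type: REG_BINARY, Length: 80"
"4:40:03.0000001 PM","appa.exe","1200","RegOpenKey","HKLM\SOFTWARE\Microsoft\Cryptography\RNG","SUCCESS","Desired Access: Read/Write"
"4:40:03.0000002 PM","appa.exe","1200","RegQueryKey","HKLM\SOFTWARE\Microsoft\Cryptography\RNG","SUCCESS","Query: Name"
"4:40:03.0000003 PM","appa.exe","1200","RegOpenKey","HKLM\SOFTWARE\Example\NotThere","NAME NOT FOUND","Desired Access: Read"
"4:40:04.0000001 PM","appc.exe","1400","RegOpenKey","HKLM\SOFTWARE\Example\Settings","SUCCESS","Desired Access: Read"
"4:40:04.0000002 PM","appc.exe","1400","RegCloseKey","HKLM\SOFTWARE\Example\Settings","SUCCESS",""
'''

OPEN_OPS = {"RegOpenKey", "RegCreateKey"}   # operations that yield a new key handle
CLOSE_OPS = {"RegCloseKey"}                 # operations that release one


def analyze(csv_text):
    """Return keys with more successful opens than closes, worst first.

    Each entry records the key path, open/close counts, the outstanding
    difference, and which process:PID pairs opened and closed it.
    """
    opens, closes = Counter(), Counter()
    openers, closers = defaultdict(set), defaultdict(set)
    display = {}  # first-seen spelling of each (case-insensitive) key path

    for row in csv.DictReader(io.StringIO(csv_text)):
        op = row["Operation"]
        key = row["Path"].upper()  # registry paths are case-insensitive
        display.setdefault(key, row["Path"])
        proc = f'{row["Process Name"]}:{row["PID"]}'
        if op in OPEN_OPS:
            if row["Result"] != "SUCCESS":
                continue  # a failed open returns no handle, so nothing to close
            opens[key] += 1
            openers[key].add(proc)
        elif op in CLOSE_OPS:
            closes[key] += 1
            closers[key].add(proc)

    report = []
    for key, n_open in opens.items():
        outstanding = n_open - closes[key]
        if outstanding > 0:
            report.append({
                "path": display[key],
                "opened": n_open,
                "closed": closes[key],
                "outstanding": outstanding,
                "openers": sorted(openers[key]),
                "closers": sorted(closers[key]),
            })
    report.sort(key=lambda r: -r["outstanding"])
    return report


if __name__ == "__main__":
    # Run against the constructed sample; pass a real export's text instead
    # (e.g. open(path, encoding="utf-8-sig").read()) to analyse a capture.
    for entry in analyze(SAMPLE_CSV):
        print(f'{entry["outstanding"]:>5} outstanding  {entry["path"]}')
        print(f'      opened {entry["opened"]}x by {", ".join(entry["openers"])}')
        print(f'      closed {entry["closed"]}x by {", ".join(entry["closers"]) or "nobody"}')
```

On the constructed sample the only key reported is the RNG key, opened three times and closed once, with the single close attributed to System rather than to either opening process; a key that is opened and closed the same number of times does not appear. Once the capture identifies a leaking key, the stack of its RegOpenKey events in Procmon (with module names, even without symbols) is what points at the component responsible, as the reply above suggests.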
fatmosh (Newbie, joined 16 March 2009), posted 16 March 2009 at 5:00pm:
Unfortunately, I've been unable to get the symbols configured correctly as I don't have Internet access and they all seem to point to Microsoft's server. If you could point me to how to set that up, it might help.

Regarding the application itself, I see in regmon that multiple apps access this Crypto key and none of them close it. So that seems to indicate that it's not the app itself. (In fact, when it is closed on the system that is working correctly, the System process itself is always the one that closes it, not the app.)
molotov (Moderator Group, joined 04 October 2006), posted 16 March 2009 at 5:07pm:
> I see in regmon that multiple apps access this Crypto key and none of them close it. So that seems to indicate that it's not the app itself.
The reason I'm curious about the stack is that there may be some software that causes its code to be loaded into the address space of each process.

Even without symbols, can you post the stack of an OpenKey event for which there is no corresponding CloseKey?  Ideally, you could point the symbol path to use the public Microsoft symbol server, but just the module names may be enough to get a bit more information...
fatmosh (Newbie, joined 16 March 2009), posted 16 March 2009 at 5:51pm:
Sure.

Looking into the stack of a RegOpenKey from within ProcessMon shows the following 4 things in the stack:

ntkrnlpa.exe (14 times)
ksecdd.sys (4 times)
sisipsdriver.sys (1 time)
sisidsregdrv.sys (1 time)

The first two are core Windows things and the second two are for a piece of security software installed on the system.
molotov (Moderator Group, joined 04 October 2006), posted 16 March 2009 at 6:05pm:
Is that the complete stack?  The "sis" drivers appear suspect; are they able to be stopped? How easy is it to get them out of the picture?
fatmosh (Newbie, joined 16 March 2009), posted 16 March 2009 at 6:11pm:
Yes, that's everything in the stack. I have disabled the sis drivers and am rebooting. I'll let you know if the problem persists.

Know, however, that those drivers are also present in the machine that doesn't have the problem :-/
molotov (Moderator Group, joined 04 October 2006), posted 16 March 2009 at 6:13pm:
> Know, however, that those drivers are also present in the machine that doesn't have the problem :-/
The same version(s)?
fatmosh (Newbie, joined 16 March 2009), posted 16 March 2009 at 6:18pm:
Yep, same exact.