When building a virtual machine today, I was curious as to why the Windows Update install process was taking such a long time. The initial run had over 100 different updates so I expected it to take a while, but it was even slower than expected. So I fired up Process Explorer and discovered that TrustedInstaller.exe had allocated over 1GB of RAM to do its updates. As I watched, this number kept ticking up until all the updates were installed, with a maximum memory usage of roughly 2GB. The handle count tended to increase over time as well, hitting a maximum of 50500 handles as I watched.
This VM was setup with 2GB RAM so this was causing lots of swap activity, which I guess is what was slowing down the update process so much.
I grabbed a screenshot at Update 94 when I decided that something was not right with this:
And another shot with the final update, Update 103. 50,484 handles is a whole lotta handles.
As each update finished, both the handle count and the memory usage would drop, but never back to the level before the update.
This really does suggest that TrustedInstaller.exe is leaking memory. So is this intentional? Whether by design, or by accident, it’s horrible. Microsoft?
Update: Mark asked me why one would leak by design. I suggested that one possibility might be that TrustedInstaller locks files or objects to prevent other processes from making changes to them before Windows is restarted, as the update process does not complete until Windows restarts.
This comment has been removed by the author.
The story continues:
Reproducing the TrustedInstaller.exe leak
But it’s not over yet:
Further analysis on the TrustedInstaller.exe memory leaks