You may have read my last 2 blog posts about the TrustedInstaller.exe leak that seems to be present in Windows 7 (Does Microsoft’s TrustedInstaller.exe have a leak? and Reproducing the TrustedInstaller.exe leak). It was not yet clear to me whether this leak that I observed was a bug or if it is by design, so I decided that the next time I had to build a Windows VM and install updates, I would capture some more log information about the update. I thought about using Process Monitor to capture everything, and this would certainly have captured reams of very interesting data, but this would have slowed the update install process down unacceptably on the day.
So instead, I ran the Handle program, also a part of the SysInternals suite, once a minute, and dumped its output to a text file. The update process ran as normal, and the handles logging generated a 50mb text file, which was fairly simple to import into a database. Now I had some data I could play with!
I picked a filename at random to look at in the logs. I closed my eyes and pointed, and the lucky filename chosen was winlogon! A simple search in the database came up with 4 different objects matching winlogon in the handle list:
C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_cbe534e7ee8042ad C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_cbe534e7ee8042ad\winlogon.exe C:\Windows\winsxs\Temp\PendingRenames\0859c097e7b9cc0153330000d0088004.amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_cbe534e7ee8042ad_winlogon.exe_ac37d0c5 C:\Windows\winsxs\Temp\PendingRenames\aef6bd97e7b9cc0152330000d0088004.amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_cbe534e7ee8042ad.manifest
The first entry in this list was a directory, in the Windows component store (aka Side-by-Side Store). The second was a reference to winlogon.exe within this same folder. The third and fourth entries gave a bit of a clue as to what may be going on, with the PendingRenames temporary folder hinting at a possible reason why the files were being kept open.
OK, so that was a very rough analysis. But things got a bit more complicated when I started looking a bit deeper. I picked the second entry, our winlogon.exe in the Windows component store, and had a look at the handles which were opened to that. Here’s what I found. Remember that this is based on minute-by-minute snapshots, so this is incomplete, but still paints a curious picture:
- 41 different handles were logged for this one file.
- 14 of these handles were still open at the end of the session, when TrustedInstaller.exe had no further CPU or disk activity. (TrustedInstaller.exe remains in memory until the restart, it seems)
Why does TrustedInstaller.exe need to maintain 14 open handles to a single file until Windows is restarted? And why does it need to open at least 41 different handles over time to the same file? This seems horribly inefficient, as the same pattern is manifest for the 2000 or more other objects that were opened by the TrustedInstaller.exe process.
I could understand a requirement to maintain a single open handle for concurrency and replacement (PendingRenames) operations. I’m sure there’s a reason… There may be another update to this story yet!