my .Net application is leaking handles into lsass.exe

Question

Hi all,

i'm trying to find the root cause of this weird behavior

I wrote an application 3 years ago in .net 4.5 (and updated to 4.5.2) that was running fine on win 7 32bit on Mini-PC barebone

in last 3 months I've revamped hw with 64bit win 10 and I just installed same executable which is compiled .Net and JIT 

every week (or after  4 5 days) the mini-pc is unresponsive and I found that lsass.exe is starving, moreover after activating "Russinovich mode" I discovered that lsass.exe was accumulating > 50k handles, while may application is constantly under 1000 handles.

but If I kill my application lsass.exe handles count return under 3k

I ask if everybody knows correlation among security token / login validation that could generate invalid / orphan handles on lsass.exe ?
Is there any tool in vstudio for tracking .net call vs lsass.exe ?

thanks in advance
Diego

---

Diego scaravaggi (Freelancer)

Answer 1

from procmon logging I have a lot of:

18:12:05,8773963 lsass.exe 836 RegOpenKey HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\ECCParameters REPARSE Desired Access: Read
18:12:05,8774053 lsass.exe 836 RegOpenKey HKLM\System\CurrentControlSet\Control\Cryptography\ECCParameters SUCCESS Desired Access: Read
18:12:05,8774147 lsass.exe 836 RegQueryKey HKLM\System\CurrentControlSet\Control\Cryptography\ECCParameters SUCCESS Query: HandleTags, HandleTags: 0x0
18:12:05,8774222 lsass.exe 836 RegOpenKey HKLM\System\CurrentControlSet\Control\Cryptography\ECCParameters\nistP256 NAME NOT FOUND Desired Access: Read
18:12:05,8774835 lsass.exe 836 RegCloseKey HKLM\System\CurrentControlSet\Control\Cryptography\ECCParameters SUCCESS
18:13:41,4208546 lsass.exe 836 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0
18:13:41,4208643 lsass.exe 836 RegOpenKey HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\ECCParameters REPARSE Desired Access: Read
18:13:41,4208736 lsass.exe 836 RegOpenKey HKLM\System\CurrentControlSet\Control\Cryptography\ECCParameters SUCCESS Desired Access: Read
18:13:41,4208836 lsass.exe 836 RegQueryKey HKLM\System\CurrentControlSet\Control\Cryptography\ECCParameters SUCCESS Query: HandleTags, HandleTags: 0x0
18:13:41,4208915 lsass.exe 836 RegOpenKey HKLM\System\CurrentControlSet\Control\Cryptography\ECCParameters\nistP384 NAME NOT FOUND Desired Access: Read
18:13:41,4209011 lsass.exe 836 RegCloseKey HKLM\System\CurrentControlSet\Control\Cryptography\ECCParameters SUCCESS

 

---

Diego scaravaggi (Freelancer)

Answer 2

Hi dscaravaggi,

Thank you for posting here.

You can use Process Explorer to handle leaks, and provide insight into the way Windows and applications work.

Hope the following reference could be helpful.

Handles leak (Event type) in .NET application

Besides, you can also consider posting your question in Developer Community.

Best Regards,

Xingyu Zhao

---

MSDN Community Support
Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

Answer 3

Thanks Xingyu Zhao,

with my officemates, we collected further info.
The Leak is restricted in 2 compoenents.
.Net SSLStream SslStream.AuthenticateAsServer and Java 8 SSLServerSocketFactory

I think that LSASS.exe is bugged with handle leak, but .net library adopts a smart way to mitigate the problem, caching SSL connections and limiting handshake vs lsass.
On the contrary Java 8 SSLServerSocketFactory re-init a new connection and e new SSL handshake for every new connection.

which is the best forum for asking remediation ?
we have prepared a very simple .Net server solution c# with 2 clients (Java 8 and .Net c#) and we are able to reproduce the weird behavior.

 

---

Diego scaravaggi (Freelancer)