Too many handles?

[rwn0072]

Hi!

When using the command (in Windows PowerShell) "Get-Process -Id (Get-NetUDPEndpoint).OwningProcess",
I see that AvastSvc takes up around 20 000 handles!

I thought it had to do with my computer being on for quite some time, so I restarted it, but it stayed around the same.

Is that amount actually correct? Last post I saw on this forum said that 2000 were normal, in that case 20 000 seem high...

I am using Windows 10 Home Edition (x64), and I only use Windows Defender and Avast Free AntiVirus with:
Program Version: 20.10.2442 (build 20.10.5824.624)
Virus definitions version: 210113-0
Number of definitions: 19,407,619
UI version: 1.0.591

Here is a printscreen of it:

[igor]

No, I wouldn't call it normal.
How long did it take to reach this number? I mean, if you restart the machine, I'd expect the number to go down - and I'm interested if it goes up again, and how quickly.

Could you please create/upload the support package and post its ID here? Maybe the logs would show something unusual...

[rwn0072]

The thing is that yesterday before I restarted the computer, that number was at around 19 000.
When I restarted it, waited 5 minutes (to let everything load up on the computer), I had what you see there (20 178).

I have had the computer on since then, and now I have 21 378.

So it seems to always be around this value, since before I restarted the computer yesterday, I had the computer on for a whole week.

I downloaded the tool at "https://support.avast.com/en-ww/article/Submit-support-file" and completed the steps.
Here is the ID for it: OOOTW
I also have the files stored locally like the tool said, in case you need those.

[rwn0072]

Why I even saw that handle value was because I am experiencing port exhaustion for some reason on my computer when trying to run a program that takes up 4000 ports (even though I have increased the dynamic port range to around 64000).
So that was one of the commands to run to try to see the culprit.
Though I am not sure if the handles on Avast are actually ports/sockets, I bet 99% of them are file handles instead.

[igor]

Strange, so the number is rather high right from the start (I've got something like 6000 handles in AvastSvc process on my machine).
Didn't find anything suspicious in the logs yet...
Could you please post the output of the handle tool, say

Code: [Select]

handle -s -p AvastSvc

[rwn0072]

Here they are, I used all 3 programs in there:

handle.exe

Code: [Select]

C:\Users\rwn00\Desktop\Handle>handle -s -p AvastSvc

Nthandle v4.22 - Handle viewer
Copyright (C) 1997-2019 Mark Russinovich
Sysinternals - www.sysinternals.com

Handle type summary:
  ALPC Port       : 88
  Desktop         : 2
  Directory       : 2
  EtwRegistration : 215
  Event           : 3514
  File            : 1274
  IoCompletion    : 25
  IRTimer         : 6
  Key             : 15422
  Mutant          : 432
  PcwObject       : 2
  Process         : 10
  Section         : 19
  Semaphore       : 70
  Thread          : 266
  Timer           : 9
  Token           : 7
  TpWorkerFactory : 3
  UserApcReserve  : 1
  WaitCompletionPacket: 58
  WindowStation   : 3
Total handles: 21428

C:\Users\rwn00\Desktop\Handle>

handle64.exe

Code: [Select]

C:\Users\rwn00\Desktop\Handle>handle64 -s -p AvastSvc

Nthandle v4.22 - Handle viewer
Copyright (C) 1997-2019 Mark Russinovich
Sysinternals - www.sysinternals.com

Handle type summary:
  ALPC Port       : 87
  Desktop         : 2
  Directory       : 2
  EtwRegistration : 215
  Event           : 3511
  File            : 1274
  IoCompletion    : 25
  IRTimer         : 6
  Key             : 15425
  Mutant          : 432
  PcwObject       : 2
  Process         : 10
  Section         : 19
  Semaphore       : 70
  Thread          : 264
  Timer           : 10
  Token           : 7
  TpWorkerFactory : 3
  UserApcReserve  : 1
  WaitCompletionPacket: 58
  WindowStation   : 3
Total handles: 21426

C:\Users\rwn00\Desktop\Handle>

handle64a.exe

Code: [Select]

C:\Users\rwn00\Desktop\Handle>handle64a -s -p AvastSvc
This version of C:\Users\rwn00\Desktop\Handle\handle64a.exe is not compatible with the version of Windows you're running. Check your computer's system information and then contact the software publisher.

C:\Users\rwn00\Desktop\Handle>


[igor]

OK, so the biggest number are registry key handles.
Can you please try to find out what are those key handles for, e.g. using Process Explorer (run it elevated, select AvastSvc.exe in the upper panel and press Ctrl+H - that should show the list of handles in the lower panel; scroll down to "Key" handles. If there's 15000 registry key handles, I'd expect you'd see a lot of them with the same target). Or just use File / Save As (after pressing the Ctrl+H on AvastSvc process).

Theoretically you could also use the handle tool to dump the handles into a file (handle64.exe -a -p AvastSvc > file.txt) - but when I tried that I got a BSoD... so that's risky.

[rwn0072]

Yeah you are right, most of them are exactly the same target:
Key   HKLM\SOFTWARE\Microsoft\Internet Explorer

Here is a file uploaded with the whole info:
https://easyupload.io/j3jy80

The strange thing is that I don't even use Internet Explorer. I only use it like once a month when Chrome fails to load a site.
I have not even used it since the last restart of my computer.

[igor]

Actually I found and fixed a leak of this key in December. While I don't know why the piece of code in question should be called that many times, I'd find it rather unlikely that there were two different leaks of the same key.
The fix is included in the latest public beta, with the expected release date three weeks from now.

[rwn0072]

Ok nice! I'll check back in about 4 weeks then.

[rwn0072]

I updated Avast and restarted my computer yesterday (2021-02-22), and it then only had 5804 handles on startup.
Today I checked again (without restarting the computer since yesterday) and it has 5919 handles.
So it seems the fix worked!