On Wed, Feb 29, 2012 at 8:54 AM, Adam Bruss <abruss@awrcorp.com> wrote:
> I ran process explorer and looked at the handles for the System process. The vast majority of the handles are of type
> "Key". I can find them in the registry. I took two at random from process explorer and exported the registry branch for
> them below.
>
> ## EXAMPLE 1: ##
>
> Key Name: HKEY_CLASSES_ROOT\CLSID\{9F074EE2-E6E9-4d8a-A047-EB5B5C3C55DA}
> Class Name: <NO CLASS>
> Last Write Time: 2/28/2012 - 1:26 AM
> Value 0
> Name: <NO NAME>
> Type: REG_SZ
> Data: HwTextInsertion Class
>
>
> Key Name: HKEY_CLASSES_ROOT\CLSID\{9F074EE2-E6E9-4d8a-A047-EB5B5C3C55DA}\InprocServer32
> Class Name: <NO CLASS>
> Last Write Time: 2/29/2012 - 4:05 AM
> Value 0
> Name: <NO NAME>
> Type: REG_EXPAND_SZ
> Data: %CommonProgramFiles%\microsoft shared\ink\tiptsf.dll
>
> Value 1
> Name: ThreadingModel
> Type: REG_SZ
> Data: Apartment
Seems like your web server is leaking registry keys used when loading
COM objects. The sample that you posted is for the "Tablet PC Input
Panel Text Services Framework" [1]. However, I find it strange that
a) IIS needs this and b) that it would leak it.
Are you able to obtain a large statistical sample of the leaked
registry keys? 2 out of 130,000 seems like a small sample.
Try the command line "handle.exe" tool [2]. It can dump to a text
file that you can then analyze with perl, python, grep, etc... or your
own eyeballs. :) See if the handle list is dominated by a specific
set of registry keys.
[1] http://systemexplorer.net/filereviews.php?fid=515344
[2] http://technet.microsoft.com/en-us/sysinternals/bb896655
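As an added example that is not part of the thread above: a small Python script of the kind the reply suggests for analysing a handle.exe text dump. It assumes the dump was produced with something like `handle.exe -a -p 4 > handles.txt` and that each handle line has the layout `<hex handle>: <Type>  <name>` under a `<process> pid: N` header (banner and separator lines are skipped). The embedded sample dump is constructed for the demonstration and reuses the CLSID from the posted registry export; the `summarize` and `parse_handle_dump` names are the script's own.

```python
import re
import sys
from collections import Counter

# Matches one handle line from handle.exe output: "   2C: Key   HKLM\..."
# The name part may be empty for unnamed objects (events, mutants, ...).
HANDLE_LINE = re.compile(r'^\s*([0-9A-Fa-f]+):\s+(\S+)\s*(.*)$')

# Constructed sample of a handle.exe dump for the System process (pid 4).
# Real output has a version banner and copyright lines before the separator.
SAMPLE_DUMP = r"""
Sysinternals - www.sysinternals.com

------------------------------------------------------------------------------
System pid: 4 NT AUTHORITY\SYSTEM
    2C: Key           HKLM\SYSTEM\ControlSet001\Control\Session Manager
    30: Key           HKCR\CLSID\{9F074EE2-E6E9-4d8a-A047-EB5B5C3C55DA}
    34: Key           HKCR\CLSID\{9F074EE2-E6E9-4d8a-A047-EB5B5C3C55DA}\InprocServer32
    38: Key           HKCR\CLSID\{9F074EE2-E6E9-4d8a-A047-EB5B5C3C55DA}
    3C: File          C:\Windows\System32\config\SYSTEM
    40: Key           HKCR\CLSID\{9F074EE2-E6E9-4d8a-A047-EB5B5C3C55DA}\InprocServer32
    44: Event
    48: Key           HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
"""


def parse_handle_dump(text):
    """Return a list of (handle_value, type, name) tuples from handle.exe text."""
    entries = []
    for line in text.splitlines():
        m = HANDLE_LINE.match(line)
        if not m:
            continue  # banner, separator and "pid:" header lines
        handle, htype, name = m.groups()
        entries.append((int(handle, 16), htype, name.strip()))
    return entries


def key_prefix(name, depth):
    """Collapse a registry path to its first `depth` components.

    With depth=2, HKCR\CLSID\{...}\InprocServer32 becomes HKCR\CLSID, so
    thousands of distinct per-CLSID keys are counted as one family.
    """
    return '\\'.join(name.split('\\')[:depth])


def summarize(text, depth=2):
    """Count handles by object type, and Key handles by path family.

    Returns a dict with 'total', 'by_type' (Counter) and 'by_prefix' (Counter).
    A leak shows up as one prefix dominating 'by_prefix'.
    """
    entries = parse_handle_dump(text)
    by_type = Counter(htype for _, htype, _ in entries)
    by_prefix = Counter(
        key_prefix(name, depth) for _, htype, name in entries if htype == 'Key'
    )
    return {'total': len(entries), 'by_type': by_type, 'by_prefix': by_prefix}


def report(text, depth=2, top=10):
    """Print a short human-readable summary of a dump."""
    s = summarize(text, depth)
    print(f"{s['total']} handles")
    for htype, n in s['by_type'].most_common():
        print(f"  {n:8d}  {htype}")
    print(f"Key handles by first {depth} path components:")
    for prefix, n in s['by_prefix'].most_common(top):
        share = 100.0 * n / max(1, s['by_type']['Key'])
        print(f"  {n:8d} ({share:5.1f}%)  {prefix}")


if __name__ == '__main__':
    # Usage: python handle_stats.py handles.txt  (no argument: built-in sample)
    data = open(sys.argv[1], encoding='utf-8', errors='replace').read() \
        if len(sys.argv) > 1 else SAMPLE_DUMP
    report(data)
```

Raising `depth` narrows the grouping (depth=3 separates the individual CLSIDs), which is the quickest way to tell whether one COM class, or the whole CLSID hive, is behind the growth.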