KBI 310136 Excess Handle Counts When Monitoring Performance Counters




24 Dec 2008


Windows Servers with performance monitoring done via Argent Guardian show massive excess of handles for svchost.exe, along with consequent available memory loss.

Handle counts of between 15,000 and 30,000 are seen in all servers investigated.

Technical Background

Using Process Explorer (Sysinternals tool) the source of the handle count can be traced to the Remote Registry Service on the target server.

The account accessing that service is the Argent service account.

Stopping Argent monitoring does not result in handles closing.

Restarting the remote registry service is the only way to clear the open handles.

Testing has revealed the issue can be reproduced using Microsoft Perfmon alone.

Running Perfmon for multiple counters against a remote server will open a large number of handles for the server’s remote registry service. Closing Perfmon closes most but not all of those handles.

This demonstrates that running Perfmon at high frequency will cause the handle count to grow until the service is restarted.

Argent Guardian is essentially acting as an automation tool that elicits this Microsoft issue to a high degree.


A Microsoft article describes this Microsoft issue and mentions an available hotfix:


Multiple memory leaks occur in the Svchost.exe process when you use performance counters in Windows Server 2003