Note that only the last instance has a non-zero handle count. Zero handle count processes generally tend to be processes getting born or processes that have died but are still around (aka zombies). The presence of zombie processes such as these generally suggests (but does not necessarily point to) leak of some kind. There is not a whole lot you can do in a process without having some handles open. Examining the processes further confirms that they do not have any threads active in them either. We can assume that process id 1bb0 must be the one that was meant to be around. Let us look at what is keeping the zombie process objects hanging around.
Both HandleCount and PointerCount are 1 which means someone has a handle to this process still. You will notice that process id 3a4 (Winlogon.exe) launches LogonUI.exe. Processes are launched typically via a call to CreateProcess (or one of its causins) which returns handles to the process and main thread of the process launched in LPPROCESS_INFORMATION structure. Parent processes that do not pay attention to what they are doing with the process handle either “forget” to close the handle or worse keep overwriting the old handle with the new handle thereby leaking handle to prior opens.
Unfortunately this was a kernel summary dump file so attempting to switch to LogonUI led to Process fffffa80`0e4bb8a0 has invalid page directories message. It was time to turn on full memory dump by changing CrashDumpEnabled and AlwaysKeepMemoryDump REG_DWORD values under HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Control\ CrashControl\ to 1 and wait for the crash to happen again. The previous crash had happened a week back so I hoped I would not have to wait for long before this happens again.
