So I got a crash 10 days later. This time there were not as many LogonUI zombies as before, but there was one, and that was enough. Not surprisingly, Winlogon turned out to be not involved: its handle table did not carry a handle to LogonUI.

Now, suspected handle leaks like this can be hard to track, but one of the ways to track them really nicely is to turn on Object Reference Tracing, which shows you the stack at each point where the reference count on an object was changed. Pretty handy when you are really puzzled about what is going on with certain objects and who could be leaking them. But before going that route I needed to find out which process or driver was doing this.

To track down the process that had the handle open, I had to do it the hard way: I listed the handles of every process and searched the output for the LogonUI process object. Here is where I found my suspect:

[Screenshot: EgisService.exe has an open handle to LogonUI]

As you can see, it is EgisService.exe, ostensibly a service. I first had to check whether this was malware of some sort.
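The manual search in the step above, written out as an added example (not the post's own tooling): it scans a user-mode handle listing in the style of Sysinternals `handle.exe -a` (format assumed from memory; the listing below is constructed) for Process-type handles that point at a given image, and flags any target PID that no longer appears as a running process. That is exactly the zombie case: a process object kept alive only by a stray handle in someone else's table.

```python
import re
from collections import defaultdict

# Constructed sample in the assumed "handle.exe -a" layout: a header line per
# process, then one line per handle ("<hex>: <Type> <Name>"). Not real output.
SAMPLE_LISTING = r"""
------------------------------------------------------------------------------
winlogon.exe pid: 584 NT AUTHORITY\SYSTEM
   1C: Event
   40: Process       LogonUI.exe(3640)
------------------------------------------------------------------------------
LogonUI.exe pid: 3640 NT AUTHORITY\SYSTEM
    8: Key           HKLM\SOFTWARE\Microsoft
------------------------------------------------------------------------------
EgisService.exe pid: 1820 NT AUTHORITY\SYSTEM
   A4: Process       LogonUI.exe(3640)
   A8: Process       LogonUI.exe(2216)
------------------------------------------------------------------------------
explorer.exe pid: 2400 DESKTOP\user
  1F0: Thread        explorer.exe(2400): 2412
"""

PROC_HEADER = re.compile(r"^(?P<image>\S+) pid: (?P<pid>\d+)")
HANDLE_LINE = re.compile(r"^\s*(?P<handle>[0-9A-Fa-f]+): (?P<type>\S+)\s*(?P<name>.*)$")
PROC_TARGET = re.compile(r"^(?P<image>[^()]+)\((?P<pid>\d+)\)")  # "LogonUI.exe(3640)"

def parse_listing(listing):
    """Yield (holder_image, holder_pid, handle_value, type, name) per handle line."""
    holder = None
    for line in listing.splitlines():
        m = PROC_HEADER.match(line)
        if m:
            holder = (m.group("image"), int(m.group("pid")))
            continue
        m = HANDLE_LINE.match(line)
        if m and holder:
            yield holder[0], holder[1], int(m.group("handle"), 16), m.group("type"), m.group("name").strip()

def find_process_handle_holders(listing, target_image):
    """Map each PID of target_image to the (image, pid, handle) tuples that hold a Process handle to it."""
    holders = defaultdict(list)
    for image, pid, handle, htype, name in parse_listing(listing):
        t = PROC_TARGET.match(name) if htype == "Process" else None
        if t and t.group("image").lower() == target_image.lower():
            holders[int(t.group("pid"))].append((image, pid, handle))
    return dict(holders)

def find_zombie_holders(listing, target_image):
    """Target PIDs that are referenced by a handle but no longer run: zombie process objects."""
    running = {int(m.group("pid")) for m in map(PROC_HEADER.match, listing.splitlines()) if m}
    return {pid: h for pid, h in find_process_handle_holders(listing, target_image).items() if pid not in running}
```

Run against a live listing, the zombie set names the suspects directly; the legitimate parent (Winlogon holding a handle to its running LogonUI child) is filtered out because that PID still exists.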
