So I got a crash 10 days later. This time there were not as many instances of LogonUI zombies as before[2], but there was one and that was enough. Not surprisingly, Winlogon turned out not to be involved; the handle table did not carry a handle to LogonUI.
Suspected handle leaks like this can be hard to track, but one really nice way to track them is to turn on Object Reference Tracing, which shows you the stack each time the reference count on an object is affected. It is pretty handy when you are really puzzled about what is going on with certain objects and who could be leaking. But before I went that route, I needed to find out which process or driver was doing this.
To track down the process that had the handle open, I had to do it the hard way. I listed all process handles in all processes and searched for the process object in the output. Here is where I found my suspect.
As you can see, it is EgisService.exe, ostensibly a service. I had to check first whether this was malware of some sort.
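The "hard way" search described above (dump every process's handle table, then look for the zombie's process object) can be scripted over a saved debugger log. This is an added example, not the author's code: the sample log is constructed, its layout is assumed to follow kernel-mode `!handle 0 3 0` output, and `find_holders`, the addresses and the handle values are hypothetical.

```python
import re

# Constructed sample log. Layout assumed to match kernel-mode "!handle 0 3 0";
# every address, handle value and access mask here is made up.
SAMPLE_LOG = """\
PROCESS fffffa8003a1b060
    SessionId: 1  Cid: 0214    Peb: 7fffffd8000  ParentCid: 01c8
    Image: winlogon.exe

0004: Object: fffff8a000c12340  GrantedAccess: 00000003 Entry: fffff8a0012f4010
Object: fffff8a000c12340  Type: (fffffa8001234560) Directory

PROCESS fffffa8004c7e910
    SessionId: 0  Cid: 0a3c    Peb: 7efdf000  ParentCid: 0258
    Image: EgisService.exe

01b8: Object: fffffa8005d2f060  GrantedAccess: 001fffff Entry: fffff8a0034a56e0
Object: fffffa8005d2f060  Type: (fffffa8001845a30) Process
"""

PROCESS_RE = re.compile(r"^PROCESS\s+([0-9a-f`]+)", re.I)
IMAGE_RE = re.compile(r"^\s+Image:\s+(.+?)\s*$", re.I)
HANDLE_RE = re.compile(
    r"^([0-9a-f]+):\s+Object:\s+([0-9a-f`]+)\s+GrantedAccess:\s+([0-9a-f]+)", re.I)

def norm(addr):
    """Parse a debugger address, tolerating the 64-bit backtick separator."""
    return int(addr.replace("`", ""), 16)

def find_holders(log, target_object):
    """Return (image, eprocess, handle, access) for each handle to target_object."""
    target = norm(target_object)
    eprocess, image, holders = None, None, []
    for line in log.splitlines():
        if (m := PROCESS_RE.match(line)):
            eprocess, image = m.group(1), None   # new owner: reset its image name
        elif (m := IMAGE_RE.match(line)):
            image = m.group(1)
        elif (m := HANDLE_RE.match(line)) and norm(m.group(2)) == target:
            holders.append((image, eprocess, int(m.group(1), 16), int(m.group(3), 16)))
    return holders

if __name__ == "__main__":
    # Hypothetical EPROCESS address of the zombie LogonUI instance.
    for image, eproc, handle, access in find_holders(SAMPLE_LOG, "fffffa80`05d2f060"):
        print(f"{image} (EPROCESS {eproc}) holds handle {handle:#x}, access {access:#x}")
```
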