A while ago, I noticed a handle leak in Apple's "Bonjour Service" (yeah, that sounds like something I want running on my system...) - mDNSResponder.exe. I knew right away that that was the executable for the "Bonjour Service" because the name is so helpful. (Joking. Even if it was named after the service, how the heck would I even guess what the "Bonjour Service" did. But I digress...)

The service description is:

Bonjour allows applications like iTunes and Safari to advertise and discover services on the local network. Having Bonjour running enables you to connect to hardware devices like Apple TV and software services like iTunes sharing and AirTunes. If you disable Bonjour, any network service that explicitly depends on it will fail to start.

I put up with the leak for a while, from time to time stopping the service when I thought of it after booting. Most of the time I didn't think of it and the leak did not appear to be having any kind of performance impact on my system (I never saw it get above 80,000 handles). An update (or two?) later, I thought it would be fixed. So I was surprised to find mDNSResponder.exe had more than 55,000 handles when I checked recently with Sysinternals' Process Explorer.

I tried to use Process Explorer's handle pane to see the handles in mDNSResponder.exe, but with that many handles to display, and with Process Explorer running with its default High priority and refreshing every second, the system became rather sluggish. I dropped the priority of Process Explorer with Task Manager, hid the lower-pane view, and gave Handle.exe a shot with handle.exe -a -p mdnsresponder.exe.

I found that the handles being leaked are handles to registry keys - specifically, HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters. (ControlSet001 is the current control set on my system.)

Since there's not much I can do about the handle leak, I'll disable the service, and hope the next update fixes the problem as surely the next update will set the service to Automatic start. Wonder why the installer doesn't at least set a service such as this as "Delayed Start" in Vista...

Note: this content originally from http://mygreenpaste.blogspot.com. If you are reading it from some other site, please take the time to visit My Green Paste, Inc. Thank you.

Recently, an individual going by the moniker 'hi' posted a comment to Setting the Priority of a Service Process via Script:

How would I, if I want to, find which services are part of a particular svchost.exe? Can in be done in C#?

Thanks!

I replied via comment, but one has even less control over formatting in comments than one does in the actual blog posting, so I figured I would post the response here as well.

=================

Tasklist.exe with the /svc param can tell you, as can Process Explorer. You can also inspect the registry to determine what services would load with what SVCHOST group (see "Troubleshooting Performance Issues with Automatic Updates" for more details).

As far as C# code, the following requires a reference to System.Management. Invoke the program, passing it the process id of the process you're curious about, and it will output the services running in that process.

using System;
using System.Management;

namespace MyGreenPaste
{
  class Program
  {
    static void Main( string[] args )
    {
      if( args.GetLength( 0 ) <= 0 )
      {
        Console.WriteLine( "Usage: {0} pid",
          System.IO.Path.GetFileName(
            System.Diagnostics.Process.GetCurrentProcess().
              MainModule.FileName ) );
        Console.WriteLine( "  where pid is the process id " +
          "of a process hosting at least one service" );
        return;
      }

      try
      {
        ManagementObjectSearcher mos =
          new ManagementObjectSearcher( "root\\CIMV2",
            string.Format( "SELECT * FROM Win32_Service " +
              "where ProcessId={0}", args[0] ) );
        foreach( ManagementObject result in mos.Get() )
        {
          Console.WriteLine( "{0} -> {1}", result["Name"],
            result["DisplayName"] );
        }
      }
      catch( ManagementException mex )
      {
          Console.WriteLine( "** Error querying WMI:{0}{1}",
            System.Environment.NewLine, mex.Message );
      }
    }
  }
}

Previously (here and here), I’ve written about isolating shared services so that they run in their own process, with a specific focus on the Windows Update Automatic Updates Service (wuauserv) that typically runs in the NETSVCS SVCHOST.EXE instance. One thing that can be done once this is accomplished is to lower the priority of the process so that when the service winds up consuming 100% of the CPU, the system doesn’t become unresponsive.

Since we’re dealing with a service, setting the priority of such a SVCHOST.EXE process can become problematic - the service may already be running, or, because it is a service, it is not started as non-service processes are, so one is not able to use START / [LOW NORMAL HIGH REALTIME ABOVENORMAL BELOWNORMAL] to impose a priority when the process starts. One can use a utility like Task Manager or Process Explorer to set the priority of a process on an ad hoc basis, but when the service restarts or the system reboots one has to remember to set the priority again.

Though not an ideal solution the following scripts (VBS using WMI, and PowerShell) can be used to set the priority of the SVCHOST.EXE instance hosting the isolated Windows Update Automatic Updates Service service to “below normal”. Note that no check is done to ensure that the SVCHOST.EXE instance is only hosting one service - if wuauserv is found to be a service inside of the process, the priority is adjusted. Note also that no error handling is implemented.

I’ll try to format the code so it looks nice, but I fear I will be limited…

Here’s the code for the VBS / WMI script:

Const BELOW_NORMAL = 16384Set objWMIService = GetObject(”winmgmts:\.rootCIMV2″)Set colServices = objWMIService.ExecQuery( _    “SELECT * FROM Win32_Service where name=’wuauserv’”)For Each oService in colServices    Set colProcesses = objWMIService.ExecQuery( _        “SELECT * FROM Win32_Process where ProcessId=” & oService.ProcessId )    For Each oProcess in colProcesses        oProcess.SetPriority(BELOW_NORMAL)    NextNext

Here’s the code for the PowerShell script:

(gps -id (get-wmiobject win32_service  where {$_.name -eq “wuauserv”}).ProcessId).PriorityClass=”BelowNormal”

The different values for the priority parameter of the SetPriority method of the Win32_Process WMI class can be found in the documentation for the SetPriority method.

The different values for the PriorityClass in the PowerShell script are “Normal”, “Idle”, “High”, “RealTime”, “BelowNormal”, or “AboveNormal”. Or, to get a list of the available options, one can use the following PowerShell command:

[ENUM]::getNames(”System.Diagnostics.ProcessPriorityClass”)

Once the script is in place and working, one can cause it to be invoked at will, or via scheduled task at specific times, or after logon, or any other way that one can get something to happen when Windows boots or a user logs on.

»