HandleLeakInvestigator
Find Windows handle leaks by allocation stack.
Free download. Placeholder package currently available.
HandleLeakInvestigator watches Windows handle create, duplicate, and close activity live, then groups open handles by owning process, object type, and allocation stack. Instead of staring at a process handle count and guessing what grew, you can sort by live count or growth and inspect the code path that opened the leaked handles.
It is built for the common leak hunt where a service, application, or driver-adjacent process climbs slowly over time. Use Mark A and Mark B to compare a steady baseline against a repro run, filter to groups that grew, and resolve the allocation stack for the leading candidate.
What It Does
- Tracks NT handles for files, events, mutexes, sections, registry keys, processes, threads, ALPC ports, tokens, and other Object Manager types.
- Groups by allocation stack so leaks are tied to call sites, not just object types or process totals.
- Diffs leak scenarios with Mark A, Mark B, Growth, and Delta Mark columns.
- Shows DuplicateHandle provenance when a process receives handles from another process.
- Can include GDI and USER handles through an experimental, off-by-default Win32k source.
Typical Workflow
Start a capture elevated, let the workload settle, press Mark A, run the suspected leak path, press Mark B, and enable Growth only. The groups left on screen are the handle leak candidates. Select one to resolve the allocation stack, or double-click it to drill into the raw create and duplicate events behind that group.
For a detailed walkthrough, see how to track down Windows handle leaks.
Requirements
- Windows 10 or later.
- Administrator privileges for system-wide kernel ETW capture.
- A configured PDB search path for symbolized user-mode frames.
Frequently Asked Questions
What is HandleLeakInvestigator?
HandleLeakInvestigator is a Windows handle leak debugging tool. It captures handle activity live and groups currently open handles by process, object type, and allocation stack so the leaking code path can be identified.
Does HandleLeakInvestigator require administrator privileges?
Yes. Capturing system-wide kernel ETW handle events requires running elevated. Without administrator privileges the capture cannot be started.
Can it show who duplicated handles into a process?
Yes. Cross-process DuplicateHandle events include source-process provenance, so HandleLeakInvestigator can show which process gave handles to the selected target group.
HandleLeakInvestigator
What our customers say about us?

Read our customer testimonials to find out why our clients keep returning for their projects.
View Testimonials
