Possible GDI Object Leak in explorer extension (v5.3) [NBZ]

I’ve looked for other topics involving GDI, though I found only some involving CIS’s general GDI/User handle usage. After having upgraded to CIS v5.3 (.175888.1227) (from a much older version; the previous version was properly uninstalled, traces were cleaned as well, no imported configs), I have observed a GDI handle leak (6 handles at a time) that occurs each time I right-click a file in Explorer. This has not occurred prior to the update (my system in general has been up, often many weeks without a reboot; now the GDI pool ends up being exhausted after just 5 days. I have removed other context menu extensions that loaded GDI related resources [icons mostly] but this issue persists).

This occurs on XP SP2 32-Bit, no other realtime security software is installed at this time.

EDIT: Please note, I have manually removed the CIS shell extension entries from the HCR section of the registry and this fixed my problem. The CLSID involved is 4255A182-CAD9-4214-A19B-7BA7FB633BBD (in folder, drive and * entries in HCR).

The bug/issue

  1. What you did: Opening and closing the context menu in explorer
  2. What actually happened or you actually saw: A GDI handle leak (6 handles each time the above was repeated)
  3. What you expected to happen or see: The handles should be properly freed upon closing the context menu
  4. How you tried to fix it & what happened: Removed other applications that added extensions to the context menu involving GDI related resources such as icons; the problem went away once I manually removed the CIS shellex.
  5. If it’s an application compatibility problem have you tried the application fixes here?: None
  6. Details & exact version of any application (except CIS) involved with download link: None
  7. Whether you can make the problem happen again, and if so exact steps to make it happen: Yes, each time a context menu is opened (right clicking a file, folder or drive) this leak occurs
  8. Any other information (eg your guess regarding the cause, with reasons): The GDI resources used by the CIS shell extension aren’t properly released. I verified this by unregistering the shell extension; this fixed the handle leak. GDI resources aren’t automatically freed when a process is closed; this includes default contents (which need to be moved back for Windows to be able to properly unload them).

Files appended. (Please zip unless screenshots).

  1. Screenshots illustrating the bug:
  2. Screenshots of related CIS event logs and the Defense+ Active Processes List:
  3. A CIS config report or file.
  4. Crash or freeze dump file:

Your set-up

  1. CIS version, AV database version & configuration used: 5.3.175888.1227, 7415, Safe Mode (with default config)
  2. a) Have you updated (without uninstall) from CIS 3 or 4: No
    b) if so, have you tried a clean reinstall (without losing settings - if not please do)?:
  3. a) Have you imported a config from a previous version of CIS: No
    b) if so, have you tried a standard config (without losing settings - if not please do)?:
  4. Have you made any other major changes to the default config? (eg ticked ‘block all unknown requests’, other egs here.): No
  5. Defense+, Sandbox, Firewall & AV security levels: D+= SafeMode, Sandbox= Disabled, Firewall = SafeMode, AV = Stateful
  6. OS version, service pack, number of bits, UAC setting, & account type: XP Pro SP2 32bit (User and Admin accounts)
  7. Other security and utility software installed: None that is actively running
  8. Virtual machine used (Please do NOT use Virtual box): a VM is installed but wasn’t used for this
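
The measurement described in the report above can be scripted. This is an added example, not part of the original post and not Comodo code: it samples explorer.exe's GDI object count around a batch of context-menu openings and lists the context-menu handlers registered under the `*`, `Folder` and `Drive` classes with the DLL each one loads. It assumes Windows PowerShell 3.0 or later; the function names and the run count of 10 are illustrative.

```powershell
# GetGuiResources (user32.dll) returns a process's GDI object count when uiFlags = 0 (GR_GDIOBJECTS).
Add-Type -Namespace Win32 -Name Gui -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true)]
public static extern uint GetGuiResources(IntPtr hProcess, uint uiFlags);
'@

function Get-GdiObjectCount {
    param([string]$ProcessName = 'explorer')
    # Sum over every instance of the process (normally a single explorer.exe).
    $total = 0
    foreach ($p in Get-Process -Name $ProcessName) {
        $total += [Win32.Gui]::GetGuiResources($p.Handle, 0)
    }
    return $total
}

function Get-ContextMenuHandler {
    # Handlers registered for the three classes named in the report: *, Folder and Drive.
    foreach ($class in '*', 'Folder', 'Drive') {
        $root = "Registry::HKEY_CLASSES_ROOT\$class\shellex\ContextMenuHandlers"
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            # The CLSID is either the key's default value or the key name itself.
            $clsid = $key.GetValue('')
            if ($clsid -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { $clsid = $key.PSChildName }
            $server = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                Class = $class; Handler = $key.PSChildName; Clsid = $clsid
                Dll   = $(if ($server) { $server.GetValue('') })
            }
        }
    }
}

# Measure the gain across a known number of context-menu openings.
$runs   = 10
$before = Get-GdiObjectCount
Read-Host "Open and close the Explorer context menu $runs times, then press Enter" | Out-Null
$delta  = (Get-GdiObjectCount) - $before
'{0} GDI objects gained ({1:N1} per menu)' -f $delta, ($delta / $runs)

# List the candidate extensions so the gain can be attributed to one DLL.
Get-ContextMenuHandler | Sort-Object Dll | Format-Table Class, Handler, Clsid, Dll -AutoSize
```

Re-running the measurement after unregistering one listed handler shows whether the per-menu gain follows that handler, which is the test the report describes.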

We would very much appreciate it if you would edit your first post to create an issue report in line with the bug forum guidelines and format here. You can copy and paste the format from this topic.

To understand the reasons why we ask you to follow these guidelines please see below.

Bugs/issues can be impossible or very time consuming to fix if developers don’t have enough information to reproduce them. Since CIS is free, development time is limited. So if you want your issue fixed, please use the format below to describe it.

To avoid clutter, issues not described in the format below your post will not be moved to the ‘moderator verified’ issues topic. This means that the developers may not look at it.

Best wishes and many thanks in anticipation


Thank you for your bug report in the required format.

Moved to verified.

Thank you