The appraisal service and its vectors of Files

Preface

The Inventory and Compatibility appraisal service (InventorySvc) on Windows is interesting. As its name suggests, this service (let’s call it “the appraisal service” hereinafter) has something to do with the compatibility workarounds that Microsoft maintains for old applications (this article on MSDN is probably relevant).

Unfortunately, the appraisal service is also a big player when it comes to unexpected, unexplainable CPU hogging on recent versions of Windows. The symptom? Simple: just open Task Manager and observe an svchost.exe process pegging a CPU core for multiple minutes.

Debugging a registry key handle leak in File Explorer (explorer.exe)

On Windows 11, every time I open and close a File Explorer window, it leaks about 140 Key handles to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore and some registry keys under CommandStore\shell, like HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\Windows.properties. I noticed this issue at the end of last year and reproduced it on both Windows 11 23H2 and 24H2.

The leak source

Thanks to the awesome ETWAnalyzer, finding handle leaks on Windows is so much easier (I used to spend hours and hours switching between Handle, x64dbg, IDA Pro, and WPA when tracking down other handle leaks in Windows). A typical stack trace of the leaked Key handle is the following:
