In some (if not all) cases the SunMSCAPI provider leaks keys. When getting the keys and building certificate chains the provider silently gets the keys as a test which are then freed. The Windows API for CryptAcquireCertificatePrivateKey details that the caller needs to release the key if the output value of pfCallerFreeProvOrNCryptKey is true. The existing code handled this case but did not use the correct free in all cases. There's a second output (pdwKeySpec) value which tells you whether to use CryptReleaseContext or NCryptFreeObject. However the current code always calls CryptReleaseContext.

Here's a repro case (watch the handle counts in the windows task manager grow) for both java.exe and lsass.exe

Note that this issue existed prior to the support for localmachine stores was added

import java.security.*;

class AcpTest {
    public static void main(String[] args)
    {
        try {
            while (true)
            {
                KeyStore keyStore = KeyStore.getInstance("Windows-MY");
                keyStore.load(null, null);
            }
        } catch (Exception ex) {
            System.out.println("Error!");
            ex.printStackTrace();
        }
    }
}