Helping people with computers... one answer at a time.
Constant disk activity is not always a sign of a problem; it depends on the cause. We'll use Process Monitor to identify the source of disk activity.
Win7, new system and new load with all available patches. Processor I5-750, Intel Desktop Board DH55HC, 4gig mem. The disk is constantly being accessed. How do I stop it and let it rest? I see several people are having that issue, but no fixes so far as to what to stop. My XP didn't seem to do that all the time.
Well, first we need to know what's accessing the disk.
Then we'll worry about how to stop it, or if we even need to. Windows 7 does do a few things differently than XP; for example one might be background defragmentation, so it's important to know just what's happening before we decide it's a problem that needs to be fixed.
And I've got just the tool to figure it out.
Process Monitor (not to be confused with Process Explorer, a completely different program) is a utility that as its name implies monitors processes - but it does a lot more than just monitor processes.
Much, much more.
I've just recently begun exploring some of its features, and for this situation it's an almost perfect diagnostic tool.
Download Process Monitor - it's a free download from Microsoft - and place it somewhere on your computer so that you can run it at will.
Process Monitor works by collecting information - events - and then allowing you to analyze those events for the information you're looking for. Even better, Process Monitor includes a couple of summary tools that do some of that analysis for you.
Run Process Monitor and after accepting the license agreement (first run only) you should see something similar to this:
What you're seeing is the Process Monitor main window, and in front of that, the Filter dialog.
We're going to ignore the filter, so just click "OK" and Process Monitor will begin collecting data; you'll see the screen quickly fill with geeky gibberish, and the count of events in the status bar will begin increasing.
Let it run for "a while". How long is difficult to say, but long enough for you to experience the problem that lead you here: your constant disk activity.
Press CTRL+E to stop the data collection.
Click on the Tools menu, and click on File Summary...:
That's a summary of the file activity that occurred on the system during data collection, listed with the most active files first. Here's the interesting part:
Here you can see that when I took this snapshot the most active file was "OBJECTS.DATA", a file used by Windows itself, followed by a World of Warcraft download that was happening in the background, followed by the Process Monitor executable itself.
Sometimes this information alone will be enough for you to determine just what's happening.
But not always. In particular, while this might tell you what file is being accessed, it's not telling you what program is accessing it.
In Process Monitor, click on the Tools menu, and then Process Activity Summary..., and in the resulting screen click on the File Events column header to sort the data:
Here we can see that in my case "wmiprvse.exe" - the Windows Manage Interface (WMI) executable which is responsible for all the "OBJECTS.DATA" activity is top of the list, with "prl_disp_service.exe" (a component of Parallels Workstation, the virtual machine technology I use), our friend "svchost.exe", the Blizzard background downloader (working on that World of Warcraft download), and other executables following.
A few random notes about what you're looking at:
Note the File Events and File I/O Bytes graphs - these summarize when during the time the data collection was happening that the File Events occurred. wmiprvse.exe had a burst at the beginning, where as the Blizzard downloader was plugging away periodically throughout.
Note that not all File Events have "I/O Bytes" associated with them. Frequently programs test for the existence of a file or a registry key, or for access permissions, without actually transferring any data. From what I've seen there's a lot of registry activity that consists of nothing more than "does this registry key exist" requests.
That being said, if you're tracking down disk activity File I/O Bytes are probably more important than simple File Events since they involve actual data transfer.
Quite often non-disk activity is also treated as File I/O - for example network activity is often treated as if it were File I/O.
As you can see, many programs you might not have thought about could be accessing the disk: MsMpEng.exe is Windows Security Essentials performing anti-malware work in the background (probably scanning the download for malware); SearchIndexer.exe is the content indexer for the Windows search feature; svchost.exe hosts several different system services that may need to perform File I/O.
My conclusion from looking at the data above is that my disk was active mostly due to the ongoing download, coupled with a spurt of activity from Security Essentials. Other things contributed, but those were most likely to be the most noticeable.
Naturally, I used my machine to generate the examples above and yours will probably be quite different.
In my case, "File Activity" was less helpful at identifying what was happening than "Process Activity", but that too will vary based on exactly what's causing the activity in the first place.
As you might guess, we've barely scratched the surface of what Process Monitor can do, but I'd be willing to bet that one or the other of these two summaries that it generates will be enough to tell you exactly why your disk might be active when you don't expect it.
And from that you can determine what action to take, if indeed you need to take any action at all.
Comments on this entry are closed.
If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.
If you don't find your answer, head out to http://askleo.com/ask to ask your question.