Summary: Unexplained disk activity turns out to be fairly easy to identify with the right tools. We'll use Process Monitor to track down disk activity.
My machine has a constant red led, constant disk activity, no response from mouse, Task Manager, not able to gain control of any processes or programs. Problem is, I have had Process Explorer(boot) running and it shows +-98% inactive!!! I am unable to see what is causing me the problem (using Admin. Tools Events etc. when I look at various categories).
Obviously something appears to be running outside of Windows XP Pro SP.3. Unfortunately I am unable to find and DESTROY it.
•
One thing I can tell you is that it's not outside of Windows. The assumption that the CPU usage is telling you something is incorrect.
In the past we've used a tool called FileMon to determine what's been writing to your disk. FileMon has since been replaced by a significantly more powerful utility, Process Monitor.
We'll look at using Process Monitor to see if we can determine just exactly who's doing what to your machine.
•
I do want to start by clarifying the CPU usage issue. It's quite possible for your CPU to be doing "nothing" while your disk thrashes. The CPU is much faster than the disk - which means that it's actually spending most of its time waiting for the disk to read or write data. "Waiting", for a CPU, means "doing nothing", which in Process Explorer is "Idle". 98% idle makes total sense even if the disk is thrashing as you describe - 2% CPU usage, or even much less, is plenty to keep the disk busy.
When it comes to disk activity, you can pretty much ignore CPU usage. It's not really telling you anything valuable.
To figure out what's really going on, we're going to start by downloading a powerful, if extremely geeky, utility called Process Monitor, or "procmon" (not to be confused with another great utility Process Explorer, or "procexp").
Procmon allows us to monitor almost all the activity of processes running on your machine - including who's accessing the disk.
After downloading and running procmon, it'll start collecting data immediately:
Press CTRL+E to stop the data collection for now.
Make sure that Enable Advanced Output is not checked on the Filter menu:
Unlike Process Explorer, which simply shows you process information in relatively real time, Process Monitor works by collecting data for some period of time, and then after you stop, giving you various tools to review and analyze the data collected.
Since Process Monitor automatically begins collecting data when it's run, all you need to do is start it. If your concern is a startup problem, you could, for example, include it at Windows Startup time by simply adding it to the Startup sub menu.
After procmon has run "a while", collecting data during the behaviour you're concerned about, click on it and once again press CTRL+E to stop data collection.
Rather than trying to analyze the raw data, which of course you're more than welcome to do, Procmon includes a couple of handy summarization tools.
Click on File Summary... gives you a report of the file I/O activity within the recorded data:
The default is sorted by "Total Events". Scroll the data to the left to see the rightmost Path column (which you can also widen by grabbing its right-most column header bar and dragging right).
In this case you can see that "C:\WINDOWS\system32\config\system.LOG" was the most accessed file during this capture taken when I logged into this machine.
You can also sort by any of the other column headers in the file summary dialog so as to see which file took the most time, had the most Reads, Writes or any of several other activities. I would assume that for simple "why is my disk thrashing" analysis, the default "Total Events" is likely to be the best place to start.
Once you've identified a file that you want to understand more about, you can double click on it, and the main procmon window will automatically filter the data it displays to only include accesses of that file. For example, here I've double clicked on that "system.LOG" file:
Now we can see that at least initially the process in question was "services.exe". Double click on any line there and you'll get more detailed information about that specific event and the process that caused it:
Of course our old friend Process Explorer is still valuable, as it will tell us even more about the specific process we've located - such as any Windows Services it might be providing.
What happens next, of course, depends on what you've found. Process Monitor (and Process Explorer) won't fix anything - they're both tools to help you answer the common question "what's happening?", with additional data that might help you also answer "why?".
Process Monitor, in case you haven't noticed, is very powerful and somewhat complex. The basic "capture and filter" scenario that I've outlined above, though, will get you 90% of the information that most people might want to see.
If you're at all interested in diving deeper, make sure to check out the Help information that comes with Procmon, and spend a little time exploring its features.
Me? I've only skimmed the surface.
Related:
-
Process Explorer - A Free Powerful Replacement for Windows Task Manager Process Explorer is Task Manager on steroids. A free utility that completely replaces Task Manager, there's no reason not to have and use procexp.
-
How do I find out what program is using all my CPU? Occasionally one program will use up all of your computers processing resources. Using process explorer it's easy to figure out which program that is.
-
Why, when I'm doing nothing at all, will my hard disk suddenly start thrashing? There are several reasons you might see hard disk activity when you're not doing something yourself. It's not hard to see what's causing it.
Article C3819 - July 26, 2009
I'm not seeing that the main procmon window is automatically filtering the data it displays to only include accesses of the file that you want to understand more about (the one that appears in the File Summary tool window -- I've double clicked it or various others with no change to the main procmon window). I've started and exited procmon 3-4 times, cleared data, CNTL+E toggled, etc but no joy. Still a great tool and appreciate the tip, Leo!
Posted by: Steve at July 28, 2009 9:40 AMI know I"m a dummy,but once I know what's running and hogging my computer... what do I do with the information. What action do I take to resolve this activity?
29-Jul-2009
Posted by: Paul Hayes at July 28, 2009 11:20 AM
Depends on what is running at the background. Indexing service for example (usually shown as "svchost.exe", but there may be more of these running at the same time for different services) may be running all the time. You can stop or postpone that activity, since it slows down the pc. However a programme running "real time" at the background may also be a reason.
Posted by: lrk at July 28, 2009 4:09 PMYou need to find out first what is running.
I had a similar problem recently. The hard drive activity light was constantly on and all my drive names changed to unreadable garbage. There were two files that were created. One was called folder.exe and another file that I cant recall. There was also another exe file in the startup folder under the all users account that seemed to trigger it. I had to use a Bart PE disk to boot the machine and delete the files and the problem stopped.
Posted by: david waiters at July 28, 2009 5:42 PMJust an addition to this great post-
The Sysinternals Troubleshooting Utilities have been rolled up into a single Suite of tools.
This file contains the individual troubleshooting tools and help files. Process Monitor / Explorer are included with 60+ more Sysinternals Utilities.
Many seem to be for uber-geeks only, but that describes many of us! 9.0 MB download, not too shabby.
Have fun, and please comment Leo! Your opinion is law with me! Thanks much! Link below.
John N.
SYSINTERNALS
Posted by: John N. at July 29, 2009 1:08 AMCorrection to my first post. Sorry, I think I forgot a " in my html:( I'll use both this time!
Sysinternals>
http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx
Posted by: John N. at July 29, 2009 1:15 AMGreat tool, and results really interesting and somewhat confusing. It seems my printer is doing a ton of 'work', even when it is not on or in use. Tons of 'create file, lock file, query standard information file, read file, write file, set end of file information file,unlock file single, close file, and then it starts all over again with create file...Why would it be doing this if its not in use or even on?? And how do I(or should I) stop this?
Posted by: Jane B. at July 29, 2009 11:55 AM-had similar problem, but it stopped when linux replaced xp. the all-knowing lads on soundbytes radio prog nailed it: a corrupt FAT32 volume
Posted by: dar at July 29, 2009 4:48 PMExtended Task Manager by Extendsoft (free) works better and easier for me.
http://www.extensoft.com/?p=home
http://www.extensoft.com/?p=free_task_manager
Posted by: Dennis at August 2, 2009 6:04 AM