Helping people with computers... one answer at a time.
Unexplained disk activity turns out to be fairly easy to identify with the right tools. We'll use Process Monitor to track down disk activity.
My machine has a constant red led, constant disk activity, no response from mouse, Task Manager, not able to gain control of any processes or programs. Problem is, I have had Process Explorer(boot) running and it shows +-98% inactive!!! I am unable to see what is causing me the problem (using Admin. Tools Events etc. when I look at various categories).
Obviously something appears to be running outside of Windows XP Pro SP.3. Unfortunately I am unable to find and DESTROY it.
•
One thing I can tell you is that it's not outside of Windows. The assumption that the CPU usage is telling you something is incorrect.
In the past we've used a tool called FileMon to determine what's been writing to your disk. FileMon has since been replaced by a significantly more powerful utility, Process Monitor.
We'll look at using Process Monitor to see if we can determine just exactly who's doing what to your machine.
•
I do want to start by clarifying the CPU usage issue. It's quite possible for your CPU to be doing "nothing" while your disk thrashes. The CPU is much faster than the disk - which means that it's actually spending most of its time waiting for the disk to read or write data. "Waiting", for a CPU, means "doing nothing", which in Process Explorer is "Idle". 98% idle makes total sense even if the disk is thrashing as you describe - 2% CPU usage, or even much less, is plenty to keep the disk busy.
When it comes to disk activity, you can pretty much ignore CPU usage. It's not really telling you anything valuable.
To figure out what's really going on, we're going to start by downloading a powerful, if extremely geeky, utility called Process Monitor, or "procmon" (not to be confused with another great utility Process Explorer, or "procexp").
Procmon allows us to monitor almost all the activity of processes running on your machine - including who's accessing the disk.
After downloading and running procmon, it'll start collecting data immediately:
Press CTRL+E to stop the data collection for now.
Make sure that Enable Advanced Output is not checked on the Filter menu:
Unlike Process Explorer, which simply shows you process information in relatively real time, Process Monitor works by collecting data for some period of time, and then after you stop, giving you various tools to review and analyze the data collected.
Since Process Monitor automatically begins collecting data when it's run, all you need to do is start it. If your concern is a startup problem, you could, for example, include it at Windows Startup time by simply adding it to the Startup sub menu.
After procmon has run "a while", collecting data during the behaviour you're concerned about, click on it and once again press CTRL+E to stop data collection.
Rather than trying to analyze the raw data, which of course you're more than welcome to do, Procmon includes a couple of handy summarization tools.
Click on File Summary... gives you a report of the file I/O activity within the recorded data:
The default is sorted by "Total Events". Scroll the data to the left to see the rightmost Path column (which you can also widen by grabbing its right-most column header bar and dragging right).
In this case you can see that "C:\WINDOWS\system32\config\system.LOG" was the most accessed file during this capture taken when I logged into this machine.
You can also sort by any of the other column headers in the file summary dialog so as to see which file took the most time, had the most Reads, Writes or any of several other activities. I would assume that for simple "why is my disk thrashing" analysis, the default "Total Events" is likely to be the best place to start.
Once you've identified a file that you want to understand more about, you can double click on it, and the main procmon window will automatically filter the data it displays to only include accesses of that file. For example, here I've double clicked on that "system.LOG" file:
Now we can see that at least initially the process in question was "services.exe". Double click on any line there and you'll get more detailed information about that specific event and the process that caused it:
Of course our old friend Process Explorer is still valuable, as it will tell us even more about the specific process we've located - such as any Windows Services it might be providing.
What happens next, of course, depends on what you've found. Process Monitor (and Process Explorer) won't fix anything - they're both tools to help you answer the common question "what's happening?", with additional data that might help you also answer "why?".
Process Monitor, in case you haven't noticed, is very powerful and somewhat complex. The basic "capture and filter" scenario that I've outlined above, though, will get you 90% of the information that most people might want to see.
If you're at all interested in diving deeper, make sure to check out the Help information that comes with Procmon, and spend a little time exploring its features.
Me? I've only skimmed the surface.
Article C3819 - July 26, 2009 « »
Leo A. Notenboom has been playing with computers since he
was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed.
After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers
to common computer and technical questions. More about Leo.
March 8, 2012 5:52 PM
I'm disappointed, maybe the link to sysinternals it'll prove more help. This article doesnt tell us anything some common causes of the problem. malware, a corrupt volume from not shutting down? why does the "system sometimes write feverishly? more importantly,
what can you do about it? can you schedule it? reduce it? stop it? How long will it continue? How do you know it its a virus? If its nececesary? I realize the answers maybe complex, but thats why we are looking for someone to uravel the complexity.All I learned was the system might be writing log files, I can get the names and look them up myself, but THATs what I was doing when I came here! I see a lot of "instructions for the comments" you probably get people coming here at their worst, p. o.'d at having their system hyjacked and wanting to know, what to do. That services.exe is running doesn't answer the important questions. But its a start!
April 27, 2012 9:29 AM
super "services.exe" is using the disk. What does that tell us? Nothing. About half the services on the pc are running under that context. terrible article.
July 27, 2012 4:18 AM
great article. found out Norton was thrashing the disk. thanx a lot.
December 9, 2012 10:48 AM
Leo,
thanks alot for the article.
Precise and clean as usual !
Always great stuff by your side.
ciao
April 2, 2013 12:09 PM
Yep. Procmon told me the APC PowerChute program was busily logging data, and Macrium Reflect was disk-mumbling about image mounting. I stopped those services, and the computer is still running! I do wish programmers would grasp the concept that disk IO is not free. Maybe APC and Macrium will buy me a new disk when mine fails...