I have constant disk activity and I don’t know why. How can I tell what program is doing it?

Unexplained disk activity turns out to be fairly easy to identify with the right tools. We'll use Process Monitor to track down disk activity.

My machine has a constant red LED, constant disk activity, no response from mouse, Task Manager, not able to gain control of any processes or programs. Problem is, I have had Process Explorer (boot) running and it shows +-98% inactive!!! I am unable to see what is causing me the problem (using Admin. Tools Events etc. when I look at various categories).

Obviously, something appears to be running outside of Windows XP Pro SP.3. Unfortunately, I am unable to find and DESTROY it.

One thing that I can tell you is that it’s not outside of Windows. The assumption that you have that the CPU usage is telling you something is incorrect.

In the past, I’ve recommended a tool called FileMon to determine what’s been writing to your disk. FileMon has been replaced by a significantly more powerful utility, Process Monitor.

We’ll look at using Process Monitor to see if we can determine just exactly who’s doing what to your machine.

CPU usage

Let’s start by clarifying the CPU-usage issue. It’s quite possible for your CPU to be doing “nothing” while your disk thrashes. The CPU is much faster than the disk – which means that it’s actually spending most of its time waiting for the disk to read or write data. For a CPU, “waiting” means “doing nothing,” which in Process Explorer is considered idle. 98% idle makes total sense even if the disk is thrashing as you describe; 2% CPU usage, or even much less, is plenty to keep the disk busy.

When it comes to disk activity, you can pretty much ignore CPU usage. It’s not really telling you anything valuable.

Process Monitor

To figure out what’s really going on, we’re going to start by downloading a powerful (if extremely geeky) utility called Process Monitor, or “procmon” (not to be confused with another great utility Process Explorer or “procexp”).

Procmon allows us to monitor almost all of the activity of processes running on your machine, including who’s accessing the disk.

After downloading and running procmon, it’ll start collecting data immediately:

Process Monitor Initial Screen

Press CTRL+E to stop the data collection for now.

Make sure that Enable Advanced Output is not checked on the Filter menu:

Process Monitor Filter menu

Unlike Process Explorer, which simply shows you process information in relatively real time, Process Monitor works by collecting data for some period of time, and then after you stop, it gives you various tools to review and analyze the data collected.

Running Procmon

Because Process Monitor automatically begins collecting data once you run it, all you need to do is start it. If your concern is a startup problem, you could include it at Windows startup time by simply adding it to the Startup submenu.

After procmon has run “a while,” collecting data during the behavior that you’re concerned about, click on it and, once again, press CTRL+E to stop data collection.

Process Monitor disconnecting after data collection

Rather than trying to analyze the raw data (which you’re more than welcome to do), Procmon includes a couple of handy summarization tools.

Process Monitor Tools menu

Click File Summary… It gives you a report of the file I/O activity within the recorded data:

Process Monitor file summary

The default is sorted by “Total Events.” Scroll the data to the left to see the rightmost Path column (which you can also widen by grabbing its right-most column header bar and dragging right).

Process Monitor file summary showing Path

In this case, you can see that “C:\WINDOWS\system32\config\system.LOG” was the most accessed file during this capture, taken when I logged into this machine.

You can also sort by any of the other column headers in the file summary dialog so as to see which file took the most time, had the most reads or writes, or did any of several other activities. I would assume that for a simple “Why is my disk thrashing?” analysis, the default “Total Events” is likely to be the best place to start.

Once you’ve identified a file that you want to understand more about, you can double-click it and the main procmon window will automatically filter the data that it displays to only include accesses of that file. For example, I’ve double-clicked on that “system.LOG” file here:

Process Monitor showing only specific file access

Now, we can see that at least initially the process in question was “services.exe.” Double-click any line there and you’ll get more detailed information about that specific event and the process that caused it:

Process Monitor showing details of a specific file access

Of course, our old friend Process Explorer is still valuable, as it will tell us even more about the specific process that we’ve located, such as any Windows Services that it might be providing.
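As an added example (not part of the original article), here is the same “which file, then which process” drill-down scripted in Python against a CSV export of a Procmon capture (File > Save, CSV format). The sample rows are constructed to mimic Procmon’s default export columns, and the column names assume that default layout.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample of a Procmon CSV export (default columns). Not real capture data.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.0000001 AM","services.exe","656","CreateFile","C:\WINDOWS\system32\config\system.LOG","SUCCESS","Desired Access: Generic Write"
"9:01:02.0000002 AM","services.exe","656","WriteFile","C:\WINDOWS\system32\config\system.LOG","SUCCESS","Offset: 0, Length: 4,096"
"9:01:02.0000003 AM","services.exe","656","WriteFile","C:\WINDOWS\system32\config\system.LOG","SUCCESS","Offset: 4,096, Length: 4,096"
"9:01:02.0000004 AM","services.exe","656","CloseFile","C:\WINDOWS\system32\config\system.LOG","SUCCESS",""
"9:01:02.0000005 AM","svchost.exe","1040","ReadFile","C:\WINDOWS\system32\config\system.LOG","SUCCESS","Offset: 0, Length: 4,096"
"9:01:02.0000006 AM","explorer.exe","1512","ReadFile","C:\Documents and Settings\user\ntuser.dat","SUCCESS","Offset: 0, Length: 65,536"
"9:01:02.0000007 AM","explorer.exe","1512","QueryStandardInformationFile","C:\Documents and Settings\user\ntuser.dat","SUCCESS",""
'''

def parse_procmon_csv(text):
    """Return one dict per event, keyed by the export's header names."""
    return list(csv.DictReader(io.StringIO(text)))

def io_length(detail):
    """Byte count from a Detail field such as 'Offset: 0, Length: 4,096' (0 if absent)."""
    m = re.search(r"Length: ([\d,]+)", detail or "")
    return int(m.group(1).replace(",", "")) if m else 0

def file_summary(events):
    """Per-path totals like Tools > File Summary, sorted by Total Events (descending)."""
    summary = defaultdict(lambda: {"total": 0, "reads": 0, "writes": 0, "bytes": 0})
    for ev in events:
        row = summary[ev["Path"]]
        row["total"] += 1
        if ev["Operation"] == "ReadFile":
            row["reads"] += 1
            row["bytes"] += io_length(ev["Detail"])
        elif ev["Operation"] == "WriteFile":
            row["writes"] += 1
            row["bytes"] += io_length(ev["Detail"])
    return sorted(summary.items(), key=lambda kv: kv[1]["total"], reverse=True)

def processes_for_path(events, path):
    """The double-click drill-down: which process (and PID) generated events on this path."""
    hits = Counter(f'{ev["Process Name"]} ({ev["PID"]})' for ev in events if ev["Path"] == path)
    return hits.most_common()

if __name__ == "__main__":
    events = parse_procmon_csv(SAMPLE_CSV)
    ranked = file_summary(events)
    for path, s in ranked:
        print(f'{s["total"]:>5} events {s["reads"]:>3} reads {s["writes"]:>3} writes {s["bytes"]:>8} bytes  {path}')
    busiest = ranked[0][0]
    print(f"\nProcesses touching {busiest}:")
    for proc, n in processes_for_path(events, busiest):
        print(f"  {n:>4}  {proc}")
```

On a real export, replace SAMPLE_CSV with the contents of the saved file; the byte totals come only from ReadFile and WriteFile events, which is what matters when the question is who is keeping the disk busy.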

An Active Hard Disk

What happens next depends on what you’ve found. Process Monitor (and Process Explorer) won’t fix anything – they’re both tools to help you answer the common question of “what’s happening?” with additional data that might help you also know why.

In case you haven’t noticed, Process Monitor is very powerful and somewhat complex. But the basic “capture and filter” scenario that I’ve outlined above will get you 90% of the information that most people might want to see.

If you’re at all interested in diving deeper, make sure to check out the Help information that comes with Procmon and spend a little time exploring its features.

Me? I’ve only skimmed the surface.

This is an update to an article originally posted: July 26, 2009

There are 31 comments:

  1. Steve Reply

    I’m not seeing that the main procmon window is automatically filtering the data it displays to only include accesses of the file that you want to understand more about (the one that appears in the File Summary tool window — I’ve double-clicked it or various others with no change to the main procmon window). I’ve started and exited procmon 3-4 times, cleared data, CTRL+E toggled, etc but no joy. Still a great tool and appreciate the tip, Leo!

    • Carol Reply

      > I’ve started and exited procmon 3-4 times, cleared data, CNTL+E toggled, etc but no joy.
      > Still a great tool

      What is great about it? It’s helped you zero.

      • Andrew Jones Reply

        He can see the value of the tool even if it didn’t immediately solve this immediate problem. It is an extremely powerful utility and techies tend to see possibilities in things they learn about that may not immediately apply to the problem at hand. It can get distracting sometimes but it’s a component at least behind the essence of engineering.

  2. Paul Hayes Reply

    I know I’m a dummy, but once I know what’s running and hogging my computer… what do I do with the information? What action do I take to resolve this activity?

    Unfortunately there’s no single answer to that since it depends on what you find. It could be a program you no longer need, or it could be more data that you would take to research on the internet, or it could be an “ah ha” moment where it turns out to be correct behaviour.

    Leo
    29-Jul-2009

  3. lrk Reply

    Depends on what is running in the background. Indexing service for example (usually shown as “svchost.exe”, but there may be more of these running at the same time for different services) may be running all the time. You can stop or postpone that activity, since it slows down the PC. However a programme running “real time” in the background may also be a reason.
    You need to find out first what is running.

  4. david waiters Reply

    I had a similar problem recently. The hard drive activity light was constantly on and all my drive names changed to unreadable garbage. There were two files that were created. One was called folder.exe and another file that I can’t recall. There was also another exe file in the startup folder under the all users account that seemed to trigger it. I had to use a Bart PE disk to boot the machine and delete the files and the problem stopped.

  5. John N. Reply

    Just an addition to this great post-

    The Sysinternals Troubleshooting Utilities have been rolled up into a single Suite of tools.
    This file contains the individual troubleshooting tools and help files. Process Monitor / Explorer are included with 60+ more Sysinternals Utilities.
    Many seem to be for uber-geeks only, but that describes many of us! 9.0 MB download, not too shabby.
    Have fun, and please comment Leo! Your opinion is law with me! Thanks much! Link below.
    John N.

    SYSINTERNALS

  6. Jane B. Reply

    Great tool, and results really interesting and somewhat confusing. It seems my printer is doing a ton of ‘work’, even when it is not on or in use. Tons of ‘create file, lock file, query standard information file, read file, write file, set end of file information file, unlock file single, close file’, and then it starts all over again with create file… Why would it be doing this if it’s not in use or even on?? And how do I (or should I) stop this?

  7. dar Reply

    -had similar problem, but it stopped when Linux replaced XP. the all-knowing lads on soundbytes radio prog nailed it: a corrupt FAT32 volume

  8. steve sexauer Reply

    I’m disappointed; maybe the link to sysinternals will prove more help. This article doesn’t tell us anything about some common causes of the problem: malware, a corrupt volume from not shutting down? Why does the “system” sometimes write feverishly? More importantly,
    what can you do about it? Can you schedule it? Reduce it? Stop it? How long will it continue? How do you know if it’s a virus? If it’s necessary? I realize the answers may be complex, but that’s why we are looking for someone to unravel the complexity. All I learned was the system might be writing log files; I can get the names and look them up myself, but THAT’s what I was doing when I came here! I see a lot of “instructions for the comments”; you probably get people coming here at their worst, p. o.’d at having their system hijacked and wanting to know what to do. That services.exe is running doesn’t answer the important questions. But it’s a start!

    • Andrew Jones Reply

      Honestly you’ll need a pretty deep understanding to figure this out most of the time unless there are some obvious clues that tie into obvious or current problems, like “Ever since I installed this security update my machine is slow” or “My antivirus software expired and said it will function but no longer will be up to date so I bought another one” (did you remove the old one?). ProcMon is going to give you valuable information. “AutoRuns,” another SysInternals utility, is amazing for finding every possible place where a “resident” or “Auto-Launch” program might be running — Services, Scheduled Tasks, the “AT” command which is another source of scheduled tasks, Registry “Run” values, etc.

      The simplest thing is to see if you have at least 20% free disk space, turning off your resident antivirus helps (this is not a solution, it’s getting the right information, like maybe your antivirus sucks), closing everything in your system tray, start killing things in Task Manager. What’s the worst that can happen? When I want to play games on my machine I end up killing almost everything and there are tools that do it for you.

      Not much can go wrong killing processes on your home computer to be honest; just reboot that sucker. And home users need to be backing up and doing the brain dead easy things you can simply buy without thinking about in order to lower the stakes of exploring their computer’s internals (but not acting like a bonehead on the internet).

  9. Bill Reply

    Super, “services.exe” is using the disk. What does that tell us? Nothing. About half the services on the PC are running under that context. Terrible article.

    • Andrew Jones Reply

      Uhm, it tells you that a service is probably to blame rather than a random resident task, and there’s a huge difference. So go stop some services…see what happens. You can teach a man to fish, but do you need to teach him how to butcher it and eat it too?

  10. Ray Reply

    great article. found out Norton was thrashing the disk. thanx a lot.

  11. Giovanni Reply

    Leo,
    thanks a lot for the article.
    Precise and clean as usual !
    Always great stuff by your side.
    ciao

  12. Bob D Reply

    Yep. Procmon told me the APC PowerChute program was busily logging data, and Macrium Reflect was disk-mumbling about image mounting. I stopped those services, and the computer is still running! I do wish programmers would grasp the concept that disk IO is not free. Maybe APC and Macrium will buy me a new disk when mine fails…

  13. Steven Reply

    It’s too late for Dar but I believe they could have saved their OS without too much trouble by using the usual Windows utilities. It seems that if you want to use Linux etc you are going to find an excuse anyway. To each his own but why throw the horse out if a cart wheel is broken?

  14. Tony Kightley Reply

    Yes, a program to monitor what the computer is doing is a very useful tool. I have used ‘What’s My Computer Doing’ quite successfully. It is very easy to use and easy to see the pedigree of each program and terminate it if it would appear to not cause havoc in doing so. I suggest you recommend it as an alternative – or try it for yourself if you are not familiar with it.

  15. Gerald Hoppe Reply

    I’m running XP Home. I’ve had the same problem, hard drive using up computer assets and slowing it to a crawl, for a couple of weeks now. It’s going to take me some time to read and digest this week’s “Ask Leo.” Task Mgr tells me the culprit is Windows Explorer with, at times, CPU usage in the 70’s. I have been able to slow down the usage by putting a disk in one of my drives, clicking on Windows Explorer and sending it to the disk. Also, after I save and close all my work, I terminate “explorer.exe” for several seconds, losing all the icons from the desktop; I use File, New Task, ‘explorer.exe’, which gets my icons back, low, 2 to 5, CPU usage and memory a shadow of its former self. This gives me a reasonably fast computer for 30 minutes or so. It’s going to rain, here in NY, this afternoon so I’ll have time to work on this problem then. PS; I’m a 1950 grad of Bothell HS… Hop.

    • Bernard Winchester Reply

      Have you tried Checkdisk, Mr Hoppe? I have experienced Windows Explorer high CPU and a very slow computer when there is file corruption; you might get some relief by closing Explorer, but the problem may begin again when a bad file is accessed.
      Happy 10th anniversary, Leo!

  16. Joe Crisp Reply

    Windows Defender, turned it off and no more 100% disk usage. Defender is De-fective; get a third party antivirus, much better off, solved my problem

  17. Ron Reply

    For Jane, do you have an HP printer with wireless? Is it off? The computer is trying to establish communications with it. I’ve seen this on several customers’ machines. The CPU usage is so great that the cursor just becomes unmovable for several seconds, or the little circle thing goes around for a while. Very annoying. This should not happen if the printer is on. Off the top of my head, that’s about all I can offer.

    HPs can be very problematic, with their huge bloated software. It installs loads of stuff one never uses.
    Packrat1947

  18. SteveB Reply

    The ‘culprit’ usually turns out to be Windows itself .. specifically the well hidden and carefully misnamed ‘EnableAutoLayout’ registry key which is ‘Microsoft talk’ for “shuffle the contents of the hard drive around in an effort to speed up the boot sequence – and do this when ‘idle’ so the drives never get to power down”. Set the key ‘disabled’ and the constant disk accessing should stop ..

    System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout]
    Value Name: EnableAutoLayout
    Data Type: REG_DWORD (DWORD Value)
    Value Data: (0 = disabled, 1 = enabled)

  19. Covers Reply

    After a lot of heartache, your instruction on how to use Procmon has solved a problem I have lived with for weeks. My computer was running very slowly and taking ages to shut down. A computer pro wanted to re-install Vista but I didn’t want to undertake the massive task of re-installing all the past 3 years of updates without investigating other options. Using Procmon and following your instructions I identified a program I used for continuous backup of my system as being the problem. After deleting all relative programs the system is now running normally. Thank you for making a seemingly difficult problem easy to solve

  20. Lester Reply

    So what if this thrashing occurs during installation of Windows? How can you identify the culprit? Nothing is installed yet. Three additional drives with data.

    • Connie Delaney Reply

      Seems like installing Windows would be pretty disk intensive. I’d only worry if it doesn’t stop afterwards.

  21. Mike Reply

    I had this problem and tried these and other tools to track down the problem without success. Then I discovered I was missing the NVIDIA AHCI driver. After I installed it everything was back to normal. So if you have AHCI enabled in the BIOS make sure you have the right driver installed.

  22. David A Reply

    Leo,

    Came across this article through a web search trying to figure out which process\user was filling up a log file on a dev web server. Was able to find out in just a few minutes after reading this, I now have a valuable tool in my tool belt. Thank you sir.

  23. J Donner Reply

    Great work Leo, this will be useful for me for years to come!!
