Unexplained disk activity turns out to be fairly easy to identify with the right tools. We'll use Process Monitor to track down disk activity.
Obviously, something appears to be running outside of Windows XP Pro SP.3. Unfortunately, I am unable to find and DESTROY it.
One thing that I can tell you is that it’s not outside of Windows. The assumption that you have that the CPU usage is telling you something is incorrect.
In the past, I’ve recommended a tool called FileMon to determine what’s been writing to your disk. FileMon has been replaced by a significantly more powerful utility, Process Monitor.
We’ll look at using Process Monitor to see if we can determine just exactly who’s doing what to your machine.
Let’s start by clarifying the CPU-usage issue. It’s quite possible for your CPU to be doing “nothing” while your disk thrashes. The CPU is much faster than the disk – which means that it’s actually spending most of its time waiting for the disk to read or write data. For a CPU, “waiting” means “doing nothing,” which in Process Explorer is considered idle. 98% idle makes total sense even if the disk is thrashing as you describe. – 2% CPU usage or even much less is plenty to keep the disk busy.
When it comes to disk activity, you can pretty much ignore CPU usage. It’s not really telling you anything valuable.
To figure out what’s really going on, we’re going to start by downloading a powerful (if extremely geeky) utility called Process Monitor, or “procmon” (not to be confused with another great utility Process Explorer or “procexp”).
Procmon allows us to monitor almost all of the activity of processes running on your machine, including who’s accessing the disk.
After downloading and running procmon, it’ll start collecting data immediately:
Press CTRL+E to stop the data collection for now.
Make sure that Enable Advanced Output is not checked on the Filter menu:
Unlike Process Explorer, which simply shows you process information in relatively real time, Process Monitor works by collecting data for some period of time, and then after you stop, it gives you various tools to review and analyze the data collected.
Because Process Monitor automatically begins collecting data once you run it, all you need to do is start it. If your concern is a startup problem, you could include it at Windows Startup time by simply adding it to the Startup sub menu.
After procmon has run “a while,” collecting data during the behavior that you’re concerned about, click it and once again, press CTRL+E to stop data collection.
Rather than trying to analyze the raw data (which you’re more than welcome to do), Procmon includes a couple of handy summarization tools.
Click File Summary… It gives you a report of the file I/O activity within the recorded data:
The default is sorted by “Total Events.” Scroll the data to the left to see the rightmost Path column (which you can also widen by grabbing its right-most column header bar and dragging right).
In this case, you can see that “C\:WINDOWS\system32\config\system.LOG” was the most accessed file during this capture taken when I logged into this machine.
You can also sort by any of the other column headers in the file summary dialog so as to see which file took the most time, had the most reads or writes, or did any of several other activities. I would assume that a for simple “Why is my disk thrashing?” analysis, the default “Total Events” is likely to be the best place to start.
Once you’ve identified a file that you want to understand more about, you can double-click it and the main procmon window will automatically filter the data that it displays to only include accesses of that file. For example, I’ve double-clicked on that “system.LOG” file here:
Now, we can see that at least initially the process in question was “services.exe.” Double-click any line there and you’ll get more detailed information about that specific event and the process that caused it:
Of course, our old friend Process Explorer is still valuable, as it will tell us even more about the specific process that we’ve located, such as any Windows Services that it might be providing.
What happens next depends on what you’ve found. Process Monitor (and Process Explorer) won’t fix anything – they’re both tools to help you answer the common question of “what’s happening?” with additional data that might help you also know why.
In case you haven’t noticed, Process Monitor is very powerful and somewhat complex. But the basic “capture and filter” scenario that I’ve outlined above will get you 90% of the information that most people might want to see.
If you’re at all interested in diving deeper, make sure to check out the Help information that comes with Procmon and spend a little time exploring its features.
Me? I’ve only skimmed the surface.