What to do if your hard disk is unexpectedly thrashing.
Thrashing — excessive disk activity — can happen for many reasons. The most common resource hogs are security tools, Windows Restore, or the system indexing service, if it’s enabled.
To find out what’s happening in your system, we’ll use a fairly powerful system monitoring tool called Procmon.
Using a free Windows Sysinternals Suite tool called Process Monitor, you can examine exactly what programs are accessing your disk and what files they’re reading and writing. With that information in hand, you can decide if the program(s) are expected or if you need to take action.
Process Monitor, or simply Procmon, is a free tool included in the Windows SysInternals Suite from Microsoft. (Don’t confuse it with Process Explorer, a different tool in the suite I often recommend as well.) It’s a very sophisticated system monitoring tool that works by:
- Collecting data called “events” while your system runs, presumably while you’re experiencing whatever you’re attempting to understand.
- Allowing you to examine the individual events.
- Summarizing the event data in useful ways.
It’s that last feature we’ll focus on here.
After installing the Sysinternals Suite, you’ll find Process Monitor in your “All apps” Start Menu.
Since there are several Sysinternals tools, you’ll need to scroll down to locate Process Monitor.
Click on it to run it.
You may be asked to confirm UAC. Click Yes. You may also be prompted with a “Process monitor filter” dialog saying you had filters on the last time you ran it. Ignore that for now; just click OK.
Process Monitor will start monitoring processes.
When you run Process Monitor, it’ll start recording things and displaying them in its windows. By default, it monitors a lot, and will probably surprise you with all the items scrolling by at a fast clip.
As long as the disk isn’t thrashing (it’s possible that it’s not even being hit at this point), it’s all quite normal. Let Process Monitor run.
As soon as you hear or see your hard disk thrashing when you think it shouldn’t be, let it run for a few more seconds and then press CTRL+E in Process Monitor to stop the capture.
If you like, you can scroll through the events to see what’s happening, but I have two better solutions.
Filter the results
Process Monitor has several ways to filter the results down to only the things you care about. One of the simplest is right on the toolbar.
Each button enables the display of a class of Process Monitor events. From left to right, they represent:
The one we care about for our purposes here is “File System activity” because we want to know what’s hitting the disk so hard. Since all five are selected by default, click on the other filter buttons until only File System activity remains selected.
The list of events is filtered to show only disk activity. You can scroll up and down this list to see what programs are accessing your disk(s), and what files they’re reading or writing to.
In the example above, it’s all about “MsMpEng.exe” (Microsoft Malware Protection Engine), which is a component of Windows Security. In other words, it’s probably just the security software scanning files on my hard disk.
Summarize the results
Click the Tools menu and then the File Summary… item. This gives you a report of the file I/O activity (input/output operations) within the recorded data.
In the example above, I’ve made the window wider (by clicking and dragging its right edge), and made the “Path” column wider (by clicking and dragging its header’s right-hand divider).
The default is sorted by Total Events. You can sort by any of the other column headers in the File Summary dialog, so you can see which file took the most time, had the most reads or writes, or any of several other activities. I assume that for a simple “Why is my disk thrashing?” analysis, the default “Total Events” is the best place to start.
In the example above, sorting by “Read Bytes” shows that several “.dll” files were responsible for most of the disk-read activity for the duration of the recorded events. If I sort by “Write Bytes”, we see that a Windows Defender file is being written to.
It’s important to note that this summary is a summary of all recorded events. If your disk thrashing represents only the last few seconds of a large amount of data, a summary might not show it as clearly.
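One way around that limitation, as an added example that is not part of the original article: save the capture as CSV (File > Save in Process Monitor) and summarize only the last few seconds of file reads and writes. The script assumes the default export columns and the usual “Length: 4,096” form in the Detail column; the sample rows, paths, and PIDs are constructed.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample shaped like a Procmon CSV export (default columns assumed).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.1000000 AM","SearchIndexer.exe","2100","ReadFile","C:\Users\me\notes.txt","SUCCESS","Offset: 0, Length: 4,096, Priority: Normal"
"10:15:02.2000000 AM","SearchIndexer.exe","2100","ReadFile","C:\Users\me\notes.txt","SUCCESS","Offset: 4,096, Length: 4,096, Priority: Normal"
"10:15:03.3000000 AM","SearchIndexer.exe","2100","ReadFile","C:\Users\me\notes.txt","SUCCESS","Offset: 8,192, Length: 4,096, Priority: Normal"
"10:15:57.0000000 AM","MsMpEng.exe","3320","ReadFile","C:\Windows\System32\example.dll","SUCCESS","Offset: 0, Length: 1,048,576, Priority: Normal"
"10:15:58.5000000 AM","MsMpEng.exe","3320","ReadFile","C:\Windows\System32\example.dll","SUCCESS","Offset: 1,048,576, Length: 1,048,576, Priority: Normal"
"10:15:59.0000000 AM","MsMpEng.exe","3320","WriteFile","C:\ProgramData\example\scan.log","SUCCESS","Offset: 0, Length: 65,536, Priority: Normal"
"10:16:00.0000000 AM","MsMpEng.exe","3320","CloseFile","C:\ProgramData\example\scan.log","SUCCESS",""
'''

TIME_RE = re.compile(r"(\d+):(\d+):(\d+)\.(\d+)\s*(AM|PM)?", re.I)
LEN_RE = re.compile(r"Length:\s*([\d,]+)")

def seconds_of_day(text):
    """Parse '10:15:01.1000000 AM' (or 24-hour time) into seconds since midnight."""
    h, m, s, frac, ampm = TIME_RE.match(text.strip()).groups()
    h = int(h)
    if ampm:
        h = h % 12 + (12 if ampm.upper() == "PM" else 0)
    return h * 3600 + int(m) * 60 + int(s) + float("0." + frac)

def summarize_tail(csv_text, window_s=5.0):
    """Per (process, path) totals for reads/writes in the last window_s seconds.
    Assumes the capture does not cross midnight."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text))
            if r["Operation"] in ("ReadFile", "WriteFile")]
    if not rows:
        return []
    end = max(seconds_of_day(r["Time of Day"]) for r in rows)
    totals = defaultdict(lambda: [0, 0, 0])  # events, read bytes, write bytes
    for r in rows:
        if end - seconds_of_day(r["Time of Day"]) > window_s:
            continue
        m = LEN_RE.search(r["Detail"])
        size = int(m.group(1).replace(",", "")) if m else 0
        t = totals[(r["Process Name"], r["Path"])]
        t[0] += 1
        t[1 if r["Operation"] == "ReadFile" else 2] += size
    out = [(proc, path, *t) for (proc, path), t in totals.items()]
    return sorted(out, key=lambda x: x[3] + x[4], reverse=True)

if __name__ == "__main__":
    for row in summarize_tail(SAMPLE_CSV):
        print(row)
```

For a real export, read the file with `encoding="utf-8-sig"` and pass its text to `summarize_tail`.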
Whether you look at the activity by time, by filtering the results, or by the files being accessed in the summary, you can gather clues as to what might be responsible for the disk activity you’re seeing.
The next question is: is it expected? Is it the result of the system operating as it should, or is it a sign of a problem?
You may recognize a process — perhaps your anti-malware tools, perhaps the system indexing service, perhaps something else you recognize — and be able to say, “Oh, it’s that,” and take no further action.
You might also decide that whatever is running is unwanted, and work through the steps to turn it off or remove it. Exactly what those steps are, of course, depends on exactly who the culprit turns out to be.
In the meantime, you also now have a new tool in your tool belt: Process Monitor. Feel free to explore some of the other filters and information it can gather for you about your system and how it operates.