Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

I Have Constant Disk Activity and I Don’t Know Why. How Can I Tell What Program Is Doing It?

My machine has a constant red LED, constant disk activity, no response from mouse, Task Manager, not able to gain control of any processes or programs. Problem is, I have had Process Explorer (boot) running and it shows +-98% inactive!!! I am unable to see what is causing me the problem (using Admin. Tools Events etc. when I look at various categories).

Obviously, something appears to be running outside of Windows XP Pro SP.3. Unfortunately, I am unable to find and DESTROY it.

One thing I can tell you is, it’s not outside of Windows. Your assumption that CPU usage is telling you something is incorrect.

In the past, I’ve recommended a tool called FileMon to determine what’s been writing to your disk. FileMon has been replaced by a significantly more powerful utility, Process Monitor.

We’ll look at using Process Monitor to see if we can determine just exactly who’s doing what to your machine.

Become a Patron of Ask Leo! and go ad-free!

CPU usage

Let’s start by clarifying the CPU-usage issue. It’s quite possible for your CPU to be doing “nothing” while your disk thrashes. The CPU is much faster than the disk, which means it’s actually spending most of its time waiting for the disk to read or write data. For a CPU, “waiting”  means “doing nothing,” which in Process Explorer is considered idle. 98% idle makes total sense, even if the disk is thrashing as you describe. -2% CPU usage or even much less is plenty to keep the disk busy.

When it comes to disk activity, you can pretty much ignore CPU usage. It’s not really telling you anything valuable.

Process Monitor

To figure out what’s really going on, we’re going to start by downloading a powerful (if extremely geeky) utility called Process Monitor, or “procmon” (not to be confused with another great utility, Process Explorer, or “procexp”).

Procmon allows us to monitor almost all of the activity of processes running on your machine, including who’s accessing the disk.

After downloading and running procmon, it’ll start collecting data immediately:

Process Monitor Initial Screen

Press CTRL+E to stop the data collection for now.

Make sure that Enable Advanced Output is not checked on the Filter menu.

Process Monitor Filter menu

Unlike Process Explorer, which simply shows you process information in relatively real time, Process Monitor works by collecting data for a period of time and then gives you various tools to review and analyze the data collected.

Running Procmon

Because Process Monitor automatically begins collecting data once you run it, all you need to do is start it. If your concern is a start-up problem, you could include it at Windows Startup time by simply adding it to the Startup sub menu.

After procmon has run “a while,” collecting data during the behavior you’re concerned about, click it, and once again, press CTRL+E to stop data collection.

Process Monitor disconnecting after data collection

Rather than trying to analyze the raw data (which you’re more than welcome to do), Procmon includes a couple of handy summarization tools.

Process Monitor Tools menu

Click File Summary…  for a report of the file I/O activity within the recorded data.

Process Monitor file summary

The default is sorted by “Total Events.” Scroll the data to the left to see the rightmost Path column (which you can also widen by grabbing its right-most column header bar and dragging right).

Process Monitor file summary showing Path

In this case, you can see that “C\:WINDOWS\system32\config\system.LOG” was the most-accessed file during this capture (taken when I logged into this machine).

You can also sort by any of the other column headers in the file summary dialog so as to see which file took the most time, had the most reads or writes, or did any of several other activities. I would assume that a for simple “Why is my disk thrashing?” analysis, the default “Total Events” is likely to be the best place to start.

Once you’ve identified a file you want to understand more about, double-click it, and the main procmon window will automatically filter the data to include only accesses of that file. For example, I’ve double-clicked on that “system.LOG” file here.

Process Monitor showing only specific file access

Now, we can see that. at least initially. the process in question was “services.exe.” Double-click any line there and you’ll get more detailed information about that specific event and the process that caused it.

Process Monitor showing details of a specific file access

Of course, our old friend Process Explorer is still valuable, as it will tell us even more about the specific process that we’ve located, such as any Windows Services that it might be providing.

An Active Hard DIsk What happens next depends on what you’ve found. Process Monitor (and Process Explorer) won’t fix anything – they’re both tools to help you answer “what’s happening?” with additional data that might help you also learn why.

In case you haven’t noticed, Process Monitor is very powerful and somewhat complex. But the basic “capture and filter” scenario I’ve outlined above will get you 90% of the information that most people might want to see.

If you’re at all interested in diving deeper, make sure to check out the Help information that comes with Procmon and spend a little time exploring its features.

Me? I’ve only skimmed the surface.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

33 comments on “I Have Constant Disk Activity and I Don’t Know Why. How Can I Tell What Program Is Doing It?”

  1. I’m not seeing that the main procmon window is automatically filtering the data it displays to only include accesses of the file that you want to understand more about (the one that appears in the File Summary tool window — I’ve double clicked it or various others with no change to the main procmon window). I’ve started and exited procmon 3-4 times, cleared data, CNTL+E toggled, etc but no joy. Still a great tool and appreciate the tip, Leo!

    • > I’ve started and exited procmon 3-4 times, cleared data, CNTL+E toggled, etc but no joy.
      > Still a great tool

      What is great about it? It’s helped you zero.

      • He can see the value of the tool even if it didn’t immediately solve this immediate problem. It is an extremely powerful utility and techies tend to see possibilities in things they learn about that may not immediately apply to the problem at hand. It can get distracting sometimes but it’s a component at least behind the essence of engineering

  2. I know I”m a dummy,but once I know what’s running and hogging my computer… what do I do with the information. What action do I take to resolve this activity?

    Unfortunately there’s no single answer to that since it depends on what you find. It could be a program you no longer need, or it could be more data that you would take to research on the internet, or or it could be an “ah ha” moment where it turns out to be correct behaviour.


  3. Depends on what is running at the background. Indexing service for example (usually shown as “svchost.exe”, but there may be more of these running at the same time for different services) may be running all the time. You can stop or postpone that activity, since it slows down the pc. However a programme running “real time” at the background may also be a reason.
    You need to find out first what is running.

  4. I had a similar problem recently. The hard drive activity light was constantly on and all my drive names changed to unreadable garbage. There were two files that were created. One was called folder.exe and another file that I cant recall. There was also another exe file in the startup folder under the all users account that seemed to trigger it. I had to use a Bart PE disk to boot the machine and delete the files and the problem stopped.

  5. Just an addition to this great post-

    The Sysinternals Troubleshooting Utilities have been rolled up into a single Suite of tools.
    This file contains the individual troubleshooting tools and help files. Process Monitor / Explorer are included with 60+ more Sysinternals Utilities.
    Many seem to be for uber-geeks only, but that describes many of us! 9.0 MB download, not too shabby.
    Have fun, and please comment Leo! Your opinion is law with me! Thanks much! Link below.
    John N.


  6. Great tool, and results really interesting and somewhat confusing. It seems my printer is doing a ton of ‘work’, even when it is not on or in use. Tons of ‘create file, lock file, query standard information file, read file, write file, set end of file information file,unlock file single, close file, and then it starts all over again with create file…Why would it be doing this if its not in use or even on?? And how do I(or should I) stop this?

  7. -had similar problem, but it stopped when linux replaced xp. the all-knowing lads on soundbytes radio prog nailed it: a corrupt FAT32 volume

  8. I’m disappointed, maybe the link to sysinternals it’ll prove more help. This article doesnt tell us anything some common causes of the problem. malware, a corrupt volume from not shutting down? why does the “system sometimes write feverishly? more importantly,
    what can you do about it? can you schedule it? reduce it? stop it? How long will it continue? How do you know it its a virus? If its nececesary? I realize the answers maybe complex, but thats why we are looking for someone to uravel the complexity.All I learned was the system might be writing log files, I can get the names and look them up myself, but THATs what I was doing when I came here! I see a lot of “instructions for the comments” you probably get people coming here at their worst, p. o.’d at having their system hyjacked and wanting to know, what to do. That services.exe is running doesn’t answer the important questions. But its a start!

    • Honestly you’ll need a pretty deep understanding to figure this out most of the time unless there are some obvious clues that tie into obvious or current problems, like “Ever since I installed this security update my machine is slow” or “My antivirus software expired and said it will function but no longer will be up to date so I bought another one” (did you remove the old one?). ProcMon is going to give you valuable information. “AutoRuns,” another SysInternals utility, is amazing for finding every possible place where a “resident” or “Auto-Launch” program might be running — Services, Scheduled Tasks, the “AT” command which is another source of scheduled tasks, Registry “Run” values, etc.

      The simplest thing is to see if you have at least 20% free disk space, turning off your resident antivirus helps (this is not a solution, it’s getting the right information, like maybe your antivirus sucks), closing everything in your system tray, start killing things in Task Manager. What’s the worst that can happen? When I want to play games on my machine I end up killing almost everything and there are tools that do it for you.

      Not much can go wrong killing processes on your home computer to be honest; just reboot that sucker. And home users need to be backing up and doing the brain dead easy things you can simply buy without thinking about in order to lower the stakes of exploring their computer’s internals (but not acting like a bonehead on the internet).

  9. super “services.exe” is using the disk. What does that tell us? Nothing. About half the services on the pc are running under that context. terrible article.

    • Uhm, it tells you that a service is probably to blame rather than a random resident task, and there’s a huge difference. So go stop some services…see what happens. You can teach a man to fish, but do you need to teach him how to butcher it and eat it too?

  10. Yep. Procmon told me the APC PowerChute program was busily logging data, and Macrium Reflect was disk-mumbling about image mounting. I stopped those services, and the computer is still running! I do wish programmers would grasp the concept that disk IO is not free. Maybe APC and Macrium will buy me a new disk when mine fails…

  11. It’s too late for Dar but I believe they could have either saved their OS without too much trouble by using the usual Windows utilities. It seems that if you want to use Linux etc you are going to find an excuse anyway. To each his own but why throw the horse out if a cart wheel is broken?

  12. Yes, a program to monitor what the computer is doing is a very useful tool. I have used ‘What’s My Computer Doing’ quite successfully. It is very easy to use and easy to see the pedigree of each program and terminate it if it would appear to not cause havoc in doing so. I suggest you recommend it as an alternative – or try it for yourself if you are not familiar with it.

  13. I’m running XP Home. I’ve had the same problem, hard drive using up computer assets and slowing it to a crawl. for a couple of weeks now. It’s going to take me some time to read and digest this weeks “Ask Leo.” Task Mgr tells me the culprit is Windows Explorer with, at times, CPU usage in the 70’s. I have been able to slow down the usage by putting a disk in one of my drives clicking on Windows Explorer and sending it to to the disk. Also, after I save and close all my work, I terminate “explorer.exe” for several seconds, losing all the icons from the desk top, I use file, new task, ‘explorer.exe’, which gets my icons back, low, 2 to 5, CPU usage and memory a shadow of its’ former self. This gives me a reasonably fast computer for 30 minutes or so. It’s going to rain, here in NY, this afternoon so I’ll have time to work on this problem then. PS; I’m a 1950 grad of Bothell HS… Hop.

    • Have you tried Checkdisk, Mr Hoppe? I have experienced Windows Explorer high CPU and a very slow computer when there is file corruption; you might get some relief by closing Explorer, but the problem may begin again when a bad file is accessed.
      Happy 10th anniversary, Leo!

  14. Windows Defender, turned it off and no more 100% Disk usage, Defender id De-fective, get a third party antivirus, much better off, solved my problem

  15. For Jane, Do you have an HP printer with wireless? Is it off. The computer is trying to establish communications with it. I’ve seen this on several customer’s machines. The CPU usage is so great that the cursor just becomes unmovable for several seconds, or the little circle thing goes around for a while. Very annoying. This should not happen if the printer is on. Off the top of my head, that’s about all I can offer.

    HPs can be very problematic, with their huge bloated software. It installs loads of stuff one never uses.

  16. The ‘culprit’ usually turns out to be Windows itself .. specifically the well hidden and carefully missnamed ‘EnableAutoLayout’ registry key which is ‘Microsoft talk’ for “shuffle the contents of the hard drive around in an effort to speed up the boot sequence – and do this when ‘idle’ so the drives never get to power down”. Set the key ‘disabled’ and the constant disk accessing should stop ..

    System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Value Name: EnableAutoLayout
    Data Type: REG_DWORD (DWORD Value)
    Value Data: (0 = disabled, 1 = enabled)

  17. After a lot of heartache, your instruction on how to use Procmon has solved a problem I have lived with for weeks. My computer was running very slowly and taking ages to shut down. A computer pro wanted to re-install Vista but I didn’t want to undertake the massive task of re-installing all the past 3 years of updates without investigating other options. Using Procmon and following your instructions I identified a program I used for continuous backup of my system as being the problem. After deleting all relative programs the system is now running normally. Thank you for making a seemingly difficult problem easy to solve

  18. So what if this thrashing occurs during installation of Windows? How can you identify the culprit? Nothing is installed yet. Three additional drives with data.

    • Seems like installing Windows would be pretty disk intensive. I’d only worry if it doesn’t top afterwards.

  19. I had this problem and tried these and other tools to track down the problem without success. Then I discovered I was missing the NVIDIA AHCI driver. After I installed it everything was back to normal. So if you have AHCI enabled in the BIOS make sure you have the right driver installed.

  20. Leo,

    Came across this article through a web search trying to figure out which process\user was filling up a log file on a dev web server. Was able to find out in just a few minutes after reading this, I now have a valuable tool in my tool belt. Thank you sir.

  21. In my case with HD activity constrant and prior dual-core CPU at 100%. I got a quad processor and that helped but I was stuck at 3.2Gb memory with a 32bit Windows system. Got the Windows 10 upgrade, still same trouble, CPU running fine, but 100% hard-drive activity taking very long time to settle. My system info described as 64bit cpu and 32 bit motherboard. I checked my system specs since I knew I had a 64bit cpu running and found out my board also supports 64bit OS. By coincidense I was trying to reinstall 32 bit Windows 10 due to some update issue, decided to reinstall from scratch (had files backed up) and found out that I could get a 64BIT Windows 10 Pro OS. Downloaded, installed and everything came up to snuff also because I had 8gb to use as well and finally broke the 4gb barrier. My point in my case is I was able to get 8gb memory and 64bit Windows system running on what once was hampered by 32 bit Windows with 4gb memory OS. That overall solved my hard-drive activity problem. Not perfect but much better.

    • 32 bit Windows only allows you to use 4GB of RAM. Upgrading to 64 bit allows you to use all of the installed RAM. When you don’t have enough RAM to run programs, the hard drive is used to take up the slack.


Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.