Why, when I’m doing nothing at all, will my hard disk suddenly start thrashing?
It could be for many reasons. The most common are antivirus tools or the system indexing service, if it’s enabled.
To find out what’s happening on your system, we’ll use a fairly powerful system monitoring tool called Procmon.
Process Monitor, or simply Procmon, is a free tool that you can download from Microsoft. (It’s different from, and should not be confused with, Process Explorer.) It’s a very sophisticated system monitoring tool that works by:
- Collecting data, called “events”, while your system runs – presumably while you’re experiencing whatever it is that you’re attempting to understand.
- Allowing you to examine the individual events.
- Summarizing the event data in useful ways.
It’s that last feature that we’ll focus on here.
When you run Procmon, you’ll probably be surprised by all the things your system is doing while you’re not doing anything.
As long as the disk isn’t thrashing (it’s possible that it’s not even being hit at this point), it’s all quite normal. Let Procmon run.
As soon as you hear your hard disk thrashing when you think it shouldn’t be, let it run for a few seconds and then press CTRL+E in Procmon to stop the capture.
In among all of the other events are some relating to disk I/O. If you like, you can scroll through the events to see what’s happening, but I have a better solution.
Click the Tools menu and then the File Summary… item. This gives you a report of the file I/O activity within the recorded data.
The default is sorted by Total Events. Scroll the data to the left to see the rightmost Path column (which you can also widen by grabbing its right-most column header bar and dragging right).
You can also sort by any of the other column headers in the File Summary dialog so you can see which file took the most time, had the most reads, writes, or any of several other activities. I would assume that for simple “Why is my disk thrashing?” analysis, the default “Total Events” is likely to be the best place to start.
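As an added example (not part of the original article and not a Microsoft tool), the Python script below rebuilds a File Summary-style table from a Procmon capture saved as CSV and also records which processes touched each path, which the per-path view alone does not show. It assumes the default export columns and a `Length:` value in the Detail text of read and write events; the sample rows, paths, and function names are constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample rows in the default Procmon CSV column layout (not a real capture).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:00.1","SearchIndexer.exe","4120","CreateFile","C:\Users\me\Documents\notes.txt","SUCCESS","Desired Access: Generic Read"
"10:01:00.2","SearchIndexer.exe","4120","ReadFile","C:\Users\me\Documents\notes.txt","SUCCESS","Offset: 0, Length: 4,096"
"10:01:00.3","SearchIndexer.exe","4120","ReadFile","C:\Users\me\Documents\notes.txt","SUCCESS","Offset: 4,096, Length: 4,096"
"10:01:00.4","SearchIndexer.exe","4120","CloseFile","C:\Users\me\Documents\notes.txt","SUCCESS",""
"10:01:00.5","MsMpEng.exe","2288","ReadFile","C:\Users\me\Documents\notes.txt","SUCCESS","Offset: 0, Length: 8,192"
"10:01:00.6","MsMpEng.exe","2288","WriteFile","C:\ProgramData\scan.log","SUCCESS","Offset: 0, Length: 512"
"10:01:00.7","svchost.exe","1044","RegQueryValue","HKLM\SOFTWARE\Example","SUCCESS","Type: REG_DWORD, Length: 4"
'''

# Heuristic (assumption): operations with these name prefixes are not file I/O.
NON_FILE_PREFIXES = ("Reg", "TCP", "UDP", "Process", "Thread", "Load Image")
LENGTH_RE = re.compile(r"Length: ([\d,]+)")


def file_summary(csv_text):
    """Aggregate file events per path: counts, bytes moved, and processes involved."""
    paths = defaultdict(lambda: {"events": 0, "reads": 0, "writes": 0,
                                 "read_bytes": 0, "write_bytes": 0, "processes": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        op = row["Operation"]
        if op.startswith(NON_FILE_PREFIXES) or not row["Path"]:
            continue  # skip registry, network and process events
        entry = paths[row["Path"]]
        entry["events"] += 1
        entry["processes"].add(row["Process Name"])
        if op in ("ReadFile", "WriteFile"):
            kind = "read" if op == "ReadFile" else "write"
            m = LENGTH_RE.search(row["Detail"])  # sizes carry thousands separators
            entry[kind + "s"] += 1
            entry[kind + "_bytes"] += int(m.group(1).replace(",", "")) if m else 0
    return dict(paths)


def top_paths(summary, key="events", limit=5):
    """Return the busiest paths, sorted like clicking a File Summary column header."""
    return sorted(summary.items(), key=lambda kv: kv[1][key], reverse=True)[:limit]


if __name__ == "__main__":
    for path, s in top_paths(file_summary(SAMPLE_CSV)):
        print(s["events"], s["read_bytes"], s["write_bytes"], sorted(s["processes"]), path)
```

For a real capture, read the exported file with `encoding="utf-8-sig"` and pass its text to `file_summary`.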
Expected or not?
You may determine that the results you find are indeed expected behavior for your system. You may recognize a process – perhaps your anti-malware tools, perhaps the system indexing service, perhaps something else that you recognize – and simply be able to say, “Oh, it’s that,” and take no further action.
On the other hand, you might also decide that whatever is running is unwanted and work through the steps to turn it off or remove it. Exactly what those steps are, of course, will depend on exactly who the culprit turns out to be.
(This is an update to an article originally published August 10, 2003.)