Isolating Disk Activity To A Process
Posted by William Diaz on September 21, 2011
The other night I noticed the hard drive light on my laptop was solid for several minutes, indicating some fairly aggressive disk file IO. There were no open applications and I didn’t have any scheduled services running, not even the Windows 7 defrag (yeah, I still like to do everything manually). I also had a virtual Windows XP machine running inside Windows 7 but there were no open applications there, either. A knee-jerk reaction of mine when I see this is to open the Task Manager and look for any processes that are using an excessive amount of CPU time, but there were none, and the system remained mostly idle with respect to the CPU counter in both Windows 7 and the virtual machine it was hosting.
To see what was causing the unknown disk IO, I started by adding a few more columns to the Windows 7 Task Manager: I/O Reads, I/O Writes, I/O Read Bytes, and I/O Write Bytes. I sorted the columns by both read bytes and write bytes and the process using the most disk IO was the vpc.exe process, the Virtual PC:
I went into the virtual PC and did the same thing. I used Process Explorer this time, added the same columns and saw the cause of the ongoing disk activity:
You can see that svchost.exe has spawned a child service, wuauclt.exe, the Windows Automatic Update Service, which has consumed the most disk reads, writes, MBs read. At some point, probably during the recent installation of MSE in the vpc, the Windows Update Service was set to automatic. Upon ending the Windows update service, the disk IO returned to idle.
In Windows Vista/7 you can couple the Task Manager with Resource Monitor (resmon.exe), reachable from the Performance tab, to assist you in isolating the process(es) involved. As an example, I set Windows Updates to automatic on one of my Windows 7 systems. Starting with the Task Manager, add the I/O Reads and I/O Writes and the I/O Read Bytes and I/O Write Bytes columns. Sort by each of these columns until it is clear which process is the most IO intensive:
We can see here that svchost.exe has already written close to 400 MBs while having read more than 1.5 GBs [1]. To see what services are being hosted by svchost.exe, right-click the process and select Go to Service(s). The hosted services are not grouped by default, so you will need to scroll the entire list here or sort by PID, where we find Windows Update.
At this point, we need to switch over to Resource Monitor and go to the Disk tab. Ignore the System process and focus on what is beneath it. If the process name is not enough to allude to what it is doing, look at the Disk Activity pane below it. The File column indicates the path of the disk IO. In the example below, the folder name is enough to gather that several Windows downloads from Microsoft are in the process of being installed:
[1] In addition to svchost.exe, Trustedinstaller.exe and MsMpEng.exe are also eating up a lot of disk IO. Trustedinstaller is the Windows Update management installer while MsMpEng is the scanning engine behind MSE, both of which we would expect to see performing some aggressive IO after downloading updates.
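The Task Manager columns used above are cumulative since each process started, so a long-running process can top the list while being idle right now. The following PowerShell sketch is an added example, not part of the original post: it samples the same per-process counters twice, ranks processes by what they transferred in between, and lists the services hosted in each PID (the "Go to Service(s)" step). It assumes PowerShell 3.0 or later for Get-CimInstance; the interval, row count and variable names are illustrative.

```powershell
# Added example: rank processes by I/O transferred during a short sampling window.
# Note: these counters (like Task Manager's I/O columns) include file, network
# and device I/O, so confirm disk paths in Resource Monitor afterwards.
$IntervalSeconds = 10   # assumed sampling window
$Top = 5                # assumed number of rows to show

function Get-IoSnapshot {
    # PID -> name and cumulative bytes read/written
    $snap = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $snap[[int]$p.ProcessId] = [pscustomobject]@{
            Name  = $p.Name
            Read  = [uint64]$p.ReadTransferCount
            Write = [uint64]$p.WriteTransferCount
        }
    }
    $snap
}

$before = Get-IoSnapshot
Start-Sleep -Seconds $IntervalSeconds
$after = Get-IoSnapshot

# PID -> names of running services hosted in that process (e.g. inside svchost.exe)
$hosted = @{}
foreach ($s in Get-CimInstance -ClassName Win32_Service -Filter "State = 'Running'") {
    $hosted[[int]$s.ProcessId] += @($s.Name)
}

$rows = foreach ($processId in $after.Keys) {
    if (-not $before.ContainsKey($processId)) { continue }   # started during the window
    $a = $after[$processId]
    $b = $before[$processId]
    # Skip a PID that was reused by a different process between samples
    if ($a.Name -ne $b.Name -or $a.Read -lt $b.Read -or $a.Write -lt $b.Write) { continue }
    $readMB  = [math]::Round(($a.Read  - $b.Read)  / 1MB, 2)
    $writeMB = [math]::Round(($a.Write - $b.Write) / 1MB, 2)
    [pscustomobject]@{
        PID      = $processId
        Name     = $a.Name
        ReadMB   = $readMB
        WriteMB  = $writeMB
        TotalMB  = $readMB + $writeMB
        Services = ($hosted[$processId] -join ', ')
    }
}

$rows | Sort-Object -Property TotalMB -Descending |
    Select-Object -First $Top |
    Format-Table -AutoSize
```

A svchost.exe row whose Services column contains wuauserv corresponds to the Windows Update case walked through above.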