System process constantly writing to disk
-
quinta-feira, 30 de julho de 2009 14:02While dealing with another hard drive Problem, ive noticed in Ressource Monitor, that the process 'System' is constantly writing to my main drive.
Sometimes its about 100-200 KiB/sec, today ive watched it for a while, and its writing action was 1.5 MiB/sec for quite a while! Later on it was about 300-400 KiB/sec.
Why does this process write so much data to my disk? Considering Windows running times, this adds up to multiple times the size of my hard drive.
Anyone knows whats going on here?
Todas as Respostas
-
quinta-feira, 30 de julho de 2009 14:09Hi Johannes,
Can you use Sysinternals' Process Monitor to determine what files are being written to? -
quinta-feira, 30 de julho de 2009 14:44Pagefile was one of it. Disableing the pagefile did not resolve the issue. (There shouldnt be much writing action to it anyway with 3.2 GiB of free RAM left.)
Writing action consists almost only of:
C:\windows\ subfolders
Files that start with C:\$**** . These are $Mft, $Logfile $Directory and $Bitmap.
C:\Users\MyUsername\ folder and subfolders -
quinta-feira, 30 de julho de 2009 15:53The $* files are NTFS metadata files.
Perhaps, configure symbols and check the stacks of events to attempt to determine the cause for activity in question. -
quinta-feira, 30 de julho de 2009 21:21
I've found that with Vista and with Windows 7, Drive C: is always up to something or other; so when I walk away, it never spins down after the power plan time interval.
Is there anybody out there with a C: drive that will shut off via Power Plan ?? -
sexta-feira, 31 de julho de 2009 15:55dunno how important it is, but it is also happening when the CPU is 100% busy, running stress tests or benchmark, or any other kind of activity, as well as in complete idle
-
sexta-feira, 7 de agosto de 2009 03:25Anyone having any idea yet what causes this annoyance?
-
sexta-feira, 7 de agosto de 2009 10:01Perhaps, configure symbols in Procmon and check the stacks of events to attempt to determine the cause for activity in question.
-
sexta-feira, 7 de agosto de 2009 10:32I think the reason your drive is running all the time is becasuse its indexing so you can do faster searches. When you have just installed windows it goes thru and index's everything.
After a while it does stop.
Mike -
sexta-feira, 7 de agosto de 2009 20:06Ive checked them. The only that i could see there was that pretty much every stack contained this 2 locations:
HvWriteDirtyDataToHive
HvOptimizedSyncHive
More i cannot tell by the stacks. Hope that helps.
@mike
It cant be indexing for a whole month often at speed of 1mb/sec and higher. -
sexta-feira, 7 de agosto de 2009 20:07Are symbols configured properly? Those functions are related to the hypervisor. You're not running with hyper-V, are you?
-
sexta-feira, 7 de agosto de 2009 20:13i configured Symbols as you told me earlier. Im quite sure they are, it resolves locations when i open stacks first.
Installed debugging tools for windows (x64)
Set path of the newly installed dbghelp.dll
and set Symbols Paths as: symsrv*symsrv.dll*C:\Symbols*http://msdl.microsoft.com/download/symbols
I dont know what Hyper-V is, can you explain me? Google/Wiki didnt really help me there... -
sexta-feira, 7 de agosto de 2009 20:24Hyper-V is a hypervisor based virtualization solution. This page probably can address your inquiries...
I can't explain why those functions would be in the stack of an event... What is the offset associated with the function in the stack frame (the hex number after it)? -
sexta-feira, 7 de agosto de 2009 20:36Keeps changing, after HvOptimizedSyncHive ive found 0x26 and 0x32, after HvWriteDirtyDataToHive a wider variety of numbers, but always 0x*** (3 digits), like 0x161, 0x166, 0x26c, 0x1e6 ...
Is Hyper-V included in Win7?
Edit: Another thing i found quite often this time is CcFlushCache- Editado Johannes-H sexta-feira, 7 de agosto de 2009 20:45
- Editado Johannes-H sexta-feira, 7 de agosto de 2009 23:01
-
sábado, 8 de agosto de 2009 00:02
I think the reason your drive is running all the time is becasuse its indexing so you can do faster searches. When you have just installed windows it goes thru and index's everything.
After a while it does stop.
Mike
OK Mike, does your C: drive shut down upon expiry of the interval specified in the Power Plan? -
sábado, 8 de agosto de 2009 02:02The offsets are small enough to suggest the symbols are correct, and the thread is indeed executing that code. CcFlushCache is a normal function that is called to flush the contents of a cached file to disk.
I compared activity on my Win7 system, and I also notice events with those functions in the stack. I'd say it is normal and expected, given that.
Probably, I was mistaken. But that would mean that the hypervisor set of functions in the kernel share a prefix (Hv) with another set of functions - the "hive manipulation functions" as I will call them, used by the configuration manager to manipulate registry hives. So the activity in question seems related to registry IO. -
sábado, 8 de agosto de 2009 02:05So, why would System process need to write so much to the registry?
Is it possible to stop that? -
sábado, 8 de agosto de 2009 02:33In the event I looked at, it was due to a lazy writer worker thread doing lazy writes. Presumably, the activity will at least at times be in response to other activity taking place on the system.
Again, the specific paths in question, and the details of the events including stack would probably hold the most information about why a specific event is occurring. Perhaps, check other processes that may be attempting activity on a file or path in question to attempt to determine if something else is taking place. Consider stopping other running programs and processes and services to attempt to minimize the amount of system activity, and see if that has an impact of things. -
sábado, 8 de agosto de 2009 06:45Will disabling anything in startup and disableling all nonwindows services in msconfig window and then reboot and check be sufficient?
Also, ive closed all programs tonight except ORTHOS Prime Stress Test. With it running or stopped, both time constant HD LED action. -
sábado, 8 de agosto de 2009 12:28
Will disabling anything in startup and disableling all nonwindows services in msconfig window and then reboot and check be sufficient?
Depends on what software you have installed, and what extensibility points it may be loaded by. I'd suggest closing all apps, going into services.msc and stopping any services you can. Then look at the process list with e.g. Process Explorer, and eliminate (terminate or suspend) non-Microsoft processes
With it running or stopped, both time constant HD LED action.
Do you notice the HDD LED activity in safe mode? Is there a disc in an optical drive? Consider powering down, and then removing power to all optical drives. Then reboot and see if the HDD LED activity persists.
Process Monitor is showing filesystem activity; the HDD LED represents actual activity. -
sábado, 8 de agosto de 2009 13:44"Constant activity" may be misunderstood. Is not always flashing. But there is not a single minute without flashing the light.
No CD in the drive. I hate the delay it causes when opening explorer or booting up, so always empty it. Also its pretty noisy drive.
Ill try that later, closing any app i can find in task manager after startup (its not many), after ill disable all running services possible.
Safe mode ill also check out. -
sábado, 8 de agosto de 2009 14:00I would also suggest removing power to optical drives, as I've seen cases where the optical drive was responsible for HDD LED activity that is interpreted by observers as HD activity.
-
sábado, 8 de agosto de 2009 14:07Aye, can be done.
-
sábado, 8 de agosto de 2009 14:13OK No.Compromise, does your C: drive shut down upon expiry of the interval specified in the Power Plan?
-
sábado, 8 de agosto de 2009 14:37To be honest, I don't pay attention to power plans; I'm more concerned about speed and performance on my ancient hardware - the quicker I can do something, the better. x_X
-
sábado, 8 de agosto de 2009 16:25Semi recent hardware isnt that expensive actually :p
What is, 100-200 Bucks for a 3 year old comp that runs quite much still all fine. Youll be missing guarantees, but i assume you dont have any either now. -
sábado, 8 de agosto de 2009 18:47<offtopic>My needs/wants are specific enough that I'm willing to put up with older hardware that works and does what I wish, albeit a bit more slowly, than to settle for something that's faster but frustrates me because it is not precisely what I know is required for me to be most productive. Yeah, I'm picky. :-) </offtopic>
-
segunda-feira, 10 de agosto de 2009 15:44Ive run in safe mode. No apps running beside task manager/ressurce monitor.
Stopped all services but 6, which couldnt be stopped (greyed out stop button).
Perfmon didnt run cause it was missing its driver. Thus couldnt check stacks.
The writing action was less. Between 0 and 40 kb/sec. But it was still there. -
segunda-feira, 10 de agosto de 2009 16:15What processes did Process Explorer / Task Manager indicate were running?
Have you had a chance to try taking the optical drive(s) out of the picture yet? -
segunda-feira, 10 de agosto de 2009 16:16Ups, sorry, i really forgot about that. Ok. Unplugging. Running safemode again.
-
segunda-feira, 10 de agosto de 2009 16:38Ok, unplugged the drive ( i hate 4pin and IDE plugs, hail sata <.< )
Running safe mode got me the same result as before. No change.
Here the Processes running:
http://image-upload.de/image/koidvF/b743542691.png -
segunda-feira, 10 de agosto de 2009 16:53What services are running in the SVCHOST instances?
Have you tried killing explorer.exe, ctfmon.exe, and exiting Taskmgr, to see if the LED activity subsides (in addition to being booted into safe mode and having the optical drives powered down, and having the other services and apps stopped)? -
segunda-feira, 10 de agosto de 2009 18:16How can i check on the services?
Is svchost.exe causing the system process to do write action? I see it doing its own action as well, but thats only reads. -
segunda-feira, 10 de agosto de 2009 18:35tasklist /svc at a CMD prompt should show the services, if any, running in each process. Process Explorer can also display the services running in a process (process properties, Services tab;or, hover over the process name and any services will appear in a tooltip).
-
terça-feira, 11 de agosto de 2009 00:28Ok, done that.
Run safe mode. Stop all services that can be stopped in services.msc window.
Open task manager. Kill cftmon.exe (restarts itself when terminated), explorer.exe and than close task man.
LED activity still is there.
Opened cmd
run tasklist /svc command.
Heres the results:
http://image-upload.de/image/u4RTl4/17fd7fa985.png -
terça-feira, 11 de agosto de 2009 01:24Optical drives still powered down? Consider suspending processes with Process Explorer, to see if suspending any one processes has an impact on the activity. Note that this may cause the system to freeze such that you will need to manually power it down.
-
terça-feira, 11 de agosto de 2009 01:34Yes, optical drive still plugged off.
Ill go in safe mode try that. -
terça-feira, 11 de agosto de 2009 01:46What is process Explorer? =.="
-
terça-feira, 11 de agosto de 2009 01:57Process Explorer is another Sysinternals tool; it has been described as "Task Manager on steroids".
-
terça-feira, 11 de agosto de 2009 03:27Uhh, that thing is cool, why dont they use that instead of normal task manager?
So, ive suspended almost everything.
Writing activity is caused by the process System with PID:4.
Having suspended almost everything, writing action dropped to almost nothing, 26 kB packages every 10 sec - 3 mins. But i still remained.
http://image-upload.de/image/XiEQpd/40638abc68.png
Gonna check in normal Mode now.
Update: Its showign the same behavior in normal Mode. Writing packages every couple sec - few mins. Just that the packages are not 26kB, but sometimes as big as 4.4 and 7 MB, at other times like 35 kB small.- Editado Johannes-H terça-feira, 11 de agosto de 2009 03:36
-
terça-feira, 11 de agosto de 2009 09:28Does the System process always show "Access Denied" for the username? That seems a bit odd...
Update: Its showign the same behavior in normal Mode.
Try Procmon again, with fewer things running. -
terça-feira, 11 de agosto de 2009 18:49Yes, when i run Process Explorer with limited rights, it only shows my username, on all other its access denied. Running it with admin rights its shows all usernames except for system.
Btw, i was pretty staggered when i saw what Firefox was doing on my disc with its running. Though that was an easy to solve issue. It was writing 0.9-1.9 MB every 15 seconds, cause are 2 security features, that are new with 3.5. Disabling them solved that.
Ill do a restart, with as few things running as possible. Then checking Process Explorer and Procmon. -
terça-feira, 11 de agosto de 2009 20:20I could identify one 7 MB package causing 1500 Hv writing events.
System process this time didnt show access denied. It showed NT AUTHORTY/SYSTEM as user. -
terça-feira, 11 de agosto de 2009 23:16
Yes, when i run Process Explorer with limited rights, it only shows my username, on all other its access denied. Running it with admin rights its shows all usernames except for system.
The first part is normal and expected. The latter is not. x_X Oh, well...
Can you provide a .pml of the referenced activity? -
terça-feira, 11 de agosto de 2009 23:53Process Explorer seems to show access denied on System only in safe mode. In normal mode it shows NT AUTHORTY/SYSTEM.
Mailed you the logfile.
Edit: Just had an weird idea. Is it possible that what i see there is the Trim command working? But that makes not really sense, cause its not writing data, its just sending commands to the drive to erase empty sektors. -
quarta-feira, 12 de agosto de 2009 12:30The vast majority of writes (both number of operations, and number of bytes), are reactive, and are attributable to non-cached writes, paging, or flushes, or related to general activity taking place on the system (e.g. ...\AppData\Local\Temp\*.tmp). Many of the operations are related to NTFS "recordkeeping" in the metadata files. If an application is not the source of some of the behavior unexpected, a driver may be.
-
quarta-feira, 12 de agosto de 2009 12:34Pageing occours cause procmon saves its data in the pagefile.
I dunno, the flushes and Metadata file writes dont seem to contain any of the Hv-events. What are those about? -
sexta-feira, 15 de janeiro de 2010 12:32are any of you drives in a raid array? i have my main drive mirrored to a second drive using the raid controller on my motherboard and every now and then it will need to resync which causes the system process to read and write like crazy for quite a while.
-
domingo, 27 de março de 2011 21:31
Hello all. I realize this thread is over a year old, but since I think I've found the problem (at least for my HD issue), I figured that I would share. There is a process called SuperFetch which tries to speed up application load times as well as response times after coming back from leaving the computer idle. I can't explain it very well, but this website seems to have some good information along with numerous posters commenting on how disabling it stopped their issues with a constantly spinning HD.
http://www.howtogeek.com/howto/windows-vista/how-to-disable-superfetch-on-windows-vista/
- Sugerido como Resposta mlc2112 domingo, 27 de março de 2011 21:32
-
segunda-feira, 28 de março de 2011 11:58
Superfetch not System ;)
You have to make a xperf trace [1] to diagnostic HDD activity. You can find an alternative download link for xperf/WPT in my topic on msfn [2]. Please upload the XperfSlowIOcir.etl to your SkyDrive [3] and post a link here.
I'll take a look at it.
André
[1] http://blogs.msdn.com/b/ntdebugging/archive/2009/08/17/xperf-to-investigate-slow-i-o-issues.aspx
[2] http://www.msfn.org/board/index.php?showtopic=146919
[3] http://social.technet.microsoft.com/Forums/en-US/w7itproui/thread/4fc10639-02db-4665-993a-08d865088d65
"A programmer is just a tool which converts caffeine into code"
Want to install RSAT on Windows 7 Sp1? Check my HowTo: http://www.msfn.org/board/index.php?showtopic=150221 -
domingo, 29 de abril de 2012 13:01
I have a similar, though less severe issue that hopefully someone can help me with. The System process (pid 4) on my dual core Vaio laptop is writing to disk appx. once every 500ms. This is not performance impacting and I considered it just a minor annoyance until I recently installed a SSD. Since SSD lifetimes are limited by write/erase cycles, I'm concerned these writes are deteriorating my SSD; not good since they're expensive and I LOVE the performance; boots in appx. 15s, instant IE, etc.
As with the original poster here, the same activity persists in safe mode. Per SSD optimization guidelines I've read elsewhere, I've disabled all fetching (super, pre, etc.), indexing and all logging except Application, Security & System but the writes persist.
Im using the latest (very recent) driver from Intel (Intel 5 Series 4 Port SATA AHCI Controller 10.8.0.1003 10/17/2011). I've tried other drivers and while the write pattern seems to change (drive activity light no longer blinks), Resource Monitor shows they're still there. They also cause an additional issue of consuming CPU (?) which doesn't occur with the "recommended" driver I just mentioned.
Anyone know what these writes may be and if/how I can/should stop them? Thanks.
(BTW, love the caffiene->code quote :-)
-
segunda-feira, 30 de abril de 2012 20:58
Disable different drivers and see if it still happens? Not antivirus?
.png)
