Persistent intermittent disk activity $LogFile (NTFS Volume Log) etc.

  • Question

  • Windows 7 Home Premium Version 6.1 (Build 7601: Service Pack: 1)
    Machine: HP 1370

    Persistent intermittent disk activity.

    The disk is audible.  It cycles through read/write for several seconds, every two minutes or so.
    Task Manager Resource Monitor shows disk activity, with this:

    Image    PID    File    
    System    4    C:\$LogFile (NTFS Volume Log)
    System    4    C:\$Mft (NTFS Master File Table)
    System    4    C:\$BitMap (NTFS Free Space Map)
    System    4    C:\Windows\System32\LogFiles\WMI\RtBackup
    etc.

    Are these processes necessary?
    How can I reduce their load on the disk?
    If I cannot reduce them, how do I eliminate them?
    Monday, August 13, 2012 12:49 AM

Answers

  • $LogFile is an NTFS metadata file which catches all changes to your file system. It is not only used by System, but also by your programs, e.g. Chrome.exe or iTunes.exe.

    The directory C:\Windows\System32\LogFiles\WMI\RtBackup stores ETW trace files (extension .etl) for real time event trace sessions.

    They are not expendable. To boot in Safe Mode, please keep pressing F8 before Windows starts.

    http://windows.microsoft.com/en-US/windows7/Advanced-startup-options-including-safe-mode


    Niki Han

    TechNet Community Support

    • Marked as answer by Niki Han Friday, August 31, 2012 2:50 AM
    Wednesday, August 15, 2012 3:06 AM
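
An added example (not part of the original thread): one way to see which processes issue the writes behind the System-owned metadata activity, which real-time ETW sessions are running, and how large the NTFS log is. It assumes an elevated PowerShell prompt, English performance counter names, and the C: volume from the question; the interval and sample count are chosen here for illustration.

```powershell
# Added example: rank processes by bytes written over a two-minute window.
# "IO Write Bytes/sec" counts file, network and device writes issued by each
# process, so treat the ranking as a shortlist, not proof of disk writes.
$intervalSec = 5     # seconds between samples (assumed value)
$samples     = 24    # 24 x 5 s = 2 minutes, long enough to span one burst

$totals = @{}
Get-Counter -Counter '\Process(*)\IO Write Bytes/sec' `
            -SampleInterval $intervalSec -MaxSamples $samples `
            -ErrorAction SilentlyContinue |
    ForEach-Object {
        foreach ($s in $_.CounterSamples) {
            # InstanceName merges same-named processes (e.g. all chrome instances)
            $name = $s.InstanceName
            if ($name -eq '_total' -or $name -eq 'idle') { continue }
            # CookedValue is bytes/sec for the interval; convert back to bytes
            $totals[$name] = [double]$totals[$name] + ($s.CookedValue * $intervalSec)
        }
    }

# Top ten writers during the window
$totals.GetEnumerator() |
    Sort-Object -Property Value -Descending |
    Select-Object -First 10 -Property @{n='Process';   e={$_.Key}},
                                      @{n='KBWritten'; e={[math]::Round($_.Value / 1KB)}} |
    Format-Table -AutoSize

# Running event trace sessions; real-time sessions are the ones that can
# spill .etl files into the RtBackup directory named in the answer.
logman query -ets

# Backup trace files currently on disk, newest first
Get-ChildItem 'C:\Windows\System32\LogFiles\WMI\RtBackup' -Filter *.etl |
    Sort-Object -Property LastWriteTime -Descending |
    Select-Object -Property Name, Length, LastWriteTime

# Current size of the NTFS log file; /L with no value only reports it
chkdsk C: /L
```

Running the sampling loop while the disk is audibly busy gives the most useful ranking; Resource Monitor's Disk tab can then be filtered to the processes at the top of the list.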

All replies

  • Hi,

    These files are the records of all the files on the drive. This is normal behavior. There might be other read/write behavior causing the issue. You can try the following suggestions to test the issue.

    1. Run the chkdsk C: /f command.
    2. Test the issue in Safe Mode without security software running.
    3. If you suspect the system image, please suspend the process for a test.


    Niki Han

    TechNet Community Support


    • Edited by Niki Han Tuesday, August 14, 2012 8:49 AM
    Tuesday, August 14, 2012 8:48 AM
  • Thanks!

    I can understand that $Mft and $BitMap are what their names suggest.

    But $LogFile?  Is that some sort of log?  Is it expendable?

    And RtBackup?  Is there a doc somewhere that tells me what this is?

    I ran chkdsk,  without /f (because I don't trust any program that "fixes" anything on my disk).  It reported no errors.

    (I haven't booted into Safe Mode yet.  I haven't yet figured out how, on this new machine. The boot-up screen lasts two milliseconds.)

    So I need to pin down which application thinks it is adding value by scribbling something to the disk every few seconds, thereby forcing bitmap and mft updates, and wearing out the disk 5,000 times faster than necessary.

    Wednesday, August 15, 2012 12:01 AM
  • This is not entirely accurate regarding the $LogFile.

    With a prefix of "$", this indicates a system hidden file, and normally inaccessible.

    However, what is being reported is that it contains metadata specific to the NTFS drive and files located there.

    Direct examination of the file reveals a content far different.

    This file contains ALL activity performed by the user and/or system during any activity; up to and including which URLs were accessed, on what date and at what time. While it may identify disk files used/accessed/updated/deleted, it certainly does not limit itself to just that activity.

    So, when replying, let's get real. Let's not limit our definitions of content nor mislead those that ask questions. $LogFile is the auditor of the system. It will tell anyone that looks what you've been doing, when you've been doing it, and how it was done. It continually grows and expands. There does seem to be a wrapping capability. At present my system has a 64MB sized $LogFile. I've done far more than 64MB on my system since I built it in 2010. I just don't know if that is the limitation and the system will wrap it at that point.

    In any case, it is best to understand a person's question before responding to it. Below is an example of $LogFile content:



    Jim - Mastiffs are the greatest!

    Monday, February 10, 2014 5:05 PM
  • Kudos JIM.LOW!  Sharp and observant deserves reward.

    My system is a Dell t3500 2.8/Ghz Xeon Quad core (the one that runs 8 cores) with 24G's of 1333 Mhz matched RAM

    I have been watching my video rendering go from 20,000,000 B/Sec Read times for the first 20 minutes, then slowly decline to an average 7,000,000 B/sec read time after that. This is reading off of a RAID level 0 volume consisting of 2 - 2TB disks. Currently holding less than 2GB of files. I thought it was odd my performance should drop so drastically after having watched it perform fairly well, so after exhausting the possibility of it being my virus software - or a virus itself, I looked around on Google for some answers. Gleaning what I could, I understand it this way:

    Virtual file systems require constant monitoring, and can often lead to calculations growing in size. This is due to an ever increasing need to add additional I/O calculations. As it has been understood (I am no expert), VM's can actually create a much slower read/write environment. Essentially reading Empty file space to determine where the next Input should be written, it has been shown that many programs, using VM's would create extensively large but incredibly fragmented files, causing the problem to get perpetually worse every time a file segment is written. So the first thing to do is

    DEFRAGMENT DEFRAGMENT DEFRAGMENT

    And my apologies to our good host, but I think it's important to note that the Defragger on Windows leaves much to be desired...  try a third-party disk de-fragment utility that operates with awareness to VM's!

    -Singing Fish


    Wednesday, May 14, 2014 4:02 AM
  • This is a good answer :-)
    Tuesday, March 10, 2015 11:24 PM