
How do I ... hunt down hard disk resource hogs?

Find out how to narrow your search for the cause of system slowdowns by configuring the Performance Monitor and Task Manager to reveal rogue processes that can tie up valuable system resources.

Most users find that the longer they use Microsoft Windows, the slower it seems to run. While there are countless areas in which you can tweak Windows to regain that lost speed, most techniques result in negligible performance boosts. In this Daily Drill Down, originally published as an article on March 26, 2002, Brien Posey shows you how to focus your troubleshooting efforts to restore Windows XP to its past performance levels.

This blog post is also available in PDF format in a free TechRepublic download.

Disk time percentage and disk queue length

IT professionals think of hard disk corruption or inadequate disk space as the cause of most system performance problems, but disk time is an equally important performance factor. Disk time is represented as a percentage of time that the hard disk is in use. If the hard disk is running 80 percent of the time, for example, you can be sure that system performance is suffering.

Another factor to consider is the average disk queue length, which refers to the number of processes that are waiting to use the hard disk. Using the disk time percentage in conjunction with the disk queue length will tell you not only how much the hard disk is being used but also whether the heavy usage is a problem. For example, if the disk time is 40 percent but the average disk queue length is two or less, then the hard disk is keeping up with the demand that's being placed on it.

On the other hand, if the percentage of disk time and average disk queue length are both high (above 80 percent disk time and an average disk queue length of two or more), it means that processes are waiting for the hard disk to become available. Anytime a process has to wait for a component to become available, a user will experience less-than-desirable performance.

Measuring hard disk performance

To accurately diagnose a system's hard disk, you need to measure the percentage of disk time and the average disk queue length.

Begin by performing a full defragmentation on all the system's partitions to ensure that all files are contiguous and that the hard disk can perform file reads and writes optimally. Click on the Start menu and select All Programs | Accessories | System Tools | Disk Defragmenter.

Once you've defragmented all partitions, run the Performance Monitor utility by opening the Control Panel and clicking Administrative Tools | Performance.

Tip

When the Performance Monitor opens, select any counters that are already running from the bottom of the window and press Delete. Every counter that's running has a slight, but noticeable, impact on the system's performance. Therefore, the fewer counters you use, the more accurate your measurements will be.

In the Performance Monitor utility, follow these steps:

  • Click the Plus icon to open the Add Counters dialog box.
  • Next, select PhysicalDisk from the Performance Object dropdown list, which will bring up a list of the physical disk counters.
  • Now, select the %Disk Time counter from the list and click the All Instances radio button to tell the system to measure the performance of all hard drives.
  • Next, click the Add button to add the counter to the Performance Monitor.
  • Finally, select Avg. Disk Queue Length from the counter list, select the All Instances radio button, and click the Add button followed by the Close button. When you do, the performance monitor will begin analyzing the disk usage, as shown in Figure A.

Figure A

The numbers beneath the graph refer to the percent of disk time for Drive 0.

As you look at the output, you can see that the lines on the graph correspond to the counters that you've installed. For example, in Figure A, the pink line is predominant. You can tell by the legend that the pink line corresponds to the average disk queue length for the C: and D: partitions of Drive 0. You can also tell the exact values of any counter by selecting the counter that you want to examine. It's best to look at the actual numbers rather than the graph, as the graph can be deceptive if the scale isn't set correctly.
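The same two counters can be read as numbers from a PowerShell prompt. This is an added example, not part of the original article; it assumes Windows PowerShell 5.1 on an English-language Windows installation (counter names are localized), and the sampling interval and sample count are arbitrary choices.

```powershell
# Added example: read the article's two PhysicalDisk counters as numbers.
# Assumes English counter names; interval and sample count are arbitrary.
$paths = '\PhysicalDisk(*)\% Disk Time',
         '\PhysicalDisk(*)\Avg. Disk Queue Length'

# 15 samples, 2 seconds apart (about 30 seconds of observation).
$samples = Get-Counter -Counter $paths -SampleInterval 2 -MaxSamples 15

$samples.CounterSamples |
    Where-Object { $_.InstanceName -ne '_total' } |   # report each drive separately
    Group-Object -Property InstanceName |
    ForEach-Object {
        $time = ($_.Group |
            Where-Object { $_.Path -like '*% disk time' } |
            Measure-Object -Property CookedValue -Average).Average
        $queue = ($_.Group |
            Where-Object { $_.Path -like '*avg. disk queue length' } |
            Measure-Object -Property CookedValue -Average).Average

        [pscustomobject]@{
            Disk           = $_.Name
            AvgDiskTimePct = [math]::Round($time, 1)
            AvgQueueLength = [math]::Round($queue, 2)
            # The article's rule of thumb: both values high means processes are waiting.
            Verdict        = if ($time -gt 80 -and $queue -ge 2) {
                                 'processes are waiting on this disk'
                             } else {
                                 'disk is keeping up'
                             }
        }
    } |
    Format-Table -AutoSize
```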

Narrowing down the suspects

Now it's time to figure out which process is using all those disk resources. The first thing that I recommend to track down the culprit is to press [Ctrl][Alt][Delete] simultaneously to access the Windows Security dialog box. Next, click Task Manager to bring up the Task Manager utility, which reports on the resource utilization of every process running on the entire system.

While disk usage isn't one of the factors that Task Manager normally reports, you can configure it to provide this information.

  • First, select the Processes tab to view the list of processes that are running on your machine.
  • Next, select the Select Columns command from the View menu. You'll now see a list of all the resources that you can monitor through the Task Manager.

I recommend deselecting every resource except for I/O Read Bytes and I/O Write Bytes. When you click OK, you'll see the number of bytes read and written by each process, as shown in Figure B.

The trick now is to go through the list and look for rapidly changing values. It's normal for most of the values to occasionally change, but if you see one that is constantly changing, then the process that corresponds to that value is hogging your system's disk resources.

Figure B

To kill a system resource hog, highlight the process and click End Process.
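The "look for rapidly changing values" check can be scripted by taking two snapshots of the per-process I/O totals and ranking the difference. This is an added example, not part of the original article; it assumes Windows PowerShell 5.1, and the five-second interval and top-ten cutoff are arbitrary. It also lists the PID, image path and hosted services so that multiple instances of the same image name can be told apart.

```powershell
# Added example: rank processes by I/O bytes transferred during a short interval.
$intervalSeconds = 5   # arbitrary sampling window

function Get-IoSnapshot {
    # ReadTransferCount / WriteTransferCount are cumulative byte totals,
    # the values Task Manager shows as I/O Read Bytes and I/O Write Bytes.
    $snapshot = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $snapshot["$($p.ProcessId)"] = $p
    }
    $snapshot
}

$before = Get-IoSnapshot
Start-Sleep -Seconds $intervalSeconds
$after = Get-IoSnapshot

# Services hosted by each process, keyed by PID (as a string).
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

$report = foreach ($id in $after.Keys) {
    $new = $after[$id]
    $old = $before[$id]
    # Skip processes that started during the interval or whose PID was reused.
    if (-not $old -or $old.CreationDate -ne $new.CreationDate) { continue }

    $read  = [double]$new.ReadTransferCount  - [double]$old.ReadTransferCount
    $write = [double]$new.WriteTransferCount - [double]$old.WriteTransferCount

    [pscustomobject]@{
        PID       = $id
        Name      = $new.Name
        ReadKBps  = [math]::Round($read  / 1KB / $intervalSeconds, 1)
        WriteKBps = [math]::Round($write / 1KB / $intervalSeconds, 1)
        Services  = ($services[$id].Name -join ', ')
        Path      = $new.ExecutablePath   # empty for protected processes unless elevated
    }
}

$report |
    Sort-Object -Property { $_.ReadKBps + $_.WriteKBps } -Descending |
    Select-Object -First 10 |
    Format-Table -AutoSize
```

These totals count all I/O a process issues, including network and device I/O, so a high figure is a lead to confirm against the disk counters rather than proof of disk activity.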

If the rogue system process is a part of the Windows operating system, there's a good chance that the excessive disk usage is caused by thrashing.

Swapping vs. thrashing

The process of moving memory blocks between physical and virtual memory is called swapping. Although swapping is inefficient, it's a perfectly normal process in a Windows environment. Virtual memory is hard disk space that is used as extra memory. Basically, any time Windows needs to read something that exists in virtual memory, it must move that memory block into the system's physical memory. Thrashing problems are caused by excessive physical and virtual memory swapping.

However, if the disk usage is traced to a non-Windows process, then you may have problems with an individual service.

Be careful

If you eliminate a process you feel is causing excessive disk usage, processor time and memory will also be affected.

The usual suspects

We've focused on explaining how excessive disk time usage can degrade system performance, and you have seen some ways to track down the processes that create this problem. By using the Performance Monitor to measure both disk time and average queue length, you can get a sense of whether or not the hard disk is being taxed by the system's processes. Analyzing the Task Manager further narrows down the possible suspects that may be causing the problem.


About

Brien Posey is a seven-time Microsoft MVP. He has written thousands of articles and written or contributed to dozens of books on a variety of IT subjects.

27 comments
yobyalp_97

doesn't satisfy me enough... PID columns much better lol

tgoodman

How do I know which process is safe to shut down without crashing my system? The process Isass.exe seems to be thrashing. Can I shut it down safely?

scratch4653

I use \exctrlst.exe to disable all counters and I only run 12 services. I turn on some services when I need to use them, e.g. print spool. And of course the standard reg tweaks.

sracinski

What if it doesn't begin analyzing disk usage but shows zero and no graph line movement?

stephen_r1937

I followed these instructions step by step and came up with four processes: two of these are my AV (Avira), and the other two are lsass.exe, which is a necessary MS program, and one of the svchost.exe processes. I can't tell which one because the Task Manager does not provide PIDs for them (I'm running XP; maybe in Vista it does). So what do I do now? Stephen R.

joe.davis

I found I could not follow the directions given in How do I ... hunt down hard disk resource hogs. I skipped the defragmentation as I didn't want to wait. I selected Administrative Tools | Performance. There was no plus icon next to Add Counters. There was a name listed, System Overview. I double-clicked on System Overview and found counters for \Memory\Pages/sec, \PhysicalDisk(_Total)\Avg. Disk Queue Length, \Processor(_Total)\%Processor Time. I tried to add the %Disk Time counter by selecting Add Counters, PhysicalDisk | %Disk Time | Add | Close | OK. But that got me "Modifications are not allowed for default logs and alerts. You can start or stop the session from the associated toolbar buttons."

cutedeedle

Best of all, go to BlackViper's excellent site and disable any unnecessary and security-risk Win & 3rd party services. It's the first thing I do with a new PC, after removing all the junk programs.

reisen55

The cursed Windows patch for search is a horror show and does nothing to improve life. Disable it upon installation and never show it again. It also is given to servers. Secondly, whenever possible, schedule processor intensive work for off-hours such as virus and malware scanning. Disable useless startup programs in msconfig. And kill off most of the Windows pretty-pretty stuff by setting performance variables to BEST performance. Sometimes I remember when SPINRITE was a joy too.

k.schank

Great article, but now how do I do it in Vista? The monitor is more robust in Vista but looks different and has more cryptic counters. How do I interpret them?

pmiddleton

For me it's searchindexer.exe - how do I disable it?

Mark W. Kaelin

When you run the Performance Monitor utility, what application or service is using the most resources? Can you reduce your resource overhead?

Merlin the Wiz

You should Google the process, and read several results. Are you sure it is lsass.exe and not isass.exe with a capital I, as in Isass.exe? There are several viruses that change a small L for a capital I, which look very similar depending on the font used. The best suggestion I can make is to get familiar with the processes that run on each of your computers.

There are things to be wary of. First, if you have more than one instance of any process other than svchost.exe running, the odds are one of them is bogus. Second, make sure Task Manager has the CPU Time column displayed. The System Idle Process, followed by Explorer, your firewall, and anti-virus should be among the most time consuming processes you have running.

There is only one safe way to stop a process. You should save all of your work, and exit any program that you have started since the computer finished booting. This will put you at your normal desktop. From here when you stop a process, the only risk you are taking (in my experience) is crashing the system and having the computer reboot. Some processes cannot be stopped. These usually activate a pop-up that says something like "This process cannot be stopped right now." Some processes, svchost.exe for example, have been called by another process which may or may not be stopped without crashing the system.

If you really need to know what can and what cannot be stopped, you will have to experiment on more than one computer. Two nearly identical computers may NOT have exactly the same processes running at any one time. Hardware manufacturers have the habit of adding programs to Windows that are designed to make their hardware operate better. Windows Home versions versus Windows non-Home versions do not have the same processes running.
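The capital-I-for-small-L substitution described in the comment above is hard to spot by eye but easy to check mechanically. The following is an added example, not part of the original article or of any commenter's post; the list of system process names, the character folding and the sample rows are assumptions made for illustration, and it assumes Windows PowerShell 5.1.

```powershell
# Added example: flag process names that imitate a Windows system process,
# or that carry the real name but run from outside System32.
$expectedDir = Join-Path $env:SystemRoot 'System32'
$known = 'lsass.exe', 'csrss.exe', 'services.exe', 'smss.exe', 'winlogon.exe'  # assumed list

function Get-NameSkeleton([string]$Name) {
    # Fold characters that look alike in common fonts: I/i/1 -> l, 0 -> o.
    ($Name.ToLowerInvariant() -replace '[i1]', 'l') -replace '0', 'o'
}

$skeletons = @{}
foreach ($k in $known) { $skeletons[(Get-NameSkeleton $k)] = $k }

function Test-ProcessName {
    param([Parameter(ValueFromPipeline)] $Process)
    process {
        $name = [string]$Process.Name
        $real = $skeletons[(Get-NameSkeleton $name)]
        if (-not $real) { return }                 # does not resemble a listed name

        $finding = $null
        if ($name -ne $real) {
            $finding = "name imitates $real"
        } elseif ($Process.ExecutablePath -and
                  (Split-Path $Process.ExecutablePath -Parent) -ne $expectedDir) {
            # An empty path (no access without elevation) is not treated as a finding.
            $finding = "runs outside $expectedDir"
        }
        if ($finding) {
            [pscustomobject]@{
                PID     = $Process.ProcessId
                Name    = $name
                Path    = $Process.ExecutablePath
                Finding = $finding
            }
        }
    }
}

# Constructed sample rows (not real observations): one genuine, two suspicious.
$sample = @(
    [pscustomobject]@{ ProcessId = 612;  Name = 'lsass.exe'; ExecutablePath = "$expectedDir\lsass.exe" }
    [pscustomobject]@{ ProcessId = 3140; Name = 'Isass.exe'; ExecutablePath = 'C:\Users\Public\Isass.exe' }
    [pscustomobject]@{ ProcessId = 2280; Name = 'csrss.exe'; ExecutablePath = 'C:\Temp\csrss.exe' }
)
$sample | Test-ProcessName | Format-Table -AutoSize

# On a live system: Get-CimInstance -ClassName Win32_Process | Test-ProcessName
```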

luis

You can stop and start the counters by pressing the red icon with the white X or use Ctrl-F to stop and start.

Merlin the Wiz

Go to: technet.microsoft.com/en-us/sysinternals/default.aspx and download at least Process Explorer. (I recommend the entire suite of tools.) There are a lot of goodies in this suite of tools. Process Explorer will show all of the processes running on your computer. It will also attempt to do a web search for any running process. Right click on the process and then a left click on the search on line choice.

jlambert

The plus sign wasn't said to be next to anything. It is in the tool bar above the graph. First remove counters running below the graph. Easy and a great article.

txpecmakr

I disabled search indexer by opening the Control Panel. Go to Administrative Tools and open Services. In the window on the right I found "Indexing Service" and double clicked it. Under the General Tab about the middle of the page I changed the Startup Type to "Manual" and just below that where it says Service Status I clicked "Stop".

denkile

I like "Extended Task Manager" (free) running by the clock. http://www.extensoft.com/ Also the last "clean install" for the internet system, I turned off indexing when partitioning and formatting using XP Admin Tools > Disk Management on another system. This seemed to make a difference in "background" HDD activity as shown by Extended Task Manager, Disk I/O. Now the background, minimum Disk I/O is 6 KB.

don.howard

Would you still look at physical disk or logical disk? Also, what if it is a local, software based raid-set?

dkburkhart

The Services app located in the Admin tools group provides a lot of great info on processes running on your system. Once you start Services you will see a list of processes on the right. Now highlight one of the processes and an explanation of that process will be displayed in the left hand column. You can also right click on that process, and then click on properties and now you can see more functions you can perform on the process such as stopping it, pausing it, changing its startup parameters.

Here's an example: Once you've opened the services window scroll down to "Indexing Service" and highlight it. This will now show you some basic info on this process. Now right click on the process and click "properties" in the drop down menu. You'll see a window with four tabs across the top. Now start reading the info on all the tabs to see what functions you can perform. In the General tab, i.e., you can click on the Start, Stop, Pause buttons. Good luck. I hope this helps!

wlportwashington

I have used SysInternals many times in trying to locate resource hogs and other problems. The biggest drawback is that it can be very time consuming and tedious. With one system it was taking so long just to nail down the culprit, we were about to do an O/S reload which probably would take less time. I wish there was a better and faster solution.

BizIntelligence

There are many ways we can track down the slow performance issue. I really like the concept of performance counters, but that requires a little bit of administration. I have always used the following two tools to find out which process is causing a problem during boot or operational state: Process Explorer and BootVis. With no doubt, there will be more tools, but the above two have worked for me so far.

stephen_r1937

I have Process Explorer and it's pretty impressive. The problem is that the svchost buggers are not displayed in the same order by it as by Process Manager; and whereas PE also identifies each of them by a Pee Eye Dee number, PM does not. So I can identify the troublemaker on PM but then cannot match it to what is showing on PE. Stephen

pdr5407

The Image name process with a lot of I/O reads on my system is csrss.exe, but it has no writes. What does this Windows file (csrss.exe) control? The one with the most I/O Writes is Nero Home.

fmdeveloper

You can run tasklist /svc in the command prompt to see a list of all processes, with PID and a list of all services running under each services.exe instance.

Merlin the Wiz

I hate to ask this, but have you read the Help file in Process Explorer? There are a lot of options in this program that are not intuitively obvious. For example: When you open the System Information window (Ctrl + i or View System Information) and hover your mouse over the highest point on your CPU usage graph? The little pop-up shows what was the biggest resource hog at that exact point in time by 1/100 second, as you move the mouse pointer left or right the pop-up information changes. The reason I suggested doing the web search is because there are a lot of programs whose names do not fit their function. A web search will hopefully let you know who wrote the program and what it is supposed to do. Merlin

stephen_r1937

More on Process Manager & Process Explorer: Search online will tell me what svchost is. I know that, but there's a pack of them, and the one that's a pain in the butt has a bunch of items in it, and I don't have a clue what most of them are. Stephen