Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Repeated Intermittent Episodes of Runaway Disk Activity


  • Please log in to reply

#76
britechguy

britechguy

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 221 posts

PDFXview.exe is PDF-XChange Viewer and at that moment in time it was OCR processing a 664 page image PDF.  So, yes, I use it quite frequently but, no, I'm not typically having it run an OCR scan on a huge document.  I far prefer it to Adobe Reader.  Believe it or not, I know that wasn't the problem.  Most of what gets eaten up during that sort of processing is CPU cycles as opposed to I/O.

 

I have two different Gmail accounts open at once, and you can't do that in a single browser session (even with multiple windows).  I can, however, use either Firefox or Chrome exclusively for some set period of days if you want to see if that makes a difference.

 

If this were directly "end user program" driven I'd expect that the activity would cease once I exited "the offending program."  I have yet to find something I can exit that makes the activity cease, which is why this is so *&^%(# frustrating!!   [And, of course, that *&^%(# is not aimed at you.]


  • 0

Advertisements


#77
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,010 posts
  • MVP

Maybe try Opera instead of Chrome?  http://www.opera.com/computer/windows  

 

Perhaps uninstall Spybot for a while?

 

See if Resource Monitor picks up anything:

 

http://www.7tutorial...nitor-windows-7


  • 0

#78
britechguy

britechguy

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 221 posts

I still have Opera on my machine.  I switched from it to Chrome at the outset because it seemed to be one of the triggers.

 

I'll be happy to uninstall Spybot for a while, but I really can't see that as being the problem either.

 

I'll have to look at Resource Monitor, and particularly if it has a logging capability, further.  I was using this via Task Manager and not getting very far with it.


  • 0

#79
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,010 posts
  • MVP

You might try:

 

http://blogs.technet...e-provides.aspx

 

for the logging.

 

 

If you keep it open and click on Disk then on Total it will sort the processes by most disk activity.  Then when you get an episode see if you can get the PID of the top process and then look at it in more detail with Process Explorer.


  • 0

#80
britechguy

britechguy

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 221 posts

Ron,

 

         The last few days have been nuts, thus the delay in my reply.   Yesterday I got a case of this so severe that I could not even manage to save a screen shot from Resource Monitor.  I do know, however, that it was "svchost.exe (netsvcs)" that had gone off the beam and was sitting at the top of the list with figures in the millions of bytes per second for both read and write.

 

          I have had several incidents going on in the last several minutes that have self-resolved, but where the machine would not respond during part of each episode.  I also had several "script failure" messages (one from this very forum) that occurred during the last one.  I am going to post the screenshots from resource monitor that I snagged in the order in which they occurred, oldest to newest.  I included a baseline taken shortly before the latest round of episodes of continuous disk activity.

Attached Thumbnails

  • Resource_Mon_Baseline.jpg
  • Resource_Mon_DiskThrashStart.jpg
  • Resource_Mon_DiskThrashOngoing.jpg
  • Resource_Mon_DiskThrashSelf-Resolved.jpg
  • Resource_Mon_DiskThrashSelf-Resolved2.jpg
  • Resource_Mon_SecondDiskThrashStart.jpg
  • Resource_Mon_ThirdDiskThrashStart.jpg
  • Resource_Mon_DiskThrashSelf-ResolvedafterThirdThrash.jpg

  • 0

#81
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,010 posts
  • MVP

What is Chrome up to that it has to read so much?  Was it uploading a large file?

 

Do you have any idea what ControlDeckStartup.exe  is responsible for?  It's from ASUS.  Supposed to be OK but not supposed to be a big user of CPU, Memory or Disk.

 

Why is cscript running?  Usually that means a .VBS program

 

Programs only write to D:\pagefile.sys when the system runs out of regular memory.

 

Radardt.dll is Resource Exhaustion Detector see:

 

https://technet.micr...9(v=ws.10).aspx

 

Look in your event logs and see if you have any 2004 errors.  I assume it would be in System.

 
  • 0

#82
britechguy

britechguy

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 221 posts

Ron,

 

         I believe the Chrome bit was because I had just restarted Chrome and it was restoring a session with more than 10 tabs.

 

         I have no idea what ControlDeckStartup is beyond what you've already mentioned.  It came on the machine from ASUS and has just "always been there."

 

         I can't answer anything about cscript.  It could be something used by Zimbra desktop, depending on which snapshot this was in.

 

         I am attaching a VEW log of Critical, Error, and Warning messages culled from the System Log between 2/8 and 2/11/2015.  It's interesting that there is an error in there related to the hard disk controller, which I've never seen before.

 

Attached Files


  • 0

#83
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,010 posts
  • MVP

Hard to tell with Windows but I don't think the controller error is the C:\ drive.  More likely a USB port since the last digit varies. \Device\Harddisk1\DR6.  \Device\Harddisk1\DR4. etc.

 

In order to find out for sure you can download

WinObj

https://live.sysinte....com/Winobj.exe

 

Save it and right click and Run  As  Admin then OK the terms.  Once it opens click on Device.  You will see a list of drives and such.  You should be able to tell which one is Harddisk1

 

Your other errors are interesting.  Appears that SAM did not fireup correctly or has gotten into never-never-land.  Most of the other errors are because SAM was hosed.

 

 
 
The WdiServiceHost service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error:  The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation.  To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

 

 

I don't have LSA in services but do have SAM.  It is set for Automatic and it is started.  More on it here:

 

https://technet.micr...8(v=ws.10).aspx

 

Don't know how it can get in the wrong state.  

 

This is what it should show if you run :

 

sc queryex samss

In a Run As Admin Command Prompt:

 
SERVICE_NAME: samss
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 728
        FLAGS              : RUNS_IN_SYSTEM_PROCESS

  • 0

#84
britechguy

britechguy

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 221 posts

When I run the command you show above in an elevated command prompt my result is precisely the same as yours, with the exception of the PID, of course.

 

Now for hare-brained confession time, though I don't know whether this will be the "deciding factor" or not.  There is a single hard drive on this machine that is partitioned into two logical drives.  At one point I was tinkering with the paging file settings on this machine to see if I could fine tune things "better than Windows can manage it."  I thought I had decided that I couldn't and set everything back to letting Windows manage it.   Yesterday I noticed that processes were writing to C:\pagefile.sys and D:\pagefile.sys and I thought:

 

                  -  I didn't realize that I still had a D:\pagefile.sys

                  -  These processes could easily be engaged in a "fight to the death" trying to read/write to two page files on the same physical drive

 

As a result, I promptly went back and made sure that Windows was managing the page file size and that it only existed on the C:\drive.  So far things have been much quieter, but I'm going to keep monitoring for several days before I declare that my own bone-headedness created the situation.  There have been periods where the system goes along just fine for days at a time before getting "locked up" with wild disk activity.

 

The page file must get used when processes are "swapped out" because I'm nowhere near to using all of the RAM on this computer.  It has 4 GB and it's using only a hair over 3 GB most of the time, even when it's "busy."  I installed the maximum amount the hardware would support shortly after I got it.  When things are working correctly it remains more than adequate for what I need it for.


  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP