How to Identify a Process Accessing your Disk Drive

PostScript: The below is interesting, but a lot of work! A much easier method is the one outlined here. I didn’t realize before that Task Manager could be customized!

Sometimes while I’m working on a computer, the whole machine suddenly slows to a crawl and the disk drive light starts flashing like crazy. My immediate thought is to kill the evil program or process that is slowing my computer down. It may be spyware, or it may be a legitimate but unnecessary program. The problem is, how do you identify which program is causing all the activity?

Well, until recently I wasn’t sure how to identify the program in XP. The best I could do was to press Ctrl-Alt-Del, pull up the task list, click on the “Processes” tab and then click on the “CPU” column (or sometimes the memory column), which gives you the list of running processes ordered by CPU usage. The CPU or memory usage doesn’t really tell the story though – the process using the disk drive may use very little CPU power or memory. Or more likely, there are so many processes running, and they change order so constantly, that you can’t tell which one is the most active and dragging your computer down with it.

Well, here’s a better way:

  1. Click on Start->Run
  2. Type “perfmon.msc” (without the quotes of course) and hit the Enter key. This will start the Performance Monitor of Windows XP.
  3. Select “System Monitor” in the left column (if it’s not already highlighted).
  4. Right click on the graph on the right and select “Properties”
  5. Click the “Data” tab and click on the “Remove” button until all counters are removed
  6. Click the “Add” button
  7. Click “Use local computer counters”
  8. Under “Performance object”, click “Process” in the drop-down menu
  9. In the radio buttons, click “All Instances” (so you will monitor all processes) and “Select Counters From List”
  10. Click “IO Data Operations/sec” and click “Add”.
  11. Click “Close”
  12. Now you will be on the “Data” tab and it will list all the counters you added (one IO Data Operation for each Process). It also adds a “Total” usually at the bottom of the list. I would suggest selecting the Total counter and removing it (you usually don’t want to see total activity as it will clutter up the display). Notice that as you click on each counter for each process it will show a different color associated with that process.
  13. Click the tab “General”
  14. On the General Tab click “Histogram” (rather than graph – Histogram will allow you to better identify the activity)
  15. Click “Ok”.
  16. You should now see a graph which will show you a different color for each process that is performing I/O operations. To identify the application that’s causing the activity, double click the graph bar and it will identify the process and counter. To show more detailed information, right click and select “Properties” and the Data tab will open, highlighting the exact counter information.
  17. Here’s a screenshot (showing only the graph portion of the display) as an example. I did a search using Explorer’s file search, and the brown bar popped up, indicating a process was using a lot of I/O operations. I clicked on the bar, and the process (explorer) was highlighted below:
    [Screenshot: perfmon-1.jpg]

  18. Save the arrangement by clicking on File, Save As and name it something like “Disk Monitoring Utility”. You can then just double click on your saved file and the monitor will pop up exactly as you configured it. So for instance, if I notice my disk light pop on and my drive thrashing away, I just double click the file, double click the bar that’s causing the activity and the offending process is quickly identified. I can then decide if I want to kill it.
  19. You can of course use this same technique to identify any other resource-intensive process by experimenting with different counters.
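
The same counter can be sampled from a command line instead of the GUI. The script below is an added example, not part of the original post: it assumes a Windows system with PowerShell's `Get-Counter` cmdlet (not installed by default on XP) and English counter names, and the function name `Get-TopIoProcess` is made up for illustration. It goes one step beyond the histogram by also reading the “ID Process” counter, so each instance is tied to a PID and an executable path.

```powershell
# Added example: rank processes by the "IO Data Operations/sec" counter from
# step 10, averaged over a few samples, and resolve each one to a PID and path.
# Assumes English counter names; Get-TopIoProcess is a hypothetical name.
function Get-TopIoProcess {
    param(
        [int]$Samples = 5,           # number of samples to average
        [int]$IntervalSeconds = 1,   # seconds between samples
        [int]$Top = 10               # how many processes to list
    )

    $counters = '\Process(*)\IO Data Operations/sec', '\Process(*)\ID Process'
    # Processes that exit mid-sample raise non-fatal errors; suppress them.
    $sets = Get-Counter -Counter $counters -SampleInterval $IntervalSeconds `
                        -MaxSamples $Samples -ErrorAction SilentlyContinue

    $rates   = @{}   # instance name -> list of sampled I/O rates
    $procIds = @{}   # instance name -> PID seen in the latest sample
    foreach ($set in $sets) {
        foreach ($s in $set.CounterSamples) {
            $name = $s.InstanceName
            # Skip the aggregate and idle pseudo-instances (step 12 removes "Total").
            if ($name -eq '_total' -or $name -eq 'idle') { continue }
            if ($s.Path -like '*\id process') {
                $procIds[$name] = [int]$s.CookedValue
            } else {
                if (-not $rates.ContainsKey($name)) { $rates[$name] = @() }
                $rates[$name] += $s.CookedValue
            }
        }
    }

    $rates.GetEnumerator() | ForEach-Object {
        $procId = $procIds[$_.Key]
        $path = $null
        if ($procId) {
            $p = Get-Process -Id $procId -ErrorAction SilentlyContinue
            if ($p) { $path = $p.Path }   # stays empty for protected processes
        }
        New-Object PSObject -Property @{
            Instance       = $_.Key
            ProcessId      = $procId
            AvgIoOpsPerSec = [math]::Round(($_.Value | Measure-Object -Average).Average, 1)
            Path           = $path
        }
    } | Sort-Object AvgIoOpsPerSec -Descending |
        Select-Object -First $Top Instance, ProcessId, AvgIoOpsPerSec, Path
}

Get-TopIoProcess | Format-Table -AutoSize
```

Note that this counter covers all I/O a process issues (file, network and device), so a busy network client can rank high without touching the disk. Instance names such as `svchost#1` only distinguish duplicates, which is why the PID and path columns are the ones to check when deciding whether a process is legitimate.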
