Understanding Disk Activity using Process Monitor is Part 2 in my series, How to use Process Monitor. If you want to learn Process Monitor (ProcMon) from the beginning, please refer to: Understanding Windows Process Layer using Process Monitor (ProcMon) – Part 1.
Here we are going to learn more about Disk Activity using this tiny yet powerful tool named Process Monitor.
You can download the tool from: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
Scenario 1
Sometimes you might come across issues where some application or process is doing a lot of reads or writes on the disk, but you are not able to figure out which process is doing this. Disk Activity in Task Manager will be showing as 100%.
Scenario 2
Sometimes we might even get into issues where the C: drive keeps filling up, but we have no idea which file or folder is getting all these reads and writes.
Process Monitor (ProcMon) can help you isolate these issues very easily, without any hassle.
To create an issue in the environment for scenarios 1 and 2, I will be using the DiskSPD tool.
If you want to understand more about this tool named DiskSPD, please visit: https://knowitlikepro.com/test-storage-performace-using-diskspd/
Identify the Files creating high Disk Write:
We will use DiskSPD to create disk activity on a file. This tool will create a 1GB file and write to it for 60 seconds:
diskspd.exe -b8K -d60 -h -L -o2 -t4 -r -w100 -c1024M C:\io.dat
Now, before running the command, let's clear and pause Process Monitor (ProcMon) as shown in the image below:
Let's start the capture and hit Enter at the command prompt. The tool is going to run for 60 seconds, so we will pause the capture once it completes.
In the DiskSPD output you will see that 4 threads in total did 2029920256 bytes of writes on the IO.dat file.
Since we are only doing writes, the Read IO section shows 0.
Total IO
thread | bytes | I/Os | MiB/s | IOPS | AvgLat | LatStdDev | file |
0 | 510984192 | 62376 | 8.12 | 1039.60 | 1.920 | 1.107 | C:\io.dat (1024MiB) |
1 | 516472832 | 63046 | 8.21 | 1050.77 | 1.900 | 1.025 | C:\io.dat (1024MiB) |
2 | 512974848 | 62619 | 8.15 | 1043.65 | 1.914 | 1.072 | C:\io.dat (1024MiB) |
3 | 489488384 | 59752 | 7.78 | 995.87 | 2.006 | 1.311 | C:\io.dat (1024MiB) |
Total: | 2029920256 | 247793 | 32.26 | 4129.88 | 1.934 | 1.132 |
Read IO
thread | bytes | I/Os | MiB/s | IOPS | AvgLat | LatStdDev | file |
0 | 0 | 0 | 0 | 0 | 0 | N/A | C:\io.dat (1024MiB) |
1 | 0 | 0 | 0 | 0 | 0 | N/A | C:\io.dat (1024MiB) |
2 | 0 | 0 | 0 | 0 | 0 | N/A | C:\io.dat (1024MiB) |
3 | 0 | 0 | 0 | 0 | 0 | N/A | C:\io.dat (1024MiB) |
total: | 0 | 0 | 0 | 0 | 0 | N/A |
Write IO
thread | bytes | I/Os | MiB/s | IOPS | AvgLat | LatStdDev | file |
0 | 510984192 | 62376 | 8.12 | 1039.6 | 1.92 | 1.107 | C:\io.dat (1024MiB) |
1 | 516472832 | 63046 | 8.21 | 1050.77 | 1.9 | 1.025 | C:\io.dat (1024MiB) |
2 | 512974848 | 62619 | 8.15 | 1043.65 | 1.914 | 1.072 | C:\io.dat (1024MiB) |
3 | 489488384 | 59752 | 7.78 | 995.87 | 2.006 | 1.311 | C:\io.dat (1024MiB) |
total: | 2029920256 | 247793 | 32.26 | 4129.88 | 1.934 | 1.132 |
You can see the 1GB file created on the C drive:
Now, while Process Monitor (ProcMon) is paused, go to Tools > File Summary…
Once you click this, it opens the File Summary, which shows the recent activity of all the files that Process Monitor (ProcMon) was able to capture.
Here you have 3 different views; however, the best one is By Folder.
Once you have selected that, you can sort the data by Write Bytes:
After sorting, you can see a huge chunk of 2.2 GB of data that is written on the C drive:
Once you expand the C drive, you will see the file IO.dat that we created, and its Write Bytes value is roughly the same as the output of DiskSPD, i.e. approximately 2.2GB.
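The same roll-up can be reproduced offline from a saved capture, which helps when the trace has to be analysed away from the affected machine. This is an added example, not part of the original post: it assumes the capture was saved as CSV with ProcMon's default columns, and the sample rows, the logger.exe process, the PIDs and the timestamps are constructed.

```python
import csv
import io
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed rows in the default column layout of a ProcMon CSV export.
# Not a real capture: logger.exe, the PIDs and the timestamps are made up.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.1000000","diskspd.exe","4242","WriteFile","C:\io.dat","SUCCESS","Offset: 0, Length: 8,192, I/O Flags: Non-cached, Priority: Normal"
"10:15:01.1000100","diskspd.exe","4242","WriteFile","C:\io.dat","SUCCESS","Offset: 81,920, Length: 8,192, I/O Flags: Non-cached, Priority: Normal"
"10:15:01.1000200","diskspd.exe","4242","WriteFile","C:\io.dat","SUCCESS","Offset: 16,384, Length: 8,192, I/O Flags: Non-cached, Priority: Normal"
"10:15:01.2000000","logger.exe","1337","WriteFile","C:\Logs\app\trace.log","SUCCESS","Offset: 0, Length: 1,024, Priority: Normal"
"10:15:01.3000000","logger.exe","1337","ReadFile","C:\io.dat","SUCCESS","Offset: 0, Length: 4,096, Priority: Normal"
'''

# ProcMon prints sizes with thousands separators ("8,192"); the capture may
# include the trailing comma, which is stripped together with the others.
LENGTH_RE = re.compile(r"Length: ([\d,]+)")

def write_totals(csv_text):
    """Sum successful WriteFile bytes per file, per folder and per process."""
    by_file, by_folder, by_process = Counter(), Counter(), Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "WriteFile" or row["Result"] != "SUCCESS":
            continue  # reads, registry events and failed writes are ignored
        match = LENGTH_RE.search(row["Detail"])
        if match is None:
            continue
        size = int(match.group(1).replace(",", ""))
        path = PureWindowsPath(row["Path"])
        by_file[str(path)] += size
        # Credit every ancestor folder, so the drive root carries the total
        # of its subtree, like the expandable tree in the By Folder view.
        for folder in path.parents:
            by_folder[str(folder)] += size
        by_process[(row["Process Name"], row["PID"])] += size
    return by_file, by_folder, by_process

if __name__ == "__main__":
    # For a real export: open(path, newline="", encoding="utf-8-sig").read()
    files, folders, procs = write_totals(SAMPLE_CSV)
    for title, table in (("file", files), ("folder", folders), ("process", procs)):
        print(f"-- write bytes by {title}")
        for key, total in table.most_common():
            print(f"{total:>12,}  {key}")
```

The per-process table answers Scenario 1 (which process is writing) and the per-folder table answers Scenario 2 (where the data is landing).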
Bro I know Ex-EPS can only explain like this. Great work
Thank you Javed!