Understanding Disk Activity using Process Monitor - Part 2


Understanding Disk Activity using Process Monitor is Part 2 in my series, How to use Process Monitor. If you want to learn Process Monitor (ProcMon) from the beginning, please refer to: Understanding Windows Process Layer using Process Monitor (ProcMon) – Part 1.

Here we are going to learn more about Disk Activity using this tiny yet powerful tool named Process Monitor.

You can download the tool from: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

Scenario 1

Sometimes you might come across issues where some application or process is doing a lot of reads or writes on the disk, but you are not able to figure out which process it is. Disk activity in Task Manager will show as 100%.

Task Manager

Scenario 2

Sometimes we might even run into issues where the C: drive keeps filling up, but we have no idea which file or folder is receiving all these reads and writes.

My Computer

Process Monitor (ProcMon) can help you isolate these issues very easily, without any hassle.

To create an issue in the environment for scenarios 1 and 2, I will be using the DiskSPD tool.

If you want to understand more about this tool named DiskSPD, please visit: https://knowitlikepro.com/test-storage-performace-using-diskspd/

Identify the Files Creating High Disk Writes:

We will use DiskSPD to create disk activity on a file. This tool will create a 1GB file, to which we will write for 60 seconds:

diskspd.exe -b8K -d60 -h -L -o2 -t4 -r -w100 -c1024M C:\io.dat

Now, before running the command, let's clear and pause Process Monitor (ProcMon) as shown in the image below:

ScreenShot1

Let’s start the capture and hit Enter on the command prompt. The tool is going to run for 60 seconds, so we will pause the capture once it completes.

Screenshot2

In the DiskSPD output you will see that 4 threads in total did 2029920256 bytes of writes on the IO.dat file. Since we are only doing writes, the Read IO table is all 0.

Total IO

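| thread | bytes | I/Os | MiB/s | IOPS | AvgLat | LatStdDev | file |
|---|---|---|---|---|---|---|---|
| 0 | 510984192 | 62376 | 8.12 | 1039.60 | 1.920 | 1.107 | C:\io.dat (1024MiB) |
| 1 | 516472832 | 63046 | 8.21 | 1050.77 | 1.900 | 1.025 | C:\io.dat (1024MiB) |
| 2 | 512974848 | 62619 | 8.15 | 1043.65 | 1.914 | 1.072 | C:\io.dat (1024MiB) |
| 3 | 489488384 | 59752 | 7.78 | 995.87 | 2.006 | 1.311 | C:\io.dat (1024MiB) |
| Total: | 2029920256 | 247793 | 32.26 | 4129.88 | 1.934 | 1.132 | |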

Read IO

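| thread | bytes | I/Os | MiB/s | IOPS | AvgLat | LatStdDev | file |
|---|---|---|---|---|---|---|---|
| 0 | 0 | 0 | 0 | 0 | 0 | N/A | C:\io.dat (1024MiB) |
| 1 | 0 | 0 | 0 | 0 | 0 | N/A | C:\io.dat (1024MiB) |
| 2 | 0 | 0 | 0 | 0 | 0 | N/A | C:\io.dat (1024MiB) |
| 3 | 0 | 0 | 0 | 0 | 0 | N/A | C:\io.dat (1024MiB) |
| total: | 0 | 0 | 0 | 0 | 0 | N/A | |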

Write IO

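| thread | bytes | I/Os | MiB/s | IOPS | AvgLat | LatStdDev | file |
|---|---|---|---|---|---|---|---|
| 0 | 510984192 | 62376 | 8.12 | 1039.6 | 1.92 | 1.107 | C:\io.dat (1024MiB) |
| 1 | 516472832 | 63046 | 8.21 | 1050.77 | 1.9 | 1.025 | C:\io.dat (1024MiB) |
| 2 | 512974848 | 62619 | 8.15 | 1043.65 | 1.914 | 1.072 | C:\io.dat (1024MiB) |
| 3 | 489488384 | 59752 | 7.78 | 995.87 | 2.006 | 1.311 | C:\io.dat (1024MiB) |
| total: | 2029920256 | 247793 | 32.26 | 4129.88 | 1.934 | 1.132 | |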

You can see the 1GB file created on the C drive:

File Properties

Now, while Process Monitor (ProcMon) is paused, go to Tools > File Summary…

Screenshot 3

Once you click this, it opens the File Summary, which shows the recent activity of all the files that Process Monitor (ProcMon) was able to capture.

Here you have 3 different views; however, the best one is By Folder:

File summary 1

Once you have selected that, you can sort the data by Write Bytes:

File Summary 2

After sorting, you can see a huge chunk of 2.2 GB of data that was written to the C drive:

File Summary 3

Once you expand the C drive, you will see the file IO.dat that we created, and its Write Bytes value is roughly similar to the output of DiskSPD, i.e. approximately 2.2GB.

File Summary 4

You can now use this tool to troubleshoot issues where you are not sure which file is filling up the space, even after you delete files and clear space. You can also use it to find which file is getting the major share of reads/writes on your system.
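
The same "sort by Write Bytes" ranking can be reproduced offline from a capture saved as CSV, grouped by process, folder or file, which is useful when the trace comes from another machine. This is an added example, not part of the original post; it assumes ProcMon's default CSV columns and a "Length: n" field in the Detail of WriteFile events, and the sample rows (including logger.exe and C:\Logs\app.log) are constructed.

```python
import csv
import io
import ntpath
import re
from collections import Counter

# Constructed rows in the default column layout of a ProcMon CSV export;
# logger.exe and C:\Logs\app.log are made-up names, not from a real capture.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000001","diskspd.exe","4120","CreateFile","C:\io.dat","SUCCESS","Desired Access: Generic Read/Write"
"10:01:02.0000102","diskspd.exe","4120","WriteFile","C:\io.dat","SUCCESS","Offset: 0, Length: 8,192, I/O Flags: Non-cached, Priority: Normal"
"10:01:02.0000203","diskspd.exe","4120","WriteFile","C:\io.dat","SUCCESS","Offset: 8,192, Length: 8,192, I/O Flags: Non-cached, Priority: Normal"
"10:01:02.0000304","diskspd.exe","4120","WriteFile","C:\io.dat","SUCCESS","Offset: 16,384, Length: 8,192, I/O Flags: Non-cached, Priority: Normal"
"10:01:02.0000405","logger.exe","5012","WriteFile","C:\Logs\app.log","SUCCESS","Offset: 0, Length: 512, Priority: Normal"
"10:01:02.0000506","logger.exe","5012","ReadFile","C:\Logs\app.log","SUCCESS","Offset: 0, Length: 4,096, Priority: Normal"
'''

# Assumption: WriteFile events carry "Length: <n>" in Detail, with thousands
# separators as in the sample above.
LENGTH_RE = re.compile(r"Length: ([\d,]+)")

def group_key(row, group):
    # "Folder" groups by the parent directory of Path; any other value of
    # group is used as a CSV column name ("Path", "Process Name").
    return ntpath.dirname(row["Path"]) if group == "Folder" else row[group]

def top_writers(csv_text, group="Path"):
    """Return [(group value, bytes written)], largest writer first."""
    totals = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "WriteFile" or row["Result"] != "SUCCESS":
            continue  # reads, opens and failed writes put no data on the disk
        match = LENGTH_RE.search(row["Detail"])
        if match:
            totals[group_key(row, group)] += int(match.group(1).replace(",", ""))
    return totals.most_common()

if __name__ == "__main__":
    # For a real export: open(path, encoding="utf-8-sig").read() strips any BOM.
    for group in ("Process Name", "Folder", "Path"):
        print(group, top_writers(SAMPLE_CSV, group))
```

Grouping by "Process Name" answers Scenario 1 (which process is writing), while "Folder" and "Path" answer Scenario 2 (where the data is landing).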

For more information on this Process Monitor (ProcMon) series, please refer to: https://knowitlikepro.com/category/tools-and-software/process-monitor/


Ashutosh Dixit

I am currently working as a Senior Technical Support Engineer with VMware Premier Services for Telco. Before this, I worked as a Technical Lead with Microsoft Enterprise Platform Support for Production and Premier Support. I am an expert in High-Availability, Deployments, and VMware Core technology along with Tanzu and Horizon.

This Post Has 2 Comments

  1. Javed Saifi

    Bro I know Ex-EPS can only explain like this. Great work

    1. Ashutosh Dixit

      Thank you Javed!
