Skip navigation
Process Explorer.png

Hard Drive Health Check: Suspicious Activity on Windows Server Volumes

When it's time for a hard drive health check, Process Explorer can help. Here's how to get and use the free Microsoft tool.

Sometimes, hard disk activity is observed on a Windows Server volume that should be idle. Here's how to do a hard drive health check to determine whether the activity is part of some standard operating procedure or something more sinister.

Suspicious activity on a Windows Server volume that is supposed to be idle can stem from many different things. The activity may be maintenance related. In fact, Windows itself performs periodic maintenance tasks, which may include storage defragmentation and integrity checks. Similarly, hardware vendors sometimes perform automated health checks at the hardware level. Unexpected disk activity can also be attributed to things like data indexing or malware scans.

At the same time, unexpected storage activity can point to malicious activity. Most ransomware variants, for example, encrypt data before notifying the victim of the infection. This encryption process can generate large amounts of storage I/O.

So, how can you figure out what is causing unexpected disk activity on your Windows Server volumes? While there are a variety of methods that can be used, I personally like to use a tool called Process Explorer, a free tool from Microsoft’s Sysinternals collection. This is different from the similarly named Process Monitor. You can download the tool here.

Explorer 1.jpg

Figure 1

This is what the Process Explorer interface looks like.

Initially, the display can be a bit chaotic looking, and it does not show any information related to disk activity. However, it is possible to reconfigure the display so that it shows you the information that you are interested in. To do so, go to the View menu, and choose the Select Columns command. This will cause Windows to display the Select Columns dialog box.

If you look at Figure 2, you can see that the dialog box is divided into several different tabs, each relating to some aspect of the process. For instance, there is a tab related to network activity, a tab related to memory use, and so on. Each of these tabs contains numerous check boxes that you can select or deselect as a way of displaying or hiding information related to the various processes.

Explorer 2.jpg

Figure 2

The Select Columns dialog box allows you to change the information that is displayed to suit your needs.

If your goal is to track down unexpected disk activity, then a good place to start is the Process Disk tab. This tab allows you to display columns related to disk reads, writes and other disk activity. You can see what this information looks like in Figure 3. Incidentally, the colors that are used in the display indicate the processes' functions. The light red color for example, indicates that the process belongs to a system service. The Options menu includes a Configure Colors option that shows what the various colors mean.

 Explorer 3.jpg

Figure 3

Process Explorer can show you which processes are generating storage IOPS.

The main reason I like Process Explorer is because it can provide a wealth of information about each process. If a process is generating storage IOPS, you can double click on the process to learn all about it.

As much as I might like Process Explorer, I sometimes find that Resource Monitor is a better tool for the job--at least, initially. To see why this is the case, let’s suppose for a moment that you were trying to figure out why storage IOPS were occurring on a server’s F: drive. The Process Explorer will show you which processes are generating storage IOPS, but it makes no distinction between IOPS on the C: drive and IOPS on the F: drive. The Resource Monitor will help you to figure out where IOPS are being directed. You can then use Process Explorer to gather additional information.

You can launch Resource Monitor by opening the Task Manager, going to the Performance tab, and then clicking on Open Resource Monitor. Once the Resource Monitor opens, go to the Disk tab, and then expand the Disk Activity section. As you can see in Figure 4, this section will show you the specific storage location that a process is accessing. You can even click on the File column header to sort the activity by drive. Once you are able to determine which process is causing the unexpected disk activity, you can switch back over to Process Explorer and use it as a tool for researching the process.

 Explorer 4.jpg

Figure 4

The Resource Monitor can show you the specific storage location that a process is accessing.

 

 

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish