Guest
I cannot figure this one out... I hope somebody here has a clue about this.
I have a workstation where on every boot, it will have a very large amount
of hard drive IO for about 15 minutes. My first thoughts were Virus Scan or
Windows Defender. I did some digging using Sysinternals' Process Explorer
and FileMon.
What I found surprised me... The culprit was SERVICES.EXE. According to
Process Explorer, the only two service threads hosted under that process are
EventLog and PlugPlay. However, from what I understand, SERVICES.EXE is also
the host of the SCM, so all other services are spawned from it... Although
they are in their own unique processes, so I am assuming I wouldn't see hard
drive I/O in services.exe related to the deeper services.
FileMon revealed that SERVICES.EXE is "touching" every single file on my
hard drive. It does the following to each file: Open, Query Information,
Query Security, Set Security, Close.
Fifteen minutes later, it's done.
What is going on here?
Some additional information...
- SERVICES.EXE - I/O Reads: 600, I/O Writes: 13,565, I/O Other: 897,745
- Entire hard drive is cleared of all NTFS auditing entries (SACL)
- Audit object access is disabled in security policy settings
- Nothing shows up in the System or Application event logs, except normal
messages, such as "event log service started" and then each various service
starting and a few .NET 2.0 Runtime errors (shim database error - known issue
from MS and unrelated).
- Virus scanner is McAfee and Windows Defender beta is running, but neither
process shows disk usage and both have automatic scheduled system scans
disabled.
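One way to pin down the "Set Security on every file" and "SACL cleared" observations is to plant a known audit entry on a scratch file, record which files carry audit ACEs, reboot, and record again. The script below is an added example for that check; it is not code from the original post or from Sysinternals. The function names, the CSV paths and the canary file path are this example's own choices. Reading or writing a SACL requires SeSecurityPrivilege, so it has to run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post). Plant a canary audit ACE, then
# record which files under a root still carry NTFS audit entries (SACL ACEs)
# before and after a reboot and diff the two reports. Requires an elevated
# prompt (SeSecurityPrivilege). All paths and function names are assumptions.

function Add-TestAuditRule {
    # Adds a harmless "audit successful ReadData by Everyone" ACE to one file.
    param([Parameter(Mandatory)][string]$Path)
    $acl  = Get-Acl -LiteralPath $Path -Audit          # -Audit fetches the SACL as well
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
                'Everyone', 'ReadData', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-SaclReport {
    # Walks $Root and writes one CSV row per object with its audit ACEs.
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$Out
    )
    $rows = foreach ($item in Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue) {
        try {
            $acl   = Get-Acl -LiteralPath $item.FullName -Audit -ErrorAction Stop
            $rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
            [pscustomobject]@{
                Path       = $item.FullName
                AuditCount = $rules.Count
                AuditRules = ($rules | ForEach-Object {
                                 '{0}:{1}:{2}' -f $_.IdentityReference, $_.AuditFlags, $_.FileSystemRights
                             }) -join ';'
                Error      = ''
            }
        } catch {
            # Access denied, reparse points, over-long paths: recorded rather than silently dropped.
            [pscustomobject]@{ Path = $item.FullName; AuditCount = -1; AuditRules = ''; Error = $_.Exception.Message }
        }
    }
    $rows | Export-Csv -LiteralPath $Out -NoTypeInformation -Encoding UTF8
    $withAudit = @($rows | Where-Object AuditCount -gt 0)
    $errors    = @($rows | Where-Object AuditCount -lt 0)
    Write-Host ('{0} objects scanned, {1} with audit entries, {2} unreadable -> {3}' -f
                $rows.Count, $withAudit.Count, $errors.Count, $Out)
    return $withAudit
}

function Compare-SaclReport {
    # Lists files that had audit ACEs in the "before" report and lost them (or had them changed) in "after".
    param(
        [Parameter(Mandatory)][string]$Before,
        [Parameter(Mandatory)][string]$After
    )
    $b = @(Import-Csv -LiteralPath $Before | Where-Object { [int]$_.AuditCount -gt 0 })
    $a = @(Import-Csv -LiteralPath $After  | Where-Object { [int]$_.AuditCount -gt 0 })
    Compare-Object -ReferenceObject $b -DifferenceObject $a -Property Path, AuditRules |
        Where-Object SideIndicator -eq '<=' |
        Select-Object Path, AuditRules
}

# Usage (elevated PowerShell; canary path and root are example choices):
#   New-Item -ItemType File -Path 'C:\sacl-canary.txt' -Force | Out-Null
#   Add-TestAuditRule -Path 'C:\sacl-canary.txt'
#   Get-SaclReport -Root 'C:\' -Out "$env:TEMP\sacl-before.csv"
#   # reboot, wait for the 15 minutes of I/O to finish, then:
#   Get-SaclReport -Root 'C:\' -Out "$env:TEMP\sacl-after.csv"
#   Compare-SaclReport -Before "$env:TEMP\sacl-before.csv" -After "$env:TEMP\sacl-after.csv"
```

If the canary's audit ACE is gone after the reboot, something with SeSecurityPrivilege is rewriting SACLs across the volume, which matches the Query Security / Set Security pair FileMon showed. If it survives, the Set Security calls are rewriting security descriptors without changing the SACL, and the next thing to check is the DACL and owner columns of the same before/after reports.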