System process eats all available C: drive space

A

Andrew

The process "System" in the Task Manager on my Windows XP Pro SP2 (all
patched to date) will constantly eat disk space (I/O Write Bytes goes up
steadily) whenever I free up space on my C: drive... And clears up again
when I reboot...

Thurs, Oct 26th, I came in to work and my PC had a message saying my C:
drive space was low. Not thinking much of it, I moved an 8GB VM image I had
there over to my D: drive and carried on.

Around 1 or 2pm I got another message from windows saying my C: drive was
running low on space.(!) ... So now I'm trying to figure out what is eating
up space and moving another few GB of stuff over to D: ... and as I watch,
the C: drive space drops... Every few seconds I see it drop.

I use Treesize to try to find the directory or file being written to.. But
every time I move stuff off the C: drive, the total used space reported by
Treesize goes down... and then my hard drive fills up again, and the total
size reported by Treesize does *not* go up! (and yes.. I do have "Show
hidden files and folders" checked... and I do not have "Hide protected
operating system files" checked)

I got to a point where Treesize was indicating a total of about 40 GB used
on my 70GB C: drive - but the C: drive was *full* - no space available.

Trying to determin what was writing - All I could tell is that the process
"system" was writing the data - via I/O Write Bytes in task manager.
Sysinternals Process Explorer shed no more light on it, nor did filemon...

Filemond does not indicate any file being constantly written to... after
I'd disabled almost everything with autoruns, rebooted, and then stopped
every service that it would let me... There were maybe a dozen or less
processes running.. and only small periodic file access shown by filemon...
Yet the System process continued to write steadily.

Diskmon indicated data being written, but diskmon does not tell you what's
writing the data. :(

So I looked in my add/remove programs and in my Program Files folder and
tried to figure out everything I'd installed recently, and came up with the
list:

MS Power Shell
nncron
thinktecture - WSCF
VSWindowManager2005
CMAK
IE7

I couldn't find anything in add/remove programs for CMAK, so I renamed the
directory in Program Files... Then I uninstalled Power Shell, no change,
nncron, WSCF, VSwindowManager2005, then IE7... all no change, but the IE7
removal finally prompted me to reboot.

When I rebooted, and opened up the Task Manager... It was still eating up
space. I tried to do a bit of work (this is my work PC after all) before it
ate all my space... and I shortly noticed it had stopped writing at about
1.5GB or so... _stopped_!

Great! - What's the thing of those I wanted most... Power Shell... So it's
the first to go back... I re-install Power Shell, and reboot.. and...
wait.. and wait.. after it started getting up over 3GB written... I gave
up.

I un-installed Power Shell and re-booted.

And I wait... I'm waiting... I wrote this while I was waiting... It just
went up over 2GB :(

Argh.

Some time later I check back... It's up over 7GB... I can probably get away
with this... I just need to reboot every day to reclaim that 30GB and I'll
be good for another day or so. ;)

Any thoughts or suggestions would be very much appreciated. I would also
prefer to figure out what it is rather than re-install or whatever. (I
don't seem to have any restore points before yesterday)

Thanks for reading... ;)

Cheers
 
G

Gerry Cornell

Andrew

To increase you free space on your C select Start, All Programs,
Accessories, System Tools, Disk CleanUp, More Options, System Restore and
remove all but the latest System Restore points? Restore points can be quite
large.

It is likely that an allocation of 12% has been made to System Restore on
your C partition which is over generous. I would reduce it to 700 mb. Right
click your My Computer icon on the Desktop and select System Restore.
Place the cursor on your C drive select Settings but this time find the
slider and drag it to the left until it reads 700 mb and exit. When you get
to the Settings screen click on Apply and OK and exit.

If your hard drive is formatted as NTFS another potential gain arises with
your operating system on your C drive. In the Windows Directory of your
C partition you will have some Uninstall folders in your Windows folder
typically: $NtServicePackUninstall$ and $NtUninstallKB282010$ etc.

These files may be compressed or not compressed. If compressed the text
of the folder name appears in blue characters. If not compressed you can
compress them. Right click on each folder and select Properties, General,
Advanced and check the box before Compress contents to save Disk Space.
On the General Tab you can see the amount gained by deducting the size
on disk from the size. Folder compression is only an option on a NTFS
formatted drive / partition.

Another default setting on a large drive which could be wasteful is that for
temporary internet files especially if you do not store offline copies on
disk. The default allocation is 3% of drive. Depending on your attitude to
offline copies you could reduce this to 1% or 2%. In Internet Explorer
select Tools, Internet Options, General, Temporary Internet Files, Settings
to make the change. At the same time look at the number of days history
is held.

The default allocation for the Recycle Bin is 10 % of drive. On your drive
5% should be sufficient. In Windows Explorer place the cursor on your
Recycle Bin, right click and select Properties, Global and move the slider
from 10% to 5%,

Are any Norton products installed? If yes are you using Norton Protected
Storage

What programmes are you using when playing with images. Perhaps the
programme creates backups to enable you to undo changes!

--

Hope this helps.

Gerry
~~~~
FCA
Stourport, England

Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
A

Andrew

Andrew

To increase you free space on your C select Start, All Programs,
Accessories, System Tools, Disk CleanUp, More Options, System Restore and
remove all but the latest System Restore points? Restore points can be quite
large.

It is likely that an allocation of 12% has been made to System Restore on
your C partition which is over generous.
[...]

If your hard drive is formatted as NTFS another potential gain arises with
your operating system on your C drive. In the Windows Directory of your
C partition you will have some Uninstall folders in your Windows folder
typically: $NtServicePackUninstall$ and $NtUninstallKB282010$ etc.

These files may be compressed or not compressed. If compressed the text
of the folder name appears in blue characters. If not compressed you can
compress them.
[...]

Another default setting on a large drive which could be wasteful is that for
temporary internet files especially if you do not store offline copies on
disk. The default allocation is 3% of drive. Depending on your attitude to
offline copies you could reduce this to 1% or 2%. In Internet Explorer
select Tools, Internet Options, General, Temporary Internet Files, Settings
to make the change. At the same time look at the number of days history
is held.

The default allocation for the Recycle Bin is 10 % of drive. On your drive
5% should be sufficient. In Windows Explorer place the cursor on your
Recycle Bin, right click and select Properties, Global and move the slider
from 10% to 5%,

Are any Norton products installed? If yes are you using Norton Protected
Storage

What programmes are you using when playing with images. Perhaps the
programme creates backups to enable you to undo changes!


Hello Gerry,

Thank you very much for taking the time to reply... And for your
suggestions.

However, of the things you mention: System restore, compressing the
NT*Uninstall files in the windows directory, temp internet files, the
recycle bin, possible norton protected storage, and possible automatic
image backup by image software... None of those will cause the system
process to write continually until the free 30 gigs on my C: drive is
full... and then release the 30 gigs so it's free again every time I
reboot.

I'm not trying to free up more space.. There's not much point when I have
30GB free (on my 70GB C: drive) every time I reboot. I am trying to figure
out why the System process will constantly write to my C: drive as long as
there's space available... And then free it up again when I reboot.

Also, treesize (which I guess you're not familiar with...) would show the
system restore files using up the space.. Since as I mentioned I have both
show hidden files and show system files configured in my folder options.

I don't have norton installed (or anything like it - my recycle bin is the
normal windows one)

I do very much appreciate that you're trying to help though.

Any other thoughts or suggestions from you or anyone would be much
appreciated!

Thanks :)

- Andrew
 
G

Gerry Cornell

Andrew

I take your point.

Another approach. Can we put a name to this ever growing file?

To investigate how you are using hard disk space you need to make sure that
you can see all files. Go to Start, Control Panel, Folder Options, View,
Advanced Settings and verify that the box before "Show hidden files and
folders" is checked and "Hide protected operating system files " is
unchecked. You may need to scroll down to see the second item. You should
also make certain that the box before "Hide extensions for known file types"
is not checked. Next in Windows Explorer make sure View, Details is selected
and then select View, Choose Details and check before Name, Type, and Total
Size.

You still will not see the System Volume Information folder but for all
practical
purposes I think we can put that to one side.

Next use the Search option in Windows Explorer to search My Computer for
files over 1 mb. Sort the result in order of size by clicking on size over
the list of
files. Hopefully you should then being to spot the offending file.

--

Hope this helps.

Gerry
~~~~
FCA
Stourport, England

Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
A

Andrew

Hi Gerry!

Thank you very much for continuing to try to help me solve this annoying
problem... It's fixed!! (Thanks to you!) :)

I was going to say that as per my original post (I know, it was long) I
already have show hidden files checked and hide protected operating system
files unchecked and that since I'd run treesize... It should have shown me
the directory with a large file(s) fairly easily...

But I guess since it turned out to be one huge log file (30GB, of course,
when my drive was full) that never really got closed... So it didn't really
register in treesize somehow..

And so even though I'd done more or less the same as you'd suggested... I
know it always helps not only to have another brain working on the
problem... But to also even try things different ways... So when I did a
file search as per your suggestion... It turned up a 500 MB file (even
though the missing disk space was getting up to about 25 GB by then) and
then the thing was.. when I tried to open it and it said it couldn't
because it was in use.. (and that was a clue too!) But as soon as I clicked
OK.. The file size jumped up to 25GB! So I felt fairly confident that I'd
finally found the culprit!

It turned out to be C:\Windows\system32\Logfiles\WMI\trace.log

A quick Google search on that turned up the info: One of the things I'd
done just before this all started was to try to run Bootvis to see if I
could help my boot time (it takes forever, but I suspect it's mostly due to
transferring my roaming profile) but.. After it re-booted, bootviz just
crashed when it tried to start up. I tried to run it again manually and it
just did the same thing... So... I (mistakenly) thought it just wasn't
going to do whatever it was supposed to do and forgot about it.

It turns out it continued to write this trace log file until you run it
again (and either have it come up, which I couldn't because it just
crashes.. or use a command line option, which is what I ended up doing) and
tell it to STOP TRACING! ;)

Then I just deleted the 30 GB file and I have lots of free space and the
System process is no longer eating it up!

Thanks again very much for helping me to solve this very frustrating
problem! :)

I wish I could do more than just say thanks... But please know at least
that I truly appreciate you help!

Cheers

- Andrew
 
G

Gerry Cornell

Thanks Andrew for letting us know the outcome. Bootvis was withdrawn
some time ago. I am not sure why. Of course it is available still from
sources other than Microsoft.


--

Regards.

Gerry
~~~~
FCA
Stourport, England

Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top