Windows 10 Disk Usage at 100% but no corresponding process shows in task manager
Over the past month (possibly more), I have noticed that my laptop (running Windows 10) frequently becomes almost unusably slow, especially after many days of not having turned it on.
I notice that the disk usage in the task manager is at 100% for long periods of time; however, this is ridiculous because even the sum of all the processes [that I can see...] could only approach about 5-10% in the generous case.
This is a development machine with 8GB RAM, i7 processor, plenty of space. There are almost no startup programs other than MS default programs (and even there I culled most of the non-essentials out of the startup list). I have also gone through and progressively disabled services such as BITS, Superfetch etc. to no observable effect.
What makes this more suspicious is the pattern in which it occurs - the issue is worst at startup after many days of the computer being physically disconnected and turned off. The startup time is around 3-5 minutes (!) after which the disk runs at 100% usage for a few minutes and then for no explicable reason, suddenly drops down to around 1-5%. All this without showing any processes near full disk usage.
After around a month of investigating this, I am beginning to suspect the involvement of malware, particularly because of the discrepancy in the task manager but also because of how the issue suddenly corrects itself. I should also note that the computer runs AVG Free edition and scans of the computer and anti-rootkit are coming up clean. That being said, I want to pursue the possibility that this could be malware connecting and updating itself, or even worse, exfiltrating data [or even worse, chewing my disk to encrypt my files while telling me everything is OK]?
Currently I do not observe an irregular amount of network traffic which would support the exfiltration theory, however it is also possible to hide this from the task manager / wireshark using a rogue driver.
I have a number of questions:
- Does this pattern of behavior fit any known malware / APT threats?
- Supposing I were to continue this into the forensics direction, what further steps could be taken to investigate and validate the drivers on the machine?
- What steps beyond task manager can I take in order to monitor and identify the process which is actually responsible for the 100% disk usage?
- Are there any legitimate / Windows reasons this might be occurring and if so, how can I narrow down and isolate the problematic components?
Do not rely on Task Manager as it will only show you what is running in Windows. You need to be looking at Resource and Performance Monitor (perfmon.exe), which will give you a better idea of exactly what is using resources. Hyper-V, for instance, will not show in Task Manager but will show in Resource Monitor.
When you see 100% usage, sort by write. If you don't see anything huge, check read.
How old is your HDD and what is the model of it?
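The procedure the answer above describes (watch per-process disk I/O, sort by write, then by read, and work out which process the busy PID really is) can also be done from the console. The following PowerShell script is an added example, not code from the original question or answer; it polls the same Windows performance-counter classes that feed Resource Monitor (Win32_PerfFormattedData_PerfDisk_PhysicalDisk and Win32_PerfFormattedData_PerfProc_Process), lists the top writers/readers per sample, and maps each PID to its image path, Authenticode status and, for svchost.exe, the hosted services. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, run from an elevated prompt so that every process's image path is readable; the parameter names and defaults are this example's own.

```powershell
# Added example (not from the original post or answer): a console stand-in
# for Resource Monitor's Disk tab. Run elevated. Assumes Windows PowerShell
# 5.1 or PowerShell 7 on Windows.
param(
    [int]$Samples  = 6,   # polls to take
    [int]$Interval = 5,   # seconds between polls
    [int]$Top      = 8    # processes to list per poll
)

function Get-DiskBusy {
    # Disk-level view: this is where the "100%" figure comes from.
    Get-CimInstance Win32_PerfFormattedData_PerfDisk_PhysicalDisk |
        Where-Object { $_.Name -ne '_Total' } |
        Select-Object Name, PercentDiskTime, CurrentDiskQueueLength,
                      DiskReadBytesPersec, DiskWriteBytesPersec
}

function Get-TopIoProcesses {
    param([int]$Count)
    # Per-process I/O bytes/sec, sorted by writes first, then reads.
    # Caveat: the Process\IO counters count file, network and device I/O
    # together, and paging or kernel-side work is charged to "System"
    # (PID 4) or not attributed to any process at all, so compare the
    # totals here with the PhysicalDisk figures before drawing conclusions.
    Get-CimInstance Win32_PerfFormattedData_PerfProc_Process |
        Where-Object { $_.Name -notin '_Total', 'Idle' } |
        Sort-Object -Property IOWriteBytesPersec, IOReadBytesPersec -Descending |
        Select-Object -First $Count Name, IDProcess,
                      IOReadBytesPersec, IOWriteBytesPersec
}

function Resolve-ProcessIdentity {
    param([uint32]$ProcessId)
    # Map a PID to its image on disk, the image's signature status and,
    # for service hosts, the services living inside it. A busy svchost.exe
    # is only meaningful once you know which services it hosts.
    $proc = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    $path = $proc.Path
    $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
    $svcs = (Get-CimInstance Win32_Service -Filter "ProcessId = $ProcessId" |
             Select-Object -ExpandProperty Name) -join ','
    [pscustomobject]@{
        PID       = $ProcessId
        Image     = if ($path) { $path } else { '(no path: kernel, protected or exited)' }
        Signature = $sig
        Services  = $svcs
    }
}

for ($i = 1; $i -le $Samples; $i++) {
    Write-Host ("=== sample {0} of {1} at {2:HH:mm:ss} ===" -f $i, $Samples, (Get-Date))
    Get-DiskBusy | Format-Table -AutoSize
    $top = Get-TopIoProcesses -Count $Top
    $top | Format-Table -AutoSize
    # Identify only the processes that actually moved bytes in this sample.
    $top | Where-Object { ($_.IOReadBytesPersec + $_.IOWriteBytesPersec) -gt 0 } |
        ForEach-Object { Resolve-ProcessIdentity -ProcessId $_.IDProcess } |
        Format-Table -AutoSize
    if ($i -lt $Samples) { Start-Sleep -Seconds $Interval }
}
```

Run it during one of the slow periods after a cold boot, e.g. `.\Watch-DiskIo.ps1 -Samples 12 -Interval 10` (the script name is the example's own). If the PhysicalDisk counters show the disk busy but no user process accounts for the bytes, the work is being done by the kernel or by a driver on behalf of "System", which is exactly the case Task Manager cannot attribute; a Resource Monitor or perfmon trace of the Disk tab over the same window is the next step. An image whose Signature is anything other than Valid is worth a closer look, but unsigned does not by itself mean malicious.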