How do I find out why my computer is thrashing its drive?

I booted up today and my disk hasn't stopped thrashing in 20 minutes. CPU activity is flat; the only processes using anything right now are firefox and dwm.exe and it's ~1%. So I figured I'd look at what's happening with Procmon.

svchost.exe is making thousands of requests per second. It looks like something or the other is running an install, because it checks HKLM\System\Setup\SystemSetupInProgress every few milliseconds. It's also looking at files in C:\Windows\System32\wbem\repository a lot; I presume that's WMI queries. Everything else looks like random hard drive queries (for example, it looked for "close.WAV" in 7 or 8 program files directories.

I want whatever it is to STFU and stop thrashing my hard drive (since starting this post it sounds like it's calming down.) But since it's hiding in svchost.exe, it's pretty hard for me to tell it to calm down. The Event Viewer doesn't seem to indicate much, though there's about 15 failures that seem to hint it tried to install some automatic updates. I set my computer to ask before installing them; I'm not sure why it'd do this.

Why is there not a "WTF are you doing?" button? Why is it so easy for a process to perform hard drive olympics while I have nothing to do but sit back and hope it's for the better? Is there any way to figure out exactly what's going on when this happens?


From my Post on What’s making my disk thrash in Windows XP?

Download Process Explorer from Microsoft / Sysinternals.

Run it and click view > Select columns. Click on the Process Performance Tab, and select "I/O Reads" and "I/O Writes".

You can do this from Task manager, but I prefer using Process Explorer.

You can then sort by these columns and see what is doing the most read / writes.

(if using Vista / 7 remember to run as ADMIN (or click file then "show details for all processes" which will do this for you)

I tend to find that Dropbox and mesh on a few machines I support seem to run wild with read/write bytes 24/7 so if you use any sycn software, first bet is to look at that, however running this tool should tell you exactly what is wrong.

In addition, you can click on any of the graphs at the top of the screen which brings up a "System Information" dialog of historic information. One of the graphs (third one down) is "I/O Bytes", Simply hover your mouse over any of the peaks, and it will tell you what is taking up the most resources. - Exactly what you want!


Probably about the best solution is to use Process Explorer or Process Monitor to narrow down to a particular svchost instance and get the list of which services are inside it. Then you can individually set each service (1 by 1) to disabled until you figure out which service was the cause of the thrashing.


Use Process Explorer from the same Syinternals site as Procmon to get the break down of the svchost processes.