Why is Windows 10 Reading files like crazy when idle?

Topic

New Reply

I happened to notice my Windows 10 VM, when left alone a while, starts reading files like crazy – to the tune of tens of MB per second or more – from all over the system volume. I’ve left it for 7 hours and it continues. The files are mostly executables and DLLs, but not all. The screen grab here with Resource Monitor shows the mix of files being read.

Since it’s in a VMware VM I can watch the display even when it thinks it’s idle, by just not capturing the mouse in the VM UI. In the screen grab I disconnected the mouse input while hovering over process 1056 in Process Hacker, so it would break out the services in a ToolTip.

Screen grab:
http://Noel.ProDigitalSoftware.com/ForumPosts/Win10/14393/HighDiskActivityWhenIdle.png

If I move the mouse around in the VM the activity stops abruptly, as though it’s been caught doing something it shouldn’t be. Perhaps it’s some kind of idle maintenance activity, though I can’t imagine that continually reading the disk at a fairly high rate all day could be useful.

The activity is attributed to svchost by Resource Monitor; process ID 1056, specifically, which hosts these services:

• AudioEndpointBuilder (Windows Audio Endpoint Builder)
• DeviceAssociationService (Device Association Service)
• StorSvc (Storage Service)
• SysMain (SuperFetch)
• TrkWks (Distributed Link Tracking Client)
• UmRdpServices (Remote Desktop Services UserMode Port Redirector)

Of the above, my suspicions fall mostly on StorSvc and SysMain.

Observations:

It’s not doing any significant network activity besides typical link maintenance with other LAN systems.

The CPU used is not high, just a few percent, which implies it’s only partially saturating one of the cores. It’s not particularly intensive activity like you might expect with a malware scan.

I don’t believe it’s a defrag, because hardly anything is written.

File History is not enabled.

Process Hacker doesn’t attribute as much I/O to svchost as Resource Monitor does in the top pane, and Resource Monitor itself shows a disparity between the Read rate in the top pane by svchost (typically showing 60+ megabytes per second) and the Disk I/O rate in the middle pane (typically showing 20 ish megabytes per second). That just seems weird.

I think the next thing I’ll try is disabling SuperFetch.

Can you suggest what else I can do to try to narrow down what’s happening?

-Noel

Reply | Quote

Replies

Very curious???? 😛

What jumps to mind immediately is Windows Defender(or like) scanning behavior or indexing behavior of Windows Search/Explorer….

Best I can do off the top of my head???? very curious???

--------------------------------------

1. Tower Totals: 2xSSD ~512GB, 2xHHD 20 TB, Memory 32GB

SSDs: 6xOS Partitions, 2xW8.1 Main & Test, 2x10.0 Test, Pro, x64

CPU i7 2600 K, SandyBridge/CougarPoint, 4 cores, 8 Threads, 3.4 GHz
Graphics Radeon RX 580, RX 580 ONLY Over Clocked
More perishable

2xMonitors Asus DVI, Sony 55" UHD TV HDMI

1. NUC 5i7 2cores, 4 Thread, Memory 8GB, 3.1 GHz, M2SSD 140GB
1xOS W8.1 Pro, NAS Dependent, Same Sony above.

-----------------

1 user thanked author for this post.

Noel Carboni

Reply | Quote

Thanks. I hadn’t thought of indexing, but I don’t think that can be it. I have indexing turned off entirely, and notably we don’t see SearchIndexer listed in the running processes. Plus I never observed indexing to stop when a system became interactively used.

I only disabled SuperFetch literally 10 minutes ago, but so far I haven’t seen the activity start back up.

-Noel

Reply | Quote

I understand,

I just don’t have the capacity today to dig into you image, that’s why I said “top of my head”.
Also, they are my old problems and like wise Window Search is disabled, and I do keep an eye on WD in the bottom right corner of my screen by System Explorer. I call it a lite form of several Sysinternals tools.

I am curious, do you run SSD’s under your OS? As I understand it, if you do, one should not leave “Fetch” or “Super Fetch” on because of harm on the SSD. By the way, SSD’s support software runs in system idle.

--------------------------------------

1. Tower Totals: 2xSSD ~512GB, 2xHHD 20 TB, Memory 32GB

SSDs: 6xOS Partitions, 2xW8.1 Main & Test, 2x10.0 Test, Pro, x64

CPU i7 2600 K, SandyBridge/CougarPoint, 4 cores, 8 Threads, 3.4 GHz
Graphics Radeon RX 580, RX 580 ONLY Over Clocked
More perishable

2xMonitors Asus DVI, Sony 55" UHD TV HDMI

1. NUC 5i7 2cores, 4 Thread, Memory 8GB, 3.1 GHz, M2SSD 140GB
1xOS W8.1 Pro, NAS Dependent, Same Sony above.

-----------------

Reply | Quote

Everything here runs off of SSDs. I have 8 of them in my workstation organized in two 4 x 480 GB drive RAID 0 arrays. One array is volume C: and boots and runs the workstation and the other, V:, hosts my virtual machines.

I do have several internal HDDs and a number of external HDDs, but they hold only low access and backup data and are spun down almost all the time.

SuperFetch – when running per design – shouldn’t harm SSDs, since its intent is to pre-load things you’re likely to use FROM the drive(s) into the file system RAM cache so that they’ll be very quick to load should you decide to use them. SSDs don’t mind being read from at all. It’s only writing that stands to “wear them out” – and practically speaking the lifetime write limits are stratospheric in modern hardware.

Regarding SSD write load in my system, with so many SSDs sharing the load even though the first 4 of my drives are from 2012 and I’ve used my system pretty heavily since then (it’s on 24/7), they have decades of life left in them at the rate I’m going (the SMART data says so). I’ll have moved to NVMe storage or something even more sophisticated well before these drives get anywhere close to their lifetime write cycle limits.

We could have a very long discussion about “internet SSD advice”, but I’ll summarize it like this:

There is a LOT of “lore” out there about SSDs and what to do / not to do. I’ve got quite a few years experience with them now, and I can tell you most of the stuff you find out there about SSD storage is at best outdated, and at worst so incomplete or inaccurate that the recommendations are actually counter to reality.

Bottom line: If SuperFetch can be trusted to work properly, you probably want to have it on. Even though SSDs are very fast, RAM is still faster. 🙂

-Noel

1 user thanked author for this post.

satrow

Reply | Quote

I am new to SSD’s. I am not the one to have a discussion with but Samsung’s SSD Division might be? I use the Samsung Magician which advocates this.
I might pose the question to the PCPer’s expert, and see what he says.

--------------------------------------

1. Tower Totals: 2xSSD ~512GB, 2xHHD 20 TB, Memory 32GB

SSDs: 6xOS Partitions, 2xW8.1 Main & Test, 2x10.0 Test, Pro, x64

CPU i7 2600 K, SandyBridge/CougarPoint, 4 cores, 8 Threads, 3.4 GHz
Graphics Radeon RX 580, RX 580 ONLY Over Clocked
More perishable

2xMonitors Asus DVI, Sony 55" UHD TV HDMI

1. NUC 5i7 2cores, 4 Thread, Memory 8GB, 3.1 GHz, M2SSD 140GB
1xOS W8.1 Pro, NAS Dependent, Same Sony above.

-----------------

Reply | Quote

I asked Allyn Malventano a storage expert from https://www.pcper.com/ about the SSD’s. I have been watching their Netcast(podcast with Video) for years and have come to trust their guidance and advise.
See our short conversation on Twitter:
https://twitter.com/malventano/status/843975082091446272

I will continue to keep the fetches turned OFF.

--------------------------------------

1. Tower Totals: 2xSSD ~512GB, 2xHHD 20 TB, Memory 32GB

SSDs: 6xOS Partitions, 2xW8.1 Main & Test, 2x10.0 Test, Pro, x64

CPU i7 2600 K, SandyBridge/CougarPoint, 4 cores, 8 Threads, 3.4 GHz
Graphics Radeon RX 580, RX 580 ONLY Over Clocked
More perishable

2xMonitors Asus DVI, Sony 55" UHD TV HDMI

1. NUC 5i7 2cores, 4 Thread, Memory 8GB, 3.1 GHz, M2SSD 140GB
1xOS W8.1 Pro, NAS Dependent, Same Sony above.

-----------------

1 user thanked author for this post.

Noel Carboni

Reply | Quote

PhotM wrote:

I will continue to keep the fetches turned OFF.

Thank you for the follow-up, Crysta.

You are to be commended for making your own decisions after gathering information. Few folks do that.

Notably for me back in 2013 a full clean Windows 8.1 install on my SSD array did NOT default SuperFetch to off. Did it misrecognize the array? Hard to imagine, given the high WEI score, but maybe.

I wonder what Windows version Allyn is talking about defaulting to off.

For what it’s worth, I haven’t seen the problem occur again.

Oh, and I did try running Windows 10 without it on and frankly I didn’t notice one iota of difference in responsiveness.

I am now going to have to carefully consider whether to turn SuperFetch off on my main Win 8.1 workstation is a good idea. On the one hand I like things that run as simply as possible. On the other, it’s already supremely stable and performs well just as is. The “if it works don’t fix it” adage applies…

Since I saw a problem once, it’s definitely going to stay off in my Win 10 VM. One less service running might bring some additional performance in other ways.

-Noel

1 user thanked author for this post.

PhotM

Reply | Quote

You would have to ask him Noel, but I believe he is probably talking W 8.1 Pro and W 10.0 Pro. Just ask him in the same Twitter Thread. I have them off on my my 4 partition as well as my NUC. When I do an upgrade they are on for a short time until I get to my UWT tweaks and settings step. I have yet to notice a difference so why not shutdown 2 more services…. 😀

Thanks for the compliment. I have never had a problem making decisions or being a student of subject. 😀

--------------------------------------

1. Tower Totals: 2xSSD ~512GB, 2xHHD 20 TB, Memory 32GB

SSDs: 6xOS Partitions, 2xW8.1 Main & Test, 2x10.0 Test, Pro, x64

CPU i7 2600 K, SandyBridge/CougarPoint, 4 cores, 8 Threads, 3.4 GHz
Graphics Radeon RX 580, RX 580 ONLY Over Clocked
More perishable

2xMonitors Asus DVI, Sony 55" UHD TV HDMI

1. NUC 5i7 2cores, 4 Thread, Memory 8GB, 3.1 GHz, M2SSD 140GB
1xOS W8.1 Pro, NAS Dependent, Same Sony above.

-----------------

Reply | Quote

PhotM wrote:

Just ask him in the same Twitter Thread.

I don’t “tweet”. In fact, I had to un-blacklist twitter.com in order to even see the thread you mentioned. 🙂

But it’s all good. I have already decided that I’m going to leave my Win 8.1 workstation config alone, and I’m going to disable SuperFetch entirely on my Win 10 VM. I consider it just another workaround for a deficiency in Windows 10.

-Noel

Reply | Quote

P.S., I noted that MemoryCompression is no longer listed as a running process after the SuperFetch service in Windows 10 is disabled. Hooray for yet another reduction in running processes!

-Noel

1 user thanked author for this post.

PhotM

Reply | Quote

That’s highly debatable if it is a good or bad thing.
Some would say that the memory compression is a fantastic new feature, although as far as I know, independent measurements show that the compression amount is tiny and because of that, there is no enhancement to memory utilisation due to this feature.

Reply | Quote

Crysta

I read your tweets with @malventano and he is right about the defaults.
However, as you said, it is not all black and white about the Superfetch for SSD.
This functionality can be left on with minimal difference if any.
What @malventano says is that SSD is fast enough to act as memory.
The other school of thought is that an SSD is fast, but not as fast as RAM, so Superfetch may still serve a good purpose.
The truth is that there no definitive answer and either way works pretty much the same.

What actually matters in relation to Superfetch is the BootDefrag associated functionality which can be disabled granularly – see my reply to Noel for registry keys associated – no Group Policy here 😀
What that does is that a file named layout.ini is created during idle periods laying out the files on disk as fetched by Superfetch. From there, the Bootdefrag tries to order the files on disk via the built-in defragmenter in such a way that the boot will get faster and faster in time. This function is not required on SSD and used in excess can be damaging to the SSD.
It is very likely that on Windows 10 and SSD, this is disabled by default by Windows, but in Windows 7 this is not so clear.

Reply | Quote

Resource Monitor shows AeroGlassGUI as high, order by Read MB/s?

1 user thanked author for this post.

Noel Carboni

Reply | Quote

AeroGlassGUI.exe isn’t running (or particularly special), and different programs/DLLs/files showed up on top of the list second to second.

And you can just see the top of a PhotoLine64.exe entry at the bottom of the visible client area that’s got an even bigger number.

-Noel

Reply | Quote

Blocking too much and retrying?

1 user thanked author for this post.

Noel Carboni

Reply | Quote

What, you mean blocking something with the firewall? Nothing is being logged as blocked.

Blocking things (e.g., services) from running in an uncommon way, causing some system function to get stuck in a loop? Why would something like that stop when the mouse is moved?

I even thought about possible malware, but a scan with MalwareBytes turns up nothing.

-Noel

Reply | Quote

Blocking things (e.g., services) from running in an uncommon way, causing some system function to get stuck in a loop?

This is what I was thinking.
The firewall would not log during the busy time because those processes would run in an infinite loop and never completing, i.e. it is too late even if the firewall would allow them to communicate now.

Reply | Quote

That’s a reasonable thought.

It stopped happening once I stopped and restarted the SuperFetch service, so I’m still leaning toward “intermittent bug”. Everything else is hanging together beautifully.

-Noel

Reply | Quote

More than half an hour of idle time after stopping and disabling the SuperFetch service and lo and behold… No more frantic reading of the disk while the system is idle.

It makes some sense… The files I saw it reading were just the kinds of files SuperFetch might be interested in optimizing access to. I wouldn’t have thought SuperFetch would just go on like that continuously though.

I’ve just re-enabled and started the SuperFetch service. I’ll report back if/when the activity starts up again.

I have no idea if this is abnormal, nor whether it might be new behavior of Win 10 after the March updates, or is something that’s been happening for a while. I might just not have noticed – my SSDs make no noise, and since they’re controlled by a PCIe card my front panel disk access light isn’t active when there’s SSD I/O. It only lights for motherboard SATA ports.

A question that comes to mind is this:

Does SuperFetch do this kind background activity on all systems when they’re idle, and most folks just don’t notice?

A corollary question:

If so, is it also true of Windows 8.1? 7?

-Noel

Reply | Quote

Noel Carboni wrote:

I’ve just re-enabled and started the SuperFetch service. I’ll report back if/when the activity starts up again.

I have no idea if this is abnormal, nor whether it might be new behavior of Win 10 after the March updates, or is something that’s been happening for a while.

Well, the disk reading of the same kinds of files by svchost process 1056 came back but it was a little different this time…

For a few minutes I saw the same kind of activity as before, but at lower level – hundreds of kbytes per second instead of megabytes per second. Then, continuing to leave the system alone, the activity ceased. Now the only file I/O I see is by PID 4 (System) doing occasional very small accesses to log files and some of the NTFS structural files.

My conclusion: It’s possible SuperFetch in Windows 10 build 14393.953 might be buggy, causing it to get into a loop where it continually reads files from the disk.

It seems as though I HAVE read occasional posts on forums about people wondering why their systems get busy on the disk when they should be idle. Maybe SuperFetch has been intermittently buggy for a while now.

-Noel

Reply | Quote

I’m not turning it back on to test 😉

There’s also the related ReadyBoot (Windows/Prefetch/ReadyBoot) and some ETL logging (System32/WDI/LogFiles/) which might be pertinent. If you can call up TaskMan with sub 16 seconds on the Uptime counter, you don’t need either running.

All referring to W7.

2 users thanked author for this post.

Noel Carboni, PhotM

Reply | Quote

satrow wrote:

some ETL logging (System32/WDI/LogFiles/) which might be pertinent

Come to think of it I did see some SleepStudy log accesses right after moving the mouse. I looked it up and apparently there are features that are supposed to monitor power consumption during sleep states. That’s doubly, or possibly triply unnecessary on a VM running on an AC-powered desktop system where neither the host nor guest ever sleep. I sure as heck don’t care too much about battery life. If I need more UPS time I’ll get a bigger battery pack.

In some ways, it’s a wonder that folks who don’t tweak their OSs for efficiency can get anything done at all.

-Noel

1 user thanked author for this post.

satrow

Reply | Quote

Superfetch in Windows 7 tends to stop after about 2 weeks if the drive is SSD. This is not sensed every time and in some instances the Superfetch service does not stop.
There are few components related to Superfetch functionality, mostly useful on HDD.
1. Prefetch which is the same functionality known from XP/2003.
2. Superfetch which is a superset of prefetch.
For both, the folder where data is written is C:\Windows\Prefetch – best seen as the built-in Administrator or any administrator with UAC disabled and Admin approval access disabled.
Registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters value EnablePrefetcher – set to 0 to disable, 3 to enable and possible 1 or 2 (not tested) for partial functionality like Prefetch in XP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysMain Start set to 4 to disable or other known values for services, can be set in GUI.

3. Boot optimization
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction
Value Enable REG_SZ Y or N
Apparently this can be trigered manually with
defrag c: -b at least in the old versions (not tested by me)

4. Related to boot optimization, layout.ini file, created only when idle – can be triggered with Rundll32.exe advapi32.dll,ProcessIdleTasks (tested by me and working if the registry keys allow it)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout
Value EnableAutoLayout with possible values 0 or 1

If Superfetch service is disabled, then none of the other components are functional and as far as I know, disabling this service does not affect any other Windows functionality. This is typical setup for SSDs, although it is not known to cause any harm if it is left running. Windows might stop it after a while for SSDs, after collecting enough “telemetry” 🙂 data.

You may have disk thrashing caused by the Boot Defrag component and not by the prefetching/superfetching funcitonality.
Try disabling only the BootDefrag as per item 3 above.

2 users thanked author for this post.

PhotM, Noel Carboni

Reply | Quote

Thanks for the info, ch100.

ch100 wrote:

You may have disk thrashing caused by the Boot Defrag component and not by the prefetching/superfetching funcitonality.
Try disabling only the BootDefrag as per item 3 above.

At this point I haven’t seen the issue recur, so I now fully believe it was a bona fide intermittent bug with SuperFetch.

-Noel

Reply | Quote

OKAY CH100,

3 and 4 the Names/values not in the Keys

1 and 2 are set Disabled.

This is on my Main W 8.1 Pro Partition. I will check the others in time but I would imagine they are the same

Thank You for the information, you know how I love Registry Keys 😉

--------------------------------------

1. Tower Totals: 2xSSD ~512GB, 2xHHD 20 TB, Memory 32GB

SSDs: 6xOS Partitions, 2xW8.1 Main & Test, 2x10.0 Test, Pro, x64

CPU i7 2600 K, SandyBridge/CougarPoint, 4 cores, 8 Threads, 3.4 GHz
Graphics Radeon RX 580, RX 580 ONLY Over Clocked
More perishable

2xMonitors Asus DVI, Sony 55" UHD TV HDMI

1. NUC 5i7 2cores, 4 Thread, Memory 8GB, 3.1 GHz, M2SSD 140GB
1xOS W8.1 Pro, NAS Dependent, Same Sony above.

-----------------

Reply | Quote

Noel Carboni wrote:

I happened to notice my Windows 10 VM, when left alone a while, starts reading files like crazy – to the tune of tens of MB per second or more – from all over the system volume. I’ve left it for 7 hours and it continues. The files are mostly executables and DLLs, but not all. The screen grab here with Resource Monitor shows the mix of files being read. Since it’s in a VMware VM I can watch the display even when it thinks it’s idle, by just not capturing the mouse in the VM UI. In the screen grab I disconnected the mouse input while hovering over process 1056 in Process Hacker, so it would break out the services in a ToolTip. Screen grab: http://Noel.ProDigitalSoftware.com/ForumPosts/Win10/14393/HighDiskActivityWhenIdle.png If I move the mouse around in the VM the activity stops abruptly, as though it’s been caught doing something it shouldn’t be. Perhaps it’s some kind of idle maintenance activity, though I can’t imagine that continually reading the disk at a fairly high rate all day could be useful. The activity is attributed to svchost by Resource Monitor; process ID 1056, specifically, which hosts these services:

• AudioEndpointBuilder (Windows Audio Endpoint Builder)
• DeviceAssociationService (Device Association Service)
• StorSvc (Storage Service)
• SysMain (SuperFetch)
• TrkWks (Distributed Link Tracking Client)
• UmRdpServices (Remote Desktop Services UserMode Port Redirector)

Of the above, my suspicions fall mostly on StorSvc and SysMain. Observations: It’s not doing any significant network activity besides typical link maintenance with other LAN systems. The CPU used is not high, just a few percent, which implies it’s only partially saturating one of the cores. It’s not particularly intensive activity like you might expect with a malware scan. I don’t believe it’s a defrag, because hardly anything is written. File History is not enabled. Process Hacker doesn’t attribute as much I/O to svchost as Resource Monitor does in the top pane, and Resource Monitor itself shows a disparity between the Read rate in the top pane by svchost (typically showing 60+ megabytes per second) and the Disk I/O rate in the middle pane (typically showing 20 ish megabytes per second). That just seems weird. I think the next thing I’ll try is disabling SuperFetch. Can you suggest what else I can do to try to narrow down what’s happening? -Noel

According to this article, “Windows 7/8/10 therefore by default will automatically disable SuperFetch and Prefetch, once it detects an SSD on your system.”  http://www.thewindowsclub.com/disable-superfetch-prefetch-ssd

Maybe because you have Windows 10 running as a VM in VMWare, it is not detecting an SSD due to actually running on a virtual HDD provided by the VMWare virtualization software.

Windows 10 Pro 22H2

1 user thanked author for this post.

Noel Carboni

Reply | Quote