Windows 10 Disk Usage at 100% but no corresponding process shows in task manager

3

1

Over the past month (possibly more), I have noticed that my laptop (running Windows 10) frequently becomes almost unusably slow, especially after many days of not having turned it on.

I notice that the disk usage in the task manager is at 100% for long periods of time, however this is ridiculous because even the sum of all the processes [that I can see...] could only approach about 5-10% in the generous case.

This is a development machine with 8GB RAM, i7 processor, plenty of space. There are almost no startup programs other than MS default programs (and even there I culled most of the non-essentials out of the startup list). I have also gone through and progressively disabled services such as BITS, Superfetch etc. to no observable effect.

What makes this more suspicious is the pattern in which it occurs - the issue is worst at startup after many days of the computer being physically disconnected and turned off. The startup time is around 3-5 minutes (!) after which the disk runs at 100% usage for a few minutes and then for no explicable reason, suddenly drops down to around 1-5%. All this without showing any processes near full disk usage.

After around a month of investigating this, I am beginning to suspect the involvement of malware, particularly because of the discrepancy in the task manager but also because of how the issue suddenly corrects itself. I should also note that the computer runs AVG Free edition and scans of the computer and anti-rootkit are coming up clean. That being said, I want to pursue the possibility that this could be malware connecting and updating itself, or even worse, exfiltrating data [or even worse, chewing my disk to encrypt my files while telling me everything is OK]?

Currently I do not observe an irregular amount of network traffic which would support the exfiltration theory, however it is also possible to hide this from the task manager / wireshark using a rogue driver.

I have a number of questions:

  1. Does this pattern of behavior fit any known malware / APT threats?
  2. Supposing I were to continue this into the forensics direction, what further steps could be taken to investigate and validate the drivers on the machine?
  3. What steps beyond task manager can I take in order to monitor and identify the process which is actually responsible for the 100% disk usage?
  4. Are there any legitimate / Windows reasons this might be occurring and if so, how can I narrow down and isolate the problematic components?

ose

Posted 2015-12-31T17:22:39.570

Reputation: 143

1disk usage or CPU usage is 100%? – schroeder – 2015-12-31T17:25:01.303

Disk usage, CPU is fine – ose – 2015-12-31T17:26:02.933

sounds like typical anti-malware behaviour - a scan is being triggered – schroeder – 2015-12-31T17:31:18.620

No record of such scans exist, and my antivirus is not set to perform any startup scans of any kind. – ose – 2015-12-31T17:32:45.927

Download Process Manager and see what it says. It is more complete than task manager.

– Neil Smithline – 2015-12-31T18:16:43.660

1My boss asked me to check out their computer for the same thing this week. I ran Process Hacker 2, windirstat and ccleaner on his machine. Through windirstat I discovered he had large generating log files. Process Hacker in detail showed me what services were keeping his hard disk busy. Through those details I was able to identify and disable legitimate but problematic programs. Ccleaner helped remove a bunch of additional unneeded logs and temp files. These three steps freed up nearly 50 gigs in 5 minutes as well as alleviating his HD traffic. – Bacon Brad – 2015-12-31T18:20:29.213

1The drive may be failing. If it goes to 100% with no or little actual reads/writes then that is most likely the issue. – Jonathan Gray – 2016-01-01T00:51:52.973

Answers

3

Do not rely on task manager as it will only show you what is running in Windows. You need to be looking at Resource and Performance Monitor (perfmon.exe) which will give you a better idea of exactly what is using resources. Hyper-V for instance will not show in Task Manager but will show in Resource Monitor.

When you see 100% usage, sort by write. If you don't see anything huge, check read.

How old is your HDD and what is the model of it?

Tim

Posted 2015-12-31T17:22:39.570

Reputation: 578
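A scripted version of the check described in the answer above, added here as an example and not part of the original answer: it samples the performance counters that Resource Monitor draws on, ranks processes by write and then read rate, and prints whole-disk figures next to them. It assumes English counter names (counter paths are localized) and an elevated PowerShell prompt so that all processes are visible.

```powershell
# Added example: compare whole-disk activity with per-process I/O rates.
# Assumption: English-language counter names; run from an elevated prompt.
$counters = @(
    '\PhysicalDisk(_Total)\% Idle Time',
    '\PhysicalDisk(_Total)\Disk Bytes/sec',
    '\PhysicalDisk(_Total)\Avg. Disk sec/Transfer',
    '\Process(*)\IO Read Bytes/sec',
    '\Process(*)\IO Write Bytes/sec'
)

# Five samples, two seconds apart. Processes that exit between samples
# raise non-fatal errors, which are suppressed here.
$samples = Get-Counter -Counter $counters -SampleInterval 2 -MaxSamples 5 -ErrorAction SilentlyContinue
$all = $samples | ForEach-Object { $_.CounterSamples }

# Average one counter (matched by path pattern) across all samples.
function Get-Average($pattern) {
    ($all | Where-Object { $_.Path -like $pattern } |
        Measure-Object -Property CookedValue -Average).Average
}

# Whole-disk view: active time, throughput and latency per transfer.
[pscustomobject]@{
    ActivePct        = [math]::Round(100 - (Get-Average '*physicaldisk(_total)\% idle time'), 1)
    DiskKBps         = [math]::Round((Get-Average '*physicaldisk(_total)\disk bytes/sec') / 1KB, 1)
    AvgMsPerTransfer = [math]::Round((Get-Average '*physicaldisk(_total)\avg. disk sec/transfer') * 1000, 1)
} | Format-List

# Per-process view: average read and write rates, sorted by write, then read.
$all |
    Where-Object { $_.Path -like '*\process(*' -and $_.InstanceName -notin '_total', 'idle' } |
    Group-Object InstanceName |
    ForEach-Object {
        $read  = ($_.Group | Where-Object Path -like '*io read bytes/sec'  | Measure-Object CookedValue -Average).Average
        $write = ($_.Group | Where-Object Path -like '*io write bytes/sec' | Measure-Object CookedValue -Average).Average
        [pscustomobject]@{
            Process   = $_.Name
            WriteKBps = [math]::Round($write / 1KB, 1)
            ReadKBps  = [math]::Round($read / 1KB, 1)
        }
    } |
    Sort-Object WriteKBps, ReadKBps -Descending |
    Select-Object -First 10 |
    Format-Table -AutoSize
```

The per-process `IO ... Bytes/sec` counters include file, network and device I/O, so treat them as an upper bound on disk traffic. If `ActivePct` is high while `DiskKBps` is low and `AvgMsPerTransfer` is large, no process in the table will account for the load, and the drive itself deserves a closer look.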

1To whoever downvoted: What steps beyond task manager can I take in order to monitor and identify the process which is actually responsible for the 100% disk usage?

That question I have answered. – Tim – 2015-12-31T18:16:36.433

3

This does not provide an answer to the question. To critique or request clarification from an author, leave a comment below their post - you can always comment on your own posts, and once you have sufficient reputation you will be able to comment on any post. - From Review

– Vilican – 2015-12-31T18:39:17.427

This does answer question #3 (and likely will point the OP to the true answer). Unfortunately, #3 is the non-security portion of the question. I'll let the community decide (I'm a mod), but I hope that this answer survives. – schroeder – 2015-12-31T19:42:41.557

Ahh. I missed the Resource Monitor reference despite multiple readings. It's sort of subtle. Good catch @schroeder. – Neil Smithline – 2015-12-31T20:47:35.247

1Tim, perhaps adding a resmon link would make the answer stronger. – Neil Smithline – 2015-12-31T20:50:05.987

perfmon.exe didn't really take me to a UI that would easily give me what I wanted. perfmon.exe /res did though. – horta – 2018-01-09T16:53:47.737