Tool to log the disk I/O of the specific process to the file

I'm using Windows 8 x64. MSSE (renamed to Windows Defender) constantly causes a BSoD during the quick scan (the problem described here). I want to find out which was the last file (or files) it accessed.

Normally I use SysInternals Process Monitor for such tasks. However, it has no option to save events as they are generated, and because the system crashes with BSoD, I can't see any output.

Do you know a tool that monitors disk I/O like SysInternals Process Monitor does, but saves all the data to the HDD (filtering out its own disk I/O, of course)?

Soonts

Posted 2013-03-23T19:37:25.267

Reputation: 576

Answers

  1. Enable a full crash dump. Press Win+Pause, go to "Advanced system settings" → Advanced tab, and under "Startup and Recovery" click on Settings.

  2. Make sure your pagefile is large enough to hold a complete dump, i.e. at least RAM size + 256 MB.

    • go to "Advanced system settings" → Advanced tab

    • under Performance, click Settings and go to the Advanced tab

    • click "Change.." and select "Custom size"

    • don't forget to click Set before OK; clicking OK alone won't work

    If after that you have less than (25 GB + RAM size) of free space on the system drive, do the following:

    • open Regedit

    • navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl

    • create a DWORD key AlwaysKeepMemoryDump with the value of 1

    • reboot

  3. Start an Xperf trace (xperf -on DiagEasy from the admin console), which captures HDD activity.

  4. Run MSE (or Windows Defender) and wait for the crash.

  5. Reboot to Windows and open the Memory.dmp file with WinDbg. Inside Windbg run the following command to see all active ETW loggings:

    !wmitrace.strdump
    
  6. Look which number is the "NT Kernel Logger". Now run the following command to export the data into a ETL file:

    !wmitrace.logsave 0xNUMBER c:\DISK.etl
    
  7. Open the ETL file in xperfview/WPA and look at the Disk I/O graph to see which files were accessed.

magicandre1981

Posted 2013-03-23T19:37:25.267

Reputation: 86 560

I've managed to create the full dump and save the ETL. The problem is, WPA doesn't want to open the ETL, saying "Trace C:\Temp\Crashes\DISK.etl could not be successfully opened [0x80070570]. Aborting operation". Any ideas? – Soonts – 2013-03-24T21:24:30.363

The code means file corrupt (0x80070570 = ERROR_FILE_CORRUPT). Try to open the ETL with xperfview instead. – magicandre1981 – 2013-03-25T05:15:35.187

Same error. BTW, I have a feeling those 2 tools (wpa.exe and xperfview.exe) are merely thin wrappers over some shared library (even the error message title is the same, "Windows Performance Analyzer"). Tried recreating the ETL, no luck. – Soonts – 2013-03-25T12:52:30.367

Ask MSFT, here in the comments or via mail, how to avoid corrupted ETL files: http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-29-WinDbg-ETW-Logging

– magicandre1981 – 2013-03-25T20:40:26.383
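The accepted answer's procedure, scripted end to end as an added example. This is not magicandre1981's code or anything from the page; it assumes an elevated PowerShell on the affected machine, that xperf.exe (Windows Performance Toolkit) and kd.exe (Debugging Tools for Windows) are on PATH, that the dump lands at %SystemRoot%\MEMORY.DMP, and that !wmitrace.strdump prints the logger as "Logger Id 0x.. @ ... Named 'NT Kernel Logger'" (that layout, and the regex built on it, is an assumption; if it does not match, read the id off the printed output by hand and run !wmitrace.logsave yourself).

```powershell
# Added example, not part of the original answer. Three phases:
#   .\etw-from-dump.ps1 -prepare   (steps 1-2: complete dump + pagefile), then reboot
#   .\etw-from-dump.ps1 -trace     (step 3: start the kernel logger), then start the scan
#   .\etw-from-dump.ps1 -export    (steps 5-6 after the crash: pull the ETL out of MEMORY.DMP)
# Assumptions: xperf.exe and kd.exe on PATH; dump written to %SystemRoot%\MEMORY.DMP.

$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$SysDrive     = $env:SystemDrive                      # usually C:
$DumpFile     = Join-Path $env:SystemRoot 'MEMORY.DMP'
$EtlOut       = "$SysDrive\DISK.etl"                  # same target the answer uses

function Enable-CompleteDump {
    # CrashDumpEnabled 1 = Complete memory dump (the Startup and Recovery dialog
    # may not list this option on Windows 8; the registry value works regardless).
    Set-ItemProperty -Path $CrashControl -Name CrashDumpEnabled -Value 1 -Type DWord
    Set-ItemProperty -Path $CrashControl -Name DumpFile -Value '%SystemRoot%\MEMORY.DMP' -Type ExpandString
}

function Set-PagefileForDump {
    # A complete dump is staged through the pagefile on the system drive, so it
    # must hold all of RAM plus headers: the answer's rule is RAM + 256 MB.
    $cs     = Get-CimInstance Win32_ComputerSystem
    $ramMB  = [int][math]::Ceiling($cs.TotalPhysicalMemory / 1MB)
    $pageMB = $ramMB + 256

    # Turn off "Automatically manage paging file size" and pin the size explicitly.
    $cs | Set-CimInstance -Property @{ AutomaticManagedPagefile = $false }
    $pf = Get-CimInstance Win32_PageFileSetting -Filter "Name='$SysDrive\\pagefile.sys'"
    if ($pf) {
        $pf | Set-CimInstance -Property @{ InitialSize = $pageMB; MaximumSize = $pageMB }
    } else {
        New-CimInstance -ClassName Win32_PageFileSetting -Property @{
            Name = "$SysDrive\pagefile.sys"; InitialSize = $pageMB; MaximumSize = $pageMB
        } | Out-Null
    }

    # Client SKUs delete the dump when free space is low unless AlwaysKeepMemoryDump
    # is set; the answer's threshold is 25 GB + RAM size of free space.
    $freeGB = (Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$SysDrive'").FreeSpace / 1GB
    if ($freeGB -lt (25 + $ramMB / 1024)) {
        Set-ItemProperty -Path $CrashControl -Name AlwaysKeepMemoryDump -Value 1 -Type DWord
    }
    return $pageMB
}

function Start-DiskTrace {
    # Step 3. The NT Kernel Logger's buffers live in kernel memory, so whatever has
    # not been flushed to disk at the moment of the BSoD is inside the complete dump.
    & xperf -on DiagEasy
    if ($LASTEXITCODE -ne 0) { throw "xperf -on DiagEasy failed with exit code $LASTEXITCODE" }
}

function Export-KernelLoggerFromDump {
    # Steps 5-6. kd -z opens a dump, -c runs debugger commands non-interactively.
    # !wmitrace needs kernel symbols, so point at the public symbol server if unset.
    if (-not (Test-Path $DumpFile)) { throw "No dump found at $DumpFile" }
    if (-not $env:_NT_SYMBOL_PATH) {
        $env:_NT_SYMBOL_PATH = "srv*$SysDrive\Symbols*https://msdl.microsoft.com/download/symbols"
    }
    $strdump = & kd -z $DumpFile -c '!wmitrace.strdump; q' 2>&1 | Out-String
    # Assumed output layout: Logger Id 0x02 @ 0xfffff... Named 'NT Kernel Logger'
    $m = [regex]::Match($strdump, "Logger Id\s+(0x[0-9A-Fa-f]+)[^\r\n]*Named\s+'NT Kernel Logger'")
    if (-not $m.Success) {
        throw "Could not find 'NT Kernel Logger' in !wmitrace.strdump output; read it manually:`n$strdump"
    }
    $loggerId = $m.Groups[1].Value
    & kd -z $DumpFile -c "!wmitrace.logsave $loggerId $EtlOut; q" | Out-Null
    if (-not (Test-Path $EtlOut)) { throw "!wmitrace.logsave did not produce $EtlOut" }
    return $loggerId
}

switch ($true) {
    ($args -contains '-prepare') {
        Enable-CompleteDump
        $mb = Set-PagefileForDump
        Write-Host "Pagefile pinned at $mb MB and complete dump enabled; reboot, then run -trace."
    }
    ($args -contains '-trace')   { Start-DiskTrace; Write-Host "Kernel logger running; start the scan now." }
    ($args -contains '-export')  {
        $id = Export-KernelLoggerFromDump
        Write-Host "Logger $id saved to $EtlOut; open it with: xperfview $EtlOut"
    }
    default { Write-Host "usage: etw-from-dump.ps1 -prepare | -trace | -export" }
}
```

The -prepare settings only take effect after a reboot, which is why the phases are split. Only events still sitting in the logger's kernel buffers at crash time reach the dump (xperf flushes filled buffers to its .etl on disk as it runs), which is exactly the tail of activity before the BSoD that the question is after; if the exported ETL fails to open, as in the comments above, the data recovered from the dump is what it is and the next step is the Defrag Tools contact magicandre1981 points to.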

Process Monitor can write to a log file on disk, see File → Backing Files.

user1686

Posted 2013-03-23T19:37:25.267

Reputation: 283 655

Nope. The file 'C:\Temp\2remove\FileIO.PML' was not closed cleanly during capture and is corrupt. – Soonts – 2013-03-23T20:04:26.817