51

Recently I noticed some of our machines are getting sluggish, mainly after boot-up. Using the Resource Monitor I detected excessive disk access from the system process with PID 4. Following some tips, I disabled the anti-virus on the System Volume Information folder, hoping it will help (I don't want to disable system restore).

However, it seems like PID 4 is accessing everything. When running a simple extraction of a ZIP file, I can see WinRAR reading a few hundred KBs per second from the file, but PID 4 reads dozens of MBs per second from the same file. After cancelling the operation, PID 4 keeps accessing the file for around 30 seconds, reading many MBs per second. This is not a Resource Monitor bug, as the disk is clearly active, and stops once Resource Monitor says PID 4 is finally resting.

Why is this miraculous process accessing everything every other process accesses?

I'm using the AVG antivirus. Disabling it did not change this behavior.

What is going on here?

HopelessN00b
zmbq
  • PID 4 is the Process ID for the Windows SYSTEM process. It's a lot like PID 1 on Unix systems, in fact. A *lot* of services run under PID 4. – sysadmin1138 Aug 19 '12 at 13:13
  • Don't services run under their own processes? Anyway, even if that is so, why is it ordinary file accesses in regular non-service processes are mostly done under PID 4? – zmbq Aug 19 '12 at 19:30
  • I have the same problem and can't find any solution too. By any chance, do you use TrueCrypt? I use TrueCrypt system-wide encryption and I suspect that might be the cause, as it is running under "System" as a driver, and it needs to encrypt/decrypt every file access. –  Aug 20 '12 at 00:15
  • No, no TrueCrypt or any form of encryption here. – zmbq Aug 20 '12 at 04:57
  • Related question here: http://superuser.com/questions/349349/windows-7-system-process-reading-writing-like-crazy –  Sep 05 '12 at 21:03
  • Same problem, especially when opening IE. Chrome can run fine with 20 tabs open, but running IE with 2 tabs makes PID 4 spaz out, system is non responsive for around 30 seconds. Not running TrueCrypt. I use MS security essentials as AV. – Coomie Jul 09 '13 at 01:36
  • Mine was hammering wbem\repository\objects.data, not sure why. – MDMoore313 Jul 17 '13 at 13:52
  • Check this to detect what files this process writes - https://superuser.com/questions/716905/how-to-check-what-files-a-process-has-written-into and then investigate each folder. – Cherry Nov 28 '20 at 18:48

7 Answers

28

This is an older question, but I had this issue, and for me it was SuperFetch. I tried everything I could find on PID 4 excessive hard drive usage, and some of it helped. A RAM upgrade from 4GB to 8GB only made the issue more obvious - RAM usage was low, no paging, but yet the hard drive was lit up for ~10 minutes after my laptop booted.

Long story short, there's a registry setting that controls what level of SuperFetch is appropriate. You can see below the EnableSuperfetch value is now set to 1, which seems to be "prefetch all executables and libraries". The default is a 3, which seems to mean "prefetch all executables, libraries, and documents". I have many documents, so I think this was taking way too long. Every document opened is another one that SuperFetch has to "analyze" to see how you're using it.

The registry key/value in question is: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters\EnableSuperfetch

So far the only downside is that my Outlook folders take a few extra seconds to open, and some commonly used documents like MS Project files take longer. But those delays pale in comparison to the disk thrash I was getting before!

SuperFetch Registry Key

drharris
12

A lot of system services (I don't mean Windows Services) run under PID 4, the "System" process. Every time you open a file, you trigger a slew of background mechanisms such as the virtual memory manager caching the file in memory, moving other things around in memory, servicing page faults, etc. That activity is separate from the disk activity charged against the process that originally accessed the file, e.g. WinRAR.

That said, what you're describing still doesn't sound like normal behavior to me. You should see a quick bump in disk activity from the System process when the file is accessed, and then it should go back to 0 rather quickly - within a couple seconds.

I did a little testing on my own machine using Windows Resource Monitor, and I saw somewhat similar behavior. What I think we're witnessing is Resource Monitor showing us some sort of rolling average that is slow to drop off.

Try looking at PID 4 disk activity using another tool such as Sysinternals' Process Explorer. I got a much different impression from it, as the Read Delta and Read Bytes Delta by the System process seem to return to 0 much faster than when viewed through ResMon.


Edit: If that's not it, then I think a more in-depth analysis is going to be needed in order to answer the question. For instance, you can list the currently-loaded file system filter drivers with fltmc.exe, and kernrate.exe can help you isolate those modules which are causing inordinately high disk I/O.

Ryan Ries
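
The filter-driver inventory suggested in the answer above, as an added PowerShell example that is not part of the original answer: it parses `fltmc filters` output and labels each minifilter with its load order group, showing which anti-virus, encryption or monitoring drivers sit in the file I/O path. The filter names in the sample are constructed, and `ConvertFrom-FltmcOutput` is a hypothetical helper name; the three altitude ranges are the ones Microsoft publishes for those groups.

```powershell
# Added example: inventory file system minifilters from `fltmc filters` output.
# $sample is constructed text in fltmc's column layout, not captured from a real host.
$sample = @'
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
ExampleActivityMon                      4       385200         0
ExampleAvFilter                         4       328010         0
ExampleCrypt                            2       141100         0
FileInfo                                4        45000         0
'@

# Altitude ranges of three Microsoft-defined minifilter load order groups.
$groups = @(
    @{ Name = 'FSFilter Activity Monitor'; Low = 360000; High = 389999 }
    @{ Name = 'FSFilter Anti-Virus';       Low = 320000; High = 329999 }
    @{ Name = 'FSFilter Encryption';       Low = 140000; High = 149999 }
)

function ConvertFrom-FltmcOutput {   # hypothetical helper name
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Name, optional instance count (legacy filters show none), altitude, frame.
        if ($line -match '^(\S+)\s+(\d+)?\s+(\d+(?:\.\d+)?)\s+(\S+)\s*$') {
            $name      = $Matches[1]
            $instances = [int]$Matches[2]
            $altitude  = [double]$Matches[3]
            $group = $groups |
                Where-Object { $altitude -ge $_.Low -and $altitude -le $_.High } |
                Select-Object -First 1
            [pscustomobject]@{
                Filter    = $name
                Instances = $instances
                Altitude  = $altitude
                Group     = if ($group) { $group.Name } else { 'other' }
            }
        }
    }
}

# On a live host, run elevated and pass (fltmc.exe filters) instead of the sample.
# Higher altitude means the filter sees each request earlier on its way down the stack.
ConvertFrom-FltmcOutput ($sample -split '\r?\n') |
    Sort-Object Altitude -Descending |
    Format-Table -AutoSize
```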
6

The System process is used by Windows Update. If you have selected to install updates automatically, it is probable that your system is currently installing Windows software. If you run Windows Update and try to install updates, you will receive a message saying you cannot install as Windows is currently updating the system.

Change Windows Update to not download and install without manual action, and wait for the current installation to finish.

Caronte
1

I had the exact same symptoms. In my case they were related to Norton360 and the MS-SQL VSS service. Once I disabled VSS, my activity dropped significantly. System still locks up when Norton does its thing, but it's semi bearable since it only seems to happen every hour.

aggaton
1

Posting this answer here as I stumbled over this thread when looking for answers on why system process 4 was consuming so much read/write traffic.

Users, when having mapped drives or going out to a UNC path to a share, especially something with a good-sized directory structure, would all of a sudden have a ton of receive traffic continuously from the host server. Normally I would see 100-300k; as soon as you expand in the nav pane it would shoot up into the 20,000k plus range.

Ended up disabling the automatically expand to current folder option in Explorer and that traffic goes away.

http://www.sevenforums.com/tutorials/1014-navigation-pane-automatically-expand-current-folder.html

ATek
0

Beware that the Windows "Resource Monitor" computes an average I/O speed for the last 60 seconds for the 3 columns "Read (B/sec)", "Write (B/sec)" and "Total (B/sec)", which means that there is an inertia. This applies to all processes, including explorer.exe, or command-line processes. Even after the process has exited, it still appears in the "Resource Monitor", with a linearly decreasing I/O speed down to 0.

In contrast, Sysinternals Process Explorer columns called "I/O Delta Read bytes" and "I/O Delta Write Bytes" show the real instant values.

These observations were made on Windows 10 Pro 20H1.

metatechbe
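
The averaging effect described in the answer above, as an added PowerShell example that is not part of the original answer: it runs a per-second read series through a 60-second mean and prints it beside the instantaneous value, so the slow linear drop-off after the I/O has stopped is visible. The series is constructed, `Get-RollingView` is a hypothetical helper name, and the 60-second window is taken from the answer as an assumption about Resource Monitor.

```powershell
# Added example: instantaneous I/O rate versus a 60-second windowed average.
# Constructed series: 60 s of 30 MB/s reads, then 60 s of silence (bytes per second).
$burst   = 1..60 | ForEach-Object { 30MB }
$silence = 1..60 | ForEach-Object { 0 }
$samples = @($burst) + @($silence)

# Live input instead of the constructed series (English counter names assumed):
# $samples = (Get-Counter '\Process(System)\IO Read Bytes/sec' `
#     -SampleInterval 1 -MaxSamples 120).CounterSamples.CookedValue

function Get-RollingView {   # hypothetical helper name
    param(
        [double[]]$PerSecond,
        [int]$Window = 60    # window length reported in the answer
    )
    $queue = [System.Collections.Generic.Queue[double]]::new()
    $sum = 0.0
    for ($t = 0; $t -lt $PerSecond.Count; $t++) {
        # Add the newest sample and drop the one that fell out of the window.
        $queue.Enqueue($PerSecond[$t])
        $sum += $PerSecond[$t]
        if ($queue.Count -gt $Window) { $sum -= $queue.Dequeue() }
        [pscustomobject]@{
            Second      = $t + 1
            InstantMBps = [math]::Round($PerSecond[$t] / 1MB, 1)
            AvgMBps     = [math]::Round($sum / $Window / 1MB, 1)
        }
    }
}

# Print every 10th second: the instantaneous column is 0 from second 61 on,
# while the averaged column needs the full window to drain.
Get-RollingView $samples |
    Where-Object { $_.Second % 10 -eq 0 } |
    Format-Table -AutoSize
```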
0

I had a similar issue, however in my case it appears that somehow Offline Files was enabled. I'm going to be investigating things on the server side (e.g. I thought it was disabled globally via Group Policy and on the shares.....) but I had two Windows 7 machines at a remote office merrily trying to sync several hundred GB over a VPN connection.

(Edit before posting: Offline files were not properly disabled on the shares, possibly following a server migration.)

fencepost