How to use procmon to monitor I/O

  1. Grab procmon.exe from http://live.sysinternals.com/procmon.exe
  2. Start procmon without capturing events:
    1. procmon /noconnect
  3. Set up the correct procmon environment:
    1. Filter->Filter
      1. Reset filter
      2. Operation is “WriteFile”, then Include
      3. … any other filters such as Path begins with “c:” then include
    2. Enable Filter->Drop filtered events
    3. Enable File->Backing Files and choose a filename for the backing file
    4. Start capturing events (File->Capture Events)
    5. Wait for some period of time
    6. You can view the latest capture results by:
      1. Going into “Tools->File Summary”
      2. Sort by “Write Bytes”
      3. Checking the top file paths
      4. “Tools->Process Activity Summary” can be used in the same way to find the processes that have generated the most I/O
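
Added example (not part of the original page): a PowerShell script that runs the capture above unattended and reproduces the “Write Bytes” ranking of File Summary and Process Activity Summary from a CSV export. It assumes procmon.exe in C:\Tools, a filter saved via File->Export Configuration as C:\Tools\writefile.pmc, and a log directory C:\ProcmonLogs (all constructed paths).

```powershell
# Added example, not the original page's procedure. Constructed paths below.
$Procmon = 'C:\Tools\procmon.exe'
$Config  = 'C:\Tools\writefile.pmc'    # saved filter: Operation is WriteFile, Drop filtered events
$LogDir  = 'C:\ProcmonLogs'
$Backing = Join-Path $LogDir 'io-capture.pml'
$Csv     = Join-Path $LogDir 'io-capture.csv'
$Minutes = 20                          # capture window; the page's run lasted 20 hours

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Start capturing straight into a backing file, headless, with the saved filter loaded.
Start-Process -FilePath $Procmon -ArgumentList @(
    '/AcceptEula', '/Quiet', '/Minimized',
    '/LoadConfig', "`"$Config`"",
    '/BackingFile', "`"$Backing`""
)
Start-Sleep -Seconds ($Minutes * 60)

# Stop the running instance (flushes the .pml), then export the log to CSV.
Start-Process -FilePath $Procmon -ArgumentList '/Terminate' -Wait
Start-Process -FilePath $Procmon -ArgumentList @(
    '/OpenLog', "`"$Backing`"", '/SaveAs', "`"$Csv`""
) -Wait

# Each WriteFile row's Detail column reads like "Offset: 0, Length: 4,096, ...";
# pull the Length out and sum it per path and per process, as the GUI summaries do.
$events = foreach ($r in (Import-Csv $Csv | Where-Object { $_.Operation -eq 'WriteFile' })) {
    if ($r.Detail -match 'Length:\s*([\d,]+)') {
        [pscustomobject]@{
            Process = $r.'Process Name'
            Path    = $r.Path
            Bytes   = [int64]($Matches[1] -replace ',', '')
        }
    }
}
$totalBytes = ($events | Measure-Object Bytes -Sum).Sum
$seconds    = $Minutes * 60
'Total written: {0:N0} bytes, {1:N2} MB/s over {2} s' -f $totalBytes, ($totalBytes / 1MB / $seconds), $seconds

foreach ($key in 'Path', 'Process') {
    "`nTop 10 by $key (write bytes):"
    $events | Group-Object $key | ForEach-Object {
        [pscustomobject]@{ $key = $_.Name; WriteBytes = ($_.Group | Measure-Object Bytes -Sum).Sum }
    } | Sort-Object WriteBytes -Descending | Select-Object -First 10 | Format-Table -AutoSize
}
```

Because the exported CSV only contains the events that survived the filter, the totals match what File Summary shows for the same capture; for a multi-hour run set `$Minutes` accordingly and expect the .pml to grow with the write volume.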

Example output and analysis

  • This log was captured over 20 hours on a problem client whose incremental sizes were around 7GB each day.
  • A total of 534GB of data was written over the time period (this includes files that were created, updated and deleted, so it does not correlate directly with the backup's changed size)
  • This equates to an average of 7.5MB per second being written to the disk over this period.
  • The biggest culprits are Windows Search, Outlook writing a large amount of data to its archive.pst, and the anti-virus software generating a significant number of temp files