NT Kernel & System reading disk constantly

Discussion in 'Software' started by rodrigo_braz, Jan 15, 2014.

Thread Status:
Not open for further replies.
  1. rodrigo_braz (Private E-2)

    Hello,

    I'm running Windows 7 Enterprise, SP 1 on a Thinkpad W510.

    Sometimes the disk is being accessed constantly and the computer is sluggish, to the point that even the mouse pointer freezes now and then.

    I check Task Manager and it says the System Idle Process is taking upwards of 95% of CPU usage. I open the Resource Monitor and see on the disk activity tab that the disk is indeed being accessed all the time by process #4, NT Kernel & System, which nevertheless only seems to take 2 or 3% of CPU time.

    The disk accesses, according to Resource Monitor, are read accesses, not writes.

    It does tend to stop after an hour or so if I leave it alone.

    Hard to believe this is normal behavior, but I don't know how to diagnose it. I have Symantec Endpoint Protection (SEP) and wonder if this is it scanning files (this seems to happen when I get back to the computer after leaving it idle for a while, so perhaps the antivirus kicks in), but it seems odd that the NT Kernel & System process would be doing the disk accesses for it. Also, when I open SEP's panel it does not indicate a current scan.

    So the question is: how can I diagnose this? I installed Process Explorer but I don't see how it would help me. Whatever program is doing this, is doing it through the NT Kernel & System process, and it doesn't look like the latter will tell me which program is requesting all these reads.

    Any help much appreciated.
     
  2. AtlBo (Major Geek Extraordinaire)

    rodrigo_braz...

    System Idle Process is equal to 100% - the % of processor being used by running processes. This means it should be high. It's normal for it to be 95-100% at idle.

    Need to look in another direction for your PC's sluggishness.

    Take a look here and report back anything you find. In particular focus on anything related to your security programs (Symantec and/or any others on the PC):

    You are likely onto something with the scans as they are probably running after the computer reaches idle. That shouldn't freeze your mouse, however.

    Might get more in detail later, but could you reply with your processor and how much RAM you have? Also, how large your main OS hard drive is and how much free space there is on the drive would be helpful...
     
  3. rodrigo_braz (Private E-2)

    Thanks for replying!

    Sure, I just said that to point out that the problem is not due to CPU usage, which is basically unused.

    I did take a look at Event Viewer (great tool, I didn't know about it, thanks), but didn't find anything that seemed relevant. SEP did run a scan not long before I noticed the problem, but the log says it only lasted 4 minutes, and the problem with the disk lasted well beyond half an hour, maybe one hour.

    I can't think of any other applications I could check. I do use CrashPlan which is a background backup application, but it runs all the time and does not seem to cause problems. For example, it tells me it is running a backup as I type this and the computer is super smooth. Also, when the disk was going crazy I did check CrashPlan and it was inactive. Besides, at other episodes in the past I did put the CrashPlan service to sleep and the problem continued anyway.

    Answering your other questions:

    Processor: Intel Core i7 Q.820 1.73 GHz (per Control Panel->System)
    RAM: 4GB
    Main hard drive: 500GB, 173GB free

    Anything else we could check?

    Thanks!
     
  4. AtlBo (Major Geek Extraordinaire)

    rodrigo_braz...

    Thanks for the info. Maybe we can get this resolved.

    Notice you are keeping quite a bit of data onboard your PC...over 300 GB. People sometimes think I am crazy, but I like to keep my main drives at below 40% full. For you with a 500 GB drive that would be 200 GB. Not that I am saying do this. It's a laptop, and I am sure everything on the PC is something you want there when you are out and doing what you do. However, I believe long term it makes sense to keep an eye on your main drive's health and be ready to quickly replace a drive if one breaks, especially when there is a lot of data on the drive. Fuller drives have to work a little harder to get info (just a fraction really but a little harder). Anyway, you have a nice speedy PC, so keeping a spare drive around isn't wasteful as you should be able to sell it with the PC if you decide to sell or keep it for another PC, and you won't be stuck with something you can't use.

    Ok, I guess we can start with some of the basics. Just in case you don't know, it's a good idea to run something to remove your temporary internet files (cleaner) every day (or every day you use the PC). Only takes a few minutes, but it helps a lot, and you can run it on boot with many of the good cleaner programs. I use CCleaner, but I only remove Temporary Internet files and Internet cache files from the browsers. This means I do not use the registry cleaner. I recommend deactivating the registry cleaning option in whatever cleaner you choose to use. Windows cares for the registry, even if it does so at a snail's pace. On another note, I recommend daily defragging, but there is some debate on the subject. Some say defragging wears out hard drives. However, daily defrags are short, which I like and which I think works best for my usage. Also, the shorter defrags seem to wear on my computers less than a once a week or month methodology for defragging, and I notice the PC running better. I would say at the bare minimum once a week or on the outside a month if you aren't using the PC very much.

    You seem to be suspecting troubled system processes as the problem you are having. This leads me to think that it would be a good idea to run a Malwarebytes scan. If you don't have MBAM, you can download it here:

    http://www.majorgeeks.com/files/details/malwarebytes_anti_malware.html

    Run the quick scan once and then save a log and attach it in your next post. Once you have saved the log to the desktop, click "Remove Selected" to remove any items in the list.

    I would also recommend you run AdwCleaner. This is just to get a look at the log, so don't actually remove anything...unless a PC is fairly choked with adware, I leave it, but it's a good gauge as to what's on a PC at the least. Here is the download link:

    http://www.majorgeeks.com/files/details/adwcleaner.html

    Click "Report" and save this log to the desktop and zip it up with the MBAM log. No need to run the "Clean" option yet. Once you have the files zipped, attach the zip folder to your next post.

    If you find a lot of extraneous files and so on the PC with these scans, maybe it would be a good idea to go through the malware removal preparation list of programs to run here at MG. For now, though, I think the above should help to get a look at what might be slowing down your PC...
     
  5. rodrigo_braz (Private E-2)

    Hi again,

    Thanks for the info. I did everything you asked, excluding the removal of files and defragging. I ran the anti-malware and anti-adware software (no problems there) and installed CCleaner. I selected several types of things in CCleaner to clean, and rebooted the computer. However, the problem did not go away.

    In fact, it is happening right now and the computer is sluggish. I checked and a Symantec Endpoint Protection scan happened not long ago, but it's been over for 20 minutes now and the hard drive is still being continually read by the NT Kernel & System process. The other day a SEP scan had also run shortly before the problem, but had also been over before the disk problem was still raging. It almost makes me believe the SEP somehow triggers some task within the system that takes longer than the scan itself.

    Perhaps I should uninstall SEP for a few days and see what happens. The burning question right now is:

    - if SEP is doing this, how come it happens through the "NT Kernel & System" process? One would think it would appear as some SEP process...

    Thanks again.

    Rodrigo
     
  6. AtlBo (Major Geek Extraordinaire)

    NT Kernel & System is the core of Windows processes associated with multi-task optimization. In short it's the engine under the hood. I'm not exactly sure what you mean by it's reading the hard drive, because that doesn't seem to me unusual that it would do so.

    The first thing I would do is look at the list of running processes. Open Task Manager and sort the processes by CPU usage with the processes using the most of the PC at the top. If there are any runaway processes, this would be the place to begin (post if there is anything running at 20% or greater at idle (other than System Idle Process which should be nearly 100% at idle)). If not, you are likely in a situation where an installed program is using too many resources at the core level. Sometimes this won't show up in that Task Manager in the list of running processes as CPU usage (it isn't a large amount per se), but basic Windows functionality can be limited or blocked if a program is clogging the core bandwidth (amount of the processor devoted to kernel processing)...

    You have mentioned SEP scans as a possible source for the problem with sluggishness, but that shouldn't cause mouse freezes or any other freezes. However, depending on the specs of the PC, you can see more of a draw on PC reserves when scans are run. This can affect how fast programs open, but there shouldn't be any freezes. This is especially true with a fairly modern PC like you have.

    I think you have amongst your startup programs possibly one that is causing your problem. It could be SEP, although hopefully not. Anyway, if you still have CCleaner, open it to the startups tab in Tools. Make a list of the processes that are set to run on boot and post it in your next post. In the meantime, try to boot into safe mode and see if the PC runs better. Your startup programs won't be running in safe mode, so this could help identify whether one of them is the problem...
     
    Last edited: Jan 22, 2014
  7. rodrigo_braz (Private E-2)

    What I mean is that the lots of disk readings that are making the computer very slow and even freezing the mouse are coming from the "NT Kernel & System" process. I don't think that's part of its normal operation. I assume some process is making lots of requests to the kernel that require it to make all these reads. What I am trying to do here is to identify what other process that may be.

    I know that the kernel is doing all the reads from the Resource Monitor accessible from the Task Manager.

    One of the suspects is SEP, but it seems like if it were really SEP, then the resource monitor would indicate the reads as coming from a SEP process, not the kernel.

    That is the first thing I did. I described that in my original post.

    I forgot to mention that in my previous post, but I had done that already.

    The main question is: how come the kernel is reading the disk so intensely, and how can I find out what is causing that? Task manager and Resource monitor don't provide that information...

    Thanks again.

    Rodrigo
     
  8. Earthling (Interplanetary Geek)

    I'm wondering if your disk is OK. I've been having a look at PID 4 on two systems here and in both cases they are writing to disk continually, about 4-7000B/sec, but reads are only intermittent and of a much lower order, < 1000 B/sec when active. Might be worth running chkdsk /r if you haven't already done so.
     
  9. AtlBo (Major Geek Extraordinaire)

    rodrigo_braz...

    Apologies...it was a while since your original post. I just rescanned the thread to see where you are and didn't notice you have looked over your running processes. So you have no runaway processes (over 20%). That's good...

    Have you tried booting into safe mode with networking? While in safe mode double check that the scanner is off or disable the program. This will of course mean that it won't be a good idea to use the internet. However, it's the only way you can find out if SEP is the source of the processor usage and freezes. Looking more like it's associated with the SEP scans to me. If the problem isn't there in safe mode with networking, chances are it's SEP or one of your startups, either that or malware.

    It would help if you could list your startups here.

    Some processes (especially system tray processes) run behind a system process when they run. That in mind, if this is not SEP, you really should check for malware. I would try a Malwarebytes scan first...

    rodrigo...meant to ask you. Did you check the various tabs of AdwCleaner after you ran the scan to see if there was adware on the PC? The first tab might be empty and it may appear that there is no adware, but there are several tabs. Also, if you find and remove adware (I usually only do this if there is more than 20 finds), it's a good idea to run AdwCleaner over and over until it doesn't turn up anything new.
     
  10. rodrigo_braz (Private E-2)

    Your suggestion made sense, since I had this same problem while using another hard drive, and it ended up failing. I thought these problems were due to the faulty disk and got this new one.

    However, I ran chkdsk today and it found zero problems with the disk (pasting below). It was still a good thing to check, thanks.

    Rodrigo

    Log Name: Application
    Source: Microsoft-Windows-Wininit
    Date: 1/28/2014 12:13:51 PM
    Event ID: 1001
    Task Category: None
    Level: Information
    Keywords: Classic
    User: N/A
    Computer: Dallas.aic.ai.sri.com
    Description:


    Checking file system on C:
    The type of the file system is NTFS.

    A disk check has been scheduled.
    Windows will now check the disk.

    CHKDSK is verifying files (stage 1 of 5)...
    396544 file records processed.

    File verification completed.
    683 large file records processed.

    0 bad file records processed.

    2 EA records processed.

    77 reparse records processed.

    CHKDSK is verifying indexes (stage 2 of 5)...
    498472 index entries processed.

    Index verification completed.
    0 unindexed files scanned.

    0 unindexed files recovered.

    CHKDSK is verifying security descriptors (stage 3 of 5)...
    396544 file SDs/SIDs processed.

    Cleaning up 112 unused index entries from index $SII of file 0x9.
    Cleaning up 112 unused index entries from index $SDH of file 0x9.
    Cleaning up 112 unused security descriptors.
    Security descriptor verification completed.
    50965 data files processed.

    CHKDSK is verifying Usn Journal...
    33590688 USN bytes processed.

    Usn Journal verification completed.
    CHKDSK is verifying file data (stage 4 of 5)...
    396528 files processed.

    File data verification completed.
    CHKDSK is verifying free space (stage 5 of 5)...
    43523908 free clusters processed.

    Free space verification is complete.
    Windows has checked the file system and found no problems.

    488282111 KB total disk space.
    313518380 KB in 318263 files.
    155916 KB in 50966 indexes.
    0 KB in bad sectors.
    512183 KB in use by the system.
    65536 KB occupied by the log file.
    174095632 KB available on disk.

    4096 bytes in each allocation unit.
    122070527 total allocation units on disk.
    43523908 allocation units available on disk.

    Internal Info:
    00 0d 06 00 58 a2 05 00 76 eb 09 00 00 00 00 00 ....X...v.......
    2c 03 00 00 4d 00 00 00 00 00 00 00 00 00 00 00 ,...M...........
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

    Windows has finished checking your disk.
    Please wait while your computer restarts.

     
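An added example, not part of the original posts: a Python sketch that reads the summary block of the chkdsk report posted above (the sample lines are copied from it) and checks the clean verdict, the bad-sector count, and whether the space accounting adds up. The function names `parse_chkdsk` and `assess` are illustrative.

```python
import re

# Summary lines copied from the chkdsk report in the post above (abridged).
REPORT = """\
Windows has checked the file system and found no problems.

488282111 KB total disk space.
313518380 KB in 318263 files.
155916 KB in 50966 indexes.
0 KB in bad sectors.
512183 KB in use by the system.
65536 KB occupied by the log file.
174095632 KB available on disk.

4096 bytes in each allocation unit.
122070527 total allocation units on disk.
43523908 allocation units available on disk.
"""

# One regex per summary field; the first group is the value we keep.
FIELDS = {
    "total_kb": r"(\d+) KB total disk space",
    "files_kb": r"(\d+) KB in \d+ files",
    "indexes_kb": r"(\d+) KB in \d+ indexes",
    "bad_kb": r"(\d+) KB in bad sectors",
    "system_kb": r"(\d+) KB in use by the system",
    "free_kb": r"(\d+) KB available on disk",
    "unit_bytes": r"(\d+) bytes in each allocation unit",
    "free_units": r"(\d+) allocation units available on disk",
}


def parse_chkdsk(text):
    """Extract the numeric summary fields and the clean/not-clean verdict."""
    result = {}
    for name, pattern in FIELDS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"missing field: {name}")
        result[name] = int(match.group(1))
    result["clean"] = "found no problems" in text
    return result


def assess(r):
    """Return a list of findings; an empty list means nothing to follow up."""
    findings = []
    if not r["clean"]:
        findings.append("chkdsk did not report a clean file system")
    if r["bad_kb"]:
        findings.append(f"{r['bad_kb']} KB in bad sectors")
    # The log file is counted inside "in use by the system", so it is not added.
    accounted = (r["files_kb"] + r["indexes_kb"] + r["bad_kb"]
                 + r["system_kb"] + r["free_kb"])
    if accounted != r["total_kb"]:
        findings.append(f"space accounting off by {r['total_kb'] - accounted} KB")
    if r["free_units"] * r["unit_bytes"] // 1024 != r["free_kb"]:
        findings.append("free allocation units do not match free KB")
    return findings


if __name__ == "__main__":
    print(assess(parse_chkdsk(REPORT)) or "no findings")
```

An empty findings list here only says the file system and sectors checked out; it does not identify which component is driving the reads attributed to PID 4.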
  11. rodrigo_braz (Private E-2)

    No apologies needed, thanks for your help and time!

    I will try that.

    Sure, please find below.

    Yes, I did run them when you first asked me. Nothing bad found, only some stray registry entries and cookies.

    Please find startup below as provided by CCleaner. Thanks again!

    Rodrigo

    No HKCU:Run Akamai NetSession Interface "C:\Users\braz\AppData\Local\Akamai\netsession_win.exe"
    Yes HKCU:Run CCleaner Piriform Ltd "C:\Program Files\CCleaner\CCleaner64.exe" /AUTO
    No HKCU:Run Google+ Auto Backup "C:\Users\braz\AppData\Local\Programs\Google\Google+ Auto Backup\Google+ Auto Backup.exe" /autostart
    Yes HKCU:Run Skype Skype Technologies S.A. "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
    No HKCU:Run SpybotSD TeaTimer Safer Networking Limited C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
    Yes HKLM:Run Adobe ARM Adobe Systems Incorporated "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    Yes HKLM:Run APSDaemon Apple Inc. "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    Yes HKLM:Run BCSSync Microsoft Corporation "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
    Yes HKLM:Run IAStorIcon Intel Corporation C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe "C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" 60
    Yes HKLM:Run IMSS Intel Corporation "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe"
    Yes HKLM:Run iTunesHelper Apple Inc. "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    Yes HKLM:Run NUSB3MON NEC Electronics Corporation "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
    Yes HKLM:Run PSQLLauncher Authentec Inc. "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup
    Yes HKLM:Run PWMTRV rundll32 "C:\Program Files (x86)\ThinkPad\Utilities\PWMTR64V.DLL",PwrMgrBkGndMonitor
    Yes HKLM:Run RotateImage Ricoh co.,Ltd. C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe
    Yes HKLM:Run SmartAudio Conexant Systems, Inc. C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t
    Yes Startup Common CrashPlan Tray.lnk Code 42 Software, Inc. C:\Program Files (x86)\CrashPlan\CrashPlanTray.exe
    Yes Startup Common ListProAlarms.lnk Ilium Software, Inc. C:\Program Files (x86)\Ilium Software\ListPro\ListProAlarms.exe
    Yes Startup Common ListProSync.lnk Ilium Software C:\Program Files (x86)\Ilium Software\ListPro\ListProSync.exe
    Yes Startup User ArsClip.lnk C:\ArsClip\ArsClip.exe
     