When Windows is sitting idle and you think it’s doing nothing, it is often reading from or writing to your hard drive, even if it’s only a few bytes here and there. Sometimes there may be constant drive activity when you think there really should be very little, or none at all. This could be due to a number of factors such as security software updating or running background scans, scheduled defrags, Windows updates being installed, web browsers or download managers, the list goes on.
Checking what processes are constantly and actively accessing your hard drive is important to detect suspicious or unnecessary activity. Solid State Drives (SSDs) only have a limited number of writes so it is especially important that those devices don’t have programs constantly writing to them when they don’t have to. Also if you’re using a laptop, a constantly working hard drive will help shorten the battery life.
One of the improvements in Windows 8 was the updated built in Task Manager that includes a column for each process’s disk usage. This is something not included with the Windows XP, Vista or 7 Task Manager. While it’s not particularly advanced, the Windows 8 and 10 Task Manager disk usage column does at least give you a good idea if something is using the hard disk more than it should.
If your version of Task Manager doesn’t have disk usage activity monitoring or you want to separate reads and writes, which the Windows 8 and 10 version cannot do, here are 5 alternative ways to find out what programs are accessing your hard disk drive.1. What’s My Computer Doing?
If you want a simple interface that shows what is currently accessing your hard disks with nothing at all to configure, then What’s my computer doing? will probably be the tool for you. Besides hard disk access, the program will also show what is using up CPU cycles, give information about the process itself and even offers the option of sending the file to VirusTotal or running a scan with Kaspersky Security Scan.
The program’s interface is very easy to understand. After installation (or extract the executable with 7-Zip to get a portable version), run the program and it will automatically start monitoring your system and display the processes that currently have hard disk or CPU activity. Use the Freeze tick box to pause the list if the window is updating too quickly for you.
Clicking on the process in the list will pull information about the process from the internet such as details, security, known problems, external links and etc. If you don’t allow the program to access the internet or have no internet on the computer, none of the details at all will be shown.
2. Real-time System Monitoring
System monitoring will give you information about disk usage and file system activity in addition to many other things, and probably the number one tool for this job is Process Monitor by Microsoft owned Sysinternals. For such an advanced tool Process Monitor is reasonably easy to use and it starts monitoring the system as soon as you start the program. The filtering system is probably one of the most important areas to get to know otherwise you will always be overloaded with information.
One issue is the window that displays the disk activity isn’t in real time and shows what has been happening right up until you open the File Summary window. To open the window, launch Process Monitor and let it monitor the system, preferably when you get unknown or abnormal disk access, then go to the Tools menu > File Summary. This window will show information about reads, writes, events, file access times and the path to the files causing the activity.
The By Folder tab is useful for tracing if file reads or writes are coming from non standard locations such as the Temp or Users folders or even other drives. The Extension tab can sort everything by the file that has accessed the drive’s extension, useful for checking unrecognized files with extensions like VBS, BAT, COM or EXE.
A similar tool by SysInternals called DiskMon is also available although it dates back to 2006. It can log and display all hard disk activity on a Windows system but only tells you which sector is being read or written and not the process that is causing the activity. This makes it difficult to tell which file or program is accessing your hard drive using DiskMon by itself.
3. Using a Task Management Tool
As you might expect, a good task manager is able to display which open process is accessing the hard drive and by how much in addition to CPU and memory usage etc. There are many such tools around that can do this, including Process Explorer, Process Hacker, System Explorer, and others. The tool we’ll look at here is Anvir Task Manager Free simply because it has a real time Disk Load column displayed by default.
While installing Anvir free be careful to avoid the adware during install, or preferably use the portable version. Run the Anvir.exe and once started select the Processes tab. The read and write load on the disk in Kilobytes per second is already shown in its own column and displayed with a yellow background which becomes brighter the higher the activity. Click on the column header to sort by the most or least active. Obviously being a task manager you have the options to manipulate and get more information on the running processes causing high disk usage.
If you want extra detail like separate reads and writes from something like Process Explorer, you need to manually add the columns to the display. Right click on the column titles > Select Columns, from the Process I/O or Process Disk tabs select “Delta Read Bytes” and “Delta Write Bytes”.
4. Windows Resource Monitor
Something many users tend to overlook is Windows often has what you need right there built into the operating system, sadly most of the tools are hidden away or are not well documented and therefore remain relatively unknown. Thankfully Resource Monitor is easy to get to, simply open Windows Task Manager, click the Performance tab and then the Resource Monitor button at the bottom. Alternatively type Resmon into Start or the Run box.
Windows Resource Monitor is actually quite comprehensive and besides displaying disk activity, it also shows information for CPU, network and system memory activity, all of which can be shown at the same time or separately for more detail. To concentrate on the activity of the system drives only, select the Disk tab. This will give you a display with “Processes with disk activity”, “Disk Activity” and “Storage” sections, each of which can be opened or closed by clicking on its header.
You can easily sort the lists by the amount of disk activity by clicking the column title such as (Total B/sec) which will show in real time which system processes are using the disk drive the most in bytes per second. Ticking one of the boxes next to a process at the top will populate the Disk Activity area with just the activity for that process, multiples can be ticked if you wish. Graphs on the right will show how much your drives are being used in real time.
5. View Process Disk Activity From the System Tray
A less intrusive way to keep an eye on programs accessing your drives while not having opened windows obscuring your desktop, is to show the activity from the system tray. This way you can hover over the tray icon only when required to see what’s going on. The good news is some process managers like Process Hacker, Anvir Free and Process Explorer can show this activity in the tray, but we’ll look at Process Hacker because its display is superior to the others.
Install Process Hacker or run the portable version and launch the program. Go to the View menu making sure the Refresh Automatically option is ticked and then select Disk History, I/O History or both from the Tray Icons sub menu in View. If you select just one option it can be switched between different histories from the tray, more than one selection here will open more than one tray icon at once. Minimize the Process Hacker window and then hover over its tray icon to see the process disk activity list popup.
If you wish to keep the window open while doing other things, click the pin button. switching between I/O and Disk or any other history is done by clicking the stats bar across the bottom. The list auto updates every second by default (it can be changed from 0.5s to 10s) with the most disk intensive processes listed from the top down.