Re: "High Disk Write Usage by: Host Process for Windows Services"

Calls · ‎10-07-2009

actually the amount of data indicated is 715mb. I put the incorrect amount in one of my posts.
what is most concerning to is that I cannot find out what service wrote that amount.
That is what scares me. Event log of windows shows nothing around the same time as the Norton log entery

SendOfJive · ‎02-07-2009

Hi Calls,

Please realize that Performance Monitoring is designed as an aid to help users understand which current system activity might be contributing to a given system behavior. For example you might get a high CPU usage alert for Flash Player or your browser when a sudden slowdown occurs while watching a video. Perfomance Monitoring is not a malware detection component like Auto-Protect, even though it might spot some system issues secondary to a malware infection (and those would be major anomalies, not a single write to disk). Given that there seem to be no indications of malware on your system coming from any of the protection components of NIS, it seems unlikely that the Svchost process in this case is a malicious imposter. It was almost certainly a legitimate process that happened to be active enough to be noticed by Performance Monitoring. Svchost is a Windows process that runs in the background - you are unlikely to know about most of the things it is doing or, actually, they are doing, since there are several of them.

Calls · ‎10-07-2009

Thanks all

As I say the only thing that is really stumping me is that there was not any recorded event in the Windows event log. I know that was some advice given to check that log. But as I say nothing noted around that same time.

Not sure if this makes any difference, but Looking through my NORTON history log, I see similar entries of

High Disk Write Usage by Host Process for Windows Services

October 1 2011 Saturday for 169MB

December 6 Tuesday for 188mb

Feburary 14 Tuesday for 2MB

March 14 Wednesday for 63 MB

and then April 10 Tuesday for 715mb

so not a real clear pattern, thought it might be windows update Tuesday but not

so again kinda stumped : (

Not a rootkit right?

Bombastus · ‎11-16-2009

No, it just needed to do something, but it was certainly something legitimate. Forget this thing; you are making an issue out of a non-issue. Turn the Norton performance monitoring off if needed; at the moment, it's the Norton performance monitoring that is causing you issues, not the disk writes svchost.exe did that day.

Besides, there doesn't have to be any entries in the event viewer, if it's a service that is constantly running that is causing the disk writes. Only starts and stops are logged there, but if it's an automatic service that is on 24/7 that increases its activity, it won't be logged. Could be Superfetch maybe.

Calls · ‎10-07-2009

Thanks, so superfetch would write that large amount to the disk?
I think when I check with services were assocaited with that particular?svchost.exe, ther was something about superfetch

Bombastus · ‎11-16-2009

Yeah, Superfetch runs under a svchost.exe, and it has been known to do a lot of disk trashing. On Vista especially. It has been much improved on Windows 7, but if you Google vista superfetch disk thrashing you get something like 50000 results

It also runs constantly by default - it's set to Automatic, so you won't see start- and stop messages about it in the event viewer.

Calls · ‎10-07-2009

so I think thats soubds like the source, eh?
I think its the service in Vista that shows as sysmain

Bombastus · ‎11-16-2009

Calls wrote:
so I think thats soubds like the source, eh?

Quite possible. In any case, there is no indication of malicious activity from that Norton high disk activity report. Chances are overwhelming that it is a Vista issue - or even more likely, no issue at all, just Windows processes doing their job.