Monitoring processes that are accessing my hard disk using Windows built-in tools

  • Question

  • Hi all,

I want to monitor which processes are accessing my D drive and record it. Because it will run on enterprise datacenter servers, there is no way to install Process Monitor.

In Resource Monitor\Disk\Disk Activity, I can find out what process is accessing what file, but I cannot collect it fully and long-term from there automatically.

    In Performance Monitor, I cannot find any options that can record the same thing like Resource Monitor\Disk\Disk Activity!

Is there any built-in tool or way that I can record the processes accessing my hard disk from system start-up to a specific time?

    Thanks in advance for your help.

    Thursday, April 11, 2019 7:56 AM

Answers

  • If you're on Windows server 2016 or above, you may use wpr:

    wpr -start diskio

    <repro>

wpr -stop C:\trace\disk.etl

    and then use WPA to analyze the trace.

    Also you may use logman:

    logman create trace "disktrace" -ow -o c:\trace\disktrace.etl -p "Microsoft-Windows-Kernel-Disk" 0xffffffffffffffff 0xff -nb 16 16 -bs 1024 -mode Circular -f bincirc -max 2048 -ets

    logman update trace "disktrace" -p "Microsoft-Windows-Kernel-File" 0xffffffffffffffff 0xff -ets

    <repro>

    logman stop "disktrace" -ets

    but it'll be tricky to analyze it.

    • Marked as answer by Caesium51817 Tuesday, April 16, 2019 3:42 AM
    Monday, April 15, 2019 8:45 AM
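The logman procedure above, wrapped into a script as an added example that is not part of the original thread or of Microsoft's documentation. It uses the same two providers and circular-buffer settings as the answer, so the trace stays within the -max size on a long run, and adds a report step that reads the finished .etl with Get-WinEvent and keeps only file-access events on one drive letter. Assumptions not stated in the thread: the session name and C:\trace path are placeholders; Microsoft-Windows-Kernel-File writes paths in NT device form (\Device\HarddiskVolumeN\...), so the drive letter is resolved with QueryDosDevice; the file name is located by value among the event properties rather than by a fixed index. Run from an elevated prompt.

```powershell
# Added example, not code from the thread. Placeholders: session name, .etl path.
param(
    [string]$SessionName = 'disktrace',               # placeholder session name
    [string]$EtlPath     = 'C:\trace\disktrace.etl',  # placeholder output path
    [string]$DriveLetter = 'D:',
    [ValidateSet('Start','Stop','Report')][string]$Action = 'Report'
)

function Start-DiskTrace {
    # Same providers and settings as the answer above. -mode Circular with -max 2048
    # caps the file at 2048 MB: oldest events are overwritten, the system drive cannot fill up.
    logman create trace $SessionName -ow -o $EtlPath -p 'Microsoft-Windows-Kernel-Disk' 0xffffffffffffffff 0xff `
        -nb 16 16 -bs 1024 -mode Circular -f bincirc -max 2048 -ets | Out-Null
    logman update trace $SessionName -p 'Microsoft-Windows-Kernel-File' 0xffffffffffffffff 0xff -ets | Out-Null
}

function Stop-DiskTrace {
    logman stop $SessionName -ets | Out-Null
}

function Get-NtDevicePath([string]$Letter) {
    # Maps 'D:' to the \Device\HarddiskVolumeN form used inside the trace (assumption: that is
    # the form Kernel-File records; verify on one event before trusting the filter).
    if (-not ('Win32.Native' -as [type])) {
        Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDeviceW(string lpDeviceName, System.Text.StringBuilder lpTargetPath, uint ucchMax);
'@
    }
    $sb = New-Object System.Text.StringBuilder 1024
    if ([Win32.Native]::QueryDosDeviceW($Letter, $sb, 1024) -eq 0) {
        throw "QueryDosDevice failed for $Letter"
    }
    return $sb.ToString()
}

function Get-DriveAccessReport {
    $prefix = Get-NtDevicePath $DriveLetter
    # -Oldest is mandatory when reading an .etl file. Only the Kernel-File events carry a path;
    # Kernel-Disk events describe I/O at the volume level and are skipped here.
    Get-WinEvent -Path $EtlPath -Oldest |
        Where-Object { $_.ProviderName -eq 'Microsoft-Windows-Kernel-File' } |
        ForEach-Object {
            $ev = $_
            # The file-name property index differs per event id, so find it by value.
            $name = $ev.Properties | ForEach-Object { $_.Value } |
                Where-Object { $_ -is [string] -and $_.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase) } |
                Select-Object -First 1
            if ($name) {
                [pscustomobject]@{
                    Time      = $ev.TimeCreated
                    ProcessId = $ev.ProcessId     # PID from the ETW header
                    EventId   = $ev.Id
                    Path      = $DriveLetter + $name.Substring($prefix.Length)
                }
            }
        }
}

switch ($Action) {
    'Start'  { Start-DiskTrace }
    'Stop'   { Stop-DiskTrace }
    'Report' {
        # Count accesses per (process, path) and export beside the .etl for retention.
        Get-DriveAccessReport |
            Group-Object ProcessId, Path |
            Select-Object @{n='ProcessId'; e={ $_.Group[0].ProcessId }},
                          @{n='Path';      e={ $_.Group[0].Path }},
                          @{n='Count';     e={ $_.Count }} |
            Sort-Object Count -Descending |
            Export-Csv -NoTypeInformation -Path ($EtlPath -replace '\.etl$', '.csv')
    }
}
```

Usage: `.\disktrace.ps1 -Action Start`, wait for the period of interest, `.\disktrace.ps1 -Action Stop`, then `.\disktrace.ps1 -Action Report -DriveLetter D:`. The report carries process IDs only, because file events do not include the image name; a process that has already exited cannot be resolved afterwards, so for a long run also add the Microsoft-Windows-Kernel-Process provider with a further `logman update trace ... -p "Microsoft-Windows-Kernel-Process" ... -ets` and join on PID and start time. Filtering by drive here is done after the fact; the trace itself still records every volume.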

All replies

• But I want to monitor disk IO on servers for a long time, maybe half a month, but I found that the output of wpr is too large: I ran wpr -start diskio for 10 minutes, and the result is ~100MB.

    There are 2 problems I want to solve:

1. I found the result contains even System Activity and Memory when I open the result with WPA, but I only want the disk results; how can I omit the other recordings?
    2. Is there any way I can reduce the file size?
    3. I only want to monitor the processes accessing the D drive (data drive), can I only record the diskIO for D drive?


    • Edited by Caesium51817 Thursday, April 18, 2019 6:06 AM fix error.
    Thursday, April 18, 2019 5:41 AM