Help2Go.com

What is accessing my hard drive when I'm not using my PC?

by Oscar Sodani
December 10, 2005

You're at your PC, reading a web page, and for some reason your hard drive light suddenly starts flashing like crazy. Or perhaps you aren't using your computer at all - but yet you still hear the click-click-click of the hard disk doing something. What is it causing it? Is it a virus?

99% of the time, so called "disk thrashing" is perfectly harmless. In this article, we'll explain what is probably accessing your hard drive, and how you can know for sure.


Likely causes of disk thrashing

The most likely culprits are anti-virus software, anti-spyware software, instant messenger programs (IM), and Microsoft's own indexing service.

Some IM software, such as Trillian or AOL Instant Messenger, may write system events to a cache file. A system event may be that someone on your buddy list is logging on or logging off. Your IM program takes note of this, and may write that to a file, or even play a sound.

If you have anti-virus or anti-spyware software installed, they are probably set to auto-protect (and they should be set that way). That means that they are constantly monitoring your system to make sure that there is no virus or spyware activity. Especially if another program is making a small change (like if the IM program is writing to the cache file), the anti-virus and anti-spyware programs will suddenly "wake-up" to check to make sure that the disk activity isn't the result of a virus.

Other programs that monitor your disk for changes are indexing utilities, like "Google Desktop" and Windows XP's indexing service. Whenever something is written to your hard drive, these programs also make note of the change so that your searches (whether through Google Desktop or through the Search function in Windows) are always up to date.

So, in essence, a small event (like someone on your buddy list logging off) may cause 4 or 5 other programs to also access the hard disk!

One easy fix is to disable the Windows XP indexing service. Your searches (when you click on Start, then Search) make take longer as a result.
To turn it off, click the Start button and choose Run...
In the pop-up box, type in services.msc
In the Services window, find the Indexing Service and double-click on it to see its Properties.
Change the Startup type to Manual. Click the Stop button to stop the service from currently running, then hit OK and close the Services window.

Find out what is accessing your hard disk

If you want to find out specifically which programs are accessing your drive, SysInternals makes a great free utility called Filemon - download it here.

There's no need to install Filemon - just unzip the files and double-click the filemon.exe program to run it. You should see a window that looks like this:

Each disk access is a different line on the screen, and it will automatically update as new accesses take place. On my screen, you can see that a process called "Rtvscan.exe" accessed my disk - that process is Norton Antivirus. Next, the Trillian instant messenger program accesses my disk, followed immediately by Google Desktop.

This program makes it very easy to see what processes are accessing your hard drive, and what folders the processes are looking at. If you don't know what a particular process is, the quickest way to find out is simply to enter the process name in Google. For instance, if I Google "rtvscan.exe", it will show me loads of web pages about Symantec's Norton Anti-Virus.

If you don't know what a particular process is, ask us in the Computer Help forum and we'll be glad to find out. If you're convinced that spyware or a virus has taken over your PC, then please read our guide on getting rid of spyware and viruses.