Why does WinXP keep accessing my HD?

Factual Questions
1

Every few seconds…kkkccsss…kkkccsss…kkksccss…XP keeps accessing my hard drive.

I’ve disabled the indexing service and turned off that ISPEC thing. I don’t think its a virus; I’ve run the GriSoft AV and the online Housecall AV. From monitoring the task manager it appears to be a combination of lsass.exe, csrss.exe and services.exe

I ran a hard drive monitor that logs all HD access:

52319 2:54:54 AM System:4 IRP_MJ_WRITE C:\Documents and Settings\Patrick
tuser.dat.LOG SUCCESS Offset: 21504 Length: 4096
52320 2:54:54 AM System:4 IRP_MJ_WRITE C:\Documents and Settings\Patrick
tuser.dat.LOG SUCCESS Offset: 25600 Length: 4096
52321 2:54:54 AM System:4 IRP_MJ_WRITE C:\Documents and Settings\Patrick
tuser.dat.LOG SUCCESS Offset: 29696 Length: 8192
52322 2:54:54 AM System:4 IRP_MJ_WRITE C:\Documents and Settings\Patrick
tuser.dat.LOG SUCCESS Offset: 37888 Length: 4096
52323 2:54:54 AM System:4 IRP_MJ_WRITE C:\Documents and Settings\Patrick
tuser.dat.LOG SUCCESS Offset: 41984 Length: 8192
52324 2:54:54 AM System:4 IRP_MJ_WRITE C:\Documents and Settings\Patrick
tuser.dat.LOG SUCCESS Offset: 50176 Length: 4096
52325 2:54:54 AM System:4 IRP_MJ_WRITE C:\Documents and Settings\Patrick
tuser.dat.LOG SUCCESS Offset: 54272 Length: 4096
52326 2:54:54 AM System:4 IRP_MJ_WRITE C:\Documents and Settings\Patrick
tuser.dat.LOG SUCCESS Offset: 58368 Length: 4096
53262 2:55:04 AM System:4 IRP_MJ_WRITE* C:$Directory SUCCESS Offset: 0 Length: 4096
53263 2:55:04 AM System:4 IRP_MJ_WRITE* C:$Mft SUCCESS Offset: 0 Length: 4096
53264 2:55:04 AM System:4 IRP_MJ_WRITE* C:$Directory SUCCESS Offset: 0 Length: 4096
53265 2:55:04 AM System:4 IRP_MJ_WRITE* C:$BitMap SUCCESS Offset: 28672 Length: 4096
53266 2:55:04 AM System:4 IRP_MJ_WRITE* C:$BitMap SUCCESS Offset: 20480 Length: 4096
53267 2:55:07 AM System:4 IRP_MJ_WRITE* C:$LogFile SUCCESS Offset: 48590848 Length: 16384
53268 2:55:07 AM System:4 IRP_MJ_WRITE* C:$LogFile SUCCESS Offset: 12288 Length: 4096

This keeps happening over and over (well, not these exact commands, but similar ones). what are these “#files”? None of them exist, nor does that ntuser.dat.log…I’ve got a bunch of those files in various directories.

Any idea what’s going on??

2

This is a symptom of the problem, not the problem. ntuser.dat is part of the Registry - the part that pertains to your user profile. ntuser.dat.log is a log of changes made so Windows can recover in case of disaster. Something is writing to your user profile like crazy. Adware? (www.lavasoftusa.com) Also try RegMon from www.sysinternals.com - it will show you what is writing to the Registry.

3

Darren is correct, but I have to add that the ntuser.dat file also keeps track of such mundane stuff as your desktop wallpaper, screensaver, password, desktop icons, blah, blah, blah.

Something is constantly modifying your user profile. Here are a couple WAGs:

  1. If this is happening mostly while you are on the Internet, it might be constantly writing cookies to your profile. Disable or minimize the space that the cookies can use by going to Tools -> Internet Options.

  2. Virus. Always a good scapegoat.

  3. If this is happening in an application such as Word or Excel, then it might be automatically saving the changes to the document that you are working on.

  4. XP has a service called System Restore. Start -> Programs -> Accessories -> System Tools -> System Restore. It makes periodic backups of your system information, so that your computer can be restored if there is a major problem. There you can set the time distances between each such backup. Maybe this time setting is extremely short, for some reason.

I would not recommend shutting down the services that you mentioned, especially IPSEC. These are integral to the stability and security of your system.

4

Oh yes, this is happening with System Restore turned off.

I’m always connected to the internet via wireless; however, this happens when I’m not explicitly using the net.

Any other suggestions for virus checking? As noted, I’ve run two different AV scans.

5

Check things out with AdAware and Spygot Search and Destroy to make sure you don’t have any usage checkers running. Do a good virus check (if you don’t have software installed, TrendMicro has a product called HouseCall that is free which does an online virus check). AFAIK nothing should be constantly writing to your Registry.

6

I’ve used HouseCall; it returned nothing.

I’ll install the AdAware software and see what it says - though I doubt that’ll be the source of my problem.

7

The problem is caused by OfficeXP’s “Indexing Service”
which tries to index your entire harddrive to make searching faster.
Open any Office XP application (Word, Excel, etc) then go to File>Search
This opens the search “pane” in the window. Below “Other Search Options” click on the link which says “Search Options…” (in blue, by default).
This opens the “Indexing Service Settings” dialogue box.
Click to bullet “No, do not enable Indexing Service.”

Then, bask in the silence of your hard disk drive NOT running all the time.

And send me $5 via PayPal.

~Wolfrick

8

Well, see, I’d send you the $5.00, except for the fact that I don’t have OfficeXP.

9

Office 2000? Same deal, I think.

10

Another vote for Adaware. Make sure you update it after you install it.

Do you have your computer set to check for windows updates? Got your virus scanner set to do the same?
Have GoBack installed?

Again… I’d suggest doing the scan for spyware.

11

Nope, no Office installed what-so-ever. Oh, its XP Home by the way.

I ran AdWare and it found a bunch of cookie-related issues. I quarantined them all.

It hasn’t made any difference. The logs are still the same:

Registry Monitor:

207 0.59459037 services.exe:628 EnumerateKey HKLM\System\CurrentControlSet\Control\DeviceClasses{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}##?#STORAGE#VOLUME#1&30A96598&0&SIGNATURE54B2F920OFFSET7E00LENGTH12B76A200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} SUCCESS Name: #
208 0.59461021 services.exe:628 OpenKey HKLM\System\CurrentControlSet\Control\DeviceClasses{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}##?#STORAGE#VOLUME#1&30A96598&0&SIGNATURE54B2F920OFFSET7E00LENGTH12B76A200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}# SUCCESS Key: 0xE235F458
209 0.59462446 services.exe:628 OpenKey HKLM\System\CurrentControlSet\Control\DeviceClasses{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}##?#STORAGE#VOLUME#1&30A96598&0&SIGNATURE54B2F920OFFSET7E00LENGTH12B76A200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}#\Control NOTFOUND
210 0.59463759 services.exe:628 CloseKey HKLM\System\CurrentControlSet\Control\DeviceClasses{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}##?#STORAGE#VOLUME#1&30A96598&0&SIGNATURE54B2F920OFFSET7E00LENGTH12B76A200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}# SUCCESS Key: 0xE235F458
211 0.59464848 services.exe:628 EnumerateKey HKLM\System\CurrentControlSet\Control\DeviceClasses{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}##?#STORAGE#VOLUME#1&30A96598&0&SIGNATURE54B2F920OFFSET7E00LENGTH12B76A200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} NOMORE
212 0.59466133 services.exe:628 CloseKey HKLM\System\CurrentControlSet\Control\DeviceClasses{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}##?#STORAGE#VOLUME#1&30A96598&0&SIGNATURE54B2F920OFFSET7E00LENGTH12B76A200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} SUCCESS Key: 0xE25348E8
213 0.59467502 services.exe:628 EnumerateKey HKLM\System\CurrentControlSet\Control\DeviceClasses{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} SUCCESS Name: ##?#STORAGE#Volume#1&30a96598&0&Signature95D695D6Offset1FD631C00Length3A9DFF400#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
214 0.59470240 services.exe:628 OpenKey HKLM\System\CurrentControlSet\Control\DeviceClasses{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}##?#STORAGE#Volume#1&30a96598&0&Signature95D695D6Offset1FD631C00Length3A9DFF400#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} SUCCESS Key: 0xE25348E8
215 0.59471693 services.exe:628 QueryValue HKLM\System\CurrentControlSet\Control\DeviceClasses{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}##?#STORAGE#Volume#1&30a96598&0&Signature95D695D6Offset1FD631C00Length3A9DFF400#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\DeviceInstance SUCCESS “STORAGE\Volume\1&30a96598&0&Signature95D695D6Offset1FD631C00Length3A9DFF400”
216 0.59472838 services.exe:628 EnumerateKey HKLM\System\CurrentControlSet\Control\DeviceClasses{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}##?#STORAGE#Volume#1&30a96598&0&Signature95D695D6Offset1FD631C00Length3A9DFF400#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} SUCCESS Name: #
217 0.59474766 services.exe:628 OpenKey HKLM\System\CurrentControlSet\Control\DeviceClasses{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}##?#STORAGE#Volume#1&30a96598&0&Signature95D695D6Offset1FD631C00Length3A9DFF400#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}# SUCCESS Key: 0xE235F458

File Monitor:

389 12:09:12 AM System:4 IRP_MJ_WRITE C:\WINDOWS\system32\config\system.LOG SUCCESS Offset: 1536 Length: 4096
390 12:09:12 AM System:4 IRP_MJ_WRITE C:\WINDOWS\system32\config\system.LOG SUCCESS Offset: 5632 Length: 4096
391 12:09:12 AM System:4 IRP_MJ_WRITE C:\WINDOWS\system32\config\system.LOG SUCCESS Offset: 9728 Length: 4096
392 12:09:12 AM System:4 IRP_MJ_WRITE C:\WINDOWS\system32\config\system.LOG SUCCESS Offset: 13824 Length: 4096
393 12:09:12 AM System:4 IRP_MJ_WRITE C:\WINDOWS\system32\config\system.LOG SUCCESS Offset: 17920 Length: 4096
394 12:09:12 AM System:4 IRP_MJ_WRITE C:\WINDOWS\system32\config\system.LOG SUCCESS Offset: 22016 Length: 4096
395 12:09:12 AM System:4 IRP_MJ_WRITE C:\WINDOWS\system32\config\system.LOG SUCCESS Offset: 26112 Length: 4096
396 12:09:12 AM System:4 IRP_MJ_WRITE C:\WINDOWS\system32\config\system.LOG SUCCESS Offset: 30208 Length: 4096
397 12:09:12 AM System:4 IRP_MJ_WRITE C:\WINDOWS\system32\config\system.LOG SUCCESS Offset: 34304 Length: 4096
398 12:09:12 AM System:4 IRP_MJ_WRITE C:\WINDOWS\system32\config\system.LOG SUCCESS Offset: 38400 Length: 4096
399 12:09:12 AM System:4 IRP_MJ_WRITE C:\WINDOWS\system32\config\system.LOG SUCCESS Offset: 42496 Length: 4096
400 12:09:12 AM System:4 IRP_MJ_WRITE C:\WINDOWS\system32\config\system.LOG SUCCESS Offset: 46592 Length: 4096
401 12:09:12 AM System:4 IRP_MJ_WRITE C:\WINDOWS\system32\config\system.LOG SUCCESS Offset: 50688 Length: 4096
402 12:09:12 AM System:4 IRP_MJ_WRITE C:\WINDOWS\system32\config\system.LOG SUCCESS Offset: 54784 Length: 4096
403 12:09:12 AM System:4 IRP_MJ_FLUSH_BUFFERS C:\WINDOWS\system32\config\system.LOG SUCCESS
404 12:09:12 AM System:4 IRP_MJ_WRITE* C:$LogFile SUCCESS Offset: 9449472 Length: 4096
405 12:09:12 AM System:4 IRP_MJ_WRITE* C:$LogFile SUCCESS Offset: 8192 Length: 4096
406 12:09:12 AM System:4 IRP_MJ_WRITE* C:$Mft SUCCESS Offset: 12906496 Length: 4096
407 12:09:12 AM System:4 IRP_MJ_WRITE* C:$Mft SUCCESS Offset: 32768 Length: 4096
408 12:09:12 AM System:4 IRP_MJ_WRITE* C:$Directory SUCCESS Offset: 0 Length: 4096
409 12:09:12 AM System:4 IRP_MJ_WRITE* C:$LogFile SUCCESS Offset: 12288 Length: 4096
410 12:09:12 AM System:4 IRP_MJ_WRITE C:\WINDOWS\system32\config\system.LOG SUCCESS Offset: 0 Length: 512
411 12:09:12 AM System:4 IRP_MJ_FLUSH_BUFFERS C:\WINDOWS\system32\config\system.LOG SUCCESS
412 12:09:12 AM System:4 IRP_MJ_WRITE* C:$LogFile SUCCESS Offset: 8192 Length: 4096
413 12:09:12 AM System:4 IRP_MJ_WRITE* C:$Mft SUCCESS Offset: 12906496 Length: 4096
414 12:09:12 AM System:4 IRP_MJ_WRITE* C:$Directory SUCCESS Offset: 0 Length: 4096
415 12:09:12 AM System:4 IRP_MJ_WRITE* C:$LogFile SUCCESS Offset: 12288 Length: 4096
416 12:09:12 AM System:4 IRP_MJ_WRITE* C:\WINDOWS\system32\config\system SUCCESS Offset: 0 Length: 16384
417 12:09:12 AM System:4 IRP_MJ_WRITE* C:\WINDOWS\system32\config\system SUCCESS Offset: 704512 Length: 16384
418 12:09:12 AM System:4 IRP_MJ_WRITE* C:\WINDOWS\system32\config\system SUCCESS Offset: 0 Length: 16384
419 12:09:12 AM System:4 IRP_MJ_WRITE* C:\WINDOWS\system32\config\system SUCCESS Offset: 2850816 Length: 16384
420 12:09:12 AM System:4 IRP_MJ_WRITE* C:\WINDOWS\system32\config\system SUCCESS Offset: 2785280 Length: 16384
421 12:09:12 AM System:4 IRP_MJ_WRITE* C:\WINDOWS\system32\config\system SUCCESS Offset: 1032192 Length: 16384
422 12:09:12 AM System:4 IRP_MJ_WRITE* C:\WINDOWS\system32\config\system SUCCESS Offset: 2752512 Length: 16384
423 12:09:12 AM System:4 IRP_MJ_WRITE* C:\WINDOWS\system32\config\system SUCCESS Offset: 2768896 Length: 16384
424 12:09:12 AM System:4 IRP_MJ_WRITE* C:\WINDOWS\system32\config\system SUCCESS Offset: 2211840 Length: 16384
425 12:09:12 AM System:4 IRP_MJ_WRITE* C:\WINDOWS\system32\config\system SUCCESS Offset: 2883584 Length: 16384
426 12:09:12 AM System:4 IRP_MJ_WRITE* C:\WINDOWS\system32\config\system SUCCESS Offset: 2523136 Length: 16384
427 12:09:12 AM System:4 IRP_MJ_WRITE* C:\WINDOWS\system32\config\system SUCCESS Offset: 2899968 Length: 16384
428 12:09:12 AM System:4 IRP_MJ_WRITE* C:\WINDOWS\system32\config\system SUCCESS Offset: 2867200 Length: 16384
429 12:09:12 AM System:4 IRP_MJ_WRITE* C:\WINDOWS\system32\config\system SUCCESS Offset: 0 Length: 4096

(Sorry for those long posts – I’m just hoping someone might recognize what’s going on)

12

Anything in the Event Logs?

Since this seems to be related to your userid, what happens if you create a whole new userid under XP and log on with that?

Is there any way in your file monitor to see what is being written?

Lastly, that CLSID that keeps showing up - {53f5630d-b6bf-11d0-94f2-00a0c91efb8b} - seems to be Windows’s identifier for storage volumes like hard drives and CDs. Search for the CLSID (without the curly braces) on Google and newsgroups - it gets mentioned a few times (including on microsoft.com). I don’t know why something keeps accessing it though.

13

Hmmm, I’ll look into in.

I found something in one of my HD configuration dialogues that allowed to me enable/disable disk caching…whatever that is. I turned it off.

I also found a service running called something like “Disk Volume Manager”. I disabled it, with no ill effects.

The consant access seems to have stopped, but there’s still a regular kssscchh every 5 - 6 seconds.