How To Figure Out Which Processes are Generating Disk IO in Windows 7

This article is a step-by-step guide to identifying how much data each process is writing to disk. It is particularly relevant for VDI installations, but also applies to physical Windows 7 installations.

If you are using Windows 7 as a VDI client, you really care about disk IO. If you are using differencing disks you really care about disk writes.

More disk writes = (bigger child vhd * many virtual machines) = More Storage = More Dollars

Minimising the amount of data written to disk can massively improve the scalability and performance of your solution. Before you can minimise it, you need to understand what is happening.

Installing the Tools

Install the Windows Performance Toolkit. To do this:

1. Install the Windows SDK

2. In the bin directory of the SDK install, locate the wpt_x64.exe or wpt_x86.exe file.

3. Copy the wpt_xXX.exe file that matches the architecture of the machine to be monitored onto that machine and install it.

4. In the install directory (normally C:\Program Files\Microsoft Windows Performance Toolkit) you should find xperf.exe.


Generate the Log File Using Xperf

1. Open a Command Prompt as administrator and navigate to the directory that contains xperf.exe.

2. Start kernel tracing by running this command:

xperf -on DiagEasy

3. Stop tracing and write the trace to a file with this command:

xperf -d c:\MyFolder\MyTrace.etl
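The two commands above are normally typed by hand; the script below is an added example (not from the article) that wraps them so the capture runs for a fixed interval and always stops, even if you interrupt it. It assumes the default toolkit install path given earlier, and the trace file name used throughout this article.

```powershell
# Added example: capture a DiagEasy kernel trace for a fixed interval.
# Assumptions: xperf.exe is in the default WPT install directory and this
# runs from an elevated PowerShell prompt.
param(
    [int]$Seconds = 60,
    [string]$TraceFile = 'C:\MyFolder\MyTrace.etl'
)

$xperf = Join-Path 'C:\Program Files\Microsoft Windows Performance Toolkit' 'xperf.exe'
if (-not (Test-Path $xperf)) { throw "xperf.exe not found at $xperf" }

# Kernel tracing needs an elevated prompt; fail early rather than at -on.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell prompt.'
}

# Make sure the output folder exists before xperf tries to write there.
$dir = Split-Path -Parent $TraceFile
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

# Same command as in the article: start the kernel logger with the DiagEasy group.
& $xperf -on DiagEasy
if ($LASTEXITCODE -ne 0) { throw "xperf -on failed with exit code $LASTEXITCODE" }

try {
    # Reproduce the workload you want to measure while this sleeps.
    Start-Sleep -Seconds $Seconds
}
finally {
    # -d stops the kernel logger and merges the buffered data into the .etl file,
    # so the trace is saved even if Ctrl+C interrupts the sleep above.
    & $xperf -d $TraceFile
}

$sizeMb = [math]::Round((Get-Item $TraceFile).Length / 1MB, 1)
Write-Host "Trace written to $TraceFile ($sizeMb MB)"
```

Save this as a .ps1 file and run it from the elevated prompt with the interval you need, for example `.\Capture-DiskTrace.ps1 -Seconds 120`. Keep the interval short: the kernel logger writes to its own .etl file while tracing, which is why that file shows up in the results later.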

Analysing the Trace in XPerf

These steps help you identify which processes are writing data.

1. Open the trace in XPerf.

xperf c:\MyFolder\MyTrace.etl

2. Right click the “Disk” section of the graph and click “Summary Table”.


3. Sort on “Write Size” to find the processes writing the most data and use “Path Name” to find the files being written to.


4. To get more details about each process, right click on the “Checkpoint” graph and select “Process Summary Table”.


5. Use the “Command Line” column to help identify how each process was started. This is particularly useful for seeing what each svchost.exe instance is actually doing, since the service group it hosts is only visible from its command line.


Analysing the trace in Excel

You might want to analyse the trace in a more familiar tool and generate custom reports.

1. Open the trace in XPerf.

xperf c:\MyFolder\MyTrace.etl

2. Right click the “Disk” graph and select “Detail Graph”.


3. On the new graph right click and select “Summary Table”.


4. Right click the table, select “Export Full Table” and save it as a CSV file.


5. Open the CSV file in Excel and save it as an Excel Workbook.

6. Insert a pivot table using the entire data set and set it up like this:


7. Filter the pivot table on “Write” and the table should look like the screenshot below. You might then want to sort the table on “Sum of IO Size”.
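If you would rather not build the pivot table by hand each time, the following script is an added example (not from the article) that produces the same “Sum of IO Size per process” summary directly from the exported CSV, plus a per-file breakdown so you can see which paths each process is writing. The column names it uses (“IO Type”, “Process Name ( PID)”, “IO Size”, “Path Name”) are assumptions based on the columns the article's pivot refers to; check them against the header row of your own export and adjust the four variables at the top if they differ. The rows it filters out, matching the trace file itself, follow the Kernel.etl note in the Next Steps section below.

```powershell
# Added example: summarise an xperf "Detail Graph" summary-table export without Excel.
# Column names are assumptions (see lead-in); edit them to match your CSV's header row.
param(
    [string]$CsvPath,   # path to the exported CSV; omit it to run on the constructed sample below
    [int]$Top = 10      # how many processes / files to show
)

$ioTypeCol = 'IO Type'
$procCol   = 'Process Name ( PID)'
$sizeCol   = 'IO Size'
$pathCol   = 'Path Name'

# Constructed sample rows, used only when no CSV path is supplied.
$sample = @"
"IO Type","Process Name ( PID)","IO Size","Path Name"
"Write","svchost.exe (1234)","65536","C:\Windows\System32\winevt\Logs\Application.evtx"
"Write","svchost.exe (1234)","65536","C:\Windows\System32\winevt\Logs\Application.evtx"
"Write","xperf.exe (4321)","1048576","C:\Kernel.etl"
"Read","explorer.exe (2222)","4096","C:\Windows\explorer.exe"
"Write","explorer.exe (2222)","8192","C:\Users\user\NTUSER.DAT"
"@

$rows = if ($CsvPath) { Import-Csv -Path $CsvPath } else { $sample | ConvertFrom-Csv }

# Keep only writes, and drop the kernel logger's own trace file: it is only written
# while you are tracing, so it says nothing about the machine's normal behaviour.
$writes = $rows | Where-Object {
    $_.$ioTypeCol -eq 'Write' -and $_.$pathCol -notlike '*\Kernel.etl'
}

# Equivalent of the pivot table: Sum of IO Size per process, largest first.
$byProcess = $writes |
    Group-Object -Property $procCol |
    ForEach-Object {
        $bytes = ($_.Group | Measure-Object -Property $sizeCol -Sum).Sum
        New-Object PSObject -Property @{
            Process    = $_.Name
            Writes     = $_.Count
            WriteBytes = [int64]$bytes
        }
    } |
    Sort-Object -Property WriteBytes -Descending |
    Select-Object -First $Top

# Same sum, broken down by process and path, to find the files being written.
$byFile = $writes |
    Group-Object -Property $procCol, $pathCol |
    ForEach-Object {
        $bytes = ($_.Group | Measure-Object -Property $sizeCol -Sum).Sum
        New-Object PSObject -Property @{
            Process    = $_.Values[0]
            Path       = $_.Values[1]
            WriteBytes = [int64]$bytes
        }
    } |
    Sort-Object -Property WriteBytes -Descending |
    Select-Object -First $Top

Write-Host 'Write bytes per process:'
$byProcess | Format-Table Process, Writes, WriteBytes -AutoSize
Write-Host 'Write bytes per process and file:'
$byFile | Format-Table Process, WriteBytes, Path -AutoSize
```

Run it as `.\Summarise-DiskWrites.ps1 -CsvPath C:\MyFolder\MyTrace.csv`. On the constructed sample it reports svchost.exe (1234) first with 131072 bytes over two writes, then explorer.exe (2222) with 8192, and the 1 MB write to C:\Kernel.etl is excluded. Because the script is reproducible, it is a good way to compare captures taken before and after you change a service or a policy, which the Excel pivot makes tedious.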


Next Steps

Note: “c:\Kernel.etl” is the file used to store all the performance data. It grows quite large and can be discarded from your analysis, as it is only written while you are actively tracing Windows.

By now you have a sorted list of which processes are writing the most data and to which files. You also have the exact command line that started each process. The next stage is the tricky part! You need to identify the purpose of the processes writing the data. Sadly, this stage is out of scope of this article. For this, the internet is your friend.

Hope this helps.