I have the same problem also now, it's been happening for about 3 months. My computer configuration (except for automatic updates from MS) hasn't changed in about 3 years. Windows 7 w/SP1.
In Resource Monitor PID 4 (System) is constantly reading 1000's and 1000's of files, most of which are from my media directory which has literally 10's of thousands of files in nested directories (which I think is not so relevant).
There is very little write activity but the disk queue is constantly >0 and, because the files are on a RAID array, it's REALLY loud.
Process Explorer tells me nothing useful about the activity.
I initially thought it was MS Security Essentials because when it first occurred I could "turn it off" by disabling real time file protection. This was a 1:1 result - if I turned off real time scanning the activity stopped, as soon as I turned on real time scanning the activity returned. The *abnormal* thing about this was that the entire directory being accessed was *excluded* from Security Essentials.
So I removed Security Essentials, replaced it with Avast and things went back to normal for over a month.
Now the reading is back again. I let it do its thing last night and 10 hours later it's still going, repeatedly reading *exactly* the same files, again and again and again. Security Essentials is no longer installed in my computer.
I have explicitly *denied* "SYSTEM" access to this path (and all child folders and files) using NTFS security permissions and the access still persists (how is this possible?).
If I change the drive letter assignment from D: to say E: the activity stops immediately and does not resume. The *instant* I change it back to D: the activity resumes. If the activity is dependent on a drive letter assignment it can't be a very low level activity - i.e. it *should* be easy to diagnose.
Windows Search is disabled at the system level (via Add/Remove Windows Components) and all Indexing services are stopped.
Windows Media Player has all of its libraries pointed to an empty folder so it's not scanning or sharing anything.
I've scanned for all sorts of infection using multiple tools (including MS tools) and can find none.
Questions:
- How do I establish *precisely* what "SYSTEM" activity is causing this and more importantly *why*? The "why" part is the most essential here. There should be a very simple tool in Windows to allow me to do this.
- It's undesirable activity, it's unsolicited activity and by all logical reasoning it's unnecessary activity. How do I stop it?
- Why, if I *explicitly* deny access to a folder and files using NTFS security permissions is "SYSTEM" still able to access those files? Should this not be impossible?
Please under no circumstances recommend an upgrade to Windows 8.
Thanks in eager anticipation.