How to Figure out Unknown Hard Drive Activity

Posted on 2009-02-13
Medium Priority
Last Modified: 2012-05-06
On 2/10/09 from 9:55am to 10:05am my client stated that their server's hard drives were being excessively accessed. During that time they stated that no one was using the server, as they were just getting to the office and had not even booted up the workstations. He was extremely concerned and wants to know what caused this.

I have reviewed the event, raid, antivirus, battery backup and veritas backupexec logs. Nothing was logged during this time frame.

My question is (I doubt it, but): how can I figure out what happened in the past? More importantly, for the future, how can I figure out what caused this the next time it happens?

The server is SBS 2003 Standard.
Question by: fa2lerror

Expert Comment

ID: 23636832
You can enable auditing on the server. You can set it to log who accesses certain files/directories. Keep in mind that auditing should be kept to the absolute minimum needed. Improper or over-auditing can cripple even the beefiest servers.

I like to enable auditing for files that are deleted... I was tired of doing restores and I wanted to know who the culprits were.

The problem is that it isn't retroactive... what happened in the past cannot be found.

Now... your client stated that the server's hard drives were excessively accessed. Is your client a fellow IT person?  Or does this amount to a personal 'feeling'?  Either way, what evidence have they provided to you in that regard?

Author Comment

ID: 23636974
The evidence is that the server is right next to his computer. He walked into the office and, before turning on his workstation, he commented that the server HDD activity was excessive, even more than normal day-to-day use.

At this point I assume the activity was a process rather than a user, as no workstations were turned on. Would the auditing show backend processes?

Accepted Solution

L3370 earned 2000 total points
ID: 23637309
>>He walked into the office and, before turning on his workstation, he commented that the server HDD activity was excessive, even more than normal day-to-day use.

Do you mean he was physically looking at the HDD on the server and watching the little green lights flicker?
How long was he watching? If he was watching for a few seconds or minutes, that has absolutely no bearing on its usage. Hours... maaaybe. It could have been doing a thousand different things, all of them legitimate. Do you ever leave your home computer on, and suddenly hear the hard drive making some noise for 5 seconds before going back to normal?

If he actually logged on and noticed high usage, then that's a different story. What did he notice had high usage? Did Task Manager show any processes taking up memory?

The server could have merely been doing updates. Updates are commonly run during off-peak hours. It could have been running any background processes related to the services that server provides. If it was something bad... a service could have stopped and the server was trying to restart it... thus causing the hard drive activity to go up.

I digress,

Did you check the security logs? Security logs will show logon/logoff activity on the server. If they were blank around that time, chances are there was no activity.

Auditing can be set to do a number of things. You can audit:
- File access
- File changes
- File deletions
- Changes to security permissions... the list goes on.

I would NOT begin extended auditing if it is not known what you are looking for. As stated above, improper auditing can bring a server down in no time. Whether there was a problem in the first place or not, there will be one after you enable auditing.

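As an added example (not code from the thread or from either participant), a PowerShell script covering the two checks the answer above points at: attributing the next burst of disk activity to a process using per-process performance counters rather than broad file auditing, and pulling logon/logoff events from the Security log for the reported window. The function names and parameters are my own, and it assumes PowerShell 2.0 or later on the server.

```powershell
# Added example (not code from the thread): two checks a defender can run on the
# Windows server the next time unexplained disk activity is reported.
# Assumes PowerShell 2.0 or later and an account allowed to read the Security log.

function Get-DiskTopTalkers {
    # Sample per-process I/O counters for a window and report the busiest
    # processes, so the activity can be attributed without file auditing.
    param(
        [int]$Seconds  = 60,   # length of the sampling window
        [int]$Interval = 5,    # seconds between samples
        [int]$Top      = 10    # number of processes to report
    )
    $samples = [math]::Max(1, [int]($Seconds / $Interval))
    # 'IO Data Bytes/sec' counts both reads and writes for each process instance
    $data = Get-Counter -Counter '\Process(*)\IO Data Bytes/sec' `
                        -SampleInterval $Interval -MaxSamples $samples
    $totals = @{}
    foreach ($set in $data) {
        foreach ($cs in $set.CounterSamples) {
            $name = $cs.InstanceName
            if ($name -eq '_total' -or $name -eq 'idle') { continue }
            # bytes/sec times the interval approximates bytes moved in that sample
            $totals[$name] = $totals[$name] + ($cs.CookedValue * $Interval)
        }
    }
    $totals.GetEnumerator() | Sort-Object Value -Descending |
        Select-Object -First $Top -Property @{n='Process'; e={$_.Key}},
            @{n='MBytes'; e={[math]::Round($_.Value / 1MB, 1)}}
}

function Get-LogonActivity {
    # List logon/logoff events from the classic Security log in a time window.
    # Windows Server 2003 event IDs: 528 interactive logon, 540 network logon,
    # 538 logoff, 529 failed logon (Server 2008 and later use 4624/4634/4625).
    param([datetime]$Start, [datetime]$End)
    Get-EventLog -LogName Security -After $Start -Before $End |
        Where-Object { @(528, 529, 538, 540) -contains $_.EventID } |
        Select-Object TimeGenerated, EventID,
            @{n='Account'; e={$_.ReplacementStrings[0]}}
}

# Run the sampler while the disk is busy, then check who was logged on around
# the reported window (times below are the ones from the question).
Get-DiskTopTalkers -Seconds 60 -Interval 5 -Top 10
Get-LogonActivity -Start '2009-02-10 09:55' -End '2009-02-10 10:05'
```

The counter sampler only sees the live activity, so it answers the "next time it happens" question; the Security log query is the retroactive check and, as the answer notes, an empty window there means no one was logging on.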

Author Closing Comment

ID: 31546745
I completely agree with everything you have said. Auditing/logs are clean. I keep telling him he is crazy. One of these days he is going to break something.
