How to Figure out Unknown Hard Drive Activity

Posted on 2009-02-13
Last Modified: 2012-05-06
On 2/10/09 from 9:55am to 10:05am my client stated that their server's hard drives were being excessively accessed. During that time they stated that no one was using the server, as they were just getting to the office and had not even booted up the workstations. He was extremely concerned and wants to know what caused this.

I have reviewed the event, raid, antivirus, battery backup and veritas backupexec logs. Nothing was logged during this time frame.

My question is, though I doubt it is possible, how can I figure out what happened in the past? More importantly, for the future, how can I figure out what caused this the next time it happens?

The server is SBS 2003 Standard.
Question by:fa2lerror

    Expert Comment

    You can enable auditing on the server. You can set it to log who accesses certain files/directories. Keep in mind that auditing should be kept to the absolute minimum needed. Improper or over-auditing can cripple even the beefiest servers.

    I like to enable auditing for files that are deleted... I was tired of doing restores and I wanted to know who the culprits were.

    The problem is that it isn't retroactive... what happened in the past cannot be found.

    Now... your client stated that the server's hard drives were excessively accessed. Is your client a fellow IT person?  Or does this amount to a personal 'feeling'?  Either way, what evidence have they provided to you in that regard?

    Author Comment

    The evidence is that the server is right next to his computer. He walked into the office and before turning on his workstation he commented that the server hdd was excessive even more than normal day to day use.

    At this point I assume the activity was a process rather than user as no workstations were turned on. Would the auditing show backend processes?

    Accepted Solution

    >>He walked into the office and before turning on his workstation he commented that the server hdd was excessive even more than normal day to day use.

    Do you mean he was physically looking at the HDD on the server and watching the little green lights flicker?
    How long was he watching? If he was watching for a few seconds or minutes, that has absolutely no bearing on its usage. Hours... maaaybe. It could have been doing a thousand different things, with all of them legitimate. You ever leave your home computer on, and suddenly hear the hard drive making some noise for 5 seconds before going back to normal?

    If he actually logged on and noticed high usage, then that's a different story. What did he notice had high usage? Did Task Manager show any processes taking up memory?

    The server could have merely been doing updates. Updates are commonly run during off-peak hours. It could have been running any background processes related to the services that server provides. If it was something bad... a service could have stopped and the server was trying to restart it... thus causing the hard drive activity to go up.

    I digress,

    Did you check the security logs? Security logs will show logon/logoff activity on the server. If they were blank around that time, chances are there was no activity.

    Auditing can be set to do a number of things. You can audit
    - File access
    - File changes
    - File deletions
    - Changes to security permissions... the list goes on.

    I would NOT begin extended auditing if it is not known what you are looking for. As stated above, improper auditing can bring a server down in no time. Whether there was a problem in the first place or not, there will be one after you enable auditing.
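The accepted answer recommends two things: check the Security log for logon/logoff events around the window the client reported, and, if it happens again, find out which process is actually generating the I/O rather than enabling broad auditing. The script below is an added example written for this thread, not code from the original post or from Experts Exchange. It assumes Windows PowerShell 3.0 or later running elevated on the server being checked (the Security log needs administrator rights); the threshold of 200 disk transfers per second and the log path C:\DiskWatch\diskwatch.csv are assumed values, and the time window in the usage comment is the one from the question. The event IDs 528/540/538 are the Windows Server 2003 logon/logoff IDs the thread's SBS 2003 box would produce; 4624/4634/4647 are their Server 2008-and-later equivalents.

```powershell
# Added example (not from the original thread). Assumes Windows PowerShell 3.0+
# in an elevated session. Threshold, log path and the sample window are assumptions.

# Logon/logoff event IDs: Server 2003 logs 528/540 (logon) and 538 (logoff);
# Server 2008 and later log 4624 (logon) and 4634/4647 (logoff).
$LogonEventIds = 528, 540, 538, 4624, 4634, 4647

# Retroactive check from the answer: list logon/logoff events in a time window.
# An empty result is the "security log was blank" case the answer describes.
function Get-LogonEventsInWindow {
    param(
        [Parameter(Mandatory=$true)][datetime]$Start,
        [Parameter(Mandatory=$true)][datetime]$End
    )
    # Get-EventLog reads the classic Security log; -InstanceId filters on event ID.
    # -ErrorAction SilentlyContinue swallows the non-terminating "No matches found".
    Get-EventLog -LogName Security -After $Start -Before $End `
                 -InstanceId $LogonEventIds -ErrorAction SilentlyContinue |
        Select-Object TimeGenerated, InstanceId, EntryType,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0].Trim() } } |
        Sort-Object TimeGenerated
}

# Forward-looking check: sample per-process I/O for a few seconds and return the
# heaviest processes. This records what Task Manager would have shown at the time.
function Get-TopDiskProcesses {
    param(
        [int]$Seconds = 5,
        [int]$Top = 5
    )
    $sets = Get-Counter -Counter '\Process(*)\IO Data Bytes/sec' `
                        -SampleInterval 1 -MaxSamples $Seconds
    $sets | ForEach-Object { $_.CounterSamples } |
        Where-Object { @('_total', 'idle') -notcontains $_.InstanceName } |
        Group-Object InstanceName |
        ForEach-Object {
            $avg = ($_.Group | Measure-Object -Property CookedValue -Average).Average
            New-Object PSObject -Property @{
                Process        = $_.Name
                AvgBytesPerSec = [math]::Round($avg)
            }
        } |
        Sort-Object AvgBytesPerSec -Descending |
        Select-Object -First $Top
}

# Poll total disk transfers; when they exceed the threshold, record the top
# processes with a timestamp so the next "the lights were flickering" report
# can be matched to a process instead of a guess.
function Watch-DiskActivity {
    param(
        [double]$TransfersPerSecThreshold = 200,             # assumed threshold
        [string]$LogPath = 'C:\DiskWatch\diskwatch.csv',     # assumed path
        [int]$MaxIterations = 0                              # 0 = run until Ctrl+C
    )
    $dir = Split-Path -Parent $LogPath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    $i = 0
    while ($MaxIterations -eq 0 -or $i -lt $MaxIterations) {
        $i++
        $disk = Get-Counter -Counter '\PhysicalDisk(_Total)\Disk Transfers/sec' `
                            -SampleInterval 5 -MaxSamples 1
        $rate = ($disk.CounterSamples | Select-Object -First 1).CookedValue
        if ($rate -gt $TransfersPerSecThreshold) {
            $when = Get-Date
            Get-TopDiskProcesses -Seconds 5 |
                Select-Object @{ n = 'Time'; e = { $when } },
                              @{ n = 'DiskTransfersPerSec'; e = { [math]::Round($rate) } },
                              Process, AvgBytesPerSec |
                Export-Csv -Path $LogPath -Append -NoTypeInformation
        }
    }
}

# Usage (constructed window from the question, 10 Feb 2009 09:55 to 10:05):
# Get-LogonEventsInWindow -Start '2009-02-10 09:55' -End '2009-02-10 10:05' | Format-Table -AutoSize
# Watch-DiskActivity -TransfersPerSecThreshold 200 -MaxIterations 60
```

The watcher only samples performance counters, so it has none of the cost the answer warns about with object-access auditing; it can be left running from a scheduled task and the CSV checked the next time the client reports the drive lights going wild. On a server too old to run this version of PowerShell, the same two counters can be logged with Performance Monitor's counter logs instead.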


    Author Closing Comment

    I completely agree with everything you have said. Auditing/logs are clean. I keep telling him he is crazy. One of these days he is going to break something.
