How to Figure out Unknown Hard Drive Activity

On 2/10/09 from 9:55am to 10:05am my client stated that their server's hard drives were being excessively accessed. During that time they stated that no one was using the server, as they were just getting to the office and had not even booted up the workstations. He was extremely concerned and wants to know what caused this.

I have reviewed the event, RAID, antivirus, battery backup and Veritas Backup Exec logs. Nothing was logged during this time frame.

My question is (I doubt it is possible): how can I figure out what happened in the past? More importantly, for the future, how can I figure out what caused this the next time it happens?

The server is SBS 2003 Standard.
fa2lerror asked:

L3370 commented:
>>He walked into the office and before turning on his workstation he commented that the server hdd was excessive even more than normal day to day use.

Do you mean he was physically looking at the HDD on the server and watching the little green lights flicker?
How long was he watching? If he was watching for a few seconds or minutes, that has absolutely no bearing on its usage. Hours...maaaybe. It could have been doing a thousand different things, with all of them legitimate. You ever leave your home computer on, and suddenly hear the hard drive making some noise for 5 seconds before going back to normal?

If he actually logged on and noticed high usage, then that's a different story. What did he notice had high usage? Did task manager show any processes taking up memory?

The server could have merely been doing updates. Updates are commonly run during off peak hours. It could have been running any background processes related to the services that server provides. If it was something bad... a service could have stopped and the server was trying to restart it...thus causing the hard drive activity to go up.  

I digress,

Did you check security logs? Security logs will show logon/logoff activity on the server. If they were blank around that time, chances are there was no activity.

Auditing can be set to do a number of things. You can audit:
- File access
- File changes
- File deletions
- Changes to security permissions.... the list goes on.

I would NOT begin extended auditing if it is not known what you are looking for. As stated above, improper auditing can bring a server down in no time. Whether there was a problem in the first place or not, there will be one after you enable auditing.
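The asker wants to know, for the next occurrence, which background process was driving the disks when no user was logged on, and the answer above points at process activity rather than file auditing. An added example, not code from any poster in this thread, that takes a lighter route than object-access auditing: a perfmon counter log capturing per-process I/O, plus a PowerShell function that ranks processes over the reported time window. It assumes Windows Server 2003 / SBS 2003 with the built-in logman.exe, Windows PowerShell 2.0 or later installed, English counter names, the log name "DiskWatch" and the directory C:\PerfLogs (all of these are assumptions, not something the thread states). No SACLs are touched, so the "over-auditing cripples the server" caveat does not apply; the cost is one 15-second sample of a handful of counters.

```powershell
# Added example, not from the thread. Assumes: Server 2003 / SBS 2003 with logman.exe, PowerShell 2.0+,
# English counter names, log name "DiskWatch" and directory C:\PerfLogs (all assumed).
#
# Step 1 (run once from cmd.exe): create and start a counter log that samples total disk throughput,
# queue length and per-process I/O every 15 seconds, written as CSV.
#
#   logman create counter DiskWatch -f csv -si 00:00:15 -o C:\PerfLogs\DiskWatch ^
#     -c "\PhysicalDisk(_Total)\Disk Bytes/sec" "\PhysicalDisk(_Total)\Avg. Disk Queue Length" ^
#        "\Process(*)\IO Data Bytes/sec"
#   logman start DiskWatch
#
# Step 2: after the next "noisy" period, point this function at the CSV logman wrote (logman appends
# a serial suffix by default, e.g. DiskWatch_000001.csv) and the window the client reported.

function Get-TopIoProcess {
    param(
        [Parameter(Mandatory=$true)][string]$Path,     # CSV written by the DiskWatch counter log
        [Parameter(Mandatory=$true)][datetime]$Start,  # e.g. '02/10/2009 09:55'
        [Parameter(Mandatory=$true)][datetime]$End,
        [int]$Top = 5
    )

    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { return @() }

    # The first column is the sample timestamp; its header is a PDH-CSV marker, so take it by position.
    # Timestamps are parsed with the machine's own locale, the same one perfmon used to write them.
    $timeCol = @($rows[0].PSObject.Properties)[0].Name

    $window = @($rows | Where-Object {
        $t = [datetime]::Parse($_.$timeCol)
        ($t -ge $Start) -and ($t -le $End)
    })
    if ($window.Count -eq 0) { return @() }

    # One column per process instance, named "\\SERVER\Process(name)\IO Data Bytes/sec".
    # _Total and Idle never identify a culprit, so they are skipped.
    $procCols = @($rows[0].PSObject.Properties | Where-Object {
        ($_.Name -like '*\Process(*)\IO Data Bytes/sec') -and
        ($_.Name -notlike '*\Process(_Total)\*') -and
        ($_.Name -notlike '*\Process(Idle)\*')
    })

    $results = foreach ($col in $procCols) {
        # Perfmon leaves the cell blank when the instance did not exist for that sample; count it as 0.
        $values = foreach ($r in $window) {
            $raw = [string]$r.($col.Name)
            $parsed = 0.0
            if ([double]::TryParse($raw.Trim(), [ref]$parsed)) { $parsed } else { 0.0 }
        }
        $stats = $values | Measure-Object -Maximum -Average
        New-Object PSObject -Property @{
            Process         = ($col.Name -replace '^.*\\Process\((.+)\)\\IO Data Bytes/sec$', '$1')
            PeakBytesPerSec = [math]::Round($stats.Maximum)
            AvgBytesPerSec  = [math]::Round($stats.Average)
            Samples         = $window.Count
        }
    }

    $results | Sort-Object PeakBytesPerSec -Descending | Select-Object -First $Top
}

# Example call for the window in the question (assumed file name; date format follows the server's locale):
# Get-TopIoProcess -Path 'C:\PerfLogs\DiskWatch_000001.csv' -Start '02/10/2009 09:55' -End '02/10/2009 10:05' |
#     Format-Table -AutoSize
```

A process that tops the list with a high peak but a low average fits the "five seconds of noise" pattern described above (a scheduled scan, an update download, a backup catalog refresh); a process that is high on both for the whole window is the one worth looking at. Stop the log with `logman stop DiskWatch` and delete it with `logman delete DiskWatch` once the question is settled, so it does not keep writing to the very disks being watched.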
L3370 commented:
You can enable auditing of the server. You can set it to log who accesses certain files/directories. Keep in mind that auditing should be kept to the absolute minimum needed. Improper or over-auditing can cripple even the beefiest servers.

http://technet.microsoft.com/en-us/library/cc779526.aspx

I like to enable auditing for files that are deleted... I was tired of doing restores and I wanted to know who the culprits were.

The problem is that it isn't retroactive... what happened in the past cannot be found.

Now... your client stated that the server's hard drives were excessively accessed. Is your client a fellow IT person?  Or does this amount to a personal 'feeling'?  Either way, what evidence have they provided to you in that regard?

fa2lerror (author) commented:
The evidence is that the server is right next to his computer. He walked into the office and before turning on his workstation he commented that the server HDD was excessive, even more than normal day-to-day use.

At this point I assume the activity was a process rather than user as no workstations were turned on. Would the auditing show backend processes?

fa2lerror (author) commented:
I completely agree with everything you have said. Auditing/logs are clean. I keep telling him he is crazy. One of these days he is going to break something.