Sign in with
Sign up | Sign in
Your question

Which program is causing abnormal disc activity?

Last response: in Windows XP
Share
Anonymous
June 26, 2005 11:48:41 AM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

I don't know much about computers but I seem to be having a lot of
disc activity since changing my hard drive and reinstalling windows
xp.

I've been to windows task manager & have enabled I/O Read Bytes & I/O
Write bytes.

When I'm doing nothing the following 3 programs are constantly
changing. I've been online for about 3 hours now & these are the
approximate figures:

ashserve.exe (Avast antivirus):

read: 4,700,000,000 write: 3,700,000

svhost.exe:

read: 705,000,000 write: 718,000,000

lsass.exe:

read: 1,010,000 write: 540,000

Today is the 1st time my firewall reporeted that lsass requested
internet access though this disc activity has been noticable since
doing the reinstall.

Any help or advice would be appreciated!
Anonymous
June 26, 2005 11:48:42 AM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

Hi,

Avast probably has background scanning running and its VRDB points building,
which would account for its disk activity.

Svchost could indicate a number of things, but my guess is that since it's a
new installation this is most likely the indexing service at work.

lsass is a normal system function used to authenticate logons, but it should
not need to access the internet. This act may indicate suspicious activity,
and (to me at least) warrants investigation in Safe mode. By any chance were
you connected to the internet via a broadband connection when you were
installing the operating system? There is a point where the system is "live"
but the firewall is not fully running yet, and a connected system can
quickly become infected by sasser (which causes issues with lsass) and other
active worms seeking unprotected machines.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP
http://mvp.support.microsoft.com/
Associate Expert - WindowsXP Expert Zone
www.microsoft.com/windowsxp/expertzone
Windows help - www.rickrogers.org

"John Latter" <jorolat@msn.com> wrote in message
news:etjsb1lkdbqor5e7kmkfqu4iacf0ok09c3@4ax.com...
>I don't know much about computers but I seem to be having a lot of
> disc activity since changing my hard drive and reinstalling windows
> xp.
>
> I've been to windows task manager & have enabled I/O Read Bytes & I/O
> Write bytes.
>
> When I'm doing nothing the following 3 programs are constantly
> changing. I've been online for about 3 hours now & these are the
> approximate figures:
>
> ashserve.exe (Avast antivirus):
>
> read: 4,700,000,000 write: 3,700,000
>
> svhost.exe:
>
> read: 705,000,000 write: 718,000,000
>
> lsass.exe:
>
> read: 1,010,000 write: 540,000
>
> Today is the 1st time my firewall reporeted that lsass requested
> internet access though this disc activity has been noticable since
> doing the reinstall.
>
> Any help or advice would be appreciated!
>
Anonymous
June 26, 2005 11:48:42 AM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

If using XPPro, run the command

tasklist /svc

at the command prompt. Find the PID number of the svchost.exe that's
causing the activity and look it up in the above command prompt window.

Let us know what the items listed under services in the far right column
are and someone should be able to let you know if they're benign or malicious.

"John Latter" wrote:

> I don't know much about computers but I seem to be having a lot of
> disc activity since changing my hard drive and reinstalling windows
> xp.
>
> I've been to windows task manager & have enabled I/O Read Bytes & I/O
> Write bytes.
>
> When I'm doing nothing the following 3 programs are constantly
> changing. I've been online for about 3 hours now & these are the
> approximate figures:
>
> ashserve.exe (Avast antivirus):
>
> read: 4,700,000,000 write: 3,700,000
>
> svhost.exe:
>
> read: 705,000,000 write: 718,000,000
>
> lsass.exe:
>
> read: 1,010,000 write: 540,000
>
> Today is the 1st time my firewall reporeted that lsass requested
> internet access though this disc activity has been noticable since
> doing the reinstall.
>
> Any help or advice would be appreciated!
>
>
Related resources
Anonymous
June 26, 2005 8:36:48 PM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

On Sun, 26 Jun 2005 07:14:28 -0400, "Rick \"Nutcase\" Rogers"
<rick@mvps.org> wrote:

>Hi,
>
>Avast probably has background scanning running and its VRDB points building,
>which would account for its disk activity.
>
>Svchost could indicate a number of things, but my guess is that since it's a
>new installation this is most likely the indexing service at work.
>
>lsass is a normal system function used to authenticate logons, but it should
>not need to access the internet. This act may indicate suspicious activity,
>and (to me at least) warrants investigation in Safe mode. By any chance were
>you connected to the internet via a broadband connection when you were
>installing the operating system? There is a point where the system is "live"
>but the firewall is not fully running yet, and a connected system can
>quickly become infected by sasser (which causes issues with lsass) and other
>active worms seeking unprotected machines.

Hi Rick,

Unfortunately its not VRDB :( 

I've done some googling & by disabling terminal services Isass.exe is
no longer constantly accessing the disc but svchost.exe & ashserve are
- i think svc is 'triggering' ashserve.
Anonymous
June 26, 2005 8:38:58 PM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

On Sun, 26 Jun 2005 04:53:02 -0700, usasma
<usasma@discussions.microsoft.com> wrote:

>If using XPPro, run the command
>
>tasklist /svc
>
>at the command prompt. Find the PID number of the svchost.exe that's
>causing the activity and look it up in the above command prompt window.
>
>Let us know what the items listed under services in the far right column
>are and someone should be able to let you know if they're benign or malicious.

Hiya,

I've done some googling & tried tasklist /svc before I realized that
the info was for XP Pro and I've only got Home :( 

Still googling - would be grateful for any help :) 

John

>
>"John Latter" wrote:
>
>> I don't know much about computers but I seem to be having a lot of
>> disc activity since changing my hard drive and reinstalling windows
>> xp.
>>
>> I've been to windows task manager & have enabled I/O Read Bytes & I/O
>> Write bytes.
>>
>> When I'm doing nothing the following 3 programs are constantly
>> changing. I've been online for about 3 hours now & these are the
>> approximate figures:
>>
>> ashserve.exe (Avast antivirus):
>>
>> read: 4,700,000,000 write: 3,700,000
>>
>> svhost.exe:
>>
>> read: 705,000,000 write: 718,000,000
>>
>> lsass.exe:
>>
>> read: 1,010,000 write: 540,000
>>
>> Today is the 1st time my firewall reporeted that lsass requested
>> internet access though this disc activity has been noticable since
>> doing the reinstall.
>>
>> Any help or advice would be appreciated!
>>
>>
June 26, 2005 8:38:59 PM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

John Latter wrote:

> On Sun, 26 Jun 2005 04:53:02 -0700, usasma
> <usasma@discussions.microsoft.com> wrote:
>
>>If using XPPro, run the command
>>
>>tasklist /svc
>>
>>at the command prompt. Find the PID number of the svchost.exe that's
>>causing the activity and look it up in the above command prompt
>>window.
>>
>>Let us know what the items listed under services in the far right
>>column are and someone should be able to let you know if they're
>>benign or malicious.
>
> Hiya,
>
> I've done some googling & tried tasklist /svc before I realized that
> the info was for XP Pro and I've only got Home :( 
>
> Still googling - would be grateful for any help :) 
>
John - When you reinstalled Windows, did you connect to the Internet
without having a firewall in place? If you did, it is possible that you
have some malware running. Here are things to check:

1. Do some clean-boot troubleshooting:

http://support.microsoft.com/default.aspx?kbid=310353
and How to Troubleshoot By Using the Msconfig Utility in Windows XP -
http://support.microsoft.com/?id=310560

2. Make sure your computer is 100% malware-free. Start by running
Ad-aware and Spybot Search & Destroy. Install and update these free
programs and then scan with them (not simultaneously!) in Safe Mode. If
you need more detailed malware removal steps, I have some on my website
here:
http://www.elephantboycomputers.com/page2.html#Removing...

Since you have Avast, make sure its definitions are current and do a
scan with it in Safe Mode also.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
Anonymous
June 27, 2005 12:37:17 AM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

On Sun, 26 Jun 2005 11:09:40 -0700, Malke <invalid@not-real.com>
wrote:

>John Latter wrote:
>
>> On Sun, 26 Jun 2005 04:53:02 -0700, usasma
>> <usasma@discussions.microsoft.com> wrote:
>>
>>>If using XPPro, run the command
>>>
>>>tasklist /svc
>>>
>>>at the command prompt. Find the PID number of the svchost.exe that's
>>>causing the activity and look it up in the above command prompt
>>>window.
>>>
>>>Let us know what the items listed under services in the far right
>>>column are and someone should be able to let you know if they're
>>>benign or malicious.
>>
>> Hiya,
>>
>> I've done some googling & tried tasklist /svc before I realized that
>> the info was for XP Pro and I've only got Home :( 
>>
>> Still googling - would be grateful for any help :) 
>>
>John - When you reinstalled Windows, did you connect to the Internet
>without having a firewall in place? If you did, it is possible that you
>have some malware running. Here are things to check:
>
>1. Do some clean-boot troubleshooting:
>
>http://support.microsoft.com/default.aspx?kbid=310353
> and How to Troubleshoot By Using the Msconfig Utility in Windows XP -
>http://support.microsoft.com/?id=310560
>
>2. Make sure your computer is 100% malware-free. Start by running
>Ad-aware and Spybot Search & Destroy. Install and update these free
>programs and then scan with them (not simultaneously!) in Safe Mode. If
>you need more detailed malware removal steps, I have some on my website
>here:
>http://www.elephantboycomputers.com/page2.html#Removing...
>
>Since you have Avast, make sure its definitions are current and do a
>scan with it in Safe Mode also.
>
>Malke

Hiya Maoke,

Thanks for the advice & info Malke :) 

I installed XP, installed SP2, installed McAfee PFW & only then
connected to the internet.
June 27, 2005 12:37:18 AM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

John Latter wrote:

>>John - When you reinstalled Windows, did you connect to the Internet
>>without having a firewall in place? If you did, it is possible that
>>you have some malware running. Here are things to check:
>>
>>1. Do some clean-boot troubleshooting:
>>
>>http://support.microsoft.com/default.aspx?kbid=310353
>> and How to Troubleshoot By Using the Msconfig Utility in Windows XP
>> -
>>http://support.microsoft.com/?id=310560
>>
>>2. Make sure your computer is 100% malware-free. Start by running
>>Ad-aware and Spybot Search & Destroy. Install and update these free
>>programs and then scan with them (not simultaneously!) in Safe Mode.
>>If you need more detailed malware removal steps, I have some on my
>>website here:
>>http://www.elephantboycomputers.com/page2.html#Removing...
>>
>>Since you have Avast, make sure its definitions are current and do a
>>scan with it in Safe Mode also.
>>
>>Malke

> Thanks for the advice & info Malke :) 
>
> I installed XP, installed SP2, installed McAfee PFW & only then
> connected to the internet.

I'd still do the above. Clean-boot t-shooting is a really good tool, and
checking for malware can't hurt. Also check and see if the Indexing
Services is running. You might want to turn it off and see if that
solves the issue. Start>Run services.msc [enter] and scroll down to the
Indexing Service.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
Anonymous
June 28, 2005 1:52:07 PM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

Having difficulty posting a question, so I hope I have not done the wrong
thng by intruding on another subject. When I press "new" and question, I get
nothing. Anyway, my question is: Recently I downloaded a photo editing
program Ulead photosmart. When I went to install the program, I got the
message "not a valid win 32 application. Can anyone tell me what is going on
here. I thought the Ulead programmes would be suitable for windows XP
June 28, 2005 4:49:14 PM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

Pam from Oz wrote:

>
> Having difficulty posting a question, so I hope I have not done the
> wrong
> thng by intruding on another subject. When I press "new" and
> question, I get
> nothing. Anyway, my question is: Recently I downloaded a photo
> editing
> program Ulead photosmart. When I went to install the program, I got
> the
> message "not a valid win 32 application. Can anyone tell me what is
> going on
> here. I thought the Ulead programmes would be suitable for windows XP

Hi, Pam. Actually it isn't a good idea to hijack someone else's thread.
It really limits your chances of getting an answer. I only looked at
this thread (which is finished) because I participated in it. The
reason you are having trouble posting is because you are using the web
interface, which is terrible. Let me give you info on how to use a
newsreader, and then I'll address the Ulead issue.

A. Newsgroups

Since you are using the web interface, you may not realize that this is
really a newsgroup. You will get far more out of this resource if you
learn to use a newsreader. There are many good newsreaders for Windows,
but you can use Outlook Express since you already have it. Here are
some links to information about newsgroups:

http://www.elephantboycomputers.com/page3.html#12-09-02 - a brief
explanation of newsgroups
http://michaelstevenstech.com/outlookexpressnewreader.h...
http://rickrogers.org/setupoe.htm
http://support.microsoft.com/default.aspx?scid=/support...
- Set Up Newsreader

http://www.dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html
http://aumha.org/nntp.htm - list of MS newsgroups
microsoft.public.test.here - MS group to test if your newsreader is
working properly
http://www.mailmsg.com/SPAM_munging.htm - how to munge email address
http://www.blakjak.demon.co.uk/mul_crss.htm - multiposting vs.
crossposting

B. Ulead

What version of Ulead? Is it an old program? If it is old, it may not be
support by XP. If everything else is working well on your computer, I
would check with the program's tech support. Here's a link:

http://www.ulead.com/tech/techsupport.htm

If you need more help, get your newsreader set up and make a new post.
Take the time to go to the "goodpost" and "smart-questions" links
first.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
Anonymous
June 28, 2005 5:11:12 PM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

"Malke" wrote:

> Pam from Oz wrote:
>
> >
> > Having difficulty posting a question, so I hope I have not done the
> > wrong
> > thng by intruding on another subject. When I press "new" and
> > question, I get
> > nothing. Anyway, my question is: Recently I downloaded a photo
> > editing
> > program Ulead photosmart. When I went to install the program, I got
> > the
> > message "not a valid win 32 application. Can anyone tell me what is
> > going on
> > here. I thought the Ulead programmes would be suitable for windows XP
>
> Hi, Pam. Actually it isn't a good idea to hijack someone else's thread.
> It really limits your chances of getting an answer. I only looked at
> this thread (which is finished) because I participated in it. The
> reason you are having trouble posting is because you are using the web
> interface, which is terrible. Let me give you info on how to use a
> newsreader, and then I'll address the Ulead issue.
>
> A. Newsgroups
>
> Since you are using the web interface, you may not realize that this is
> really a newsgroup. You will get far more out of this resource if you
> learn to use a newsreader. There are many good newsreaders for Windows,
> but you can use Outlook Express since you already have it. Here are
> some links to information about newsgroups:
>
> http://www.elephantboycomputers.com/page3.html#12-09-02 - a brief
> explanation of newsgroups
> http://michaelstevenstech.com/outlookexpressnewreader.h...
> http://rickrogers.org/setupoe.htm
> http://support.microsoft.com/default.aspx?scid=/support...
> - Set Up Newsreader
>
> http://www.dts-l.org/goodpost.htm
> http://www.catb.org/~esr/faqs/smart-questions.html
> http://aumha.org/nntp.htm - list of MS newsgroups
> microsoft.public.test.here - MS group to test if your newsreader is
> working properly
> http://www.mailmsg.com/SPAM_munging.htm - how to munge email address
> http://www.blakjak.demon.co.uk/mul_crss.htm - multiposting vs.
> crossposting
>
> B. Ulead
>
> What version of Ulead? Is it an old program? If it is old, it may not be
> support by XP. If everything else is working well on your computer, I
> would check with the program's tech support. Here's a link:
>
> http://www.ulead.com/tech/techsupport.htm
>
> If you need more help, get your newsreader set up and make a new post.
> Take the time to go to the "goodpost" and "smart-questions" links
> first.
>
> Malke
> --
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic!"
> MS-MVP Windows - Shell/User
>
Anonymous
June 29, 2005 11:22:37 AM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

On Sun, 26 Jun 2005 04:53:02 -0700, usasma
<usasma@discussions.microsoft.com> wrote:

>If using XPPro, run the command
>
>tasklist /svc
>
>at the command prompt. Find the PID number of the svchost.exe that's
>causing the activity and look it up in the above command prompt window.
>
>Let us know what the items listed under services in the far right column
>are and someone should be able to let you know if they're benign or malicious.

Tasklist.exe gives:

svchost.exe 956 AudioSrv, CryptSvc, Dhcp, ERSvc,
EventSystem, helpsvc, lanmanserver,
lanmanworkstation, Netman,Nla,RasMan,
Schedule, seclogon,SENS,SharedAccess,
ShellHWDetection, srservice, TapiSrv,
Themes, TrkWks, W32Time, winmgmt,
wscsvc,wuauserv

Thats tidied up more or less as it appears in the command window,
after pasting it actually looked like this:

svchost.exe 956 AudioSrv, CryptSvc, Dhcp, ERSvc,
EventSystem, helpsvc, lanmanserver,
lanmanworkstation, Netman, Nla,
RasMan,
Schedule, seclogon, SENS,
SharedAccess,
ShellHWDetection, srservice, TapiSrv,
Themes, TrkWks, W32Time, winmgmt,
wscsvc,
wuauserv

Jorolat

>
>"John Latter" wrote:
>
>> I don't know much about computers but I seem to be having a lot of
>> disc activity since changing my hard drive and reinstalling windows
>> xp.
>>
>> I've been to windows task manager & have enabled I/O Read Bytes & I/O
>> Write bytes.
>>
>> When I'm doing nothing the following 3 programs are constantly
>> changing. I've been online for about 3 hours now & these are the
>> approximate figures:
>>
>> ashserve.exe (Avast antivirus):
>>
>> read: 4,700,000,000 write: 3,700,000
>>
>> svhost.exe:
>>
>> read: 705,000,000 write: 718,000,000
>>
>> lsass.exe:
>>
>> read: 1,010,000 write: 540,000
>>
>> Today is the 1st time my firewall reporeted that lsass requested
>> internet access though this disc activity has been noticable since
>> doing the reinstall.
>>
>> Any help or advice would be appreciated!
>>
>>

--

John Latter

Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
http://members.aol.com/jorolat/TEM.html

'Where Darwin meets Lamarck?' Discussion Egroup
http://groups.yahoo.com/group/evomech
!