Server 2003 Doing Something Odd with Files/Folders (Timed)

[debbiezzzzz]

Hello,

One of our 2003 Servers is doing something odd that severely hinders Hard Drive and Server access at noted intervals during the day. (For example, about 9:37AM it might start for 1/2 hour or so)

Access to the hard disks becomes constant and heavy. Running a program to monitor files, it appears EVERY directory on the drive is being "browsed or looked at" in sequential order. It will also write to the $mft file. After about 20 mins to 1/2 hour, it stops and the server is fine for hours again.

Any ideas? There is nothing in the scheduler, the process related to the directory browsing is "System:4", there are no odd processes running.

 

[Roadki11]

Couple ideas.

1. Antivirus scan
2. Indexing service
3. Shadow copy



RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen

 

[debbiezzzzz]

Hi Roadki11

Checked all 3 and it's not those either. (Thanks for your suggestions though.)

 

[Roadki11]

What about a 3rd party disk defrag program, could be scheduled or could run when a preset is reached say 15% of the disk is fragmented. What is the server used for, what software is installed on it?



RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen

 

[debbiezzzzz]

Checked 3rd party defrag and it's definately not running. It's primarily (sp?) a file server for shared folders. There are some printers on it as well, but we've check the queues during these "instances" and no print jobs were running. (Also nothing out of the ordinary in services utilizing the cpu at the time)

We have Etrust anti-virus (but it's not doing a scan at these times), Diskkeeper (but it's scheduled not to defrag at these times, and we've verified it's not running.)

Thanks!

D

 

[Roadki11]

Any idea what kind of raid you are running? have you looked at the event log for anything like I/O errors? The $MFT is the master file table, i am wondering if maybe a disk is going bad in the array and the raid is rebuilding itself. just fishing here.



RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen

 

[debbiezzzzz]

We're raid 5. We have the compaq management software reporting no errors at the time. Good suggestion though.

 

[Roadki11]

Well i am stumped, did you try kicking it?

RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen

 

[theravager]

Check in task manager one of the processes are going to be incrementing read and write bytes (you will need to add these column). Maybe be able to spot a bit of extra cpu usage as well.

Once you id the process there are a lot of tools to work out exactly whats going on depending on what its doing.

 

[technome]

Any possibility your array controller is running a disk scrub (disk surface check), though they generally run with low disk activity or scheduled. (unlikely)

Have you run chkdsk ?

"there are no odd processes running."
Maybe none the Os lets you see, malware and viruses are beyond this. Have you scanned from safe mode with a 3rd party virus scanner, Spybot etc

"Running a program to monitor files, it appears EVERY directory on the drive is being "browsed or looked at" in sequential order."
Sure sound like an AV scan. Any possibility AV client on the wks are scanning the network drive or profiles.



Have you tried Process Explorer....

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Process Monitor....

http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

........................................
Chernobyl disaster..a must see pictorial

http://www.kiddofspeed.com/default.htm

 

[debbiezzzzz]

Sorry I hadn't got back on this in a couple days. We wanted to make sure we checked EVERY workstations AV settings to make sure no-one was scanning network drives. We checked and no-one was.

About to try kicking it.... (Just kidding)

Going to install process explorer / monitor next.

Thanks for all the helpful suggestions. We did look at the process read/writes. About the only item really incrementing was the AV on the server. (Understandable as if something is opening files, we do scan them.) and the spooler.

 

[technome]

About to try kicking it.... (Just kidding)"
A friend takes machines upstate, and kills them with a .357 (not kidding)

"Going to install process explorer / monitor next."
At least you will be able to see what is going on in the background.


"Access to the hard disks becomes constant and heavy. Running a program to monitor files, it appears EVERY directory on the drive is being "browsed or looked at" in sequential order.
Wonder if their is a delay on the network, which is causing slow requests/responses on the server. The "browsing may be normal, but not in a slow fashion due to delays.
Have you pathpinged from a wks to server and then in reverse. Same but wks to another wks.
Do you have managed switches, which you could monitor the ports for errors.


........................................
Chernobyl disaster..a must see pictorial

http://www.kiddofspeed.com/default.htm