Constant HD thrashing, dozens of Security log events per hour (audit success, logon, special logon)

OS Win 8.1 standalone user on home network.

My wife's new computer is having CONSTANT HDD thrashing. Check Security event logs and find MANY entries for "Audit Success", Microsoft Windows Security Auditing, Event ID 4672 Special Logon, 4624 Logon, and 4797 User Account Management. As many as 30 per hour. Also "Audit Policy change", as many as hundreds with the same date/time stamp.

This activity goes on constantly, even if she has not been at her computer for a few hours. If I turn off our home network it stops. When I restart the network (issues a new IP address) it takes a while for the activity to resume. All of which create suspicion that it might be spoofed testing from outside. Some posters say "If you are not having a problem, ignore it" but security concerns aside, the constant HDD thrashing (audible) is very annoying (and wearing to the HDD).  Thanks

June 20th, 2015 5:46pm
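
An added example, not part of any post in this thread: one way to see what is generating the event IDs named in the post above (4624, 4672, 4797) is to count them and group the 4624 logons by logon type, account, source address and process. It assumes an elevated PowerShell prompt on the affected machine; the 24-hour window is an arbitrary choice.

```powershell
# Added example: summarise recent logon-related Security events.
# Run elevated; reading the Security log requires administrator rights.
$since  = (Get-Date).AddHours(-24)   # assumed window, adjust as needed
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4672, 4797
    StartTime = $since
} -ErrorAction SilentlyContinue

# Volume per event ID
$events | Group-Object Id | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# For each 4624 event, read the named fields out of the event XML
$logons = foreach ($e in $events | Where-Object Id -eq 4624) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        LogonType = $data['LogonType']       # 2 interactive, 3 network, 5 service, 10 remote interactive
        Account   = $data['TargetUserName']
        Source    = $data['IpAddress']       # "-" when the logon did not come over the network
        Process   = $data['ProcessName']
    }
}

# Which combination of logon type, account, source and process dominates?
$logons | Group-Object LogonType, Account, Source, Process |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize -Wrap
```

Logon type 5 entries with no source address are services starting locally, while logon type 3 entries that carry a source address arrived over the network.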

I would start by running a Malwarebytes scan (just to be sure).

Please download the free version of Malwarebytes. Update it immediately.
Do a full system scan
Let us know the results at the end.

http://www.malwarebytes.org/products


If that comes back clean I would run a system file check

Please run a system file check (SFC) & DISM (if necessary) if you are on win 8 or higher
All instructions are in our Wiki article below...
Should you have any questions please ask us.

System file check (SFC) Scan and Repair System Files

June 20th, 2015 10:45pm

My wife's new computer is having CONSTANT HDD thrashing.

If you want a guess take a look at your Search Indexing.  Incredibly even with the amount of RAM we can now have I have seen that process still causing thrashing, maybe not as bad as it once was in XP when I only had 256 MB for it to fill and abuse but still really bad performance.  We can't even change its priority but we can still disable it, so that is something that I have had to do on occasion still (e.g. via sc config wsearch start= disable).  Note that simply stopping it (e.g. via net stop wsearch) provides only extremely temporary relief from its erratic excesses.  

BTW I have also had to do at least a stop of wsearch to try to avoid hangs in ProcMon if I need to do finds in it.  That is a new symptom I have had only recently.  I don't know what the relationship between finds in ProcMon and indexing might be but there certainly seems to be one.

FYI

June 21st, 2015 9:39am
