Hard disks
belk, 2010-11-29 18:54:17

Monitoring access to the hard disk

The computer has an SSD and a RAID array of two hard drives; Windows 7 Professional x64 is on the SSD. When starting the calculator, there is a delay of 10 seconds, during which you can hear the hard drives spinning up. But the array contains only games, backups, software distributions and virtual machines, nothing system-related. The swap file is also on the SSD.

D:\>dir /B
Backup
Games
Temp
Virtual Machines
VS_EXPBSLN_x64_enu.CAB
VS_EXPBSLN_x64_enu.MSI

D:\>dir /A:H /B
$RECYCLE.BIN
System Volume Information

What program can track what the system accesses when starting the calculator?

UPD: I started Process Monitor (FileMon is now part of it), set the disk stop timer to 1 minute. As it turned out, calc.exe does not access the RAID, but two other disks. Can anyone explain this?
Log


3 answer(s)
amirul, 2010-11-30
@belk

Someone (anti-virus?) opened music in the context of the calculator process - Windows remembered this and now every time it prefetches this music before starting the calculator.
del %SystemRoot%\Prefetch\calc.exe*.pf
From the console should help. If it repeats - xperf with stack traces when accessing files and see who gets caught.
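Before the .pf file is deleted as suggested above, the paths Windows recorded for calc.exe can be read out of it to see which ones sit on another volume. This is an added example, not code from the thread: the header offsets follow the publicly reverse-engineered layout of Windows 7 (version 23) prefetch files and are an assumption, and the sample bytes and the helper names (`parse_prefetch`, `off_volume_paths`, `build_sample`) are constructed for illustration.

```python
import struct

HEADER_FMT = "<I4sII60sII"  # version, "SCCA", unknown, size, exe name, hash, flags
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 84 bytes; file-information block follows
NAMES_FIELD = HEADER_LEN + 16  # assumed: filename-strings offset, then size (2 x u32)

def parse_prefetch(data):
    """Return (exe_name, [recorded paths]) from an uncompressed version-23 .pf blob."""
    if len(data) < NAMES_FIELD + 8:
        raise ValueError("truncated prefetch data")
    version, sig, _, _, raw_name, _, _ = struct.unpack_from(HEADER_FMT, data)
    if sig != b"SCCA" or version != 23:
        raise ValueError("not a Windows 7 (version 23) prefetch file")
    off, size = struct.unpack_from("<II", data, NAMES_FIELD)
    if off + size > len(data):
        raise ValueError("filename block runs past end of file")
    exe = raw_name.decode("utf-16-le", "replace").split("\0", 1)[0]
    blob = data[off:off + size].decode("utf-16-le", "replace")
    return exe, [p for p in blob.split("\0") if p]

def volume_of(path):
    # \DEVICE\HARDDISKVOLUME2\WINDOWS\... -> \DEVICE\HARDDISKVOLUME2
    return "\\".join(path.upper().split("\\")[:3])

def off_volume_paths(exe, paths):
    """Paths on a different volume than the executable itself."""
    home = next((volume_of(p) for p in paths
                 if p.upper().endswith("\\" + exe.upper())), None)
    if home is None:          # executable not listed: hide nothing
        return list(paths)
    return [p for p in paths if volume_of(p) != home]

def build_sample():
    """Constructed bytes standing in for CALC.EXE-<hash>.pf (not a real capture)."""
    names = ["\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
             "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\CALC.EXE",
             "\\DEVICE\\HARDDISKVOLUME5\\MUSIC\\TRACK01.MP3",
             "\\DEVICE\\HARDDISKVOLUME6\\MUSIC\\TRACK02.MP3"]
    strings = ("\0".join(names) + "\0").encode("utf-16-le")
    off = 0x100
    head = struct.pack(HEADER_FMT, 23, b"SCCA", 0, off + len(strings),
                       "CALC.EXE".encode("utf-16-le"), 0, 0)
    info = struct.pack("<6I", 0, 0, 0, 0, off, len(strings))
    return (head + info).ljust(off, b"\0") + strings

if __name__ == "__main__":
    exe, paths = parse_prefetch(build_sample())
    for p in off_volume_paths(exe, paths):
        print(exe, "->", p)
```

On a real machine, pass the bytes of the matching file under `%SystemRoot%\Prefetch` (read from an elevated prompt) to `parse_prefetch` instead of `build_sample()`.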

Dmitry Koshelenko, 2010-11-29
@GomelHawk

The FileMon program seems to be monitoring program launches ...

NanoDragon, 2010-11-29
@NanoDragon

What passions.
There is no rootkit code in calc.exe... This rootkit collects information about copyright infringement. It analyzes the downloaded content and the music folder. For this reason it also accesses these disks.
This is the only reasonable conclusion that can be drawn. G)
