System PID 4 has high read and write to disk when unzipping large file

%3CLINGO-SUB%20id%3D%22lingo-sub-2190570%22%20slang%3D%22en-US%22%3ESystem%20PID%204%20has%20high%20read%20and%20write%20to%20disk%20when%20unzipping%20large%20file%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2190570%22%20slang%3D%22en-US%22%3E%3CP%3EI%20had%20a%20large%20rar%20file%20that%20i%20had%20for%20a%20large%20amount%20of%20data%20that%20i%20compressed%20before%20i%20carried%20out%20a%20fresh%20install%20of%20Windows%20Server%202022%20build%2020298.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIts%20seems%20that%20when%20I%20was%20extracting%20this%20using%20either%20winrar%20or%207%20zip%2C%20I%20could%20see%20high%20read%20and%20write%20to%20the%20extracted%20files%20by%20the%20'System'%20PID%204.%26nbsp%3B%20I%20have%20no%20idea%20what%20is%20doing%20this%2C%20I%20thought%20maybe%20the%20defender%20real-time%20protection%20may%20have%20been%20the%20culprit%20but%20disabling%20this%20didn't%20seem%20to%20change%20anything.%26nbsp%3B%20I%20wouldn't%20have%20noticed%20but%20I%20was%20trying%20to%20use%20the%20pc%20while%20it%20was%20extracting%20and%20it%20was%20becoming%20unresponsive.%26nbsp%3B%20Looking%20into%20it%2C%20it%20seemed%20that%20the%20files%20were%20not%20being%20extracted%20quickly%20(seemed%20System%20PID%204%20was%20hogging%20the%20disk).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20also%20have%20an%20issue%20when%20writing%20large%20amount%20of%20data%20to%20my%20RAID1%20drives.%26nbsp%3B%20It%20starts%20fast%20but%20then%26nbsp%3B%20slows%20right%20down.%20I%20assumed%20it%20was%20because%20the%20hardware%20RAID%20kicked%20where%20it%20may%20be%20trying%20to%20read%20from%20one%20drive%20and%20mirroring%20to%20the%20other.%26nbsp%3B%20But%20the%20above%20PID%204%20stuff%20was%20on%20my%20NVMe%20SSD%20which%20is%20not%20RAID%20and%20contains%20the%20OS.%20So%20it%20s%20possible%20that%20copying%20to%20the%20RAID%20drives%20is%20not%20a%20RAID%20issue%20but%20related%20to%20the%20PID%204%20activity.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20help%20here%20would%20be%20appreciated.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2190570%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Esystem%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2218531%22%20slang%3D%22en-US%22%3ERe%3A%20System%20PID%204%20has%20high%20read%20and%20write%20to%20disk%20when%20unzipping%20large%20file%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2218531%22%20slang%3D%22en-US%22%3EHello%20there%2C%3CBR%20%2F%3E%3CBR%20%2F%3E%20thanks%20for%20the%20feedback.%20For%20us%20to%20investigate%20more%2C%20can%20you%20help%20us%20out%20and%20collect%20some%20logs%20for%20us.%20%3CBR%20%2F%3E%3CBR%20%2F%3E%20Can%20you%20please%20run%20this%2C%20send%20us%20the%20results%2C%20so%20we%20can%20take%20a%20better%20look%20at%20what%20is%20going%20on%20here%3A%3CBR%20%2F%3E%20stordiag.exe%20-collectEtW%20-collectPerf%20-out%20%3CLOG%20file%3D%22%22%20path%3D%22%22%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%20Since%20Windows%20Server%20doesn't%20have%20Feedbackhub%2C%20you%20would%20need%20to%20copy%20over%20your%20logs%20to%20a%20Windows%20client%20machine%20and%20file%20a%20feedback.%20While%20filing%20the%20feedback%2C%20please%20chose%20the%20Category%20as%20%22Windows%20Server%22%20and%20the%20sub%20category%20as%20%22Storage%22.%20In%20the%20%22Add%20more%20Details%22%20step%20you%20would%20have%20an%20option%20to%20attach%20the%20logs.%20%3CBR%20%2F%3E%3CBR%20%2F%3EThanks.%3C%2FLOG%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

I had a large rar file that i had for a large amount of data that i compressed before i carried out a fresh install of Windows Server 2022 build 20298.  

 

Its seems that when I was extracting this using either winrar or 7 zip, I could see high read and write to the extracted files by the 'System' PID 4.  I have no idea what is doing this, I thought maybe the defender real-time protection may have been the culprit but disabling this didn't seem to change anything.  I wouldn't have noticed but I was trying to use the pc while it was extracting and it was becoming unresponsive.  Looking into it, it seemed that the files were not being extracted quickly (seemed System PID 4 was hogging the disk).

 

I also have an issue when writing large amount of data to my RAID1 drives.  It starts fast but then  slows right down. I assumed it was because the hardware RAID kicked where it may be trying to read from one drive and mirroring to the other.  But the above PID 4 stuff was on my NVMe SSD which is not RAID and contains the OS. So it s possible that copying to the RAID drives is not a RAID issue but related to the PID 4 activity.

 

 

Any help here would be appreciated.

 

1 Reply
Hello there,

thanks for the feedback. For us to investigate more, can you help us out and collect some logs for us.

Can you please run this, send us the results, so we can take a better look at what is going on here:
stordiag.exe -collectEtW -collectPerf -out <log file path>

Since Windows Server doesn't have Feedbackhub, you would need to copy over your logs to a Windows client machine and file a feedback. While filing the feedback, please chose the Category as "Windows Server" and the sub category as "Storage". In the "Add more Details" step you would have an option to attach the logs.

Thanks.