Determining Where All Of Those Disk Writes are Coming From


I did a quick performance study on an SBS 2003 server and found that Disk Writes were causing a bottleneck for the server. If you’d like to know how I determined that, see the blog post Discovering Disk I/O is a Problem at

This procedure is appropriate for any Windows server, not just SBS 2003.

We’re lucky in SBS 2003 in that there is already a populated Group Policy that enables auditing, because Object Access Auditing is what we’re going to use to determine whether or not the disk writes happening on our server are from a legitimate source. If you don’t have an auditing Group Policy, I would suggest creating one. It’s nice to be able to set the policy for all servers in your network when you’re doing a bottleneck study like this one. In our case there were three servers on the network and we investigated all of them. This blog post will focus on the SBS 2003 server.

The first step was to edit the Small Business Server Auditing Policy. I changed Audit Object Access from Not Defined to Success, then ran gpupdate /force to push the updated policy out to my servers. Setting this Group Policy allows me to choose which folders to audit on my server.


The second step is to configure my security log. The audit policy results will post events into that log file.

In Event Viewer, open the properties of the Security log and set the Maximum log size to a number large enough to accommodate the events for the period that you want to capture. This log file is likely to be big, so I would make it at least double the default, if not more. For the duration of this study you will also want to make sure that the log file doesn’t get overwritten, so choose Do not overwrite events. Remember to change your settings back when you are finished reviewing the log files.


The third step is to turn on auditing for the folders that you want to record. In my case, we are interested in disk writes, so the folders I am going to target are the places where applications and users store their data.

Choose a data folder and view its properties. Select the Security tab and press the Advanced button. In the Advanced Security Settings move to the Auditing tab. Press the Add button and select the events that you’d like to monitor. I chose Traverse Folder/Execute File, List Folder/Read Data, Create Files/Write Data and Create Folders/Append Data. Be sure to choose as few as required to get the information you need. The log files in auditing operations can become huge if you’re not careful. Apply your settings and repeat this for each folder that you want to audit.


Step four is to wait. You now wait for the file access to occur and be logged to the security log.

Step five is to review the security log to determine where the disk writes are coming from. This is the hard part. It’s a manual sift through the audit logs to determine the ratio and frequency of writes from all of the various sources. I thought I was looking for a single source of a huge number of disk writes to the server, and I did indeed find one.

In my case it was the time clock software, receiving data from the physical and software time clocks through IIS, writing that data to its database and updating its reporting engine. It’s a very busy application bustling with data moving from here to there and back again. We found the cause of our disk bottleneck. Now to make a recommendation on what to do about it.
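The manual sift in step five can be scripted on newer servers. The following is an added example, not part of the original post: it tallies audited write events per process and shows each process's share and busiest folders. It assumes Windows Server 2008 or later (where file access audits are logged as event ID 4663 rather than the 560-series events of Server 2003), PowerShell 3.0 or later, and an elevated prompt; the `$Since` and `$Top` parameters are illustrative names.

```powershell
# Added example: summarize audited file writes in the Security log by process.
# Assumptions: event ID 4663 (Server 2008+), PowerShell 3.0+, elevated prompt.
param(
    [datetime]$Since = (Get-Date).AddHours(-24),   # start of the study window
    [int]$Top = 15                                  # how many processes to list
)

# File access-mask bits matching the audit entries selected on the folder.
$WriteData  = 0x2   # Create Files / Write Data
$AppendData = 0x4   # Create Folders / Append Data

$filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }

$writes = Get-WinEvent -FilterHashtable $filter | ForEach-Object {
    # Read the named EventData fields instead of parsing the message text.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    # AccessMask is logged as a hex string such as 0x2.
    $mask = [Convert]::ToInt32($data['AccessMask'], 16)
    if ($data['ObjectType'] -eq 'File' -and ($mask -band ($WriteData -bor $AppendData))) {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Process = $data['ProcessName']
            User    = $data['SubjectUserName']
            Folder  = [System.IO.Path]::GetDirectoryName($data['ObjectName'])
        }
    }
}

# Ratio of writes per process, with the three folders each one writes to most.
$total = @($writes).Count
$writes | Group-Object Process | Sort-Object Count -Descending |
    Select-Object -First $Top | ForEach-Object {
        [pscustomobject]@{
            Process = $_.Name
            Writes  = $_.Count
            Share   = '{0:P1}' -f ($_.Count / $total)
            Folders = ($_.Group | Group-Object Folder | Sort-Object Count -Descending |
                       Select-Object -First 3 -ExpandProperty Name) -join '; '
        }
    } | Format-Table -AutoSize -Wrap
```

Because only folders with auditing enabled generate these events, the shares are relative to the audited folders, not to all disk activity on the server.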


So who wrote this blog and what do they do for a living anyway?
We’re Third Tier. We provide advanced Third Tier support for IT Professionals.