Monday, 31 December 2018

malware - Windows 10 Disk Usage at 100% but no corresponding process shows in task manager

Over the past month (possibly more), I have noticed that my laptop (running Windows 10) frequently becomes almost unusably slow, especially after many days of not having turned it on.


I notice that the disk usage in the task manager is at 100% for long periods of time, however this is ridiculous because even the sum of all the processes [that I can see...] could only approach about 5-10% in the generous case.


This is a development machine with 8GB RAM, i7 processor, plenty of space. There are almost no startup programs other than MS default programs (and even there I culled most of the non-essentials out of the startup list). I have also gone through and progressively disabled services such as BITS, Superfetch etc. to no observable effect.


What makes this more suspicious is the pattern in which it occurs - the issue is worst at startup after many days of the computer being physically disconnected and turned off. The startup time is around 3-5 minutes (!) after which the disk runs at 100% usage for a few minutes and then for no explicable reason, suddenly drops down to around 1-5%. All this without showing any processes near full disk usage.


After around a month of investigating this, I am beginning to suspect the involvement of malware, particularly because of the discrepancy in the task manager but also because of how the issue suddenly corrects itself. I should also note that the computer runs AVG Free edition and scans of the computer and anti-rootkit are coming up clean. That being said, I want to pursue the possibility that this could be malware connecting and updating itself, or even worse, exfiltrating data [or even worse, chewing my disk to encrypt my files while telling me everything is OK]?


Currently I do not observe an irregular amount of network traffic which would support the exfiltration theory, however it is also possible to hide this from the task manager / wireshark using a rogue driver.


I have a number of questions:



  1. Does this pattern of behavior fit any known malware / APT threats?

  2. Supposing I were to continue this into the forensics direction, what further steps could be taken to investigate and validate the drivers on the machine?

  3. What steps beyond task manager can I take in order to monitor and identify the process which is actually responsible for the 100% disk usage?

  4. Are there any legitimate / Windows reasons this might be occurring and if so, how can I narrow down and isolate the problematic components?

No comments:

Post a Comment

Where does Skype save my contact's avatars in Linux?

I'm using Skype on Linux. Where can I find images cached by skype of my contact's avatars? Answer I wanted to get those Skype avat...