Could Process Lasso be improved to stop Windows 10 waking up offline drives?

Started by LoneRanger, December 28, 2017, 08:12:15 AM

Previous topic - Next topic

LoneRanger

Hi all,

First of all thank you very much for what is already a very useful program. I've signed up to ask the question in the title because nobody seems to have a solution for what is going on. To explain:


----

Normally I can find a solution or workaround for most things by searching the web or trial and error but this has me stumped. The clues as to the culprit are these logs in Event Viewer, which always coincide with the drives spinning up:


    svchost (3212,G,0) The beta feature EseDiskFlushConsistency is enabled in ESENT due to the beta site mode settings 0x800000.

    svchost (2884,G,0) The beta feature EseDiskFlushConsistency is enabled in ESENT due to the beta site mode settings 0x800000.

    taskhostw (5108,G,0) The beta feature EseDiskFlushConsistency is enabled in ESENT due to the beta site mode settings 0x800000.


Windows Search is disabled, Indexing disabled (all drives), Write Caching disabled (on mech drives), Superfetch disabled. Mech drives are an exception in Windows Defender as well. Even happens with the mech drives marked offline, which I find barmy.

In Power Options I have the hard drives set to turn off after 10 minutes (doesn't matter if 1 minute or 20 or anything) but the event keeps turning them on a few minutes after.

Now, the drives aren't unhealthy noisy, but they are a bit noisy. With a quiet fan profile the "hoom.... hoom" is noticeable. I wouldn't mind hearing them when I'm actually writing to or reading from them but not all the time. Aware I could also bungee them to reduce noise, and perhaps will, but I think it would be good/better to find the cause of this as I don't like the idea of the drives unnecessarily being made to work in the first place.

----


So I was wondering if Process Lassoo could identify what is going on and then help prevent it, and include this as a new feature which would help a lot of people with this issue (if you search for "EseDiskFlushConsistency" and "Win 10 waking up my drives etc").

Thank you for reading.

Jeremy Collake

Honestly, my first reaction is (aside from thanks for the compliments!) is that this is outside the purview of Process Lasso, but that doesn't mean it is something I am unwilling to explore or tackle with alternate applications. After all, despite the current design of the web site, there are actually a plethora of Bitsum apps.

So the event log message gives clues that you've already attempted to address. Namely, Windows Search / File-system Indexing and Write-caches. Having both of those disabled would presumably fix the issue, but what the heck is 'beta site mode' ... Best info I see is here: https://www.reddit.com/r/Dell/comments/78abzl/beta_feature_in_windows_update/

I assume you aren't using a page file on these disks? Surely not, and presumably the SQLite database used for file-system indexing is stored on the OS partition.

So we have to check closer. How do we do this?

I would give Process Monitor (procmon from SysInternals) a try. We want to try to find the API calls or device driver IOCTLs that are responsible for the disk access and trace it back from there. So turn on the file-system/disk monitoring, turn off the rest, and see if it shows anything. The log can get huge really fast, so try to target it to the problematic periods, filter out irrelevant categories and processes, and ensure you have plenty of free RAM for best performance.

If that doesn't work, there are other monitoring solutions. It is a bit of a specialized need. I am not sure how many have this problem. The more that do, the more interested I'd be in developing something to trace the culprit...

If you discover a solution during your own research and efforts then please do post it here to satisfy my curiosity! If I think of any clues or develop an epiphany, I'll similarly post it.
Software Engineer. Bitsum LLC.

LoneRanger

Grateful for the reply and your possible interest, Jeremy. Also appreciate your being upfront that no promises and that it'd have to be worthwhile for you to devote time to this. Not trying to sweet talk, just respect that in people. Hopefully people interested in blocking unnecessary Windows 10 access to their extra storage drives and all that head parking and unparking will come across this thread and make their voices heard.

Since writing the opening post I've been monitoring and disabled some services that Process Lassoo helped me identify. It's an uphill struggle - when I disabled RasMan and Diagnostic Policy Service, which were the two main culprits (regularly, over days), their absence has been made up for with other services with the same rate of occurrence. Services that hardly showed up when RasMan and Diagnostic Policy Service were hogging the limelight. It really is like a Gopher Bash game - bash one and another pops out. Almost like Windows has a thousand ways to get what it wants (whatever that is) and can use different services/processes to achieve the same goal.

There is no page file at all (same with or without, and when there is a page file it's on the OS partition on another disk).

I believe Win 10 is doing this to every system, and it's only that it bothers some people, like myself, for the reasons stated. I checked two other computers today (not my own), and the same was going on. Obviously if anyone wishes to self-verify, they'll need to be able to identify the sound their storage drive makes, so they realize it's been woken even when marked offline. Unless they know other methods.

VSS, StorSvc and IAStorDataMgrSvc have also been disabled (and uninstalled too in the latter's case). Everything working fine except the issue continues.

I intend to give Process Monitor a go. Thank you for suggesting it. Will certainly post here if any solution is found or simply to share any interesting findings, for anyone interested.


edkiefer

Quote from: LoneRanger on December 28, 2017, 08:12:15 AM
Hi all,

First of all thank you very much for what is already a very useful program. I've signed up to ask the question in the title because nobody seems to have a solution for what is going on. To explain:


----

Normally I can find a solution or workaround for most things by searching the web or trial and error but this has me stumped. The clues as to the culprit are these logs in Event Viewer, which always coincide with the drives spinning up:


    svchost (3212,G,0) The beta feature EseDiskFlushConsistency is enabled in ESENT due to the beta site mode settings 0x800000.

    svchost (2884,G,0) The beta feature EseDiskFlushConsistency is enabled in ESENT due to the beta site mode settings 0x800000.

    taskhostw (5108,G,0) The beta feature EseDiskFlushConsistency is enabled in ESENT due to the beta site mode settings 0x800000.


Windows Search is disabled, Indexing disabled (all drives), Write Caching disabled (on mech drives), Superfetch disabled. Mech drives are an exception in Windows Defender as well. Even happens with the mech drives marked offline, which I find barmy.

In Power Options I have the hard drives set to turn off after 10 minutes (doesn't matter if 1 minute or 20 or anything) but the event keeps turning them on a few minutes after.

Now, the drives aren't unhealthy noisy, but they are a bit noisy. With a quiet fan profile the "hoom.... hoom" is noticeable. I wouldn't mind hearing them when I'm actually writing to or reading from them but not all the time. Aware I could also bungee them to reduce noise, and perhaps will, but I think it would be good/better to find the cause of this as I don't like the idea of the drives unnecessarily being made to work in the first place.

----


So I was wondering if Process Lassoo could identify what is going on and then help prevent it, and include this as a new feature which would help a lot of people with this issue (if you search for "EseDiskFlushConsistency" and "Win 10 waking up my drives etc").

Thank you for reading.
I just checked my 1703 Win10 install and I don't have any of those event error logs.
I do have some ESENT ones but not same as you, no errors just starting/stopping a database mainly.
I do have Indexing, search, VSS services running but i am on SSD (850evo) for main drive and WD black for secondary drive.

I do disable all "wake this device" options in Device manager for ever one except mouse an KB.
Bitsum QA Engineer

LoneRanger

Hi Ed,

1709 version here.

The numbers for the Esent events change every startup, and are different on each computer. And I should clarify - they are not error logs, just events in Event Viewer > Windows logs > Application, which coincide with the disks starting up. Also noticed on a few occasions, the disks would start up (without opening File Explorer or anything that should user-manually startup the disks) with no such log created.

After using Process Monitor as Jeremy suggested, it seems Defender was accessing the two mech drives all the time. Creating a file, then reading it. I've disabled Defender now. No respect, no stay. I told it to exclude the drives and it didn't respect my choice. Now using Avast. Will update in a few days.


edkiefer

Quote from: LoneRanger on December 31, 2017, 08:58:22 AM
Hi Ed,

1709 version here.

The numbers for the Esent events change every startup, and are different on each computer. And I should clarify - they are not error logs, just events in Event Viewer > Windows logs > Application, which coincide with the disks starting up. Also noticed on a few occasions, the disks would start up (without opening File Explorer or anything that should user-manually startup the disks) with no such log created.

After using Process Monitor as Jeremy suggested, it seems Defender was accessing the two mech drives all the time. Creating a file, then reading it. I've disabled Defender now. No respect, no stay. I told it to exclude the drives and it didn't respect my choice. Now using Avast. Will update in a few days.
Yup, that is where I found the ones I mentioned above.
It could very  well be a 1709 issue, its one reason I didn't upgrade my main system, still pretty buggy.
On Defender disable thing, I don't think you can do it for long with the settings in settings. If you got Pro version group policy I think has permanent one, but maybe it will stay long enough off to test.
Bitsum QA Engineer

LoneRanger

Have the Pro version and did it through Group Policy, yes. It's looking good so far, only a few ESENT events on restart which seems normal, and then none for an hour till I opened CrystalDiskInfo. That's already longer than ever without these events.

edkiefer

Ok, If that works then maybe try defender with just the real-time scanner option enabled and all other options off (cloud based and sample submissions off).
I did add MsMpEng.exe to exclude list.
Some users had issues with this were it would slow down system, or hang a bit (I forget details now).

So you can try that and see if it works better.
Bitsum QA Engineer