MSMpEng writes?

Any idea why MsMpEng would be writing almost as many bytes as it reads?

See the attached image.

This occurred just after waking the machine from sleep and firing up Outlook and IE8.

Gary

 

Are you doing an active scan at the moment of this screen shot? Maybe an update?

Are you downloading or installed a program? Since WinDefend has active scanning, it may be viewing the file as it is examined.

It is not normal, for what it is worth.

 

But my question is why would MsMpEng.exe be writing at all?? I rarely reboot my machine, I just put it to sleep so the high number of bytes read makes sense. But the writes? What is the engine writing???

Gary

 

Do you use Microsoft Security Essentials?

 

Yes. How does that explain the writes?

Gary

 

MSE creates restore points everytime it updates. The update might have initiated the write process.

 

Rajesh,

But would the restore point writes be attributed to MsMpEng.exe in task manager or would they be attributed to another task which MSE calls to do the restore point creation?

Gary

 

It's not the restore points, MSE has a bug where it can crank your CPU useage up to 100% with MsMpEng. I have experienced it on numerous occasions. You basically have to exclude MSE from itself! It's like a feedback loop.

Microsoft Security Essentials MsMpEng.exe using high CPU Time - 1st Byte Solutions

People kept calling heresy when I mentioned this, like I'm an idiot, but eventually it pops up when you use MSE. Try doing as that article suggests and see if it works for you.

 

Uh, who said anythig about a cpu issue? My original question was and still is why is MsMpEng doing so many disc writes, or ANY writes for that matter (other than its dictionary updates)? But even those don't account for it writing almost as much as it reads. Look at the attached image in the OP again.

Gary

 

CPU useage or disk writes. It's over-active. Try the method I linked to. I had similar issues across multiple machines until I came upon that "solution".

 

Thanks, but I am not seeing any spike in CPU use. I am trying to find out WHY the engine is doing any writes other than to update it's own dictionaries. The article you linked to doesn't give me any insight into that quest.

For the sake of argument, lets say I did what the article suggests and the number of data writes drops. That still wouldn't tell me WHY the engine is writing to the hard drive. I am looking for the reason, before I attempt to find a solution.

BTW how did you like the Hannspree Hannsbook? A colleague of mine just picked one up on Friday.

Gary

 

Or disable MSE for a bit and see if it stops. Then you'll know it's related to MSE at least and can go from there.

I love the Hannspree Hannsbook. I am reluctant to sell it but need the money to offset the M11x I bought to replace it, mainly because I want to ability to play a few games. Best little laptop I've ever used.

 

Did you look at the attachment in my first post in the thread??? I already know it is MSE that is doing the writes. I am just trying to find out WHAT it is writing. It makes no sense to me that a scanning engine should be writing almost as much data as it is reading. I would think it would be a lot more lopsided, leaning toward many many more reads than writes.

Gary

 

use a process and disk activity monitor such as those available from sysinternals and/or nirsoft to keep an eye on things.

You will not be able to capture the info you want in 'real time' just by looking at it. You are going to have to use a logging utility that records things for analysis.

 

Ok, so tonight I noticed the disk activity again so I started up the Resource Monitor and zeroed in on what the MSMpEng was doing. Take a look at the attached screen shot. The engine seems to be doing a scan, yet Microsoft Security Essentials is quiet, it is not scanning. But what the hell is that HUGE temp file being created?

Anyone have any clue what this is all about???

Gary

 

The temp file would have been created for the definition update before the scan.

 

The temp file is being written to AS the "scan" is taking place. But this raises two questions. First, what scan??? MSSE is NOT scanning right now, so what IS scanning? I can see it reading/scanning through my picture files right now. Second, why is it writing to this temp file WHILE it is reading my picture files?

Gary

 

I'm confused as you are saying a scan is not taking place, but then you say you can see it scanning your picture files.

It sure looks like it's scanning your pictures.

I think I can speculate on the temp file though--but of course, this is just speculation.

MSMpEng.exe is Microsofts catch all antivirus engine--you can see it in Microsoft Security Essentials, Windows Defender and even its corporate AV solution, Forefront.

Speaking about Forefront, but I am guessing the function occurs in MSE and Windows Defender, MSMPENg.exe on an initial scan creates a "fingerprint" of all the files as it scans them and records when it was last modified. On subsequent scans, if the fingerprint matches its record, it simply skips the file after an initial check. If the file is new or it has been altered, it performs a new scan, thorough scan of the file--if the file is ok, it adds the fingerprint to its database--if it is bad, it flags it as a virus.

As MSMpEng.exe is scanning My Pictures, a directory that changes quite frequently, perhaps it is building a temporary file of new fingerprints for the files there prior to adding/merging the new fingerprints into its database?

Just speculation....

 

gerryf19,

Coolguy (Rajesh) and I spent some time on Skype last night discussing this and yes it does appear that MSSE was actually scanning my files. I am using the new version (2.0) and the UI has changed such that when running a scheduled scan, the system tray Icon no longer shows any animation like it did in previous versions. That was why I thought I was NOT running a scan. So that mystery is solved. But the temp file one still exists. About 45 minutes after the scan started the writes to the temp file stopped.

Rajesh thought the temp file was related to updates to the MSSE signatures file. But that step of updating the signatures has to be done BEFORE the scanning can start. And indeed the logs files I found seem to bear that out. But I still can't figure out what that temp file was that was being created. Like I said it only happened thru PART of the scan. Latter, the scan continued on without the engine doing ANY writes.

I see no signs of any sort of fingerprints being created by MSSE, in fact it is fully scanning files (pictures) that have been on my machine unchanged for several years. Well I assume it is fully scanning them as it is reading them in their entirety, but I suppose it could be doing a checksum to compare against a fingerprint.

I'll continue to monitor this just to see if I can solve the "mystery".

Gary

 

So it's Saturday night/Sunday AM and my weekly mystery update. Tonight I caught the system while MSSE was doing its weekly quick scan. And captured the attached image of resource manager. (Capture.jpg)


You will notice that msseces.exe AND MSMpEng.exe are BOTH scanning files. But after the quickscan is done MsMpEng.exe continues to scan, once again my photo library. And once again is writing to this TEMP file. (Capture2.JPG)

So it is now obvious this MsMpEng.exe scan is NOT Microsoft Security Essentials. It did its weekly Quickscan and is done. And the "other" scan continues on. It's not some other app (like Picasa) scanning thru my photos and MsMpEng is just doing its normal real time virus scan of opened files. If it were that I would see some other EXE also reading the photos. But I don't.

The mystery continues!

Gary

 

According to this german website

msmpeng.exe ? Was ist msmpeng.exe?

MsMpEng.exe belongs to Windows Defender.

 

It does not "belong" to Windows Defender. Once you install Microsoft Security Essentials, Windows Defender is disabled. The MSMpEng.exe was also used by Windows Defender, that much is true. But it was not exclusive to Defender.

Gary

 

Do you have a different location than default for Temp files or do you perhaps regularly delete temp files?

 

It seems to me Windows Defender is included in MSE, but the MSMpEng.exe still belongs to Windows Defender.

 

-> if you read around, you'll find that that's the engine Microsoft uses.

It's the same in Windows Defender/MSE/Forefron/LiveOneCare -> just that the latter three replace Defender when installed.

 

Nope on both counts.

Gary

 

I don't know if it will show you anything more, but the next time it takes off scanning, you might want to run process monitor and see if it sheds anymore light on the mystery

Process Monitor

 

I did and it really didn't shed any more light. The Resource Monitor in Win7 is pretty good. Although having said that, maybe Process Explorer could show me what has CALLED MsMpEng. Anyone know if it does that?

Gary