#3779 Constant writing to Windows System Restore

  • Accepted

    last edited by Jarvis

    I mentioned this in another post, but I think it is worth its own case. Writing "last accessed" time information to all files scanned might be part of the cause of this issue.

    Reproduction steps: Run a full scan (iSwift/iChecker disabled for better reproducibility) of the system with Windows System Restore enabled.

    Actual result: During the scan Windows keeps writing new data to System Volume Information and MFT, mostly in many small bits instead of single large ones. As a consequence drive utilization is increased during scan (sometimes affecting scan performance) and System Restore is filled up with likely unnecessary data.

    Before scan:

    After scan = over 1 GB extra data written to disk just by scanning via KES:

    This also happens when KES trace file is disabled and also seems to happen while no temporary files are written to ProgramData by KES (scanning inside of archives).

    Expected Result: No write operations to scanned folders. Other AV solutions also offer an option to have AV scans not change "last accessed" times on files, which makes a lot of sense.

    System Settings

    Operating system: Win 10, x64

    System: 5900X, MSI X570, 16 GB, M.2 SSD

    Product: KES

    Product Version:

    Language: en-US

  • I reproduced this using Windows Defender. It seems that saving the AV cache files in ProgramData is mostly responsible for the increase of used-up System Restore space. So the first scan sees the largest increase, and consecutive scans show less increase and fewer SYSTEM write operations.

    Tests using DisableLastAccess seem to indicate that growth and writes are higher when last access times are enabled. It also seems that not only are some folder access times not updated, but also some file access times. This needs more testing, though.

    And then there is still the case where I saw AVP.exe write to scanned folders directly. This does not happen every time and I have to catch it again.

    Apart from all that, the highest drive utilization seems to happen when AVP writes its tempio files. It would be interesting to see what happens if AVP wrote all its temp files and preliminary cache files to appdata/local/temp or Windows/temp and only copied finished cache files over to ProgramData.

  • I am currently testing DisableLastAccess enabled and disabled. Things are not so easily reproducible with this one.

  • I wonder if "tempio" being in ProgramData instead of Appdata or Windows/temp might also have an impact? Not sure.
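The posts above test whether the NTFS DisableLastAccess policy changes how many metadata writes a read-only scan generates. The following PowerShell script is an added example for reproducing that check on a small constructed folder; it is not code from the thread, from KES or from Windows Defender. It assumes an elevated PowerShell 5.1+ session on Windows 10; the folder path and file contents are constructed for the test.

```powershell
# Added example: does reading files update NTFS "last accessed" timestamps on this machine?
# Assumptions: elevated PowerShell 5.1+ on Windows 10; $testDir is a constructed sample path.

# 1. Show the NTFS last-access policy. On Windows 10 1803+ the meaning of the value is:
#    0 = user managed, updates enabled   1 = user managed, updates disabled
#    2 = system managed, updates enabled 3 = system managed, updates disabled
fsutil behavior query DisableLastAccess

# 2. Create a small folder with a few constructed sample files.
$testDir = Join-Path $env:TEMP 'lastaccess-check'
New-Item -ItemType Directory -Path $testDir -Force | Out-Null
1..3 | ForEach-Object {
    Set-Content -Path (Join-Path $testDir "sample$_.txt") -Value ("constructed sample " + $_)
}

# 3. Push each file's last-access time two days into the past. NTFS only records a new
#    last-access time when it differs from the stored one by more than an hour, so a
#    freshly created file read a few seconds later would not show a change either way.
$twoDaysAgo = (Get-Date).ToUniversalTime().AddDays(-2)
$before = Get-ChildItem $testDir -File | ForEach-Object {
    $_.LastAccessTimeUtc = $twoDaysAgo
    [pscustomobject]@{ Name = $_.Name; Before = $_.LastAccessTimeUtc }
}

# 4. Read every file the way a scanner does: open for read, read all bytes, close.
Get-ChildItem $testDir -File | ForEach-Object {
    [void][System.IO.File]::ReadAllBytes($_.FullName)
}

# 5. Compare. Updated = True means a plain read produced an MFT timestamp write;
#    with updates disabled (policy 1 or 3) every row should show False.
$before | ForEach-Object {
    $after = (Get-Item (Join-Path $testDir $_.Name)).LastAccessTimeUtc
    [pscustomobject]@{
        Name    = $_.Name
        Before  = $_.Before
        After   = $after
        Updated = ($after -gt $_.Before)
    }
} | Format-Table -AutoSize
```

Run it once with the current policy, flip the policy with `fsutil behavior set DisableLastAccess 1` (or back with `0`), reboot, and run it again; the Updated column shows directly whether read-only scanning of these files still generates timestamp writes on the volume.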
