Constant writing to Windows System Restore
<hr />
<p>I mentioned this in another post, but I think it is worth its own case. Writing "last accessed" time information to all files scanned might be part of the cause of this issue.</p>
<p><strong>Reproduction steps: Run a full scan (iSwift/iChecker disabled for better reproducibility) of the system with Windows System Restore enabled.</strong></p>
<p><strong>Actual result: During the scan, Windows keeps writing new data to System Volume Information and the MFT, mostly in <em>many</em> small bits instead of single large ones. As a consequence, drive utilization is increased during the scan (sometimes affecting scan performance) and System Restore is filled up with likely unnecessary data.</strong></p>
<p><span>Before scan:</span></p>
<p><span><img src="https://i.imgur.com/qGU46oG.png" alt="" width="301" height="94" /></span></p>
<p><span>After scan = over 1 GB of extra data written to disk just by scanning via KES:</span></p>
<p><span><img src="https://i.imgur.com/t7Dvoj6.png" alt="" width="304" height="86" /></span></p>
<p><span>This also happens when the KES trace file is <em>disabled</em> and also seems to happen while no temporary files are written to ProgramData by KES (scanning inside of archives).</span></p>
<p><span><img src="https://i.imgur.com/mndz3Zu.png" alt="" width="1045" height="906" /></span></p>
<p><strong>Expected result: No write operations to scanned folders. Other AV solutions also offer an option to have AV scans <em>not</em> change "last accessed" times on files, which makes a lot of sense.</strong></p>
<hr />
<p>I wonder if "tempio" being in ProgramData instead of AppData or Windows\temp might also have an impact? Not sure.</p>
<hr />
<p>I am currently testing DisableLastAccess enabled and disabled. Things are not so easily reproducible with this one.</p>
<hr />
<p>I reproduced this using Windows Defender. It seems that saving the AV cache files in ProgramData is mostly responsible for the increase of used up System Restore space. So the first scan sees the largest increase and consecutive scans show less increase and less SYSTEM write operations.</p>
<p>Tests using DisableLastAccess seem to indicate that growth and writes are higher when last-access times are enabled. It also seems that not only are some folder access times not updated, but also some file access times. This needs more testing, though.</p>
<p>And then there is still the case where I saw AVP.exe write to scanned folders directly. This does not happen every time and I have to catch it again.</p>
<p>Apart from all that, the highest drive utilization seems to happen when AVP writes its tempio files. It would be interesting to see what happens if AVP wrote all its temp files and preliminary cache files to AppData\Local\Temp or Windows\temp and only copied finished cache files over to ProgramData.</p>
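<p>The measurements in this thread (System Restore growth during a scan, and whether the DisableLastAccess setting changes it) can be taken with a small script instead of reading the disk-usage dialog by eye. The following PowerShell is an added example written for this page; it is not code from the original posts or from Kaspersky. It records the NTFS last-access policy (the NtfsDisableLastAccessUpdate registry value and the <code>fsutil behavior query DisableLastAccess</code> report), the shadow-copy storage in use as reported by <code>vssadmin list shadowstorage</code> (System Restore points are stored as shadow copies under System Volume Information), and the last-access timestamps of a sample of files, then repeats the storage and timestamp readings after you run the scan and reports the difference. The sample folder, the sample size and the English-locale format of the vssadmin output line are assumptions; vssadmin needs an elevated prompt.</p>

```powershell
# Added example, not from the original thread: measure System Restore growth and
# last-access changes around an on-demand AV scan. Run from an elevated PowerShell.
param(
    # Assumption: any folder the full scan is expected to cover.
    [string]$SampleFolder = 'C:\Windows\System32\drivers',
    [int]$SampleCount = 25
)

function Get-LastAccessPolicy {
    # NtfsDisableLastAccessUpdate: 0 = user managed/enabled, 1 = user managed/disabled,
    # 2 = system managed/enabled, 3 = system managed/disabled (bit 0x1 = disabled).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    $v = (Get-ItemProperty -Path $key -Name NtfsDisableLastAccessUpdate -ErrorAction SilentlyContinue).NtfsDisableLastAccessUpdate
    [pscustomobject]@{
        RegistryValue = $v
        Disabled      = ($v -band 1) -eq 1
        FsutilReport  = (fsutil behavior query DisableLastAccess 2>&1 | Out-String).Trim()
    }
}

function Get-ShadowStorageUsedBytes {
    # Sums the "Used Shadow Copy Storage space: 1.23 GB (5%)" lines over all volumes.
    # Assumption: English-locale vssadmin output.
    $scale = @{ 'bytes' = 1; 'KB' = 1KB; 'MB' = 1MB; 'GB' = 1GB; 'TB' = 1TB }
    $total = [double]0
    foreach ($line in (vssadmin list shadowstorage 2>&1)) {
        if ($line -match 'Used Shadow Copy Storage space:\s*([\d.,]+)\s*(bytes|KB|MB|GB|TB)') {
            $total += [double]($Matches[1] -replace ',', '') * $scale[$Matches[2]]
        }
    }
    [long]$total
}

function Get-SampleAccessTimes {
    # Directory enumeration reads metadata only, so taking the sample does not
    # itself bump the files' last-access times.
    @(Get-ChildItem -Path $SampleFolder -File | Select-Object -First $SampleCount |
        ForEach-Object { [pscustomobject]@{ Path = $_.FullName; LastAccess = $_.LastAccessTimeUtc } })
}

$policy       = Get-LastAccessPolicy
$shadowBefore = Get-ShadowStorageUsedBytes
$accessBefore = Get-SampleAccessTimes

Write-Host "Last-access policy: $($policy.FsutilReport)"
Write-Host ("Shadow storage used before scan: {0} MB" -f [math]::Round($shadowBefore / 1MB))
Read-Host 'Run the full scan now, then press Enter to take the after-scan reading'

$shadowAfter = Get-ShadowStorageUsedBytes
$accessAfter = Get-SampleAccessTimes

Write-Host ("Shadow storage growth during scan: {0} MB" -f [math]::Round(($shadowAfter - $shadowBefore) / 1MB))

# Compare the sample file by file; the same folder enumerated twice yields the same order.
$changed = @()
for ($i = 0; $i -lt $accessBefore.Count; $i++) {
    if ($accessAfter[$i].LastAccess -ne $accessBefore[$i].LastAccess) { $changed += $accessAfter[$i].Path }
}
Write-Host ("{0} of {1} sampled files had their last-access time changed by the scan" -f $changed.Count, $accessBefore.Count)
$changed | ForEach-Object { Write-Host "  $_" }
```

<p>Running it once with last-access updates enabled and once after <code>fsutil behavior set DisableLastAccess 1</code> (and a reboot) gives a like-for-like comparison of the two conditions discussed above; the first-scan effect mentioned earlier (cache files written to ProgramData) means the second run on the same setting will normally show a smaller growth, so compare first runs with first runs.</p>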