How To Diagnose a Suddenly Slow Windows Computer?

Ensign Taco writes "I'm sure nearly every one of us has had it happen. All of a sudden your Windows PC slows to a crawl for no apparent reason. Yeah, we all like Linux because it doesn't do annoying things like this, but the Windows desktop still reigns supreme in most managed LAN work environments. I'm running XP with 4G of RAM and a decent CPU, and everything was fine, until one day — it wasn't. I've run spybot, antivirus, and looked at proc explorer — no luck. There is no one offending, obvious process. It seems every process decides to spike at once at random intervals. So I'm wondering if there's a few wizards out there that know what to look at. Could this be a very clever virus that doesn't run as a process? Or could this just be some random application error that's causing bad behavior? I've encountered this a few times with Windows PCs, but the solution has always been to just add more hardware. Has anyone ever successfully diagnosed this kind of issue?" And whether such a problem is related to malware or not, what steps would you take next?

Check the HDD

[Fez (468752)]

Very commonly this happens when a hard drive reverts to PIO mode after Windows decides it has seen a few errors from the drive. You can verify this by looking at the properties of the IDE Controller to which the drive is connected in device manager. (IDE ATA/ATAPI Controllers/Primary IDE Channel/Advanced Settings tab, for example)

There is a VBScript [winhlp.com] that resets the drive back to DMA mode, and is effective if that is indeed the case.

This could also be an early sign of hard drive failure. I've seen plenty of drives that passed diagnostics but were very, very slow. Try checking the SMART data with something like HDTune [hdtune.com].

Second on the drive thing

[Sycraft-fu (314770)]

But rather than just checking SMART, get the manufacturer's test program. All the HD makers have one, just get the one appropriate for yours. It's the sort of thing you boot from CD and let run for a few hours, but it is the way to go. SMART can report ok even when a drive is dying but it is extremely rare (though possible) that the manufacturer's diags give it a pass when it is dying.

Check that, since a dying drive often makes things really slow (in part because it starts remapping lots of bad sectors).

Re:Second on the drive thing

[speeDDemon (nw) (643987)]

SMART has its uses, and a quick and easy check is to use the program 'speedfan [almico.com]' as this has a built in feature to read AND analyze (requires net connection) your HDD's smart information, By no means the be all and end all, but it is the quickest way I know to identify a failing hard drive.

Re:Second on the drive thing

[Klaus_1250 (987230)]

http://hddscan.com/ [hddscan.com]

Checks SMART, can perform all SMART test (e.g. offline), gives loads of information on the drives internals and it can scan the disk surface using the disk-controller chip only (e.g no data transfer over the cable). The latter is really useful to test the surface and speed of a USB-HD.

Re:Second on the drive thing

[g0es (614709)]

But rather than just checking SMART, get the manufacturer's test program. All the HD makers have one, just get the one appropriate for yours.

Careful, some manufactures have utilities that just check SMART and don't actually do a test.

Re:Second on the drive thing

[athakur999 (44340)]

I've had a Linux box slow to a crawl for the same reason, so definitely good advice if you're experiencing random slowness regardless of what OS you're running. When I ran top I could see the "iowait" percentage was near 100% frequently and also saw many drive-related error messages in the system log.

Still...

[Moraelin (679338)]

Actually, while I do somehow sped more time at home on my Windows gaming box than under Linux (so this isn't a blanket Windows bashing,) my superficial and uninformed impression was that, all else being equal, any Windows box I've seen seems harder hit by IO than any Linux/Unix box I've ever seen.

Yes, you can get a Linux box to crawl too, if the hard drive is stuffed and it can't swap for example. Or if the chipset isn't supported well by the drivers. (Rarer these days, but certainly possible.) Or whatever.

But Windows... seems a bit special. I mean try to copy a directory between two hard drives, or better yet from a DVD to HDD, and Windows seems to me basically stuffed. Even notepad can get about as responsive as a narcoleptic snail. And you can just about forget about, say, playing a game while that happens.

And that's before you even add such brakes as an anti-virus.

I've seen that behaviour in any Windows, from 3.0 to Vista, including a detour through NT 4.0. In fact in Vista let's just say there's a reason why so many people were pissed off at the indexer kicking in all the time.

My subjective impression is that I've yet to see Linux get anywhere near that unresponsive, in a similar scenario. Again, assuming that you don't have a nearly dead HDD and the chipset is supported in DMA mode.

But heck, even in PIO mode, I've used Linux in PIO mode and I've used, say, NT in PIO mode. (Thanks to a retarded IT department which installed the wrong IDE drivers.) Linux did obviously have poor file IO performance, but NT just freaking _froze_ for a second or two, for example, when minimizing or maximizing a window. (Presumably due to aggressive memory management which swapped more of a process out when minimized.)

Now admittedly I haven't actually programmed an OS at any point, so I'm probably talking out the arse, but I see no reason why that should happen at all. Any common source of IOWait has an interrupt. Even in PIO mode you don't have to poll until it's done. And DMA, now that was invented for the precise reason and purpose of transferring some data while the CPU services another process. It's why it's there. So there's no freaking reason for the whole OS to just twiddle its thumbs and wait. Even if one process is waiting for _paging_, you can still yield to another process while waiting for the HDD.

Re:Second on the drive thing

[DennisZeMenace (131127)]

What the manufacturer's test programs do is *precisely* run the SMART diagnostic test, so save yourself a CD-R. All they do is run the long self test. All SMART-friendly HDDs support the short (1 to 2 minutes) and long (1 to 2 hours) diagnostic tests, the latter doing an exhaustive sector scan. Boot a Linux live CD and type "sudo smartctl -t long /dev/sda", and voila.

A damaged disk cannot pass that test, not unless something is utterly borked with the firmware (*cough* seagate *cough*).

Re:Second on the drive thing

[ChienAndalu (1293930)]

Wrong. Some do extended surface read-write-scans and offer options like disk erase etc. Like this here [samsung.com] for example.

Re:Check the HDD

[flyingsquid (813711)]

My Windows is NOT slow.

It is special.

Re:Check the HDD

[yo_tuco (795102)]

"My Windows is NOT slow. It is special."

It's speed challenged.

Re:This was the funniest thing on Slashdot today

[Korin43 (881732)]

Yeah seriously. Windows not being slow is obviously flamebait.

Re:Check the HDD

[Nefarious Wheel (628136)]

That does figure high in my list of potential causes, but generally I clear the dll and prefetch cache and reboot before I start worrying about hardware. Especially if you've been running a diverse series of programs on it.

Re:Check the HDD

[bdwebb (985489)]

Hmm...the prefetch cache is only used when a call is made by commonly used programs. Clearing the prefetch cache is only really useful to rid yourself of extra unnecessary files when you uninstall programs as Windows will simply rebuild the directory.

Since we're trying to diagnose a cause of sudden sluggishness, clearing the prefetch won't really do anything unless the HDD is full. A quick review of the prefetch directory, however, is a good indicator of which programs have been running. I usually take a look to see if I can spot anything out of the ordinary.

Other helpful ideas:

- Disable system restore before you do anything...irritating spyware and virii can hide here and restore themselves
- Download and run X-Ray PC [x-raypc.com] (freeware) and run an online analysis of your processes...will give you a good/bad/unknown triage for some processes and allow you to kill them.
- Start>Run> msconfig.exe and check your startup processes...do a quick google search for anything you don't recognize and if it is not a necessary startup process, kill it. Having a shitload of processes running at startup can bring your system to its knees. Usually, for a desktop XP machine, between 28 and 35 processes is ideal on a fresh boot. For a laptop it can be up to 50...depends on what utilities are required to make your touchpad/buttons/wireless/etc work.
- Start>Run> msconfig.exe and check your services. Check 'hide all Microsoft services' and do a quick scan to make sure no extra junk services are hiding here. If you lose functionality to something on startup that you want, you can either just turn it back on or, if necessary, boot into safe mode and turn it on.
- Download Crap Cleaner [filehippo.com] and run the registry scan to see how many junk items you have in your registry. Review the causes and fixes to all the issues you find...you're usually okay doing a fix all but I check them just in case (this is your registry after all...never hurts to back it up either.)
- Add/remove any programs that you don't recognize or don't use. All this extra junk does nothing to help you. Additionally, if you can pinpoint one or two programs that were installed around the time your computer started having issues, definitely uninstall them and check your performance after (probably run ccleaner again to ensure they are completely gone).
- Restart your machine and check msconfig and xraypc again to ensure that nothing you killed came back...if it did, you've got a virus or spyware.
- If you still have issues, try running one of many drive fitness test tools to determine whether or not you have bad sectors or possibly a bad HDD altogether. Some tools will even allow you to repair the bad sectors but usually if you've got bad sectors you should start looking at a new HDD soon.
- If you have the option, pull the HDD and hook it up to a test rig and run a Housecall [trendmicro.com] scan on the drive.
- Run Rootkit Revealer [microsoft.com] to determine whether or not you have a rootkit installed on your machine. Rootkits are nasty as hell but you can usually find additional info via a google search on how to rid yourself of them.
- When all else fails, a clean install is usually the best way to get your system back up to snuff. It is a pain in the fucking ass and no one likes to do it until you remember what it is like having a clean install. Just make a list of your programs, do a backup of your data, and format that sucker.

Hope some of that is helpful...a lot of the other comments I see here are great things to check as well (right below me I see gad zuki! mention netstat -a to check your active connections...also very useful) so bookmark this page and try everything. If nothing else, you'll learn some new tricks.

Re:Check the HDD

[gad_zuki! (70830)]

Its also worth mentioning that you'll see disk errors in the event log. The source will be 'disk.' Is the disk working hard. Use filemon to see whats going on.

The asker should also look in the event log for any warnings or errors that started at the time of the slowness.

He should also do a netstat -a to see what active internet connections are working. If youre seeing lots of connects to port 25 someplace then you are running a mass mailing trojan. Investigate any suspicious connections. You can use tcpview for more info.

He should also boot up with a linux live disc or a PE disc like UBCD4WIN. If the slowness is still there then its most likely a hardware issue. UBCD4win also has a bunch of utilities with easy to use GUIs like HDTune. He can run an antivirus or spybot from the PE environment too for a second opinion.

Lastly, when you fix the issue you should remove your wife from the administrators group and just make her a user or power user. When she needs to install software or whatever just have her log in as admin.

Re:Check the HDD

[Bobfrankly1 (1043848)]

But the best way is still to download Windows Optimizer 2009. It removes all performance limitations Microsoft has put in their products and makes your Windows work as fast as your hardware allows.

That's a lie. I just installed Antivirus 2009 and it says that Windows Optimizer 2009 is spyware!!!

Re:Check the HDD

[HermMunster (972336)]

Lol, that's pretty funny seeing as both are malware. Yeah, I know you know. Others might not.

Re:Check the HDD

[by Anonymous Coward]

My computer does this all the time. The culprit is usually that my kid has hit the Turbo button off.

Sorry

[by Anonymous Coward]

Sorry about that. I slowed it down for my own amusement. I'm a bastard that way.

-God

Re:Sorry

[PotatoFarmer (1250696)]

Nice try, but everyone knows you're dead. Nietzschecraft confirmed it.

Re:Sorry

[Yvan256 (722131)]

Congratulations, you just invented a new word [google.com]!

PerfLogs

[Drakin020 (980931)]

Run performance counters against the computer to see what might be spiking. (Hard drive usage, memory pages /sec etc...)

Try this

[by Anonymous Coward]

Unplug the network cable in the back and see if the problem persists. The network is a common cause of this problem.

Re:Try this

[LingNoi (1066278)]

If that doesn't work, try cleaning the gunk out of the mouse.

Re:Try this

[cyphercell (843398)]

then hold the keyboard over your head and shake it.

Process Explorer

[by Anonymous Coward]

I'll be the first of many to suggest:

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Virtual Machine

[DissociativeBehavior (1397503)]

Watch porn in a virtual machine.

Re:Virtual Machine

[orclevegam (940336)]

That's always good advice!

What, watching porn, or the virtual machine?

Re:Virtual Machine

[pem (1013437)]

Yes.

Obligatory

[samriel (1456543)]

GeekSquad diagnosis:
Vista installed. Remove immediately.

Hmmmm.

[SatanicPuppy (611928)]

Not a lot to go on, though as a freebie, XP doesn't do jack with that extra gig of RAM...You could put in 100gigs and it won't use any more than 3 (less you're using the 64 bit version, iirc).

Rootkits can run "under the radar". Might want to try software like RootKitRevealer, or Blacklight. A crappy one might grab a ton of cycles for a minute, but most of them are less intrusive.

Everything spiking at once sounds like that stupid "System Restore" process, or maybe a big swap dump (which is weird with that much RAM, but you know, it's windows.) Stupid programs like Norton can grab a huge chunk of resources every now and then for no discernable reason. Maybe some peripheral is crapping out?

Barring malware, I'd start writing down what's running when it spikes, and see if that tells you anything. Lot of programs can cause momentary spikes, but background processes usually don't. You could try testing some of the hardware but without anything specific to look for, you're going to have a hell of a time finding something.

Re:Hmmmm.

[suricatta (617778)]

<quote>Not a lot to go on, though as a freebie, XP doesn't do jack with that extra gig of RAM...You could put in 100gigs and it won't use any more than 3 (less you're using the 64 bit version, iirc).</quote>

Just FYI, the reason for this is because with 32 bits, you're system is limited to 2^32 bits of address space = 4GB of memory in total, which has to include both RAM and the memory on your graphics card.

So in many cases, users with 4GB of RAM will only see 3GB becuase they have a 1GB graphics card. It follows that if a user only have a 512MB graphics card, then they will see (and XP will use) 3.5GB RAM.

This is not a design flaw for XP, it's a limitation if the 32 bit architecture. Switching to 64 bits solves this because then your total address space increases to 2^64 = 16EB. Which ought to be enough for anyone ;-)

Re:Hmmmm.

[cbhacking (979169)]

Accurate but oversimplified - video cards aren't the only drivers that are mapped into memory space, just (usually) the biggest thing.

If your drivers support it (many don't, which is why it's disabled by default - a driver which lacks support will cause crashes with this option) you can add /pae
to the boot.ini file to enable Physical Address Extension in the kernel. PAE uses an extra 4 bits for internal memory addressing, resulting in up to 64GB of RAM being addressable. Individual processes will still run with only 4GB memory spaces. However, Windows will map some of its physical memory above the 4GB mark, allowing drivers their accustomed memory mapping (assuming the driver developer didn't make assumptions that PAE violates, like that the address space stops hard at 0xFFFFFFFF).

Firefox

[tnk1 (899206)]

Actually, the first thing you should do is close Firefox. I find that once you aren't using 10 GB of RAM to keep your 25 tabs open, the computer magically stops swapping.

Re:Firefox

[liquidpele (663430)]

This is actually good advice. I've found that the flash plugin with firefox can go ape-shit and destroy performance (even if you close the tab) until you kill firefox to kill it.

The best way to accelerate a slow Windows.

[Faryshta (1362521)]

9.8 m/s^2 Sorry, it just flip out.

Answer:

[tiananmen tank man (979067)]

"Well, I think you know the answer to that."

Re:Answer:

[ciaohound (118419)]

From story [slashdot.org] to meme in under four hours? That's got to be a slashdot record!

The Case of the Slow System

[Fast Thick Pants (1081517)]

Mark Russinovich has an enlightening blog entry called The Case of the Slow System [technet.com] that might serve as an example of how, if you are are one of the planet's top 10 Windows experts, you can, with persistence, luck, and the proper tools, solve one of the obscure problems that are slowing down your wife's computer. This particular case pertains to Vista, but the general techniques are applicable to XP as well.

Re:The Case of the Slow System

[pbhj (607776)]

Has Mark Russinovich's wife tried turning it off and on again?

bad fan?

[Monoman (8745)]

Some systems will slow down the CPU if it gets too hot. Check the fans and the temp in the CMOS if it can report it.

background defragmenting

[xonen (774419)]

XP and Vista have the 'feature' of automated background defragmenting enabled by default, you might wish to disable this.

From: http://www.kessels.com/Jkdefrag/ [kessels.com]

How do I disable the Windows built-in defragger?

Windows 2000 & 2003:

The built-in defragger is not started automatically.
Windows XP:

1. Download the free * Tweak UI utility from Micorosft.

2. Click on 'General' and untick the 'Optimise hard disk when idle' box.

Windows Vista:

1. Start -> All Programs -> Accessories -> System Tools -> Disk Defragmenter

2. Untick the "Run on a schedule (recommended)" box.

diagnostics

[datapharmer (1099455)]

check in this order: virus (look both for viruses and malware and bad scanners... I've seen antivirus scanner updates hose systems... use more than one virus scanner and more than one malware scanner but NOT AT THE SAME TIME!), drivers (might be badly written ,corrupt, or for wrong hardware), rogue processes (startup, services, etc), hardware (run chkdsk /f and defrag, check bios settings and make sure smart hd is enabled if possible and run a memory test), replace cables such as IDE that tend to corrode and cause errors, then start checking components (graphics, memory slots - use just one stick - if it improves use the same stick in another slot until there is a problem or you get to a stick that is causing problems) pci, dongles and adapters) If that fails run linux like you should have done in the first place. ;-)

learn from the Hackers!

[Tumbleweed (3706)]

Open a command prompt and type "OPTIMIZE" and hit the Enter or Return key (doesn't matter which).

If you get an error, type "OVERRIDE" or "SECURITY OVERRIDE" and then try the optimize command again.

Make sure you type these in all-caps (it's best just to leave the caps lock key on all the time, really).

After the optimization sequence is complete, reboot your computer. The best way to do this is to simply pull the power plug on the back of the machine and then plug it back in. Do this a few times just to make sure it's rebooted everything correctly.

If this doesn't work, go online from another computer and buy a Mac or something from Dell.

Re:Use process explorer

[GPLDAN (732269)]

Between DiskMon, FileMon and Process Explorer - there should be nothing that you cannot see. The new generation of viruses that steal thread handlers from other processes are nasty, but very very hard to detect.

Add in wireshark, as the cause of many a slow computer has been a ISP provided DNS server that has suddenly decided to take it's sweet ass time about answering queries for A and PTR records. Usually a by-product of being under some external load that you know nothing about (it could be backing up, etc).

DiskMon in particular will show you any files that are being sought by any process, an incredibly valuable resource.

Every workstation in our company has the SysInternals complete suite installed in the C: drive. The help desk has been trained to use it. It solves alot of problems.

Re:Use process explorer

[The MAZZTer (911996)]

FYI DiskMon and FileMon have been superseded by ProcMon. I used it the other day because there were pinned items on my Start Menu I couldn't delete, so a simple filter for RegWriteValue when I pinned or unpinned something and I was able to find where the list lived and wiped it.

Re:Use process explorer

[liquidpele (663430)]

For those that don't know, to monitor different performance aspects go to start->run and type "perfmon". You can add snap-ins that graph performance of many things. Very very useful.

Re:Defrag?

[jayhawk88 (160512)]

Perhaps the hard drive is using an Infinitely Improbable File System.

Re:Simplest answer

[bluefoxlucid (723572)]

If you've got everything backed up, that should be the quickest option. (Versus spending a weekend or so digging and digging to find the problem.)

It's Windows, not Ubuntu. Last time I had a "reinstall windows" problem, it took me 2 weeks to get all the software installed and configured again. I can't just tick off what I want and hit Apply.

Re:1. run task manager

[shutdown -p now (807394)]

I've seen systems start crawling on stupid windows background crap that only shows up in the process tab as "System Idle Process."

System Idle Process cannot make system crawl by definition - it's not even a process, it's just the line that shows how much of your CPU is not being utilized at all.

Thing is, when the system is crawling, it needs not be CPU. Random HDD reads/writes by one process can also kill performance for the entire system very fast, and yet the process will still show up as using 1-2% CPU time in Task Manager. You can change it to show the columns for I/O though and look there.