March 22nd 17, 10:05 AM, posted to alt.comp.hardware
Paul
Subject: External USB hard drive activity question

wrote:
I have a hard drive connected to my W10 PC via USB.
It has a green light on it which I assume indicates activity?
Anyway - I just noticed it is blinking madly even though the PC is
sitting on, but unused. Scares me.
What does this mean? Why is there activity? Someone is not on my PC
accessing my drive, is there? I hope this is not a dumb Q.
Anyone?
Pete


Use Process Monitor to look for ReadFile, WriteFile, and CreateFile activity.
The partition on the drive will have a drive letter. You should
be able to identify a process making transactions on the drive.

https://technet.microsoft.com/en-us/...processmonitor

Leave it running long enough to collect a trace. Say for a minute.
Then, go to the File menu and remove the tick mark in there. That
stops the ETW tracing, then scroll back at your leisure and see
what is accessing the drive.

For that to run, it should present a UAC box, as it needs
to be elevated (administrators group) in order to trace.

There should also be a "find" command in there, but at the
moment, I can't think of anything clever to look for. You're
going to have to eyeball what you see.

Note that it is "normal" for Windows to check the same set of
registry keys, over and over and over again. You might find anywhere
from 50-200 keys being checked. But, because of file caching of
the Registry files, there should not be any disk traffic. If for
some reason the cache wasn't working, then the LED on the C: drive
would go nuts. But that would not be a normal kind of failure.
This is why I suspect something real and tangible is loose on
your computer, which is why I'm suggesting tracing it.

*******

A worst-case scenario is that you have acquired a copy of Locky
ransomware from an email attachment. Someone in one of the other
groups had that happen. Apparently, the ransomware in question
did the old-style file-by-file encryption. So if you got Locky
on the machine, that disk LED blinking is all your files being
turned into unusable mush. Locky will present a dialog box
saying all your files are encrypted, and would you like to send
0.3 bitcoins to a certain Bitcoin account number. This allows
a ransom to be paid to have your files decrypted again.

This is why, in 2017, it's important to have full backups
of your computer hard drives, stored on an external drive which is *not*
regularly connected to the computer. Some people who had Dropbox
or something had Locky climb up in there and encrypt whatever it
could find on there as well. Cloud storage is only suitable
for protection if you can contact the cloud operator and
get an older version of the file. It's very difficult to
construct a backup system which is totally resistant to
ransomware. Just to make you feel better.

I hope it's not Locky, and just a silly MSFT OS bug.

Paul
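The "eyeball what you see" step in Paul's reply above can be automated once the trace is saved with File > Save as CSV. The following is an added example, not code from the post or from Process Monitor itself; it assumes the export uses Procmon's default column names, and the sample rows are constructed, not from a real trace.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the shape of a Process Monitor CSV export (File > Save,
# CSV format). Column names are assumed to match Procmon's default column set.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:05:01.0000000","svchost.exe","1234","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows","SUCCESS","Type: REG_SZ"
"10:05:01.0010000","backup.exe","4321","CreateFile","E:\\Photos\\IMG_0001.jpg","SUCCESS","Desired Access: Generic Read"
"10:05:01.0020000","backup.exe","4321","ReadFile","E:\\Photos\\IMG_0001.jpg","SUCCESS","Offset: 0, Length: 65,536"
"10:05:01.0030000","unknown.exe","9999","WriteFile","E:\\Docs\\report.docx","SUCCESS","Offset: 0, Length: 4,096"
"10:05:01.0040000","explorer.exe","5555","ReadFile","C:\\Users\\pete\\Desktop\\notes.txt","SUCCESS","Offset: 0, Length: 512"
"""

# The three operations the post suggests looking for.
FILE_OPS = ("CreateFile", "ReadFile", "WriteFile")


def drive_activity(csv_text, drive_letter):
    """Return {(process, pid): Counter(operation -> count)} for file operations
    whose path lies on the given drive letter. Registry rows and rows for other
    drives are skipped, so the repeated registry checks do not clutter the view."""
    prefix = drive_letter.upper().rstrip(":\\") + ":\\"
    per_process = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] not in FILE_OPS:
            continue
        if not row["Path"].upper().startswith(prefix):
            continue
        per_process[(row["Process Name"], int(row["PID"]))][row["Operation"]] += 1
    return dict(per_process)


def rank_processes(per_process):
    """Sort processes by total operations on the drive, busiest first."""
    return sorted(
        ((name, pid, sum(ops.values())) for (name, pid), ops in per_process.items()),
        key=lambda item: item[2],
        reverse=True,
    )


if __name__ == "__main__":
    # For a real export, read the file with encoding="utf-8-sig" to drop the BOM.
    activity = drive_activity(SAMPLE_CSV, "E")
    for name, pid, total in rank_processes(activity):
        print(f"{name} (PID {pid}): {total} ops  {dict(activity[(name, pid)])}")
```

A process near the top of the list that you do not recognise is the one to look up by PID in Task Manager; a steady stream of WriteFile calls across many user files is the pattern the ransomware paragraph above describes.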