How to monitor the idle system process

When the system starts up and is on the lock screen, I've noticed that after a while the system fans start to ramp up a little, indicating the CPU is processing something. Not heavy processing, but light to medium, as I can tell what fan curve it is on.

How do I check to see what process is running while idle? As soon as I unlock and go to Task Manager, the process has stopped and the fans have gone back to near silent.

Thanks!
 
It's probably the automatic maintenance task kicking in. If you check Event Viewer > Application and service logs > Microsoft > TaskScheduler > Maintenance: does it show events with "Maintenance state changed to 1" around the time you notice a system load?
 
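The original problem is that the process is gone by the time Task Manager is open. One way round that, as an added example that is not code posted by anyone in this thread, is to leave a sampler running before locking the PC: every minute it records which processes burned CPU time in the previous window, together with any Task Scheduler maintenance events from that same window (the same log the reply above points at in Event Viewer), and appends the result to a file you read after unlocking. The log path, the sampling interval and the round count are assumptions; change them to taste.

```powershell
# Added example (not from the thread): log per-process CPU usage while the console is locked.
# Assumptions: run it as your own user before locking; log path, interval and rounds are arbitrary.
param(
    [string]$LogPath = "$env:TEMP\idle-cpu.log",   # assumed location for the log
    [int]$IntervalSeconds = 60,                    # length of one sampling window
    [int]$Rounds = 30                              # 30 rounds = half an hour of samples
)

function Get-CpuSnapshot {
    # Returns a hashtable: process id -> @{ Name; Cpu } where Cpu is the total CPU seconds
    # the process has consumed so far. Processes we cannot open report 0 rather than an error.
    $snap = @{}
    foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
        $cpu = try { [double]$p.CPU } catch { 0.0 }
        $snap[$p.Id] = @{ Name = $p.ProcessName; Cpu = $cpu }
    }
    return $snap
}

function Get-CpuDeltas([hashtable]$Before, [hashtable]$After, [double]$MinSeconds = 0.5) {
    # Compare two snapshots and return the processes that consumed at least $MinSeconds of CPU
    # between them. A process that started inside the window is compared against zero.
    foreach ($id in $After.Keys) {
        $start = if ($Before.ContainsKey($id)) { $Before[$id].Cpu } else { 0.0 }
        $used  = $After[$id].Cpu - $start
        if ($used -ge $MinSeconds) {
            [pscustomobject]@{
                Pid        = $id
                Name       = $After[$id].Name
                CpuSeconds = [math]::Round($used, 1)
                New        = -not $Before.ContainsKey($id)
            }
        }
    }
}

for ($round = 1; $round -le $Rounds; $round++) {
    $windowStart = Get-Date
    $before = Get-CpuSnapshot
    Start-Sleep -Seconds $IntervalSeconds
    $after  = Get-CpuSnapshot

    $lines = @("=== $(Get-Date -Format s)  (window of $IntervalSeconds s) ===")
    $deltas = Get-CpuDeltas $before $after | Sort-Object CpuSeconds -Descending | ForEach-Object {
        $note = if ($_.New) { ' (started in window)' } else { '' }
        '{0,8}  {1,-30} {2,6}s{3}' -f $_.Pid, $_.Name, $_.CpuSeconds, $note
    }
    if ($deltas) { $lines += $deltas } else { $lines += '  (no process used more than 0.5 CPU-seconds)' }

    # Same data as Event Viewer > ... > TaskScheduler > Maintenance, read from PowerShell.
    # No events in the window (or a missing log) is not an error.
    $maint = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TaskScheduler/Maintenance'; StartTime = $windowStart } -ErrorAction SilentlyContinue
    foreach ($ev in $maint) {
        $lines += '  event {0} at {1}: {2}' -f $ev.Id, $ev.TimeCreated.ToString('HH:mm:ss'), ($ev.Message -split "`n")[0]
    }
    Add-Content -Path $LogPath -Value $lines
}
Write-Host "Samples written to $LogPath"
```

Run it, lock the PC, and after unlocking open the log: a window where the fans ramped should show the responsible process name next to the CPU seconds it used, and whether a "Maintenance state changed" event fired in that window tells you if it was the maintenance task or something else.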
> It's probably the automatic maintenance task kicking in. If you check Event Viewer > Application and service logs > Microsoft > TaskScheduler > Maintenance: does it show events with "Maintenance state changed to 1" around the time you notice a system load?

Yes. I can see it kept going in this order on all the events: 1, 3, 1, 3, 1, 3, 1. What could it be running? It was ramped up for over an hour; surely those tasks should be done by then, right?



 
Going off what I remember, it's things like running TRIM commands on SSDs, defragging HDDs, doing some .NET cleanup and stuff like that.

If you want to list everything open a powershell window and type
Code:
Get-ScheduledTask | Where-Object {$_.Settings.MaintenanceSettings}

Edit: If you want to know roughly what they do, add "| Select-Object TaskPath, TaskName, State, Description" to the end so it reads...
Code:
Get-ScheduledTask | Where-Object {$_.Settings.MaintenanceSettings} | Select-Object TaskPath, TaskName, State, Description
Although it's worth saying not everything will have a description so you may need to dig a little deeper to find out exactly what each one does.
 
Process Explorer can give you a detailed look at what calls the System process is performing, etc. (Properties -> Threads), which with a bit of Googling can narrow it down. A common one with a lot of laptop/mobile/low-power hardware recently is for either the memory scanning maintenance task or tasks related to the Diagnostic Policy Service to malfunction and sit there chewing 100% of one core for a very long time or forever while the system thinks it is idle, and/or sometimes even when it comes back from idle...

Really annoying when you've got a laptop you want to be quietly idle in the background and the fans are periodically spinning up for no good reason. Stupid MS.
 
Thanks all. I managed to find this while trying to quickly access task manager after unlocking the PC.



Any idea what archiver is? I can't seem to find anything on it and none of the virus scanners pick it up.
 
I used VirusTotal to scan the file and it came back positive. On the list, it showed AVG as one of the detectors, thus I downloaded AVG and scanned that directory and it removed the file.

How do I remove any registry entry or scheduled task this program had set to auto-run on idle? The virus scanner only removed the file.
 
> Thanks all. I managed to find this while trying to quickly access Task Manager after unlocking the PC.
>
>
>
> Any idea what archiver is? I can't seem to find anything on it and none of the virus scanners pick it up.

Oh dear.

I googled archiver.exe and found it is a coin miner trojan that causes PC slowness and overheating.

 
Thanks all. I used Farbar and did not find anything else with Archiver.

The Task Scheduler also had the following 3 items, which is interesting.

vssadmin.exe Delete Shadows /All /Quiet :eek:



 
The first image, of the PCIeBusQueue task with wevtutil as the action, is running a Microsoft file intended to work with event logs; it's set up to clear your System log.

Same with the last image, of PCIeBus, only that one's clearing your Application log.

The middle image, of PCIeBusPower with vssadmin.exe delete shadows /all /quiet, is a Microsoft file, and it's set up to delete all your system restore points and any files backed up that would be restored if you used "restore previous version" on a file.

If I had to guess, based on their names not being at all related to what they're doing and that they seem to be removing things that would make it easier for an end user to recover from an infection, I'd say they're probably related to your infection. That is unless you or anyone else with access to the PC can recall setting up or installing software that would actually do those things.

Worth saying though, none of those things are currently happening because they're all disabled. Did you do that? Edit: Yes you did, because I've just checked the previous images you posted that show them being enabled. :)
 
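Both the "list the maintenance tasks" one-liners earlier in the thread and the post above (oddly named tasks whose actions clear event logs or delete shadow copies, all created at the same time) can be covered by one audit over the Task Scheduler. The script below is an added example, not code posted by anyone in this thread: it walks every scheduled task, records whether it has an idle trigger, flags the two action patterns the thread actually saw (wevtutil clearing a log, vssadmin deleting shadows) plus executables living in user-writable paths, and keeps the Author and Date fields so tasks created in one batch stand out. The pattern list and the "user-writable path" heuristic are assumptions, chosen to surface the cases discussed here; it assumes an elevated PowerShell so tasks in every folder are readable.

```powershell
# Added example (not from the thread): audit scheduled tasks for idle triggers, log-clearing or
# shadow-deleting actions, user-writable executables, and shared creation timestamps.
# Assumption: run elevated so every task folder is readable.

# Patterns seen in this thread. Extend as needed; Exe is compared against the action's
# file name without extension, Pattern against its argument string.
$rules = @(
    @{ Exe = 'wevtutil'; Pattern = '(^|\s)(cl|clear-log)(\s|$)'; Why = 'clears an event log' },
    @{ Exe = 'vssadmin'; Pattern = 'delete\s+shadows';           Why = 'deletes shadow copies / restore points' }
)
# Assumed heuristic: paths a system-looking task has no business running from. Expect some
# legitimate per-user updaters to match too; the point is to make you look at them.
$userWritable = '(?i)%(APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE)%|\\Users\\[^\\]+\\|\\Temp\\'

function Get-TaskAudit {
    foreach ($task in Get-ScheduledTask) {
        # MSFT_TaskIdleTrigger is the CIM class behind "Start the task only if the computer is idle".
        $idle = @($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskIdleTrigger' }).Count -gt 0
        $flags = New-Object System.Collections.Generic.List[string]
        $actions = foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }            # COM handler actions have no Execute
            $exePath = $a.Execute.Trim('"')              # strip quotes before path parsing
            $exe     = [IO.Path]::GetFileNameWithoutExtension($exePath).ToLowerInvariant()
            $argText = [string]$a.Arguments
            foreach ($r in $rules) {
                if ($exe -eq $r.Exe -and $argText -match $r.Pattern) { $flags.Add($r.Why) }
            }
            if ($exePath -match $userWritable) { $flags.Add('runs from a user-writable path') }
            "$exePath $argText".Trim()
        }
        [pscustomobject]@{
            Task    = $task.TaskPath + $task.TaskName
            State   = $task.State
            Author  = $task.Author                      # the "created by" column in the GUI
            Created = $task.Date                        # creation timestamp stored in the task XML
            Idle    = $idle
            Action  = @($actions) -join ' ; '
            Flags   = ($flags | Select-Object -Unique) -join ', '
        }
    }
}

$audit = Get-TaskAudit

# 1. Anything matching a rule, enabled or not (the thread's tasks were already disabled).
$audit | Where-Object Flags | Format-Table Task, State, Created, Author, Flags, Action -AutoSize -Wrap

# 2. Tasks that fire on idle: the symptom the thread started with.
$audit | Where-Object Idle | Format-Table Task, State, Author, Action -AutoSize -Wrap

# 3. Tasks sharing a creation timestamp with a flagged task, which likely came from the same installer.
$batchTimes = $audit | Where-Object Flags | Select-Object -ExpandProperty Created -Unique
$audit | Where-Object { $_.Created -and $batchTimes -contains $_.Created } |
    Format-Table Task, State, Created, Author, Action -AutoSize -Wrap
```

The third listing is the useful one for the question of what else the infection left behind: Author is whatever account the installer ran as (which is why the poster's own name appeared on tasks they never created), but the Date field is set once at creation, so siblings of a known-bad task share it even when their names and actions look unremarkable.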
> The first image, of the PCIeBusQueue task with wevtutil as the action, is running a Microsoft file intended to work with event logs; it's set up to clear your System log.
>
> Same with the last image, of PCIeBus, only that one's clearing your Application log.
>
> The middle image, of PCIeBusPower with vssadmin.exe delete shadows /all /quiet, is a Microsoft file, and it's set up to delete all your system restore points and any files backed up that would be restored if you used "restore previous version" on a file.
>
> If I had to guess, based on their names not being at all related to what they're doing and that they seem to be removing things that would make it easier for an end user to recover from an infection, I'd say they're probably related to your infection. That is unless you or anyone else with access to the PC can recall setting up or installing software that would actually do those things.
>
> Worth saying though, none of those things are currently happening because they're all disabled. Did you do that? Edit: Yes you did, because I've just checked the previous images you posted that show them being enabled. :)

Thanks, that's helpful knowledge.

Yes, I disabled them after checking all the details. I've since deleted those tasks. They were all created at the same time and date the Archive task was created. Also, if you scroll to the right it shows you who created it; it had my name on it, so I can confirm that definitely wasn't the case.
 
This might seem overkill, but I'd nuke the system and reinstall with a clean Windows image. That's the only way I'd completely trust an infected system, regardless of what any antivirus or malware scanner tells me.
 
> This might seem overkill, but I'd nuke the system and reinstall with a clean Windows image. That's the only way I'd completely trust an infected system, regardless of what any antivirus or malware scanner tells me.

You definitely bring up a valid point, and I have thought of it, but the idea of doing it and spending countless hours setting everything up again is what's stopping me.
 