Heavy writing to SSD on Windows Server

Windows specific questions, problems.
Post Reply
wmn
Newbie
Newbie
Posts: 1
Joined: Wed Nov 18, 2020 4:31 am

Heavy writing to SSD on Windows Server

Post by wmn »

Hi,

I was having heavy writing on my SSD boot drive under Windows Server 2019, like more than 50GB/day. This was happening when running qBittorrent (latest version). I have even tried a portable installation to another drive than the boot drive, without success. All the torrent files ares located on conventional hard drive, not on the SSD.

When stopping qBittorrent, the writing dropped to a more acceptable 5GB/day. I was able to track the main cause of the excessive writing:

It was the windows firewall and it is related to a Microsoft case linked as KB3044882:


https://docs.microsoft.com/en-us/troubl ... ag-etl-log


Port Scanning Prevention Filter behavior in Windows

• 09/14/2020

This article describes the functionality of the Port Scanning Prevention Filter in Windows Server 2008 and later versions of Windows. It also includes a workaround for the by-design behavior that generates lots of disk I/O when there's activity in the wfpdiag.etl log.

Original product version: Windows Server 2012 R2

Original KB number: 3044882

Symptoms:

Consider the following scenario:

• You have a custom networking application installed on your server.
• The application captures lots of traffic on the wire.
• The server may be using a DHCP-assigned IP address.

In this scenario, a large volume of disk I/O may be generated when writes are made to the C:\Windows\System32\wfp\wfpdiag.etl log.

[EDIT] The correct path for the log file is: C:\ProgramData\Microsoft\Windows\wfp\wfpdiag.etl

Cause

This behavior is by design. When the Port Scanning Prevention Filter is triggered, this typically means that there's no process listening on the port. (For security reasons, WFP blocks process listening.) When a connection is tried on a port where there's no listener, WFP recognizes the packet as if it was coming from a port scanner and therefore silently drops the connection.

If there had been a listener, and the communication was instead blocked because of either malformed packets or authentication, the dropped event would be listed as "DROP" (not silent), and WFP logging would indicate a different filter ID and name.

This filter is built in to the Windows Firewall and Advanced Security (WFAS). It's included in Windows Vista, Windows Server 2008, and later versions of Windows.

Workaround

To work around this issue, disable WFP logging in the registry:

1. Start Registry Editor.
2. Locate the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy\Options
3. Right-click the subkey, click New, and then create a DWORD (32-bit) registry value.
4. Type CollectNetEvents as the registry value name.
5. Leave the value data as 0.
6. Restart the server.

[EDIT] This can also be disabled using an elevated command prompt and typing the command: "netsh wfp set options netevents=off"

Note

By disabling WFP logging, this only stops the logging of WFP activity in wfpdiag.etl. The Port Scanning Prevention Filter continues to work normally.


So I have found a solution that work for me. I don't know if qBittorrent can be patched to prevent the trigger of the Windows Firewall Port Scanning Prevention Filter. I hope that this information will help others that have similar problems of heavy SSD writing using qBittorrent.

Thanks.
Post Reply