Monday, June 27th 2022

Windows Defender can Significantly Impact Intel CPU Performance, We have the Fix

Kevin Glynn, aka "Uncle Webb," our associate software author behind popular utilities such as ThrottleStop and RealTemp, developed a new utility named Counter Control, which lets you monitor and log the performance counters of Intel Core processors since 2008 (Core "Nehalem"). During development for ThrottleStop, Kevin discovered a fascinating bug with Windows Defender, the built-in security software of Windows, which causes significantly higher performance impact on the processor than it should normally have. Of course a security software is bound to have some (small) performance impact during real-time protection, but this is much bigger.

The first sign that something is happening is that HWiNFO will be reporting a reduced "Effective Clock" speed when the CPU is fully loaded. A much bigger problem is that when Defender is affected by the bug, performance of your machine will be significantly reduced. For example, a Core i9-10850K running at 5.00 GHz all-core loses 1000 Cinebench points (or 6%). Such a performance loss has been reported by owners of Intel Core 8th, 9th, 10th and 11th Gen, both desktop and mobile CPUs, on both Windows 10 and Windows 11. AMD processors are not affected.

The underlying issue that costs so much performance is that Windows Defender will randomly start using all seven hardware performance counters provided by Intel Core processors, which includes three fixed function counters. Each of these counters can be programmed in one of four modes, to configure at which privilege level it counts—Disabled, OS (ring-0), User (ring>0), and All-Ring levels. Since these counters are a shared resource, it is possible that multiple programs want to access these counters at the same time.

Popular system utilities like HWiNFO, OCCT, Core Temp, and ThrottleStop, all set these counters to "mode 3" or "All-Ring Levels." Since they all set the same mode, there's no issues with multiple programs using the same counter. Windows Defender on the other hand will set these counters to "mode 2", at what looks like random intervals, for random durations of time. This can happen when a computer first boots up or it can happen at any time after that. While Windows Defender is running in the background, it can start and stop or continuously try to change these counters to mode 2 at any time. Just to clarify, the performance loss will happen even without any monitoring software running—Defender will still use excessive CPU time.

The issue is not with the Intel hardware, as setting the same timers as Windows Defender manually has no negative performance impact. Also, if these counters are manually overwritten, Defender detects that, immediately stops whatever it is doing and performance returns to normal—without any negative effect on the ability to detect viruses in real-time.
Our Counter Control software monitors and logs the "IA32_FIXED_CTR_CTRL" register of Intel Core processors, located at MSR 0x38D. This register provides access to the three fixed-function performance monitoring counters mentioned before. Counter Control will inform users if any software is using the Intel fixed-function counters, and for how long they've been in use. Typical values reported by Counter Control look like this:
  • Not Used - 0x000: The three fixed function counters are stopped. None of the counters are presently being used.
  • Defender - 0x222: All three fixed function counters are programmed to mode 2. This is the value that Windows Defender sets these counters to when it is using them.
  • Normal - 0x330: Two counters are programmed to mode 3. One counter is programmed to mode 0 and is not being used. This is normal. Most monitoring programs that use these counters will program the counter control register to this value.
  • Warning - 0x332: This is shown when two counters are being used normally by monitoring software while the third counter has been set to mode 2, likely by Windows Defender. This is a warning that two different programs might be fighting over control of the shared counters. You might see the counter control register constantly changing between 0x222 and 0x332. This is what you will see when running HWiNFO if Windows Defender is trying to use the IA32_FIXED function counters at the same time.
If your system seems affected, showing the "Defender" readout, then a quick fix is to click the "Reset Counters" button in Counter Control. By pressing the button, one timer will be reprogrammed to mode 3, which will be detected by Defender, and Defender will stop doing its thing and restore performance. Please verify with benchmarks.
There are two ways to go about mitigating this performance loss permanently. You could disable Windows Defender Real-time Monitoring, which is highly not recommended due to the security implications; or you could use the latest version 9.5 of ThrottleStop, which has a feature in the "Options" window, called "Windows Defender Boost." Ticking this ensures maximum performance and accurate Core Effective Clock monitoring in all applications whether Windows Defender real-time protection is enabled or not. To achieve that goal, ThrottleStop activates one of the programmable timers immediately. When Windows Defender detects that some user software is trying to use one of the programmable counters, it stops using all the counters and leaves them alone for as long as that counter stays enabled. This returns performance back to normal. The "Reset" button in Counter Control does the same, and gives people a way to activate only this mechanism, without having to start ThrottleStop. Just to clarify, Windows Defender will continue to work fine. It can still detect and notify users of any viruses. When started once, with the "Windows Defender Boost" option, ThrottleStop will let the timer running in mode 3, even when closed. This means you can start ThrottleStop once at bootup, close it right afterward, and your system will be protected from the Defender performance issues.

If "Windows Defender Boost" is not checked, the counter will be initially cleared. This stops the Window Defender algorithm but ThrottleStop will no longer try to keep one counter running while using ThrottleStop and it will not keep that one counter running after you exit ThrottleStop. This allows a person to use ThrottleStop without having to worry that ThrottleStop might be doing something to Windows Defender that it should not be doing. After ThrottleStop starts up, if that timer is not being used, after 10 minutes or so, Windows Defender will check that timer, see that it is not being used, and will be able to start its mysterious performance-eating algorithm again.

Let us know your experience in the comments of this article. It'll be interesting to see how widespread this issue is, we have confirmed (thread at TPU, thread at OCN) it to be happening on many systems in recent months. If we make enough noise, I'm sure Microsoft will look into why they need that many timers in Defender, why there's such a big performance hit, and fix it accordingly.

As always, let us know your thoughts and questions in the comments. Also let us know if you didn't understand certain technical details, so we can improve this writeup.

Counter Control is available as free download in our downloads section.
Add your own comment

257 Comments on Windows Defender can Significantly Impact Intel CPU Performance, We have the Fix

#1
phanbuey
wow what a great find... and solution!
Posted on Reply
#2
HD64G
Good thing it was both found and solved using a small tool. Kudos!
Posted on Reply
#3
plastiscɧ
i have always known and said...!
now we have it in black and white. :cool:

great job!
:lovetpu:


@lexluthermiester :D

i killed it a long time ago
:nutkick:
Posted on Reply
#4
VulkanBros
I have a fix too...AMD CPU :roll: (couldn't resist :))
Posted on Reply
#6
unclewebb
ThrottleStop & RealTemp Author
Here is an easy test to see if this is an issue for your Intel based computer.

Run Counter Control 1.1 and see if it reports 0x222 for the status of the counters. This is usually a sign that Windows Defender is hard at work, wasting CPU cycles. Run Cinebench R23 and see what score you get for a baseline.



It appears that Windows Defender is reducing CPU performance. Press the Reset Counters button and this will stop the Windows Defender Real-time Notification messaging system that has run amok. It also resets the counters to normal values. The result is a nice boost in performance.



People have been aware of inconsistent performance for quite a while. This problem has been around for at least 2 years and probably longer. Nice to finally find a way to detect this issue as well as come up with a solution for this problem. Simply running ThrottleStop 9.5 is enough to fix this issue and restore full performance.
Posted on Reply
#7
tabascosauz
@AusWolf good you brought up Defender CPU usage few days ago, this might be something worth checking out for yours
Posted on Reply
#8
Ed_1
I tried it on a 12600k and it shows normal all times running CBxx with HWinfo64, also checked with PE and defender shows 0.0 usage.
So seems I am not affected or at least not while I tested, maybe right after a fresh reboot would show different results.
Posted on Reply
#9
AusWolf
tabascosauz@AusWolf good you brought up Defender CPU usage few days ago, this might be something worth checking out for yours
Huh? Do you mean Defender initiating a search even when Cinebench is running if I don't move the mouse? If so, that's really annoying. I'll test the program, see what it says.

Honestly, I thought it was an issue of Defender not considering Cinebench as "user input". I wouldn't have thought it had anything to do with having an Intel CPU. o_O
Posted on Reply
#10
Makaveli
Ed_1I tried it on a 12600k and it shows normal all times running CBxx with HWinfo64, also checked with PE and defender shows 0.0 usage.
So seems I am not affected or at least not while I tested, maybe right after a fresh reboot would show different results.
"Such a performance loss has been reported by owners of Intel Core 8th, 9th, 10th and 11th Gen, both desktop and mobile CPUs"
Posted on Reply
#11
unclewebb
ThrottleStop & RealTemp Author
Ed_1I tried it on a 12600k and it shows normal all times
So far this issue has only been reported on computers with Intel 8th to 11th Gen CPUs.

Try doing a sleep resume cycle. Exit HWiNFO and leave Counter Control running on the desktop. Does Counter Control still report Normal or Not Used after you resume? My 10th Gen computer always shows Defender has set the counters to 0x222 after I resume from sleep.

Some users originally thought that this might only last for a few minutes. In some instances, I have seen this slow down due to Windows Defender go on for 3 or 4 hours. I gave up monitoring after that. Performance is reduced for the entire time.

Posted on Reply
#12
Vayra86
Fork some of my supporter Kudos over to the Webb please :)

Well done sir!
Posted on Reply
#13
unclewebb
ThrottleStop & RealTemp Author
AusWolfDo you mean Defender initiating a search even when Cinebench is running if I don't move the mouse?
You can be running Cinebench or playing a game or moving the mouse or using your computer however you normally use your computer. Whatever Windows Defender is doing, it can have a big negative impact on performance. Do some 3D Mark testing while Windows Defender has the counters set to 0x222 and then do a similar test when this is not happening. The drop in performance should be obvious.
Posted on Reply
#14
ThrashZone
Hi,
Last I looked a 5800x with 3060 laptop would be my choice.
Posted on Reply
#16
GreiverBlade
VulkanBrosI have a fix too...AMD CPU :roll: (couldn't resist :))
and here i was, "awwwww defender is the issue" and then read "AMD cpu not affected" proceed to "oh, so Defender is perfectly fine ... Intel is the issue"

did they use a "performance boost shortcut that turned ou to be a vulnerability" (after mitigation: also a loss of performance ) but failed and instead made an issue?

nonetheless AWESOME @unclewebb :lovetpu: fantastic job!

@ThrashZone actually Defender is perfectly fine ... and other "real" antivirus always turned bad later on ... (free or not)
i use defender since i switched to Win 8.1 and never had any issue ever (which i had with "real" antivirus which were ranging from "ressources hog" to "not efficient at all and had to do all manually or reinstall" to me every single paid/subscription even the "free" version of them are just scam. )
Posted on Reply
#17
AusWolf
unclewebbYou can be running Cinebench or playing a game or moving the mouse or using your computer however you normally use your computer. Whatever Windows Defender is doing, it can have a big negative impact on performance. Do some 3D Mark testing while Windows Defender has the counters set to 0x222 and then do a similar test when this is not happening. The drop in performance should be obvious.
Wow! This is night and day. :eek:

Here's a Cinebench run after a normal startup (Steam and GOG Galaxy running in the background):


And here's a Cinebench run after clicking "Reset Counters" (Steam and GOG Galaxy still running in the background):
Posted on Reply
#18
OneMoar
There is Always Moar
cue microsoft & intel patching this in 3 2 1 ...
Posted on Reply
#19
unclewebb
ThrottleStop & RealTemp Author
For a long time some people have noticed that HWiNFO was not reporting the full effective clock speed when the CPU was fully loaded. This was not a problem with HWiNFO. This happens because Windows Defender is changing the system counters that HWiNFO is trying to use. This interferes with HWiNFO's Effective Clock results.

The small difference in Effective Clock speed when fully loaded does not accurately indicate the drop in performance.
Many users might have noticed this issue but chose to ignore it, thinking it was not that important.



Posted on Reply
#20
ThrashZone
GreiverBladeand here i was, "awwwww defender is the issue" and then read "AMD cpu not affected" proceed to "oh, so Defender is perfectly fine ... Intel is the issue"

did they use a "performance boost shortcut that turned ou to be a vulnerability" (after mitigation: also a loss of performance ) but failed and instead made an issue?

nonetheless AWESOME @unclewebb :lovetpu: fantastic job!

@ThrashZone actually Defender is perfectly fine ... and other "real" antivirus always turned bad later on ... (free or not)
i use defender since i switched to Win 8.1 and never had any issue ever (which i had with "real" antivirus which were ranging from "ressources hog" to "not efficient at all and had to do all manually or reinstall" to me every single paid/subscription even the "free" version of them are just scam. )
Hi,
No thanks I'll stick with the "bad third party" mbam pro and keep getting rid of pretender :cool:
Posted on Reply
#21
AusWolf
GreiverBladeand here i was, "awwwww defender is the issue" and then read "AMD cpu not affected" proceed to "oh, so Defender is perfectly fine ... Intel is the issue"

did they use a "performance boost shortcut that turned ou to be a vulnerability" (after mitigation: also a loss of performance ) but failed and instead made an issue?
Actually, Defender is the issue... on a few select Intel platforms. :roll: (including mine) :(
Posted on Reply
#22
unclewebb
ThrottleStop & RealTemp Author
GreiverBladeAMD cpu not affected
AMD CPUs have not been tested yet. They might have a similar issue where Windows Defender is hard at work, doing something in the background that it really does not need to be doing.
OneMoarmicrosoft patching this in 3 2 1 ...
Given that this issue has been around for years, it will likely take longer than that.
AusWolfWow! This is night and day.
Thanks for posting your results.

Was this all just an honest mistake or was someone trying to make Intel CPUs look slower than they are? All CPU reviews during the last few years are suddenly suspect if they were not testing for this issue. Windows Defender can start and stop this part of its algorithm at any time. As soon as it starts, performance tanks.
Posted on Reply
#23
GreiverBlade
AusWolfActually, Defender is the issue... on a few select Intel platforms.:roll: (including mine) :(
well the issue is caused by Intel thus Intel is the cause then?
unclewebbAMD CPUs have not been tested yet. They might have a similar issue where Windows Defender is hard at work, doing something in the background that it really does not need to be doing.
if they have, i do not notice it ;) defender is at 0% Malware protection is at 0.2% which is MsMp (and also use half the RAM your screenshot show )

@ThrashZone MBAM is ok ... but i meant other AV like well ... Norton and co which are more akin to malware than AV in the end
and defender was recognized as one of the best (if not the best) in the AV category, some time ago, although i do not remember the source but i am 100% sure i did read it somewhere
Posted on Reply
#24
AusWolf
unclewebbThanks for posting your results.
No problem. I hope something can be done to bring this to Microsoft's attention and fix this.
unclewebbWas this all just an honest mistake or was someone trying to make Intel CPUs look slower than they are? All CPU reviews during the last few years are suddenly suspect if they were not testing for this issue. Windows Defender can start and stop this part of its algorithm at any time. As soon as it starts, performance tanks.
It starts as soon as you boot up the system. I think Intel would be under more suspicion if AMD CPUs were slowed down. Who would want to cripple Intel? Microsoft? Nah, they're best buddies for life.
GreiverBladewell the issue is caused by Intel thus Intel is the cause then?
How is it caused by Intel?
Posted on Reply
#25
OneMoar
There is Always Moar
unclewebbWas this all just an honest mistake or was someone trying to make Intel CPUs look slower than they are? All CPU reviews during the last few years are suddenly suspect if they were not testing for this issue. Windows Defender can start and stop this part of its algorithm at any time. As soon as it starts, performance tanks.
can we not with the clickbait speculation

great job finding this its a minor bug and will be shortly patched if enough noise is made about it

6% is hardly significant in the grand scheme

remember that your average user doesn't care and if it doesn't impact the average user neither does intel/microsoft

and PSA:Windows defender Consistently ranks at the top of the protection and performance charts it should be your goto when basic protection is required
Posted on Reply
Add your own comment
Dec 23rd, 2024 11:23 EST change timezone

New Forum Posts

Popular Reviews

Controversial News Posts