Monday, June 27th 2022

Windows Defender can Significantly Impact Intel CPU Performance, We have the Fix

Kevin Glynn, aka "Uncle Webb," our associate software author behind popular utilities such as ThrottleStop and RealTemp, developed a new utility named Counter Control, which lets you monitor and log the performance counters of Intel Core processors from 2008 (Core "Nehalem") onward. During development for ThrottleStop, Kevin discovered a fascinating bug with Windows Defender, the built-in security software of Windows, which causes a significantly higher performance impact on the processor than it should normally have. Of course, security software is bound to have some (small) performance impact during real-time protection, but this is much bigger.

The first sign that something is happening is that HWiNFO will be reporting a reduced "Effective Clock" speed when the CPU is fully loaded. A much bigger problem is that when Defender is affected by the bug, performance of your machine will be significantly reduced. For example, a Core i9-10850K running at 5.00 GHz all-core loses 1000 Cinebench points (or 6%). Such a performance loss has been reported by owners of Intel Core 8th, 9th, 10th and 11th Gen, both desktop and mobile CPUs, on both Windows 10 and Windows 11. AMD processors are not affected.

The underlying issue that costs so much performance is that Windows Defender will randomly start using all seven hardware performance counters provided by Intel Core processors, which includes three fixed function counters. Each of these counters can be programmed in one of four modes, to configure at which privilege level it counts—Disabled, OS (ring-0), User (ring>0), and All-Ring levels. Since these counters are a shared resource, it is possible that multiple programs want to access these counters at the same time.

Popular system utilities like HWiNFO, OCCT, Core Temp, and ThrottleStop all set these counters to "mode 3" or "All-Ring Levels." Since they all set the same mode, there are no issues with multiple programs using the same counter. Windows Defender, on the other hand, will set these counters to "mode 2" at what looks like random intervals, for random durations of time. This can happen when a computer first boots up or it can happen at any time after that. While Windows Defender is running in the background, it can start and stop or continuously try to change these counters to mode 2 at any time. Just to clarify, the performance loss will happen even without any monitoring software running. Defender will still use excessive CPU time.

The issue is not with the Intel hardware, as setting the same timers as Windows Defender manually has no negative performance impact. Also, if these counters are manually overwritten, Defender detects that, immediately stops whatever it is doing, and performance returns to normal, without any negative effect on the ability to detect viruses in real-time.

Our Counter Control software monitors and logs the "IA32_FIXED_CTR_CTRL" register of Intel Core processors, located at MSR 0x38D. This register provides access to the three fixed-function performance monitoring counters mentioned before. Counter Control will inform users if any software is using the Intel fixed-function counters, and for how long they've been in use. Typical values reported by Counter Control look like this:
  • Not Used - 0x000: The three fixed function counters are stopped. None of the counters are presently being used.
  • Defender - 0x222: All three fixed function counters are programmed to mode 2. This is the value that Windows Defender sets these counters to when it is using them.
  • Normal - 0x330: Two counters are programmed to mode 3. One counter is programmed to mode 0 and is not being used. This is normal. Most monitoring programs that use these counters will program the counter control register to this value.
  • Warning - 0x332: This is shown when two counters are being used normally by monitoring software while the third counter has been set to mode 2, likely by Windows Defender. This is a warning that two different programs might be fighting over control of the shared counters. You might see the counter control register constantly changing between 0x222 and 0x332. This is what you will see when running HWiNFO if Windows Defender is trying to use the IA32_FIXED function counters at the same time.
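
Decoding these readouts, as an added example that is not Counter Control's own code: each fixed counter owns a 4-bit field in IA32_FIXED_CTR_CTRL, and the low two bits of each field hold the mode. The sample layout, the function names and the logged readings are assumptions constructed for illustration, and classifying by per-counter mode generalizes the four typical values listed above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* IA32_FIXED_CTR_CTRL (MSR 0x38D): one 4-bit field per fixed counter.
 * Bits 1:0 of each field select the mode named in the article:
 * 0 = disabled, 1 = OS (ring 0), 2 = User (ring > 0), 3 = all rings.
 * Bits 3:2 of each field (AnyThread, PMI enable) are ignored here. */
#define FIXED_COUNTERS 3

enum ctr_state { CTR_NOT_USED, CTR_DEFENDER, CTR_NORMAL, CTR_WARNING, CTR_OTHER };

/* One logged reading; this layout is an assumption made for the example. */
struct sample { unsigned seconds; uint64_t reg; };

/* Mode (0..3) of fixed counter idx (0..2). */
static unsigned fixed_ctr_mode(uint64_t reg, unsigned idx)
{
    return (unsigned)((reg >> (4 * idx)) & 0x3);
}

/* Map a register value onto the labels the article lists. */
static enum ctr_state classify(uint64_t reg)
{
    unsigned count[4] = {0, 0, 0, 0};
    for (unsigned i = 0; i < FIXED_COUNTERS; i++)
        count[fixed_ctr_mode(reg, i)]++;

    if (count[0] == FIXED_COUNTERS) return CTR_NOT_USED;  /* e.g. 0x000 */
    if (count[2] == FIXED_COUNTERS) return CTR_DEFENDER;  /* e.g. 0x222 */
    if (count[2] && count[3])       return CTR_WARNING;   /* e.g. 0x332 */
    if (count[3] && !count[1])      return CTR_NORMAL;    /* e.g. 0x330 */
    return CTR_OTHER;                                     /* anything else */
}

/* Seconds spent in `state`, attributing each interval to the reading that
 * starts it (the last sample has no following interval). */
static unsigned seconds_in_state(const struct sample *s, size_t n,
                                 enum ctr_state state)
{
    unsigned total = 0;
    for (size_t i = 0; i + 1 < n; i++)
        if (classify(s[i].reg) == state)
            total += s[i + 1].seconds - s[i].seconds;
    return total;
}

/* Count flips between the Defender and Warning states: the 0x222 <-> 0x332
 * pattern the article describes when two programs fight over the counters. */
static unsigned contention_flips(const struct sample *s, size_t n)
{
    unsigned flips = 0;
    for (size_t i = 1; i < n; i++) {
        enum ctr_state a = classify(s[i - 1].reg), b = classify(s[i].reg);
        if ((a == CTR_DEFENDER && b == CTR_WARNING) ||
            (a == CTR_WARNING && b == CTR_DEFENDER))
            flips++;
    }
    return flips;
}

/* Constructed sample log, not captured from a real machine. */
static const struct sample sample_log[] = {
    {   0, 0x000 }, { 180, 0x222 }, { 240, 0x332 }, { 242, 0x222 },
    { 244, 0x332 }, { 246, 0x222 }, { 300, 0x330 }, { 360, 0x330 },
};
#define SAMPLE_COUNT (sizeof sample_log / sizeof sample_log[0])

int main(void)
{
    static const char *names[] = { "Not Used", "Defender", "Normal",
                                   "Warning", "Other" };
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        printf("t=%3us  0x%03llx  %s\n", sample_log[i].seconds,
               (unsigned long long)sample_log[i].reg,
               names[classify(sample_log[i].reg)]);
    printf("Defender seconds: %u, contention flips: %u\n",
           seconds_in_state(sample_log, SAMPLE_COUNT, CTR_DEFENDER),
           contention_flips(sample_log, SAMPLE_COUNT));
    return 0;
}
```

Reading the live register requires a kernel-mode driver, which is why the example works on already-logged values.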

If your system seems affected, showing the "Defender" readout, then a quick fix is to click the "Reset Counters" button in Counter Control. Pressing the button reprograms one timer to mode 3, which Defender detects; Defender then stops doing its thing and performance is restored. Please verify with benchmarks.

There are two ways to go about mitigating this performance loss permanently. You could disable Windows Defender Real-time Monitoring, which is strongly discouraged due to the security implications; or you could use the latest version 9.5 of ThrottleStop, which has a feature in the "Options" window called "Windows Defender Boost." Ticking this ensures maximum performance and accurate Core Effective Clock monitoring in all applications whether Windows Defender real-time protection is enabled or not.

To achieve that goal, ThrottleStop activates one of the programmable timers immediately. When Windows Defender detects that some user software is trying to use one of the programmable counters, it stops using all the counters and leaves them alone for as long as that counter stays enabled. This returns performance back to normal. The "Reset" button in Counter Control does the same, and gives people a way to activate only this mechanism, without having to start ThrottleStop.

Just to clarify, Windows Defender will continue to work fine. It can still detect and notify users of any viruses. When started once with the "Windows Defender Boost" option, ThrottleStop will leave the timer running in mode 3, even when closed. This means you can start ThrottleStop once at bootup, close it right afterward, and your system will be protected from the Defender performance issues.

If "Windows Defender Boost" is not checked, the counter will be initially cleared. This stops the Windows Defender algorithm, but ThrottleStop will no longer try to keep one counter running while it is in use, and it will not keep that one counter running after you exit ThrottleStop. This allows a person to use ThrottleStop without having to worry that ThrottleStop might be doing something to Windows Defender that it should not be doing. After ThrottleStop starts up, if that timer is not being used, after 10 minutes or so, Windows Defender will check that timer, see that it is not being used, and will be able to start its mysterious performance-eating algorithm again.

Let us know your experience in the comments of this article. It'll be interesting to see how widespread this issue is. We have confirmed (thread at TPU, thread at OCN) that it has been happening on many systems in recent months. If we make enough noise, I'm sure Microsoft will look into why they need that many timers in Defender, why there's such a big performance hit, and fix it accordingly.

As always, let us know your thoughts and questions in the comments. Also let us know if you didn't understand certain technical details, so we can improve this writeup.

Counter Control is available as a free download in our downloads section.

257 Comments on Windows Defender can Significantly Impact Intel CPU Performance, We have the Fix

#226
Solaris17
Super Dainty Moderator
unclewebb: I am not sure what version of Windows were being used or what updates were installed. The last person to contact me about this issue was not that long ago.
Interestingly, as far as random conjecture goes. I ran your tool 2-3 weeks ago before Christmas just to see if my machine was affected as I only had defender on it and it never once stole the show. /shrug
Posted on Reply
#227
lexluthermiester
unclewebb: I am not sure what version of Windows were being used or what updates were installed. The last person to contact me about this issue was not that long ago.
Solaris17: Interestingly, as far as random conjecture goes. I ran your tool 2-3 weeks ago before Christmas just to see if my machine was affected as I only had defender on it and it never once stole the show. /shrug
Maybe it's still present in a limited number of PCs? Perhaps it's a specific configuration dependent thing?
Posted on Reply
#228
unclewebb
ThrottleStop & RealTemp Author
I just had a look through my private messages and found this one from Dec 22.
I built a computer with an i5-13600K running Windows 11 23H2 and I’ve encountered the bug where a few minutes after starting windows, the anti malware service will start using 2% of my CPU when running benchmarks like Cinebench, lowering my scores by nearly 4%. Counter Control does resolve this performance loss.
The 2% performance hit is not accurate because the performance monitoring timers are being manipulated by Windows Defender when this problem happens.
Posted on Reply
#229
lexluthermiester
unclewebb: The 2% performance hit is not accurate because the performance monitoring timers are being manipulated by Windows Defender when this problem happens.
That's a bit messed up. Another example of Microsoft being dishonest?
Posted on Reply
#230
ThrashZone
unclewebb: I just had a look through my private messages and found this one from Dec 22.

The 2% performance hit is not accurate because the performance monitoring timers are being manipulated by Windows Defender when this problem happens.
Hi,
You know what else kicks in after startup
Windows checking for updates even set on manual
Disabled doesn't stick
I have my wifi off or set to not to auto connect
Every startup I have to stop updates service and switch back to disabled before connecting wifi lol
If I forget just opening settings page you can see ms boasting that it checked for updates.
Pure freaking evil.

Hell it checks even when still set on disabled lol
Posted on Reply
#231
lexluthermiester
ThrashZone: Disabled doesn't stick
That depends. You have to disable several services to truly disable autoupdates and facilitate manual update applications.
Posted on Reply
#232
ThrashZone
lexluthermiester: That depends. You have to disable several services to truly disable autoupdates and facilitate manual update applications.
Hi,
I ran @W1zzard turn off or remove windows update script and this is what happening lol
Think I ran the restore manual updating so that could be why it's acting like this.

I'll do it again without the restore manual and see what happens tomorrow...
rem Stop and delete Windows Update Medic Service (it re-enables Windows Update)
net stop WaasMedicSvc
takeown /f %SYSTEMROOT%\System32\WaaSMedicSvc.dll
cacls %SYSTEMROOT%\System32\WaaSMedicSvc.dll /e /p "Administrator":f
del %SYSTEMROOT%\System32\WaaSMedicSvc.dll

rem Stop and disable Update Orchestrator Service
net stop UsoSvc
takeown /f %SYSTEMROOT%\System32\usosvc.dll
cacls %SYSTEMROOT%\System32\usosvc.dll /e /p "Administrator":f
ren %SYSTEMROOT%\System32\usosvc.dll usosvc.dll.disabled

rem Stop and disable Windows Update Service
net stop wuauserv
takeown /f %SYSTEMROOT%\System32\wuaueng.dll
cacls %SYSTEMROOT%\System32\wuaueng.dll /e /p "Administrator":f
ren %SYSTEMROOT%\System32\wuaueng.dll wuaueng.dll.disabled
takeown /f %SYSTEMROOT%\System32\wuauserv.dll
cacls %SYSTEMROOT%\System32\wuauserv.dll /e /p "Administrator":f
ren %SYSTEMROOT%\System32\wuauserv.dll wuauserv.dll.disabled

rem Remove scheduled tasks
PowerShell "(New-Object System.Net.WebClient).DownloadFile('https://www.poweradmin.com/paexec/paexec.exe','%TEMP%\paexec.exe');
for /f "delims=" %f in ('dir /b %WINDIR%\System32\Tasks\Microsoft\Windows\WaaSMedic') do %TEMP%\paexec -i -s schtasks /delete /f /tn "Microsoft\Windows\WaaSMedic\%f"
rmdir %WINDIR%\System32\Tasks\Microsoft\Windows\WaaSMedic
copy NUL %WINDIR%\System32\Tasks\Microsoft\Windows\WaaSMedic

for /f "delims=" %f in ('dir /b %WINDIR%\System32\Tasks\Microsoft\Windows\UpdateOrchestrator') do %TEMP%\paexec -i -s schtasks /delete /f /tn "Microsoft\Windows\UpdateOrchestrator\%f"
rmdir %WINDIR%\System32\Tasks\Microsoft\Windows\UpdateOrchestrator
copy NUL %WINDIR%\System32\Tasks\Microsoft\Windows\UpdateOrchestrator

for /f "delims=" %f in ('dir /b %WINDIR%\System32\Tasks\Microsoft\Windows\WindowsUpdate') do %TEMP%\paexec -i -s schtasks /delete /f /tn "Microsoft\Windows\WindowsUpdate\%f"
rmdir %WINDIR%\System32\Tasks\Microsoft\Windows\WindowsUpdate
copy NUL %WINDIR%\System32\Tasks\Microsoft\Windows\WindowsUpdate

del %TEMP%\paexec.exe
Posted on Reply
#233
lexluthermiester
ThrashZone: Hi,
I ran @W1zzard turn off or remove windows update script and this is what happening lol
Think I ran the restore manual updating so that could be why it's acting like this.

I'll do it again without the restore manual and see what happens tomorrow...
rem Stop and delete Windows Update Medic Service (it re-enables Windows Update)
net stop WaasMedicSvc
takeown /f %SYSTEMROOT%\System32\WaaSMedicSvc.dll
cacls %SYSTEMROOT%\System32\WaaSMedicSvc.dll /e /p "Administrator":f
del %SYSTEMROOT%\System32\WaaSMedicSvc.dll

rem Stop and disable Update Orchestrator Service
net stop UsoSvc
takeown /f %SYSTEMROOT%\System32\usosvc.dll
cacls %SYSTEMROOT%\System32\usosvc.dll /e /p "Administrator":f
ren %SYSTEMROOT%\System32\usosvc.dll usosvc.dll.disabled

rem Stop and disable Windows Update Service
net stop wuauserv
takeown /f %SYSTEMROOT%\System32\wuaueng.dll
cacls %SYSTEMROOT%\System32\wuaueng.dll /e /p "Administrator":f
ren %SYSTEMROOT%\System32\wuaueng.dll wuaueng.dll.disabled
takeown /f %SYSTEMROOT%\System32\wuauserv.dll
cacls %SYSTEMROOT%\System32\wuauserv.dll /e /p "Administrator":f
ren %SYSTEMROOT%\System32\wuauserv.dll wuauserv.dll.disabled

rem Remove scheduled tasks
PowerShell "(New-Object System.Net.WebClient).DownloadFile('https://www.poweradmin.com/paexec/paexec.exe','%TEMP%\paexec.exe');
for /f "delims=" %f in ('dir /b %WINDIR%\System32\Tasks\Microsoft\Windows\WaaSMedic') do %TEMP%\paexec -i -s schtasks /delete /f /tn "Microsoft\Windows\WaaSMedic\%f"
rmdir %WINDIR%\System32\Tasks\Microsoft\Windows\WaaSMedic
copy NUL %WINDIR%\System32\Tasks\Microsoft\Windows\WaaSMedic

for /f "delims=" %f in ('dir /b %WINDIR%\System32\Tasks\Microsoft\Windows\UpdateOrchestrator') do %TEMP%\paexec -i -s schtasks /delete /f /tn "Microsoft\Windows\UpdateOrchestrator\%f"
rmdir %WINDIR%\System32\Tasks\Microsoft\Windows\UpdateOrchestrator
copy NUL %WINDIR%\System32\Tasks\Microsoft\Windows\UpdateOrchestrator

for /f "delims=" %f in ('dir /b %WINDIR%\System32\Tasks\Microsoft\Windows\WindowsUpdate') do %TEMP%\paexec -i -s schtasks /delete /f /tn "Microsoft\Windows\WindowsUpdate\%f"
rmdir %WINDIR%\System32\Tasks\Microsoft\Windows\WindowsUpdate
copy NUL %WINDIR%\System32\Tasks\Microsoft\Windows\WindowsUpdate

del %TEMP%\paexec.exe
Something that script is missing is the WaaS and the Update protection services. Those also need to be forcibly disabled to set the updates to full manual.
Posted on Reply
#234
ThrashZone
lexluthermiester: Something that script is missing is the WaaS and the Update protection services. Those also need to be forcibly disabled to set the updates to full manual.
You got the code until W1zzard passes by ?
Posted on Reply
#235
lexluthermiester
ThrashZone: You got the code until W1zzard passes by ?
There is no scriptable "code", at least that I know of. Those two services are "protected" and you have to deep dive the registry to control them. AFAIK, this can not be avoided.

EDIT:
Ok, just did a fresh install so I could get into the nitty-gritty of it to remind myself, and the services that need disabling that were not included in your above post are BITS (Background Intelligent Transfer Service) and both of the Web Threat Defense services (one will be a unique User instance).

You have to disable Windows Defender Tamper Protection and all protection before making any of these changes. Otherwise Defender will just change them back. Running that script does not prevent Defender or the OS itself from turning things back on unless you specifically disable them and lock the system out of making changes in the registry.
Posted on Reply
#236
ThrashZone
lexluthermiester: There is no scriptable "code", at least that I know of. Those two services are "protected" and you have to deep dive the registry to control them. AFAIK, this can not be avoided.

EDIT:
Ok, just did a fresh install so I could get into the nitty-gritty of it to remind myself, and the services that need disabling that were not included in your above post are BITS (Background Intelligent Transfer Service) and both of the Web Threat Defense services (one will be a unique User instance).

You have to disable Windows Defender Tamper Protection and all protection before making any of these changes. Otherwise Defender will just change them back. Running that script does not prevent Defender or the OS itself from turning things back on unless you specifically disable them and lock the system out of making changes in the registry.
Hi,
Good info
WaaS... is showing running but error 2 as well might have something to do with W1zzard's script?
I can stop the service but can't switch it to disabled and just stopping it just repeats a few minutes later it's running again.

On a good note updates is still disabled after running the script again without restoring manual updating :cool:
But it's still early so updates will probably turn back on again.
Posted on Reply
#237
lexluthermiester
ThrashZone: WaaS... is showing running but error 2 as well might have something to do with W1zzard's script?
That description read error exists even on a fresh default install, so W1zzard's script is not involved there. I'm still looking at the situation, Microsoft has made a few changes in 23H2. Nothing drastic but things are doable..
Posted on Reply
#238
ThrashZone
lexluthermiester: That description read error exists even on a fresh default install, so W1zzard's script is not involved there. I'm still looking at the situation, Microsoft has made a few changes in 23H2. Nothing drastic but things are doable..
Hi,
Says last checked 7 hours ago and still shows disabled at 3:25pm lol
Damn that's only about 1.5 hours after startup it checked :/
That's messed up.
Posted on Reply
#239
lexluthermiester
ThrashZone: Hi,
Says last checked 7 hours ago and still shows disabled at 3:25pm lol
Damn that's only about 1.5 hours after startup it checked :/
That's messed up.
Weird..
Posted on Reply
#240
Mussels
Freshwater Moderator
ThrashZone: Hi,
You know what else kicks in after startup
Windows checking for updates even set on manual
Disabled doesn't stick
I have my wifi off or set to not to auto connect
Every startup I have to stop updates service and switch back to disabled before connecting wifi lol
If I forget just opening settings page you can see ms boasting that it checked for updates.
Pure freaking evil.

Hell it checks even when still set on disabled lol
That's not how it works here - just set that network as metered and you'll have no issues.
Posted on Reply
#241
AusWolf
I just checked on my 11700 after watching a film. Everything seems to be working as intended. MS really patched this, it seems. :)
Posted on Reply
#242
Ed_1
ThrashZone: Hi,
Good info
WaaS... is showing running but error 2 as well might have something to do with W1zzard's script?
I can stop the service but can't switch it to disabled and just stopping it just repeats a few minutes later it's running again.

On a good note updates is still disabled after running the script again without restoring manual updating :cool:
But it's still early so updates will probably turn back on again.
I have that same error in service name and never ran any scripts, Defender running normal.

Little update, I honestly forgot about this thread as I posted when I first tried it on my 12600k in Win10. It seems it was not an issue but now I couldn't find why new install of Win11 CPU-Z was slower than my notes in Win10.
Today I tried this and seems Defender 0x222 comes up and it was causing slightly lower scores.
I am on the latest Win11 23H2, 22631.3007.
Posted on Reply
#243
unclewebb
ThrottleStop & RealTemp Author
Ed_1: Defender 0x222 comes up and it was causing slightly lower scores
This should not be happening on the latest Windows 11 version if Microsoft actually patched this. I do not know why this problem is still showing up but only on some computers and not others.
Ed_1: CPU-Z
Cinebench is a good benchmark that will show the loss of performance when Defender is busy doing something in the background. My 10850K drops about 1000 points in Cinebench R23 when Counter Control shows that the timers have been set to 0x222.
Posted on Reply
#244
Ed_1
unclewebb: This should not be happening on the latest Windows 11 version if Microsoft actually patched this. I do not know why this problem is still showing up but only on some computers and not others.

Cinebench is a good benchmark that will show the loss of performance when Defender is busy doing something in the background. My 10850K drops about 1000 points in Cinebench R23 when Counter Control shows that the timers have been set to 0x222.
Here a 5 run test after fresh reboot. I will try CB2x and see but the MT in CPU-Z you can see 2%. also while the ST not seeing it there I normally never see 800 in ST run and now do even if it ends tiny bit below when finished.
Edit here results of CPU-Z, CB20/23.

Defender counters on. 0x222
ST= 796, 796, 793, 797, 795
MT= 7356, 7408, 7408, 7412, 7407
CB20= 6870, 6886, 6870
CB23= 17924, 18275, 18272

Defender counters off. 0x330
ST= 796, 797, 797, 799, 800
MT= 7564, 7559, 7552, 7540, 7554
CB20= 7077, 7091, 7088
CB23= 18579, 18591, 18545

PS: I noticed you can't run the tests from popular BenchMate app as it sets counters to "not used" 0x000 as soon as you run CB2x. You have to go into folder and run CB2x directly, no launcher.
Anyway, it is showing "Defender" 0x222 after a few mins on a fresh boot.
Posted on Reply
#245
lexluthermiester
Ed_1: BenchMate app
Try to lean away from Benchmark "Apps" from the app store. Install and use normal benchmarks as you will get more reliable results.
Posted on Reply
#246
Ed_1
lexluthermiester: Try to lean away from Benchmark "Apps" from the app store. Install and use normal benchmarks as you will get more reliable results.
I have them in both ways, BenchMate is handy way.
This is it.
benchmate.org/
Posted on Reply
#247
lexluthermiester
Ed_1: I have them in both ways, BenchMate is handy way.
This is it.
benchmate.org/
Ah, nice! Never seen that one before.

EDIT: That looks interesting, gonna give it a try. Thanks for posting the link!
Posted on Reply
#248
unclewebb
ThrottleStop & RealTemp Author
Ed_1: Anyway, it is showing "Defender" 0x222 after a few mins on a fresh boot.
That is typically what happens. That is why I believe that whatever Windows Defender is doing, it cannot be that important. If it was busy doing some real time defending of your computer, why is it not running this part of its algorithm immediately when you start up your computer?

@Ed_1
Thanks for doing some testing. It makes sense that there is zero difference in single threaded performance. If Defender is keeping one core busy, your CPU still has plenty of other cores available to run a single threaded benchmark at full speed.

The hit to multi threaded performance seems to be less on your computer compared to on my 10850K. If this Defender background task is being scheduled on one of the slower E cores, the loss of performance might not be as noticeable.

Interesting that BenchMate resets all of the performance monitoring timers but does not actually use any of them. There could be some other program that is running on many users' computers that is doing the same thing. That is the only way I can explain why this problem is still happening but only on some computers and not on all computers.

Perhaps some of us have accidentally opted in or have been chosen to run some unnecessary Windows Defender code in the background.
Posted on Reply
#249
Ed_1
unclewebb: That is typically what happens. That is why I believe that whatever Windows Defender is doing, it cannot be that important. If it was busy doing some real time defending of your computer, why is it not running this part of its algorithm immediately when you start up your computer?

@Ed_1
Thanks for doing some testing. It makes sense that there is zero difference in single threaded performance. If Defender is keeping one core busy, your CPU still has plenty of other cores available to run a single threaded benchmark at full speed.

The hit to multi threaded performance seems to be less on your computer compared to on my 10850K. If this Defender background task is being scheduled on one of the slower E cores, the loss of performance might not be as noticeable.

Interesting that BenchMate resets all of the performance monitoring timers but does not actually use any of them. There could be some other program that is running on many users' computers that is doing the same thing. That is the only way I can explain why this problem is still happening but only on some computers and not on all computers.

Perhaps some of us have accidentally opted in or have been chosen to run some unnecessary Windows Defender code in the background.
Hi, I have been testing some more and the Defender mode is always on so far (been 1/2 day); as mentioned, it goes on about 3 min in on a fresh boot.
The ST CPU-Z test is better with counters set to Normal - 0x330; my description above was not the best there. During the ST test I see 800 marks but sometimes it ends at 79x; in Defender mode it never spikes to 800, and those scores above are better than normal, as I tested that mode first and generally scores go down a tiny bit the longer the system is running.

Also the results seem more consistent in Normal - 0x330, plus I do see effective clocks lower like you do. My all core clocks of 4700 MHz show around mid 46xx in Defender mode - 0x222.

To give an idea of the performance loss, it would probably take about a 100 MHz OC to compensate for the hit.
Posted on Reply
#250
unclewebb
ThrottleStop & RealTemp Author
Ed_1: my all core clocks of 4700 MHz show around mid 46xx in Defender mode - 0x222
The actual clocks are consistent. The problem is that Windows Defender and HWiNFO are constantly fighting over control of the monitoring timers. HWiNFO sets the timers to mode 3 so it can accurately determine the effective clocks. Windows Defender comes along and changes the timers back to mode 2. This happens over and over again. Kind of like two people trying to share a single stop watch. This is what prevents HWiNFO from accurately measuring the effective clock speed. The clock speed has not changed. Just the ability to correctly monitor the effective clock speed has changed.

Monitoring software should be able to request exclusive access to these system timers. That would help prevent any fights like this over their use. The shared timer model that Intel uses is flawed.
Posted on Reply