Monday, June 27th 2022

Windows Defender can Significantly Impact Intel CPU Performance, We have the Fix

Kevin Glynn, aka "Uncle Webb," our associate software author behind popular utilities such as ThrottleStop and RealTemp, developed a new utility named Counter Control, which lets you monitor and log the performance counters of Intel Core processors since 2008 (Core "Nehalem"). During development for ThrottleStop, Kevin discovered a fascinating bug in Windows Defender, the built-in security software of Windows, which causes a significantly higher performance impact on the processor than it normally should. Of course, security software is bound to have some (small) performance impact during real-time protection, but this is much bigger.

The first sign that something is happening is that HWiNFO will be reporting a reduced "Effective Clock" speed when the CPU is fully loaded. A much bigger problem is that when Defender is affected by the bug, performance of your machine will be significantly reduced. For example, a Core i9-10850K running at 5.00 GHz all-core loses 1000 Cinebench points (or 6%). Such a performance loss has been reported by owners of Intel Core 8th, 9th, 10th and 11th Gen, both desktop and mobile CPUs, on both Windows 10 and Windows 11. AMD processors are not affected.

The underlying issue that costs so much performance is that Windows Defender will randomly start using all seven hardware performance counters provided by Intel Core processors, three of which are fixed-function counters. Each of these counters can be programmed in one of four modes, which configures the privilege level at which it counts: Disabled, OS (ring 0), User (ring > 0), and All Ring levels. Since these counters are a shared resource, multiple programs may want to access them at the same time.

Popular system utilities like HWiNFO, OCCT, Core Temp, and ThrottleStop all set these counters to "mode 3" or "All Ring Levels." Since they all set the same mode, there are no conflicts when multiple programs use the same counter. Windows Defender, on the other hand, sets these counters to "mode 2" at what look like random intervals, for random durations. This can happen when a computer first boots up or at any time after that. While Windows Defender is running in the background, it can start and stop, or continuously try to change these counters to mode 2, at any time. Just to clarify, the performance loss happens even without any monitoring software running: Defender will still use excessive CPU time.

The issue is not with the Intel hardware, as manually setting the counters the same way Windows Defender does has no negative performance impact. Also, if these counters are manually overwritten, Defender detects that, immediately stops whatever it is doing, and performance returns to normal, without any negative effect on its ability to detect viruses in real time.
Our Counter Control software monitors and logs the "IA32_FIXED_CTR_CTRL" register of Intel Core processors, located at MSR 0x38D. This register controls the three fixed-function performance monitoring counters mentioned before. Counter Control will tell you if any software is using the Intel fixed-function counters, and for how long they have been in use. Typical values reported by Counter Control look like this:
  • Not Used - 0x000: The three fixed-function counters are stopped. None of the counters is presently being used.
  • Defender - 0x222: All three fixed-function counters are programmed to mode 2. This is the value Windows Defender sets these counters to when it is using them.
  • Normal - 0x330: Two counters are programmed to mode 3. One counter is programmed to mode 0 and is not being used. This is normal. Most monitoring programs that use these counters program the counter control register to this value.
  • Warning - 0x332: Shown when two counters are being used normally by monitoring software while the third counter has been set to mode 2, most likely by Windows Defender. This is a warning that two different programs might be fighting over control of the shared counters. You might see the counter control register constantly changing between 0x222 and 0x332. This is what you will see when running HWiNFO while Windows Defender is trying to use the fixed-function counters at the same time.
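As an added illustration (not Counter Control's or ThrottleStop's own code), the following Python decodes logged IA32_FIXED_CTR_CTRL values into per-counter modes and the readout labels above, then scans a constructed sample log for the 0x222/0x332 flip-flopping that signals two programs fighting over the counters. The log format and the generalisation in `classify` (any mix of mode 2 and mode 3 counts as a Warning, not only 0x332) are my assumptions, not the tool's.

```python
# Added example, not code from Counter Control or ThrottleStop: decodes logged
# IA32_FIXED_CTR_CTRL values and flags counter contention in a constructed log.
from collections import Counter

MSR_IA32_FIXED_CTR_CTRL = 0x38D  # register address given in the article
MODE_NAMES = {0: "Disabled", 1: "OS (ring 0)", 2: "User (ring > 0)", 3: "All rings"}


def fixed_counter_modes(value):
    """Enable mode (0..3) of fixed counters 0, 1, 2.
    Each counter owns a 4-bit field; bits 0-1 select the privilege level that
    counts (bit 0 = OS, bit 1 = user), bit 2 is AnyThread, bit 3 enables the
    overflow interrupt. Only the two mode bits matter here.
    """
    return tuple((value >> (4 * i)) & 0x3 for i in range(3))


def classify(value):
    """Counter Control readout label for a register value.
    Generalises the article's four values: any mix of mode 3 (monitoring
    software) and mode 2 (what Defender programs) is a Warning, not only 0x332.
    """
    used = [m for m in fixed_counter_modes(value) if m != 0]
    if not used:
        return "Not Used"        # 0x000
    if all(m == 2 for m in used):
        return "Defender"        # 0x222
    if all(m == 3 for m in used):
        return "Normal"          # 0x330
    if 2 in used and 3 in used:
        return "Warning"         # 0x332
    return "Other"               # e.g. a counter left in OS-only mode


def describe(value):
    """Per-counter breakdown, e.g. 'FIXED_CTR0=User (ring > 0), ...'."""
    return ", ".join(f"FIXED_CTR{i}={MODE_NAMES[m]}"
                     for i, m in enumerate(fixed_counter_modes(value)))


def parse_log(text):
    """Parse constructed 'HH:MM:SS 0xNNN' lines (not a real tool's log format)."""
    return [(ts, int(raw, 16)) for ts, raw in
            (line.split() for line in text.splitlines() if line.strip())]


def find_contention(samples, min_flips=2):
    """Count Defender<->Warning flips, the symptom the article describes when
    Defender and a monitor such as HWiNFO overwrite each other's settings."""
    labels = [classify(v) for _, v in samples]
    flips = sum(1 for a, b in zip(labels, labels[1:])
                if {a, b} == {"Defender", "Warning"})
    return {"flips": flips, "contended": flips >= min_flips,
            "labels": dict(Counter(labels))}


# Constructed sample: idle, a monitor starts (0x330), Defender grabs the
# counters and the two fight (0x332/0x222), then Defender backs off.
SAMPLE_LOG = """\
12:00:00 0x000
12:00:05 0x330
12:00:10 0x332
12:00:15 0x222
12:00:20 0x332
12:00:25 0x222
12:00:30 0x330
"""

if __name__ == "__main__":
    for ts, v in parse_log(SAMPLE_LOG):
        print(ts, f"0x{v:03X}", classify(v), "->", describe(v))
    print(find_contention(parse_log(SAMPLE_LOG)))
```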
If your system seems affected, showing the "Defender" readout, a quick fix is to click the "Reset Counters" button in Counter Control. Pressing the button reprograms one counter to mode 3, which Defender detects; Defender then stops doing its thing and performance is restored. Please verify with benchmarks.
There are two ways to mitigate this performance loss permanently. You could disable Windows Defender real-time monitoring, which is strongly discouraged because of the security implications; or you could use the latest version 9.5 of ThrottleStop, which has a feature in the "Options" window called "Windows Defender Boost." Ticking this ensures maximum performance and accurate Core Effective Clock monitoring in all applications, whether Windows Defender real-time protection is enabled or not. To achieve that, ThrottleStop activates one of the programmable counters immediately. When Windows Defender detects that some user software is trying to use one of the programmable counters, it stops using all the counters and leaves them alone for as long as that counter stays enabled. This returns performance to normal. The "Reset Counters" button in Counter Control does the same, and gives people a way to trigger only this mechanism without having to start ThrottleStop. Just to clarify, Windows Defender continues to work fine: it can still detect and notify users of any viruses. Once started with the "Windows Defender Boost" option, ThrottleStop leaves the counter running in mode 3 even after it is closed. This means you can start ThrottleStop once at boot, close it right afterward, and your system will be protected from the Defender performance issue.

If "Windows Defender Boost" is not checked, the counter is initially cleared. This still stops the Windows Defender algorithm, but ThrottleStop will no longer try to keep one counter running while ThrottleStop is in use, and it will not keep that counter running after you exit ThrottleStop. This lets a person use ThrottleStop without worrying that it might be doing something to Windows Defender that it should not be doing. After ThrottleStop starts up, if that counter is not being used, after 10 minutes or so Windows Defender will check it, see that it is not in use, and will be able to start its mysterious performance-eating algorithm again.

Let us know your experience in the comments of this article. It'll be interesting to see how widespread this issue is; we have confirmed it (thread at TPU, thread at OCN) to be happening on many systems in recent months. If we make enough noise, I'm sure Microsoft will look into why Defender needs that many counters and why there's such a big performance hit, and fix it accordingly.

As always, let us know your thoughts and questions in the comments. Also let us know if you didn't understand certain technical details, so we can improve this writeup.

Counter Control is available as a free download in our downloads section.

257 Comments on Windows Defender can Significantly Impact Intel CPU Performance, We have the Fix

#51
lexluthermiester
AusWolf wrote: Is it free?
Oh yeah, they have an excellent free option. However, I pay for the premium version because I want to continue supporting the company. Would rather pay for Comodo than use defender for free. Reason? Configuration choices and respect for user privacy. By default, Comodo does cloud referencing and analysis. However, should a user need complete data security and privacy, those can be shut off. In fact the whole suite can be easily isolated from the internet if needed.

However, we're getting off-topic, so let's rope ourselves in..
#52
ThrashZone
Veseleilo wrote: Disable the damn spyware.

Edit:
Been reading through posts, and the fact that people still believe in AV made me kinda sad. It's 2022, damn, learn how to protect your (Windows) PC already...
Sorry for a million edits, English is not my native language.

Hi,
That's nice, but it's just a fraction of what W1zzard's script does.
Here is Win-11's:
rem Disable Windows Defender. For this to work you have to manually disable "Tamper protection"
powershell "if ((Get-ItemProperty -Path 'HKLM:SOFTWARE\Microsoft\Windows Defender\Features').TamperProtection -eq 4) { exit 0; } ; Write-Output 'Windows Defender can not be disabled, Tamper Protection is still active' '' 'Disable Tamper Protection manually, then press OK' | msg /w *"
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f
reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /f

Win-10's:

rem Disable Windows Defender. For this to work you have to manually disable "Tamper protection"
powershell "if ((Get-ItemProperty -Path 'HKLM:SOFTWARE\Microsoft\Windows Defender\Features').TamperProtection -eq 4) { exit 0; } ; Write-Output 'Windows Defender can not be disabled, Tamper Protection is still active' '' 'Disable Tamper Protection manually, then press OK' | msg /w *"
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f
reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /f
#53
Verpal
OneMoar wrote: can we not with the clickbait speculation

great job finding this, it's a minor bug and will be shortly patched if enough noise is made about it

6% is hardly significant in the grand scheme

remember that your average user doesn't care, and if it doesn't impact the average user neither does Intel/Microsoft

and PSA: Windows Defender consistently ranks at the top of the protection and performance charts; it should be your go-to when basic protection is required

Considering that in many cases a ''generational improvement'' can be as little as 20%, and 6% is way, way above what one would generally describe as a ''measurable difference'', I don't think reviewers should just ignore this potential source of error. Also, I don't think the article tried to stop people from using Windows Defender at any point whatsoever.

and PSA: TPU is inhabited by nerds, and nerds care about 6%.
#54
phanbuey
6% is huge.

All of this stuff adds up: 6% for this, another 10% for virtualization-based security, another few percent for the indexer, and now you have a machine that's 20-25% slower than it's supposed to be and stuttering in games.

So, related question:

Some game guides (like The Ascent's) recommend putting the program in the excluded exploit protection programs to stop stuttering... does this effectively get rid of that need? Will do some testing with this fix vs. exploit protection on and off... this would be huge if people didn't need to jump through the control flow guard disabling hoops and could just use the Windows Defender Boost.
#55
Veseleil
ThrashZone wrote: Hi,
That's nice, but it's just a fraction of what W1zzard's script does.
Here is Win-11's:
rem Disable Windows Defender. For this to work you have to manually disable "Tamper protection"
powershell "if ((Get-ItemProperty -Path 'HKLM:SOFTWARE\Microsoft\Windows Defender\Features').TamperProtection -eq 4) { exit 0; } ; Write-Output 'Windows Defender can not be disabled, Tamper Protection is still active' '' 'Disable Tamper Protection manually, then press OK' | msg /w *"
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f
reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /f

Win-10's:

rem Disable Windows Defender. For this to work you have to manually disable "Tamper protection"
powershell "if ((Get-ItemProperty -Path 'HKLM:SOFTWARE\Microsoft\Windows Defender\Features').TamperProtection -eq 4) { exit 0; } ; Write-Output 'Windows Defender can not be disabled, Tamper Protection is still active' '' 'Disable Tamper Protection manually, then press OK' | msg /w *"
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f
reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /f
I'm aware of that, but I learned my ways... my way, since the XP days. Services and Regedit are my main start shortcuts. I've pasted that reg entry for the illiterate people, but I do have many different system tweaking tools. For a fast way of disabling spyware and similar, I've been using Blackbird for years. Great little tool.
#56
ThrashZone
Veseleilo wrote: I'm aware of that, but I learned my ways... my way, since the XP days. Services and Regedit are my main start shortcuts. I've pasted that reg entry for the illiterate people, but I do have many different system tweaking tools. For a fast way of disabling spyware and similar, I've been using Blackbird for years. Great little tool.
Hi,
That rhymes :laugh:
#57
Veseleil
ThrashZone wrote: Hi,
That rhymes :laugh:
Used to write songs when I was younger and had longer and stronger periods of depression. I kinda hate rhymes nowadays. :D
#58
AusWolf
Veseleilo wrote: Disable the damn spyware.

Edit:
Been reading through posts, and the fact that people still believe in AV made me kinda sad. It's 2022, damn, learn how to protect your (Windows) PC already...
Sorry for a million edits, English is not my native language.
Why? You can avoid viruses by not visiting dodgy websites, which works 99% of the time, but there's always that 1% when you click on something that someone not so tech-savvy posted. An AV can be quite useful then.
#59
Veseleil
AusWolf wrote: Why? You can avoid viruses by not visiting dodgy websites, which works 99% of the time, but there's always that 1% when you click on something that someone not so tech-savvy posted. An AV can be quite useful then.
AV software has too many security risks involved, and as an entity that has higher privileges than a system administrator (in most cases), it cannot be trusted.
#60
AusWolf
Veseleilo wrote: AV software has too many security risks involved, and as an entity that has higher privileges than a system administrator (in most cases), it cannot be trusted.
I'd rather have an AV just in case. The internet is a vile place. You never know what's lurking on the site you're about to visit, or on the link Random Joe posted and you're about to click on.
#61
Veseleil
AusWolf wrote: I'd rather have an AV just in case. The internet is a vile place. You never know what's lurking on the site you're about to visit, or on the link Random Joe posted and you're about to click on.
NoScript and uBlock Origin take care of that. I choose what I want to see on new sites, and I visit everything I want to without fear. I dare to do things on my PC that I can only dream of IRL. :laugh:
#62
ThrashZone
Hi,
Plenty of people just using Edge and Windows Pretender, oops, Defender, were hit by ransomware; my dear old mom too. It amounted to nothing but did happen under Microsoft security's watch.
Since getting a real antivirus, Bitdefender I believe, nothing eventful for about a year now.

So yeah, say Pretender is free/great if you want facts, just don't support such a broad stroke; it's really just more telemetryware under a false sense of security, and so is crappy Chroedge.
#64
R-T-B
GreiverBlade wrote: and here I was, "awwwww Defender is the issue" and then read "AMD CPU not affected" and proceeded to "oh, so Defender is perfectly fine ... Intel is the issue"

did they use a "performance boost shortcut that turned out to be a vulnerability" (after mitigation: also a loss of performance) but failed and instead made an issue?

No. This is MS misusing a documented Intel feature, i.e. not Intel's fault.
#65
TheDeeGee
Doesn't affect me as I play with a 60 FPS cap, so CPU usage is like 30-50% plus the 4% of Windows Defender.
Veseleilo wrote: AV software has too many security risks involved, and as an entity that has higher privileges than a system administrator (in most cases), it cannot be trusted.
I used NOD32 for over 10 years until I noticed it did like 150 GB of writes a day, wearing down my SSD's life.

Been using Defender for a year and a half now; no point in a paid AV these days, just use your brain when browsing. And use uBlock Origin.
phanbuey wrote: 6% is huge.

All of this stuff adds up: 6% for this, another 10% for virtualization-based security, another few percent for the indexer, and now you have a machine that's 20-25% slower than it's supposed to be and stuttering in games.

So, related question:

Some game guides (like The Ascent's) recommend putting the program in the excluded exploit protection programs to stop stuttering... does this effectively get rid of that need? Will do some testing with this fix vs. exploit protection on and off... this would be huge if people didn't need to jump through the control flow guard disabling hoops and could just use the Windows Defender Boost.
20-25%?

Sounds like you have a messed-up Windows installation. I'm seeing between 0.3% and 5% usage.
#66
DeathtoGnomes
btarunr wrote: Once started with the "Windows Defender Boost" option, ThrottleStop leaves the counter running in mode 3 even after it is closed. This means you can start ThrottleStop once at boot, close it right afterward, and your system will be protected from the Defender performance issue.
@unclewebb What about creating a PowerShell script to accomplish the same thing as your software does, without loading the programs into Windows (assuming some users don't install TS)? That could be used via the task manager so you won't have to open a program. Another option would be to add a file within your program's install folder that could be used to execute the fix at Windows boot-up, via the task manager as well.
#67
AusWolf
DeathtoGnomes wrote: @unclewebb What about creating a PowerShell script to accomplish the same thing as your software does, without loading the programs into Windows (assuming some users don't install TS)? That could be used via the task manager so you won't have to open a program. Another option would be to add a file within your program's install folder that could be used to execute the fix at Windows boot-up, via the task manager as well.
I would love that! With a locked CPU, I haven't got much use for ThrottleStop, except for this.
#68
phanbuey
TheDeeGee wrote: Doesn't affect me as I play with a 60 FPS cap, so CPU usage is like 30-50% plus the 4% of Windows Defender.

I used NOD32 for over 10 years until I noticed it did like 150 GB of writes a day, wearing down my SSD's life.

Been using Defender for a year and a half now; no point in a paid AV these days, just use your brain when browsing. And use uBlock Origin.

20-25%?

Sounds like you have a messed-up Windows installation. I'm seeing between 0.3% and 5% usage.
Run a SOTTR bench on a clean install, then shut off control flow guard / Defender real-time scan, VBS and the indexer, and run the bench again -- your gains will be in the double digits, % wise, easy.
#70
unclewebb
ThrottleStop & RealTemp Author
DeathtoGnomes wrote: What about creating a powershell script to accomplish the same thing
You cannot access individual registers within the CPU using only a PowerShell script. You need to run a separate program that uses a signed driver so it can run at ring 0 to access the MSR registers.
AusWolf wrote: I haven't got much use for ThrottleStop, except for this.
This is part of the master plan. :D

The ability to solve this issue will give users a reason to try ThrottleStop. My Cinebench scores are almost identical whether ThrottleStop is running or not. ThrottleStop is not a major source of CPU or memory usage.

Think of Counter Control as a proof-of-concept kind of program. If the thought of having to run ThrottleStop all of the time really makes people's skin crawl, I will consider writing a separate program that quietly runs in the background and takes care of this problem. It would be best to leave it running in the background so it can also take care of this issue when you resume from sleep. Any program that checks a single register every 5 or 10 seconds, and when you resume from sleep, is not going to be a significant drain on CPU resources.
dwmc wrote: this has been a problem for 6 years at least
I think the Windows Defender problem listed on that site you posted is different from this new Windows Defender problem. Good to know that these issues take a while to solve.
#71
looniam
DeathtoGnomes wrote: @unclewebb What about creating a PowerShell script to accomplish the same thing as your software does, without loading the programs into Windows (assuming some users don't install TS)? That could be used via the task manager so you won't have to open a program. Another option would be to add a file within your program's install folder that could be used to execute the fix at Windows boot-up, via the task manager as well.
a picture is worth 1000 w0rds . .

[image not preserved]

ok yeah you need TS. :p
#73
unclewebb
ThrottleStop & RealTemp Author
looniam wrote: ExitTime=
If you are going to use that undocumented INI option, it's best to set it to 15 seconds. I might change that in the future.
#74
lexluthermiester
AusWolf wrote: Edit: How do you find Defender annoying? It's only a module in your system settings / Windows Security Centre. It couldn't be any lower profile than this.
lexluthermiester wrote: Not at all. The annoying habit of Defender deleting files without user prompting/verification is a big reason. By default Defender takes that action on files which contain known or suspected virus-like routines, even for files that don't actually contain a virus. This can be a serious effing headache for many forms of legitimate work. The next problem is that Defender reports back to Microsoft every single file it scans, regardless of whether you want it to or not. This is a serious problem for data that needs complete confidentiality/secrecy.
There you go.
#75
R-T-B
Veseleilo wrote: AV software has too many security risks involved, and as an entity that has higher privileges than a system administrator (in most cases), it cannot be trusted.
Wait until you find out about what's running in the ME or PSP enclaves.