Monday, June 27th 2022

Windows Defender can Significantly Impact Intel CPU Performance, We have the Fix

Kevin Glynn, aka "Uncle Webb," our associate software author behind popular utilities such as ThrottleStop and RealTemp, developed a new utility named Counter Control, which lets you monitor and log the performance counters of Intel Core processors since 2008 (Core "Nehalem"). During development for ThrottleStop, Kevin discovered a fascinating bug with Windows Defender, the built-in security software of Windows, which causes a significantly higher performance impact on the processor than it normally should. Of course, security software is bound to have some (small) performance impact during real-time protection, but this is much bigger.

The first sign that something is happening is that HWiNFO will be reporting a reduced "Effective Clock" speed when the CPU is fully loaded. A much bigger problem is that when Defender is affected by the bug, performance of your machine will be significantly reduced. For example, a Core i9-10850K running at 5.00 GHz all-core loses 1000 Cinebench points (or 6%). Such a performance loss has been reported by owners of Intel Core 8th, 9th, 10th and 11th Gen, both desktop and mobile CPUs, on both Windows 10 and Windows 11. AMD processors are not affected.

The underlying issue that costs so much performance is that Windows Defender will randomly start using all seven hardware performance counters provided by Intel Core processors, including three fixed-function counters. Each of these counters can be programmed in one of four modes, which configure the privilege level at which it counts: Disabled, OS (ring-0), User (ring>0), and All-Ring levels. Since these counters are a shared resource, it is possible that multiple programs want to access these counters at the same time.

Popular system utilities like HWiNFO, OCCT, Core Temp, and ThrottleStop all set these counters to "mode 3" or "All-Ring Levels." Since they all set the same mode, there are no issues with multiple programs using the same counter. Windows Defender, on the other hand, will set these counters to "mode 2" at what looks like random intervals, for random durations of time. This can happen when a computer first boots up or it can happen at any time after that. While Windows Defender is running in the background, it can start and stop or continuously try to change these counters to mode 2 at any time. Just to clarify, the performance loss will happen even without any monitoring software running: Defender will still use excessive CPU time.

The issue is not with the Intel hardware, as setting the same timers as Windows Defender manually has no negative performance impact. Also, if these counters are manually overwritten, Defender detects that, immediately stops whatever it is doing and performance returns to normal—without any negative effect on the ability to detect viruses in real-time.

Our Counter Control software monitors and logs the "IA32_FIXED_CTR_CTRL" register of Intel Core processors, located at MSR 0x38D. This register provides access to the three fixed-function performance monitoring counters mentioned before. Counter Control will inform users if any software is using the Intel fixed-function counters, and for how long they've been in use. Typical values reported by Counter Control look like this:
  • Not Used - 0x000: The three fixed function counters are stopped. None of the counters are presently being used.
  • Defender - 0x222: All three fixed function counters are programmed to mode 2. This is the value that Windows Defender sets these counters to when it is using them.
  • Normal - 0x330: Two counters are programmed to mode 3. One counter is programmed to mode 0 and is not being used. This is normal. Most monitoring programs that use these counters will program the counter control register to this value.
  • Warning - 0x332: This is shown when two counters are being used normally by monitoring software while the third counter has been set to mode 2, likely by Windows Defender. This is a warning that two different programs might be fighting over control of the shared counters. You might see the counter control register constantly changing between 0x222 and 0x332. This is what you will see when running HWiNFO if Windows Defender is trying to use the IA32_FIXED function counters at the same time.
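
The register values listed above can be decoded field by field. The following Python sketch is an added example, not code from Counter Control or ThrottleStop: it assumes the field layout Intel documents for this register (one 4-bit field per fixed counter, whose low two bits are the mode the article describes), applies its own labelling rule modelled on the four values above, and totals the time spent in each state from a constructed log whose line format (timestamp, duration, value) is an assumption.

```python
import re
from collections import defaultdict

# Assumed log line: "<date> <time> <hh:mm:ss duration> <hex value> [label]"
LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d\d):(\d\d):(\d\d) (0x[0-9A-Fa-f]+)"
)

def decode(value):
    """Return the mode (0-3) of fixed counters 0, 1 and 2.

    Each counter owns one 4-bit field of IA32_FIXED_CTR_CTRL; the low
    two bits select 0=disabled, 1=OS, 2=User, 3=all rings.
    """
    return tuple((value >> (4 * i)) & 0x3 for i in range(3))

def classify(value):
    """Label a register value. This rule is this example's own heuristic."""
    modes = decode(value)
    if not any(modes):
        return "Not Used"
    if all(m == 2 for m in modes):
        return "Defender"
    if 2 in modes and 3 in modes:
        return "Warning"   # mode 2 and mode 3 users share the counters
    if set(modes) <= {0, 3}:
        return "Normal"
    return "Unknown"

def summarize(log_text):
    """Total seconds per label; blank or malformed lines are skipped."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        h, mi, s = (int(m.group(i)) for i in (2, 3, 4))
        totals[classify(int(m.group(5), 16))] += h * 3600 + mi * 60 + s
    return dict(totals)

def mode2_share(totals):
    """Fraction of logged time in which a counter sat in mode 2."""
    bad = totals.get("Defender", 0) + totals.get("Warning", 0)
    total = sum(totals.values())
    return bad / total if total else 0.0

# Constructed sample log (not taken from a real machine).
SAMPLE_LOG = """\
2022-06-27 08:00:00 00:10:00 0x222 Defender
2022-06-27 08:10:00 00:00:30 0x332 Warning

2022-06-27 08:10:30 00:29:30 0x330 Normal
2022-06-27 08:40:00 00:20:00 0x000 Not Used
"""

if __name__ == "__main__":
    totals = summarize(SAMPLE_LOG)
    print(totals, f"mode-2 share: {mode2_share(totals):.1%}")
```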

If your system seems affected, showing the "Defender" readout, a quick fix is to click the "Reset Counters" button in Counter Control. Pressing the button reprograms one timer to mode 3, which Defender detects; Defender then stops doing its thing and performance is restored. Please verify with benchmarks.

There are two ways to mitigate this performance loss permanently. You could disable Windows Defender Real-time Monitoring, which is strongly discouraged due to the security implications; or you could use the latest version 9.5 of ThrottleStop, which has a feature in the "Options" window called "Windows Defender Boost." Ticking this ensures maximum performance and accurate Core Effective Clock monitoring in all applications, whether Windows Defender real-time protection is enabled or not.

To achieve that goal, ThrottleStop activates one of the programmable timers immediately. When Windows Defender detects that some user software is trying to use one of the programmable counters, it stops using all the counters and leaves them alone for as long as that counter stays enabled. This returns performance back to normal. The "Reset" button in Counter Control does the same, and gives people a way to activate only this mechanism, without having to start ThrottleStop.

Just to clarify, Windows Defender will continue to work fine. It can still detect and notify users of any viruses. When started once with the "Windows Defender Boost" option, ThrottleStop will leave the timer running in mode 3, even when closed. This means you can start ThrottleStop once at bootup, close it right afterward, and your system will be protected from the Defender performance issues.

If "Windows Defender Boost" is not checked, the counter will be initially cleared. This stops the Windows Defender algorithm, but ThrottleStop will no longer try to keep one counter running while ThrottleStop is in use, and it will not keep that one counter running after you exit ThrottleStop. This allows a person to use ThrottleStop without having to worry that ThrottleStop might be doing something to Windows Defender that it should not be doing. After ThrottleStop starts up, if that timer is not being used, after 10 minutes or so, Windows Defender will check that timer, see that it is not being used, and will be able to start its mysterious performance-eating algorithm again.

Let us know your experience in the comments of this article. It'll be interesting to see how widespread this issue is; we have confirmed (thread at TPU, thread at OCN) it to be happening on many systems in recent months. If we make enough noise, I'm sure Microsoft will look into why they need that many timers in Defender, why there's such a big performance hit, and fix it accordingly.

As always, let us know your thoughts and questions in the comments. Also let us know if you didn't understand certain technical details, so we can improve this writeup.

Counter Control is available as a free download in our downloads section.

257 Comments on Windows Defender can Significantly Impact Intel CPU Performance, We have the Fix

#76
jpuser-axp
I have figured out how to use ThrottleStop 9.5.
Start and exit. It is very easy.
However, I do not know how to use Counter Control.

Do I start Counter Control, click "Reset Counters" and exit?
If so, will the Defender problem be permanently fixed as long as the PC is running?
#77
TheDeeGee
phanbuey wrote: Run a sottr bench on a clean install, then shut off control flow guard / defender Realtime scan, vbs, indexer and it an run the bench again -- your gains will be in the double % easy.
Thanks, but no thanks.

I've learned messing with windows the hard way.

If it can't be disabled or uninstalled without an app, leave it alone or risk messing up future updates.
#78
8tyone
Excellent investigative work! Thank you Mr. Kevin.
#80
Chrispy_
Is the problem limited to 8th, 9th, 10th, 11th, and 12th gen only?

I've seen Windows Defender use 100% of a core on low-powered devices like old Bay-Trail Celerons etc. 100% of one core is either a quarter or half of the entire performance those devices have to offer.
#81
Naito
OneMoar wrote: the amount of times I have run a scan with MBAM or AVRIA and they have found something that defender missed is
I've run Defender and MBAM for many years in parallel and honestly, I've found Defender to always be capable enough to not need MBAM intervention. So much so, that I don't bother running anything but Defender lately.

The inclusion of Defender on Windows Server 2019 and 2022 is also a welcome addition.
#82
DeathtoGnomes
Naito wrote: I've run Defender and MBAM for many years in parallel and honestly, I've found Defender to always be capable enough to not need MBAM intervention. So much so, that I don't bother running anything but Defender lately.

The inclusion of Defender on Windows Server 2019 and 2022 is also a welcome addition.
The question is, can they tailor to specifically avoid Defender.
#83
Dark_Phoenix
I ran Counter Control after reading this post and in the current section it shows Unknown > 0x777. If I reset counters it will change to Normal 0x337, but it'll either stay at 0x337 or change back to 0x777 after a minute or 2.
#84
Naito
DeathtoGnomes wrote: The question is, can they tailor to specifically avoid Defender.
Same can be said about most things. Like most AVs, Defender employs realtime monitoring and other heuristics to detect threats. The benefit of Defender is that so many PC's run it by default which helps with large scale analytics, machine learning, etc. Detection will be much quicker on such a network.

Any sufficiently popular software will more likely be targeted as you're guaranteed to have a much bigger attack surface. More chance of success, more reward for the hacker.
#85
phanbuey
TheDeeGee wrote: Thanks, but no thanks.

I've learned messing with windows the hard way.

If it can't be disabled or uninstalled without an app, leave it alone or risk messing up future updates.
You don't need to install any apps for what I suggested, they're windows settings you can toggle on and off.
What is Control Flow Guard in Windows; How to turn it On or Off (thewindowsclub.com)
How to Disable Virtualization-Based Security (VBS) in Windows 11 | Beebom
- you can also just disable virtualization in the bios to do the same effect and then test performance.

The point I was trying to make is that security apparatus in windows looks like it might be a 5% hit, and is in some very synthetic benches, but it's closer to 15% in real games when taking into account IO/memory latency with just those two settings. The system virtualizes the kernel and then nannies memory access with extreme overhead.

We have a juicy chunk of performance left on the table when it comes to OS and software optimizations. Will be interesting to see also if CPU accelerators will come into play for some of these tasks.
#86
Veseleil
R-T-B wrote: Wait until you find out about what's running in the ME or PSP enclaves.
We all know about spyware abilities integrated into chips as "security features". The difference is that I can't do much about that, and I can at least prevent some shady software running in the OS.
#87
R-T-B
Veseleil wrote: We all know about spyware abilities integrated into chips as "security features". The difference is that I can't do much about that, and I can at least prevent some shady software running in the OS.
They aren't really spyware, more useless features just waiting for a vulnerability, but same end result:

Source: Me. I'm well known as a ME security researcher.
#88
zebra_hun
YT Video Link

15500 vs 16700 Cinebench R23 score. I start TS with windows, and use .ini to stop 5 sec later.
#89
NfiniteL00p
I've not been able to replicate this issue for some reason. The highest Defender CPU usage I got was 0.31% during the Cinebench R23.200 run; otherwise it hovered around 0.06% or less. Windows 11 Enterprise Build 21H2, latest updates, 12th Gen Intel Core i9-12900K for the CPU.
#90
Aquinus
Resident Wat-man
We have the Fix
When I first saw this part of the title, I thought to myself, "I do too. Use Linux." :laugh:
#91
Ed_1
NfiniteL00p wrote: I've not been able to replicate this issue for some reason. The highest Defender CPU usage I got was 0.31% during the Cinebench R23.200 run; otherwise it hovered around 0.06% or less. Windows 11 Enterprise Build 21H2, latest updates, 12th Gen Intel Core i9-12900K for the CPU.
12th gen doesn't seem to be affected, I never see defender show up in app.
#92
othersteve
Ed_1 wrote: 12th gen doesn't seem to be affected, I never see defender show up in app.
Yup, agreed, I've yet to see any issues on the new XPS 13 Plus I've been using. Hopefully that means it isn't affected.
#93
lexluthermiester
TheDeeGee wrote: If it can't be disabled or uninstalled without an app, leave it alone or risk messing up future updates.
It's not about what you do, rather how you do it. IF done the right way, it's easy-breezy and works perfectly. Key point, doing it the right way.
othersteve wrote: Yup, agreed, I've yet to see any issues on the new XPS 13 Plus I've been using. Hopefully that means it isn't affected.
Or you didn't notice. If your computing habits and activities don't require intensive compute power, you might not even notice.
#94
ThrashZone
Ed_1 wrote: 12th gen doesn't seem to be affected, I never see defender show up in app.
Hi,
Read the op and see for yourself here's the first clue

Not too many people stare at task manager especially when doing other things.
#95
othersteve
lexluthermiester wrote: It's not about what you do, rather how you do it. IF done the right way, it's easy-breezy and works perfectly. Key point, doing it the right way.


Or you didn't notice. If your computing habits and activities don't require intensive compute power, you might not even notice.
No, what I mean to say is that Counter Control doesn't seem to have reported anything amiss on my system yet.
#96
lexluthermiester
othersteve wrote: No, what I mean to say is that Counter Control doesn't seem to have reported anything amiss on my system yet.
Ah, ok. Understood.
#97
Ed_1
ThrashZone wrote: Hi,
Read the op and see for yourself here's the first clue

Not too many people stare at task manager especially when doing other things.
That's 10th gen I ran the app for many hours, I see only normal and not used.
Here's my log
2022-06-27 13:38:28 00:13:48 0x330 Normal

2022-06-27 13:42:37 00:03:07 0x000 Not Used
2022-06-27 17:15:47 03:33:10 0x330 Normal

2022-06-28 12:31:11 00:00:43 0x000 Not Used

2022-06-28 19:17:36 00:01:47 0x330 Normal

Plus running CB23 before and after I get same score, even after reset counters.
#98
unclewebb
ThrottleStop & RealTemp Author
Ed_1 wrote: Plus running CB23 before and after I get same score
When testing, boot up and run Counter Control. Do not push the Reset Counters button and do not run ThrottleStop 9.5. When my 10th Gen computer first boots up or when I resume from sleep, the counters are in mode 0x222 and performance is decreased. If your computer does not have this problem then you do not need to fix anything. You will not see any improvement in Cinebench R23 scores if you do not have this problem.
Dark_Phoenix wrote: 0x777
Thanks for posting that. 12th Gen CPUs do not seem to have this issue.
zebra_hun wrote: 15500 vs 16700 Cinebench R23
Thanks for posting that video. It shows the problem exactly.
#99
Ed_1
unclewebb wrote: When testing, boot up and run Counter Control. Do not push the Reset Counters button and do not run ThrottleStop 9.5. When my 10th Gen computer first boots up or when I resume from sleep, the counters are in mode 0x222 and performance is decreased. If your computer does not have this problem then you do not need to fix anything. You will not see any improvement in Cinebench R23 scores if you do not have this problem.


Thanks for posting that. 12th Gen CPUs do not seem to have this issue.


Thanks for posting that video. It shows the problem exactly.
fresh restart and it shows not used 0x000
when running CB23 I get 100% load so as I said before it doesn't seem to affect 12th gen or at least my 12th gen config.

As far as sleep goes I always disable sleep with powercfg /hibernate off right after windows install so can't really test that, never use sleep.
I just let the monitor go into low power mode
#100
Nemiyen
This has been great to prove the issue exists for Windows Defender, please can someone confirm this same bug exists for Teams because... Damn! That program is slow as hell! Especially when in a video meeting lol.