Monday, June 27th 2022

Windows Defender can Significantly Impact Intel CPU Performance, We have the Fix

Kevin Glynn, aka "Uncle Webb," our associate software author behind popular utilities such as ThrottleStop and RealTemp, developed a new utility named Counter Control, which lets you monitor and log the performance counters of Intel Core processors since 2008 (Core "Nehalem"). During development for ThrottleStop, Kevin discovered a fascinating bug with Windows Defender, the built-in security software of Windows, which causes significantly higher performance impact on the processor than it should normally have. Of course a security software is bound to have some (small) performance impact during real-time protection, but this is much bigger.

The first sign that something is happening is that HWiNFO will be reporting a reduced "Effective Clock" speed when the CPU is fully loaded. A much bigger problem is that when Defender is affected by the bug, performance of your machine will be significantly reduced. For example, a Core i9-10850K running at 5.00 GHz all-core loses 1000 Cinebench points (or 6%). Such a performance loss has been reported by owners of Intel Core 8th, 9th, 10th and 11th Gen, both desktop and mobile CPUs, on both Windows 10 and Windows 11. AMD processors are not affected.

The underlying issue that costs so much performance is that Windows Defender will randomly start using all seven hardware performance counters provided by Intel Core processors, which includes three fixed function counters. Each of these counters can be programmed in one of four modes, to configure at which privilege level it counts—Disabled, OS (ring-0), User (ring>0), and All-Ring levels. Since these counters are a shared resource, it is possible that multiple programs want to access these counters at the same time.

Popular system utilities like HWiNFO, OCCT, Core Temp, and ThrottleStop, all set these counters to "mode 3" or "All-Ring Levels." Since they all set the same mode, there's no issues with multiple programs using the same counter. Windows Defender on the other hand will set these counters to "mode 2", at what looks like random intervals, for random durations of time. This can happen when a computer first boots up or it can happen at any time after that. While Windows Defender is running in the background, it can start and stop or continuously try to change these counters to mode 2 at any time. Just to clarify, the performance loss will happen even without any monitoring software running—Defender will still use excessive CPU time.

The issue is not with the Intel hardware, as setting the same timers as Windows Defender manually has no negative performance impact. Also, if these counters are manually overwritten, Defender detects that, immediately stops whatever it is doing and performance returns to normal—without any negative effect on the ability to detect viruses in real-time.
Our Counter Control software monitors and logs the "IA32_FIXED_CTR_CTRL" register of Intel Core processors, located at MSR 0x38D. This register provides access to the three fixed-function performance monitoring counters mentioned before. Counter Control will inform users if any software is using the Intel fixed-function counters, and for how long they've been in use. Typical values reported by Counter Control look like this:
  • Not Used - 0x000: The three fixed function counters are stopped. None of the counters are presently being used.
  • Defender - 0x222: All three fixed function counters are programmed to mode 2. This is the value that Windows Defender sets these counters to when it is using them.
  • Normal - 0x330: Two counters are programmed to mode 3. One counter is programmed to mode 0 and is not being used. This is normal. Most monitoring programs that use these counters will program the counter control register to this value.
  • Warning - 0x332: This is shown when two counters are being used normally by monitoring software while the third counter has been set to mode 2, likely by Windows Defender. This is a warning that two different programs might be fighting over control of the shared counters. You might see the counter control register constantly changing between 0x222 and 0x332. This is what you will see when running HWiNFO if Windows Defender is trying to use the IA32_FIXED function counters at the same time.
If your system seems affected, showing the "Defender" readout, then a quick fix is to click the "Reset Counters" button in Counter Control. By pressing the button, one timer will be reprogrammed to mode 3, which will be detected by Defender, and Defender will stop doing its thing and restore performance. Please verify with benchmarks.
There are two ways to go about mitigating this performance loss permanently. You could disable Windows Defender Real-time Monitoring, which is highly not recommended due to the security implications; or you could use the latest version 9.5 of ThrottleStop, which has a feature in the "Options" window, called "Windows Defender Boost." Ticking this ensures maximum performance and accurate Core Effective Clock monitoring in all applications whether Windows Defender real-time protection is enabled or not. To achieve that goal, ThrottleStop activates one of the programmable timers immediately. When Windows Defender detects that some user software is trying to use one of the programmable counters, it stops using all the counters and leaves them alone for as long as that counter stays enabled. This returns performance back to normal. The "Reset" button in Counter Control does the same, and gives people a way to activate only this mechanism, without having to start ThrottleStop. Just to clarify, Windows Defender will continue to work fine. It can still detect and notify users of any viruses. When started once, with the "Windows Defender Boost" option, ThrottleStop will let the timer running in mode 3, even when closed. This means you can start ThrottleStop once at bootup, close it right afterward, and your system will be protected from the Defender performance issues.

If "Windows Defender Boost" is not checked, the counter will be initially cleared. This stops the Window Defender algorithm but ThrottleStop will no longer try to keep one counter running while using ThrottleStop and it will not keep that one counter running after you exit ThrottleStop. This allows a person to use ThrottleStop without having to worry that ThrottleStop might be doing something to Windows Defender that it should not be doing. After ThrottleStop starts up, if that timer is not being used, after 10 minutes or so, Windows Defender will check that timer, see that it is not being used, and will be able to start its mysterious performance-eating algorithm again.

Let us know your experience in the comments of this article. It'll be interesting to see how widespread this issue is, we have confirmed (thread at TPU, thread at OCN) it to be happening on many systems in recent months. If we make enough noise, I'm sure Microsoft will look into why they need that many timers in Defender, why there's such a big performance hit, and fix it accordingly.

As always, let us know your thoughts and questions in the comments. Also let us know if you didn't understand certain technical details, so we can improve this writeup.

Counter Control is available as free download in our downloads section.
Add your own comment

257 Comments on Windows Defender can Significantly Impact Intel CPU Performance, We have the Fix

#101
Tarnak
Hi,

I've encountered issue on mine AW 17r4 i7700HQ. 0x222 changing very quickly.
Resetting seems to fix it to 0x330.

Thx UncleWebb
Posted on Reply
#102
phanbuey
NemiyenThis has been great to prove the issue exists for Windows Defender, please can someone confirm this same bug exists for Teams because... Damn! That program is slow as hell! Especially when in a video meeting lol.
Teams is an absolute disaster... I can confirm it's a ton better on 12th gen since it's relegated to e cores.
Posted on Reply
#103
RobinHood2022
I have an Intel Core i5-7600K at 3.8GHz running Windows 11 (despite the fact that this CPU isn't "officially" supported by Microsoft for Windows 11), and I'm getting solid "Not Used" status, hex value 0x000, even while running a scan using Windows Defender. It seems to me, therefore, that I am unaffected by this bug which Kevin is talking about.

My advice to anyone who is experiencing problems with this bug is to regularly run Windows Update. Yes, I know people don't like to hear something like that, but it's good advice -- and it WORKS.
Posted on Reply
#104
TheHunter
I have this bug on my 11700kf and win10

It started this year around Jan-feb.. at first i thought it was nvidia driver fault had some constant registry writes until i finally noticed it was defender..

3dmark physics is also affected


So i just need to run this once per boot or is it permanent?


Edit; and if I disable virtualization it also eliminates this issue as someone mentioned it one page earlier?

Thanks :)
Posted on Reply
#105
ThrashZone
Hi,
Ran into this
www.av-comparatives.org/tests/performance-test-april-2022/

mbam at almost 20% right behind defender 24%
The way default setting are in mbam I'd believe it updating every hour those little hits can be a pain on low resource systems
phanbueyTeams is an absolute disaster... I can confirm it's a ton better on 12th gen since it's relegated to e cores.
I get rid of teams
Seems most use zoom anyway why waist time with teams or even skype anymore.
Posted on Reply
#106
unclewebb
ThrottleStop & RealTemp Author
RobinHood2022I'm getting solid "Not Used" status
That is good. Best to monitor for this for a few days. Do some sleep resume cycles if you normally use that.

In Windows 10 on my 10th Gen CPU, sleep resume is a guaranteed way for Windows Defender to set the timers to mode 0x222 and for it to start running its algorithm which reduces performance.
RobinHood2022even while running a scan using Windows Defender
The Windows Defender automatic scanning feature works whether the timers are in mode 0x222 or not. It is almost like Defender has a separate chunk of code that is sometimes causing excessive CPU usage in the background. It can start or stop at anytime. Unless you are monitoring for this, it is difficult to know when this might be happening. It seems like this chunk of code is not running on Intel's recent 12th Gen CPUs.
RobinHood2022regularly run Windows Update
This problem has been around for years. So far, nothing on Windows Update seems to fix it.
TheHunterSo i just need to run this once per boot or is it permanent?
Pushing the Reset Counters button seems to fix this issue until the computer goes to sleep or you reboot. If you want to be 100% sure this does not start up again, run ThrottleStop and minimize it to the system tray. You can start Counter Control at any time to see what is going on with the counters.
Posted on Reply
#107
TheHunter
It says normal now and it fixes the issue 100%, tested cpuz benchmark and it's consistent all the time now.

Thanks
Posted on Reply
#108
TheDeeGee
I'm getting almost 800 more points with reset timer.

Now it's very unclear how to run ThrottleStop, do i need to click "Turn On" to enable it? Do i have to apply it every reboot?
Posted on Reply
#109
UrsineSaturn9
I tested it out on 10750h and only got "Normal" status. But I've been running TS v9.2 for ages anyway, so have updated to v9.5 and left this feature turned on. Absolutely love ThrottleStop for my gaming laptop. Used to routinely hit temperatures of 100C and with this program, some undervolting and limiting the turbo ratios I rarely get more than 70-75C while gaming.

Posted on Reply
#110
unclewebb
ThrottleStop & RealTemp Author
TheDeeGeeI'm getting almost 800 more points with reset timer.
A rough estimate is about +100 points for every core you have. I have a 10 core 10850K so it gains 1000 points. A 6 core CPU will typically gain 600 points and an 8 core CPU should gain about 800 points in Cinebench R23. Those are just some numbers off the top of my head.
TheDeeGeehow to run ThrottleStop
To fix this problem you can run ThrottleStop, minimize it to the System Tray / Notification Area and that is all you need to do. There is no need to enable any of its many options.

Some users have decided to immediately exit ThrottleStop after it starts. This works for me but I cannot guarantee that this will work for everyone. I prefer to leave ThrottleStop running.

If you exit ThrottleStop, you will definitely need to run it gain if you do a sleep resume cycle or if you reboot.

ThrottleStop has an INI option that you can use to force ThrottleStop to immediately exit. If you are going to use this option, at the moment, I would set it to 15 seconds.
Add this line to the ThrottleStop.INI configuration file.

ExitTime=15

In the next version of ThrottleStop, I will be changing things so setting this to 1 second should be good enough.
UrsineSaturn9I've been running TS v9.2
TS 9.2 and 9.3 used to automatically fix this problem. Back then, I had no idea what was causing this problem or why ThrottleStop had this magic ability. I stopped using one of the programmable counters in TS 9.4 and didn't really think too much about it. This provided Windows Defender the opportunity to take over control of all of the counters so it could run its slow and sluggish algorithm. It took a while to get everything figured out. TS 9.5 uses one of the programmable counters like TS 9.2 and 9.3 used to use.
UrsineSaturn9Absolutely love ThrottleStop
Good to hear. ThrottleStop has greatly improved the user experience for quite a few laptop owners worldwide.
Posted on Reply
#112
unclewebb
ThrottleStop & RealTemp Author
ThrashZonea pinned thread
That sounds like a good idea. I have never created a pinned thread before. I will put it on the things to do list.
Posted on Reply
#113
ThrashZone
unclewebbThat sounds like a good idea. I have never created a pinned thread before. I will put it on the things to do list.
Hi,
Sure would make it easier to find your awesome software besides using various search engines :cool:
Posted on Reply
#114
Yooyoo1987
I have 10400f with the same issue, hope ms will correct this bug asap.
Posted on Reply
#115
Aaron2
I have an i7-9700K and so far I only get Normal and Not Used in Counter Control over the last three days, and I shutdown every night (fast reboot disabled). I have applied no tweaks to my knowledge that affect Defender in any way. Strange...
Posted on Reply
#116
AusWolf
Also:




Notice how single-threaded performance also suffers when the Defender timer is active. The multi-thread ratio is the same in both instances.
Posted on Reply
#117
unclewebb
ThrottleStop & RealTemp Author
@AusWolf
How about doing some 3D Mark testing?

It tends to be fairly consistent and should show some reduced performance because of this Windows Defender feature.
Posted on Reply
#118
AusWolf
unclewebb@AusWolf
How about doing some 3D Mark testing?

It tends to be fairly consistent and should show some reduced performance because of this Windows Defender feature.
Done. Interestingly, it's not as consistent as I thought it would be:




The CPU score clearly shows the difference. I don't know why my GPU score was lower the second time. I didn't change any setting in 3DMark or in Adrenalin. AMD GPUs are weird.




It's also strange that some scores were affected in the CPU profile test, some others were not.
Posted on Reply
#119
TheHunter
For me it was timespy and and firestrike physics that showed the most difference, cpu profile not as much.

By both at least 1000-1500points difference..


But back then i didnt test this tool yet, just disable/enable realtime protection.
Posted on Reply
#121
unclewebb
ThrottleStop & RealTemp Author
FLFLFLOK
0x222 is bad.

0x000 is good.
Posted on Reply
#122
ThrashZone
unclewebb0x222 is bad.

0x000 is good.
Hi,
Saw you found one of the dummies on elevenforums :laugh:

I posted to brink this thread and he saw fit to make a news story :cool:
Posted on Reply
#123
lexluthermiester
ThrashZoneSaw you found one of the dummies on elevenforums :laugh:
Devin isn't the worst there, for sure. He's a bit of a smart-ass but mostly harmless. It's Kari you have to be very careful of. @unclewebb be very careful how you interact with Kari. Say the wrong thing to them and they will get you banned, no matter who you are.
Posted on Reply
#124
ThrashZone
lexluthermiesterDevin isn't the worst there, for sure. He's a bit of a smart-ass but mostly harmless. It's Kari you have to be very careful of. @unclewebb be very careful how you interact with Kari. Say the wrong thing to them and they will get you banned, no matter who you are.
Hi,
No I was referring to cereberus.
Posted on Reply
Add your own comment
Dec 23rd, 2024 06:54 EST change timezone

New Forum Posts

Popular Reviews

Controversial News Posts