Monday, June 27th 2022

Windows Defender can Significantly Impact Intel CPU Performance, We have the Fix

Kevin Glynn, aka "Uncle Webb," our associate software author behind popular utilities such as ThrottleStop and RealTemp, developed a new utility named Counter Control, which lets you monitor and log the performance counters of Intel Core processors since 2008 (Core "Nehalem"). During development for ThrottleStop, Kevin discovered a fascinating bug with Windows Defender, the built-in security software of Windows, which causes significantly higher performance impact on the processor than it should normally have. Of course a security software is bound to have some (small) performance impact during real-time protection, but this is much bigger.

The first sign that something is happening is that HWiNFO will be reporting a reduced "Effective Clock" speed when the CPU is fully loaded. A much bigger problem is that when Defender is affected by the bug, performance of your machine will be significantly reduced. For example, a Core i9-10850K running at 5.00 GHz all-core loses 1000 Cinebench points (or 6%). Such a performance loss has been reported by owners of Intel Core 8th, 9th, 10th and 11th Gen, both desktop and mobile CPUs, on both Windows 10 and Windows 11. AMD processors are not affected.

The underlying issue that costs so much performance is that Windows Defender will randomly start using all seven hardware performance counters provided by Intel Core processors, which includes three fixed function counters. Each of these counters can be programmed in one of four modes, to configure at which privilege level it counts—Disabled, OS (ring-0), User (ring>0), and All-Ring levels. Since these counters are a shared resource, it is possible that multiple programs want to access these counters at the same time.

Popular system utilities like HWiNFO, OCCT, Core Temp, and ThrottleStop, all set these counters to "mode 3" or "All-Ring Levels." Since they all set the same mode, there's no issues with multiple programs using the same counter. Windows Defender on the other hand will set these counters to "mode 2", at what looks like random intervals, for random durations of time. This can happen when a computer first boots up or it can happen at any time after that. While Windows Defender is running in the background, it can start and stop or continuously try to change these counters to mode 2 at any time. Just to clarify, the performance loss will happen even without any monitoring software running—Defender will still use excessive CPU time.

The issue is not with the Intel hardware, as setting the same timers as Windows Defender manually has no negative performance impact. Also, if these counters are manually overwritten, Defender detects that, immediately stops whatever it is doing and performance returns to normal—without any negative effect on the ability to detect viruses in real-time.
Our Counter Control software monitors and logs the "IA32_FIXED_CTR_CTRL" register of Intel Core processors, located at MSR 0x38D. This register provides access to the three fixed-function performance monitoring counters mentioned before. Counter Control will inform users if any software is using the Intel fixed-function counters, and for how long they've been in use. Typical values reported by Counter Control look like this:
  • Not Used - 0x000: The three fixed function counters are stopped. None of the counters are presently being used.
  • Defender - 0x222: All three fixed function counters are programmed to mode 2. This is the value that Windows Defender sets these counters to when it is using them.
  • Normal - 0x330: Two counters are programmed to mode 3. One counter is programmed to mode 0 and is not being used. This is normal. Most monitoring programs that use these counters will program the counter control register to this value.
  • Warning - 0x332: This is shown when two counters are being used normally by monitoring software while the third counter has been set to mode 2, likely by Windows Defender. This is a warning that two different programs might be fighting over control of the shared counters. You might see the counter control register constantly changing between 0x222 and 0x332. This is what you will see when running HWiNFO if Windows Defender is trying to use the IA32_FIXED function counters at the same time.
If your system seems affected, showing the "Defender" readout, then a quick fix is to click the "Reset Counters" button in Counter Control. By pressing the button, one timer will be reprogrammed to mode 3, which will be detected by Defender, and Defender will stop doing its thing and restore performance. Please verify with benchmarks.
There are two ways to go about mitigating this performance loss permanently. You could disable Windows Defender Real-time Monitoring, which is highly not recommended due to the security implications; or you could use the latest version 9.5 of ThrottleStop, which has a feature in the "Options" window, called "Windows Defender Boost." Ticking this ensures maximum performance and accurate Core Effective Clock monitoring in all applications whether Windows Defender real-time protection is enabled or not. To achieve that goal, ThrottleStop activates one of the programmable timers immediately. When Windows Defender detects that some user software is trying to use one of the programmable counters, it stops using all the counters and leaves them alone for as long as that counter stays enabled. This returns performance back to normal. The "Reset" button in Counter Control does the same, and gives people a way to activate only this mechanism, without having to start ThrottleStop. Just to clarify, Windows Defender will continue to work fine. It can still detect and notify users of any viruses. When started once, with the "Windows Defender Boost" option, ThrottleStop will let the timer running in mode 3, even when closed. This means you can start ThrottleStop once at bootup, close it right afterward, and your system will be protected from the Defender performance issues.

If "Windows Defender Boost" is not checked, the counter will be initially cleared. This stops the Window Defender algorithm but ThrottleStop will no longer try to keep one counter running while using ThrottleStop and it will not keep that one counter running after you exit ThrottleStop. This allows a person to use ThrottleStop without having to worry that ThrottleStop might be doing something to Windows Defender that it should not be doing. After ThrottleStop starts up, if that timer is not being used, after 10 minutes or so, Windows Defender will check that timer, see that it is not being used, and will be able to start its mysterious performance-eating algorithm again.

Let us know your experience in the comments of this article. It'll be interesting to see how widespread this issue is, we have confirmed (thread at TPU, thread at OCN) it to be happening on many systems in recent months. If we make enough noise, I'm sure Microsoft will look into why they need that many timers in Defender, why there's such a big performance hit, and fix it accordingly.

As always, let us know your thoughts and questions in the comments. Also let us know if you didn't understand certain technical details, so we can improve this writeup.

Counter Control is available as free download in our downloads section.
Add your own comment

257 Comments on Windows Defender can Significantly Impact Intel CPU Performance, We have the Fix

#126
ThrashZone
lexluthermiesterYeah, them too.
Hi,
I know he uses a three headed dog but there is still just one of him so "them" don't apply :laugh:
Posted on Reply
#127
skates
OneMoargo be wrong somewhere else lex

www.av-test.org/en/antivirus/home-windows/windows-10/april-2022/microsoft-defender-4.18-221213/

I have waning tolerance for idiots as I age please do your homework first defender has for years consistently been as good if not better then most solutions on the market the only recommendation I give other then defender is Avria or MBAM if the situation calls for a second option &
the amount of times I have run a scan with MBAM or AVRIA and they have found something that defender missed is ...... honestly can't tell you because I haven't seen it happen in person yet
I read that article and was not surprised. I have defender running on a new build and traditionally I disable it because I have ESET home internet (for many years now). I simply forgot to disable Defender on my new build and after looking at the eset review at av-test for Dec 2021, it's a perfect score. So, I think I'll disable defender unless someone with more knowledge can tell me why I would need it to supplement eset?
skatesI read that article and was not surprised. I have defender running on a new build and traditionally I disable it because I have ESET home internet (for many years now). I simply forgot to disable Defender on my new build and after looking at the eset review at av-test for Dec 2021, it's a perfect score. So, I think I'll disable defender unless someone with more knowledge can tell me why I would need it to supplement eset?
Here is the eset review www.av-test.org/en/antivirus/home-windows/windows-10/december-2021/eset-internet-security-15.0-211609/
Posted on Reply
#128
AusWolf
skatesI read that article and was not surprised. I have defender running on a new build and traditionally I disable it because I have ESET home internet (for many years now). I simply forgot to disable Defender on my new build and after looking at the eset review at av-test for Dec 2021, it's a perfect score. So, I think I'll disable defender unless someone with more knowledge can tell me why I would need it to supplement eset?


Here is the eset review www.av-test.org/en/antivirus/home-windows/windows-10/december-2021/eset-internet-security-15.0-211609/
No one in their right mind will ever tell you to "supplement" an AV with another. Running more than one doesn't benefit you in any way, but can harm system performance.
Posted on Reply
#129
skates
AusWolfNo one in their right mind will ever tell you to "supplement" an AV with another. Running more than one doesn't benefit you in any way, but can harm system performance.
Thank you for the advice.
skatesThank you for the advice.
Actually, defender is off, but windows 11 does report on ESET and Malware Bytes, so I was confused because the defender tray icon, although being off, isn't complaining like in windows 10. Windows 11 also gives the ability to have defender 'periodically' do a scan.
Posted on Reply
#130
AsRock
TPU addict
ThrashZoneHi,
Yeah 10 was bad but 11 is far worse than that.

I just started removing pretender early this year mainly because I started using it a bit more.
Dam now i got a queen song in my head.
Posted on Reply
#131
Mussels
Freshwater Moderator
skatesThank you for the advice.


Actually, defender is off, but windows 11 does report on ESET and Malware Bytes, so I was confused because the defender tray icon, although being off, isn't complaining like in windows 10. Windows 11 also gives the ability to have defender 'periodically' do a scan.
Enabling another AV disables defender, and has for longer than i can remember

The tray icon etc are not the same as actively scanning or competing
Posted on Reply
#132
lexluthermiester
MusselsEnabling another AV disables defender, and has for longer than i can remember
While true, the services keep running and using system resources. It's best to remove it in favor of a replacement.
Posted on Reply
#133
Mussels
Freshwater Moderator
lexluthermiesterWhile true, the services keep running and using system resources. It's best to remove it in favor of a replacement.
but while inactive, it's not doing any scanning or triggering performance losses

It goes dormant to switch back on if your other AV is disabled (which genuinely is a good thing, as so many scams have instructions on "if you have problems, disable your AV..."
Posted on Reply
#134
lexluthermiester
Musselsbut while inactive, it's not doing any scanning or triggering performance losses

It goes dormant to switch back on if your other AV is disabled (which genuinely is a good thing, as so many scams have instructions on "if you have problems, disable your AV..."
Anyone foolish/silly enough to be falling for such a scam is not someone who is going to go through the effort to remove Defender anyway, so that's a mute point. The task of removing Defender is for experienced users who know better that to be taken in by scams, not the technologically illiterate.
Posted on Reply
#135
TheoneandonlyMrK
lexluthermiesterFirst, this is purely a microsoft coding problem. Second, it's been happening for donkey's years. You really expect them to patch it anytime soon?


Really makes one wonder about all the reviews and benchmarks we've seen over the years. This is one of the MANY reasons I remove defender from the systems I use.


What?!?

Seriously, you gotta hush your cakehole.
I am pretty sure W1zzard disables defender, telemetry etc before benching, it's a plus for sure since it means all Tpu reviews right now are still valid.

Maybe someone else said this shrug.
Posted on Reply
#136
TheHunter
Well now it's my daily tool, and haven't had any regression since then, I just enable/reset by each new logon and that's it.


btw I think I saw one user mentioning about 15sec delay in ini file, but there is no such file, I just have exe, do I make one by exe location?
Posted on Reply
#137
Mussels
Freshwater Moderator
TheoneandonlyMrKI am pretty sure W1zzard disables defender, telemetry etc before benching, it's a plus for sure since it means all Tpu reviews right now are still valid.

Maybe someone else said this shrug.
He does, as do most serious reviewers
Posted on Reply
#138
unclewebb
ThrottleStop & RealTemp Author
TheHunterdelay in ini file, but there is no such file,
Counter Control does not yet have an INI file but I will probably add one in the near future.

ThrottleStop 9.5.1 has a new INI file option so it will reset the timer and then immediately exit. Let me known in a message if you want to try that feature.
Posted on Reply
#139
AlwaysHope
MusselsHe does, as do most serious reviewers
But that relegates the benchmarks to academic performance, not real world practical for everyday users.
I mean are regular users going to disable defender & telemetry, etc.. just for the sake of performance on their systems?
Posted on Reply
#140
Mussels
Freshwater Moderator
AlwaysHopeBut that relegates the benchmarks to academic performance, not real world practical for everyday users.
I mean are regular users going to disable defender & telemetry, etc.. just for the sake of performance on their systems?
I brought this up in another thread as well about required software
Hard to praise a motherboard for its overclocking performance, if the average user gets massive performance losses after installing the required software for its OLED display, etc.

I agree with W1zzard that hardware reviews definitely need to be done with a clean OS, even with the AV disabled - as that's a software issue and it can change over time - things like AV should only be enabled when you're comparing AV programs.

That said, i think any required software should be tested with a before and after comparison. If you cant use RGB controllers, OLED displays or update the BIOS without these softwares the average user will install them - and they need to know if they're got performance issues.
Posted on Reply
#141
lexluthermiester
MusselsHe does, as do most serious reviewers
But does he disable or remove?
Posted on Reply
#144
ThrashZone
lexluthermiesterBut does he disable or remove?
Hi,
Disables for the most part and deletes some automatic processes

W1zard's 10 & 11 script removes the most annoying part to
The defender shield on taskbar/ action center so it doesn't show a yellow flag on it for setting changes off default like disabling cloud sample sending/.....or needs or wants to scan
So yeah kind of a half measure to remove the wd pestware.
Posted on Reply
#145
TheHunter
unclewebbCounter Control does not yet have an INI file but I will probably add one in the near future.

ThrottleStop 9.5.1 has a new INI file option so it will reset the timer and then immediately exit. Let me known in a message if you want to try that feature.
Sure I would like to test :)
Posted on Reply
#146
Unregistered
Hardware reviews need to be done with a clean install with nothing disabled, as that is most likely what the avg users install would be like. It is only people like us that will tweak windows and disable certain stuff. Surely the hardware results should show results based on the avg persons PC.
#147
RandomBeeps77
After a hell of tweaks finally deactivated. Battery went from 1.30h with desktop sightseeing to 7h battery with firefox 6 tabs and Code Editor... Battery is at 85% at the factory capacity. Laptop. from late 2018.

The tweak from OP helped a lot.
Posted on Reply
#148
AusWolf
I turned my PC on today, and got "not used" from Counter Control. Previously, it has always been "Defender" until I reset the counters. Has Microsoft issued an update or something?
Posted on Reply
#149
zebra_hun
Idk. Later i will check. I use ts 9.3 with autostart, cant test original w10. I hope, ms patched.
Posted on Reply
#150
AusWolf
AusWolfI turned my PC on today, and got "not used" from Counter Control. Previously, it has always been "Defender" until I reset the counters. Has Microsoft issued an update or something?
I'll take it back. It's back to "Defender" now. :(
Posted on Reply
Add your own comment
Dec 23rd, 2024 06:52 EST change timezone

New Forum Posts

Popular Reviews

Controversial News Posts