Monday, June 27th 2022

Windows Defender can Significantly Impact Intel CPU Performance, We have the Fix

Kevin Glynn, aka "Uncle Webb," our associate software author behind popular utilities such as ThrottleStop and RealTemp, developed a new utility named Counter Control, which lets you monitor and log the performance counters of Intel Core processors since 2008 (Core "Nehalem"). During development of ThrottleStop, Kevin discovered a fascinating bug with Windows Defender, the built-in security software of Windows, which causes a significantly higher performance impact on the processor than it should normally have. Of course, security software is bound to have some (small) performance impact during real-time protection, but this is much bigger.

The first sign that something is happening is that HWiNFO will be reporting a reduced "Effective Clock" speed when the CPU is fully loaded. A much bigger problem is that when Defender is affected by the bug, performance of your machine will be significantly reduced. For example, a Core i9-10850K running at 5.00 GHz all-core loses 1000 Cinebench points (or 6%). Such a performance loss has been reported by owners of Intel Core 8th, 9th, 10th and 11th Gen, both desktop and mobile CPUs, on both Windows 10 and Windows 11. AMD processors are not affected.

The underlying issue that costs so much performance is that Windows Defender will randomly start using all seven hardware performance counters provided by Intel Core processors, which includes three fixed function counters. Each of these counters can be programmed in one of four modes, to configure at which privilege level it counts—Disabled, OS (ring-0), User (ring>0), and All-Ring levels. Since these counters are a shared resource, it is possible that multiple programs want to access these counters at the same time.

Popular system utilities like HWiNFO, OCCT, Core Temp, and ThrottleStop all set these counters to "mode 3" or "All-Ring Levels." Since they all set the same mode, there are no issues with multiple programs using the same counter. Windows Defender, on the other hand, will set these counters to "mode 2" at what looks like random intervals, for random durations of time. This can happen when a computer first boots up or at any time after that. While Windows Defender is running in the background, it can start and stop, or continuously try to change these counters to mode 2, at any time. Just to clarify, the performance loss will happen even without any monitoring software running; Defender will still use excessive CPU time.

The issue is not with the Intel hardware, as setting the same timers as Windows Defender manually has no negative performance impact. Also, if these counters are manually overwritten, Defender detects that, immediately stops whatever it is doing and performance returns to normal, without any negative effect on the ability to detect viruses in real-time.

Our Counter Control software monitors and logs the "IA32_FIXED_CTR_CTRL" register of Intel Core processors, located at MSR 0x38D. This register provides access to the three fixed-function performance monitoring counters mentioned before. Counter Control will inform users if any software is using the Intel fixed-function counters, and for how long they've been in use. Typical values reported by Counter Control look like this:
  • Not Used - 0x000: The three fixed function counters are stopped. None of the counters are presently being used.
  • Defender - 0x222: All three fixed function counters are programmed to mode 2. This is the value that Windows Defender sets these counters to when it is using them.
  • Normal - 0x330: Two counters are programmed to mode 3. One counter is programmed to mode 0 and is not being used. This is normal. Most monitoring programs that use these counters will program the counter control register to this value.
  • Warning - 0x332: This is shown when two counters are being used normally by monitoring software while the third counter has been set to mode 2, likely by Windows Defender. This is a warning that two different programs might be fighting over control of the shared counters. You might see the counter control register constantly changing between 0x222 and 0x332. This is what you will see when running HWiNFO if Windows Defender is trying to use the IA32_FIXED function counters at the same time.
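
As an added example (not part of the original article and not Counter Control's own code), this C program decodes a raw IA32_FIXED_CTR_CTRL value into the per-counter modes listed above and counts how often a series of samples flips between the "Defender" and "Warning" states. The classification rule beyond the four values on the page and the sample series are assumptions constructed for illustration; reading the MSR itself requires a kernel driver and is not shown.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* IA32_FIXED_CTR_CTRL (MSR 0x38D): one 4-bit field per fixed counter.
 * The low two bits of each field are the mode described in the article:
 * 0 = disabled, 1 = OS (ring 0), 2 = User (ring > 0), 3 = all rings. */
enum cc_state { NOT_USED, DEFENDER, NORMAL, WARNING, OTHER };

unsigned fixed_mode(uint64_t ctrl, unsigned counter) {
    return (unsigned)((ctrl >> (4 * counter)) & 0x3);
}

/* Assumed rule, generalised from the page's four sample values;
 * this is not Counter Control's actual logic. */
enum cc_state classify(uint64_t ctrl) {
    unsigned seen[4] = {0, 0, 0, 0};  /* counters found in each mode */
    for (unsigned c = 0; c < 3; c++)
        seen[fixed_mode(ctrl, c)]++;
    if (seen[0] == 3) return NOT_USED;        /* 0x000 */
    if (seen[2] == 3) return DEFENDER;        /* 0x222 */
    if (seen[1]) return OTHER;                /* OS-only mode: not covered by the page */
    if (seen[2] && seen[3]) return WARNING;   /* 0x332 */
    if (seen[3]) return NORMAL;               /* 0x330 */
    return OTHER;                             /* e.g. 0x220 */
}

/* Count Defender<->Warning transitions between consecutive samples: the
 * "two programs fighting over the counters" pattern from the article. */
size_t contention_flips(const uint64_t *s, size_t n) {
    size_t flips = 0;
    for (size_t i = 1; i < n; i++) {
        enum cc_state a = classify(s[i - 1]), b = classify(s[i]);
        if ((a == DEFENDER && b == WARNING) || (a == WARNING && b == DEFENDER))
            flips++;
    }
    return flips;
}

int main(void) {
    /* Constructed samples, as if MSR 0x38D were polled at a fixed interval. */
    const uint64_t samples[] = {0x000, 0x222, 0x332, 0x222, 0x332, 0x330, 0x330};
    const char *name[] = {"Not Used", "Defender", "Normal", "Warning", "Other"};
    size_t n = sizeof samples / sizeof samples[0];
    for (size_t i = 0; i < n; i++)
        printf("0x%03llx  %s\n", (unsigned long long)samples[i], name[classify(samples[i])]);
    printf("contention flips: %zu\n", contention_flips(samples, n));
    return 0;
}
```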

If your system seems affected, showing the "Defender" readout, then a quick fix is to click the "Reset Counters" button in Counter Control. Pressing the button reprograms one timer to mode 3, which Defender detects; Defender then stops what it is doing and performance is restored. Please verify with benchmarks.

There are two ways to mitigate this performance loss permanently. You could disable Windows Defender Real-time Monitoring, which is strongly discouraged due to the security implications; or you could use the latest version 9.5 of ThrottleStop, which has a feature in the "Options" window called "Windows Defender Boost." Ticking this ensures maximum performance and accurate Core Effective Clock monitoring in all applications, whether Windows Defender real-time protection is enabled or not. To achieve that goal, ThrottleStop activates one of the programmable timers immediately. When Windows Defender detects that some user software is trying to use one of the programmable counters, it stops using all the counters and leaves them alone for as long as that counter stays enabled. This returns performance back to normal. The "Reset" button in Counter Control does the same, and gives people a way to activate only this mechanism, without having to start ThrottleStop.

Just to clarify, Windows Defender will continue to work fine. It can still detect and notify users of any viruses. When started once with the "Windows Defender Boost" option, ThrottleStop will leave the timer running in mode 3, even when closed. This means you can start ThrottleStop once at bootup, close it right afterward, and your system will be protected from the Defender performance issues.

If "Windows Defender Boost" is not checked, the counter will be initially cleared. This stops the Windows Defender algorithm, but ThrottleStop will no longer try to keep one counter running while it is in use, and it will not keep that one counter running after you exit ThrottleStop. This allows a person to use ThrottleStop without having to worry that ThrottleStop might be doing something to Windows Defender that it should not be doing. After ThrottleStop starts up, if that timer is not being used, after 10 minutes or so, Windows Defender will check that timer, see that it is not being used, and will be able to start its mysterious performance-eating algorithm again.

Let us know your experience in the comments of this article. It'll be interesting to see how widespread this issue is; we have confirmed (thread at TPU, thread at OCN) it to be happening on many systems in recent months. If we make enough noise, I'm sure Microsoft will look into why they need that many timers in Defender, why there's such a big performance hit, and fix it accordingly.

As always, let us know your thoughts and questions in the comments. Also let us know if you didn't understand certain technical details, so we can improve this writeup.

Counter Control is available as a free download in our downloads section.

257 Comments on Windows Defender can Significantly Impact Intel CPU Performance, We have the Fix

#152
unclewebb
ThrottleStop & RealTemp Author
AusWolf said: I'll take it back. It's back to "Defender" now.
I get "Not Used" when booting up immediately after a blue screen. A sleep resume cycle is always enough for Windows Defender to resume wasting CPU cycles. Nothing has changed with the most recent Windows Defender versions. This issue has already been forgotten.
#153
TheHunter
AusWolf said: I turned my PC on today, and got "not used" from Counter Control. Previously, it has always been "Defender" until I reset the counters. Has Microsoft issued an update or something?
Sometimes it shows not used, but it will start to use Defender eventually.
#154
FLFLFL
Defender ON...

Defender OFF...

The results with Defender ON swing up and down by a high margin; with Defender OFF the margin is small, only 5-7 Cb.

If I let HP bloatware run + Intel Tuning software with Defender ON,
performance drops to 700-710 Cb.

The 850+ with Defender ON are from ThrottleStop… otherwise i7-11th Gen plays like i5.
Our good HP takes care of us, and Intel locks everything from the factory.
#155
DyslexicStoner240
Can someone please tell me if I can close the program once it's fixed or should I minimize it and let it run in the background?
#156
TheHunter
There was a Defender update yesterday



and now when I rebooted few times, it started as normal or not used - by not used I started realtemp and it switched to normal 0x330, so I guess they fixed it?


EDIT: false alarm! it's back lol
#157
unclewebb
ThrottleStop & RealTemp Author
DyslexicStoner240 said: if I can close the program once it's fixed
What program?

If you are using Counter Control then you can usually close this program and the problem will not happen again until you either reboot or do a sleep resume or hibernate resume cycle. You can run Counter Control at any time to see the status of your counters.

I prefer to run ThrottleStop 9.5 all of the time so I do not have to worry about this issue. ThrottleStop will automatically reset the timers after you resume from sleep or hibernate.
#158
DyslexicStoner240
unclewebb said: What program?

If you are using Counter Control then you can usually close this program and the problem will not happen again until you either reboot or do a sleep resume or hibernate resume cycle. You can run Counter Control at any time to see the status of your counters.

I prefer to run ThrottleStop 9.5 all of the time so I do not have to worry about this issue. ThrottleStop will automatically reset the timers after you resume from sleep or hibernate.
Thanks for answering my question!
#159
Jasper
Hi,

Must I TURN ON Throttlestop using the button to realize this benefit OR is simply STARTING Throttlestop sufficient?

Thank you.
#160
unclewebb
ThrottleStop & RealTemp Author
Jasper said: TURN ON
Turn On is not necessary.

Do some Cinebench testing to prove what works for your situation.
#161
mikev92
Seems to be fixed in latest Beta build 22622.575.
#162
unclewebb
ThrottleStop & RealTemp Author
mikev92 said: Seems to be fixed
Interesting. Try doing a few sleep resume cycles to make sure Defender does not wake up and bite you in the back side.

Thanks for the update.
#163
mikev92
unclewebb said: Interesting. Try doing a few sleep resume cycles to make sure Defender does not wake up and bite you in the back side.

Thanks for the update.
Tried that and restarting a few times, still says 'Normal'. Usually it would switch to 'Defender' about 3-4 minutes after waking/booting, and if it didn't then it usually would after a while, but so far it hasn't.

It's worth mentioning that this is a clean install so there's a chance that it was fixed on earlier builds but I didn't bother checking because I set up TS way back when it was discovered.

Another interesting thing is that VBS is now enabled by default when clean installing 22H2 which wasn't the case with 21H2 (when using Rufus), so I'll test how it goes with VBS off.

Edit: Same thing with VBS off so it probably has no effect on it, but yeah I'd say it's finally fixed.
#164
TheHunter
So I upgraded to Windows 11 and the issue is still present. I'm on the retail channel.


Sometimes it starts as not used, but it will turn into defender mode eventually.
#165
lexluthermiester
TheHunter said: So I upgraded to Windows 11 and the issue is still present. I'm on the retail channel.


Sometimes it starts as not used, but it will turn into defender mode eventually.
Windows Defender is NOT going to behave. It is not going to obey you. So you have two options. Ignore it and carry on (dealing with the annoyances going forward), or delete Windows Defender and use something that will obey your settings and config choices. There are plenty of security suites out there that do better (some much better) than Defender.
#166
TheHunter
lexluthermiester said: Windows Defender is NOT going to behave. It is not going to obey you. So you have two options. Ignore it and carry on (dealing with the annoyances going forward), or delete Windows Defender and use something that will obey your settings and config choices. There are plenty of security suites out there that do better (some much better) than Defender.
Like?

I used to run nod32 security for a long time, but ditched it eventually because its built-in firewall started to eat cycles..
#167
lexluthermiester
TheHunter said: Like?
Comodo is my personal fav currently. Their firewall and HIPS features are second to no one, IMO. ESET is also good, as is Avira.
TheHunter said: because its built-in firewall started to eat cycles..
That's going to happen no matter what you use, especially Defender. Try to remember though, modern CPUs are far more powerful than they once were, so a firewall/security suite is not really going to impact your overall performance to any degree you will notice.

So do your research, figure out which one seems good for your needs and computing ethic/style and try it out. All of the respectable brands have a trial version for users to try. If they don't have a trial version, they're not worth your time.
#168
TheHunter
I updated to 22h2 today and so far so good.



I totally forgot about it running in the background and it hasn't been triggered yet, now when I saw it running over 2hrs, I opened both apps to see what's going on and it's still ok
#170
lexluthermiester
TheHunter said: Yes it is fixed. :)
I still advise removing Defender and replacing it with something better and less intrusive.
#171
Mussels
Freshwater Moderator
lexluthermiester said: I still advise removing Defender and replacing it with something better and less intrusive.
Not many options are less intrusive

Bitdefender is good, but requires an email
Kaspersky is fine if you're not into the politics with Russia, but preinstalls a VPN
Avast, Avira, Malwarebytes have all had their own scandals and issues....



For the average home PC, defender does great.
#172
lexluthermiester
Mussels said: Not many options are less intrusive
Perhaps so, but there are options. Comodo is not intrusive, privacy protection is one of their driving motivations. Avira is currently respectful of people's privacy also. There are others as well.
Mussels said: For the average home PC, defender does great.
This is where we disagree. The average user has no idea the level of intrusion Microsoft makes into their information and they use Defender, in part, to do it. IMPO, almost anything would be better.
#173
Mussels
Freshwater Moderator
Intrusion into their information...
Sorry what exactly are they stealing from me?

Most home users have nothing on their PC worth that level of paranoia and fear.
#174
lexluthermiester
Mussels said: Sorry what exactly are they stealing from me?
A detailed list of files stored on a given PC as well as a list of what you download. Edge collects surfing habits and lists of sites you visit. Windows telemetry gathers data on your computing habits. It's the trifecta of privacy invasion. Anyone who allows it is a fool to themselves.
Mussels said: Most home users have nothing on their PC worth that level of paranoia and fear.
Anything that could be used to profile a user or identify same outside the context of personal computing is a risk to said user and therefore a risk to the entire user base. There are practical risks not worth taking or tolerating. If you choose not to acknowledge those risks, that's your choice, but you can not deny they exist. Advising people not to be concerned about them is unwise.
#175
TheHunter
Fck me, it's back.. -_-, MS is so dumb..

lexluthermiester said: I still advise removing Defender and replacing it with something better and less intrusive.
Any good suggestion? I did try a few in the past, avast, avira, kaspersky - removed this right away, it blocked too much lol, trendmicro - had this for a long time, then switched to nod32 security until they messed it up and firewall started to consume more cpu..

Then I installed malwarebytes Tinywall and kept default Defender, and haven't looked back, until this counter control issue started to happen. I still remember it well, it was this year around mid January @ win10.

I bought this 11700kf end of December 2021 and all was ok at first, tested/benchmarked a lot. Then a few weeks later I started to see some strange regression..