Monday, June 27th 2022

Windows Defender can Significantly Impact Intel CPU Performance, We have the Fix

Kevin Glynn, aka "Uncle Webb," our associate software author behind popular utilities such as ThrottleStop and RealTemp, developed a new utility named Counter Control, which lets you monitor and log the performance counters of Intel Core processors since 2008 (Core "Nehalem"). During development for ThrottleStop, Kevin discovered a fascinating bug with Windows Defender, the built-in security software of Windows, which causes a significantly higher performance impact on the processor than it should normally have. Of course, security software is bound to have some (small) performance impact during real-time protection, but this is much bigger.

The first sign that something is happening is that HWiNFO will be reporting a reduced "Effective Clock" speed when the CPU is fully loaded. A much bigger problem is that when Defender is affected by the bug, performance of your machine will be significantly reduced. For example, a Core i9-10850K running at 5.00 GHz all-core loses 1000 Cinebench points (or 6%). Such a performance loss has been reported by owners of Intel Core 8th, 9th, 10th and 11th Gen, both desktop and mobile CPUs, on both Windows 10 and Windows 11. AMD processors are not affected.

The underlying issue that costs so much performance is that Windows Defender will randomly start using all seven hardware performance counters provided by Intel Core processors, which includes three fixed function counters. Each of these counters can be programmed in one of four modes, to configure at which privilege level it counts—Disabled, OS (ring-0), User (ring>0), and All-Ring levels. Since these counters are a shared resource, it is possible that multiple programs want to access these counters at the same time.

Popular system utilities like HWiNFO, OCCT, Core Temp, and ThrottleStop all set these counters to "mode 3" or "All-Ring Levels." Since they all set the same mode, there are no issues with multiple programs using the same counter. Windows Defender, on the other hand, will set these counters to "mode 2" at what looks like random intervals, for random durations of time. This can happen when a computer first boots up or at any time after that. While Windows Defender is running in the background, it can start and stop or continuously try to change these counters to mode 2 at any time. Just to clarify, the performance loss will happen even without any monitoring software running; Defender will still use excessive CPU time.

The issue is not with the Intel hardware, as manually setting the same timers as Windows Defender has no negative performance impact. Also, if these counters are manually overwritten, Defender detects that, immediately stops whatever it is doing, and performance returns to normal, without any negative effect on the ability to detect viruses in real-time.

Our Counter Control software monitors and logs the "IA32_FIXED_CTR_CTRL" register of Intel Core processors, located at MSR 0x38D. This register provides access to the three fixed-function performance monitoring counters mentioned before. Counter Control will inform users if any software is using the Intel fixed-function counters, and for how long they've been in use. Typical values reported by Counter Control look like this:
  • Not Used - 0x000: The three fixed function counters are stopped. None of the counters are presently being used.
  • Defender - 0x222: All three fixed function counters are programmed to mode 2. This is the value that Windows Defender sets these counters to when it is using them.
  • Normal - 0x330: Two counters are programmed to mode 3. One counter is programmed to mode 0 and is not being used. This is normal. Most monitoring programs that use these counters will program the counter control register to this value.
  • Warning - 0x332: This is shown when two counters are being used normally by monitoring software while the third counter has been set to mode 2, likely by Windows Defender. This is a warning that two different programs might be fighting over control of the shared counters. You might see the counter control register constantly changing between 0x222 and 0x332. This is what you will see when running HWiNFO if Windows Defender is trying to use the IA32_FIXED function counters at the same time.
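
The register values in the list above can be decoded field by field. The following Python sketch is an added example, not Counter Control's code: it splits a sampled IA32_FIXED_CTR_CTRL value into the three per-counter modes, labels it as in the list, and totals the time spent under each label over a constructed polling log. The function names and the labelling rules for values other than the four listed are assumptions.

```python
# Added example (not Counter Control's code): decode IA32_FIXED_CTR_CTRL
# (MSR 0x38D) samples and label them as in the article's list.
MODES = {0: "Disabled", 1: "OS (ring-0)", 2: "User (ring>0)", 3: "All-Ring"}

def decode(value):
    """Return the mode (0-3) of fixed counters 0, 1 and 2.

    Each counter owns a 4-bit field; its low two bits are the OS and User
    enable bits, which together give the mode number used in the article.
    """
    return [(value >> (4 * i)) & 0x3 for i in range(3)]

def classify(value):
    """Label a register value. Rules beyond the four listed values are assumed."""
    modes = decode(value)
    if all(m == 0 for m in modes):
        return "Not Used"
    if all(m == 2 for m in modes):
        return "Defender"  # a warning only: any software can program mode 2
    if 2 in modes and 3 in modes:
        return "Warning"   # mode 2 and mode 3 users are sharing the counters
    if all(m in (0, 3) for m in modes):
        return "Normal"
    return "Other"

def summarize(samples):
    """samples: time-sorted (seconds, value) pairs from polling the register.

    Returns (seconds spent under each label, number of label changes).
    """
    time_in, changes = {}, 0
    for (t0, v0), (t1, v1) in zip(samples, samples[1:]):
        label = classify(v0)
        time_in[label] = time_in.get(label, 0) + (t1 - t0)
        changes += classify(v1) != label
    return time_in, changes

# Constructed one-second polling log: idle, mode 2 appears, a monitoring tool
# joins and the value alternates, then the counters settle in mode 3.
SAMPLES = [(0, 0x000), (1, 0x222), (2, 0x222), (3, 0x332), (4, 0x222),
           (5, 0x332), (6, 0x330), (7, 0x330), (8, 0x330)]

if __name__ == "__main__":
    for value in (0x000, 0x222, 0x330, 0x332):
        names = [MODES[m] for m in decode(value)]
        print(f"0x{value:03X} -> {classify(value)}: {names}")
    print(summarize(SAMPLES))
```

A high change count with the time split between "Defender" and "Warning" corresponds to the alternation between 0x222 and 0x332 described in the last list item.
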

If your system seems affected, showing the "Defender" readout, then a quick fix is to click the "Reset Counters" button in Counter Control. Pressing the button reprograms one timer to mode 3, which Defender detects; Defender then stops doing its thing and performance is restored. Please verify with benchmarks.

There are two ways to go about mitigating this performance loss permanently. You could disable Windows Defender Real-time Monitoring, which is strongly discouraged due to the security implications; or you could use the latest version 9.5 of ThrottleStop, which has a feature in the "Options" window called "Windows Defender Boost." Ticking this ensures maximum performance and accurate Core Effective Clock monitoring in all applications whether Windows Defender real-time protection is enabled or not. To achieve that goal, ThrottleStop activates one of the programmable timers immediately. When Windows Defender detects that some user software is trying to use one of the programmable counters, it stops using all the counters and leaves them alone for as long as that counter stays enabled. This returns performance back to normal. The "Reset" button in Counter Control does the same, and gives people a way to activate only this mechanism, without having to start ThrottleStop.

Just to clarify, Windows Defender will continue to work fine. It can still detect and notify users of any viruses. When started once with the "Windows Defender Boost" option, ThrottleStop will leave the timer running in mode 3, even when closed. This means you can start ThrottleStop once at bootup, close it right afterward, and your system will be protected from the Defender performance issues.

If "Windows Defender Boost" is not checked, the counter will be initially cleared. This stops the Windows Defender algorithm, but ThrottleStop will no longer try to keep one counter running while it is in use, and it will not keep that one counter running after you exit ThrottleStop. This allows a person to use ThrottleStop without having to worry that ThrottleStop might be doing something to Windows Defender that it should not be doing. After ThrottleStop starts up, if that timer is not being used, after 10 minutes or so, Windows Defender will check that timer, see that it is not being used, and will be able to start its mysterious performance-eating algorithm again.

Let us know your experience in the comments of this article. It'll be interesting to see how widespread this issue is; we have confirmed (thread at TPU, thread at OCN) that it has been happening on many systems in recent months. If we make enough noise, I'm sure Microsoft will look into why they need that many timers in Defender, why there's such a big performance hit, and fix it accordingly.

As always, let us know your thoughts and questions in the comments. Also let us know if you didn't understand certain technical details, so we can improve this writeup.

Counter Control is available as a free download in our downloads section.

257 Comments on Windows Defender can Significantly Impact Intel CPU Performance, We have the Fix

#176
lexluthermiester
TheHunter: any good suggestion?
Comodo is my current fav and go-to. It has the best personal firewall I've seen so far and it is fully customizable. The HIPS function, which watchdogs programs and the OS, is exceptional. Comodo makes Microsoft look like monkeys flinging poo.
download.comodo.com/cis/download/installs/8060/standalone/cispro_installer.exe?af=7639
The free version does not expire. It'll ask you to try the pro version and to be fair $40 for a 3PC 1year license is damn decent.
Posted on Reply
#177
Solaris17
Super Dainty Moderator
btarunr: Defender - 0x222: All three fixed function counters are programmed to mode 2. This is the value that Windows Defender sets these counters to when it is using them.
This doesn't seem entirely accurate. "Defender" while obviously causing issues in this context by setting these values; any software can assign these values. Are you performing other checks to be certain it is defender before reporting it as the performance issue @unclewebb ?
Posted on Reply
#178
unclewebb
ThrottleStop & RealTemp Author
Solaris17: This doesn't seem entirely accurate.
You are 100% correct. Any software can use these timers within the CPU and any software can set these timers to mode 2.

The word Defender is only a warning. It is not a confirmation that Windows Defender is guilty of anything. Open the Task Manager, go to the Details tab and have a look to see if the Microsoft Malware Protection Engine (MsMpEng.exe) is using more CPU cycles than usual.

If I had this problem, I would run a consistent benchmark like Cinebench R23 and I would compare my score to when these timers are not being set to mode 2. If you are running Windows Defender and you see a noticeable increase in performance when these timers are not being set to mode 2, and MsMpEng.exe is using more CPU cycles than usual, I would conclude that Windows Defender is why your performance is being reduced.
Posted on Reply
#179
Solaris17
Super Dainty Moderator
unclewebb: You are 100% correct. Any software can use these timers within the CPU and any software can set these timers to mode 2.

The word Defender is only a warning. It is not a confirmation that Windows Defender is guilty of anything. Open the Task Manager, go to the Details tab and have a look to see if the Microsoft Malware Protection Engine (MsMpEng.exe) is using more CPU cycles than usual.

If I had this problem, I would run a consistent benchmark like Cinebench R23 and I would compare my score to when these timers are not being set to mode 2. If you are running Windows Defender and you see a noticeable increase in performance when these timers are not being set to mode 2, and MsMpEng.exe is using more CPU cycles than usual, I would conclude that Windows Defender is why your performance is being reduced.
Sick thanks for explaining!
Posted on Reply
#180
TheHunter
Seems to be ok again.. and I didn't start anything unusual last time when I saw it, maybe they fixed it again with recent Defender update.



weird stuff..

@lexluthermiester

does that comodo av also disable Defender?
Posted on Reply
#181
Mussels
Freshwater Moderator
TheHunter: does that comodo av also disable Defender?
Defender disables the moment any other AV is installed and active
Posted on Reply
#182
lexluthermiester
Mussels: Defender disables the moment any other AV is installed and active
This.
Posted on Reply
#183
TheHunter
So I was still struggling with defender, but then I said enough and installed that Comodo AV only part and now it says


all the time.

Bye bye defender :laugh:
Posted on Reply
#184
AusWolf
TheHunter: So I was still struggling with defender, but then I said enough and installed that Comodo AV only part and now it says


all the time.

Bye bye defender :laugh:
I went the hard way: I upgraded to a Ryzen 7 7700X, and my 11700 is in my HTPC now, where the defender-restricted performance doesn't matter anymore. :laugh:
Posted on Reply
#185
ThrashZone
Hi,
The third party AV does have to register with defender to disable WD
Most AV's will give the option on install or in their settings.
Amazing how many want to use both :laugh:
Posted on Reply
#186
lexluthermiester
ThrashZone: Amazing how many want to use both :laugh:
Right? Just crazy as hell. :banghead:
Posted on Reply
#187
Mussels
Freshwater Moderator
ThrashZone: Hi,
The third party AV does have to register with defender to disable WD
Most AV's will give the option on install or in their settings.
Amazing how many want to use both :laugh:
which is smart, after having dealt with users who disabled their AV because an ad on a fake pirate website told them to disable their AV to get their movie to play... it's annoying, but at least it's valid that defender won't shut off without a recognised AV to prevent malware and idiocy disabling all antivirus.
Posted on Reply
#188
bug
Mussels: which is smart, after having dealt with users who disabled their AV because an ad on a fake pirate website told them to disable their AV to get their movie to play... it's annoying, but at least it's valid that defender won't shut off without a recognised AV to prevent malware and idiocy disabling all antivirus.
I wouldn't call it "smart". I think it's sad when people use computers without understanding what an AV does or how it works. People using computers these days are so "smart", they don't know what the URL bar in a browser is for :(
Posted on Reply
#189
Mussels
Freshwater Moderator
bug: I wouldn't call it "smart". I think it's sad when people use computers without understanding what an AV does or how it works. People using computers these days are so "smart", they don't know what the URL bar in a browser is for :(
because it changed over the years and varies between browsers?
Posted on Reply
#190
bug
Mussels: because it changed over the years and varies between browsers?
Yeah, that requires a PhD to understand or keep track of :wtf:
Posted on Reply
#191
lexluthermiester
bug: Yeah, that requires a PhD to understand or keep track of :wtf:
Not really. It requires one to pay attention, little more.
Posted on Reply
#192
TheHunter
Yeah, after I installed this Comodo AV some defender part wanted to contact microsoft and I allowed it, after I did that it somehow magically enabled Defender as well, had to reboot the system then it was ok again.
This happened 2x so far in 1 month, I think it was by update Tuesdays..
Posted on Reply
#193
lexluthermiester
TheHunter: Yeah, after I installed this Comodo AV some defender part wanted to contact microsoft and I allowed it, after I did that it somehow magically enabled Defender as well, had to reboot the system then it was ok again.
This happened 2x so far in 1 month, I think it was by update Tuesdays..
You need to disable Defender completely and not allow it to run again.
Posted on Reply
#194
Veseleil
lexluthermiester: You need to disable Defender completely and not allow it to run again.
Running the defender free OS in the first place was such a relief. :D
Posted on Reply
#195
lexluthermiester
TheHunter: Yeah, after I installed this Comodo AV some defender part wanted to contact microsoft and I allowed it, after I did that it somehow magically enabled Defender as well, had to reboot the system then it was ok again.
This happened 2x so far in 1 month, I think it was by update Tuesdays..
Veseleil: Running the defender free OS in the first place was such a relief. :D
I hate to link an external article, but it is a good example of why I just won't use it.
www.techspot.com/news/98634-examination-18-antivirus-programs-shows-microsoft-defender-has.html
Personally, I think AV-Test.org was being a bit generous and nice. My reasoning for that is Windows Defender is FAR more annoying than ANY other AV. It deletes things without asking first, STILL.
Eff Windows Defender...
Posted on Reply
#196
claylomax
Has it been fixed? Every time I boot my computer now Counter Control says Normal; before it would say Defender.
Posted on Reply
#197
AusWolf
claylomax: Has it been fixed? Every time I boot my computer now Counter Control says Normal; before it would say Defender.
Wait a couple of minutes after boot - Defender can take its time to kick in.
Posted on Reply
#198
claylomax
It's the same after two hours.
Can anybody check please?
Posted on Reply
#199
Mussels
Freshwater Moderator
lexluthermiester: I hate to link an external article, but it is a good example of why I just won't use it.
www.techspot.com/news/98634-examination-18-antivirus-programs-shows-microsoft-defender-has.html
Personally, I think AV-Test.org was being a bit generous and nice. My reasoning for that is Windows Defender is FAR more annoying than ANY other AV. It deletes things without asking first, STILL.
Eff Windows Defender...
Nah it doesn't delete - it quarantines them. You can do two clicks and get them back and excluded from future scans (It doesn't like a few of my router hacking tools, but it's also clear that they're "Hack Tools" and potentially unwanted)

When you compare the results instead of TechSpot's view on them, it's not quite what they make you think
Equal best protection, equal best usability, 5.0 of 6.0 for performance

The ones they recommend like Avast have constant popups peddling addons and upgrades, so I'm not sure how that's got better usability


Their forums had the best answer on this one (Still an issue now, older post was just the funniest and first hit)
Posted on Reply
#200
Veseleil
"Completely remove the software and all associated files, folders, and registry items." the best solution indeed.
Posted on Reply