Monday, June 27th 2022

Windows Defender can Significantly Impact Intel CPU Performance, We have the Fix

Kevin Glynn, aka "Uncle Webb," our associate software author behind popular utilities such as ThrottleStop and RealTemp, developed a new utility named Counter Control, which lets you monitor and log the performance counters of Intel Core processors released since 2008 (Core "Nehalem"). During development for ThrottleStop, Kevin discovered a fascinating bug in Windows Defender, the built-in security software of Windows, which causes a significantly higher performance impact on the processor than it should normally have. Of course, security software is bound to have some (small) performance impact during real-time protection, but this is much bigger.

The first sign that something is happening is that HWiNFO will be reporting a reduced "Effective Clock" speed when the CPU is fully loaded. A much bigger problem is that when Defender is affected by the bug, performance of your machine will be significantly reduced. For example, a Core i9-10850K running at 5.00 GHz all-core loses 1000 Cinebench points (or 6%). Such a performance loss has been reported by owners of Intel Core 8th, 9th, 10th and 11th Gen, both desktop and mobile CPUs, on both Windows 10 and Windows 11. AMD processors are not affected.

The underlying issue that costs so much performance is that Windows Defender will randomly start using all seven hardware performance counters provided by Intel Core processors, which include three fixed-function counters. Each of these counters can be programmed in one of four modes that configure the privilege level at which it counts: Disabled, OS (ring-0), User (ring>0), and All-Ring levels. Since these counters are a shared resource, it is possible that multiple programs want to access them at the same time.

Popular system utilities like HWiNFO, OCCT, Core Temp, and ThrottleStop all set these counters to "mode 3" or "All-Ring Levels." Since they all set the same mode, there are no issues with multiple programs using the same counter. Windows Defender, on the other hand, will set these counters to "mode 2" at what looks like random intervals, for random durations of time. This can happen when a computer first boots up or it can happen at any time after that. While Windows Defender is running in the background, it can start and stop or continuously try to change these counters to mode 2 at any time. Just to clarify, the performance loss will happen even without any monitoring software running; Defender will still use excessive CPU time.

The issue is not with the Intel hardware, as setting the same timers as Windows Defender manually has no negative performance impact. Also, if these counters are manually overwritten, Defender detects that, immediately stops whatever it is doing and performance returns to normal—without any negative effect on the ability to detect viruses in real-time.

Our Counter Control software monitors and logs the "IA32_FIXED_CTR_CTRL" register of Intel Core processors, located at MSR 0x38D. This register provides access to the three fixed-function performance monitoring counters mentioned before. Counter Control will inform users if any software is using the Intel fixed-function counters, and for how long they've been in use. Typical values reported by Counter Control look like this:
  • Not Used - 0x000: The three fixed function counters are stopped. None of the counters are presently being used.
  • Defender - 0x222: All three fixed function counters are programmed to mode 2. This is the value that Windows Defender sets these counters to when it is using them.
  • Normal - 0x330: Two counters are programmed to mode 3. One counter is programmed to mode 0 and is not being used. This is normal. Most monitoring programs that use these counters will program the counter control register to this value.
  • Warning - 0x332: This is shown when two counters are being used normally by monitoring software while the third counter has been set to mode 2, likely by Windows Defender. This is a warning that two different programs might be fighting over control of the shared counters. You might see the counter control register constantly changing between 0x222 and 0x332. This is what you will see when running HWiNFO if Windows Defender is trying to use the IA32_FIXED function counters at the same time.
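
How the four readouts above fall out of the register bits, as an added example (not Counter Control's code): it decodes the 2-bit mode of each fixed counter from its 4-bit field and summarizes a constructed series of readings. The names, the per-counter classification rule (a generalization of the four exact values) and the sample values are assumptions of this example; it does not read the MSR itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IA32_FIXED_CTR_CTRL (MSR 0x38D): each fixed counter owns a 4-bit field,
 * and the low two bits of that field select the privilege mode. */
enum mode  { M_OFF = 0, M_OS = 1, M_USER = 2, M_ALL = 3 };
enum state { ST_NOT_USED, ST_DEFENDER, ST_NORMAL, ST_WARNING, ST_OTHER };

static enum mode fixed_mode(uint64_t ctrl, unsigned counter)
{
    return (enum mode)((ctrl >> (4 * counter)) & 0x3);
}

/* Map a register value to the labels listed above. Counting modes per
 * counter (instead of comparing exact values) is this example's choice. */
static enum state classify(uint64_t ctrl)
{
    unsigned off = 0, user = 0, all = 0;
    for (unsigned i = 0; i < 3; i++) {
        enum mode m = fixed_mode(ctrl, i);
        off  += (m == M_OFF);
        user += (m == M_USER);
        all  += (m == M_ALL);
    }
    if (off == 3)                   return ST_NOT_USED;  /* 0x000 */
    if (user == 3)                  return ST_DEFENDER;  /* 0x222 */
    if (user > 0 && all > 0)        return ST_WARNING;   /* 0x332 */
    if (all > 0 && all + off == 3)  return ST_NORMAL;    /* 0x330 */
    return ST_OTHER;
}

struct sample  { unsigned t_sec; uint64_t ctrl; };
struct summary { unsigned defender_sec; unsigned flips; };

/* Walk timestamped readings: time spent with all counters in mode 2, and
 * how often the register flipped between the Defender and Warning states. */
static struct summary summarize(const struct sample *s, size_t n)
{
    struct summary out = { 0, 0 };
    for (size_t i = 1; i < n; i++) {
        enum state prev = classify(s[i - 1].ctrl), cur = classify(s[i].ctrl);
        if (prev == ST_DEFENDER)
            out.defender_sec += s[i].t_sec - s[i - 1].t_sec;
        if ((prev == ST_DEFENDER && cur == ST_WARNING) ||
            (prev == ST_WARNING && cur == ST_DEFENDER))
            out.flips++;
    }
    return out;
}

/* Constructed readings (not a real capture): seconds since boot, value. */
static const struct sample SAMPLES[] = {
    { 0, 0x000 }, { 300, 0x222 }, { 310, 0x332 },
    { 320, 0x222 }, { 330, 0x332 }, { 340, 0x330 },
};

int main(void)
{
    struct summary r = summarize(SAMPLES, sizeof SAMPLES / sizeof SAMPLES[0]);
    printf("defender-only: %u s, 0x222<->0x332 flips: %u\n",
           r.defender_sec, r.flips);
    return 0;
}
```
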
If your system seems affected, showing the "Defender" readout, then a quick fix is to click the "Reset Counters" button in Counter Control. Pressing the button reprograms one timer to mode 3, which Defender detects; Defender then stops doing its thing and performance is restored. Please verify with benchmarks.

There are two ways to mitigate this performance loss permanently. You could disable Windows Defender Real-time Monitoring, which is strongly discouraged due to the security implications; or you could use the latest version 9.5 of ThrottleStop, which has a feature in the "Options" window called "Windows Defender Boost." Ticking this ensures maximum performance and accurate Core Effective Clock monitoring in all applications whether Windows Defender real-time protection is enabled or not. To achieve that goal, ThrottleStop activates one of the programmable timers immediately. When Windows Defender detects that some user software is trying to use one of the programmable counters, it stops using all the counters and leaves them alone for as long as that counter stays enabled. This returns performance back to normal. The "Reset" button in Counter Control does the same, and gives people a way to activate only this mechanism, without having to start ThrottleStop.

Just to clarify, Windows Defender will continue to work fine. It can still detect and notify users of any viruses. Once started with the "Windows Defender Boost" option, ThrottleStop will leave the timer running in mode 3, even when closed. This means you can start ThrottleStop once at bootup, close it right afterward, and your system will be protected from the Defender performance issues.

If "Windows Defender Boost" is not checked, the counter will be initially cleared. This stops the Windows Defender algorithm, but ThrottleStop will no longer try to keep one counter running while you are using ThrottleStop, and it will not keep that one counter running after you exit ThrottleStop. This allows a person to use ThrottleStop without having to worry that ThrottleStop might be doing something to Windows Defender that it should not be doing. After ThrottleStop starts up, if that timer is not being used, after 10 minutes or so, Windows Defender will check that timer, see that it is not being used, and will be able to start its mysterious performance-eating algorithm again.

Let us know your experience in the comments of this article. It'll be interesting to see how widespread this issue is; we have confirmed (thread at TPU, thread at OCN) that it has been happening on many systems in recent months. If we make enough noise, I'm sure Microsoft will look into why they need that many timers in Defender, why there's such a big performance hit, and fix it accordingly.

As always, let us know your thoughts and questions in the comments. Also let us know if you didn't understand certain technical details, so we can improve this writeup.

Counter Control is available as a free download in our downloads section.

257 Comments on Windows Defender can Significantly Impact Intel CPU Performance, We have the Fix

#201
SomeOne99h
Mussels: Nah it doesn't delete - it quarantines them. You can do two clicks and get them back and excluded from future scans (It doesn't like a few of my router hacking tools, but it's also clear that they're "Hack Tools" and potentially unwanted)

When you compare the results instead of TechSpot's view on them, it's not quite what they make you think
Equal best protection, equal best usability, 5.0 of 6.0 for performance

The ones they recommend like Avast have constant popups peddling addons and upgrades, so I'm not sure how that's got better usability


Their forums had the best answer on this one (Still an issue now, older post was just the funniest and first hit)
With Avast, I do custom installation with only the needed components installed. I don't get any of those crapware that you mentioned. Then, I also set it to "Game Mode". With this setting, I don't get nagged. Works pretty well.
#202
bug
SomeOne99h: With Avast, I do custom installation with only the needed components installed. I don't get any of those crapware that you mentioned. Then, I also set it to "Game Mode". With this setting, I don't get nagged. Works pretty well.
That's just the thing, when you install the bare minimum, it nags you about some other stuff you "should" install. Complete with the usual "we have detected X on your system, but if you install Y from us, it will take care of it for you".
#203
lexluthermiester
Mussels: Nah it doesn't delete - it quarantines them.
Not that I've seen. The differences are in the edition of Windows being used. Home deletes without prompting. Pro handles things depending on user configuration.
#204
bug
lexluthermiester: Not that I've seen. The differences are in the edition of Windows being used. Home deletes without prompting. Pro handles things depending on user configuration.
Considering the target audience, that's probably the right thing to do. Annoying as hell for those of us that know how to use a computer.
#205
lexluthermiester
bug: Considering the target audience, that's probably the right thing to do.
Deleting files without gaining user consent is NEVER the right thing to do.
#206
bug
lexluthermiester: Deleting files without gaining user consent is NEVER the right thing to do.
I was just poking at users that just click "next", "next", "next" and then they're like "umm... I didn't do anything".

Technically, if you can determine that a file contains a virus that has already wiped some of the data/code in the file, you can't recover that. It's ok to just delete it. But first you'd have to determine that with a (very) high degree of confidence.
#207
R-T-B
bug: I was just poking at users that just click "next", "next", "next" and then they're like "umm... I didn't do anything".

Technically, if you can determine that a file contains a virus that has already wiped some of the data/code in the file, you can't recover that. It's ok to just delete it. But first you'd have to determine that with a (very) high degree of confidence.
Still as a tech always gain consent to do so, trust me. Right it may be, but you don't want an angry customer, even if it's an irrationally angry one.
#208
lexluthermiester
bug: I was just poking at users that just click "next", "next", "next" and then they're like "umm... I didn't do anything".
Ah, right. I see what you mean.
#209
Mussels
Freshwater Moderator
bug: That's just the thing, when you install the bare minimum, it nags you about some other stuff you "should" install. Complete with the usual "we have detected X on your system, but if you install Y from us, it will take care of it for you".
As someone else pointed out in those links/threads, it begins to spam you once it does scans, or detects certain types of activity. Can take a bit before it begins the nagging and it's extremely offputting.
lexluthermiester: Not that I've seen. The differences are in the edition of Windows being used. Home deletes without prompting. Pro handles things depending on user configuration.
I've never seen that - it moves them to quarantine to stop them being able to trash your PC while it waits for a user to click something, but it's never, ever deleted them outright.
Googling this shows it to have been the default back in Windows 10 as well unless a group policy was set.

They'd never have gotten away with deleting false positives without a massive backlash


And then this:



So it may delete if it's a KNOWN virus, while PUPs and 'tools' are quarantined
#210
lexluthermiester
Mussels: I've never seen that - it moves them to quarantine to stop them being able to trash your PC while it waits for a user to click something, but it's never, ever deleted them outright.
Googling this shows it to have been the default back in Windows 10 as well unless a group policy was set.

They'd never have gotten away with deleting false positives without a massive backlash


And then this:



So it may delete if it's a KNOWN virus, while PUPs and 'tools' are quarantined
See this is the problem with microsoft's nonsense, their variable policies cause so much uncertainty and confusion. This is a perfect example of why I don't bother messing with it at all. It gets deleted and replaced by something that works the way it's supposed to. I have better things to do with my time than to sort through microsoft's incompetent BS.
#211
Mussels
Freshwater Moderator
lexluthermiester: See this is the problem with microsoft's nonsense, their variable policies cause so much uncertainty and confusion. This is a perfect example of why I don't bother messing with it at all. It gets deleted and replaced by something that works the way it's supposed to. I have better things to do with my time than to sort through microsoft's incompetent BS.
I don't see how it's variable?

Delete if known 100% to be malware, quarantine if it's in a grey area
(Where it'd be bad in a work/business environment, but a home user can over-ride if they did want it)

As an example, keygens and eth mining tools end up in that second category - they don't go overboard and delete a keygen just because it's for Microsoft products, for example.

I don't see how it's possible for any AV to NOT delete known viruses immediately... what else are you expecting?
#212
lexluthermiester
Mussels: I don't see how it's variable?
How do you not? They change their minds more often than most people buy new pants. The decision makers at microsoft frequently go in circles on policies, sometimes as frequently as in-between updates.
Mussels: what else are you expecting?
USER PROMPTING and complete information WITHOUT the fear-tactic wording.
#213
Mussels
Freshwater Moderator
lexluthermiester: How do you not? They change their minds more often than most people buy new pants. The decision makers at microsoft frequently go in circles on policies, sometimes as frequently as in-between updates.


USER PROMPTING and complete information WITHOUT the fear-tactic wording.
As someone using the AV, I'm not getting that experience in the slightest.
I'm not seeing it change behaviour, it's consistent.

Confirmed known dangerous active viruses are instantly deleted, anything potentially wanted is quarantined - and you get a popup telling you and offering you a choice of what you want to do

You're talking about things without explaining what you even mean... I'm not seeing these changes. I showed a link from a few years back with Windows 10 showing it's the same as now in 11.
#214
lexluthermiester
Mussels: You're talking about things without explaining what you even mean... I'm not seeing these changes. I showed a link from a few years back with Windows 10 showing it's the same as now in 11.
You don't install and reinstall various versions and editions of Windows on a daily basis. I do. Try it sometime, you'll figure out what I'm talking about fairly quickly.
#215
bug
Mussels: Confirmed known dangerous active viruses are instantly deleted, anything potentially wanted is quarantined - and you get a popup telling you and offering you a choice of what you want to do
Both can't be true at the same time. I get what you mean, but poor wording ;)
#216
unclewebb
ThrottleStop & RealTemp Author
Not only has this issue not been fixed by Microsoft, the same reduced performance problem is happening on Intel's 12th Gen CPUs. When this issue first surfaced last year, Windows Defender was not running its secret and probably broken code on 12th Gen and newer Intel CPUs. Now it is.

www.techpowerup.com/forums/threads/strange-throttling-on-desktop-12700k-fixed-with-throttlestop.310106/#post-5040961

If you have a 12th or 13th Gen CPU, try running the Counter Control program. Usually about 5 minutes after booting up, part of Windows Defender will start up doing something important.
#217
Computerjul
unclewebb: Not only has this issue not been fixed by Microsoft, the same reduced performance problem is happening on Intel's 12th Gen CPUs. When this issue first surfaced last year, Windows Defender was not running its secret and probably broken code on 12th Gen and newer Intel CPUs. Now it is.

www.techpowerup.com/forums/threads/strange-throttling-on-desktop-12700k-fixed-with-throttlestop.310106/#post-5040961

If you have a 12th or 13th Gen CPU, try running the Counter Control program. Usually about 5 minutes after booting up, part of Windows Defender will start up doing something important.
Can I use ThrottleStop on a Desktop-PC? I do not have a laptop or notebook but I would like to have the performance boost for Windows Defender but I don't want to change anything else.

I downloaded the software and started it and I can see that "BD PROCHOT", "SpeedStep" and "C1E" are enabled by default. I just want to get the performance boost for Windows Defender and keep everything else on the default settings and default behaviour like it would be without ThrottleStop. What settings would you recommend in this case or should I not use ThrottleStop on a desktop at all?

Kind regards
#218
unclewebb
ThrottleStop & RealTemp Author
Computerjul: Can I use ThrottleStop on a Desktop-PC?
I use ThrottleStop on my desktop computer every day. As long as your computer has an Intel CPU that was released during the last 15 or so years, ThrottleStop should work fine. What CPU does your computer have?

Post some ThrottleStop screenshots if you need help.
#219
Computerjul
unclewebb: I use ThrottleStop on my desktop computer every day. As long as your computer has an Intel CPU that was released during the last 15 or so years, ThrottleStop should work fine. What CPU does your computer have?

Post some ThrottleStop screenshots if you need help.
Thank you. I have an Intel i7 6700k (Skylake) in my desktop. Yes, so I have a few questions regarding these 3 options that are enabled by default and my question is somewhat tricky to explain.

- BD PROCHOT
- SpeedStep
- C1E

In your guide it says "On older CPUs (pre-Skylake), toggles the software-level governance of CPU clockspeeds". Does that mean this option has no effect at all in my case since I have a Skylake CPU?

The option BD PROCHOT sounds like it is not necessary on a Desktop with a GPU & CPU that have good cooling. BUT if this is a default Windows feature that is enabled by default anyways, regardless of whether ThrottleStop was ever started or not, then I could also leave it on since it doesn't change the default behaviour of my computer which is exactly what I want. Or is this a feature that comes with ThrottleStop? It sounds like a laptop feature or is this a general Windows thing that also applies to desktops?

By default (without using ThrottleStop at all) my CPU clock is always changing between 0.80 and 4.00 GHz most of the time depending on what I am doing. Is this behaviour called "C1E" or is this something else that comes with ThrottleStop? The reason I'm asking is I am curious what changes the application exactly makes to my computer as soon as I start the app. Because all I want is the Windows Defender Boost and everything else should behave in the same way it would without using ThrottleStop. But since there are these 3 options that are enabled by default I thought they maybe change the default behaviour of my computer. Thanks in advance for the help.



Kind regards
#220
Upgrayedd
Was this ever officially addressed or is this fix still used?
#221
lexluthermiester
Upgrayedd: Was this ever officially addressed or is this fix still used?
If microsoft ever officially addressed it, they did so quietly. It seems to have been fixed so it's a non-issue currently as long as you're up to date.
#222
unclewebb
ThrottleStop & RealTemp Author
Upgrayedd: Was this ever officially addressed
This issue was not fixed. I have heard from users that have told me it also happens to the 12th Gen and newer processors. This issue was swept under the carpet.
#223
lexluthermiester
unclewebb: This issue was not fixed. I have heard from users that have told me it also happens to the 12th Gen and newer processors. This issue was swept under the carpet.
Are you sure? I have not seen it in recent system builds. Since about September, everything seems well. (You know me, I'm no microsoft defender LOL!)
#225
unclewebb
ThrottleStop & RealTemp Author
lexluthermiester: Are you sure?
I am not sure what version of Windows was being used or what updates were installed. The last person to contact me about this issue was not that long ago.