Monday, June 27th 2022
Windows Defender can Significantly Impact Intel CPU Performance, We have the Fix
Kevin Glynn, aka "Uncle Webb," our associate software author behind popular utilities such as ThrottleStop and RealTemp, developed a new utility named Counter Control, which lets you monitor and log the performance counters of Intel Core processors since 2008 (Core "Nehalem"). During development for ThrottleStop, Kevin discovered a fascinating bug with Windows Defender, the built-in security software of Windows, which causes a significantly higher performance impact on the processor than it should normally have. Of course, security software is bound to have some (small) performance impact during real-time protection, but this is much bigger.
The first sign that something is happening is that HWiNFO will report a reduced "Effective Clock" speed when the CPU is fully loaded. A much bigger problem is that when Defender is affected by the bug, the performance of your machine will be significantly reduced. For example, a Core i9-10850K running at 5.00 GHz all-core loses 1000 Cinebench points (or 6%). Such a performance loss has been reported by owners of Intel Core 8th, 9th, 10th and 11th Gen, both desktop and mobile CPUs, on both Windows 10 and Windows 11. AMD processors are not affected.
The underlying issue that costs so much performance is that Windows Defender will randomly start using all seven hardware performance counters provided by Intel Core processors, which includes three fixed function counters. Each of these counters can be programmed in one of four modes, to configure at which privilege level it counts—Disabled, OS (ring-0), User (ring>0), and All-Ring levels. Since these counters are a shared resource, it is possible that multiple programs want to access these counters at the same time.
Popular system utilities like HWiNFO, OCCT, Core Temp, and ThrottleStop all set these counters to "mode 3" or "All-Ring Levels." Since they all set the same mode, there are no issues with multiple programs using the same counter. Windows Defender, on the other hand, will set these counters to "mode 2" at what looks like random intervals, for random durations of time. This can happen when a computer first boots up or at any time after that. While Windows Defender is running in the background, it can start and stop or continuously try to change these counters to mode 2 at any time. Just to clarify, the performance loss will happen even without any monitoring software running—Defender will still use excessive CPU time.
The issue is not with the Intel hardware, as setting the same timers as Windows Defender manually has no negative performance impact. Also, if these counters are manually overwritten, Defender detects that, immediately stops whatever it is doing and performance returns to normal—without any negative effect on the ability to detect viruses in real-time.
Our Counter Control software monitors and logs the "IA32_FIXED_CTR_CTRL" register of Intel Core processors, located at MSR 0x38D. This register provides access to the three fixed-function performance monitoring counters mentioned before. Counter Control will inform users if any software is using the Intel fixed-function counters, and for how long they've been in use. Typical values reported by Counter Control look like this:
- Not Used - 0x000: The three fixed function counters are stopped. None of the counters are presently being used.
- Defender - 0x222: All three fixed function counters are programmed to mode 2. This is the value that Windows Defender sets these counters to when it is using them.
- Normal - 0x330: Two counters are programmed to mode 3. One counter is programmed to mode 0 and is not being used. This is normal. Most monitoring programs that use these counters will program the counter control register to this value.
- Warning - 0x332: This is shown when two counters are being used normally by monitoring software while the third counter has been set to mode 2, likely by Windows Defender. This is a warning that two different programs might be fighting over control of the shared counters. You might see the counter control register constantly changing between 0x222 and 0x332. This is what you will see when running HWiNFO if Windows Defender is trying to use the IA32_FIXED function counters at the same time.
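The decoding behind the values listed above, as an added example (not code from Counter Control or from the article). It assumes the IA32_FIXED_CTR_CTRL layout (MSR 0x38D) of one 4-bit field per fixed counter with the mode in the low two bits, which matches the listed values. The function names, the "Other" label, and treating any mix of mode 2 and mode 3 as "Warning" are assumptions of this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Each fixed counter owns a 4-bit field; its low two bits select the mode:
   0 = disabled, 1 = OS (ring 0), 2 = User (ring > 0), 3 = all rings. */
static unsigned fixed_ctr_mode(uint64_t ctrl, unsigned counter) {
    return (unsigned)((ctrl >> (4 * counter)) & 0x3);
}

/* Label one register sample using the article's four categories. */
const char *classify(uint64_t ctrl) {
    unsigned used = 0, mode2 = 0, mode3 = 0;
    for (unsigned i = 0; i < 3; i++) {
        unsigned m = fixed_ctr_mode(ctrl, i);
        used += (m != 0);
        mode2 += (m == 2);
        mode3 += (m == 3);
    }
    if (used == 0) return "Not Used";
    if (mode2 == 3) return "Defender";
    if (mode2 > 0 && mode3 > 0) return "Warning"; /* mixed owners */
    if (mode3 == used) return "Normal";           /* only mode 3 in use */
    return "Other";                               /* not listed in the article */
}

/* Count flips between "Defender" and "Warning" in consecutive samples:
   the 0x222 <-> 0x332 pattern the article attributes to contention. */
int count_contention_flips(const uint64_t *samples, size_t n) {
    int flips = 0;
    for (size_t i = 1; i < n; i++) {
        const char *a = classify(samples[i - 1]), *b = classify(samples[i]);
        if ((!strcmp(a, "Defender") && !strcmp(b, "Warning")) ||
            (!strcmp(a, "Warning") && !strcmp(b, "Defender")))
            flips++;
    }
    return flips;
}

int main(void) {
    /* Constructed samples, not captured from a real machine. */
    const uint64_t samples[] = {0x000, 0x330, 0x332, 0x222, 0x332, 0x222, 0x330};
    size_t n = sizeof samples / sizeof samples[0];
    for (size_t i = 0; i < n; i++)
        printf("0x%03llx  %s\n", (unsigned long long)samples[i], classify(samples[i]));
    printf("contention flips: %d\n", count_contention_flips(samples, n));
    return 0;
}
```

Reading the register itself requires ring-0 access, which is why tools such as Counter Control do it through a driver; the sketch only interprets values that have already been logged.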
If "Windows Defender Boost" is not checked, the counter will be initially cleared. This stops the Windows Defender algorithm, but ThrottleStop will no longer try to keep one counter running while using ThrottleStop and it will not keep that one counter running after you exit ThrottleStop. This allows a person to use ThrottleStop without having to worry that ThrottleStop might be doing something to Windows Defender that it should not be doing. After ThrottleStop starts up, if that timer is not being used, after 10 minutes or so, Windows Defender will check that timer, see that it is not being used, and will be able to start its mysterious performance-eating algorithm again.
Let us know your experience in the comments of this article. It'll be interesting to see how widespread this issue is; we have confirmed (thread at TPU, thread at OCN) it to be happening on many systems in recent months. If we make enough noise, I'm sure Microsoft will look into why they need that many timers in Defender, why there's such a big performance hit, and fix it accordingly.
As always, let us know your thoughts and questions in the comments. Also let us know if you didn't understand certain technical details, so we can improve this writeup.
Counter Control is available as a free download in our downloads section.
257 Comments on Windows Defender can Significantly Impact Intel CPU Performance, We have the Fix
Technically, if you can determine that a file contains a virus that has already wiped some of the data/code in the file, you can't recover that. It's ok to just delete it. But first you'd have to determine that with a (very) high degree of confidence.
Googling this shows it to have been the default back in Windows 10 as well unless a group policy was set.
They'd never have gotten away with deleting false positives without a massive backlash
And then this:
So it may delete if it's a KNOWN virus, while PUPs and 'tools' are quarantined
Delete if known 100% to be malware, quarantine if it's in a grey area
(Where it'd be bad in a work/business environment, but a home user can over-ride if they did want it)
As an example, keygens and eth mining tools end up in that second category - they don't go overboard and delete a keygen just because it's for Microsoft products, for example.
I don't see how it's possible for any AV to NOT delete known viruses immediately... what else are you expecting?
I'm not seeing it change behaviour, it's consistent.
Confirmed known dangerous active viruses are instantly deleted, anything potentially wanted is quarantined - and you get a popup telling you and offering you a choice of what you want to do
You're talking about things without explaining what you even mean... I'm not seeing these changes. I showed a link from a few years back with Windows 10 showing it's the same as now in 11.
www.techpowerup.com/forums/threads/strange-throttling-on-desktop-12700k-fixed-with-throttlestop.310106/#post-5040961
If you have a 12th or 13th Gen CPU, try running the Counter Control program. Usually about 5 minutes after booting up, part of Windows Defender will start up doing something important.
I downloaded the software and started it and I can see that "BD PROCHOT", "SpeedStep" and "C1E" are enabled by default. I just want to get the performance boost for Windows Defender and keep everything else on the default settings and default behaviour like it would be without ThrottleStop. What settings would you recommend in this case, or should I not use ThrottleStop on a desktop at all?
Kind regards
Post some ThrottleStop screenshots if you need help.
- BD PROCHOT
- SpeedStep
- C1E
In your guide it says "On older CPUs (pre-Skylake), toggles the software-level governance of CPU clockspeeds". Does that mean this option has no effect at all in my case since I have a Skylake CPU?
The option BD PROCHOT sounds like it is not necessary on a desktop with a GPU & CPU that have good cooling. BUT if this is a default Windows feature that is enabled by default anyway, regardless of whether ThrottleStop was ever started or not, then I could also leave it on since it doesn't change the default behaviour of my computer, which is exactly what I want. Or is this a feature that comes with ThrottleStop? It sounds like a laptop feature, or is this a general Windows thing that also applies to desktops?
By default (without using ThrottleStop at all) my CPU clock is always changing between 0.80 and 4.00 GHz most of the time depending on what I am doing. Is this behaviour called "C1E" or is this something else that comes with ThrottleStop? The reason I'm asking is I am curious what changes the application exactly makes to my computer as soon as I start the app. Because all I want is the Windows Defender Boost and everything else should behave in the same way it would without using ThrottleStop. But since there are these 3 options that are enabled by default I thought they maybe change the default behaviour of my computer. Thanks in advance for the help.
Kind regards
Never hurts to keep WD in check.