
ThrottleStop triggers Defender on svchost process

Joined
Sep 23, 2021
Messages
11 (0.01/day)
Hi, I am observing a behaviour that I wasn't able to understand.
In the last month, while launching ThrottleStop everything seems fine, except that a Defender notification pops up. I attach an example here (not mine, since mine is not in English, but it is really similar: same temp files, same comments).

[Attached screenshot: 1738415072873.png]

I updated ThrottleStop and the issue is still there, it seems that only ThrottleStop triggers these messages, no other program until now.

I found others having this problem but I haven't found a solution.
Thank you
 

unclewebb

ThrottleStop & RealTemp Author
Joined
Jun 1, 2008
Messages
8,124 (1.33/day)
only ThrottleStop triggers these messages
My laptop is running Windows 11 23H2 Home. I use Microsoft Defender and ThrottleStop. I never get any warnings like that. Are you the Administrator of your computer or are you using a work computer? Are you using Windows 11 Pro? Are you using an account with Administrator privileges?

Some computers are set up so the signed driver that ThrottleStop uses is blocked and cannot be installed into Windows. If ThrottleStop cannot create and use that driver then ThrottleStop will not be able to work.

There is nothing I can do about this. If you want an extra safe computer then you will not be able to run ThrottleStop. If you really need to run ThrottleStop then you will have to make an exception in Microsoft Defender so it does not complain.

 
Joined
Sep 23, 2021
Messages
11 (0.01/day)
I am admin of my PC, Win10 Pro 22H2. Nothing apparently changed. Some time ago I disabled every Windows update except Defender, and it is not in "super paranoia secure mode"; it is just normal real-time protection, standard settings I would say.

ThrottleStop was even added as an exception before this warning. Suddenly, it came up every time I open ThrottleStop, complaining about svchost, and that was a bit strange.
I suppose it is a recent defender update, or something.

By the way, if it happens only on mine and you don't think it needs to be investigated, I don't want to bother you anymore and I will try to solve it myself. If I find a solution or at least a workaround, I will post it here, hoping to help someone else who has the same problem.

Thank you
 

unclewebb

ThrottleStop & RealTemp Author
Joined
Jun 1, 2008
Messages
8,124 (1.33/day)
you don't think it needs to be investigated
I do not know how to fix or investigate this problem any further. If Microsoft Defender has determined that ThrottleStop is a dangerous program, there is nothing I can think of to solve that problem.

I suppose it is a recent defender update
That would be my guess. It is a bit odd that I have not seen this warning on either of my computers running Windows 10 Pro and Windows 11. That might be because I do not install updates as often as Microsoft tries to force feed them to me.

complaining about svchost
That is the weird part. ThrottleStop does not contain any code that directly accesses svchost. When I do a Google search for ThrottleStop svchost, the only info I find is this thread and the problem you are having. With a million downloads a year, I would expect to see a lot more talk about this issue if Defender was preventing everyone from running ThrottleStop.

Try running GPU-Z. It uses a similar driver to ThrottleStop. Does GPU-Z trigger any svchost warnings?

I don't want to bother you anymore and I will try to solve it myself.
It is no bother at all. I am glad you told me about this. I have literally thought about this kind of issue for the last 10 years. At any time, if Microsoft or any antivirus program wants to block ThrottleStop, they can do that and there is nothing I can do about it. Let me know if you ever find a solution.
 
Joined
Sep 23, 2021
Messages
11 (0.01/day)
I checked Event Viewer and noticed that ASR-related events (ID1121) started appearing only in November 2024. Interestingly, I haven’t seen any notifications until this month.

After some research, it seems initially linked to the Windows update KB5048239, but I haven’t installed this update. I suspect something related might have been pushed through Defender definitions, though I can’t confirm this for sure.

Regarding the ASR rule in question, as you mentioned, it’s 56a863a9-875e-4185-98a7-b882c64b5ce5, related to vulnerable signed drivers. Disabling this rule solves the issue, or alternatively, temporarily disabling real-time protection works as well.
Here is some info about all this.

In Event Viewer, the error points to "C:\Users\...\AppData\Local\Temp\GPU-Z-v2.sys" instead of svchost.exe, and the command line references the GPU-Z executable, unlike the one triggered by ThrottleStop (svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc).
I’ve seen other reports involving svchost.exe and Defender (like the screenshot above), but none specifically related to ThrottleStop. Since you could clarify (as you did) whether TS uses svchost.exe in this way, I decided to share this. The difference between the two programs remains unclear to me.

Without messing around too much with ASR rules and following this, I made some changes to the registry:
  1. Registry Path:
    Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine
    • If this path doesn’t exist, you’re likely unaffected.
    • In my case, I found two values:
      • MpBafsExtendedTimeout
      • MpCloudBlockLevel (set to 6, seemingly the cause of the issue)
  2. Adjustment:
    I gradually reduced MpCloudBlockLevel
    • ThrottleStop: starts without triggering Defender with the value 3
    • GPU-Z: Even with the value set to 0, the block still occurs and GPU-Z could not start since the driver was not loaded (an error appears). However, adding the GPU-Z executable to Defender’s exclusions allows the driver to load and the app to run (apparently without any problems), despite the persistent Defender block notification
I suspect the different behavior is because ThrottleStop interacts via svchost.exe (at least according to Defender), while GPU-Z doesn’t.

Lastly, I’ve never manually tweaked Defender settings, so I’m unsure why these registry keys exist on this machine. Some suggest deleting them, which apparently resolves the issue—I might try that eventually.

Hopefully, this info could be useful to you, unclewebb, and others. If not, at least it was fun digging into the issue, even if there’s still something else to uncover - especially about the differences between TS and GPU-Z.
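
A read-only check of the three things the post above looks at (the MpEngine policy values, the state of the ASR rule, and the ID 1121 events), as an added example that is not part of the original post. It assumes an elevated PowerShell prompt on a machine with Microsoft Defender; the event field names `Path` and `Process Name` are an assumption about the 1121 event layout.

```powershell
# Added example: read-only audit, changes nothing on the machine.
$RuleId     = '56a863a9-875e-4185-98a7-b882c64b5ce5'   # ASR rule ID quoted in the post
$MpEngine   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine'
$AsrActions = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# 1. Policy values under MpEngine (the key is absent on machines without this policy).
if (Test-Path $MpEngine) {
    $values = Get-ItemProperty -Path $MpEngine
    foreach ($name in 'MpCloudBlockLevel', 'MpBafsExtendedTimeout') {
        $v = $values.$name
        '{0,-22} {1}' -f $name, $(if ($null -ne $v) { $v } else { '(not set)' })
    }
} else {
    'MpEngine policy key not present'
}

# 2. State of the vulnerable-signed-driver ASR rule as Defender reports it.
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$idx = -1
for ($i = 0; $i -lt $ids.Count; $i++) { if ($ids[$i] -ieq $RuleId) { $idx = $i } }
if ($idx -ge 0) {
    $a = [int]$actions[$idx]
    "ASR rule $RuleId : $($AsrActions[$a]) ($a)"
} else {
    "ASR rule $RuleId : not listed in Get-MpPreference"
}

# 3. ID 1121 events for that rule, oldest first, to see when the blocks began
#    and which file and process each one names.
$filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121 }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.ToXml() -match $RuleId } |
    Sort-Object TimeCreated |
    ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Path    = $data['Path']            # assumed field name
            Process = $data['Process Name']    # assumed field name
        }
    } | Format-Table -AutoSize
```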
 

unclewebb

ThrottleStop & RealTemp Author
Joined
Jun 1, 2008
Messages
8,124 (1.33/day)
Knowing exactly why ThrottleStop or GPU-Z are being blocked by Windows Defender is good to know.

Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine
  • If this path doesn’t exist, you’re likely unaffected.
I checked my desktop that is running Windows 10 and my laptop that is running Windows 11. Neither computer has the MpEngine folder in the registry. That explains why I have not had any issues with ThrottleStop being blocked. At least not yet. If it ever does happen, now I know what I need to do.

Thanks @Toan for your thorough investigation of Windows Defender.
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
28,171 (3.72/day)
Processor Ryzen 7 5700X
Memory 48 GB
Video Card(s) RTX 4080
Storage 2x HDD RAID 1, 3x M.2 NVMe
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 10 64-bit
GPU-Z could not start since the driver was not loaded
What's the error message? Permission denied or insufficient resources?
 
Joined
Sep 23, 2021
Messages
11 (0.01/day)
The error message is "Could not start driver: Access is denied", as in this post. Interestingly, it seems to have started around the same time.
 