Windows Defender is reportedly affecting the performance of Intel CPUs, but there's a fix
Kevin Glynn, the developer of popular tools like ThrottleStop and RealTemp, has discovered a bug in Windows Defender that causes it to consume more system resources than required. He has also released a new app that fixes this problem.
Windows Defender consumes more resources on Intel CPUs
Antivirus programs are constantly scanning your system for unusual activity to prevent malware from impacting your system. That's normal, and Windows Defender is no exception to this.
But there's more to it than meets the eye. A screenshot shared by Techpowerup shows that Defender used about 4% of the CPU while CineBench was running, and some benchmark comparisons resulted in a 6% loss because the antivirus was using excessive resources. It uses these for the Real-time Protection notifications.
Computer processors have special registers called hardware performance counters. Techpowerup's report mentions that Windows Defender uses all possible hardware performance counters, including the fixed function counters in Intel processors.
These counters can run in one of 4 possible modes, numbered 0 to 3 in the order listed:
- Disabled
- OS (ring-0)
- User (ring >0)
- All-Ring levels
Windows Defender sets these counters to mode 2 at random intervals for an unspecified amount of time. This can happen anytime, at startup or during normal usage. The problem is that this starts chewing up CPU time, which leaves fewer resources for other programs.
Interestingly, AMD CPUs are not affected by this issue.
These performance counters are set to mode 3, or All-Ring levels, when you run system monitoring tools such as ThrottleStop or HWiNFO, to name a few. When Windows Defender detects a change in the counter, it will not reset it, which also ensures your computer runs at maximum efficiency.
Now, you can't have system tools running all the time. So, how do we fix this issue?
Counter Control and ThrottleStop 9.5
Say hello to a new app called Counter Control. This application, also made by Glynn, fixes the performance impact of Windows Defender. How does it do that? It monitors and logs the IA32_FIXED_CTR_CTRL register located at MSR 0x38D. It not only reports whether Defender is impacting your system's performance, but also provides a way to set the counter to mode 3. The best part is that this does not affect the antivirus capabilities of Windows Defender, so your computer's security is not compromised.
How can I check if my Intel computer is affected?
Download Counter Control and run it; it's portable software. The utility supports most Intel CPUs that have been released since 2008.
If you see the code 0x222 in the app's GUI, it means that Windows Defender is using up CPU cycles needlessly to gain control of the counter. Here is a screenshot that I took that highlights the status.
Click the Reset Counters button in the app, and the code will change to 0x330, which indicates that everything is normal. That's it.
Do I need to run Counter Control every time I start my computer? Yes, you will need to run it and click on Reset Counters when your PC restarts. This is necessary since Windows Defender randomly starts using up the counters.
Alternatively, you can use ThrottleStop 9.5 to fix the performance issue. The latest update for the popular undervolting app introduces a new feature called Windows Defender Boost. Enable this option, and run the app when you start the computer. This is essentially the same as using Counter Control, but if you're already using ThrottleStop to undervolt your laptop, then this saves you an additional click.
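IA32_FIXED_CTR_CTRL packs one 4-bit control field per fixed-function counter (layout per Intel's Software Developer's Manual), so the codes quoted on this page can be decoded by hand. The decoder below is an added example, not code from Counter Control or the article; the function names are hypothetical, it assumes the displayed codes are raw register values, and the sample inputs are the codes from the article and its reader comments.

```python
# Added example: decode IA32_FIXED_CTR_CTRL (MSR 0x38D) values.
# Field layout per Intel's SDM: one 4-bit field per fixed-function counter.
# Assumption: the codes shown in the app are raw values of this register.

MSR_IA32_FIXED_CTR_CTRL = 0x38D

# Two-bit enable field; numbering matches the article's "mode 2" / "mode 3".
MODES = {0: "Disabled", 1: "OS (ring 0)", 2: "User (ring >0)", 3: "All rings"}


def decode_fixed_ctr_ctrl(value, counters=3):
    """Return one dict per fixed counter describing its control field."""
    fields = []
    for i in range(counters):
        nibble = (value >> (4 * i)) & 0xF
        fields.append({
            "counter": i,
            "mode": nibble & 0x3,               # bits 0-1: ring-level enable
            "any_thread": bool(nibble & 0x4),   # bit 2: count on any thread
            "pmi": bool(nibble & 0x8),          # bit 3: interrupt on overflow
        })
    return fields


def all_user_only(value, counters=3):
    """True when every fixed counter is in mode 2 (the 0x222 pattern)."""
    return all(f["mode"] == 2 for f in decode_fixed_ctr_ctrl(value, counters))


def describe(value):
    """Human-readable summary of a register value."""
    parts = []
    for f in decode_fixed_ctr_ctrl(value):
        flags = [n for n in ("any_thread", "pmi") if f[n]]
        suffix = f" [{', '.join(flags)}]" if flags else ""
        parts.append(f"ctr{f['counter']}: {MODES[f['mode']]}{suffix}")
    return f"0x{value:03X} -> " + "; ".join(parts)


if __name__ == "__main__":
    # Sample values are the codes quoted in the article and its comments.
    for code in (0x222, 0x330, 0x000, 0xBBB):
        note = "  <- all counters user-only" if all_user_only(code) else ""
        print(describe(code) + note)
```

Reading the live register requires ring-0 access through a kernel driver, so this example only decodes values that a tool has already reported.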
Thank You Very Very Much For This Info…! ;)
I’m an IT admin in a company with almost 2,5k devices placed across the world and I can honestly say that Defender does really good work.
Yes, it consumes a lot of resources sometimes (mostly when executables come from outside the domain network or a process is being initiated remotely) but
a) only until it finishes ensuring that incoming data is safe, then it uses a minimal amount of CPU in the background monitor.
b) It’s better to wait longer for every installation, deployment or sync than to expose sensitive data in public or be forced to pay millions of $ for your data decryption
It’s also in Microsoft’s interest to provide the best performance for their customers, but they’re also responsible for providing the same quality of protection too. Defender helps keep all our devices and cloud-stored data safe all the time through a wide range of automation possibilities, including automatic threat remediation, isolating corrupted user accounts and devices, and more.
You just simply don’t know what it actually does until you’re able to see the “back-end”, well, in the case of the Enterprise solution at least.
My home laptop shows Unknown 0xBBB. The Reset Counters seems to do nothing. Any thoughts on why? It’s a sixth generation Core i5-6200U.
If it says: “Not Used” + 0x000.
Can I then ignore this or do I have to click “Reset Counters” (then “Normal” + 0x330 appears)? I think I see a very slight difference, but that can be wishful seeing.
Thanks for any motivated advice.
If it’s “Not Used 0x000” then you are not affected by this bug. It only affects Intel CPUs from 8 – 11th gen.
What does the “Unknown”, “0xBBB” result mean?
Thinkpad T430 i7
4% resources?? I remember when an Anti-virus program would literally bring some PCs to a standstill while it worked in background.
I agree — what’s 4%? I too remember when programs would take up way more than 4%. 4%? I have way more things to be concerned about than an antivirus that only uses 4% of resources — please!
Avira used to be great. Even its free edition was either on par or ahead of paid alternatives when it comes to detection rate. But it recently “innovated” its UI and now comes with loads of crapware.
Let’s not forget that they’ve recently been acquired by Norton/Symantec…
I use Kaspersky and AMD. Never bothered with Defender. Kaspersky improved a lot on system usage.
This is great, thanks. Tried Counter Control and then updated ThrottleStop since I already use it on my laptop. I may need to set up Counter Control on some of the computers at work, hmm…
It’s a feature. You’re using your computer wrong. Your processor is not compatible with Defender. This only affects computers that do not use a Microsoft account. Our product is perfect, your computer is ours, you agreed to the EULA. Shut up, peasant.
I switched to Bitdefender Free months ago precisely because of this, background CPU usage + high spikes with Defender that were noticeable that I don’t get using Bitdefender. Turns out it wasn’t just me having issues with it then.
Not surprising. Windows Defender is the first thing I rip out of all my Windows 7 and 10 installs. Useless waste of resources for tech-savvy users.
If Microsoft really cared, they’d probably fix this if you asked.
Why should anyone have to ask? Do Microsoft programmers use pen and paper instead of laptops?
There will be an executive reason Defender craves power. There is no need to change as long as a bulk of Windows users don’t bother installing an alternative. If it wasn’t for Kaspersky wanting me to remove a couple of programs…
I’ve thought long and hard about my antimalware tools, and I’ve settled for Sophos Home Premium. It’s a tad heavy on the resources, not the fastest of the bunch (though they’ve made great improvements to what used to be a massive CPU hog), but if it’s good enough for the biggest enterprises then it’s good enough for me. Windows Defender is simply not reliable enough.
If I remember correctly, AV Comparatives stated in its 2019 annual report that there was a single piece of third-party antivirus named “Sophos” that was so bad that even the users who don’t use any anti-virus (just preinstalled Defender) were more secure than users who used the paid Sophos. I hope the situation has changed now.
Not really, the 2019 reviews on AV-C actually place Sophos in a pretty decent place near the top. Do note that most antimalware reviewers generally review the Business/Enterprise versions of Sophos and not the Home version, so you should check out reviews in the Enterprise section instead.