
Windows Defender can Significantly Impact Intel CPU Performance, We have the Fix

I am not sure what version of Windows was being used or what updates were installed. The last person to contact me about this issue was not that long ago.

Interestingly, as far as random conjecture goes. I ran your tool 2-3 weeks ago before Christmas just to see if my machine was affected as I only had defender on it and it never once stole the show. /shrug
 
Maybe it's still present in a limited number of PCs? Perhaps it's a specific configuration dependent thing?
 
I just had a look through my private messages and found this one from Dec 22.

I built a computer with an i5-13600K running Windows 11 23H2 and I’ve encountered the bug where a few minutes after starting windows, the anti malware service will start using 2% of my CPU when running benchmarks like Cinebench, lowering my scores by nearly 4%. Counter Control does resolve this performance loss.

The 2% performance hit is not accurate because the performance monitoring timers are being manipulated by Windows Defender when this problem happens.
 
Hi,
You know what else kicks in after startup
Windows checking for updates even set on manual
Disabled doesn't stick
I have my wifi off or set not to auto connect
Every startup I have to stop updates service and switch back to disabled before connecting wifi lol
If I forget just opening settings page you can see ms boasting that it checked for updates.
Pure freaking evil.

Hell it checks even when still set on disabled lol
 
That depends. You have to disable several services to truly disable autoupdates and facilitate manual update applications.
Hi,
I ran @W1zzard's turn off or remove Windows Update script and this is what's happening lol
Think I ran the restore manual updating so that could be why it's acting like this.

I'll do it again without the restore manual and see what happens tomorrow...
Code:
rem Stop and delete Windows Update Medic Service (it re-enables Windows Update)
net stop WaasMedicSvc
takeown /f %SYSTEMROOT%\System32\WaaSMedicSvc.dll
cacls %SYSTEMROOT%\System32\WaaSMedicSvc.dll /e /p "Administrator":f
del %SYSTEMROOT%\System32\WaaSMedicSvc.dll

rem Stop and disable Update Orchestrator Service
net stop UsoSvc
takeown /f %SYSTEMROOT%\System32\usosvc.dll
cacls %SYSTEMROOT%\System32\usosvc.dll /e /p "Administrator":f
ren %SYSTEMROOT%\System32\usosvc.dll usosvc.dll.disabled

rem Stop and disable Windows Update Service
net stop wuauserv
takeown /f %SYSTEMROOT%\System32\wuaueng.dll
cacls %SYSTEMROOT%\System32\wuaueng.dll /e /p "Administrator":f
ren %SYSTEMROOT%\System32\wuaueng.dll wuaueng.dll.disabled
takeown /f %SYSTEMROOT%\System32\wuauserv.dll
cacls %SYSTEMROOT%\System32\wuauserv.dll /e /p "Administrator":f
ren %SYSTEMROOT%\System32\wuauserv.dll wuauserv.dll.disabled

rem Remove scheduled tasks
PowerShell "(New-Object System.Net.WebClient).DownloadFile('https://www.poweradmin.com/paexec/paexec.exe','%TEMP%\paexec.exe');"
for /f "delims=" %f in ('dir /b %WINDIR%\System32\Tasks\Microsoft\Windows\WaaSMedic') do %TEMP%\paexec -i -s schtasks /delete /f /tn "Microsoft\Windows\WaaSMedic\%f"
rmdir %WINDIR%\System32\Tasks\Microsoft\Windows\WaaSMedic
copy NUL %WINDIR%\System32\Tasks\Microsoft\Windows\WaaSMedic

for /f "delims=" %f in ('dir /b %WINDIR%\System32\Tasks\Microsoft\Windows\UpdateOrchestrator') do %TEMP%\paexec -i -s schtasks /delete /f /tn "Microsoft\Windows\UpdateOrchestrator\%f"
rmdir %WINDIR%\System32\Tasks\Microsoft\Windows\UpdateOrchestrator
copy NUL %WINDIR%\System32\Tasks\Microsoft\Windows\UpdateOrchestrator

for /f "delims=" %f in ('dir /b %WINDIR%\System32\Tasks\Microsoft\Windows\WindowsUpdate') do %TEMP%\paexec -i -s schtasks /delete /f /tn "Microsoft\Windows\WindowsUpdate\%f"
rmdir %WINDIR%\System32\Tasks\Microsoft\Windows\WindowsUpdate
copy NUL %WINDIR%\System32\Tasks\Microsoft\Windows\WindowsUpdate

del %TEMP%\paexec.exe
 
Something that script is missing is the WaaS and the Update protection services. Those also need to be forcibly disabled to set the updates to full manual.
 
You got the code until W1zzard passes by?
 
There is no scriptable "code", at least that I know of. Those two services are "protected" and you have to deep dive the registry to control them. AFAIK, this can not be avoided.

EDIT:
Ok, just did a fresh install so I could get into the nitty-gritty of it to remind myself, and the services that need disabling that were not included in your above post are BITS (Background Intelligent Transfer Service) and both of the Web Threat Defense services (one will be a unique User instance).

You have to disable Windows Defender Tamper Protection and all protection before making any of these changes. Otherwise Defender will just change them back. Running that script does not prevent Defender or the OS itself from turning things back on unless you specifically disable them and lock the system out of making changes in the registry.
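
A read-only way to check where a machine stands after the script and the manual changes described in the posts above, as an added example (not from any poster in this thread and not W1zzard's code): it reports the DLLs, scheduled-task folders, services and Defender settings those posts mention. The check names and output layout are this example's own, and it assumes an elevated 64-bit PowerShell 5 or later.

```powershell
# Added example: read-only audit of the state the thread's script and replies change.
# Paths and service names come from the posts; check names and layout are this example's own.
$sys32    = Join-Path $env:SystemRoot 'System32'
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Check, $Item, $State) {
    $findings.Add([pscustomobject]@{ Check = $Check; Item = $Item; State = "$State" })
}

# 1. Service DLLs the script deletes or renames to <name>.disabled.
#    'missing' alone is not proof of tampering; compare against a known-good build.
foreach ($dll in 'WaaSMedicSvc.dll', 'usosvc.dll', 'wuaueng.dll', 'wuauserv.dll') {
    $path  = Join-Path $sys32 $dll
    $state = 'missing'
    if (Test-Path -LiteralPath $path)            { $state = 'present' }
    if (Test-Path -LiteralPath "$path.disabled") { $state = 'renamed to .disabled' }
    Add-Finding 'ServiceDll' $dll $state
}

# 2. Task folders: the script runs rmdir and then "copy NUL" onto the same path,
#    which leaves an empty file where the folder used to be.
foreach ($name in 'WaaSMedic', 'UpdateOrchestrator', 'WindowsUpdate') {
    $path  = Join-Path $sys32 "Tasks\Microsoft\Windows\$name"
    $state = 'missing'
    if (Test-Path -LiteralPath $path -PathType Container) { $state = 'folder' }
    if (Test-Path -LiteralPath $path -PathType Leaf)      { $state = 'replaced by a file' }
    Add-Finding 'TaskFolder' $name $state
}

# 3. Start type and status of the services named in the posts.
$services  = @(Get-Service -Name 'WaaSMedicSvc', 'UsoSvc', 'wuauserv', 'BITS' -ErrorAction SilentlyContinue)
$services += @(Get-Service -DisplayName 'Web Threat Defense*' -ErrorAction SilentlyContinue)
foreach ($svc in $services) {
    Add-Finding 'Service' $svc.Name "$($svc.StartType) / $($svc.Status)"
}

# 4. Defender settings the last post says must be off before the changes persist.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    Add-Finding 'Defender' 'IsTamperProtected'         $mp.IsTamperProtected
    Add-Finding 'Defender' 'RealTimeProtectionEnabled' $mp.RealTimeProtectionEnabled
} catch {
    Add-Finding 'Defender' 'Get-MpComputerStatus' 'unavailable'
}

$findings | Format-Table -AutoSize
```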
 
Hi,
Good info
WaaS... is showing running but error 2 as well might have something to do with W1zzard's script?
I can stop the service but can't switch it to disabled and just stopping it just repeats a few minutes later it's running again.

On a good note updates is still disabled after running the script again without restoring manual updating :cool:
But it's still early so updates will probably turn back on again.
 
That description read error exists even on a fresh default install, so W1zzard's script is not involved there. I'm still looking at the situation, Microsoft has made a few changes in 23H2. Nothing drastic but things are doable.
 
Hi,
Says last checked 7 hours ago and still shows disabled at 3:25pm lol
Damn that's only about 1.5 hours after startup it checked :/
That's messed up.
 
Hi,
You know what else kicks in after startup
Windows checking for updates even set on manual
Disabled doesn't stick
I have my wifi off or set not to auto connect
Every startup I have to stop updates service and switch back to disabled before connecting wifi lol
If I forget just opening settings page you can see ms boasting that it checked for updates.
Pure freaking evil.

Hell it checks even when still set on disabled lol
That's not how it works here - just set that network as metered and you'll have no issues.
 
I just checked on my 11700 after watching a film. Everything seems to be working as intended. MS really patched this, it seems. :)
 
Hi,
Good info
WaaS... is showing running but error 2 as well might have something to do with W1zzard's script?
I can stop the service but can't switch it to disabled and just stopping it just repeats a few minutes later it's running again.

On a good note updates is still disabled after running the script again without restoring manual updating :cool:
But it's still early so updates will probably turn back on again.
I have that same error in service name and never ran any scripts, Defender running normal.

Little update, I honestly forgot about this thread as I posted when I first tried it on my 12600k in Win10. It seems it was not an issue but now I couldn't find why new install of Win11 CPU-Z was slower than my notes in Win10.
Today I tried this and seems Defender 0x222 comes up and it was causing slightly lower scores.
I am on the latest Win11 23H2, 22631.3007.
 
This should not be happening on the latest Windows 11 version if Microsoft actually patched this. I do not know why this problem is still showing up but only on some computers and not others.

Cinebench is a good benchmark that will show the loss of performance when Defender is busy doing something in the background. My 10850K drops about 1000 points in Cinebench R23 when Counter Control shows that the timers have been set to 0x222.
 
Here is a 5-run test after a fresh reboot. I will try CB2x and see, but in the CPU-Z MT you can see 2%. Also, while the ST is not showing it there, I normally never see 800 in an ST run and now do, even if it ends a tiny bit below when finished.
Edit: here are the results of CPU-Z, CB20/23.

Defender counters on. 0x222
ST= 796, 796, 793, 797, 795
MT= 7356, 7408, 7408, 7412, 7407
CB20= 6870, 6886, 6870
CB23= 17924, 18275, 18272

Defender counters off. 0x330
ST= 796, 797, 797, 799, 800
MT= 7564, 7559, 7552, 7540, 7554
CB20= 7077, 7091, 7088
CB23= 18579, 18591, 18545

PS: I noticed you can't run the tests from popular BenchMate app as it sets counters to "not used" 0x000 as soon as you run CB2x. You have to go into folder and run CB2x directly, no launcher.
Anyway, it is showing "Defender" 0x222 after a few mins on a fresh boot.
 
Try to lean away from Benchmark "Apps" from the app store. Install and use normal benchmarks as you will get more reliable results.
I have them in both ways, BenchMate is handy way.
This is it.
 
That is typically what happens. That is why I believe that whatever Windows Defender is doing, it cannot be that important. If it was busy doing some real time defending of your computer, why is it not running this part of its algorithm immediately when you start up your computer?

@Ed_1
Thanks for doing some testing. It makes sense that there is zero difference in single threaded performance. If Defender is keeping one core busy, your CPU still has plenty of other cores available to run a single threaded benchmark at full speed.

The hit to multi threaded performance seems to be less on your computer compared to on my 10850K. If this Defender background task is being scheduled on one of the slower E cores, the loss of performance might not be as noticeable.

Interesting that BenchMate resets all of the performance monitoring timers but does not actually use any of them. There could be some other program that is running on many users' computers that is doing the same thing. That is the only way I can explain why this problem is still happening but only on some computers and not on all computers.

Perhaps some of us have accidentally opted in or have been chosen to run some unnecessary Windows Defender code in the background.
 
Hi, I've been testing some more and the Defender mode is always on so far (it's been 1/2 day); as mentioned, it goes on about 3 min in on a fresh boot.
The ST CPU-Z test is better with counters set to Normal - 0x330, my description above was not the best there. During the ST test I see 800 marks but sometimes it ends at 79x, while in Defender mode it never spikes to 800 and those scores above are better than normal, as I tested that mode first and generally scores go down a tiny bit the longer the system is running.

Also the results seem more consistent in Normal - 0x330, plus I do see effective clocks lower like you do. My all-core clocks of 4700 MHz show around mid 46xx in Defender mode - 0x222.

To give an idea of the performance loss, it would probably take about a 100 MHz OC to compensate for the hit.
 