Woody Leonhard's no-bull news, tips and help for Windows, Office and more… Please disable your ad blocker – our (polite!) ads help keep AskWoody going!
Home icon Home icon Home icon Email icon RSS icon
  • Windows Defender High CPU Usage? Help!

    Posted on Schnarph Comment on the AskWoody Lounge

    Home Forums AskWoody support Windows Windows 10 Questions: Win10 Windows Defender High CPU Usage? Help!

    Topic Resolution: Resolved

    This topic contains 39 replies, has 9 voices, and was last updated by  MrJimPhelps 3 months, 3 weeks ago.

    • Author
      Posts
    • #209130 Reply

      Schnarph
      AskWoody Lounger

      If I open a non-Microsoft internet browser, Antimalware Service Executable (Defender) CPU usage jumps from the usual 0%-1% up to 21% and stays there or higher. My CPU Package temp jumps at least 15C so the fans all go up from 30% to 50%+ (custom fan curve). Just opening Firefox or Palemoon to a blank tab is enough. It only takes one browser open to do this, no other apps at all. It stays this way anywhere from 1 to 5 minutes after closing the browser. It seems fine with I.E. and Edge, go figure.

      While 21% isn’t all that high, even opening and closing a 4kb text document in Notepad feels like opening LotR trilogy. Basically I can’t run or have recently run anything that browses the web and expect to have anything else run smoothly. The system is a 8600k at 4.4ghz with a humongous air cooler, 16GB of 3200mhz ddr4, Windows 10-1709 running on a Samsung 970 M.2. This equates to one of six cores running at 100% and bleeding over to another, I can’t imagine running a dual core CPU with this problem.

      I have gone to Task Scheduler and changed the Defender scheduled scan to wait for idle 30 minutes before starting and stop when it ceases to be idle, as if that would help. I read about adding C:\ProgramData\Microsoft\Windows Defender folder to exclusions, but that didn’t change anything either. Tried turning cloud-delivered protection and automatic sample submission off too. It must be the real time protection, the only point in having AV, but this is overkill. I could add my 3rd party browser of choice to the exclusion list, but that is the most likely vector for a virus with my usage.

      Before I start trying 3rd party AV, are there any suggestions for putting a leash on Defender? In lieu of a curb for Defender, any suggestions for free 3rd party AV that doesn’t constantly eat 1/5 to 1/4 of my more than adequate CPU just to post a message like this?

      Suggestions, please, and thank you in advance. I don’t want to chose between Defender + I.E. /Edge or 3rd party browser + 3rd party AV.

      • This topic was modified 4 months, 2 weeks ago by  Schnarph. Reason: just browsers, really
      • This topic was modified 4 months, 2 weeks ago by  Schnarph.
    • #209141 Reply

      Kirsty
      AskWoody MVP

      How long have you noticed this problem?

      It looks like this possibly isn’t a new problem – check out some of the search engine results

      One goes to this reddit reply, which may possibly apply to your situation and be of help to you.

      There is also a very current report of some systems being hit by High CPU issues. It may resolve itself with the next update?

      1 user thanked author for this post.
      • #209153 Reply

        Schnarph
        AskWoody Lounger

        Thank you very much for looking into this problem. I cloned my ~50GB C drive (Windows) 2 weeks ago to a new drive but behavior started a few weeks before. I also checked around in my free time for a couple of days and found the exact same info and suggestions on a few sites, except for your third link on Tenforums. The behavior in that link is the same here, it’s mostly just Firefox or the Palemoon fork. However many other programs cause a brief spike when opened. I have tried every potential fix except for turning Defender off, which would obviously do the trick but defeats the point.

        It’s not just 21%-25% CPU usage, it slows down everything. I can transcode video with Handbrake which uses 98%+ CPU and still run other programs with ease. While running FF to type this, opening a blank txt file to paste this post takes 5 seconds, pasting takes a couple of seconds, and closing it takes over 10 seconds with “not responding” for the two.

        As for waiting for an update to fix this, I haven’t applied July updates yet since DEFCON 1 started. That Tenforums thread with the same symptoms links to others with the same problems that started in January so I’m not holding my breath for a fix from Microsoft. There are links going back for years but they’re mostly about full scans not related to using a single program. In the meantime I’m looking into 3rd party AV that is easy on CPU and network bandwidth, although that was supposed to be the advantage of Defender. :/

        • This reply was modified 4 months, 2 weeks ago by  Schnarph.
    • #209170 Reply

      Sueska
      AskWoody Lounger

      I am not sure if my recent experience will be helpful or just add to the mystery.  I am running Defender with Win 8.1. On July 6th, System was running very poorly. High CPU usage from Defender caused the sluggishness. Was not due to Defender scanning, the last scan ran on July 1st

      1. Ran sfc /scannow – reported back no errors

      2. Ran dism /online /cleanup-image /restorehealth The restore operation completed successfully. The component store corruption was repaired.

      3. Reboot, still slow

      4. Updated Defender manually

      5. Disabled active components of Malwarebytes. No change

      6. Disconnect from internet and allow idle tasks to run, Reboot

      Running good, re-enabled Malwarebytes active components – continues to run good.

      Now for more mystery. Later that week I decided to run a full scan using Defender and checked the quarantine for Defender. To my surprise, A trojan for bitcoin mining was quarantined by Defender on July 5th. Oddly I did not receive a message of this quarantine. As a precaution, I did several other Antimalware scans. All Clean.

      3 users thanked author for this post.
      • #209444 Reply

        Schnarph
        AskWoody Lounger

        I did all that, all came back clean, no change in Defender hogging 21%+ CPU and doing some combination of disk read/write that makes everything slow to open, run, or close.

        However, thanks for sharing your experience with this Defender problem!

      • #213855 Reply

        MrJimPhelps
        AskWoody MVP

        If a bitcoin miner was running, you likely would have had 100% CPU usage. That is, unless the bitcoin malware writers are slowing down their programs so as not to be as noticeable.

        Group "L" (Linux Mint)
        with Windows 8.1 running in a VM
    • #209235 Reply

      anonymous

      I have had the same issue with Microsoft Security Essentials on Windows 7. It is only the real time protection and MsMpEng.exe. I believe it started July 20th for me.

      https://www.askwoody.com/forums/topic/microsoft-security-essentials-definitions-and-pfro-errors/
      https://www.askwoody.com/forums/topic/how-are-they-doing-it/#post-208617

      Works as it should Beijing time on Sundays though. Very odd. Multiple full scans using MSE and Malwarebytes don’t turn up anything though I doubt they find everything. I just disabled MSE real time protection and recheck it daily.

      I doubt it means anything but on July 20th the update included

      Command: /stub 1.1.15000.2 /payload 1.1.15100.1 /MpWUStub /program C:\Windows\SoftwareDistribution\Download\Install\AM_Engine_Patch_1.1.15000.2.exe

      Since then, every update mentions Command: /stub 1.1.15000.2 Version: 1.1.15000.2. Too obvious I am sure but ever since it stated it updated 1.1.15000.2 to 1.1.15100.1 all following updates still mention 1.1.15000.2.

      1 user thanked author for this post.
    • #209370 Reply

      anonymous

      About two weeks ago, msmpeng.exe started using 100% of one of the cores in my W7 computer.  It was an intermittent problem that I could sometimes trigger by starting up or shutting down my Firefox browser, but it would also happen when the computer was just idling, too.

      I tried a bunch of the tips on internet like excluding certain files and folders from scans and running a full scan.  I also scanned tfor viruses/malware/ad ware with no luck.  Nothing helped until I uninstalled Security Essentials and then re-installed it.  It now operates like it used to.

      1 user thanked author for this post.
      • #209451 Reply

        Schnarph
        AskWoody Lounger

        Same here. Internet browsers can be added to exclusions but besides scanning email why else run antivirus? It also happens while idle here, even after a full scan just an hour ago and no internet connection.

        Unlike 7 (in sooo many ways), Windows 10 makes uninstalling Defender rather complicated and there isn’t a specific download to reinstall. I suppose any automatic (vs manual) monthly cumulative update would reinstall it, but I’m not going to be the guinea pig for that scenario until I actually plan to reinstall Windows as well. Reinstall is last resort and this install is only 4 months old.

        I gave up, for now. I installed Avast free version. I have tried a handful of other “top rated” free AV and Avast on silent mode has been the easiest on resources including bandwidth. I know it’s not the best and I don’t really like the company, but uninstalling it is easy and everything is running like day one of this PC build.

        I’ve seen many forum posts around the web describing these symptoms and plenty have had no resolution. There is only one sure fix, stop using Defender.

         

        • #209455 Reply

          anonymous

          @schnarph question from from anon^3 just below here, #post-209452.

          So Avast is not stressing one of your CPU’s with a runaway process, good. Temporary fix in place. Do you believe the fault is gone, because the bug is in MSE/Defender. Or do you think it may be that Avast does not see the malware and is not isolating it. Or do you have an indication like Sueska that your new AV has isolated a known problem?

          • #209476 Reply

            Schnarph
            AskWoody Lounger

            Did I forget to mention high disk activity spikes on C drive indicating constant writing and deleting? That one took a while for me to find, nothing showed up anywhere but resource monitor. Defender tries to do… something, fails, and repeats. More unanswered questions here: https://answers.microsoft.com/en-us/windows/forum/windows_10-security/windows-defender-constantly-creates-and-reads/f5d48ecf-6446-40fd-b9e3-32ae5962b688

            I did a full scan with Defender, all drives, it came back clean, nothing in the quarantine. Malwarebytes scan was also clean. It still taxed the 6-core CPU 21%+ when a 3rd party browser was opened, with or without internet. If I put Firefox and/or Palemoon in exclusions then Defender does nothing when browsing, but it still randomly ramps up when everything has been idle for a while. Opening almost any program would cause a brief spike and total system lag. If there is some hidden malware or virus, would it be only in a 3rd party browser? I hadn’t even used Firefox until this problem started, the only add-on was uBlock Origin. If I had a nickle for every post I’ve read saying all you need is Defender and Malwarebytes…

            I was reading a few recent Firefox forum threads where many have this issue with Defender, supposedly their devs are aware and “are working with Microsoft” who are also aware. If you’re reading this, that makes it 4th party hearsay; I haven’t read an official announcement. I suspect it’s more than just Firefox.

            I’m going to try a few of those niche AV scans for super tricky virus/malware, not the usual realtime AV programs, and will report back if anything is found. While we usually tend to see and hear things that support our beliefs, I’m reading too many posts going back too far about msmpeng.exe going haywire.

            Anyways, Defender goes off when 3rd party AV goes on, and all is running super smooth here now with minimal system impact. Avast full scan found nothing either.

             

      • #209481 Reply

        Bill C.
        AskWoody Lounger

        That was always my solution for when MSE started to get strange – remove via Control Panel and then run the MSE Removal batch file to get any remnants. Howevr when I started having problems at boot with Windows7-64Pro_SP1 showing that there was no user profile I removed it for good.

        ThaT cut off one way of MS sabotaging a working Win7 machine. I have not had a profile issue since. I always like MSE as it was low drag and appeared to do its job.

        2 users thanked author for this post.
    • #209452 Reply

      anonymous

      @schnarph call me anon^3 for this thread. Trying to pull together some ideas scattered about. Can confirm a similar problem in my small dual core running Win7sp1 and MSE. Affects one CPU only, near max while other is happily idle. So in my case total demand hovers nearer 50% than 25%. A recent problem that had gone unidentified for an unknown time.

      But I am not sure how to differentiate between a hardware problem in that particular CPU, a rogue MSE/Defender process, or an actual intrusion that MSE is struggling to cope with. reference Kristy’s Coinhive topic and Sueska’s discovery in the final paragraph.

      I am holding steady as this currently only presents an annoyance, hoping like Kristy further up here that Microsoft’s MSE/Defender will soon update a solution and resolve. I am choosing not to un-re-install yet. My concern stems from wanting to install fresh only on a known clean system, fearing that a preexisting miner or other malware will not be noticed by a fresh install.

      Please, more experienced advisors, explain away my concern or give guidance on this developing topic as new information comes along.

      1 user thanked author for this post.
    • #209477 Reply

      anonymous

      Thanks Schnarph. For the moment I’m going to work under the idea that it is not browser use in itself, but processor activity of any kind that triggers some response. Browser interaction being a moment where we are more sensitive to delay feedback, and so notice the wayward activity more easily.

      I’m also going against my usual bias and say this may be an instance where Microsoft has something correct, at least partially. I think the runaway activity is the MSE/Def. struggling to get a handle on something, and coming up short. Other AVs just are not even triggering at all. Flip-side, could be a false positive and so useless.

      Not trying to ignite something too large here, but aside from miners and other malware, what would a speculative query threat look like in the wild? Could it look something like a runaway process an a maxed out processor? Obscured under the name of the one process meant to deal with the threat.

      No facts to back this up. Just letting the mind wander, trying to get a handle on the cause. May be over thinking. Silence from Microsoft creates a void that must be filled by pondering.

      Anon^3

      1 user thanked author for this post.
      • #209482 Reply

        Schnarph
        AskWoody Lounger

        Easy experiment, open Task Manager to view the following activity:

        1. Open 3rd party browser (Firefox?) and do some safe web surfing then close and wait for CPU to return idle

        2. (optional) Open Chrome and do the same (I don’t use Chrome on this PC)

        3. Open I.E. (and/or Edge if you run Win10) and do the same

        I had no problem with I.E. or Edge, indicating MS AV prefers MS browsers. I ran a few other CPU intensive programs that don’t touch the internet and msmpeng.exe did nothing.

        I had zero network activity opening Firefox to a blank tab, just CPU and disk. Defender still went nuts when everything was idle, even with Defender task scheduler changes. If there is/was a virus/malware, it’s wasn’t sending or receiving anything here. Nirsoft’s NetworkUsageView never showed anything unexpected, and it shows everything, matching my ISP’s teeny-tiny allowance monitor. 21% disk activity is nothing, I can run CPU @99% transcoding video and still open/run/close other programs smoothly, if Defender is OFF.  It’s the disk activity that brought my system to a crawl, and it was difficult to discover the disk activity. I didn’t name this thread correctly, but it was a learning process.

        I still want to know what was going on, for others I know who rely on Defender.

        • #213857 Reply

          MrJimPhelps
          AskWoody MVP

          It’s the disk activity that brought my system to a crawl, and it was difficult to discover the disk activity.

          If you could figure out exactly what is causing the disk activity, AND if you could isolate that activity to a second drive, you would get your computer back, because all other disk activity would be able to take place on the primary drive, without having to wait in line behind the problematic disk activity.

          The idea is that if you have two drives, and if you can divide disk activity between the two drives, it will speed things up, because there will be a lot less waiting in line for the disk. So if there is one process that is continually accessing the disk, you put it on one drive all by itself, so that it doesn’t interfere with all the other processes trying to access the disk.

          Of course, if your A/V program is the culprit, there isn’t much you can do other than schedule scans during times that you aren’t using the computer, because the A/V program has to access all drives in order to do its job.

          Group "L" (Linux Mint)
          with Windows 8.1 running in a VM
    • #209586 Reply

      Sueska
      AskWoody Lounger

      Perhaps this may be of interest to some. In Defender’s quarantined items, there was a link for more information about the quarantined coin mining Trojan.

      https://cloudblogs.microsoft.com/microsoftsecure/2018/07/26/attack-inception-compromised-supply-chain-within-a-supply-chain-poses-new-risks/

      Yes, I was using an older paid version of a pdf editor called Nitro Pdf Pro (Since then I changed to Chrome’s built in pdf utility)

      So I am left wondering, did Defender protect me but not notify me? Why was Defender continuing to max out cpu resources a day after the Trojan was quarantined?  Did updating Defender, then allowing the PC to sit idle, allow Defender to finish real time scanning?

      Thank you @schnarph and others for sharing your experiences and expertise.

      1 user thanked author for this post.
      • #209598 Reply

        Sueska
        AskWoody Lounger

        Edit to my response. Perhaps I should have asked, Did updating Defender, then allowing the PC to sit idle, allow Defender to finish it’s several maintenance tasks?

        • This reply was modified 4 months, 1 week ago by  Sueska. Reason: html
        • #209613 Reply

          Schnarph
          AskWoody Lounger

          Simply put, not as far as I could tell.

          As I mentioned above, while sitting at idle Defender would produce CPU/disk lag spikes at random intervals every few minutes. I set the Defender scan timing in Task scheduler to every 30 minutes when idle but it would do whatever it was trying to do every few minutes. The only open programs were Task Manager and Process Monitor, otherwise I wouldn’t know what was happening. Defender always got updates, twice a day I believe.

          My new C drive has only 55GB used space and 143 hours of use, yet 500GB data written. I cannot account for that much writing apart from Defender writing log files then deleting them, rinse and repeat.

          • #209854 Reply

            anonymous

            I have also found that Windows will run “idle tasks” after about 20 minutes of non use. Google “Process Idle Tasks”. Let the PC sit for an hour, and not sleep, so the Idle Tasks will run.

            Also some antivirus programs create or update a database of files on the hard drive. I have seen AVG do this and it is called “cache”. It will spike 25% on a regular basis until it updates it’s “cache” or database. Then after, it is happy and does not use as much CPU.

            Dot Net updates do the same thing. They “rebuild” the Dot Net image and WILL slow down your PC. https://blogs.msdn.microsoft.com/dotnet/2013/08/06/wondering-why-mscorsvw-exe-has-high-cpu-usage-you-can-speed-it-up/

            Restart the computer and get to the desktop and let it alone. Having a computer sit idle for an hour or two has worked wonders.

            This works for me, I hope it works for you.

            1 user thanked author for this post.
            • #209940 Reply

              Schnarph
              AskWoody Lounger

              Thanks for the suggestion. I uninstalled Avast in safe mode with Avastclear and rebooted a couple of times. Let the computer sit idle with no tasks running for 2 hours. The bad behavior is the same.

              Defender doesn’t stay at 21%+ CPU usage with Firefox open, but any user input in the browser makes it spike. Example: while typing this, if I stop typing the CPU usage goes down and up but eventually stays low, but every time I go back to typing it spikes again until no user input. Again, I can’t see any disk activity in task manager, but selecting msmpeng.exe in resource monitor shows some crazy disk activity. Closing the browser causes a constant 21-22% CPU and drive lag for up to one minute. I believe that’s what makes everything feel slow, hogging the C drive.

              Using 3rd party AV does not tax the system like this at all. There’s a very brief spike when a browser or almost any program needing internet is opened but it’s less than 10% and doesn’t tax the drive, only CPU.

               

            • #209947 Reply

              anonymous

              Schnarph, sorry you have those issues and the 2 hour idle time did not help. You mentioned Firefox. Please see these pages for Firefox and Defender issues. I hope you figure it out.

              Antimalware Service Executable very active when using Firefox (windows 10)
              https://bugzilla.mozilla.org/show_bug.cgi?id=1441918

              Defender utilization extremely high since Firefox Quantum update
              https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning-windows_10/defender-utilization-extremely-high-since-firefox/8a84b998-532d-4e2c-87d3-451623b923b2

              MsmpEng.exe(Windows Defender) high cpu usage specifically when I browse from Firefox.
              https://www.reddit.com/r/firefox/comments/94bdy1/msmpengexewindows_defender_high_cpu_usage/

              How to Fix High Windows Defender Disk Activity When Using Mozilla Firefox
              https://news.softpedia.com/news/how-to-fix-high-windows-defender-disk-activity-when-using-mozilla-firefox-521796.shtml

              1 user thanked author for this post.
            • #209955 Reply

              Schnarph
              AskWoody Lounger

              Thank you, but did you read those links?

              #1 describes my issue exactly but has no resolution. I referenced that one without linking it, that’s how I found the disk usage issue. There is no current fix, posts suggest MS is working on a fix. That thread 5 months old up to 2 weeks ago, no fix.

              #2 blames firefox quantum, but the same bad behavior comes from Palemoon which forks from pre quantum, thus bogus. Actually, it’s worse with Palemoon in terms of msmpeng.exe CPU demand.

              #3 is “a known issue, and a future version of Defender will fix it”. Sure, a future version of MS product will fix something, heard that line before. Complaints of Defender doing exactly this go back to January, other similar complaints go back years. It only hurts the 3rd party browser, why would they care? Before switching AV, I started using Edge for the first time and everything was smooth unlike FF or PM. I doubt this was intentional, but it’s still absolutely disgusting.

              #4 suggests excluding the 3rd party browser .exe from scanning, so what’s the point in using real-time AV? Might as well turn it off real-time protection completely and run it on demand like the freeware version of Malwarebytes.

              This issue isn’t widespread by any means. Maybe it’s a combination of Windows build, other installed programs, Windows settings, and who knows? If my internet wasn’t so slow and bandwidth restricted I would just clone my C drive to an external and reload windows to see if it’s any better from a fresh install. Unfortunately that takes at least one overnight session of watching progress bars and I already found the fix, go 3rd party AV.

            • #209972 Reply

              anonymous

              Schnarph, Yes I saw some were not solved. In one, Reddit I think, the problem started 7 days ago for the poster. See this one.

              Windows 10: High CPU usage from Windows Defender
              https://www.tenforums.com/performance-maintenance/114874-high-cpu-usage-windows-defender-5.html

              “…I stopped Defender in the Group Policy editor, and went looking for the files he mentioned. I found only one (mpenginedb.db), but it was in the subfolder “Scans” … “There was a few cache files as well, and all had been recently written to, so I deleted those in addition to mpenginedb.db” … “Then I restarted Defender (again from the GPE) and rebooted the computer. And what can I say, this made a world of difference, it clearly fixed the issue for me…”

              2 users thanked author for this post.
            • #209977 Reply

              Schnarph
              AskWoody Lounger

              Well that was interesting, and it worked! Nice Google*, anonymous sir or madame.

              I chose the processhacker route because it seemed more interesting and useful in the future though I do have an external linux mint drive ready for similar shenanigans. I’m not sure if it was the mpenginedb.db (database) or all the cache files (over 250MB!), but deleting them all fixed the Defender freakout. The cache files rebuilt to the same size after reboot, kinda large but I won’t complain since everything is running smooth now. Since nobody else in that thread or it’s reference can tell for sure, it looks like a corrupt Defender database was the cause. How it became corrupt, no telling, but it’s obviously not unique. I wonder how many suffer from this and have no clue of the origin.

              I really, really appreciate the help. I was going to give up and use Avast or whatever, which isn’t that bad but avoids the issue like switching OS when things go wrong. It’s a shame that it was so hard to find a solution, so few know how, and someone with 6 posts on Tenforums posted the answer yesterday after finding the fix posted 10 ago on reddit. That is too obscure.

              Again, many, many thanks anonymous person. You potentially saved me from a future reinstall for no good reason. I’m left satisfied yet still discontent and suspicious, the typical experience of a typical Windows 10 user?

            • #210014 Reply

              anonymous

              Schnarph, again glad it worked. People have their own ideas of “process killers” and we stick to the names like Systernals. Systernals Process Explorer will kill a handle (connection) to a file and allow you to rename or delete it.

              Here is an article on it and other solutions to “Access denied” file problems.

              How to Delete, Move, or Rename Locked Files in Windows
              https://www.howtogeek.com/128680/how-to-delete-move-or-rename-locked-files-in-windows/

              We did it here with Process Explorer and the mpenginedb.db and .bd-wal and .db-shm were much smaller. It appears Defender is using less resources.

              Hope this helps others.

              1 user thanked author for this post.
            • #210039 Reply

              Schnarph
              AskWoody Lounger

              I’ve used sysinternals autoruns a few times but never knew how many utilities they made. I just downloaded the whole suite, very impressive bunch of tools. That’s definitely one for the emergency thumb drive toolkit.

              Process explorer doesn’t sound nearly as scary as processhacker. They’re both portable but I have much more faith in sysinternals products.

            • #213861 Reply

              MrJimPhelps
              AskWoody MVP

              I’m not sure if it was the mpenginedb.db (database) or all the cache files (over 250MB!), but deleting them all fixed the Defender freakout. The cache files rebuilt to the same size after reboot, kinda large but I won’t complain since everything is running smooth now.

              It could very well have been that the cache files somehow got corrupted. When you deleted them, Defender recreated clean, new copies of them, thereby solving the problem.

              I have seen this in other instances: Years ago, a user was having email issues. We were using CC:Mail, and so I deleted the CC:Mail temp files, and the problem disappeared. Ditto for Java temp files and Windows temp files.

              Group "L" (Linux Mint)
              with Windows 8.1 running in a VM
            • #209980 Reply

              Kirsty
              AskWoody MVP

              See this one.

              Windows 10: High CPU usage from Windows Defender
              https://www.tenforums.com/performance-maintenance/114874-high-cpu-usage-windows-defender-5.html

              That thread was previously posted above:

              There is also a very current report of some systems being hit by High CPU issues.

              1 user thanked author for this post.
            • #210037 Reply

              Schnarph
              AskWoody Lounger

              Yes, but when you posted that last Tuesday there wasn’t any solution short of disabling Defender which is throwing the baby out with the bathwater so to speak. The solution didn’t come until 2 days ago in that thread, posts #40 and #42.

              1 user thanked author for this post.
            • #209997 Reply

              anonymous

              Schnarph, Thank you for letting me know and happy it did work! Kirsty did have page 3 of that posted as a “click here” type of comment so she saw it first. I prefer to post the whole link so people can see the link and title,  can see the domain,  thread title and a bit of the dialog if there was a success.

              Thanks to woody’s page, another problem solved.

               

              2 users thanked author for this post.
    • #210041 Reply

      Microfix
      AskWoody MVP

      So if this is solved, the concluding method of this is:

      To fix high CPU usage from Windows Defender:

      1. Kill MsMpEng.exe (Anti-malware Service Executable) process with a tool
      like Process Hacker /  Process Explorer or stop it in the Group Policy Editor (GPE)

      2. Then Navigate to C:\ProgramData\Microsoft\Windows Defender\Scans

      3. Delete mpenginedb.db AND mpenginedb.db-wal

      4. Then either (depending on what method you used):

      Restart MsMpEng.exe process in GPE. (Important otherwise the service will never start!)

      Restart MsMpEng.exe process using Process Hacker/ Process Explorer, OR just Reboot the system.

      This will save time in the future for an answer to the initial issue 😉

      Thanks goes to KF1983-Windows-10-Forums-Post#40

       

      | W10 Pro x64 | W8.1 Pro x64 | Linux x64 Hybrids | XP Pro O/L
      2 users thanked author for this post.
    • #210081 Reply

      Sueska
      AskWoody Lounger

      Congratulations Schnarph on fixing your problem.You did not give up, knew there was a problem, and posters came through for you. Even though my big issue with near 100% CPU usage was solved for my Windows 8.1, I began to question if I was still settling for mediocre performance. After continuing to read this post, I monitored my CPU usage closer and found there was indeed some occasional 25% CPU usage from Windows Defender. Coupled with CPU usage from Firefox ESR 52.9, CPU usage would occasionally be over 60%. So long story short, I renamed (mpenginedb.db, mpenginedb.db-wal, and mpengine.db.db-shm (for good measure). (files located in C:\ProgramData\Microsoft\Windows Defender\Scans). As a side note, I noticed when searching for mpengine.db that there was another file mpengine.db.db located in C:\Windows\Microsoft Antimalware\Scans. Files were not updated since 5/26/18. This led me to believe that this was just an older location for the Scans folder and it could be ignored.
      Firefox is still using a lot of resources, but CPU usage from Defender is now negligible! Thanks all.

      1 user thanked author for this post.
    • #210126 Reply

      anonymous

      You get another fun instance of Defender going crazy when you open updates and security window, one that goes on for several minutes

      I wonder if this is an issue that you have to fix yourself or they will eventually patch to fix the database issue

    • #210174 Reply

      anonymous

      Couple of questions. If this is just a case of a corrupted file causing the issue, why does it not happen on Sunday Beijing time? At least that is the case for me. A corrupted file wouldn’t seem to take the same day off each week.

      Do others have the program listed as Microsoft Antimalware (Beijing) in the Windows\Temp\MpSigStub file?

    • #210219 Reply

      Sueska
      AskWoody Lounger

      @anon regarding your questions.

      1. Sunday runs good, other days bad is puzzling indeed. It is Sunday now in US and my Windows 7 is running good, perhaps a coincidence. Sorry no ideas.

      2. Yes, In Windows 7,  I do have the file Windows\Temp\MpSigStub.log

      When I open the file with notepad I see Microsoft Defender (Windows 7) Microsoft Antimalware (Beijing) listed and its Status is listed as Disabled. This is correct since I do have Windows Defender disabled in Windows 7. I also see an entry in this log file for Microsoft Antimalware (Beijing) and its Status is listed as Active. I assume this is Microsoft Security Essentials.

      Windows Defender came with Windows 7 and is primarily an antispyware program. It was not meant to be an antivirus. I installed Microsoft Security Essential as my antivirus for Windows 7 and disabled Windows Defender. The files mpenginedb.db, mpenginedb.db-wal, and mpengine.db.db-shm are located in the C:\ProgramData\Microsoft\Microsoft Antimalware\Scans folder on my Windows 7. I am assuming these files are currently being used by Microsoft Security Essentials.

      There is a lot of confusion with Windows Defender in Windows 7. Windows Defender is not an antivirus in Windows 7. In Windows 8.1 and Windows 10 Windows Defender is an antivirus.

    • #213281 Reply

      anonymous

      Mine appears to have corrected itself a month to the day to when I first noticed it. I didn’t do any of the recommended deleting of files to fix it.

    • #213829 Reply

      RockJohny
      AskWoody Lounger

      Defender always got updates, twice a day I believe.

      wow! I didn’t let Windows update for a few years and catching up on Defender updates is taking forever…over 100 so far, guess 1000’s to go?!!

       

    • #213851 Reply

      GoneToPlaid
      AskWoody Lounger

      If I open a non-Microsoft internet browser, Antimalware Service Executable (Defender) CPU usage jumps from the usual 0%-1% up to 21% and stays there or higher. My CPU Package temp jumps at least 15C so the fans all go up from 30% to 50%+ (custom fan curve). Just opening Firefox or Palemoon to a blank tab is enough. It only takes one browser open to do this, no other apps at all. It stays this way anywhere from 1 to 5 minutes after closing the browser. It seems fine with I.E. and Edge, go figure. While 21% isn’t all that high, even opening and closing a 4kb text document in Notepad feels like opening LotR trilogy. Basically I can’t run or have recently run anything that browses the web and expect to have anything else run smoothly. The system is a 8600k at 4.4ghz with a humongous air cooler, 16GB of 3200mhz ddr4, Windows 10-1709 running on a Samsung 970 M.2. This equates to one of six cores running at 100% and bleeding over to another, I can’t imagine running a dual core CPU with this problem. I have gone to Task Scheduler and changed the Defender scheduled scan to wait for idle 30 minutes before starting and stop when it ceases to be idle, as if that would help. I read about adding C:\ProgramData\Microsoft\Windows Defender folder to exclusions, but that didn’t change anything either. Tried turning cloud-delivered protection and automatic sample submission off too. It must be the real time protection, the only point in having AV, but this is overkill. I could add my 3rd party browser of choice to the exclusion list, but that is the most likely vector for a virus with my usage. Before I start trying 3rd party AV, are there any suggestions for putting a leash on Defender? In lieu of a curb for Defender, any suggestions for free 3rd party AV that doesn’t constantly eat 1/5 to 1/4 of my more than adequate CPU just to post a message like this? Suggestions, please, and thank you in advance. I don’t want to chose between Defender + I.E. /Edge or 3rd party browser + 3rd party AV.

      Oh my goodness. Yet more Windows Defender issues again!

      Disable Windows Defender, and then download and install the free version of Panda’s antivirus program from:

      https://www.pandasecurity.com/usa/homeusers/solutions/free-antivirus/

      Panda has no issues which actually require the special registry key to be set in the registry, starting in January when Microsoft began its attempts to mitigate Meltdown and Spectre. If you don’t understand what I am talking about, then simply ignore this.

      The upshot is to simply do what I have recommended, above, so that you are done with having to deal with any issues regarding Windows Defender.

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Windows Defender High CPU Usage? Help!

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Your information:


    Comments are closed.