Kevin Glynn (aka “Uncle Webb”) is a software developer who works on TechPowerUp support. While developing ThrottleStop, Glynn discovered a rather interesting bug related to Windows Defender: he reportedly found that Windows Defender consumes more CPU resources than it should for real-time protection.
Windows Defender consumes a lot of resources on Intel processors
The first sign that something was “wrong” came from the HWiNFO tool, which displayed an “effective clock” speed lower than expected when the processor was fully loaded. The anomaly seems to be more pronounced when Defender is affected by a software conflict, which slows the system down further.
According to Glynn, his Core i9-10850K processor, clocked at 5.0 GHz on all cores, loses 1000 points in Cinebench. This represents a performance loss of around 6%, which is a lot. The problem affects any user with an Intel Core processor made since 2008.
The funny thing is that it affects users of Intel Core desktop and laptop processors, but does not affect AMD Ryzen processors.
The problem seems to lie in Windows Defender's use of the counters of Intel processors. These counters include three fixed-function counters. Each of the counters can be programmed for each of the software execution rings.
A counter can be disabled, run in ring 0, which has more control over the hardware, in rings 1 and 2 for drivers, or in ring 3, which is the application ring. The rings are shared resources, and multiple programs may want to access them at the same time.
The use of the rings seems to be the problem
HWiNFO, OCCT, Core Temp and ThrottleStop, among others, usually run in ring 3, although at specific times they may need to run in other rings. Several programs sharing the same ring is not a problem; it is normal.
What Windows Defender seems to do is move them to Ring 2 in random situations, for random periods of time. This can happen when the system boots for the first time or at any other time. When Windows Defender is running in the background, it can start or stop, and even constantly switch, these tools to Mode 2 at any time.
To be clear, the problem exists even when no monitoring software is used. Defender will continue to overuse the CPU on a recurring basis.
It should be noted that this is not a fault of the Intel processors themselves. Manually setting up the same timers that Windows Defender uses has no negative impact on performance. If a manual counter overwrite occurs, Defender detects it, stops its work, and performance returns to normal. This does not affect virus detection at any time.
How can I solve it?
To make this easier, they have developed the Counter Control tool, which monitors the register of Intel processors. The tool tells the user whether any software is using Intel’s fixed-function counters, and for how long.
One of a series of values will appear on the screen, with the following meanings:
- 0x000 – Not used: Indicates that none of the counters is currently in use
- 0x222 – Defender: All three counters are configured in ring 2. This value indicates that they are being used by Windows Defender
- 0x330 – Normal: Two of the counters are configured in ring 3, and one of the counters is configured in ring 0 and is not used. This is normal
- 0x332 – Warning: Two counters are used by the monitoring software, while the third is configured in ring 2, possibly by Windows Defender. This may be a warning that two programs are fighting for control of these resources. The register may change constantly between 0x222 and 0x332. It may appear when HWiNFO is in use and Windows Defender tries to use the counters
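The list above can be turned into a small classifier for logged readings. This is an added example, not code from Counter Control or ThrottleStop: the function names, the flip threshold and the sample readings are assumptions, it treats each hex digit as one counter's setting as the list implies, and it generalizes the "Warning" case to any mix of 2 and 3 digits while labelling everything the article does not describe as unknown.

```python
# Added example: labels follow the four cases listed above; names are hypothetical.

def counter_digits(value):
    """Split a value such as 0x332 into one hex digit per fixed counter."""
    return [(value >> shift) & 0xF for shift in (0, 4, 8)]


def classify(value):
    """Map a register value onto the labels used in the list above."""
    digits = counter_digits(value)
    if all(d == 0 for d in digits):
        return "not used"
    if all(d == 2 for d in digits):
        return "defender"
    if 2 in digits and 3 in digits:
        return "warning"
    if set(digits) <= {0, 3}:
        return "normal"
    return "unknown"  # combinations the article does not describe


def contention(samples, min_flips=2):
    """Count defender<->warning flips in time-ordered samples.

    Returns (flips, flagged); flagged means the value keeps switching between
    the 0x222 and 0x332 states, the pattern the article ties to two programs
    fighting over the counters. min_flips is an assumed threshold.
    """
    labels = [classify(v) for v in samples]
    flips = sum(
        1
        for prev, cur in zip(labels, labels[1:])
        if {prev, cur} == {"defender", "warning"}
    )
    return flips, flips >= min_flips


# Constructed readings, one per polling interval (not captured from a real system).
SAMPLES = [0x330, 0x330, 0x332, 0x222, 0x332, 0x222, 0x330]

if __name__ == "__main__":
    for v in SAMPLES:
        print(f"0x{v:03X} -> {classify(v)}")
    print("flips, flagged:", contention(SAMPLES))
```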
If we are in the 0x332 case, we can click to reset the counters in the Counter Control software. This moves a counter to ring 3. Defender will detect it and stop its work, and performance is restored.
There are two other solutions we can apply. These are:
- Disable Windows Defender real-time monitoring, which is not recommended at all
- Use the ThrottleStop 9.5 software, which includes the Windows Defender Boost function in its “Options” window. This ensures maximum performance and precise control of the effective clock.
We don’t know if Microsoft will take action on this and fix it in future updates. Most likely, given such limited impact, it will end up being left that way. They would only fix it if it affected a significant number of users, which doesn’t seem to be the case.