New Utility Fixes Windows Defender Hogging CPU Time on Intel CPUs


Kevin Glynn, aka Uncle Webb at TechSpot, has developed several useful freeware utilities like ThrottleStop and RealTemp over the years. In the course of developing those programs he discovered a curious behavior in Windows Defender with Intel CPUs. Windows Defender is the software included with Windows to protect your PC from malware and viruses. Webb discovered that at random intervals Defender would suddenly begin using excessive CPU resources. In some cases it can result in up to six percent lower performance. Thankfully Webb has created a free utility to resolve the issue, and it’s called Counter Control. Note this behavior has been reported so far with Intel 8th, 9th, 10th, and 11th gen CPUs on Windows 10 and 11. AMD CPUs are not affected at all.

Here’s a simple explanation of the situation. Intel CPUs include three fixed function hardware performance counters for each thread. They are designed to be a shared resource, so temperature and performance tools can access them. They can be used either by the OS or the user. These three counters can be programmed to one of four modes reflecting different levels of privilege. Those include Disabled, OS access (Ring-0), User (ring>0), and all-ring levels. Most performance monitoring tools set this to “all-ring levels” or Mode 3. This allows any program to access them with no issues. However, Windows Defender’s Real-time Protection notification feature will try to change all three to Mode 2 at random intervals. This is the crux of the issue, as Defender will use CPU time trying to change the status of the counters. If you’re curious, you can load up HWINFO and put the CPU under full load. It might report a slightly lower maximum clock speed. The software’s author says this is likely Defender trying to use the counters, and interfering with HWINFO.

What I saw after a fresh boot. The 0x222 means Defender is using the counters.

As far as it affecting performance goes, it can have a noticeable impact, at least in benchmarks. One example according to TechPowerUp uses a Core i9-10850K running at 5GHz. It showed a decreased Cinebench R23 benchmark score of ~1000 points (16800 vs 15800). Your humble author did the same test on his own Intel 11th gen CPU. I ran Cinebench R23 with my PC “as is” and got a score of 11,158. Next, I downloaded the utility and clicked “reset counters” and ran it again. My score with the counters reset was 12,163, which is an 8.6 percent uplift. That said, I’ve had this system for roughly a year now and it’s never felt slow or unresponsive. It features an Intel Core i7-11700KF, 32GB of DDR4, and a PCIe 3.0 NVMe SSD.

When you fire up the utility, which can be downloaded here, you’ll see the status of the “IA32_FIXED_CTR_CTRL” register on Intel CPUs. Here’s how to interpret the number you see, copied from TechPowerUp:

  • Not Used – 0x000: The three fixed function counters are stopped. None of the counters are presently being used.
  • Defender – 0x222: All three fixed function counters are programmed to mode 2. This is the value that Windows Defender sets these counters to when it is using them.
  • Normal – 0x330: Two counters are programmed to mode 3. One counter is programmed to mode 0 and is not being used. This is normal. Most monitoring programs that use these counters will program the counter control register to this value.
  • Warning – 0x332: This is shown when two counters are being used normally by monitoring software while the third counter has been set to mode 2, likely by Windows Defender. This is a warning that two different programs might be fighting over control of the shared counters. You might see the counter control register constantly changing between 0x222 and 0x332. This is what you will see when running HWiNFO if Windows Defender is trying to use the IA32_FIXED function counters at the same time.
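The interpretation table above, as an added example that is not code from Counter Control, ThrottleStop or TechPowerUp: a decoder that splits an IA32_FIXED_CTR_CTRL reading into the three per-counter modes, classifies it, and counts Defender/Warning flips across a series of readings. It generalizes the four listed values by counting modes rather than matching exact hex values; the function names and the sample readings are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Each fixed counter owns one hex digit of IA32_FIXED_CTR_CTRL. The low two
 * bits of the digit are the mode from the article: 0 = disabled, 1 = OS
 * (ring 0), 2 = user (ring > 0), 3 = all rings. Upper bits are ignored here. */
enum ctr_state { NOT_USED, DEFENDER, NORMAL, WARNING, OTHER };

unsigned ctr_mode(uint32_t ctrl, unsigned idx)
{
    return (ctrl >> (4 * idx)) & 0x3u;
}

/* Classify by counting modes, so 0x033 is treated like 0x330 (assumption). */
enum ctr_state classify(uint32_t ctrl)
{
    unsigned count[4] = {0};
    for (unsigned i = 0; i < 3; i++)
        count[ctr_mode(ctrl, i)]++;
    if (count[0] == 3) return NOT_USED;
    if (count[2] == 3) return DEFENDER;
    if (count[3] == 2 && count[0] == 1) return NORMAL;
    if (count[3] == 2 && count[2] == 1) return WARNING;
    return OTHER;
}

/* Count flips between the Defender and Warning states in a series of
 * readings: the "fighting over the counters" pattern from the table. */
size_t contention_flips(const uint32_t *s, size_t n)
{
    size_t flips = 0;
    for (size_t i = 1; i < n; i++) {
        enum ctr_state a = classify(s[i - 1]), b = classify(s[i]);
        if ((a == DEFENDER && b == WARNING) || (a == WARNING && b == DEFENDER))
            flips++;
    }
    return flips;
}

int main(void)
{
    /* Constructed sample readings, not captured from a real system. */
    const uint32_t samples[] = {0x330, 0x332, 0x222, 0x332, 0x222, 0x330};
    static const char *names[] = {"Not Used", "Defender", "Normal", "Warning", "Other"};
    size_t n = sizeof samples / sizeof samples[0];
    for (size_t i = 0; i < n; i++)
        printf("0x%03x -> %s\n", (unsigned)samples[i], names[classify(samples[i])]);
    printf("Defender/Warning flips: %zu\n", contention_flips(samples, n));
    return 0;
}
```

Reading the register itself requires ring-0 access, so the readings would come from a tool such as Counter Control; this code only interprets values already collected.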

If you use the utility and click “reset counters,” it will resolve the issue. Defender will not try to change it back for the duration of that session. If you reboot, you will need to check it again. As far as actual fixes go, you can always disable Windows Defender’s real-time notification system, but that’s not recommended. However, if you want to do it anyway, here’s how you do it. On Windows Pro OSes, go to the Local Group Policy Editor (gpedit.exe). Next navigate to “Computer Configuration / Administrative Templates / Windows Components / Microsoft Defender Antivirus / Real-time Protection.” Here you can enable “Turn off real-time protection.”

If you’re on Windows Home, you will need to edit the registry. Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection. Next, if you do not see a value called DisableRealtimeMonitoring, right click and create a new DWORD value. Name this DWORD value DisableRealtimeMonitoring and set this to a value of 1.

If you want to leave Defender alone, you can also run ThrottleStop. It has a feature called “Windows Defender Boost.” Enabling it activates one of the programmable timers. Windows Defender will notice this and cease trying to access them until the system is restarted.

The software’s author is curious to see if more people are experiencing this issue. Hopefully, he writes, if enough people complain about it, Microsoft will fix Defender, permanently.
