The Windows 10 operating system (and also Windows 11) includes the Windows Defender tool to protect us against security threats. This tool consumes little relevant resources, a small cost to keep us safe. But, they have found that in reality this processor consumption of Windows Defender on Intel CPU is higher than it should be.
Kevin Glynn (aka “Uncle Webb”) is a software developer who works for the TechPowerUp milieu. During the development of ThrottleStop, Glynn discovered a rather interesting bug that had to do with Windows Defender. It would have detected that Windows Defender is consuming more processor resources than it should in real-time protection.
Windows Defender consumes a lot of resources on Intel processors
The first sign that something “abnormal” was happening was given by the HwiNFO tool. This tool shows a lower than expected “effective clock” speed when the CPU was fully loaded. It seems that the anomaly is more present when Defender is affected by a software conflict , slowing down the system more.
According to Glynn, its Core i9-10850K processor clocked at 5.0 GHz across all cores loses 1,000 points in Cinebench . This represents a loss of performance of approximately 6%, which is a lot. A problem that affects any user who has an Intel Core from 2008 onwards.
The funny thing is that it affects users with Intel Core desktop and laptop processors, but does not affect AMD Ryzen processors .
The issue appears to be underlying Windows Defender’s use of counters for Intel processors. Within these counters, three of fixed functions are included. Each of the counters can be programmed within each of the software execution rings.
It can be disabled, run on ring 0 which has more control over the hardware, on rings 1 and 2 for drivers, or on ring 3 which is the applications ring. Rings are shared resources and multiple programs may want to access them at the same time.
Wearing the rings seems to be the problem
HWiNFO, OCCT, Core Temp and ThrorttleStop, among others, are usually executed in ring 3, although at specific times they may need to be executed in other rings. That several programs share the same ring is not a problem, it is normal.
What Windows Defender seems to do is move them to ring 2 in random situations, for random periods of time. This can happen when the system boots for the first time or at any time. When Windows Defender is running in the background, you can start or stop, and even constantly switch, those tools to mode 2 at any time.
We must be clear that the problem exists , even if monitoring software is not used . Defender will continue to overuse the processor on a recurring basis.
It should be noted that this is not a problem on Intel processors. Manually setting the same timers as Windows Defender has no negative impact on performance. If a manual overwrite of the counters occurs, Defender detects it, stops its work, and performance returns to normal. This does not affect virus detection at any time.
How can I solve it?
To make it easy they have developed the Counter Control tool that monitors the registry of Intel processors. This tool informs the user if any software is using Intel’s fixed feature counters and usage time.
A series of values will appear on the screen, which mean:
- 0x000 – Not Used: Indicates that none of the controllers are currently in use
- 0x222 – Defender: The three controllers are configured in ring 2. This value indicates that they are being used by Windows Defender
- 0x330 – Normal: Two of the controllers are configured in ring 3 , and one of the controllers is configured in ring 0 and is not being used . This is normal
- 0x332 – Warning: We have two drivers being used by monitoring software while the third is configured in ring 2, possibly by Windows Defender . It may be a warning that two software are fighting for control of these resources. We may see a constant register change between 0x222 and 0x332. It can appear when we use HwiNFO and Windows Defender tries to use the drivers
If we are in case 0x332, within the Counter Control software , we can click on Reset drivers . What this does is that a driver moves to ring 3. Defender will detect it, stop working and restore performance.
We additionally have two other solutions that we can apply . These are:
- Disable real-time monitoring of Windows Defender, something that is not recommended at all
- Use the ThrottleStop 9.5 software , which in the “Options” window includes the “Windows Defender Boost” function. Such action ensures maximum performance and precise control of the effective clock.
We do not know if Microsoft will take action on this matter and fix it in future updates. Most likely, having such a limited impact, it will end up being left like that. They could only correct it if it affects a significant number of users, something that does not seem to be the case.
