A Windows Defender bug can significantly affect Intel CPU performance. But we have the solution
Kevin Glynnaka “Uncle Webb”, author of associated software behind popular utilities such as ThrottleStop and RealTemp, has developed a new utility called Counter Control. This allows you to monitor and log the performance counters of the processors Intel Core dal 2008 (Core “Nehalem”). While developing ThrottleStop, Kevin discovered a fascinating bug with Windows Defender, the Windows built-in security software (here for more info). This causes a significantly greater performance impact on the processor than it normally should. Of course, security software is bound to have a (small) performance impact when protecting in real time, but this is much bigger.
Noticeable performance loss with the Windows Defender bug
The first sign that something is happening is that HWiNFO will report a reduced “actual clock” speed when the CPU is fully loaded. A much bigger problem is that when Defender is affected by the bug, the performance of your machine will be greatly reduced. For example, a Core i9-10850K running at 5.00 GHz all-core loses 1000 Cinebench points (or 6%). Such a performance loss has been reported by owners of Intel Core 8th, 9th, 10th and 11th generation CPUs, both desktop and mobile, on both Windows 10 and Windows 11. AMD processors are not affected.
The underlying problem that costs so much performance is that Windows Defender will start using in randomly all seven counters hardware performance provided by Intel Core processors, which includes three fixed function counters. Each of these counters can be programmed in one of four modes, to configure the privilege level that matters. Disabled, OS (ring-0), User (ring> 0) and All-Ring. Because these counters are a shared resource, multiple programs may want to access these counters at the same time.
The problem in detail
Popular system utilities such as HWiNFO, OCCT, Core Temp e ThrottleStop, set all these counters to “mode 3” or “All Ring Levels”. Since they all set the same mode, there are no problems with multiple programs using the same counter. Windows Defender, on the other hand, will set these counters to “mode 2”, at what appear to be random intervals, for random periods of time. This can happen when a computer starts up for the first time or it can happen anytime after. While Windows Defender is running in the background, it can start and stop or continually try to change these counters to Mode 2 at any time. Just to clarify, the performance loss will occur even without any monitoring software running – Defender will still use excessive CPU time.
The issue is not with Intel hardware, as manually setting the same timers as Windows Defender has no negative impact on performance. Also, if these counters are manually overwritten, Defender detects it immediately stops all operations and performance returns to normal, with no negative effect on the ability to detect viruses in real time.
Counter Control
Our Counter Control software monitors and records the “IA32_FIXED_CTR_CTRL” register of Intel Core processors, located at MSR 0x38D. This register provides access to the three performance monitoring counters fixed function mentioned above. Counter Control will notify users if any software uses Intel fixed function counters and for how long they have been used. Typical values reported by Counter Control can be as follows.
- Not used – 0x000: the three fixed function counters are stopped. None of the counters are currently in use.
- Defender – 0x222: All three fixed function counters are programmed in mode 2. This is the value Windows Defender sets these counters to when it uses them.
- Normal – 0x330: two counters are programmed in mode 3. One counter is programmed in mode 0 and is not used. It’s normal. Most monitoring programs that use these counters program the counter control register to this value.
- Warning – 0x332– Appears when two counters are being used normally by the monitoring software while the third counter has been set to mode 2, possibly by Windows Defender. This is a warning that two different programs may be in conflict for shared counter control. You may see the counter control register constantly changing between 0x222 and 0x332. This is what you will see when running HWiNFO if Windows Defender is trying to use the counters of the IA32_FIXED function at the same time.
If your system seems affected, showing the “Defender” reading, a quick fix is to click the “Reset Counters” button in the Counter Checker. By pressing the button, a timer will be reprogrammed in mode 3, which will be detected by Defender, and Defender will stop doing its thing and restore performance. Please check with the benchmarks.
Solutions
There are two ways to permanently mitigate this loss of performance. It’s possible disable real-time monitoring Windows Defender However, this is highly discouraged due to security implications. Or you could use the latest version 9.5 at ThrottleStop, which has a feature in the “Options” window called “Windows Defender Boost”. Selecting this option ensures maximum performance and accurate monitoring of the Core Effective Clock in all applications. Regardless of whether Windows Defender real-time protection is enabled or not. To achieve this, ThrottleStop immediately activates one of the programmable timers. When Windows Defender detects that some user software is attempting to use one of the programmable counters, it stops using all counters and leaves them alone as long as the counter is enabled. This brings the performance back to normal.
The button “Reset” in Counter Control it does the same and gives people a way to activate just this mechanism, without having to start ThrottleStop. Just to clarify, Windows Defender will continue to function correctly. It can still detect and notify users of any viruses. If started once, with the “Windows Defender Boost” option, ThrottleStop will make the timer run in mode 3, even when it is closed. This means that you can start ThrottleStop once on startup, close it right after, and your system will be protected from Defender performance issues. If “Windows Defender Boost” is not checked, the counter will initially be cleared. That is breaks the Window Defender algorithm. But ThrottleStop will no longer try to keep a counter running while it is being used and will not keep that counter running after exiting ThrottleStop.
And you? what do you think of this bug di Windows Defender ? tell us yours below in the comments and stay connected on TechGameWorld.com, for the latest news from the world of technology (and more!).