Is your PC running slow with Intel? Blame it on Windows Defender

Kevin Glynn (aka “Uncle Webb”) is a software developer who works on the TechPowerUp medium. During the development of ThrottleStop, Glynn discovered a rather interesting bug that he had to do with Windows Defender. He would have detected that Windows Defender consumes more processor resources than it should in real-time protection.

Windows Defender consumes a lot of resources on Intel processors

The first sign that something “abnormal” was happening was given by the HwiNFO tool. This tool displays a lower than intended “effective clock” speed when the CPU was fully loaded. It seems that the anomaly is more present when Defender is affected by a software conflictfurther slowing down the system.

According to Glynn, his processor Core i9-10850K clocked at 5.0 GHz on all cores lose 1000 points in Cinebench. This represents a loss of performance of approximately 6%, which is a lot. A problem that affects any user who has an Intel Core from 2008 onwards.

The funny thing is that it affects users with desktop and laptop Intel Core processors, but does not affect AMD Ryzen processors.

It seems that the problem lies in the use by Windows Defender of the accountants of the Intel processors. Within these counters, three of fixed functions are included. Each of the counters can be programmed within each of the software execution rings.

It can be disabled, run on ring 0 which has more control over the hardware, on rings 1 and 2 for drivers, or on ring 3 which is the applications ring. Rings are shared resources and multiple programs may want to access them at the same time.

Wearing the rings seems to be the problem

HWiNFO, OCCT, Core Temp and ThrottleStop, among others, they are usually executed in ring 3, although at specific times they may need to be executed in other rings. That several programs share the same ring is not a problem, it is normal.

What Windows Defender seems to do is move them to ring 2 in random situations, for random periods of time. This can happen when the system boots for the first time or at any time. When Windows Defender is running in the background, you can start or stop, and even constantly switch, those tools to mode 2 at any time.

We must be clear that the problem existsthough monitoring software is not used. Defender will continue to overuse the processor on a recurring basis.

It should be noted that this is not a problem on Intel processors. The manual configuration of the same timers Windows Defender has no negative impact on performance. If a manual overwrite of the counters occurs, Defender detects it, stops its work, and performance returns to normal. This does not affect virus detection at any time.

How can I solve it?

To make it easy they have developed the counter control tool which monitors the registry of Intel processors. This tool informs the user if any software is using Intel’s fixed feature counters and usage time.

A series of values ​​will appear on the screen, which mean:

  • 0x000 – Not used: Indicates that none of the drivers are being used currently
  • 0x222 – Defend: The three controllers are configured in ring 2. This value indicates that they are being used by Windows Defender
  • 0x330 – Normal: There are two of the controllers are configured in ring 3Y one of the controllers is configured in ring 0 and is not being used. This is normal
  • 0x332 – Warning: We have two controllers are used by monitoring software while the third is configured in ring 2, possibly by Windows Defender. It may be a warning that two software are fighting for control of these resources. We may see a constant register change between 0x222 and 0x332. It can appear when we use HwiNFO and Windows Defender tries to use the drivers


If we are in the case 0x332, inside the counter control softwarewe can click on reset drivers. What this does is that a driver moves to ring 3. Defender will detect it, stop working and restore performance.

We additionally have two other solutions we can apply. These are:

  • Disable Windows Defender real-time monitoring, something that is not recommended at all
  • Use the ThrottleStop 9.5 softwarewhich within the window of “Options” includes the function “Windows Defender Boost”. Such action ensures maximum performance and precise control of the effective clock.

We do not know if Microsoft will take action on this matter and fix it in future updates. Most likely, having such a limited impact, it will end up being left like that. They could only correct it if it affects a significant number of users, something that does not seem to be the case.

Related Articles

Leave a Reply

Your email address will not be published.