Last update of Windows Defender causes terribly slow app start when real time protection is active

It seems that something is broken with the last update of Windows Defender. 
COM objects initialization takes long time now.

Previously,  MediaMonkey app with "RegExp Find & Replace" addon started just in 3 seconds.
Now, it starts 60 seconds

If I disable real time protection then it starts in 3 seconds again (original report).

We found that it is caused by COM objects initializations/calls (OLE automation), when the addon is adding an item then new COM object is created and the Defender's real time protection seems to check the COM object creations somehow (via oleaut32.dll)

There is a delay between oleaut32.DispCallFunc callbacks e.g. it is without a delay 10 times and between 11th and 12th call of DispCallFunc there is 0.2 seconds delay.

Can this be looked into by Microsoft? Where could I report the issue to developers?

Moved from: Virus and Malware / Windows Defender / Updating Virus and Spyware Definitions / Windows 10.

Open start and search for feedback and open Feedback Hub app and report this issue.

If you are facing this issue with any third-party app, make sure report it to the app developers too.

Was this reply helpful?

Sorry this didn't help.

Great! Thanks for your feedback.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this reply?

Thanks for your feedback.

The OP is one of the programmers of the mentioned MediaMonkey program and I am the author of the mentioned add-on for their program. So, yes, the app developers are already informed about this problem.

You could blame our softwares about this slow down, but it is a fact that my add-on worked with their program for ten years since Windows XP without this problem. It started just recently after the April Windows 10 Update.

As the OP said, the slow down is only with the Windows Defender Real-Time Protection enabled; if you disable it, the program starts normally.

After detailed investigation, I have found the cause for this problem. It is  because of the MatchCollection object of the RegExp object, which is a part of the Windows scripting engine, that I am using extensively on the startup of the program for parsing of the add-on's presets.

You don't need to install MediaMonkey and my add-on to reproduce this problem. I made one short VBscript which you could try directly from the command line:


Option Explicit

Const iCount = 10000
Dim oRegEx
Dim oMatches
Dim dtTime
Dim i

Set oRegEx = New RegExp
oRegEx.IgnoreCase = True
oRegEx.Global = True
oRegEx.Multiline = False
dtTime = Timer
oRegEx.Pattern = "((?:^(?:Preset\d+ *= *)?|, *)ReplaceWith *: *)(\d+|(?:""(?:[^""]+|"""")*""))(?=( *,|$))"
For i = 0 To iCount
    Set oMatches = oRegEx.Execute("Preset230=Menu: ""Partial manipulations"", Name: ""Move right-specified part of <From Field> between (and including) specified strings to <Into Field>..."", Description: ""This preset modifies two fields at once! -  - If Assign is on, Opening string is """"("""", Closing string is """")"""", Part number = 2 (counting from the right), Copy opening, Copy closing, Remove opening and Remove closing are on: - The Wall (CD2) (41:55) [1979] (source field) -> The Wall (41:55) [1979] (source field) and (CD2) (destination field) -  - If Copy opening and Copy closing are off: - CD2 (destination field) -  - If Remove opening and Remove closing are off: - The Wall () (41:55) [1979] (source field) -  - If Use RegEx option is on, Opening string is """"[([]"""" and Closing string is """"[)\]]"""", it will be copied parts either between """"("""" and """")"""" or """"["""" and """"]""""."", Shortcut: """", Icon: """", Toolbar: 0, FindWhat: ""<If Caption=""""Assign to destination"""" Value=1 ID=1><If Caption=""""Only if destination is empty"""" Value=0 ID=3>^$<Else>^.*<End If><Else Caption=""""Append to:""""><If Caption=""""Only if destination is not empty"""" Value=0 ID=4><End If><If Caption=""""the start of destination"""" Value=1 ID=2>^<If ID:4>(?!$)<End If><Else Caption=""""the end of destination""""><If ID:4>(?!^)<End If>$<End If><End If>"", FindInto: ""Custom 1"", FindRegExp: 1, WholeWord: 0, ReplaceWith: ""LetVar(0, RegSub(<From Field>, """".*("""" & SetVar(1, <If Caption=""""Use RegEx to specify strings"""" Value=0 ID=5><Else>RegSub(<End If>""""<String Caption=""""Opening string"""" Value=""""("""">""""<If ID:5><Else>, """"[$^*()+[\]\\{}|.?]"""", """"\$$&"""")<End If>) & """")(.*)("""" & SetVar(2, <If ID:5><Else>RegSub(<End If>""""<String Caption=""""Closing string"""" Value="""")"""">""""<If ID:5><Else>, """"[$^*()+[\]\\{}|.?]"""", """"\$$&"""")<End If>) & """")(?:.*?"""" & GetVar(1) & """".*?"""" & GetVar(2) & """"){"""" & <Number Caption=""""Part number"""" Value=""""2"""" MinValue=""""1"""" ID=6> - 1 & """"}.*?$<If Caption=""""Move entire source if it doesn't contain specified strings"""" Value=""""0""""><Else>|.*<End If>"""", """"<If Caption=""""Copy opening string"""" Value=""""1"""">$1<End If>$2<If Caption=""""Copy closing string to destination"""" Value=""""1"""">$3<End If>"""")) & <If ID=1>GetVar(0)<Else><If ID:2>GetVar(0) & <End If>IIf(Len(""""$_"""") > 0 And Len(GetVar(0)) > 0, """"<String Caption=""""Separator"""" Value="""" - """">"""", """""""")<If ID:2><Else> & GetVar(0)<End If><End If> & Execute(""""<If ID:1><If ID:3>If Len(<Into Field>) = 0 Then <End If><Else><If ID:4>If Len(<Into Field>) > 0 Then <End If><End If><If Value=""""bReplacing""""><From Field><Else>sResultFrom<End If> = RegSub(<From Field>, """"""""(.*)("""""""" & GetVar(1) & """""""").*("""""""" & GetVar(2) & """"""""<If Caption=""""Remove opening string"""" Value=1 ID=-7>\s*<End If>)(?=(?:.*?"""""""" & GetVar(1) & """""""".*?"""""""" & GetVar(2) & """"""""){"""" & <ID:6> - 1 & """"}.*?$)"""""""", """"""""$1<If ID:-7><Else>$2<End If><If Caption=""""Remove closing string from source"""" Value=1><Else>$3<End If>"""""""")"""")"", ReplaceFrom: ""Title"", ReplaceRegExp: 0, ReplaceVBScr: 1, MatchCase: 0")
MsgBox FormatNumber(Timer - dtTime, 2) & " sec."

I don't have Windows 10, but here are the reports of some users of my add-on that tried this script. The first user reported this:
"Using your code with 10,000 iterations the results:
10,000 iterations
   11.70 secs
   11.41 secs
   11.14 secs
   11.34 secs
Using your code but changing 10,000 iterations to 1,000 iterations
1,000 iterations
   1.13 secs
   1.15 secs
   1.16 secs
   1.15 secs
NO R-T Protection for 10,000 (10k) iterations is 1.83 and 1.84 secs - I ran 4 times. WITH R-T Protection I get 11.53 and 11.45 secs respectively for same iterations."

The same user even tried the same script with the much shorter string for the Execute command, but got just slightly shorter execution:
"Test 1 - shorter Execute: 2 tests 9.64 and 9.57 secs respectively."

Here is that shorter string:
"Preset17=Menu: ""Basic manipulations"", Name: ""Increment Play counter by 1"", Description: """", Shortcut: """", Icon: """", Toolbar: 1, FindWhat: ""^.*"", FindInto: ""Played #"", FindRegExp: 1, WholeWord: 0, ReplaceWith: ""<Into Field> + 1"", ReplaceFrom: ""Track #"", ReplaceRegExp: 0, ReplaceVBScr: 1, MatchCase: 0"

The other user reported this:
"RegExTest2.vbs time is 40.52 seconds"

And the report of the third user:
"I don't have an option to turn of the Win Defender Realtime Protection.
I guess my Kaspersky Antivirus disabled it. But I tried with and without
my antivirus, and it turned out with Kaspersky enabled, the script was
running about 39 secs and with Kaspersky disabled it only took 2 seconds
to complete.

Being curious I tested it on my laptop running Win 10 too but having
Avira Antivirus installed. Interestingly it runs even with Avira RT
Protection enabled in 1.5 secs! Disabling Avira makes it runs in 1.3 secs.

I went further and ran the script on a virtual machine in VirtalBox I'm
using now and then. With Windows Defender enabled it took about 16 secs
to finish, disabling the Win Defender RT Protection made it finish
within 1.6 secs."

I don't know what is going on in the background with Kaspersky AV, but I suppose that it has not disabled Windows Defender and because of that it is slow. Maybe it just removed it from the GUI, but I guess that Defender service is still running.

So, you could see that the Real-Time Protection of the latest Windows Defender update is slowing down such trivial script about 10 times or even more. The MediaMonkey is even slower with the similar short add-on that I made for the test; it executes the same part of code on startup about 100 times slower than latter, when started from the toolbar, which I reported here:

I suppose it will slow down any program using the mentioned MatchCollection object of MS scripting engine on startup as well, so it is not that only my add-on and MediaMonkey are affected.

1 person found this reply helpful


Was this reply helpful?

Sorry this didn't help.

Great! Thanks for your feedback.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this reply?

Thanks for your feedback.


Question Info

Last updated December 9, 2020 Views 1,183 Applies to: