Can one prevent Antimalware Executable from starting to hog the CPU for extended periods each time some network adapter gets active?

One of the most annoying habits in Windows 8 is that the built-in "Antimalware Service Executable" (part of "Windows Defender") starts hogging my device's CPU with 60-70% (and 100% disk) for extended periods EACH AND EVERY time after I wake it up.

I wouldn't mind if it started doing its business IN THE BACKGROUND, but when I wake my device up from standby it's usually to get something done NOW, and thus I find it increasingly unacceptable that the system is always taken over by Windows Defender exactly then and for up to several minutes! If I don't find a solution soon to throttle this beast, then I will disable Defender altogether!

What I noticed is that this process seems to be actually triggered not by the system waking up, but by the network adapter becoming active. And actually, this happens each and every time ANY network adapter gets active! E.g. if my system has NO network connection at all and I plug in the network cable, the Antimalware Service Executable starts. When - after it has settled again - I additionally enable Bluetooth, then the Antimalware Service Executable starts its hogging business again. And if I then additionally enable the WLAN a few minutes later, it will AGAIN start to consume CPU!

So: can one decouple this? Running a scan ONCE after (re-)starting it is definitely enough, especially if Defender hasn't downloaded any new signatures since the last run! And, second, can one convince Defender to run strictly in the background ONLY?

Michael

[Moved from Windows]


Hi Michael,

 

Thank you for choosing Windows 8 and joining us on our Community.

 

From the issue description, I understand that Windows Defender runs the security scan when the system wakes up from sleep mode or when you try to plug a network cable to the computer. And you don’t want this.

 

You would have scheduled Windows Defender to do so. So I would suggest that you unschedule Windows Defender from doing so and check.

 

Follow these steps:

a. Press Windows key + W and type administrative tools.

b. Select Administrative Tools and select Task Scheduler.

c. Follow this path in the left-hand pane: Task Scheduler Library/Microsoft/Windows/Windows Defender

d. Uncheck all the boxes under Idle, Power and Network.

e. Now it won’t scan your computer.

 

For any further queries related to Windows defender, feel free to get back to us any time. We will be glad to assist you.

Regards,
Tadasha Mishra

178 people found this reply helpful


Hi and thanks for responding!

I followed your advice up to item c., but I am lost at item d. I don't see anything referring to idle, power or network on these.

 

What I noticed while walking through the tree is that there seem to be THREE locations that all refer in some way to Windows Defender. I list the "path" (in Task Scheduler) to those tasks, their name, and their action (i.e. the program being triggered and the options):

 

Task Scheduler Library => Microsoft => Microsoft Antimalware:  1 task:

     Microsoft Antimalware Scheduled Scan

           c:\Program Files\Microsoft Security Client\MpCmdRun.exe Scan -ScheduleJob -RestrictPrivileges

 

Task Scheduler Library => Microsoft => Windows => Windows Defender:  4 tasks:

     Windows Defender Cache Maintenance

          %ProgramFiles%\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdCacheMaintenance

     Windows Defender Cleanup

          %ProgramFiles%\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdCleanup

     Windows Defender Scheduled Scan

          %ProgramFiles%\Windows Defender\MpCmdRun.exe Scan -ScheduleJob

     Windows Defender Verification

          %ProgramFiles%\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdVerification

 

Task Scheduler Library => Microsoft => Windows Defender: 2 tasks:

     MP Scheduled Scan

          c:\program files\windows defender\MpCmdRun.exe Scan -ScheduleJob -WinTask -RestrictPrivilegesScan

     MpIdleTask

          c:\program files\windows defender\MpCmdRun.exe -IdleTask -TaskName MpIdleTask

 

What I find odd is that there are TWO different paths to an executable of the same name MpCmdRun.exe, i.e.:

- c:\Program Files\Microsoft Security Client\MpCmdRun.exe

- c:\Program Files\Windows Defender\MpCmdRun.exe

Is this the same program or are these different programs and/or versions?

 

And are really ALL of these tasks necessary? Or have I inherited some old settings (my Windows 8 installation was upgraded in-place from an earlier Windows 7 installation)?

 

Michael

 

22 people found this reply helpful


The CPU problem reported here isn’t being caused by a scan that was scheduled by a user – the issue is either that the daily Windows Defender scheduled scan (that’s run by Automatic Maintenance) is failing to yield to user activity as it should; or perhaps that some kind of intensive network activity is being monitored by the Windows Defender filter driver (real-time protection); or that normal network activity is being monitored by multiple filter drivers, etc.

Assuming that the problem is a runaway scan, you can’t “unschedule” it by modifying the items in the task's “Conditions” tab as the “Most Helpful Reply” would have it. The Windows Defender Scheduled Scan task only has one of these items checked – and that’s the “Start the task only if the computer is on AC power” option. Unchecking that option won’t prevent the task from running; and in fact it will have just the opposite effect, because it will allow the task to run on a laptop that’s on battery power. Unchecking any of the “only if” options in the “Conditions” tab for any task will always increase the chances of that task running, rather than prevent it from running.

You can disable the scheduled scan task by right-clicking and selecting “Disable”, but that won’t stop the other Automatic Maintenance tasks from running shortly after startup; so what you should do is reschedule Automatic Maintenance for a time when the PC will be on but not in use (by clicking on the “Change maintenance settings” link in the Action Center) and see if that makes any difference.

Since Automatic Maintenance runs strictly on idle-time in its default mode, and stops almost immediately with any user activity, it shouldn’t be causing a problem like this – while on the other hand, the excessive CPU utilization would make perfect sense if you had upgraded without uninstalling MSE, or if the old Windows Defender service somehow wasn’t disabled with the upgrade. But I can’t really tell what’s going on there, because you appear to have leftover scheduled scan tasks from both of those programs.

[Edited for additional resources 11/10/2015]

Excessive CPU utilization by Windows Defender’s Antimalware Service (MsMpEng.exe) usually means that Windows Defender’s real-time protection (on-access scanning) is being overworked by having to scan files that are being accessed by an unwanted or errant process. The troublesome process might turn out to be malware, a bad device driver, or an overactive logging utility – but in most cases the problematic process will be a component of a third-party AV app, and this can be removed by uninstalling the third-party app and then downloading and running its cleanup utility.

Conversely, if you install a third-party AV app that isn't fully compatible with Windows 10, it might not register properly with the Windows Security Center, in which case the Security Center might not automatically disable Windows Defender like it's supposed to in order to prevent it from conflicting with the new AV app. In this case you might need to turn off Windows Defender via Group Policy:

How do I deal with excessive CPU utilization by the Windows Defender Antimalware Service?

The Windows Defender Scheduled Scan task is a Windows system task that’s run by Windows Automatic Maintenance (not a user-scheduled task). Automatic Maintenance is scheduled to run daily, but it won’t start until the system enters an idle state. Then whenever you start using your PC, Automatic Maintenance should cease almost immediately. You can determine whether or not Automatic Maintenance is functioning normally by just leaving the Windows Defender interface open and monitoring the scheduled scan’s behavior. If Automatic Maintenance isn’t yielding when you start using your PC, then disabling the scheduled scan task might be helpful:

How do I edit a scheduled task?

What do the task’s conditions settings do?

How do I disable a scheduled task?

[End edit]

GreginMich

35 people found this reply helpful


Ok - I will try to get rid of at least some of these. Can you by chance tell from the above list which ones are the Windows 8 "variants" (my intent is to then delete (or at least disable) the leftover Windows 7 settings)?

2 people found this reply helpful


Only this group of tasks is part of Windows 8:

 

Task Scheduler Library => Microsoft => Windows => Windows Defender:  4 tasks:

     Windows Defender Cache Maintenance

          %ProgramFiles%\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdCacheMaintenance

     Windows Defender Cleanup

          %ProgramFiles%\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdCleanup

     Windows Defender Scheduled Scan

          %ProgramFiles%\Windows Defender\MpCmdRun.exe Scan -ScheduleJob

     Windows Defender Verification

          %ProgramFiles%\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdVerification

 

So you can either disable or delete the others. But the more important question is whether Security Essentials is installed, or whether the old Windows Defender might still be active, since both of those programs are incompatible with Windows 8 (and they’re also mutually incompatible).

 

 

GreginMich

3 people found this reply helpful
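Added example, not part of any post in this thread: a read-only PowerShell audit that lists every scheduled task launching MpCmdRun.exe, marks the ones outside the Windows 8 folder named in the reply above as possible leftovers, and shows each task's "Conditions" settings. It assumes the ScheduledTasks module (Windows 8 and later) and an elevated prompt; the service name MsMpSvc for Security Essentials is an assumption and does not appear in the thread.

```powershell
# Added example: read-only audit, changes nothing on the system.
# Assumption: run from an elevated PowerShell prompt on Windows 8 or later.

# Task folder the thread identifies as the one that belongs to Windows 8.
$nativePath = '\Microsoft\Windows\Windows Defender\'

$report = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Only "start a program" actions have Execute; match on the binary name.
        if ($action.Execute -and $action.Execute -match 'MpCmdRun\.exe') {
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                Origin     = if ($task.TaskPath -eq $nativePath) { 'Windows 8' } else { 'Leftover?' }
                TaskPath   = $task.TaskPath
                TaskName   = $task.TaskName
                State      = $task.State
                Command    = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
                # "Conditions" tab: each True value restricts when the task may start,
                # so clearing one makes the task MORE likely to run, not less.
                OnlyIfIdle = $task.Settings.RunOnlyIfIdle
                OnlyOnAC   = $task.Settings.DisallowStartIfOnBatteries
                OnlyIfNet  = $task.Settings.RunOnlyIfNetworkAvailable
                LastRun    = $info.LastRunTime
                LastResult = '0x{0:X}' -f $info.LastTaskResult
            }
        }
    }
}

$report | Sort-Object Origin, TaskPath, TaskName | Format-List

# Which antimalware services exist on this machine?
# WinDefend = Windows Defender; MsMpSvc = Security Essentials (assumed name).
Get-Service -Name WinDefend, MsMpSvc -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status
```

Rows marked `Leftover?` whose command points at a different program folder than the Windows 8 tasks are the entries the thread suggests disabling or deleting.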


> ... whether Security Essentials is installed, or whether the old Windows Defender might still be active...

 

I would have expected a decent upgrade installer to take care of such issues! But it fits into my picture of Windows 8 by now. If there were an easy way to retrograde, I wouldn't hesitate for a second!

I consider it my worst IT-related decision of the last half year to upgrade to Win8!

 

M.

 

3 people found this reply helpful


I’m not sure how the upgrade handles things when the old Windows Defender is enabled; but it probably does a better job with the old Windows Defender than it does with Security Essentials: If Security Essentials is installed, you might have to remove it with the Microsoft “Fix it” uninstaller:

http://support.microsoft.com/mats/Program_Install_and_Uninstall

 

...following the directions provided here:

http://answers.microsoft.com/en-us/protect/forum/mse-protect_start/uninstalling-mse/a63b8c4b-58ed-437e-8086-fa08d80725a4

 

 

GreginMich

2 people found this reply helpful


Even after Fix-It and disabling the "superfluous" versions of these tasks, Defender kept hogging my system for minutes EACH and every time I started it up or changed any network-related setting. This was just too annoying, so I finally disabled this piece of **** completely.

13 people found this reply helpful


That worked a treat, now all I need to do is get shot of some background guff and this p-o-s is almost better than a sharpened stick

5 people found this reply helpful


I have admin rights on my Win8 PC, and in the Task Scheduler Library/Microsoft/Windows/Windows Defender, the condition "Power" has a checkmark but it is greyed out so I cannot remove the checkmark. How to "ungrey" this condition?

43 people found this reply helpful



 
 

Question Info


Last updated April 20, 2024 Views 1,523,122 Applies to: