MsMpEng.exe (1.1.1051.0) 95% CPU and heavy disk usage

Guest

The process MsMpEng.exe (1.1.1051.0) is using 95% of my CPU and creates heavy
disk usage for a very long time. After a few hours tired of waiting to use my
computer, I killed the process and my computer is back to normal again. I
have had no problems with Antispyware, but this Defender 2 is giving me lots
of problems. It seems a lot of other people are having problems too. Normally
beta 2s are a lot more stable than beta 1, but this beta 2 is the worst I
have seen in about 20 MS beta programs I have been part of. Please re-release
beta1 until you have a decent beta 2 refresh.

Is there an update coming out soon? Is 1.1.1051.0 the only one released so
far?
 
Bill Sanderson

Take a look at Help, about, for the engine version. This has revved once
since release, as part of the signature update to 1.13.1282.6.

I believe this is the Windows Defender service, responsible for real-time
protection. Not sure what might be happening in your case--what other
real-time scanners are active at the same time? Was mpcmdrun.exe active at
the same time? mpcmdrun does scans in the background, and signature
updates-- I don't know if msmpeng.exe sees an increase in cpu usage as part
of a scheduled background scan, for example.
 
Guest

I'm getting the same results doing a Full Scan. The only processes running
are MSASCui.exe and MsMpEng.exe. MsMpEng.exe is the one hogging the
resources. I noticed it when trying to scan a .JPG file. This .JPG file is
packed inside a rather large (358 MB) ZIP File. I never had this problem
when doing a Full Scan with Windows Antispyware Beta 1. Any suggestions?
 
Bill Sanderson

Not really--about all I can suggest is this:

based on a description in these groups from a Microsoft poster, I've adopted
the following general methodology on scans:

1) do a quickscan. If something is found, follow up with a fullscan.

I do fullscans on servers late at night, just to catch anything not active
that might get left lying around by a user.

The intent is that a quickscan be enough to detect an actual active
infection--so I think the default of quickscans on workstations is probably
enough. A fullscan is much more intensive--more files, and checksums on all
of them.

--
 
Guest

Yes I think it is the service of Defender. I don't have other AntiSpyware on
my machine. The only thing I have is the Symantec Antivirus 10.0.2.1000 (the
latest I believe).

I have a brand new AMDx2 cpu and 2GB ram and no other programs or services
running more than 0-2% cpu. MsMpEng.exe runs on full CPU on one of my cores
and the disk is really working. I left it for about 5 hours before killing it
to see if it could complete the action, but it never does.

This happened when I clicked apply actions (ignore or always allow VNC
application).

I re-installed beta 1 which works fine (apart from the user-hostile
GUI).

/Niklas
 
Bill Sanderson

I've a similar action on at least 3 or 4 machines (clicked ignore always
after a scheduled scan detection of a VNC variant)--with no such effects,
I'm pleased to say.

I have, however, seen a situation in which the operation of doing the
cleaning steps after a scan seemed to go on forever--i.e. across several
restarts of a machine. I didn't observe the CPU being pegged, however--it
was an old and not speedy Windows 2000 pro machine.

--
 
Guest

I have similar behavior on a 3GHz 1GB HT Xeon workstation where MsMpEng.exe
uses close to 95% of the CPU and heavy disk usage. My brief experiments
suggest that this happens during a full scan, which, if scheduled, appears to
take place in the background without the Defender GUI being visible. A
method that I tried to get back control of my PC was to open Defender
whereupon it will say that it is scanning. Stopping the scan doesn't stop
the MsMpEng.exe process, but does stop it from using CPU time and disk usage.
Of course, this defeats the purpose, but at least you get your PC back and
you can defer the scan to a later time. I assume that killing the process
fails (it restarts) due to some recovery and/or robustness built into the
process. When I let the full scan run at off hours, it does take all the CPU
time it can get and takes hours to finish, but that's another issue I don't
want to get into here. My Defender Help About version is 1.1.1347.0.

Maybe this will at least help you "reclaim" your PC back from Defender.

Regards,
Ray
 
Dave M

Hello Ray, Mr_Grimm, Niklas;
Can you confirm for me that your machine has Hyper-Threading enabled in the
Bios, if it's capable of that. I've been able to reproduce high CPU levels
with peaks at 100% CPU when I've disabled Hyper-Threading during a full
system scan. My CPU never exceeds 50% if Hyper-Threading is enabled during
such scans. I believe by default WD is set to have processor affinity,
since 50% maximum CPU would be the expected result.

The MS recommendation is to run quick scans unless something is detected,
and then follow up with a full system scan, although you may want to run a
full scan manually perhaps on a monthly basis at a time when you can afford
the performance impact.
 
Guest

Hello Dave,

I can confirm that Hyper-Threading is enabled in my BIOS. The 95% I was
referring to was loose terminology referring to a single CPU hyperthread.
Specifically, the WD CPU load varies greatly depending upon what appears to
be the size and locations of files on the disk. I have a 4-disk RAID-0
configuration which can often keep the CPU fully busy if the file region
being scanned is more or less contiguous or has a small number of large
files. Other areas, where the files are small or widely scattered, result in
disk-limited performance and much lower CPU usage. The worst-case CPU usage
regions use about 95% of one hyperthread and about 25% of the other (maybe
file system OS threads servicing the file accesses?) for a total CPU usage
around 50 - 60% with an average around 55%. These numbers come from watching
Win XP's Task Manager.

If the algorithm requires reading the contents of every file, disk and CPU
usage will inevitably be high. One other possibility is to spread out the
usage over time (let the scan run slowly all day) or make the scan process
priority as low as possible so foreground tasks get precedence. The latter
is simple to implement, so I assume that that may already be done.

I wasn't aware of MS's recommendations, but I came to pretty much the same
conclusions and agree with them and have configured my system to use quick scans
nightly and full scans manually.

If MS is looking for WD feedback, a better scheduling system that would
allow separate schedules for quick (nightly) and full (weekly) scans with a
choice of day of week (Saturday or Sunday) and start time would be valuable
for creating a "set and forget" environment.

Regards,
Ray
 
Bill Sanderson MVP

Full scans are intense. The help file recommends regularly scheduled quick
scans, and a full scan if something is found. The quick scan is smart--it
starts with ram and what is running, and works outward from there--so the
content and length of a scan can vary, even if you run several in quick
succession. I do see reports here, however, of scans taking hours even with
a quick scan, and don't have a clear picture of what's going on with those
systems. On the range of systems I work with quick scans take from 45
seconds to perhaps 20 minutes or so.

--
 
Bill Sanderson MVP

I can test that--I'll see if I can remember, once OneCare finishes its
(interminable!) tuneup.

--
 
Bill Sanderson MVP

EngineerRay said:
If MS is looking for WD feedback, a better scheduling system that would
allow separate schedules for quick (nightly) and full (weekly) scans with a
choice of day of week (Saturday or Sunday) and start time would be valuable
for creating a "set and forget" environment.

Feedback is definitely sought, and this is the place to post it. A
Microsoft staffer has already posted that the scheduling within the app is
not likely to change. However:

The scheduled scan is done as a hidden scheduled task, using the Windows
Scheduled task facility--if you open that, and (on XP) go to advanced, show
hidden tasks, you can see the command line used.

mpcmdrun.exe is a console mode program, in the windows defender installation
folder, and you can see the parameters it takes by just running it at a
command prompt. You can schedule scans to your taste, including definition
updates, using the Windows scheduled tasks facility.
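
Added example, not part of the original post: one way to build the separate quick (nightly), full (weekly) and definition-update schedules discussed above with the Windows scheduled tasks facility. The install path, the task names and times, and the `-Scan -ScanType` / `-SignatureUpdate` switches (taken from current MpCmdRun.exe builds, which may differ from the beta in this thread) are assumptions; run mpcmdrun.exe with no arguments to confirm what your version accepts.

```powershell
# Added example: register three scheduled tasks that call MpCmdRun.exe.
# Assumptions: install path below, switches of current MpCmdRun.exe builds,
# and illustrative task names/times. Run from an elevated PowerShell prompt.
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
if (-not (Test-Path $mpCmdRun)) {
    throw "MpCmdRun.exe not found at $mpCmdRun; adjust the path for this machine."
}

$jobs = @(
    @{
        Name      = 'Defender definition update (example)'
        Arguments = '-SignatureUpdate'
        Trigger   = New-ScheduledTaskTrigger -Daily -At '01:30'
    },
    @{
        Name      = 'Defender quick scan nightly (example)'
        Arguments = '-Scan -ScanType 1'      # 1 = quick scan
        Trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
    },
    @{
        Name      = 'Defender full scan weekly (example)'
        Arguments = '-Scan -ScanType 2'      # 2 = full scan
        Trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At '03:00'
    }
)

# Run as SYSTEM so no user has to be logged on at the scheduled time.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Catch up after a missed start, and stop a scan that runs for hours on end.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Hours 6)

foreach ($job in $jobs) {
    $action = New-ScheduledTaskAction -Execute $mpCmdRun -Argument $job.Arguments
    Register-ScheduledTask -TaskName $job.Name -Action $action `
        -Trigger $job.Trigger -Principal $principal -Settings $settings -Force |
        Out-Null
}

# List what was registered so the schedule can be reviewed.
Get-ScheduledTask | Where-Object TaskName -like '*(example)' |
    Select-Object TaskName, State
```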
 
