MsMpEng.exe

Cameo

When this Security Essential program kicks in, it uses up almost 100% of
CPU. It slows down bootup to an annoying degree but it also kicks in
other times as well for a few minutes though I could not nail down a
pattern of that yet. Googling up this program, it seems a lot of people
have this same problem but I have not seen a satisfactory solution for
it. Has anybody found one on this NG?
 
VanguardLH

Cameo said:
When this Security Essential program kicks in, it uses up almost 100% of
CPU. It slows down bootup to an annoying degree but it also kicks in
other times as well for a few minutes though I could not nail down a
pattern of that yet. Googling up this program, it seems a lot of people
have this same problem but I have not seen a satisfactory solution for
it. Has anybody found one on this NG?

MSSE does a lot of interrogation on Windows startup and login somewhat
in proportion to all the programs you choose to include on Windows
startup and your account login. So, yes, it can get in the way because
it runs its processes at normal priority. Also, when MSSE gets an
update your host will get whacked with high CPU consumption, too, and
also during any time that you schedule it to run an on-demand scan.

I had MSSE too often get in my way because of the host becoming overly
unresponsive when MSSE got busy. That occurred during Windows startup
and account login, during updates, and during scheduled scans (despite
configuring it to wait until the host became idle). I got rid of the
scheduled scans because all that does in any AV program is look for
quiescent pests (i.e., those that got deposited on the host while the AV
program was disabled since, if the AV program were enabled, then its
on-access scanner would detect the same pests as does its on-demand
scanner by byte signature and heuristics). Yet even getting rid of the
scheduled scans still had MSSE impact the use of my host during its
updates and always nailed me when I started Windows. I eventually went
back to Avast; however, I had to reinstall *without* their Script Shield
(disabling it wouldn't get rid of the problems it introduced) since, for
example, it interferes with apps that use internal scripts to regulate
their skins or color theme, like Windows Media Player. I can't use
Avira because a 4-year old bug reappeared in a recent version: any
program that queries a removable storage device (like using SMART to
gather drive stats or query its interface to determine the type of
device (neither of which actually access the drive's media)) results in
Avira continually re-polling that device at 1-minute intervals which
means USB-attached drives won't sleep and the floppy drive keeps getting
re-accessed to wear it out. Also, although both Avast and Avira are
adware, the only time you see it in Adware is when you open its
configuration dialog whereas Avira shoves their adware in your face when
it collects an update (workarounds are available but I typically get rid
of adware-in-your-face-crap rather than workaround the insult).

The only way you'll get rid of the impact in responsiveness of your host
is to get rid of MSSE and move to a different AV program; however, every
security program you install on your host will impact it to some degree.
Interrogation always takes time and consumes resources. Some AV
products less impact the host. When Avast or Avira gets their updates
then, yes, there is some impact to my host but it is much less than with
MSSE. There is also much less impact during Windows startup and account
login with the 3rd party AV products than with MSSE even with lots of
startup programs.
 
Tim Meddick

Open the MSSE control, by double-clicking its tray-icon, and then click on
the "Settings" tab across the top.

In MSSE settings, click on "Exclude processes"

Now add to the list *every* process that is started from the registry "Run"
keys...

(e.g. HKCU or HKLM ...\Software\Microsoft\Windows\CurrentVersion\Run)

This is the main reason for MSSE taking up system resources - its resident
detection scanning the activity of programs that are accessing system areas
it deems as "sensitive"

Placing possible targets of MSSE's scrutiny into the excluded
processes-list should sort the problem.

In addition to this, you may find system resources being overtaken, and CPU
usage going up to 100%, when accessing certain folders.

Usually, this will be folders that contain numbers of executable [*.exe]
files.

Again, the answer is to add the path of any folders you experience this
problem with, into the "Exclude files and locations" list in the same way
as you would do with the "Exclude processes" list.



==

Cheers, Tim Meddick, Peckham, London. :)
 
Cameo

Tim Meddick said:
Open the MSSE control, by double-clicking its tray-icon, and then
click on the "Settings" tab across the top.

In MSSE settings, click on "Exclude processes"

Now add to the list *every* process that is started from the registry
"Run" keys...

(e.g. HKCU or HKLM ...\Software\Microsoft\Windows\CurrentVersion\Run)

This is the main reason for MSSE taking up system resources - its
resident detection scanning the activity of programs that are
accessing system areas it deems as "sensitive"

Placing possible targets of MSSE's scrutiny into the excluded
processes-list should sort the problem.

In addition to this, you may find system resources being overtaken,
and CPU usage going up to 100%, when accessing certain folders.

Usually, this will be folders that contain numbers of executable
[*.exe] files.

Again, the answer is to add the path of any folders you experience
this problem with, into the "Exclude files and locations" list in the
same way as you would do with the "Exclude processes" list.

Thanks, but I have no idea which of the HKCU and HKLM files should go
into the excluded Processes list and which to the files and location
list.
 
Cameo

Smirnoff said:
Are you using any other "real time" antimalware programmes?

No. I used to have AVG 2011 installed but got tired of it becoming
bloated, so I uninstalled it and installed MSSE instead. However, little
did I know at that time about MsMpEng.exe and its CPU-grabbing behavior.
 
Tim Meddick

There's no problem in placing all the entries into *both* the "Excluded
Processes" list and to the "Files and location" list.

Once there, MSSE is aware the entries in the exclude-lists are bona-fide
and so MSSE will no-longer keep focusing valuable resources, checking these
start-up programs/processes, over and over again...

==

Cheers, Tim Meddick, Peckham, London. :)




 
Zaphod Beeblebrox

Tim Meddick said:
Cameo said:
Tim Meddick said:
Open the MSSE control, by double-clicking its tray-icon, and then
click on the "Settings" tab across the top.

In MSSE settings, click on "Exclude processes"

Now add to the list *every* process that is started from the
registry "Run" keys...

(e.g. HKCU or HKLM
...\Software\Microsoft\Windows\CurrentVersion\Run)

This is the main reason for MSSE taking up system resources - its
resident detection scanning the activity of programs that are
accessing system areas it deems as "sensitive"

Placing possible targets of MSSE's scrutiny into the excluded
processes-list should sort the problem.

In addition to this, you may find system resources being
overtaken, and CPU usage going up to 100%, when accessing certain
folders.

Usually, this will be folders that contain numbers of executable
[*.exe] files.

Again, the answer is to add the path of any folders you experience
this problem with, into the "Exclude files and locations" list in
the same way as you would do with the "Exclude processes" list.

Thanks, but I have no idea which of the HKCU and HKLM files should
go into the excluded Processes list and which to the files and
location list.

There's no problem in placing all the entries into *both* the
"Excluded Processes" list and to the "Files and location" list.

Once there, MSSE is aware the entries in the exclude-lists are
bona-fide and so MSSE will no-longer keep focusing valuable
resources, checking these start-up programs/processes, over and over
again...

Which seems like a bad idea - if one of those were to become infected
with or replaced by malware, it would no longer be scanned. If your
anti-virus scanner is that slow, the answer isn't to have it scan less
in an effort to speed it up, the answer is to either correct the
problem with the scanner or to replace it with a better one.

To the OP: My experiences with MSE have been, shall we say, less than
satisfying. Give Avast a try (free version available on their website
at http://www.avast.com/free-antivirus-download), it has worked well
for me. Others have had good experiences with Avira.

--
Zaphod

Arthur: All my life I've had this strange feeling that there's
something big and sinister going on in the world.
Slartibartfast: No, that's perfectly normal paranoia. Everyone in the
universe gets that.
 
Tim Meddick

If your PC is working so slowly as to not allow you to do any work, while
MSSE checks out whether Windows Explorer is who he says he is for the
10,000th time this year - then, personally, I would be willing to take the
risk.

But you are right.

==

Cheers, Tim Meddick, Peckham, London. :)




 
Cameo

Tim Meddick said:
There's no problem in placing all the entries into *both* the
"Excluded Processes" list and to the "Files and location" list.

Once there, MSSE is aware the entries in the exclude-lists are
bona-fide and so MSSE will no-longer keep focusing valuable resources,
checking these start-up programs/processes, over and over again...

That's exactly what I did but I could not see any difference in the
outcome. What's interesting is that on my 64-bit Win7 laptop, that also
runs MSSE, I don't see the MsMpEng.exe process running at all. Instead,
there is this one: msseces.exe. It does not use much CPU.
 
Tim Meddick

XP also uses the process : "msseces.exe" - started from the
HKEY_LOCAL_MACHINE 's "run-key" :

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

"MSC"=""C:\Program Files\Microsoft Security
Client\msseces.exe" -hide -runkey"

That is, if you are using the latest version [2.0.657.0]

But, anyway, the [MsMpEng.exe] process is the Anti-Malware "resident
shield" service part of MSSE's protection, and is the part that is
responsible for implementing real-time monitoring of other processes
[potentially suspicious] behaviour.

[MsMpEng.exe] is started as a background service which you can see in the
"Local Services" mmc console (services.msc) as the Microsoft Antimalware
Service.

==

Cheers, Tim Meddick, Peckham, London. :)
 
Cameo

Smirnoff said:
OK but have you used all of them?

Yes, AVG and TrendMicro were all I've had before MSSE.

1. It may be that if you bought a previously set up system such as a
Dell, they often come with pre-installed 30-day "free trials" for
Norton or McAfee or the like. Uninstalling them still leaves registry
entries and they need to be removed.

I built this XP system myself from components, so that does not apply.
That's also the reason I've been hanging on to it this long (emotional
attachment ;-)

2. You may have tried other "freebies" in the past, just uninstalled
them and forgotten about them.

Well, if I have forgotten about them, I still can't remember them.

3. As other posters have suggested, have you checked what runs at
start up? Unnecessary start up programmes cause processes to run that
MSE has to check. Start>Run>msconfig>enter will enable you to click
the startup tab and allow you to see the programmes listed. How many?
Do you really need them running? If not, open the relevant application
and go into Options/Preferences. There is usually an option to
untick/uncheck to stop them running at start up.

I've checked all the startup stuff with MsConfig and don't have anything
there that should not be started.

4. In XP, MSE should have uninstalled Windows Defender when itself was
installed. Did it? If not, uninstall it.

I've never had W. Defender installed.

I'm afraid this MsMpEng problem is too widespread to be just a problem
with my particular XP config. Just Google it up.
 
VanguardLH

Zaphod said:
Which seems like a bad idea - if one of those were to become infected
with or replaced by malware, it would no longer be scanned.

Alas, most AV products that have an exclude list do not save a hash of
the file(s) specified or all the file(s) under a folder specified. That
would be the only way the AV program would know the file got modified
either due to an update, by the user, or by malware (and require you to
reauthenticate the file(s) for exclusion if it noticed the hash change).
Most exclude lists are merely a path operation and the file could change
without the AV program ever being aware of the change.

Excluding a file punches a hole in the product's security unless THAT
particular file by its calculated hash value is tracked at the time of
exclusion.
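
An added illustration of the point in the post above (not part of the thread, and not how MSSE or any AV product is implemented): a path-only exclusion keeps matching after the file's content changes, while an exclusion pinned to a SHA-256 recorded at approval time stops matching. The class and file names are hypothetical and the sample file is constructed.

```python
import hashlib
import os
import pathlib
import tempfile


def sha256_of(path):
    """Stream the file so large executables are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class PinnedExclusions:
    """Exclusion list keyed by normalised path, each entry pinned to a hash."""

    def __init__(self):
        self._pins = {}

    @staticmethod
    def _key(path):
        return os.path.normcase(os.path.realpath(path))

    def approve(self, path):
        """Record the content hash at the moment the user excludes the file."""
        self._pins[self._key(path)] = sha256_of(path)

    def path_only_skip(self, path):
        """What a plain path match does: the content is never consulted."""
        return self._key(path) in self._pins

    def should_skip(self, path):
        """Skip scanning only if the path is excluded AND content is unchanged."""
        pinned = self._pins.get(self._key(path))
        if pinned is None:
            return False
        try:
            return sha256_of(path) == pinned
        except OSError:
            return False  # missing or unreadable: do not trust the exclusion


def demo():
    """Constructed sample: a stand-in startup program that is later overwritten."""
    with tempfile.TemporaryDirectory() as d:
        exe = pathlib.Path(d) / "startup_tool.exe"
        exe.write_bytes(b"original vendor build")
        ex = PinnedExclusions()
        ex.approve(exe)
        before = (ex.path_only_skip(exe), ex.should_skip(exe))
        exe.write_bytes(b"replaced content")  # update, user edit, or malware
        after = (ex.path_only_skip(exe), ex.should_skip(exe))
        return before, after
```

`demo()` returns the (path-only, hash-pinned) decisions before and after the file is overwritten; only the hash-pinned check withdraws the exclusion.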
 
VanguardLH

Cameo said:
What's interesting is that on my 64-bit Win7 laptop, that also runs
MSSE, I don't see the MsMpEng.exe process running at all.

So maybe you disabled the on-access (realtime) scanner for MSSE. Go
look at Settings -> Real Time Protection.
 
Cameo

VanguardLH said:
So maybe you disabled the on-access (realtime) scanner for MSSE. Go
look at Settings -> Real Time Protection.

All the boxes are checked on the Real-time protection panel on both
the XP and W7 system. Interesting though that the W7 panel has a box
that does not exist on XP: its title is "Enable Network Inspection
System."
 
