Antimalware Service Executable High CPU Usage? Don’t Rush to Disable Defender

A practical guide to troubleshooting Antimalware Service Executable high CPU usage: identify the trigger, adjust scan schedules, add exclusions carefully, and understand the risks of disabling Windows Defender.

Antimalware Service Executable is the core process of Windows Defender, usually named MsMpEng.exe. It handles real-time protection, file scanning, and scheduled security checks. Occasional CPU spikes are normal, but if it keeps the CPU busy for a long time, startup, games, builds, decompression, and video editing can all become noticeably slower.

When this happens, do not make permanently disabling Windows Defender your first step. A safer approach is to find out why CPU usage is high, then fix the specific trigger. Very few cases truly require turning off protection, and if you do, you need an alternative security plan.

First Check Whether It Is Normal Scanning

Open Task Manager. If Antimalware Service Executable uses CPU for a short period, watch it for a few minutes first. These situations commonly trigger scans:

  • Right after startup;
  • After a Windows update;
  • Downloading or extracting many files;
  • Opening a large code repository;
  • Building a project or generating many temporary files;
  • Games, editing software, or virtual machines frequently reading and writing cache;
  • Defender running a scheduled scan.

If CPU usage lasts only briefly and then returns to normal, you usually do not need to do anything. The cases worth optimizing are long-running high usage, or repeated freezes whenever you open a specific folder or application.

Method 1: Adjust the Windows Defender Scheduled Scan

If high CPU usage often appears at fixed times, such as after startup, during lunch, or when the PC is idle, it may be caused by a scheduled scan.

You can adjust it like this:

  1. Press Win + S, search for and open “Task Scheduler.”
  2. Expand “Task Scheduler Library > Microsoft > Windows > Windows Defender.”
  3. Find Windows Defender Scheduled Scan.
  4. Right-click it and open “Properties.”
  5. In “Triggers,” move the scan time to a period when you rarely use the computer.
  6. In “Conditions,” disable wake or idle triggers that you do not need.

Do not delete Defender’s scheduled task directly. It is better to move scanning to a time when you are not using the PC. That reduces stutter while keeping basic security checks.
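To confirm that the spikes line up with scheduled scans before changing any trigger, the read-only PowerShell below lists Defender's scheduled tasks and recent scan events. It is an added example, not part of the original article, and assumes an elevated PowerShell session on the affected PC; the 7-day window is an arbitrary choice.

```powershell
# Added example: see when Defender scans actually ran. Nothing here changes settings.

# 1. Defender's scheduled tasks, with the wake/idle settings referred to in step 6.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' | ForEach-Object {
    $task = $_
    $info = $task | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Task          = $task.TaskName
        State         = $task.State
        LastRun       = $info.LastRunTime
        NextRun       = $info.NextRunTime
        WakeToRun     = $task.Settings.WakeToRun
        RunOnlyIfIdle = $task.Settings.RunOnlyIfIdle
        Triggers      = @($task.Triggers).Count
    }
} | Format-Table -AutoSize

# 2. Scan started (1000), finished (1001) and stopped (1002) events from the
#    Defender operational log for the last 7 days.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1000, 1001, 1002
    StartTime = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# 3. Start and end of the last quick and full scans as Defender reports them.
Get-MpComputerStatus |
    Select-Object QuickScanStartTime, QuickScanEndTime, FullScanStartTime, FullScanEndTime
```

If the event times match the periods when the PC felt slow, moving the trigger is the right fix; if they do not, the load is more likely coming from real-time protection reacting to file activity.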

Method 2: Add Exclusions for High-Write Directories

If Defender spikes every time you open a project, game, virtual machine, or editing cache, consider adding exclusions.

Good candidates are usually directories like:

  • Local code repositories, such as large node_modules, build directories, or cache directories;
  • Game installation directories or shader caches;
  • Video editing caches, proxy files, and export caches;
  • Virtual machine disk file directories;
  • Large trusted datasets.

To add an exclusion:

  1. Press Win + I to open “Settings.”
  2. Go to “Privacy & security > Windows Security.”
  3. Click “Open Windows Security.”
  4. Go to “Virus & threat protection.”
  5. Under “Virus & threat protection settings,” click “Manage settings.”
  6. Scroll to the bottom and open “Add or remove exclusions.”
  7. Click “Add an exclusion,” then choose a folder or file type.

Be careful: more exclusions are not better. Only exclude large directories that you trust, clearly understand, and know are read or written frequently. Do not casually exclude Downloads, Desktop, browser cache, or temporary folders, because unknown files are more likely to appear there.

Do not exclude the entire system drive. That severely weakens real-time protection and carries high risk.

Method 3: Avoid Defender Scanning Itself in a Loop

Sometimes Defender repeatedly scans its own activity or security software logs, causing a scanning loop. Instead of disabling all protection, the safer choice is to add only the necessary process or folder exclusion.

The common approach is to check what Defender is scanning during the high-CPU period. If Resource Monitor, Event Viewer, or Windows Security shows a specific path, exclude only that confirmed trusted directory.
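Besides the tools named above, Defender's PowerShell module includes a performance recorder that reports which files, extensions and processes consumed the most scan time. The following is an added example, not part of the original article; the trace file name and the 60-second duration are assumptions, and the session must be elevated.

```powershell
# Added example: record Defender scan activity during the slowdown, then summarize it.

$admin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
         ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $admin) { throw 'Run this from an elevated PowerShell session.' }

# Hypothetical trace location; any writable path works.
$trace = Join-Path $env:TEMP 'defender-scan-trace.etl'

# Reproduce the slowdown (open the project, start the build, launch the game)
# while this recording runs.
New-MpPerformanceRecording -RecordTo $trace -Seconds 60

# Top files, extensions, processes and individual scans ranked by scan time.
Get-MpPerformanceReport -Path $trace -TopFiles 10 -TopExtensions 10 -TopProcesses 10 -TopScans 10

# The trace records file paths from this PC, so delete it once you have the answer.
Remove-Item $trace
```

A directory that dominates the top-files list is the candidate for a targeted exclusion, provided it is one you trust.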

Do not blindly copy long exclusion lists from the internet. Many lists exclude critical system folders, Downloads, and script directories. That may reduce CPU usage in the short term, but it also lowers protection quality.
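The warnings in Method 2 and in the paragraph above can be checked against what is actually configured. This added example (not part of the original article) lists the current path exclusions and flags any that cover the system drive or overlap Downloads, Desktop, temporary folders or a browser cache; the `INetCache` path is an assumed stand-in for "browser cache", and `Test-DefenderExclusion` is a hypothetical helper name.

```powershell
# Added example: flag Defender path exclusions that overlap risky locations.
# Read-only; run from an elevated PowerShell session.

# Folders where unknown files tend to land, resolved for the current user.
$risky = @(
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\Desktop",
    $env:TEMP,
    "$env:SystemRoot\Temp",
    "$env:LOCALAPPDATA\Microsoft\Windows\INetCache"   # assumed browser cache location
) | ForEach-Object { $_.TrimEnd('\') }

function Test-DefenderExclusion {
    param([Parameter(Mandatory)][string]$Path)
    $cmp = [StringComparison]::OrdinalIgnoreCase
    $p = [Environment]::ExpandEnvironmentVariables($Path).TrimEnd('\')
    if ($p.Equals($env:SystemDrive, $cmp)) { return 'entire system drive' }
    foreach ($r in $risky) {
        # Match the risky folder itself, a subfolder of it, or a parent of it.
        if ($p.Equals($r, $cmp) -or $p.StartsWith("$r\", $cmp) -or $r.StartsWith("$p\", $cmp)) {
            return "overlaps $r"
        }
    }
    if ($p -match '[*?]') { return 'wildcard, review by hand' }
    return 'ok'
}

$paths = @((Get-MpPreference).ExclusionPath) | Where-Object { $_ }
if ($paths -like 'N/A*') {
    # Defender hides the list from non-administrators.
    Write-Warning 'Exclusions are hidden from non-administrators; rerun elevated.'
} elseif (-not $paths) {
    'No path exclusions are configured.'
} else {
    $paths | ForEach-Object {
        [pscustomobject]@{ Exclusion = $_; Finding = Test-DefenderExclusion -Path $_ }
    } | Sort-Object Finding | Format-Table -AutoSize
}
```

Anything not marked `ok` deserves a second look in "Add or remove exclusions" before it stays in place.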

Method 4: Update, Repair, or Reset Defender State

If high CPU usage is not triggered by one specific directory and remains abnormal, try basic repair steps first:

  • Check Windows Update and install the latest security intelligence and system patches;
  • Restart the computer to rule out a stuck scan task;
  • Run a quick scan in Windows Security;
  • Check whether multiple antivirus tools are installed and scanning each other;
  • Clean unusually large temporary files and build caches;
  • Check whether the disk is nearly full or has bad blocks.

In many cases, Defender itself is not broken. A directory may simply be generating many new files continuously. Build caches, log files, virtual machine images, and sync conflicts can all make real-time protection scan again and again.

Disabling Windows Defender through Group Policy can indeed stop Antimalware Service Executable from using CPU, but it is not a recommended routine fix.

The reason is simple: it solves the CPU issue by also removing the system’s basic protection. For ordinary users, the risk usually outweighs the benefit. A computer that often downloads software, opens archives, uses browser extensions, runs scripts, or receives unknown files should not run without protection.

Only consider disabling built-in protection in situations like:

  • You have already installed and enabled reliable third-party security software;
  • The PC is in a controlled environment, such as an offline test machine, virtual machine, or temporary build machine;
  • You clearly understand the risk of disabling protection;
  • Disabling it is only for short-term troubleshooting, not the long-term default.

If your goal is only to reduce CPU usage, adjust scan timing and exclude specific trusted directories first instead of disabling all protection.

Practical Troubleshooting Order

Use this order:

  1. Check whether it is only a short normal scan.
  2. Recall whether high CPU usage is tied to startup, updates, builds, games, editing, or decompression.
  3. Adjust the trigger time of Windows Defender Scheduled Scan.
  4. Add exclusions only for trusted large project or cache directories.
  5. Update Windows and Defender security intelligence.
  6. Check whether multiple antivirus tools are scanning each other.
  7. If it is still abnormal, consider system repair or temporarily disabling protection for comparison testing.

Conclusion

High CPU usage from Antimalware Service Executable is most commonly caused by Defender scanning many files, build caches, virtual machine images, or scheduled tasks. The reliable fix is not to immediately turn off Windows Defender, but to find the triggering path, adjust the scan schedule, and add exclusions for trusted high-frequency read/write directories.

If you only want the PC to stop freezing, start with exclusions and scheduled task adjustments. If you truly need to disable Defender, prepare alternative security software first and understand that it reduces system protection.
