Jump to content


vda

Windows defender causing 100% CPU load

Recommended Posts

Hi everyone,

I hope that someone may be able to shed some light on this topic. We've been getting reports from users who have a specific model that see spikes in CPU activity on 100% when the quick scan from Windows Defender starts. The notebook gets practically unusable in the next 10-20 minutes because of a huge lag in responsiveness. I've noticed that even though Defender will report the scan as finished, the sluggishness continues for several more minutes and finally ends after some time. The odd thing is that this is widely reported only on a specific model from Lenovo (ThinkPad P1 Gen2)

  • We are using SCCM 1806 and Windows 10 1809
  • The CPU usage for the antimalware scan is limited to 30% by SCCM and the usage stays around this number, but the scan causes other processes to spike
  • We've noticed the scan to cause other processes to spike: Skype for Business, Windows interrupts (this struck me as quite odd), Chrome, IntelliJ and others
  • We've tried excluding the whole drive from the scans - still happens 
  • We've tried excluding some processes used daily by some users (browser, development IDE, etc...) - still happens
  • Updated everything from the Lenovo System Update tool 2-3 weeks ago with one user - still happens
  • Windows event log shows nothing of value
  • I was not able to find anything in EndpointProtectionAgent.log that would indicate an issue

What is really confusing to me:

  • Out of all devices, only some users with P1 Gen2 models are reporting this issue
  • Some users experience this on a daily basis, while others have seen it only a handful of times in the past several months
  • The spike of CPU load for System interrupts in some cases leads me towards a possible driver issue, but I cannot pinpoint what exactly

I was not able to find any relevant information in the event viewer. The log files at C:\ProgramData\Microsoft\Windows Defender\Support do not seem much of use as well. I was not able to find information on the path of the scanned items or a way to produce a log with increased verbosity that is in readable format.

 

Is there any way we can troubleshoot this further with more details and pinpoint the exact cause of this problem?

Share this post


Link to post
Share on other sites

i feel your pain, if you'd like to pm me some numbers of users affected i can ask Lenovo Engineering to take a look

 

cheers

niall

Share this post


Link to post
Share on other sites

are these Lenovo's patched up with the latest BIOS and firmware updates ?

Share this post


Link to post
Share on other sites

are you also using the same version of Windows 10 as the original poster ? have you tried a newer release (like 1909 or 2004)

Share this post


Link to post
Share on other sites

and you are seeing it only on ThinkPad P1 Gen2  ? have you looked into any of the bios settings to see if enabling/disabling anything secure related (for testing) changes the behaviour ?

Share this post


Link to post
Share on other sites

No update so far. We've opened a support request with Microsoft as well, but still no answer from them.

Odd things seem to happen with this model in our environment. We have two people that reported crashes on Skype for Business during conference calls with audio/video/screen sharing as well, which is something that rarely happens in general, but this particular model seems to exhibit this once every several days. I tried doing a crash dump analysis, but this seems a bit over my expertise. What was interesting is that apart from regular Windows/Office DDLs, the stack trace included both DLLs from Intel and NVIDIA. I seem to recall that this model has a setting for hybrid graphics in the BIOS, so I will check how these devices are configured in the BIOS and see if switching to a different mode will yield some changes. Another thing that I am planning on exploring is ProcDump.

.

Share this post


Link to post
Share on other sites

this is what I got from Joe @ Lenovo

https://forums.lenovo.com/t5/Enterprise-Client-Management/Windows-defender-scans-cause-100-CPU-usage-on-P1-Gen2-model/m-p/5018214

For my next test, I patched the 1909 factory preload with the May 2020 cumulative update.  After doing this, I could not reproduce the problem. 

i guess it's your post also ? have you tried this ?

Share this post


Link to post
Share on other sites

but are you testing on windows 10 1909 with the may update ?

Share this post


Link to post
Share on other sites

Apologies, my answer was a bit unclear on the matter. I updated my devices with the may update, but on Windows 10 1809. I have not tried with 1909 yet.

Share this post


Link to post
Share on other sites

So the oddest of things happened: the issue does not manifest itself anymore. Users have reported that they haven't seen the issue in the past week or two, whereas some of them saw it on a daily basis. Apart from a change in the antimalware platform version to 4.18.2005.5-0 (previous was 4.18.2005.4-0) and the deployment of May updates, I cannot think of anything else that has been changed. I lean towards the antimalware platform version being the actual fix to the problem, since we also tried the May updates before and saw the issue still persisted.

Share this post


Link to post
Share on other sites

thanks for the update !

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

×
×
  • Create New...