Windows defender causing 100% CPU load

[vda 0]

Hi everyone,

I hope that someone may be able to shed some light on this topic. We've been getting reports from users who have a specific model that see spikes in CPU activity on 100% when the quick scan from Windows Defender starts. The notebook gets practically unusable in the next 10-20 minutes because of a huge lag in responsiveness. I've noticed that even though Defender will report the scan as finished, the sluggishness continues for several more minutes and finally ends after some time. The odd thing is that this is widely reported only on a specific model from Lenovo (ThinkPad P1 Gen2)

• We are using SCCM 1806 and Windows 10 1809
• The CPU usage for the antimalware scan is limited to 30% by SCCM and the usage stays around this number, but the scan causes other processes to spike
• We've noticed the scan to cause other processes to spike: Skype for Business, Windows interrupts (this struck me as quite odd), Chrome, IntelliJ and others
• We've tried excluding the whole drive from the scans - still happens 
• We've tried excluding some processes used daily by some users (browser, development IDE, etc...) - still happens
• Updated everything from the Lenovo System Update tool 2-3 weeks ago with one user - still happens
• Windows event log shows nothing of value
• I was not able to find anything in EndpointProtectionAgent.log that would indicate an issue

What is really confusing to me:

• Out of all devices, only some users with P1 Gen2 models are reporting this issue
• Some users experience this on a daily basis, while others have seen it only a handful of times in the past several months
• The spike of CPU load for System interrupts in some cases leads me towards a possible driver issue, but I cannot pinpoint what exactly

I was not able to find any relevant information in the event viewer. The log files at C:\ProgramData\Microsoft\Windows Defender\Support do not seem much of use as well. I was not able to find information on the path of the scanned items or a way to produce a log with increased verbosity that is in readable format.

 

Is there any way we can troubleshoot this further with more details and pinpoint the exact cause of this problem?

[anyweb 472]

i feel your pain, if you'd like to pm me some numbers of users affected i can ask Lenovo Engineering to take a look

 

cheers

niall

[Ranjithckm7 0]

Is there any progress on this issue? I have similar scenario in my environment

[anyweb 472]

are these Lenovo's patched up with the latest BIOS and firmware updates ?

[Ranjithckm7 0]

Yes. Using Thin installer.

[anyweb 472]

are you also using the same version of Windows 10 as the original poster ? have you tried a newer release (like 1909 or 2004)

[Ranjithckm7 0]

We're in 1909. We're not prepared to go 2004.

[anyweb 472]

and you are seeing it only on ThinkPad P1 Gen2  ? have you looked into any of the bios settings to see if enabling/disabling anything secure related (for testing) changes the behaviour ?

[Ranjithckm7 0]

I think the model is P52. I haven't tried really.

[vda 0]

No update so far. We've opened a support request with Microsoft as well, but still no answer from them.

Odd things seem to happen with this model in our environment. We have two people that reported crashes on Skype for Business during conference calls with audio/video/screen sharing as well, which is something that rarely happens in general, but this particular model seems to exhibit this once every several days. I tried doing a crash dump analysis, but this seems a bit over my expertise. What was interesting is that apart from regular Windows/Office DDLs, the stack trace included both DLLs from Intel and NVIDIA. I seem to recall that this model has a setting for hybrid graphics in the BIOS, so I will check how these devices are configured in the BIOS and see if switching to a different mode will yield some changes. Another thing that I am planning on exploring is ProcDump.

.

[anyweb 472]

this is what I got from Joe @ Lenovo

https://forums.lenovo.com/t5/Enterprise-Client-Management/Windows-defender-scans-cause-100-CPU-usage-on-P1-Gen2-model/m-p/5018214

For my next test, I patched the 1909 factory preload with the May 2020 cumulative update.  After doing this, I could not reproduce the problem. 

i guess it's your post also ? have you tried this ?

[vda 0]

Yep, that's my post. Unfortunately, the issue is still present.

[anyweb 472]

but are you testing on windows 10 1909 with the may update ?

[vda 0]

Apologies, my answer was a bit unclear on the matter. I updated my devices with the may update, but on Windows 10 1809. I have not tried with 1909 yet.

[vda 0]

So the oddest of things happened: the issue does not manifest itself anymore. Users have reported that they haven't seen the issue in the past week or two, whereas some of them saw it on a daily basis. Apart from a change in the antimalware platform version to 4.18.2005.5-0 (previous was 4.18.2005.4-0) and the deployment of May updates, I cannot think of anything else that has been changed. I lean towards the antimalware platform version being the actual fix to the problem, since we also tried the May updates before and saw the issue still persisted.

[anyweb 472]

thanks for the update !