vda

Windows defender causing 100% CPU load

Question

Hi everyone,

I hope that someone may be able to shed some light on this topic. We've been getting reports from users with a specific model who see CPU activity spike to 100% when the quick scan from Windows Defender starts. The notebook gets practically unusable for the next 10-20 minutes because of a huge lag in responsiveness. I've noticed that even though Defender will report the scan as finished, the sluggishness continues for several more minutes and finally ends after some time. The odd thing is that this is widely reported only on a specific model from Lenovo (ThinkPad P1 Gen2).

  • We are using SCCM 1806 and Windows 10 1809
  • The CPU usage for the antimalware scan is limited to 30% by SCCM and the usage stays around this number, but the scan causes other processes to spike
  • We've noticed the scan to cause other processes to spike: Skype for Business, Windows interrupts (this struck me as quite odd), Chrome, IntelliJ and others
  • We've tried excluding the whole drive from the scans - still happens 
  • We've tried excluding some processes used daily by some users (browser, development IDE, etc...) - still happens
  • Updated everything from the Lenovo System Update tool 2-3 weeks ago with one user - still happens
  • Windows event log shows nothing of value
  • I was not able to find anything in EndpointProtectionAgent.log that would indicate an issue

What is really confusing to me:

  • Out of all devices, only some users with P1 Gen2 models are reporting this issue
  • Some users experience this on a daily basis, while others have seen it only a handful of times in the past several months
  • The spike of CPU load for System interrupts in some cases leads me towards a possible driver issue, but I cannot pinpoint what exactly

I was not able to find any relevant information in the event viewer. The log files at C:\ProgramData\Microsoft\Windows Defender\Support do not seem to be of much use either. I was not able to find information on the path of the scanned items or a way to produce a log with increased verbosity that is in a readable format.

Is there any way we can troubleshoot this further with more details and pinpoint the exact cause of this problem?


So the oddest of things happened: the issue does not manifest itself anymore. Users have reported that they haven't seen the issue in the past week or two, whereas some of them saw it on a daily basis. Apart from a change in the antimalware platform version to 4.18.2005.5-0 (previous was 4.18.2005.4-0) and the deployment of May updates, I cannot think of anything else that has been changed. I lean towards the antimalware platform version being the actual fix to the problem, since we also tried the May updates before and saw the issue still persisted.
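
An added example, not part of the original posts: a PowerShell sketch that records the Defender state discussed in this thread (platform version, scan CPU limit, exclusions) and then samples total CPU, interrupt/DPC time and the MsMpEng process while a quick scan runs. The output CSV path is a placeholder, the counter names assume an English-language Windows install, and it should be run from an elevated session on an affected laptop.

```powershell
# Added example. Assumptions: English counter names, elevated session,
# hypothetical output path under $env:TEMP.
$FixedPlatform = [version]'4.18.2005.5'   # platform version the follow-up post links to the fix
$OutCsv        = Join-Path $env:TEMP 'defender-scan-cpu.csv'   # placeholder path

$status   = Get-MpComputerStatus
$pref     = Get-MpPreference
# AMProductVersion is a string; drop any "-0" style suffix before comparing.
$platform = [version](($status.AMProductVersion -split '-')[0])

# Snapshot of the settings the thread talks about, for comparison across machines.
[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    PlatformVersion   = $platform
    AtOrAboveFixed    = $platform -ge $FixedPlatform
    EngineVersion     = $status.AMEngineVersion
    ScanCpuLimitPct   = $pref.ScanAvgCPULoadFactor      # the 30% limit pushed by SCCM
    ExcludedPaths     = ($pref.ExclusionPath -join '; ')
    ExcludedProcesses = ($pref.ExclusionProcess -join '; ')
    LastQuickScanEnd  = $status.QuickScanEndTime
} | Format-List

$cores    = [Environment]::ProcessorCount
$counters = '\Processor(_Total)\% Processor Time',
            '\Processor(_Total)\% Interrupt Time',
            '\Processor(_Total)\% DPC Time',
            '\Process(MsMpEng)\% Processor Time'

# Start the quick scan in the background, then sample every 5 s for 30 minutes
# so the slow period after the scan is reported as finished is captured too.
Start-MpScan -ScanType QuickScan -AsJob | Out-Null

Get-Counter -Counter $counters -SampleInterval 5 -MaxSamples 360 | ForEach-Object {
    $s = $_.CounterSamples
    [pscustomobject]@{
        Time         = $_.Timestamp
        TotalCpuPct  = [math]::Round(($s | Where-Object Path -like '*_total)\% processor time').CookedValue, 1)
        InterruptPct = [math]::Round(($s | Where-Object Path -like '*% interrupt time').CookedValue, 1)
        DpcPct       = [math]::Round(($s | Where-Object Path -like '*% dpc time').CookedValue, 1)
        # Process counters are summed over cores; normalise to 0-100.
        MsMpEngPct   = [math]::Round(($s | Where-Object Path -like '*msmpeng)*').CookedValue / $cores, 1)
    }
} | Export-Csv -Path $OutCsv -NoTypeInformation

Write-Host "Samples written to $OutCsv"
```

If `InterruptPct` or `DpcPct` rises while `MsMpEngPct` stays near the configured limit, the load is coming from outside the scan process itself, which is the pattern described in the question.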
