Why is Microsoft Defender always running?

Some Windows users are experiencing a weird issue where the main Antimalware Service Executable (MsMpEng) ends up using an absurd amount of CPU resources – sometimes over 80% of the available CPU processing power. This issue is reported to occur on Windows 10.

What is msmpeng.exe?

The Microsoft Malware Protection Engine, or Msmpeng.exe, is the main executable of the built-in antivirus program for Windows 10 computers.

Also known as the Antimalware service executable, this program runs in the background and scans your computer for threats such as harmful software, viruses, worms, and so on. Once these threats are identified, the program will quarantine or delete them.

What causes High CPU Usage by msmpeng.exe?

After investigating this issue, we found that it can have many different causes. Here’s a list of scenarios in which you can expect unusually high CPU usage from the MsMpEng component:

  • File corruption affecting Windows Defender – One of the first things to troubleshoot is corruption affecting the Windows Defender component, which can cause this massive CPU usage. In this case, you can either use a 3rd party repair utility to get the issue fixed or you can go for a repair install.
  • The task frequency of MsMpEng is too high – According to a lot of affected users, a frequent cause of this behavior is an administrative task related to MsMpEng that runs at very frequent intervals. To address this issue, you’ll need to use the Task Scheduler to tone down the frequency of the task that launches the MsMpEng process.
  • Windows Defender is overlapping – As it turns out, another scenario where you can expect this issue is when Windows Defender is actually overlapping another 3rd party antivirus that is currently active. This usually happens when you’re using a security solution from a smaller company that is not yet verified by Microsoft. In this case, you will need to forcibly turn off Windows Defender – either via the Local Group Policy Editor or via Registry Editor. 
  • The antiSpyware function is ON – According to a lot of Windows 10 community insiders, this problem might be caused by a Registry key that remains disabled despite the fact that Windows Defender is no longer the active antivirus. To address this problem, you’ll need to open up the Registry Editor and modify the value data of the DisableAntiSpyware key. 
  • Internal Windows Defender conflict – This might seem like a weird fix, but a lot of users have confirmed that once they’ve added MsMpEng.exe to the exclusion list of Windows Defender, the CPU consumption went down drastically. This will be effective in scenarios where Windows Defender was re-activated after a long period where another 3rd party antivirus was active. 
  • Malware infection – As ironic as this might sound, a high CPU usage by the security file MsMpEng.exe can also signal a virus infection. The MsMpEng.exe file might actually be malware posing as a system process in order to be allowed to tap into the system’s resources. To make sure that’s not the case, you’ll need to deploy a deep scan with a capable anti-malware utility. 
  • Bad Windows update – Throughout the history of Windows Defender, there have been dozens of bad virus definition updates that cause false positives (legitimate files identified as malware or adware). If you know for a fact that you’re not dealing with a virus infection, you can treat this issue by removing the bad update via an elevated CMD prompt.
  • Looping process mitigation – A less common cause of this error is a scenario where the process mitigation feature actually causes an Exploit Protection loop where Windows Defender is continuously trying to disable the activity of a folder or program (upon failing, it will try again endlessly which facilitates High CPU usage).
  • Windows Defender is inefficient – One surefire way of getting rid of this issue permanently is to simply use an alternative antivirus. Go this route if every other fix featured in this article doesn’t work for you and you’re prepared to move away from the built-in Windows Defender suite. 

Now that we went over every potential cause that might be facilitating this behavior, let’s get to the part where we get to the bottom of this issue and fix it.

Below you’ll find a collection of verified methods that other affected users have successfully used to treat a scenario where the MsMpEng process takes up an unusually high amount of CPU resources.

1. Deal with System file corruption

The first thing to do when you start troubleshooting this issue is to make sure that no corrupted system files are causing it.

To make sure that’s not the case, you have two options:

  1. Use Restoro (3rd party repair suite for Windows) to find and automatically address underlying system file corruption issues affecting your Windows installation.
  2. Go for a Windows 10 repair install procedure to effectively replace every corrupted system file while leaving your applications, games, personal media, and documents intact. 

If you already followed one of the options above and ensured that the high usage of MsMpEng.exe is not caused by some type of system file corruption, move down to the next method below.

2. Lower the MsMpEng Task Frequency

Many users who are impacted by this behavior report that it is often caused by an administrative task related to MsMpEng running at very frequent intervals.

To resolve this issue, you can use Task Scheduler to reduce the frequency of the task that launches the MsMpEng process.

In order to do this, you’ll need to access the Task Scheduler utility (under Administrative Tools) and modify the Windows Defender Scheduled Scan task (under Windows Defender) so that it only runs once a week or once a month (depending on your preference).

Note: This will help tremendously in scenarios where you are running Windows 10 on a low-end PC with not a lot of CPU processing power available. 

For step-by-step instructions on lessening the frequency of the MsMpEng.exe task, follow the steps below:

  1. Press Windows key + R to open up a Run dialog box. 
  2. Next, type ‘taskschd.msc’ inside the Run box, then press Ctrl + Shift + Enter to open up Task Scheduler with admin access. 
  3. At the User Account Control prompt, click Yes to grant admin access. 
  4. Once you’re finally inside Task Scheduler, use the side menu on the left to navigate to the following location:
    Microsoft > Windows > Windows Defender
  5. With the Windows Defender folder selected from the side menu on the left, move over to the central pane and double-click on Windows Defender Scheduled Scan. 
  6. From the Windows Defender Scheduled Scan Properties window, access the General tab and uncheck the box associated with ‘Run with Highest Privileges‘.
  7. Next, access the Conditions tab and uncheck all the options under Idle, Power, and Network before clicking on Ok to save the changes. 

    Note: Don’t worry as this is only temporary – we will schedule them properly in the steps below. 

  8. Now to the rescheduling part. Access the Triggers tab and click New. Here, choose the Weekly or Monthly option, as per your preference, then choose the Day, click OK, and make sure the box related to Enabled is checked at the bottom of the screen.

    Note: This reschedules Windows Defender so that it stops scanning too frequently. If a scan was already running, wait for it to finish; you’ll see the results once it has finished. Keep in mind that when the scan does run as per your defined schedule, you will still get the High CPU Usage.

  9. Repeat the same for the three other schedules – Windows Defender Cache Maintenance, Windows Defender Cleanup, Windows Defender Verification
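
To confirm what steps 6 to 9 changed, the following read-only PowerShell check (an added example, not part of the original article) lists each task in the Windows Defender folder with its run level, conditions, triggers and last run, then shows Defender's own scan schedule. It assumes an elevated PowerShell window on Windows 10 with the built-in ScheduledTasks and Defender modules available.

```powershell
# Added example: read-only audit, nothing is modified. Run elevated.
$taskPath = '\Microsoft\Windows\Windows Defender\'

$report = foreach ($task in Get-ScheduledTask -TaskPath $taskPath) {
    $info = $task | Get-ScheduledTaskInfo

    # Trigger CIM class names look like MSFT_TaskWeeklyTrigger; shorten them.
    $triggers = @($task.Triggers | Where-Object { $_ } | ForEach-Object {
        $_.CimClass.CimClassName -replace '^MSFT_Task', ''
    })

    [pscustomobject]@{
        Task         = $task.TaskName
        State        = $task.State
        RunLevel     = $task.Principal.RunLevel                    # General tab: Limited or Highest
        OnlyIfIdle   = $task.Settings.RunOnlyIfIdle                # Conditions tab: Idle
        NotOnBattery = $task.Settings.DisallowStartIfOnBatteries   # Conditions tab: Power
        NeedsNetwork = $task.Settings.RunOnlyIfNetworkAvailable    # Conditions tab: Network
        Triggers     = if ($triggers) { $triggers -join ', ' } else { '(none)' }
        LastRun      = $info.LastRunTime
        LastResult   = '0x{0:X}' -f $info.LastTaskResult
        NextRun      = $info.NextRunTime
    }
}
$report | Format-Table -AutoSize -Wrap

# Defender also keeps its own scan schedule, separate from Task Scheduler.
$pref = Get-MpPreference
[pscustomobject]@{
    ScanScheduleDay      = $pref.ScanScheduleDay       # 0 = every day, 1-7 = Sunday-Saturday, 8 = never
    ScanScheduleTime     = $pref.ScanScheduleTime
    ScanOnlyIfIdle       = $pref.ScanOnlyIfIdleEnabled
    ScanAvgCPULoadFactor = $pref.ScanAvgCPULoadFactor  # CPU percentage ceiling Defender aims for during scans
} | Format-List
```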

In case the same problem is still occurring despite the fact that you’ve just reconfigured the frequency of the scan, move down to the next method below.

3. Disable the Windows Defender Overlap

It seems that this problem can also occur when Windows Defender is running at the same time as another third-party antivirus. This often happens when you’re using a security solution from a smaller company that isn’t verified by Microsoft.

In this case, you’ll need to turn off Windows Defender forcibly. The best way to do it is via the Local Group Policy Editor.

Note: This method works on the Windows Enterprise and Pro Editions of Windows 10, as well as more advanced versions of earlier OS. If you can’t use the Local Group Policy Editor, then fall back to the Registry tweak directly under.

Here’s what you need to do in order to disable a potential Windows Defender overlap:

  1. Press the Windows Key + R, type in gpedit.msc in the Run dialog box.
  2. Next, press Ctrl + Shift + Enter to open up the  Local Group Policy Editor with admin access.
  3. Once you’re inside the home screen of the Local Group Policy Editor, navigate to the following location using the side menu on the left:
     Computer Configuration > Administrative Templates > Windows Components > Windows Defender
  4. After you’re inside the correct Group Policy path, select Windows Defender, then move to the central pane and look for the setting named Turn off Windows Defender and double click it. Select the Enabled option to disable Windows Defender. Click Apply followed by OK.
  5. After you do this, Windows Defender will be disabled instantly. Now all that’s left to do is perform a simple restart.
  6. Check Task Manager and you should notice that MsMpEng is no longer appearing among the system processes.

In case this method didn’t work in your case or you’re looking for a different approach, move down to the next method below.

4. Disable the AntiSpyware Function

Insiders of the Windows 10 community say that this issue might be caused by a Registry key that is still disabled even though Windows Defender is no longer the active antivirus.

To fix this problem, you will need to open the Registry Editor and change the value data of the DisableAntiSpyware key.

Note: This method will only work as long as Windows Defender is the active AV solution on your computer or it was disabled recently without being replaced with a different AV suite. Normally, once a new 3rd party antivirus takes the place of Windows Defender, the AntiSpyware function of Windows Defender should get disabled automatically.

To investigate whether this scenario is applicable or not, follow the instructions below to use the Registry Editor to disable the antispyware function if applicable:

  1. Start by opening a Run box by pressing the Windows key + R
  2. Next, inside the Run box, type ‘regedit’ and press Ctrl + Shift + Enter to open up the Registry Editor with administrative privileges. 
  3. When you see the User Account Control (UAC) prompt, click Yes to grant admin access. 
  4. Once you’re finally inside the Registry Editor, use the menu on the left to navigate to the following location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender

    Note: You can either navigate to this location manually or you can paste the path above directly into the navigation bar and hit Enter to get there instantly. 

  5. If you are inside the correct location, move over to the right-hand pane and double-click on the registry entry named DisableAntiSpyware. 

    Note: In case the Registry key is missing from the Windows Defender folder, you can download and apply this registry file on your PC in order to automatically add it to your registry. 

  6. Once you’re inside the Edit DWORD (32-bit) Value window for DisableAntiSpyware, set the Base to Hexadecimal and the Value data to 1 in order to ensure that the AntiSpyware function remains disabled.
  7. Close Registry Editor and reboot your PC in order to enforce the change that you just did.
  8. After your PC boots back up, check to see if you’re still experiencing the same kind of High CPU usage by Msmpeng.exe.
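
Before and after applying the Group Policy method (3) or the registry method (4), it helps to confirm which antivirus is actually registered and whether Defender is still protecting in real time. The following read-only PowerShell check is an added example, not part of the original article; it assumes an elevated PowerShell window on a client edition of Windows 10.

```powershell
# Added example: read-only state check, nothing is modified. Run elevated.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# 1. Antivirus products registered with Windows Security Center.
#    The root/SecurityCenter2 namespace exists on client editions only.
$registered = @(Get-CimInstance -Namespace 'root/SecurityCenter2' `
        -ClassName AntiVirusProduct -ErrorAction SilentlyContinue)
$thirdParty = @($registered | Where-Object {
        $_.displayName -notmatch 'Windows Defender|Microsoft Defender' })

# 2. The policy value edited in the Registry Editor method.
$policy = Get-ItemProperty -Path $policyKey -Name DisableAntiSpyware `
        -ErrorAction SilentlyContinue
$disableAntiSpyware = if ($policy) { $policy.DisableAntiSpyware } else { '(not set)' }

# 3. What the Defender service itself reports (the query fails if it is stopped).
$service = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
try   { $status = Get-MpComputerStatus -ErrorAction Stop }
catch { $status = $null }

[pscustomobject]@{
    RegisteredAV        = ($registered.displayName -join '; ')
    ThirdPartyAVPresent = [bool]$thirdParty.Count
    DisableAntiSpyware  = $disableAntiSpyware
    WinDefendService    = if ($service) { $service.Status } else { '(missing)' }
    AMRunningMode       = $status.AMRunningMode
    AntivirusEnabled    = $status.AntivirusEnabled
    RealTimeProtection  = $status.RealTimeProtectionEnabled
    TamperProtected     = $status.IsTamperProtected
} | Format-List

# 4. Flag the overlap these methods target, and the unprotected state they can cause.
$defenderActive = [bool]($status -and $status.RealTimeProtectionEnabled)
if ($thirdParty.Count -gt 0 -and $defenderActive) {
    Write-Warning 'Defender real-time protection is active alongside a third-party AV (overlap).'
}
elseif ($thirdParty.Count -eq 0 -and -not $defenderActive) {
    Write-Warning 'No third-party AV is registered and Defender is not protecting in real time.'
}
else {
    Write-Output 'Exactly one real-time antivirus appears to be active.'
}
```

Microsoft documents that current Defender platform releases ignore DisableAntiSpyware on client editions of Windows, so rely on the reported AMRunningMode and RealTimeProtection values rather than on the registry value alone.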

If the problem is still ongoing despite you following the instructions above, move down to the next method below. 

5. Scan for Malware

While it may sound ironic, a high CPU usage by the security file MsMPEng.exe can also indicate a virus infection. The MsMpEng.exe file might actually be malware in disguise, posing as a system process in order to gain access to the system’s resources.

To be sure that this is not the case, you should run a deep scan with a reliable anti-malware program.

There are a lot of options available when it comes to doing this, but our recommendation is to deploy a deep Malwarebytes scan since it’s one of the most robust security scanners that’s just as effective with malware as it is with adware. 

After you complete the scan, remove every infected instance as instructed, then restart your PC and open Task Manager again (Ctrl + Shift + Esc) to see if the CPU consumption related to MsMpEng.exe has gone down.
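
To check directly whether a running MsMpEng.exe is the genuine engine, the following read-only PowerShell sketch (an added example, not part of the original article) compares each process of that name against the WinDefend service's registered binary, the expected install folders and the file's Authenticode signature. The expected folders and the signer-organisation match are assumptions stated in the comments; run it from an elevated PowerShell window.

```powershell
# Added example: read-only authenticity check for MsMpEng.exe. Run elevated.

# Assumption: the genuine engine lives under one of these folders on Windows 10.
$expectedRoots = @(
    (Join-Path $env:ProgramFiles 'Windows Defender'),
    (Join-Path $env:ProgramData  'Microsoft\Windows Defender\Platform')
)

# Binary path and PID registered for the WinDefend service.
$svc     = Get-CimInstance Win32_Service -Filter "Name='WinDefend'"
$svcPath = if ($svc.PathName -match '^"?([^"]+?\.exe)') { $Matches[1] } else { $null }

function Test-DefenderBinary {
    param([string]$Path)
    $full   = [IO.Path]::GetFullPath($Path)
    $inRoot = [bool]($expectedRoots | Where-Object {
        $full.StartsWith($_ + '\', [StringComparison]::OrdinalIgnoreCase) })
    $sig    = Get-AuthenticodeSignature -FilePath $full
    # Assumption: a genuine engine carries a valid signature whose subject
    # names Microsoft Corporation as the organisation.
    $msSigned = ($sig.Status -eq 'Valid') -and
                ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
    [pscustomobject]@{
        Path       = $full
        InExpected = $inRoot
        SigStatus  = "$($sig.Status)"
        Signer     = $sig.SignerCertificate.Subject
        Genuine    = $inRoot -and $msSigned
    }
}

# Every running process that uses the name, genuine or not.
$results = foreach ($p in Get-CimInstance Win32_Process -Filter "Name='MsMpEng.exe'") {
    $isService = [bool]($svc -and ($p.ProcessId -eq $svc.ProcessId))
    # The real engine is a protected process, so its path may not be readable;
    # fall back to the service's registered path only for the service's own PID.
    $path = if ($p.ExecutablePath) { $p.ExecutablePath } elseif ($isService) { $svcPath } else { $null }

    $row = if ($path -and (Test-Path -LiteralPath $path)) {
        Test-DefenderBinary -Path $path
    } else {
        [pscustomobject]@{ Path = '(unreadable)'; InExpected = $false
                           SigStatus = 'n/a'; Signer = $null; Genuine = $false }
    }
    $row | Add-Member -NotePropertyMembers @{
        ProcessId = $p.ProcessId; IsWinDefendService = $isService } -PassThru
}
$results | Format-List

# Anything that is not the service's own process, or fails a check, needs a closer look.
$results | Where-Object { -not $_.Genuine -or -not $_.IsWinDefendService } |
    ForEach-Object { Write-Warning "Investigate PID $($_.ProcessId): $($_.Path)" }
```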

If the same kind of issue is still ongoing, move down to the next method below. 

6. Adding Msmpeng.exe to the Windows Defender Exclusion list (if applicable) 

This could appear to be a strange fix, but a number of users have testified that after they added MsMpEng.exe to the exemption list of Windows Defender, the CPU utilization decreased noticeably.

This will work in cases where Windows Defender was enabled again after a prolonged stretch where another 3rd party antivirus was turned on.

Note: Since some malicious programs are known to disguise themselves as the Msmpeng executable in order to avoid being detected by security suites like Windows Defender, there’s also a possibility that Windows Defender (or a different 3rd party antivirus) will end up scanning the file continuously due to a false positive.

If you previously followed Method 5 and ensured that your computer is not infected, you have nothing to worry about and this is probably just a false positive that is somewhat common on Windows 10 (when Windows Defender is being used by default).

If this scenario is applicable, you can simply add the MsMpEng.exe file to the exclusion list and you’ll notice that this immediately reduces the CPU consumption.

Here’s what you need to do:

  1. Press Ctrl + ALT + Del on your keyboard and open the Windows Task Manager.

    Note: If the simple interface opens by default, click on More Details to bring up the expert interface.

  2. In the list of processes, look for the Antimalware Service Executable process.
  3. Next, once you’re inside the Expert interface, click on the Processes tab, then look for the Antimalware Service Executable (MsMpEng.exe). 
  4. When you see it, simply right-click on it and click on Open File Location to see the full path of the executable. You will see the file MsMpEng highlighted. Click on the address bar and copy the location of this file path.
  5. Next, hold the Windows key and press I, choose Update and Security, then choose Windows Defender from the left pane, scroll down and choose Add an exclusion (under Exclusions) > Exclude a .exe, .com or .scr process or File Type, and paste the path to MsMpEng.exe.
  6. Once you’ve done this, restart your PC and see if the CPU resource consumption goes down by a lot after your PC boots back up. 

If the resource consumption is still high or Windows Defender is not your active antivirus, move down to the next method below. 

7. Reverting a Bad Windows Defender Definition Update

Windows Defender has a long history of bad virus definition updates that can cause false positives. If you’re sure you don’t have a virus infection, you can remove the bad update by opening an elevated CMD prompt.

Note: Strangely enough, this problem is almost exclusive to Windows 10 as Microsoft seems to have fixed this issue for their latest OS. Regardless, we’re still regularly seeing bad Windows Defender definition updates coming on Windows 10. 

If this scenario is applicable and you suspect that a bad definition update is behind the high CPU usage by MsMpEng.exe, the quickest way to fix it is to use an elevated Command Prompt interface to remove the bad update.

Important: Keep in mind that this method assumes that you are actively using Windows Defender as the default security suite. 

For step by step instructions on how to do this, follow the instructions below:

  1. Start by pressing the Windows key + R to open up a Run dialog box. 
  2. Next, type ‘cmd’ inside the Run text box, then press Ctrl + Shift + Enter at the same time to open a Command Prompt window with admin access. 
  3. When you’re prompted by the User Account Control (UAC), click Yes to grant admin access.
  4. Once you’re inside the elevated CMD prompt, type the following command to remove all the definitions currently associated with Windows Defender:
    "%PROGRAMFILES%\Windows Defender\MPCMDRUN.exe" -RemoveDefinitions -All

    Note: It’s important to keep all the quotation marks inside the command, otherwise it won’t work.

  5. Once the first command is processed successfully, type in the second command and press Enter in order to update the virus signatures for Windows Defender:
    "%PROGRAMFILES%\Windows Defender\MPCMDRUN.exe" -SignatureUpdate
  6. Wait until the second command is processed successfully, then restart your PC and open up Task Manager to see if the CPU consumption went down.

In case the same type of issue is still occurring, move down to the next method below.

8. Fixing the Process Mitigation Loop

A less common cause of this error is a scenario where the process mitigation feature actually causes an Exploit Protection loop. It’s possible that Windows Defender is continuously trying to disable the activity of a folder or program, but upon failing, it will try again endlessly. This facilitates High CPU usage.

If this scenario is applicable, the proper fix is to address the process mitigation loop – this will stop the Exploit Protection Service which can drastically help you reduce CPU Usage. 

Note: Exploit Protection can cause a Loop where Windows Defender is trying to disable the activity of a folder/program but when it’s not successful it tries to do it again and again which ends up in High CPU Usage

In order to deploy this particular fix, follow the instructions below:

  1. Press Windows key + R to open up a Run dialog box. 
  2. Next, inside the Run dialog box that just appeared, type ‘powershell’ inside the text box, then press Ctrl + Shift + Enter to open up an elevated Powershell window with admin access. 
  3. At the User Account Control prompt, click Yes to grant admin access.
  4. Once you’re inside the elevated PowerShell window, type or paste the following command to effectively disable the Exploit Protection and prevent the process mitigation loop:
    ForEach($v in (Get-Command -Name "Set-ProcessMitigation").Parameters["Disable"].Attributes.ValidValues){Set-ProcessMitigation -System -Disable $v.ToString().Replace(" ", "").Replace("`n", "") -ErrorAction SilentlyContinue}
  5. You will most likely get some warnings, but ignore them and wait until the process is complete.
  6. After the command is processed successfully, restart your PC and, once the next startup is complete, open Task Manager to check if the usage by the Antimalware Service Executable (MsMpEng) is still high.
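
Because the command in step 4 switches off every system-wide mitigation it can, it is worth recording the current Exploit Protection state first so the change can be measured and the saved settings re-applied. The following PowerShell sketch is an added example, not part of the original article; the backup file location is an assumption, and it must be run from an elevated PowerShell window before step 4.

```powershell
# Added example: snapshot Exploit Protection before changing it. Run elevated.
# Assumption: the backup is written to the current user's profile folder.
$backup = Join-Path $env:USERPROFILE 'ExploitProtection-before.xml'

# 1. Export the configured mitigation settings to XML so they can be re-applied.
Get-ProcessMitigation -RegistryConfigFilePath $backup

# 2. Flatten the system-wide settings into Mitigation / Option / State rows.
function Get-SystemMitigationState {
    $sys = Get-ProcessMitigation -System
    foreach ($group in $sys.PSObject.Properties) {
        $value = $group.Value
        # Skip plain fields (names, ids); keep the nested mitigation objects.
        if ($null -eq $value -or $value -is [string] -or $value -is [ValueType]) { continue }
        foreach ($opt in $value.PSObject.Properties) {
            [pscustomobject]@{
                Mitigation = $group.Name
                Option     = $opt.Name
                State      = "$($opt.Value)"
            }
        }
    }
}

$before = Get-SystemMitigationState
$before | Where-Object State -ne 'NOTSET' | Format-Table -AutoSize

# 3. After running the command from step 4, list exactly what it changed:
#      $after = Get-SystemMitigationState
#      Compare-Object $before $after -Property Mitigation, Option, State |
#          Sort-Object Mitigation, Option

# 4. To re-apply the saved settings, import the snapshot, reboot, and run the
#    comparison again to confirm the states match $before:
#      Set-ProcessMitigation -PolicyFilePath $backup
```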

If the problem is still not resolved or this method is not applicable to your particular scenario, move down to the final potential fix below. 

9. Using a different antivirus

If none of the methods above have worked, one surefire way of getting rid of this issue permanently is to simply use an alternative antivirus. Go this route if every other fix featured in this article doesn’t work for you and you’re prepared to move away from the built-in Windows Defender suite. 

You can frequently run an alternative AV scanner engine such as “Malwarebytes”, but you still need a real-time antivirus that is less aggressive.

Here are a few variants that you should consider:

  • BitDefender
  • Norton 360
  • Intrusta
  • Webroot

If you’re trying to figure out which of these options is right for you, consult this article where we analyze the 5 best antivirus suites for Windows 10.

Note: Using another antivirus will basically disable Windows Defender and use its own services/processes to defend your computer, and your computer’s resources will not be used as much anymore. So you will stay protected and your problem will be resolved as well.

How do I stop Windows Defender from running all the time?

Turn off Defender antivirus protection in Windows Security.
Select Start and type "Windows Security" to search for that app.
Select the Windows Security app from the search results, go to Virus & threat protection, and under Virus & threat protection settings select Manage settings.
Switch Real-time protection to Off.

Why is Windows Defender constantly running?

Windows Defender is always active to protect your system from malware and intrusion attempts. Windows Defender automatically turns off when there is a third-party antivirus program installed. But Windows can re-enable it when your antivirus license expires.

Why is antimalware always running?

Also known as msmpeng.exe, antimalware service executable runs in the background so it can scan files and programs from time to time. When an antimalware service executable detects a virus or other malicious attacks, it deletes them or quarantines them.

Why is Microsoft Defender taking up so much CPU?

This issue with MsMpEng.exe taking 100% of the hard drive and CPU usually occurs when Windows Defender is scanning the computer for malware. The Windows Defender scan is getting stuck on a few files while checking malware. When that is happening, it should be restricted/disabled to bring it back to normal use.