Excessive resource utilization by the Windows Defender Antimalware Engine (MsMpEng.exe) generally has nothing to do with the Windows Defender Scheduled Scan task. As it stands, this Automatic Maintenance task only runs a Defender Quick Scan about once a week, if we’re lucky (this task has been dysfunctional since the Anniversary Update).
This thread illustrates typical failures for both the Windows Defender Scheduled Scan task (Automatic Maintenance scan) and for a scan scheduled by adding a trigger to the Windows Defender Scheduled Scan task as per Microsoft's recommendation:
https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning/what-is-the-meaning-of-idle-with-scheduled-scans/90fd954f-436a-4090-bc3b-632c289ab061
But if anyone thinks that the Windows Defender Scheduled Scan task is actually consuming resources when it’s not running, then just right-click on the listing for it and select “disable”. This will just cancel the (dysfunctional) Automatic Maintenance Quick Scan, and won’t have any effect at all on Defender’s real-time protection.
Then either just run a manual scan occasionally, or schedule a more reliable scan:
https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning-windows_10/windows-defender-how-to-schedule-a-scan/d4ba70ce-a70c-4d82-bb26-18902b4e8f9e
Furthermore, the Windows Defender Scheduled Scan task is triggered and run under conditions that are set by Windows Automatic Maintenance – and by design, this task is already running with the same only-on-system-idle priority that’s assigned to all Automatic Maintenance tasks. You can confirm that this task belongs to Automatic Maintenance by enumerating the Automatic Maintenance package with this PowerShell command (courtesy Shawn Brink):
Right-click on the Start button and launch Windows PowerShell; and then copy, paste, and enter this command:
Get-ScheduledTask | ? {$_.Settings.MaintenanceSettings} | Out-GridView
https://www.tenforums.com/tutorials/96367-view-all-automatic-maintenance-tasks-windows-10-a.html
The documentation for Automatic Maintenance is scanty, but here’s an older article that explains how Automatic Maintenance works. The tasks in the Automatic Maintenance package are automatically triggered and run only during system idle periods, so they actually don’t run according to any strict schedule. If the user resumes activity before the initial run is complete, then the run will be cancelled within a couple of seconds in order to prevent the Automatic Maintenance tasks from putting a load on the system’s resources when the system is in use. And then once the user ceases activity and the system returns to an idle state, any maintenance tasks that didn’t complete during the initial run will be restarted:
https://msdn.microsoft.com/en-us/windows/compatibility/automatic-maintenance
So the likelihood of the Windows Defender Scheduled Scan task being responsible for an overactive Antimalware Engine when you're actually using your PC is minimal, since this is prohibited by design – and the real problem usually turns out to be with the Antimalware Engine's real-time monitoring of active files, which runs continuously from startup to shutdown as a System Protected Process. Specifically, the Antimalware Engine's resource utilization is most often elevated due to Defender’s real-time tracking of “suspicious behavior”; which might be caused by undetected malware; or by a third-party antimalware process (or a component that wasn’t removed properly with an AV/Antimalware uninstall); or sometimes, just by a process that generates a high volume of file system read/write operations.
So the general approach to calming down the Antimalware Engine is to first root out any undetected malware with some trusted malware-removal tools – and then clean up any antimalware remnants with the cleanup tools for previously installed or preinstalled AV apps – and finally, to attempt the repair of any remaining system damage or corruption:
- Remove any undetected malware by scanning with several malware-removal apps, starting with Malwarebytes Free:
https://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning-windows_other/list-of-malware-removal-tools/d824b9af-ebd8-4c47-94e2-8ee6c544c100
- Remove any antimalware remnants by running the cleanup utilities for any preinstalled or previously installed AV apps:
https://answers.microsoft.com/en-us/protect/forum/protect_other-protect_start-windows_other/list-of-anti-malware-product-removal-tools/2bcb53f7-7ab4-4ef9-ab3a-6aebfa322f75
- Run the standard Windows 10 system integrity checks:
https://answers.microsoft.com/en-us/windows/forum/windows_10-update/system-file-check-sfc-scan-and-repair-system-files/bc609315-da1f-4775-812c-695b60477a93
Use exclusions for friendly apps:
When we see collateral high CPU usage from a friendly app, then it’s quite likely that the friendly app is being monitored by Windows Defender, and is thereby responsible for any elevated CPU usage by the Antimalware Engine. For example, Genie Timeline is a continuous data protection (CDP) program – and exactly the kind of thing that we would expect to drive Windows Defender to distraction as it attempts to follow all of the read/write activity. So this is a textbook example of where we would apply both path and process exclusions in order to de-escalate the CPU utilization of the Antimalware Engine. The main executable should be covered with File and Process Exclusions; and any program, log, or backup folders should all be covered with Folder Exclusions:
https://www.tenforums.com/tutorials/5924-add-remove-windows-defender-exclusions-windows-10-a.html
If none of the above steps has the desired effect, then the best option is sometimes just to install a third-party AV app – which turns off Windows Defender’s Antimalware Engine and generally seems to resolve these issues with excessive CPU utilization:
https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning-windows_10/how-to-stop-antimalware-service-executable-from/a3a57d31-4687-43c0-b274-261da7d89245
GreginMich
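An added example, not part of the original post: a PowerShell check of whether the Windows Defender Scheduled Scan task is actually running while MsMpEng is busy, which is the distinction the post draws between the maintenance scan and real-time protection. The 20% threshold is an assumption, and the counter path assumes an English-language Windows install.

```powershell
# Added example. Run in an elevated Windows PowerShell session on Windows 10.
$taskPath = '\Microsoft\Windows\Windows Defender\'
$taskName = 'Windows Defender Scheduled Scan'
$cpuThresholdPercent = 20   # assumed cut-off for "elevated"; adjust as needed

$task        = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction Stop
$info        = $task | Get-ScheduledTaskInfo
$maintenance = $task.Settings.MaintenanceSettings   # non-null => Automatic Maintenance task

# Sample MsMpEng CPU once per second for 10 seconds through performance counters,
# which does not require opening a handle to the protected process.
$samples = Get-Counter -Counter '\Process(MsMpEng)\% Processor Time' `
                       -SampleInterval 1 -MaxSamples 10 -ErrorAction Stop
$perCore = ($samples.CounterSamples.CookedValue | Measure-Object -Average).Average
$avgCpu  = [math]::Round($perCore / [Environment]::ProcessorCount, 1)  # % of whole machine

# Re-read the task state so it reflects the end of the sampling window.
$state = "$((Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName).State)"

$finding = if ($state -eq 'Running') {
    'Scheduled scan is running now; re-test once it has finished.'
} elseif ($avgCpu -ge $cpuThresholdPercent) {
    'MsMpEng is busy while the scheduled scan is NOT running: look at real-time protection.'
} else {
    'MsMpEng CPU is below the threshold during this sample.'
}

[pscustomobject]@{
    Task                   = $task.TaskName
    State                  = $state                      # Ready / Running / Disabled
    InAutomaticMaintenance = [bool]$maintenance
    MaintenancePeriod      = $maintenance.Period         # ISO 8601 duration string
    MaintenanceDeadline    = $maintenance.Deadline
    LastRunTime            = $info.LastRunTime
    LastTaskResult         = '0x{0:X}' -f $info.LastTaskResult
    NextRunTime            = $info.NextRunTime
    MsMpEngAvgCpuPercent   = $avgCpu
    Finding                = $finding
} | Format-List
```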
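An added example, not part of the original post: applying the file, process, and folder exclusions described under "Use exclusions for friendly apps" with the Defender cmdlets, while refusing entries that would exclude far more than the one app. The executable and folder paths are placeholders, and `Test-BroadExclusion` is a hypothetical helper written for this example.

```powershell
# Added example. Run in an elevated Windows PowerShell session.
# Placeholder paths: replace with the friendly app's real executable and folders.
$appExe  = 'C:\Program Files\ExampleBackup\ExampleBackup.exe'
$appDirs = @('C:\Program Files\ExampleBackup', 'D:\ExampleBackupData')

# Hypothetical helper: flags exclusions that cover a drive root, a system-wide
# folder, or a wildcard pattern instead of one application's own files.
function Test-BroadExclusion {
    param([Parameter(Mandatory)][string]$Path)
    $p = [Environment]::ExpandEnvironmentVariables($Path).TrimEnd('\')
    $systemWide = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)},
                    $env:ProgramData, $env:USERPROFILE, "$env:SystemDrive\Users")
    ($p -match '^[A-Za-z]:$') -or ($systemWide -contains $p) -or ($p -match '[*?]')
}

# 1. Review what is already excluded and mark the entries that are too wide.
$current = Get-MpPreference
$current.ExclusionPath | Where-Object { $_ } | ForEach-Object {
    [pscustomobject]@{ ExclusionPath = $_; TooBroad = Test-BroadExclusion $_ }
} | Format-Table -AutoSize

# 2. Exclude the main executable both as a file and as a process.
if (-not (Test-Path -LiteralPath $appExe -PathType Leaf)) {
    throw "Executable not found: $appExe"
}
Add-MpPreference -ExclusionPath    $appExe
Add-MpPreference -ExclusionProcess $appExe

# 3. Exclude the app's program, log, and backup folders, skipping anything too wide.
foreach ($dir in $appDirs) {
    if (Test-BroadExclusion $dir) {
        Write-Warning "Skipped '$dir': covers more than the application itself."
        continue
    }
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        Write-Warning "Skipped '$dir': folder does not exist."
        continue
    }
    Add-MpPreference -ExclusionPath $dir
}

# 4. Show the resulting lists; Remove-MpPreference takes the same parameters to undo.
Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess | Format-List
```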