
MsMpEng.exe Utilizing High Amounts of Memory

Anonymous
2023-02-20T17:11:24+00:00

My issue is with the Antimalware Service Executable > Windows Defender Antivirus Service from the file path C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2301.6-0 running the MsMpEng.exe service. It is utilizing 30-40% of my memory and spiking even higher, to 50-60%, at times.

Checked for Windows updates > Installed needed updates and rebooted

MSMpEng.exe still started on launch utilizing between 30-40% of my memory

I then ran:

sfc /scannow

DISM /Online /Cleanup-Image /CheckHealth

DISM /Online /Cleanup-Image /ScanHealth

DISM /Online /Cleanup-Image /RestoreHealth

All completed and I rebooted

MSMpEng.exe still started on launch utilizing between 30-40% of my memory

Disabled Real time protection, Tamper control, Sample sending and rebooted

MSMpEng.exe still started on launch utilizing between 30-40% of my memory

Went into group policy editor > Administrative Templates > Windows Components > Microsoft Defender > Turn off Microsoft defender > Enabled

Restarted

MSMpEng.exe still started on launch utilizing between 30-40% of my memory even after disabling Windows Defender

Tried to kill MsMpEng.exe service - Access Denied

Tried to Set affinity - Access Denied

Scheduled tasks for once a month, on the 30th

Restarted

MsMpEng.exe still started on launch utilizing between 30-40% of my memory

At this point I am at a loss as to what else I can do besides a full reinstall of Windows to fix this issue. It is causing massive performance issues, to the point where I cannot even use the laptop at times.

Windows for home | Windows 11 | Security and privacy

Locked question. This question was migrated from the Microsoft Support Community.


16 answers

  1. Anonymous
    2024-02-17T08:52:50+00:00

    My colleague found the following solution:

    cd "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24010.7-0"

    MpCmdRun.exe -ResetPlatform

    After these actions, the RAM consumption drops to normal values

    10+ people found this answer helpful.
  2. Ramesh 176.1K Reputation points Volunteer Moderator
    2023-02-20T17:20:47+00:00

    A third-party program/service (that frequently triggers the on-demand scanner) may be the culprit. You can start a clean boot by turning off all third-party services and startup programs using MSCONFIG.

    How to perform a clean boot in Windows

    Image

    (Source: Microsoft)

    (If your problem does not occur while the computer is in a clean boot environment, you can determine which startup application or service is causing the problem by systematically turning them on or off and restarting the computer.)

    Additional Information

    Please check out the following tweet by the PM, Microsoft Defender for Endpoint.

    Paul (DEFENDER) on Twitter: "This. When you observe msmpeng.exe high CPU usage. It’s most likely a symptom, not the disease. Diagnosis helps." / Twitter: https://twitter.com/Threatzman/status/1575654650644402182

    SwiftOnSecurity on Twitter: "Mystery: CPU fan at max, high Defender usage, but no current scan. Launch New-MpPerformanceRecording -recordto c:\1.etl , run for bit, Get-MpPerformanceReport c:\1.etl -topprocesses 100 Result: Dell SupportAssist was poking all EXE files on drive, triggering on-access scans." / Twitter: https://twitter.com/SwiftOnSecurity/status/1575625955766194176

    For more information, check out: Performance analyzer for Microsoft Defender Antivirus

    If you'd like to run a trace, start the <program> and repro the issue. When MsMpEng.exe CPU usage shoots up, do the following:

    Open admin PowerShell and run:

    • New-MpPerformanceRecording -recordto C:\Defender.ETL

    Stop the trace after 60 seconds.

    Then run:

    • Get-MpPerformanceReport -Path:C:\Defender.ETL -TopFiles:100 -TopExtensions:10 -TopProcesses:10 -TopScans:100 | out-file c:\scans.txt

    and then

    • tasklist /svc >>c:\scans.txt

    Go to Pastebin.com and paste the contents of c:\scans.txt, and share the link here.

    Note: The trace is meant to be run when Defender's resource usage is high. In an idle state, it's perfectly normal to see msmpeng.exe consuming 100-130 MB of memory.

    Additionally, a ProcMon trace will help you determine which program triggers the on-demand scanning.

    10 people found this answer helpful.
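
The trace procedure from Ramesh's answer above, wrapped as a script (an added example, not code from the thread): it waits until MsMpEng.exe's working set crosses a threshold, records for 60 seconds, and replaces the user-profile path in the report before writing it, since the answer asks for the file to be posted publicly. The 500 MB threshold, the 30-minute wait, the `Protect-ReportText` helper and the use of `-Seconds` (available on recent Defender platform versions) are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example. Threshold, wait time and helper names are assumptions,
# not values from the thread; the cmdlets and report switches are the ones
# used in the answer.
$ThresholdMB  = 500              # assumed trigger; idle is ~100-130 MB per the answer
$TraceSeconds = 60               # trace length given in the answer
$Etl          = 'C:\Defender.ETL'
$Report       = 'C:\scans.txt'

function Get-DefenderWorkingSetMB {
    # WorkingSet64 is readable even though the process itself is protected.
    $p = Get-Process -Name MsMpEng -ErrorAction SilentlyContinue
    if ($p) { [math]::Round($p.WorkingSet64 / 1MB) } else { 0 }
}

function Protect-ReportText {
    param([string]$Text)
    # Scan paths often sit under the user profile; hide the account name
    # before the report leaves the machine. -replace is case-insensitive.
    $Text -replace ([regex]::Escape($env:USERPROFILE)), '%USERPROFILE%'
}

# Wait (up to 30 minutes) for Defender's memory use to cross the threshold,
# so the trace captures the problem rather than an idle system.
$deadline = (Get-Date).AddMinutes(30)
while ((Get-DefenderWorkingSetMB) -lt $ThresholdMB) {
    if ((Get-Date) -gt $deadline) {
        throw "MsMpEng.exe stayed below $ThresholdMB MB; nothing to trace."
    }
    Start-Sleep -Seconds 5
}

# Record without user interaction; older platforms lack -Seconds and
# instead record until Enter is pressed.
New-MpPerformanceRecording -RecordTo $Etl -Seconds $TraceSeconds

# Same report switches as in the answer, rendered to text.
$scans = Get-MpPerformanceReport -Path $Etl -TopFiles 100 -TopExtensions 10 `
             -TopProcesses 10 -TopScans 100 | Out-String -Width 4096
$services = tasklist /svc | Out-String

Protect-ReportText ($scans + $services) |
    Set-Content -Path $Report -Encoding UTF8
Write-Host "Report written to $Report. Read it through before sharing."
```

The report still lists installed software and file names outside the profile, so it is worth reading before it goes to a public paste site.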
  3. Anonymous
    2023-02-20T18:14:36+00:00

    So it's idling at about 200 MB of memory and spiking upwards of 250 MB of memory. Having a laptop with only 8 GB of RAM makes this pretty noticeable.

    I did run that trace; here are the results for you: https://pastebin.com/KayeuzKV

    I tried to disable any third-party program using MSCONFIG and rebooting. When I rebooted, the PIN was not able to be entered and it said I needed to install it from the store. When I tried launching in Safe Mode, the PIN was still not available, and I ended up having to restore to a point from about a month ago. After this I was able to log in to my laptop, but I am still having the issue.

    5 people found this answer helpful.
  4. Anonymous
    2023-04-25T20:08:22+00:00

    Hi Will, I'm a Windows user and I've been struggling with the same sh*tt* service MsMpEng.exe for weeks.

    After a long time it seems I've found the definitive solution, and it consists of replacing the MsMpEng.exe file with a blank file with the same name. You can only do this after booting in Safe Mode, so here are the steps I took:

    • Boot in Safe Mode
    • Go to the file location inside the drive where you've installed Windows (in my case it is the C drive): C:\Windows\Help\Windows
    • Once you are inside this directory you will find the MsMpEng.exe file. I've just renamed it, you can delete it if you want.
    • Create a New File and name it same as the .exe: "MsMpEng.exe"

    Reboot in normal mode and that's it!! Good luck.

    Regards.

    3 people found this answer helpful.
  5. Ramesh 176.1K Reputation points Volunteer Moderator
    2023-02-20T18:34:11+00:00

    It appears that Edge Setup caused Defender to run amok. I think any other installer will cause the same thing. You may add these three folders to the Defender exclusions list, as a workaround.

    C:\Program Files (x86)\Microsoft\Edge

    C:\Program Files (x86)\Microsoft\EdgeCore

    C:\Program Files (x86)\Microsoft\EdgeUpdate

    //I tried to disable any third party program using the MSCONFIG and rebooting, when I rebooted the pin was not able to be entered and it said I needed to install it from the store.//

    I think you have disabled ALL services (including the MSFT services). Doing so causes the PIN sign-in issues you describe.

    In the image I posted, please see step 2. It's a most important step. You need to disable only the 3rd party services.

    Image

    That said, you may want to try the clean-boot procedure again and monitor the resource usage by Defender.

    2 people found this answer helpful.