
Windows antimalware service executable running almost all the time

MGsubbie

This has been happening for a while. For some reason, that thing will almost never stop running. I used task scheduler yesterday to make it a weekly scan starting tomorrow, but as I booted up my PC it immediately started doing its thing again. I have set pretty aggressive fan curves, so they constantly change between quiet and going MWEEEEEH which is annoying as hell.

 

So far the only other fix I have is disabling Windows Defender as a whole, but I don't want to do that. I just want this software to not try to scan all my files every single fucking day.

Link to comment

It is turned on all the time because it needs to be to enable real time protection. 

Link to comment

19 minutes ago, MGsubbie said:

This has been happening for a while. For some reason, that thing will almost never stop running. I used task scheduler yesterday to make it a weekly scan starting tomorrow, but as I booted up my PC it immediately started doing its thing again. I have set pretty aggressive fan curves, so they constantly change between quiet and going MWEEEEEH which is annoying as hell.

 

So far the only other fix I have is disabling Windows Defender as a whole, but I don't want to do that. I just want this software to not try to scan all my files every single fucking day.

 

@captain_to_fire is correct. The service runs all the time and scans files on-demand. You're right that it also does full scans, but this only happens when the machine is idle or on a schedule you set.

 

If it isn't running, you get no on-demand protection. Your only choice if you don't want it running at all would be to disable it, which you already said you don't want to do.

 

Basically: Having the process running doesn't mean it's constantly scanning your files - it only scans files that are actually accessed, when they are accessed. If you want specific directories to be excluded, like your games library if you're worried it's slowing down loading times, then you can set up an exclusion for specific directories in the Windows Defender settings.

Link to comment

Or you can just turn them off entirely like linus


Link to comment

2 minutes ago, williamcll said:

Or you can just turn them off entirely like linus

and get hacked

Link to comment

50 minutes ago, MGsubbie said:

This has been happening for a while. For some reason, that thing will almost never stop running. I used task scheduler yesterday to make it a weekly scan starting tomorrow, but as I booted up my PC it immediately started doing its thing again. I have set pretty aggressive fan curves, so they constantly change between quiet and going MWEEEEEH which is annoying as hell.

 

So far the only other fix I have is disabling Windows Defender as a whole, but I don't want to do that. I just want this software to not try to scan all my files every single fucking day.

You could get around this by excluding parts of your computer files.

 

For example I only scan the C:\ Drive (not including my documents, downloads, pictures, music, and other media)

Link to comment

1 hour ago, Tabs said:

 

@captain_to_fire is correct. The service runs all the time and scans files on-demand. You're right that it also does full scans, but this only happens when the machine is idle or on a schedule you set.

 

If it isn't running, you get no on-demand protection. Your only choice if you don't want it running at all would be to disable it, which you already said you don't want to do.

 

Basically: Having the process running doesn't mean it's constantly scanning your files - it only scans files that are actually accessed, when they are accessed. If you want specific directories to be excluded, like your games library if you're worried it's slowing down loading times, then you can set up an exclusion for specific directories in the Windows Defender settings.

Can I set it up so that it only checks new files like things I downloaded in my browser, and especially .exe files? I am not really worried about loading times or anything.

But my fans continuously ramp up and back down (multiple times per minute), I don't think those constant fluctuations are good for them. And even if that doesn't matter, my system constantly going from quiet to loud to quiet again etc is really working on my nerves.

 

1 hour ago, Tabs said:

 

@captain_to_fire

Basically: Having the process running doesn't mean it's constantly scanning your files - it only scans files that are actually accessed, when they are accessed. If you want specific directories to be excluded, like your games library if you're worried it's slowing down loading times, then you can set up an exclusion for specific directories in the Windows Defender settings.

 

The reason I assumed it's scanning all the time, is because the increase of CPU usage always goes hand in hand with disk utilization at dozens of MB/s.

Link to comment

54 minutes ago, MGsubbie said:

Can I set it up so that it only checks new files like things I downloaded in my browser, and especially .exe files? I am not really worried about loading times or anything.

But my fans continuously ramp up and back down (multiple times per minute), I don't think those constant fluctuations are good for them. And even if that doesn't matter, my system constantly going from quiet to loud to quiet again etc is really working on my nerves.

 

 

The reason I assumed it's scanning all the time, is because the increase of CPU usage always goes hand in hand with disk utilization at dozens of MB/s.

 

Are you certain that Windows Defender is the cause of those disk utilisation spikes though? The way on-access scanning works means if another program is accessing files on your drive, Windows Defender will scan them at the same time if they aren't excluded. It could be hiding the true cause of these ramps.

 

If you want to add exclusions, you can do so on a file type basis, a folder basis, an individual file, or from a specific process. If you can find a process that's causing disk activity that is therefore also causing Windows Defender to ramp up (Resource Monitor > disk tab, sort by total and then expand "Disk activity" to get a breakdown of file accesses), you can exclude that process and it should return to normal with the least amount of potential impact on your device protection.

Link to comment

14 minutes ago, Tabs said:

 

Are you certain that Windows Defender is the cause of those disk utilisation spikes though? The way on-access scanning works means if another program is accessing files on your drive, Windows Defender will scan them at the same time if they aren't excluded. It could be hiding the true cause of these ramps.

I did a reboot with all non-Windows services disabled through msconfig, the issue remained.

taskmanager.png

taskmanager2.png

Link to comment

6 minutes ago, MGsubbie said:

I did a reboot with all non-Windows services disabled through msconfig, the issue remained.

 

 

That's not really what I was getting at mate, task manager isn't as useful as resource monitor for getting into what actual work is being done by the software on your pc. It's almost impossible to see directly from Task Manager whether some other program running on your machine - Microsoft or not - is accessing the drive, and causing Windows Defender to ramp up. You can with resource monitor and a little work, though.

 

Even if you were to disable every non-Microsoft service and every single startup entry (remember, msconfig doesn't disable startup entries anymore, task manager does), you might still see the same issue.

 

At what utilisation does your fan speed start to ramp up? I'm assuming it's not the 1.3% shown on your previous screenshot, since that would be an incredibly aggressive fan profile.

Link to comment

8 minutes ago, Tabs said:

 

That's not really what I was getting at mate, task manager isn't as useful as resource monitor for getting into what actual work is being done by the software on your pc. It's almost impossible to see directly from Task Manager whether some other program running on your machine - Microsoft or not - is accessing the drive, and causing Windows Defender to ramp up. You can with resource monitor and a little work, though.

 

Even if you were to disable every non-Microsoft service and every single startup entry (remember, msconfig doesn't disable startup entries anymore, task manager does), you might still see the same issue.

 

At what utilisation does your fan speed start to ramp up? I'm assuming it's not the 1.3% shown on your previous screenshot, since that would be an incredibly aggressive fan profile.

Usually after 6%. The CPU tends to float at around 35-40°C when idling, when the fans spin up it goes above 50°C. Well the other way around but you know what I mean.

Link to comment

3 minutes ago, MGsubbie said:

Usually after 6%. The CPU tends to float at around 35-40°C when idling, when it spins up it goes above 50°C.

I can understand wanting to ensure your machine lasts a long time, but that's a much more aggressive fan profile than normal. 6% is effectively idle, your original post made it seem like you were reaching >50% just with Windows Defender.

 

Other than disabling Windows Defender, I don't think there's much you can do here except for changing your fan curve.

Link to comment

 

4 minutes ago, Tabs said:

I can understand wanting to ensure your machine lasts a long time, but that's a much more aggressive fan profile than normal. 6% is effectively idle, your original post made it seem like you were reaching >50% just with Windows Defender.

 

Other than disabling Windows Defender, I don't think there's much you can do here except for changing your fan curve.

6-8% might not be high on the surface, but it does seem to be excessive for an overclocked 8700k.

Link to comment

1 minute ago, MGsubbie said:

 

6-8% might not be high on the surface, but it does seem to be excessive for an overclocked 8700k.

You'll still want to go ahead and check on Resource Monitor using my previous instructions to find the actual process causing the disk activity then and either exclude that program or the file(s)/folder(s) it's accessing. 

 

Link to comment

2 minutes ago, Tabs said:

You'll still want to go ahead and check on Resource Monitor using my previous instructions to find the actual process causing the disk activity then and either exclude that program or the file(s)/folder(s) it's accessing. 

 

I will, and I will get back to you later. Thanks.

Link to comment

 

7 hours ago, Tabs said:

You'll still want to go ahead and check on Resource Monitor using my previous instructions to find the actual process causing the disk activity then and either exclude that program or the file(s)/folder(s) it's accessing. 

 

I have a whole bunch of "system" running, not sure what any of it is. The top picture is with CPU utilization at around 8%, the second one with 0-0.1% usage. The list quickly grew smaller and smaller as the CPU usage kept lowering.

 

Edit : I did some googling and it turns out those files are related to firefox. I got a google hit for mozilla's support page about antimalware usage, but sadly it's a dead link.

 

Edit 2 : Looks like I'm not the only one with this issue : https://answers.microsoft.com/en-us/windows/forum/windows_10-security/windows-defender-constantly-creates-and-reads/f5d48ecf-6446-40fd-b9e3-32ae5962b688

 

temp.png

 

 

temp2.png

Link to comment

23 minutes ago, MGsubbie said:

 

I have a whole bunch of "system" running, not sure what any of it is. The top picture is with CPU utilization at around 8%, the second one with 0-0.1% usage. The list quickly grew smaller and smaller as the CPU usage kept lowering.

 

Thanks for getting back to us mate.

 

Those are all SQLite databases being accessed from the temp folder. I can't imagine why something on your system is accessing so many SQLite databases from the temp folder - Windows uses MSSQL databases internally for some programs, but not SQLite, so this is definitely a third party program.

 

The issue with the System process is it means that an application with lower privilege has basically "asked" for access to somewhere it can't access directly; process and access isolation.

 

Do you know of any software running on your system that uses SQLite databases internally? Especially something of low privilege (since it's accessing the temp folder instead of a system directory).

 

Edit: I've looked around more thoroughly for this and Firefox seems to be a heavy user of SQLite databases for its history, cache and cookie storage.

If you close Firefox, does the issue remain?

Link to comment

1 minute ago, Tabs said:

 

Thanks for getting back to us mate.

 

Those are all SQLite databases being accessed from the temp folder. I can't imagine why something on your system is accessing so many SQLite databases from the temp folder - Windows uses MSSQL databases internally for some programs, but not SQLite, so this is definitely a third party program.

 

The issue with the System process is it means that an application with lower privilege has basically "asked" for access to somewhere it can't access directly; process and access isolation.

 

Do you know of any software running on your system that uses SQLite databases internally? Especially something of low privilege (since it's accessing the temp folder instead of a system directory).

I edited my post with a link to others having the same issue with firefox.

 

I do not know anything about SQLite, so I used the Wikipedia page to look at common users. The only one besides Firefox that I use is Skype (yeah yeah I know, but I know people who only use Skype.)

 

Perhaps this can shed more light?

 

 

program files x86.png

program files.png

Link to comment

Firefox is pretty much the only one I would expect to use their databases in this fashion - Skype stores its data either in %appdata% (for the win32 version) or in the C:\Program Files\WindowsApps folders (for the uwp version), so it never touches the systemwide Temp folder.

Firefox is designed implicitly to work with all platforms, so it uses the system %temp% or %tmp% variable to determine where to store these, which on Windows defaults to C:\Windows\Temp.

 

 

 

 

Link to comment

2 minutes ago, Tabs said:

Firefox is pretty much the only one I would expect to use their databases in this fashion - Skype stores its data either in %appdata% (for the win32 version) or in the C:\Program Files\WindowsApps folders (for the uwp version), so it never touches the systemwide Temp folder.

Firefox is designed implicitly to work with all platforms, so it uses the system %temp% or %tmp% variable to determine where to store these, which on Windows defaults to C:\Windows\Temp.

 

 

 

 

I tried setting that folder as an exception in Windows Defender, but it didn't change one bit.

Link to comment

@MGsubbie 

 

I went back and had a look at your updates, sorry, I missed them in my last response.

 

Firefox is the most likely culprit here but due to it being a low privilege process, you can't directly set firefox as an exclusion due to the way it accesses this directory.

 

You have one option here that I don't fully recommend but believe it may help your situation: Set C:\Windows\Temp as an excluded directory in Windows Defender, but this also means that any other programs that use C:\Windows\Temp might no longer be fully protected by the on-access scanner.

Link to comment
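
Tabs's posts above name four kinds of exclusion (file type, folder, individual file, process) and the caveat that excluding C:\Windows\Temp weakens on-access protection for everything else that uses it. As an added example (not from the thread or from Microsoft), this PowerShell function reviews a Defender preference object, such as the output of `Get-MpPreference`, and flags exclusions that are broader than they look; the function name, the risk rules and the sample values are this example's own assumptions.

```powershell
# Added example: review Microsoft Defender exclusions and flag the broad ones.
# The risk rules are this example's own heuristics, not a Microsoft list.
function Get-DefenderExclusionAudit {
    param(
        # Object exposing ExclusionPath / ExclusionExtension / ExclusionProcess,
        # normally the output of Get-MpPreference from an elevated prompt.
        [Parameter(Mandatory)] $Preference
    )

    # Folders that many unrelated programs can write to.
    $sharedDirs = @("$env:SystemRoot\Temp", $env:TEMP, $env:PUBLIC) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }
    # File types that can carry code.
    $codeExts = 'exe', 'dll', 'sys', 'scr', 'ps1', 'bat', 'cmd', 'vbs', 'js', 'msi'

    foreach ($p in @($Preference.ExclusionPath)) {
        if (-not $p) { continue }
        $norm = $p.TrimEnd('\')
        $finding = 'ok: narrow folder or file'
        if ($p -like 'N/A:*') {
            $finding = 'hidden: rerun elevated to see the value'
        } elseif ($norm -match '^[A-Za-z]:$') {
            $finding = 'RISK: whole drive excluded'
        } else {
            foreach ($d in $sharedDirs) {
                if ($norm -ieq $d -or $norm -like "$d\*" -or $d -like "$norm\*") {
                    $finding = "RISK: overlaps shared writable folder $d"
                }
            }
        }
        [pscustomobject]@{ Kind = 'Path'; Value = $p; Finding = $finding }
    }

    foreach ($e in @($Preference.ExclusionExtension)) {
        if (-not $e) { continue }
        $bare = $e.TrimStart('*').TrimStart('.').ToLower()
        $finding = 'ok: data file type'
        if ($codeExts -contains $bare) { $finding = 'RISK: executable or script type' }
        [pscustomobject]@{ Kind = 'Extension'; Value = $e; Finding = $finding }
    }

    foreach ($x in @($Preference.ExclusionProcess)) {
        if (-not $x) { continue }
        # A process exclusion skips files that process opens. A bare image name
        # matches a process with that name started from any folder.
        $finding = 'ok: full image path'
        if ($x -notmatch '[\\/]') { $finding = 'RISK: name only, any folder matches' }
        [pscustomobject]@{ Kind = 'Process'; Value = $x; Finding = $finding }
    }
}

# Constructed sample: the Temp folder exclusion discussed in the thread plus
# one made-up entry of each other kind. Paths other than Temp are placeholders.
$sample = [pscustomobject]@{
    ExclusionPath      = @("$env:SystemRoot\Temp", 'D:\Games\Library')
    ExclusionExtension = @('.sqlite', 'exe')
    ExclusionProcess   = @('firefox.exe', 'C:\Program Files\Mozilla Firefox\firefox.exe')
}
Get-DefenderExclusionAudit -Preference $sample | Format-Table -AutoSize

# On a real machine, from an elevated prompt:
# Get-DefenderExclusionAudit -Preference (Get-MpPreference) | Format-Table -AutoSize
```

Entries reported as RISK can be dropped with `Remove-MpPreference` using the matching `-ExclusionPath`, `-ExclusionExtension` or `-ExclusionProcess` parameter.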

I tried that al

3 minutes ago, Tabs said:

@MGsubbie 

 

I went back and had a look at your updates, sorry, I missed them in my last response.

 

Firefox is the most likely culprit here but due to it being a low privilege process, you can't directly set firefox as an exclusion due to the way it accesses this directory.

 

You have one option here that I don't fully recommend but believe it may help your situation: Set C:\Windows\Temp as an excluded directory in Windows Defender, but this also means that any other programs that use C:\Windows\Temp might no longer be fully protected by the on-access scanner.

I tried that already, unfortunately it did not work.

Link to comment

6 minutes ago, MGsubbie said:

I tried setting that folder as an exception in Windows Defender, but it didn't change one bit.

 

Again, you posted this when I was in the middle of typing that post for you.

 

I'm not going to suggest that you change web browser, but the issue with Windows Defender seems tied to Firefox.

 

Assuming you don't want to change web browser or antivirus program, I don't think much more can be helpful here. Sorry.

Link to comment

1 minute ago, Tabs said:

 

Again, you posted this when I was in the middle of typing that post for you.

 

I'm not going to suggest that you change web browser, but the issue with Windows Defender seems tied to Firefox.

 

Assuming you don't want to change web browser or antivirus program, I don't think much more can be helpful here. Sorry.

No problem, thanks for the help anyway.

Link to comment

2 minutes ago, MGsubbie said:

No problem, thanks for the help anyway.

When was the last time you cleared your history/cache in firefox out of interest? You seem to have quite a lot of data stored, and it's exacerbating the problem by having more to scan each time firefox accesses its history.

Link to comment