What the heck is Windows Antimalware Service scanning all the time?

If the Antimalware Service Executable or the Windows Defender Advanced Threat Protection Service Executable is constantly hogging your CPU while you’re trying to get work done, or draining the battery of your laptop, you’re likely constantly changing files it deems necessary to scan.

On my work machine, I had two culprits: A virtual machine disk image that was being written to when the VM was running, and the cache directory for GitHub copilot and syntax highlighting in my IDE.

The solution is to add the files and/or directories that are constantly being scanned to the exclusions list for Windows Defender. You can access this list easily by going to “Virus & threat protection” => “Virus and threat protection settings (Manage settings)” => “Exclusions (Add or remove exclusions)”.

To figure out which files are being scanned, you can use the MpPerformanceRecording tool. Run the following commands in an Administrator PowerShell session while Windows Defender is doing its thing (you may have to keep using the tools that make it suck up all the CPU cycles while the recording runs); they should help track down the culprit(s). The time spent scanning each file (over and over again) is listed in the output.

> New-MpPerformanceRecording -RecordTo C:\recording.etl
> Get-MpPerformanceReport -Path:C:\recording.etl -TopFiles:100 -TopExtensions:10 -TopProcesses:10 -TopScans:100 | Out-File C:\output.txt

Let it record for quite some time, while the Antimalware Service is acting up, then get the performance report and consider adding exclusions. Keep in mind a few things:

  • Adding exclusions means the files won’t be scanned at all. Don’t ever add things you don’t completely trust, like your downloads directory, file servers, mailboxes or anything of the sort.
  • Keep your exclusions specific. Don’t add all of AppData just because some program in there has a cache directory somewhere inside its own directory. Premature optimization is a potential hazard here.
  • You will most likely have to reboot for the changes to take effect.
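The whole procedure above as one script, added here as an example and not taken from the original post: it records for a fixed window, writes the report, lists the exclusions already in place, refuses obviously broad paths, and then adds a single narrow exclusion. All paths are placeholders; the -Seconds parameter of New-MpPerformanceRecording and the TopFiles property of the report object are assumptions about the module version you have installed.

```powershell
# Added example (not the original post's commands). Run in an elevated PowerShell session
# while the workload that keeps Defender busy (VM, IDE, ...) is running.
$Recording = 'C:\Temp\defender-recording.etl'   # placeholder path
$Report    = 'C:\Temp\defender-report.txt'      # placeholder path
$Seconds   = 120

# 1. Record scan activity. -Seconds is assumed; if your DefenderPerformance module lacks it,
#    omit the parameter and press Enter in the console to stop the recording manually.
New-MpPerformanceRecording -RecordTo $Recording -Seconds $Seconds

# 2. Build the report and keep a readable copy on disk.
$perf = Get-MpPerformanceReport -Path $Recording -TopFiles 25 -TopExtensions 10 -TopProcesses 10 -TopScans 50
$perf | Out-File $Report

# 3. Show the busiest files. TopFiles as a property name is an assumption about the
#    report object; $perf alone prints the full formatted report if it is not present.
$perf.TopFiles | Format-Table -AutoSize

# 4. Review what is already excluded before changing anything.
Write-Host 'Current path exclusions:'
(Get-MpPreference).ExclusionPath

# 5. Exclude only the specific file or directory the report points at (placeholder).
$HotPath = 'C:\VMs\work-vm.vhdx'

# Refuse paths that would silence scanning for far more than the hot spot.
$TooBroad = @($env:APPDATA, $env:LOCALAPPDATA, $env:USERPROFILE, $env:SystemDrive + '\') |
    ForEach-Object { $_.TrimEnd('\') }
if ($TooBroad -contains $HotPath.TrimEnd('\')) {
    throw "Refusing to exclude '$HotPath': pick the specific cache directory or disk image instead."
}

Add-MpPreference -ExclusionPath $HotPath

# 6. Confirm the exclusion landed; a reboot may still be needed before Defender honours it.
(Get-MpPreference).ExclusionPath -contains $HotPath
```

Re-run the recording after the exclusion (and reboot) to confirm the file has dropped out of the top of the report; if CPU use is unchanged, the culprit is a different path rather than a reason to widen the exclusion.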

Hope this helps.
