Troubleshoot Microsoft Defender Antivirus performance issues with Process Monitor

Article
03/20/2025

Tip

First, review common reasons for performance issues, such as high CPU usage. See Troubleshoot performance issues related to Microsoft Defender Antivirus real-time protection (rtp) or scans (scheduled or on-demand. Then, run the Microsoft Defender Antivirus Performance Analyzer. This tool will help identify the cause of high CPU usage in Microsoft Defender Antivirus, whether it's the Antimalware Service Executable, the Microsoft Defender Antivirus service, or MsMpEng.exe. If the Microsoft Defender Antivirus Performance Analyzer doesn't identify the root cause of the high CPU utilization, proceed with running Processor Monitor. The final tool in your toolkit to run is Windows Performance Recorder UI (WPRUI) or Windows Performance Recorded (WPR command-line).

Capture process logs using Process Monitor

Process Monitor (ProcMon) is an advanced monitoring tool that provides real-time data on processes. It can be used to capture performance issues, such as high CPU usage, and to monitor application compatibility scenarios as they occur.

You can capture a Process Monitor (ProcMon) trace by using the MDE Client Analyzer or by using a manual process.

Using the MDE Client Analyzer

Download the MDE Client Analyzer.
Run the MDE Client Analyzer using Live Response or locally.

Tip

Before starting the trace, please make sure that the issue is reproducible. Additionally, close any applications that do not contribute to the reproduction of the issue.

Run the MDE Client Analyzer with the -c and -v switches:

C:\Work\tools\MDEClientAnalyzer\MDEClientAnalyzer.cmd -c -v

Manual process

Download Process Monitor v4.01 to a folder like C:\temp.
To remove the file's mark of the web:
1. Right-click ProcessMonitor.zip and select Properties.
2. Under the General tab, look for Security.
3. Check the box beside Unblock.
4. Select Apply.
Unzip the file in C:\temp so that the folder path is C:\temp\ProcessMonitor.
Copy Procmon.exe to the Windows client or Windows server you're troubleshooting.

Tip

Before running ProcMon, make sure all other applications not related to the high CPU usage issue are closed. Taking this step helps to minimize the number of processes to check.
You can launch ProcMon in two ways: using Procmon.exe or command line.
- To use Procmon.exe, download it, and open it as an administrator.
  1. If this is your first time using ProcMon, click Agree to accept the Process Monitor License Agreement.
  2. Since logging starts automatically, stop the capture by selecting the Capture button or pressing Ctrl+E.
  3. To confirm the capture has stopped, look for a pause icon on the Capture button, then delete the logged entries by selecting the Clear button or pressing Ctrl+X.
- To use command line, open Command Prompt as an administrator. Then, run the following command:
Tip

Make the ProcMon window as small as possible when capturing data so you can easily start and stop the trace
Set filters by selecting the Filter icon. Standard filters are set by default. You can also filter the results after the capture is complete. If you applied any filters, click Apply and then OK.
To start the capture, select the Capture button again.
Reproduce the problem.

Tip

Wait for the problem to be reproduced, then note the timestamp when the trace begins.
After capturing two to four minutes of process activity during high CPU usage, stop the capture by clicking the Capture button.
To save the capture with a unique name in the .pml format, go to File then click Save.... Ensure you select the radio buttons All events and Native Process Monitor Format (PML).
For better tracking, change the default path from C:\temp\ProcessMonitor\LogFile.PML to C:\temp\ProcessMonitor\%ComputerName%_LogFile_MMDDYEAR_Repro_of_issue.PML where: