Troubleshoot Microsoft Defender Antivirus performance issues with Process Monitor
Tip
First, review common reasons for performance issues, such as high CPU usage. See Troubleshoot performance issues related to Microsoft Defender Antivirus real-time protection (RTP) or scans (scheduled or on-demand). Then, run the **Microsoft Defender Antivirus Performance Analyzer**. This tool helps identify the cause of high CPU usage in Microsoft Defender Antivirus, whether it's the Antimalware Service Executable, the Microsoft Defender Antivirus service, or MsMpEng.exe. If the Microsoft Defender Antivirus Performance Analyzer doesn't identify the root cause of the high CPU utilization, proceed with running Process Monitor. The final tool in your toolkit is Windows Performance Recorder UI (WPRUI) or Windows Performance Recorder (WPR command line).
Capture process logs using Process Monitor
Process Monitor (ProcMon) is an advanced monitoring tool that provides real-time data on processes. It can be used to capture performance issues, such as high CPU usage, and to monitor application compatibility scenarios as they occur.
There are two ways to capture a Process Monitor (ProcMon) trace:
- Using the MDE Client Analyzer
- Manually
Using the MDE Client Analyzer
Download the MDE Client Analyzer.
Run the MDE Client Analyzer using Live Response or locally.
Tip
Before starting the trace, please make sure that the issue is reproducible. Additionally, close any applications that do not contribute to the reproduction of the issue.
Run the MDE Client Analyzer with the -c and -v switches:
C:\Work\tools\MDEClientAnalyzer\MDEClientAnalyzer.cmd -c -v
Manually
Download Process Monitor v3.89 to a folder like C:\temp. To remove the file's mark of the web:
- Right-click ProcessMonitor.zip and select Properties.
- Under the General tab, look for Security.
- Check the box beside Unblock.
- Select Apply.
Unzip the file in C:\temp so that the folder path is C:\temp\ProcessMonitor. Copy ProcMon.exe to the Windows client or Windows server you're troubleshooting.
Tip
Before running ProcMon, make sure all other applications not related to the high CPU usage issue are closed. Taking this step helps to minimize the number of processes to check.
You can launch ProcMon in two ways.
- Right-click ProcMon.exe and select Run as administrator. Since logging starts automatically, stop the capture by selecting the magnifying glass icon or pressing Ctrl+E. To confirm the capture has stopped, look for a red X on the magnifying glass icon.
- Run the command line as admin, then from the Process Monitor path, run:
Tip
Make the ProcMon window as small as possible when capturing data so you can easily start and stop the trace.
After completing step 6, set filters by selecting OK. You can filter the results after the capture is complete.
To start the capture, select the magnifying glass icon again.
Reproduce the problem.
Tip
Wait for the problem to be reproduced, then note the timestamp when the trace begins.
After capturing two to four minutes of process activity during high CPU usage, stop the capture by clicking the magnifying glass icon.
To save the capture with a unique name in the .pml format, go to File, then select Save.... Ensure you select the radio buttons All events and Native Process Monitor Format (PML). For better tracking, change the default path from C:\temp\ProcessMonitor\LogFile.PML to C:\temp\ProcessMonitor\%ComputerName%_LogFile_MMDDYEAR_Repro_of_issue.PML, where:
- %ComputerName% is the device name
- MMDDYEAR is the month, day, and year
- Repro_of_issue is the name of the issue you're trying to reproduce
Tip
If you have a working system, you might want to get a sample log to compare.
- Zip the .pml file and submit it to Microsoft Support.
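The manual procedure above (unblock and unzip the download, launch ProcMon elevated, capture for a few minutes, save the .pml under the unique name, zip it), as an added PowerShell example that is not part of the original article. It assumes the download sits at C:\temp\ProcessMonitor.zip, and it uses the /AcceptEula, /Quiet, /Minimized, /BackingFile and /Runtime switches, which are Process Monitor command-line options documented by Sysinternals rather than anything the article lists; the issue label and the 180-second capture window are placeholders to adjust.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Microsoft article: automates the manual ProcMon
# capture steps described above.
# Assumptions: ProcessMonitor.zip is at C:\temp; /AcceptEula, /Quiet,
# /Minimized, /BackingFile and /Runtime are the documented Procmon switches;
# $IssueLabel and $RuntimeSeconds are placeholders to adjust per case.
param(
    [string]$ZipPath        = 'C:\temp\ProcessMonitor.zip',
    [string]$Destination    = 'C:\temp\ProcessMonitor',
    [string]$IssueLabel     = 'Repro_of_issue',   # short name of the issue being reproduced
    [int]   $RuntimeSeconds = 180                 # capture window: two to four minutes of high CPU
)

# Remove the mark of the web (same effect as Properties > Unblock > Apply).
Unblock-File -Path $ZipPath

# Unzip so that ProcMon.exe lands in C:\temp\ProcessMonitor.
Expand-Archive -Path $ZipPath -DestinationPath $Destination -Force

# Build the unique log name: <ComputerName>_LogFile_MMDDYEAR_<issue>.PML
$dateStamp = Get-Date -Format 'MMddyyyy'
$logFile   = Join-Path $Destination ('{0}_LogFile_{1}_{2}.PML' -f $env:COMPUTERNAME, $dateStamp, $IssueLabel)

# Start ProcMon elevated and minimized, writing events straight to the backing
# file (so File > Save is not needed). /Quiet skips the filter dialog that
# would otherwise wait for OK; /Runtime stops the capture after the given
# number of seconds, replacing the manual Ctrl+E step. Reproduce the issue
# while it runs; -Wait blocks until ProcMon and its child process exit.
$procmon     = Join-Path $Destination 'ProcMon.exe'
$procmonArgs = @('/AcceptEula', '/Quiet', '/Minimized',
                 '/BackingFile', "`"$logFile`"",
                 '/Runtime', "$RuntimeSeconds")
Start-Process -FilePath $procmon -ArgumentList $procmonArgs -Verb RunAs -Wait

# Zip the .pml for submission to Microsoft Support.
$zipOut = [System.IO.Path]::ChangeExtension($logFile, '.zip')
Compress-Archive -Path $logFile -DestinationPath $zipOut -Force
Write-Host "Capture saved to $logFile and zipped to $zipOut"
```

Run it from an elevated PowerShell prompt on the machine being troubleshot, after closing the applications that aren't part of the reproduction; if you also want a baseline from a working system, run the same script there with a different -IssueLabel so the two .pml files are easy to tell apart.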