Quick fix: Add Defender’s own scan target list to an exclusion (the recursive-scan paradox), trim the Real-Time Protection working set with Set-MpPreference -DisableScanOnRealtimeEnable $false, and limit the scan CPU cap to 25. MsMpEng.exe memory creep at idle is almost always a recursive folder-watch loop on a deep nested directory.
Open Task Manager when the PC has been idle for an hour and you see Antimalware Service Executable (MsMpEng.exe) holding 1–3 GB of memory. CPU is low, disk is quiet, the system isn’t being scanned — yet Defender just keeps growing. The process is doing real-time inspection on file system events, and a misbehaving folder is generating a steady stream of events that Defender re-scans on every tick.
Affects: Windows 11 with Microsoft Defender Antivirus enabled.
Fix time: 15 minutes to diagnose; time to fix varies.
What causes high MsMpEng memory at idle
Defender’s Real-Time Protection registers a kernel filter that intercepts every file open, close, and modification. Each intercept walks the file through the signature database and the cloud reputation lookup. Normally the cost is bounded by user activity. The memory creep happens when one of three things is true: a watched folder generates a constant stream of file events (sync services, dev environments, log writers), the cloud reputation cache grows unbounded for binaries it can’t classify quickly, or a scheduled scan is paused mid-run and its working set is held until next attempt.
Diagnosing this takes one PowerShell command (which folder is being scanned), one Task Manager view (which process is generating the events), and one adjustment (exclude the offending path).
Method 1: Find and exclude the noisy folder
- Open PowerShell as Administrator.
- Run Get-MpComputerStatus | Select-Object QuickScanStartTime, FullScanStartTime, RealTimeProtectionEnabled to confirm Real-Time is on (it should be).
- Run Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending | Select-Object -First 10. If detections cluster around one path, that’s your suspect.
- Open Resource Monitor (resmon), go to the Disk tab, and watch the Disk Activity rows for MsMpEng.exe. The Files column shows what Defender is scanning right now.
- Add the noisy folder to exclusions: Add-MpPreference -ExclusionPath "C:\Users\YourName\AppData\Local\NoisyDevTool".
- Restart Windows Defender Antivirus Service via services.msc → Microsoft Defender Antivirus Service → Restart. Wait 30 seconds and check Task Manager. Memory should drop back to ~200–300 MB.
Common culprits: WSL2 file systems, Docker image layers, Visual Studio Code remote folders, Node.js node_modules trees, Git working directories with thousands of small files.
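Every exclusion is a folder Defender no longer inspects, so the exclusion step in Method 1 is worth guarding. The following is an added example, not part of the original article: the function name Add-ScopedDefenderExclusion and its deny-list of broad locations are assumptions chosen for illustration. It refuses drive roots, Windows directories and profile-wide folders, and supports -WhatIf for a dry run.

```powershell
# Added example, not from the original article. Function name and deny-list are assumptions.
function Add-ScopedDefenderExclusion {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)

    # Resolve to an existing directory so typos and relative paths never become exclusions.
    $full = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath
    if (-not (Test-Path -LiteralPath $full -PathType Container)) {
        throw "Not a directory: $full"
    }
    $resolved = $full.TrimEnd('\')

    # Locations where an exclusion would hide common malware drop points from Defender.
    $tooBroad = @(
        $env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData,
        $env:USERPROFILE, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP,
        (Join-Path $env:USERPROFILE 'Downloads'), (Join-Path $env:USERPROFILE 'Desktop')
    ) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

    $isDriveRoot = $resolved -match '^[A-Za-z]:$'
    $inWindows = $resolved.StartsWith("$env:SystemRoot\", [StringComparison]::OrdinalIgnoreCase)
    if ($isDriveRoot -or $inWindows -or ($tooBroad -contains $resolved)) {
        throw "Refusing to exclude '$resolved': too broad. Exclude the specific subfolder instead."
    }

    # Skip paths that are already excluded (-contains is case-insensitive for strings).
    if (@((Get-MpPreference).ExclusionPath) -contains $resolved) {
        Write-Warning "'$resolved' is already excluded."
        return
    }

    # Record MsMpEng's working set first so the effect can be compared after the service restart.
    $before = (Get-Process -Name MsMpEng -ErrorAction SilentlyContinue).WorkingSet64
    if ($PSCmdlet.ShouldProcess($resolved, 'Add Defender path exclusion')) {
        Add-MpPreference -ExclusionPath $resolved
    }
    [pscustomobject]@{
        ExcludedPath    = $resolved
        MsMpEngMBBefore = if ($before) { [math]::Round($before / 1MB) } else { $null }
        AllExclusions   = @((Get-MpPreference).ExclusionPath)
    }
}

# Dry run with the article's placeholder path; substitute the folder Resource Monitor showed.
# Add-ScopedDefenderExclusion -Path 'C:\Users\YourName\AppData\Local\NoisyDevTool' -WhatIf
```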
Method 2: Limit Defender’s scan CPU and memory budget
If excluding folders isn’t practical (you need them protected), constrain Defender’s resource use globally.
- In PowerShell as Admin, run:
Set-MpPreference -ScanAvgCPULoadFactor 25
Set-MpPreference -DisableCpuThrottleOnIdleScans $false
Set-MpPreference -ScanScheduleQuickScanTime 02:00
- This caps active scans at 25% CPU and lets idle scans get throttled. Quick scans run at 2 AM only.
- For aggressive memory limits, add Set-MpPreference -CheckForSignaturesBeforeRunningScan $true; this clears signature buffers before each scan instead of keeping them resident.
The CPU cap is set in BIOS terms (a fraction of total cores). 25 on an 8-core CPU means 2 cores at full tilt, which is reasonable for a workstation.
Method 3: Disable Real-Time Protection temporarily to confirm the diagnosis
If you’re not sure Defender is the actual cause, turn off Real-Time briefly and observe.
- Open Windows Security → Virus & threat protection → Manage settings.
- Toggle Real-time protection off. Note that Windows re-enables it after a few hours; this is for diagnosis only.
- Wait 5 minutes and check MsMpEng.exe memory in Task Manager. If it drops, Real-Time was the cause and Methods 1–2 will help. If it stays high, Defender isn’t actually growing — something else is.
- Turn Real-Time protection back on immediately after the test.
Don’t leave Real-Time off as a workaround. It’s a diagnostic step only.
How to verify the fix worked
- Reboot. Wait 1 hour of idle. Open Task Manager. MsMpEng.exe memory stays under 500 MB.
- Run Get-MpPreference | Select-Object ExclusionPath, ScanAvgCPULoadFactor and confirm your exclusions and CPU cap are set.
- Check Event Viewer → Applications and Services → Microsoft → Windows → Windows Defender → Operational. No repeating “Scan completed with errors” entries at 1–5 minute intervals.
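The idle check above can be scripted instead of watched by hand. This is an added example, not part of the original article: the function name Test-DefenderIdleMemory and its defaults are assumptions, with the defaults taken from the one-hour window and 500 MB target stated above. It also reports whether Real-Time Protection is still enabled, so a low reading caused by protection being left off is not mistaken for a fix.

```powershell
# Added example, not from the original article. Function name and defaults are assumptions.
function Test-DefenderIdleMemory {
    param(
        [int]$Samples = 12,           # 12 samples x 5 minutes = the one-hour idle window
        [int]$IntervalSeconds = 300,
        [int]$LimitMB = 500           # the article's "stays under 500 MB" target
    )

    # Sample the full working set; Task Manager's Memory column shows the private
    # working set, so its figure is usually somewhat lower than these readings.
    $readings = @(
        for ($i = 0; $i -lt $Samples; $i++) {
            if ($i -gt 0) { Start-Sleep -Seconds $IntervalSeconds }
            $proc = Get-Process -Name MsMpEng -ErrorAction Stop
            [math]::Round($proc.WorkingSet64 / 1MB)
        }
    )

    $peak = ($readings | Measure-Object -Maximum).Maximum
    $pref = Get-MpPreference

    [pscustomobject]@{
        FirstMB              = $readings[0]
        LastMB               = $readings[-1]
        PeakMB               = $peak
        GrowthMB             = $readings[-1] - $readings[0]
        UnderLimit           = ($peak -lt $LimitMB)
        # A passing result only counts if protection is actually running.
        RealTimeProtectionOn = (Get-MpComputerStatus).RealTimeProtectionEnabled
        ScanAvgCPULoadFactor = $pref.ScanAvgCPULoadFactor
        ExclusionPath        = $pref.ExclusionPath
    }
}

# Quick smoke test: three samples, ten seconds apart.
# Test-DefenderIdleMemory -Samples 3 -IntervalSeconds 10
```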
If none of these work
If MsMpEng.exe keeps growing after exclusions and CPU cap, the issue may be the cloud-delivered protection service polling a path Defender can’t reach. Run Set-MpPreference -CloudBlockLevel 0 (default) instead of higher levels, and verify Internet connectivity to https://www.microsoft.com/wdsi isn’t blocked. For machines on metered or air-gapped networks, set Set-MpPreference -MAPSReporting Disabled to keep Defender from waiting on cloud responses. As a last resort, an in-place repair upgrade reinstalls the Defender platform from scratch, which is useful when a Defender Platform update partially failed and left the service in a bad state.
Bottom line: MsMpEng.exe memory creep is almost always a recursive scan on a noisy folder. Add an exclusion, restart the service, and the memory comes back. The CPU cap is your insurance for unattended growth.