Why MsMpEng.exe Spikes CPU Usage and How to Tame It

Quick fix: MsMpEng.exe is Windows Defender’s real-time scanner. High CPU usually means it’s scanning a folder with constant file changes (Visual Studio builds, OneDrive sync, Docker). Add the heavy folder to Defender exclusions: Settings → Privacy & security → Windows Security → Virus & threat protection → Manage settings → Exclusions → Add an exclusion.

Task Manager shows Antimalware Service Executable (MsMpEng.exe) using 30–90% CPU for extended periods. The PC slows down. Defender is scanning files in real time; on systems with many file changes (developer environments, large media collections), the scanner can’t keep up. Targeted exclusions fix it.

Symptom: Antimalware Service Executable (MsMpEng.exe) sustained high CPU usage.
Affects: Windows 11 (and Windows 10) with Windows Defender Real-time Protection.
Fix time: ~15 minutes.


What causes this

Windows Defender scans files when they’re accessed, written, or executed. On developer machines with builds, this means every compile produces hundreds of file events, each triggering a scan. On OneDrive-synced folders, every sync event triggers a scan. On Docker containers, every container start triggers scans of image layers. The cumulative CPU load can be massive.

Method 1: Add exclusions for known-safe folders

The right balance of security and performance.

  1. Identify the heavy folders. Common offenders:
    • C:\Users\<you>\source\repos (Visual Studio projects)
    • C:\Users\<you>\projects (general dev work)
    • C:\Users\<you>\node_modules (Node.js)
    • %LocalAppData%\Microsoft\OneDrive (OneDrive cache)
    • %LocalAppData%\Docker
    • Game install folders (Steam library, Epic Games)
  2. Open Settings → Privacy & security → Windows Security → Virus & threat protection → Manage settings.
  3. Scroll to Exclusions. Click Add or remove exclusions.
  4. Click Add an exclusion:
    • Folder: select your project folder.
    • File: specific large file.
    • File type: specific extension (e.g., .tmp).
    • Process: specific EXE (e.g., node.exe).
  5. Add each heavy folder. Within 1–2 minutes, MsMpEng.exe CPU should drop.
  6. Don’t exclude system folders (C:\Windows, C:\Program Files) — those need scanning.

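Targeted exclusions reduce CPU load while system folders stay scanned. Defender does not scan files under an excluded folder, so keep each exclusion as narrow as the workload allows.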


Method 2: Adjust Defender’s scheduled scan timing

For PCs where the spikes correlate with scheduled scans.

  1. Open Task Scheduler. Navigate to Microsoft → Windows → Windows Defender.
  2. Find Windows Defender Scheduled Scan. Right-click → Properties.
  3. On Triggers tab: edit the schedule to run during off-hours (e.g., 3 AM weekly).
  4. On Conditions tab: tick "Start the task only if the computer is idle for" and set it to 10 minutes, so the scan starts only when the PC is idle.
  5. Also tick Stop if the computer ceases to be idle. Scans pause when you start using the PC.
  6. Open Settings → Privacy & security → Windows Security → Virus & threat protection → Scan options. Confirm what scan types run.
  7. For PCs that run weekly Full Scans: switch to Quick Scan weekly + Full Scan monthly via scheduled task.

This shifts scan work to times you don’t use the PC.

Method 3: Use Tamper Protection and Exclusion management via PowerShell

For IT-managed environments.

  1. Open Terminal (Admin).
  2. Add folder exclusion programmatically:
    Add-MpPreference -ExclusionPath "C:\Users\me\projects"
  3. Add process exclusion:
    Add-MpPreference -ExclusionProcess "node.exe"
  4. List current exclusions:
    Get-MpPreference | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess
  5. For deployment: script these into a setup batch run at first login or via Intune Configuration Profile.
  6. For PCs with too many exclusions slowing real-time scan: consider disabling real-time entirely on developer machines via Group Policy. Trade-off: weaker security. Use only on isolated dev VMs or build agents.
  7. For developer-specific tuning: Set-MpPreference -CloudBlockLevel Default -CloudExtendedTimeout 0. Cloud lookups slow scans; reduced timeout helps.

This is the right path for sysadmins.
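
A deployment script built from steps 2–5, as an added example (not from the original article): it adds folder exclusions only when the folder exists and does not cover a system folder, then lists every configured exclusion and marks the ones worth reviewing. The folder list and the `Test-SafeExclusion` helper are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example. The folder list is a constructed sample; edit it for your machines.
$wanted = @(
    "$env:USERPROFILE\source\repos",
    "$env:USERPROFILE\projects",
    "$env:LOCALAPPDATA\Docker"
)

# Folders that must stay scanned (Method 1, step 6) and roots too broad to exclude.
$mustScan = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$tooBroad = @($env:USERPROFILE) + $mustScan

function Test-SafeExclusion {
    param([Parameter(Mandatory)][string]$Path)
    # Plain string comparison: expands %VAR% forms, does not resolve wildcards or "..".
    $x = [Environment]::ExpandEnvironmentVariables($Path).TrimEnd('\') + '\'
    foreach ($p in $mustScan) {   # equal to or inside a system folder
        if ($x.StartsWith($p.TrimEnd('\') + '\', [StringComparison]::OrdinalIgnoreCase)) { return $false }
    }
    foreach ($p in $tooBroad) {   # equal to or a parent of a folder that needs scanning
        if (($p.TrimEnd('\') + '\').StartsWith($x, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    }
    return $true
}

# 1. Add only folders that exist, pass the guard, and are not already excluded.
$current = @((Get-MpPreference).ExclusionPath)
foreach ($path in $wanted) {
    if (-not (Test-Path -LiteralPath $path -PathType Container)) {
        Write-Warning "Skipped (folder not found): $path"
    } elseif (-not (Test-SafeExclusion $path)) {
        Write-Warning "Refused (system folder or too broad): $path"
    } elseif ($current -notcontains $path) {
        Add-MpPreference -ExclusionPath $path
    }
}

# 2. Audit what is configured now, including exclusions added by other tools.
$pref = Get-MpPreference
$pref.ExclusionPath | Where-Object { $_ } | ForEach-Object {
    [pscustomobject]@{ Type = 'Path'; Value = $_; Review = -not (Test-SafeExclusion $_) }
}
# A bare image name such as node.exe matches that name in any folder; a full path is narrower.
$pref.ExclusionProcess | Where-Object { $_ } | ForEach-Object {
    [pscustomobject]@{ Type = 'Process'; Value = $_; Review = -not [IO.Path]::IsPathRooted($_) }
}
```

Rows with `Review = True` are exclusions that cover a system folder, a whole profile or drive, or a process named without its full path.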

How to verify the fix worked

  • Open Task Manager → Processes. Antimalware Service Executable CPU usage drops to single digits when idle.
  • Run heavy file operations (build, sync). MsMpEng spikes briefly but returns to baseline quickly.
  • Check exclusions list: Windows Security → Exclusions. Your folders are listed.

If none of these work

If MsMpEng still spikes after exclusions, the cause may be:

  • Signature update download: Defender downloads signatures periodically. The brief CPU spike is normal; it can’t be disabled without breaking security.
  • Cloud-protection lookups: every unknown file triggers cloud lookup. On metered or slow connections, lookups time out and retry. Settings → Privacy & security → Windows Security → Virus & threat protection → Cloud-delivered protection → toggle off if your network can’t keep up.
  • For PCs with both Defender and third-party AV: turn off one. Running two AVs causes mutual scanning loops.
  • Defender controlled folder access: Settings → Virus & threat protection → Manage Ransomware Protection → Controlled folder access. If enabled, it intercepts every write to specific folders. Disable if it’s the cause of writes-triggered slowdowns.
  • Last resort: replace Defender with third-party AV: free Bitdefender or Kaspersky often have lower idle CPU than Defender, with comparable protection.

Bottom line: Add developer/sync folders to Defender exclusions. Adjust scheduled scan to off-hours. Use PowerShell Add-MpPreference -ExclusionPath for scripted management.
