none
Why is MsMpEng.exe using so much CPU?

    Question

  • It's always running high on CPU when any process is using CPU.
    It really lags my Windows XP systems.

    Are there any ways of optimizing MsMpEng, which I understand is Microsoft Malware Protection.
    I run version 1.5.1958 on ForeFront Client Security on updated Windows XP Pro systems (all updates)
    Wednesday, May 06, 2009 11:52 AM

Answers

  • Hi,

     

    Thank you for your update.

     

    I am sorry for misunderstanding. As this issue is very common with OneCare and Windows Defender, I think the principle is the same. The MSMPENG.EXE may consume memory and CPU when a scan is running. Meanwhile, this issue may also occur when there is a conflict with other process or service.

     

    To narrow down this issue, we need more information. Could you show us more detail information?

     

    1. In which scenario MSMPENG.exe high CPU issue will happen (such as rebooting, or FCS scanning)?

    2. Is the high CPU issue always able to reproduce?

    3. How long the high CPU issue may last? High CPU forever? Or just last for several minutes?

    4. How many clients of all occur this issue?

     

    As FCS client leverages Automatic Update service, there is known issue for high CPU issue. You may have known it:

    http://support.microsoft.com/kb/927891/en-us

     

    We suggest to install this update to all client machines to avoid hitting this possible high cpu issue.

     

    Regards,


    Nick Gu - MSFT
    Tuesday, May 12, 2009 8:43 AM
    Moderator

All replies

  • Is it doing a scan possibly?  If not then  you can examine c:\documents and settings\all users\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Support and the MPlog-DATE.log file and see if you have any "Expensive" files listed during the time as it may be due to a file read/write pattern that is strange where you may need an exclusion for that file.
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Wednesday, May 06, 2009 7:54 PM
    Moderator
  • Hi,

     

    Thank you for your post.

     

    According to your description, I understand that: MSMPENG.exe are taking excessive CPU.

     

    Based on my experience, MSMPENG is the antimalware detection engine shared by OneCare and Windows Defender. If MSMPENG.EXE is constantly consuming excessive memory and CPU, there is a conflict on your PC with another process or service. I would recommend disabling all startup items via MSCONFIG. If the problem goes away, enable startup items one at a time until the conflict is identified.

     

    When the scanning is ended, your machine won’t have this MsMpEng.exe running, waiting for the next Quick Scan. You can do the following:

    1)      Immediately stop the scan by calling Windows Defender and stopping it.

    2)      Remove schedule scan form Windows Defender in Options. Recommendation is to keep it on schedule.

    3)      Change hour of this scheduled scanning to a more convenient for your activities, for instance during your lunch times.

     

    Regards,


    Nick Gu - MSFT
    Thursday, May 07, 2009 3:49 AM
    Moderator
  • I doubt this is a scan, since our group policy says that Forefront should scan each wednesday at 03:00

    Why do you talk of Windows Defender or OneCare? I'm using ForeFront.
    Friday, May 08, 2009 1:12 PM
  • Hi,

     

    Thank you for your update.

     

    I am sorry for misunderstanding. As this issue is very common with OneCare and Windows Defender, I think the principle is the same. The MSMPENG.EXE may consume memory and CPU when a scan is running. Meanwhile, this issue may also occur when there is a conflict with other process or service.

     

    To narrow down this issue, we need more information. Could you show us more detail information?

     

    1. In which scenario MSMPENG.exe high CPU issue will happen (such as rebooting, or FCS scanning)?

    2. Is the high CPU issue always able to reproduce?

    3. How long the high CPU issue may last? High CPU forever? Or just last for several minutes?

    4. How many clients of all occur this issue?

     

    As FCS client leverages Automatic Update service, there is known issue for high CPU issue. You may have known it:

    http://support.microsoft.com/kb/927891/en-us

     

    We suggest to install this update to all client machines to avoid hitting this possible high cpu issue.

     

    Regards,


    Nick Gu - MSFT
    Tuesday, May 12, 2009 8:43 AM
    Moderator
  • I am having problems with mapped drives getting scanned while running our corporate application. It is also happening while access a network url \\server\share.

    Application is launched and MSMPENG.exe takes 50-98% of the CPU for several minutes. I have run Filemon while launching and MSMPENG.EXE hits every file on the mapped drive.

    occurs on all clients..

    so.
    1. FCS MSMPENG.exe (Malware protection??) scanning when launching an application or accessing a network resource.
    2. always reproduceable
    3. several minutes if only one network resource... so if using network resources continuously... it lasts continuously.
    4. all clients that use the corporate software and access network resources.

    Regards,

    Thursday, June 11, 2009 11:44 PM
  • Just exclude the processes and folders from forefront scanning. AV software puts a burden on any machine because it interupts I/O operations, so in all likelyhood your going to have to configure it not to scan certain heavily used files. Typically you exclude log files, database files, and directories that do group processing. That can be configured on the client locally or via group policy. To configure exclusion on your machines, to this:

    1. Right click the green check box in your system tray
    2. Click tools
    3. Click Options

    There you can exlude files by types, paths, or accessing process (like SQL.exe)

    Please give me points if this helps, I only need 2000 to get to the next level. (Vote as Helpful)
    • Edited by MGMNVA Tuesday, June 30, 2009 2:25 PM Edited typos
    Wednesday, June 17, 2009 9:45 PM
  • Just exclude the processes and folders from forefront scanning. AV software puts a burden on any machine because it interupts I/O operations, so it all likelyhood your going to have to configure it not to scan certain heavily used files. Typically you exclude log files, database files, and directories that do group processing. That can be configured on the client locally or via group policy. To configure exclusion on your machines, to this:

    1. Right click the green check box in your system tray
    2. Click tools
    3. Click Options

    There you can exlude files by, types, paths, or accessing process (like SQL.exe)

    Please give me points if this helps, I only need 2000 to get to the next level. (Vote as Helpful)

    File types and paths can be set on the management server, processes must be set by either the user (you must allow the user to do this in the management console), or you have to add them to the registry through some scripting process.  I haven't had too many issues with running processes though...
    Thursday, June 18, 2009 11:56 AM
  • HAL07,

    We had a similar problem, a couple important things to note:

    File exclusions: 
    I don't know what your file exclusions look like, be sure to follow what is recommended here:
    http://support.microsoft.com/default.aspx/kb/822158/
    Also, exclude any expensive files..

    Forefront Client Security Assessment Service:
    I disabled the Forefront Client Security Assessment Service as it was resulting in high CPU usage, this can be done through the Forefront Management Console.  In addition, you may want to disable the FcsSas service on your clients as it's not being utilized.  I'm not sure what your infrastructure looks like, but if you have SCCM or SMS you can script this to turn it off.  Let me know if you need an example.

    Definition updates:

    An issue has been identified with the way Forefront client handles definition updates, resulting in the entire catalog being cached down unnecessarily; from what I hear the issue is being worked on.  Until then, I had to increase the amount of time clients looked for definition updates to 20-24 hours; the default is set at 6 hours. 

    You can also run the diagnostic utility located here:
    C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware
    Run mpcmdrun  –trace
     
    Let it run for about a minute and open it with SMS Trace (beware the file is quite large).  It will alert you to any expensive files (which can be excluded, be cautious when doing this) and also what  the application is doing.

    I hope this helps!
    Thursday, June 18, 2009 12:04 PM
  • Michaelk123,
    I'm very interested in the tool you've mentioned (MPCMDRUN).

    however, when I run it on trace mode it generates a BIN file. I could not read it using SMS Trace 2003. When I open it, it shows a blank screen.

    I could only open it using Notepad++ but as it is on BIN mode, it just displays garbage.

    can you help?

    Thanks!
    Saturday, October 31, 2009 7:11 PM
  • Does MsMpEng continually monitor new files that are created on the filesystem? Including those in "Local Settings", such as those in the Internet Explorer temporary file filder? If so, will staying logged into web sites, such as Facebook, that continually update web pages cause MsMpEng to keep doing work? What about with applications such as Thunderbird? If I have a 1GB mailbox on disk, will it rescan the entire mailbox every time I download a new email or delete an email or send a new email (which gets copied to my local Sent folder) or just mark on as read? (The file has changed, so...) Or is there some other reason why MsMpEng needed to spike up its CPU% just for my visit this web site? (Task Manager was open in a window new to IE) While sitting here typing in this window, I've seen it jump as high as 48%. Applications running included IE, Thunderbird and TaskManager. Is there any way to have it learn about "Trusted" web sites in IE's configuration so that if I tell it *.microsoft.com is "Trusted" that there's no need to scan html/jpeg files downloaded from social.technet.microsoft.com for virii? On the other hand, I'm quite happy for it to rerun every time I download a new email with Outlook Express because that is a very well known source of security issues and just can't be trusted.
    Monday, December 14, 2009 3:20 AM
  • I had same problem and turned off ICS sharing in the firewall and things turned back to normal. 30 percent usage down to 18 is now average range.
    • Proposed as answer by csdm Thursday, February 18, 2010 5:27 AM
    Thursday, February 18, 2010 5:23 AM
  • I turned off ICS sharing in the firewall and everything returned to normal.  cpu usage 30% down to 18 average.  was 75-90 most of the time. 
    Thursday, February 18, 2010 5:30 AM
  • I had the same problem, MSE was using up to 99% RAM (4GB installed). The logfile (MPlog-DATE.log) contained lots of messages about GamingAccess.exe: Resource Schema:samplefileexpensive Resource Path:D:\Pro Evolution Soccer 2010\GamingAccess.exe->[SiEPO]->[EPO-V-0]->[SiEPO]->[EPO-V-0]->[SiEPO]->[EPO-V-0]->[SiEPO]->[EPO-V-0]->[SiEPO]->[EPO-V-0]->[SiEPO]->[EPO-V-0]->[SiEPO]->[EPO-V-0]->[SiEPO]->[EPO-V-0]->[SiEPO]->[EPO-V-0]->[SiEPO]->[EPO-V-0]->[SiEPO]->[EPO-V-0]->[SiEPO]->[EPO-V-0]->[SiEPO]->[EPO-V-0]->[SiEPO]->[EPO-V-0]->[SiEPO]->[EPO-V-0]->[SiEPO]->[EPO-V-0]->[SiEPO]->[EPO-V-0]->[SiEPO]->[EPO-V-0]->[SiEPO]->[EPO-V-0]->[SiEPO]->[EPO-V-0]->[EPO-V-0]->[SiEPO]->[EPO-V-0]->[SiEPO]->[EPO-V-0]->[SiEPO] Result Count:1 Unknown File Identifier:10853481087552716798 Number of Resources:1 Once i excluded that file from being scanned, MSE runs normal again.
    Thursday, April 29, 2010 6:37 PM
  • Emtri

    I solve my problem.

    The crack for PES2010 Patch 1.03 started to loop Security Essencial and it consumes the maximum of memory..

    Just put the old crack for 1.0 version and the problem is solved.
    • Proposed as answer by n.jking Friday, April 30, 2010 12:21 PM
    Friday, April 30, 2010 4:16 AM
  • NICK, I am not picking on you but I wanted to weigh in on this issue with an EeePC 900a with XP. This hardware equates to about a normal five year old or so PC. So when it boots up and I get the desktop, I run Task Manager and see MsMpEng.exe consuming major amounts of CPU for up to maybe five minutes. If I run a program, especially a browser, the XP Netbook will freeze for extended periods of time to run whatever and sometimes acts like it is permanently damaged due to my normal expectations. I use Security Essentials and it is a great AV that is inobtrusive, always updated or updatable, and scans swiftly. Outside the INTERNET arena I can run a video once i get the desktop without freezing, as apparently I have the hardware resources to let Security Essentials do it's thing plus run a video simultaneously without interfering with the AntiVirus program setting itself up. [My opinion as a user].

    I do not notice the MsMpEng.exe on my normal desktops a x3 Phenom Win7 Home Premium or my flagship i7 950 Sabertooth Win7 Ultimate I use and update with Security Essentials.

    I CONCLUDE my lowend wimpy netbook just is handicapped. I merely have to work with a five minute delay before internet browsing or see that the Task Manager is running a real low line on CPU utilization before surfing.

    PEOPLE IN THIS THREAD - if you have five year old hardware I am afraid you will have to live with issues like new 2011 programs hogging the hardware resources you have.

    Thursday, March 03, 2011 9:33 PM
  • Hi,

     

    I had this problem, I found that the usual problem for MsMpEng.exe eating up CPU power is a conflicting program in my case 'Windows Live Essentials' appeared to conflict with Microsoft security Essentials and it also floors the CPU when running a virus scan.

    Thursday, March 31, 2011 5:44 PM
  • I had this problem, Microsoft Security Essentails(Green Lock in System Stray) opened and uncheck the Scheduled scan...HardFaults/min by MsMpEng.exe was brought down to zero...

    Hope it helps,


    HydPhani
    Tuesday, August 23, 2011 4:28 PM
  • Just had this problem myself, all i done was to restart the service and  the high CPU usage dropped to normal.

    hope this helps.

    Sunday, June 03, 2012 12:39 PM
  • I installed Microsoft Security Essentials on a  Windows XP SP3 system that was running really slowly using Symantec Endpoint Protection.  I noted that SEP processes were taking up most of the CPU and a big memory footprint, so I uninstalled SEP and installed MSE, which I run on my Windows 7 system just fine.

    MsMpEng.exe stayed between 50% and 80%, which was actually an improvement but not good enough.  I tried adding the three directories to not scan, but that made no difference.  I stopped non-essential processes from loading at startup, but that made no difference.

    I ran Malwarebytes full scan, Superantispyware scan, eset scan, and adwcleaner (very cool, very fast).  I found lots of additional things and removed them.  Also checked for rootkit with TDSSKiller.

    What finally worked was cleaning junk off my disk; I removed my appdata Symantec files (many thousands of files) and did a Microsoft accessories system tools disk cleanup.  After that, MsMpEng runs between 0 and 20, usually around 15 percent of the CPU.

    Friday, January 04, 2013 5:27 PM
  • I have read numerous posts on many boards as to this program being a problem. Thanks to reading some of those posts I have solved the problem on my computer. Some how I no longer have windows defender in my tray. I suspected by the way my hard drive was cranking and my computer crawling that windows defender might have started. The problem was I could not find the tray icon so I had no way to tell. I finally went to start programs, found windows defender and clicked on it to find it was running a scan. Some might find this helpful.
    Thursday, January 10, 2013 10:10 AM
  • If the Scheduled Scans consume too many resources, click on Settings > Scheduled Scan, and you will see an option called "Limit CPU usage during scan".  Reduce this to a number you can live with like 10%, and you should be good.  Worked great for me.
    Thursday, March 14, 2013 10:48 PM
  • Just open task manager and set the priority of MsMpEng.exe to low... then it won't interfere with the rest of the processes on the computer so badly.
    Monday, May 13, 2013 8:41 PM
  • With a recent update, this priority-reset is no longer an option, and returns the following message: "The operation can not be completed, Access Denied". Being able to reset to a lower priority task is no longer allowed. And yes, this error IS received under "Administrator Account" as well. Being a IT Professional I find this "Security Essentials Software" rather intrusive, even on a Quad-Core PC.

    "Microsoft Security Essentials" is NO LONGER ESSENTIAL, because it's always running between 50% and 75% of the quad-core total load. Analysis shows it has been running non-stop for 72 hours straight since initial installation.

    Monitoring shows it has run constantly at no less than 50% (two whole cores), non-stop, and at max point, a full 83% (three+ cores) and has scanned all drives over 29 times looking for infections over and over again without stopping, or even realizing none were found in the first place.

    Therefore:

    This software receives a "ZERO STARS" rating due to it's total intrusion on productivity. NO OTHER Antivirus software has, to date, ever tested this badly.

    software is supposed to help the consumer, not totally hinder them in their day-to-day life.

    Shame on you Microsoft, for developing and deploying such bullshit software.

    Tuesday, May 21, 2013 1:53 AM
  • On XP, I turned off the scheduler as suggested somewhere above.  That seems to be working.
    Friday, August 23, 2013 5:54 PM
  • Adding C:\Program Files\Microsoft SQL Server to the Excluded files and locations in Microsoft Security Essentials helped in my case.
    Saturday, October 05, 2013 12:59 AM
  • JonathanC2005 - I agree. MS Security essentials used to be great and I've recommended it countless times for years. Now that they've removed the priority setting capability, it slams my brand new top of the line PC (8 core i7 with SSD) outrageously and uncontrollably.  I'm sorry to see MS Security Essentials go.
    Saturday, March 01, 2014 7:49 PM
  • Windows Defender + ConTEXT text editor = 50% CPU load on msmpeng.exe + 30 seconds delay when starting the editor. This was not happening before (a year ago). Adding the editor to 'do not scan these files' seems to be the only solution.
    Sunday, April 06, 2014 4:55 PM