How to Fix High CPU Usage By Antimalware Service Executable (MsMpEng)

Antimalware Service Executable is the name of the process MsMpEng (MsMpEng.exe) used by the Windows Defender program. The service associated with this program is the Windows Defender Service. The two most common reason for it to be consuming high cpu usage are the real-time feature which is constantly scanning files, connections and other related applications in real time, which is what it is supposed to be doing (Protect In Real Time).

The second is the Full Scan feature which may be scanning all files, when the computer either wakes up from sleep or when it is connected to a network, or if it is scheduled to run daily. The bit to understand here, is that when it is doing a complete scan, your system will experience frequent lagging, hanging and delayed access/response from your input/interactions with the system, because the CPU is Hijacked by Defender. Don’t be afraid or lose patience here, instead let it run and scan, wait a few minutes and if there are lots of files etc, then it may even take a few hours, so let it run and finish what it is doing for the sake of your protection, once it has completed, it will release the CPU and the USAGE will drop down to its normal.

However, Full SCAN should only be done once in awhile and not everyday, what I’ve seen with most users is that they have scheduled the scan feature to run when the computer wakes up from sleep, or when it’s connected to network, or if scan is scheduled to run daily.

This issue may also apply to people using Windows 7 and hence on Microsoft Security Essentials. The methods are very similar if not the same.

So to fix this issue, follow the methods below.

Method 1: Repair Corrupt Defender Files

Download and run Reimage Plus to scan and repair corrupt/missing files from here, if files are found to be corrupt and missing repair them and then see if the CPU usage is still high, if YES then move to Method 2.

Method 2: Reschedule Windows Defender Properly

  1. Click the Start Menu on the left side, and type Administrative Tools. Click on it to open it.Antimalware Service Executable-1
  2. From the Administrative Tools, explorer Window, choose Task Scheduler. Double click on it to open it.Antimalware Service Executable-2
  3. From the left pane of Task Scheduler browse to the following path:
  4. Library/Microsoft/Windows/Windows defender
  5. Once you’re in the Windows Defender Folder, locate the Name called “Windows Defender Scheduled Scan”, click on it once to highlight it and then choose Properties.Antimalware Service Executable-3
  6. From the Properties Windows, Click on the Conditions Tab and Un-check the options under Idle, Power and Network and Click OK. Don’t Worry, we will schedule it properly in the steps to come.Antimalware Service Executable-4
  7. Once this is done, we will then reschedule it. Click the Properties from the right pane again, and this time choose the Triggers tab, and Click New. Here, choose the Weekly option or Monthly, as per your preference, and then choose the Day, Click OK and make sure it is enabled.2015-11-28_094849
  8. This will re-schedule the Defender to work as per your preference. Now, if the scan was previously running, wait for it to finish, you’ll see the results after the scan has finished, but when the scan does run as per your defined schedule, you will still get the High CPU Usage. Repeat the same for the three other schedules.
  9. Windows Defender Cache Maintenance, Windows Defender Cleanup, Windows Defender Verification
  10. Turn the conditions off, set the trigger to run once a week.

Method 3: Turning off Windows Defender

Disabling Windows Defender can help fix this issue as this was the only way that worked for a lot of users. When using this method, remember to install another antivirus as that will less likely consume less CPU time than Windows Defender. We will be using the Local Group Policy Editor for this, and this works on only Windows Enterprise and Pro Editions of Windows 10 and more advanced versions of earlier OS’s. If you can’t use the Local Group Policy Editor, then use the Registry Tweak below.

Using the Local Group Policy Editor

  1. Press the Windows Key + R, type in gpedit.msc in the Run dialog box and click OK to open the Local Group Policy Editor.
  2. In the Local Group Policy Editor, navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender.
  3. At this Group Policy path, look for the setting named Turn off Windows Defender and double click it. Select the Enabled option to disable Windows Defender. Click Apply followed by OK.
  4. Windows Defender should be disabled instantly. If if doesn’t, restart the computer and check to see if it’s disabled.

Using the Registry

  1. Press the Windows Key + R, type in regedit in the Run dialog box and click OK to open the Windows Registry.
  2. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
  3. If you see a registry entry named DisableAntiSpyware, double click to edit it and change its value to 1.

If you don’t find the entry there, double-click on [this] registry file and apply it to your registry.

Method 4: Adding Antimalware Service Executable to Windows Defender Exclusion List

Adding MsMpEng.exe to an exclusion list considerably reduces the CPU consumption.

  1. Press Ctrl + Shift + Esc on your keyboard to open the Windows Task Manager. In the list of processes, look for the Antimalware Service Executable process.
  2. Right-click on it and select “Open File Location” to see the full path of the executable. You will see the file MsMpEng highlighted. Click on the address bar and copy the location of this file path.
  3. Hold the Windows Key and Press I, Choose Update and Security, Then Choose Windows Defender from the left pane, scroll down and choose > Add an exclusion “under exclusion” > Exclude a .exe, .com or .scr process or File Type, and paste the path to MsMpEng.exe
  4. Come back to your Task Manager and this process will be consuming just a little fraction of your processor. Paste the full path to the folder you copied and then add \MsMpEng.exe to it. Click OK to save changes.

Method 5: Scan For Malware

There is a likelihood a malware has infected the MsMpEng.exe process. Try scanning with an anti-malware application like MalwareBytes and AdwCleaner to scan for and delete any malware which could be present on your PC.

Method 6: Removing Bad Updates

Sometimes, Windows Defender acquires bad definition updates and that causes it to identify certain Windows’ files as viruses. Therefore, in this step, we will be removing these updates using Command Prompt. In order to do that:

  1. Press “Windows” + “R” keys simultaneously to open the run prompt.
  2. Type in “cmd” and press “Shift” + “Ctrl” + “Enter” simultaneously to provide administrative privileges to the command prompt.
    Typing cmd in the Run Prompt and pressing Shift + Alt + Enter to open an elevated Command Prompt
  3. Click on “yes” in the prompt.
  4. Type in the following command and pressEnter
    "%PROGRAMFILES%\Windows Defender\MPCMDRUN.exe" -RemoveDefinitions -All

    Note: Keep the commas in the command

  5. After that, type in the following command and pressEnter
    "%PROGRAMFILES%\Windows Defender\MPCMDRUN.exe" -SignatureUpdate
  6. Wait for the process to be completed and check to see if the issue persists.


  1. i had similar problem. i had read that it easy for the windows antivirus to get infected. after i have seen such solution as here to add the antimalware itself into its own exclusions, i have come to idea that it is infected itself. so, then i have reinstalled windows.

    warning: you will need to reinstall all programs if you reinstall windows!

    warning: if you connect your hdd to other computer not with usb cable, but directly, i am afraid you may boot from it and infect the healthy hdd, so you sould carefully choose boot device. also you should be afraid of running programs from the infected hdd manually or by some autostart mechanism, though as far as i know that autostart was in windows xp, but it is not very actual with more new versions of windows, since it is disabled by default.

    warning: you may lose your windows’ activation! i think my windows key was saved in efi partition, you may need to find and write your windows product key to a paper.

    for that (reinstalling windows), i have connected its hdd via external case with usb cable to a linux, and deleted windows and program files (except some configuraion files of programs in appdata), (also i deleted users directory and others, moving my files to another folder before that), (just deleting whole c: partition, moving your files to other place before that, may be faster, if you have files of little total size), and deleted some partitions, except EFI boot partition, though that was dangerous, i hoped it (the EFI partition) was not infected. then, i created new windows 10 iso and dvd and reinstalled windows using it.

    about not deleting efi partition: i thought my windows key was saved in it. i think i could get windows product key using some command or program from inside the old infected windows, i am not sure whether i could get windows key from that partition by other method. i think i could, if i had windows key, alternatively change gpt partition scheme to mbr and delete it (the EFI). i had seen that windows did not install due to GPT if i put laptop to non-EFI mode. or, if i was sure i can get windows key from the efi later, i could remove boot flag from it instead of deleting it.

    alternatively, instead of reinstalling windows, you can try to check your windows hdd with other antivirus, installing it to same system, or, better, to other machine, and connecting this infected hdd to it, and booting from the healthy hdd.

    why i did not just run windows installer from inside the old infected windows installation? because it was recommended to me to format all hdd and to boot from the installer dvd in order to not infect fresh installation. i believe in this principle, and, as i said, i just delete some files instead of deleting/formatting all partitions, because formatting would require a new hdd to move files to it.

    alternatively, you can try to get old state of your system from some backup system… (there are also windows’ built-in system or systems, and you may have one from laptop manufacturer and you may have made backups manually or get them automatically). (this may delete your latest changes to your files, so you may need to save such files somewhere).

    alternatively, you can reinstall windows from laptop manufacturers’ special partition. i have not used this way, because windows 8 was there, and i wanted to try to install a “vanilla” windows, ie without the additional preinstalled soft.

  2. Method 4 worked for me, I was only seeing the slowdown when running Thunderbird Email. So I added the folder containing Thunderbird profiles (C:UsersJohnAppDataRoamingThunderbirdProfiles) to the Defender Exclusion list and that fixed it.

Leave a Reply

Your email address will not be published.