Antimalware Service Executable High CPU Fix: 5 Ways to Stop the Lag

Antimalware Service Executable eating your CPU? Cap Defender CPU limit via Group Policy, stop the self-scanning loop, and fix corrupted definitions fast.

Ekin Yalgın

December 11, 2025·5 min read

Antimalware Service Executable High CPU Fix: 5 Ways to Stop the Lag

The Antimalware Service Executable process locking your CPU at 100% is usually triggered by a self-scanning loop within Windows Defender or a corrupted definition file. You do not need to leave your system completely vulnerable by disabling your antivirus just to regain system performance. Here is how you can cap the CPU limit and resolve the underlying loop safely.

Time needed: 5 to 10 minutes Safest solution: CPU capping via Group Policy Editor Common culprit: Windows Defender scanning its own folder Required tools: Registry Editor, Task Scheduler, Command Prompt

Why is MsMpEng.exe Using So Much CPU?

The MsMpEng.exe process handles the real-time protection feature of Windows Defender. It is different from MRT.exe, which is the standalone Malicious Software Removal Tool that only runs occasionally. It continuously scans downloaded files, network connections, and background applications for threats. When it encounters large compiled developer folders or accidentally scans its own executable, it enters an infinite loop. This loop instantly consumes all available processing power and freezes your workflow.

Method 1: Cap Windows Defender CPU Usage (The Safe Fix)

Disabling your security software completely is a massive security risk. Capping the maximum processing power Windows Defender can use is a much smarter approach. You maintain full real-time protection while keeping your system responsive.

Limit CPU via Group Policy Editor (GPO)

Press Win + R, type gpedit.msc, and press Enter. Navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Scan.

Double-click on Specify the maximum percentage of CPU utilization during a scan. Select Enabled and change the percentage to a value between 20 and 50 (50% is a reasonable default for most systems). Click Apply and restart your computer.

Method 2: Stop the Self-Scanning Loop

Windows Defender has a known quirk where it tries to scan its own directory. This creates a feedback loop that instantly maximizes your disk and processor usage. Telling the software to ignore its own files stops this behavior immediately.

Add Windows Defender to Exclusions

Open Windows Security and go to Virus & threat protection. Click on Manage settings under the Virus & threat protection settings section.

Scroll down to Exclusions and click Add or remove exclusions. Select Add an exclusion, choose Folder, and select the C:\Program Files\Windows Defender path.

Exclude Developer Folders (node_modules, VMs)

Developer environments contain thousands of tiny files that trigger constant real-time scans. If you write code or run virtual machines, these folders are likely the root cause of your slowdowns. Use the same exclusion menu to add your node_modules directories, game libraries, and VM storage paths.

Method 3: Reschedule Windows Defender Scans

Background scans often trigger during active working hours because of improper scheduling configurations. You can adjust the system scheduler to prevent these heavy tasks from running with maximum system authority.

Disable Highest Privileges in Task Scheduler

Press Win + S, type Task Scheduler, and open it. Navigate to Task Scheduler Library > Microsoft > Windows > Windows Defender. Double-click on Windows Defender Scheduled Scan.

Uncheck the box that says Run with highest privileges. Go to the Conditions tab and uncheck all options to prevent unexpected triggers while you are actively working.

Method 4: Fix Corrupted Definition Updates

Sometimes the antimalware service gets stuck trying to apply a broken signature update. Clearing the update cache forces the system to download a fresh, working copy.

Clear Definition Loop via CMD

Open Command Prompt as an administrator. Type cd C:\Program Files\Windows Defender and press Enter. Then type mpcmdrun.exe -removedefinitions -all and hit Enter again.

Once that completes, type mpcmdrun.exe -signatureupdate and execute it. This clears the broken files and pulls the latest definitions directly from Microsoft.

Repair System Files with SFC /Scannow

Corrupted core Windows files can also cause the Defender service to malfunction. Run sfc /scannow in your elevated Command Prompt. Wait for the verification to reach 100 percent and restart your system if the tool repairs any corrupted files.

Method 5: The Nuclear Option (Disable Antimalware Service Executable)

If the previous methods fail and your system is still unusable, you can shut down the service completely. You must install an alternative antivirus immediately after doing this to stay protected.

Warning: Turn Off Tamper Protection First (Windows 11)

This is a critical step that most guides miss. Windows 11 blocks any unauthorized registry changes to security services through a feature called Tamper Protection.

Open Windows Security, go to Virus & threat protection settings, and toggle Tamper Protection to off. If you skip this, the registry edits below will simply fail silently.

Disable via Services (services.msc)

Press Win + R, type services.msc, and hit Enter. Scroll down and locate Windows Defender Antivirus Service or WinDefend. Right-click it and select Properties. Change the Startup type to Disabled and click Stop.

Disable via Registry Editor

Open the Registry Editor by typing regedit in the Run dialog. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender.

Right-click an empty space, select New > DWORD (32-bit) Value, and name it DisableAntiSpyware. Double-click it and set the Value data to 1. You can restart your PC via the command line to apply the change.

Identifying Software Conflicts

Other security software or background applications can conflict with Windows Defender. This clash forces both programs to constantly scan each other, consuming maximum resources.

Perform a Clean Boot

Open the System Configuration tool by typing msconfig in the Run dialog. Go to the Services tab, check Hide all Microsoft services, and click Disable all. Go to the Startup tab and disable all items in Task Manager. Restart your computer to see if a specific third-party application is causing the high CPU usage.

If a conflict is identified, uninstall or disable the conflicting program and re-enable the Microsoft services through msconfig. If none of the methods above resolved the issue, running Windows Update and allowing any pending Defender definition updates to complete will clear most remaining edge cases.

FAQ

Frequently Asked Questions

Disabling it completely removes your real-time malware protection. It is only safe if you install a third-party antivirus immediately after. For most users, capping the CPU usage via Group Policy is a safer alternative.

The most common cause is Windows Defender scanning its own installation folder, creating a loop. It also spikes when processing large developer folders like node_modules or applying corrupted definition updates.

You can disable it permanently via the Registry Editor by setting the DisableAntiSpyware DWORD value to 1, or through services.msc by setting WinDefend to Disabled. On Windows 11, you must first turn off Tamper Protection in Windows Security settings.

You can end the process temporarily, but it will restart on the next system scan or reboot. Task Manager termination is a short-term workaround, not a fix.

Yes, significantly. Adding large folders like node_modules, VM storage directories, and the Windows Defender folder itself to the exclusion list removes the heaviest scanning targets and usually resolves the problem without disabling protection.

Windows Defender runs an initial scan when the system boots to check any files that changed while the machine was off. This startup spike is normal and typically lasts a few minutes. If it continues for longer, a corrupted definition file is usually the cause.

Published in

Operating Systems