Home Windows

Fix: Antimalware Service Executable High Memory

By Deep Shrestha

Fix: Antimalware Service Executable High Memory

Antimalware Service Executable takes high system memory, especially when Windows Defender’s Virus & threat protection is running a scan. While it releases the memory once the scan completes, you may notice a significant drop in performance during this process.

Although you cannot end this task since it is a system process, you can stop the scan and release the memory. If Windows Defender is not performing any scan, features like Real-time protection or cloud-delivered protection might still cause the process to take high memory resources.

Disabling these features should, in theory, stop the high memory usage. If it does not resolve the issue, there are a few things you can try to fix the problem with high memory usage.

Before that, let’s know a little about this background process.

What is Antimalware Service Executable?

Antimalware Service Executable (MsMpEng.exe) is a system application that automatically runs on startup if you do not have any third-party antivirus application installed. 

antimalware-service-executable

Once the system turns on, the Windows Defender antivirus will run a quick scan which can result in the Antimalware Service Executable consuming high resources for a couple of minutes. 

If it is not running any scan, the background process should take about 150 MB to 200MB of memory resources. This number should not go higher than 300MB on idle conditions. If it is, we recommend that you start by checking Virus & threat protection.

Check Virus & Threat Protection

Windows Defender and its background process and services use a high CPU, memory, Disk, and CPU resources when it scans the PC. This number is even higher when it is running a full scan.

You can simply cancel the scanning process to lower memory, CPU, and disk resource usage.

  1. Press the Windows + R key.
  2. Type windowsdefender: and press Enter.
    windows-defender-antimalware-service
  3. Click on Virus and threat protection.
    virus-and-threat-protection-windows-defender
  4. Click on Cancel if it is running a system scan.
    cancel-full-scan-virus-and-threat-protection

Once you cancel the scan, check if Antimalware Service Executable uses lower system resources. This number should decrease gradually and after some time, Windows Defender’s CPU and Disk usage will be close to 0, and its memory usage should stay around 150 MB to 300 MB.

Disable Virus & Threat Protection Features

If the system is not running any scan, but the Antimalware background process is still using high memory usage, it might be using features included in Virus & Threat protection.

These features include locating and scanning new files on the system, providing protection to data in the cloud, and sending sample files to protect the system from potential threats. 

You can disable them to lower system resources, but this will leave your system vulnerable. 

  1. Open Windows Defender.
  2. Select Virus and Threat Protection.
    virus-and-threat-protection-windows-defender
  3. Under Virus & threat protection settings, click on Manage Settings.
    manage-settings-virus-and-threat-protection
  4. Turn off Real-time protection, Cloud-delivered protection, Automatic sample submission, and Tamper Protection.
    disable-virus-and-threat-protection-features
  5. Now open the Task Manager and check if it lowers memory usage.

Even if you turn off Real Time protection, Windows automatically enables it when you restart the system. However, you can permanently disable Real-time protection. 

Note: Permanently disabling Real-Time protection is not recommended as your system will not scan new files and folders.

Before you can disable Real-time protection permanently, make sure that Tamper Protection is disabled.

  1. Open Run.
  2. Type gpedit.msc and press Enter.
    open-gpedit-antimalware-service
  3. Navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus.
  4. Click on Real-time Protection.
  5. In the left panel, double-click on Turn off real-time protection.
    turn-off-real-time-protection-antimalware-service
  6. Check Enabled.
  7. Select Apply then OK.
    disable-real-time-protection-antimalware-service
  8. To Enable Real-time protection, you can simply enable Tamper Protection.
Note: Group Policy Editor is only available on Pro or Enterprise Windows Edition.

Update Windows

MsMpEng.exe (Microsoft Malware Protection Engine) had a significant performance issue where it uses unreasonably high computation when the Real-time protection feature is active. This simultaneously causes high system resource usage, especially when using browsers like Firefox.

Fortunately, Microsoft pushed a patch update that fixed the mpengine.dll file in Security Intelligence update version 1.387.695.0 on April 4, 2023. You can install this update to fix the issue with Antimalware service executable high memory usage.

  1. Press Windows + I and select Windows Update.
  2. Click on Check for Updates or Install Updates.
    check-for-update-antimalware-service
  3. Restart your PC once the installation is complete.
  4. Open Task Manager and check if the high memory usage issue is fixed.

Add Exclusion

Users in numerous online forums have also reported that adding the MsMpEng.exe file to the exclusion list in Windows Defender fixed the issue for them. To add Microsoft Malware Protection Engine to exclusion,

  1. Open Windows Defender and click on Virus and threat protection.
    virus-and-threat-protection-windows-defender
  2. Under Virus and threat protection settings, click on Manage Settings.
    manage-settings-virus-and-threat-protection
  3. Scroll down and click on Add or Remove exclusions.
    add-exclusion-antimalware-service
  4. Click on Add an Exclusion and select File.
    add-an-exclusion-antimalware-1
  5. Navigate to C:\Program Files\Windows Defender.
  6. Select MsMpEng.exe and press Open.
    add-msmpeng-to-exclusion
  7. Now, check if the Antimalware service is still causing the high memory issue.

Change Scheduled Scan Properties

Your system can automatically start the Windows Defender scan if the process is scheduled to run via the Task Scheduler. On top of that, Windows runs the scan with the highest priority. This enables Windows Defender services and background processes to use higher system resources. 

Tweaking Defender’s task scheduler properties allows the user to control when the system runs Windows Defender scheduled scan and even lower its priorities.

  1. Open Run.
  2. Type taskschd.msc and press Enter.
  3. On the left panel, navigate to Task Scheduler Library > Microsoft > Windows.
  4. Click on Windows Defender.
  5. On the middle panel, double-click on Windows Defender Scheduled Scan.
    task-scheduled-windows-defender-scan
  6. In the General tab, uncheck Run with the highest privileges.
    disable-run-with-highest-previlage-scheduled-scan
  7. Go to Conditions, and uncheck Start the task only if the computer is on AC power.
    disable-conditions-on-windows-defender
  8. Go to the Settings tab and uncheck everything.
    disable-additional-settings-antimalware
  9. Finally, go to the Triggers tab and click on New.
    create-new-triggers-defender-scan
  10. Here, you can set a preferred date and time to run the scheduled scan. I recommend that you scan the PC at least once a week.
    create-new-task-trigger-antimalware-service
  11. Once you set the triggers, click on OK.
  12. Again, select OK.
  13. Restart your PC and check the memory usage.

Disable Virus & Threat Protection

Finally, if none of the solutions work, you can try disabling the entire Virus and threat protection. When you disable Virus and threat protection, it will not use any background process or defender services such as the Antivirus Service.

  1. Press the Windows + R key.
  2. Type regedit and press Enter.
    open-regedit-antimalware-service
  3. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
  4. On the right panel, right-click and select New.
  5. Click on DWORD (32-Bit) Value.
    create-d-word-value-antimalware-service
  6. Name it DisableAntiSpyware.
  7. Double-click on it and set the Value Data to 1.
    disable-anti-spyware-regedit-key
  8. Click OK.
  9. Restart your PC and open Windows Defender.
  10. Check if the Antimalware Service Executable still runs.

Disabling the Virus and Threat Protection makes your entire system vulnerable to malware attacks. So make sure that you install a separate antivirus application once you disable Windows Defender.

If you are installing a third-party application, the OS will automatically disable Virus and Threat protection feature and use the installed antivirus application.

Note: Third party antivirus application may also use high resource usage when performing a scan.