Have you ever wondered what is causing your ‘Antimalware service executable’ (Defender Antivirus) to spike the CPU for longer times?
If yes, you are not alone. But where are the logs or insight of the real-time protection process showing which file(s), file extensions or process causing the issue ? I have not found them 🙂
Therefore, I was really happy when Microsoft in September 2021 launched Microsoft Defender Antivirus Performance Analyzer.
For many, it seems hidden, but I hope with this blog, that I can get more people to learn to use it, so you can optimize, if you experience any performance issues on your endpoints.
What is Microsoft Defender Antivirus performance analyzer?
Performance analyzer for Microsoft Defender Antivirus in Windows 10, Windows 11, and Windows Server, is a PowerShell command-line tool that helps you determine files, file extensions, and processes that might be causing performance issues on individual endpoints during antivirus scans.
You can use the information gathered by performance analyzer to assess performance issues and apply remediation actions.
Some options to analyze include:
- Top paths that impact scan time
- Top files that impact scan time
- Top processes that impact scan time
- Top file extensions that impact scan time
- Combinations – for example:
- top files per extension
- top paths per extension
- top processes per path
- top scans per file
- top scans per file per process
Using performance analyzer
To start recording system events, open PowerShell in administrative mode and perform the following steps:
- Run the following command to start the recording:
New-MpPerformanceRecording -RecordTo <recording.etl>
where-RecordTo
parameter specifies full path location in which the trace file is saved. - If there are processes or services thought to be affecting performance, reproduce the situation by carrying out the relevant tasks.
- Press ENTER to stop and save recording, or Ctrl+C to cancel recording.
- Analyze the results using the performance analyzer’s
Get-MpPerformanceReport
parameter. For example, on executing the commandGet-MpPerformanceReport -Path <recording.etl> -TopFiles 3 -TopScansPerFile 10
, the user is provided with a list of top-ten scans for the top 3 files affecting performance.
Step 1 – how to make the performance recording (New-MpPerformanceRecording)
First I started a Powershell session as Admin
Then I started a recording logging using New-MpPerformanceRecording with the -RecordTo <file-path>
New-MpPerformanceRecording -RecordTo C:\tmp\MDAV_Performance_Analyze\MDAV_Recording.etl
Simulation of activities – For the demo, I created a simple Powershell script, that added 10.000 lines to the txt-file, c:\tmp\mdav_performance_analyze_file.txt
$Number = 10000
$Line = 0
Do
{
$Line = 1 + $Line
Add-Content -Path C:\tmp\MDAV_Performance_Analyze_file.txt -Value "This is a line" -Encoding UTF8 -Force
Write-Output $line
}
Until ($Line -eq $Number)
When the file changes completed, I went to my Powershell window – and pressed ENTER so the recording stopped
Step 2 – Analyze the Recording (Get-MpPerformanceReport)
In order to analyze the performance recording, you will use another powershell cmdlet, Get-MpPerformanceReport.
Below is an example, where I wanted to see the top-10 files, top-10 extensions and top-10 processes.
Get-MpPerformanceReport -Path .\MDAV_Recording.etl -TopFiles:10 -TopExtensions:10 -TopProcesses:10 -TopScans:10
As you can see, the recording picked up the 10.000 transactions – both in
- File – c:\tmp\mdav_performance_analyze_file.txt
- Extension – txt
- Process – Windows Powershell
Performance Optimization recommendations
Recently, Microsoft added some logic to help you understand potential bottlenecks, which should be considered for optimizations.
Starting with Defender version 4.18.2206.X, users will be able to view scan skip reason information under “SkipReason” column. The possible values are:
- Not Skipped
- Optimization (typically due to performance reasons)
- User skipped (typically due to user-set exclusions)
Exporting the results
For CSV
- To export:
(Get-MpPerformanceReport -Path:.\Repro-Install.etl -Topscans:1000). TopScans | Export-CSV -Path:.\Repro-Install-Scans.csv -Encoding:UTF8 -NoTypeInformation
- To convert:
(Get-MpPerformanceReport -Path:.\Repro-Install.etl -Topscans:100). TopScans | ConvertTo-Csv -NoTypeInformation
For JSON
- To convert:
(Get-MpPerformanceReport -Path:.\Repro-Install.etl -Topscans:1000). TopScans | ConvertTo-Json -Depth:1
To ensure machine-readable output for exporting with other data processing systems, it is recommended to use -Raw parameter for Get-MpPerformanceReport.
More ways to do the Performance Recording
Collect a performance recording for remote PowerShell session
$s = New-PSSession -ComputerName Server02 -Credential Domain01\User01
New-MpPerformanceRecording -RecordTo C:\LocalPathOnServer02\trace.etl -Session $s
The above command collects a performance recording on Server02 (as specified by argument $s of parameter Session) and saves it to the specified path: C:\LocalPathOnServer02\trace.etl on Server02.
Collect a performance recording in non-interactive mode (timer)
New-MpPerformanceRecording -RecordTo:.\Defender-scans.etl -Seconds 60
The above command collects a performance recording for the duration in seconds specified by parameter -Seconds. This is recommended for users conducting batch collections that require no interaction or prompt.
Get-MpPerformanceReport parameters
See samples of how to use the below commands using this link
Get-MpPerformanceReport [-Path] <String>
[-TopScans [<Int32>]]
[-TopPaths [<Int32>] [-TopPathsDepth [<Int32>]]]
[-TopScansPerPath [<Int32>]]
[-TopFilesPerPath [<Int32>]
[-TopScansPerFilePerPath [<Int32>]]
]
[-TopExtensionsPerPath [<Int32>]
[-TopScansPerExtensionPerPath [<Int32>]]
]
[-TopProcessesPerPath [<Int32>]
[-TopScansPerProcessPerPath [<Int32>]]
]
]
[-TopFiles [<Int32>]
[-TopScansPerFile [<Int32>]]
[-TopProcessesPerFile [<Int32>]
[-TopScansPerProcessPerFile [<Int32>]]
]
]
[-TopExtensions [<Int32>]
[-TopScansPerExtension [<Int32>]
[-TopPathsPerExtension [<Int32>] [-TopPathsDepth [<Int32>]]
[-TopScansPerPathPerExtension [<Int32>]]
]
[-TopProcessesPerExtension [<Int32>]
[-TopScansPerProcessPerExtension [<Int32>]]
]
[-TopFilesPerExtension [<Int32>]
[-TopScansPerFilePerExtension [<Int32>]]
]
]
[-TopProcesses [<Int32>]
[-TopScansPerProcess [<Int32>]]
[-TopExtensionsPerProcess [<Int32>]
[-TopScansPerExtensionPerProcess [<Int32>]]
]
[-TopPathsPerProcess [<Int32>] [-TopPathsDepth [<Int32>]]
[-TopScansPerPathPerProcess [<Int32>]]
]
[-TopFilesPerProcess [<Int32>]
[-TopScansPerFilePerProcess [<Int32>]]
]
]
[-MinDuration <String>]
[-Raw]
Requirements
Microsoft Defender Antivirus performance analyzer has the following prerequisites:
- Supported Windows versions: Windows 10, Windows 11, and Windows Server 2016 and above
- Platform Version: 4.18.2108.7+
- PowerShell Version: PowerShell Version 5.1, PowerShell ISE, remote PowerShell (4.18.2201.10+), PowerShell 7.x (4.18.2201.10+)
I noticed there is now a „-overview“ parameter for get-mpperformancereport which also includes some info für MDE.