Windows Defender is the first thing that I disable on a new Windows 10 or Windows 11 installation. Despite its small size, it does not work as well as many free antivirus products and tends to consume a lot of resources, especially during background scanning. I often observe excessive CPU consumption caused by MsMpEng.exe, which slows the system down to a crawl, requiring me to terminate the MsMpEng.exe task or disable real-time protection, only for it to be automatically re-enabled a short time later. Free antivirus/anti-malware software such as BitDefender, AVG Antivirus or even BKAV Antivirus can do much better than this.
Recently I came across an interesting phenomenon. After disabling Windows Defender on a new installation as usual, the machine would take as long as 5 minutes to open certain EXE files, which were not large or heavy by any means. A particular setup file for Notepad++, for example, took more than 10 minutes to open! Once successfully opened, the setup went flawlessly, and the issue did not recur when the same file was opened again. It took me a while to realize that the issue only happened for .EXE files that had just been downloaded from the Internet, pointing to a problem with perhaps some background virus scanning mechanism. This suspicion was further reinforced by the fact that I had just disabled Windows Defender using Ultimate Windows Tweaker 5.
By using Process Monitor, I quickly realized that there were thousands of attempts to read the registry and several files relating to Windows Defender every time a newly downloaded .EXE file was opened. Each attempt could last between a few hundred milliseconds and a few seconds, explaining why the .EXE file took a long time to open:
Among the entries in the screen above, the entry which refers to QueryEAFile on the file “revosetup.exe” is the most suspicious. The OS was most likely trying to query the file's extended attributes before deciding whether the file is free of viruses or spyware and therefore safe to open. After researching this topic I came across this Microsoft article, which explains how Windows Explorer determines whether a file is safe by querying its extended attribute, which then triggers Windows Defender, which in turn opens several Code Integrity Policy (CIP) files (among other things). Perhaps these CIP files were corrupted following my tweaks, resulting in issues opening these .EXE files.
By opening the directory C:\Windows\System32\CodeIntegrity\CiPolicies\Active, the default location for the CIP files as specified here, I was able to locate several such files:
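Before deleting anything, it helps to confirm what the system is actually doing. The following PowerShell script is an added, read-only diagnostic (not from the original post): it shows the Zone.Identifier stream that marks a file as downloaded from the Internet, reports Defender's real-time protection state as Windows itself sees it, and lists the active CIP files in the directory above. The sample file path is a placeholder.

```powershell
# Added diagnostic script (not part of the original post). Read-only: it inspects
# a downloaded file's Zone.Identifier stream (the "Mark of the Web" that makes
# Explorer and Defender treat a file as freshly downloaded), reports Defender's
# real-time protection state, and lists the active Code Integrity policy files.
# The path below is a placeholder; replace it with the slow-to-open .EXE.
param(
    [string]$Path = "$env:USERPROFILE\Downloads\npp-setup.exe"  # placeholder
)

# 1. Mark of the Web: an NTFS alternate data stream named Zone.Identifier.
#    ZoneId=3 means "Internet"; its presence is what triggers the extra checks.
$streams = Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue
if ($streams | Where-Object { $_.Stream -eq 'Zone.Identifier' }) {
    Write-Host "Zone.Identifier stream present on $Path :"
    Get-Content -LiteralPath $Path -Stream Zone.Identifier
} else {
    Write-Host "No Zone.Identifier stream on $Path (file is not marked as downloaded)."
}

# 2. Defender state as Windows reports it, independent of any tweaker tool.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    Write-Host ("Real-time protection enabled: {0}; antimalware service enabled: {1}" -f
        $mp.RealTimeProtectionEnabled, $mp.AMServiceEnabled)
} catch {
    Write-Host "Defender status unavailable (service disabled or cmdlet missing): $_"
}

# 3. Active Code Integrity policy files that the post saw being queried.
$cipDir = 'C:\Windows\System32\CodeIntegrity\CiPolicies\Active'
if (Test-Path -LiteralPath $cipDir) {
    Get-ChildItem -LiteralPath $cipDir -File |
        Select-Object Name, Length, LastWriteTime |
        Format-Table -AutoSize
} else {
    Write-Host "No active CIP directory at $cipDir"
}
```

Run it from an elevated PowerShell prompt so that Get-MpComputerStatus and the CodeIntegrity directory listing are not blocked by permissions.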
It was a long shot, but I decided to boot into an Ubuntu Live USB and remove these CIP files, in the hope that the problem would go away since there would no longer be any CIP files for Windows to query. The CIP files and other files in the Windows Defender directory at C:\ProgramData\Microsoft\Windows Defender\Platform\4.18 can’t be deleted from Windows Explorer without substantial effort to bypass Microsoft security policies. Guess what, it actually worked! After the deletion, my computer could open newly downloaded .EXE files almost instantly without any delay.
I spent a few hours researching this issue but could not identify what caused the system to repeatedly query these CIP files after Windows Defender had been disabled via Ultimate Windows Tweaker 5. I repeated the steps on another brand new Windows 11 installation and the issue did not recur. Nevertheless, I hope these notes will be useful for anyone who may encounter such issues.