ulex/windows_defender_performance_tool

Windows Defender Performance Tool

A .NET application that monitors Windows Defender ETW events and visualizes scan durations in real-time using a stacked bar chart. Can also visualize snapshots recorded offline with the New-MpPerformanceRecording PowerShell cmdlet.

Screenshot

Features

  • Listens to Microsoft-Antimalware-Engine/StreamScanRequestTask/Stop ETW events
  • Displays scan durations per process in a stacked bar chart
  • Drag and drop snapshots onto the window to analyse the dropped items
  • CSV export when more than one snapshot is dragged to the window

Lightweight CPU-time TUI

A companion console program (WindowsDefenderPerformanceTool_Light_CpuTimeOnly_TUI) tracks only CPU time consumed by MsMpEng.exe and renders a small bar chart of recent activity. It does not require elevation — CPU times are read via NtQuerySystemInformation, which is available to non-admin users.

TUI screenshot

Measuring Windows Defender impact

For more reliable results, perform each measurement after restarting the machine. Windows Defender appears to use internal in-memory caches, so repeated measurements without restarting may not show the real impact.

About scan duration

Windows Defender emits ETW start and stop events per scan operation. The durations shown are therefore wall-clock time, not CPU time - if the OS scheduler preempts the Defender thread in between, the reported duration will exceed the actual CPU time consumed.
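Added example, not code from this repository: pairing start and stop events into wall-clock durations per process, including events whose partner is missing from the trace. It goes slightly beyond the text by also showing that overlapping scans make the summed durations exceed the elapsed time they cover. The field names, the `scan_id` correlation key and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events, not taken from a real trace. The field names and
# the scan_id used to correlate start with stop are assumptions of this example.
EVENTS = [
    {"ts_ms": 1000, "kind": "start", "scan_id": 1, "process": "devenv.exe"},
    {"ts_ms": 1004, "kind": "start", "scan_id": 2, "process": "git.exe"},
    {"ts_ms": 1030, "kind": "stop", "scan_id": 1},
    {"ts_ms": 1034, "kind": "stop", "scan_id": 2},
    {"ts_ms": 1040, "kind": "stop", "scan_id": 9},  # start predates the trace
    {"ts_ms": 1050, "kind": "start", "scan_id": 3, "process": "devenv.exe"},
    {"ts_ms": 1062, "kind": "stop", "scan_id": 3},
    {"ts_ms": 1070, "kind": "start", "scan_id": 4, "process": "node.exe"},  # still open
]

def pair_scans(events):
    """Return ([(process, start_ms, stop_ms)], number of events left unpaired)."""
    open_scans, scans, unpaired = {}, [], 0
    for ev in sorted(events, key=lambda e: e["ts_ms"]):
        if ev["kind"] == "start":
            open_scans[ev["scan_id"]] = ev
        else:
            start = open_scans.pop(ev["scan_id"], None)
            if start is None:
                unpaired += 1  # stop without a start: duration unknown
            else:
                scans.append((start["process"], start["ts_ms"], ev["ts_ms"]))
    return scans, unpaired + len(open_scans)

def wall_clock_per_process(scans):
    """Sum wall-clock scan time per process, as a per-process bar would."""
    totals = defaultdict(int)
    for process, start, stop in scans:
        totals[process] += stop - start
    return dict(totals)

def covered_ms(scans):
    """Length of the union of scan intervals (time with at least one scan open)."""
    covered, end = 0, float("-inf")
    for _, start, stop in sorted(scans, key=lambda s: s[1]):
        if stop > end:
            covered += stop - max(start, end)
            end = stop
    return covered
```

On the sample data the per-process totals add up to 72 ms while the scans cover only 46 ms of elapsed time, because two of them overlap.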

License

MIT
