Windows 10 Memory usage (overflow) by Windows defender

[daxxar]

Hi, I am using Windows 10 Enterprise on an IPC.
After a certain runtime I get a blackscreen and have to restart the IPC.

While troubleshooting, I noticed that in the task manager, Windows Defender takes more and more memory until it is used up, and the black screen appears.

If I turn off Windows Defender (+live monitoring), I no longer have this problem. In general probably the best decision

But I like to know which process (thread) keeps Windows Defender so busy. How can I find out?

Thanks in advance

 

[Mike]

Windows Defender may not always be able to provide specific details about what is causing it to use high memory. However, you can check Windows Defender's event logs to see if there are any related events that could provide more information about the issue.

To check Windows Defender's event logs, you can follow these steps:

1. Press the Windows key + R to open the Run dialog box.
2. Type "eventvwr.msc" and press Enter to open the Event Viewer.
3. In the left pane of the Event Viewer, navigate to "Applications and Services Logs" > "Microsoft" > "Windows" > "Windows Defender" > "Operational".
4. In the right pane, you should see a list of events related to Windows Defender.
5. Look for any events that may be related to high memory usage, such as warnings or errors, and see if they provide any additional information about the issue.

Keep in mind that event logs may not always provide a clear indication of the cause of high memory usage.

 

[daxxar]

Hi Mike,

thanks for your answer. I opened the log and it is full of errors. What is confussing me, is that the errors occur several times, at the same second

I suppose that is not normal.

////////////////////////////DETAILS////////////////////////
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> - <System> <Provider Name="Microsoft-Windows-Windows Defender" Guid="{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}" /> <EventID>2001</EventID> <Version>0</Version> <Level>2</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2023-02-13T09:05:17.380523400Z" /> <EventRecordID>2822</EventRecordID> <Correlation /> <Execution ProcessID="4016" ThreadID="5400" /> <Channel>Microsoft-Windows-Windows Defender/Operational</Channel> <Computer>DESKTOP-TV580PJ</Computer> <Security UserID="S-1-5-18" /> </System> - <EventData> <Data Name="Product Name">%%827</Data> <Data Name="Product Version">4.18.1807.18075</Data> <Data Name="Current Signature Version" /> <Data Name="Previous Signature Version">1.335.1700.0</Data> <Data Name="Update Source Index">6</Data> <Data Name="Update Source">%%851</Data> <Data Name="Unused" /> <Data Name="Domain">NT AUTHORITY</Data> <Data Name="User">NETWORK SERVICE</Data> <Data Name="SID">S-1-5-20</Data> <Data Name="Signature Type Index">1</Data> <Data Name="Signature Type">%%800</Data> <Data Name="Update Type Index">1</Data> <Data Name="Update Type">%%803</Data> <Data Name="Current Engine Version" /> <Data Name="Previous Engine Version">1.1.18000.5</Data> <Data Name="Error Code">0x80072ee7</Data> <Data Name="Error Description">The server name or address could not be resolved</Data> <Data Name="Update State Index">1</Data> <Data Name="Update State">%%852</Data> <Data Name="Source Path">https://go.microsoft.com/fwlink/?LinkID=851034&clcid=0x409&arch=x64&eng=1.1.18000.5&avdelta=1.335.1700.0&asdelta=1.335.1700.0&prod=77BDAF73-B396-481F-9042-AD358843EC24&ostype=0&signaturetype=0&beta=0&plat=4.18.1807.18075</Data> </EventData> </Event>
///////////DETAILS END/////////////////

But this seems to be only the Update for me. But the computer is not on the internet, so this should not be relevant, right?
That's all I get out of it, isnt it?

BR

 

[Mike]

Without Internet access, Windows Defender cannot connect to the Internet and download and install delta updates. You should probably give the Windows 10 system access and perform all necessary updates to the OS and see if the issue persists.