Windows 10: Is Anyone Else Experiencing Higher 'Windows Security Health Service' Memory Usage Lately?

I've noticed this over the past few days, but I'm unsure when exactly this started; it might have been caused by the latest Cumulative Updates on the 14th or the latest Platform Update for Defender on the 23rdit's normal for Antimalware Service Executable to use 150-300MB of Memory during the day, but lately Windows Security Health Service has been using 200MB+, and the amount it uses will permanently increase if I open Windows Security; it does not decrease in Memory consumption even after restarting the computer, at least not in any meaningful waycurrently Windows Security Health Service is

:)

 

Windows Security Health Service Memory Usage and Registry Question

lately, the Windows Security Health Service process in Task Manager has been using the most memory out of all my other processes (excluding Chrome) on my Windows 10 22H2 PC. I want to preface that I have not done anything suspicious, downloaded anything, or visited any sited other than YouTube for the past several months

I'm not sure if this started after the latest Cumulative or Defender Platform update or not, but I've only just begun observing this over the past few days. Windows Security Health Service will use 300-330MB of Memory under the Processes tab, which then increases if I open Windows Security. Antimalware Service Executable is only 150-270MB throughout the day

furthermore, under the Details tab, the Memory usage is higher for Windows Security Health Service; if the process is using 333 Memory under Processes, then under Details, it could be using 341

I know the Details tab lists Memory with "k" and Processes lists Memory with "MB", but the usage is almost always accurate between the two. there's never such a discrepancy. and I verified that they are the same processes; clicking "Go to Details" on Windows Security Health Service takes me to the correct process

I also checked the File Location, which is indeed in System32, with a correct Digital Signature from Microsoft, signed in October, and the last modification date was November 16th, which was during an update

I'm confused as to why Windows Security Health Service suddenly uses this much Memory, as it only uses 7-8MB on my Windows 11 system and used to only use that much on my PC as well. I was wondering if anyone experiences this now too?

additionally, I have a question regarding the Registry. in the Windows Defender > Operational log in Event Viewer, there was a standalone 5007 event, with no updates or interaction, at 9:22am and the New Value was this:

"HKLM\Software\Microsoft\Windows Defender\Features\EcsConfigs\MpFC Kernel EnableFolderGuardOnPostCreate = 0x1"

I first want to ask what this is? there was no update at the time. I also checked the Registry pathway and looked inside a subfolder of EcsConfigs called "ETag"; on my Windows 11 system, this ETag folder has a Default Value with (Value Not Set)

but on my Windows 10 system, the Default Value has a bunch of random numbers and letters under the value column; I exported both folders and it says the last write time was today, at 9:22am when that standalone event occurred

I've scanned my PC with Windows Defender and MalwareBytes but nothing came up. I'm just looking to see if anyone is experiencing this memory issue, and if anyone can help make sense of the Registry stuff and want this standalone 5007 event is about?

 

antimalware service executable high memory usage

Hi Lwmct -

I'm Kevin B., I do apologize for the inconvenience that you're experiencing right now, let me help you sort things out.

The issue occurs due to its real-time protection on your windows computer. You can add the exe to its exclusion list and check if it helps

Kindly click on the link below and follow the steps suggested by JhakeSong, Independent Advisor, as he have an answer similar to your question.

https://answers.microsoft.com/en-us/protect/for...

Hope this will help and have a bless day!

Thanks.

Kevin B.

Independent advisor

 

Securing Windows 2000/XP/Server 2003 services HOW TO

This is all i could save. I dont know if people can see what I can in the Wiki, but I got this article the others he deleted b4 he posted them in the wiki and i dont have the powers even in my sections to bring them back...perhaps a back up but Im not sure we have one ill go see. He did a damn good job at making sure nothing of his existed after he left...Im at school but when i get home ill email him and see if i can get him back im not done fighting yet.-Solaris17




Securing Windows 2000/XP/Server 2003 services HOW TO
I went at ALL of the services in Windows Server 2003 (some will not be in XP for instance, & Windows 2000 has no NETWORK SERVICE or LOCAL SERVICE as far as I know, but not sure, you can always make a limited privelege user too for this on 2000 if needed)...

I did testing to see which services could be run/logged in as LOCAL SERVICE, or NETWORK SERVICE, rather than the default of LOCAL SYSTEM (which means Operating System entity level privileges - which CAN be "misused" by various spyware/malware/virus exploits).


LOCAL SERVICE startable list (vs. LocalSystem Logon Default):


--------------------------------------------------------------------------------

Acronis Scheduler 2 Service
Alerter (needs Workstation Service Running)
COM+ System Application
GHOST
Indexing Service
NVIDIA Display Driver Service
Office Source Engine
O&O Clever Cache
Remote Registry
Sandra Service
Sandra Data Service
SmartCard
Tcp/IP NetBIOS Helper
Telnet
UserProfile Hive Cleanup Service
Volume Shadowing Service
Windows UserMode Drivers
Windows Image Acquisition
WinHTTP Proxy AutoDiscovery Service
NETWORK SERVICE startable list (vs. LocalSystem Logon Default):


--------------------------------------------------------------------------------

ASP.NET State Service
Application Layer Gateway
Clipbook (needs Network DDE & Network DDE DSDM)
Microsoft Shadow Copy Provider
Executive Software Undelete
DNS Client
DHCP Client
Error Reporting
FileZilla Server
Machine Debug Manager
Merger
NetMeeting Remote Desktop Sharing Service
Network DDE
Network DDE DSDM
PDEngine (Raxco PerfectDisk)
Performance Logs & Alerts
RPC
Remote Desktop Help Session Manager Service
Remote Packet Capture Protocol v.0 (experimental MS service)
Resultant Set of Policies Provider
SAV Roam
Symantec LiveUpdate
Visual Studio 2005 Remote Debug
PLEASE NOTE: Each service uses a BLANK password when reassigning their logon entity (when you change it from the default of LOCAL SYSTEM Account), because they use SID's as far as I know, not standard passwords.


--------------------------------------------------------------------------------

WHEN YOU TEST THIS, AFTER RESETTING THE LOGON USER ENTITY EACH SERVICE USES: Just run your system awhile, & if say, Norton Antivirus refuses to update, or run right? You KNOW you set it wrong... say, if one you test that I do NOT list won't run as LOCAL SERVICE? Try NETWORK SERVICE instead... if that fails? YOU ARE STUCK USING LOCAL SYSTEM!

If you cannot operate properly while changing the security logon entity context of a service (should NOT happen w/ 3rd party services, & this article shows you which ones can be altered safely)?

Boot to "Safe Mode", & reset that service's logon entity back to LOCAL SYSTEM again & accept it cannot do this security technique is all... it DOES happen!

If that fails? There are commands in the "Recovery Console" (installed from your Windows installation CD as a bootup option while in Windows using this commandline -> D:\i386\winnt32.exe /cmdcons, where D is your CD-Rom driveletter (substitute in your dvd/cd driveletter for D of course)) of:

ListSvc (shows services & drivers states of stopped or started)

Enable (starts up a service &/or driver)

Disable (stops a server &/or driver)

Which can turn them back on if/when needed

Last edited by APK on 03/04/2007
I.E. -> I removed Telephony, Symantec AntiVirus, & Virtual Disk Service!

(ON Virtual Disk Service being removed, specifically: This was done solely because, although it will run as LOCAL SERVICE, diskmgmt.msc will not be able to work! Even though the Logical Disk Manager service does not list VirtualDisk as a dependency, this occurs, so VirtualDisk service was pulled from BOTH the LOCAL SERVICE and NETWORK SERVICE lists here... apk)

SECURING SERVICES @ THE ACL LEVEL VIA A SECURITY POLICY HOW-TO:

STEP #1: CONFIGURE A CUSTOM Microsoft Management Console for this!

Configuring yourself a "CUSTOM MMC.EXE (Microsoft Mgt. Console)" setup for security policy templates, here is how (these are NOT default Computer Mgt. tools, so you have to do this yourself, or run them by themselves, but this makes working w/ them convenient):

===============================================================
The next part's per BelArcGuy of BELARC ADVISOR's advice (pun intended):
==============================================
Anyone want to try a test CompletelyBonkers (new user here) turned me onto?

==============================================
"Security Configuration and Analysis" is an MMC snap-in. To access the MMC, type in mmc to the Windows Run.. command to pop up the console. Then use it's File|Add/Remove Snap-in... command and click the Add button on the resulting dialog. Choose both "Security Configuration and Analysis" and "Security Templates", close that dialog, and OK. You'll end up with a management console that has both of those snap-ins enabled. The whole MMC mechanism is a bit weird, but does work"

(It's easy, & it works, & is necessary for the actual steps to do this, below)


--------------------------------------------------------------------------------

(Next, is the actual "meat" of what we need to do, per Microsoft, to set ACLs)


--------------------------------------------------------------------------------

STEP #2: HOW TO: Define Security Templates By Using the Security Templates Snap-In in Windows Server 2003

http://support.microsoft.com/kb/816297

Create and Define a New Security Template

(To define a new security template, follow these steps)

1. In the console tree, expand Security Templates. 2. Right-click %SystemRoot%\Security\Templates, and then click New Template. 3. In the Template name box, type a name for the new template.

(If you want, you can type a description in the Description box, and then click OK)

The new security template appears in the list of security templates. Note that the security settings for this template are not yet defined. When you expand the new security template in the console tree, expand each component of the template, and then double-click each security setting that is contained in that component, a status of Not Defined appears in the Computer Setting column.

1. To define a System Services policy, follow these steps: a. Expand System Services. b. In the right pane, double-click the service that you want to configure. c. Specify the options that you want, and then click OK.

==============================================
)
APK (added 03/08/2007)