Applies to:

Windows Server 2022, all editions
Windows Server 2019, all editions
Windows Server 2016, all editions
Windows Server 2012 R2, all editions
Windows Server 2012, all editions
Windows Server 2008 R2 SP1, all editions
Windows 11, all editions
Windows 10, all editions
Windows 8.1, all editions
Windows 7, all editions

Introduction

This article contains recommendations to help an administrator determine the cause of potential instability in the following scenario:

  • The issue occurs on a computer that is running a version of Windows or Windows Server that is listed in the “Applies to” section.

  • The local system is used together with antivirus software in an Active Directory domain environment or in a managed business environment.

Symptoms

Your Windows-based or Windows Server-based computer experiences the following issues:

  • System performance

    • High CPU or increased CPU use

      • User mode

      • Kernel mode

    • Kernel memory leaks

      • Nonpaged pool

      • Paged pool

      • Handle leak

    • Slowness

      • File copy when you use Windows Explorer

        • File copy when you use a console app (for example, cmd.exe)

      • Backup operations

  • Stability

    • Application slowness

      • Accessing a network share or a mapped drive

      • Windows Explorer temporary lack of response

    • Application failure

      • Access violation

    • Application stops responding

      • Deadlocks

        • Remote procedure call (RPC)

        • Named pipes

      • Race conditions

      • Private bytes memory leak

      • Virtual bytes memory leak

      • Virtual bytes memory fragmentation

  • Operating system reliability issues

    • System stops responding (you have to force a restart to recover)

      • Deadlocks

      • Race conditions

      • Handle leaks

      • Nonpaged pool leaks

      • Paged pool leaks

  • Stop errors (also known as bug checks)

More information

System-specific information

OS and antivirus

Exclusions requirement

Additional information

On Windows 10 and later versions, Microsoft Defender Antivirus is built-in

Does not require exclusions for the operating system files that are mentioned in the following sections.

Not applicable

On Windows Server 2016 and later versions, Microsoft Defender Antivirus is built-in

Does not require exclusions for the operating system files that are mentioned in the following sections.

Defender Antivirus on Windows Server 2016 and later versions automatically enroll you in certain exclusions, as defined by your specified server role. These exclusions do not appear in the standard exclusions lists that are shown in the Windows Security app. (See Configure Microsoft Defender Antivirus exclusions on Windows Server.)

Windows Server 2012 R2 using Microsoft Defender antivirus that's installed by using Microsoft Defender for Endpoint

Does not require exclusions for the operating system files that are mentioned in the following sections.

Not applicable

Windows Server 2012 R2 with System Center Endpoint Protection (SCEP)

Requires the exclusions for the operating system files that are mentioned in the following sections.

Not applicable

Windows Server 2008 R2 SP1 with System Center Endpoint Protection (SCEP)

Requires the exclusions for the operating system files that are mentioned in the following sections.

Not applicable

For more information, see the following articles:

You might experience various issues when you work with files over the network on a Windows Server 2003-based or Windows 2000 Server-based computer

System stops responding, slow file server performance, or delays occur when you work with files that are located on a file server

Resolution

Before you add antivirus exclusions, follow these steps:

  1. Update the definitions for your third-party antivirus program. If the issue persists, please submit a false positive (fp) to the third-party antivirus vendor support.

  2. Verify that you didn’t set a specific functionality in a hardened or aggressive mode that causes more of the following symptoms:

    • False positives

    • Application compatibility problems

    • Increased resource use (for example, high cpu (user mode or kernel mode) or high memory (user mode or kernel mode)

    • Slowdowns

    • Applications stop responding

    • Applications failures

    • The system stops responding

  3. Update the version of the third-party antivirus program. Or, for testing, see 
    How to temporarily deactivate the kernel mode filter driver in Windows

  4. Work with your third-party antivirus vendor to further troubleshoot. You might have to have the following type of advanced data available to help narrow down the problem:

Workaround

Important This article contains information that shows how to help lower security settings or how to temporarily turn off security features on a computer. You can make these changes to understand the nature of a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.

Warning

  • We do not recommend this workaround. However, we are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

  • This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. 

  • We recommend that you temporarily apply these settings to evaluate system behavior.

  • We are aware of the risk of excluding the specific files or folders that are mentioned in this article from scans that are made by your antivirus software. Your system will be safer if you do not exclude any files or folders from scans.

  • When you scan these files, performance and operating system reliability problems may occur because of file locking.

  • Do not exclude any one of these files based on the file name extension. For example, do not exclude all files that have a .dit extension. Microsoft has no control over other files that may use the same extensions as the files that are described in this article.

  • This article provides both file names and folders that can be excluded. All the files and folders that are described in this article are protected by default permissions to allow only SYSTEM and administrator access, and they contain only operating system components. Excluding an entire folder might be simpler but might not provide as much protection as excluding specific files based on file names.

  • Adding antivirus exclusions should always be the last resort if no other option is feasible. 

Turn off scanning of Windows Update or Automatic Update related files

  • Turn off scanning of the Windows Update or Automatic Update database file (Datastore.edb). This file is located in the following folder:

    %windir%\SoftwareDistribution\Datastore

  • Turn off scanning of the log files that are located in the following folder:

    %windir%\SoftwareDistribution\Datastore\Logs Specifically, exclude the following files:

    • Edb*.jrs

    • Edb.chk

    • Tmp.edb

  • The wildcard character (*) indicates that there may be several files.

Turn off scanning of Windows Security files

  • Add the following files in the %windir%\Security\Database path of the exclusions list:

    • *.edb

    • *.sdb

    • *.log

    • *.chk

    • *.jrs

    • *.xml

    • *.csv

    • *.cmtx

    Note If these files are not excluded, antivirus software may prevent appropriate access to these files, and security databases can become corrupted. Scanning these files can prevent the files from being used or may prevent a security policy from being applied to the files. These files should not be scanned because antivirus software may not correctly treat them as proprietary database files.

    These are the recommended exclusions. There may be other file types that are not included in this article that should be excluded.

Turn off scanning of Group Policy-related files

  • Group Policy user registry information. These files are located in the following folder:

    %allusersprofile%\ Specifically, exclude the following file:

    NTUser.pol

  • Group Policy client settings files. These files are located in the following folder:

    %SystemRoot%\System32\GroupPolicy\Machine\
    %SystemRoot%\System32\GroupPolicy\User\ Specifically, exclude the following files:

    Registry.pol
    Registry.tmp

Turn off scanning of user profile files

  • User registry information and supporting files. The files are located in the following folder:

    userprofile%\

  • Specifically, exclude the following files:

    NTUser.dat*

Running antivirus software on domain controllers

Because domain controllers provide an important service to clients, the risk of disruption of their activities from malicious code, from malware, or from a virus must be minimized. Antivirus software is the generally accepted way to reduce the risk of infection. Install and configure antivirus software so that the risk to the domain controller is reduced as much as possible and performance is affected as little as possible. The following list contains recommendations to help you configure and install antivirus software on a Windows Server domain controller.

Warning We recommend that you apply the following specified configuration to a test system to make sure that in your specific environment it does not introduce unexpected factors or compromise the stability of the system. The risk from too much scanning is that files are inappropriately flagged as changed. This causes too much replication in Active Directory. If testing verifies that replication is not affected by the following recommendations, you can apply the antivirus software to the production environment.

Note Specific recommendations from antivirus software vendors may supersede the recommendations in this article.

  • Antivirus software must be installed on all domain controllers in the enterprise. Ideally, try to install such software on all other server and client systems that have to interact with the domain controllers. It is optimal to catch the malware at the earliest point, such as at the firewall or at the client system where the malware is introduced. This prevents the malware from ever reaching the infrastructure systems that the clients depend on.

  • Use a version of antivirus software that is designed to work with Active Directory domain controllers and that uses the correct Application Programming Interfaces (APIs) to access files on the server. Older versions of most vendor software inappropriately change a file's metadata as the file is scanned. This causes the File Replication Service engine to recognize a file change and therefore schedule the file for replication. Newer versions prevent this problem.
    For more information, see the following article in the Microsoft Knowledge Base:

    815263Antivirus, backup, and disk optimization programs that are compatible with the File Replication Service

  • Do not use a domain controller to browse the Internet or to perform other activities that may introduce malicious code.

  • We recommend that you minimize the workloads on domain controllers. When possible, avoid using domain controllers in a file server role. This lowers virus-scanning activity on file shares and minimizes performance overhead.

  • Do not put Active Directory or FRS database and log files on NTFS file system compressed volumes.

Turn off scanning of Active Directory and Active Directory-related files

  • Exclude the Main NTDS database files. The location of these files is specified in the following registr subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\DSA Database File The default location is %windir%\Ntds. Specifically, exclude the following files:

    Ntds.dit
    Ntds.pat

  • Exclude the Active Directory transaction log files. The location of these files is specified in the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path
      The default location is %windir%\Ntds. Specifically, exclude the following files:

    • EDB*.log

    • Res*.log

    • Edb*.jrs

    • Ntds.pat

  • Exclude the files in the NTDS Working folder that is specified in the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory Specifically, exclude the following files:

    • Temp.edb

    • Edb.chk

Turn off scanning of SYSVOL files

  • Turn off scanning of files in the File Replication Service (FRS) Working folder that is specified in the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Working Directory The default location is %windir%\Ntfrs. Exclude the following files that exist in the folder:

    • edb.chk in the %windir%\Ntfrs\jet\sys folder

    • Ntfrs.jdb in the %windir%\Ntfrs\jet folder

    • *.log in the %windir%\Ntfrs\jet\log folder

  • Turn off scanning of files in the FRS Database Log files that are specified in the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory The default location is %windir%\Ntfrs. Exclude the following files.

    Note Settings for specific file exclusions is documented here for completeness. By default, these folders allow access only to System and Administrators. Please verify that the correct protections are in place. These folders contain only component working files for FRS and DFSR.

    • Edb*.log (if the registry key is not set)

    • FRS Working Dir\Jet\Log\Edb*.jrs

  • Turn off scanning of the NTFRS Staging folder as specified in the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage By default, staging uses the following location:

    %systemroot%\Sysvol\Staging areas

  • Turn off scanning of the DFSR Staging folder as specified in the msDFSR-StagingPath attribute of the object CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=DomainControllerName,OU=Domain Controllers,DC=DomainName in AD DS. This attribute contains the path to the actual location that DFS replication uses to stage files. Specifically, exclude the following files:

    • Ntfrs_cmp*.*

    • *.frx

  • Turn off scanning of files in the Sysvol\Sysvol folder or the SYSVOL_DFSR\Sysvol folder.

    The current location of the Sysvol\Sysvol or SYSVOL_DFSR\Sysvol folder and all the subfolders is the file system reparse target of the replica set root. The Sysvol\Sysvol and SYSVOL_DFSR\Sysvol folders use the following locations by default:

    %systemroot%\Sysvol\Domain
    %systemroot%\Sysvol_DFSR\Domain

    The path to the currently active SYSVOL is referenced by the NETLOGON share and can be determined by the  SysVol value name in the following subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters

  • Exclude the following files from this folder and all its subfolders:

    • *.adm

    • *.admx

    • *.adml

    • Registry.pol

    • Registry.tmp

    • *.aas

    • *.inf

    • Scripts.ini

    • *.ins

    • Oscfilter.ini

  • Turn off scanning of files in the FRS Preinstall folder that is in the following location:

    Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory The Preinstall folder is always open when FRS is running.

    Exclude the following files from this folder and all its subfolders:

    • Ntfrs*.*

  • Turn off scanning of files in the DFSR database and working folders. The location is specified by the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File=Path In this registry subkey, "Path" is the path of an XML file that states the name of the Replication Group. In this example, the path would contain "Domain System Volume."

    The default location is the following hidden folder:

    %systemdrive%\System Volume Information\DFSR Exclude the following files from this folder and all its subfolders:

    If any one of these folders or files is moved or is put in a different location, scan or exclude the equivalent element.

    • $db_normal$

    • FileIDTable_*

    • SimilarityTable_*

    • *.xml

    • $db_dirty$

    • $db_clean$

    • $db_lost$

    • Dfsr.db

    • Fsr.chk

    • *.frx

    • *.log

    • Fsr*.jrs

    • Tmp.edb

Turn off scanning of DFS files

The same resources that are excluded for a SYSVOL replica set must also be excluded when FRS or DFSR is used to replicate shares that are mapped to the DFS root and link targets on Windows Server 2008 R2-based or Windows Server 2008-based member computers or domain controllers.

Turn off scanning of DHCP files

By default, DHCP files that should be excluded are present in the following folder on the server:

%systemroot%\System32\DHCP Exclude the following files from this folder and all its subfolders:

  • *.mdb

  • *.pat

  • *.log

  • *.chk

  • *.edb

The location of DHCP files can be changed. To determine the current location of the DHCP files on the server, check the DatabasePath, DhcpLogFilePath, and BackupDatabasePath parameters that are specified in the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters

Turn off scanning of DNS files

By default, DNS uses the following folder:

%systemroot%\System32\Dns Exclude the following files from this folder and all its subfolders:

  • *.log

  • *.dns

  • BOOT

Turn off scanning of WINS files

By default, WINS uses the following folder:

%systemroot%\System32\Wins
  Exclude the following files from this folder and all its subfolders:

  • *.chk

  • *.log

  • *.mdb

For computers that are running Hyper-V based versions of Windows

In some scenarios, on a Windows Server 2008-based computer that has the Hyper-V role installed or on a Microsoft Hyper-V Server 2008 or on a Microsoft Hyper-V Server 2008 R2-based computer, it may be necessary to configure the real-time scanning component within the antivirus software to exclude files and entire folders. For more information, see the following article in the Microsoft Knowledge Base:

  • 961804 Virtual machines are missing, or error 0x800704C8, 0x80070037, or 0x800703E3 occurs when you try to start or create a virtual machine

Next steps

If your system performance or stability is improved by the recommendations that are made in this article, contact your antivirus software vendor for instructions or for an updated version or settings of the antivirus software.

Note  Your third-party antivirus vendor will be able to work with Microsoft Customer Service and Support (CSS) team on a commercially reasonable efforts.

References

Microsoft Customer Support Service Agreement

Agreement for Microsoft Services

Microsoft Virus Initiative

Change history

 The following table summarizes some of the most important changes to this topic.

Date

Description

August 17, 2021

Updated the note in the More Information section: "Note On Windows 10, Windows Server 2016, and later..." 

November 2, 2021

Updated the note in the More Information section: "This also applies to Windows Server 2012 R2..."

March 14, 2022

Revision of whole article. Added "Symptoms" and "Resolution" sections, and reorganized the remaining content.

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

What affected your experience?

Thank you for your feedback!

×