752 points dceddia | 22 comments
1. dataflow ◴[] No.36447655[source]
I'm gonna guess here that the biggest chunk is the antivirus. Turning off Windows Defender's protection(s) should give the first visible speed boost, if that's what you prefer.

Another big chunk of this likely happened when they hardened the graphics subsystem for security. Win32 user calls are unbelievably expensive nowadays. SendMessage etc. have a ton of overhead.

Another chunk is likely the sheer number of expensive DLLs that need to be loaded and initialized with most apps. For example, IIRC, the moment you load COM or WinSock DLLs, your app stops loading snappily. Pretty much anything will load COM even without intending to.

Another chunk is IMM - the ctfmon process you love, for multi-language/keyboard support. ImmDisable(0) can make loading a bit snappier, but then good luck with keyboard switching and the like. It uses window hooks, which are slow Win32 calls as mentioned.

People think it's just a matter of writing plain Win32, but that's not the whole story, although it certainly helps compared to more heavyweight frameworks.

replies(3): >>36448448 #>>36449276 #>>36452190 #
2. Narishma ◴[] No.36448448[source]
> Turning off Windows Defender's protection(s) should give the first visible speed boost, if that's what you prefer.

It's extremely hard to do that in recent versions of Windows. The most I managed to do the last time I tried was to disable it temporarily but it always comes back after a while.

replies(5): >>36448843 #>>36449591 #>>36450008 #>>36455888 #>>36456892 #
3. dataflow ◴[] No.36448843[source]
Yeah, unfortunately you need to do it with group policy.
replies(1): >>36450651 #
4. hellotomyrars ◴[] No.36449276[source]
The AV stuff is huge. It’s always why Windows 8 era PCs were maybe the most brutally slow.

SSDs mitigate those issues but it is so painful to run things on mechanical drives, a lot of which is down to the antivirus processes. The practical realities have changed.

(Also things being snappy and fast I don’t think is a common memory of people when the machines the author is writing about were contemporary. The world of software is much bigger than notepad and cmd.exe)

replies(2): >>36450283 #>>36454133 #
5. asylteltine ◴[] No.36449591[source]
There is a great script on GitHub which will disable it to the core.
6. jandrese ◴[] No.36450008[source]
A couple of years ago I was doing a mass copy of files from one SSD to another. It was a few hundred GB, not terribly big on modern machines but it did have a large number of tiny files. Windows was doing the copy but it was estimating that the whole thing would need 8 hours to complete, and the estimate was pretty solid after 20 minutes. I cancelled the copy to investigate and tried turning off Windows Defender (but only temporarily as you said) and restarted the copy. It finished in 35 minutes. Probably would have been even faster if I didn't have one of the drives hooked to an old USB->SATA adapter.

This is also why your browser will stall out when it finishes downloading a large file. Windows Defender kicks in and does a full scan before returning from the close call.

replies(1): >>36456912 #
7. bamfly ◴[] No.36450283[source]
> The AV stuff is huge. It’s always why Windows 8 era PCs were maybe the most brutally slow.

IIRC Win8's also the first Windows I found unusable on spinning rust. Part of it may have been AV, but things like opening the start menu had significantly worse delays there than on a flash disk. It seems like they'd simply disregarded all development/design discipline about disk I/O, across the OS.

... which, you keep doing that everywhere, lots of devs making lazy choices to just grab this from disk here or just write a little data synchronously there, and it'll add up to non-negligible delay, even on a flash disk. And it'll make an HDD craaaawl. Which is exactly what happened.

replies(1): >>36461641 #
8. Dylan16807 ◴[] No.36450651{3}[source]
As far as I can tell they've removed the ability to turn off real-time scanning with group policy, so you have to disable the entire thing and not get on-demand or scheduled or download scans.
replies(2): >>36451608 #>>36454100 #
9. eppsilon ◴[] No.36451608{4}[source]
Defender will disable itself if it detects another AV product is installed...maybe someone should make one that acts as a no-op AV scanner.
10. nullindividual ◴[] No.36452190[source]
You don't need to turn off Windows Defender, you need to disable the file system filters entirely.

You can do that with Dev Drive [0][1] which is currently on the Win 11 dev branch.

You can't do this for your boot volume, but you can do it for a [dynamically expanding] VHDX, secondary partition, or secondary volume. It will use ReFS (oddly enough, with 4 KiB clusters by default -- though it makes sense for the target scenario, unlike past uses of ReFS).

[0] https://learn.microsoft.com/en-us/windows/dev-drive/

[1] https://blogs.windows.com/windowsdeveloper/2023/06/01/dev-dr...

replies(2): >>36452266 #>>36467541 #
11. dataflow ◴[] No.36452266[source]
> You don't need to turn off Windows Defender, you need to disable the file system filters entirely.

> You can't do this for your boot volume

How would this help with firing up all the built-in OS apps (Explorer, Notepad, etc.) being tested in the video?

replies(1): >>36452416 #
12. nullindividual ◴[] No.36452416{3}[source]
It certainly wouldn't (though I don't experience the same issue, so not sure what to say to the video). Presumably your heavier apps would be installed to the Dev Drive.
13. arsome ◴[] No.36454100{4}[source]
Seems to be working for me still, though I set the GPO back on Win10 and it carried over to Win11 through an upgrade. I see some reports of needing to disable tamper protection first but should still work.
replies(1): >>36454124 #
14. dataflow ◴[] No.36454124{5}[source]
Ah yes, you need to disable tamper protection as well. (Which is kind of strange... if a virus can disable the first one can't it also disable the second one??)
15. arsome ◴[] No.36454133[source]
It's interesting too because AV feels somewhat less useful than ever - we're not in the days of common worms flying around the internet anymore, we're in the days of script kiddies using commercial "FUD packers" to bypass most AV scanners with their password and token stealers so they can resell the accounts.

Tools like that are basically hit-and-run and they don't need to stick around to do lasting damage.

replies(1): >>36456169 #
16. THENATHE ◴[] No.36455888[source]
I’ve wanted to use one of those “gaming focused” stripped down windows installs for the longest time because all of the garbage is removed. It’s like Linux but not a pain in the ass for playing games and doing mundane shit. Too bad I care about security
17. simooooo ◴[] No.36456169{3}[source]
Yes a lot of them don’t stick around, so the only real solution is to bear the cost of real-time AV scanning
replies(1): >>36488910 #
18. navjack27 ◴[] No.36456892[source]
It's easy to do. You set exclusions for whole root drive letters. It scans nothing for me on Windows 11
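An added example (not part of any comment in this thread): a PowerShell check that flags the Defender states discussed above, namely real-time protection off, tamper protection off, and exclusions that cover a whole drive letter. The function name `Test-DefenderPosture` and the sample objects are hypothetical; the property names are those returned by the `Get-MpComputerStatus` and `Get-MpPreference` cmdlets.

```powershell
# Added example: report weakened Defender settings from status/preference objects.
function Test-DefenderPosture {
    param(
        [Parameter(Mandatory)] $Status,      # shape of Get-MpComputerStatus output
        [Parameter(Mandatory)] $Preference   # shape of Get-MpPreference output
    )
    $findings = @()
    if (-not $Status.AntivirusEnabled) {
        $findings += 'Antivirus engine is disabled (policy or another AV product registered)'
    }
    if (-not $Status.RealTimeProtectionEnabled) {
        $findings += 'Real-time protection is off'
    }
    if (-not $Status.IsTamperProtected) {
        $findings += 'Tamper protection is off; local setting changes are not blocked'
    }
    foreach ($path in @($Preference.ExclusionPath)) {
        if (-not $path) { continue }   # no exclusions configured
        # A bare drive root (C:, C:\, C:\*) excludes every file on that volume.
        if ($path -match '^[A-Za-z]:\\?\*?$') {
            $findings += "Exclusion covers an entire volume: $path"
        }
    }
    $findings
}

# Constructed sample input mirroring the thread: tamper protection off,
# one drive-root exclusion, one narrow build-cache exclusion.
$sampleStatus = [pscustomobject]@{
    AntivirusEnabled          = $true
    RealTimeProtectionEnabled = $true
    IsTamperProtected         = $false
}
$samplePref = [pscustomobject]@{
    ExclusionPath = @('C:\', 'D:\build\cache')
}
Test-DefenderPosture -Status $sampleStatus -Preference $samplePref

# On a live host with the Defender module available:
# Test-DefenderPosture -Status (Get-MpComputerStatus) -Preference (Get-MpPreference)
```

With the constructed sample this reports the tamper protection finding and the `C:\` exclusion, and leaves the narrow `D:\build\cache` exclusion alone.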
19. ◴[] No.36456912{3}[source]
20. hellotomyrars ◴[] No.36461641{3}[source]
Yes. It’s a combination of those factors for sure. There are just so many more constant disk hits from 8 and on, and a good deal of them are from Defender. I do PC service and repair on the side and tossing in a cheap SSD makes most people happy because the drive being slammed was the only thing “wrong” with their computer.

Thankfully we’re largely past that.

That said, I rarely see malware on most of the machines I touch. I get more calls about automatically fullscreened browser windows with scare text and a phone number to call than any actual software problems.

Defender does work well enough for any average person and I’m happy if only because the vast majority of AV software is sold in the most disgusting way. Just as bad as the malware scare tactics honestly.

21. aoetalks ◴[] No.36467541[source]
How did I not hear about this before on HN? This is pretty cool.
22. arsome ◴[] No.36488910{4}[source]
Real-time AV scanning is useless against even a cheap (<$10) packer though. Sure, they'll update their definitions and find it eventually, but if it doesn't have a definition for it now, having a definition for it later simply doesn't matter, the damage is done. I'd argue you're actually better to run it through something like VirusTotal where they'll have a larger assessment from many scanners and sandboxing tools to increase the odds of catching something compared to real-time scans with 1 AV.