T The Triage ManualTechnical Guides for IT Emergencies
P2 · Windows Server

Windows Post-Patch CPU/Memory Spike After Cumulative Update — TiWorker, Defender, SearchIndexer

Following installation of a cumulative update on Windows Server or Windows 10/11, some hosts exhibit sustained CPU spikes (80–100%) and/or progressive memory consumption in the hours immediately after reboot. The root cause is typically one or more background post-patch processes: Windows Update cleanup (TiWorker.exe / TrustedInstaller), Defender AV rescanning new binaries (MsMpEng.exe), Windows Search re-indexing (SearchIndexer.exe), or SysMain cache rebuilding. In a minority of cases, the cumulative update itself introduces a driver regression or service memory leak requiring update rollback. Resolution proceeds by identifying the offending process, suppressing or deferring the background task, and monitoring for natural resolution within 1–4 hours; rollback via WUSA or DISM is reserved for confirmed regressions.

Indicators

Likely causes

Diagnostic steps

  1. Open Task Manager (Ctrl+Shift+Esc > More details), sort by CPU then Memory. Note top consumers by name and PID. Then launch Resource Monitor (resmon.exe) and check CPU, Memory, Disk, and Network tabs for per-process breakdown.
    Identify which specific process(es) are driving the CPU/memory spike so remediation can be targeted rather than broad.
  2. Run in an elevated PowerShell: `Get-Process | Sort-Object CPU -Descending | Select-Object -First 20 Name, Id, CPU, WorkingSet | Format-Table -AutoSize`
    Provides a repeatable, shareable snapshot of process-level CPU and working-set memory consumption for team communication and trending over time.
  3. Confirm which KB was recently installed and correlate with the spike start time: `Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10` — cross-reference the install timestamp against the performance degradation onset.
    Establishes a causal link between the cumulative update and degradation, and identifies the specific KB number for Microsoft advisory and Update Catalog lookup.
  4. Open Event Viewer and review: System log for errors/warnings around the update install time; Application log for crash or hang events; Microsoft-Windows-Diagnostics-Performance/Operational log for Event IDs 100 (slow boot), 101/102 (app hang), 200/203 (slow shutdown).
    Surface logged errors, service failures, or performance warnings that correlate with the update and point to a specific component requiring attention.
  5. If MsMpEng.exe is the top consumer, check Defender scan state and configuration: `Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, QuickScanAge, FullScanAge, NISEnabled` `Get-MpPreference | Select-Object ScanScheduleDay, ScanScheduleTime, ExclusionPath`
    Determines whether an AV scan triggered by new patch binaries is the root cause and whether scan exclusions for known-safe paths are configured.
  6. Check Windows Search indexing status: open Control Panel > Indexing Options and note items remaining, or run `Get-Service WSearch | Select-Object Status, StartType`. Correlate SearchIndexer.exe disk I/O in Resource Monitor.
    Confirms whether Search re-indexing post-update is generating the I/O and CPU load observed.
  7. For suspected memory leaks (memory growing continuously, not plateauing), sample the offending process every 5 minutes: `Get-Process <ProcessName> | Select-Object Name, WorkingSet, VirtualMemorySize, PagedMemorySize`. If working set grows without bound, this is a regression, not a transient background task. Capture a Performance Monitor data collector set or use Process Explorer (Sysinternals) to log handle counts and memory over time.
    Differentiates a transient self-resolving background task from a persistent memory leak or driver regression that requires service restart or update rollback.
  8. If a svchost.exe instance is the culprit, identify the hosted services: `tasklist /svc /fi "imagename eq svchost.exe"` — match the PID from Task Manager/Resource Monitor to determine which service(s) are running inside that host process.
    Pinpoints the specific Windows service within a generic svchost.exe host so that service can be restarted independently without rebooting.

Resolution path

Prevention

Tools

References

windowscumulative-updatepatch-managementperformancecpu-spikememory-leakpost-patchwindows-defenderwindows-searchtiworkermsmpengsvchostsearchindexerincident-responserollbackwusadismpatch-tuesday