Windows 11 + Device Guard slows down CreateProcess + pipe output capture (ReadFile waits longer)

Question

Windows 11 + Device Guard slows down CreateProcess + pipe output capture (ReadFile waits longer)

S, Ananth 0

Hi Microsoft Support Team,

We are seeing a significant performance difference between Windows 10 and Windows 11 when Device Guard (VBS/HVCI/WDAC) is enabled, and we would like your guidance on why this occurs.

Issue description (technical)

Our application repeatedly launches child processes (both .exe and cmd.exe /C calls for .bat scripts) using CreateProcess with redirected stdout/stderr via anonymous pipes. After launching each child, the parent reads stdout/stderr using blocking ReadFile() loops until ERROR_BROKEN_PIPE (i.e., until the child and any inheriting descendants close the stdout/stderr write handles).

On Windows 10 with Device Guard enabled, the overall runtime is ~5–7 minutes. On Windows 11 with Device Guard enabled, the same workload takes ~20–35 minutes (varies by machine). The additional time is consistently observed while waiting for the redirected pipe reads to complete (the “read until broken pipe” logic), which effectively means the child process chain takes longer to finish/close handles.

Key technical points

Child creation: CreateProcess(..., bInheritHandles=TRUE, ...)
Stdout/stderr are redirected using CreatePipe and passed via STARTUPINFO (STARTF_USESTDHANDLES)
Parent reads stdout/stderr using ReadFile() in a loop until ERROR_BROKEN_PIPE
This pattern runs many times (for each external command)

Requested clarifications

Are there known Windows 11 behavioral changes or performance regressions under Device Guard (VBS/HVCI/WDAC) that increase:
- process creation / image validation time (CreateProcess),
  - module/DLL load validation time, and/or
    - the lifetime/behavior of cmd.exe / console-hosted processes with redirected std handles?
    - Can Device Guard on Windows 11 cause additional delay in closing inherited stdout/stderr handles (e.g., due to extra helper processes or different console host behavior), making ReadFile() wait longer for ERROR_BROKEN_PIPE?
    - Are there specific Windows event logs/counters you recommend to confirm whether the delay is due to Code Integrity validation overhead (even when no blocks/audits occur)?

Observed behavior

No CodeIntegrity “error” events are present, but runtime increases significantly only when Device Guard is enabled on Windows 11.
Without Device Guard, the same workload is fast on both OS versions.

Please let us know what Windows 11 + Device Guard components could explain this increased wait time and what diagnostic data you would like us to collect (ETW providers, event channels, performance counters, etc.) to validate the root cause.

Thanks,
Ananth S
<PII removed>

Taki Ly (WICLOUD CORPORATION) 1,500 Reputation points Microsoft External Staff Moderator

2026-04-17T10:34:24.49+00:00

Hi @S, Ananth ,

I am looking into this and will response back to you as soon as possible.

1 answer

Your answer

Taki Ly (WICLOUD CORPORATION) 1,500 Reputation points Microsoft External Staff Moderator

2026-04-17T10:34:24.49+00:00

Hi @S, Ananth ,

I am looking into this and will response back to you as soon as possible.

Answer 1

Hi @S, Ananth ,

It is difficult to point to a single exact cause without analyzing system traces, but based on similar issues, the extra checking from Device Guard and Antimalware is likely the problem. You can check a few things below:

1. Antimalware Inspection Delays (Defender + WDAC) ReadFile() is waiting longer to receive the ERROR_BROKEN_PIPE state usually means that the write end of the anonymous pipe is being kept open longer than expected.

On Windows 11 with Device Guard enabled, security components like Windows Defender's Real-Time Protection (RTP) and its file system filter (AMFilter) often perform much deeper, synchronous scanning for every new cmd.exe or .bat process created.
While these security processes inspect the child environment, they can temporarily hold onto the inherited pipe handles, delaying the process termination and the ERROR_BROKEN_PIPE signal.
A quick troubleshooting step is to try adding a temporary folder exclusion in Windows Security (for the directory containing your .bat scripts or the parent application). If the runtime drops from 30 minutes back to 5-7 minutes, the Antimalware inspection under the Device Guard environment is your bottleneck.

2. Code Integrity (CI) and HVCI Overhead Windows 11 has updated and applied stricter enforcement for VBS and HVCI (Memory Integrity). Even if there are no audit/block events, the image validation process (calculating hashes, checking signatures) inside ci.dll during CreateProcess can consume more resources compared to Windows 10. When your application repeatedly spawns hundreds of short-lived child processes, this overhead accumulates very quickly.

3. Suggested Diagnostic Tools To see exactly what Windows 11 is doing during that 20-35 minute window, capturing an Event Tracing for Windows (ETW) log is the best approach. I suggest recording the trace by these steps below:

Open the Start menu, type wprui (Windows Performance Recorder), and select Run as administrator.
Click on More options. Then, under "Select additional profiles", expand Resource Analysis and check CPU usage along with File I/O activity. (You can uncheck First level triage).
On the right side, change the Logging mode from Memory to File.
Click Start. (If the software throws an "Access Denied - 0x80070005" error, it proves that your strict WDAC policy completely blocks ETW tracing, and you may need to test this on a machine with Device Guard configured in Audit mode).
Reproduce the slow CreateProcess behavior for about 5 to 8 minutes, then click Save in the WPR window to output the .etl trace file.

Afterward, you can open this .etl file using Windows Performance Analyzer (WPA):

Open the System Activity -> Generic Events graph. Look at the Provider Name column.
Check if providers like Microsoft-Antimalware-Engine, Microsoft-Antimalware-RTP, or Microsoft-Windows-CodeIntegrity show massive event counts that align perfectly with the Microsoft-Windows-Kernel-Process (process creation) events.

Hope these suggestions help narrow down the issue. If you found my response helpful or informative, I would greatly appreciate it if you could provide feedback by following this guide.

Thank you.

Taki Ly (WICLOUD CORPORATION) 1,500 Reputation points Microsoft External Staff Moderator

2026-04-24T10:23:15.2133333+00:00

Hi @S, Ananth ,

I’ve shared an answer. Did you get a chance to look at it? If you have any questions, just drop a comment and I’ll try my best to help.
Taki Ly (WICLOUD CORPORATION) 1,500 Reputation points Microsoft External Staff Moderator

2026-04-28T09:56:42.77+00:00

Hi @S, Ananth ,

Just checking in, do you have any update on this post?
S, Ananth 0 Reputation points

2026-05-06T10:27:17.4066667+00:00

Hi,

I tried the suggested troubleshooting step by adding a temporary folder exclusion in Windows Security for the directory containing the .bat scripts / parent application. However, the issue still persists and there is no noticeable improvement in execution time.

Additionally, I am unable to run WPA traces when Device Guard is enabled, even in Audit Mode.

Please let me know if any other way to troubleshoot the issue

Warm regards,
Ananth
Taki Ly (WICLOUD CORPORATION) 1,500 Reputation points Microsoft External Staff Moderator

2026-05-07T09:38:34.75+00:00

Hi @S, Ananth ,

Thanks for the update and for sharing the screenshot.

Regarding the WPR error (0x80070032), I noticed in your screenshot that the Profile Id says CPU.Verbose.Memory, FileIO.Verbose.Memory. The word Memory means the tool is still trying to log to RAM. Please double-check that the Logging mode on the right side of the WPR window is changed from Memory to File. Also, you might want to open an admin Command Prompt and run wpr -cancel to clear any stuck sessions before trying again.

If WPR still refuses to run due to your Device Guard policies, we can use an alternative tool: Sysinternals Process Monitor (ProcMon). It is very user-friendly and often bypasses ETW blocking.

You could try these steps to capture the data:

Download ProcMon from the official Microsoft site, extract it, and run Procmon64.exe as administrator.

It will start capturing. Reproduce your application's slow behavior for about 5 to 8 minutes.

Click the magnifying glass icon on the toolbar to stop the capture.

Save the trace as a .pml file.

Inside ProcMon, you can filter for Process Create and ReadFile events. It will show you how long process creation takes and what background processes might be holding the pipe handles open.

As a side note, because creating new processes is inherently expensive under Windows 11 Device Guard, you might want to review the application code. If you can avoid launching .bat scripts repeatedly, perhaps by batching commands into a single script or using direct API calls instead of spawning cmd.exe, it could reduce the total runtime.

Let me know if you can get a trace with ProcMon or the updated WPR settings.

Thank you.

Share via

Windows 11 + Device Guard slows down CreateProcess + pipe output capture (ReadFile waits longer)

Issue description (technical)

Key technical points

Requested clarifications

Observed behavior

1 answer

Your answer