Decrease in Performance after Meltdown Patch

Topic

New Reply

I just installed the Meltdown patch on my Win 7 machine and I noticed a bigger slowdown than I expected, well, I didn’t notice, the software I used noticed the slowdown. Here are all the problems I had with the update:

Firstly, Sandboxie stopped working after the patch, InSpectre also reported that my performance now is “Slower”, before the patch it was “Excellent”.
https://imgur.com/a/j4mon

I did two CPU performance tests, before and after the patch, and the decrease was bigger than expected.
https://imgur.com/a/hga89

I will probably uninstall the patch if it’s even possible. The decrease in performance is not worth the tiny security this patch provides me.

2 users thanked author for this post.

JDeC, HiFlyer

Reply | Quote

Replies

@ FakeNinja

But the tech journalists reported minimum performance hit (= about -1%?) by the Meltdown and Spectre patches for most ordinary home-users. Were they giving fake news? Were they pro-Wintel?

I have also noticed a slight slowdown of the Internet since Jan 2018.

Reply | Quote

Your benchmark shows a 2% slowing. That’s well within testing margin of error.

1 user thanked author for this post.

HiFlyer

Reply | Quote

@ woody

Geekbench 4 scores are calibrated against a baseline score of 4000 (which is the score of an Intel Core i7-6600U). Higher scores are better, with double the score indicating double the performance.

https://browser.geekbench.com/processor-benchmarks
.
So, from FakeNinja’s Geekbench 4 CPU performance data, the performance hit is about 5% for Single-Core, ie 200/4000 X 100%; … and about 7% for Multi-Core, ie 300/4000 X 100%.
_______ Correct.?

1 user thanked author for this post.

HiFlyer

Reply | Quote

Well, I’m not gonna take that, I’d rather be vulnerable to malware. Is it okay to skip/hide the January rollup patches? Will the next months patches break anything if I didn’t install the previous months patches? In that case, I might as well stop updating my system completely.

Reply | Quote

It is OK to skip the Jan Rollup.

The Monthly Rollup patches are cumulative. That means the current one contains all that has gone before.

2 users thanked author for this post.

JDeC, HiFlyer

Reply | Quote

But cumulative ALSO means that the February Rollup will install the Meltdown patch even if you skip January.

However as per my other post (below?) the GRC InSpectre utility allows you to easily disable the Meltdown and Spectre patches while still benefiting from the rest of the Rollup content.

2 users thanked author for this post.

HiFlyer, FakeNinja

Reply | Quote

Will disabling the Meltdown exploit really give me back the lost performance though?

Reply | Quote

As far as has been documented the InSpectre’s option to disable the Microsoft code should be a simple switch – but it is easy to test. Run the utility with Admin privileges – reboot once disabled – and run your test again.

However as has been pointed out the margin for error/variation on the test is not small – so you would need to replicate the exact conditions to be able to compare test results with any hope of detecting the difference. Have you proved how consistent the test results are between subsequent test runs? You might be better taking an average of multiple runs if the results show significant variation. Plus one benchmark utility is most likely not an accurate test of the overall impact on your system. Better to run tests using a real life task that you actually need the computer to perform.

Reply | Quote

My interpretation would be:
Single Core Performance
4536-4354= Drop of 182
182 as % of original = Drop of 4%

Multicore Performance
14752-14433= Drop of 319
319 as % of original = Drop of 2.1%

Also if you run the GRC InSpectre utility with Admin privileges you can disable either of the patches without uninstalling the KB package (this option is via an MS documented registry setting – InSpectre just provides a GUI route to toggle the registry setting).

1 user thanked author for this post.

HiFlyer

Reply | Quote

KB4056897 /KB4056894 – WIN 7 SECURITY UPDATE – Unable to use Sandboxie – Compatibility issues[Fixed in beta 5.23.3]

GRC’s InSpectre doesn’t benchmark, it just uses the ‘expected’ result, that most CPUs will benchmark slower when patched…

Benchmark suites don’t tie in well with ‘real World’ performance or usage, relying on a single run of any of them isn’t recommended. Performance variations of less than ~8% are almost to impossible to detect during normal usage with a recent CPU that’s suited to the tasks in hand.

Your GeekBench score is probably within the normal range for your CPU model anyway, do you have the URL for your tests?

Reply | Quote

I did some of my own informal unscientific testing of patching and firmware updates for Meltdown/Spectre.  The firmware kills I/Os.  We know Meltdown and one variant of Spectre are already software patched.  I wonder, given the surface area of Spectre variant 2, whether the firmware update performance hit is even worth considering.  Unless you are a government or financial entity, is it worth suffering such a performance hit?  I recommend holding off on firmware updates.  See below.

1. The difference between having the firmware patched almost doubled application load times on my test laptop.  An app that took 7 seconds to load before patching took 13 seconds after patching on a 3 year old machine.  This was on the Lenovo E550 before and after firmware loads.

I ran for a week and witnessed zero reboots or instability.  I have some suspicion that Intel pulled the firmware because of performance, not instability.

I am a little concerned about verification tools.  I patched my the E550 firmware and OS and passed Inspectre’s testing.  Then I back leveled the firmware.  Inspectre still showed my system was completely secure.  Microsoft’s powershell script showed the E550 was secure on Winodws 10 1703.  Inspectre wouldn’t verify the E550 was secure until it was on Win 10 1709.  We need better verification tools.

Below are some other informal unscientific load times.  The T430 has a slightly faster processor than the E550, but the E550 is much newer and most every other piece of hardware should be faster.
Machine 1: Lenovo T430 – No Spectre Firmware Patch.
Core i7, 12GB RAM, 512GB SSD, Bitlocker
Machine 2: Lenovo E550 – Spectre Firmware Patch
Core i7, 16GB RAM, 512GB SSD, Bitlocker

Edit to remove HTML. Post may not appear as author intended.
Please convert to plain text (.txt) before cut/paste operation from Word document

Reply | Quote

I am unsure if the InSpectre utility actually detects active Microcode/BIOS patches or just the presence of a vulnerable CPU and the Microsoft KB patching status. I have submitted a support query to GRC to ask about this – will report back when I get an answer.

Reply | Quote

Respectfully, I don’t understand why people make such a big deal of small CPU performance drop. If your computer is one year old, you could argue you have a performance drop of more than a few percent compared to this year model. Unless you run very specific apps that require maximum performance, you won’t likely see any difference in your day to day tasks.

If that was that important, you should maybe change your computer every year to extract the maximum power available at the time. Yes, it is sad that a bad design ends up removing some performance of the computer to ensure security. Not sure that Intel could predict this issue at the time. Maybe they could, but they dismissed the risk as not too important and preffered to focus on showing better performance. But I don’t find that fort most people it should justify not patching when an exploit shows up if not before when patches are stable.

Over minimal performance differences in real day to day computing experience, I’d rather choose stability and security, which the patches unfortunately don’t seem to offer yet, though.

That being said, I appreciate that people tests the performance to get a general idea of what happens and try to see if the pr campaign tries to minimize a situation that is in fact worse than they say. I think Noel’s approach looking at IO is interesting in that respect, as it probably represents more a realistic usage scenario.

1 user thanked author for this post.

MrBrian

Reply | Quote

DougCuk wrote:

I am unsure if the InSpectre utility actually detects active Microcode/BIOS patches or just the presence of a vulnerable CPU and the Microsoft KB patching status. I have submitted a support query to GRC to ask about this – will report back when I get an answer.

InSpectre does attempt to detect any active Microcode patches running within Windows – the “Show Tech Details” option within the utility reports this as a specific test result. The help screens show the following details:

“CPU microcode updated” indicates that this system is using recently updated Intel or AMD microcode which provides the control over branch prediction speculation required to allow an aware operating system to protect the system from the Spectre vulnerabilities.

However I am still unsure if the utility detects the presence of an updated BIOS/UEFI firmware on the motherboard.

Reply | Quote

Well, I’ve something weird to report.
I installed january group B security patches on win 7 , 2 days ago. The cpu is a xeon E5205 ( 2 of them ), and there’s NO microcode offered ( and doubt it’ll ever happen ).
I have the pc under the SAME load daily, and weirdly I GAINED 10% cpu… I’m still very puzzled.

Major gain was on skype.. before was sitting at 25% , now at most goes to 21 but averages at 19%

Reply | Quote