Reclaim your CPU and disk throughput when Threat Protection hogs everything.
Why? • Install • Usage • How it works • FAQ
NordVPN's Threat Protection service (nordsec-threatprotection-service) scans every file touched by the system in real time. During legitimate heavy I/O operations it can eat:
- 90%+ CPU continuously
- 300+ MB/s disk throughput sampling files it will never block
Symptoms users notice:
- 7-Zip, WinRAR, or built-in extraction stuck at near-zero speed
- Copying folders to an external drive takes hours
explorer.exespinning at 100% CPU while disk queue sits empty- Fresh, powerful hardware behaving like a 2010 laptop
And unlike Windows Defender, Threat Protection does not honor Defender's exclusion list — you cannot simply whitelist a folder.
This repo ships two files:
| File | Purpose |
|---|---|
Toggle-NordTP.ps1 |
PowerShell script that pauses or resumes the service |
Toggle-NordTP.bat |
Double-click launcher (calls the .ps1 with the right flags) |
One click → service pauses, auto-restart policy is disabled, CPU freed. Click again → service starts back up, normal policy restored.
No config, no registry hacks, no NordVPN reinstall.
- Download both files from this repository (or
git clone):Toggle-NordTP.ps1Toggle-NordTP.bat
- Drop them in the same folder — Desktop is fine.
- Done.
No dependencies. No PATH changes. No scheduled tasks.
- Double-click
Toggle-NordTP.bat - Accept the UAC prompt
- Green banner =
PAUSED - Window closes in 5 seconds
- Double-click
Toggle-NordTP.batagain - Accept UAC
- Green banner =
RESTORED
Same button, opposite effect. The script inspects the current state and decides.
| State | CPU used by Threat Protection | Typical disk throughput |
|---|---|---|
| Running (default) | 80 – 120 % | near zero during extraction |
| Paused | 0 % | full drive speed |
┌──────────────────────────────┐
│ Double-click Toggle-NordTP │
└──────────────┬───────────────┘
▼
┌──────────────────────────────┐
│ .bat launches PowerShell │
│ with ExecutionPolicy Bypass │
└──────────────┬───────────────┘
▼
┌──────────────────────────────┐
│ .ps1 self-elevates via UAC │
└──────────────┬───────────────┘
▼
┌──────────────────────────────┐
│ Detects service state │
└──────────────┬───────────────┘
│
┌─────────┴─────────┐
▼ ▼
Running Stopped
│ │
▼ ▼
Disable recovery Restore recovery
Set start=disabled Set start=auto
Stop-Service Start-Service
Kill process if ─────────────
still alive
On pause the script:
- Clears the service's failure-recovery policy (otherwise Windows SCM restarts it after a few seconds)
- Sets
StartType = Disabledso it will not come back at reboot - Stops the service and kills the process as a safety net
On resume the script:
- Restores
StartType = Automatic - Restores default recovery actions (
restart/60sthree times, 1-day reset window) - Starts the service
Is this safe? Yes. The script only starts/stops a service you already have installed. It does not touch binaries, files, registry (beyond the service's own config), VPN config, or your NordVPN subscription.
Will my VPN connection drop?
No. Threat Protection and the VPN tunnel are separate services (nordvpn-service is untouched here).
Can Windows Defender replace Threat Protection while paused? Defender keeps running the whole time. You stay protected by Microsoft's real-time AV — you just stop paying the performance tax on top of it.
Will the service come back on its own? No. The script disables the SCM recovery policy and the auto-start flag when pausing. It stays paused until you toggle it again or reboot after manually re-enabling.
Will a NordVPN update re-enable it?
A NordVPN update may restore the service to Automatic. Just click the toggle once to pause again.
Does this work if the service has a different name? The script checks three known candidate names. If none match it prints a diagnostic listing how to find your local service name, and exits cleanly.
Does it require admin rights? Yes. Stopping a Windows service requires elevation. The script self-elevates via UAC — you only need to accept the prompt.
| Component | Requirement |
|---|---|
| OS | Windows 10 (1809+) or Windows 11 |
| PowerShell | 5.1 (shipped by default) or newer |
| NordVPN | Version with Threat Protection feature (~2022 or newer) |
| Privileges | Local administrator (UAC prompt handles this) |
The UAC prompt never appears. Make sure your user account is a member of the local Administrators group, and that User Account Control is enabled in Windows.
I see "service NOT FOUND". Open PowerShell and run:
Get-Service | Where-Object { $_.Name -match "nord|threat" }If a Nord-related service name appears that is not in the script's candidate list, open an issue with the exact Name value and we will add it.
The script ran, but my extraction is still slow. Threat Protection may be one of several bottlenecks. Also check:
- Windows Defender real-time scanning (add the target folder to its exclusion list)
- Windows Search indexing on the destination drive
- USB connection speed (USB 2.0 caps around 30 MB/s real-world)
- The destination drive being a QLC SSD with a small SLC cache (sustained writes can fall to 80–100 MB/s after the cache fills)
Issues and pull requests are welcome. Please include your NordVPN version and the output of:
Get-Service | Where-Object { $_.Name -match "nord|threat" }MIT — see LICENSE.
Maintained by @MastroMimmo.
⚠️ This project is not affiliated with, endorsed by, or sponsored by Nord Security. "NordVPN" and "Threat Protection" are trademarks of their respective owners.