Where does the bug appear (feature/product)?
Cursor CLI
Describe the Bug
Environment
Cursor CLI Version: 2026.05.09-0afadcc
OS: Windows 11
Shells tested:
PowerShell 7
Windows Terminal
Warp
Endpoint Security:
Bitdefender Endpoint Security Tools (BEST)
Summary
After updating to recent Cursor CLI versions, using subagents from the CLI causes massive CPU spikes in Host for Endpoint Security (bdservicehost.exe).
This does NOT happen:
inside the Cursor IDE integrated terminal;
when using Cursor IDE subagents directly.
The issue only occurs when running Cursor CLI externally from Windows terminals.
Observations
Cursor IDE behavior
When using subagents inside Cursor IDE:
no additional visible pwsh.exe processes are created;
CPU usage remains stable;
Bitdefender does not react aggressively.
This suggests the IDE uses:
persistent workers;
shell reuse;
internal IPC/multiplexing.
Cursor CLI behavior
When using Cursor CLI externally:
many pwsh.exe processes are spawned;
parallel subagents increase process count significantly;
Host for Endpoint Security CPU usage scales linearly with subagent activity;
CPU can reach 50-100%.
Task Manager clearly shows:
multiple PowerShell child processes;
Node.js runtime orchestrating them;
low CPU per pwsh.exe;
very high CPU inside bdservicehost.exe.
This strongly suggests:
heavy CreateProcess activity;
PowerShell/AMSI inspection;
EDR behavioral analysis overhead.
Important finding
The issue appears tied to the new CLI subagent orchestration model introduced in recent versions.
Before recent updates:
CLI subagents either were not fully functional or did not spawn shells aggressively.
After updating to:
2026.05.09-0afadcc
the CLI now appears to:
spawn real subprocesses per subagent/task;
heavily use PowerShell process creation.
Steps to Reproduce
Reproduction
Open PowerShell 7 / Windows Terminal / Warp
Run Cursor CLI agent workflow with parallel subagents
Observe Task Manager
Expected Behavior
Result:
multiple pwsh.exe
Host for Endpoint Security CPU spikes massively
Operating System
Windows 10/11
Version Information
CLI Version: 2026.05.09-0afadcc
Model: Opus 4.6 1M High
OS: win32 (x64)
Terminal: windows-terminal
Shell: cmd
User Email: [email protected]
Additional Information
Additional tests
Does NOT reproduce
Cursor IDE integrated terminal
Cursor IDE subagents
Reproduces consistently
external PowerShell
Windows Terminal
Warp
Hypothesis
Cursor IDE and Cursor CLI appear to use different orchestration models.
IDE
Likely:
persistent shell/session reuse;
worker pooling;
fewer OS process creations.
CLI
Likely:
shell-per-task;
shell-per-subagent;
repeated pwsh.exe spawning.
This creates major overhead in enterprise EDR environments.
Request / Feature suggestion
Would it be possible to add:
persistent shell reuse;
shell pooling;
reduced subprocess spawning;
a “reuse existing shell” mode;
or a CLI execution model closer to the IDE implementation?
This would significantly improve:
Windows enterprise environments;
PowerShell performance;
compatibility with EDR solutions like:
Bitdefender
CrowdStrike
SentinelOne
Defender for Endpoint
Sophos
Workarounds found
Temporary mitigations:
use Cursor IDE integrated terminal;
use Bash/WSL instead of PowerShell;
reduce subagent parallelism.
But these are only partial solutions.
Does this stop you from using Cursor
No - Cursor works, but with this issue