WinRing0: Why Windows is flagging your PC monitoring and fan control apps as a threat


On Tuesday morning, some PC gamers woke up to discover their computers were seemingly under threat. A “HackTool” called WinRing0 had suddenly started triggering a Windows Defender alert, as if their PCs were under attack. Some of those computers even began behaving oddly — like blasting their fans at high speed — once the HackTool had been quarantined. I know, because it happened to me.

But my computer wasn’t actually under attack. At least, not yet.

When I checked where Windows Defender had actually detected the threat, it was in the Fan Control app I use to intelligently cool my PC. Windows Defender had broken it, and that’s why my fans were running amok. For others, the threat was detected in Razer Synapse, SteelSeries Engine, OpenRGB, Libre Hardware Monitor, CapFrameX, MSI Afterburner, OmenMon, FanCtrl, ZenTimings, and Panorama9, among many others.

“As of now, all third-party / open-source hardware monitoring softwares are screwed,” Fan Control developer Rémi Mercier tells me.

Windows Defender alert: “Threats found. HackTool:Win32/Winring0” is marked as a high-level, active threat.

That’s because all these programs have something in common, nine of their developers tell The Verge. They do (or did) all contain a piece of kernel-level software that is indeed called WinRing0. And WinRing0 could genuinely be a threat as of today, one that has even been linked to some pretty nasty real-world malware that could theoretically hijack your PC.

But again, that’s not what’s happening on computers with these specific useful apps — there is no hijack underway. Rather, WinRing0 is being flagged because it’s an insecure way for these pieces of monitoring software to tell how fast my PC’s fans are spinning and the colors of its LED lights, among other readings. And yet, WinRing0 is widespread, several developers tell me, because it’s one of the only ways Microsoft and the PC industry let them tap that hardware from inside the Windows operating system.

“There are only two freely available Windows drivers I know of that are capable of accessing the SMBus registers we need to be able to control LEDs: InpOut32 and WinRing0,” says Adam Honse, developer of OpenRGB. “We used to use InpOut32, but it was conflicting with Riot’s Vanguard anti-cheat, so we switched to WinRing0 as it did not conflict.”

Honse and others freely admit that WinRing0 could be abused. “It’s not some secret vulnerability. It’s literally a library intended to give userspace applications access to something that only kernel drivers normally have access to,” he says.

Nor do they all begrudge Microsoft’s attempt to close that potential loophole. After the CrowdStrike outage that knocked out 8.5 million devices with a buggy update last year, Microsoft has been under pressure to restrict software that has special access to low-level hardware, so nothing like that can happen again. Microsoft hasn’t said why it’s only getting around to addressing WinRing0 now, but it’s been gradually overhauling its driver requirements in yearly updates, and it’s pretty routine for the company to blacklist vulnerabilities on the go.

The fact remains that this vulnerable WinRing0 has found its way into all kinds of software because it was a useful loophole, and several developers now say they’re stuck because Microsoft would charge too much to fix it. Some are even calling Windows Defender’s detection a “false positive,” implying it should be safe to use WinRing0 anyhow, because their own apps aren’t malicious and there’s no other cost-effective way to get them working.

Fan Control’s developer now advises users to “review the risk” before deciding what to do.

Microsoft doesn’t entirely seem to disagree. The company has already reportedly walked back its blanket ban on WinRing0 apps, telling The Verge that it’s continuing to investigate. Here’s Microsoft GM of Threat Protection Scott Woodgate:

We are aware of reports about gaming and monitoring applications being flagged as a threat due to the use of unsigned versions of the Winring0 driver. While we continue to investigate, Microsoft Defender still assesses unsigned drivers to be a threat and is re-evaluating detection logic to have a more durable coverage without leading into adverse side effects such as false positive.

Microsoft did not confirm or deny that it has paused its ban, or comment on whether it might come back. Microsoft would not tell The Verge whether WinRing0 is inherently dangerous, or possibly somewhat safe.

One notable developer says it’s absolutely dangerous. Martin Malik, developer of popular system monitoring tool HWiNFO, reached out after we first published to say:

The problem with WinRing0 is that once it’s installed/active in the system it allows unrestricted access to protected resources. So, any app (even without admin rights) can for example use it and say “hey, read (or write) for me this part of memory.” And since the driver has access and doesn’t restrict the range, it can read/change other processes, secrets in memory or protected kernel registers. This is very dangerous.

Microsoft didn’t answer our question about whether the above statement is true or false. In the meanwhile, some developers are already claiming it’s safe enough you should feel confident letting it through. “If you wish to utilize the full feature set of CapFrameX, we recommend adding an exception for it in Defender,” reads a message forwarded by CapFrameX founder Mark Fangmeyer to The Verge. “Rest assured, this measure will allow seamless functionality without compromising security.”

SignalRGB founder Timothy Sun says the security risk was too much for his company, though. “Since WinRing0 installs system-wide, we realized we were dependent on whatever version was first installed on a user’s system. This made it extremely difficult to verify whether other applications had installed potentially vulnerable versions, effectively putting our users at risk despite our best efforts,” he says.

That’s why he invested in SignalRGB’s own RGB interface instead, eventually ditching WinRing0 in 2023 in favor of a proprietary SMBus driver. But the developers I spoke to, including Sun, agree that’s an expensive proposition.
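The two points above, that Defender objects to unsigned copies of the driver and that a single system-wide WinRing0 install is shared by whichever app got there first, can be checked on a given machine. The following PowerShell inventory is an added example, not code from the article or from any of the projects it names; it assumes the driver file and service names contain “WinRing0”, which varies by bundling app.

```powershell
# Added example (not from the article or any project it names): list every
# WinRing0 copy on this machine, whether it is the loaded kernel driver, and
# how each copy is signed. Run from an elevated PowerShell session.
# The name pattern is an assumption; apps bundle the driver under varying names.
$pattern = 'WinRing0'

# 1. Kernel driver services pointing at a WinRing0 image, with their load state.
$services = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -match $pattern -or $_.PathName -match $pattern }

# Service paths come back as \??\C:\... or \SystemRoot\...; normalise them so
# they can be compared with file-system paths.
function Convert-DriverPath([string]$p) {
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    return $p
}
$loaded = @{}
foreach ($s in $services) {
    if ($s.PathName) { $loaded[(Convert-DriverPath $s.PathName).ToLower()] = $s.State }
}

# 2. Every WinRing0*.sys on disk: copies bundled under Program Files plus the
#    one installed into System32\drivers. If Defender already quarantined a
#    copy, it will be missing here even though an app still references it.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemRoot\System32\drivers") |
    Where-Object { $_ -and (Test-Path $_) }
$files = Get-ChildItem -Path $roots -Recurse -Filter "$pattern*.sys" -ErrorAction SilentlyContinue

$report = foreach ($f in $files) {
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName   # Status: Valid, NotSigned, HashMismatch, ...
    $key  = $f.FullName.ToLower()
    $state = if ($loaded.ContainsKey($key)) { $loaded[$key] } else { 'not a registered driver' }
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    [pscustomobject]@{
        Path      = $f.FullName
        Loaded    = $state
        SigStatus = $sig.Status
        Signer    = $signer
        SHA256    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}

# Identical hashes mean several apps ship the same build; differing hashes are
# the "dependent on whatever version was installed first" situation described above.
$report | Sort-Object SHA256 | Format-Table -AutoSize
```

The SigStatus column is what Defender's statement is about: a copy reported as NotSigned or HashMismatch is the case being flagged, while a Valid status still tells you only who signed it, not whether the driver restricts what callers may do.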

“I won’t sugarcoat it — the development process was challenging and required significant engineering resources,” says Sun. “Small open source projects do not have the financial ability to go that route, nor dedicated Microsoft kernel development experience to do so,” says OpenRGB’s Honse.

Some suggest there may be a simpler alternative: why not fix the vulnerability in WinRing0 itself? To my surprise, three developers tell me that WinRing0 has already been patched, but the open source community doesn’t believe they can afford to get a new version signed by Microsoft — and without Microsoft’s digital signature, Windows won’t let users install it to begin with.

WinRing0 “was a ‘one of its kind driver’ in that its source was open and it was signed,” Mercier explains. “Nothing else like it exists, as enterprises do not develop open-source kernel drivers.”

According to PhyxionNL, the developer of the popular Libre Hardware Monitor that underpins many monitoring apps (including Fan Control), WinRing0 dates back to a time when Windows didn’t require Microsoft to sign such drivers; its author Noriyuki Miyazaki (also see: CrystalDiskMark) apparently signed it himself.

But to get a new copy signed, developers would need Microsoft’s approval — and they’d need to pay up.

Honse says:

It is not feasible to demand not-for-profit hobby [free open source software] projects to pay the same costs for driver signing as for-profit companies. It also appears that driver signing is a limited-time thing that would need continuous renewal, so it would be a recurring cost. Also, from preliminary searching, you need to be a company to be able to even get a kernel signing certificate. Microsoft has stacked the deck against us.

OmenMon’s Piotr Szczepanski says it’s not good enough to submit your entire app to Microsoft and VirusTotal for inspection, either, “as despite OmenMon being whitelisted each time, eventually the exact same executable can become repeatedly flagged again, as definition versions get updated and signatures get purged.”


Szczepanski, ZenTimings’ Ivan Rusanov, and Fan Control’s Mercier all say there’s nothing they can really afford to do in the absence of a newly signed driver that functions like WinRing0. “I would definitely replace it with something else the moment it gets available, but for now, obviously, I can’t advise the users to ignore it and add an exception to Defender,” says Rusanov.

But there is some hope. Prebuilt gaming PC manufacturer iBuyPower, whose Hyte Nexus monitoring software also uses WinRing0 and got flagged by Windows Defender, tells The Verge it will endeavor to get an updated WinRing0 signed — and give the results back to developers.

“If this solution works, we’ll share our updated and signed version of the library, so the community of developers can distribute new versions of their apps with validated Microsoft drivers,” Hyte product director Robert Teller tells us.

Teller says he’s awaiting Microsoft’s reply. Microsoft didn’t have any comment for The Verge.

I asked SignalRGB’s Sun if he might share his proprietary SMBus driver, but he said no, as “we’ve invested significant resources into developing this solution specifically for our needs and user base.”

HWiNFO’s Malik warns, though, that signing a patched WinRing0 won’t address the underlying risk, because the patch only addresses accessing the driver without admin elevation, which could be as simple as fooling a user into clicking yes. Microsoft would not answer whether that’s true, and whether WinRing0 is inherently a threat.

“Creating a reliable and secure driver is the most complicated thing as it requires complete rewrite of driver, interface to user-mode and also the application. Such driver needs to be tailored to particular application’s needs, so it would be quite difficult to also create a driver that would fit multiple apps,” he says.

As for Razer and SteelSeries users, you may simply want to update your software to the latest version to avoid WinRing0, as both companies tell me they’ve recently ditched it. But know that you may lose some functionality as a result. SteelSeries has just removed its System Monitor app entirely to address the vulnerability, meaning gamers can no longer see system data on the screens of its peripherals.

Razer software VP Quyen Quach says Synapse 4 and Synapse 2 never used WinRing0 at all and that the company patched Synapse 3 to remove it just three weeks ago.

Correction, March 13th: Razer says Synapse 2 didn’t use WinRing0 either, so no current versions of Synapse are affected.

Update, March 17th: Added statements from Microsoft and HWiNFO’s Malik, and that Microsoft would not answer our specific fact-check questions.
