Kernel-level anti-cheat installs a driver that runs with the highest privileges on Windows — the same privilege ring as the operating system core. It can see and block cheats that hide from normal game software, but it also loads at boot, can block other drivers, and expands your trust surface to whatever company shipped the driver.
That trade-off is why the topic keeps coming up: competitive games want fair matches; PC owners worry about stability, privacy, and what else a Ring 0 driver can touch. This guide explains how the technology works, what can go wrong, and how it differs from lighter anti-cheat. For a searchable list of titles, see every game with kernel-level anti-cheat.
User-mode vs kernel-mode anti-cheat
Most software on your PC runs in user mode. It cannot freely read other programs’ memory or block drivers from loading. Traditional anti-cheat scans the game process, hashes files, and looks for known cheat signatures — enough for casual cheating, not for kernel-level aimbots and DMA tools.
| Layer | Examples | What it can do | Typical load behavior |
|---|---|---|---|
| User-mode | Valve VAC, older Warden | Scan game process and files; ban accounts | Runs with the game |
| Kernel-mode | Easy Anti-Cheat, BattlEye, Vanguard, Ricochet, EA AntiCheat | Monitor system-wide; block vulnerable or cheat drivers | Often at boot or before game launch |
Kernel drivers operate in Ring 0. User applications sit in Ring 3 with fewer privileges. Device drivers sit between them. A cheat running in the kernel can hide from user-mode scanners — so anti-cheat followed it there.
What “kernel-level” actually means
The kernel is the core of the operating system. It schedules processes, manages memory, and talks to hardware. Code in Ring 0 can affect the entire machine — not just one game window.
Kernel anti-cheat typically ships as a .sys driver (for example Riot’s vgk.sys for Vanguard). Common behavior:
- Loads early — at system boot or before the game starts
- Watches for unsigned, vulnerable, or known-cheat drivers
- Blocks or quarantines those drivers so cheats cannot use them as a bridge
- Reports integrity violations to the game’s servers
Because it runs outside the game process, it can detect tools that never touch the game’s .exe directly — external readers, injected kernel modules, and hardware DMA cheat cards that sit on PCIe and read memory from outside the game process.
The cost: anything with Ring 0 access can, in theory, misbehave or be exploited. A bug in a browser is contained to Ring 3. A bug in a kernel driver is a system-level problem. The 2024 League of Legends Vanguard rollout produced a wave of blue-screen reports from players who said issues started only after install — Riot attributed problems to a small subset of configs, but the pattern repeated in 2026 after IOMMU enforcement updates.
Who uses it in 2026
Kernel anti-cheat is standard in competitive online shooters and many live-service games — not a fringe experiment.
| Solution | Type | Notable titles |
|---|---|---|
| Easy Anti-Cheat (Epic) | Third-party | Fortnite, Apex Legends, many UE titles |
| BattlEye | Third-party | PUBG, Rainbow Six Siege, Destiny 2 |
| Riot Vanguard | Proprietary | Valorant, League of Legends |
| Ricochet | Proprietary (Activision) | Call of Duty: Warzone, Modern Warfare series |
| EA AntiCheat | Proprietary | EA Sports FC, Battlefield, Apex (historically mixed) |
| XIGNCODE3 / GameGuard | Third-party | Many Korean MMOs and older titles |
Proprietary drivers like Vanguard and Ricochet tend to draw the most attention because they are tied to one publisher and often stay loaded longer than a single game session.
Not kernel-level (included for contrast): Valve VAC and much of Blizzard Warden operate primarily in user mode. They are less invasive but also easier for advanced cheats to evade — one reason competitive titles moved down the stack.
Full title-by-title coverage lives in our kernel anti-cheat games list.
Why developers deploy it
Online cheating erodes ranked modes and drives players away. Aimbots, wallhacks, and radar cheats sold as subscriptions are a business; user-mode bans alone did not keep pace.
Developers argue kernel drivers let them:
- Block cheats that never appear in the game process list
- Deny access to known-vulnerable drivers used as exploit paths
- Raise the cost of building and selling cheats
For esports and ranked playlists, that matters commercially. For single-player or offline-only games, the same justification is weaker — which is why always-on kernel drivers in primarily offline titles triggered backlash (see Doom Eternal below).
Risks and real-world problems
Security vulnerabilities
A kernel anti-cheat driver is only as trustworthy as its code. Historically, high-privilege anti-cheat and DRM components have had serious CVEs — local privilege escalation, arbitrary code execution, and pre-boot flaws. Riot has run bug bounty programs for Vanguard; patches ship through game clients, but the underlying risk never goes away: you are installing vendor code at Ring 0.
Treat kernel anti-cheat like any other deep system integration: install only from official sources, keep the client updated, and understand you cannot fully audit closed-source drivers yourself.
Driver and software conflicts
Kernel anti-cheat often blocks drivers it classifies as unsafe or abusable. Collateral damage hits legitimate tools:
- CPU temperature monitors (Core Temp and similar)
- Fan controllers and overclocking utilities
- Some USB or input-device drivers
- Virtualization or debugging tools
If Vanguard or BattlEye disables a driver your cooling stack relies on, you may see higher temps without obvious cause. See safe CPU temperatures and CPU overheating when troubleshooting — the game may be fine while monitoring software is blocked.
False positives happen. Updating the blocked program, checking the anti-cheat’s support page, or temporarily uninstalling the driver-heavy tool are the usual fixes.
Stability and boot issues
Deep integration means blue screens and boot failures show up in support threads when a driver conflicts with new Windows builds, BIOS settings, or hardware generations. Vanguard requires Secure Boot and compatible UEFI configurations on many setups; vgk.sys errors appear in Microsoft and Riot support docs for specific CPU and board combinations.
This is not universal — millions of players run these drivers daily — but it is a real compatibility class, not paranoia.
Performance
Pure FPS overhead from the driver itself is usually small. Perceived slowdown often comes from blocked tuning tools, extra background scanning at launch, or unrelated game patches blamed on anti-cheat. Measure with and without the game running, not from forum anecdotes alone.
Privacy
Kernel drivers can, in principle, inspect much of the system. Vendors state they do not log unrelated data; you largely take that on trust. Riot has published technical posts arguing user-mode clients already had broad visibility and that Vanguard does not phone home independently — contested, but that is the official line.
The practical question: do you trust this publisher to maintain a Ring 0 driver on a PC that also holds your accounts, files, and work data? There is no neutral third-party audit for most players. Declining the driver means declining the game.
Case studies worth knowing
Riot Vanguard (Valorant and League of Legends)
Vanguard launched with Valorant in 2020 and rolled out to League of Legends on Windows in 2024 after years of scripting and bot problems. The driver (vgk.sys) starts at boot on Windows; the user-mode client activates with Riot’s games.
Riot’s stated design goals: block kernel cheats, require Secure Boot, and keep the driver minimal. Player friction includes reinstall cycles for users who only want Valorant occasionally, blocked monitoring tools, and mandatory trust in Riot’s security team. Riot runs a HackerOne bounty for Vanguard flaws.

macOS League clients use a different embedded model (mVG) without a standalone boot driver — cheats may target whichever platform is weaker.
Motherboard firmware and VAN:Restriction (December 2025)
Riot’s Vanguard team found a UEFI flaw on many ASUS, Gigabyte, MSI, and ASRock boards: firmware could report pre-boot DMA protection as enabled while the IOMMU had not initialized early enough. That gap let DMA cheat hardware touch memory before Windows and anti-cheat loaded — effectively bypassing kernel protections.
Riot coordinated BIOS fixes with vendors (The Verge coverage). Affected players saw VAN:Restriction pop-ups blocking Valorant and League until they flashed updated firmware and enabled the required security options.
That crossed a new line for many players: a game publisher pushing motherboard BIOS updates as a play requirement, not just installing a driver.
The “$6k paperweight” DMA crackdown (May 2026)
In May 2026, Riot tightened Vanguard’s IOMMU enforcement against DMA cheat cards — external PCIe devices that read game memory from a second machine, long considered the hardest class of cheat to detect in software.
Riot posted a photo of seized cheat hardware with the caption “congrats to the owners of a brand new $6k paperweight.” Cheaters claimed Vanguard had bricked entire PCs; Riot clarified within a day that only purpose-built cheat devices were affected, not normal components — though some reports said cheat firmware on certain DMA setups was corrupted and needed removal or OS reinstall.
The episode reignited debate on three fronts:
- How far anti-cheat should go when cheats are physical hardware sold for thousands of dollars
- Whether kernel drivers should enforce IOMMU system-wide, with side effects for unrelated PCIe devices
- Whether a snarky corporate post about “bricking” hardware — even cheat hardware — was responsible given how fast “my PC is bricked” rumors spread
Legitimate players mostly cheered; security commentators noted the same Ring 0 power that blocks cheats is exactly what makes Vanguard dangerous if abused or buggy. TweakTown and others reported ongoing vgk.sys blue-screen threads on some Windows 11 configs after the update — disputed territory where driver conflicts and cheat hardware overlap.
This followed Riot’s December 2025 work with board vendors; together the two episodes show anti-cheat moving from “block cheat drivers” to “enforce firmware and IOMMU policy on the whole machine.”
Doom Eternal and Denuvo Anti-Cheat (2020)
id Software added Denuvo Anti-Cheat in a post-launch update — including for single-player users who never joined multiplayer. Steam reviews tanked; the driver ran at kernel level and could not be disabled while installed. Bethesda removed it within weeks.
The lesson publishers learned unevenly: scope matters. Mandatory boot drivers for offline play are a harder sell than the same tech in a ranked-only multiplayer mode.

ESEA bitcoin miner (2013)
Competitive platform ESEA shipped a Bitcoin miner inside its anti-cheat client — unauthorized use of player GPUs. It remains the canonical example of why “anti-cheat” is not automatically benign, even from esports brands.
How gamers have responded
Pushback follows the same pattern: review bombs, refund requests, and threads about DRM history (SecuROM, StarForce). Kernel anti-cheat feels like giving a game vendor permanent admin access.
Some players uninstall Vanguard between sessions; others dual-boot or use separate machines for competitive titles. Linux gaming growth also matters: many kernel anti-cheats are Windows-only, so cheats may target platforms where drivers do not exist yet.
What you can do
- Check before you buy — our games list shows which anti-cheat a title uses.
- Read the publisher’s FAQ — Secure Boot, TPM, and driver block lists vary.
- Keep monitoring and tuning tools updated — reduces false-positive blocks.
- Uninstall unused anti-cheat services — many installers leave boot drivers behind; use official uninstallers (Riot, Epic, etc.).
- Decide your trust line — if Ring 0 access is unacceptable, skip the game or use hardware you can wipe/reimage.
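One way to act on the "uninstall unused anti-cheat services" point is to list the non-Windows kernel drivers that are configured to start on their own. The PowerShell below is an added example, not taken from this guide's sources or any vendor's tooling; it relies on the standard `Win32_SystemDriver` CIM class and `Get-AuthenticodeSignature`, and `Resolve-DriverPath` is a helper name introduced here.

```powershell
# Added example: list non-Windows kernel drivers configured to start on
# their own (Boot/System/Auto), with vendor and signature status.
# Read-only. Run from an elevated prompt on Windows PowerShell 5.1 or later.

function Resolve-DriverPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    # Driver paths are stored in several forms:
    #   \??\C:\dir\x.sys   \SystemRoot\System32\drivers\x.sys   System32\drivers\x.sys
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$selfStarting = 'Boot', 'System', 'Auto'

Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.StartMode -in $selfStarting } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        $sig = $null; $vendor = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $vendor = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
        }
        [pscustomobject]@{
            Name       = $_.Name
            StartMode  = $_.StartMode
            State      = $_.State
            Vendor     = $vendor
            Signature  = if ($sig) { $sig.Status } else { 'FileMissing' }
            IsOSBinary = [bool]($sig -and $sig.IsOSBinary)   # in-box Windows driver
            Path       = $path
        }
    } |
    Where-Object { -not $_.IsOSBinary } |
    Sort-Object StartMode, Name |
    Format-Table Name, StartMode, State, Vendor, Signature, Path -AutoSize -Wrap
```

A row for a game you no longer play, or a `FileMissing` row whose file is gone but whose service entry remains, is a leftover; remove it with the publisher's official uninstaller rather than by deleting the `.sys` file.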
You generally cannot “turn off” kernel anti-cheat and still play ranked on titles that require it. User-mode workarounds and bypass discussions exist online; using them violates terms of service and risks bans.
Bottom line
Kernel-level anti-cheat is the industry’s answer to kernel-level cheats: effective for ranked integrity, invasive by design. It is not new — Easy Anti-Cheat and BattlEye have done this for years — but proprietary always-on drivers on major franchises keep the debate alive.
Understand what installs on your PC, what it can block, and who maintains it. Then choose whether the game is worth the trade.