Can Anti-Cheats See What Is Running on My PC?

Yes — kernel-mode anti-cheats (EAC, BattlEye, Vanguard, NeacSafe, Ricochet) can see essentially every running process, every loaded driver, every kernel callback, and the SMBIOS/firmware-level identifiers of your hardware. They have full system visibility while loaded. User-mode anti-cheats (VAC, Warden, Defense Matrix) see less — only what user-mode APIs return — but still enumerate running processes, hash loaded modules, and report findings to servers. Yes, the AC can see your screenshot tool, your Discord, and your unrelated apps.

How Do Anti-Cheats Fingerprint Hardware?

Anti-cheats fingerprint hardware by collecting and hashing identifiers across multiple sources: SMBIOS (motherboard, BIOS, system UUID), NIC MAC addresses, disk serial numbers, GPU device IDs, CPU identifiers (CPUID brand string, microcode revision), TPM 2.0 endorsement key certificate, USB peripheral descriptors, and monitor EDID data. The combined fingerprint becomes the HWID — and the EK certificate plus motherboard SMBIOS are the most durable elements. Riot logged 2.3M+ HWID bans in 2025 alone.

What Hardware Identifiers Do Anti-Cheats Track?

Modern anti-cheats fingerprint a composite of 16+ identifiers: SMBIOS UUID, motherboard serial, all disk serials (SATA + NVMe), every NIC''s MAC address, GPU UUID, MachineGuid (Windows registry), Windows Product ID, Windows install date, RAM SPD strings, USB controller IDs, PCI device IDs, monitor EDID, BIOS strings, TPM 2.0 endorsement key (unspoofable from user-mode), CPU ID, and Microsoft Remote Attestation. Raw Spoofer randomizes 13 of these; TPM EK and Pluton are firmware-baked and out of reach.

What Is a Kernel-Level Anti-Cheat?

A kernel-level anti-cheat is anti-cheat software that runs in ring 0 — the same privilege level as the Windows kernel — via a signed driver loaded into the OS. This gives it visibility into all processes, threads, drivers, kernel callbacks, and physical memory on the system. Examples: Easy Anti-Cheat (EAC), BattlEye (BEDaisy.sys), Riot Vanguard (vgk.sys), Activision Ricochet, NeacSafe, Zakynthos. Defense Matrix and VAC are NOT kernel-level — they run in user mode.

Why Do Anti-Cheats Need Kernel Access?

Anti-cheats need kernel access because cheat developers use kernel drivers. A user-mode anti-cheat cannot reliably detect a kernel-mode cheat — the kernel cheat operates at higher privilege than the user-mode AC and can hide from it. To level the playing field, modern AAA anti-cheats (EAC, BattlEye, Vanguard, NeacSafe, Ricochet) ship signed kernel drivers that run in ring 0 alongside Windows itself. This is the structural reason kernel anti-cheat became standard 2020-2026.

Can Anti-Cheats See What's Running on My PC? 2026

"Can the anti-cheat see what I''m running" is one of the most common honest questions players have, and the honest answer depends on whether the AC is kernel-mode or user-mode. The privacy implications are real, and the variation across AC vendors matters more than most players realize.

What kernel-mode anti-cheats can see

A kernel anti-cheat loaded into ring 0 has, in principle, read access to all of physical memory and all running processes. In practice, they don''t walk every byte — they perform targeted reads. But the targets include:

Full process list via PsGetNextProcess or callbacks; the AC sees every running process on your machine
Loaded module list per process via PsGetProcessSectionBaseAddress and module-walking; the AC sees every DLL loaded into every process
Driver list via PsLoadedModuleList; every kernel-mode driver loaded into Windows
SMBIOS, motherboard model, BIOS version, CPU info via firmware tables in physical memory
TPM 2.0 EK certificate via the TPM device interface
NIC MACs, disk serials, GPU device IDs via the appropriate device interfaces
Loaded screen-capture tools, OBS, recording software — present in the process and driver lists
Window titles and class names of all top-level windows
Network connections via the Windows networking subsystem (if the AC chooses to look)

This includes "you have Discord open with three friends in voice" and "you have OBS recording" and "you have Chrome with these tabs" if the AC chooses to read window titles, which most do for cheat-name detection.

What user-mode anti-cheats can see

A user-mode AC (VAC, Warden) is limited to what Windows allows user-mode processes to do. This is still a lot:

Process enumeration via EnumProcesses / CreateToolhelp32Snapshot — full process list visible
Loaded modules per process via EnumProcessModules for accessible processes
Window titles via EnumWindows
Registry reads for hardware ID strings, software inventories
WMI queries for hardware information

User-mode ACs cannot directly read other processes'' memory at kernel privilege, cannot see kernel drivers (without using elevated APIs), and cannot bypass Windows security tokens. They can still see basically every process and basically every loaded DLL — Windows considers most of that public information for user-mode software.

What the AC actually does with this visibility

The AC reports what it sees to its backend servers. Process names, module hashes, and window titles get sent for backend analysis. The AC doesn''t care that you''re running Spotify — but the same enumeration that catches "Spotify.exe" also catches "AimbotV3.exe" or anything window-title or process-name matching known cheats. The privacy implication is structural: to detect cheats, the AC must look at everything you''re running.

What ACs typically don''t do

Most major ACs (EAC, BattlEye, Vanguard) have public privacy statements describing what data they collect and what they don''t. They generally:

Don''t read browser histories or saved passwords
Don''t read documents or non-game files
Don''t persistently retain personal data beyond fingerprints needed for HWID ban enforcement
Don''t monetize the data they collect (no advertising sales of player activity)

Vanguard''s privacy implications were a major early-2020 controversy precisely because Riot is owned by Tencent, and the prospect of "Tencent kernel driver running on all my hardware" was non-trivial. Riot has been notably public about its privacy practices since. See the Vanguard privacy FAQ.

When the AC is loaded

Most kernel ACs only run while the protected game is launched. EAC, BattlEye, NeacSafe, and Ricochet typically unload (or stop scanning) when the game exits. Vanguard is the exception — its vgk.sys driver is registered as ELAM and loads at Windows boot, persisting in memory until reboot regardless of whether Valorant is running. The trade-off: more boot-time detection capability, more "AC running while I''m not playing" surface area.

What this means for users

If you''re worried about privacy: every kernel AC sees your machine''s full process state while loaded. If you''re worried specifically about cheat detection: yes, the AC sees that you have cheat tools installed regardless of whether you''re using them — many cheats keep the AC scope smaller by being run from secondary machines or USB devices, not from the cheating-protected PC itself.

RawCheats positioning

RawCheats are external software cheats that run from the cheating PC — meaning yes, the AC can see them while loaded. The defense isn''t "hide from the AC entirely" — it''s "look like normal software, don''t leave detectable signatures, use a clean HWID via Raw Spoofer, and use proper account isolation." The AC seeing files exist isn''t the problem; the AC matching them to known-bad signatures is. See our HWID Spoofer 2026 Guide for the operational layer.

Forward look

ACs are getting more visibility, not less. TPM-attested boot state, full-system fingerprinting via Pluton, deeper telemetry pipelines — the privacy trade-off cheaters accept becomes more burdensome over time. There is no "AC that doesn''t see your system" path for AAA shooters in 2026.