
What Is a Kernel-Level Anti-Cheat?

A kernel-level anti-cheat is anti-cheat software that runs in ring 0 — the same privilege level as the Windows kernel — via a signed driver loaded into the OS. This gives it visibility into all processes, threads, drivers, kernel callbacks, and physical memory on the system. Examples: Easy Anti-Cheat (EAC), BattlEye (BEDaisy.sys), Riot Vanguard (vgk.sys), Activision Ricochet, NeacSafe, Zakynthos. Defense Matrix and VAC are NOT kernel-level — they run in user mode.

RawCheats Anti-Cheat Research Team. Updated May 12, 2026

"Kernel-level anti-cheat" is the term that turned a structural decision in operating-system architecture into a public-facing controversy. Kernel-mode anti-cheats run with the same privilege as the OS itself, which gives them powers user-mode software lacks — and creates risks user-mode software cannot create.

Ring 0 versus ring 3

Windows uses two CPU privilege levels for the OS: ring 0 (kernel mode) and ring 3 (user mode). Ring 3 programs — the typical applications you launch — go through OS-mediated APIs to do anything sensitive. Ring 0 code can directly read and write any physical memory, hook system calls, intercept I/O, install callbacks the OS exposes for security software, and bypass user-mode access checks entirely. A kernel-mode anti-cheat installs a signed driver that loads into ring 0 alongside Windows itself.

What kernel access enables

A kernel anti-cheat can:

  1. register kernel callbacks (PsSetCreateProcessNotifyRoutineEx, PsSetLoadImageNotifyRoutine, PsSetCreateThreadNotifyRoutine, ObRegisterCallbacks) and see every process, thread, and image-load event system-wide;
  2. walk kernel module lists (PsLoadedModuleList, MmUnloadedDrivers, PiDDBCacheTable) for traces of cheat drivers;
  3. read and modify physical memory pages directly;
  4. strip handle access rights to its protected process before user-mode code can use them;
  5. verify driver signatures and detect test-signing mode and unsigned drivers;
  6. sit at the integrity boundary at a level where user-mode cheats cannot interpose;
  7. communicate with hardware (TPM, PCI config space, IOMMU page tables) directly.
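To make item 5 concrete, here is an added PowerShell example (not code from this page, from RawCheats, or from any anti-cheat vendor) that performs the ring-3 approximation of a driver-signature audit: it enumerates running kernel drivers through the Win32_SystemDriver class, verifies each image's Authenticode signature, reads the test-signing state from bcdedit, and reports the Secure Boot state. The function names Resolve-DriverPath, Get-LoadedDriverSignatureReport and Test-TestSigningEnabled are assumptions of this example, not names from the page.

```powershell
# Added example (not part of the original page or any anti-cheat vendor's code):
# a user-mode approximation of checks (2) and (5) above. A ring-0 anti-cheat walks
# PsLoadedModuleList directly; from ring 3 the closest we get is the Win32_SystemDriver
# class plus Authenticode verification of each driver image on disk.
#Requires -RunAsAdministrator

function Resolve-DriverPath {
    param([string]$PathName)
    # Driver paths from the service database use kernel-style prefixes; map them to Win32 paths.
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    return $p
}

function Get-LoadedDriverSignatureReport {
    # One row per running kernel driver with its Authenticode status and signer subject.
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        $sig  = if ($path -and (Test-Path $path)) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Name   = $_.Name
            Path   = $path
            Status = if ($sig) { $sig.Status } else { 'FileNotFound' }
            Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

function Test-TestSigningEnabled {
    # bcdedit prints "testsigning  Yes" when the current boot entry allows test-signed drivers.
    $out = bcdedit /enum '{current}' 2>$null
    return [bool]($out | Where-Object { $_ -match '^\s*testsigning\s+Yes' })
}

# Usage: surface anything not cleanly signed, then the boot-integrity settings.
$report = Get-LoadedDriverSignatureReport
$report | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
"Test-signing enabled: $(Test-TestSigningEnabled)"
"Secure Boot: $(try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { 'unsupported / legacy BIOS' })"
```

Run it from an elevated PowerShell; a third-party driver whose Status is anything other than Valid is the kind of finding an anti-cheat or EDR would flag (catalog-signed Microsoft drivers resolve through the system catalog store and show as Valid). The caveat is the page's own point: this view is built from the service database and the filesystem, so a driver that was manually mapped into memory and never registered as a service is invisible to it, which is exactly the gap a ring-0 walk of PsLoadedModuleList and PiDDBCacheTable is meant to close.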

Who runs kernel mode

Kernel-mode: Easy Anti-Cheat (EAC, Epic Games), BattlEye (BEDaisy.sys), Riot Vanguard (vgk.sys, ELAM-loaded), Activision Ricochet, NeacSafe (NetEase, used by Marvel Rivals), Zakynthos (PUBG, launched Aug 2025 with ~100K bans in its first week), FACEIT AC, ESEA AC.

User-mode: Valve Anti-Cheat (VAC), Blizzard Defense Matrix and Warden, most third-party server-side ACs that don't require a client driver.

The trust trade-off

A kernel driver has root-equivalent access to your system. If it has a vulnerability, that vulnerability is exploitable with kernel privileges. If it crashes, it can blue-screen the system. If the publisher is compromised (cf. the late-2024/early-2025 supply-chain incidents in the AV space), an attacker can push code to every user. This is the legitimate trust concern with kernel ACs, and it's why the Vanguard launch in 2020 became a public conversation rather than a footnote.

Why kernel mode wins at detection

Cheats themselves frequently use kernel drivers — manually mapped, signed via leaked certificates, or vulnerable-driver "BYOVD" techniques. To detect a kernel cheat, you need kernel access. User-mode anti-cheats are structurally outmatched by kernel cheats. The result: every AC for a serious competitive shooter has gone kernel-mode (Valorant, PUBG, Fortnite, Apex, ARC Raiders, COD, R6 Siege, Rust, Marvel Rivals). The lone holdout among AAA competitive titles is Overwatch (Defense Matrix), and that is in part what 2026's ban-volume increase reflects.

Limits of kernel anti-cheat

A kernel AC running on your machine cannot see what runs on a separate machine. It cannot see read-only DMA from a properly configured FPGA card with the IOMMU bypassed. It cannot read the contents of your private decisions during gameplay (it can only fingerprint the resulting input). Kernel ACs are powerful but not omniscient — and the next layer of escalation (Remote Attestation, hardware-rooted Pluton attestation) moves the trust boundary off the kernel driver entirely.

How this affects RawCheats users

RawCheats sells external software cheats with hardware-level spoofing. We do not bypass kernel anti-cheats — we operate within their tolerance window: don't leave traces in the game process, don't leave traces of unsigned drivers loaded, don't hit behavioral ML, run a proper spoofer so HWID ban-wave correlation doesn't catch your main account. See our HWID Spoofer 2026 Guide and Kernel Cheat answer for context.

The history of consumer kernel anti-cheat

The first widely deployed consumer kernel AC was nProtect GameGuard (Korean origin, 2002 onward), followed by Hackshield (NCsoft, 2003 onward) and Xtrap (Wellbia, 2005 onward). These shipped on Asian online games years before Western consumer titles. The Western consumer market resisted kernel AC for over a decade — PunkBuster, VAC, the original EAC, and pre-2020 BattlEye were user-mode. The kernel turn in the West started with the Korean kernel ACs proving the architecture worked at scale, and accelerated when cheat developers shifted decisively into kernel-mode drivers (especially the BYOVD wave of 2016-2020 exploiting leaked Microsoft signing certificates).

Riot Vanguard's 2020 launch was the moment "kernel AC" entered mainstream Western gaming discourse. Within five years every AAA shooter except CS2 and Overwatch had shipped kernel-mode AC, and CS2 and Overwatch are notable mainly because they're exceptions. The kernel-AC architecture is now the industry default, and the conversations about kernel AC are about implementation quality and privacy trade-offs, not whether to ship one.

The CrowdStrike lesson

The July 2024 CrowdStrike Falcon update incident — where a bad kernel-driver update blue-screened approximately 8.5 million Windows machines worldwide — is the most consequential cautionary tale for kernel-mode security software. It wasn't a game AC, but it's the same architectural pattern: privileged code with auto-update from a vendor. The risk profile is real, and game AC vendors should be (and reportedly are) more cautious about rollout cadence than CrowdStrike was. The fact that no game AC has caused an equivalent incident through 2024-2026 suggests the lessons have been internalized — but the structural risk remains for as long as kernel-mode AC is the architecture.


Related Questions

How Does BattlEye Detect Cheats?

BattlEye is a kernel-mode anti-cheat from BattlEye Innovations operating in PUBG, Rainbow Six Siege, Arma 3, ARC Raiders, and other titles. It loads BEDaisy.sys as a signed driver, performs signature scanning of process memory, hooks kernel callbacks for process and image-load events, sweeps PCI configuration space and physical memory for DMA cards, validates module integrity via remote-server hash queries, and exports behavioral telemetry to BattlEye's backend for delayed wave bans.

How Does Easy Anti-Cheat (EAC) Work?

Easy Anti-Cheat (EAC) is a kernel-mode anti-cheat owned by Epic Games. It loads a signed Windows driver at game launch, runs in ring 0 alongside the kernel, registers process and image-load callbacks via PsSetCreateProcessNotifyRoutine and PsSetLoadImageNotifyRoutine, scans process memory and loaded drivers against signature databases streamed from Epic servers, and exports behavioral telemetry for server-side review. EAC protects Fortnite, Apex Legends, Rust, Dead by Daylight, and roughly 130 other titles.

What Is Riot Vanguard?

Riot Vanguard is Riot Games' kernel-mode anti-cheat for Valorant and League of Legends. It loads vgk.sys as an Early Launch Anti-Malware (ELAM) driver at Windows boot, requires TPM 2.0 and Secure Boot on Windows 11, enforces IOMMU on supported chipsets, hooks all kernel callbacks for process and image events, and bans aggressively at the hardware level — Riot logged 2.3M+ HWID bans in 2025 alone, including a 340K-account wave in five days in January 2026.

Why Do Anti-Cheats Need Kernel Access?

Anti-cheats need kernel access because cheat developers use kernel drivers. A user-mode anti-cheat cannot reliably detect a kernel-mode cheat — the kernel cheat operates at higher privilege than the user-mode AC and can hide from it. To level the playing field, modern AAA anti-cheats (EAC, BattlEye, Vanguard, NeacSafe, Ricochet) ship signed kernel drivers that run in ring 0 alongside Windows itself. This is the structural reason kernel anti-cheat became standard 2020-2026.
