Why Do Anti-Cheats Need Kernel Access?
Anti-cheats need kernel access because cheat developers use kernel drivers. A user-mode anti-cheat cannot reliably detect a kernel-mode cheat: the kernel cheat operates at higher privilege than the user-mode AC and can hide from it. To level the playing field, modern AAA anti-cheats (EAC, BattlEye, Vanguard, NeacSafe, Ricochet) ship signed kernel drivers that run in ring 0 alongside Windows itself. This is the structural reason kernel anti-cheat became standard in 2020-2026.
The "why does anti-cheat need to run in the kernel" question is the one players are asking when they're uncomfortable with Vanguard or EAC. The answer is unsatisfying but technically correct: because the cheats are also in the kernel, and you can't detect a kernel cheat from user mode.
The privilege escalation problem
Windows uses two main CPU privilege levels: ring 0 (kernel) and ring 3 (user). Code running in ring 0 has access to physical memory, can modify the OS itself, can hide its own presence from user-mode software, and can intercept system calls before user-mode programs see them. Code running in ring 3 — including ordinary applications, including any user-mode anti-cheat — operates under OS-enforced restrictions and cannot directly observe what kernel-mode code is doing.
If a cheat developer ships their cheat as a kernel driver (signed with a leaked certificate, loaded through a vulnerable signed driver in the "Bring Your Own Vulnerable Driver" technique, or manually mapped via an exploit), the cheat runs at the same privilege as the OS. From user mode, it can become structurally invisible. A user-mode anti-cheat asking the OS "is this driver loaded?" gets answered "no" because the cheat has unlinked itself from the documented driver list.
What kernel access gives the anti-cheat
With a kernel driver loaded, the AC can:
- Walk the actual kernel module list including unlinked or hidden drivers
- Register kernel callbacks for process creation, thread creation, image load, registry, and object handle events
- Strip handle access rights to the protected game process before user-mode code can use them
- Read physical memory to verify what user-mode and kernel-mode reads return (catching API hooks)
- Validate driver signatures and detect test-signing mode or unsigned drivers
- Communicate directly with hardware (TPM, PCIe config space, IOMMU page tables) for attestation purposes
Without kernel access, the AC has visibility roughly equivalent to a savvy user-mode antivirus — useful, but structurally outmatched by kernel-mode threats.
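As an added example (not code from this page or from any of the anti-cheat vendors named above), the following PowerShell script approximates three of the listed checks from user mode: enumerate loaded drivers, validate their Authenticode signatures, and detect test-signing mode. It assumes an elevated PowerShell session on Windows and, because it relies on documented APIs, it will not see a driver that has unlinked itself from the loaded-module list, which is exactly the gap the kernel AC closes.

```powershell
# Added example, not taken from the page or any anti-cheat vendor.
# Requires an elevated PowerShell (5.1+) session on Windows.

function Test-TestSigningEnabled {
    # bcdedit reports "testsigning  Yes" on the current boot entry when test-signing mode is on.
    $bcd = & bcdedit.exe /enum '{current}' 2>$null
    return [bool]($bcd -match '^\s*testsigning\s+Yes')
}

function Get-LoadedDriverSignatureReport {
    # Win32_SystemDriver lists only the drivers the OS admits to having loaded;
    # a driver that has unlinked itself from the module list will not appear here.
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" |
        ForEach-Object {
            $path = $_.PathName
            if (-not $path) { return }
            # PathName may carry a \??\ or \SystemRoot\ prefix; normalise to a file-system path.
            $path = $path -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not (Test-Path -LiteralPath $path)) {
                return [pscustomobject]@{ Name = $_.Name; Path = $path; Status = 'FileMissing'; Signer = $null }
            }
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Status = [string]$sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer = $sig.SignerCertificate.Subject
            }
        }
}

$report     = @(Get-LoadedDriverSignatureReport)
$suspicious = @($report | Where-Object { $_.Status -ne 'Valid' })

"Test-signing mode enabled : $(Test-TestSigningEnabled)"
"Running drivers           : $($report.Count)"
"Not validly signed        : $($suspicious.Count)"
$suspicious | Format-Table Name, Status, Signer -AutoSize
```

A NotSigned result is only meaningful for drivers that should carry an embedded signature; inbox Windows drivers are catalog-signed and are validated through the catalog by Get-AuthenticodeSignature on current Windows versions.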
The historical arc
2010-2018: most consumer ACs were user-mode (VAC, PunkBuster, Hackshield, original EAC, original BattlEye). Cheat developers responded by moving cheats into kernel drivers, especially once Windows Driver Signature Enforcement pushed them toward "Bring Your Own Vulnerable Driver" (BYOVD) and leaked Microsoft signing certificates as the viable ways to get a cheat driver loaded.
2018-2024: AAA AC went kernel-mode in succession. EAC kernel mode (2018), Vanguard launch (2020), BattlEye's BEDaisy era (2017+, deepened 2020+), Ricochet launch (2021), NeacSafe Marvel Rivals deployment (2024). The transition was driven entirely by the technical reality that user-mode AC could not keep up with kernel cheats.
2024-2026: every AAA shooter except Overwatch uses kernel-mode AC. Overwatch is the exception because Blizzard has strategic reasons (Battle.net catalog spanning many titles) to avoid shipping a kernel driver, and accepts the higher cheating rate as a trade-off. The result: Overwatch has higher cheating prevalence than Valorant or Fortnite, which validates the kernel-AC architectural choice for the other titles.
The legitimate trust concern
Kernel access is dangerous for users. A kernel driver vulnerability is exploitable at ring 0 privilege. A compromised AC vendor could push malicious code to every user. A poorly implemented driver can blue-screen the system. These risks are real, and they are the legitimate reason kernel-mode AC is controversial. The trade-off players make: accept the kernel-mode AC for AAA competitive play, or play games that don't use kernel AC.
The case-study disaster: the July 2024 CrowdStrike incident (admittedly an enterprise AV, but the same architectural pattern) blue-screened 8.5M Windows machines worldwide. Kernel-mode security software is one bad update away from disaster. Game AC vendors know this and ship updates more cautiously, but the risk is structural.
What kernel access does NOT give
Even with kernel access, the AC cannot:
- See what runs on a separate machine (DMA cheat setups with a second PC)
- Defeat hardware attestation issues with the local machine itself
- Read user thought or intent — only resulting input
- Catch cheats that operate at hypervisor level above the AC
- Defeat properly tuned humanized cheats that don't produce detectable signatures
The kernel AC is necessary but not sufficient. The full AC stack is kernel surveillance + behavioral ML + server-side validation + hardware attestation.
RawCheats position
RawCheats ships external software cheats that operate within the kernel-AC tolerance window. We don't ship a kernel driver competing with EAC's or BattlEye's — we operate at the layer where the kernel AC's detection is signature-based and behavioral, which is the actual battleground. Combined with Raw Spoofer's kernel-driver-layer HWID rotation, the practical model is: the AC sees your hardware (clean fingerprint, no ban-list hits) and doesn't see your cheat as a signature match, and you don't hit behavioral ML.
Forward look
Kernel AC is here to stay for AAA shooters. The trajectory is deeper kernel integration — Pluton attestation, ELAM-loaded drivers, hardware-rooted boot validation. The privacy concession players make to participate in competitive AAA gaming will keep growing. Whether or not that's a good societal trade-off is a separate question; technically, the architecture has been settled.
Related Questions
Yes — kernel-mode anti-cheats (EAC, BattlEye, Vanguard, NeacSafe, Ricochet) can see essentially every running process, every loaded driver, every kernel callback, and the SMBIOS/firmware-level identifiers of your hardware. They have full system visibility while loaded. User-mode anti-cheats (VAC, Warden, Defense Matrix) see less — only what user-mode APIs return — but still enumerate running processes, hash loaded modules, and report findings to servers. Yes, the AC can see your screenshot tool, your Discord, and your unrelated apps.
Anti-cheats detect virtual machines through CPUID hypervisor bits, timing attacks against rdtsc/rdtscp instructions, MSR (Model Specific Register) inconsistencies, device enumeration (VirtIO/VMware/Hyper-V device IDs), SMBIOS strings revealing virtualization (VMware Inc, QEMU, innotek GmbH, Microsoft Corporation), and behavioral patterns (typing timing, mouse-event distributions inconsistent with native input). Most AAA anti-cheats block VM-based play entirely — Vanguard, EAC (in heavy-protection mode), and Ricochet all reject VM environments.
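As an added example (not this page's or any vendor's code), the following PowerShell function collects three of the VM indicators just listed, the hypervisor-present CPUID bit as surfaced by the OS, the SMBIOS vendor strings named above, and virtual-device names from PnP enumeration, and returns them as a list; it assumes Windows 8 or later, where Win32_ComputerSystem exposes HypervisorPresent.

```powershell
# Added example, not taken from the page or any anti-cheat vendor.
# Requires Windows 8 or later (Win32_ComputerSystem.HypervisorPresent).

function Get-VirtualizationIndicators {
    $hits = @()
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS

    # 1. CPUID hypervisor-present bit, as surfaced by the OS. Also true on a
    #    physical host running Hyper-V or VBS, so it is a hint, not proof.
    if ($cs.HypervisorPresent) { $hits += 'CPUID: hypervisor-present bit set' }

    # 2. SMBIOS vendor strings typical of virtual machines (the set named on this page).
    $vmVendors = 'VMware', 'QEMU', 'innotek GmbH', 'Microsoft Corporation'
    $fields    = @($cs.Manufacturer, $cs.Model, $bios.Manufacturer, $bios.SMBIOSBIOSVersion)
    foreach ($field in $fields) {
        foreach ($vendor in $vmVendors) {
            if ($field -and $field -like "*$vendor*") { $hits += "SMBIOS: '$field' matches '$vendor'" }
        }
    }

    # 3. Device enumeration: virtual bus and guest-integration devices exposed via PnP.
    $vmDevices = Get-CimInstance -ClassName Win32_PnPEntity |
        Where-Object { $_.Name -match 'VMware|VirtIO|Hyper-V|VBox|QEMU' } |
        Select-Object -ExpandProperty Name -Unique
    foreach ($device in $vmDevices) { $hits += "PnP: $device" }

    return $hits
}

$indicators = @(Get-VirtualizationIndicators)
if ($indicators.Count -eq 0) { 'No virtualization indicators found.' }
else { "Found $($indicators.Count) indicator(s):"; $indicators | ForEach-Object { "  - $_" } }
```

Each signal on its own produces false positives (HypervisorPresent is set on any host with Hyper-V or VBS enabled, and "Microsoft Corporation" is the SMBIOS manufacturer on Surface hardware), which is why anti-cheats combine them with the timing and MSR checks described above rather than keying on any one.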
A kernel cheat is a video-game cheat that operates from Windows kernel mode (ring 0) rather than user mode (ring 3). The cheat is implemented as a signed or manually-mapped kernel driver that has direct access to all system memory, can bypass user-mode anti-cheat restrictions, and can intercept anti-cheat scans before they reach the cheat's data. Kernel cheats emerged as the response to kernel-level anti-cheats like Vanguard, EAC, and BattlEye, which themselves run in ring 0.
A kernel-level anti-cheat is anti-cheat software that runs in ring 0 — the same privilege level as the Windows kernel — via a signed driver loaded into the OS. This gives it visibility into all processes, threads, drivers, kernel callbacks, and physical memory on the system. Examples: Easy Anti-Cheat (EAC), BattlEye (BEDaisy.sys), Riot Vanguard (vgk.sys), Activision Ricochet, NeacSafe, Zakynthos. Defense Matrix and VAC are NOT kernel-level — they run in user mode.
