Gandalf_The_Grey
For the last few days or so, various users online have reported that their fan control and/or other PC hardware monitoring applications are being flagged by Microsoft Defender. Affected apps include ones from Razer, SteelSeries, and many more. These applications are getting flagged due to an underlying "WinRing0x64.sys" system driver that Microsoft warns as "HackTool:Win32/Winring0", and Defender is quarantining the threat immediately upon detection.
As it turns out, "WinRing0 is a hardware access library for Windows" and allows Windows apps to "access I/O ports, MSR (Model-Specific Register), and PCI" bus.
OpenRGB, for example, states on its GitHub repo that it "uses the WinRing0 driver to access the SMBus interface" on Windows PCs. SMBus, or system management bus, helps in communication between low-bandwidth requirement devices. You may have come across the term for chipset drivers like that of AMD's.
Interestingly, it is not entirely wrong on Microsoft's part to flag it, since the driver is indeed vulnerable. The developer of the popular free fan control app called "Fan Control" has explained that applications like these, which rely on the open-source LibreHardwareMonitorLib driver (WinRing0x64.sys), are technically correctly being flagged. That is because the driver can theoretically be exploited as it remains unpatched.

Windows 11/10 is flagging "Winring0" on your PC monitoring, fan control apps, here's why
Microsoft Defender has been flagging Winring0 in system monitor and fan control apps on Windows 10 and 11 PCs, and it is not quite a false positive.
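
To see which applications on a machine carry the driver discussed above, the following added example (not part of the original post or the linked article) inventories WinRing0 from an elevated PowerShell session. The search roots and wildcard patterns are assumptions chosen for illustration; the driver file name and the detection name are the ones quoted in the post.

```powershell
# Added example: inventory WinRing0 on a Windows host (run elevated).
# Patterns and search roots below are assumptions; adjust them for your environment.
$driverPattern = 'WinRing0*.sys'   # matches WinRing0x64.sys, the file named in the post
$threatPattern = '*Winring0*'      # matches HackTool:Win32/Winring0

# 1. Kernel driver services whose image path points at a WinRing0 driver.
$services = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like '*WinRing0*' } |
    Select-Object Name, State, StartMode, PathName

# 2. Copies of the driver on disk, with hash and signer so the owning
#    application (fan control, RGB, monitoring tool) can be identified.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData,
           $env:LOCALAPPDATA, $env:TEMP) |
    Where-Object { $_ -and (Test-Path -Path $_) }

$files = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter $driverPattern -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path            = $_.FullName
                SHA256          = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Signer          = $sig.SignerCertificate.Subject
                SignatureStatus = $sig.Status
            }
        }
}

# 3. Microsoft Defender detections that match the threat name from the post.
$threatIds = Get-MpThreat -ErrorAction SilentlyContinue |
    Where-Object { $_.ThreatName -like $threatPattern } |
    Select-Object -ExpandProperty ThreatID

$detections = Get-MpThreatDetection -ErrorAction SilentlyContinue |
    Where-Object { $_.ThreatID -in $threatIds } |
    Select-Object InitialDetectionTime, ProcessName, Resources

# Report: an empty section means nothing was found for that check.
'--- Driver services ---';     $services   | Format-List
'--- Driver files on disk ---'; $files      | Format-List
'--- Defender detections ---'; $detections | Format-List
```

Files that Defender has already quarantined will not appear in the on-disk section; the `Resources` field of each detection records the path they were found at.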
