Windows Defender has flagged HackTool:Win32/Winring0 as a virus

[dogcalledholden]

This is in my Summary:

Located @ C:\Program Files (x86)\FanControl\FanControl.sys

Do I make an exception, do I quarantine? Ignore?

[Gruumshi]

same for me. with the same questions

[larry-martinez]

Detected: HackTool:Win32/Winring0
Status: Quarantine failed
This threat or app might not be completely remediated.

This program has potentially unwanted behavior.
Date: 3/11/2025 9:39 PM

Affected items:
file: C:\Program Files (x86)\ASUS\GameFirst\LibreHardwareMonitorLib.dll->[MSILRES:LibreHardwareMonitor.Resources.WinRing0x64.sys]

[alski]

So, I'm not the developer of FanControl, but I am a developer of another tool that also uses the same Hardware control library, i.e. LibreHardwareMonitor.

And today I am presented with the message
I can't see anything on https://github.com/LibreHardwareMonitor/LibreHardwareMonitor and I'm using the same nuget package from November (0.9.4) that I have been since it came out. Bizarrely Visual Studio was hanging, but not my application.

I have allowed it as an Exception personally.

Its a bit weird how the sys file name varies...

[LucyTheGoob]

Oh no... somebody might hack my mystic light program and mess with my RGB 🙄 So scary... not.

lmao but no that's not the main concern with it haha, wish it was tho would be funny. But this allows threat actors to gain kernel level access of everything and with that they can do pretty much whatever. 😔

[Klaus-Aschaber]

Oh no... somebody might hack my mystic light program and mess with my RGB 🙄 So scary... not.

If the door is open, the intruder will not only take the door mat.

[Omgimissed]

Oh no... somebody might hack my mystic light program and mess with my RGB 🙄 So scary... not.

If the door is open, the intruder will not only take the door mat.

Nobody's getting in my system regardless.

[Omgimissed]

Oh no... somebody might hack my mystic light program and mess with my RGB 🙄 So scary... not.

lmao but no that's not the main concern with it haha, wish it was tho would be funny. But this allows threat actors to gain kernel level access of everything and with that they can do pretty much whatever. 😔

If I went online completely naked I could understand the fear, but i don't. I use a combination of VPN, Cloud based browser, and a Virtual Machine when I access the internet.

[LucyTheGoob]

Oh no... somebody might hack my mystic light program and mess with my RGB 🙄 So scary... not.

lmao but no that's not the main concern with it haha, wish it was tho would be funny. But this allows threat actors to gain kernel level access of everything and with that they can do pretty much whatever. 😔

If I went online completely naked I could understand the fear, but i don't. I use a combination of VPN, Cloud based browser, and a Virtual Machine when I access the internet.

Then it does not apply to you lol but just explaining why it got flagged

[tswan137]

I also received this threat just now. Seems a lot of us got hit within the same hour. Is that concerning?

[BihtSift]

I'm here for the same issue. My file is:
C:\Program Files (x86)\GIGABYTE\RGBFusion\MODAPI.sys

[BihtSift]

More info: https://www.reddit.com/r/FanControl/

[dmolina3d]

I'm here for the same issue. My file is:
C:\Users\david\AppData\Roaming\HotSpot\StreamDock\plugins\com.hotspot.streamdock.system.monitor.sdPlugin\OpenHardwareMonitorLib.sys

No matter how much you quarantine the file or remove it, it will exit again after 5 seconds. I tried to delete the folder where it is located but it does not allow me to do so because it is being used

[Klaus-Aschaber]

I wrote a PowerShell Script to monitor Hardware Sensors using Datto-RMM and Libre Hardware Monitor, my file is "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.sys"

[Rem0o]

See #3016

[liquidocelot22]

Apparently malwarebytes doesnt detect it but windows does. Sounds like windows pushed an update thats fucking it up.

https://www.reddit.com/r/techsupport/comments/1j8jrs8/hack_tool_win32winring0/

[Omgimissed]

That's exactly what it is

[MBoutray]

I've got the same alert and all the sensors were out of whack in fancontrol. the alert disappeared when i closed the software.

[Omgimissed]

Tell it to allow the file, it's a false positive. Had the same thing happened when I booted my PC up and my RGB wasn't working right until I allowed the file instead of quarantining it.

[Sciolto66]

Tell it to allow the file, it's a false positive. Had the same thing happened when I booted my PC up and my RGB wasn't working right until I allowed the file instead of quarantining it.

It is not a false positive. Defender flagged it for a valid reason. The comment by the author of FanControl with the latest release baffles me. "Ostrich politics" at the very least. As long as Winring0 is part of the package you are definitely more vulnerable.

I have removed FanControl from my systems and won't consider a reinstall before the vulnerability has been addressed.

[Rem0o]

@Sciolto66 had to make some kind of message because I was getting swarmed with the same message over and over. As far as the head in the sand, you can call it that, but then the whole project from the very beginning has been using that driver, there's nothing new here. It's basically because this driver even exists that a project like LHM is possible, which then enables FanControl.

I understand the reason for your frustration if you feel like you were misinformed, but I can't just create a new signed kernel driver out of thin air. It's more complicated than you might think.

Now if this is part communication issue, that I can do something about immediately. I may for example add some kind of warning next to the LHM sensor source in the software, informing that WinRing0 will be installed if LHM is enabled.

[Omgimissed]

Tell it to allow the file, it's a false positive. Had the same thing happened when I booted my PC up and my RGB wasn't working right until I allowed the file instead of quarantining it.

It is not a false positive. Defender flagged it for a valid reason. The comment by the author of FanControl with the latest release baffles me. "Ostrich politics" at the very least. As long as Winring0 is part of the package you are definitely more vulnerable.

I have removed FanControl from my systems and won't consider a reinstall before the vulnerability has been addressed.

It's legitimately part of my software and has been since I got this PC over a year ago🤦🏼‍♂️
Microsoft Windows Defender is flawed and attacks legit software from time to time

[b1k3rdude]

It is NOT a false positive, its a valid positive! WinRing0 is extremely unsecure - https://www.youtube.com/watch?v=H_O5JtBqODA

[Omgimissed]

It's a false positive guys. My fan RGB wasn't working until I told it to allow the file HackTool:Win32/Winring0. It's a flawed security update from Defender

[Fr0stX76]

Its not a false positive. But it's not a direct threat either. If you are aware of the risks, it's up to you. See this post, It‘s a good recap.#3016 (comment)

[Omgimissed]

It's a false positive like I said. Microsoft Windows Defender has on several occasions attempted to quarantine legitimate software. Microsoft has become shit software compared to what it used to be hence why defender is so flawed. The flagged file has been a legitimate part of my software since I got my current computer. You github geeks are clueless

[Fr0stX76]

Its not. there are multiple post explaining exactly what this is. You need to read a bit and stop spreading innacurate information. You are the clueless one.

https://www.theverge.com/report/629259/winring0-windows-defender-fan-control-pc-monitoring-alert-quarantine

But I'll give you that, defender is, in my opinion too, a sub-par option.

I guess even a broken clock is right twice a day.

[b1k3rdude]

It is NOT a false positive, its a valid positive! WinRing0 is extremely unsecure - https://www.youtube.com/watch?v=H_O5JtBqODA

[gringrant]

I took the time to make a write up an explanation w/ sources of the WinRing0 vulnerability and how it impacts Fan Control on Reddit:

https://www.reddit.com/r/FanControl/comments/1j93doq/why_does_defender_hate_fan_control_an_explanation/

You can also just read my sources directly:

https://medium.com/@matterpreter/cve-2020-14979-local-privilege-escalation-in-evga-precisionx1-cf63c6b95896
https://nvd.nist.gov/vuln/detail/cve-2020-14979
LibreHardwareMonitor/LibreHardwareMonitor#984

[Somebody-12345678]

Good reddit article thanks.

[powpow-git]

Also having Windows defender detecting this software as a hack recently. Had to tell it to ignore for it to work. Issue might be on Microsofts end who knows at this point:

[GMB19001]

I came across this article regarding a Defender content release, specific to HackTool:Win32/Winring0
Content update for Malware Detected: HackTool:Win32/Winring0 was released on 3/7/2025 8:54:27 AM
https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.423.270.0

[Somebody-12345678]

My Win Defender flagged "HackTool:Win32/Winring0" as High Threat this morning. Researching it lead me to this thread - good read. The only difference in my situation is the offending file is "OpenHardwareMonitorLib.sys" not "FanControl.sys". Looks like "OpenHardwareMonitorLib.sys" is only used to monitor hw ... but if it uses Winring0 then it has the potential to manipulate in kernel space. If either of these *.sys are Quarantined, will this cause any computer hardware damage if it's a needed file? Research suggests it's not used by Windows11 so should be no impact. Properties of "OpenHardwareMonitorLib.sys" says Embedded Signatures: Noriyuki MIYAZAKI 2008 but the file was created 2025Feb18 which is more recent than the other files in the same folder. Thx.

[oddtoddy]

I do not use FanControl at all but I just got this error today and this site was among the first results that came back. Mine is in C:\Windows\system32\Drivers\WinRing0x64.sys (Created/modified May 2024)
I'm pretty sure this is a Windows Defender/Update fuckup (again)

[BushMasterJM]

Windows warned me about it just now. I dont use FanControl either unless hits baked into Omen bloatware. This is where mine was located: "file: C:\WINDOWS\system32\Drivers\WinRing0x64.sys" pretty general location. I have not noticed any hard use of my GPU or CPU so I dont think I was being used for mining but idk.

[GMB19001]

Thank you all for your comments. I experienced a very similar issue, which for us, was related to the file: "OpenHardwareMonitorLib.sys." This began to occur on the morning of 3/11/2025
My opinion is that this is related to a recent MS Content update, but I am hoping to ask for validation.
Would anyone know the answer to this and if so, has Microsoft acknowledged the issue or fixed this?
My current version info is:

Antispyware Version: 1.423.263.0
Antimalware Client Version: 4.18.25010.11
Engine Version: 1.1.25010.7
Antispyware Version: 1.423.263.0
Antivirus Version: 1.423.263.0

Thank you.

[BushMasterJM]

From my understanding, the volnerability was found a few years ago at least, Microsoft said we are gonna flag it in future updates but gave people enough time to update. Now Microsoft has finally added it to defender. This means that as long as you have winring0, there is a greator risk if you got malware on your computer. Its always been a risk, Microsoft Security is just now acknowleging its risk.

[b1k3rdude]

It is NOT a false positive, its a valid positive! WinRing0 is extremely unsecure. In a nutshell the driver is running at Ringbus 0, the same level as the windows kernal and has been exploited multiple times over the years.

• https://nvd.nist.gov/vuln/detail/CVE-2020-14979
• https://gitlab.com/CalcProgrammer1/OpenRGB/-/issues/2227
• https://www.youtube.com/watch?v=H_O5JtBqODA

[SimonZerafa]

Hi All,

Yes, WinRing0 and it's derivitives are a potential security issue and it's been known for YEARS this is the case.

At this time there is no other way for an application (even with admin rights) to be able to interface with hardware directly. The way that Windows has evolved from Windows XP to Windows 11 now means that drivers which validated my Microsoft and digitally signed won't have Ring0 or direct hardware access.

Many apps use WinRing0 not just FanControl and LibreHardware Monitor. Even commercial applications from major PC hardware OEM's used it. That's why Microsoft hasn't blocked it earlier.

Apparently the makers of OCCT (OCBase) are working on a more secure driver which they are hoping will be digitally signed so that it can be used going forward under Windows 11 with it's enhanced security.

Please see the recent YouTube Episodes on the Gamers Nexus Channel and the OCBASE channel for more information, if you need it.

KInd Regards

Simon Zerafa

[EBPaanda]

This one sums it up pretty much. — Many programs use it; the user is the one deciding if he is okay with that risk or not. Though, nothing changed, it has always been that way with WinRing0. — It’s not a direct threat like being infected or you've gotten hacked, but more like having a backdoor that could be used by bad actors and makes it easier for those.

In theory, it’s a very good thing that Windows is trying to get rid of software with access lower than layer 2-3. BUT at the very least, Microsoft should properly implement an API for monitoring tools (and other cases where needed) so people don’t have to develop software like this, let alone so many others relying on it. — The WinRing0 developer discontinued this software in 2010 with a statement along the lines of "This software was a mistake and shouldn’t exist in this day and age anymore."

[OutsideOctaves]

So, the question is:
Should I go ahead and just take the FanControl off of my system for now, as it's win11 and I can not restore winring0 as it gets flagged immediately now and I can't even restore it from within defender!?

[SimonZerafa]

Hi,

Risk assessments are personal, what are the risks and their frequency and severity and consequences?

For myself I would exclude the folder that you've installed FanControl within Microsoft/Windows Defender.

Make a note that that folder is marked as such in your documentation 😉

Hopefully OCCT will eventually come through with a community signed driver which others can use that won't give Defender spasms of distress.

It's not just FanControl which uses this driver or it's variations so if you stop using all of them then quite a few apps will stop working.

Kind Regards

Simon Zerafa

[jgwillson628492-wq]

How do you uninstall this software. It is not in the list of program under settings. When I search for the program, the only place I see it listed in the download folder created when I installed it. But it doesn't contain an executable. Did I install something that has permanently welded into my machine? I am not a programmer. I installed this thinking it would be a benefit. It has become a curse. I want it off!

[aDjentleman]

I highly recommend Revo Uninstaller for anything and everything you remove from your PC. It is amazing.

[jgwillson628492-wq]

Yes, used it about a year ago. Then it wanted an annual subscription. I don't uninstall that many programs to justify the cost.

How can I uninstall the fan control, if it is not in the program list?

[Rem0o]

The readme has an uninstall section.

[qmarsn]

FYI: I got this as well:

[Fr0stX76]

Openhardwaremonitor is not the same software as librehardwaremonitor used by fancontrol