Windows Defender Now Flags WinRing0 Driver as Security Threat, Breaking Multiple PC Monitoring Tools

Windows Defender has begun identifying WinRing0 -- a kernel-level driver used by numerous hardware monitoring applications -- as malicious software, causing widespread functionality issues for affected tools. The driver, which provides low-level hardware access necessary for reading fan speeds, controlling RGB lighting, and monitoring system components, is being quarantined due to potential security vulnerabilities that could be exploited by malware.

WinRing0 gained popularity among developers because it's one of only two freely available Windows drivers capable of accessing the SMBus registers needed for hardware monitoring functions. The affected applications include Fan Control, OpenRGB, MSI Afterburner, LibreHardwareMonitor, and multiple others that rely on this driver to communicate with system hardware.

Don't complain

[Valgrus Thunderaxe]

Write a proper driver rather than relying on this type of nonsense.

Re:

[mysidia]

I'd say the driver is necessary, bc you can't access hardware without this kind of driver. This kind of monitoring software needs access to a bunch of low-level details there's no other way to get access to.

However... There needs to be a mechanism restricting it so that Malware cannot piggyback on the same mechanism, and so the programs that legitimately need access have to be assigned special privileges and cannot have malicious code injected into those programs.

Re:

[dfghjk]

No, A driver is necessary, but THE driver is not necessary.

A device driver exposes hardware FUNCTIONALITY, not hardware itself. That's the entire point of a driver and an OS the provides protection of hardware from applications.

"... restricting it so that Malware cannot piggyback on the same mechanism..."

Yes, that's getting the mechanism right, exactly what a driver does. A driver that exposes hardware to be manipulated by an application is an exploit, a driver cannot tell the difference between malware a

Re:Don't complain

[mysidia]

A device driver exposes hardware FUNCTIONALITY, not hardware itself.

That's not what these applications require. These applications require Generic access to the dedicated system management bus (SMBus)
from program code running inside Userland; not the kernel: so that they can submit and receive the PCRs on the bus in order to find all components and Poll all the registers for sensor values.

You cannot use traditional drivers for this. You don't even know what the exact hardware will be ahead of time.

Your Graphics card's drivers, Etc. Also. Don't have any feature for reading the hardware's respective values off the bus.

A driver cannot tell the difference between malware and any other client.

That's exactly what they need to change which is to make it so that Special permission has to be assigned To the specific client program
  to make calls to that specific kernel module. Similar to the manner in which other Kernel modules have some types of system call requests which are only available to programs running as the SYSTEM user.

Re:

[thegarbz]

A device driver exposes hardware FUNCTIONALITY, not hardware itself.

You mean like the functionality the SMBus communication chip provides? That functionality?

Re: Don't complain

[ArmoredDragon]

I'd say the driver is necessary, bc you can't access hardware without this kind of driver

Drivers are meant to safely abstract hardware access both for the purpose of security and system stability. This "driver" doesn't really do that, it's just a means of allowing userland code to indirectly access the hardware. That's a really bad idea.

If this is the kind of thing you want to do, then you should use an OS that runs in real mode instead of protected mode, and completely throws out the concept of hardware access controls, because if you need to do this, then you are taking it upon yourself to ma

Re:

[AmiMoJo]

TFA has some interesting detail. Apparently there was a known vulnerability in the driver, and it's been patched. The problem is that it costs real money to get Microsoft to review it and issue a certificate so it can be installed.

It would be better if manufacturers used USB instead of SMBUS, or a bridge chip.

Re:Don't complain

[mysidia]

Problem is that it costs real money to get Microsoft to review it and issue a certificate so it can be installed.

Sounds like it's about time for some users of these 3rd party programs to pony up some money then, right?

It costs real money, but I don't believe we should be persuadable that Logitech, Razer, MSI, and Panorama don't have enough real money to cover a $1000 Driver signing cert for at least 1 Dev. I mean.. Panorama literally in the business of selling System monitoring to large enterprises that's going to be at least a few million$ per year, Etc.

Razer Synapse
SteelSeries Engine
MSI Afterburner
Panorama9
OmenMon

Re:

[AmiMoJo]

It's the organizing part that is the difficult bit. You need someone to take charge, collect funds, and then work with Microsoft to get it certified. If it fails certification they need to fix the issues.

Re:

[Bert64]

At least one such vendor did write a driver and got it signed, and then keeps it to themselves so noone else can use it.
You'll end up with each for-profit vendor having their own driver each with their own set of bugs, and any individual developers or open source are simply left out.

Re:

[bleedingobvious]

Razer Synapse SteelSeries Engine MSI Afterburner Panorama9 OmenMon

However will I survive without these garbage apps?!

Oh, wait. Have been for many years now. Non-panic over.

Re:

[serafean]

I guess you don't work in tech...
Many software vendors use non-GPL software as much as possible, because "free". This is the same, but with a twist.

Re:

[2TecTom]

The problem is that it costs real money to get Microsoft to review it and issue a certificate so it can be installed.

It would be better if M$ wasn't a classist and corrupt criminal organization and these problems were handled in a professional and responsible manner. Economic ransom is exactly what happens in a corrupt economy.

Re: Don't complain

[drinkypoo]

Which part do you disagree with, besides the facts?

Re:

[AmiMoJo]

Ideally they should provide a nice API for this, like they do for USB.

Re:

[Z00L00K]

The SMBUS has been used by motherboard manufacturers for decades. The bus itself isn't really the big deal, it's that it's possible to not only read information but also control features through it that's the issue.

Replacing it with USB wouldn't solve anything and it could open a new can of worms.

SMBUS can be used to read and control fans, but also in some cases control voltages. So abusing it means that it's possible to overheat or overvoltage parts of the computer.

I don't really care about tweaking RBG LE

Re:

[MerlynEmrys67]

And yet our mission critical software still relies on a backwards compatible design from the 1980s designed for an 80386 with 16MB of RAM.

Wait Linux didn't come out until the 90s, What are you talking about

Re:

[peppepz]

386s tipically had 1 or 2 MB of RAM. An availability of 16 MB of RAM was more common in the Pentium era, ten years later.

Re: 1 word

[drinkypoo]

My 386 had 8MB of RAM, you insensitive clod! All DIP, it took up a ton of space on the board. Luckily it was full AT sized, because of course it was.

This came in very handy for running Linux. That was enough RAM to rebuild the kernel back then! (1.1.47)

Seems like MS should write a driver+dll combo

[williamyf]

With such functionality, and market it along the lines of "DirectRGB" "DirectFanControl" "DirectSMBus" or somesuch.

That way, all third party HW monitoring sw would be covered by an unified AND MS-Vetted framework, and, for a change, Win11-25H2 would have and ACTUALLY USEFULL feature.

Re:

[sabbede]

Aren't they already doing RGB?

Re:

[ebunga]

If it can't be turned into a subscription, Microsoft wants no part of it.

Should never have been allowed

[laughingskeptic]

I used this driver circa 2008 when doing some driver development, but would never have created a product that included shipping it. Kernel access should be specific, not generic. A fan-speed monitor needs to read/write one specific IO port configured at install time, installing a kernel driver that does not provide parameter checking as part of a software release because it saves you from having to get a driver signed is a really bad idea.

The list of people complaining about this breaking their tool is the list of people who either did not understand implications of bundling this or did not care. Either way these are not the people you want delivering kernel mode drivers to your system.

Re:

[mysidia]

Should not have been allowed MAYBE, but Too late. We are already there. And critical functionality is dependent on this.
We need a real proper fix for this. I would say this is Microsoft's responsibility. And Defender false-flagging a vulnerable program as malware is not the fix. For the people relying on FanControl; It's actually as damaging or possibly more damaging than Malware to have your fans no longer controlled. That's Microsoft causing potential hardware damage here. In thi

Re:

[Mal-2]

Too bad. Just like kernel-level anti-cheat, it doesn't matter who "needs" it if it's a major security threat. Replace it with something that isn't, even if that means not being able to use an already signed-despite-sucking module. This should have gone away a quarter century ago with Windows 2000.

Re:

[DarkOx]

Nonsense.

It just boils down to whose computer is it. The kernel controls access to resources. You can't install / load a kernel driver unless you have Administrative access. If the driver does something other that what it says on the box so to speak, or perhaps if it were buggy and did not perform correct authorization checks on whatever interface to/from user land it provides that might be reason to treat it as malware.

Otherwise yes kernel code can do bad things, a driver that lets you poke/tweak hardware

Re: Should never have been allowed

[Ilove_Noname]

If your fan is uncontrolled it will just spin at max speed all the time. There is no way for it to hurt your system at all. It will just make it noisier because you will always hear the fans even when the system is idling.

MS Trying to GPU/CPU Use?

[BrendaEM]

For years, Microsoft has been setting the stage to blockchain on people's computer, so why not AI spy, too.

These people _really_ have no clue

[gweihir]

Well, maybe they will eventually do it right (by accident) and flag the whole Windows installation als malware.

surprised, not surprised

[roc97007]

Not surprised that Windows Defender is flagging important services as a security threat.

I am surprised that people are still using Windows Defender.

WTF?

[dnaumov]

A kernel-level driver can only exist if it was signed by Microsoft, so now they are openly admitting they sign malicious software?

already solved on Linux

[drinkypoo]

You can use udev rules to control device permissions. You can run openrgb in daemon mode as a specific user with access to those devices. No problem.

Microsoft sees your computer as their property.

P.S. anyone doing this just for RGB is probably using crappy RGB anyway. I got a nollie 8ch USB ARGB controller for like $11. Works great. I let my BIOS control fan speed. It lets me create curves. I monitor with lm-sensors. Get a real OS.