Over the last few days, various users online have reported that their fan control and/or other PC hardware monitoring applications are being flagged by Microsoft Defender. Affected apps include ones from Razer, SteelSeries, and many more. These applications are being flagged because of an underlying "WinRing0x64.sys" system driver that Microsoft detects as "HackTool:Win32/Winring0", and Defender quarantines the threat immediately upon detection.
As it turns out, "WinRing0 is a hardware access library for Windows" that allows Windows apps to "access I/O ports, MSR (Model-Specific Register), and PCI" bus.
OpenRGB, for example, states on its GitHub repo that it "uses the WinRing0 driver to access the SMBus interface" on Windows PCs. SMBus, or System Management Bus, handles communication between low-bandwidth devices. You may have come across the term in chipset drivers such as AMD's.
Interestingly, it is not entirely wrong on Microsoft's part to flag it since the driver is indeed vulnerable. The developer of the popular free fan control app called "Fan Control" has explained that applications like these which rely on the open-source LibreHardwareMonitorLib driver (WinRing0x64.sys) are technically correctly being flagged. That is because the driver can theoretically be exploited as it remains unpatched.
They write:
Many of you reported that Defender started to flag the LibreHardwareMonitorLib driver (WinRing0x64.sys), you do not need to report it furthermore, I'm aware of it.
This kernel driver always had a known vulnerability that could theoretically be exploited on an infected machine. The driver or the program itself are not malicious and are not more or less secure than before it got flagged. It is good practice to review the risk before any action is taken with Defender.
These drivers were first detected as vulnerable back in 2020, and the flaw is tracked under the ID "CVE-2020-14979". The NVD (National Vulnerability Database) says that the drivers allow reading and writing to arbitrary memory locations (pointers), which are characteristics of buffer or stack overflow security flaws. It notes:
The WinRing0.sys and WinRing0x64.sys drivers 1.2.0 in EVGA Precision X1 through 1.0.6 allow local users, including low integrity processes, to read and write to arbitrary memory locations. This allows any user to gain NT AUTHORITY\SYSTEM privileges by mapping \Device\PhysicalMemory into the calling process.
Meanwhile, Razer has also issued an update about its Synapse app and recommends users upgrade to Synapse 4 from Synapse 3, or otherwise, update to the latest version of the latter. A Razer community forum official wrote:
Synapse 3 rolled out a security patch on February 20, 2025, to move away from these drivers.
Synapse 4 did not use these drivers.
We encourage anyone facing this issue to check that they are using the latest version of Synapse 3, or upgrade to Synapse 4 for the most advanced protection and features.
This is in line with what’s being handled throughout the industry. We went ahead and made sure everything is secure ahead of time, but it’s very important that users are up to date with their Windows security patches and any others where required.
Thus, this is not simply a case of a false positive or a PUA of the kind Microsoft would have dealt with through its Smart Control app, something it recently highlighted as a major improvement on Windows 11, which it recommends Windows 10 users move to via a clean install.
Also, in recent Defender news, Microsoft released the latest version of security intelligence updates for Windows 11, 10, and Server installation images.
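To review the risk on a given machine before acting on the Defender alert, the following PowerShell sketch (an added example, not code from the article or from any of the projects named in it) lists registered kernel driver services that point at WinRing0.sys or WinRing0x64.sys, copies of those files on disk, and Defender detections whose name contains "Winring0". The function name `Get-WinRing0Exposure` and the folders searched are assumptions made for illustration.

```powershell
# Added example: inventory WinRing0 driver exposure on the local machine.
# Driver file names and the threat name come from the article; the function
# name and the search roots below are illustrative assumptions.
function Get-WinRing0Exposure {
    [CmdletBinding()]
    param(
        # Folders to search for driver copies (assumed locations, adjust as needed).
        [string[]]$SearchRoot = @($env:ProgramFiles, ${env:ProgramFiles(x86)},
                                  $env:ProgramData, $env:LOCALAPPDATA, $env:TEMP)
    )

    # 1. Kernel driver services whose image path ends in WinRing0.sys / WinRing0x64.sys.
    #    PathName may carry a \??\ prefix or quotes, so match on the file name only.
    $services = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match '\\WinRing0(x64)?\.sys"?$' } |
        Select-Object Name, State, StartMode, PathName

    # 2. Copies of the driver on disk, with version, hash and signer for triage.
    $roots = $SearchRoot | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    $files = Get-ChildItem -Path $roots -Filter 'WinRing0*.sys' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Version = $_.VersionInfo.FileVersion
                SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Signer  = (Get-AuthenticodeSignature -LiteralPath $_.FullName).SignerCertificate.Subject
            }
        }

    # 3. Defender detections for this driver, with the file or process that triggered them.
    $threats = Get-MpThreat -ErrorAction SilentlyContinue |
        Where-Object { $_.ThreatName -like '*Winring0*' }
    $detections = foreach ($t in $threats) {
        Get-MpThreatDetection -ThreatID $t.ThreatID -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'ThreatName'; e = { $t.ThreatName } },
                          InitialDetectionTime, ProcessName, Resources
    }

    [pscustomobject]@{
        DriverServices = @($services)
        DriverFiles    = @($files)
        Detections     = @($detections)
    }
}

# Example: show which installed applications still ship or load the driver.
$report = Get-WinRing0Exposure
$report.DriverServices | Format-Table -AutoSize
$report.DriverFiles    | Format-List
$report.Detections     | Format-List
```

Run it from an elevated prompt so the Defender cmdlets and all folders are readable; a file Defender has already quarantined will appear under detections but not on disk.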