Windows Defender misidentifies key driver, disrupting popular PC monitoring tools

Skye Jacobs

What just happened? PC gamers recently encountered an unexpected issue when their computers triggered Windows Defender alerts due to a kernel-level driver called WinRing0. This software, used by various hardware monitoring applications, was flagged as a potential threat, causing some systems to behave erratically.

For instance, fan control applications were affected, leading to fans running at high speeds after the tool was quarantined. However, this was not an actual attack but rather a false alarm caused by Windows Defender detecting WinRing0 in apps like Fan Control, Razer Synapse, SteelSeries Engine, and others.

WinRing0 is a kernel-level driver that allows these applications to access hardware components such as fans and LED lights. It has been widely used because it provides developers with a way to interact with hardware that is typically restricted within the Windows operating system.

"There are only two freely available Windows drivers I know of that are capable of accessing the SMBus registers we need to be able to control LEDs: InpOut32 and WinRing0," Adam Honse, developer of OpenRGB, told The Verge.

OpenRGB switched to WinRing0 after InpOut32 conflicted with Riot's Vanguard anti-cheat software.

Image: Github

Microsoft's decision to flag WinRing0 has left many developers in a difficult position. The company requires kernel drivers to be digitally signed, a process that is costly and often infeasible for open-source projects. "It is not feasible to demand not-for-profit hobby [free open-source software] projects to pay the same costs for driver signing as for-profit companies," Honse said. As a result, some developers are considering alternative solutions, such as creating proprietary drivers, though this is a resource-intensive task.

SignalRGB, for example, has developed its own proprietary SMBus driver to replace WinRing0. However, this approach is not viable for smaller projects due to the significant engineering resources required. "I won't sugarcoat it – the development process was challenging and required significant engineering resources," said SignalRGB's Timothy Sun.

Microsoft has acknowledged the issue and is re-evaluating its detection logic to avoid false positives, according to Scott Woodgate, the company's General Manager of Threat Protection.

While Microsoft continues its investigation, some developers suggest that fixing the vulnerability in WinRing0 itself could be a simpler solution. However, getting a patched version signed by Microsoft remains a challenge due to the associated costs.

There is some hope for a resolution. iBuyPower, a prebuilt gaming PC manufacturer, plans to obtain an updated and signed version of WinRing0 to share with developers. This could provide a cost-effective solution for many affected applications. "If this solution works, we'll share our updated and signed version of the library so the community of developers can distribute new versions of their apps with validated Microsoft drivers," said Hyte product director Robert Teller.

In the meantime, users of affected software may need to update their applications or add exceptions in Windows Defender to maintain functionality. Razer and SteelSeries have already moved away from using WinRing0 in their latest software versions, though this may result in some lost functionality.
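As an added defender-side check (example code, not from the article or from any of the projects it names), the following PowerShell script audits a Windows host for registered WinRing0 driver services, reports each image's Authenticode signature state and signer, and lists Defender detection-history entries whose affected resources reference WinRing0. It assumes an elevated session and the built-in Defender PowerShell module.

```powershell
# Added example: audit a host for WinRing0 drivers and related Defender detections.
# Run from an elevated PowerShell; Get-MpThreatDetection assumes the Defender module.

function Get-WinRing0Drivers {
    # Registered kernel drivers whose service name or image path mentions WinRing0.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.Name -match 'WinRing0' -or $_.PathName -match 'WinRing0' } |
        ForEach-Object {
            # Some entries carry an NT-style "\??\" prefix; strip it for file checks.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $sig  = $null
            if ($path -and (Test-Path -LiteralPath $path)) {
                $sig = Get-AuthenticodeSignature -FilePath $path
            }
            # 'Valid' only means the Authenticode chain verifies; the Signer field shows
            # whether that chain ends at Microsoft or at a third-party certificate.
            $status = if ($sig) { $sig.Status } else { 'FileMissing' }
            $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{
                Driver    = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                Path      = $path
                SigStatus = $status
                Signer    = $signer
            }
        }
}

function Get-WinRing0Detections {
    # Defender detection history: entries whose affected resources name WinRing0.
    Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Where-Object { ($_.Resources -join ';') -match 'WinRing0' } |
        ForEach-Object {
            [pscustomobject]@{
                Detected  = $_.InitialDetectionTime
                ThreatID  = $_.ThreatID
                Process   = $_.ProcessName
                Succeeded = $_.ActionSuccess
                Resources = ($_.Resources -join '; ')
            }
        }
}

Write-Host '== WinRing0 driver services =='
Get-WinRing0Drivers | Format-Table -AutoSize
Write-Host '== Defender detections referencing WinRing0 =='
Get-WinRing0Detections | Format-Table -AutoSize
```

A driver that shows a third-party or missing signer is the case the article describes: it will keep tripping Defender until a Microsoft-signed build, such as the one iBuyPower intends to distribute, replaces it.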

10 years ago I would have agreed with you, but given where they're based they're persona non grata in the Western world now. I'm not saying they're being bad actors, but the risk of using them becoming bad actors is too high.
Fortunately I don't live behind the Iron Curtain that Westerners live behind, thus, will continue to use the best.

As for bad actors: where were you geniuses when the US/NATO/West brutalised Vietnam, Iraq x2, Afghanistan, Libya, Syria, Panama, Cuba, Ethiopia, Somalia, Yemen, etc.? How convenient it is to forget that the NSA installs spyware on Cisco routers and switches, M$py are actively engaged in spying on its users and that the US has the largest data centre in the world in Utah, where they store every click. What Snowden revealed is only the tip of the iceberg.
Given the popularity of some of these applications, perhaps Windows should offer a supported API for fan & light control. Maybe even its own control panels too.
Well, at least it's not hard to tell Defender to unquarantine it and to leave it alone.

Given the popularity of some of these applications, perhaps Windows should offer a supported API for fan & light control. Maybe even its own control panels too.
They do offer RGB lighting control in the Settings app; it's called Dynamic Lighting. The problem is that not all RGB manufacturers support it.