WinRing0: Why Windows is flagging your PC monitoring and fan control apps as a threat

On Tuesday morning, some PC gamers woke up to discover their computers were seemingly under threat. A “HackTool” called WinRing0 had suddenly started triggering a Windows Defender alert, as if their PCs were under attack. Some of those computers even began behaving oddly, like blasting their fans at high speed, once the HackTool had been quarantined. I know, because it happened to me.

But my computer wasn’t actually under attack — at least, not yet.

When I checked where Windows Defender had actually detected the threat, it was in the Fan Control app I use to intelligently cool my PC. Windows Defender had broken it, and that’s why my fans were running amok. For others, the threat was detected in Razer Synapse, SteelSeries Engine, OpenRGB, Libre Hardware Monitor, CapFrameX, MSI Afterburner, OmenMon, FanCtrl, ZenTimings, and Panorama9, among many others.

“As of now, all third-party / open-source hardware monitoring software is screwed,” Fan Control developer Rémi Mercier tells me.

Here’s the pop-up I saw on Tuesday.
Screenshot by Sean Hollister / The Verge

That’s because all these programs have something in common, eight of their developers tell The Verge: they do (or did) all contain a kernel-mode driver that is indeed called WinRing0. And WinRing0 genuinely can be a threat. It is a signed kernel driver that, once loaded, lets ordinary user-mode programs read and write hardware registers, I/O ports and physical memory directly, access that only the kernel is supposed to have. That is exactly the kind of primitive real-world malware has been known to borrow, which is why the driver has been linked to attacks that can fully hijack a PC.

But again, that’s not what’s happening on computers with these specific useful apps; there is no hijack underway. Rather, WinRing0 is being flagged because the way it lets these monitoring apps read fan speeds, temperatures and LED controllers is inherently unsafe: the driver is a general-purpose proxy to the hardware, and it does not restrict what is read or written, so any other program on the same machine can use it for the same low-level access. And yet, WinRing0 is widespread, several developers tell me, because it’s one of the only ways Microsoft and the PC industry let them tap that hardware from inside the Windows operating system.

“There are only two freely available Windows drivers I know of that are capable of accessing the SMBus registers we need to be able to control LEDs: InpOut32 and WinRing0,” says Adam Honse, developer of OpenRGB. “We used to use InpOut32, but it was conflicting with Riot’s Vanguard anti-cheat, so we switched to WinRing0 as it did not conflict.”

Honse and others freely admit that WinRing0 could be abused. “It’s not some secret vulnerability. It’s literally a library intended to give userspace applications access to something that only kernel drivers normally have access to,” he says.

Nor do they all begrudge Microsoft’s attempt to close that potential loophole. After the CrowdStrike outage that knocked out 8.5 million devices with a buggy update last year, Microsoft has been under pressure to restrict software that has special access to low-level hardware, so nothing like that can happen again. Microsoft hasn’t said why it’s only getting around to addressing WinRing0 now, but it’s been gradually overhauling its driver requirements in yearly updates, and it’s routine for the company to add known-vulnerable drivers to its blocklist as they come to light.

The fact remains that the vulnerable WinRing0 driver has found its way into all kinds of software because it was a useful loophole, and several developers now say they’re stuck because getting a fixed version signed by Microsoft would cost too much. Some are even calling Windows Defender’s detection a “false positive,” implying it should be safe to use WinRing0 anyhow, because their own apps aren’t malicious and there’s no other cost-effective way to get them working.

Fan Control’s developer now advises users to “review the risk” before deciding what to do.
Image: Fan Control

SignalRGB founder Timothy Sun says the security risk is more complicated than that, though. “Since WinRing0 installs system-wide, we realized we were dependent on whatever version was first installed on a user’s system. This made it extremely difficult to verify whether other applications had installed potentially vulnerable versions, effectively putting our users at risk despite our best efforts,” he says.

That’s why his company invested in its own RGB interface instead, eventually ditching WinRing0 in 2023 in favor of a proprietary SMBus driver. But the developers I spoke to, including Sun, agree that’s an expensive proposition.

“I won’t sugarcoat it — the development process was challenging and required significant engineering resources,” says Sun. “Small open source projects do not have the financial ability to go that route, nor dedicated Microsoft kernel development experience to do so,” says OpenRGB’s Honse.
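Sun’s point about the shared, system-wide install is something you can check for yourself. The PowerShell script below is an added example, not code from The Verge or from any of the projects mentioned here. It lists every kernel driver service on the machine whose service name or image path contains “WinRing0”, reports the file’s version, SHA-256 and Authenticode signer so you can tell which copy “won” the install race, and then pulls any Defender detections that reference the driver so you can see which application’s folder the flagged file was found in. It assumes an elevated session on Windows 10 or 11 with the built-in Defender PowerShell module available, and that whatever bundled the driver registered it as an ordinary kernel service (the service and file naming is an assumption; it is matched loosely for that reason).

```powershell
# Added example (not from the article or any project it names): inventory WinRing0 on this machine.
# Assumes: elevated PowerShell on Windows 10/11, Defender module present, and that the driver was
# registered as a normal kernel service whose name or image path contains "WinRing0".

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { ($_.PathName -match 'WinRing0') -or ($_.Name -match 'WinRing0') }

if (-not $drivers) {
    Write-Output 'No WinRing0 kernel driver service is registered on this system.'
}

foreach ($d in $drivers) {
    # PathName is often in the form \??\C:\path\WinRing0x64.sys, sometimes quoted; normalise it.
    $path = ($d.PathName -replace '^\\\?\?\\', '').Trim('"')

    Write-Output "Service : $($d.Name)  State: $($d.State)  StartMode: $($d.StartMode)"
    Write-Output "Image   : $path"

    if (Test-Path -LiteralPath $path) {
        # Whichever app installed this file first is the copy every other app now depends on.
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $ver  = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
        Write-Output "Version : $ver"
        Write-Output "SHA256  : $hash"
        Write-Output "Signer  : $($sig.SignerCertificate.Subject)  Status: $($sig.Status)"
    } else {
        # A registered service with no file on disk is what you see after Defender quarantines
        # the driver: the monitoring app still tries to use it and fan control silently stops.
        Write-Output 'Image   : file missing on disk (possibly quarantined by Defender)'
    }
    Write-Output ''
}

# Defender's own record of where it found the driver, i.e. which application shipped it.
if (Get-Command Get-MpThreatDetection -ErrorAction SilentlyContinue) {
    Get-MpThreatDetection |
        Where-Object { $_.Resources -match 'WinRing0' } |
        Select-Object InitialDetectionTime, ThreatID, ActionSuccess,
                      @{ Name = 'Resources'; Expression = { $_.Resources -join '; ' } } |
        Format-Table -AutoSize
} else {
    Write-Output 'Defender PowerShell module not available; skipping detection history.'
}
```

Run it elevated; the driver service entries are readable by any user, but Get-MpThreatDetection needs administrator rights. If several apps on the machine bundle the driver, you will typically see only one service entry, which is the point Sun is making: the version you end up loading is whichever one got there first, regardless of what the app you are running shipped.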

But there may be a simpler alternative: why not fix the vulnerability in WinRing0 itself? To my surprise, three developers tell me that WinRing0 has already been patched, but the open source community doesn’t believe it can afford to get a new version signed by Microsoft. And without Microsoft’s digital signature, 64-bit Windows won’t load a kernel driver at all (short of putting the machine into test-signing mode), so users couldn’t install it to begin with.

WinRing0 “was a ‘one of its kind driver’ in that its source was open and it was signed,” Mercier explains. “Nothing else like it exists, as enterprises do not develop open-source kernel drivers.”

According to PhyxionNL, the developer of the popular Libre Hardware Monitor that underpins many monitoring apps (including Fan Control), WinRing0 dates back to a time when Windows didn’t require Microsoft to sign such drivers; its author Noriyuki Miyazaki (also see: CrystalDiskMark) apparently signed it himself.

But to get a new copy signed, developers would need Microsoft’s approval — and they’d need to pay up.

It is not feasible to demand not-for-profit hobby [free open source software] projects to pay the same costs for driver signing as for-profit companies. It also appears that driver signing is a limited-time thing that would need continuous renewal, so it would be a recurring cost. Also, from preliminary searching, you need to be a company to be able to even get a kernel signing certificate. Microsoft has stacked the deck against us.

OmenMon’s Piotr Szczepanski says it’s not good enough to submit your entire app to Microsoft and VirusTotal for inspection, either, “as despite OmenMon being whitelisted each time, eventually the exact same executable can become repeatedly flagged again, as definition versions get updated and signatures get purged.”


Szczepanski, ZenTimings’ Ivan Rusanov, and Fan Control’s Mercier all say there’s nothing they can really afford to do in the absence of a newly signed driver that functions like WinRing0. “I would definitely replace it with something else the moment it gets available, but for now, obviously, I can’t advise the users to ignore it and add an exception to Defender,” says Rusanov.

But there is some hope. Prebuilt gaming PC manufacturer iBuyPower, whose Hyte Nexus monitoring software also uses WinRing0 and got flagged by Windows Defender, tells The Verge it will endeavor to get an updated WinRing0 signed — and give the results back to developers.

“If this solution works, we’ll share our updated and signed version of the library, so the community of developers can distribute new versions of their apps with validated Microsoft drivers,” Hyte product director Robert Teller tells us.

Teller says he’s awaiting Microsoft’s reply. Microsoft didn’t have any comment for The Verge.

I asked SignalRGB’s Sun if he might share his proprietary SMBus driver, but he said no, as “we’ve invested significant resources into developing this solution specifically for our needs and user base.”

As for Razer and SteelSeries users, you may simply want to update your software to the latest version to avoid WinRing0, as both companies tell me they’ve recently ditched it. But know that you may lose some functionality as a result. SteelSeries has just removed its System Monitor app entirely to address the vulnerability, meaning gamers can no longer see system data on the screens of its peripherals.

Razer software VP Quyen Quach says Synapse 4 and Synapse 2 never used WinRing0 at all and that the company patched Synapse 3 to remove it just three weeks ago.

Correction, March 13th: Razer says Synapse 2 didn’t use WinRing0 either, so no current versions of Synapse are affected.
