The Bug Report: Windows Is Flagging PC Monitoring and Fan Control Apps as Threats
Recently, many PC users and gamers noticed Microsoft Defender (the Windows built-in security app) is flagging specific PC monitoring and fan control applications as perceived threats. The culprit? A system driver that goes by the name WinRing0. Let's explain why this happens and what measures you should take as a Windows operating system user.
Firstly, what is WinRing0?
WinRing0 is a kernel-mode driver that gives software access to low-level hardware functions, such as reading and writing memory or controlling components like cooling fans. The driver is widely used in PC monitoring and fan control applications, including popular tools from brands like Razer, SteelSeries, and many others.
Why are PC monitoring and fan apps being flagged?
Microsoft Defender has begun identifying WinRing0 as a potential threat, explicitly labeling it HackTool:Win32/WinRing0. The reason is that the driver has a known vulnerability that malicious code could theoretically exploit. Specifically, anyone with local access to Windows can read and write to any memory location, which can lead to escalated attacks.
The vulnerability is tracked as CVE-2020-14979 and was first identified in 2020. Despite its age, the issue remains unpatched in several applications that rely heavily on WinRing0, which makes it a concern for Windows users.
Which application is malicious?
It's worth noting that the applications themselves are not innately malicious. Despite the driver's vulnerabilities, the developer of tools such as Fan Control and OpenRGB has clarified that the driver is not actively harmful unless the system is already exploited. Microsoft has taken a proactive approach by addressing vulnerabilities and protecting users from threats.
What measures should you take?
You should periodically update the software if you use a PC monitoring or fan control app that relies on WinRing0. Check if the developer has released a version that no longer relies on WinRing0. Razer recently updated its Synapse software, which removes this particular driver.
The measure you should take is to review all Defender alerts. Before taking any action, assess whether the flagged application is valid and can be trusted. With caution, add flagged applications to Defender's exclusion list.
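One way to carry out these checks from an elevated PowerShell prompt, as an added example that is not from the original article or from any of the vendors named: it lists driver services and driver files named WinRing0 (so you can see which installed application shipped each copy), the Defender detections that mention it, and any exclusion paths already set. The `WinRing0*.sys` file pattern and the folders searched are assumptions.

```powershell
# Added example: inventory WinRing0 before deciding what to update or exclude.
# Assumption: the driver file name starts with "WinRing0" and ends in ".sys".
$pattern = 'WinRing0*.sys'

# 1. Kernel driver services whose name or image path mentions WinRing0.
$services = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -like '*WinRing0*' -or $_.PathName -like '*WinRing0*' } |
    Select-Object Name, State, StartMode, PathName

# 2. Driver files on disk. The parent folder shows which application shipped the copy.
#    Assumption: these roots cover where monitoring and fan tools usually install or unpack.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, $env:LOCALAPPDATA, $env:TEMP) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique
$files = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Filter $pattern -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Folder   = $_.Directory.FullName
                File     = $_.Name
                Modified = $_.LastWriteTime
                SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
            }
        }
}

# 3. Defender detections whose threat name or affected resource mentions WinRing0.
$names = @{}
Get-MpThreat -ErrorAction SilentlyContinue | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }
$detections = Get-MpThreatDetection -ErrorAction SilentlyContinue |
    Where-Object { $names[$_.ThreatID] -like '*WinRing0*' -or ($_.Resources -join ' ') -like '*WinRing0*' } |
    Select-Object InitialDetectionTime, @{ n = 'Threat'; e = { $names[$_.ThreatID] } }, ProcessName, Resources

# 4. Exclusion paths already configured (readable only when elevated).
$exclusions = (Get-MpPreference).ExclusionPath

'--- Driver services ---';     $services   | Format-List
'--- Driver files ---';        $files      | Format-List
'--- Defender detections ---'; $detections | Format-List
'--- Existing exclusions ---'; $exclusions
```

An empty "Driver files" section after updating an application is the sign that the new version no longer ships the driver.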
Epilogue
While the flagging of WinRing0 may be inconvenient for some users, it highlights the importance of maintaining secure and up-to-date software. By addressing vulnerabilities like this, Microsoft aims to protect users from potential threats, even if they seem unlikely. For enthusiasts who rely on these tools, staying informed and proactive is key to balancing functionality and security.