Understanding Windows 11/10 Alerts Regarding ‘Winring0’ in PC Monitoring and Fan Control Apps

Microsoft Defender Flags Fan Control Applications: What You Need to Know

Recently, many online users have reported that Microsoft Defender is flagging their fan control and PC hardware monitoring programs. Notable applications from brands like Razer and SteelSeries are among those affected. This issue arises due to the detection of the “WinRing0x64.sys” system driver, which is labeled by Microsoft as “HackTool:Win32/Winring0” and is promptly quarantined upon detection.

Understanding WinRing0: Functionality and Risks

The WinRing0 driver serves as a hardware access library for Windows, enabling applications to interact with I/O ports, Model-Specific Registers (MSR), and the PCI bus. For instance, OpenRGB, a popular RGB lighting control application, confirms on its GitHub repository that it relies on the WinRing0 driver to communicate with the SMBus interface, which facilitates low-bandwidth communication between devices.

Legitimate Concerns: Vulnerabilities in the Driver

While Microsoft’s actions may seem excessive, they are not without merit. The driver has been recognized as vulnerable, prompting caution. For example, the developer of the widely-used “Fan Control” application has indicated that software depending on the open-source LibreHardwareMonitorLib driver (WinRing0x64.sys) is indeed correctly flagged. Potential exploits could occur since this driver remains unpatched.

Many of you reported that Defender started to flag the LibreHardwareMonitorLib driver (WinRing0x64.sys), you do not need to report it furthermore, I’m aware of it.

This kernel driver always had a known vulnerability that could theoretically be exploited on an infected machine. The driver or the program itself are not malicious and are not more or less secure than before it got flagged. It is good practice to review the risk before any action is taken with Defender.

Vulnerability Details

The vulnerabilities associated with WinRing0 were first identified in 2020 and are tracked under the identifier “CVE-2020-14979.” According to the National Vulnerability Database (NVD), this driver can read and write to arbitrary memory locations, showcasing characteristics typical of buffer and stack overflow flaws. The NVD highlights:

The WinRing0.sys and WinRing0x64.sys drivers 1.2.0 in EVGA Precision X1 through 1.0.6 allow local users, including low integrity processes, to read and write to arbitrary memory locations. This allows any user to gain NT AUTHORITY\SYSTEM privileges by mapping \Device\PhysicalMemory into the calling process.

Razer’s Response and Recommendations

In light of these developments, Razer has issued a statement regarding its Synapse application, advising users to upgrade to Synapse 4, which does not utilize these problematic drivers. A representative on the Razer community forum stated:

Synapse 3 rolled out a security patch on February 20, 2025, to move away from these drivers.

Synapse 4 did not use these drivers. We encourage anyone facing this issue to check that they are using the latest version of Synapse 3, or upgrade to Synapse 4 for the most advanced protection and features.

This is in line with what’s being handled throughout the industry. We went ahead and made sure everything is secure ahead of time, but it’s very important that users are up to date with their Windows security patches and any others where required.

Conclusion and Best Practices

This situation illustrates that it is not merely a false positive or a Potentially Unwanted Application (PUA) detection. Microsoft has been actively enhancing its Smart Control application as part of the ongoing improvements in Windows 11, suggesting a clean install for users still on Windows 10.

Moreover, Microsoft recently released a new version of security intelligence updates for both Windows 11 and 10, as well as for Windows Server installations, reflecting their ongoing commitment to user security.
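
To review the exposure on a given machine before acting on the alert, the following PowerShell is an added example (not code from the article, the affected vendors or Microsoft). It lists where the WinRing0 driver is registered or stored and any matching Defender detections; the driver file names and detection name come from the article, while the search roots and output fields are assumptions.

```powershell
# Added example: locate WinRing0 driver copies and related Defender detections.
# File names and the detection name are from the article; search roots are assumptions.
$pattern = '\\WinRing0(x64)?\.sys"?\s*$'   # matches WinRing0.sys and WinRing0x64.sys

# 1. Kernel driver services whose image path ends in a WinRing0 binary.
$services = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match $pattern } |
    Select-Object Name, State, StartMode, PathName

# 2. Copies on disk, with version, signer and hash so each can be tied to an application.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData,
           $env:LOCALAPPDATA, $env:TEMP, "$env:SystemRoot\System32\drivers") |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }
$files = Get-ChildItem -LiteralPath $roots -Filter 'WinRing0*.sys' -File -Recurse -Force `
        -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -match $pattern } |
    ForEach-Object {
        [pscustomobject]@{
            Path    = $_.FullName
            Version = $_.VersionInfo.FileVersion
            Signer  = (Get-AuthenticodeSignature -LiteralPath $_.FullName).SignerCertificate.Subject
            SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }

# 3. Defender detections named like the article's "HackTool:Win32/Winring0".
$detections = @()
if (Get-Command -Name Get-MpThreat -ErrorAction SilentlyContinue) {
    $ids = @(Get-MpThreat -ErrorAction SilentlyContinue |
        Where-Object { $_.ThreatName -like '*Winring0*' }).ThreatID
    $detections = Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Where-Object { $ids -contains $_.ThreatID } |
        Select-Object InitialDetectionTime, ProcessName, Resources
}

# Report: a running service means the driver is loaded in the kernel right now;
# a file with no service is a dormant copy shipped by some application.
Write-Output '--- Driver services ---'
$services | Format-Table -AutoSize -Wrap
Write-Output '--- Files on disk ---'
$files | Format-List
Write-Output '--- Defender detections ---'
$detections | Format-List
```

Running it from an elevated prompt avoids access-denied gaps in the file search. Files Defender has already quarantined will not appear in the on-disk list, only in the detections section.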
