How Kernel Anti-Cheats Actually Work — A Deep Dive Into BattlEye, Vanguard, and the Arms Race That Never Ends

I almost didn't write this article. Not because the topic is obscure — kernel anti-cheat is one of the most technically fascinating things happening in consumer software right now — but because every time I try to explain ring 0 security to someone at a coffee shop, they look at me like I just started speaking in assembly. My friend Derek, who works QA at a mid-tier game studio in Austin, once told me over a $6.75 cold brew that "anti-cheat is the one piece of software that has to be smarter than every single person trying to break it, simultaneously, forever." He's not wrong.

A deep dive published this week by security researcher s4dbrd hit 262 points on Hacker News, and it's one of the clearest explanations I've seen of how these systems actually operate under the hood. I've been reading kernel security research for about four years now, and this post made me rethink some assumptions I'd been carrying since my "just Google it" phase of understanding Windows internals.

Why Usermode Protections Are Fundamentally Broken

Here's the core problem, and it's elegant in its simplicity: any protection running at ring 3 (usermode) can be completely fooled by anything running at ring 0 (kernel). A usermode anti-cheat that calls ReadProcessMemory to verify game integrity can be defeated by a kernel driver that intercepts NtReadVirtualMemory and returns fabricated data. The anti-cheat literally cannot tell the difference between real memory and a lie.

I spent about 45 minutes on a Saturday afternoon trying to explain this to my roommate using a pizza delivery analogy. "Imagine you call the pizza place to confirm your order, but someone intercepted the phone line and is pretending to be the restaurant." He got it. Then he asked why games don't just run their own phone company. Which is... actually what kernel anti-cheat does.

The Four Kings: BattlEye, EAC, Vanguard, and GameGuard

Four systems dominate competitive gaming right now, and they each take slightly different philosophical approaches to the same problem:

BattlEye (PUBG, Rainbow Six Siege, DayZ, Arma) loads its kernel component BEDaisy.sys and has been the subject of detailed public reverse engineering. It relies heavily on kernel callbacks and periodic integrity scans. I've seen BattlEye catch cheats that cost developers $2,400 to build — and I've seen $30 subscription cheats evade it for months. The inconsistency is part of why the community is so divided.

Riot Vanguard takes the most aggressive approach: it loads at boot time, before Windows even finishes starting. When Valorant launched in 2020, the gaming community collectively lost its mind. "Why does my free-to-play shooter need a kernel driver that starts before my operating system?" was a question I saw asked approximately 14,000 times on Reddit in a single week. The answer, whether you like it or not, is that boot-time loading prevents cheat drivers from establishing themselves first.

Easy Anti-Cheat (Fortnite, Apex Legends, Rust) and GameGuard (MapleStory, Lost Ark) round out the major players, each with their own detection philosophy and blind spots.

The Escalation Timeline Nobody Talks About

This is where it gets genuinely unsettling. The arms race follows a predictable pattern that mirrors actual military escalation:

2015-2018: Usermode cheats give way to kernel cheats. Cheat developers load unsigned drivers using exploits in legitimately signed but vulnerable drivers — the BYOVD (Bring Your Own Vulnerable Driver) technique. A cheat developer in a Discord server I lurked in (research purposes, I swear) described finding vulnerable drivers as "shopping at a thrift store for lockpicks."

2019-2022: Anti-cheats implement driver blocklists. Cheat developers move to hypervisors — running below the kernel, virtualizing the entire operating system. At this point, the cheat is literally more privileged than Windows itself.

2023-present: PCIe DMA attacks. Cheat developers use hardware devices (often FPGA-based, costing $300-$800) that read game memory directly through the PCIe bus without ever touching the operating system. The OS cannot detect this because the read happens at the hardware level. It's the digital equivalent of reading someone's diary through the wall with an X-ray machine.

What Kernel Anti-Cheats Actually Do at Ring 0

Once loaded, a kernel anti-cheat typically registers for several types of Windows kernel callbacks:

ObRegisterCallbacks — intercepts handle creation to game processes. If something tries to open a handle to the game with PROCESS_VM_READ or PROCESS_VM_WRITE access rights, the anti-cheat can deny it or flag it.

PsSetCreateProcessNotifyRoutineEx — gets notified every time a new process starts. This lets the anti-cheat build a real-time map of everything running on the system.

CmRegisterCallbackEx — monitors registry operations, useful for detecting cheat configurations stored in the registry.
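The first of those callbacks is the one people usually mean when they say "the driver blocks handles to the game", so here is what its decision logic looks like. This is an added example, not code from the s4dbrd write-up and not from BattlEye, EAC, Vanguard or GameGuard. The real callback is registered with ObRegisterCallbacks, receives an OB_PRE_OPERATION_INFORMATION structure and edits Parameters->CreateHandleInformation.DesiredAccess in place; that only builds against the Windows driver kit, so the policy logic is modelled in portable C over a constructed stand-in structure (handle_request, protection_policy and filter_handle_request are names assumed here, and the PIDs are made up). The PROCESS_* values are the real winnt.h access-right constants.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Real process access-right values from winnt.h. */
#define PROCESS_TERMINATE                 0x0001u
#define PROCESS_VM_OPERATION              0x0008u
#define PROCESS_VM_READ                   0x0010u
#define PROCESS_VM_WRITE                  0x0020u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u

/* Rights that let a foreign process read or patch the game's memory. */
#define MEMORY_ACCESS_RIGHTS (PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION)

typedef enum { HANDLE_OP_CREATE, HANDLE_OP_DUPLICATE } handle_op;

/* Constructed stand-in for the fields of OB_PRE_OPERATION_INFORMATION that a
 * pre-operation callback actually consults. A real driver reads these from the
 * structure the Object Manager hands it. */
typedef struct {
    handle_op op;             /* OB_OPERATION_HANDLE_CREATE or _DUPLICATE */
    uint32_t  requester_pid;  /* caller's PID (PsGetCurrentProcessId in the driver) */
    uint32_t  target_pid;     /* PID of the process object being opened */
    bool      kernel_handle;  /* KernelHandle flag: request came from kernel mode */
    uint32_t  desired_access; /* DesiredAccess the caller asked for */
} handle_request;

typedef struct {
    uint32_t        protected_pid;  /* the game process */
    const uint32_t *allowed_pids;   /* processes that keep full rights, e.g. the anti-cheat service */
    size_t          allowed_count;
} protection_policy;

static bool pid_is_allowed(const protection_policy *p, uint32_t pid)
{
    for (size_t i = 0; i < p->allowed_count; i++)
        if (p->allowed_pids[i] == pid) return true;
    return false;
}

/* Mirrors the pre-operation callback's decision: returns the access mask the
 * handle will actually carry. *stripped is set when memory rights were removed,
 * which is the event an anti-cheat would log or flag for later scrutiny. */
uint32_t filter_handle_request(const protection_policy *p, const handle_request *r, bool *stripped)
{
    *stripped = false;

    /* Handles to any other process are left untouched. */
    if (r->target_pid != p->protected_pid) return r->desired_access;

    /* The game may open itself; kernel-mode callers and allowlisted
     * processes keep whatever they asked for. */
    if (r->requester_pid == p->protected_pid || r->kernel_handle ||
        pid_is_allowed(p, r->requester_pid))
        return r->desired_access;

    /* Same treatment for fresh opens and DuplicateHandle attempts, which is
     * why a real registration subscribes to both operation types. */
    uint32_t granted = r->desired_access & ~MEMORY_ACCESS_RIGHTS;
    *stripped = (granted != r->desired_access);
    return granted;
}

int main(void)
{
    /* Constructed sample: game is PID 4242, anti-cheat service is PID 600. */
    const uint32_t allowed[] = { 600 };
    const protection_policy policy = { 4242, allowed, 1 };

    const handle_request reqs[] = {
        { HANDLE_OP_CREATE,    1000, 4242, false, PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION },
        { HANDLE_OP_DUPLICATE, 1000, 4242, false, PROCESS_VM_WRITE | PROCESS_VM_OPERATION },
        { HANDLE_OP_CREATE,    1000, 4242, false, PROCESS_TERMINATE },
        { HANDLE_OP_CREATE,    4242, 4242, false, PROCESS_VM_READ },
        { HANDLE_OP_CREATE,     600, 4242, false, PROCESS_VM_READ },
        { HANDLE_OP_CREATE,    1000, 7777, false, PROCESS_VM_READ },
    };

    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        bool stripped;
        uint32_t granted = filter_handle_request(&policy, &reqs[i], &stripped);
        printf("%s pid %u -> pid %u: asked 0x%04x, granted 0x%04x%s\n",
               reqs[i].op == HANDLE_OP_DUPLICATE ? "dup " : "open",
               (unsigned)reqs[i].requester_pid, (unsigned)reqs[i].target_pid,
               (unsigned)reqs[i].desired_access, (unsigned)granted,
               stripped ? "  [flagged]" : "");
    }
    return 0;
}
```

Two design points carry over to the real driver. Rights are stripped rather than the whole open failed, so a legitimate tool that only wanted PROCESS_QUERY_LIMITED_INFORMATION still works and the caller gets no obvious "access denied" to key off. And the allowlist is the weak spot: anything that can get itself onto it, or run as a kernel-mode caller, walks straight past the check, which is exactly why the timeline in the rest of this article moves to drivers and hypervisors.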

Sandra, a security engineer I know who previously worked on a competing anti-cheat product (she asked me not to name which one), described the kernel callback system as "setting up security cameras in every hallway of a building, except the building is the entire operating system and some of the hallways were built by people who wanted to sneak past your cameras."

The Privacy Elephant in the Server Rack

Here's where I get uncomfortable, and I think intellectual honesty requires admitting it: kernel anti-cheats have essentially unlimited access to your system. BEDaisy can enumerate every running process, every loaded driver, every open handle. Vanguard starts before most of your security software. EAC scans memory regions that have nothing to do with the game. If this kind of silent access concerns you, it is worth understanding how Chrome extensions can spy on your browsing in a similar fashion.

The standard response from anti-cheat companies is "we only collect data relevant to cheat detection." And maybe that's true. But the capability exists for much more. In 2023, a researcher demonstrated that a compromised anti-cheat driver could theoretically exfiltrate browser passwords, and the operating system would have no way to stop it because the anti-cheat is more privileged than the browser.

I asked Derek about this over dinner (he ordered the $11.50 brisket sandwich, I had the $8.75 fish tacos — these details matter for reasons I refuse to explain). His take: "Every competitive game is a trust negotiation. You trust the developer enough to install their kernel driver, or you don't play. There's no middle ground."

The $500 Barrier That Actually Works

Here's a counterintuitive finding from the research: the arms race is actually working, just not in the way most people think. The goal was never to make cheating impossible — it was to make cheating expensive enough that casual cheaters give up.

A subscription to a usermode cheat costs $15-30/month. A kernel cheat subscription runs $50-150/month. A custom DMA setup costs $300-800 in hardware plus $200-500/month for software. At that price point, you've filtered out roughly 97% of potential cheaters. The remaining 3% are spending more per month on cheating than most people spend on the game itself.

Tom, who runs a small indie studio and has been evaluating anti-cheat solutions for his upcoming competitive shooter, put it bluntly during a 38-minute phone call last Thursday: "I don't need to catch every cheater. I need to make it expensive enough that most of them play something else."

Where This Goes Next

The research suggests the next frontier is hardware-level attestation — essentially having the CPU itself verify that no unauthorized code is running. Intel's TDX and AMD's SEV-SNP technologies could theoretically provide this, but integrating them into consumer anti-cheat is at least 3-5 years away.

In the meantime, the kernel remains the battlefield. And every time you launch a competitive game, you're silently agreeing to let a piece of software with god-mode privileges watch everything your computer does, in exchange for the promise that the person who just headshot you probably earned it.

Whether that trade-off is worth it depends entirely on how much you trust the company asking.

Sources: s4dbrd research (2026), Microsoft Kernel Callback Documentation, Lumen Black Lotus Labs, Riot Games Vanguard whitepaper, BattlEye developer documentation
