You've already agreed to give more software kernel access than your antivirus
On July 19, 2024, a routine CrowdStrike update pushed a faulty configuration file to its Falcon sensor. Within hours, 8.5 million Windows machines were bricked—airlines grounded, hospitals operating on paper, 911 services down. Total economic damage topped $10 billion.[1]
CrowdStrike had signed drivers. Microsoft-certified code. A legitimate reason to be in the kernel. And it still happened.
Now look at your system tray. The video game running there probably has the same privileges. So does your VPN. So does the hardware monitor you installed once to check CPU temps. So does TeamViewer.
You've already agreed to give more software kernel access than your antivirus. Most of it didn't need it.
Kernel access means software can interact directly with your OS core—reading any memory, modifying any file, inspecting any process. It's the same level your antivirus operates at, and the same level that crashed 8.5 million computers.
The most honest example is Riot's Vanguard. To play Valorant, you install a kernel driver that loads at boot—before Windows finishes starting, before you log in, before you've even decided to play. It runs continuously. You cannot play the game without it, and you cannot stop it without uninstalling.
Why does a multiplayer shooter need to start running before your operating system does? Because cheaters write kernel-mode cheats, and anti-cheat has to be at least as privileged as what it's fighting. That arms race is the justification for every driver Riot, Epic, and EA ship to your machine.
TeamViewer, BattlEye, EasyAntiCheat, MSI Afterburner, most enterprise VPNs, Acronis backup, VMware—all kernel-resident. You clicked "agree" on a EULA and loaded a driver with the same authority as your antivirus. That was the bargain for watching a temperature graph or playing a round of Valorant.
Kernel access isn't inherently bad. Antivirus needs it to catch malware before it executes. Virtualization needs it for VMs to run at near-native speed. The kernel is the only place some of these jobs can be done at all.
The question is whether the access is proportional to the functionality—and whether the vendor can be trusted to never ship a bad update. Those are two different risks, and most people evaluate neither.
Antivirus with kernel access to intercept malware is defensible. The threat model justifies the privilege. A game launcher with always-on kernel-level anti-cheat, loaded before boot, running even when the game is closed, is a much harder sell. The threat it mitigates—cheaters in a ranked match—does not obviously justify the same system authority you'd grant enterprise security software. And yet you agreed to it to play a free game.
The CrowdStrike incident proved the second risk is real even for vendors who pass every other test. Signed drivers from a publicly traded company with billions in revenue and a dedicated QA team still bricked 8.5 million endpoints. Every kernel driver on your machine has the same failure mode. The vendor's reputation only changes how likely it is to happen—not how bad it gets when it does.
The honest answer is that for most of these categories, there isn't a real alternative. You can't play Valorant without Vanguard. You can't monitor GPU voltages from user space. You can't remote into a coworker's machine at the keystroke level without hooking input at the driver layer.
What you can do is audit. Windows lists installed drivers through the driverquery command or in Device Manager. Most people have a dozen third-party kernel drivers and can't name half of them—leftovers from games they uninstalled, utilities they ran once, peripherals they replaced years ago. Each one is a piece of code from a vendor you may or may not still trust, loaded at boot, with full system authority. Removing the ones you don't actively need is the single highest-leverage thing you can do.
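A worked version of that audit, added here as an example and not part of the original post: it enumerates the kernel drivers Windows currently has loaded or set to load at boot, checks each file's Authenticode signer and version-info company, and lists the ones that are not Microsoft's. It assumes Windows 10/11 with Windows PowerShell 5.1 or later and an elevated prompt; the column names in the output object are my own.

```powershell
# Added example: list loaded / boot-start kernel drivers and flag third-party ones.
# Win32_SystemDriver, Get-AuthenticodeSignature and VersionInfo are standard Windows APIs.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -or $_.StartMode -in 'Boot', 'System' }

$report = foreach ($d in $drivers) {
    # PathName may carry NT-style prefixes (\??\, \SystemRoot\) or be relative to %SystemRoot%.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ([string]::IsNullOrEmpty($path)) { continue }
    if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig     = Get-AuthenticodeSignature -LiteralPath $path
    $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName

    # Caveat: attestation/WHQL-signed third-party drivers carry a Microsoft signature, so the
    # signer alone undercounts third-party code. CompanyName from the file's version info is
    # the second signal; a driver is treated as third-party unless both point at Microsoft.
    $isMicrosoft = ($signer -match 'Microsoft') -and ($company -match 'Microsoft')

    [pscustomobject]@{
        Name       = $d.Name
        StartMode  = $d.StartMode      # Boot / System = loaded before you log in
        State      = $d.State
        Company    = $company
        Signer     = $signer
        SigStatus  = $sig.Status       # Valid, NotSigned, HashMismatch, ...
        ThirdParty = -not $isMicrosoft
        Path       = $path
    }
}

$thirdParty = $report | Where-Object ThirdParty
$thirdParty | Sort-Object StartMode, Name |
    Format-Table Name, StartMode, State, Company, SigStatus, Path -AutoSize
"{0} kernel drivers examined, {1} not from Microsoft" -f @($report).Count, @($thirdParty).Count
```

Every row in the third-party list is a driver you should be able to name and justify; the ones you cannot are candidates for removal through the owning application's uninstaller.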
Before you install the next one, assume it will fail the way CrowdStrike did and ask whether the functionality is worth it. Sometimes it is. Often it isn't.
In July 2025, Microsoft announced it would remove kernel access for third-party security vendors in future Windows versions.[2] Security software—the category where kernel access was least controversial—will be pushed to user-mode APIs. It's the most fundamental change to Windows security architecture in nearly two decades.
Microsoft looked at CrowdStrike and decided that even their own vendors, running signed code for legitimate reasons, couldn't be trusted inside the kernel anymore.
The game in your system tray has not received the same scrutiny.
[1] Economic estimates from Parametrix Insurance ($5.4B insured losses) and industry analysts (total impact $10B+). Delta's $500M lawsuit against CrowdStrike is ongoing as of January 2026.
[2] Announced at Microsoft Ignite 2024. The change will be phased in starting with Windows 12, with enterprise options for legacy compatibility. Security vendors including CrowdStrike, Symantec, and McAfee have expressed concerns about reduced effectiveness but acknowledged the stability benefits.