Your anti-cheat software has the same system access as your antivirus
The video game you're playing probably has kernel access. So does your VPN. So does that hardware monitoring tool in your system tray. So does TeamViewer.
Kernel access means software can interact directly with your operating system's core—the same level as your antivirus, the same level that crashed 8.5 million computers when CrowdStrike pushed a bad update.
Most users don't know which applications have this access. They should.
You might be surprised:
| Category | Examples | Why They Request It |
|---|---|---|
| Anti-Cheat | Vanguard, EasyAntiCheat, BattlEye | Detect memory manipulation and hardware-level cheating |
| Security Software | Antivirus, EDR solutions | Intercept malicious activity at the system level |
| Virtualization | VMware, VirtualBox, Hyper-V | Direct hardware access for VMs |
| Hardware Monitors | MSI Afterburner, HWiNFO | Read CPU temperatures, voltages; enable overclocking |
| Remote Access | TeamViewer, RealVNC | Capture screens and input at low level |
| VPNs | Some enterprise solutions | Intercept network traffic efficiently |
| Backup Software | Acronis, Macrium Reflect | Access locked files, create disk images |
| Dev Tools | WinDbg, Sysinternals | Debug system crashes, inspect kernel memory |
Anti-cheat is the most surprising for many people. Playing Valorant means Riot's Vanguard driver loads at boot and runs continuously with kernel privileges—even when you're not playing.
Signs that software wants kernel-level access:
If you see these signs for software that doesn't obviously need kernel access, ask why.
Kernel access isn't inherently bad. Antivirus needs it to catch malware before it executes. Virtualization software needs it for near-native VM performance. The question is whether the access is proportional to the functionality.
- Reasonable: Antivirus with kernel access to intercept malware
- Questionable: A game launcher with always-on kernel-level anti-cheat
- Red flag: An unsigned driver from an unknown publisher
If you want to minimize kernel-level attack surface:
Use alternatives when possible:
Before installing kernel-level software:
Protective measures:
Be skeptical when you see:
CrowdStrike was a trusted vendor with signed drivers and legitimate security functionality. Their kernel-level access was reasonable for the product category. It still crashed 8.5 million machines, causing over $10 billion in economic damage.[1]
Kernel access is sometimes necessary. It's never safe. Know what has it on your system.
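One way to see what has kernel access on a Windows machine, as an added example that is not part of the original article: the PowerShell script below lists running kernel-mode and file-system drivers that are not validly signed by Microsoft, with their start mode and signer. The helper name `Resolve-DriverPath` and the `O=Microsoft Corporation` filter are choices made for this example.

```powershell
# Added example: inventory running drivers and who signed them.
# Run in an elevated PowerShell session on Windows.

function Resolve-DriverPath {
    # Hypothetical helper: turn an NT-style driver image path into a file path.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                                    # \??\C:\... prefix
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')          # \SystemRoot\...
    $p = $p -replace '^System32\\', ($env:SystemRoot + '\System32\')     # relative form
    return $p
}

# Win32_SystemDriver covers kernel drivers and file-system drivers.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' }

$report = foreach ($d in $drivers) {
    $path   = Resolve-DriverPath $d.PathName
    $status = 'FileNotFound'
    $signer = ''
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $status = "$($sig.Status)"       # Valid, NotSigned, HashMismatch, ...
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    [pscustomobject]@{
        Name      = $d.Name
        StartMode = $d.StartMode         # Boot / System / Auto / Manual
        Type      = $d.ServiceType
        Status    = $status
        Signer    = $signer
        Path      = $path
    }
}

# Show third-party drivers and anything whose signature does not validate.
$report |
    Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation' } |
    Sort-Object StartMode, Name |
    Format-Table Name, StartMode, Status, Signer -AutoSize -Wrap
```

Drivers with a `Boot` or `System` start mode load before you log in; rows whose status is anything other than `Valid` are the ones to look at first.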
In July 2025, Microsoft announced it would remove kernel access for third-party security vendors in future Windows versions.[2] Security software will be required to use user-mode APIs, significantly reducing the blast radius of similar failures. This represents the most fundamental change to Windows security architecture in nearly two decades.
The announcement validated what the CrowdStrike incident demonstrated: even trusted, well-intentioned software with legitimate kernel access needs can cause catastrophic failures. Microsoft's solution—reducing the attack surface by restricting access—trades some security functionality for system stability.
[1] Economic estimates from Parametrix Insurance ($5.4B insured losses) and industry analysts (total impact $10B+). Delta's $500M lawsuit against CrowdStrike is ongoing as of January 2026.

[2] Announced at Microsoft Ignite 2024. The change will be phased in starting with Windows 12, with enterprise options for legacy compatibility. Security vendors including CrowdStrike, Symantec, and McAfee have expressed concerns about reduced effectiveness but acknowledged the stability benefits.