WinRing0x64.sys: Safe or Virus?

A practical check for WinRing0x64.sys: legitimate hardware utility, Microsoft vulnerable driver alert, or suspicious file that should be removed.

Brendan Smith - Cybersecurity Analyst

Defender flagged WinRing0x64.sys: what should you do?

If Microsoft Defender flags WinRing0x64.sys as VulnerableDriver:WinNT/Winring0, do not add an exclusion first. The file can belong to a real hardware monitoring, RGB, fan-control, sensor, or overclocking tool, but the WinRing0 driver family is vulnerable enough that an old or misplaced copy should be treated as a security risk until you verify the parent app.

For third-party helper files that are safe in one app but suspicious in the wrong folder, compare the process against our Lively.Watchdog.exe safety checklist: source, path, hash, and behavior should agree.

Do not add a Defender exclusion first. Identify the parent app, update or uninstall it, reboot, and scan. Treat it as high risk if it appears in Temp, AppData, a crack/cheat folder, or keeps returning after the related hardware utility was removed.

File: WinRing0x64.sys
Defender alert: VulnerableDriver:WinNT/Winring0 or a WinRing0 vulnerable-driver warning.
Why it appears: Hardware tools use it for low-level sensor, fan, RGB, voltage, or overclocking access.
False positive?: It can be a legitimate tool component, but a vulnerable driver can still be unsafe to keep.
Safe removal: Update or uninstall the parent app, then reboot and run a full scan.
Do not do this: Do not blindly delete random driver files or create a Defender exclusion before checking the source.

What to do first when Defender flags WinRing0x64.sys

  1. Open the Defender alert and copy the exact path to WinRing0x64.sys.
  2. Match the folder to a real utility such as OpenRGB, FanControl, Libre Hardware Monitor, MSI Afterburner, HWiNFO, EVGA Precision X1, Razer, SteelSeries, Dell, HP, or another hardware tool.
  3. If the app is legitimate, update it from the official vendor source or uninstall it if you no longer need it.
  4. If the file is in Temp, AppData, Downloads, a crack/cheat folder, or returns after the parent app was removed, treat it as malware-assisted vulnerable-driver abuse and scan the system.

This is the difference many search results blur: WinRing0x64.sys can be a legitimate driver, while the specific copy on your PC can still be unsafe to keep.

What is WinRing0x64.sys?

WinRing0x64.sys is a 64-bit driver from the WinRing0 driver family. It lets an application access low-level hardware data that normal Windows apps cannot read directly: CPU sensors, motherboard sensors, fan speeds, voltage, RGB controllers, and some overclocking-related information.

That access is why the file appears in legitimate utilities and in security alerts. A kernel driver runs with much higher privilege than a normal app. If a vulnerable driver is available on the system, malware may try to use it as a shortcut into privileged memory or driver-level actions.

Can I delete WinRing0x64.sys?

Yes, but usually not by deleting the file first. The clean fix is to remove or update the application that installed it. If you delete only WinRing0x64.sys, the parent app may recreate it after reboot or fail in a confusing way.

Delete or remove it when Defender flags it, when the parent utility is old, when you do not use the hardware tool anymore, or when you cannot verify where it came from. Keep it only when you trust the parent app, it is current, and Defender is not blocking it as vulnerable.

What legitimate software uses WinRing0x64.sys?

Legitimate tools can bundle WinRing0 or a renamed WinRing0-based driver. Microsoft’s own threat description for VulnerableDriver:WinNT/Winring0.A lists old versions of tools such as CapFrameX, EVGA Precision X1, FanCtrl, HWiNFO, Libre Hardware Monitor, MSI Afterburner, Open Hardware Monitor, OpenRGB, OmenMon, Panorama9, Razer Synapse, SteelSeries Engine, and ZenTimings.

Users also report similar alerts around FanControl/FanCtrl, OpenRGB profiles, OEM utilities, gaming laptops, RGB controllers, and hardware/firmware tools. A Dell, HP, MSI, Razer, SteelSeries, Cooler Master, or motherboard utility can be the source. The app name matters because the right fix is often an update from that vendor, not a manual file deletion.

Why Microsoft Defender flags WinRing0

Microsoft flags this driver family because some versions are known vulnerable drivers. The key issue is CVE-2020-14979, where affected WinRing0.sys and WinRing0x64.sys drivers allowed local users or low-privilege processes to read and write arbitrary memory and potentially gain SYSTEM privileges.

Microsoft’s vulnerable driver blocklist exists to stop non-Microsoft drivers that are known to be vulnerable, abused for certificate misuse, or used to bypass Windows security. Since the Windows 11 2022 Update, the vulnerable driver blocklist has been enabled by default for all devices, and it is also enforced when Memory integrity, Smart App Control, or S mode is active.

So the alert can be both “not a virus” and “not safe to keep”. That distinction is important. A legitimate old driver can still be risky.

The same compatibility logic applies when Windows Hello fingerprint stops working with Memory Integrity: first look for a supported OEM driver instead of turning off kernel protection permanently.

How to check if WinRing0x64.sys is legitimate

  1. Open the Defender alert and copy the full file path.
  2. Look at the parent folder. It often reveals the app: OpenRGB, FanControl, Libre Hardware Monitor, EVGA, MSI, SteelSeries, Razer, Dell, or another hardware utility.
  3. Open Settings -> Apps -> Installed apps and sort by install date.
  4. Right-click the file, open Properties, and check Details and Digital Signatures if available.
  5. Use Task Manager and Services to see whether a hardware utility starts with Windows.
  6. Advanced users can run PowerShell as administrator: Get-AuthenticodeSignature "C:\path\to\WinRing0x64.sys".

Signs of legitimate usage

  • The path is inside a known RGB, fan-control, monitoring, sensor, or overclocking utility you installed.
  • The alert started after installing or updating that utility.
  • Updating or uninstalling the parent app stops the alert.
  • No other trojans, miners, suspicious services, or browser hijackers are detected.

Red flags for malicious usage

  • The file is in %Temp%, %AppData%, Downloads, a crack folder, or a random ProgramData folder.
  • It reappears after deletion and no trusted hardware utility is installed.
  • Defender also detects a trojan, coin miner, suspicious PowerShell, or disabled security settings.
  • The system has high CPU/GPU usage, browser redirects, unknown startup entries, or new scheduled tasks.
  • The alert appeared after running a crack, cheat, fake driver updater, mod installer, or repacked game.
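
The path, signature, and hash checks from the steps and lists above, collected in one read-only PowerShell function. This is an added example, not part of the original article: the function name Get-DriverCopyReport and the set of folders treated as risky are this example's own choices, and the path in the last line is a placeholder.

```powershell
# Added example: read-only triage of one copy of the driver.
# Get-DriverCopyReport is a hypothetical helper name, not a built-in cmdlet.
function Get-DriverCopyReport {
    param(
        [Parameter(Mandatory)]
        [string]$Path   # full path copied from the Defender alert
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256

    # Folders the article lists as red flags for a driver file (assumed mapping
    # to environment variables; adjust for redirected profiles).
    $riskyRoots = @(
        $env:TEMP,
        $env:APPDATA,
        $env:LOCALAPPDATA,
        (Join-Path $env:USERPROFILE 'Downloads'),
        $env:ProgramData
    ) | Where-Object { $_ }

    # First risky root that contains the file, compared case-insensitively.
    $hit = $riskyRoots | Where-Object {
        $file.FullName.StartsWith($_.TrimEnd('\') + '\', [StringComparison]::OrdinalIgnoreCase)
    } | Select-Object -First 1

    [pscustomobject]@{
        Path             = $file.FullName
        ParentFolder     = $file.Directory.Name      # usually names the parent app
        SHA256           = $hash.Hash
        SignatureStatus  = $sig.Status
        Signer           = $sig.SignerCertificate.Subject
        FileVersion      = $file.VersionInfo.FileVersion
        OriginalFilename = $file.VersionInfo.OriginalFilename
        LastWriteTime    = $file.LastWriteTime
        RiskyLocation    = $hit                      # empty when outside the listed folders
        NeedsReview      = [bool]$hit -or ($sig.Status -ne 'Valid')
    }
}

# Replace the placeholder with the path shown in the Defender alert.
Get-DriverCopyReport -Path 'C:\path\to\WinRing0x64.sys' | Format-List
```

A Valid signature status does not clear the file, because a signed driver can still be a vulnerable one; use the parent folder and hash to tie the copy to the app you installed.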

How to remove WinRing0x64.sys safely

Method 1: Update or remove the parent app

  1. Identify the app that installed the driver.
  2. Download the current version from the official vendor source.
  3. If the current version no longer uses the vulnerable driver, update and reboot.
  4. If you do not need the app, uninstall it.
  5. Reboot and run a Full scan in Windows Security.

Method 2: Remove leftover driver services

If the app was removed but the driver keeps returning, check Services, Task Scheduler, and startup entries. Advanced users can inspect driver services from an elevated Command Prompt with sc query type= driver. Do not delete a driver service unless you have confirmed it belongs to the removed utility.
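
A PowerShell counterpart to the sc query check that lists only the driver services pointing at a WinRing0 file, including services left behind after the file was deleted. This is an added example, not part of the original article: the function name is hypothetical, and matching on the file's version-resource fields is a heuristic for renamed copies that a rebuilt driver may not satisfy.

```powershell
# Added example: list kernel driver services that reference a WinRing0 file.
# Find-WinRing0DriverService is a hypothetical helper name. It changes nothing.
function Find-WinRing0DriverService {
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $svc = $_

        # Service image paths may carry a \??\ or \SystemRoot\ prefix; normalise them.
        $image = $svc.PathName -replace '^\\\?\?\\', ''
        $image = $image -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')

        $exists = [bool]($image -and (Test-Path -LiteralPath $image))
        $vi = if ($exists) { (Get-Item -LiteralPath $image).VersionInfo }

        # Match on service name, path, or version-resource fields (heuristic,
        # so that a renamed copy of the driver file is still considered).
        $text = @($svc.Name, $svc.DisplayName, $image,
                  $vi.OriginalFilename, $vi.InternalName, $vi.ProductName) -join ' '

        if ($text -match 'WinRing0') {
            [pscustomobject]@{
                Service          = $svc.Name
                State            = $svc.State       # Running / Stopped
                StartMode        = $svc.StartMode   # Boot / System / Auto / Manual / Disabled
                ImagePath        = $image
                FileExists       = $exists          # False = leftover service entry
                OriginalFilename = $vi.OriginalFilename
            }
        }
    }
}

# Run from an elevated PowerShell session.
Find-WinRing0DriverService | Format-Table -AutoSize
```

The ImagePath column shows which application folder each service belongs to, which is the confirmation needed before removing any service.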

Method 3: Treat suspicious copies as malware

If WinRing0x64.sys came from a crack, cheat, fake optimizer, unknown installer, or Temp/AppData path, run a full Defender scan and a second-opinion scan. Check scheduled tasks, startup apps, Run registry keys, unknown services, and browser changes. Malware often uses vulnerable drivers as one part of a larger chain.

If the process path is wrong, the name imitates a Windows component, or high CPU started after an unknown installer, scan for hidden miners, services, startup entries, and bundled components.

Should you disable the vulnerable driver blocklist?

No, not as a normal fix. Disabling the blocklist may make an old hardware utility work again, but it also reduces protection against abused vulnerable drivers. The better fix is to update the utility, replace it with a maintained alternative, or remove it if you do not need it.

For a vendor-service example that uses the same location, signature, and behavior checks, see our AppHelperCap.exe safety guide for HP App Helper HSA Service.

FAQ

Is WinRing0x64.sys a virus?

Not necessarily. It can belong to legitimate hardware utilities. But a legitimate WinRing0 driver can still be vulnerable, and malware can also drop or abuse it.

Why does Defender call it VulnerableDriver:WinNT/Winring0?

Because affected WinRing0 driver versions are associated with CVE-2020-14979 and are part of the known vulnerable driver problem. Defender blocks the driver as an attack vector, not only as a normal file infection.

Why does WinRing0x64.sys keep coming back after I delete it?

The parent app or service may reinstall it when Windows starts. Remove or update the parent hardware utility instead of deleting only the driver file.

Can OpenRGB or FanControl trigger this alert?

Yes. Hardware tools that need low-level sensor access may use WinRing0 or similar drivers. Update the tool from its official source and check whether the new build still requires the vulnerable driver.

Is it safe to add a Defender exclusion?

Usually no. An exclusion can hide a known risky driver from future alerts. Only consider it in a managed environment where the software owner understands the driver risk and has compensating controls.

Official references

  1. Microsoft Support. “Microsoft Defender Antivirus alert: VulnerableDriver:WinNT/Winring0.” Microsoft, accessed June 7, 2026. https://support.microsoft.com/en-us/windows/microsoft-defender-antivirus-alert-vulnerabledriver-winnt-winring0-eb057830-d77b-41a2-9a34-015a5d203c42
  2. Microsoft Security Intelligence. “VulnerableDriver:WinNT/Winring0.A.” Microsoft, accessed June 7, 2026. https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=VulnerableDriver%3AWinNT%2FWinring0.A
  3. Microsoft Learn. “Microsoft recommended driver block rules.” Microsoft, accessed June 7, 2026. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules
  4. National Vulnerability Database. “CVE-2020-14979.” NIST, accessed June 7, 2026. https://nvd.nist.gov/vuln/detail/CVE-2020-14979

If you are checking unusual Windows processes after a Defender alert, review Trojan:Win32/Vigorf.A and WinRing0 false positives, AggregatorHost.exe, OmApSvcBroker.exe, and DWM.exe troubleshooting.

For the broader driver-trust question, our plug-and-play Windows driver safety guide explains why a signed or automatically installed driver can still need source, signature, and vulnerable-driver checks.
