The Software That Watches Without Telling You What It Sees

You install a game. You click through the terms of service the way everyone does, scrolling fast, looking for the Accept button, and somewhere in that blur of legalese a second piece of software lands on your machine. It starts at boot. It runs with kernel-level access. And by design, it will not tell you exactly what it's looking at.

This isn't paranoia. It's just how modern anti-cheat works.

Games like Valorant, Fortnite, and Genshin Impact all ship with anti-cheat systems (Vanguard, Easy Anti-Cheat, and mhyprot2 respectively) that sit at a layer of your operating system most applications never touch. Understanding what they actually do, and why the opacity is deliberate, is less about fear and more about knowing what you agreed to.

Why They Live in the Kernel, Not the Attic

Most software runs in what's called user space. Your browser, your music app, your game itself: all of them operate under rules the operating system enforces. They can't touch hardware or kernel memory directly, and they can only look at other processes through the interfaces the OS chooses to expose, each one gated by permissions.

Cheats figured this out fast.

If your wallhack or aimbot also lives in user space, anti-cheat software running at the same level can spot it. So cheat developers went deeper, writing cheats as kernel-mode drivers with the same elevated access as hardware drivers. (64-bit Windows only loads signed drivers, so this means obtaining or leaking a code-signing certificate, or piggybacking on a legitimately signed driver that happens to contain an exploitable bug.) From that position, a user-space anti-cheat is essentially blind, like a bouncer checking IDs outside a building while the fake guests are already inside running the bar.

So anti-cheat followed them down.

Kernel-mode anti-cheat (running at Ring 0, the x86 privilege level Windows calls kernel mode) can register for callbacks that fire when a driver or executable image is loaded, when one process opens a handle to another, and when input arrives from the hardware, visibility no ordinary application has. Riot's Vanguard loads a driver called vgk.sys at system startup, before the game even opens. That's not incidental. It's specifically designed to catch cheats that try to hide by loading before security software does.

The arms race is real, and it has been running for over a decade.

What It's Actually Watching (And Why the List Is Secret)

Here's the part that makes privacy researchers genuinely uncomfortable, and rightly so. Anti-cheat systems are deliberately vague about their specific detection signatures. Ask any of the major vendors for a precise list of what behaviors trigger a flag and you'll get a broad answer: "we monitor for unauthorized memory modifications" or "we detect software that manipulates game processes."

That vagueness is load-bearing.

If Riot published every exact condition that triggers a Vanguard ban, cheat developers would have a checklist to work around. Security through obscurity is normally a bad principle in software, but in adversarial cat-and-mouse systems it's one of the few tools that actually buys time. I think it's the right call. I also think vendors use it as cover for not being more transparent about things that have nothing to do with cheat signatures.

What we do know, from academic research, court filings, and reverse-engineering work by security professionals, is roughly this: anti-cheat systems scan running processes, check which DLLs are loaded into game memory, monitor for unusual patterns of memory reads (a classic aimbot behavior is reading enemy position data at inhuman speed and regularity), inspect hardware input timing to flag inhuman precision, and in some cases fingerprint your hardware to enforce bans across reinstalls.
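The input-timing heuristic above is the easiest of those checks to make concrete. What follows is an added illustration written for this article, not Vanguard's, Easy Anti-Cheat's or any vendor's actual logic: the thresholds, the click streams and the shape of the verdict are all my assumptions, and a real system would combine many such signals rather than banning on one.

```python
"""Toy input-timing heuristic: flag click streams whose inter-event intervals
are too regular, or too fast, for a human hand.

Added example, not code from any anti-cheat vendor. Thresholds and sample
data are illustrative assumptions.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass
class TimingVerdict:
    events: int
    mean_ms: float
    cv: float          # coefficient of variation: stdev / mean of intervals
    suspicious: bool
    reason: str


# Assumed thresholds. Too few samples yields no verdict at all, which is the
# kind of guard that keeps a short burst from a debounced switch from
# becoming a false positive.
MIN_EVENTS = 20
CV_THRESHOLD = 0.03    # assumption: humans rarely repeat an interval within 3 %
MIN_MEAN_MS = 15.0     # assumption: >~66 clicks/s is beyond a human hand


def assess_click_timing(timestamps_ms):
    """Score a list of click timestamps (milliseconds) for inhuman regularity."""
    ts = sorted(timestamps_ms)
    if len(ts) < MIN_EVENTS:
        return TimingVerdict(len(ts), 0.0, 0.0, False, "insufficient samples")

    intervals = [later - earlier for earlier, later in zip(ts, ts[1:])]
    mean = statistics.fmean(intervals)
    stdev = statistics.pstdev(intervals)
    cv = stdev / mean if mean > 0 else 0.0

    if mean < MIN_MEAN_MS:
        return TimingVerdict(len(ts), mean, cv, True, "rate exceeds human limit")
    if cv < CV_THRESHOLD:
        return TimingVerdict(len(ts), mean, cv, True, "interval regularity is inhuman")
    return TimingVerdict(len(ts), mean, cv, False, "within human variance")


# Constructed sample streams (seeded so the results are reproducible).

def human_clicks(n=60, seed=7):
    """Jittery human-like clicking: ~120 ms apart with ~25 ms of spread."""
    rng = random.Random(seed)
    t, out = 0.0, []
    for _ in range(n):
        t += max(30.0, rng.gauss(120.0, 25.0))   # clamp keeps intervals positive
        out.append(t)
    return out


def macro_clicks(n=60, seed=7):
    """Firmware rapid-fire macro: 50 ms period with sub-millisecond jitter."""
    rng = random.Random(seed)
    return [50.0 * i + rng.uniform(-0.5, 0.5) for i in range(1, n + 1)]


def short_burst():
    """Eight perfectly spaced clicks: regular, but too few to judge."""
    return [40.0 * i for i in range(1, 9)]


if __name__ == "__main__":
    for name, stream in [("human", human_clicks()),
                         ("macro", macro_clicks()),
                         ("burst", short_burst())]:
        v = assess_click_timing(stream)
        print(f"{name:6s} events={v.events:3d} mean={v.mean_ms:6.1f}ms "
              f"cv={v.cv:.4f} suspicious={v.suspicious} ({v.reason})")
```

The interesting knob is MIN_EVENTS together with CV_THRESHOLD. Lower the sample floor or tighten the regularity bound and the same code starts catching debounced switches and high-polling-rate mice; that is exactly the kind of threshold change that, shipped in an update, turns into the wave of appeals described further down.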

Some systems go further. mhyprot2, the miHoYo driver used by Genshin Impact, was found to expose control interfaces that let any user-mode caller read and write kernel memory and terminate arbitrary processes. Because the driver carries a valid signature, malware later shipped it as a bring-your-own-vulnerable-driver component to kill endpoint security products on machines that had never seen the game. That's the uncomfortable math of kernel-level code: powerful enough to catch cheaters, and powerful enough that a bug in it becomes a serious security hole.

Two Players, Same Game, Different Outcomes

Marcus and Priya both play the same competitive shooter. Marcus uses a custom mechanical keyboard with firmware that lets him set rapid-fire macros. Priya runs an older AMD driver that happens to hook into game memory in a way the anti-cheat flags as suspicious.

Marcus gets a warning. Priya gets banned.

Neither was cheating. Marcus's macro technically violates the terms of service even if he didn't know it. Priya was caught by a false positive, a notoriously common problem in kernel-level detection. She appeals, waits three weeks, and gets her account restored. Marcus quietly disables the firmware feature and plays on.

This is the daily texture of anti-cheat enforcement. It isn't surgical. False positive rates across major titles aren't publicly disclosed, but community data from ban appeal threads and third-party trackers consistently shows legitimate players getting caught, especially after major anti-cheat updates that tighten detection thresholds. That pattern should bother you more than it does.

What People Misread About the Privacy Trade-Off

The common objection is framed wrong. Most players ask "is this software spying on me?" and conclude it's fine because they're not cheating.

That's not quite the right question.

The better question is this: what guarantees exist about what this kernel-level driver can't do, and what happens if it's compromised?

A Ring 0 driver paired with a user-mode service that talks to the vendor's servers is, in principle, capable of reading nearly anything on your system and sending it home. Anti-cheat vendors argue, correctly, that they have no business interest in your personal files and that their code is audited. Some, like Epic with Easy Anti-Cheat, have published architecture overviews. But "we don't look at your files" is a policy claim, not a technical constraint. The technical capability is there regardless.

This is different from a browser extension with limited permissions. The permission model for kernel drivers is essentially: all of it.

There's also the supply chain angle. Vanguard or EAC aren't installed by shadowy strangers. They're installed by you, via a game you chose. But they update silently, and each update could theoretically expand what they examine. You'd never know, because the detection logic is proprietary by design. It also means the vendor's build and signing pipeline is now part of your machine's trusted computing base: anyone who can push a signed update to that driver can push it into your kernel.

None of this means you shouldn't play games that use them. It means you should understand the trade you're making: a reduction in cheat-enabled frustration, in exchange for software with sweeping access and intentional opacity about how it uses that access.

Millions of people make that trade every day, usually without reading the terms. Whether it's worth it comes down to one thing: how much do you trust the company holding the keys to your kernel?