Game Hacking Guides

Trace Cleaning Explained: What Stays on Your PC After a Ban

July 14, 2026Nathan Reed8 min read

Registry keys, prefetch files, driver load history: the records anti-cheat reads after a ban, and why a cleaner and an HWID spoofer are not the same tool.

Trace Cleaning Explained: What Stays on Your PC After a Ban

What traces actually are

When you run a game, the game leaves records of its presence on your machine. Registry keys, prefetch files, event log entries, driver load history. Normal software does this; it is not sinister. The problem arises when anti-cheat systems use those records to identify machines that were banned, even after the original account is gone and a new one is created.

The same applies to cheat software. A cheat driver that loads and then unloads does not disappear cleanly. Windows keeps tables of what has been loaded. The anti-cheat reads those tables. The record is still there, pointing at something that should not have existed.

Trace cleaning is the process of removing those records before the anti-cheat has a chance to read them on your next session. Not spoofing hardware. Not faking identifiers. Deleting the actual artifacts the system accumulated while you were running software you should not have been running.

Where they hide on your system

// WHERE BAN-RELEVANT ARTIFACTS LIVE ON A WINDOWS SYSTEM

Location What it stores AC reads it? Cleanable
PiDDBCacheTable Every driver loaded this Windows session, incl. unloaded ones Yes, BattlEye / Vanguard YES
MmUnloadedDrivers Last 50 kernel drivers unloaded, names and timestamps Yes, kernel-level AC YES
Windows Event Log Service installs, driver failures, policy errors, crash records Sometimes YES
Prefetch files Recently launched executables: name, path, last run time Sometimes YES
Registry (game keys) Game install paths, cheat loader config entries, last-run flags Yes, most AC YES
USN Journal NTFS file system change log: files written, renamed, deleted Rarely, advanced AC PARTIAL
Hardware serials (Disk, MAC, GPU) Physical identifiers burned into hardware at manufacture Yes, HWID ban systems NOT BY CLEANER

The last row is the one that catches people. A cleaner handles software artifacts. It cannot change what a hard drive reports as its serial number, what a network adapter reports as its MAC address, or what the GPU reports as its device ID. Those values sit in firmware. Cleaning registry keys and prefetch files does not touch them.

This is why trace cleaning and HWID spoofing are different tools, not interchangeable ones. One removes the paper trail. The other changes what the hardware says it is.

Cleaner versus HWID Spoofer: not the same thing

// WHAT EACH TOOL ACTUALLY DOES (AND DOES NOT DO)

TRACE CLEANER

Deletes PiDDBCacheTable entries
Clears MmUnloadedDrivers list
Removes cheat-related registry keys
Wipes prefetch and event log entries
Removes game launcher history linking banned account
Cannot change hardware serials
Cannot remove HWID ban from AC server

HWID SPOOFER

Intercepts hardware serial queries at kernel level
Returns randomized or preset values for Disk, MAC, GPU
Makes the machine look like new hardware to the AC
Allows fresh account on same physical machine post-ban
Does not remove software artifact traces
Does not clean registry / driver history

The practical read is this: if you were banned and want to play again on the same machine, you need both. The cleaner removes the software trail that would link your new session to the banned one. The spoofer changes what hardware the anti-cheat sees, so the HWID ban that was recorded against your old hardware fingerprint does not match the new session.

Running only one of the two is what gets new accounts flagged within the first few hours. The cleaner without the spoofer means the hardware IDs still match the ban record. The spoofer without the cleaner means the AC sees clean hardware but finds driver history and registry artifacts pointing at known cheat tooling. Either path is enough for a fast re-ban.

ZhexCheats includes both a cleaner and an HWID Spoofer in full-tier builds. They run in sequence before you launch the game, not as a one-time-after-ban operation.

What anti-cheat scans for after a ban

When a fresh account joins a game from a machine that was previously banned, the anti-cheat does not start from scratch. It has a record of what the banned session looked like. The scan on the new session compares against that record.

BattlEye and EAC prioritize the kernel tables. PiDDBCacheTable and MmUnloadedDrivers are read early in the session, before the game is even fully loaded. If the cheat driver name or its compile-time hash appears in either table, the match is immediate. The ban lands before you reach the main menu. That is why cleaning those two tables is the highest-priority step, not an optional one.

Registry checks come next. Known cheat loader paths, service installation keys, and cheat configuration files all leave registry entries. A loader that installs itself as a Windows service for persistence is especially visible; the service key survives a reboot by design.

Vanguard extends the scan to TPM-based hardware attestation on Windows 11. That is outside what any cleaner can address, because the TPM endorsement key is hardware-burned and cannot be spoofed by software. For Valorant specifically, an HWID ban backed by a TPM record is categorically different from a BattlEye or EAC HWID ban. Physical hardware replacement is the only path off a TPM-based Vanguard ban.

The right order to clean

// POST-BAN CLEANUP SEQUENCE: RUN IN THIS ORDER

1

Uninstall game and cheat software completely

Do not clean first. Remove the software, then clean. Cleaning while files still exist leaves partial artifacts.

2

Run the cleaner (kernel tables + registry + prefetch)

Target locations in order:

HKLM\SYSTEM\CurrentControlSet\Services\ [cheat service keys] HKCU\Software\ [game and launcher entries] C:\Windows\Prefetch\ [cheat loader .pf files] kernel: PiDDBCacheTable + MmUnloadedDrivers [needs driver-level cleaner]
3

Reboot (do not skip this)

PiDDBCacheTable and MmUnloadedDrivers are in-memory structures. They reset on reboot. If the cleaner wrote to them, the clean state only persists through the reboot.

4

Run the HWID Spoofer before reinstalling the game

Spoofer active before the game's anti-cheat driver loads. Do not launch the game first, then spoof. Order matters.

5

Reinstall game on a new account, verify clean session

New account. New email. Do not link the old account through any social login, launcher, or payment method the AC vendor could cross-reference.

The reboot step is the one most people skip and then wonder why the clean did not hold. Both PiDDBCacheTable and MmUnloadedDrivers are runtime kernel structures. A cleaner that patches them in memory is effective until the next reboot, at which point Windows rebuilds them from disk. If the cleaner did not also remove the on-disk sources before that reboot, the tables come back populated with the same data.

When cleaning alone is not enough

There are scenarios where a complete cleaning routine does not result in a clean session. Most of them involve one of three things: a ban that was already tied to hardware before you cleaned, a scan surface the cleaner does not cover, or a server-side fingerprint the AC vendor retained.

Vanguard with TPM attestation is the clearest example of the third category. When Riot records a ban, they store the TPM EkPub alongside the account and hardware fingerprint. That value is tied to the physical TPM chip, which cannot be changed by software. Even a perfect software clean, followed by a spoofer that changes every other identifier, still returns the same TPM EkPub. The ban matches.

The same logic applies to any anti-cheat that has moved beyond runtime hardware ID checks into cryptographic attestation. Cleaning handles the evidence on your machine. It cannot erase what the vendor's servers already recorded. For most games, those server-side records are limited to account-level data. For Valorant, the record extends to hardware. That is a meaningful distinction.

For Tarkov and PUBG, BattlEye's ban model stays closer to the software and HWID layer, which is why the cleaner-plus-spoofer combination holds up reliably on those titles. The HWID Spoofer article covers how spoofing works against BattlEye specifically, and why Tarkov's particular scan profile is one of the reasons the spoofer tier matters as much as it does on that game.

What to look for in a cleaner

A cleaner that only handles user-mode artifacts, registry keys and prefetch files, is doing about half the job. Kernel table cleaning requires the cleaner to run at kernel privilege level, which means it needs its own signed driver or a loader that can achieve kernel access. A cleaner without that cannot touch PiDDBCacheTable or MmUnloadedDrivers. Those two tables are what most modern anti-cheats actually check.

The other thing to verify is update cadence. Anti-cheat vendors change what they scan and where they look after every major patch cycle. A cleaner whose target list was written in 2023 may miss registry paths the AC added in 2025. Not because the cleaner is broken, but because no one updated its target list.

ZhexCheats bundles a maintained cleaner alongside the HWID Spoofer in full-tier builds. Both are updated on the same patch cadence as the cheat builds themselves. Running them as a paired sequence before each session, not just after a ban, is the approach that keeps new accounts clean over weeks rather than days. The ban history guide explains how to verify that a vendor's tools are actually being maintained before you commit to a subscription.

// More articles