
Why some cheats need the kernel and others do not
A cheat that worked fine five years ago on most games will crash silently on Valorant or refuse to read a single byte of Fortnite's memory. The game did not get harder to play. The layer of software watching the game got much harder to fool.
Modern anti-cheat systems (Vanguard, Easy Anti-Cheat, Ricochet, BattlEye) no longer sit at the application layer waiting to catch suspicious behavior. They sit inside the operating system itself, at the level where hardware meets software, with authority over every process running on the machine. A cheat that stays at the application layer is fighting from the outside of a locked room. It can knock, but the door answers to a higher authority.
That higher authority is Ring 0. Understanding what it means, and why a cheat either operates there or loses, is the difference between knowing what you are buying and hoping the marketing page told the truth.
The privilege ring model: what Ring 0 actually grants
Windows runs on a hardware-enforced permission model called the privilege ring hierarchy. The CPU itself enforces it, not software. There are four rings, numbered 0 through 3, and the lower the number, the more authority the code has over the machine.
Ring 3 is where every normal application lives: games, browsers, media players, and usermode cheats. Code here has limited access; it cannot read another process's memory directly, it cannot touch hardware registers, and it has to ask the operating system for every privileged operation. The OS can say no.
Ring 0 is where the operating system kernel lives. Code here has no intermediary. It can read and write any memory address, load and unload drivers, intercept every system call before it executes, and watch every process that starts or terminates. The OS does not say no to Ring 0 code because Ring 0 code is the OS.
Anti-cheat vendors moved their software to Ring 0 because a Ring 3 watcher is inherently defeatable: a cheat running at the same privilege level can interfere with it. A Ring 3 cheat cannot interfere with a Ring 0 anti-cheat, in the same way that you cannot override a referee by talking loudly from the stands. The referee is on the field and you are not.
A kernel cheat solves this by getting onto the field.
Normal injection versus manual mapping
Getting code onto the field is the injection problem. There are two broad approaches. One uses the front door. The other skips it entirely.
Normal injection uses the operating system's own module loader: LoadLibrary via the Windows API. The process is clean and simple, but every step produces a notification. When Windows loads a DLL through the official path, the kernel invokes the load-image notify callbacks that drivers register through PsSetLoadImageNotifyRoutine, and every anti-cheat driver registers one. The cheat announces itself at the door. Manual mapping skips the loader entirely: the code is copied into memory as raw bytes, imports are resolved by hand, and the resulting region has no name, no module list entry, and a zeroed PE header so it looks like working memory rather than executable code.
The tradeoff is complexity. Manual mapping requires the developer to replicate what the OS loader does automatically, correctly, on every Windows version and every update. That engineering cost is part of why serious kernel cheats are expensive and slow to build.
How anti-cheat hunts kernel cheats
Anti-cheat vendors know manual mapping exists. Their answer is the VAD tree walk.
VAD stands for Virtual Address Descriptor. The Windows kernel maintains a VAD tree for every running process: a data structure that records every memory region, its size, its permissions, and critically, whether it has a backing file on disk. A legitimately loaded module always has a backing file; a manually mapped cheat does not. The anti-cheat walks the tree looking for executable memory with no file behind it, which shows up as a Private Executable region, and flags it for review.
Cheats respond to this in a few ways. Zeroing the PE header is the first move; without the header a memory scanner cannot confirm the region contains compiled code. A more advanced approach is code caves: injecting cheat instructions into the gaps inside an already-loaded legitimate module, so the code's address falls inside a region that does have a file backing it. The BYOVD and kernel driver traces guide covers the driver-side version of this problem in detail.
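The VAD check and the header-zeroing caveat described above, seen from the detection side, as an added example (not code from this page or from any anti-cheat vendor). The Region record, the triage function and the sample records are hypothetical and constructed for illustration; the MEM_* and PAGE_* values are the documented Windows constants.

```python
from dataclasses import dataclass

# Documented Windows constants (winnt.h): region types and executable protections.
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
PAGE_READWRITE, PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x04, 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
EXEC_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ |
             PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

@dataclass
class Region:              # hypothetical record: one entry per memory region
    base: int
    size: int
    mem_type: int          # MEM_PRIVATE, MEM_MAPPED or MEM_IMAGE
    protect: int           # PAGE_* protection value
    backing_file: str      # "" when no file on disk backs the region
    head: bytes            # first bytes read from the region

def triage(regions):
    """Return (base, reasons) for each executable region that needs review."""
    findings = []
    for r in regions:
        if not r.protect & EXEC_MASK:
            continue       # non-executable memory is out of scope
        reasons = []
        if r.mem_type == MEM_PRIVATE and not r.backing_file:
            reasons.append("private executable, no backing file")
            # The header is evidence only when present: a zeroed header must
            # never clear a region, so its absence is recorded, not trusted.
            reasons.append("PE header present" if r.head[:2] == b"MZ"
                           else "no PE header (wiped, shellcode or JIT)")
        if r.protect & PAGE_EXECUTE_READWRITE:
            reasons.append("writable and executable")
        if reasons:
            findings.append((r.base, reasons))
    return findings

# Constructed sample records, not taken from a real process.
SAMPLE = [
    Region(0x7FF600001000, 0x9000, MEM_IMAGE, PAGE_EXECUTE_READ,
           r"C:\Game\game.exe", b"\x48\x89\x5c\x24"),   # file-backed code
    Region(0x1F000000000, 0x20000, MEM_PRIVATE, PAGE_EXECUTE_READ,
           "", b"\x00\x00\x00\x00"),                     # unbacked, header zeroed
    Region(0x2A000000000, 0x1000, MEM_PRIVATE, PAGE_READWRITE,
           "", b"MZ\x90\x00"),                           # data only, not executable
    Region(0x3B000000000, 0x4000, MEM_PRIVATE, PAGE_EXECUTE_READWRITE,
           "", b"MZ\x90\x00"),                           # unbacked, header intact
]
```

A finding is a lead for review rather than a verdict, since JIT compilers also allocate private executable memory.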
The anti-cheat then checks kernel driver integrity. It maintains a list of known legitimate signed drivers and flags anything that was loaded without a valid signature or that matches a known vulnerable driver used for BYOVD exploitation. On a heavily defended title like Valorant, Vanguard loads at boot and establishes its own driver as trusted before any user code runs. Getting anything else into Ring 0 after that point requires defeating a system that has been watching since before Windows finished starting.
Most attempts fail here. That is also why the few builds that survive here command the prices they do.
Which games require a kernel-level approach
Not every game runs kernel-level protection. Knowing which ones do changes how you evaluate a provider's claim that their build works on a specific title.
Vanguard is the hardest target. It loads at boot, operates continuously whether Valorant is running or not, and uses a hypervisor layer on machines with VBS enabled to protect its own process from tampering. A usermode Valorant cheat is not a slightly weaker option; it is not a functioning option at all. Our Valorant cheat is built specifically against this architecture.
Easy Anti-Cheat runs on Fortnite, Apex Legends, Rust, and a large part of the current game catalog. EAC's kernel driver is loaded when the game launches rather than at boot, which gives it slightly different coverage than Vanguard, but the core problem for usermode cheats is the same: EAC registers kernel callbacks that intercept memory read requests before they reach the game process, and any read using the standard Windows API gets blocked or stripped of its handle permissions at the kernel level.
BattlEye covers PUBG, Rainbow Six Siege, DayZ, and Arma Reforger. Its kernel component runs a continuous scan loop checking driver integrity and memory regions. The four-layer detection architecture (kernel scan, memory signature scan, behavioral telemetry, and network reconciliation) is explained in the PUBG BattlEye detection guide. For Escape from Tarkov, BattlEye operates under similar constraints; the Tarkov cheat runs a kernel driver that has been updated through every patch cycle BattlEye has shipped this season.
Ricochet, Activision's system for Warzone and the Call of Duty titles, takes a different enforcement path: it runs a kernel driver that embeds itself as a software BIOS table entry, allowing it to survive some driver unload attempts. Each of these systems demands a different bypass approach; a build that defeats BattlEye's scan loop does not automatically pass Vanguard's boot-time check.
Fake kernel cheats versus real ones
The gap between what a storefront claims and what the software actually does is widest here. "Kernel-level" has become a marketing adjective, and half the products using it are running entirely in Ring 3 with administrator privileges. That is not a kernel cheat. That is a cheat with a UAC prompt.
The difference is observable before you pay, if you know what to look for.
The fastest single check: ask whether the software requires you to disable the game's anti-cheat first. A genuine kernel cheat operates alongside the anti-cheat driver; it does not need you to remove the thing it is supposed to defeat. If the setup guide's first step is "disable Vanguard," the product is not a kernel cheat.
What the price difference actually buys
A usermode cheat for a game without kernel protection might run $10 to $20 a month. A maintained kernel cheat for a Vanguard or EAC title runs $100 to $240. That range is not branding. It reflects the actual cost structure behind the build.
A kernel driver needs a valid code-signing certificate, or a strategy for loading without one that survives Microsoft's driver signing enforcement updates. It needs a developer who can read Windows kernel internals documentation and write code that interacts with structures the OS does not officially expose. Every Windows update and every anti-cheat patch is a potential break, and the break has to be found and repaired before the next ranked session. That repair cycle is ongoing; there is no version that is finished.
The subscription is not paying for a file. It is paying for the team running that cycle. At ZhexCheats the benchmark is hours, not days, and their average response time after each anti-cheat update is the number worth asking any provider before committing. On titles like Valorant and the games protected by BattlEye, that time window between a patch dropping and a maintained build going back online is measured in hours, not days. When you are mid-season and BattlEye ships a definition update at midnight, the difference between a provider who patches by 4 AM and one who patches "soon" is a full night of ranked play.
The Arena Breakout cheat and the PUBG cheat both run against kernel anti-cheat; status per title updates in real time after each patch, which is the most direct way to see the maintenance cycle in action rather than taking a storefront's word for it.