
Insecure Code vs. the Entire RGB Industry - WinRing 0 Driver, ft. Wendell of Level1 Techs
video description
Date: 2025-04-20
Comments and reviews: 20
AlainODea
WinRing0's code still exists and could be mixed directly into a purpose built driver. In my mind, it breaks Windows' security model to have a driver that provides user mode (ring 3) access to kernel mode (ring 0) direct memory. RGB _might_ need a standard driver. All the semi-standard ATX functions like fan control could live there too. Relying on unbounded 1980s MSDOS direct memory access and lack of security mode separation to do basic functions is very problematic. Having a standard driver for a standard set of interfaces to typical gaming PC hardware would be an excellent improvement.
Even in the worst case, it should be possible to make specific drivers for each vendor using WinRing0's code directly instead of as a DLL.
Except that it's GPLv3, which would force the drivers copying its source directly to be GPLv3 themselves. Doable, but likely to be a bit complicated to convince the vendors to Open Source their drivers.
The drivers in this case would be so trivial as to be pleasantly uninteresting and useless without the vendor's hardware, but some business people miss nuances like that and think all source code is sacred intellectual property.
marios97
If anybody here is looking for a slightly more security-conscious way to control their 3-pin ARGB devices, the Gelid Codi6 is probably the best hub they can buy.
Obviously it's not for everyone, as it's essentially an Arduino, but it's theoretically much safer, as it communicates with your computer through a USB serial interface.
After I bought it I modified a FastLED starter project to work with it and flashed it to the memory. Software like OpenRGB can be set up to control it over the Adalight protocol over this USB serial interface.
And it comes with a built-in fan splitter.
I've been running 3x3 Lian Li fans, 2 ARGB strips and the ARGB lighting on my GPU water block out of a single hub, with the ability to control every single LED manually.
It's such a shame Gelid killed it, but it makes sense that they wouldn't support such a niche product...
Instead of nice, perfectly addressable, open-source and self-programmable ARGB/fan hubs we are getting slop...
solstice.1847
Hiyohiyo accidentally provided a general purpose driver, and because it was open source all sorts of commercial entities were able to use it for their specific purposes. His only mistake, solely of inexperience, was making it extremely general-purpose and powerful.
The underlying problem here is that MS doesn't provide the necessary APIs for things like controlling fan speed and making LEDs blink to the beat of whatever song you're playing. Specific APIs for specific device classes.
Instead, what we're going to get is a dozen different companies making their own closed-source drivers, each with their own bugs AND security issues. Hopefully the companies will make them restricted to their specific functionality or hardware to reduce the security footprint, but there's no real guarantee there. Being big enough to get a driver signed by MS is not any statement about code quality.
siberx4
Great video. Note that it's not entirely true that _every_ hardware vendor must get their own driver created and signed independently if they want some ability to interface between the hardware and operating system. USB's HID (human interface device) spec has for many years had mechanisms to expose vendor-specific custom descriptors and endpoints that allow you to read/write addresses on USB devices in a somewhat controlled/standard way, without requiring the overhead of implementing your own driver since HID is standardized and built-in for support across basically all operating systems.
Unless you have very specific needs (or your peripheral can't work as a USB device) this is often sufficient, and is certainly good enough for the various RGB and fan controller scenarios that are the main subject of this video.
JackMacWindows
People crap on Apple for their walled garden, but they're ahead of the game in malware protection (not just because of low market share as haters will claim) - a few years ago they effectively killed all Ring 0 access period, requiring all drivers to run in essentially User mode with DriverKit. They've also required signing for basically everything, which does make it a hassle for smaller devs to make stuff, but as a smaller dev myself, $100/yr isn't a huge amount to pay for those certificates (less than Netflix, and much less than a certificate for Windows signing). Furthermore, System Integrity Protection and Sealed System Volumes stop malware from being able to edit any system files. Windows needs to step up and start trimming away vulnerabilities, no matter how much the big corporations complain.
EmblemParade
Terrific overview and 99% accurate! :) I just want to point out that ring 0 is generally speaking not about Windows, it's an aspect of a feature of all modern CPUs, one that has revolutionized operating system security. So basically all serious operating systems (Linux, Mac, Android, etc.) make use of protection rings and tend to reserve ring 0 for the lowest-level parts of the operating system (e.g. the kernel).
By the way, there are operating system architectures that avoid running drivers in ring 0. Such user mode drivers have to interact with the kernel to gain access to protected hardware. There are pros and cons to this approach, but the big advantage is, of course, security. You don't have to fiddle with signing drivers because they are completely normal programs with no special privileges.
dannotech2062
I might be the only independent developer on the planet who wrote my own MSR (model specific register) driver so I didn't have to rely on WinRing0 for my program called Statuscore, which shows you the IPC of your CPU core in real-time. It's actually rather hard and I completely understand why big companies can't do it.
A driver that runs in Ring0 can literally do anything it wants, completely unrestricted access to everything in the computer. Everything. My understanding is that CPU-ID and HWINFO64 also use WinRing0 to provide access to the hardware. They secretly (and temporarily) load that driver into the temp directory of your computer without your knowledge.
Fuxy22
Yep, it's what I suspected, it's basically a signed driver that gives full low level access to hardware from the highest security area of the OS ring 0 meaning, no security at all, direct road through to hardware.
I see why people would use it though if the alternative is going through tons of paperwork with Microsoft every time you want to release a driver for your RGB thing...
Honestly the simplest solution would be to turn it into an unsigned library locked to the certain application needing it and require everyone to get their implementation using the library signed... few code changes just a lot of politics and money to get it signed...
rohansampat1995
Yeah suure bud, just use USB... How on earth do you expect to get a RAM stick's rgb to plug into usb? U really gonna buy a ram stick that says plug me into usb, when the rest of them light up by themselves?
A reasonable solution would be to let users authorize applications with a certain hash on their executable to utilize winring0. This would give control BACK to users and ofc the access list can be controlled by an administrator. REASONABLE solutions also don't involve paying money to msofft for this crap. Users should be able to tell the OS for FREE that this is secure, I trust it WITHOUT putting it into an untrusted/test mode.
gamersnexus
Oh man, the amount of times I caught bunk expressing this sentiment in PC-building spaces. Ahh, sweet vindication. It feels SO good to be a pessimist right now.
I've always compared the software and firmware side of RGB to printers. Printers make exploits that none of the modern hardware on its network would otherwise be vulnerable to become threats again, because at the bottom of their driver code are the remnants of civilizations so ancient, little-known, and even lesser-understood, that they're converting to fossil fuel. It's all tar down there. And that tar will #### your network if somebody digs it out and puts flame to it.
nico_thenico
Microsoft still considers an admin user as part of the Trusted Computing Base.
That means they are not going to patch escalation from usermode admin to kernelmode ring0.
That's why a winring0 patched to be restricted to the builtin Administrators group is not going to be revoked.
The original one granted access to Everyone aka reducing the security of the whole system to none.
The renderer process of your browser that people worked a lot to restrict can talk to it.
In other words, find a tiny security hole in the JavaScript engine running as an unprivileged user, instant escalation to kernel mode.
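The difference described in the comment above, between a device open to Everyone and one restricted to the built-in Administrators group, shows up in the device object's security descriptor. As an added example (not part of the thread, and not WinRing0's or Microsoft's code), this Python script audits an SDDL string and lists every trustee other than SYSTEM and Administrators that an allow ACE grants rights to; the function names and the sample descriptors are constructed for illustration.

```python
import re

# Trustees the comment treats as acceptable holders of a handle to the device:
# LocalSystem (SY) and the built-in Administrators group (BA).
TRUSTED = {"SY", "BA"}

# Full-SID spellings of common trustees, normalised to SDDL abbreviations.
SID_ALIASES = {"S-1-1-0": "WD", "S-1-5-18": "SY", "S-1-5-11": "AU",
               "S-1-5-32-544": "BA", "S-1-5-32-545": "BU"}

NAMES = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Built-in Users",
         "IU": "Interactive", "AN": "Anonymous", "RC": "Restricted Code",
         "AC": "All Application Packages", "BG": "Built-in Guests"}

ACE_RE = re.compile(r"\(([^()]*)\)")


def dacl_section(sddl):
    """Return the text of the D: component, or None if the string has none."""
    m = re.search(r"D:(.*?)(?=S:|$)", sddl)
    return m.group(1) if m else None


def audit_device_sddl(sddl):
    """Return (trustee, rights) pairs for allow ACEs outside TRUSTED.

    Assumption: deny ACEs are ignored, so the result is conservative and may
    over-report when a deny ACE would have blocked the same trustee.
    """
    dacl = dacl_section(sddl)
    if dacl is None or "NO_ACCESS_CONTROL" in dacl:
        # A missing (NULL) DACL grants every caller full access.
        return [("WD", "NULL DACL")]
    findings = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        trustee = SID_ALIASES.get(trustee, trustee)
        if ace_type == "A" and rights and trustee not in TRUSTED:
            findings.append((trustee, rights))
    return findings


def report(sddl):
    """Human-readable summary lines for one descriptor."""
    findings = audit_device_sddl(sddl)
    if not findings:
        return ["OK: only SYSTEM and Administrators are granted access"]
    return [f"EXPOSED: {NAMES.get(t, t)} ({t}) granted {r}" for t, r in findings]


# Constructed sample descriptors (not read from any real driver).
WORLD_RWX = "D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GRGWGX;;;WD)(A;;GRGWGX;;;RC)"
ADMIN_ONLY = "D:P(A;;GA;;;SY)(A;;GA;;;BA)"

if __name__ == "__main__":
    for label, sddl in (("world-accessible", WORLD_RWX),
                        ("admin-only", ADMIN_ONLY),
                        ("no DACL component", "O:BAG:SY")):
        print(label)
        for line in report(sddl):
            print("  " + line)
```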
clinttube
Great report. If Hyte takes up the mantle of providing an open source signed alternative I will massively gain respect for them. Even just them talking about it/raising awareness makes me curious what they're doing that I could get for my new build. But if they actually do it in some semi-official capacity, I'd buy something of theirs most other things equal.
My impression (from zero recent experience desktop pc building from scratch in literally 10 years) was mixed, but I really liked how they were taking risks doing different new stuff, just wasn't a fan of the aquarium style for my build.
username7763
One of my past employers wrote a driver for a hardware card that we sold. I was curious about it, as I didn't have much experience writing drivers. So I took a look at the code and all the driver did is take in a request to map hardware address space to a process. Then, the actual logic of communicating with the hardware ran in user-land. It was sloppy, lazy and a horrible security risk. Any process could request the driver to map any address space! As I was a junior programmer at the time, no one listened to me. I'm not surprised that this is a common thing people do in drivers.
mibj01
So based on my research, recreating the WinRing0, as something that is up to today's standards for Kernel Driver in Windows, you would roughly have to eat a budget, if it is run as a commercial project, at about $450k... and with a time to completion from start to end in about 6 months time.
The roles you would need are rather standard as you would need Lead Kernel Engineer, Security Engineer, Hardware Abstraction Specialist, Userland API Engineer, QA/Compliance Engineer, Project Manager/Product Owner, and an optional Technical Writer...
Any takers?
Liriq
I have a friend with a Gigabyte mobo. I do his BIOS updates, manually via a usb. He says there's this easy and useful gui tool, that can update BIOS from within the OS. So useful! I've been telling him for years not to install that, as it is an enormous security risk. It shouldn't exist at all.
I've always thought the same of all rgb control software, and never installed any of them. I have cool rgb lights that I don't have a way to control. I got used to them as they are. Hardware control software is nightmare fuel.
catnipfyi
attributing this all to crowdstrike is a bit much. windows has been revoking old drivers for a long time now and also making a lot of those drivers obsolete by providing secure alternatives.
this is public information because to revoke a certificate microsoft has to put it on the crl (certificate revocation list). there have also been a lot of kernelmode exploit mitigations especially since windows 11 which are supposed to make exploiting vulnerable drivers much harder and sometimes even impossible (in some cases).
gamersnexus
It is up to the user (in this case the corporations) to conduct research to make sure the software is actively maintained, cannot be used with malicious intent that will damage the company's reputations etc.
Not the FOSS dev that developed and shared their software.
The dev shouldn't feel in any way responsible for their software used irresponsibly by many corporations, and the companies should have forked and maintained the software in the first place if they were ever to heavily depend on it to this day.
notsam498
I'm a little confused why they ever used this method. I've built a number of wled displays, and done a fair amount of various microcontroller programming, and it seems like it would have been simpler to use a pwm attached to an internal USB/serial. I mean, that's what I would do if I wanted RGB in my case. From a driver's perspective there are a lot of routes to go, but the operation would be the same once you have the serial device.
halycon404
Or. We could get Intel and AMD to come together to write one standard for controlling this, integrate it into the chipset & driver, author a unified API between them so vendors don't have direct access to the Kernel, and be done with it. One platform agnostic solution. Who cares what Microsoft does. They have done things like this in the past. So, maybe? Oh, and it'll have the bonus of also fixing this problem on Linux.
TheMechanator
Why doesn't Microsoft or some vendor of hardware provide a standard library to read the smbus for fans and offer controls in a management driver? Microsoft had to do something similar for video capture cards since the released driver was buggy and crashing since Windows 98 up until Windows XP. The other vendors then can submit their i/o address and function templates for calls and this whole ring0driver is moot.