
 

Shoggy

Sven - Admin

Information about Windows Defender warning "HackTool:Win32/Winring0" (AquaComputerService.sys)

Wednesday, March 12, 2025, 11:47

Windows Defender and other antivirus software (repeatedly) detect the AquaComputerService.sys file as a threat or virus.



This is not a virus!

This file is a signed open source driver (WinRing0) that aquasuite has been using for many years for hardware monitoring (e.g. CPU temperature). The exact same driver is also used by numerous other, far more popular programs and companies.

A security vulnerability (CVE-2020-14979) has been known to exist in this driver for some time. The problem is that the driver lacks a security descriptor and can be accessed with user rights. Since the driver has deep access to the system, it is possible for malware to exploit the driver and gain system privileges to run malicious code.

Regardless of the version, aquasuite applies a security descriptor when installing the driver, which restricts access to system and admin rights. Based on current knowledge and our own tests, the mentioned attack scenario is no longer feasible.

Please note: If any other application installs the driver before aquasuite without a corresponding security descriptor, the driver is vulnerable. In this case, this is a failure on the part of the corresponding application.

We are already working on a solution by creating our own customized version of the driver and having it certified by Microsoft. However, this is a complex process and will therefore take some time. The main problem is the verification of our company in the Microsoft Partner Center. Microsoft switched this process to an AI-based system last year, and since then, nothing has been working properly. There are numerous reports of companies that had to wait several months before they were approved. Microsoft is aware of the problems and has been promising to solve them for months...

If you do not see any problems with using the driver, you can define it as an exception.

Alternatively, you can disable all hardware monitor modules in aquasuite via the aquasuite -> Service tab. This will prevent aquasuite from loading the corresponding driver. System data can still be transferred to aquasuite via HWiNFO or AIDA64 if required.
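As an added illustration (not aquasuite's or WinRing0's code), this Python sketch audits the SDDL string of a device object's security descriptor and reports any allow entry for a principal other than SYSTEM or Administrators, which is the restriction the post above describes. The sample SDDL strings are constructed; reading the descriptor from a live system is outside the example.

```python
import re

# SDDL aliases and SIDs for the principals that should keep access (SYSTEM, Administrators).
TRUSTED = {"SY", "BA", "S-1-5-18", "S-1-5-32-544"}
ACE_RE = re.compile(r"\(([^()]*)\)")  # simple ACEs only; conditional ACEs are not handled


def dacl_of(sddl):
    """Return the text of the D: component, or None if the descriptor has no DACL."""
    m = re.search(r"D:(.*?)(?=S:|$)", sddl)
    return m.group(1) if m else None


def audit_device_sddl(sddl):
    """Return a list of findings; an empty list means no access beyond SYSTEM/Administrators."""
    dacl = dacl_of(sddl)
    if dacl is None or dacl.startswith("NO_ACCESS_CONTROL"):
        # A descriptor without a DACL grants full access to every caller.
        return ["no DACL (NULL DACL): every caller is granted full access"]
    findings = []
    for ace in ACE_RE.findall(dacl):
        fields = ace.split(";")
        if len(fields) < 6:
            findings.append(f"malformed ACE ({ace})")
            continue
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        # Only allow-type ACEs widen access; deny ACEs narrow it.
        if ace_type in ("A", "OA") and rights and trustee not in TRUSTED:
            findings.append(f"allow ACE grants {rights} to {trustee}")
    return findings


# Constructed sample descriptors (not taken from any real driver installation).
RESTRICTED = "D:P(A;;GA;;;SY)(A;;GA;;;BA)"
OPEN_TO_USERS = "D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGWGX;;;WD)(A;;GR;;;BU)"
NO_DACL = "O:BAG:SY"

if __name__ == "__main__":
    for name, sddl in [("restricted", RESTRICTED), ("open", OPEN_TO_USERS), ("no dacl", NO_DACL)]:
        print(name, audit_device_sddl(sddl) or "OK")
```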

sebastian

Administrator

Thursday, October 9, 2025, 08:16

Update on the current status (October 9, 2025):
We have developed a completely new driver with a stricter security model.
Unfortunately, it is currently unclear how long Microsoft’s certification process will take.

The aquasuite X.84 setup now automatically adds an exception for the monitoring driver in Windows Defender.
This setting is enabled by default but can be disabled during installation if desired.

Due to differences in security mechanisms across Windows versions, Windows 11 may still display warnings about temporary driver files.
This does not affect monitoring, which remains fully operational.

Speedy-VI

Senior Member

Friday, October 10, 2025, 03:38

Update on the current status (October 9, 2025):
We have developed a completely new driver with a stricter security model.
Unfortunately, it is currently unclear how long Microsoft’s certification process will take.

The aquasuite X.84 setup now automatically adds an exception for the monitoring driver in Windows Defender..
Congrats on getting the new driver written and submitted to MS for certification. Is adding the exception to Windows Defender the only change in X.84?

Shoggy

Sven - Admin

Friday, October 10, 2025, 10:01

The way the hardware monitoring driver is processed has slightly changed. A wrong translation in the RGBpx controller context menu was fixed and some features of the RAM hardware monitoring have been removed since they caused crashes on some systems.

camjo99

Newbie

Defender triggers even with exclusion - Workaround - C:\Windows\SystemTemp\

Tuesday, October 14, 2025, 02:54

Happy to hear you guys are working on a new driver!


In the meantime, I recently started getting defender notifications every time I woke up my PC. Both from full shutdown or just sleep.


This is even though I already have "C:\Windows\System32\drivers\AquaComputerService.sys" excluded in Defender.


If anyone else is facing the same, read on. I found a decent workaround to use until the new signed driver is available!


Upon system resume, Defender alerts on files with names that look like this:
C:\Windows\SystemTemp\UDDC168.tmp


There are always multiple files, and always inside C:\Windows\SystemTemp\
The filenames always start with UDD but the latter digits change, so excluding these files in Defender doesn't help.


You could exclude all of C:\Windows\SystemTemp\* in defender, but this felt overly broad to me - so I started digging with Process Monitor, and tracked down what was creating these files.


As it turns out they are being created by pcasvc - a component of Windows. This is the Program Compatibility Assistant Service.


This service checks for legacy application behaviors or crash data, and can create temporary .tmp or .etl (event trace log) files.



For some reason, at least on my system, this service was tripping up on AquaComputerService.sys on every boot - Maybe assuming the driver is having an issue on resume.
(now that I type that out, this makes sense. When I first put together this rig I had to manually create a custom task to restart the aquasuite service 30s after any "workstation unlock". I have never had the service properly resume after sleep mode, I would always lose HW monitoring data)


So, as soon as pcasvc sees whatever issue happens, it must be extracting the winring0 driver (or a part of it) and creating an error/dump file inside C:\Windows\SystemTemp\
This then gets picked up by defender, as I did not have this path excluded!

So - instead of excluding the whole SystemTemp folder in Defender, the workaround is to block pcasvc from reading AquaComputerService.sys

This can be done like so in an administrative command prompt:

Source code

icacls "C:\Windows\System32\drivers\AquaComputerService.sys" /deny "NT SERVICE\PcaSvc":(R)


This will add an ACL entry to deny the service from reading the file. And if it can't read it - it can't copy it to SystemTemp!


This resolved my issue and I don't get a defender popup when I wake from sleep anymore.
If anyone else is having this issue - hopefully this helps while we wait for the new driver! :)
Here's hoping the new driver will natively handle wake from sleep better as well...

Speedy-VI

Senior Member

RE: Defender triggers even with exclusion - Workaround - C:\Windows\SystemTemp\

Wednesday, October 15, 2025, 22:57

If anyone else is facing the same, read on. I found a decent work around to use until the new signed driver is available!
Interesting. I wonder if this is related to the constant stream of Catalog DB errors I have been seeing in C:\Windows\System32\catroot2\dberr.txt since the day I updated Aquasuite to X.83. Here is a LINK to my post detailing my observations about the behavior of the AquaComputerService.sys driver file on my main Windows 10 machine. Strangely, my other machine also running Windows 10 had totally different behavior. I never did figure out why, but I am still getting these errors on my main Windows 10 machine. Here is a partial screenshot of today’s errors. I never got any response from Aquacomputer about this.

The entries look like this: CatalogDB: 8:29:43 PM 9/14/2025: catadnew.cpp at line #1977 encountered error 0x800700c1. This error (0x800700C1 = ERROR_BAD_EXE_FORMAT) normally means Windows rejected a malformed or unsigned driver file. Based on timing, I suspect it’s related to the AquaComputerService.sys driver. Do you know if there is a way to stop these errors from being logged?

rays2c

Junior Member

Friday, October 17, 2025, 21:05

I think because of this, the aquacomputer service no longer starts automatically on bootup. Is there something I need to do to enable the autostart of the aquacomputer service on bootup?

Antikythera

Newbie

Tuesday, October 21, 2025, 09:45

Thanks for the information on this issue. I appreciate the candor. Also interesting information on the process.
I was wondering if once the fix is implemented will it be applied to older versions or will I need to purchase the update service? I'm running version X.44
Anti
edit: but holy crap, the autoformatting of this forum software after I hit submit, sucks. lol

This post has been edited 3 times, last edit by "Antikythera" (October 21, 2025, 09:53)