HWIDChanger
Published on September 10, 2025

Genshin Impact's anti-cheat and the driver that got abused

Genshin's anti-cheat ships a kernel driver, and that signed driver became a real-world cautionary tale about what kernel-level code costs once it is distributed at scale.

Genshin Impact, like many modern online games, ships an anti-cheat that includes a kernel-level driver. That driver became a widely cited example of why kernel-level code is a genuine security trade-off rather than a neutral implementation detail.

A kernel driver inside the game

To detect cheats effectively, Genshin's anti-cheat installs a component that runs in the Windows kernel, the most privileged layer of the system (ring 0). From there it can read the memory of other processes, enumerate loaded drivers and handles, and observe the system in ways that user-mode code cannot, and user-mode cheats cannot hide from it or block it. That depth is exactly what makes kernel anti-cheat effective against cheats that themselves run in the kernel.

When the driver became the problem

Security researchers documented a serious case: the game's signed anti-cheat driver was abused by attackers in what is called a "bring your own vulnerable driver" (BYOVD) attack. The attackers did not need the game at all. They carried the driver file with them, loaded it with a small loader on systems that never had the game installed (loading any driver requires administrative rights, which they already had), and used the driver's kernel-level ability to act on other processes to kill security software before deploying ransomware. Because the driver carried a valid, legitimate signature, Windows' driver signature enforcement saw nothing wrong with it.
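The defensive consequence of that paragraph is that a valid signature cannot be the signal a detection relies on, because the abused driver passes that check by design. Below is an added example, not code from the article or from the game's developer, that triages Sysmon "Driver loaded" (Event ID 6) records for BYOVD-style loads: it treats a valid signature as neutral and instead looks at where the driver was loaded from, who signed it, and whether its SHA256 hash is on a blocklist. The event records, signer names and blocklist hashes are all constructed placeholders; the field names (ImageLoaded, Signed, Signature, SignatureStatus, Hashes) follow Sysmon's DriverLoad schema.

```python
"""Triage Sysmon Event ID 6 (Driver loaded) records for BYOVD activity.

Added example. Events, signer names and blocklist hashes below are
constructed for illustration and are not real telemetry.
"""
from dataclasses import dataclass, field
import re

# Assumed organisational blocklist of driver SHA256 hashes (placeholder
# value). In practice this would be fed from a maintained source such as
# Microsoft's vulnerable driver blocklist.
BLOCKLIST_SHA256 = {
    "1111111111111111111111111111111111111111111111111111111111111111",
}

# Directories a legitimately installed driver is normally loaded from.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Locations writable by an ordinary user or commonly used for staging;
# a kernel driver being loaded from here is a strong anomaly on its own.
SUSPICIOUS_DIR_PATTERNS = [
    re.compile(r"^c:\\users\\", re.I),
    re.compile(r"^c:\\programdata\\", re.I),
    re.compile(r"^c:\\windows\\temp\\", re.I),
    re.compile(r"\\temp\\", re.I),
    re.compile(r"\\downloads\\", re.I),
]

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys",
     "Signed": "true", "Signature": "Microsoft Windows",
     "SignatureStatus": "Valid", "Hashes": "SHA256=" + "a" * 64},
    # A validly signed third-party driver dropped into a user directory
    # whose hash is on the blocklist: the BYOVD pattern described above.
    {"ImageLoaded": "C:\\Users\\Public\\Libraries\\gamedrv.sys",
     "Signed": "true", "Signature": "Example Game Studio Co., Ltd.",
     "SignatureStatus": "Valid", "Hashes": "SHA256=" + "1" * 64},
    {"ImageLoaded": "C:\\Program Files\\VendorTool\\vtool.sys",
     "Signed": "true", "Signature": "Example Vendor Inc.",
     "SignatureStatus": "Valid", "Hashes": "SHA256=" + "c" * 64},
    # Same signer as the blocklisted driver but an unknown hash, loaded
    # from a temp directory: not on any list, still worth a look.
    {"ImageLoaded": "C:\\Windows\\Temp\\drv.sys",
     "Signed": "true", "Signature": "Example Game Studio Co., Ltd.",
     "SignatureStatus": "Valid", "Hashes": "SHA256=" + "2" * 64},
]


@dataclass
class Finding:
    image: str
    severity: str               # "high", "medium" or "info"
    reasons: list = field(default_factory=list)


def parse_hashes(hashes_field: str) -> dict:
    """Turn Sysmon's 'SHA1=...,MD5=...,SHA256=...' string into a dict."""
    out = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def triage_driver_load(event: dict) -> Finding:
    """Score one driver-load event; a valid signature earns no credit."""
    image = event.get("ImageLoaded", "")
    image_l = image.lower()
    reasons, score = [], 0

    if parse_hashes(event.get("Hashes", "")).get("SHA256") in BLOCKLIST_SHA256:
        reasons.append("hash on driver blocklist")
        score += 3

    if any(p.search(image_l) for p in SUSPICIOUS_DIR_PATTERNS):
        reasons.append("loaded from user-writable or staging directory")
        score += 2
    elif not image_l.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from outside the standard driver directories")
        score += 1

    signer = event.get("Signature", "")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or signature not valid")
        score += 2
    elif not signer.startswith("Microsoft"):
        # Recorded for context only: BYOVD drivers pass this check.
        reasons.append(f"third-party signer: {signer}")

    severity = "high" if score >= 3 else "medium" if score == 2 else "info"
    return Finding(image=image, severity=severity, reasons=reasons)


def triage_all(events) -> list:
    return [triage_driver_load(e) for e in events]


if __name__ == "__main__":
    for f in triage_all(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.image}: {'; '.join(f.reasons) or 'nothing notable'}")
```

Run against the constructed sample, the Microsoft driver in System32 scores nothing, the blocklisted driver in a user directory is rated high, and the unknown driver in C:\Windows\Temp is rated medium even though its signature is valid and its hash is on no list; the same logic applied to real Sysmon exports is a reasonable first-pass hunt for this class of attack.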

Why this matters

The lesson is not that the game's developer acted maliciously. The lesson is about attack surface. Any widely distributed, signed kernel driver is a powerful tool. If it can be loaded independently of the game and has capabilities attackers want, it becomes a building block for attacks that have nothing to do with cheating. A driver does not have to be malware to be dangerous; it only has to be powerful and available. And "available" is permanent in a way patches are not: shipping a fixed driver in a later game version does not recall the older signed binary already in circulation, which stays loadable until its signature is revoked or it is explicitly blocklisted on the target system.

The broader point

This case is the concrete version of the abstract worry about kernel anti-cheat. The concern was never mainly "the game is spying on me"; it is that adding more privileged, signed code to millions of PCs expands the attack surface for everyone, whether or not the code itself is trustworthy, and whether or not the game is even installed on the machine that ends up running it.

The takeaway

Genshin's anti-cheat driver is a real-world illustration of the kernel anti-cheat trade-off. Effective detection needs kernel depth, but kernel depth, distributed at scale, is also a security liability. It is the clearest answer to why "it's just an anti-cheat" understates what kernel-level code really is.
