afd.sys
Windows Ancillary Function Driver for WinSock (a core OS driver)
afd.sys is not a vendor utility you installed. It is a core part of Windows itself: the Ancillary Function Driver for WinSock, the kernel component that sits underneath nearly every network connection your PC makes. Every online game, every launcher, every update check goes through it. It is on every Windows machine, and there is nothing to uninstall.
It appears on the public LOLDrivers list because of CVE-2023-21768, an elevation-of-privilege flaw that let a local user on the machine gain SYSTEM, the highest level of access in Windows. Microsoft patched it in the January 2023 Patch Tuesday updates. What made it notable was the speed: working exploit code was public within about a day of the patch, and security firms (IBM X-Force, SentinelOne, Rapid7) analyzed it almost immediately.
This is the one entry in the Field Guide where the persistence story runs the other way. With a vendor's overclocking or RGB driver, the fix is to update or remove the bundled software. afd.sys is the operating system, so you do not remove it and you cannot; you keep Windows current. An unpatched copy is the risk, and Windows Update is the entire fix.
If afd.sys is on your system, that is correct and expected; it is on everyone's. The practical step is simply to make sure Windows Update is current. A machine patched past January 2023 is not running the vulnerable version.
afd.sys is listed as a known-vulnerable driver on the public LOLDrivers project. 2 distinct binary hashes matching this filename are on record, meaning multiple versions of the file have been observed.
Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.
Vera Project. “afd.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/afd-sys
