← All drivers
vulnerable
Driver

ampa.sys

AOMEI utility driver (backup / partition software)

From Chengdu AOMEI Tech Co., Ltd.
Status
On a known-vulnerable list
Known variants
1 distinct hashes
Field notes

ampa.sys is a signed kernel driver from AOMEI, the company behind consumer backup and partition tools such as AOMEI Backupper and Partition Assistant. Some gamers have AOMEI software for disk cloning and backups, which is where this driver would come from. The signed binary loads on modern Windows.

Northwave Cyber Security disclosed a vulnerability in the driver, scored 8.8 (high), and an independent technical writeup was published in 2025. The disclosed issue lets a local user reach privileged disk and registry operations the driver exposes, with both privilege-escalation and destructive potential. No CVE has been assigned, but the finding is documented and named.

If you use an AOMEI backup or partition tool, the driver is expected. If you do not, identify what installed it and remove it. Microsoft's Vulnerable Driver Blocklist blocks known-bad builds from loading.

What the record shows

ampa.sys is listed as a known-vulnerable driver on the public LOLDrivers project. One distinct binary hash matching this filename is on record.

What this means, plainly
Presence is not proof of misuse. Driver files on the LOLDrivers list commonly ship with legitimate hardware tools, gaming software, or vendor utilities. Their presence is recorded as evidence on a record. It is never treated as a verdict about a person.
Source

Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.

Cite this entry

Vera Project. “ampa.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/ampa-sys