elrawdsk.sys
EldoS RawDisk direct disk access driver
elrawdsk.sys is the kernel driver for EldoS RawDisk, a legitimate toolkit that gives user-mode applications direct read/write access to raw disk sectors, bypassing the file system. EldoS (now part of /n software) sold it as a developer tool for backup, forensics, and disk-imaging applications.
The driver became widely known in the security community because it was used in the destructive Shamoon/Disttrack incidents in 2012 and again in 2016-2017, where criminal threat actors used the legitimate signed driver to overwrite disk sectors and destroy data on thousands of machines in targeted organizations. The driver's presence on a gaming PC would be unusual.
If you find it and did not install a disk-imaging or forensics tool, investigate what placed it there.
elrawdsk.sys is listed as a known-vulnerable driver on the public LOLDrivers project. 2 distinct binary hashes matching this filename are on record, meaning multiple versions of the file have been observed.
Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.
Vera Project. “elrawdsk.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/elrawdsk-sys
