imfforcedelete.sys
IObit Malware Fighter ForceDelete driver
IMFForceDelete.sys is the kernel driver shipped with IObit Malware Fighter, IObit's consumer anti-malware and PC-cleanup product (the same company behind Advanced SystemCare and Driver Booster). Its user-facing job is mundane: force-delete files that another process is holding open, the way a security scanner needs to remove a malicious file that is still locked.
It is on the public LOLDrivers list because of CVE-2025-26125 (and, on the older 6.2 build, CVE-2019-6494): the driver exposes an IOCTL that lets any local user delete an arbitrary file, and the deletion runs as SYSTEM regardless of who owns the file. Removing the right system files can force Windows to load an attacker's replacement, which is how a file-delete primitive turns into privilege escalation.
Why it persists: it is the usual bring-your-own-vulnerable-driver story. The signed driver still loads on modern Windows, so an attacker can drop a copy onto an already-compromised machine without shipping any kernel code of their own. Security researchers at ESET documented the driver being dropped by the 'Gentlemen' extortion group's GentleKiller toolkit to disable endpoint protection.
On a gaming PC the boring explanation is the likely one: you installed IObit Malware Fighter. Update it to the current version or uninstall it through Windows' Apps and features; Microsoft's Vulnerable Driver Blocklist covers the older build.
imfforcedelete.sys is listed as a known-vulnerable driver on the public LOLDrivers project. One distinct binary hash matching this filename is on record.
Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.
Vera Project. “imfforcedelete.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/imfforcedelete-sys
