← All drivers
vulnerable
Driver

kevp64.sys

PowerTool kernel driver

From Beijing Hualing Bao Software Technology
Status
On a known-vulnerable list
Known variants
3 distinct hashes
Field notes

kevp64.sys is the 64-bit kernel driver for PowerTool, a free Chinese anti-rootkit and system-inspection utility. PowerTool is designed to give administrators raw visibility into processes, drivers, and kernel structures. Its driver exposes process termination, driver unloading, and memory access primitives through IOCTL calls, giving the utility the deep access it advertises.

The driver was signed with a VeriSign certificate valid from mid-2015 to mid-2016. It is on the public LOLDrivers list because those same process-killing and memory-access IOCTLs are useful as a BYOVD primitive. Security researchers have published proof-of-concept tools that load the signed driver and use it to terminate protected processes, including endpoint protection software. Trend Micro classifies it as HackTool.Win64.ToolPow.A.

Not a typical gaming-PC driver. If you find it and did not install PowerTool yourself, investigate what placed it there.

What the record shows

kevp64.sys is listed as a known-vulnerable driver on the public LOLDrivers project. 3 distinct binary hashes matching this filename are on record, meaning multiple versions of the file have been observed.

What this means, plainly
Presence is not proof of misuse. Driver files on the LOLDrivers list commonly ship with legitimate hardware tools, gaming software, or vendor utilities. Their presence is recorded as evidence on a record. It is never treated as a verdict about a person.
Source

Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.

Cite this entry

Vera Project. “kevp64.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/kevp64-sys