← All drivers
vulnerable
Driver

mhyprot2.sys

Genshin Impact anti-cheat kernel driver

From miHoYo / HoYoverse
Part of the miHoYo family
Status
On a known-vulnerable list
Known variants
8 distinct hashes
Field notes

mhyprot2.sys is the anti-cheat kernel driver associated with miHoYo / HoYoverse titles, notably Genshin Impact. It was registered as a kernel service at install time, which means it can be loaded on a machine even if the game itself is no longer present.

The driver's IOCTL surface gives a caller read and write access to arbitrary kernel memory and the ability to terminate processes with kernel-level privilege. Proof-of-concept exploits have been public on GitHub since 2020. The signing certificate has not been revoked, so the driver still loads on modern Windows.

On the public record: Trend Micro published a detailed write-up in 2022 documenting criminal data-extortion operators using mhyprot2.sys on machines that never had Genshin ImpactGameGenshin ImpactOpen plate → installed, loading it specifically to terminate endpoint-protection processes before deploying their payload. BleepingComputer, PC Gamer, SecurityWeek, and others covered the story. It became one of the cleanest cautionary examples of why an anti-cheat driver is part of every gamer's security surface.

If you have ever installed a HoYoverse title, the driver may be registered on your system regardless of whether the game is currently installed. Removing the game does not always remove the kernel service; check Windows services for mhyprot2 and remove it if you are not playing.

What the record shows

mhyprot2.sys is listed as a known-vulnerable driver on the public LOLDrivers project. 8 distinct binary hashes matching this filename are on record, meaning multiple versions of the file have been observed.

What this means, plainly
Presence is not proof of misuse. Driver files on the LOLDrivers list commonly ship with legitimate hardware tools, gaming software, or vendor utilities. Their presence is recorded as evidence on a record. It is never treated as a verdict about a person.
Related drivers

Other drivers in the miHoYo family. See the whole family →

Source

Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.

Cite this entry

Vera Project. “mhyprot2.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/mhyprot2-sys