← All drivers
vulnerable
Driver

msr.sys

Model-Specific Register access driver (Intel Processor Counter Monitor)

From Intel Corporation
Status
On a known-vulnerable list
Known variants
2 distinct hashes
Field notes

msr.sys is the name of the kernel driver built and loaded by Intel's Processor Counter Monitor (PCM), an open-source Intel project for reading low-level CPU performance and energy telemetry. The 'MSR' is the processor's Model-Specific Registers, the control and measurement registers that user-mode software cannot reach on its own. Performance-monitoring, benchmarking, and power-telemetry tools built on Intel PCM install a driver by this name to read them.

It is on the public LOLDrivers list for a capability rather than a specific CVE. A signed driver that grants read and write access to Model-Specific Registers is a well-known building block in the bring-your-own-vulnerable-driver pattern, because those registers govern how the processor behaves at the lowest level. Security researchers at ESET, Cisco Talos, and CyberArk have written broadly about this whole class of MSR-access drivers; the public record covers the category, and no single named incident is tied to this exact file.

One caution on identification: 'msr.sys' is a generic name, and more than one small monitoring tool has shipped a driver called that. The Intel PCM driver is the best-documented one. If you have it, the likely source is a CPU performance or telemetry utility.

If you find msr.sys and do not run low-level Intel performance tooling, identify the monitoring utility that placed it and update or remove it. Microsoft's Vulnerable Driver Blocklist blocks known-bad builds from loading.

What the record shows

msr.sys is listed as a known-vulnerable driver on the public LOLDrivers project. 2 distinct binary hashes matching this filename are on record, meaning multiple versions of the file have been observed.

What this means, plainly
Presence is not proof of misuse. Driver files on the LOLDrivers list commonly ship with legitimate hardware tools, gaming software, or vendor utilities. Their presence is recorded as evidence on a record. It is never treated as a verdict about a person.
Source

Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.

Cite this entry

Vera Project. “msr.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/msr-sys