miHoYo anti-cheat (mhyprot)
miHoYo's in-house kernel anti-cheat ships the Windows driver mhyprot2.sys, catalogued in this guide's drivers section. Signed and independent of the game, it became the textbook bring-your-own-vulnerable-driver case in 2022 when ransomware actors used it to disable antivirus from kernel mode.
miHoYo's anti-cheat runs as a signed Windows kernel driver, loaded for the game. Its place in the public record is less about what it watches and more about what was done with it: in 2022, ransomware crews loaded this legitimate signed driver onto machines that never ran a miHoYo game, and used its kernel access to switch off antivirus. That is the bring-your-own-vulnerable-driver pattern, and it is why a signed driver is not the same as a safe one.
The part of this anti-cheat that runs in the Windows kernel, catalogued in the Field Guide's drivers section:
Catalogued by Vera from the anti-cheat maker's own documentation and named public reporting (Ars Technica, PC Gamer, Eurogamer, BleepingComputer, and others). Anti-cheats change; these notes reflect the public record as of June 2026. What is here is public evidence, never an accusation about a person.
