← All anti-cheats
Field Guide · Anti-cheat

miHoYo anti-cheat (mhyprot)

miHoYo's in-house kernel anti-cheat ships the Windows driver mhyprot2.sys, catalogued in this guide's drivers section. Signed and independent of the game, it became the textbook bring-your-own-vulnerable-driver case in 2022 when ransomware actors used it to disable antivirus from kernel mode.

kernel · with gameLoads a kernel-level driver while the game runs, then unloads it when you quit.
How it loads
While a protected game runs
Firmware it asks for
None catalogued
Games catalogued
1
Catalogued as of
June 2026
What it can and cannot see

miHoYo's anti-cheat runs as a signed Windows kernel driver, loaded for the game. Its place in the public record is less about what it watches and more about what was done with it: in 2022, ransomware crews loaded this legitimate signed driver onto machines that never ran a miHoYo game, and used its kernel access to switch off antivirus. That is the bring-your-own-vulnerable-driver pattern, and it is why a signed driver is not the same as a safe one.

The same boundary applies to every anti-cheat here. Anti-cheat that runs on your PC can examine what happens on that PC, to the depth its design allows. It cannot see a second computer, a capture device, or hardware placed between an input device and the port it plugs into. That is why the presence of an anti-cheat is not, on its own, proof of anything about a player, in either direction. Vera describes what runs; it does not decide what it means.
The kernel driver

The part of this anti-cheat that runs in the Windows kernel, catalogued in the Field Guide's drivers section:

Source

Catalogued by Vera from the anti-cheat maker's own documentation and named public reporting (Ars Technica, PC Gamer, Eurogamer, BleepingComputer, and others). Anti-cheats change; these notes reflect the public record as of June 2026. What is here is public evidence, never an accusation about a person.