
ThrottleStop blocked by windows security.

turl

Looks like Windows Defender / our company has decided that ThrottleStop is not safe.
Did you notice similar issues? Is there a way to somehow fix it?

 
@turl

Thanks for the info. Are you on Windows 11?

I use Windows Defender but my main computer is still running Windows 10 Pro. I manually checked and installed the most recent Defender Updates. I exited ThrottleStop after that and ThrottleStop restarted just fine without any complaints from Defender.

Is your computer part of a company network?

 
In the meantime I've got the following comment from our IT (it was a corp network, no access to add Defender exclusions).
"security has blocked the list of signed drivers which are being actively exploited by malware"

Maybe it's related to CVE-2020-14979, however I cannot get more info.

Currently I'm on 1.421.837.0 definitions (WIN10)
 
CVE-2020-14979
That CVE talks about the WinRing0 driver. ThrottleStop has not used the WinRing0 driver for years.

If your corporate IT department or Microsoft has decided to start blocking the ThrottleStop.sys driver, there is nothing I can do to solve that problem.

being actively exploited by malware
No one has ever contacted me about any malware that is actively exploiting the ThrottleStop.sys driver.

If I ever find out anything new, I will post it here. Defender will be gone the day that it starts blocking me from running ThrottleStop.

Edit - I was just reading about the latest Asus BIOS versions for their Z790 and Z690 motherboards.



It looks like Intel has been twisting some arms. Asus have removed the ability to toggle the C1E C state off from their recent BIOS versions. Users quickly found out that it was still possible to use ThrottleStop to disable C1E. Gamers and music creators love the reduced latency when the C states are disabled. Is this the real reason why the ThrottleStop.sys driver was suddenly put on the malware list? Who knows. The driver that ThrottleStop uses has been working flawlessly for more than 4 years without a single report of any exploits.
 
This is information I got from Microsoft support:

"We identified the vulnerable driver associated with ThrottleStop.exe – RwDrv.sys, part of RWEverything, a free utility that allows access to hardware components such as SPI flash memory chip states a system’s BIOS/UEFI firmware. We blocked this driver due to this vulnerability.
Here are some articles that further explain the vulnerability:
Threat Detection using Windows Defender Application Control (Device Guard) in Audit Mode | by Matt Graeber | Posts By SpecterOps Team Members
How To Remove HackTool:Win32/Rwdrv [Updated December 2024]"

I was able to get the info via: vulnerabledrivers@microsoft.com

Looks like this might become a wider issue when definitions are spread. The hint was that this is not a Defender rule but rather:
"ASR Rules is a different block than Windows Defender" - Attack Surface Reduction
 
Looks like this might become a wider issue when definitions are spread.
I agree. It could be lights out for ThrottleStop. It was fun while it lasted. :(

RwDrv.sys
ThrottleStop.exe uses the ThrottleStop.sys driver. This is not the same as the RwDrv.sys driver that RWEverything uses.

Currently I'm on 1.421.837.0 definitions (WIN10)
It is interesting that I am still able to run ThrottleStop while using the newer 1.421.843.0 Windows Defender definitions without any problems. Do you have full Administrator privileges for your account?

Thanks for contacting Microsoft. I will continue to look into this issue.
 
ThrottleStop.exe uses the ThrottleStop.sys driver. This is not the same as the RwDrv.sys driver that RWEverything uses.
I think an older version of TS used that driver? Maybe MS just blocked TS and assumed all builds use the same driver?
 
Sounds like a custom defender rule added by the OP's Company rather than MS?
 
Sounds like a custom defender rule added by the OP's Company rather than MS?

No, any settings that are enforced by the security system or through group policy show as managed by organization on Windows 11's control panel. Microsoft has been really hard at work hardening (pun intended) Windows, if I remember correctly, the Local Security Authority system will enforce vulnerable driver protection if credential guard, core isolation, memory integrity check and/or app control are enabled in Windows Security, the operating system will completely refuse to load these drivers. It is the default behavior on all officially supported hardware and in new installs of Windows 11, this is why Microsoft has been pushing for modern hardware that supports TPM, virtualization extensions, etc. - the modern Windows security architecture relies on these things.

The result is that software like ThrottleStop, which is designed to access hardware registers at a relatively low level, becomes a huge no-no under these conditions.
 
I think an older version of TS used that driver?
Maybe. It is all a blur now. That was 15 years ago!

I think all of the versions before TS 9.0 were using the WinRing0 driver which has some known security issues. There have been no complaints since the WinRing0 driver was replaced by the ThrottleStop.sys driver.

Here is some info about Attack Surface Reduction. There might be a solution hiding in there.

Not sure if you can convince your IT department to make an exception for ThrottleStop.sys

If you cannot run ThrottleStop, you are going to miss out on a Christmas surprise. Lots of new features are finally done including per profile power limits, per profile Speed Shift Min and Max values, per profile PROCHOT Offset values as well as V/F Tuning for the unlocked K and HX CPUs. Intel should thank me for the work I do.

A little off topic but I am seeing a lot of :love: on the horizon for this new version.

 
Just for kicks, I loaded up a fresh copy of Windows 11 Pro on a modest office rig with an i5-12400. Nothing but Windows with all updates and drivers coming from Windows Update. Defender updated too. I disabled virtualization based security and core isolation memory integrity. Then downloaded and ran TS 9.6. Was able to monitor and disable/enable things. Windows Defender did not try to eat it or block it in any way.

I'll leave it running for a while to see if it tries to eat it, but so far, I haven't been able to get Defender to block it.
 
Maybe Attack Surface Reduction is some extra functionality, enabled only on corporate PCs by IT using group policy.

"To use the entire feature-set of attack surface reduction rules, you need:
  • Microsoft Defender Antivirus as primary AV (real-time protection on)
  • Cloud-Delivery Protection on (some rules require that)
  • Windows 10 Enterprise E5 or E3 License"
 
I suspect libraries are going to get this, because of all the malicious-hacker-activity lately.
 
I was curious so had a look with W11 Pro. Downloading Windows latest driver vulnerability list (Dec 16th) didn't show throttlestop.sys but there were a few Winring0 entries and one IIRC rweverything driver. Seems messy and don't get the nice report seen with your system @turl.

Here's a custom setting denying / blocking GPUZ.
blocked.png

If GPUZ didn't report (likely GetLastError) then probably have to dig into the Event Viewer.

Personally I like access to my HW so won't be using that especially as I have nothing interesting.
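
Added example, not part of any post in this thread: the replies above point at three different mechanisms (an Attack Surface Reduction rule, the vulnerable driver blocklist enforced alongside memory integrity, and the Event Viewer logs that record a block). The PowerShell below reports the state of each on the local machine; the rule GUID, registry value and event IDs come from Microsoft's documentation rather than the thread, and `Get-RegValue` is a helper defined here.

```powershell
# Added example. Run from an elevated PowerShell prompt on the affected machine.

# Helper (defined here): read one registry value, $null if it is absent.
function Get-RegValue($Path, $Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# 1. ASR rule "Block abuse of exploited vulnerable signed drivers".
$asrRuleId   = '56a863a9-875e-4185-98a7-b882c64b5ce5'
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$mp          = Get-MpPreference
$ids         = @($mp.AttackSurfaceReductionRules_Ids)
$asrState    = 'Not configured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -eq $asrRuleId) {
        $asrState = $actionNames[[int]$mp.AttackSurfaceReductionRules_Actions[$i]]
    }
}

# 2. Microsoft vulnerable driver blocklist switch and memory integrity (HVCI).
$blocklist = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
                          'VulnerableDriverBlocklistEnable'
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard
$hvciRunning = $dg.SecurityServicesRunning -contains 2   # 2 = HVCI running

# 3. Block/audit events from the last 7 days.
#    1121/1122 = ASR rule block/audit; 3077/3076 = code integrity policy block/audit.
$since = (Get-Date).AddDays(-7)
$asrEvents = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id = 1121, 1122; StartTime = $since })
$ciEvents = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id = 3076, 3077; StartTime = $since } |
    Where-Object { $_.Message -match '\.sys' })   # keep driver-related entries

# Summary, then the most recent matching events with their full messages.
[pscustomobject]@{
    AsrVulnerableDriverRule = $asrState
    DriverBlocklistEnabled  = $blocklist
    MemoryIntegrityRunning  = $hvciRunning
    AsrEvents7d             = $asrEvents.Count
    CodeIntegrityEvents7d   = $ciEvents.Count
}
$asrEvents + $ciEvents | Sort-Object TimeCreated -Descending |
    Select-Object -First 10 TimeCreated, Id, Message | Format-List
```

The event messages name the file that was refused, which shows whether the block hit ThrottleStop.sys, RwDrv.sys or a WinRing0 driver.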
 
Fairly long time ThrottleStop user - I had Defender stopping my ThrottleStop as well. I suddenly received the error msg at startup - driver could not be started, I/O error. I couldn't even start ThrottleStop by double clicking the exe. After some experimentation, Defender was the culprit (disabling Defender allows starting ThrottleStop). For me, it wasn't even enough to add the ThrottleStop folder as an exclusion - I had to specifically add the process to the exclusion (Defender=>Add an exclusion=>Process). At least this seems to have resolved the issue. I assume it was related to this update: KB2267602 (Version 1.421.1418.0).
 
ThrottleStop was blocked by BitDefender
If you need to run ThrottleStop you will need to find a new antivirus program or add ThrottleStop to Bitdefender's safe list if it has one.

I am running Windows 11 - 23H2 on my laptop while using the default Windows Defender antivirus program. ThrottleStop starts and runs without any problems.
 
Here is a user who finally had to give up trying to run ThrottleStop with Bitdefender installed.

 