Riot's Vanguard is considered the most aggressive anti-cheat in gaming. Understanding how it works reveals exactly why external tools bypass it.
Kernel-Level Access
Vanguard installs a kernel driver (vgk.sys) that loads at boot — before any cheat could start. It runs at Ring 0, the same privilege level as Windows itself. This gives it visibility into every process, driver, and memory operation on your system.
What Vanguard Scans
- Process Memory: Scans game process for injected DLLs, detours, and hooks
- Driver Stack: Blocks unsigned or suspicious kernel drivers
- System Calls: Monitors NtReadVirtualMemory, NtWriteVirtualMemory for unauthorized access to Valorant's process
- Hardware IDs: Tracks HWID for ban enforcement across accounts
- Hypervisor: Detects virtualization-based cheats
What Vanguard Cannot See
Vanguard monitors interactions with the game process. It does not — and cannot — monitor every Windows API call on your system. Standard operations like screen capture (DXGI), mouse input (SendInput), and audio analysis (WASAPI) are used by thousands of legitimate applications. Blocking them would break OBS, Discord, Spotify, and every streaming tool.
This is the fundamental gap that external tools exploit. Skyrant reads pixels via DXGI, runs AI inference via WinML, and moves the mouse via standard input APIs. From Vanguard's perspective, it's indistinguishable from a legitimate application.