Information

Context flags - system state, identifiers, and benign activity captured during the scan.
21 flags
Accounts & Identity 3
Info Minecraft

Minecraft Account

Lists Minecraft usernames associated with the user's launcher data. Useful for cross-referencing the player you're checking against the accounts they actually own.

Info FiveM / Siege / DayZ

Steam Account

Shows the Steam ID, account ID and username found in the user's local Steam state, so you can confirm which account the PC belongs to.

Info Siege

R6 Account Uplay ID

Outputs the Uplay account ID linked to Rainbow Six Siege on this PC. Helpful when checking that the account being scanned is the one actually playing.

System Snapshot 5
Info

Serial Number

The hardware serial number reported by the system. Useful for spoofer detection when combined with other hardware fingerprints across multiple scans of the same user.

Info

Windows Installed

When the current Windows install was first set up, with an "X ago" elapsed time. Compare with install-related warnings to spot factory resets or spoofed install dates.

Info

User Logon Time

Timestamp of when the current user signed in. Acts as the anchor for any flag labelled "Since Logon" - anything after this time happened during the active session.

Info

Scan Time

When the scan itself started. Combined with logon time and process start times, this lets you build a quick timeline of what happened in the session before checking began.

Info

Process Start Times

Start timestamps for key processes (Explorer, Lsass, and the relevant game client - e.g. Javaw for Minecraft, FortniteClient for Fortnite). Used to verify a process actually ran during the session and to compare against artifacts that reference those processes.

File & Device Activity 7
Info

File Transferred Over Anydesk

A file name found in the local Anydesk transfer history. Bypass providers often use Anydesk to drop cheats onto a user's PC, so this is useful context when investigating remote-assistance abuse.

Info

Deleted Exe

A log of executables that have been deleted at some point. Some entries include the original path, others only the file name - depending on what artifact still has a record of it. Useful for spotting cleanup before a check.

Info

Downloaded / Saved File

A file the user downloaded or saved that is either unsigned, missing on disk, or otherwise notable. Use it alongside browser download history to confirm where a file originated.

Info

Crashed File Not Present

A program that crashed in the past but is no longer on disk. Common for one-shot loaders or cheats that wipe themselves after running.

Info

Malicious File (Defender History)

A file Microsoft Defender has previously flagged on this PC, along with when it was seen. Many cheats and bypass loaders are detected by Defender first, so this often hints at past cheating attempts.

Info

Device Removed Before / After Logon

USB / PnP devices that were disconnected, separated by whether removal happened before or after the user signed in. Look up any unfamiliar vendor & device IDs at devicehunt.com - this is one of the easiest ways to spot hidden DMA or bypass hardware being unplugged before a check.

Info

Disk Partition Created

A disk partition has been created on this system. Often benign, but new partitions are sometimes used to host cheats in an isolated location that's easy to delete later.

System State 6
Info

Proxy / VPN Not Found

No proxy or VPN connection was detected during the scan. Acts as an explicit "all clear" so you know the network-side check ran successfully.

Info

Kernel DMA Protection Disabled

The OS reports that Kernel DMA Protection (DMA Guard) is off. This is normal on many older PCs, but when DMA Guard is enabled it blocks several DMA attack surfaces - useful context when paired with DMA warnings.

Info

CrashDump Folder Not Present

The system crash dump folder is missing. Some users delete it to remove traces of cheats that crashed; others simply have it disabled via an optimizer. Treat as a hint, not proof.

Info

Cleared Event Log Before Logon

An event log channel was cleared before the user signed in. Without context this is just noise - but mass clears or clears of System / Security logs are worth investigating.

Info

Browsing History Cleared Recently

A browser had its history cleared within a recent window. By itself, harmless; combined with "downloaded file" or "visited website" warnings that are missing entries, it can show the user cleaned tracks before the check.

Info

Time Change

The user changed their system clock. Often harmless, but useful evidence when timestamps on other artifacts look impossible - a manually-shifted clock is a common bypass aimed at making cheat activity appear to fall outside the session window.

Info Fortnite only

OpenSavePidlMRU Cleaned

The "recently opened files" registry list has been wiped. Treated as Info on Fortnite builds and as a Warning elsewhere - a common bypass attempt to hide which files were recently opened.

Warning

Usually suspicious behaviour that needs a closer look. Not immediately bannable on its own, but should be reviewed - especially in combination with other flags.
63 flags
BAM & Install Date 4
Warning

BAM Stopped / Restarted / Paused / Offline

The Background Activity Monitor driver is in an unusual state. BAM tracks what the user has executed; disabling or pausing it is a known approach to weaken execution logging before a check.

Warning

BAM Has Been Cleaned

Heuristics indicate the user has wiped their BAM data. A common bypass to erase the record of recently-run programs.

Warning

Deleted BAM Key

An individual BAM key was removed. Targeted deletions are often used to hide a specific program rather than clearing the whole record.

Warning

Spoofed Windows Install Date

The reported Windows install date doesn't line up with other system evidence. Used as a bypass after a factory reset to make the install look older than it is.

EventLog Tampering 4
Warning

Cleared Event Log Since Logon

An event log was cleared during the current session. Less critical channels appear here as a warning; the System log being cleared escalates to a Detection.

Warning

Eventlog Set To Read Only

An .evtx log file has been flipped to read-only, which prevents Windows from writing further events into it. A common way to silently freeze logging without producing a "clear" event.

Warning

Eventlog Read-Only (Deleted Exe artifact)

The same read-only eventlog tampering is also visible through deletion artifacts. Confirms the user actively changed log permissions to stop new entries.

Warning

Eventlog File Renamed

An eventlog file was renamed off its expected name. Another way to detach a log channel from the service without producing a clear event.

USN Journal & FAT Drives 8
Warning

USN Journal Size Modified

The USN Journal max size has been shrunk well below normal. Tiny journals overwrite themselves within minutes, hiding deleted-file history that would otherwise be visible.

Warning

USN Journal Not Present On Drive

A drive that should have a USN Journal doesn't. Either the journal has been actively deleted, or the volume has been intentionally formatted in a way that doesn't keep one - both are deliberate moves to remove forensic record-keeping for that drive.

Warning

WindowsDB File Cleaned

A Windows database artifact has been wiped via journal entries. Used to hide which programs were executed or registered on the system.

Warning

Activitiescache Artifact Cleaned

The Windows Timeline / activities cache has been cleaned out, removing one of the longer-lived records of recent user activity.

Warning

Junction Deleted

An NTFS junction has been removed. Junctions are sometimes used to host cheats in a "side" location that the USN Journal handles separately, allowing deletions inside the junction to slip past normal recovery.

Warning

Found FAT Drive

A FAT-formatted drive is attached to the system. FAT has no USN Journal, so it is sometimes intentionally used as a "no-record" landing zone for cheats.

Warning

File On FAT Drive Modified

A file on a FAT-formatted drive has been modified. Because FAT lacks USN Journal coverage, this is treated as a tampering signal in its own right.

Warning

FAT Drive File Replaced / Renamed

Specific file-level modification on a FAT drive (replace / rename). Useful for narrowing down exactly which file was touched, since FAT won't surface this through the USN Journal.

File Execution Indicators 8
Warning

Not Signed File Executed

A file with no valid code signature was executed during this session. Most legitimate software is signed; unsigned binaries are common for loaders, cracked builds and homemade tooling.

Warning

File Ran With Modified Extension

A PE (executable) file was launched under a non-executable extension (for example renamed to .pdf). Mostly used to disguise cheats and avoid casual file-type filtering.
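A file-at-rest version of this check, as an added example (not the scanner's own code): it flags files whose content starts with a valid MZ/PE header but whose extension is not in an assumed list of executable extensions. The extension list, function names and sample files are constructed for illustration, and the check looks at files on disk rather than at execution records.

```python
import struct
import tempfile
from pathlib import Path

# Assumed list of extensions that are expected to hold PE images.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".com", ".cpl", ".ocx", ".drv", ".efi"}


def is_pe_file(path: Path) -> bool:
    """True if the file has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    try:
        with path.open("rb") as fh:
            dos = fh.read(0x40)
            if len(dos) < 0x40 or dos[:2] != b"MZ":
                return False
            # e_lfanew: 32-bit little-endian offset of the PE signature.
            (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\x00\x00"
    except OSError:
        return False  # unreadable files are skipped, not flagged


def find_disguised_pe(root) -> list:
    """Return paths under root that are PE images with a non-executable extension."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.suffix.lower() in EXECUTABLE_EXTS:
            continue  # a PE with an executable extension is expected
        if is_pe_file(path):
            hits.append(path)
    return hits


def make_pe_stub() -> bytes:
    """Constructed sample: the smallest byte layout that passes the header test."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"PE\x00\x00" + bytes(20)


def demo() -> list:
    """Build a constructed directory and return the names that get flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "invoice.pdf").write_bytes(make_pe_stub())           # PE renamed to .pdf
        (root / "tool.exe").write_bytes(make_pe_stub())              # PE, honest extension
        (root / "manual.pdf").write_bytes(b"%PDF-1.7\n" + bytes(200))  # real PDF magic
        (root / "notes.txt").write_bytes(b"MZ" + b"A" * 200)         # MZ text, bogus e_lfanew
        return [p.name for p in find_disguised_pe(root)]


if __name__ == "__main__":
    for name in demo():
        print("PE content under non-executable extension:", name)
```

Checking the PE signature at `e_lfanew`, not just the `MZ` bytes, keeps text files that happen to begin with "MZ" out of the results.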

Warning

File Executed From Different Drive

Lists every file that was executed from a drive other than the system (C:) drive. Doesn't necessarily mean anything malicious - it surfaces anything launched from a secondary, external, or removable volume so you can review where the file actually came from.

Warning

Suspicious File Ran As Administrator

An unusual file was executed with administrator privileges during this session. Many bypasses require elevation, so this is a useful narrowing signal.

Warning

Executed .bat / .cmd File

A batch script was executed. Batch is a popular wrapper for bypass automation (registry edits, log cleaning, service kills). Compare with the script's location and other artifacts.

Warning

Executed Python File

A Python script was executed. Many recent bypasses are shipped as Python utilities; Python on a gaming PC is also less common than batch / PowerShell, so it stands out.

Warning

Not Found Executed Python File

A Python script was executed during this session but is no longer on disk - meaning it ran and was cleaned up afterwards. Worth investigating since legitimate Python usage almost never deletes itself after running.

Warning

Possible AHK Bypass Script Found

An AutoHotkey script with bypass-style content was found. AHK scripts are often paired with macros and small input automations, but specific patterns suggest bypass intent.

PowerShell Activity 3
Warning

Powershell Eventlog Max Size Modified

The maximum size of the PowerShell event log has been changed. Shrinking it forces history to roll over almost immediately, hiding recent PowerShell activity.

Warning

Possible Suspicious Powershell Command

A PowerShell command was found in the user's command history that matches patterns typically used for tampering, downloading, or running encoded payloads. Worth reading the command verbatim before deciding intent.

Warning

Potentially Malicious Powershell Profile

The user has a non-standard PowerShell profile script - PowerShell runs this automatically on every launch. Profiles are sometimes used to silently re-arm bypasses or auto-execute scripts at startup.

Generic Bypass Indicators 18
Warning

Disk Volume Without Drive Letter

A disk volume is mounted with no drive letter assigned. Sometimes a legitimate recovery / system partition, but it is also a common hiding spot for cheats since the volume doesn't appear in Explorer.

Warning

Prefetch Files With Duplicate Hash

Users sometimes overwrite the contents of a real prefetch file with the contents of another one, using a type or echo command. Doing so wipes what the original prefetch entry would have told us about what actually ran, replaces it with the data of a different (innocent) prefetch, and leaves the file in place so it still looks like a legitimate prefetch entry. Duplicate hashes between two prefetch files are the giveaway that this swap has happened.

Warning

Suspicious Alternate Data Stream

An NTFS Alternate Data Stream contains unusual content. ADS streams are invisible in normal file listings and are sometimes used to store cheat data attached to an innocent file/folder.

Warning

Hosts File Modified

The Windows hosts file has been tampered with. Sometimes legitimate (ad-blocking), but also used to redirect game / anti-cheat traffic for man-in-the-middle style bypasses.

Warning

Service Is Not Running

A service the scanner expects to be active isn't running. Many bypasses disable specific Windows services to weaken their logs - though optimizers also commonly disable some of these.

Warning

Service Has Been Restarted

A relevant service was restarted during the session. Restarts can be benign, but they're also used to flush in-memory artifacts before a check.

Warning

Recycle Bin Modified

The recycle bin contents have changed. Often benign, but emptying it right before a check is a low-effort way to hide deleted-file traces.

Warning

Disk Partition Deleted

A disk partition was deleted. Pairing this with "Disk Partition Created" can show a user who staged a cheat on a side partition and then removed it.

Warning

Virtual Disk Deleted

A virtual hard disk file (VHD / VHDX) was removed, with an indication of whether it happened before or after logon. VHDs are a popular way to launch cheats from an isolated container that can be discarded.

Warning

Suspicious Autoruns File

An autorun entry (Run keys, AppInit DLLs, KnownDLLs, Winlogon notifications, etc.) points to an unusual executable. Tagged either "Since Logon", "Before Logon", or "Modified" depending on when the entry was last touched.

Warning

Suspicious WMI Instruction Found

A WMI persistence / execution pattern matches known bypass tooling. WMI is a stealthy execution path that leaves very few traditional artifacts.

Warning

Suspicious Task / Suspicious Task With Script

A scheduled task has unusual properties - for example, an in-line script body or a payload outside expected directories. Task Scheduler is a popular launcher for bypasses because it leaves minimal classic execution artifacts.

Warning

Folder Mapped To External Drive

A folder is pointed at an external drive that's no longer attached, or does not have a drive letter. Often used to keep cheat data outside the scanned filesystem while still being usable when the drive is plugged back in.

Warning Beta Fortnite / FiveM / Siege / FreeFire

Possible HDMI Fuser Detected

The PC's display connection looks inconsistent with what a normal monitor would report. HDMI fusers are external devices used to "merge" a second PC's video output - ask the user to record the cable run from PC to monitor.

Warning Beta Fortnite / FiveM / Siege / FreeFire

Possible Spoofed DMA Found

A device's firmware fingerprint looks like a known DMA card trying to present itself as something else. Treated as a warning rather than a hard detection because spoofing is, by definition, designed to fool the check.

Warning

Secure Boot Disabled

EFI firmware reports Secure Boot is off. Common with custom or modified bootloaders and several kernel-level bypasses.

Warning

NVIDIA Streamproof Bypass (Registry Modified)

NVIDIA ShadowPlay registry values were modified. A common change to make cheat overlays invisible to ShadowPlay recordings.

Warning

Proxy / VPN Found

A proxy or VPN connection was detected. Worth knowing if the user is hiding their network location during the check.

In-Process Memory Discoveries 13
Warning

Previously Injected DLL

A DLL has been injected into some process at some point in the past. Some entries are only file names, so use a disk search tool like "Everything" to find the matching file on disk.

Warning

PE Injection Out Of Instance

Evidence that a cheat was previously PE-injected into a common Windows utility (Notepad, OSK, Calculator, PowerShell, etc.). Strong indicator of prior cheating, even if the cheat is long gone.

Warning

App With Suspicious Data Usage (PE Injection)

An application is showing data-usage patterns inconsistent with what it normally does. Sometimes a sign of PE-injected cheat code talking to a remote endpoint inside a legitimate process.

Warning

Discord Account

Discord usernames / IDs found in local Discord state. Useful for matching the user to accounts associated with cheat communities.

Warning

Custom String Found

A custom string supplied to the scanner (via the dashboard) was found somewhere on the PC. Lets server-side checks add their own keywords without redeploying the client.

Warning

Found In Dnscache

A name / keyword was found in the DNS Client Service memory, meaning a cheat-related host was looked up recently - even if the corresponding browser history has been cleared.

Warning

Found In Browser Memory

Cheat / bypass strings located inside live browser process memory (Chrome, Edge, Brave, Opera, Vivaldi, Firefox). Catches things the user visited that no longer appear in their history.

Warning

Found In Registry

A cheat-related string or YARA match was found inside the registry. Some bypasses load their cheat payload entirely from the registry so it never has to sit on disk - this catches that pattern, as well as residual registry entries left behind after a cheat's actual files have been deleted.

Warning Minecraft

Potential JAR Client Found

Indicators of a third-party Minecraft JAR client being launched, including bypass paths used to side-load JARs that wouldn't show up in the normal launcher list.

Warning Minecraft

Unknown Minecraft Game Instance

The Minecraft instance the user is running isn't recognised as one of the common PvP clients. Worth a closer look - non-standard or repackaged launchers are a common way to ship pre-loaded cheats.

Warning

Custom Amcache Hash Found / Not Found

A server-supplied file hash was found (or was previously found but is gone now) in the Windows Amcache. Lets you add your own cheat signatures from the dashboard without a client update.

Warning

Possible Suspicious File (YARA)

A generic YARA rule has matched a file on disk that looks suspicious but isn't a confirmed named cheat. Often used to surface custom or unknown loaders.

Generic File Tampering 5
Warning

Prefetch File Typed / Modified

A prefetch file has been manually written or modified. Used to fake execution evidence for a non-existent program, or to overwrite an entry that would otherwise reveal a cheat.

Warning

ICACLS.EXE Used

icacls.exe - the Windows permissions editor - was executed. Frequently used in bypass scripts to lock the user out of, or unlock access to, sensitive directories and log files.

Warning

Amcache Cleaned

Evidence the Windows Amcache (a long-lived record of executed programs) has been cleaned. One of the most common targets for bypasses because it's normally hard to clear.

Warning FiveM

Deleted / Edited RPF

A FiveM .rpf game asset file was deleted or modified. RPF tampering is a known route for client-side modifications.

Warning

Suspicious Crashed File

A program that crashed during the session looks suspicious (unsigned, oddly placed, etc.). Crashes are often the cleanest record of an otherwise self-deleting cheat.

Website & Download Activity 2
Warning

User Visited Website

A URL associated with cheats or bypasses appears in the user's browser history. The actual URL is included so you can see exactly what was visited.

Warning

File Downloaded

A file was downloaded from a source flagged as cheat / bypass related (or Discord). Includes the file path and (when available) the source URL.

Detection

High-confidence evidence of cheating, active bypasses, or tampering - these are the actionable findings.
48 flags
Scan Environment 1
Detection

Test Signing Is Enabled

The system is running with Test Signing mode on, which lets unsigned kernel drivers load. This essentially neuters several driver-level integrity checks - when this is on, the scan stops early because the environment isn't trustworthy.

This flag terminates the scan; other detections will not run.
USN Journal Tampering 5
Detection

USN Journal Modified / Cleared

The USN Journal - the running record of file changes on an NTFS volume - was modified or cleared. This is one of the strongest signals of intentional anti-forensic cleanup.

Detection

USN Journal Modified (Application)

USN Journal tampering surfaced through a specific application-level event - confirms the journal was modified by a user-mode tool rather than incidentally by normal disk activity.

Detection Minecraft

USN Journal Bypass Folder Found

A folder structure characteristic of known USN-journal bypass tools was found on the system.

Detection

Cheat / Bypass File Trace (USN Journal)

A file name matching a known cheat or bypass family was created on, modified on, or deleted from disk - surfaced from the USN Journal even though the file itself may be gone. The specific cheat name is included in the message, and the catalogue is tuned per game build.

Prefetch Bypasses 8
Detection

Prefetch Folder Is Not Present

The Windows Prefetch folder - which logs which executables have run - is missing entirely. Some optimizers disable prefetch, but in the context of a check this is almost always an active bypass.

Detection

Manually Deleted Prefetch File

A specific prefetch file was manually deleted, which is unusual: prefetch normally only rolls over on its own. Targeted deletions imply hiding a specific program.

Detection

EnablePrefetcher Key Missing

The registry value that controls prefetch has been removed entirely - another way to stop execution tracking without obviously "turning prefetch off".

Detection

EnablePrefetcher Not Enabled

The prefetch registry value is present but switched off.

Detection

EnablePrefetcher Modified & Re-Created

The prefetch registry value was modified or deleted and then put back. A telltale of a script that disabled prefetch long enough to run something, then restored the value.

Detection

Prefetch File Set To Read Only

A prefetch file is flipped to read-only, which prevents Windows from updating or removing the entry - a common way to "freeze" what's recorded.

Detection

FileInfo.sys Driver Modified

FileInfo.sys - the kernel driver behind SysMain / Prefetch - has been modified.

Detection

FileInfo.sys Driver Disabled

The same kernel driver has been outright disabled, killing the data feed prefetch relies on.

EventLog Exploits 3
Detection

Cleared Event Log Since Logon (Critical)

A critical event log channel (such as System) was cleared during the current session. Critical channels record kernel, driver and service-level events that are essential for forensic review - intentional clearing here is treated as active tampering rather than routine maintenance.

Detection

Eventlog Exploit Found

An eventlog exploit pattern was found - i.e. someone actively interfered with how Windows stores or processes event log records.

Detection

Powershell Exploit Found

ScriptBlockLogging has been disabled via the registry, which is a known way to silence PowerShell command history. There is no normal reason for a user to do this.

File Handler Bypasses 1
Detection

File Handler / Extension Hijack Bypass

Certain Windows file extensions - such as .cpl, .msi, .reg and .inf - can be hijacked so that launching what looks like a legitimate file actually runs a cheat instead. For example a user opens appwiz.cpl expecting the Add / Remove Programs panel, but because the handler for that file has been tampered with, it silently launches a cheat. This flag fires when one of these handlers has been modified to act as a covert bypass launcher.

Task & Service Tampering 3
Detection

Task Scheduler Bypass Found

A scheduled task was created, executed, and then deleted - a classic "fire and forget" bypass pattern that avoids leaving the task behind for inspection.

Detection

Service Terminated (Bypass Attempt)

A service the scanner expects to be alive was forcibly terminated. Service termination is a strong indicator of an active bypass trying to silence a specific check.

Detection

Suspended Thread

A specific worker thread in a relevant process has been suspended. The service appears to be running, but the suspended thread means parts of its work have effectively been stopped.

Memory & Code Injection 4
Detection

DLL Hijacking Detected

A legitimate file expected to be loaded by a Windows process has been replaced with another binary. The replacement DLL then runs with the trust level of the original.

Detection Minecraft

Minecraft Memory Maliciously Modified

Specific Minecraft memory regions have been altered in a way only a cheat injection can produce. No normal mod or client should cause this pattern.

Detection FiveM

FiveM Injector / Process Tampering

A file has attached to or interfered with the FiveM process - either obtaining read / write access to it, or directly injecting into it. Either way, the file has actively assisted with or itself performed an injection into the running game. The flag fires whether the file is still on disk or has since been deleted.

Hardware Detection 10
Detection Beta Fortnite / FiveM / Siege / FreeFire

DMA Found

A DMA card (or a device whose vendor / device IDs match a known DMA card) was detected. DMA cards allow a second PC to read game memory directly - this is a high-confidence cheat hardware finding.

Detection Beta Fortnite / FiveM / Siege / FreeFire

DMA Found (Known Vendor)

A more specific variant for DMA hardware that matches a known vendor. The vendor name is included in the message.

Detection

IOMMU Hardware Block Detected

The IOMMU is reporting a blocked DMA access - in plain terms, the firmware caught something trying to do a DMA the OS didn't authorise.

Detection Fortnite / FiveM / Siege / FreeFire

HDMI Fuser: Invalid EDID Size

The connected display's EDID data has a non-standard size. Real monitors report a fixed-format EDID; fusers and display emulators commonly mess this up.

Detection Fortnite / FiveM / Siege / FreeFire

HDMI Fuser: Invalid EDID Checksum

The connected display's EDID block reports an invalid checksum. Real monitors ship with a correctly-checksummed EDID - a bad one strongly suggests a fuser or display emulator is sitting in line between the PC and the actual monitor.
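What "invalid EDID size" and "invalid EDID checksum" mean at the byte level, as an added example (not the scanner's own code, whose exact rules the page does not give). It follows the standard EDID layout: 128-byte blocks, a fixed 8-byte header, the extension count in byte 126 of the base block, and a final byte in each block that makes the block's byte sum 0 modulo 256. The sample blobs are constructed.

```python
from typing import List

EDID_BLOCK = 128
EDID_HEADER = bytes([0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00])


def block_checksum_ok(block: bytes) -> bool:
    """A block is valid when all 128 bytes sum to 0 modulo 256."""
    return len(block) == EDID_BLOCK and sum(block) % 256 == 0


def check_edid(raw: bytes) -> List[str]:
    """Return a list of findings for a raw EDID blob; empty means it looks sane."""
    if len(raw) < EDID_BLOCK:
        return [f"invalid size: {len(raw)} bytes, shorter than one 128-byte block"]

    findings = []
    base = raw[:EDID_BLOCK]
    if base[:8] != EDID_HEADER:
        findings.append("invalid header in base block")

    # Byte 126 of the base block declares how many extension blocks follow.
    ext_count = base[126]
    expected = EDID_BLOCK * (1 + ext_count)
    if len(raw) != expected:
        findings.append(
            f"invalid size: {len(raw)} bytes, base block declares "
            f"{ext_count} extension(s) = {expected} bytes"
        )

    # Verify the checksum of every complete block that is present.
    for index in range(len(raw) // EDID_BLOCK):
        block = raw[index * EDID_BLOCK:(index + 1) * EDID_BLOCK]
        if not block_checksum_ok(block):
            findings.append(f"invalid checksum in block {index}")
    return findings


def build_block(body: bytes) -> bytes:
    """Constructed-sample helper: pad to 127 bytes and append the checksum byte."""
    padded = body.ljust(EDID_BLOCK - 1, b"\x00")[:EDID_BLOCK - 1]
    return padded + bytes([(-sum(padded)) % 256])


# Constructed samples (not captured from real hardware).
GOOD = build_block(EDID_HEADER)                               # base block only
BAD_SUM = GOOD[:-1] + bytes([GOOD[-1] ^ 0xFF])                # checksum byte corrupted
TRUNCATED = GOOD[:100]                                        # cut short
BASE_WITH_EXT = build_block(EDID_HEADER.ljust(126, b"\x00") + b"\x01")
TWO_BLOCKS = BASE_WITH_EXT + build_block(b"\x02\x03")         # base + one extension

if __name__ == "__main__":
    samples = [("good", GOOD), ("bad checksum", BAD_SUM), ("truncated", TRUNCATED),
               ("missing extension", BASE_WITH_EXT), ("two blocks", TWO_BLOCKS)]
    for name, blob in samples:
        print(f"{name}: {check_edid(blob) or 'ok'}")
```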

Detection Fortnite / FiveM / Siege / FreeFire

HDMI Fuser: Unusually Low Resolution

The detected display reports a resolution that no real consumer monitor would report. Strong indicator of a fuser device sitting in line.

Detection

NVIDIA Driver Patched

An NVIDIA display DLL has been modified in a way that's consistent with a known overlay bypass. The DLL is supposed to be vendor-signed and untouched.

Detection

NVIDIA Streamproof Bypass (Tampered)

ShadowPlay / Streamproof registry values have been tampered with in a way the NVIDIA driver would never produce on its own. Indicates an active bypass aimed at hiding cheat overlays from in-game recordings.

Detection

EFI Bypass: Secure Boot Mismatch

The registry claims Secure Boot is enabled, but the firmware itself disagrees. This kind of mismatch is a hallmark of EFI-level bypasses.

Detection

EFI Bypass: Fake PolicyPublisher GUID

A fake PolicyPublisher GUID is present in firmware variables - another EFI-level tampering pattern.

Cheat Execution Evidence 7
Detection

Cheat Signed File Executed

A file signed with a certificate associated with cheat / bypass distribution was executed during this session.

Detection

Fake Signed File Executed

A file with a forged or non-verifying signature was executed. No legitimate vendor ships software in this state - this is bypass tooling.

Detection FiveM / Siege / DayZ

Hidden Cheat Detected

A cheat that has tried to hide itself was identified through indirect evidence. The cheat file may be deleted or obfuscated, but the indicators remain.

Detection FiveM / Siege / DayZ

AI Cheat Detected

An AI-assisted aim / target cheat was identified. These tools usually wrap themselves around the game externally rather than injecting, which makes the indicator set different from traditional cheats.

Detection

Cheat Ran Since Logon

A specific named cheat / bypass / cleaner was found to have run during the current session, traced through service memory artifacts. Sometimes only the file name is recoverable - use a disk search like "Everything" to locate the file.

Detection

Malicious Mouse Script Found

A Lua script on the mouse / its software was identified as a known recoil or aim script. These run on the mouse itself, outside the PC's normal anti-cheat surface.

Detection Minecraft

Potential Malicious JVM Argument Found

A Java VM argument in the user's Minecraft launch profile matches patterns used to side-load cheats into the JVM.

Cheat Discovery in Memory 6
Detection

Cheat Found In Lsass.exe

lsass.exe retains traces of outbound network connections. If a recognised cheat-related endpoint shows up here, a file on the PC has talked to a cheat backend - treated as actionable evidence.

Detection

Cheat Found In PcaSvc

The Program Compatibility Assistant Service keeps short-lived in-memory traces of executable headers. When other artifacts have been wiped, PcaSvc can still catch a cheat that ran.

Detection

Cheat Found In Explorer.exe

A cheat name was found in Explorer's process memory. Explorer tends to keep this data alive until the next restart (and sometimes longer), so it catches cheats that were already deleted from disk.

Detection Roblox

Cheat Found In RobloxPlayerBeta.exe

A cheat-related string was found inside the live Roblox game process. Direct evidence of cheating in the current Roblox session.

Detection

Cheat Found In Windows Service Memory

The scanner inspects the in-memory state of a range of Windows services and integrations (SysMain, DiagTrack, DPS, SgrmBroker, Task Scheduler, AppInfo, MpsSvc, DusmSvc, CryptSvc, Logitech G HUB, Discord, EventLog, Taskhostw, Sihost, RuntimeBroker, PowerShell, and game / launcher processes). A match here means a known cheat-related string was found in that process's memory.

Detection

Custom String Found (Detection)

The Detection-level variant of "Custom String Found" - raised when a server-supplied keyword matches inside a process memory region or scan target marked as high-confidence.

Cheat Discovery On Disk 4
Detection

Cheat Hash Found On PC (Amcache)

A file hash matching a known cheat / bypass appears in the Windows Amcache and the file is still present on disk. Strong, durable evidence - Amcache is one of the hardest artifacts to clean.

Detection

Cheat Hash Not Found On PC (Amcache)

A file hash matching a known cheat or bypass appears in the Windows Amcache but is no longer on disk - the user has since deleted it. The Amcache record survives long after deletion, so this still proves the file was on the PC at some point.

Detection

Custom Amcache Hash (Detection)

The detection-level variant for server-supplied hashes - lets you push your own high-confidence file hashes from the dashboard and have them flagged like a built-in cheat signature.

Detection

Named Cheat / Bypass Match (YARA)

A YARA rule matched a specific known cheat or bypass family on disk. The cheat name is included in the message, and an optional suffix indicates whether the file was found on a hidden drive or had a hidden-character filename.

On Minecraft builds, YARA hits surface as Warnings to reduce noise; on every other build they're Detections.
Misc Bypasses 3
Detection

Discord ASAR Vulnerability Bypass

The user has modified Discord to abuse an ASAR vulnerability that lets malicious .js files load through Discord. The bypass file name is included in the message.

Detection

Generic Cheat File Deleted

A file with a known cheat-family name was deleted from disk. Surfaced from the USN Journal - covers cases where the cheat is gone but its life on the PC is still recorded.