dtr_ec.sys
Description
dtr_ec.sys is a Dell kernel driver that ships as part of the Dell Feature Enhancement Pack (DFEP) on Dell laptops and desktops. The driver exposes unrestricted read/write access to Embedded Controller (EC) registers across 5 ACPI address spaces to user mode, with no validation of the register addresses or values. The Embedded Controller manages critical hardware functions, including thermal management, battery charging, fan control, power states, and keyboard input. Unrestricted EC register access allows manipulation of thermal thresholds to cause hardware damage or forced shutdowns, modification of fan speed controls, interference with battery charging logic, and alteration of power management behavior. Dell PSIRT has confirmed the vulnerability and triaged it as P2 severity on Bugcrowd.
- UUID: a2177b22-0401-4c31-8ae4-40a7e2a53653
- Created: 2026-04-13
- Author: Michael Haag
- Acknowledgement: Patrick Saif | @weezerOSINT
Commands
sc.exe create dtr_ec binPath=C:\windows\temp\dtr_ec.sys type=kernel && sc.exe start dtr_ec
| Use Case | Privileges | Operating System |
|---|---|---|
| Elevate privileges | kernel | Windows 10 |
Detections
YARA 🏹
Resources
Known Vulnerable Samples
| Property | Value |
|---|---|
| Filename | dtr_ec.sys |
| Creation Timestamp | |
| MD5 | |
| SHA1 | |
| SHA256 | d6cc311cd7f8232549a5597512facac44e63d5c808878f54c0c1c12482cf270f |
| Authentihash MD5 | |
| Authentihash SHA1 | |
| Authentihash SHA256 | |
| RichPEHeaderHash MD5 | |
| RichPEHeaderHash SHA1 | |
| RichPEHeaderHash SHA256 | |
| Company | Dell Technologies |
| Description | Dell Thermal Resource |
| Product | Dell Feature Enhancement Pack |
Imports
Imported Functions
Exported Functions
Sections
Signature
last_updated: 2026-05-04
