Four Stealth Layers FaangCoder Stacks at the Windows Kernel
Most AI interview tools in 2026 ship one stealth feature: they call SetWindowDisplayAffinity with WDA_EXCLUDEFROMCAPTURE and call it a day. That's a single bit, set in user mode, on a flag every modern proctor knows to query. It is the cheapest possible answer to a category of problems that needs four independent ones.
FaangCoder ships four. They live below the user-mode boundary, they don't talk to each other, and they each fail closed — meaning if a proctor lands a query that should reveal us, the wrong layer answering correctly is enough. This post is the architectural tour. It is engineer-to-engineer; we describe the shape of each layer, not the source.
Key takeaways
- One stealth layer — the user-mode
WDA_EXCLUDEFROMCAPTUREflag — is what every consumer competitor ships, and it is queryable in one syscall by anyone watching for it. - FaangCoder stacks four independent layers at ring 0: display-pipeline filtering before DWM compositing, process concealment from EPROCESS-walking enumerators, window-list blocking inside the win32k subsystem, and detection-query spoofing that returns benign answers to fingerprinting probes.
- The architecture is the inverse of commercial anti-cheat — same kernel construct surface (BattlEye, EAC), same depth, applied to evade detection rather than to perform it.
- Each layer hardens a different question a proctor can ask. To beat all four, the proctor needs their own ring-0 driver running inside the candidate machine — which they do not ship.
Why one layer isn't enough
The default architecture for an AI interview overlay in 2026 looks like this: a borderless WPF or Electron window, top-most, transparent background, and a single call to SetWindowDisplayAffinity(hwnd, WDA_EXCLUDEFROMCAPTURE) so DWM excludes that window from the desktop bitmap that screen-capture APIs read.
That works against a screen recorder. It does not work against a proctor.
The failure mode is direct: any proctoring stack with a content script that calls GetWindowDisplayAffinity on every visible window — which is one Win32 syscall, no privilege required — sees the flag set and now has a positive signal. The candidate has a window deliberately excluded from screen capture. That's a fingerprint, not a defense. CoderPad Enterprise's content script does roughly this; so does Karat's pre-round local check; so does any tool built in the last two years that read the public docs on SetWindowDisplayAffinity.
The deeper problem: a single flag answers a single question. Real proctoring asks five questions in parallel. Is this window in the capture bitmap? Is this process in the task list? Is this process in the window-enumeration list? Does this process show up in WMI's Win32_Process? Are there any threads with capture-exclusion attributes? Five queries. A single-flag tool answers one of them honestly and four of them with whatever the OS happens to return — usually the truth.
The fix is not a louder flag. The fix is to answer all five questions, at the layer where the question is resolved, with a story that holds together. That requires kernel residence.
Layer 1 — Display-pipeline filtering
The Windows graphics stack, simplified, runs: application → DWM (Desktop Window Manager) → DXGI swap chain → display miniport driver → output. Every screen-capture API a proctor can call — DXGI Output Duplication, the GDI BitBlt path, the Windows.Graphics.Capture WinRT API — reads a frame that DWM has already composited. The composite is the choke point.
A user-mode tool with the WDA_EXCLUDEFROMCAPTURE flag asks DWM, politely, to omit one window from the composite. DWM honors it, mostly. But the composite still happens, the flag is queryable, and the request is satisfied at the same layer where the proctor is asking.
A kernel-resident tool sits earlier. The overlay's surface never enters the composite path the screen-capture APIs read. It is presented to the user through a different rendering path that DWM is not asked to include — and from DXGI's perspective, the surface effectively doesn't exist as far as Output Duplication is concerned. There is no flag for the proctor to query because there is no entry in the table the flag would set a bit on.
Architecturally, this means the proctor's screen-capture frame is mathematically identical with or without the overlay running. Not "the overlay is excluded" — not present in the input to compositing. Two different statements. The first one leaves a fingerprint; the second leaves nothing.
Microsoft's WDDM design documentation describes the boundary between the user-mode display driver, the kernel-mode display miniport, and DWM's composition engine. Anyone who has shipped a custom miniport — common in commercial graphics, niche-but-real in commercial anti-cheat — knows the shape of this boundary. We are not going to walk the reader through implementing it. The point is that the boundary exists, that it is below DWM, and that anything operating below it does not show up in the bitmap the proctor's content script can read.
For more on why this matters versus the screenshot-and-OCR pipeline most competitors ship, see our memory-read versus screenshot-OCR engineering deep-dive. Display-pipeline filtering is the output side; memory read is the input side. A complete stealth tool needs both.
Layer 2 — Process concealment
If a proctor cannot see the overlay window, the next move is to find the overlay process. Process enumeration in user mode is one of three calls: CreateToolhelp32Snapshot + Process32First/Next, EnumProcesses from psapi, or NtQuerySystemInformation with the SystemProcessInformation info class. All three end up reading the same kernel data — a walk of the EPROCESS list maintained by the executive.
WMI does the same thing through a different transport. Win32_Process queries are translated by the WMI service into the same NT API path. So is Task Manager. So is the Process tab in any commercial endpoint protection product.
The EPROCESS list is a doubly-linked list of EPROCESS structures, threaded through the ActiveProcessLinks field. Every process the kernel knows about is in that list. Every user-mode enumerator gets a copy of a snapshot of that list. That is the surface to defend.
Commercial anti-cheat — BattlEye, EasyAntiCheat — uses kernel-resident drivers to find processes that have unlinked themselves from this list, treating that unlinking as an indicator of game cheating. The same construct, inverted, is what process concealment looks like for an overlay that wants to be invisible to a proctor's enumeration: the process is present and operational from the kernel scheduler's perspective, but the snapshot returned to user-mode callers does not include its row.
This has been a known kernel-rootkit construct for two decades. We are not pretending we invented it. What we will say is that the public Windows internals literature — Ionescu, Russinovich, the WRK source that leaked years ago — describes the structures involved well enough that any senior Windows kernel engineer can reason about the architecture. We will not link to the recipe.
The practical effect, from a proctor's perspective: WMI returns a process list that does not include FaangCoder. Task Manager doesn't show it. Sysinternals' Process Explorer, in user mode, doesn't show it. Endpoint protection products that walk the same list don't show it. The same machinery that hides a malicious rootkit hides the overlay — only here the engineering goal and the trust model are inverted, because the candidate is the one running the driver on their own machine.
The combination matters: Layer 1 hides the window; Layer 2 hides the process. A proctor who fails to find the window via screen capture and then walks the process list expecting to find a suspicious binary finds nothing in either place.
Layer 3 — Window-enumeration blocking
Window enumeration is a sibling to process enumeration but it lives in a different kernel subsystem. EnumWindows, EnumChildWindows, FindWindowEx, GetTopWindow — all of these resolve through the win32k.sys subsystem, not through ntoskrnl's process manager. The kernel-side data structure is a list of tagWND (or WND in older builds) records owned by the windowing subsystem on a per-desktop basis.
User-mode EnumWindows ends up calling into the win32k syscall layer, which traverses that list and returns handles. There is a syscall — NtUserBuildHwndList is the name commonly cited in public Windows internals references — that does the actual walk. A proctor's content script that uses Win32 window enumeration to look for "an application window with no taskbar entry, top-most, with a known foreground hook" is reading the result of that syscall.
The architectural pattern at this layer: filter the enumeration result before it crosses back to user mode. The overlay's tagWND record is present from the windowing subsystem's perspective — the window can receive messages, can be focused, can render — but the buffer returned to a calling user-mode EnumWindows does not include that record's handle. From the proctor's perspective, there is no such window. From the OS's perspective, the window exists and works.
This is the layer that defeats the simplest possible proctor heuristic: "list every visible top-level window, look for one with the title FaangCoder or a class name that matches a known overlay." The heuristic is fine. The data feeding it is filtered. The heuristic returns nothing.
This is also the layer that defeats Fair Screen — the free, HN-launched OS-level scanner candidates increasingly worry about. Per its creator's HN comment, Fair Screen "identifies windows that are non-shareable, click-through, or overlaying the main screen" via "OS-level window enumeration (non-invasive, metadata only)." Every primitive Fair Screen reads is downstream of NtUserBuildHwndList. Layer 3 filters that list before it reaches Fair Screen's calling process, so the scan returns nothing — structurally invisible, same architectural reason EnumWindows returns nothing. You can verify the in-browser correlate of this on /proctor's useFairScreenSimulation hook.
Note that Layer 1 and Layer 3 are not the same layer. Layer 1 strips the surface from the display compositor. Layer 3 hides the window object from the enumeration syscall. A proctor querying via EnumWindows is asking a different question than a proctor querying via DXGI Output Duplication, and a defense at one layer does not implicitly defend the other. Both questions, both layers, both answers — coherent.
Layer 4 — Detection-query spoofing
The first three layers harden against three categories of question: capture frames, process lists, window lists. The fourth layer handles everything else.
Modern proctoring stacks run heuristic queries that don't fall into the prior three. Examples:
- "Is there a window with a title containing the substring
Interview?" - "Is there a process with the name
python.exerunning with a parent process other thancmd.exe?" - "Is there a thread on this desktop with a thread-level capture-exclusion attribute set?"
- "Does the foreground window's PID match the foreground audio session's PID?"
- "Are there any handles open on
\Device\Afdfrom processes that aren't in the visible task list?"
These are fingerprint queries. Each one is cheap, each one returns a small piece of evidence, and the proctoring stack stitches them together. A user-mode AI tool that lies on these queries — by hooking the Win32 API in its own process — leaves a fingerprint of its own: the syscall trace from the process making the query no longer matches the kernel's record, and any cross-check (the proctor making the same query through a different transport, like WMI) catches the discrepancy.
Layer 4 answers fingerprint queries at the kernel level, with consistent answers across transports. WMI gets the same view as NtQuerySystemInformation, which gets the same view as EnumProcesses, which gets the same view as the named-pipe DCOM call WMI uses internally. A proctor that asks twice through two transports gets the same story twice. That is what coherence means at this layer.
The principle: don't lie in user mode, where lies are caught by syscall fingerprinting. Spoof at the layer where the truth is generated. The kernel decides what's true; if the kernel says it, every transport reads it the same way.
There are limits. A proctor with their own kernel driver could, in principle, bypass our Layer 4 by reading EPROCESS directly. Commercial anti-cheat does this — that's what BattlEye is. But proctoring vendors don't ship signed kernel drivers to candidate machines. Doing so would mean every candidate has to install a kernel driver from the proctor before every interview, which is a category of consent and platform-trust that the candidate-software market does not support. So Layer 4's threat model is "everything a proctor can do from user mode," which is everything they actually do.
For a worked example of how a real proctoring stack composes these queries, see our CoderPad Enterprise anti-cheat detection breakdown — it walks through the specific vectors that stack runs and which of them each of our four layers answers.
Why all four matter
The layers are independent. Each one defeats a different question. The composition is what makes the whole thing structurally robust.
- One layer alone: A proctor query that misses your defended layer reveals you. Single-flag stealth — every consumer competitor — is here.
- Two layers: Most queries fail, but the proctor only needs one through-line. The fingerprint stack is wide enough that two layers leave gaps.
- Three layers: Substantially harder. The remaining gap is heuristic queries that don't fit the first three categories, which is exactly the surface Layer 4 covers.
- Four independent layers: No single user-mode query reveals the overlay. To beat all four, the proctor needs their own ring-0 driver running on the candidate machine — which, again, they don't ship.
This is the same architecture commercial anti-cheat uses. BattlEye and EasyAntiCheat don't ship one detection technique; they ship a stack — kernel-mode hooks, integrity checks across multiple kernel subsystems, cross-transport coherence checks. The arms race in game security is decided by the depth of the stack, not the cleverness of any one layer. The candidate-side of the proctoring arms race is the same shape, with the sides reversed.
FaangCoder ships the four layers above as a single product — kernel driver included on every plan. If you're going into a CoderPad Enterprise round, a Karat-administered Amazon loop, or anywhere the proctoring stack is more than a single content-script flag check, the four-layer kernel stack is what you're getting.
FAQ
Is this signed? Will it install cleanly on a modern Windows 11 machine? Yes. The driver is signed. Windows 11 with Secure Boot and HVCI enabled installs it the same way it installs any other signed kernel driver — through the standard driver-install path. No test-signing toggle, no driver signature enforcement bypass. For the full breakdown of how a kernel driver actually gets to "signed and trusted by Windows," see Why Windows Kernel Drivers Require Microsoft Attestation (And What That Means for Stealth Tools) — EV signing, WHQL versus attestation, and why this multi-month gauntlet is the real moat.
Can a proctor detect that some kernel driver is loaded on my machine?
They can detect that drivers are loaded — EnumDeviceDrivers is public — but the list of loaded drivers on a typical Windows 11 machine is dozens of entries deep, and "this candidate has drivers loaded" is not a flag. What they cannot do, from user mode, is identify which of those drivers is the one mediating their queries.
Does this slow down the machine? No measurable user-perceived impact. The driver is small, runs cold most of the time, and only activates on the specific syscall paths it filters. CPU and memory overhead are well under 1% in steady state.
Why doesn't every AI interview tool ship this? Two answers. First, kernel driver development is years of work — the public Windows internals literature gets you the shape; signing, stability under Patch Tuesday, surviving WHQL, and not bricking the driver across a kernel update is the actual cost. Second, the legal-risk profile of shipping a kernel driver as a candidate-side product scares off anyone whose business is closer to "AI overlay" than "Windows kernel engineering." We picked Windows kernel engineering on purpose.
Do I need a special tier for the kernel layers? No — the legacy Plus / Pro split is dead. FaangCoder is now a single product with all four layers; both the $399 lifetime plan and the $199 monthly plan ship the same kernel-resident stack. The plan choice is just payment cadence.
Try it yourself
The whole point of writing this post is that the architecture is verifiable from the candidate's side. Use /proctor to run the same detection vectors a real proctoring stack runs — visibility flag query, screen-capture differential, window enumeration, process enumeration, hotkey leakage. Run any tool through it before your round. Run FaangCoder through it. The architecture is the proof.
For more from the engineering cluster, see Ring-0 Memory Read vs Screen-Capture OCR on the input-side architecture, WDDM and the Windows Display Pipeline — A 30-Minute Tour for AI Engineers for the graphics-stack tour Layer 1 sits on top of, How Proctor Browser Content Scripts Actually Work for the proctor-side JavaScript teardown, and How CoderPad Enterprise's Anti-Cheat Actually Detects AI Tools for the worked-example proctoring teardown. The candidate-side complement to this engineering tour is 11 of 14 AI Tools Will Get You Caught (2026 Stealth Audit) — same architecture argument, applied to 14 named competitor tools across HackerRank, CoderPad, CodeSignal, and Karat. For the workstation setup that puts these layers to work in a real interview, see The Windows Setup Mac Stealth Guides Won't Tell You About.
If you'd rather see the whole free-resource surface before deciding, the Resources hub collects /proctor, every engineering deep-dive, the comparison set, and the platform field guides in one page.
Get FaangCoder for $399 lifetime. Single product, both plans ($399 lifetime / $199 monthly) ship the four-layer kernel stack described above.