Parent company

Denuvo Software Solutions GmbH is an Austrian company formed through the management buyout of Sony DADC DigitalWorks, the creators of SecuROM. Despite the management buyout, Denuvo Software Solutions and Sony DADC still have a close working relationship with the latter acting as a reselling partner of the former. Some games making use of the Denuvo Anti-Tamper product will therefor include mentions of this relationship in their EULAs, and refer to the product as one by Sony DADC or similar.[1] In early 2018, Denuvo Software Solutions was acquired by Irdeto.

Denuvo Anti-Cheat[edit]

Despite being listed on the official website since at least January 2017, this product from Denuvo does not seem to have received much fanfare or use among video games publishers. In August 2018, Irdeto announced the Anti-Cheat technology would soon launch as a full end-to-end solution. The following year, on 20 March 2019, a launch announcement was made about the new product. According to the announcement, Denuvo Anti-Cheat combines machine learning of game agnostic process metrics with the latest hardware security features[2] offered by Intel and AMD to detect and prevent cheating. The protection supposedly operates on the binary, not the source code, and integrates directly into the product build process, and also does not interfere with debuggers, instrumentation tools, or profilers, nor does it require additional APIs or SDKs to implement. Since it uses hardware-backed security, the protection goes beyond that which is offered by simple Windows kernel-mode drivers.

With this renewed focus on the Anti-Cheat product, it is expected that at least some upcoming games will make use of the technology.

Denuvo Anti-Tamper[edit]

Flowchart over launch procedure for Steam titles.
Flowchart over launch procedure for Steam titles.

Denuvo Anti-Tamper is the current de-facto standard for securing DRM schemes on modern titles. Since its original release back in 2014, it has been used to strengthen the DRM of over 150 titles; some with great success, others less so. At its core, it uses various obfuscation techniques, such as unique hardware-based code paths, virtualization, and more, to make tampering with the account-based DRM protection of a game (e.g. Microsoft Store, Origin, Steam, or Uplay) harder in an attempt to delay piracy. It is embedded in the executable of the game, and only stores licensing data (the "offline token" used to launch the game) separately on the storage drive. This licensing data is typically a couple of kilobytes in size, and is (re)created when the system environment changes enough to necessitate a new token.

A consequence of its use of unique hardware-based code paths, Denuvo Anti-Tamper requires an online connection periodically as the system environment of the operating system changes with new hardware and/or Windows updates. While everything that might invalidate the token stored on the storage drive is not fully known, this happens frequently enough for the anti-tamper protection to be described as requiring a periodic online connection every fortnight or so. This is generally not an issue or hindrance for those with an always present online connection, but can be an annoyance for people primarily using roaming data. Players gaming offline for a long period of time can also suffer if proper preparations are not made in advance to ensure the validity of the offline token. The lack of transparency on storefronts regarding this process from Denuvo Anti-Tamper is a hindrance for potential purchasers, as it means people might not be aware of Denuvo's presence before purchasing a game that, after purchase, the purchaser may have a game that harms their experience.

Limited to five daily activations per game, which resets 24 hours after the first activation.
Capable of offline token renewal through a support page (e.g. Metal Gear Solid V: The Phantom Pain) if supported by the platform. Origin and Uplay titles do not support this as their token generation is handled within the platforms respective internal activation process where offline is not an option.
Does not degrade storage drives lifetime,[3] performance in itself,[4] nor has it ever enforced a persistent online connection.[5][6]
Can increase the difficulty of executable binary modding, due to its obfuscation of certain parts of the executable. Doesn't necessarily disallow the practice,[7] nor debugging.[8]


Due to Denuvo Anti-Tamper having seen year-long successes early in its product life there was and have been quite a lot of fear, uncertainty, and doubt spread around it as a product. On top of this, the lack of transparency from Denuvo as well as the lack of proper in-depth analysis of its effect from third-parties have also contributed to the speculations and misleading reports spread around online.
Because of how Denuvo Anti-Tamper works and its functions are unknown to the average consumer, users tend to be quick to blame it for issues that is most likely caused by something else entirely.
This section strives to be more focused on specific controversies surrounding Denuvo Anti-Tamper. For general DRM controversies, please see the main DRM article.

Examples of controversies:

  • Requires an online connection at the first launch of a game, after a game update or some Windows updates, when changing specific hardware, or the built-in expiration[citation needed] (if used) has passed.
    • This happens frequently enough for the anti-tamper protection to be described as requiring a periodic online connection every fortnight or so.
    • This is generally not an issue or hindrance for those with an always present online connection, but can be an annoyance for people primarily using roaming data. Players gaming offline for a long period of time can also suffer if proper preparations are not made in advance to ensure the validity of the offline token.
    • The lack of transparency on storefronts regarding this process from Denuvo Anti-Tamper is a hindrance for potential purchasers, as it means people might not be aware of its presence and periodic online requirement before purchasing a game that, after purchase, the purchaser may find unplayable when an online connection is unavailable.
  • Can have a noticeable impact on gameplay performance.
    • Denuvo Anti-Tamper functions in a way that is designed to impact performance, which may or may not be statistically significant or noticeable during gameplay. While the company insists[9] that they test to ensure minimal performance impact, they have yet to present their internal performance results for independent verification. Independent testing has also yet to confirm or refute their claims - seemingly entirely due to inadequate test methodology as current independent tests have produced inconsistent results and are sufficiently unreliable to be of no value.[10][11][12][13][14][15][16]
    • In some instances the anti-tamper protection checks was confirmed to be a part of performance critical functions and had a noticeable impact on gameplay performance on some systems. An example of this is with Tekken 7[17], where functions related to certain characters' abilities was used by the anti-tamper protection and impacted gameplay performance when used.
      • Typically fixed in updates as game developers notices the performance bug(s) and solves them by flagging the relevant functions as performance critical to prevent the use of them by the anti-tamper.
    • In some instances the bypasses for the anti-tamper checks in illegitimate copies have had an additional performance impact, such as with Sonic Mania[18] and Injustice 2[19].
  • Requires a persistent online connection / adds an always online requirement to games.
    • This has been found false multiple times as the protection only has a periodic online requirement when the offline token is found invalid and needs to be recreated.
    • In the case of Sonic Mania's "always online requirement" on release date, it was discovered to be caused by a bug due to the developers' incorrect use of the Steam API, and could be fixed without ever tampering with the anti-tamper protection of the game.[20]
  • Relies on the SSE4.1 CPU instruction set, causing incompatibility with AMD Phenom 2 and earlier CPUs.
    • Based on a cursory inspection into whether players were able to play many of the latest protected games on older CPUs or not, Denuvo Anti-Tamper does not seem to showcase on its own any reliance on the SSE4.1 instruction set,[22] which suggests that the requirement is caused by something else, such as the game code itself.
    • Game developers often track down and fix the issue in the game code without removing the anti-tamper protection.[23][24][25]
    • Ubisoft stands out in that many of their modern titles requires the SSE4.1 instruction set[22], even going as far as to specifying it in their minimum requirements for games.[26][27][28]
  • Server outages will prevents renewals of the offline token for new and some returning players, thereby preventing play until the outage have been solved.
    • The only players capable of continuing to play the game during an outage are those with a valid offline token on their systems already.
    • On a few occasions the service have also experienced partial service outages that only affects a few players.[citation needed]
    • Denuvo does not have any public service status page, nor do they publish information for end users when their service experiences outages, leaving players unaware what the issue can be or when the issue is expected to be solved.
    • This occurred most noticeably for the Warner Bros. server back in December 2017, and prevented some players from playing Mad Max and Batman Arkham Knight until the issue was solved.[29][Note 1]
  • Forced incompatibility with Linux through Wine/Steam Proton, or prevents native Linux ports from being developed and released.
    • Because earlier versions of Denuvo Anti-Tamper and/or Wine were incompatible with one another, the incompatibility was occasionally blamed as an intended consequence of the anti-tamper protection. Said incompatibility seems to have been fixed, and Steam Proton officially supported two protected titles on its initial release date (Tekken 7 and NieR: Automata), with other games, such as Hitman 2 also working on Proton, despite initially having Denuvo Anti-tamper at launch.
    • Note that modern versions of Wine might still not fully support older versions of Denuvo Anti-tamper used on older titles.
    • The use of Denuvo Anti-Tamper has never prevented official Linux ports from being developed and released either, as evidenced by Hitman and Rise of the Tomb Raider which have both gotten native Linux and/or macOS ports before the protection was removed from the Windows version.

Epic Games Launcher[edit]

Uses the same general procedure and servers as Steam-based titles, based on testing performed on Metro Exodus.[30]
The offline token is stored in %LocalAppData%\EpicGamesLauncher\ in a file with just a bunch of numbers as the filename and without a file extension.


A flowchart of the procedure can be found further up the page.

Based on data gathered from Steam-based Denuvo protected titles by monitoring operations performed by Denuvo protected titles through the use of Process Monitor, Fiddler, and in some instances also Wireshark, the basic overview in how the anti-tamper components interacts with the system is quite minimal:

  1. At the launch of a game a validation of the offline token is performed.
  2. If the offline token is invalid or missing, an appropriate request code is generated based on the system environment and sent to an online server.
  3. The online server responds with a corresponding response code.
  4. The local anti-tamper component uses the response code to write a new valid offline token to the local storage drive.
  5. The game continues to launch along with the now valid offline token.
  6. On subsequent launches the anti-tamper protection will automatically load and make use of the offline token stored on the storage drive, up until said token is made invalid again.

If the online connection fails the user will get a manual "offline" activation option where they can make use of a secondary online connected device to retrieve the corresponding response code, an option not available for either Origin, Uplay, or possibly other supported platforms either. The availability of this second option means a local token generator is theoretically possible for a fully offline procedure, as was confirmed in 2017 with the release of an unofficial offline token generator for Dishonored 2.[31]

Beyond the mentioned online connection above, as well as the drive read, and drive write if the offline token is invalid, no other online connection nor drive reads/writes are performed during play.
The offline token is stored in Steam\userdata\<user-id>\<app-id>\ in a file with just a bunch of numbers as the filename and without a file extension. Note that the filename differs between versions of the game, so it is normal to have more than one of these files lying around. Only the latest modified file is actively being used; the older ones are inert and can be safely removed.

Technical information[edit]

All servers seems to be hosted on Amazon Web Services (AWS) datacenter EU West 1, Ireland.
Domain Description Responsible for the support pages and manual activation pages for both the anti-tamper protection as well as Redeem.exe for Steam-based games.
These domains are the primary ones used to retrieve a valid token in Steam-based games. If srv01 does not respond with a proper response code, srv02 is used instead. If srv02 also fails, srv03 is used instead. If all three fails, the user receives instructions on how to perform a manual "offline" activation using the relevant page.

Advanced: Load-balanced between two AWS instances using round-robin DNS. Unknown usage. Possibly a test server of sorts as it is capable of generating valid response codes for Steam-based games.
These two domains are also registered, but their use is currently unknown to this article.

Advanced: Points to the same two aforementioned AWS instances.

Request/Response API

Advanced: The web API expects Content-Type: text/plain to be used in the request message.

The online component relies solely on standardized HTTPS communications and a simple web API, and fully respects and makes use of system-wide proxy configuration and internet settings. Basically the client (the game executable) sends the locally generated request code in the body of a HTTP request message to the online server using the POST method, and receives the appropriate response code back in the body of the response message. This single exchange (one sent request, one received response) is all that is needed for the anti-tamper component of the game executable to generate the appropriate offline token for the system.

Target URI Description
Used for the automatic activation process for Steam-based titles. Used for the manual activation process for Steam-based titles. Unknown usage. Possibly a test server of sorts as it is capable of generating valid response codes for Steam-based games.

Warner Bros. titles[edit]

Currently only known to be used for Mad Max and Batman Arkham Knight.
All servers seems to be hosted on Amazon Web Services (AWS) datacenter US East 1, Virginia.
Domain / Website Description Only domain used by the protection in the Steam-based copies of Mad Max and Batman Arkham Knight.

Advanced: Load-balanced between two AWS instances using round-robin DNS. Support page for Mad Max. Support page for Batman Arkham Knight. Secondary support page for Mad Max, hosted on the generic Steam-based server. Secondary support page for Batman Arkham Knight, hosted on the generic Steam-based server.

Request/Response API

Behaves the same as defined in the Technical information section above, just with different target URIs.
The generic Steam-based servers listed above can be used to generate valid offline tokens if Warner Bros. custom server would ever go down.
Target URI Description Used for the automatic activation process of these two titles. Used for the manual activation process of these two titles.


Official support page
Adds a requirement of having an optical disc drive available when purchasing physical copies of games to obtain the Steam key.
Also known as GIP or GIP Client.

This is a DRM scheme employed on the retail discs of some games (e.g. Deus Ex: Mankind Divided, NieR: Automata) in some regions and is used to authenticate the physical disc as well as a one-time serial key located on a leaflet in the disc case. After the authentication of both, a Steam activation key for the game is redeemed from an online database and granted to the user in the application window, which can then be used in the Steam client to unlock a copy of the game.

Issues fixed[edit]

Currently your game purchase cannot be re-validated successfully[edit]

Full error message: Currently your game purchase cannot be re-validated successfully, please wait 24 hours and try again.
Wait 24 hours before trying to launch the game again[32]
This error message is given when the daily limit of five activations is reached for the user for the particular game, at which point no new activations will be granted until 24 hours has passed.
If this issue persists the system might be in a state of flux and require constant renewals of the offline token of Denuvo Anti-Tamper. Ensure that the system have been restarted recently and verify that the operating system and drivers are up-to-date, and no installations or updates are pending.

Cannot start Redeem.exe on retail discs[edit]

Please see the game-specific articles for available workarounds for various issues affecting Redeem.exe, such as for Deus Ex: Mankind Divided.
If no workaround is available, the official support page can be used instead to make a manual redemption.

Refresh the offline token for Steam protected titles[edit]

Requires an online connection.
This procedure results in the offline token being refreshed and generated anew.
While forcing a refresh manually typically is not needed, it can be useful in troubleshooting purposes or as preparation before going offline for an extended period of time.
The general procedure might also work for games on Epic Games Launcher.
Refresh the offline token[33]
  1. Ensure that the system have been restarted recently and verify that the operating system and drivers are up-to-date, and no installations or updates are pending.
  2. Navigate to the location of the offline token, stored in Steam\userdata\<user-id>\<app-id>\.
    • Use SteamDB to retrieve the app ID if you are unsure where it can be located.
  3. Locate the current offline token, stored in a file with just a bunch of numbers as the filename and without a file extension. Note that the filename differs between versions of the game, so it is normal to have more than one of these files lying around. Only the latest modified file is actively being used; the older ones are inert and can be safely removed.
  4. Move the file to another location, such as a temporary subfolder, so the file is available if it would need to be restored in case of an issue.
  5. Launch the game as usual. The game should connect online, retrieve a new offline token, and store it in Steam\userdata\<user-id>\<app-id>\ with the same name as the old one.
    • If an issue occurs, simply move/delete the new offline token and restore the previous one from where you temporarily moved it.
  6. The previous offline token can now be safely removed.

List of games using Denuvo Anti-Tamper[edit]

List of games formerly using Denuvo Anti-Tamper[edit]

  1. DSOGaming's source for the outage also affecting Middle-earth: Shadow of War is a patch note about fixing an issue with the game that resulted in Windows Defender blocking access to save files, which resulted in a crash on launch. That game does not rely on, which is the online server that Denuvo Anti-Tamper in Mad Max and Batman Arkham Knight relies upon, and was most likely the one experiencing an outage back in December, 2017.


