That's not really possible as long as the kernel allows the loading of arbitrary user-provided modules. Because the cheater will certainly run the cheat that requires kernel mode. If it's run in kernel mode, the API call can be intercepted.

How does the anticheat then work? Corewars. It's a cat and mouse game between the cheat provider and the game developer.

One would need a secure base layer, where also the MS anti-cheat lives, and all drivers can only run in a layer between this base layer and userland. I think that's already done for most of the graphics stack.

On the other hand, I am not convinced I want a system where I cannot load arbitrary kernel mode code if I choose to do so.

Riot games use theirs (Vanguard) to improve detection of cheating software. basically the idea is by being on from the moment the computer is booted up it can validate the environment better.

Here's a recent blog post by riot detailing their recent deployment of the system for league of legends, the biggest online multiplayer game in the world

https://www.leagueoflegends.com/en-gb/news/dev/dev-vanguard-...

towards the end it talks about how and why it works