No widely documented commodity family abuses this syscall directly; research/PoC only.

Attributions are based on open-source threat reports. A family appearing here means at least one syscall record cites it; absence does not imply non-use.

2 syscalls cited

NtFreezeRegistry
Temporarily blocks all registry write operations system-wide, used by VSS for consistent snapshots.
NtThawRegistry
Releases a previous registry freeze so writes resume; counterpart of NtFreezeRegistry.