ntoskrnl.exe | T1559 | T1106

NtAcceptConnectPort

Server-side acceptance of a legacy LPC connection request, optionally mapping a shared view.

Prototype

```c
NTSTATUS NtAcceptConnectPort(
  PHANDLE            PortHandle,
  PVOID              PortContext,
  PPORT_MESSAGE      ConnectionRequest,
  BOOLEAN            AcceptConnection,
  PPORT_VIEW         ServerView,
  PREMOTE_PORT_VIEW  ClientView
);
```

Arguments

| Name | Type | Dir | Description |
|---|---|---|---|
| PortHandle | PHANDLE | out | Receives a handle to the newly created communication port if the connection is accepted. |
| PortContext | PVOID | in | Opaque server-side context pointer associated with this connection, returned in later messages. |
| ConnectionRequest | PPORT_MESSAGE | in | The LPC_CONNECTION_REQUEST message previously received via NtListenPort / NtReplyWaitReceivePort. |
| AcceptConnection | BOOLEAN | in | TRUE to accept the connection, FALSE to reject it (the client receives STATUS_PORT_CONNECTION_REFUSED). |
| ServerView | PPORT_VIEW | in/out | Optional shared section view exposed to the client; updated with the mapped client-side address. |
| ClientView | PREMOTE_PORT_VIEW | out | Receives the client's shared section view (if the client offered one in the connect message). |

Syscall IDs by Windows version

| Windows version | Syscall ID | Build |
|---|---|---|
| Win10 1507 | 0x2 | win10-1507 |
| Win10 1607 | 0x2 | win10-1607 |
| Win10 1703 | 0x2 | win10-1703 |
| Win10 1709 | 0x2 | win10-1709 |
| Win10 1803 | 0x2 | win10-1803 |
| Win10 1809 | 0x2 | win10-1809 |
| Win10 1903 | 0x2 | win10-1903 |
| Win10 1909 | 0x2 | win10-1909 |
| Win10 2004 | 0x2 | win10-2004 |
| Win10 20H2 | 0x2 | win10-20h2 |
| Win10 21H1 | 0x2 | win10-21h1 |
| Win10 21H2 | 0x2 | win10-21h2 |
| Win10 22H2 | 0x2 | win10-22h2 |
| Win11 21H2 | 0x2 | win11-21h2 |
| Win11 22H2 | 0x2 | win11-22h2 |
| Win11 23H2 | 0x2 | win11-23h2 |
| Win11 24H2 | 0x2 | win11-24h2 |
| Server 2016 | 0x2 | winserver-2016 |
| Server 2019 | 0x2 | winserver-2019 |
| Server 2022 | 0x2 | winserver-2022 |
| Server 2025 | 0x2 | winserver-2025 |

Kernel module

ntoskrnl.exe | NtAcceptConnectPort

Related APIs

NtCreatePort, NtListenPort, NtCompleteConnectPort, NtReplyWaitReceivePort, NtConnectPort, NtAlpcAcceptConnectPort

Syscall stub

```
4C 8B D1                  mov r10, rcx
B8 02 00 00 00            mov eax, 0x2
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03                     jne short +3
0F 05                     syscall
C3                        ret
CD 2E                     int 2Eh
C3                        ret
```

Undocumented notes

NtAcceptConnectPort is the server half of the legacy **LPC** (Local Procedure Call) handshake — the pre-Vista predecessor of ALPC. It is still present in ntoskrnl.exe for backward compatibility and is still reachable from user mode, but virtually all modern RPC traffic now flows over ALPC (`NtAlpc*`). The SSN has been frozen at `0x2` since the introduction of the table, which itself is an artifact of LPC's age. The companion calls are NtCreatePort (server), NtListenPort, NtReplyWaitReceivePort, NtCompleteConnectPort, and NtConnectPort (client).

Common malware usage

Direct abuse of LPC by modern malware is rare; the surface has been largely supplanted by ALPC and named pipes. Historically (Windows XP / 2003 era) LPC was occasionally used by user-mode rootkits as an intra-process or intra-host C2 channel between cooperating components because no Win32 API existed and traffic was invisible to network monitors. Today the relevance is mostly *historical and educational* — knowing the legacy interface helps red teamers recognize it in old codebases and helps defenders avoid blind spots on long-tail Windows installs where the LPC tables are still wired up.

Detection opportunities

There is no dedicated ETW provider for legacy LPC the way `Microsoft-Windows-Kernel-ALPC` exists for ALPC; the most reliable signal is the *absence* of legitimate callers — almost no in-box Windows component uses raw LPC on Windows 10/11. EDRs that hook the syscall table in the kernel can flag any user-mode process calling NtAcceptConnectPort outside of a handful of legacy components (a few CSRSS / SMSS paths still touch it). Forensically, SystemInformer's port enumeration shows LPC ports alongside ALPC ports — unexpected named LPC ports in `\RPC Control\` or `\BaseNamedObjects\` warrant investigation.

Direct syscall examples

x64 direct stub (asm)

```asm
; Direct syscall stub for NtAcceptConnectPort (SSN 0x2, stable since Win10 1507)
NtAcceptConnectPort PROC
    mov  r10, rcx          ; PortHandle
    mov  eax, 02h          ; SSN
    syscall
    ret
NtAcceptConnectPort ENDP
```
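
Added example (not from the original page, and not code from ntdll or any EDR): a byte-pattern classifier for the two stub layouts listed on this page, which a defender can use to confirm that an exported stub is unpatched or to spot a bare `syscall` stub in memory that is not ntdll. `classify_stub`, the `stub_kind` values and the sample arrays are names chosen for this example; the bare and hooked samples are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum stub_kind {
    STUB_NONE = 0, /* prologue or tail missing: hooked, patched, or not a stub */
    STUB_NTDLL,    /* full layout: 0x7FFE0308 test plus int 2Eh fallback */
    STUB_BARE      /* mov r10,rcx / mov eax,imm32 / syscall / ret only */
};

/* Classify `len` bytes at `p`; on a match store the service number in *ssn. */
enum stub_kind classify_stub(const uint8_t *p, size_t len, uint32_t *ssn) {
    static const uint8_t prologue[] = { 0x4C, 0x8B, 0xD1, 0xB8 };
    static const uint8_t ntdll_tail[] = {
        0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01, /* test byte ptr [0x7FFE0308], 1 */
        0x75, 0x03,                                     /* jne short +3 */
        0x0F, 0x05, 0xC3,                               /* syscall; ret */
        0xCD, 0x2E, 0xC3                                /* int 2Eh; ret */
    };
    static const uint8_t bare_tail[] = { 0x0F, 0x05, 0xC3 }; /* syscall; ret */
    const size_t head = sizeof prologue + 4;                 /* prologue + imm32 */
    if (len < head || memcmp(p, prologue, sizeof prologue) != 0)
        return STUB_NONE;
    const uint8_t *tail = p + head;
    size_t rest = len - head;
    enum stub_kind kind = STUB_NONE;
    if (rest >= sizeof ntdll_tail && !memcmp(tail, ntdll_tail, sizeof ntdll_tail))
        kind = STUB_NTDLL;
    else if (rest >= sizeof bare_tail && !memcmp(tail, bare_tail, sizeof bare_tail))
        kind = STUB_BARE;
    if (kind != STUB_NONE) /* imm32 operand of mov eax is little-endian */
        *ssn = p[4] | (uint32_t)p[5] << 8 | (uint32_t)p[6] << 16 | (uint32_t)p[7] << 24;
    return kind;
}

/* Inputs: the stub bytes as listed on the page; the bare stub written with the
   same encodings (constructed); a constructed 5-byte jmp over the prologue. */
const uint8_t SAMPLE_NTDLL[] = { 0x4C,0x8B,0xD1, 0xB8,0x02,0,0,0, 0xF6,0x04,0x25,0x08,
    0x03,0xFE,0x7F,0x01, 0x75,0x03, 0x0F,0x05,0xC3, 0xCD,0x2E,0xC3 };
const uint8_t SAMPLE_BARE[]   = { 0x4C,0x8B,0xD1, 0xB8,0x02,0,0,0, 0x0F,0x05,0xC3 };
const uint8_t SAMPLE_HOOKED[] = { 0xE9,0x10,0x20,0x30,0x40, 0,0,0, 0x0F,0x05,0xC3 };

int main(void) {
    uint32_t ssn = 0;
    int k = classify_stub(SAMPLE_BARE, sizeof SAMPLE_BARE, &ssn);
    printf("kind=%d ssn=0x%x\n", k, (unsigned)ssn);
    return 0;
}
```

A `STUB_NONE` result on an ntdll export means the bytes differ from the listing above and should be compared against the on-disk image; a `STUB_BARE` match is a lead to triage, not a verdict.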

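Legacy LPC server accept skeleton (C)

```c
// Educational LPC server skeleton — modern code should use ALPC instead.
#include <windows.h>
#include <winternl.h>

typedef NTSTATUS (NTAPI *pNtAcceptConnectPort)(
    PHANDLE, PVOID, PVOID /*PPORT_MESSAGE*/, BOOLEAN, PVOID, PVOID);

// On acceptance *phComm receives the communication port handle. The caller owns
// it, finishes the handshake with NtCompleteConnectPort, and closes it later.
NTSTATUS AcceptOrReject(PVOID connReq, BOOL allow, PHANDLE phComm) {
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    pNtAcceptConnectPort fn = ntdll
        ? (pNtAcceptConnectPort)GetProcAddress(ntdll, "NtAcceptConnectPort")
        : NULL;
    if (!fn)
        return (NTSTATUS)0xC000007A; // STATUS_PROCEDURE_NOT_FOUND
    *phComm = NULL;
    // PortContext = NULL, no shared views
    return fn(phComm, NULL, connReq, allow ? TRUE : FALSE, NULL, NULL);
}
```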

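FFI declaration via ntapi (Rust)

```rust
// Cargo: ntapi = "0.4", winapi = "0.3"
use ntapi::ntlpcapi::NtAcceptConnectPort;
use winapi::shared::ntdef::{HANDLE, BOOLEAN, NTSTATUS};

// Safety: `req` must point to the LPC_CONNECTION_REQUEST message received
// from the listening port and stay valid for the duration of the call.
unsafe fn accept(req: *mut u8) -> Result<HANDLE, NTSTATUS> {
    let mut h: HANDLE = std::ptr::null_mut();
    let s = NtAcceptConnectPort(
        &mut h,               // PortHandle (out)
        std::ptr::null_mut(), // PortContext
        req as *mut _,        // ConnectionRequest
        1 as BOOLEAN,         // AcceptConnection = TRUE
        std::ptr::null_mut(), // ServerView (none)
        std::ptr::null_mut(), // ClientView (none)
    );
    // 0 is STATUS_SUCCESS
    if s == 0 { Ok(h) } else { Err(s) }
}
```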

MITRE ATT&CK mappings

Last verified: 2026-05-20