ntoskrnl.exeT1068T1559T1106

NtAlpcConnectPort

Establishes a client ALPC connection to a named server port and exchanges an initial message.

Prototype

NTSTATUS NtAlpcConnectPort(
  PHANDLE                    PortHandle,
  PUNICODE_STRING            PortName,
  POBJECT_ATTRIBUTES         ObjectAttributes,
  PALPC_PORT_ATTRIBUTES      PortAttributes,
  ULONG                      Flags,
  PSID                       RequiredServerSid,
  PPORT_MESSAGE              ConnectionMessage,
  PULONG                     BufferLength,
  PALPC_MESSAGE_ATTRIBUTES   OutMessageAttributes,
  PALPC_MESSAGE_ATTRIBUTES   InMessageAttributes,
  PLARGE_INTEGER             Timeout
);

Arguments

Name	Type	Dir	Description
PortHandle	PHANDLE	out	Receives the handle to the new client ALPC connection.
PortName	PUNICODE_STRING	in	Server port name in the object namespace, e.g. \RPC Control\foo, \Sessions\1\... .
ObjectAttributes	POBJECT_ATTRIBUTES	in	Optional object attributes for the client port; typically NULL.
PortAttributes	PALPC_PORT_ATTRIBUTES	in	Client-side port attributes (max message length, view size, security QoS).
Flags	ULONG	in	ALPC_MSGFLG_* and connection flags (e.g. ALPC_PORFLG_ALLOW_LPC_REQUESTS).
RequiredServerSid	PSID	in	Optional SID the kernel must verify on the server side before accepting the connection.
ConnectionMessage	PPORT_MESSAGE	in/out	Connect message payload; updated with the server's connect-accept reply on return.
BufferLength	PULONG	in/out	On input, size of ConnectionMessage; on output, size of the server's reply.
OutMessageAttributes	PALPC_MESSAGE_ATTRIBUTES	in/out	Message attributes (handle, security context, view) the client sends in the connect message.
InMessageAttributes	PALPC_MESSAGE_ATTRIBUTES	in/out	Receives the server's reply message attributes (e.g. shared view handles).
Timeout	PLARGE_INTEGER	in	Optional timeout for the connect handshake (100-ns units, negative = relative).

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0x75	win10-1507
Win10 1607	0x75	win10-1607
Win10 1703	0x76	win10-1703
Win10 1709	0x76	win10-1709
Win10 1803	0x77	win10-1803
Win10 1809	0x77	win10-1809
Win10 1903	0x77	win10-1903
Win10 1909	0x77	win10-1909
Win10 2004	0x79	win10-2004
Win10 20H2	0x79	win10-20h2
Win10 21H1	0x79	win10-21h1
Win10 21H2	0x79	win10-21h2
Win10 22H2	0x79	win10-22h2
Win11 21H2	0x79	win11-21h2
Win11 22H2	0x79	win11-22h2
Win11 23H2	0x79	win11-23h2
Win11 24H2	0x7B	win11-24h2
Server 2016	0x75	winserver-2016
Server 2019	0x77	winserver-2019
Server 2022	0x79	winserver-2022
Server 2025	0x7B	winserver-2025

Kernel module

ntoskrnl.exe → NtAlpcConnectPort

Related APIs

RpcBindingFromStringBindingWRpcStringBindingComposeWNtAlpcSendWaitReceivePortNtAlpcCreatePortNtAlpcDisconnectPortNtAlpcAcceptConnectPort

Syscall stub

4C 8B D1            mov r10, rcx
B8 7B 00 00 00      mov eax, 0x7B
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

ALPC (Advanced/Asynchronous Local Procedure Call) is the modern, undocumented successor to the legacy LPC subsystem and the substrate of nearly every Windows RPC service that does not use SMB or TCP. `NtAlpcConnectPort` is the client-side handshake — the equivalent of `connect()` for ALPC ports. There is **no public Win32 surface**; consumers reach it indirectly through RPC runtime (`RpcBindingFromStringBindingW` with the `ncalrpc` protocol sequence) or, deeper, through ETW's TraceLogging IPC. The 11-argument signature is faithfully reproduced by phnt and SystemInformer.

Common malware usage

ALPC is a privilege-escalation surface, not a code-execution one. CVE-2018-8440 (SandboxEscaper's *ALPC Task Scheduler* LPE) abused a SetSecurityInfo call reachable over an ALPC connection from any user to take SYSTEM-owned files. PrintNightmare (CVE-2021-1675 / 34527) and Follina-adjacent exploits also reach the Print Spooler and Diagnostic Services over ALPC. Beyond exploitation, advanced implants occasionally use ALPC as a stealthy intra-process or intra-host C2 channel between cooperating components (loader ↔ injected DLL ↔ persistence service) because ALPC traffic is invisible to Sysmon network events and to most EDRs.

CVE-2018-8440 ALPC LPE PoC (SandboxEscaper)PrintNightmare exploits (CVE-2021-1675 / 34527)Cobalt Strike (lateral RPC tooling)Cobalt Strike (lateral movement via RPC)Brute Ratel C4

Detection opportunities

ETW provider `Microsoft-Windows-Kernel-ALPC` exposes per-port connect/send/receive events but is rarely enabled by default — switching it on at scale is expensive. EDRs that hook `NtAlpcConnectPort` in user-mode (or in `kernel.appcore.dll`) can correlate the port name with the calling process: connections from a non-system process to high-value ports (`\RPC Control\AppInfo`, `\RPC Control\SECLOGON`, `\Sessions\1\Windows\BaseNamedObjects\spoolss`) are worth alerting on. Forensic tools like SystemInformer enumerate ALPC ports per-process, which is the most reliable post-incident discovery method.

Direct syscall examples

asmx64 direct stub (Win11 24H2)

; Direct syscall stub for NtAlpcConnectPort (SSN 0x7B on Win11 24H2)
NtAlpcConnectPort PROC
    mov  r10, rcx          ; PortHandle
    mov  eax, 7Bh          ; SSN — drifts per build
    syscall
    ret
NtAlpcConnectPort ENDP

cConnect to an LRPC server port

// Connect from a user-mode client to a named ALPC server port.
#include <windows.h>
#include <winternl.h>

typedef NTSTATUS (NTAPI *pNtAlpcConnectPort)(
    PHANDLE, PUNICODE_STRING, POBJECT_ATTRIBUTES, PVOID,
    ULONG, PSID, PVOID, PULONG, PVOID, PVOID, PLARGE_INTEGER);

HANDLE OpenServerPort(LPCWSTR name) {
    UNICODE_STRING us; RtlInitUnicodeString(&us, name);
    HANDLE hPort = NULL;
    ULONG bufLen = 0;
    pNtAlpcConnectPort fn = (pNtAlpcConnectPort)GetProcAddress(
        GetModuleHandleA("ntdll.dll"), "NtAlpcConnectPort");
    fn(&hPort, &us, NULL, NULL, 0, NULL, NULL, &bufLen, NULL, NULL, NULL);
    return hPort;
}

cRPC ncalrpc binding (high-level equivalent)

// What 99% of legitimate callers actually do — RpcBindingFromStringBindingW
// drives NtAlpcConnectPort under the hood for the ncalrpc transport.
#include <windows.h>
#include <rpc.h>

RPC_BINDING_HANDLE BindLrpc(LPCWSTR ep) {
    LPWSTR bindStr = NULL;
    RpcStringBindingComposeW(NULL, (RPC_WSTR)L"ncalrpc", NULL,
                             (RPC_WSTR)ep, NULL, (RPC_WSTR*)&bindStr);
    RPC_BINDING_HANDLE h = NULL;
    RpcBindingFromStringBindingW((RPC_WSTR)bindStr, &h);
    RpcStringFreeW((RPC_WSTR*)&bindStr);
    return h;
}

MITRE ATT&CK mappings

Last verified: 2026-05-20