ntoskrnl.exe · T1559 · T1106

NtAlpcDisconnectPort

Closes the client-side of an ALPC connection cleanly, signalling the server before the handle is freed.

Prototype

```c
NTSTATUS NtAlpcDisconnectPort(
  HANDLE  PortHandle,
  ULONG   Flags
);
```

Arguments

| Name | Type | Dir | Description |
|---|---|---|---|
| PortHandle | HANDLE | in | Handle to the ALPC communication port to disconnect (the per-connection client handle returned by NtAlpcConnectPort). |
| Flags | ULONG | in | ALPC_DISCONNECT_* flags. ALPC_DISCONNECT_FLAG_NO_DISCONNECT_MESSAGE (1) suppresses the LPC_PORT_CLOSED notification to the server. |

Syscall IDs by Windows version

| Windows version | Syscall ID | Build |
|---|---|---|
| Win10 1507 | 0x80 | win10-1507 |
| Win10 1607 | 0x80 | win10-1607 |
| Win10 1703 | 0x81 | win10-1703 |
| Win10 1709 | 0x81 | win10-1709 |
| Win10 1803 | 0x82 | win10-1803 |
| Win10 1809 | 0x82 | win10-1809 |
| Win10 1903 | 0x82 | win10-1903 |
| Win10 1909 | 0x82 | win10-1909 |
| Win10 2004 | 0x84 | win10-2004 |
| Win10 20H2 | 0x84 | win10-20h2 |
| Win10 21H1 | 0x84 | win10-21h1 |
| Win10 21H2 | 0x84 | win10-21h2 |
| Win10 22H2 | 0x84 | win10-22h2 |
| Win11 21H2 | 0x84 | win11-21h2 |
| Win11 22H2 | 0x84 | win11-22h2 |
| Win11 23H2 | 0x84 | win11-23h2 |
| Win11 24H2 | 0x86 | win11-24h2 |
| Server 2016 | 0x80 | winserver-2016 |
| Server 2019 | 0x82 | winserver-2019 |
| Server 2022 | 0x84 | winserver-2022 |
| Server 2025 | 0x86 | winserver-2025 |

Kernel module

ntoskrnl.exe: NtAlpcDisconnectPort

Related APIs

NtAlpcConnectPort, NtAlpcSendWaitReceivePort, NtAlpcAcceptConnectPort, NtClose, RpcBindingFree

Syscall stub

```
4C 8B D1                   mov r10, rcx
B8 86 00 00 00             mov eax, 0x86
F6 04 25 08 03 FE 7F 01    test byte ptr [0x7FFE0308], 1
75 03                      jne short +3
0F 05                      syscall
C3                         ret
CD 2E                      int 2Eh
C3                         ret
```

Undocumented notes

`NtAlpcDisconnectPort` is the polite goodbye on an ALPC connection — it sends an `LPC_PORT_CLOSED` message to the server's queue and tears down the connection-port pair. `NtClose` on the same handle would *also* terminate the connection, but without the in-band notification, leaving the server to discover the dead client only when it next tries to reply. Most user-mode callers go through `NtClose` directly; explicit `NtAlpcDisconnectPort` is mainly used by the RPC runtime (`rpcrt4.dll`) when an LRPC binding is shut down with `RpcBindingFree`. Per-connection ALPC views, security contexts and message reservations are released as part of the disconnect.

Common malware usage

Low offensive interest — this is housekeeping. The one notable usage is *exploit cleanup*: ALPC LPE PoCs that abused server-side state typically call `NtAlpcDisconnectPort` (or close the handle) immediately after winning the race, so the server's view of the exchange looks normal and crash dumps don't keep the malicious connection-port object resident. The `ALPC_DISCONNECT_FLAG_NO_DISCONNECT_MESSAGE` flag can be used to deliberately starve a server of an `LPC_PORT_CLOSED` notification — useful if the server only cleans up per-connection state on receipt of that message; a fuzzer or a CVE PoC may use it to leak server-side state across runs.

Detection opportunities

Not a useful detection signal on its own. Disconnects are the dominant ALPC traffic on any active workstation. The only fruitful angle is *correlation*: a client process that issues a flurry of `NtAlpcConnectPort` … `NtAlpcSendWaitReceivePort` … `NtAlpcDisconnectPort` cycles against the same server in quick succession is a candidate for ALPC fuzzing or exploit triggering. ETW provider `Microsoft-Windows-Kernel-ALPC` (when enabled) logs disconnects; the corresponding RPC tear-down shows up in `Microsoft-Windows-RPC`.
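The correlation described above can be prototyped offline as a sliding-window count of complete connect, send, disconnect cycles per client/server pair. This is an added example, not code from this page or from any Microsoft tooling; the record layout, operation names, thresholds and sample port name are assumptions to be mapped onto whatever your telemetry pipeline emits.

```python
from collections import defaultdict, deque

# Assumed normalized record: (timestamp_ms, client_pid, server_port, operation).
# The field layout and operation names are hypothetical; map them from
# whatever your ETW consumer or syscall telemetry actually emits.
CONNECT, SEND, DISCONNECT = "connect", "send_wait_receive", "disconnect"

def find_alpc_churn(events, window_ms=5000, min_cycles=20):
    """Return {(pid, server): peak cycles per window} for client/server pairs
    completing >= min_cycles connect..send..disconnect cycles in window_ms."""
    state = {}                   # (pid, server) -> has a message been sent yet?
    recent = defaultdict(deque)  # (pid, server) -> recent cycle-end timestamps
    peaks = {}
    # Stable sort on time only, so same-timestamp events keep capture order.
    for ts, pid, server, op in sorted(events, key=lambda e: e[0]):
        key = (pid, server)
        if op == CONNECT:
            state[key] = False
        elif op == SEND and key in state:
            state[key] = True
        elif op == DISCONNECT and state.pop(key, False):
            # Simplification: one tracked connection per pair at a time.
            window = recent[key]
            window.append(ts)
            while ts - window[0] > window_ms:
                window.popleft()
            if len(window) >= min_cycles:
                peaks[key] = max(peaks.get(key, 0), len(window))
    return peaks

def sample_events():
    """Constructed telemetry: one churning client, one ordinary client."""
    server = r"\RPC Control\example_lrpc_port"   # constructed port name
    events = []
    for i in range(25):          # pid 4242: 25 full cycles, 100 ms apart
        t = i * 100
        events += [(t, 4242, server, CONNECT), (t + 20, 4242, server, SEND),
                   (t + 40, 4242, server, DISCONNECT)]
    for i in range(3):           # pid 1000: 3 cycles, 10 s apart
        t = i * 10_000
        events += [(t, 1000, server, CONNECT), (t + 5, 1000, server, SEND),
                   (t + 9, 1000, server, DISCONNECT)]
    return events

if __name__ == "__main__":
    for (pid, server), n in find_alpc_churn(sample_events()).items():
        print(f"pid {pid} -> {server}: {n} cycles within 5 s")
```

Tune `window_ms` and `min_cycles` against a baseline of your own hosts, since legitimate RPC-heavy clients also connect and disconnect frequently.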

Direct syscall examples

Polite client teardown

```c
// Cleanly close an LRPC client port. The server receives an LPC_PORT_CLOSED message
// before the handle is freed, allowing prompt per-connection cleanup on its side.
#include <windows.h>
#include <winternl.h>

NTSTATUS NTAPI NtAlpcDisconnectPort(HANDLE, ULONG);

void CloseLrpcClient(HANDLE hPort) {
    NtAlpcDisconnectPort(hPort, 0); // 0 = send the courtesy LPC_PORT_CLOSED
    NtClose(hPort);                  // release the handle table entry
}
```

x64 direct stub (Win11 24H2)

```asm
; Direct syscall stub for NtAlpcDisconnectPort (SSN 0x86 on Win11 24H2 / Server 2025)
NtAlpcDisconnectPort PROC
    mov  r10, rcx          ; PortHandle
    mov  eax, 86h          ; SSN
    syscall
    ret
NtAlpcDisconnectPort ENDP
```

MITRE ATT&CK mappings

Last verified: 2026-05-20