NtAlpcImpersonateClientOfPort
ALPC server's primary impersonation primitive — assumes the security context of the client that sent a message.
Prototype
```c
NTSTATUS NtAlpcImpersonateClientOfPort(
    HANDLE                 PortHandle,
    PPORT_MESSAGE          Message,
    PALPC_IMPERSONATE_INFO Flags);   // declared as plain PVOID in public headers (phnt); see Arguments
```
Arguments
| Name | Type | Dir | Description |
|---|---|---|---|
| PortHandle | HANDLE | in | Handle to the server-side ALPC communication port returned by NtAlpcAcceptConnectPort. |
| Message | PPORT_MESSAGE | in | The PORT_MESSAGE just received from the client whose token should be impersonated. Pre-Win10 builds accepted NULL. |
| Flags | PALPC_IMPERSONATE_INFO | in | Requested impersonation level (anonymous / identify / impersonate / delegate) and required-token flags. NULL = use the `SECURITY_QUALITY_OF_SERVICE` the client supplied at connect time. Public headers (phnt) declare this parameter simply as `PVOID Flags`; the `ALPC_IMPERSONATE_INFO` layout used in the C example below is this page's reconstruction, not a documented structure. |
Syscall IDs by Windows version
| Windows version | Syscall ID | Build |
|---|---|---|
| Win10 1507 | 0x82 | win10-1507 |
| Win10 1607 | 0x82 | win10-1607 |
| Win10 1703 | 0x83 | win10-1703 |
| Win10 1709 | 0x83 | win10-1709 |
| Win10 1803 | 0x84 | win10-1803 |
| Win10 1809 | 0x84 | win10-1809 |
| Win10 1903 | 0x84 | win10-1903 |
| Win10 1909 | 0x84 | win10-1909 |
| Win10 2004 | 0x86 | win10-2004 |
| Win10 20H2 | 0x86 | win10-20h2 |
| Win10 21H1 | 0x86 | win10-21h1 |
| Win10 21H2 | 0x86 | win10-21h2 |
| Win10 22H2 | 0x86 | win10-22h2 |
| Win11 21H2 | 0x86 | win11-21h2 |
| Win11 22H2 | 0x86 | win11-22h2 |
| Win11 23H2 | 0x86 | win11-23h2 |
| Win11 24H2 | 0x88 | win11-24h2 |
| Server 2016 | 0x82 | winserver-2016 |
| Server 2019 | 0x84 | winserver-2019 |
| Server 2022 | 0x86 | winserver-2022 |
| Server 2025 | 0x88 | winserver-2025 |
Kernel module
ntoskrnl.exe (`AlpcpImpersonateClient`, which wraps `SeImpersonateClientEx`; see Undocumented notes)
Related APIs
NtAlpcAcceptConnectPort (source of `PortHandle`), NtAlpcConnectPort (where the client sets the `SECURITY_QUALITY_OF_SERVICE` that caps the level), ImpersonateNamedPipeClient (named-pipe equivalent), RpcImpersonateClient (ncalrpc bindings route here), RevertToSelf / NtSetInformationThread(ThreadImpersonationToken), SeImpersonateClientEx
Syscall stub
This listing is the Win11 24H2 / Server 2025 stub; only the imm32 after `B8` changes between builds (see the table above).

```asm
4C 8B D1                  mov  r10, rcx
B8 88 00 00 00            mov  eax, 0x88                    ; SSN (Win11 24H2 / Server 2025)
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1    ; KUSER_SHARED_DATA.SystemCall
75 03                     jne  short +3                     ; -> int 2Eh path
0F 05                     syscall
C3                        ret
CD 2E                     int  2Eh                          ; legacy trap entry
C3                        ret
```
Undocumented notes
`NtAlpcImpersonateClientOfPort` is the ALPC analogue of `ImpersonateNamedPipeClient`: the server thread that just received a message puts an impersonation token built from the sending client's security context on itself, performs the client-authorised operation, then calls `RevertToSelf`. Two things cap the level the server actually receives. First, the client's `SECURITY_QUALITY_OF_SERVICE.ImpersonationLevel` supplied at connect time: a client that connected at `SecurityIdentification` hands the server a token it can inspect but not act with (object opens under it fail with `STATUS_BAD_IMPERSONATION_LEVEL`), whereas nearly every Windows service is talked to by clients that request `SecurityImpersonation`, so that is the level seen almost everywhere. Second, the server's own privileges: unless the process holds `SeImpersonatePrivilege` (or the client token belongs to the server's own user and logon session), the kernel silently downgrades the token to identify level instead of failing the call, so a service stripped of that privilege can still authorise but cannot act on the client's behalf. Every `RpcImpersonateClient` call against an `ncalrpc` binding ends up here. Implementation is `AlpcpImpersonateClient` in `ntoskrnl.exe`, which calls `SeImpersonateClientEx`.
Common malware usage
**This is the highest-value ALPC syscall for privilege escalation**, but, critically, the bug is almost always in the *caller*, not in the syscall itself. The pattern: a SYSTEM service exposes an ALPC endpoint (usually RPC over `ncalrpc`), accepts a connection from an unprivileged client, impersonates that client for an access check ("may this user write here?"), and then performs the actual file or registry operation as SYSTEM: either it reverted before the write, never impersonated for that step, or re-resolved an attacker-controlled path (symlink, mount point or hard link) after the check, so the check and the action hit different objects (a TOCTOU). CVE-2018-8440 (SandboxEscaper's Task Scheduler `SchRpcSetSecurity` zero-day), CVE-2019-1130, CVE-2020-0668 (Windows Service Tracing LPE) and the Print Spooler PrintNightmare variants all hinge on some form of this impersonation misuse. The mirror-image mistake, *forgetting* `RevertToSelf`, does not elevate the low-privileged client; its effect is to leak the impersonation token to whatever request the pooled thread serves next. Malware doesn't usually *call* this syscall; it sends the right ALPC message at the right moment so that a SYSTEM service does.
Detection opportunities
On the *caller* side the syscall fires in essentially every Windows RPC server on every request, so it is useless as a primary signal, and impersonation itself writes no logon event (Security 4624 records logons, not a token being placed on a thread). Detect the *consequence* instead. Sysmon Event ID 1 (Process Create) where `ParentImage` is `spoolsv.exe` or the `svchost.exe` instance hosting the Schedule service, `User=NT AUTHORITY\SYSTEM`, and the child is not part of the service's baseline behaviour. Sysmon Event ID 11 (File Create) or 7 (Image Load) showing `spoolsv.exe` writing or loading a DLL under `spool\drivers\`, the PrintNightmare footprint. More generally, a SYSTEM service creating, moving or re-ACLing files in user-writable locations (`C:\Windows\Tasks`, `C:\Windows\Temp`, profile directories) immediately after an ALPC/RPC request from a medium- or low-integrity process. Reducing exposure is more reliable than any of these rules: register RPC interfaces with a security descriptor or security callback (`RpcServerRegisterIf3`, or `RpcServerRegisterIfEx` with `RPC_IF_ALLOW_LOCAL_ONLY`), put a restrictive DACL on the ALPC connection port, and run services that only need to *authorise* under an account without `SeImpersonatePrivilege`, since the kernel then caps the token at identify level.
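The two Sysmon rules above, run over sample records, as an added example (not code from this page or from any vendor tooling). The records are constructed, and the `|`-separated `key=value` layout is an assumption about how the Sysmon fields were exported; real deployments would read the XML or a SIEM export, but the matching logic is the same.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Verdicts for one record. */
enum { ALERT_NONE = 0, ALERT_SPOOLER_DRIVER_WRITE = 1, ALERT_SPOOLER_CHILD = 2 };

/* Constructed sample records (not real telemetry): Sysmon fields flattened to
 * '|'-separated key=value pairs (an assumed export format). */
#define SAMPLE_COUNT 4
const char *const kSampleLogs[SAMPLE_COUNT] = {
    "EventID=11|Image=C:\\Windows\\System32\\spoolsv.exe|TargetFilename=C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\payload.dll|User=NT AUTHORITY\\SYSTEM",
    "EventID=11|Image=C:\\Windows\\System32\\spoolsv.exe|TargetFilename=C:\\Windows\\System32\\spool\\PRINTERS\\00012.SPL|User=NT AUTHORITY\\SYSTEM",
    "EventID=1|Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\System32\\spoolsv.exe|User=NT AUTHORITY\\SYSTEM|IntegrityLevel=System",
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe|User=CORP\\alice|IntegrityLevel=Medium",
};

/* Copy the value of `key` from a '|'-separated record into out; false if absent. */
static bool get_field(const char *rec, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *p = rec;
    while (p && *p) {
        const char *end = strchr(p, '|');
        size_t flen = end ? (size_t)(end - p) : strlen(p);
        if (flen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = flen - klen - 1;
            if (vlen >= outsz) vlen = outsz - 1;
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return true;
        }
        p = end ? end + 1 : NULL;
    }
    return false;
}

/* Case-insensitive substring test (Windows paths are case-insensitive). */
static bool contains_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return true;
    }
    return n == 0;
}

/* Case-insensitive suffix test. */
static bool ends_with_ci(const char *s, const char *suf)
{
    size_t ls = strlen(s), lf = strlen(suf);
    if (lf > ls) return false;
    for (size_t i = 0; i < lf; i++)
        if (tolower((unsigned char)s[ls - lf + i]) != tolower((unsigned char)suf[i]))
            return false;
    return true;
}

/* Apply the two spooler rules from the Detection section to one record. */
int classify(const char *rec)
{
    char ev[8], image[260], parent[260], target[260], user[64];
    if (!get_field(rec, "EventID", ev, sizeof ev)) return ALERT_NONE;

    if (strcmp(ev, "11") == 0) {   /* FileCreate: spoolsv.exe dropping a DLL into the driver store */
        if (get_field(rec, "Image", image, sizeof image) && ends_with_ci(image, "\\spoolsv.exe") &&
            get_field(rec, "TargetFilename", target, sizeof target) &&
            contains_ci(target, "\\spool\\drivers\\") && ends_with_ci(target, ".dll"))
            return ALERT_SPOOLER_DRIVER_WRITE;
    } else if (strcmp(ev, "1") == 0) {   /* ProcessCreate: SYSTEM child of spoolsv.exe */
        if (get_field(rec, "ParentImage", parent, sizeof parent) && ends_with_ci(parent, "\\spoolsv.exe") &&
            get_field(rec, "User", user, sizeof user) && contains_ci(user, "SYSTEM"))
            return ALERT_SPOOLER_CHILD;
    }
    return ALERT_NONE;
}

/* Number of sample records that raise an alert. */
int count_alerts(void)
{
    int n = 0;
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        if (classify(kSampleLogs[i]) != ALERT_NONE) n++;
    return n;
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        printf("record %zu -> verdict %d\n", i, classify(kSampleLogs[i]));
    return 0;
}
```

The ProcessCreate rule flags every SYSTEM child of `spoolsv.exe`; baseline the service first and add an allowlist for whatever it legitimately spawns in your environment, otherwise the rule is noisy.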
Direct syscall examples
x64 direct stub (Win11 24H2)

```asm
; Direct syscall stub for NtAlpcImpersonateClientOfPort (SSN 0x88 on Win11 24H2 / Server 2025)
; Hard-coding the number ties the binary to one build; resolve it at runtime from the
; target's ntdll stub bytes instead.
NtAlpcImpersonateClientOfPort PROC
    mov r10, rcx        ; PortHandle (rcx/rdx/r8 already hold the three arguments)
    mov eax, 88h        ; SSN, drifts per build (see table above)
    syscall
    ret
NtAlpcImpersonateClientOfPort ENDP
```

ALPC server-side impersonation (the canonical SAFE pattern)
```c
// The bug class lives in callers that do the privileged work as SYSTEM on an
// object the client controls: reverting too early, never impersonating for
// that step, or re-resolving an already-checked path after the check (TOCTOU).
#include <windows.h>
#include <winternl.h>
#pragma comment(lib, "advapi32.lib")   // RevertToSelf

// Layout is this page's reconstruction; phnt declares the parameter as PVOID.
typedef struct _ALPC_IMPERSONATE_INFO {
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
    ULONG Flags;
    ULONG RequiredImpersonationLevel;
} ALPC_IMPERSONATE_INFO, *PALPC_IMPERSONATE_INFO;

typedef NTSTATUS (NTAPI *pNtAlpcImpersonateClientOfPort)(
    HANDLE, PPORT_MESSAGE, PALPC_IMPERSONATE_INFO);

// Run `work` under the client's token. `work` must open the objects it needs
// while impersonating and keep using those handles; it must not re-open by
// path after RevertToSelf, because the path may then resolve elsewhere.
NTSTATUS DoAsClient(HANDLE hCommPort, PPORT_MESSAGE pMsg,
                    NTSTATUS (*work)(void)) {
    pNtAlpcImpersonateClientOfPort imp = (pNtAlpcImpersonateClientOfPort)
        GetProcAddress(GetModuleHandleA("ntdll.dll"),
                       "NtAlpcImpersonateClientOfPort");
    if (!imp) return (NTSTATUS)0xC000007AL;   // STATUS_PROCEDURE_NOT_FOUND
    NTSTATUS st = imp(hCommPort, pMsg, NULL /* level from the client's connect-time QoS */);
    if (!NT_SUCCESS(st)) return st;           // never fall back to doing the work as SYSTEM
    st = work();        // ALL privileged work happens here, under the client's token
    RevertToSelf();     // always: a leaked token is served to the next request on this thread
    return st;
}
```

Note: typical CVE pattern (illustration only, not a working exploit)
```c
// Real ALPC LPE chains (CVE-2018-8440, CVE-2020-0668, PrintNightmare variants)
// trick a privileged service into calling NtAlpcImpersonateClientOfPort against
// an attacker-controlled message, then performing FS / registry I/O AFTER the
// impersonation has either been reverted or never applied to the right object.
// The syscall itself behaves correctly; the vulnerability lives in the service.
// This file documents the syscall only; PoCs belong with the CVE references.
```
MITRE ATT&CK mappings
T1134.001 Access Token Manipulation: Token Impersonation/Theft (the primitive itself); T1068 Exploitation for Privilege Escalation (the service-side misuse described above)
Last verified: 2026-05-20