NtAlpcQueryInformation
Queries metadata about an ALPC port — owning process, message stats, server SID, port attributes.
Prototype
NTSTATUS NtAlpcQueryInformation( HANDLE PortHandle, ALPC_PORT_INFORMATION_CLASS PortInformationClass, PVOID PortInformation, ULONG Length, PULONG ReturnLength );
Arguments
| Name | Type | Dir | Description |
|---|---|---|---|
| PortHandle | HANDLE | in | Handle to an ALPC connection, communication or server port. NULL for class AlpcBasicInformation queries against the calling process's port table. |
| PortInformationClass | ALPC_PORT_INFORMATION_CLASS | in | AlpcBasicInformation (0), AlpcPortInformation (1), AlpcAssociateCompletionPortInformation (2), AlpcConnectedSIDInformation (3), AlpcServerInformation (4), AlpcMessageZoneInformation (5), AlpcRegisterCompletionListInformation (6), AlpcUnregisterCompletionListInformation (7), AlpcAdjustCompletionListConcurrencyCount (8), AlpcRegisterCallbackInformation (9), AlpcCompletionListRundownInformation (10), AlpcWaitForPortReferences (11). |
| PortInformation | PVOID | in/out | Buffer for the information class-specific structure (e.g. ALPC_BASIC_INFORMATION, ALPC_SERVER_INFORMATION). |
| Length | ULONG | in | Size of PortInformation in bytes. |
| ReturnLength | PULONG | out | Receives the number of bytes written; on STATUS_INFO_LENGTH_MISMATCH receives the required size. |
Syscall IDs by Windows version
| Windows version | Syscall ID | Build |
|---|---|---|
| Win10 1507 | 0x85 | win10-1507 |
| Win10 1607 | 0x85 | win10-1607 |
| Win10 1703 | 0x86 | win10-1703 |
| Win10 1709 | 0x86 | win10-1709 |
| Win10 1803 | 0x87 | win10-1803 |
| Win10 1809 | 0x87 | win10-1809 |
| Win10 1903 | 0x87 | win10-1903 |
| Win10 1909 | 0x87 | win10-1909 |
| Win10 2004 | 0x89 | win10-2004 |
| Win10 20H2 | 0x89 | win10-20h2 |
| Win10 21H1 | 0x89 | win10-21h1 |
| Win10 21H2 | 0x89 | win10-21h2 |
| Win10 22H2 | 0x89 | win10-22h2 |
| Win11 21H2 | 0x89 | win11-21h2 |
| Win11 22H2 | 0x89 | win11-22h2 |
| Win11 23H2 | 0x89 | win11-23h2 |
| Win11 24H2 | 0x8B | win11-24h2 |
| Server 2016 | 0x85 | winserver-2016 |
| Server 2019 | 0x87 | winserver-2019 |
| Server 2022 | 0x89 | winserver-2022 |
| Server 2025 | 0x8B | winserver-2025 |
Kernel module
Related APIs
Syscall stub
4C 8B D1 mov r10, rcx B8 8B 00 00 00 mov eax, 0x8B F6 04 25 08 03 FE 7F 01 test byte ptr [0x7FFE0308], 1 75 03 jne short +3 0F 05 syscall C3 ret CD 2E int 2Eh C3 ret
Undocumented notes
The introspection counterpart of `NtAlpcSetInformation`. The most commonly used classes are `AlpcBasicInformation` (port flags, attributes, ref counts), `AlpcServerInformation` (resolves a port handle to the *server* process — given a client port, returns the PID hosting the connection port), and `AlpcConnectedSIDInformation` (returns the SID on the other end of the connection). The `AlpcServerInformation` class is unusual in that it accepts a `ProcessId` on input and returns server-port info — historically a fingerprinting / enumeration trick. There is no public Win32 wrapper; SystemInformer and ProcessHacker call this directly to populate their ALPC port lists.
Common malware usage
Used by ALPC-aware reconnaissance tooling: given an `ncalrpc` endpoint, `AlpcServerInformation` resolves it to the hosting PID — useful for verifying that you're actually talking to (e.g.) `services.exe` and not a fake endpoint, or conversely for identifying which process owns a high-value LRPC port before launching an LPE. Sandbox-evasion checks occasionally enumerate ALPC ports for the presence of Cuckoo / Joe Sandbox agent endpoints (older versions exposed identifiable LRPC names). Otherwise this is a passive query syscall with minimal direct-abuse signal.
Detection opportunities
Low value as a primary detection. ALPC introspection is performed by half of the diagnostic tools shipped in Windows itself (`tasklist /svc`, `wmic`, the new `Get-Process` PowerShell cmdlets, `sysinternals` suite). The ETW provider `Microsoft-Windows-Kernel-ALPC` does emit query events but they are extraordinarily noisy. The blue-team play is to ignore this syscall and instead alert on what follows: an `NtAlpcConnectPort` from a non-system binary to a high-value LRPC port whose owner was just queried.
Direct syscall examples
asmx64 direct stub (Win11 24H2)
; Direct syscall stub for NtAlpcQueryInformation (SSN 0x8B on Win11 24H2)
NtAlpcQueryInformation PROC
mov r10, rcx ; PortHandle
mov eax, 8Bh ; SSN — drifts per build
syscall
ret
NtAlpcQueryInformation ENDPcResolve an ALPC client port to its server PID
// AlpcServerInformation (class 4) accepts a ProcessId in the IN side of the
// ALPC_SERVER_INFORMATION struct and returns the server-port name & flags.
#include <windows.h>
#include <winternl.h>
typedef enum _ALPC_PORT_INFORMATION_CLASS {
AlpcBasicInformation = 0,
AlpcServerInformation = 4,
AlpcConnectedSIDInformation = 3,
} ALPC_PORT_INFORMATION_CLASS;
typedef struct _ALPC_SERVER_INFORMATION_IN {
HANDLE ProcessId;
} ALPC_SERVER_INFORMATION_IN;
typedef struct _ALPC_SERVER_INFORMATION_OUT {
BOOLEAN ThreadBlocked;
HANDLE ConnectedProcessId;
UNICODE_STRING ConnectionPortName;
} ALPC_SERVER_INFORMATION_OUT;
typedef union _ALPC_SERVER_INFORMATION {
ALPC_SERVER_INFORMATION_IN In;
ALPC_SERVER_INFORMATION_OUT Out;
} ALPC_SERVER_INFORMATION;
typedef NTSTATUS (NTAPI *pNtAlpcQueryInformation)(
HANDLE, ALPC_PORT_INFORMATION_CLASS, PVOID, ULONG, PULONG);
NTSTATUS WhoOwnsPort(HANDLE hClientPort, ALPC_SERVER_INFORMATION_OUT *out) {
ALPC_SERVER_INFORMATION info = {0};
ULONG ret = 0;
pNtAlpcQueryInformation fn = (pNtAlpcQueryInformation)GetProcAddress(
GetModuleHandleA("ntdll.dll"), "NtAlpcQueryInformation");
NTSTATUS st = fn(hClientPort, AlpcServerInformation,
&info, sizeof(info), &ret);
if (NT_SUCCESS(st)) *out = info.Out;
return st;
}MITRE ATT&CK mappings
Last verified: 2026-05-20