NtAlpcRevokeSecurityContext
Invalidates a cached ALPC SECURITY_QOS context without freeing its handle slot.
Prototype
NTSTATUS NtAlpcRevokeSecurityContext( HANDLE PortHandle, ULONG Flags, ALPC_HANDLE ContextHandle );
Arguments
| Name | Type | Dir | Description |
|---|---|---|---|
| PortHandle | HANDLE | in | Handle to the ALPC port that owns the security context. |
| Flags | ULONG | in | Reserved. Must be 0. |
| ContextHandle | ALPC_HANDLE | in | Opaque ALPC_HANDLE returned by NtAlpcCreateSecurityContext; the context to mark revoked. |
Syscall IDs by Windows version
| Windows version | Syscall ID | Build |
|---|---|---|
| Win10 1507 | 0x87 | win10-1507 |
| Win10 1607 | 0x87 | win10-1607 |
| Win10 1703 | 0x88 | win10-1703 |
| Win10 1709 | 0x88 | win10-1709 |
| Win10 1803 | 0x89 | win10-1803 |
| Win10 1809 | 0x89 | win10-1809 |
| Win10 1903 | 0x89 | win10-1903 |
| Win10 1909 | 0x89 | win10-1909 |
| Win10 2004 | 0x8B | win10-2004 |
| Win10 20H2 | 0x8B | win10-20h2 |
| Win10 21H1 | 0x8B | win10-21h1 |
| Win10 21H2 | 0x8B | win10-21h2 |
| Win10 22H2 | 0x8B | win10-22h2 |
| Win11 21H2 | 0x8B | win11-21h2 |
| Win11 22H2 | 0x8B | win11-22h2 |
| Win11 23H2 | 0x8B | win11-23h2 |
| Win11 24H2 | 0x8D | win11-24h2 |
| Server 2016 | 0x87 | winserver-2016 |
| Server 2019 | 0x89 | winserver-2019 |
| Server 2022 | 0x8B | winserver-2022 |
| Server 2025 | 0x8D | winserver-2025 |
Kernel module
Related APIs
Syscall stub
```asm
4C 8B D1                   mov r10, rcx
B8 8D 00 00 00             mov eax, 0x8D
F6 04 25 08 03 FE 7F 01    test byte ptr [0x7FFE0308], 1
75 03                      jne short +3
0F 05                      syscall
C3                         ret
CD 2E                      int 2Eh
C3                         ret
```

The `test` inspects bit 0 of `KUSER_SHARED_DATA.SystemCall` (0x7FFE0000 + 0x308); when it is set the stub skips the `syscall; ret` pair and falls through to the legacy `int 2Eh` entry. The SSN (0x8D here) is the imm32 of the `mov eax` at offset 3, which is where a runtime resolver reads it; the value changes between builds (see the table above), so a hardcoded number is only valid for the build it was taken from.
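Because the service number moves between builds, a direct-syscall caller should read it out of the live ntdll stub rather than hardcode 0x8D. The following is an added example, not code from this page: it parses the stub bytes for the `mov r10, rcx ; mov eax, imm32 ; ... ; syscall` pattern, rejects a stub whose prologue has been overwritten (a `jmp` to a hook, for instance), and returns the SSN. On Windows you would pass it the bytes at `GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtAlpcRevokeSecurityContext")`; here the input is the stub listed on this page plus a constructed hooked variant, embedded as constants so the check runs anywhere.

```c
// Added example: recover a syscall number from an x64 ntdll stub's bytes.
// Not code from this page; the hooked stub below is constructed for the demo.
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return the SSN encoded in a clean x64 stub, or -1 if the bytes do not look
 * like an unhooked "mov r10,rcx ; mov eax,imm32 ; ... ; syscall" sequence. */
int parse_ssn(const uint8_t *stub, size_t len) {
    static const uint8_t prologue[] = { 0x4C, 0x8B, 0xD1, 0xB8 }; /* mov r10,rcx ; mov eax, */
    static const uint8_t sysc[]     = { 0x0F, 0x05 };             /* syscall */
    if (len < 8 || memcmp(stub, prologue, sizeof prologue) != 0)
        return -1;                         /* patched prologue: a hook is in place */
    /* imm32 is little-endian; a real SSN is small, with the upper bytes zero. */
    uint32_t imm = (uint32_t)stub[4] | ((uint32_t)stub[5] << 8)
                 | ((uint32_t)stub[6] << 16) | ((uint32_t)stub[7] << 24);
    if (imm >= 0x1000)
        return -1;
    /* Require a syscall instruction shortly after: Win10+ stubs carry the
     * KUSER_SHARED_DATA test + jne (10 bytes) in between, older ones nothing. */
    for (size_t i = 8; i + sizeof sysc <= len && i < 8 + 16; i++)
        if (memcmp(stub + i, sysc, sizeof sysc) == 0)
            return (int)imm;
    return -1;
}

/* The stub from this page (Win11 24H2 / Server 2025, SSN 0x8D). */
static const uint8_t page_stub[] = {
    0x4C, 0x8B, 0xD1,                               /* mov r10, rcx */
    0xB8, 0x8D, 0x00, 0x00, 0x00,                   /* mov eax, 0x8D */
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01, /* test byte ptr [0x7FFE0308], 1 */
    0x75, 0x03,                                     /* jne short +3 */
    0x0F, 0x05,                                     /* syscall */
    0xC3,                                           /* ret */
    0xCD, 0x2E,                                     /* int 2Eh */
    0xC3                                            /* ret */
};

/* Constructed: the same stub with its first five bytes replaced by a
 * jmp rel32 to a user-mode hook, as an inline-hooking EDR would leave it. */
static const uint8_t hooked_stub[] = {
    0xE9, 0x00, 0x10, 0x00, 0x00,                   /* jmp +0x1000 (hook trampoline) */
    0x00, 0x00, 0x00,
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01,
    0x75, 0x03, 0x0F, 0x05, 0xC3, 0xCD, 0x2E, 0xC3
};

int ssn_from_page_stub(void)   { return parse_ssn(page_stub, sizeof page_stub); }
int ssn_from_hooked_stub(void) { return parse_ssn(hooked_stub, sizeof hooked_stub); }

int main(void) {
    printf("page stub   -> SSN %d\n", ssn_from_page_stub());
    printf("hooked stub -> SSN %d\n", ssn_from_hooked_stub());
    return 0;
}
```

A -1 from the hooked case is the useful signal: it tells the caller that the prologue is not what ntdll shipped, so the number would have to come from a clean copy of ntdll on disk or from a neighbouring unhooked stub instead.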
Undocumented notes
`NtAlpcRevokeSecurityContext` is the **soft-disable** counterpart to `NtAlpcDeleteSecurityContext`'s **destructor**. It flips a flag on the context entry so that any subsequent `NtAlpcImpersonateClientOfPort` referencing it fails with `STATUS_ALPC_HANDLE_REVOKED`, while the entry itself stays allocated until the normal delete. Two reasons a server prefers revoke over delete: (1) the same handle is still referenced by in-flight `PORT_MESSAGE`s, so an immediate delete would race with them; (2) the server wants to log which messages tried to use the now-invalid token. The kernel sets the context's revoked flag (`AlpcSecurityContext->Revoked`) and lets the reference count drop to zero on its own, at which point the underlying token reference is released. Revoke does not free the `ALPC_HANDLE` slot: that is reclaimed only by a later `NtAlpcDeleteSecurityContext` or by closing the port.
Common malware usage
Almost no offensive interest: it is *less* powerful than `NtAlpcDeleteSecurityContext` (no UAF risk, no immediate freeing). A red-team operator who has compromised a privileged ALPC server might revoke an existing context to **deny service** to a specific client (a noisy EDR agent, for example) without dropping the whole connection: surgical degradation rather than tear-down. Otherwise the syscall is invoked only as part of normal RPC server cleanup.
Detection opportunities
Functionally invisible to defenders: revocation has no externally observable effect except that a subsequent impersonation fails with `STATUS_ALPC_HANDLE_REVOKED`, which is normal during shutdown. Treat anomalies the same way as for `NtAlpcDeleteSecurityContext`: look at the **pattern** (frequent revoke-then-create cycles on the same port suggest a fuzzer or a TOCTOU prober), not the syscall itself. The Microsoft-Windows-Kernel-ALPC ETW provider records the call when enabled.
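The pattern check described above, as an added example that is not code from this page: it runs over a constructed event trace and counts revoke-then-create cycles per port within a time window, flagging a port once the count crosses a threshold. The record layout (timestamp in milliseconds, port identifier, syscall name) is hypothetical; map it onto whatever fields your ALPC telemetry actually provides.

```c
// Added example: revoke->create churn detection over a constructed trace.
// Not code from this page; the event layout and the trace are hypothetical.
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    unsigned long long ts_ms;   /* event time, milliseconds (constructed) */
    unsigned long long port;    /* port identifier (constructed) */
    const char        *call;    /* syscall name as the sensor reports it */
} alpc_event;

/* Count revoke->create cycles on one port: a create that follows the most
 * recent revoke within window_ms closes one cycle. A lone revoke with no
 * create after it (normal shutdown) contributes nothing. */
int count_revoke_create_cycles(const alpc_event *ev, size_t n,
                               unsigned long long port, unsigned long long window_ms) {
    int cycles = 0;
    int pending = 0;                    /* a revoke seen, not yet paired */
    unsigned long long last_revoke = 0;
    for (size_t i = 0; i < n; i++) {
        if (ev[i].port != port) continue;
        if (strcmp(ev[i].call, "NtAlpcRevokeSecurityContext") == 0) {
            last_revoke = ev[i].ts_ms;
            pending = 1;
        } else if (pending && strcmp(ev[i].call, "NtAlpcCreateSecurityContext") == 0
                   && ev[i].ts_ms - last_revoke <= window_ms) {
            cycles++;
            pending = 0;
        }
    }
    return cycles;
}

/* Constructed trace: port 0x10 is a server shutting down cleanly (one revoke,
 * then the delete); port 0x20 shows the rapid revoke/create churn the notes
 * above associate with a fuzzer or TOCTOU prober. */
static const alpc_event trace[] = {
    {    0, 0x10, "NtAlpcCreateSecurityContext" },
    {  100, 0x20, "NtAlpcCreateSecurityContext" },
    {  101, 0x20, "NtAlpcRevokeSecurityContext" },
    {  102, 0x20, "NtAlpcCreateSecurityContext" },
    {  103, 0x20, "NtAlpcRevokeSecurityContext" },
    {  104, 0x20, "NtAlpcCreateSecurityContext" },
    {  105, 0x20, "NtAlpcRevokeSecurityContext" },
    {  106, 0x20, "NtAlpcCreateSecurityContext" },
    {  107, 0x20, "NtAlpcRevokeSecurityContext" },
    {  108, 0x20, "NtAlpcCreateSecurityContext" },
    { 5000, 0x10, "NtAlpcRevokeSecurityContext" },
    { 5001, 0x10, "NtAlpcDeleteSecurityContext" },
};
#define TRACE_LEN       (sizeof trace / sizeof trace[0])
#define WINDOW_MS       1000ULL
#define CYCLE_THRESHOLD 3           /* tune against your own baseline */

/* 1 if the port's churn crosses the threshold, else 0. */
int port_is_suspicious(unsigned long long port) {
    return count_revoke_create_cycles(trace, TRACE_LEN, port, WINDOW_MS) >= CYCLE_THRESHOLD;
}

int main(void) {
    unsigned long long ports[] = { 0x10, 0x20 };
    for (size_t i = 0; i < 2; i++)
        printf("port 0x%llx: %d cycles, suspicious=%d\n", ports[i],
               count_revoke_create_cycles(trace, TRACE_LEN, ports[i], WINDOW_MS),
               port_is_suspicious(ports[i]));
    return 0;
}
```

The window matters more than the threshold: a legitimate server that recreates a client's context after a credential refresh will produce a single revoke followed by a create seconds or minutes later, which the 1 s window here ignores, while a prober looping on the same port closes several cycles within milliseconds.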
Direct syscall examples
Soft-disable a cached client QoS

```c
// Mark a cached client context as revoked without disturbing in-flight messages.
// Later, NtAlpcDeleteSecurityContext finishes the job when the ref-count is zero.
#include <windows.h>
#include <winternl.h>
#pragma comment(lib, "ntdll.lib")

typedef PVOID ALPC_HANDLE;

// Undocumented: declared here because winternl.h does not expose it.
NTSTATUS NTAPI NtAlpcRevokeSecurityContext(HANDLE PortHandle, ULONG Flags, ALPC_HANDLE ContextHandle);

// Returns the kernel's status so the caller can distinguish a successful revoke
// from a bad port or context handle. After success, NtAlpcImpersonateClientOfPort
// referencing ctx returns STATUS_ALPC_HANDLE_REVOKED instead of impersonating.
NTSTATUS SoftRevoke(HANDLE serverPort, ALPC_HANDLE ctx) {
    return NtAlpcRevokeSecurityContext(serverPort, 0 /* Flags: reserved, must be 0 */, ctx);
}
```

x64 direct stub (Win11 24H2)

```asm
; Direct syscall stub for NtAlpcRevokeSecurityContext (SSN 0x8D on Win11 24H2 / Server 2025).
; The number is build-specific (see the table above); on any other build resolve it at runtime.
.code
NtAlpcRevokeSecurityContext PROC
    mov r10, rcx        ; PortHandle: syscall clobbers rcx, so the kernel reads arg1 from r10
    mov eax, 8Dh        ; SSN
    syscall
    ret
NtAlpcRevokeSecurityContext ENDP
END
```

MITRE ATT&CK mappings
Last verified: 2026-05-20