Kernel module: ntoskrnl.exe | ATT&CK: T1106, T1027

NtClearEvent

Drives an event object to the non-signaled state without returning the previous state.

Prototype

NTSTATUS NtClearEvent(
  HANDLE  EventHandle
);

Arguments

| Name | Type | Dir | Description |
|---|---|---|---|
| EventHandle | HANDLE | in | Handle to the event with EVENT_MODIFY_STATE access. |

Syscall IDs by Windows version

| Windows version | Syscall ID | Build |
|---|---|---|
| Win10 1507 | 0x3E | win10-1507 |
| Win10 1607 | 0x3E | win10-1607 |
| Win10 1703 | 0x3E | win10-1703 |
| Win10 1709 | 0x3E | win10-1709 |
| Win10 1803 | 0x3E | win10-1803 |
| Win10 1809 | 0x3E | win10-1809 |
| Win10 1903 | 0x3E | win10-1903 |
| Win10 1909 | 0x3E | win10-1909 |
| Win10 2004 | 0x3E | win10-2004 |
| Win10 20H2 | 0x3E | win10-20h2 |
| Win10 21H1 | 0x3E | win10-21h1 |
| Win10 21H2 | 0x3E | win10-21h2 |
| Win10 22H2 | 0x3E | win10-22h2 |
| Win11 21H2 | 0x3E | win11-21h2 |
| Win11 22H2 | 0x3E | win11-22h2 |
| Win11 23H2 | 0x3E | win11-23h2 |
| Win11 24H2 | 0x3E | win11-24h2 |
| Server 2016 | 0x3E | winserver-2016 |
| Server 2019 | 0x3E | winserver-2019 |
| Server 2022 | 0x3E | winserver-2022 |
| Server 2025 | 0x3E | winserver-2025 |

Kernel module

| Module | Routine |
|---|---|
| ntoskrnl.exe | NtClearEvent |

Related APIs

ResetEvent, NtResetEvent, NtSetEvent, NtPulseEvent, NtWaitForSingleObject

Syscall stub

4C 8B D1            mov r10, rcx
B8 3E 00 00 00      mov eax, 0x3E
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

NtClearEvent is the slimmest of the event-state-mutating syscalls: it takes only a handle, drops the event to non-signaled and returns NTSTATUS. Internally the kernel calls the same `KeResetEvent` routine as NtResetEvent — the only difference is that NtClearEvent discards the previous state instead of writing it back to userland, saving a probe and write to the `PreviousState` pointer. SSN `0x3E` has been frozen across every Windows 10/11 build. Most user-mode code reaches it indirectly via `ResetEvent` in Win32, which takes only the handle and therefore dispatches to NtClearEvent (not NtResetEvent), since it has no previous state to hand back.

Common malware usage

Same role as NtResetEvent in *sleep-mask* and *event-paced* implant loops, picked when the caller doesn't need the previous state and wants the smallest syscall footprint. Some shellcode loaders prefer NtClearEvent over the Win32 `ResetEvent` precisely because it is one indirection less for an EDR user-mode hook to land on. Otherwise overwhelmingly legitimate.

Detection opportunities

Like NtResetEvent, NtClearEvent is high-volume legitimate traffic and not a signal on its own. The detection story is identical: look for tight `Set→Wait→Clear` loops out of unbacked memory, or out of threads whose only mapped image is suspicious. ETW does not separately surface clear vs reset. If you've already hooked NtResetEvent at the user-mode boundary, make sure NtClearEvent is hooked too — otherwise a one-line code swap defeats the hook.
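As an added example that is not part of this page, a toy detector for the tight `Set→Wait→Clear` loop described above, run over constructed telemetry lines. The log format and the `backed`/`unbacked` field (whether the user-mode return address of the syscall lies inside a mapped image) are assumptions made for the example; clear and reset are treated as one step so the one-line NtResetEvent/NtClearEvent swap does not slip past the rule.

```python
# Added example: detect back-to-back Set -> Wait -> Clear/Reset cycles issued from
# unbacked memory. Constructed log format (not a real ETW schema):
#   <ts_us> <pid> <tid> <syscall> <backed|unbacked>
from collections import defaultdict

SAMPLE_LOG = """\
1000 4242 17 NtSetEvent unbacked
1020 4242 17 NtWaitForSingleObject unbacked
5030 4242 17 NtClearEvent unbacked
5040 4242 17 NtSetEvent unbacked
5060 4242 17 NtWaitForSingleObject unbacked
9070 4242 17 NtResetEvent unbacked
9080 4242 17 NtSetEvent unbacked
9100 4242 17 NtWaitForSingleObject unbacked
13110 4242 17 NtClearEvent unbacked
2000 1337 9 NtSetEvent backed
2010 1337 9 NtWaitForSingleObject backed
2030 1337 9 NtClearEvent backed
"""

# Clear and reset are interchangeable for the implant, so hook/match both.
CLEAR_LIKE = {"NtClearEvent", "NtResetEvent"}

def parse_log(text):
    """Parse constructed lines into (ts_us, pid, tid, syscall, backed) tuples, oldest first."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, pid, tid, name, backed = line.split()
            rows.append((int(ts), int(pid), int(tid), name, backed == "backed"))
    return sorted(rows)

def find_tight_loops(rows, min_cycles=3, max_cycle_us=10_000):
    """Return {(pid, tid): longest run} for threads with at least min_cycles consecutive
    Set -> Wait -> Clear/Reset cycles, each fully unbacked and finishing within max_cycle_us."""
    per_thread = defaultdict(list)
    for ts, pid, tid, name, backed in rows:
        per_thread[(pid, tid)].append((ts, name, backed))
    hits = {}
    for key, seq in per_thread.items():
        best = run = i = 0
        while i + 2 < len(seq):
            (t0, n0, b0), (_, n1, b1), (t2, n2, b2) = seq[i:i + 3]
            is_cycle = n0 == "NtSetEvent" and n1 == "NtWaitForSingleObject" and n2 in CLEAR_LIKE
            if is_cycle and not (b0 or b1 or b2) and t2 - t0 <= max_cycle_us:
                run += 1
                best = max(best, run)
                i += 3
            else:
                run, i = 0, i + 1   # pattern broke, caller was image-backed, or cycle too slow
        if best >= min_cycles:
            hits[key] = best
    return hits
```

Only the unbacked thread (pid 4242, tid 17) is reported; the image-backed thread running the same sequence is ignored, and tightening `max_cycle_us` below the observed period drops the hit.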

Direct syscall examples

x64 direct stub (asm)

; Direct syscall stub for NtClearEvent (SSN 0x3E, stable Win10 1507+)
NtClearEvent PROC
    mov  r10, rcx          ; EventHandle
    mov  eax, 3Eh          ; SSN
    syscall
    ret
NtClearEvent ENDP

Minimal one-arg clear (C)

// One-shot reset; cheaper than NtResetEvent because there is no PreviousState writeback.
#include <windows.h>
#include <winternl.h>

#ifndef STATUS_PROCEDURE_NOT_FOUND
#define STATUS_PROCEDURE_NOT_FOUND ((NTSTATUS)0xC000007AL)
#endif

typedef NTSTATUS (NTAPI *pNtClearEvent)(HANDLE EventHandle);

NTSTATUS ClearEvt(HANDLE hEvent) {
    // ntdll.dll is mapped into every Win32 process, but GetProcAddress can still
    // return NULL; never call through an unchecked pointer.
    pNtClearEvent fn = (pNtClearEvent)GetProcAddress(
        GetModuleHandleA("ntdll.dll"), "NtClearEvent");
    if (fn == NULL)
        return STATUS_PROCEDURE_NOT_FOUND;
    return fn(hEvent);   // drives hEvent to non-signaled; STATUS_SUCCESS on success
}

MITRE ATT&CK mappings

T1106 Native API
T1027 Obfuscated Files or Information

Last verified: 2026-05-20