ntoskrnl.exeT1547.001T1546.012T1112

NtCreateKey

Creates or opens a registry key — the kernel-level primitive behind every persistence beacon written to the registry.

Prototype

NTSTATUS NtCreateKey(
  PHANDLE            KeyHandle,
  ACCESS_MASK        DesiredAccess,
  POBJECT_ATTRIBUTES ObjectAttributes,
  ULONG              TitleIndex,
  PUNICODE_STRING    Class,
  ULONG              CreateOptions,
  PULONG             Disposition
);

Arguments

Name	Type	Dir	Description
KeyHandle	PHANDLE	out	Receives the handle to the newly created or opened key.
DesiredAccess	ACCESS_MASK	in	Access mask, e.g. KEY_WRITE, KEY_ALL_ACCESS, KEY_SET_VALUE.
ObjectAttributes	POBJECT_ATTRIBUTES	in	OBJECT_ATTRIBUTES containing the registry path (e.g. \Registry\Machine\Software\...).
TitleIndex	ULONG	in	Reserved. Must be zero.
Class	PUNICODE_STRING	in	Optional class name for the key. Usually NULL.
CreateOptions	ULONG	in	Flags, e.g. REG_OPTION_NON_VOLATILE, REG_OPTION_VOLATILE, REG_OPTION_CREATE_LINK.
Disposition	PULONG	out	Receives REG_CREATED_NEW_KEY or REG_OPENED_EXISTING_KEY. May be NULL.

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0x1D	win10-1507
Win10 1607	0x1D	win10-1607
Win10 1703	0x1D	win10-1703
Win10 1709	0x1D	win10-1709
Win10 1803	0x1D	win10-1803
Win10 1809	0x1D	win10-1809
Win10 1903	0x1D	win10-1903
Win10 1909	0x1D	win10-1909
Win10 2004	0x1D	win10-2004
Win10 20H2	0x1D	win10-20h2
Win10 21H1	0x1D	win10-21h1
Win10 21H2	0x1D	win10-21h2
Win10 22H2	0x1D	win10-22h2
Win11 21H2	0x1D	win11-21h2
Win11 22H2	0x1D	win11-22h2
Win11 23H2	0x1D	win11-23h2
Win11 24H2	0x1D	win11-24h2
Server 2016	0x1D	winserver-2016
Server 2019	0x1D	winserver-2019
Server 2022	0x1D	winserver-2022
Server 2025	0x1D	winserver-2025

Kernel module

ntoskrnl.exe → NtCreateKey

Related APIs

RegCreateKeyExWRegOpenKeyExWNtOpenKeyNtOpenKeyExNtSetValueKeyNtDeleteKey

Syscall stub

4C 8B D1            mov r10, rcx
B8 1D 00 00 00      mov eax, 0x1D
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

`0x1D` has been the SSN since Windows 7 and remains unchanged through Win11 24H2 — one of the most reliable hardcoded numbers available. The call routes through CmpCallCallBacksEx and CmCreateKey inside the Configuration Manager (CM_KEY_BODY allocation). Because the ObjectAttributes path is parsed in the NT object namespace (`\Registry\Machine\...`, `\Registry\User\<SID>\...`), implants use it directly to dodge Win32 path-translation hooks that EDRs add at advapi32!RegCreateKeyEx.

Common malware usage

Persistence is the dominant use case. Operators create subkeys under `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`, `HKCU\...\Run`, `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon` (Shell/Userinit/AppInit_DLLs), `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<target.exe>` (Debugger value hijack), and `HKLM\System\CurrentControlSet\Services\<name>` for service-based persistence. Calling NtCreateKey directly bypasses any user-mode hooks on advapi32 and lets the actor write to keys without leaving CreateRemoteThread-style artifacts.

EmotetTrickBotQakbotTurlaAPT29 (Cozy Bear)Dridex

Detection opportunities

The Microsoft-Windows-Kernel-Registry ETW provider (`{70EB4F03-C1DE-4F73-A051-33D13D5413BD}`) fires `EventCreateKey` (Opcode 10) with the full key path and the creator's PID — this is the single best detection source and cannot be hidden from user mode. Sysmon Event ID 12 (RegistryEvent: CreateKey / DeleteKey) captures the same on endpoints without Defender for Endpoint. Hunt particularly on autostart keys, IFEO subkey creations targeting common LOLBins (`mmc.exe`, `taskmgr.exe`, `osk.exe`), and any new `Services\` entry with an ImagePath outside `\SystemRoot\System32\`. EDR hooks on advapi32!RegCreateKeyEx are easily evaded; kernel ETW is not.

Direct syscall examples

cCreate or open HKCU Run subkey

// Open / create HKCU\Software\Microsoft\Windows\CurrentVersion\Run via Nt path.
// Pair with NtSetValueKey to drop a persistence entry.
UNICODE_STRING path;
RtlInitUnicodeString(&path,
    L"\\Registry\\User\\<SID>\\Software\\Microsoft\\Windows\\CurrentVersion\\Run");

OBJECT_ATTRIBUTES oa;
InitializeObjectAttributes(&oa, &path, OBJ_CASE_INSENSITIVE, NULL, NULL);

HANDLE hKey = NULL;
ULONG disposition = 0;
NTSTATUS s = NtCreateKey(&hKey, KEY_SET_VALUE, &oa,
                        0, NULL, REG_OPTION_NON_VOLATILE, &disposition);

asmDirect stub (SSN 0x1D)

NtCreateKey PROC
    mov  r10, rcx
    mov  eax, 1Dh
    syscall
    ret
NtCreateKey ENDP

rustntapi crate persistence helper

// Cargo: ntapi = "0.4", winapi = { version = "0.3", features = ["winnt"] }
use ntapi::ntregapi::NtCreateKey;
use ntapi::ntrtl::RtlInitUnicodeString;
use winapi::shared::ntdef::{OBJECT_ATTRIBUTES, OBJ_CASE_INSENSITIVE, UNICODE_STRING};
use winapi::um::winnt::{KEY_SET_VALUE, REG_OPTION_NON_VOLATILE};
use std::ptr::null_mut;

pub unsafe fn open_run_key(sid_path: *const u16) -> *mut core::ffi::c_void {
    let mut us: UNICODE_STRING = core::mem::zeroed();
    RtlInitUnicodeString(&mut us, sid_path);
    let mut oa = OBJECT_ATTRIBUTES {
        Length: core::mem::size_of::<OBJECT_ATTRIBUTES>() as u32,
        RootDirectory: null_mut(),
        ObjectName: &mut us,
        Attributes: OBJ_CASE_INSENSITIVE,
        SecurityDescriptor: null_mut(),
        SecurityQualityOfService: null_mut(),
    };
    let mut h = null_mut();
    let mut disp = 0u32;
    NtCreateKey(&mut h, KEY_SET_VALUE, &mut oa, 0,
                null_mut(), REG_OPTION_NON_VOLATILE, &mut disp);
    h
}

MITRE ATT&CK mappings

T1547.001Registry Run Keys / Startup Folder
T1546.012Image File Execution Options Injection
T1112Modify Registry

Last verified: 2026-05-20