Tags: ntoskrnl.exe, T1499, T1106

NtCreatePagingFile

Creates or extends a Windows pagefile at the requested NT path; requires SeCreatePagefilePrivilege.

Prototype

NTSTATUS NtCreatePagingFile(
  PUNICODE_STRING PageFileName,
  PLARGE_INTEGER  MinimumSize,
  PLARGE_INTEGER  MaximumSize,
  ULONG           Priority
);

Arguments

| Name         | Type            | Dir | Description                                                                 |
|--------------|-----------------|-----|-----------------------------------------------------------------------------|
| PageFileName | PUNICODE_STRING | in  | NT-namespace path of the pagefile, e.g. \??\C:\pagefile.sys.                 |
| MinimumSize  | PLARGE_INTEGER  | in  | Initial size in bytes; must be a multiple of 1 MB and >= 16 MB.             |
| MaximumSize  | PLARGE_INTEGER  | in  | Maximum size in bytes; must be >= MinimumSize and a multiple of 1 MB.       |
| Priority     | ULONG           | in  | Reserved; pass 0 on current Windows.                                        |

Syscall IDs by Windows version

| Windows version | Syscall ID | Build          |
|-----------------|------------|----------------|
| Win10 1507      | 0xA9       | win10-1507     |
| Win10 1607      | 0xAB       | win10-1607     |
| Win10 1703      | 0xAE       | win10-1703     |
| Win10 1709      | 0xAF       | win10-1709     |
| Win10 1803      | 0xB0       | win10-1803     |
| Win10 1809      | 0xB0       | win10-1809     |
| Win10 1903      | 0xB1       | win10-1903     |
| Win10 1909      | 0xB1       | win10-1909     |
| Win10 2004      | 0xB5       | win10-2004     |
| Win10 20H2      | 0xB5       | win10-20h2     |
| Win10 21H1      | 0xB5       | win10-21h1     |
| Win10 21H2      | 0xB6       | win10-21h2     |
| Win10 22H2      | 0xB6       | win10-22h2     |
| Win11 21H2      | 0xB9       | win11-21h2     |
| Win11 22H2      | 0xBA       | win11-22h2     |
| Win11 23H2      | 0xBA       | win11-23h2     |
| Win11 24H2      | 0xBC       | win11-24h2     |
| Server 2016     | 0xAB       | winserver-2016 |
| Server 2019     | 0xB0       | winserver-2019 |
| Server 2022     | 0xB8       | winserver-2022 |
| Server 2025     | 0xBC       | winserver-2025 |

Kernel module

ntoskrnl.exe: NtCreatePagingFile

Related APIs

CreatePageFileW
Win32_PageFileSetting (WMI)
NtSetSystemInformation (SystemPageFileInformation)
RemovePageFileW

Syscall stub

4C 8B D1                  mov r10, rcx
B8 BC 00 00 00            mov eax, 0xBC
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03                     jne short +3
0F 05                     syscall
C3                        ret
CD 2E                     int 2Eh
C3                        ret

Undocumented notes

The kernel routine behind `kernel32!CreatePageFile` and the `pagefileconfig.vbs` / `wmic pagefileset` plumbing. Creates or extends a backing pagefile and registers it with `MiPageFileInformation`. The privilege check is unambiguous: `SeCreatePagefilePrivilege` must be enabled in the caller's token, which by default is granted only to BUILTIN\Administrators and only takes effect on tokens not subject to UAC filtering (so a non-elevated admin shell will *not* succeed). The kernel writes the pagefile sparse-extended on NTFS, so creation completes quickly but actual disk consumption grows on demand. Passing a `MaximumSize` larger than free disk space succeeds at registration but later extensions fail with `STATUS_DISK_FULL`. On modern Windows the pagefile is automatically managed; manual creation is mostly used by performance specialists configuring dedicated dump volumes.

Common malware usage

Niche privileged-DoS / resource-exhaustion surface. Three observed patterns. First, **disk exhaustion**: register a pagefile with a huge `MaximumSize` on the system drive — when subsequent process memory pressure forces extensions, the kernel happily eats every remaining sector until services begin to fail. Second, **dump-volume hijack**: redirect the crash-dump pagefile to a controlled location to capture the next BSOD memory dump (which can contain decryption keys, plaintext credentials, etc.). Third, **forensic noise**: creating a fresh pagefile on a non-system volume forces the SMM/EFI memory manager to honour it, fragmenting any later disk-image carving. None of these are commodity-malware staples — they need `SeCreatePagefilePrivilege`, and an attacker who already has that level of admin can do many less noisy things. Real-world sightings are rare and tend to be red-team rather than crimeware.

Detection opportunities

Audit `SeCreatePagefilePrivilege` use via Security Event ID 4673 (subcategory `Sensitive Privilege Use` must be enabled — it is off by default). New pagefile registrations also surface as `Microsoft-Windows-Kernel-Memory` ETW event 3 (`PagefileCreated`) with the full NT path. Any pagefile path outside `\??\<drive>:\pagefile.sys` and `\??\<drive>:\swapfile.sys` (UWP modern-standby swap file) is unusual. Sysmon Event 11 (`FileCreate`) will fire if the destination is on a monitored volume. Defenders can also baseline expected pagefile count and total size via WMI (`Win32_PageFileSetting`) and alert on drift.
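The detection logic sketched above, as an added example that is not part of this reference page: it triages constructed Security 4673 and Microsoft-Windows-Kernel-Memory event records (flagging `SeCreatePagefilePrivilege` use from processes outside an allow-list and pagefile paths outside the expected `pagefile.sys` / `swapfile.sys` locations) and compares a `Win32_PageFileSetting` baseline against a current snapshot to detect drift. The record field names, the process allow-list and every sample value are assumptions chosen for illustration; real SIEM field names will differ.

```python
"""Triage constructed pagefile-related Windows event records and detect
Win32_PageFileSetting drift. Added example; field names and samples are
constructed, not taken from a real host."""
import re

# Expected pagefile locations on any drive letter: the system pagefile and
# the modern-standby swapfile. Anything else is unusual.
EXPECTED_PAGEFILE = re.compile(
    r"^\\\?\?\\[A-Za-z]:\\(pagefile|swapfile)\.sys$", re.IGNORECASE)

# Processes expected to exercise SeCreatePagefilePrivilege on a healthy host.
# Constructed allow-list; tune per environment.
ALLOWED_PROCESSES = {
    "c:\\windows\\system32\\svchost.exe",
    "c:\\windows\\system32\\wbem\\wmiprvse.exe",
}

# Constructed sample records, shaped like the fields a SIEM would extract
# from Security event 4673 and Kernel-Memory ETW event 3 (PagefileCreated).
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4673,
     "privilege": "SeCreatePagefilePrivilege",
     "process": "C:\\Windows\\System32\\svchost.exe",
     "user": "NT AUTHORITY\\SYSTEM"},
    {"channel": "Security", "event_id": 4673,
     "privilege": "SeCreatePagefilePrivilege",
     "process": "C:\\Users\\Public\\updater.exe",
     "user": "LAB\\jdoe"},
    {"channel": "Security", "event_id": 4673,
     "privilege": "SeDebugPrivilege",          # different privilege: ignored
     "process": "C:\\Windows\\System32\\svchost.exe",
     "user": "NT AUTHORITY\\SYSTEM"},
    {"channel": "Microsoft-Windows-Kernel-Memory", "event_id": 3,
     "path": "\\??\\C:\\pagefile.sys"},          # expected location
    {"channel": "Microsoft-Windows-Kernel-Memory", "event_id": 3,
     "path": "\\??\\D:\\dump\\extra_pagefile.sys"},  # unexpected location
]


def triage(events):
    """Return (reason, detail) findings for the records worth an analyst's time."""
    findings = []
    for ev in events:
        if ev["channel"] == "Security" and ev["event_id"] == 4673:
            # 4673 fires for every sensitive privilege; keep only pagefile ones.
            if ev.get("privilege") != "SeCreatePagefilePrivilege":
                continue
            if ev["process"].lower() not in ALLOWED_PROCESSES:
                findings.append(("privilege_use_unexpected_process", ev["process"]))
        elif ev["channel"] == "Microsoft-Windows-Kernel-Memory" and ev["event_id"] == 3:
            if not EXPECTED_PAGEFILE.match(ev["path"]):
                findings.append(("pagefile_unexpected_path", ev["path"]))
    return findings


def pagefile_drift(baseline, current):
    """Compare two {Name: (InitialSize_MB, MaximumSize_MB)} maps, as one would
    build from Win32_PageFileSetting. (0, 0) means system-managed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    resized = sorted(n for n in baseline.keys() & current.keys()
                     if baseline[n] != current[n])
    return {"added": added, "removed": removed, "resized": resized}


# Constructed baseline (system-managed pagefile only) and a later snapshot in
# which the system pagefile was pinned and a second pagefile appeared.
BASELINE = {"C:\\pagefile.sys": (0, 0)}
CURRENT = {"C:\\pagefile.sys": (4096, 8192),
           "D:\\dump\\extra_pagefile.sys": (1024, 2048)}

if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_EVENTS):
        print(f"[{reason}] {detail}")
    print(pagefile_drift(BASELINE, CURRENT))
```

The 4673 filter deliberately keys on the privilege name rather than the event ID alone, since `Sensitive Privilege Use` auditing also emits 4673 for every other sensitive privilege and would otherwise drown the signal.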

Direct syscall examples

C: Enable SeCreatePagefilePrivilege, then register a 1 GB pagefile

#include <windows.h>
#include <winternl.h>
#include <stdio.h>
#pragma comment(lib, "advapi32.lib")   // token/privilege APIs
#pragma comment(lib, "ntdll.lib")      // RtlInitUnicodeString

#ifndef NT_SUCCESS
#define NT_SUCCESS(s) (((NTSTATUS)(s)) >= 0)
#endif
#ifndef STATUS_PRIVILEGE_NOT_HELD
#define STATUS_PRIVILEGE_NOT_HELD   ((NTSTATUS)0xC0000061L)
#endif
#ifndef STATUS_PROCEDURE_NOT_FOUND
#define STATUS_PROCEDURE_NOT_FOUND  ((NTSTATUS)0xC000007AL)
#endif

typedef NTSTATUS (NTAPI* pNtCreatePagingFile)(
    PUNICODE_STRING, PLARGE_INTEGER, PLARGE_INTEGER, ULONG);

// Enable a named privilege in the current process token. Returns FALSE when
// the privilege is absent from the token: AdjustTokenPrivileges then returns
// TRUE but sets ERROR_NOT_ALL_ASSIGNED, which is what a non-elevated admin
// shell sees because UAC filtering strips SeCreatePagefilePrivilege.
static BOOL enable_priv(LPCSTR name) {
    HANDLE tok; TOKEN_PRIVILEGES tp;
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &tok))
        return FALSE;
    if (!LookupPrivilegeValueA(NULL, name, &tp.Privileges[0].Luid)) {
        CloseHandle(tok);
        return FALSE;
    }
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    BOOL ok = AdjustTokenPrivileges(tok, FALSE, &tp, 0, NULL, NULL)
              && GetLastError() == ERROR_SUCCESS;
    CloseHandle(tok);
    return ok;
}

// Register a pagefile with a 1 GB initial and 2 GB maximum size. Both values
// satisfy the argument constraints above (multiples of 1 MB, >= 16 MB,
// maximum >= minimum). Returns the kernel's NTSTATUS, or a local failure code.
NTSTATUS add_pagefile(void) {
    if (!enable_priv("SeCreatePagefilePrivilege"))
        return STATUS_PRIVILEGE_NOT_HELD;

    UNICODE_STRING path;
    RtlInitUnicodeString(&path, L"\\??\\C:\\extra_pagefile.sys");
    LARGE_INTEGER minSize = { .QuadPart = 1024LL * 1024 * 1024 };  // 1 GB
    LARGE_INTEGER maxSize = { .QuadPart = 2048LL * 1024 * 1024 };  // 2 GB

    pNtCreatePagingFile f = (pNtCreatePagingFile)GetProcAddress(
        GetModuleHandleA("ntdll.dll"), "NtCreatePagingFile");
    if (!f)
        return STATUS_PROCEDURE_NOT_FOUND;

    NTSTATUS st = f(&path, &minSize, &maxSize, 0);
    if (!NT_SUCCESS(st))
        fprintf(stderr, "NtCreatePagingFile failed: 0x%08lX\n", (unsigned long)st);
    return st;
}

asm: x64 direct stub (Win11 24H2 / Server 2025, SSN 0xBC)

NtCreatePagingFile PROC
    mov  r10, rcx
    mov  eax, 0BCh
    syscall
    ret
NtCreatePagingFile ENDP

MITRE ATT&CK mappings

T1499 (Endpoint Denial of Service)
T1106 (Native API)

Last verified: 2026-05-20