
NtCreatePartition

Creates a memory partition object that isolates the physical-page working set of a group of processes.

Prototype

NTSTATUS NtCreatePartition(
  PHANDLE            PartitionHandle,
  HANDLE             ParentPartitionHandle,
  ACCESS_MASK        DesiredAccess,
  POBJECT_ATTRIBUTES ObjectAttributes,
  ULONG              PreferredNode
);

Arguments

| Name | Type | Dir | Description |
|---|---|---|---|
| PartitionHandle | PHANDLE | out | Receives the handle to the newly created partition object. |
| ParentPartitionHandle | HANDLE | in | Optional parent partition; NULL inherits from the system partition. Used to build hierarchies. |
| DesiredAccess | ACCESS_MASK | in | Access mask; commonly MEMORY_PARTITION_ALL_ACCESS (0x000F0003). |
| ObjectAttributes | POBJECT_ATTRIBUTES | in | Object name (e.g. \KernelObjects\MyPartition) and security descriptor. |
| PreferredNode | ULONG | in | NUMA node hint for backing memory; 0xFFFFFFFF for no preference. |

Syscall IDs by Windows version

| Windows version | Syscall ID | Build |
|---|---|---|
| Win10 1507 | 0xAA | win10-1507 |
| Win10 1607 | 0xAC | win10-1607 |
| Win10 1703 | 0xAF | win10-1703 |
| Win10 1709 | 0xB0 | win10-1709 |
| Win10 1803 | 0xB1 | win10-1803 |
| Win10 1809 | 0xB1 | win10-1809 |
| Win10 1903 | 0xB2 | win10-1903 |
| Win10 1909 | 0xB2 | win10-1909 |
| Win10 2004 | 0xB6 | win10-2004 |
| Win10 20H2 | 0xB6 | win10-20h2 |
| Win10 21H1 | 0xB6 | win10-21h1 |
| Win10 21H2 | 0xB7 | win10-21h2 |
| Win10 22H2 | 0xB7 | win10-22h2 |
| Win11 21H2 | 0xBA | win11-21h2 |
| Win11 22H2 | 0xBB | win11-22h2 |
| Win11 23H2 | 0xBB | win11-23h2 |
| Win11 24H2 | 0xBD | win11-24h2 |
| Server 2016 | 0xAC | winserver-2016 |
| Server 2019 | 0xB1 | winserver-2019 |
| Server 2022 | 0xB9 | winserver-2022 |
| Server 2025 | 0xBD | winserver-2025 |

Kernel module

ntoskrnl.exe: NtCreatePartition

Related APIs

NtOpenPartition, NtManagePartition, NtSetInformationProcess (ProcessAttachToMemoryPartition)

Syscall stub

4C 8B D1                  mov r10, rcx
B8 BD 00 00 00            mov eax, 0xBD
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03                     jne short +3
0F 05                     syscall
C3                        ret
CD 2E                     int 2Eh
C3                        ret

Undocumented notes

Introduced in Windows 10 Redstone 2 (1703) as part of the memory-partition subsystem originally built for game-mode and Hyper-V container memory isolation. A partition owns its own page lists, available pages, modified-page-writer thread, and standby cache; processes associated with the partition (`ProcessInformationClass = ProcessAttachToMemoryPartition`) draw their physical memory exclusively from it. The standard wrapper `CreatePartition` lives in `api-ms-win-core-memorypartition-l1` (kernel32-side stub), but most use is internal: Hyper-V, the Windows container runtime, and `SystemSettings` for the Game Mode reservation all consume it. The caller needs `SeLockMemoryPrivilege`, and the parent partition's security descriptor must grant `MEMORY_PARTITION_ALL_ACCESS`.

Common malware usage

Very low offensive signal. The privilege requirement (`SeLockMemoryPrivilege`) gates almost every interesting use, and the operational complexity of moving processes between partitions doesn't buy malware much that simpler section-mapping doesn't. The only genuine research-level use is **side-channel isolation in red-team telemetry sandboxes** — partitioning a sensor's working set so that pagefile-pressure timing leaks from the victim no longer correlate with the sensor's measurements. No public commodity-malware family is documented as using it.

Detection opportunities

`NtCreatePartition` calls from anything outside `lsass.exe` (briefly during boot), `vmcompute.exe`, `vmwp.exe`, `SystemSettings.exe`, and a few dedicated game-mode services are inherently suspicious. The provider `Microsoft-Windows-Kernel-Memory` emits event 8 (`PartitionCreated`) with the calling image path. Auditing `SeLockMemoryPrivilege` adjustments on non-service tokens is the cheapest upstream signal — the privilege is required and rarely held legitimately by user-mode code.
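The allowlist and boot-window caveat above, as an added triage routine over event 8 records (not part of this reference page); the event field names, the 120-second post-boot window and the sample records are assumptions and constructed data:

```python
# Added example: triage of the Kernel-Memory PartitionCreated events above.
# Event fields and the post-boot window length are assumptions; sample
# records are constructed.
from dataclasses import dataclass
from pathlib import PureWindowsPath

SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
# Callers the page lists as legitimate; lsass.exe only briefly during boot.
ALWAYS_ALLOWED = {"vmcompute.exe", "vmwp.exe", "systemsettings.exe"}
BOOT_ONLY = {"lsass.exe"}
BOOT_WINDOW_SECONDS = 120.0  # assumption; tune to the environment


@dataclass(frozen=True)
class PartitionEvent:
    image_path: str           # calling image path carried by event 8
    pid: int
    seconds_since_boot: float


def is_expected_caller(ev: PartitionEvent) -> bool:
    """True only if the image is a known caller *and* lives in System32:
    matching on basename alone would let a renamed binary in a
    user-writable directory pass as vmwp.exe."""
    p = PureWindowsPath(ev.image_path)
    if p.parent != SYSTEM32:  # PureWindowsPath compares case-insensitively
        return False
    name = p.name.lower()
    if name in ALWAYS_ALLOWED:
        return True
    if name in BOOT_ONLY:
        return ev.seconds_since_boot <= BOOT_WINDOW_SECONDS
    return False


def triage(events):
    """Return the events that deserve analyst attention, in input order."""
    return [ev for ev in events if not is_expected_caller(ev)]


# Constructed sample: a container runtime call, lsass.exe at boot and long
# after boot, a name-spoofed binary outside System32, and a user process.
SAMPLE_EVENTS = [
    PartitionEvent(r"C:\Windows\System32\vmcompute.exe", 1234, 9000.0),
    PartitionEvent(r"C:\Windows\System32\lsass.exe", 700, 15.0),
    PartitionEvent(r"C:\Windows\System32\lsass.exe", 700, 86400.0),
    PartitionEvent(r"C:\Users\Public\vmwp.exe", 4321, 5000.0),
    PartitionEvent(r"C:\Users\alice\AppData\Local\Temp\tool.exe", 5555, 5100.0),
]
SUSPICIOUS = triage(SAMPLE_EVENTS)  # the last three records
```

Pair the image-path check with the privilege audit the paragraph recommends: an lsass.exe record well past boot, or any caller outside System32, should be correlated with a recent `SeLockMemoryPrivilege` adjustment on the same token.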

Direct syscall examples

Create a named child partition under the system partition (C)

// Requires SeLockMemoryPrivilege and a writable SD on the parent.
// Link with ntdll.lib for RtlInitUnicodeString.
#include <windows.h>
#include <winternl.h>
#include <stdio.h>

#define MEMORY_PARTITION_ALL_ACCESS 0x000F0003

#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif
#ifndef STATUS_PROCEDURE_NOT_FOUND
#define STATUS_PROCEDURE_NOT_FOUND ((NTSTATUS)0xC000007AL)
#endif

typedef NTSTATUS (NTAPI* pNtCreatePartition)(
    PHANDLE, HANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, ULONG);

// Creates the partition, reports the result and closes the handle again;
// returns the NTSTATUS from NtCreatePartition.
NTSTATUS make_partition(void) {
    UNICODE_STRING name;
    RtlInitUnicodeString(&name, L"\\KernelObjects\\Sandbox1");
    OBJECT_ATTRIBUTES oa;
    InitializeObjectAttributes(&oa, &name, OBJ_CASE_INSENSITIVE, NULL, NULL);

    // No import-library entry exists for NtCreatePartition; resolve it at run time.
    pNtCreatePartition f = (pNtCreatePartition)GetProcAddress(
        GetModuleHandleA("ntdll.dll"), "NtCreatePartition");
    if (f == NULL)
        return STATUS_PROCEDURE_NOT_FOUND;

    HANDLE h = NULL;
    NTSTATUS st = f(&h, NULL /* parent = system */,
                    MEMORY_PARTITION_ALL_ACCESS, &oa,
                    0xFFFFFFFF /* any NUMA node */);
    if (NT_SUCCESS(st)) {
        printf("partition created, handle %p\n", h);
        CloseHandle(h);  // CloseHandle wraps NtClose; the object is not permanent
    } else {
        printf("NtCreatePartition failed: 0x%08lX\n", (unsigned long)st);
    }
    return st;
}

x64 direct stub, MASM (Win11 24H2 / Server 2025, SSN 0xBD)

NtCreatePartition PROC
    mov  r10, rcx
    mov  eax, 0BDh
    syscall
    ret
NtCreatePartition ENDP

MITRE ATT&CK mappings

T1106 (Native API)

Last verified: 2026-05-20