ntoskrnl.exeT1027.011T1106T1029

NtCreateTimer

Creates a kernel timer object that can be armed later with NtSetTimer.

Prototype

NTSTATUS NtCreateTimer(
  PHANDLE            TimerHandle,
  ACCESS_MASK        DesiredAccess,
  POBJECT_ATTRIBUTES ObjectAttributes,
  TIMER_TYPE         TimerType
);

Arguments

Name	Type	Dir	Description
TimerHandle	PHANDLE	out	Receives the handle to the newly created timer object.
DesiredAccess	ACCESS_MASK	in	Access mask, typically TIMER_ALL_ACCESS or TIMER_MODIFY_STATE \| SYNCHRONIZE.
ObjectAttributes	POBJECT_ATTRIBUTES	in	Optional object attributes; NULL for anonymous, name under \BaseNamedObjects for IPC use.
TimerType	TIMER_TYPE	in	NotificationTimer (broadcast, stays signaled) or SynchronizationTimer (auto-reset).

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0xB4	win10-1507
Win10 1607	0xB7	win10-1607
Win10 1703	0xBA	win10-1703
Win10 1709	0xBB	win10-1709
Win10 1803	0xBC	win10-1803
Win10 1809	0xBD	win10-1809
Win10 1903	0xBE	win10-1903
Win10 1909	0xBE	win10-1909
Win10 2004	0xC2	win10-2004
Win10 20H2	0xC2	win10-20h2
Win10 21H1	0xC2	win10-21h1
Win10 21H2	0xC3	win10-21h2
Win10 22H2	0xC3	win10-22h2
Win11 21H2	0xC8	win11-21h2
Win11 22H2	0xC9	win11-22h2
Win11 23H2	0xC9	win11-23h2
Win11 24H2	0xCB	win11-24h2
Server 2016	0xB7	winserver-2016
Server 2019	0xBD	winserver-2019
Server 2022	0xC7	winserver-2022
Server 2025	0xCB	winserver-2025

Kernel module

ntoskrnl.exe → NtCreateTimer

Related APIs

CreateWaitableTimerWCreateWaitableTimerExWCreateTimerQueueCreateTimerQueueTimerNtCreateTimerExNtSetTimerNtCancelTimer

Syscall stub

4C 8B D1            mov r10, rcx
B8 CB 00 00 00      mov eax, 0xCB
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

Allocates an executive `KTIMER` object via `ExCreateTimer` / `ObCreateObject`. The object is *unarmed* at creation — it does nothing until `NtSetTimer` provides a due time and optional APC routine. SSN drifts across builds (`0xB4` on 1507 → `0xCB` on Win11 24H2 / Server 2025), so direct-syscall implementations must resolve dynamically. `NotificationTimer` keeps the dispatcher object signaled after expiry (all waiters released and stay through), while `SynchronizationTimer` auto-resets after releasing one waiter — the latter is what sleep-mask designs use.

Common malware usage

The first half of the **Ekko sleep-mask engine** (Austin Hudson, 2022) — and the design copied wholesale by Foliage, Cronos, Zilean and most modern fork-derived crypter loaders. A timer is created, then `NtSetTimer` arms it with `TimerApcRoutine = RtlCaptureContext`/`SetEvent`/`VirtualProtect` chain stages, and the implant performs an alertable wait. Each timer expiry queues an APC, the APC runs a ROP-stage that re-encrypts the implant memory and re-arms — producing a beacon whose code is RWX → RW → encrypted on every cycle, defeating naive memory scanners. NtCreateTimer alone is benign; the *triad* (timer + event + alertable wait inside private memory) is the IOC.

Cobalt Strike (Ekko sleep mask)Havoc Brute Ratel C4 Foliage sleep mask Cronos sleep mask

Detection opportunities

No dedicated Sysmon event for timer creation. ETW `Microsoft-Windows-Kernel-Object` with the `Timer` keyword exposes object creation; correlating timer handles held by a thread whose RIP at the moment of `NtSetTimer` lies in unbacked / RWX memory is the high-fidelity signal. Most EDRs that defeat Ekko do it by scanning the suspended thread's stack and walking back through KiUserApcDispatcher frames at the moment a special user APC delivers — they catch the encryption stage in flight rather than the timer creation itself.

Direct syscall examples

asmx64 direct stub (Win11 24H2)

; Direct syscall stub for NtCreateTimer (SSN 0xCB on Win11 24H2 / Server 2025)
NtCreateTimer PROC
    mov  r10, rcx          ; syscall convention
    mov  eax, 0CBh         ; SSN — drifts; resolve dynamically for portability
    syscall
    ret
NtCreateTimer ENDP

cEkko-style sleep-mask timer setup

// Step 1 of the sleep-mask triad: a synchronization timer the APC chain will arm.
HANDLE             hTimer = NULL;
OBJECT_ATTRIBUTES  oa     = { sizeof(oa), 0 };
NTSTATUS st = NtCreateTimer(&hTimer,
                            TIMER_ALL_ACCESS,
                            &oa,
                            SynchronizationTimer);
if (!NT_SUCCESS(st)) return st;
// hTimer will be armed by NtSetTimer with TimerApcRoutine pointing at the ROP gadgets.

rustwindows-sys CreateWaitableTimerW wrapper

// Cargo: windows-sys = "0.59" (Win32_System_Threading)
use windows_sys::Win32::System::Threading::CreateWaitableTimerW;
use std::ptr::null;

unsafe fn make_timer() -> *mut core::ffi::c_void {
    // bManualReset = 0 → SynchronizationTimer kernel-side.
    CreateWaitableTimerW(null(), 0, null())
}

MITRE ATT&CK mappings

Last verified: 2026-05-20