NtDeleteFile

Prototype

NTSTATUS NtDeleteFile(
  POBJECT_ATTRIBUTES  ObjectAttributes
);

Arguments

Syscall IDs by Windows version

Syscall stub

4C 8B D1            mov r10, rcx
B8 DB 00 00 00      mov eax, 0xDB
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

NtDeleteFile is the rare path-based delete primitive: instead of opening a file with `DELETE` access and then issuing `NtSetInformationFile` with `FileDispositionInformation`, it does both atomically from a single path argument. There is no Win32 wrapper that uses it directly — `DeleteFileW` always goes via `NtOpenFile` + `FileDispositionInformation`, and `SHFileOperation` (when invoked from a shell context) inserts even more layers including Recycle Bin handling. Calling NtDeleteFile is therefore a *signature* in itself: legitimate software almost never uses it.

Common malware usage

NtDeleteFile is favored in **indicator-removal** chains because it skips both `kernel32!DeleteFileW` (commonly hooked by user-mode EDRs) and the shell's Recycle Bin redirection. Ransomware families that wipe their own droppers and stage logs (LockBit 3.0, Conti, BlackCat/ALPHV) and loaders that self-delete after handing off to a persisted copy occasionally pick this primitive specifically for the bypass property. Note that `NtDeleteFile` still fails on files with open handles by other processes unless they were opened with `FILE_SHARE_DELETE` — for those, the `Posix delete` flavor of `FileDispositionInformationEx` is preferred.

Detection opportunities

Because legitimate use is extremely rare, *any* call to NtDeleteFile is high-signal. Kernel-mode mini-filter drivers see deletes via `IRP_MJ_SET_INFORMATION` with `FileDispositionInformation` regardless of whether the originating syscall was NtDeleteFile or NtSetInformationFile — the IRP layer normalizes the path. ETW `Microsoft-Windows-Kernel-File` exposes a Delete event tied to the FILE_OBJECT. Sysmon Event 23 (FileDelete with archival) and Event 26 (FileDeleteDetected, no archive) are the main host-based indicators; archive captures are essential because the file content is gone immediately afterward.

Direct syscall examples

; Direct syscall stub for NtDeleteFile (SSN 0xDB on Win11 24H2 — drifts per build)
NtDeleteFile PROC
    mov  r10, rcx          ; ObjectAttributes
    mov  eax, 0DBh         ; SSN
    syscall
    ret
NtDeleteFile ENDP

// Loader self-deletes its on-disk copy after persisting a clone elsewhere.
// Skips kernel32!DeleteFileW and shell Recycle Bin path.
#include <windows.h>
#include <winternl.h>

typedef NTSTATUS (NTAPI *pNtDeleteFile)(POBJECT_ATTRIBUTES);

NTSTATUS Vanish(LPCWSTR ntpath) {
    UNICODE_STRING us; RtlInitUnicodeString(&us, ntpath);
    OBJECT_ATTRIBUTES oa;
    InitializeObjectAttributes(&oa, &us, OBJ_CASE_INSENSITIVE, NULL, NULL);
    pNtDeleteFile fn = (pNtDeleteFile)GetProcAddress(
        GetModuleHandleA("ntdll.dll"), "NtDeleteFile");
    return fn(&oa);
}

// Caller: Vanish(L"\\??\\C:\\ProgramData\\loader.bin");

// Cargo: windows-sys = { version = "0.59", features = [
//   "Wdk_Foundation", "Wdk_Storage_FileSystem",
// ] }
use windows_sys::Wdk::Storage::FileSystem::NtDeleteFile;
use windows_sys::Wdk::Foundation::OBJECT_ATTRIBUTES;

unsafe fn vanish(oa: *mut OBJECT_ATTRIBUTES) -> i32 {
    NtDeleteFile(oa)
}

MITRE ATT&CK mappings

• T1070.004Indicator Removal: File Deletionmitre ↗
• T1106Native APImitre ↗