ntoskrnl.exeT1112T1070.001T1070.009

NtDeleteKey

Deletes a registry key when the handle is closed — used to wipe persistence and audit-key artefacts post-execution.

Prototype

NTSTATUS NtDeleteKey(
  HANDLE KeyHandle
);

Arguments

Name	Type	Dir	Description
KeyHandle	HANDLE	in	Handle previously opened with the DELETE access right (or KEY_ALL_ACCESS).

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0xC5	win10-1507
Win10 1607	0xC8	win10-1607
Win10 1703	0xCB	win10-1703
Win10 1709	0xCC	win10-1709
Win10 1803	0xCD	win10-1803
Win10 1809	0xCE	win10-1809
Win10 1903	0xCF	win10-1903
Win10 1909	0xCF	win10-1909
Win10 2004	0xD3	win10-2004
Win10 20H2	0xD3	win10-20h2
Win10 21H1	0xD3	win10-21h1
Win10 21H2	0xD4	win10-21h2
Win10 22H2	0xD4	win10-22h2
Win11 21H2	0xD9	win11-21h2
Win11 22H2	0xDA	win11-22h2
Win11 23H2	0xDA	win11-23h2
Win11 24H2	0xDC	win11-24h2
Server 2016	0xC8	winserver-2016
Server 2019	0xCE	winserver-2019
Server 2022	0xD8	winserver-2022
Server 2025	0xDC	winserver-2025

Kernel module

ntoskrnl.exe → NtDeleteKey

Related APIs

RegDeleteKeyWRegDeleteKeyExWRegDeleteTreeWNtDeleteValueKeyNtEnumerateKeyNtClose

Syscall stub

4C 8B D1            mov r10, rcx
B8 DC 00 00 00      mov eax, 0xDC
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

Single-argument syscall, but with a subtle semantic: the key is *marked* for deletion and is actually removed only when the handle is closed — concurrent readers retain access until they release their own handles. The key must be **leaf** (no subkeys) or the call returns `STATUS_CANNOT_DELETE`; defense-evasion tooling that wipes a tree must recurse depth-first, calling `NtEnumerateKey` and `NtDeleteKey` from the bottom up. SSN drifts substantially across builds (0xC5 on 1507 → 0xDC on 24H2), so dynamic resolution is mandatory.

Common malware usage

Pure **defense evasion (T1112 + T1070)**. Two recurring patterns. (1) **Persistence cleanup post-execution**: once an implant has staged its payload or no longer needs the autorun, it removes its own Run / RunOnce / Image File Execution Options / scheduled-task-cache registry footprint to break forensic reconstruction. Self-destruct stubs typically issue `NtDeleteKey` on `\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\Run\<implant>` and on the COM CLSID hijack key they planted earlier. (2) **Indirect Event Log tampering (T1070.001)**: while the canonical attack is `wevtutil cl` or service-stop on EventLog, several stealers (LummaC2 variants, Atomic Stealer's Win port) instead null the audit subscription keys under `\Registry\Machine\System\CurrentControlSet\Services\EventLog\Security\Channels\*` via NtDeleteKey, breaking subsequent logging without raising the audible Event-ID 1102 (audit log cleared).

LummaC2 RedLine Stealer AsyncRAT RemcosRAT BlackCat / ALPHV FIN7 BIRDDOG

Detection opportunities

Microsoft-Windows-Kernel-Registry ETW emits a registry-delete event with full path and PID. Sysmon Event ID 12 with type=DeleteKey is the direct catch. Critically, an EDR registering `CmRegisterCallbackEx` receives `RegNtPreDeleteKey` and `RegNtPostDeleteKey` notifications even when user-mode hooks are bypassed by a direct syscall — kernel callbacks see the operation post-dispatch. High-value hunts: deletion of any path under `\Microsoft\Windows\CurrentVersion\Run*`, `\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*`, `\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*`, or `\Services\EventLog\*`. Defender's tamper-protection list flags writes/deletes against AV-relevant registry trees; correlation with the original CreateKey/SetValue from the same SHA-256 image hash provides an end-to-end staging-then-cleanup graph.

Direct syscall examples

cRemove our own Run-key persistence entry

// Open the value's parent key with DELETE access, then NtDeleteKey on the leaf.
UNICODE_STRING name;
RtlInitUnicodeString(&name,
    L"\\Registry\\Machine\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater");

OBJECT_ATTRIBUTES oa;
InitializeObjectAttributes(&oa, &name, OBJ_CASE_INSENSITIVE, NULL, NULL);

HANDLE hKey = NULL;
if (NT_SUCCESS(NtOpenKey(&hKey, DELETE, &oa))) {
    NtDeleteKey(hKey);     // marks for deletion
    NtClose(hKey);          // actually deletes
}

asmDirect stub (SSN 0xDC, Win11 24H2)

; SSN drifts heavily; resolve dynamically before targeting multiple builds.
NtDeleteKey PROC
    mov  r10, rcx
    mov  eax, 0DCh         ; Win11 24H2
    syscall
    ret
NtDeleteKey ENDP

rustDepth-first key-tree wipe helper

use ntapi::ntregapi::{NtDeleteKey, NtEnumerateKey, NtOpenKey, KEY_BASIC_INFORMATION};
use winapi::shared::ntdef::HANDLE;

pub unsafe fn delete_tree(h_root: HANDLE) {
    let mut buf = vec![0u8; 0x400];
    let mut len = 0u32;
    loop {
        let s = NtEnumerateKey(
            h_root, 0,
            0 /* KeyBasicInformation */,
            buf.as_mut_ptr() as *mut _, buf.len() as u32, &mut len);
        if s != 0 { break; }
        let bi = &*(buf.as_ptr() as *const KEY_BASIC_INFORMATION);
        // open subkey here, recurse, then delete the leaf
    }
    NtDeleteKey(h_root);
}

MITRE ATT&CK mappings

Last verified: 2026-05-20