NtFlushKey

Prototype

NTSTATUS NtFlushKey(
  HANDLE  KeyHandle
);

Arguments

Syscall IDs by Windows version

Syscall stub

4C 8B D1            mov r10, rcx
B8 F2 00 00 00      mov eax, 0xF2
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

NtFlushKey commits all in-memory changes for the *hive* containing the supplied key to its backing disk file. Despite the per-key signature, the kernel flushes the entire hive — the configuration manager does not maintain per-key dirty bits at flush granularity. Note the difference from `NtFlushBuffersFile`: that targets a file via FILE_OBJECT, NtFlushKey targets a hive via a key handle. The Win32 wrapper is `RegFlushKey`. The lazy flusher normally writes dirty hives every five seconds (`CmpLazyFlushIntervalInSeconds`); NtFlushKey forces immediate write-back.

Common malware usage

The principal abuse pattern is **anti-forensics around persistence**: after writing a Run key, scheduled-task config, service entry, or COM-hijack value, malware calls NtFlushKey to guarantee the change is persisted to disk *before* the next unclean reboot — which is meaningful when the lazy-flush window is wider than the expected window of opportunity (BSOD-triggering exploit, planned hard-reset, host-killing ransomware). A secondary pattern: some droppers flush a freshly written autorun entry, then immediately delete the on-disk binary they referenced, leaving Run-key metadata pointing at content that may or may not still exist at boot — a tiny anti-analysis nuisance.

Detection opportunities

On its own, NtFlushKey is uninteresting — explorer.exe and many drivers call it routinely. The useful signal is the *sequence*: Sysmon Event 13 (registry value set) on a known persistence key, immediately followed by a flush from the same PID, particularly when that PID is unsigned or recently created. ETW `Microsoft-Windows-Kernel-Registry` exposes flush events with key path and PID. Correlate against Sysmon Event 11 (file create / delete) for the binary the persistence entry references.

Direct syscall examples

; Direct syscall stub for NtFlushKey (SSN 0xF2 on Win11 24H2 — drifts per build)
NtFlushKey PROC
    mov  r10, rcx          ; KeyHandle
    mov  eax, 0F2h         ; SSN
    syscall
    ret
NtFlushKey ENDP

// Write a Run key and immediately flush — defeats lazy-flush race on hard reboot.
#include <windows.h>

LONG PersistAndFlush(LPCWSTR name, LPCWSTR cmd) {
    HKEY hRun = NULL;
    LONG s = RegCreateKeyExW(HKEY_CURRENT_USER,
        L"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
        0, NULL, 0, KEY_SET_VALUE, NULL, &hRun, NULL);
    if (s != ERROR_SUCCESS) return s;
    s = RegSetValueExW(hRun, name, 0, REG_SZ,
                       (const BYTE*)cmd,
                       (DWORD)((wcslen(cmd) + 1) * sizeof(WCHAR)));
    if (s == ERROR_SUCCESS) RegFlushKey(hRun);   // ← NtFlushKey under the hood
    RegCloseKey(hRun);
    return s;
}

// Cargo: ntapi = "0.4"
use ntapi::ntregapi::NtFlushKey;
use winapi::shared::ntdef::{HANDLE, NTSTATUS};

unsafe fn flush(key: HANDLE) -> NTSTATUS {
    NtFlushKey(key)
}

MITRE ATT&CK mappings

• T1547.001Registry Run Keys / Startup Foldermitre ↗
• T1112Modify Registrymitre ↗
• T1106Native APImitre ↗