> Windows Syscalls
ntoskrnl.exeT1622T1055.003T1106

NtGetContextThread

Retrieves the CPU register context (CONTEXT structure) of a suspended thread.

Prototype

NTSTATUS NtGetContextThread(
  HANDLE    ThreadHandle,
  PCONTEXT  ThreadContext
);

Arguments

NameTypeDirDescription
ThreadHandleHANDLEinHandle to the target thread. Requires THREAD_GET_CONTEXT access.
ThreadContextPCONTEXTin/outArchitecture-specific CONTEXT struct. ContextFlags (input) selects which register groups to return; struct must be 16-byte aligned on x64.

Syscall IDs by Windows version

Windows versionSyscall IDBuild
Win10 15070xE3win10-1507
Win10 16070xE6win10-1607
Win10 17030xE9win10-1703
Win10 17090xEAwin10-1709
Win10 18030xEBwin10-1803
Win10 18090xECwin10-1809
Win10 19030xEDwin10-1903
Win10 19090xEDwin10-1909
Win10 20040xF2win10-2004
Win10 20H20xF2win10-20h2
Win10 21H10xF2win10-21h1
Win10 21H20xF3win10-21h2
Win10 22H20xF3win10-22h2
Win11 21H20xF8win11-21h2
Win11 22H20xF9win11-22h2
Win11 23H20xF9win11-23h2
Win11 24H20xFBwin11-24h2
Server 20160xE6winserver-2016
Server 20190xECwinserver-2019
Server 20220xF7winserver-2022
Server 20250xFBwinserver-2025

Kernel module

ntoskrnl.exeNtGetContextThread

Related APIs

GetThreadContextWow64GetThreadContextNtSetContextThreadNtSuspendThreadRtlCaptureContext

Syscall stub

4C 8B D1            mov r10, rcx
B8 FB 00 00 00      mov eax, 0xFB
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

The CONTEXT structure is architecture-specific and chunky: on x64 it is 1232 bytes (CONTEXT) plus an extended XSTATE area whose size depends on enabled CPU features (AVX-512 enclaves can push it past 2.5 KB). Callers must set ContextFlags before the call — CONTEXT_CONTROL (Rip, Rsp, EFlags), CONTEXT_INTEGER (Rax..R15), CONTEXT_SEGMENTS, CONTEXT_DEBUG_REGISTERS (DR0..DR7), CONTEXT_FLOATING_POINT, CONTEXT_XSTATE. The thread should be suspended; reading the context of a running thread returns a snapshot that may be stale by the time it lands.

Common malware usage

The read half of the thread-hijacking primitive: suspend → get context → patch Rip/Rsp → set context → resume. Also used by anti-debug code to read DR0–DR3 of its own threads and detect hardware breakpoints installed by an analyst (`if (ctx.Dr0 || ctx.Dr1 || ctx.Dr2 || ctx.Dr3) bail();`). Some sandboxes mark threads with sentinel values in unused segment selectors, and packers check for those. Cobalt Strike's `inject` BOFs, Sliver migrate, ScareCrow, and most Early Bird APC variants pass through here.

Cobalt StrikeSliverScareCrowVMProtect packed loadersThemida packed loadersDonut loader

Detection opportunities

On its own, NtGetContextThread is moderate-volume — debuggers, .NET runtime, profilers, and exception handlers all read context. Cross-process reads against non-debugged targets are far rarer; pair Microsoft-Windows-Threat-Intelligence ETW telemetry with process-relationship context (parent/child, signer). The most actionable detection is the *sequence* NtSuspendThread → NtGetContextThread → NtSetContextThread → NtResumeThread within a short window on a remote thread.

Direct syscall examples

cHardware-breakpoint anti-debug self-check

// Detect analyst-set DR0..DR3 on our own primary thread.
CONTEXT ctx = { .ContextFlags = CONTEXT_DEBUG_REGISTERS };
if (NT_SUCCESS(NtGetContextThread(NtCurrentThread(), &ctx))) {
    if (ctx.Dr0 | ctx.Dr1 | ctx.Dr2 | ctx.Dr3) {
        // Hardware breakpoint installed -> exit silently.
        NtTerminateProcess(NtCurrentProcess(), 0);
    }
}

asmx64 stub (Win11 24H2)

NtGetContextThread PROC
    mov  r10, rcx              ; ThreadHandle
    mov  eax, 0FBh             ; Win11 24H2 SSN
    syscall
    ret
NtGetContextThread ENDP

rustRead RIP of suspended thread

use windows_sys::Win32::System::Diagnostics::Debug::*;

unsafe fn read_rip(h_thread: isize) -> Option<u64> {
    let mut ctx: CONTEXT = std::mem::zeroed();
    ctx.ContextFlags = CONTEXT_CONTROL_AMD64;   // RIP, RSP, SegCS, EFlags
    // Direct-syscall wrapper omitted for brevity.
    if nt_get_context_thread(h_thread, &mut ctx) >= 0 { Some(ctx.Rip) } else { None }
}

MITRE ATT&CK mappings

Last verified: 2026-05-20