NtLoadKey2

Prototype

NTSTATUS NtLoadKey2(
  POBJECT_ATTRIBUTES TargetKey,
  POBJECT_ATTRIBUTES SourceFile,
  ULONG              Flags
);

Arguments

Syscall IDs by Windows version

Syscall stub

4C 8B D1            mov r10, rcx
B8 11 01 00 00      mov eax, 0x111
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

`NtLoadKey2` is a thin, deprecated wrapper introduced alongside Windows 2000 / XP that forwards to the same kernel path as `NtLoadKey`/`NtLoadKeyEx` (`CmLoadKey` inside `ntoskrnl.exe`). It only accepts the legacy `Flags` argument and lacks the modern `TrustClassKey`, `Event`, `TokenHandle` and `IoPriority` parameters of `NtLoadKeyEx`. Microsoft considers it superseded but the export is still present in every shipping ntdll up to and including 24H2, and the SSN still maps to a real handler — exactly the kind of deprecated-but-callable corner attackers prefer because hooks and EDR rules often forget it.

Common malware usage

Offline credential-dump tradecraft: `secretsdump`-style attackers copy a victim hive (SAM, SYSTEM, SECURITY) via VSS / raw NTFS, then mount it under an arbitrary key with `NtLoadKey`/`NtLoadKey2` to enumerate it through normal `RegOpenKeyEx` / `NtOpenKey` APIs without parsing the binary hive format themselves. `NtLoadKey2` is reached when an operator deliberately swaps the obvious `RegLoadKeyW` (which routes to `NtLoadKeyEx`) for the older variant to dodge naive hook lists. Requires `SeRestorePrivilege` and `SeBackupPrivilege` — i.e. local administrator.

Detection opportunities

Any call to `NtLoadKey*` from a non-Microsoft binary is high-signal because the legitimate consumers are essentially `regedit.exe`, `reg.exe`, `appidcertstorecheck.exe`, the user-profile loader and a handful of imaging tools. Sysmon Event ID 12/13/14 (Registry) does **not** fire for hive loads themselves — the kernel only emits ETW via the `Microsoft-Windows-Kernel-Registry` provider (event ID 9 = HiveLoaded). EDRs that track privileged-token enable-events for `SeRestorePrivilege` followed by hive opens of `\??\...\config\SAM` paths catch the canonical SAM-dump pattern; the file open is usually the better tripwire than the syscall itself.

Direct syscall examples

; Direct syscall stub for NtLoadKey2 (SSN 0x111 on Win11 24H2)
NtLoadKey2 PROC
    mov  r10, rcx          ; TargetKey
    mov  eax, 111h         ; SSN — drifts per build
    syscall
    ret
NtLoadKey2 ENDP

// Requires SeRestorePrivilege + SeBackupPrivilege enabled on the caller.
#include <windows.h>
#include <winternl.h>

typedef NTSTATUS (NTAPI *pNtLoadKey2)(POBJECT_ATTRIBUTES, POBJECT_ATTRIBUTES, ULONG);

NTSTATUS MountHive(LPCWSTR ntMountPath, LPCWSTR ntHiveFile) {
    UNICODE_STRING uMount, uFile;
    OBJECT_ATTRIBUTES oaMount, oaFile;
    RtlInitUnicodeString(&uMount, ntMountPath);   // e.g. L"\\REGISTRY\\USER\\OfflineSAM"
    RtlInitUnicodeString(&uFile,  ntHiveFile);    // e.g. L"\\??\\C:\\temp\\SAM_copy"
    InitializeObjectAttributes(&oaMount, &uMount, OBJ_CASE_INSENSITIVE, NULL, NULL);
    InitializeObjectAttributes(&oaFile,  &uFile,  OBJ_CASE_INSENSITIVE, NULL, NULL);
    pNtLoadKey2 fn = (pNtLoadKey2)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtLoadKey2");
    return fn(&oaMount, &oaFile, 0x4 /* REG_NO_LAZY_FLUSH */);
}

MITRE ATT&CK mappings

• T1003.002OS Credential Dumping: Security Account Managermitre ↗
• T1106Native APImitre ↗