ntoskrnl.exeT1106

NtManagePartition

Queries or modifies an existing memory partition — add memory, transfer pages, set memory-list configuration.

Prototype

NTSTATUS NtManagePartition(
  HANDLE                       TargetHandle,
  HANDLE                       SourceHandle,
  PARTITION_INFORMATION_CLASS  PartitionInformationClass,
  PVOID                        PartitionInformation,
  ULONG                        PartitionInformationLength
);

Arguments

Name	Type	Dir	Description
TargetHandle	HANDLE	in	Handle to the target partition being queried or modified.
SourceHandle	HANDLE	in	Optional source partition (used by SystemMemoryPartitionMoveMemory to donate pages); else NULL.
PartitionInformationClass	PARTITION_INFORMATION_CLASS	in	Operation selector: 0 PageInformation, 1 AllocationInformation, 2 ClearAddedRanges, 3 AddMemory, 4 MoveMemory, 5 DepositPages, 6 WithdrawPages, 7 OpenHandle, 8 MemoryEvent, 9 EmptyCompressionStore, 10 PageCombiningInformation.
PartitionInformation	PVOID	in/out	Class-specific input/output buffer (e.g. MEMORY_PARTITION_PAGE_INFORMATION).
PartitionInformationLength	ULONG	in	Size in bytes of the PartitionInformation buffer.

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0xFF	win10-1507
Win10 1607	0x104	win10-1607
Win10 1703	0x108	win10-1703
Win10 1709	0x109	win10-1709
Win10 1803	0x10A	win10-1803
Win10 1809	0x10B	win10-1809
Win10 1903	0x10C	win10-1903
Win10 1909	0x10C	win10-1909
Win10 2004	0x111	win10-2004
Win10 20H2	0x111	win10-20h2
Win10 21H1	0x111	win10-21h1
Win10 21H2	0x112	win10-21h2
Win10 22H2	0x112	win10-22h2
Win11 21H2	0x118	win11-21h2
Win11 22H2	0x119	win11-22h2
Win11 23H2	0x119	win11-23h2
Win11 24H2	0x11B	win11-24h2
Server 2016	0x104	winserver-2016
Server 2019	0x10B	winserver-2019
Server 2022	0x117	winserver-2022
Server 2025	0x11B	winserver-2025

Kernel module

ntoskrnl.exe → NtManagePartition

Related APIs

NtCreatePartitionNtOpenPartitionGetMemoryErrorHandlingCapabilities

Syscall stub

4C 8B D1                  mov r10, rcx
B8 1B 01 00 00            mov eax, 0x11B
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03                     jne short +3
0F 05                     syscall
C3                        ret
CD 2E                     int 2Eh
C3                        ret

Undocumented notes

The Swiss-army-knife sister of `NtCreatePartition` and `NtOpenPartition`. The `PARTITION_INFORMATION_CLASS` selector decides everything: `0` (PageInformation) returns live counters comparable to `MEMORYSTATUSEX` but scoped to the partition; `3` (AddMemory) hands a physical-memory range from the parent to the target; `4` (MoveMemory) re-homes already-attached pages between two partitions and is the only class that uses both `TargetHandle` and `SourceHandle`; `9` (EmptyCompressionStore) flushes the partition's compressed-page store back to either pageable memory or pagefile. All modify classes require `SeLockMemoryPrivilege` (in addition to `MEMORY_PARTITION_MODIFY_ACCESS` on the handle).

Common malware usage

Very weak commodity-malware signal. The interesting research angle is `EmptyCompressionStore`: forcing a parent partition to flush its MemCompression-backed pages can be used as a coarse cache-timing side channel against a co-resident process, and there is academic work demonstrating this. None of that has migrated to in-the-wild ransomware or stealers. Most defenders can safely treat any non-Microsoft caller of `NtManagePartition` as worth a hard look.

(no documented malware abuse)

Detection opportunities

Pair Sysmon Event ID 1 (process create) with kernel ETW: the `Microsoft-Windows-Kernel-Memory` provider emits granular events for partition modify operations including the information class. Hunt for any image outside `vmcompute.exe`, `vmwp.exe`, `vmms.exe`, and the few game-mode services calling `NtManagePartition` with information class `3`, `4`, `5`, `6`, or `9`. Query-only class `0` calls also surface from `taskmgr.exe` / `procexp.exe` and are not interesting on their own.

Direct syscall examples

cQuery partition page accounting

#include <windows.h>
#include <winternl.h>

typedef NTSTATUS (NTAPI* pNtManagePartition)(
    HANDLE, HANDLE, ULONG /*info class*/, PVOID, ULONG);

typedef struct _MEMORY_PARTITION_PAGE_INFORMATION {
    SIZE_T TotalCommittedPages;
    SIZE_T TotalCommitLimit;
    SIZE_T CurrentCommittedPages;
    SIZE_T PageCombinesAttempted;
    SIZE_T PageCombinesSucceeded;
} MEMORY_PARTITION_PAGE_INFORMATION;

void query_partition_pages(HANDLE hPart) {
    MEMORY_PARTITION_PAGE_INFORMATION info = { 0 };
    pNtManagePartition f = (pNtManagePartition)GetProcAddress(
        GetModuleHandleA("ntdll.dll"), "NtManagePartition");
    f(hPart, NULL, 0 /* SystemMemoryPartitionPageInformation */,
      &info, sizeof(info));
}

asmx64 direct stub (Win11 24H2 / Server 2025, SSN 0x11B)

NtManagePartition PROC
    mov  r10, rcx
    mov  eax, 11Bh
    syscall
    ret
NtManagePartition ENDP

MITRE ATT&CK mappings

T1106 Native API mitre ↗

Last verified: 2026-05-20