ntoskrnl.exeT1083T1486T1106

NtNotifyChangeDirectoryFileEx

Extended directory-change notification that lets the caller pick the FILE_NOTIFY_INFORMATION class returned in the buffer.

Prototype

NTSTATUS NtNotifyChangeDirectoryFileEx(
  HANDLE                          FileHandle,
  HANDLE                          Event,
  PIO_APC_ROUTINE                 ApcRoutine,
  PVOID                           ApcContext,
  PIO_STATUS_BLOCK                IoStatusBlock,
  PVOID                           Buffer,
  ULONG                           Length,
  ULONG                           CompletionFilter,
  BOOLEAN                         WatchTree,
  DIRECTORY_NOTIFY_INFORMATION_CLASS DirectoryNotifyInformationClass
);

Arguments

Name	Type	Dir	Description
FileHandle	HANDLE	in	Handle to a directory opened with FILE_LIST_DIRECTORY access.
Event	HANDLE	in	Optional event signaled on completion. NULL when an APC or alertable wait is used.
ApcRoutine	PIO_APC_ROUTINE	in	Optional user-mode APC delivered on completion in an alertable thread.
ApcContext	PVOID	in	Caller-defined context passed to ApcRoutine.
IoStatusBlock	PIO_STATUS_BLOCK	out	Receives final status and the number of bytes written to Buffer.
Buffer	PVOID	out	DWORD-aligned buffer that receives records of the class selected by DirectoryNotifyInformationClass.
Length	ULONG	in	Size of Buffer in bytes.
CompletionFilter	ULONG	in	Bitmask of FILE_NOTIFY_CHANGE_* flags identical to NtNotifyChangeDirectoryFile.
WatchTree	BOOLEAN	in	TRUE to watch all subdirectories recursively; FALSE for the immediate directory only.
DirectoryNotifyInformationClass	DIRECTORY_NOTIFY_INFORMATION_CLASS	in	Record class: DirectoryNotifyInformation (legacy) or DirectoryNotifyExtendedInformation (adds FileId, ParentFileId, timestamps).

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1709	0x10F	win10-1709
Win10 1803	0x111	win10-1803
Win10 1809	0x112	win10-1809
Win10 1903	0x113	win10-1903
Win10 1909	0x113	win10-1909
Win10 2004	0x118	win10-2004
Win10 20H2	0x118	win10-20h2
Win10 21H1	0x118	win10-21h1
Win10 21H2	0x119	win10-21h2
Win10 22H2	0x119	win10-22h2
Win11 21H2	0x11F	win11-21h2
Win11 22H2	0x120	win11-22h2
Win11 23H2	0x120	win11-23h2
Win11 24H2	0x122	win11-24h2
Server 2019	0x112	winserver-2019
Server 2022	0x11E	winserver-2022
Server 2025	0x122	winserver-2025

Kernel module

ntoskrnl.exe → NtNotifyChangeDirectoryFileEx

Related APIs

ReadDirectoryChangesExWReadDirectoryChangesWNtNotifyChangeDirectoryFileFindFirstChangeNotificationWNtQueryDirectoryFileNtQueryInformationFile

Syscall stub

4C 8B D1            mov r10, rcx
B8 22 01 00 00      mov eax, 0x122
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

Added in Windows 10 1709 to back the new `ReadDirectoryChangesExW` Win32 API. The single addition over NtNotifyChangeDirectoryFile is the `DirectoryNotifyInformationClass` enumeration: passing `DirectoryNotifyExtendedInformation` yields `FILE_NOTIFY_EXTENDED_INFORMATION` records that include `FileId`, `ParentFileId`, `CreationTime`, `LastModificationTime`, `LastChangeTime`, `LastAccessTime`, `AllocatedLength`, `FileSize` and `FileAttributes` — i.e. everything the caller would otherwise need to stat each file for. This is a meaningful efficiency win for large directories: one syscall returns what would previously take a notification followed by NtQueryInformationFile per changed entry. Because of the 1709 minimum, code that targets older builds must keep a fallback path on NtNotifyChangeDirectoryFile.

Common malware usage

Same operational patterns as NtNotifyChangeDirectoryFile (watchdog implants, trigger-driven C2, mid-encryption new-drive detection), with one specific upgrade: `DirectoryNotifyExtendedInformation` returns the **FileId** for every change without requiring a second roundtrip. Ransomware uses this to deduplicate work across hardlinks and junctions during multi-threaded encryption — the worker skips a change event if the FileId is already in the in-memory 'encrypted' set, avoiding double-pass on the same NTFS file. The added timestamp fields are also used by some infostealers to filter changes 'newer than my last beacon', producing differential exfil sets without a separate enumeration pass.

Royal ransomware (extended-info dedupe)Black Basta (worker-queue dedup)RedLine Stealer (differential exfil)

Detection opportunities

Identical telemetry surface to NtNotifyChangeDirectoryFile — Sysmon FileCreate (Event ID 11), the ETW Microsoft-Windows-Kernel-File provider, and EDR handle telemetry. The one differentiator a defender can use: requests with `DirectoryNotifyExtendedInformation` are still relatively rare in older third-party software (most stuck with `ReadDirectoryChangesW` for ABI compat), so a non-Explorer, non-Indexer, non-OneDrive process specifically requesting the extended class on a sensitive path is a slightly stronger signal than the legacy variant. Useful for tuning ML-based anomaly detectors that already consume per-syscall feature vectors.

Direct syscall examples

asmx64 direct stub (Win11 24H2)

; Direct syscall stub for NtNotifyChangeDirectoryFileEx (SSN 0x122 on Win11 24H2)
NtNotifyChangeDirectoryFileEx PROC
    mov  r10, rcx          ; syscall convention
    mov  eax, 122h         ; SSN — varies per build
    syscall
    ret
NtNotifyChangeDirectoryFileEx ENDP

cExtended class — FileId without a second query

// Use ReadDirectoryChangesExW to receive FILE_NOTIFY_EXTENDED_INFORMATION.
// One syscall returns FileId + timestamps + size in addition to the name.
#include <windows.h>

typedef struct _FILE_NOTIFY_EXTENDED_INFORMATION {
    ULONG         NextEntryOffset;
    ULONG         Action;
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastModificationTime;
    LARGE_INTEGER LastChangeTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER AllocatedLength;
    LARGE_INTEGER FileSize;
    ULONG         FileAttributes;
    ULONG         ReparsePointTag;
    LARGE_INTEGER FileId;
    LARGE_INTEGER ParentFileId;
    ULONG         FileNameLength;
    WCHAR         FileName[1];
} FILE_NOTIFY_EXTENDED_INFORMATION;

VOID WatchExtended(HANDLE hDir, BYTE* buf, DWORD cb) {
    DWORD got = 0;
    while (ReadDirectoryChangesExW(hDir, buf, cb, TRUE,
               FILE_NOTIFY_CHANGE_FILE_NAME | FILE_NOTIFY_CHANGE_LAST_WRITE,
               &got, NULL, NULL,
               ReadDirectoryNotifyExtendedInformation)) {
        FILE_NOTIFY_EXTENDED_INFORMATION* p =
            (FILE_NOTIFY_EXTENDED_INFORMATION*)buf;
        for (;;) {
            // p->FileId is unique per NTFS volume — dedupe key
            HandleChange(p);
            if (!p->NextEntryOffset) break;
            p = (FILE_NOTIFY_EXTENDED_INFORMATION*)((BYTE*)p + p->NextEntryOffset);
        }
    }
}

rustDirect-syscall wrapper with class selector

// Cargo: ntapi = "0.4"
use std::ptr::null_mut;
use ntapi::ntioapi::{NtNotifyChangeDirectoryFileEx, IO_STATUS_BLOCK};

#[repr(C)]
#[allow(non_camel_case_types, dead_code)]
enum DirectoryNotifyInformationClass {
    DirectoryNotifyInformation = 1,
    DirectoryNotifyExtendedInformation = 2,
}

pub unsafe fn watch_extended(h_dir: isize, buf: &mut [u8]) -> i32 {
    let mut iosb: IO_STATUS_BLOCK = std::mem::zeroed();
    NtNotifyChangeDirectoryFileEx(
        h_dir as _, null_mut(), None, null_mut(),
        &mut iosb,
        buf.as_mut_ptr() as _, buf.len() as u32,
        0x1F, // all FILE_NOTIFY_CHANGE_* basics
        1,    // WatchTree = TRUE
        DirectoryNotifyInformationClass::DirectoryNotifyExtendedInformation as u32,
    )
}

MITRE ATT&CK mappings

Last verified: 2026-05-20