ntoskrnl.exeT1106

NtPulseEvent

Signals an event, releases currently-waiting threads, then immediately resets it to non-signaled.

Prototype

NTSTATUS NtPulseEvent(
  HANDLE  EventHandle,
  PLONG   PreviousState
);

Arguments

Name	Type	Dir	Description
EventHandle	HANDLE	in	Handle to the event with EVENT_MODIFY_STATE access.
PreviousState	PLONG	out	Optional; receives the signaled state of the event before the pulse (1 = was signaled, 0 = was not).

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0x127	win10-1507
Win10 1607	0x12D	win10-1607
Win10 1703	0x131	win10-1703
Win10 1709	0x133	win10-1709
Win10 1803	0x135	win10-1803
Win10 1809	0x136	win10-1809
Win10 1903	0x137	win10-1903
Win10 1909	0x137	win10-1909
Win10 2004	0x13D	win10-2004
Win10 20H2	0x13D	win10-20h2
Win10 21H1	0x13D	win10-21h1
Win10 21H2	0x13E	win10-21h2
Win10 22H2	0x13E	win10-22h2
Win11 21H2	0x144	win11-21h2
Win11 22H2	0x146	win11-22h2
Win11 23H2	0x146	win11-23h2
Win11 24H2	0x148	win11-24h2
Server 2016	0x12D	winserver-2016
Server 2019	0x136	winserver-2019
Server 2022	0x143	winserver-2022
Server 2025	0x148	winserver-2025

Kernel module

ntoskrnl.exe → NtPulseEvent

Related APIs

PulseEventNtSetEventNtResetEventNtClearEventNtWaitForSingleObject

Syscall stub

4C 8B D1            mov r10, rcx
B8 48 01 00 00      mov eax, 0x148
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

NtPulseEvent performs a *set-then-reset* on an event object as a single atomic operation. For a manual-reset event it releases *all* threads currently waiting on the event then immediately drops the event back to non-signaled, so any thread that arrives a microsecond later misses the pulse entirely. For a sync (auto-reset) event it releases at most one waiter. Microsoft has long discouraged user-mode use because the window where the event is signaled is racy: PulseEvent is largely a relic from the original NT design. The kernel still implements it (KePulseEvent) and ntoskrnl uses it internally in a few burst-style signaling paths.

Common malware usage

Mostly *legitimate*. Some implants and packers use a pulse-style signal to release a pool of worker threads in a single burst (e.g. orchestrating a thread-pool of decryptors). Because PulseEvent racy semantics mean the wait must already be in place, attackers more commonly choose NtSetEvent followed by NtResetEvent or use a counted semaphore instead. Not a meaningful detection signal on its own.

Generic packers / loaders using burst-style worker wakeup

Detection opportunities

Not a high-signal call. Microsoft-Windows-Kernel-EventTracing and the synchronization-object events do not separately surface PulseEvent. EDR hooks on `ntdll!NtPulseEvent` are uncommon. Investigate only in conjunction with other anomalies — for example a pulse on an event whose name (visible via NtQueryObject) looks suspicious or impersonates a well-known synchronization primitive.

Direct syscall examples

asmx64 direct stub

; Direct syscall stub for NtPulseEvent (SSN 0x148 on Win11 24H2)
NtPulseEvent PROC
    mov  r10, rcx          ; EventHandle
    mov  eax, 148h         ; SSN — verify per-build
    syscall
    ret
NtPulseEvent ENDP

cRelease a burst of waiters

// Wake every thread currently parked on hEvent, then immediately drop signaled state.
#include <windows.h>
#include <winternl.h>

typedef NTSTATUS (NTAPI *pNtPulseEvent)(HANDLE, PLONG);

NTSTATUS PulseBurst(HANDLE hEvent) {
    LONG previous = 0;
    pNtPulseEvent fn = (pNtPulseEvent)GetProcAddress(
        GetModuleHandleA("ntdll.dll"), "NtPulseEvent");
    return fn(hEvent, &previous);
}

MITRE ATT&CK mappings

T1106 Native API mitre ↗

Last verified: 2026-05-20