Module: ntoskrnl.exe | MITRE ATT&CK: T1542.001, T1106

NtQueryDriverEntryOrder

Reads the platform's UEFI DriverOrder list — the sequence in which UEFI Driver#### entries load at boot.

Prototype

NTSTATUS NtQueryDriverEntryOrder(
  PULONG Ids,
  PULONG Count
);

Arguments

| Name  | Type   | Dir    | Description |
|-------|--------|--------|-------------|
| Ids   | PULONG | out    | Caller-allocated array that receives the ordered list of Driver#### IDs. |
| Count | PULONG | in/out | On input: capacity of Ids in entries. On output: number of IDs returned. |

Syscall IDs by Windows version

| Windows version | Syscall ID | Build |
|-----------------|------------|-------|
| Win10 1507  | 0x12C | win10-1507 |
| Win10 1607  | 0x132 | win10-1607 |
| Win10 1703  | 0x137 | win10-1703 |
| Win10 1709  | 0x13A | win10-1709 |
| Win10 1803  | 0x13C | win10-1803 |
| Win10 1809  | 0x13D | win10-1809 |
| Win10 1903  | 0x13E | win10-1903 |
| Win10 1909  | 0x13E | win10-1909 |
| Win10 2004  | 0x144 | win10-2004 |
| Win10 20H2  | 0x144 | win10-20h2 |
| Win10 21H1  | 0x144 | win10-21h1 |
| Win10 21H2  | 0x145 | win10-21h2 |
| Win10 22H2  | 0x145 | win10-22h2 |
| Win11 21H2  | 0x14B | win11-21h2 |
| Win11 22H2  | 0x14D | win11-22h2 |
| Win11 23H2  | 0x14D | win11-23h2 |
| Win11 24H2  | 0x14F | win11-24h2 |
| Server 2016 | 0x132 | winserver-2016 |
| Server 2019 | 0x13D | winserver-2019 |
| Server 2022 | 0x14A | winserver-2022 |
| Server 2025 | 0x14F | winserver-2025 |

Kernel module

ntoskrnl.exe!NtQueryDriverEntryOrder

Related APIs

- NtSetDriverEntryOrder
- NtEnumerateDriverEntries
- NtAddDriverEntry
- NtModifyDriverEntry
- NtDeleteDriverEntry
- bcdedit /enum FIRMWARE

Syscall stub

4C 8B D1            mov r10, rcx
B8 4F 01 00 00      mov eax, 0x14F
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

Companion to the BCD `NtQueryBootEntryOrder` family but operating on UEFI **driver** entries rather than OS-loader entries. The DriverOrder NVRAM variable controls which platform drivers (Driver0000, Driver0001, ...) the firmware loads before handing control to the OS loader; querying it is the read-only inspection path. Requires SeSystemEnvironmentPrivilege. On non-UEFI/CSM systems the syscall returns STATUS_NOT_IMPLEMENTED. The `bcdedit /enum FIRMWARE` command is the user-mode surface most commonly seen exercising this path.

Common malware usage

Reconnaissance value during firmware-focused tradecraft: an attacker about to attempt UEFI persistence may enumerate DriverOrder to (a) understand which OEM/platform drivers run first, (b) identify a slot whose number is unused so a planted Driver#### entry will be picked up, or (c) confirm that an already-planted Driver#### sits ahead of the OS loader handoff. Pair with NtQuerySystemEnvironmentValueEx for full enumeration. Read-only on its own — no direct kernel-level damage.

Detection opportunities

Volume of legitimate calls is extremely low — essentially bcdedit.exe, manage-bde, and OEM firmware tools. Microsoft-Windows-Kernel-General ETW logs firmware-read access including DriverOrder. The privilege-enable transition (SeSystemEnvironmentPrivilege via NtAdjustPrivilegesToken) is the earliest defensive checkpoint. Pair process-context telemetry with the audit event to flag user-mode malware enumerating boot configuration.

Direct syscall examples

[asm] x64 direct stub (Win11 24H2)

; Direct syscall stub for NtQueryDriverEntryOrder (SSN 0x14F, Win11 24H2)
NtQueryDriverEntryOrder PROC
    mov  r10, rcx
    mov  eax, 14Fh
    syscall
    ret
NtQueryDriverEntryOrder ENDP

[c] Enumerate UEFI DriverOrder

#include <windows.h>
#include <winternl.h>
#include <stdio.h>
#ifndef NT_SUCCESS
#define NT_SUCCESS(s) (((NTSTATUS)(s)) >= 0)
#endif
#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE 22  // SeSystemEnvironmentPrivilege LUID value
// No public header declares these two ntdll exports; link against ntdll.lib.
NTSYSAPI NTSTATUS NTAPI RtlAdjustPrivilege(ULONG Privilege, BOOLEAN Enable, BOOLEAN CurrentThread, PBOOLEAN WasEnabled);
NTSYSAPI NTSTATUS NTAPI NtQueryDriverEntryOrder(PULONG Ids, PULONG Count);
int main(void) {
    // Privilege gate first.
    BOOLEAN was;
    if (!NT_SUCCESS(RtlAdjustPrivilege(SE_SYSTEM_ENVIRONMENT_PRIVILEGE, TRUE, FALSE, &was)))
        return 1;  // SeSystemEnvironmentPrivilege not held by this token
    ULONG ids[32] = {0};
    ULONG count = ARRAYSIZE(ids);  // in: capacity of ids; out: number of IDs returned
    NTSTATUS s = NtQueryDriverEntryOrder(ids, &count);
    if (NT_SUCCESS(s)) {           // STATUS_NOT_IMPLEMENTED on non-UEFI/CSM systems
        for (ULONG i = 0; i < count; ++i) {
            // ids[i] is the Driver#### identifier in load order.
            // Pair with NtQuerySystemEnvironmentValueEx(L"Driver####", EFI_GLOBAL_VARIABLE,...)
            // to dereference each entry's device-path and load-options.
            printf("Driver%04lX\n", (unsigned long)ids[i]);
        }
    }
    return NT_SUCCESS(s) ? 0 : 1;
}
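The C snippet stops at the raw IDs; turning them into something an analyst can read is plain UEFI EFI_LOAD_OPTION parsing. The Python below is an added example, not code from this page or the syscall catalog: it decodes a DriverOrder blob of UINT16 IDs (the shape NtQueryDriverEntryOrder returns) and Driver#### variables (the shape NtQuerySystemEnvironmentValueEx reads) into load order, description, device-path nodes and the active flag, and marks an ordered ID that has no backing variable. All input bytes are constructed sample data, and build_load_option exists only to produce them.

```python
import struct

LOAD_OPTION_ACTIVE = 0x00000001   # EFI_LOAD_OPTION.Attributes bit (UEFI spec)
DEVICE_PATH_END = (0x7F, 0xFF)    # End-of-entire-device-path node (Type, SubType)

def decode_driver_order(blob: bytes) -> list:
    """DriverOrder is a packed array of little-endian UINT16 option numbers."""
    if len(blob) % 2:
        raise ValueError("DriverOrder length must be a multiple of 2")
    return [f"Driver{n:04X}" for n in struct.unpack(f"<{len(blob) // 2}H", blob)]

def parse_load_option(blob: bytes) -> dict:
    """Parse one Driver#### (or Boot####) variable laid out as EFI_LOAD_OPTION."""
    if len(blob) < 6:
        raise ValueError("load option shorter than its fixed header")
    attributes, fp_len = struct.unpack_from("<IH", blob, 0)
    off = 6                       # Description: NUL-terminated CHAR16 string at offset 6
    while off + 2 <= len(blob) and blob[off:off + 2] != b"\x00\x00":
        off += 2
    if off + 2 > len(blob):
        raise ValueError("unterminated description")
    fp_start, fp_end = off + 2, off + 2 + fp_len
    if fp_end > len(blob):
        raise ValueError("FilePathListLength exceeds variable size")
    nodes, pos = [], fp_start     # FilePathList: chained device-path nodes up to the end node
    while pos + 4 <= fp_end:
        ntype, subtype, nlen = struct.unpack_from("<BBH", blob, pos)
        if nlen < 4 or pos + nlen > fp_end:
            raise ValueError("malformed device path node")
        nodes.append((ntype, subtype, blob[pos + 4:pos + nlen]))
        pos += nlen
        if (ntype, subtype) == DEVICE_PATH_END:
            break
    return {"active": bool(attributes & LOAD_OPTION_ACTIVE), "description": blob[6:off].decode("utf-16-le"),
            "device_path": nodes, "optional_data": blob[fp_end:]}

def enumerate_drivers(order_blob: bytes, variables: dict) -> list:
    """Walk DriverOrder in load order; None marks an ID whose Driver#### variable is missing."""
    return [(name, parse_load_option(variables[name]) if name in variables else None)
            for name in decode_driver_order(order_blob)]
def build_load_option(desc: str, path: str, attributes: int = LOAD_OPTION_ACTIVE) -> bytes:
    """Constructed sample data only: one File Path Media node (Type 4, SubType 4) then the end node."""
    path_u16 = path.encode("utf-16-le") + b"\x00\x00"
    fp = struct.pack("<BBH", 4, 4, 4 + len(path_u16)) + path_u16 + struct.pack("<BBH", 0x7F, 0xFF, 4)
    return struct.pack("<IH", attributes, len(fp)) + desc.encode("utf-16-le") + b"\x00\x00" + fp

# Constructed stand-ins for NtQueryDriverEntryOrder's IDs and the variables
# NtQuerySystemEnvironmentValueEx would read; Driver0002 is ordered but has no variable.
SAMPLE_DRIVER_ORDER = struct.pack("<HHH", 0x0001, 0x0000, 0x0002)
SAMPLE_VARS = {"Driver0000": build_load_option("OEM Platform Driver", "\\EFI\\OEM\\platform.efi"),
               "Driver0001": build_load_option("Storage Driver", "\\EFI\\OEM\\storage.efi", 0)}
```

Note that load order is the DriverOrder sequence, not numeric order: Driver0001 runs before Driver0000 in the sample.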

MITRE ATT&CK mappings: T1542.001 (Pre-OS Boot: System Firmware), T1106 (Native API)

Last verified: 2026-05-20