NtQueryInformationFile
Reads metadata about an open file — timestamps, size, EAs, streams, reparse points and more.
Prototype
```c
NTSTATUS NtQueryInformationFile(
    HANDLE                 FileHandle,
    PIO_STATUS_BLOCK       IoStatusBlock,
    PVOID                  FileInformation,
    ULONG                  Length,
    FILE_INFORMATION_CLASS FileInformationClass
);
```
Arguments
| Name | Type | Dir | Description |
|---|---|---|---|
| FileHandle | HANDLE | in | Handle to an open file or directory; required access depends on the information class queried. |
| IoStatusBlock | PIO_STATUS_BLOCK | out | Receives the NTSTATUS and the number of bytes actually written to FileInformation. |
| FileInformation | PVOID | out | Caller-allocated buffer; layout matches the requested FILE_INFORMATION_CLASS structure. |
| Length | ULONG | in | Size in bytes of the FileInformation buffer; STATUS_INFO_LENGTH_MISMATCH if too small. |
| FileInformationClass | FILE_INFORMATION_CLASS | in | Selector enum — FileBasicInformation, FileStandardInformation, FileEaInformation, FileStreamInformation, etc. |
Syscall IDs by Windows version
| Windows version | Syscall ID | Build |
|---|---|---|
| Win10 1507 | 0x11 | win10-1507 |
| Win10 1607 | 0x11 | win10-1607 |
| Win10 1703 | 0x11 | win10-1703 |
| Win10 1709 | 0x11 | win10-1709 |
| Win10 1803 | 0x11 | win10-1803 |
| Win10 1809 | 0x11 | win10-1809 |
| Win10 1903 | 0x11 | win10-1903 |
| Win10 1909 | 0x11 | win10-1909 |
| Win10 2004 | 0x11 | win10-2004 |
| Win10 20H2 | 0x11 | win10-20h2 |
| Win10 21H1 | 0x11 | win10-21h1 |
| Win10 21H2 | 0x11 | win10-21h2 |
| Win10 22H2 | 0x11 | win10-22h2 |
| Win11 21H2 | 0x11 | win11-21h2 |
| Win11 22H2 | 0x11 | win11-22h2 |
| Win11 23H2 | 0x11 | win11-23h2 |
| Win11 24H2 | 0x11 | win11-24h2 |
| Server 2016 | 0x11 | winserver-2016 |
| Server 2019 | 0x11 | winserver-2019 |
| Server 2022 | 0x11 | winserver-2022 |
| Server 2025 | 0x11 | winserver-2025 |
Syscall stub
```
4C 8B D1                    mov  r10, rcx
B8 11 00 00 00              mov  eax, 0x11
F6 04 25 08 03 FE 7F 01     test byte ptr [0x7FFE0308], 1
75 03                       jne  short +3
0F 05                       syscall
C3                          ret
CD 2E                       int  2Eh
C3                          ret
```
Undocumented notes
NtQueryInformationFile is the generic metadata reader for an open file or directory. The shape (handle, IOSB, buf, len, *information class*) is mirrored by `NtSetInformationFile` for the write side and `NtQueryDirectoryFile` for enumeration. SSN `0x11` has been stable since Windows 10 1507. Information classes worth knowing: `FileBasicInformation` (4 × LARGE_INTEGER timestamps + FileAttributes), `FileStandardInformation` (size, link count, delete-pending, directory flag), `FileEaInformation` (extended-attribute size), `FileStreamInformation` (ADS / alternate-data-stream enumeration), `FileAttributeTagInformation` (reparse-tag query — symbolic link, junction, IO_REPARSE_TAG_*), and `FileAlignmentInformation` (sector / device alignment).
Common malware usage
On the read side, NtQueryInformationFile is the primary syscall in **timestomping read-back** (T1070.006): an attacker reads `FileBasicInformation` of a benign neighbour file (e.g. `kernel32.dll`), then uses `NtSetInformationFile` with the same structure to copy CreationTime / LastWriteTime / ChangeTime onto a malicious payload — making it visually blend in directory listings and survive cursory timestamp-anomaly hunts. `FileStreamInformation` is used by infostealers and persistence frameworks to discover Alternate Data Streams (`file.txt:hidden.exe`) used to hide payloads on NTFS volumes. `FileAttributeTagInformation` lets stage-checking code distinguish a real directory from a junction/symlink before dropping persistence — important when targets sit on user-writable junction-able paths.
Detection opportunities
Like NtOpenFile, NtQueryInformationFile is extremely common in legitimate software (explorer.exe alone calls it thousands of times per second on busy systems) and is not a useful signal on its own. Useful inspection points are (1) the *information class* and (2) the *target*: a non-system process that calls NtQueryInformationFile + NtSetInformationFile both with `FileBasicInformation` on the same handle in quick succession is the canonical timestomp pattern. ETW `Microsoft-Windows-Kernel-File` exposes per-information-class metadata access events. EDR mini-filter drivers see the underlying `IRP_MJ_QUERY_INFORMATION`.
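The query-then-set pairing described above, as an added example (not code from the original page): a small Python detector run over a constructed event list, which also decodes the FILE_BASIC_INFORMATION buffer handed to the set call using the layout given in the notes above. The event schema (pid, image, handle, syscall, info_class, ts in milliseconds, raw buffer), the 2 s window and the allow-list of system images are assumptions standing in for whatever the ETW or mini-filter telemetry actually records.

```python
import struct
from collections import namedtuple
from datetime import datetime, timedelta, timezone

FILE_BASIC_INFORMATION = 4   # FILE_INFORMATION_CLASS value of FileBasicInformation
WINDOW_MS = 2000             # max gap between the query and the set (assumption)
SYSTEM_IMAGES = {"system", "explorer.exe", "svchost.exe"}  # allow-list (assumption)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
BasicInfo = namedtuple("BasicInfo", "creation last_access last_write change attributes")

def decode_basic_information(buf):
    """FILE_BASIC_INFORMATION: 4 x LARGE_INTEGER FILETIME (100 ns since 1601) + ULONG attrs."""
    c, a, w, ch, attrs = struct.unpack_from("<qqqqL", buf)
    to_dt = lambda ft: FILETIME_EPOCH + timedelta(microseconds=ft // 10)
    return BasicInfo(to_dt(c), to_dt(a), to_dt(w), to_dt(ch), attrs)

def find_timestomp_pairs(events):
    """(pid, image, handle, gap_ms, BasicInfo written) for each non-system process that
    queries then sets FileBasicInformation on the same handle within WINDOW_MS."""
    last_query, hits = {}, []   # (pid, handle) -> ts of the latest class-4 query
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["info_class"] != FILE_BASIC_INFORMATION:
            continue                          # other classes are not the pattern
        key = (e["pid"], e["handle"])
        if e["syscall"] == "NtQueryInformationFile":
            last_query[key] = e["ts"]
        elif e["syscall"] == "NtSetInformationFile":
            t0 = last_query.pop(key, None)
            if t0 is None or e["ts"] - t0 > WINDOW_MS:
                continue                      # no recent query on this handle
            if e["image"].lower() in SYSTEM_IMAGES:
                continue                      # expected metadata writer
            hits.append((e["pid"], e["image"], e["handle"], e["ts"] - t0,
                         decode_basic_information(e["buffer"])))
    return hits

# Constructed trace (not real ETW output); the written buffer carries four 2020-01-01 UTC stamps + FILE_ATTRIBUTE_ARCHIVE.
SAMPLE_TICKS = (datetime(2020, 1, 1, tzinfo=timezone.utc) - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
SAMPLE_BUF = struct.pack("<qqqqL4x", SAMPLE_TICKS, SAMPLE_TICKS, SAMPLE_TICKS, SAMPLE_TICKS, 0x20)
def ev(ts, pid, image, handle, syscall, cls, buf=b""):
    return dict(ts=ts, pid=pid, image=image, handle=handle, syscall=syscall, info_class=cls, buffer=buf)
SAMPLE = [
    ev(100, 4242, "updater.exe", 0x1A4, "NtQueryInformationFile", 4),
    ev(150, 4242, "updater.exe", 0x1A4, "NtSetInformationFile", 4, SAMPLE_BUF),   # hit
    ev(200, 1200, "explorer.exe", 0x2B0, "NtQueryInformationFile", 4),
    ev(210, 1200, "explorer.exe", 0x2B0, "NtSetInformationFile", 4, SAMPLE_BUF),  # allow-listed image
    ev(300, 4242, "updater.exe", 0x1C8, "NtQueryInformationFile", 5),             # FileStandardInformation
    ev(320, 4242, "updater.exe", 0x1C8, "NtSetInformationFile", 4, SAMPLE_BUF),   # no class-4 query first
    ev(400, 5000, "backup.exe", 0x300, "NtQueryInformationFile", 4),
    ev(9000, 5000, "backup.exe", 0x300, "NtSetInformationFile", 4, SAMPLE_BUF),   # outside WINDOW_MS
]
```

Only the updater.exe pair survives the three filters (same handle, inside the window, image not allow-listed); the decoded buffer shows what timestamps the process tried to write.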
Direct syscall examples
asmx64 direct stub
```asm
; Direct syscall stub for NtQueryInformationFile (SSN 0x11, stable since Win10 1507)
NtQueryInformationFile PROC
    mov r10, rcx        ; FileHandle
    mov eax, 11h        ; SSN
    syscall
    ret
NtQueryInformationFile ENDP
```
Read FileBasicInformation timestamps
```c
// Read CreationTime/LastAccessTime/LastWriteTime/ChangeTime + Attributes
// — the read-half of a classic timestomp.
#include <windows.h>
#include <winternl.h>
#pragma comment(lib, "ntdll.lib")   // NtQueryInformationFile is exported by ntdll

// winternl.h's FILE_INFORMATION_CLASS only names FileDirectoryInformation;
// FileBasicInformation is 4 in the full (ntifs.h) enumeration.
#define FileBasicInformation ((FILE_INFORMATION_CLASS)4)

typedef struct _FILE_BASIC_INFORMATION {
    LARGE_INTEGER CreationTime;      // FILETIME as a 64-bit value, 100 ns ticks since 1601
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;        // MFT-record change time, not exposed by Win32 APIs
    ULONG FileAttributes;            // FILE_ATTRIBUTE_* bits
} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION;

// Handle needs FILE_READ_ATTRIBUTES. Returns the NTSTATUS; on success
// iosb.Information == sizeof(FILE_BASIC_INFORMATION) (40 bytes on x64).
NTSTATUS GetBasicInfo(HANDLE h, FILE_BASIC_INFORMATION *out) {
    IO_STATUS_BLOCK iosb = {0};
    return NtQueryInformationFile(h, &iosb, out, sizeof(*out),
                                  FileBasicInformation);
}
```
Enumerate Alternate Data Streams
```c
// FileStreamInformation walk — discovers hidden ADS payloads on NTFS.
#include <windows.h>
#include <winternl.h>
#include <stdio.h>
#pragma comment(lib, "ntdll.lib")

// FileStreamInformation is 22 in the full (ntifs.h) FILE_INFORMATION_CLASS.
#define FileStreamInformation ((FILE_INFORMATION_CLASS)22)

typedef struct _FILE_STREAM_INFORMATION {
    ULONG NextEntryOffset;            // 0 on the last entry
    ULONG StreamNameLength;           // in bytes, no NUL terminator
    LARGE_INTEGER StreamSize;
    LARGE_INTEGER StreamAllocationSize;
    WCHAR StreamName[1];              // e.g. L"::$DATA", L":hidden.exe:$DATA"
} FILE_STREAM_INFORMATION, *PFILE_STREAM_INFORMATION;

void ListStreams(HANDLE h) {
    BYTE buf[4096]; IO_STATUS_BLOCK iosb = {0};
    NTSTATUS st = NtQueryInformationFile(h, &iosb, buf, sizeof(buf),
                                         FileStreamInformation);
    // A negative NTSTATUS is a failure; that includes STATUS_BUFFER_OVERFLOW
    // (0x80000005), which means the list was truncated and a larger buffer is
    // needed to see every stream. Information == 0 means no stream entries.
    if (st < 0 || iosb.Information == 0) return;
    PFILE_STREAM_INFORMATION p = (PFILE_STREAM_INFORMATION)buf;
    for (;;) {
        wprintf(L"%.*s (%lld bytes)\n",
                (int)(p->StreamNameLength / sizeof(WCHAR)), p->StreamName,
                p->StreamSize.QuadPart);
        if (!p->NextEntryOffset) break;
        p = (PFILE_STREAM_INFORMATION)((BYTE*)p + p->NextEntryOffset);
    }
}
```
Last verified: 2026-05-20