NtQueryInformationWorkerFactory

Prototype

NTSTATUS NtQueryInformationWorkerFactory(
  HANDLE                     WorkerFactoryHandle,
  WORKERFACTORYINFOCLASS     WorkerFactoryInformationClass,
  PVOID                      WorkerFactoryInformation,
  ULONG                      WorkerFactoryInformationLength,
  PULONG                     ReturnLength
);

Arguments

Syscall IDs by Windows version

Syscall stub

4C 8B D1            mov r10, rcx
B8 5B 01 00 00      mov eax, 0x15B
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

The symmetric query side of NtSetInformationWorkerFactory. `WorkerFactoryBasicInformation` returns a `WORKER_FACTORY_BASIC_INFORMATION` (see ntexapi.h / phnt) including the current `StartRoutine`, `StartParameter`, `ProcessId`, thread counts, timeouts, and the binding count. The structure is one of the only documented ways to programmatically observe what a threadpool worker factory is currently configured to execute — useful both for diagnostics (taskmgr, PerfView) and for offensive recon of an already-targeted process.

Common malware usage

Used by PoolParty StartRoutine-overwrite variants as the read step before writing back a mutated structure via NtSetInformationWorkerFactory. Also used by toolkits that enumerate worker factories in a victim — once a handle is duplicated in (via NtDuplicateObject), querying tells the attacker which threadpool is the busiest, which target process it lives in, and what StartRoutine it currently dispatches. EDR identification is also possible in reverse: an attacker can query their *own* process's worker factories to see if a third-party DLL has hooked or replaced the StartRoutine.

Detection opportunities

Query operations are read-only and ubiquitous in normal threadpool maintenance — this syscall alone is not a useful signal. It becomes meaningful when paired with a subsequent NtSetInformationWorkerFactory on the same handle (the classic read-modify-write pattern), or when issued cross-process. Kernel callbacks on the WorkerFactory object type can correlate the query/set pair; user-mode telemetry is essentially unobtainable because EDR hooks on the query side are routinely bypassed by direct syscalls.

Direct syscall examples

WORKER_FACTORY_BASIC_INFORMATION info;
ULONG ret = 0;
NTSTATUS s = NtQueryInformationWorkerFactory(
    hWf, WorkerFactoryBasicInformation,
    &info, sizeof(info), &ret);
if (NT_SUCCESS(s)) {
    printf("StartRoutine = %p in PID %llu, %u workers (%u waiting)\n",
           info.StartRoutine, (uint64_t)info.ProcessId,
           info.TotalWorkerCount, info.WaitingWorkerCount);
}

// hWfRemote was opened in our process via NtDuplicateObject(target, source, ours, ...)
// and now points to the *victim's* worker factory.
use ntapi::ntexapi::{NtQueryInformationWorkerFactory, WORKER_FACTORY_BASIC_INFORMATION};
let mut info: WORKER_FACTORY_BASIC_INFORMATION = unsafe { core::mem::zeroed() };
let mut ret: u32 = 0;
let status = unsafe {
    NtQueryInformationWorkerFactory(
        h_wf_remote,
        0, // WorkerFactoryBasicInformation
        &mut info as *mut _ as *mut _,
        core::mem::size_of_val(&info) as u32,
        &mut ret,
    )
};
assert_eq!(status, 0);
println!("victim StartRoutine: {:p}", info.StartRoutine);

MITRE ATT&CK mappings

• T1055Process Injectionmitre ↗
• T1106Native APImitre ↗