ntoskrnl.exeT1542.001T1106

NtQuerySystemEnvironmentValueEx

Reads a UEFI variable identified by a (name, vendor GUID) pair and returns its data plus attributes.

Prototype

NTSTATUS NtQuerySystemEnvironmentValueEx(
  PUNICODE_STRING VariableName,
  LPGUID          VendorGuid,
  PVOID           Value,
  PULONG          ValueLength,
  PULONG          Attributes
);

Arguments

Name	Type	Dir	Description
VariableName	PUNICODE_STRING	in	UEFI variable name, e.g. L"BootOrder", L"dbx", L"PK", L"SecureBoot".
VendorGuid	LPGUID	in	Vendor GUID namespace. EFI_GLOBAL_VARIABLE for boot config, EFI_IMAGE_SECURITY_DATABASE_GUID for Secure Boot keys.
Value	PVOID	out	Caller-allocated buffer that receives the raw variable data (binary).
ValueLength	PULONG	in/out	On input: buffer capacity. On output: number of bytes actually returned.
Attributes	PULONG	out	Receives EFI variable attribute flags (NON_VOLATILE, BOOTSERVICE_ACCESS, RUNTIME_ACCESS, AUTHENTICATED_WRITE_ACCESS, ...).

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0x146	win10-1507
Win10 1607	0x14D	win10-1607
Win10 1703	0x153	win10-1703
Win10 1709	0x156	win10-1709
Win10 1803	0x158	win10-1803
Win10 1809	0x159	win10-1809
Win10 1903	0x15A	win10-1903
Win10 1909	0x15A	win10-1909
Win10 2004	0x160	win10-2004
Win10 20H2	0x160	win10-20h2
Win10 21H1	0x160	win10-21h1
Win10 21H2	0x161	win10-21h2
Win10 22H2	0x161	win10-22h2
Win11 21H2	0x168	win11-21h2
Win11 22H2	0x16B	win11-22h2
Win11 23H2	0x16B	win11-23h2
Win11 24H2	0x16D	win11-24h2
Server 2016	0x14D	winserver-2016
Server 2019	0x159	winserver-2019
Server 2022	0x166	winserver-2022
Server 2025	0x16D	winserver-2025

Kernel module

ntoskrnl.exe → NtQuerySystemEnvironmentValueEx

Related APIs

GetFirmwareEnvironmentVariableExWGetFirmwareEnvironmentVariableWNtSetSystemEnvironmentValueExNtQuerySystemEnvironmentValueRtlAdjustPrivilege

Syscall stub

4C 8B D1            mov r10, rcx
B8 6D 01 00 00      mov eax, 0x16D
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

The modern UEFI variable read interface. Identifies a variable by (name, vendor GUID) — name alone is ambiguous because Secure Boot, BCD, vendor firmware utilities, and OEM management all reuse common short names under distinct GUID namespaces. Returns the variable's raw bytes plus its EFI attribute mask, letting callers see whether a variable is non-volatile, runtime-accessible, or authenticated-write-only. Requires SeSystemEnvironmentPrivilege. Win32 surface is GetFirmwareEnvironmentVariableExW.

Common malware usage

Primary reconnaissance call for firmware-aware threat actors. Reading `SecureBoot`, `SetupMode`, `PK`, `KEK`, `db`, `dbx`, and `BootOrder` reveals whether Secure Boot is enforcing, what keys are enrolled, and which loader runs first. TrickBoot (the TrickBot UEFI module) used the matching Win32 wrapper to fingerprint vulnerable firmware. APT41's MoonBounce and Sednit/APT28's LoJax both surveyed UEFI state via this pathway before deciding whether to attempt persistence via the Ex *setter*. Reading is by itself low-impact; the value is in selecting victims and avoiding signed-firmware machines.

TrickBoot (TrickBot UEFI reconnaissance module)LoJax (Sednit / APT28)MosaicRegressor (APT41-adjacent)MoonBounce (APT41)ESPecter

Detection opportunities

Microsoft-Windows-Kernel-General ETW emits firmware-read events including the variable name and GUID. Defenders should baseline which processes legitimately read Secure Boot state (System, mountvol, manage-bde, vendor agents) and treat any other reader — especially user-mode malware that just elevated and enabled SeSystemEnvironmentPrivilege — as high-fidelity suspicious. CrowdStrike and Microsoft Defender for Endpoint surface direct calls through their EDR sensor; the Win32 wrappers are also commonly hooked.

Direct syscall examples

asmx64 direct stub (Win11 24H2)

; Direct syscall stub for NtQuerySystemEnvironmentValueEx (SSN 0x16D, Win11 24H2)
NtQuerySystemEnvironmentValueEx PROC
    mov  r10, rcx
    mov  eax, 16Dh
    syscall
    ret
NtQuerySystemEnvironmentValueEx ENDP

cRead SecureBoot state via Win32

// GUID for EFI_GLOBAL_VARIABLE: {8BE4DF61-93CA-11D2-AA0D-00E098032B8C}
// Win32 string-form is required by GetFirmwareEnvironmentVariableExW.
static const wchar_t* kGlobal = L"{8BE4DF61-93CA-11D2-AA0D-00E098032B8C}";
BOOLEAN was;
RtlAdjustPrivilege(SE_SYSTEM_ENVIRONMENT_PRIVILEGE, TRUE, FALSE, &was);

BYTE secureBoot = 0;
DWORD attrs = 0;
DWORD n = GetFirmwareEnvironmentVariableExW(
    L"SecureBoot", kGlobal, &secureBoot, sizeof(secureBoot), &attrs);
if (n == 1 && secureBoot == 1) {
    // Secure Boot is active. Variable attribute mask is in `attrs`.
}

rustDirect syscall query of BootOrder

// windows-sys = "0.59" — naked stub omitted for brevity (see x64 stub above).
// Demonstrates the call shape — privilege gating must be performed beforehand.
#[repr(C)]
struct UnicodeString { length: u16, max: u16, buf: *const u16 }

extern "system" {
    fn NtQuerySystemEnvironmentValueEx(
        name: *const UnicodeString,
        guid: *const windows_sys::core::GUID,
        value: *mut u8,
        value_len: *mut u32,
        attributes: *mut u32,
    ) -> i32;
}

const EFI_GLOBAL_VARIABLE: windows_sys::core::GUID = windows_sys::core::GUID {
    data1: 0x8BE4DF61, data2: 0x93CA, data3: 0x11D2,
    data4: [0xAA, 0x0D, 0x00, 0xE0, 0x98, 0x03, 0x2B, 0x8C],
};

MITRE ATT&CK mappings

Last verified: 2026-05-20