ntoskrnl.exeT1485T1529T1106

NtRaiseHardError

Raises a 'hard error' that the kernel routes to CSRSS for UI prompting — or, with SeShutdownPrivilege and FATAL severity, triggers an immediate bugcheck (BSOD).

Prototype

NTSTATUS NtRaiseHardError(
  NTSTATUS                 ErrorStatus,
  ULONG                    NumberOfParameters,
  ULONG                    UnicodeStringParameterMask,
  PULONG_PTR               Parameters,
  HARDERROR_RESPONSE_OPTION ResponseOption,
  PHARDERROR_RESPONSE      Response
);

Arguments

Name	Type	Dir	Description
ErrorStatus	NTSTATUS	in	Status code; the high bits encode severity (STATUS_SEVERITY_FATAL = 0xC0000000-class with bit 30 set drives bugcheck path).
NumberOfParameters	ULONG	in	Count of entries in Parameters (max 4).
UnicodeStringParameterMask	ULONG	in	Bitmask indicating which of the Parameters entries point to UNICODE_STRING (rather than raw ULONG_PTR).
Parameters	PULONG_PTR	in	Array of up to 4 substitution parameters for the error template.
ResponseOption	HARDERROR_RESPONSE_OPTION	in	Which response set to offer the user. OptionShutdownSystem (6) is the BSOD-triggering value when paired with FATAL severity and SeShutdownPrivilege.
Response	PHARDERROR_RESPONSE	out	Receives the user's chosen response. Irrelevant on the BSOD path because the call never returns.

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0x14D	win10-1507
Win10 1607	0x154	win10-1607
Win10 1703	0x15A	win10-1703
Win10 1709	0x15D	win10-1709
Win10 1803	0x15F	win10-1803
Win10 1809	0x160	win10-1809
Win10 1903	0x161	win10-1903
Win10 1909	0x161	win10-1909
Win10 2004	0x167	win10-2004
Win10 20H2	0x167	win10-20h2
Win10 21H1	0x167	win10-21h1
Win10 21H2	0x169	win10-21h2
Win10 22H2	0x169	win10-22h2
Win11 21H2	0x170	win11-21h2
Win11 22H2	0x173	win11-22h2
Win11 23H2	0x173	win11-23h2
Win11 24H2	0x175	win11-24h2
Server 2016	0x154	winserver-2016
Server 2019	0x160	winserver-2019
Server 2022	0x16E	winserver-2022
Server 2025	0x175	winserver-2025

Kernel module

ntoskrnl.exe → NtRaiseHardError

Related APIs

RtlAdjustPrivilegeExitWindowsExInitiateSystemShutdownExWNtShutdownSystemNtTerminateProcess

Syscall stub

4C 8B D1            mov r10, rcx
B8 75 01 00 00      mov eax, 0x175
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

NtRaiseHardError has two completely different personalities depending on parameter combinations. The benign path posts a hard-error LPC message to CSRSS, which paints the familiar 'A device attached to the system is not functioning' dialog. The famous BSOD path: pass any STATUS_SEVERITY_FATAL status (high two bits = 11), ResponseOption = OptionShutdownSystem (6), and hold SeShutdownPrivilege enabled — the kernel jumps straight into ExpRaiseHardError → KeBugCheckEx with bugcheck code 0xF4 (CRITICAL_OBJECT_TERMINATION) or 0xC1 (SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION) depending on the specific status. Wininit.exe and Csrss.exe legitimately use the same call to take the system down when a critical process dies; malware piggybacks on the same machinery.

Common malware usage

The textbook 'crash the box from userland' primitive. Ransomware uses NtRaiseHardError as a stage-3 anti-forensics step: after encryption is complete and shadow copies wiped, force a BSOD to disrupt any in-memory forensics, EDR live-response sessions, or recovery attempts. Some destructive wipers (HermeticWiper, CaddyWiper) call it as the final action so the next boot lands in WinRE with no usable user volume. Defense-evasion families also use the non-FATAL form to spawn convincing 'critical update' dialogs in social-engineering chains. The privilege gate is mild — any process running as Administrator with default-enabled SeShutdownPrivilege can BSOD the host.

HermeticWiper CaddyWiper Petya / NotPetya Conti ransomware BlackCat (ALPHV)LockBit

Detection opportunities

Set the audit-policy bit for 'Process Creation' on wininit.exe and csrss.exe, and additionally use Microsoft-Windows-Threat-Intelligence ETW (EtwTiLogRaiseHardError where exposed). On the survivable path, Event Log channel Application records hard errors as Event ID 1023 (DrWatson) and the System channel records BugCheck (Event ID 1001) on the reboot after a hard-error-induced bugcheck. The most useful prevention is removing SeShutdownPrivilege from non-privileged service accounts — most application service accounts do not need it, and removing it neutralises the userland-BSOD threat entirely.

Direct syscall examples

cUserland BSOD trigger

// Requires SeShutdownPrivilege enabled in the token.
// Result: instant 0xF4 CRITICAL_OBJECT_TERMINATION bugcheck.
BOOLEAN wasEnabled;
RtlAdjustPrivilege(SE_SHUTDOWN_PRIVILEGE, TRUE, FALSE, &wasEnabled);

ULONG response;
NtRaiseHardError(
    STATUS_ASSERTION_FAILURE,    // 0xC0000420 - severity FATAL
    0, 0, NULL,
    OptionShutdownSystem,        // 6 -> kernel routes to KeBugCheckEx
    &response);
// Never returns.

cBogus 'critical update' dialog

// Non-FATAL severity -> CSRSS displays a hard-error dialog with template text.
UNICODE_STRING msg;
RtlInitUnicodeString(&msg, L"Critical Windows component compromised. Restart now.");
ULONG_PTR params[1] = { (ULONG_PTR)&msg };
ULONG response;
NtRaiseHardError(
    STATUS_FATAL_APP_EXIT,
    1,
    1,                   // bit 0 = first param is a UNICODE_STRING*
    params,
    OptionOk,
    &response);

asmx64 stub (Win11 24H2)

NtRaiseHardError PROC
    mov  r10, rcx
    mov  eax, 175h         ; Win11 24H2 SSN
    syscall
    ret
NtRaiseHardError ENDP

MITRE ATT&CK mappings

Last verified: 2026-05-20