ntoskrnl.exeT1055T1106

NtReleaseWorkerFactoryWorker

Requests the kernel to make at least one worker available in the factory — used by the user-mode threadpool to wake the pool on work submission.

Prototype

NTSTATUS NtReleaseWorkerFactoryWorker(
  HANDLE  WorkerFactoryHandle
);

Arguments

Name	Type	Dir	Description
WorkerFactoryHandle	HANDLE	in	Handle to the worker factory whose pending worker count should be incremented.

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0x155	win10-1507
Win10 1607	0x15C	win10-1607
Win10 1703	0x162	win10-1703
Win10 1709	0x165	win10-1709
Win10 1803	0x167	win10-1803
Win10 1809	0x168	win10-1809
Win10 1903	0x169	win10-1903
Win10 1909	0x169	win10-1909
Win10 2004	0x16F	win10-2004
Win10 20H2	0x16F	win10-20h2
Win10 21H1	0x16F	win10-21h1
Win10 21H2	0x171	win10-21h2
Win10 22H2	0x171	win10-22h2
Win11 21H2	0x179	win11-21h2
Win11 22H2	0x17C	win11-22h2
Win11 23H2	0x17C	win11-23h2
Win11 24H2	0x17E	win11-24h2
Server 2016	0x15C	winserver-2016
Server 2019	0x168	winserver-2019
Server 2022	0x177	winserver-2022
Server 2025	0x17E	winserver-2025

Kernel module

ntoskrnl.exe → NtReleaseWorkerFactoryWorker

Related APIs

SubmitThreadpoolWorkNtSetIoCompletionNtCreateWorkerFactoryNtWaitForWorkViaWorkerFactoryNtWorkerFactoryWorkerReady

Syscall stub

4C 8B D1            mov r10, rcx
B8 7E 01 00 00      mov eax, 0x17E
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

The internal counterpart of `SubmitThreadpoolWork`'s 'wake a worker' step. The user-mode wrapper `TpPostWork` posts a packet to the completion port and then calls NtReleaseWorkerFactoryWorker if it sees no waiting worker — the syscall increments the factory's release counter and, if necessary, asks the kernel to spawn an additional thread up to `ThreadMaximum`. Together with NtWorkerFactoryWorkerReady and NtWaitForWorkViaWorkerFactory it forms the three-call worker lifecycle.

Common malware usage

In a PoolParty 'worker via completion port' variant the attacker posts a forged work item with NtSetIoCompletion and then calls NtReleaseWorkerFactoryWorker to guarantee a worker thread will pick it up promptly — useful when the victim's pool is idle and would otherwise leave the malicious packet queued indefinitely. Calling it cross-process (on a duplicated remote worker factory handle) is rare in legitimate code; it is a useful corroborating signal in conjunction with a cross-process NtCreateWorkerFactory.

PoolParty PoC (completion-port variant)

Detection opportunities

Intra-process invocations are noisy and not actionable. The actionable signature is cross-process: a Release on a worker factory whose owning process is *not* the caller. Kernel callbacks can identify this by walking the WorkerFactory object's `ProcessId` and comparing it to PsGetCurrentProcessId at the syscall site. There is no documented user-mode telemetry for this syscall.

Direct syscall examples

cWake a worker after posting a forged item

// PoolParty completion-port variant — after NtSetIoCompletion delivered the
// payload, nudge the factory to guarantee a worker thread services it.
NtSetIoCompletion(hIoCompletion, NULL, NULL, STATUS_SUCCESS, 1);
NtReleaseWorkerFactoryWorker(hWorkerFactory);

asmx64 direct stub (Win11 24H2 SSN 0x17E)

NtReleaseWorkerFactoryWorker PROC
    mov  r10, rcx
    mov  eax, 17Eh
    syscall
    ret
NtReleaseWorkerFactoryWorker ENDP

MITRE ATT&CK mappings

Last verified: 2026-05-20