ntoskrnl.exe · T1559 · T1106

NtRequestPort

Sends a fire-and-forget LPC message on a connected port — no reply expected.

Prototype

```c
NTSTATUS NtRequestPort(
  HANDLE         PortHandle,
  PPORT_MESSAGE  RequestMessage
);
```

Arguments

| Name | Type | Dir | Description |
| --- | --- | --- | --- |
| PortHandle | HANDLE | in | Handle to a connected LPC port previously returned by NtConnectPort / NtSecureConnectPort. |
| RequestMessage | PPORT_MESSAGE | in | PORT_MESSAGE header followed by inline payload (≤ 256 bytes); enqueued at server then call returns. |

Syscall IDs by Windows version

| Windows version | Syscall ID | Build |
| --- | --- | --- |
| Win10 1507 | 0x15D | win10-1507 |
| Win10 1607 | 0x164 | win10-1607 |
| Win10 1703 | 0x16A | win10-1703 |
| Win10 1709 | 0x16D | win10-1709 |
| Win10 1803 | 0x16F | win10-1803 |
| Win10 1809 | 0x170 | win10-1809 |
| Win10 1903 | 0x171 | win10-1903 |
| Win10 1909 | 0x171 | win10-1909 |
| Win10 2004 | 0x177 | win10-2004 |
| Win10 20H2 | 0x177 | win10-20h2 |
| Win10 21H1 | 0x177 | win10-21h1 |
| Win10 21H2 | 0x179 | win10-21h2 |
| Win10 22H2 | 0x179 | win10-22h2 |
| Win11 21H2 | 0x181 | win11-21h2 |
| Win11 22H2 | 0x184 | win11-22h2 |
| Win11 23H2 | 0x184 | win11-23h2 |
| Win11 24H2 | 0x186 | win11-24h2 |
| Server 2016 | 0x164 | winserver-2016 |
| Server 2019 | 0x170 | winserver-2019 |
| Server 2022 | 0x17F | winserver-2022 |
| Server 2025 | 0x186 | winserver-2025 |

Kernel module

ntoskrnl.exe: NtRequestPort

Related APIs

NtRequestWaitReplyPort, NtReplyPort, NtReplyWaitReceivePort, NtConnectPort, NtAlpcSendWaitReceivePort

Syscall stub

```
4C 8B D1                  mov r10, rcx
B8 86 01 00 00            mov eax, 0x186
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03                     jne short +3
0F 05                     syscall
C3                        ret
CD 2E                     int 2Eh
C3                        ret
```

Undocumented notes

NtRequestPort is the asynchronous, no-reply variant of NtRequestWaitReplyPort on the legacy **LPC** path. The kernel copies the inline PORT_MESSAGE into the receiver's port queue and returns immediately — the caller never blocks for a server response. It is typically used for one-way notifications (e.g. CSRSS event posting on pre-Vista builds). Inline payload is capped at PORT_MAXIMUM_MESSAGE_LENGTH (256 bytes); larger payloads require a previously-negotiated PORT_VIEW shared section.

Common malware usage

On modern Windows, malware use of NtRequestPort is *negligible*. Historically a few pre-Vista user-mode rootkits employed it as a one-way fan-out signal (e.g. notify a co-resident component to flip state) precisely because no Win32 wrapper exists and userspace tooling rarely surfaces LPC traffic. Today an attacker who wants this semantic uses NtAlpcSendWaitReceivePort with `ALPC_MSGFLG_RELEASE_MESSAGE`, a writable mailslot, or a named-pipe write. Any raw LPC request from an unsigned process is in itself anomalous and worth chasing.

Detection opportunities

There is no dedicated ETW provider for legacy LPC equivalent to `Microsoft-Windows-Kernel-ALPC`. Kernel-mode EDRs can hook the syscall directly; user-mode EDRs hook `ntdll!NtRequestPort`. The legitimate-caller baseline on Windows 10/11 is essentially zero (almost nothing inbox still uses raw LPC), so *any* hit from an unsigned or sandboxed process is high signal. WinObj reveals live port objects but not in-flight messages.
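
A static check for the detection idea above, as an added example that is not part of the original page: it scans a non-ntdll image or memory dump for a stub that loads the NtRequestPort SSN of the host's build and then transitions to the kernel. The function name, the 24-byte search window and the sample buffer are assumptions constructed for illustration; the SSNs and stub bytes are the ones listed on this page.

```python
import struct

# NtRequestPort SSN per build tag, copied from the table on this page.
SSN_BY_BUILD = {
    "win10-1507": 0x15D, "win10-1607": 0x164, "win10-1703": 0x16A,
    "win10-1709": 0x16D, "win10-1803": 0x16F, "win10-1809": 0x170,
    "win10-1903": 0x171, "win10-1909": 0x171, "win10-2004": 0x177,
    "win10-20h2": 0x177, "win10-21h1": 0x177, "win10-21h2": 0x179,
    "win10-22h2": 0x179, "win11-21h2": 0x181, "win11-22h2": 0x184,
    "win11-23h2": 0x184, "win11-24h2": 0x186, "winserver-2016": 0x164,
    "winserver-2019": 0x170, "winserver-2022": 0x17F, "winserver-2025": 0x186,
}
PROLOGUE = bytes.fromhex("4C8BD1B8")            # mov r10, rcx ; mov eax, imm32
KUSER_TEST = bytes.fromhex("F604250803FE7F01")  # test byte ptr [0x7FFE0308], 1
SYSCALL, INT2E = b"\x0f\x05", b"\xcd\x2e"
WINDOW = 24  # bytes after the imm32 searched for the kernel transition (heuristic)


def find_ntrequestport_stubs(image: bytes, build: str):
    """Return [(offset, form)] for stubs that load this build's NtRequestPort SSN."""
    needle = PROLOGUE + struct.pack("<I", SSN_BY_BUILD[build])  # KeyError: unknown build
    hits, pos = [], image.find(needle)
    while pos != -1:
        tail = image[pos + len(needle): pos + len(needle) + WINDOW]
        if SYSCALL in tail or INT2E in tail:
            # The ntdll stub on this page starts with the 0x7FFE0308 test;
            # the page's direct stub goes straight to syscall.
            form = "ntdll-style" if tail.startswith(KUSER_TEST) else "bare"
            hits.append((pos, form))
        pos = image.find(needle, pos + 1)
    return hits


# Constructed sample: int3 padding around the bare stub from this page's asm example,
# the ntdll-style stub from the "Syscall stub" section, and a stub with an unrelated SSN.
BARE = bytes.fromhex("4C8BD1B8860100000F05C3")
NTDLL_STYLE = bytes.fromhex("4C8BD1B886010000F604250803FE7F0175030F05C3CD2EC3")
OTHER_SSN = bytes.fromhex("4C8BD1B8550000000F05C3")
SAMPLE = b"\xcc" * 16 + BARE + b"\xcc" * 5 + NTDLL_STYLE + b"\xcc" * 8 + OTHER_SSN

if __name__ == "__main__":
    for offset, form in find_ntrequestport_stubs(SAMPLE, "win11-24h2"):
        print(f"offset {offset:#06x}: NtRequestPort SSN loaded, {form} stub")
```

Match against the build of the host the image came from: the same number is a different syscall on another build, and ntdll.dll itself legitimately contains the ntdll-style form.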

Direct syscall examples

x64 direct stub (asm)

```asm
; Direct syscall stub for NtRequestPort (SSN 0x186 on Win11 24H2)
NtRequestPort PROC
    mov  r10, rcx          ; PortHandle
    mov  eax, 186h         ; SSN — verify per-build
    syscall
    ret
NtRequestPort ENDP
```

Fire-and-forget LPC datagram (C)

```c
// Send a one-way LPC message on a connected port.
#include <windows.h>
#include <winternl.h>

typedef NTSTATUS (NTAPI *pNtRequestPort)(HANDLE, PVOID /*PPORT_MESSAGE*/);

NTSTATUS LpcNotify(HANDLE hPort, void *msgBuf) {
    // ntdll.dll is mapped into every process; resolve the export at run time.
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    pNtRequestPort fn = ntdll
        ? (pNtRequestPort)GetProcAddress(ntdll, "NtRequestPort") : NULL;
    if (!fn)
        return (NTSTATUS)0xC000007AL;  // STATUS_PROCEDURE_NOT_FOUND
    return fn(hPort, msgBuf);  // returns once the kernel queues the message
}
```

MITRE ATT&CK mappings

Last verified: 2026-05-20