NtResetWriteWatch

Prototype

NTSTATUS NtResetWriteWatch(
  HANDLE  ProcessHandle,
  PVOID   BaseAddress,
  SIZE_T  RegionSize
);

Arguments

Syscall IDs by Windows version

Syscall stub

4C 8B D1                  mov r10, rcx
B8 88 01 00 00            mov eax, 0x188
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03                     jne short +3
0F 05                     syscall
C3                        ret
CD 2E                     int 2Eh
C3                        ret

Undocumented notes

NtResetWriteWatch is the standalone reset companion to NtGetWriteWatch. Most callers prefer the atomic form `NtGetWriteWatch(WRITE_WATCH_FLAG_RESET, ...)` because it eliminates the race window between query and reset. The separate syscall is useful when the caller wants to discard dirty information entirely (e.g. after a full re-encryption pass) without paying for the array copy-out of NtGetWriteWatch. The kernel implementation walks the same PTE-level dirty bits cleared by `MiResetWriteWatch`.

Common malware usage

Used by sleep-mask implants that perform a full memory re-encrypt at startup or after a configuration update — the implant doesn't care which pages were dirty, it's encrypting everything anyway, but it still needs to reset the watch state so the *next* incremental encryption pass sees only the truly-dirty pages from the next awake window. Less commonly used standalone than NtGetWriteWatch since the atomic-reset flag exists, but appears in some early-generation sleep masks (pre-Ekko) that decoupled the two phases. Forensic analysis of a paused implant snapshot can sometimes catch the reset call mid-cycle when the dirty bits are momentarily clean.

Detection opportunities

Same kernel-level signal as NtGetWriteWatch — the VAD's `VadWriteWatch` flag is the prerequisite for either syscall to do anything meaningful. NtResetWriteWatch without a preceding (or pending) NtGetWriteWatch on the same range is unusual outside of the .NET GC's start-of-cycle reset path. EDRs with VAD-walk capability can flag any user-mode process holding a sizeable MEM_WRITE_WATCH region with PAGE_EXECUTE_READ or PAGE_EXECUTE_READWRITE protection — that combination is essentially never seen in benign software and is a hallmark of dirty-page-aware sleep masks.

Direct syscall examples

// After a full memory rescan / full re-encrypt, drop the dirty bits without
// the cost of copying out the dirty-page array.
#include <windows.h>

void reset_tracking(PVOID region, SIZE_T size) {
    // ResetWriteWatch is the documented Win32 wrapper around NtResetWriteWatch.
    if (ResetWriteWatch(region, size) != 0) {
        // Region was not allocated with MEM_WRITE_WATCH.
    }
}

NtResetWriteWatch PROC
    mov  r10, rcx
    mov  eax, 188h
    syscall
    ret
NtResetWriteWatch ENDP

// Phase 1: encrypt every page (full pass), then reset the watch state.
// Phase 2 (next cycle): NtGetWriteWatch reports only newly dirtied pages.
void full_encrypt_and_reset(PVOID region, SIZE_T size) {
    encrypt_full(region, size);
    ResetWriteWatch(region, size);   // ntdll!NtResetWriteWatch under the hood
}

MITRE ATT&CK mappings

• T1027.011Fileless Storagemitre ↗
• T1106Native APImitre ↗