> Windows Syscalls
ntoskrnl.exeT1106

NtSerializeBoot

Triggers serialization of the boot trace buffer — finalizes performance data collected during early system start.

Prototype

NTSTATUS NtSerializeBoot(VOID);

Arguments

NameTypeDirDescription

Syscall IDs by Windows version

Windows versionSyscall IDBuild
Win10 15070x16Bwin10-1507
Win10 16070x173win10-1607
Win10 17030x179win10-1703
Win10 17090x17Cwin10-1709
Win10 18030x17Ewin10-1803
Win10 18090x17Fwin10-1809
Win10 19030x180win10-1903
Win10 19090x180win10-1909
Win10 20040x186win10-2004
Win10 20H20x186win10-20h2
Win10 21H10x186win10-21h1
Win10 21H20x188win10-21h2
Win10 22H20x188win10-22h2
Win11 21H20x190win11-21h2
Win11 22H20x193win11-22h2
Win11 23H20x193win11-23h2
Win11 24H20x195win11-24h2
Server 20160x173winserver-2016
Server 20190x17Fwinserver-2019
Server 20220x18Ewinserver-2022
Server 20250x195winserver-2025

Kernel module

ntoskrnl.exeNtSerializeBoot

Related APIs

NtQuerySystemInformation (SystemPrefetcherInformation)PrefetchVirtualMemory

Syscall stub

4C 8B D1            mov r10, rcx
B8 95 01 00 00      mov eax, 0x195
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

Performance-diagnostics primitive: called once by the Session Manager (smss.exe) and prefetcher infrastructure to signal that the boot phase is complete and the kernel may serialize the in-memory boot trace to disk (e.g. for `xperf -on Base+Boot` style sessions and the SuperFetch boot prefetcher). No arguments, no inputs to forge. Calling it outside the legitimate one-shot context is effectively a no-op or returns STATUS_UNSUCCESSFUL. Microsoft documentation is minimal because the routine is part of the prefetcher contract rather than a public Win32 surface.

Common malware usage

Minimal offensive value. There is no privilege-escalation primitive here, no information disclosure beyond what the prefetcher already writes to %SystemRoot%\Prefetch, and no behavioural change. Occasionally referenced as a curiosity in syscall-table tooling but not part of any documented malware family's TTPs.

Detection opportunities

Treat as a baseline curiosity. Microsoft-Windows-Kernel-Prefetch ETW provider records prefetcher state transitions; if NtSerializeBoot is invoked from anything other than smss.exe (or the prefetcher service) it is anomalous, but the practical false-positive cost of alerting is low because the legitimate caller count is one. Defenders generally do not need to track this — focus telemetry budget elsewhere.

Direct syscall examples

asmx64 direct stub (Win11 24H2)

; Direct syscall stub for NtSerializeBoot (SSN 0x195, Win11 24H2)
NtSerializeBoot PROC
    mov  r10, rcx
    mov  eax, 195h
    syscall
    ret
NtSerializeBoot ENDP

cSmss-style finalize call

// This is what smss.exe does once the boot phase completes. Calling it again from
// a user-mode process is a no-op in practice.
extern NTSTATUS NTAPI NtSerializeBoot(VOID);

NTSTATUS s = NtSerializeBoot();
// s == STATUS_SUCCESS only inside the one legitimate caller's lifetime.

MITRE ATT&CK mappings

Last verified: 2026-05-20