Windows Syscalls
ntoskrnl.exe | T1486 | T1070.004 | T1485

NtSetInformationFile

Sets file metadata via FILE_INFORMATION_CLASS — rename, dispose (delete), allocate, end-of-file, etc.

Prototype

NTSTATUS NtSetInformationFile(
  HANDLE                 FileHandle,
  PIO_STATUS_BLOCK       IoStatusBlock,
  PVOID                  FileInformation,
  ULONG                  Length,
  FILE_INFORMATION_CLASS FileInformationClass
);

Arguments

| Name | Type | Dir | Description |
|---|---|---|---|
| FileHandle | HANDLE | in | Open handle. Required access depends on FileInformationClass: DELETE for rename and dispose, FILE_WRITE_DATA for allocation and end-of-file. |
| IoStatusBlock | PIO_STATUS_BLOCK | out | Receives the operation status and a class-specific Information value. |
| FileInformation | PVOID | in | Buffer laid out for the requested class (e.g. FILE_RENAME_INFORMATION, FILE_DISPOSITION_INFORMATION_EX). |
| Length | ULONG | in | Size in bytes of the FileInformation buffer, including the variable-length name for the rename classes. |
| FileInformationClass | FILE_INFORMATION_CLASS | in | Enum selecting the operation, e.g. FileRenameInformation (10), FileDispositionInformation (13), FileDispositionInformationEx (64), FileRenameInformationEx (65). |

Syscall IDs by Windows version

| Windows version | Syscall ID | Build |
|---|---|---|
| Win10 1507 | 0x27 | win10-1507 |
| Win10 1607 | 0x27 | win10-1607 |
| Win10 1703 | 0x27 | win10-1703 |
| Win10 1709 | 0x27 | win10-1709 |
| Win10 1803 | 0x27 | win10-1803 |
| Win10 1809 | 0x27 | win10-1809 |
| Win10 1903 | 0x27 | win10-1903 |
| Win10 1909 | 0x27 | win10-1909 |
| Win10 2004 | 0x27 | win10-2004 |
| Win10 20H2 | 0x27 | win10-20h2 |
| Win10 21H1 | 0x27 | win10-21h1 |
| Win10 21H2 | 0x27 | win10-21h2 |
| Win10 22H2 | 0x27 | win10-22h2 |
| Win11 21H2 | 0x27 | win11-21h2 |
| Win11 22H2 | 0x27 | win11-22h2 |
| Win11 23H2 | 0x27 | win11-23h2 |
| Win11 24H2 | 0x27 | win11-24h2 |
| Server 2016 | 0x27 | winserver-2016 |
| Server 2019 | 0x27 | winserver-2019 |
| Server 2022 | 0x27 | winserver-2022 |
| Server 2025 | 0x27 | winserver-2025 |

Kernel module

ntoskrnl.exe: NtSetInformationFile

Related APIs

SetFileInformationByHandle, MoveFileExW, DeleteFileW, NtQueryInformationFile, NtCreateFile

Syscall stub

4C 8B D1            mov r10, rcx
B8 27 00 00 00      mov eax, 0x27
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

Stable at SSN `0x27` across every Windows 10, Windows 11 and Server build in the table above. The operational power lies entirely in the `FILE_INFORMATION_CLASS` enum (over 70 classes), of which four matter most: `FileRenameInformation` / `FileRenameInformationEx` (move or rename; the Ex variant replaces the `ReplaceIfExists` BOOLEAN with a `Flags` field, and `FILE_RENAME_REPLACE_IF_EXISTS | FILE_RENAME_POSIX_SEMANTICS` lets the rename replace a target name that other processes still hold open), `FileDispositionInformation` / `FileDispositionInformationEx` (mark for delete; the Ex variant, available on Windows 10 1709 and later, takes `FILE_DISPOSITION_POSIX_SEMANTICS` for unlink-while-open semantics, plus `FILE_DISPOSITION_FORCE_IMAGE_SECTION_CHECK` and `FILE_DISPOSITION_ON_CLOSE`), `FileAllocationInformation` (preallocate clusters so later ransomware writes are not slowed by allocation), and `FileEndOfFileInformation` (truncate or extend). All of these reach the file system as IRP_MJ_SET_INFORMATION and are seen by every minifilter attached to the volume, regardless of whether user mode went through ntdll or a direct syscall stub.

Common malware usage

Two dominant abuses. (1) **Ransomware extension swaps and atomic rename.** Encrypt a file in place, then `FileRenameInformation` to `<original>.locked`. The rename needs a handle with DELETE access, so against a file another process holds open it succeeds only if that opener shared FILE_SHARE_DELETE; with `FileRenameInformationEx` and `FILE_RENAME_REPLACE_IF_EXISTS | FILE_RENAME_POSIX_SEMANTICS` the rename can additionally replace a target name that is still open (the old target is unlinked while existing handles to it stay valid), which is what makes the swap atomic from the victim's point of view. (2) **Self-deletion that survives an EDR holding the handle open.** Open the running EXE with DELETE access, call `NtSetInformationFile` with a rename class to move its default data stream into an alternate data stream, re-open the path, then set a delete disposition; with `FileDispositionInformationEx` and `FILE_DISPOSITION_POSIX_SEMANTICS | FILE_DISPOSITION_DELETE` the name is unlinked immediately even though handles and the image mapping remain. The technique was observed by Jonas Lykkegaard and published by LloydLabs as `delete-self-poc`. Wipers also use `FileEndOfFileInformation` to truncate critical files to zero before the final disposition.

LockBit, Conti, Royal, BlackCat (ALPHV), Play, Akira

Detection opportunities

Sysmon Event ID 23 (FileDelete, with a copy of the deleted file archived) and 26 (FileDeleteDetected, logged without archiving) record dispose operations after the fact; Sysmon's file events come from its minifilter, so direct syscalls are not missed. The Microsoft-Windows-Kernel-File ETW `SetInformation` event carries the FileInformationClass; filtering on 10 (FileRenameInformation), 13 (FileDispositionInformation), 64 (FileDispositionInformationEx) and 65 (FileRenameInformationEx) gives a focused signal. Many renames in a short window that all land on the same new extension (`.locked`, `.encrypted`, a fixed random 5-character suffix) is the classic ransomware indicator; most EDRs implement this as a minifilter heuristic because user-mode hooks on ntdll never see a direct syscall stub. The self-delete technique appears as a rename of a process's own main image into an alternate data stream, followed by a delete disposition (either class) on that file while the image section is still mapped: an extremely high-fidelity tell, since ordinary software does not rename its own running image into a stream.
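The two detections described above, as an added example that is not part of the original page or of any vendor's product: a Python prototype that runs the mass-rename heuristic and the self-delete sequence match over SetInformation-style events. The `SetInfoEvent` record and its field names are an assumed, simplified stand-in for a Microsoft-Windows-Kernel-File SetInformation record (real telemetry must be normalised into it first), and the sample events are constructed.

```python
"""Detection prototype for two NtSetInformationFile abuses: a burst of
extension-changing renames from one process, and a process renaming its own
image into an alternate data stream before marking it for delete.

Added example, not the page's or any vendor's code. SetInfoEvent is a
constructed, simplified stand-in for a Microsoft-Windows-Kernel-File
SetInformation record; real feeds use different field names.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import ntpath

# FILE_INFORMATION_CLASS values the detections key on.
FileRenameInformation = 10
FileDispositionInformation = 13
FileDispositionInformationEx = 64
FileRenameInformationEx = 65
RENAME_CLASSES = {FileRenameInformation, FileRenameInformationEx}
DISPOSE_CLASSES = {FileDispositionInformation, FileDispositionInformationEx}


@dataclass
class SetInfoEvent:
    ts: float           # seconds since capture start (assumed field)
    pid: int
    image: str          # path of the calling process's main image
    info_class: int     # FileInformationClass from the event
    file_name: str      # file object the operation targets
    new_name: str = ""  # rename target (renames only)


def _ext(path: str) -> str:
    """Extension of the last path component, lower-cased. ntpath parses
    backslash paths on any host OS."""
    return ntpath.splitext(ntpath.basename(path))[1].lower()


def _strip_stream(path: str) -> str:
    """Drop a ':stream' suffix from the file name; the drive colon sits in
    the directory part and is untouched."""
    head, base = ntpath.split(path)
    return ntpath.join(head, base.split(":")[0]).lower()


def detect_mass_rename(events, window=5.0, threshold=20):
    """Alert when one process renames >= threshold files to the same new
    extension within `window` seconds. Renames that keep the extension
    (plain moves) are ignored so a bulk move does not trip the rule."""
    alerts, fired = [], set()
    recent = defaultdict(deque)  # pid -> deque of (ts, new_ext)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.info_class not in RENAME_CLASSES:
            continue
        new_ext = _ext(ev.new_name)
        if not new_ext or new_ext == _ext(ev.file_name):
            continue
        q = recent[ev.pid]
        q.append((ev.ts, new_ext))
        while q and ev.ts - q[0][0] > window:
            q.popleft()
        count = sum(1 for _, e in q if e == new_ext)
        if count >= threshold and (ev.pid, new_ext) not in fired:
            fired.add((ev.pid, new_ext))
            alerts.append({"pid": ev.pid, "image": ev.image,
                           "new_ext": new_ext, "count": count, "ts": ev.ts})
    return alerts


def detect_self_delete(events):
    """Alert on a rename of the process's own image into an ADS (class 10/65)
    followed by a delete disposition (class 13/64) on that file from the
    same process."""
    alerts, pending = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.pid, _strip_stream(ev.file_name))
        if ev.info_class in RENAME_CLASSES:
            own_image = key[1] == ev.image.lower()
            to_stream = ":" in ntpath.basename(ev.new_name)
            if own_image and to_stream:
                pending[key] = ev
        elif ev.info_class in DISPOSE_CLASSES and key in pending:
            alerts.append({"pid": ev.pid, "image": ev.image,
                           "stream": ntpath.basename(pending[key].new_name),
                           "ts": ev.ts})
            del pending[key]
    return alerts


def constructed_events():
    """Hand-built sample telemetry: one benign Office-style save, a 25-file
    ransomware burst, and a self-delete sequence."""
    ev = [SetInfoEvent(0.0, 1000, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                       FileRenameInformation, r"C:\Users\v\Documents\~WRD0001.tmp",
                       r"C:\Users\v\Documents\report.docx")]
    for i in range(25):
        src = rf"C:\Users\v\Documents\file{i}.docx"
        ev.append(SetInfoEvent(10.0 + 0.08 * i, 4242, r"C:\Users\v\AppData\Local\Temp\enc.exe",
                               FileRenameInformationEx, src, src + ".locked"))
    img = r"C:\Users\v\AppData\Local\Temp\dropper.exe"
    ev.append(SetInfoEvent(20.00, 5555, img, FileRenameInformationEx, img, img + ":wat"))
    ev.append(SetInfoEvent(20.01, 5555, img, FileDispositionInformationEx, img))
    return ev


if __name__ == "__main__":
    evs = constructed_events()
    for alert in detect_mass_rename(evs) + detect_self_delete(evs):
        print(alert)
```

The rename heuristic keys on the new extension rather than on the count alone, so an installer moving hundreds of files without changing their names stays quiet, while a fixed random suffix (one per victim) still matches because every rename in the burst shares it. The self-delete matcher strips the stream suffix before comparing paths, so it pairs the disposition with the rename whether the second open names the default stream or the ADS.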

Direct syscall examples

C: ransomware-style rename (`x.docx` -> `x.docx.locked`)

```c
#include <windows.h>
#include <winternl.h>
#include <string.h>

// FileRenameInformation == 10 in FILE_INFORMATION_CLASS; winternl.h does not
// name it, so the raw value is cast.
#define FileRenameInformationClass ((FILE_INFORMATION_CLASS)10)

typedef struct _FILE_RENAME_INFORMATION {
    BOOLEAN ReplaceIfExists;   // overwrite an existing target name
    HANDLE  RootDirectory;     // NULL when FileName is a full NT path
    ULONG   FileNameLength;    // bytes, not characters; no terminating NUL
    WCHAR   FileName[1];       // variable-length tail
} FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION;

// Resolved from ntdll at runtime or supplied by a direct-syscall stub.
NTSTATUS NTAPI NtSetInformationFile(HANDLE FileHandle, PIO_STATUS_BLOCK IoStatusBlock,
                                    PVOID FileInformation, ULONG Length,
                                    FILE_INFORMATION_CLASS FileInformationClass);

// hFile must carry DELETE access. ntPath is the new name as an NT path with
// the \??\ prefix, e.g. L"\\??\\C:\\Users\\v\\report.docx.locked".
NTSTATUS RenameByHandle(HANDLE hFile, PCWSTR ntPath)
{
    SIZE_T nameLen = wcslen(ntPath) * sizeof(WCHAR);
    SIZE_T size    = FIELD_OFFSET(FILE_RENAME_INFORMATION, FileName) + nameLen;

    PFILE_RENAME_INFORMATION info = (PFILE_RENAME_INFORMATION)LocalAlloc(LPTR, size);
    if (!info) return (NTSTATUS)0xC0000017L;   // STATUS_NO_MEMORY
    info->ReplaceIfExists = TRUE;
    info->RootDirectory   = NULL;
    info->FileNameLength  = (ULONG)nameLen;
    memcpy(info->FileName, ntPath, nameLen);

    IO_STATUS_BLOCK iosb;
    NTSTATUS status = NtSetInformationFile(hFile, &iosb, info, (ULONG)size,
                                           FileRenameInformationClass);
    LocalFree(info);
    return status;
}
```

C: self-delete (POSIX semantics)

```c
#include <windows.h>
#include <winternl.h>

// LloydLabs delete-self-poc primitive, after Jonas Lykkegaard's observation.
// FileRenameInformationEx == 65, FileDispositionInformationEx == 64
#define FileDispositionInformationExClass ((FILE_INFORMATION_CLASS)64)

typedef struct _FILE_DISPOSITION_INFORMATION_EX {
    ULONG Flags;
} FILE_DISPOSITION_INFORMATION_EX, *PFILE_DISPOSITION_INFORMATION_EX;

#define FILE_DISPOSITION_DO_NOT_DELETE                0x0
#define FILE_DISPOSITION_DELETE                       0x1
#define FILE_DISPOSITION_POSIX_SEMANTICS              0x2  // unlink the name now; data lives until last close
#define FILE_DISPOSITION_FORCE_IMAGE_SECTION_CHECK    0x4
#define FILE_DISPOSITION_ON_CLOSE                     0x8
#define FILE_DISPOSITION_IGNORE_READONLY_ATTRIBUTE    0x10

NTSTATUS NTAPI NtSetInformationFile(HANDLE, PIO_STATUS_BLOCK, PVOID, ULONG,
                                    FILE_INFORMATION_CLASS);

// Sequence:
// 1) Open the running image (GetModuleFileNameW) with DELETE | SYNCHRONIZE.
// 2) Rename its default data stream to an ADS (`:wat`) via FileRenameInformationEx.
//    Deleting a mapped image directly fails with STATUS_CANNOT_DELETE; once the
//    mapped stream has been moved out of the way the delete goes through.
// 3) Close that handle and re-open the same path with DELETE access.
// 4) Mark for delete with POSIX semantics; the name is unlinked immediately:
NTSTATUS MarkForPosixDelete(HANDLE hSelf)
{
    FILE_DISPOSITION_INFORMATION_EX d = {
        .Flags = FILE_DISPOSITION_DELETE | FILE_DISPOSITION_POSIX_SEMANTICS
    };
    IO_STATUS_BLOCK iosb;
    return NtSetInformationFile(hSelf, &iosb, &d, sizeof(d),
                                FileDispositionInformationExClass);
}
```

Assembly (MASM): direct stub (SSN 0x27)

```asm
; Hardcoded-SSN direct syscall. Unlike the ntdll export shown above it has no
; KUSER_SHARED_DATA SystemCall check and no int 2Eh fallback. The caller
; supplies the x64 convention: rcx, rdx, r8, r9, and the fifth argument
; (FileInformationClass) on the stack at [rsp+28h] at the time of syscall.
NtSetInformationFile PROC
    mov  r10, rcx          ; syscall clobbers rcx; kernel reads arg 1 from r10
    mov  eax, 27h          ; SSN, stable across every build in the table above
    syscall
    ret
NtSetInformationFile ENDP
```

MITRE ATT&CK mappings

T1486 Data Encrypted for Impact (ransomware rename after in-place encryption)
T1070.004 Indicator Removal: File Deletion (self-delete through a delete disposition)
T1485 Data Destruction (wiper truncation and deletion)

Last verified: 2026-05-20