ntoskrnl.exe | T1106 | T1564 | T1070

NtSetInformationJobObject

Sets a policy or limit on a job object via one of the JOBOBJECTINFOCLASS information classes.

Prototype

NTSTATUS NtSetInformationJobObject(
  HANDLE             JobHandle,
  JOBOBJECTINFOCLASS JobObjectInformationClass,
  PVOID              JobObjectInformation,
  ULONG              JobObjectInformationLength
);

Arguments

Name | Type | Dir | Description
JobHandle | HANDLE | in | Handle to the job object. JOB_OBJECT_SET_ATTRIBUTES is required; JobObjectSecurityLimitInformation additionally needs JOB_OBJECT_SET_SECURITY_ATTRIBUTES.
JobObjectInformationClass | JOBOBJECTINFOCLASS | in | Selects the policy: JobObjectExtendedLimitInformation, JobObjectBasicUIRestrictions, JobObjectAssociateCompletionPortInformation, JobObjectCpuRateControlInformation, etc.
JobObjectInformation | PVOID | in | Pointer to the class-specific structure (e.g. JOBOBJECT_EXTENDED_LIMIT_INFORMATION).
JobObjectInformationLength | ULONG | in | Size in bytes of the structure at JobObjectInformation. Must match the class exactly; a mismatch fails with STATUS_INFO_LENGTH_MISMATCH, and the size differs between x86 and x64 builds of the caller.

Syscall IDs by Windows version

Windows version | Syscall ID | Build
Win10 1507 | 0x17B | win10-1507
Win10 1607 | 0x184 | win10-1607
Win10 1703 | 0x18A | win10-1703
Win10 1709 | 0x18D | win10-1709
Win10 1803 | 0x18F | win10-1803
Win10 1809 | 0x190 | win10-1809
Win10 1903 | 0x191 | win10-1903
Win10 1909 | 0x191 | win10-1909
Win10 2004 | 0x197 | win10-2004
Win10 20H2 | 0x197 | win10-20h2
Win10 21H1 | 0x197 | win10-21h1
Win10 21H2 | 0x199 | win10-21h2
Win10 22H2 | 0x199 | win10-22h2
Win11 21H2 | 0x1A2 | win11-21h2
Win11 22H2 | 0x1A6 | win11-22h2
Win11 23H2 | 0x1A6 | win11-23h2
Win11 24H2 | 0x1A9 | win11-24h2
Server 2016 | 0x184 | winserver-2016
Server 2019 | 0x190 | winserver-2019
Server 2022 | 0x19F | winserver-2022
Server 2025 | 0x1A9 | winserver-2025

Kernel module

ntoskrnl.exe: NtSetInformationJobObject

Related APIs

SetInformationJobObject, QueryInformationJobObject, CreateJobObjectW, AssignProcessToJobObject, NtCreateJobObject, NtAssignProcessToJobObject, NtQueryInformationJobObject

Syscall stub

4C 8B D1                    mov r10, rcx                     ; syscall clobbers rcx with the return RIP; the kernel reads arg1 from r10
B8 A9 01 00 00              mov eax, 0x1A9                   ; SSN (this listing is the Win11 24H2 / Server 2025 ntdll)
F6 04 25 08 03 FE 7F 01     test byte ptr [0x7FFE0308], 1    ; KUSER_SHARED_DATA.SystemCall: has the kernel asked for the int 2Eh path?
75 03                       jne short +3                     ; yes: skip the 3-byte syscall/ret pair
0F 05                       syscall
C3                          ret
CD 2E                       int 2Eh                          ; legacy software-interrupt entry
C3                          ret
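Because the SSN moves with almost every build (see the table above), anything hard-coding 0x1A9 is wrong on the next feature update; the usual fix is to read the number out of the ntdll stub at runtime. The parser below is an added example, not code from this page or from Windows: it takes the stub bytes listed above as a constructed input, extracts the imm32 of `mov eax`, and refuses to trust a stub whose prologue has been overwritten by a user-mode hook (an `E9 jmp rel32` trampoline is the common case). On a live system the bytes would come from the address `GetProcAddress(ntdll, "NtSetInformationJobObject")` returns; that lookup is assumed and not performed here so the parser builds anywhere.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    int      ok;       /* 1: canonical stub, ssn is valid */
    int      hooked;   /* 1: prologue is not the stub bytes (e.g. an EDR's E9 trampoline) */
    uint32_t ssn;      /* imm32 of "mov eax, ssn" when ok == 1 */
} stub_info_t;

/* Canonical x64 ntdll prologue: 4C 8B D1 (mov r10, rcx)  B8 imm32 (mov eax, ssn). */
stub_info_t parse_syscall_stub(const uint8_t *p, size_t n)
{
    stub_info_t r = {0, 0, 0};
    if (n < 8) return r;                                   /* too short to hold the prologue */
    if (p[0] != 0x4C || p[1] != 0x8B || p[2] != 0xD1 || p[3] != 0xB8) {
        r.hooked = 1;                                      /* jmp / int3 / nop sled: trust nothing here */
        return r;
    }
    r.ssn = (uint32_t)p[4] | (uint32_t)p[5] << 8 | (uint32_t)p[6] << 16 | (uint32_t)p[7] << 24;
    /* Sanity check: a real stub has the 0F 05 syscall instruction a few bytes further on. */
    for (size_t i = 8; i + 1 < n && i < 24; i++)
        if (p[i] == 0x0F && p[i + 1] == 0x05) { r.ok = 1; return r; }
    return r;                                              /* prologue matched but no syscall: unknown */
}

/* Constructed inputs: the stub listed above, and the same bytes with a 5-byte E9 jmp patched over the prologue. */
static const uint8_t CLEAN_STUB[] = {
    0x4C,0x8B,0xD1, 0xB8,0xA9,0x01,0x00,0x00,
    0xF6,0x04,0x25,0x08,0x03,0xFE,0x7F,0x01, 0x75,0x03, 0x0F,0x05, 0xC3, 0xCD,0x2E, 0xC3 };
static const uint8_t HOOKED_STUB[] = {
    0xE9,0x00,0x00,0x00,0x00, 0x01,0x00,0x00,
    0xF6,0x04,0x25,0x08,0x03,0xFE,0x7F,0x01, 0x75,0x03, 0x0F,0x05, 0xC3, 0xCD,0x2E, 0xC3 };

int main(void)
{
    stub_info_t a = parse_syscall_stub(CLEAN_STUB, sizeof CLEAN_STUB);
    stub_info_t b = parse_syscall_stub(HOOKED_STUB, sizeof HOOKED_STUB);
    printf("clean : ok=%d hooked=%d ssn=0x%X\n", a.ok, a.hooked, a.ssn);   /* ssn=0x1A9 */
    printf("hooked: ok=%d hooked=%d\n", b.ok, b.hooked);
    return 0;
}
```

When the prologue is hooked, the number is still recoverable from an unhooked neighbouring export (SSNs are assigned in export-name order on x64), but that needs the whole ntdll image and is beyond this example.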

Undocumented notes

NtSetInformationJobObject is the policy-application syscall for jobs. The JobObjectInformationClass enum selects what is being set: JobObjectExtendedLimitInformation (the workhorse: process count caps, working-set caps, JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE, JOB_OBJECT_LIMIT_BREAKAWAY_OK, JOB_OBJECT_LIMIT_SILENT_BREAKAWAY_OK), JobObjectBasicUIRestrictions (deny clipboard, USER handles, system parameters; used by every modern sandbox), JobObjectAssociateCompletionPortInformation (turn the job into an event source for JOB_OBJECT_MSG_* notifications on an IOCP, i.e. event-driven monitoring of process exits and limit violations), JobObjectCpuRateControlInformation, and the Win10+ JobObjectNetRateControlInformation family. The SSN drifts almost every feature update (see the table above), so anything that hard-codes it must either be rebuilt per build or resolve the number at runtime.

Common malware usage

Usage is predominantly defensive (sandbox brokers, process supervisors). Offensive interest concentrates in two corners: (1) setting JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE on a job containing the implant's helpers, so closing the implant's handle reaps every artifact in one step (a clean-exit primitive); (2) flipping JOB_OBJECT_LIMIT_BREAKAWAY_OK or JOB_OBJECT_LIMIT_SILENT_BREAKAWAY_OK on a controlled job so children can escape it, which is what sandbox-escape chains do once they run code holding a job handle with JOB_OBJECT_SET_ATTRIBUTES. That handle is the gate: a well-built broker never hands one to the sandboxed process, so (2) in practice means code running in the broker or a leaked/duplicated handle. JobObjectAssociateCompletionPortInformation can also be misused by surveillance malware to track the process lifecycle of targets it owns.

Detection opportunities

ETW Microsoft-Windows-Kernel-Process and Microsoft-Windows-Win32k expose some job-policy changes, but not all classes are equally instrumented. The high-signal target is JobObjectExtendedLimitInformation with KILL_ON_JOB_CLOSE or BREAKAWAY_OK set by a process that is not a known sandbox broker. EDRs that hook ntdll!NtSetInformationJobObject should decode the class and flags and raise on (a) unusual setters of BREAKAWAY_OK or SILENT_BREAKAWAY_OK (sandbox-escape preparation) and (b) KILL_ON_JOB_CLOSE on a job that contains the calling process's own helpers (clean-exit infrastructure). The user-mode hook is bypassed by the direct-syscall stubs shown below, so corroborate with kernel-side telemetry; pair with NtAssignProcessToJobObject events to reconstruct the full job topology.
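The two passages above (the offensive flag flips and the detection rule) describe the same decoding from opposite sides. The decoder below is an added example, not code from this page or from any EDR product: it takes the three syscall arguments a hook would see (class, buffer, length), applies the exact-length check the kernel applies, and classifies the high-signal cases. The struct layouts and constants are mirrored from winnt.h at their x64 sizes so the decoder compiles and can be tested off-Windows; the `caller_is_sandbox_broker` flag stands in for process context the hook is assumed to already have (e.g. from the calling image path) and is not something the syscall carries.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* JOBOBJECTINFOCLASS values, from winnt.h. */
enum {
    JobObjectBasicLimitInformation              = 2,
    JobObjectBasicUIRestrictions                = 4,
    JobObjectAssociateCompletionPortInformation = 7,
    JobObjectExtendedLimitInformation           = 9,
};

/* LimitFlags and UIRestrictionsClass bits, from winnt.h. */
#define JOB_OBJECT_LIMIT_BREAKAWAY_OK         0x00000800u
#define JOB_OBJECT_LIMIT_SILENT_BREAKAWAY_OK  0x00001000u
#define JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE    0x00002000u
#define JOB_OBJECT_UILIMIT_HANDLES            0x00000001u
#define JOB_OBJECT_UILIMIT_READCLIPBOARD      0x00000002u

/* x64 layouts mirrored from winnt.h (LARGE_INTEGER/SIZE_T/ULONG_PTR are 8 bytes there). */
typedef struct {
    int64_t  PerProcessUserTimeLimit, PerJobUserTimeLimit;
    uint32_t LimitFlags;                 /* 4 bytes of padding follow */
    uint64_t MinimumWorkingSetSize, MaximumWorkingSetSize;
    uint32_t ActiveProcessLimit;         /* 4 bytes of padding follow */
    uint64_t Affinity;
    uint32_t PriorityClass, SchedulingClass;
} JOBOBJECT_BASIC_LIMIT_INFORMATION;     /* 64 bytes */
typedef struct { uint64_t v[6]; } IO_COUNTERS;   /* 48 bytes */
typedef struct {
    JOBOBJECT_BASIC_LIMIT_INFORMATION BasicLimitInformation;
    IO_COUNTERS IoInfo;
    uint64_t ProcessMemoryLimit, JobMemoryLimit, PeakProcessMemoryUsed, PeakJobMemoryUsed;
} JOBOBJECT_EXTENDED_LIMIT_INFORMATION;  /* 144 bytes on x64, 112 on x86 */
typedef struct { uint32_t UIRestrictionsClass; } JOBOBJECT_BASIC_UI_RESTRICTIONS;
typedef struct { void *CompletionKey, *CompletionPort; } JOBOBJECT_ASSOCIATE_COMPLETION_PORT;

typedef enum {
    VERDICT_BENIGN = 0,
    VERDICT_BAD_LENGTH,        /* kernel rejects with STATUS_INFO_LENGTH_MISMATCH; log, no alert */
    VERDICT_BREAKAWAY_PREP,    /* BREAKAWAY_OK / SILENT_BREAKAWAY_OK: escape preparation */
    VERDICT_CLEAN_EXIT_INFRA,  /* KILL_ON_JOB_CLOSE from a caller that is not a known broker */
    VERDICT_SANDBOX_HARDEN,    /* UI restrictions: the normal broker pattern */
    VERDICT_LIFECYCLE_MONITOR, /* IOCP association: event-driven process tracking */
    VERDICT_UNDECODED,         /* class this decoder does not model */
} verdict_t;

/* Exact size the kernel requires for each modelled class (x64 caller). */
size_t job_info_expected_length(uint32_t cls)
{
    switch (cls) {
    case JobObjectBasicLimitInformation:              return sizeof(JOBOBJECT_BASIC_LIMIT_INFORMATION);
    case JobObjectExtendedLimitInformation:           return sizeof(JOBOBJECT_EXTENDED_LIMIT_INFORMATION);
    case JobObjectBasicUIRestrictions:                return sizeof(JOBOBJECT_BASIC_UI_RESTRICTIONS);
    case JobObjectAssociateCompletionPortInformation: return sizeof(JOBOBJECT_ASSOCIATE_COMPLETION_PORT);
    default:                                          return 0;
    }
}

/* Classify one NtSetInformationJobObject call from the arguments a hook sees. */
verdict_t classify_job_policy(uint32_t cls, const void *info, uint32_t len, int caller_is_sandbox_broker)
{
    size_t want = job_info_expected_length(cls);
    if (want == 0) return VERDICT_UNDECODED;
    if (info == NULL || len != want) return VERDICT_BAD_LENGTH;   /* the call will not succeed */

    switch (cls) {
    case JobObjectBasicLimitInformation:
    case JobObjectExtendedLimitInformation: {
        /* The extended struct starts with the basic one, so one LimitFlags read covers both. */
        const JOBOBJECT_BASIC_LIMIT_INFORMATION *b = (const JOBOBJECT_BASIC_LIMIT_INFORMATION *)info;
        if (b->LimitFlags & (JOB_OBJECT_LIMIT_BREAKAWAY_OK | JOB_OBJECT_LIMIT_SILENT_BREAKAWAY_OK))
            return VERDICT_BREAKAWAY_PREP;
        if ((b->LimitFlags & JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE) && !caller_is_sandbox_broker)
            return VERDICT_CLEAN_EXIT_INFRA;
        return VERDICT_BENIGN;
    }
    case JobObjectBasicUIRestrictions:
        return ((const JOBOBJECT_BASIC_UI_RESTRICTIONS *)info)->UIRestrictionsClass
               ? VERDICT_SANDBOX_HARDEN : VERDICT_BENIGN;
    case JobObjectAssociateCompletionPortInformation:
        return VERDICT_LIFECYCLE_MONITOR;
    default:
        return VERDICT_UNDECODED;
    }
}

int main(void)
{
    /* Constructed call: an implant enabling breakaway on a job it controls. */
    JOBOBJECT_EXTENDED_LIMIT_INFORMATION ext = {0};
    ext.BasicLimitInformation.LimitFlags = JOB_OBJECT_LIMIT_BREAKAWAY_OK;
    printf("breakaway flip    -> %d\n", classify_job_policy(JobObjectExtendedLimitInformation, &ext, sizeof ext, 0));
    /* Same buffer passed with the x86 size (112): the kernel rejects it before any policy changes. */
    printf("x86-sized buffer  -> %d\n", classify_job_policy(JobObjectExtendedLimitInformation, &ext, 112, 0));
    return 0;
}
```

Reading LimitFlags through the basic struct is deliberate: JobObjectBasicLimitInformation and JobObjectExtendedLimitInformation share that prefix, and an implant that wants a smaller buffer can set the same flags through the basic class, so a rule that only decodes class 9 misses it.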

Direct syscall examples

x64 direct stub (asm, Win11 24H2 SSN)

; Direct syscall stub for NtSetInformationJobObject (SSN 0x1A9 on Win11 24H2 / Server 2025).
; Unlike the ntdll stub above it does not consult KUSER_SHARED_DATA.SystemCall, so it
; always uses the syscall instruction; rebuild or patch the SSN for any other build.
NtSetInformationJobObject PROC
    mov  r10, rcx          ; syscall convention: arg1 travels in r10
    mov  eax, 1A9h         ; SSN for win11-24h2
    syscall
    ret
NtSetInformationJobObject ENDP

Sandbox-spawn skeleton in C (step 3: apply kill-on-close)

// Step 3 of the sandbox-spawn skeleton. hJob comes from NtCreateJobObject/CreateJobObjectW
// and hIoCompletion from CreateIoCompletionPort (earlier steps). NtSetInformationJobObject
// is not declared in the SDK headers, so it is resolved from ntdll here; linking ntdll.lib
// and declaring the prototype above works as well.
#include <windows.h>
#include <winternl.h>   // NTSTATUS, NT_SUCCESS, STATUS_UNSUCCESSFUL

typedef NTSTATUS (NTAPI *NtSetInformationJobObject_t)(HANDLE, JOBOBJECTINFOCLASS, PVOID, ULONG);

NTSTATUS apply_kill_on_close(HANDLE hJob, HANDLE hIoCompletion)
{
    NtSetInformationJobObject_t NtSetInformationJobObject = (NtSetInformationJobObject_t)
        GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtSetInformationJobObject");
    if (!NtSetInformationJobObject) return STATUS_UNSUCCESSFUL;

    // Make sure every process in the job dies when the last handle to it closes, and that an
    // unhandled exception terminates the process instead of showing the WER dialog.
    JOBOBJECT_EXTENDED_LIMIT_INFORMATION limits = { 0 };
    limits.BasicLimitInformation.LimitFlags = JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE
                                            | JOB_OBJECT_LIMIT_DIE_ON_UNHANDLED_EXCEPTION;
    NTSTATUS s = NtSetInformationJobObject(hJob, JobObjectExtendedLimitInformation,
                                           &limits, sizeof(limits));   // length must be exact
    if (!NT_SUCCESS(s)) return s;

    // Optional: associate an IOCP for event-driven monitoring. JOB_OBJECT_MSG_* arrive on the
    // port; CompletionKey (0xCAFE here) identifies this job if the port is shared.
    if (hIoCompletion) {
        JOBOBJECT_ASSOCIATE_COMPLETION_PORT cp = { (PVOID)0xCAFE, hIoCompletion };
        s = NtSetInformationJobObject(hJob, JobObjectAssociateCompletionPortInformation,
                                      &cp, sizeof(cp));
    }
    return s;
}

windows-sys + naked syscall stub (Rust)

// Cargo: windows-sys = "0.59"  (features: Win32_Foundation, Win32_System_JobObjects)
// Needs Rust 1.88+: #[unsafe(naked)] is stable there, and a naked fn body must be a
// single naked_asm! (the older asm! + options(noreturn) form no longer compiles).
use core::arch::naked_asm;
use core::ffi::c_void;
use windows_sys::Win32::Foundation::{HANDLE, NTSTATUS};
use windows_sys::Win32::System::JobObjects::JOBOBJECTINFOCLASS;

/// Direct syscall with the same signature as ntdll!NtSetInformationJobObject.
/// Arguments are already in rcx/rdx/r8/r9 per the x64 ABI; the stub only moves arg1 to r10.
#[cfg(all(windows, target_arch = "x86_64"))]
#[unsafe(naked)]
pub unsafe extern "system" fn nt_set_information_job_object(
    _job: HANDLE, _class: JOBOBJECTINFOCLASS, _info: *const c_void, _len: u32,
) -> NTSTATUS {
    naked_asm!(
        "mov r10, rcx",
        "mov eax, 0x1A9",   // Win11 24H2 / Server 2025; resolve dynamically for other builds
        "syscall",
        "ret",
    );
}

MITRE ATT&CK mappings

T1106 Native API
T1564 Hide Artifacts
T1070 Indicator Removal

Last verified: 2026-05-20