ntoskrnl.exe | ATT&CK: T1622, T1562.001, T1106

NtSetInformationProcess

Modifies a class of process-level state — anti-debug self-cleansing, CET range registration, ACG/CIG policy installation, instrumentation callbacks.

Prototype

NTSTATUS NtSetInformationProcess(
  HANDLE           ProcessHandle,
  PROCESSINFOCLASS ProcessInformationClass,
  PVOID            ProcessInformation,
  ULONG            ProcessInformationLength
);

Arguments

ProcessHandle (HANDLE, in)
    Handle to the target process. Required access depends on class; many classes demand PROCESS_SET_INFORMATION or higher.

ProcessInformationClass (PROCESSINFOCLASS, in)
    Settable class. Notable: ProcessDebugFlags=31, ProcessInstrumentationCallback=40, ProcessSignaturePolicy=44, ProcessDynamicEnforcedCetCompatibleRanges=80, ProcessRaiseUMExceptionOnInvalidHandleClose, ProcessThreadStackAllocation.

ProcessInformation (PVOID, in)
    Input buffer whose layout depends on the class. Some classes accept a single ULONG/HANDLE, others a structured descriptor.

ProcessInformationLength (ULONG, in)
    Size in bytes of the ProcessInformation buffer.

Syscall IDs by Windows version

Windows version    Syscall ID    Build
Win10 1507         0x1C          win10-1507
Win10 1607         0x1C          win10-1607
Win10 1703         0x1C          win10-1703
Win10 1709         0x1C          win10-1709
Win10 1803         0x1C          win10-1803
Win10 1809         0x1C          win10-1809
Win10 1903         0x1C          win10-1903
Win10 1909         0x1C          win10-1909
Win10 2004         0x1C          win10-2004
Win10 20H2         0x1C          win10-20h2
Win10 21H1         0x1C          win10-21h1
Win10 21H2         0x1C          win10-21h2
Win10 22H2         0x1C          win10-22h2
Win11 21H2         0x1C          win11-21h2
Win11 22H2         0x1C          win11-22h2
Win11 23H2         0x1C          win11-23h2
Win11 24H2         0x1C          win11-24h2
Server 2016        0x1C          winserver-2016
Server 2019        0x1C          winserver-2019
Server 2022        0x1C          winserver-2022
Server 2025        0x1C          winserver-2025

Kernel module

ntoskrnl.exe!NtSetInformationProcess

Related APIs

SetProcessInformation, SetProcessMitigationPolicy, NtQueryInformationProcess, NtSetInformationThread, AddVectoredExceptionHandler

Syscall stub

4C 8B D1            mov r10, rcx
B8 1C 00 00 00      mov eax, 0x1C
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

SSN 0x1C since Windows 10 1507 — paired with NtQueryInformationProcess's 0x19, this is one of the rare process-control slots Microsoft has explicitly frozen. The write side is much more privileged than the read side: many classes (ProcessAccessToken, ProcessSignaturePolicy, ProcessHandleTracing) demand PROCESS_SET_INFORMATION + specific privileges (SeDebugPrivilege, SeTcbPrivilege) and several refuse to apply once the process has loaded a non-system DLL. Some classes are *one-shot* — once ProcessSignaturePolicy enables MicrosoftSignedOnly, the kernel will not let you turn it back off.

Common malware usage

Three high-value abuse classes.

1. Self-anti-debug: writing ProcessDebugFlags (31) with value 1 silently clears the kernel-tracked NoDebugInherit flag and disables child-process debug inheritance. Also widely used as a placeholder write to confuse AV heuristics.

2. ACG / CIG bypass: ProcessSignaturePolicy (44) can be queried to detect CIG enforcement, and ProcessDynamicEnforcedCetCompatibleRanges (80) is used by EDR-evasion frameworks to register attacker shellcode regions as 'CET-compatible' so indirect-branch tracking does not abort on first execution.

3. Instrumentation hijack: ProcessInstrumentationCallback (40) installs a function called by the kernel on every syscall return. An attacker who controls this gets a userland choke point on *all* syscalls in the target process, perfect for hooking and unhooking detection (and notorious as an unhooking technique against EDR user-mode patches).

Detection opportunities

Set-information calls are far rarer than queries — every legitimate caller should be auditable. The high-signal classes (31, 40, 44, 80) almost never appear in benign software. Microsoft-Windows-Threat-Intelligence ETW exposes EtwTiLogSetProcessInfo for a subset of classes; the rest must be observed via TI events or kernel instrumentation. Defender for Endpoint specifically alerts on ProcessInstrumentationCallback writes from non-system processes. CET 'compat range' writes (class 80) are particularly suspicious from any non-image-backed caller — these have essentially no legitimate consumers outside Microsoft's own runtime components.
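As an added example (not part of the original page), the triage heuristics above expressed as a rule over set-information telemetry: the high-signal classes (31, 40, 44, 80), ProcessInstrumentationCallback writes from non-system processes, and class 80 writes from non-image-backed callers. The event fields and the sample records are constructed for this example and do not follow any real ETW or EDR schema.

```python
# Added example, not code from the original page. Event fields and sample
# records are constructed for illustration; they are not a real ETW/EDR schema.

HIGH_SIGNAL = {
    31: "ProcessDebugFlags",
    40: "ProcessInstrumentationCallback",
    44: "ProcessSignaturePolicy",
    80: "ProcessDynamicEnforcedCetCompatibleRanges",
}
LEVELS = ("info", "low", "medium", "high")

def triage(ev):
    """Return (severity, reason) for one NtSetInformationProcess event."""
    cls = ev["info_class"]
    name = HIGH_SIGNAL.get(cls)
    if name is None:
        return "info", f"class {cls} is not in the high-signal set"
    system = ev["caller_system"]        # caller is a Microsoft-signed system binary
    backed = ev["caller_image_backed"]  # calling code lies inside a mapped image
    if cls == 80 and not backed:
        sev, why = "high", "CET compatible-range write from non-image-backed code"
    elif cls == 40 and not system:
        sev, why = "high", "instrumentation callback installed by non-system process"
    elif system and backed:
        sev, why = "low", "write from Microsoft-signed, image-backed caller"
    else:
        sev, why = "medium", "high-signal class written by non-system caller"
    return sev, f"{name}: {why} (caller={ev['caller']})"

def alerts(events, min_level="medium"):
    # Keep only results at or above min_level, as (severity, reason) tuples.
    floor = LEVELS.index(min_level)
    return [r for r in map(triage, events) if LEVELS.index(r[0]) >= floor]

# Constructed sample telemetry, not captured from a real system.
SAMPLE_EVENTS = [
    {"caller": "svchost.exe", "caller_system": True,
     "caller_image_backed": True, "info_class": 7},
    {"caller": "updater.exe", "caller_system": False,
     "caller_image_backed": True, "info_class": 31},
    {"caller": "updater.exe", "caller_system": False,
     "caller_image_backed": False, "info_class": 80},
    {"caller": "loader.exe", "caller_system": False,
     "caller_image_backed": True, "info_class": 40},
]

if __name__ == "__main__":
    for sev, why in alerts(SAMPLE_EVENTS):
        print(f"[{sev}] {why}")
```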

Direct syscall examples

C: Self-anti-debug: clear ProcessDebugFlags

// Setting ProcessDebugFlags=1 turns OFF NoDebugInherit, which paradoxically
// causes later NtQueryInformationProcess(ProcessDebugFlags) reads to return 1
// (i.e. 'no debugger ever attached'). Used to defeat naive anti-debug detectors.
ULONG debugFlags = 1;
NtSetInformationProcess(NtCurrentProcess(),
                        ProcessDebugFlags,   // 31
                        &debugFlags, sizeof(debugFlags));

C: ProcessInstrumentationCallback unhook hook

// Install a callback that fires on every syscall return. The kernel enters it
// with R10 = original return address and RAX = the syscall's return value; the
// callback must preserve RAX and resume at R10. Used both offensively
// (unhook EDR ntdll patches) and by EDRs themselves (Defender once shipped one).
typedef struct _PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION {
    ULONG Version;     // 0
    ULONG Reserved;
    PVOID Callback;    // function to call on every syscall return
} PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION;

PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION info = {
    .Version = 0, .Reserved = 0, .Callback = MyCallback
};
NtSetInformationProcess(NtCurrentProcess(),
                        ProcessInstrumentationCallback, // 40
                        &info, sizeof(info));

ASM: x64 stub (stable across builds)

; SSN 0x1C — stable Win10 1507 .. Win11 24H2.
NtSetInformationProcess PROC
    mov  r10, rcx
    mov  eax, 1Ch
    syscall
    ret
NtSetInformationProcess ENDP

MITRE ATT&CK mappings

T1622 (Debugger Evasion), T1562.001 (Impair Defenses: Disable or Modify Tools), T1106 (Native API)

Last verified: 2026-05-20