ntoskrnl.exeT1055T1106

NtSetIoCompletion

Posts a completion packet to an I/O completion port — the kernel side of PostQueuedCompletionStatus and the delivery vector for PoolParty's forged work items.

Prototype

NTSTATUS NtSetIoCompletion(
  HANDLE     IoCompletionHandle,
  PVOID      KeyContext,
  PVOID      ApcContext,
  NTSTATUS   IoStatus,
  ULONG_PTR  IoStatusInformation
);

Arguments

Name	Type	Dir	Description
IoCompletionHandle	HANDLE	in	Handle to the target completion port. Requires IO_COMPLETION_MODIFY_STATE.
KeyContext	PVOID	in	Caller-defined CompletionKey returned to the dequeuer via lpCompletionKey.
ApcContext	PVOID	in	Caller-defined pointer returned as lpOverlapped — usually an OVERLAPPED* in legitimate code, attacker-controlled in PoolParty.
IoStatus	NTSTATUS	in	Status code written into the packet's IO_STATUS_BLOCK.Status field.
IoStatusInformation	ULONG_PTR	in	Caller-defined value written into IO_STATUS_BLOCK.Information — typically a transferred byte count.

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0x185	win10-1507
Win10 1607	0x18E	win10-1607
Win10 1703	0x194	win10-1703
Win10 1709	0x197	win10-1709
Win10 1803	0x199	win10-1803
Win10 1809	0x19A	win10-1809
Win10 1903	0x19B	win10-1903
Win10 1909	0x19B	win10-1909
Win10 2004	0x1A1	win10-2004
Win10 20H2	0x1A1	win10-20h2
Win10 21H1	0x1A1	win10-21h1
Win10 21H2	0x1A3	win10-21h2
Win10 22H2	0x1A3	win10-22h2
Win11 21H2	0x1AC	win11-21h2
Win11 22H2	0x1B0	win11-22h2
Win11 23H2	0x1B0	win11-23h2
Win11 24H2	0x1B3	win11-24h2
Server 2016	0x18E	winserver-2016
Server 2019	0x19A	winserver-2019
Server 2022	0x1A9	winserver-2022
Server 2025	0x1B3	winserver-2025

Kernel module

ntoskrnl.exe → NtSetIoCompletion

Related APIs

PostQueuedCompletionStatusNtCreateIoCompletionNtRemoveIoCompletionNtRemoveIoCompletionExNtWaitForWorkViaWorkerFactorySubmitThreadpoolWork

Syscall stub

4C 8B D1            mov r10, rcx
B8 B3 01 00 00      mov eax, 0x1B3
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

Direct equivalent of `PostQueuedCompletionStatus`. The packet is appended to the port's KQUEUE and one waiter (in NtRemoveIoCompletion, NtRemoveIoCompletionEx, or NtWaitForWorkViaWorkerFactory) is woken. The kernel does not interpret `KeyContext` or `ApcContext` — they are echoed back verbatim. That opacity is what makes the syscall so versatile both for legitimate async I/O dispatch and for malicious forged-packet injection.

Common malware usage

The 'Worker via Completion Port' PoolParty variant: open the victim's threadpool completion port (often via a leaked handle or NtDuplicateObject), then issue NtSetIoCompletion with `ApcContext` pointing at a structure shaped like a `TP_DIRECT` — when ntdll!TppWorkerThread dequeues the packet, its dispatcher will follow the pointers and call the function the attacker chose. Crucially, no new memory needs to be allocated in the victim if a usable gadget already exists; the entire injection collapses to a single syscall once the handle is obtained. Forged completion packets have also been used historically by exploit chains targeting Win32k callback flaws and by various sandbox escapes in browsers (Chromium's IO thread, Edge's broker).

PoolParty PoC — 'Worker via Completion Port'Browser sandbox escapes (historical, various — Chromium / Edge research)

Detection opportunities

Like NtCreateIoCompletion, the syscall is far too common in legitimate code to alert on directly. The cross-process variant is the actionable signal: NtSetIoCompletion on a handle whose underlying object's owning process differs from the caller is essentially never legitimate. ETW Microsoft-Windows-Kernel-IoCompletion can expose post events at high cost; a lower-overhead approach is ObRegisterCallbacks on the IoCompletion object type, gating on cross-process handle duplications. Forged-packet content inspection is theoretically possible but expensive — TP_DIRECT-shaped contexts dereferenced into RWX VAD regions are a credible heuristic.

Direct syscall examples

cForged delivery — PoolParty 'Worker via Completion Port'

// hRemoteIocp is a handle in OUR address space that maps to the VICTIM's
// threadpool completion port (obtained via NtDuplicateObject or handle leak).
// pVictimGadget is a writable+executable address in the victim already shaped
// like a TP_DIRECT entry whose callback field points at shellcode.
NTSTATUS s = NtSetIoCompletion(
    hRemoteIocp,
    NULL,                  // KeyContext — irrelevant for TP_DIRECT path
    pVictimGadget,         // ApcContext — what TppWorkerThread will dispatch through
    STATUS_SUCCESS,
    0);                    // Information

cBenign use — wake a custom worker

// Plain PostQueuedCompletionStatus equivalent — every server you've written
// uses this under the hood.
NtSetIoCompletion(hIocp,
                  (PVOID)42,           // your CompletionKey
                  (PVOID)pOverlapped,  // your OVERLAPPED*
                  STATUS_SUCCESS,
                  bytesTransferred);

asmx64 direct stub (Win11 24H2 SSN 0x1B3)

NtSetIoCompletion PROC
    mov  r10, rcx
    mov  eax, 1B3h
    syscall
    ret
NtSetIoCompletion ENDP

MITRE ATT&CK mappings

Last verified: 2026-05-20