ntoskrnl.exeT1542.001T1106

NtSetSystemEnvironmentValue

Writes a legacy x86 BIOS/NV-RAM system environment variable (pre-UEFI interface).

Prototype

NTSTATUS NtSetSystemEnvironmentValue(
  PUNICODE_STRING VariableName,
  PUNICODE_STRING VariableValue
);

Arguments

Name	Type	Dir	Description
VariableName	PUNICODE_STRING	in	UNICODE_STRING naming the variable to write. Resolves through HAL-private NV-RAM stores.
VariableValue	PUNICODE_STRING	in	UNICODE_STRING carrying the new value. Empty/zero length typically deletes the entry.

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0x18C	win10-1507
Win10 1607	0x195	win10-1607
Win10 1703	0x19B	win10-1703
Win10 1709	0x19E	win10-1709
Win10 1803	0x1A0	win10-1803
Win10 1809	0x1A1	win10-1809
Win10 1903	0x1A2	win10-1903
Win10 1909	0x1A2	win10-1909
Win10 2004	0x1A8	win10-2004
Win10 20H2	0x1A8	win10-20h2
Win10 21H1	0x1A8	win10-21h1
Win10 21H2	0x1AA	win10-21h2
Win10 22H2	0x1AA	win10-22h2
Win11 21H2	0x1B3	win11-21h2
Win11 22H2	0x1B7	win11-22h2
Win11 23H2	0x1B7	win11-23h2
Win11 24H2	0x1BA	win11-24h2
Server 2016	0x195	winserver-2016
Server 2019	0x1A1	winserver-2019
Server 2022	0x1B0	winserver-2022
Server 2025	0x1BA	winserver-2025

Kernel module

ntoskrnl.exe → NtSetSystemEnvironmentValue

Related APIs

SetFirmwareEnvironmentVariableWNtSetSystemEnvironmentValueExNtQuerySystemEnvironmentValueRtlAdjustPrivilege

Syscall stub

4C 8B D1            mov r10, rcx
B8 BA 01 00 00      mov eax, 0x1BA
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

Companion writer to NtQuerySystemEnvironmentValue: legacy BIOS NV-RAM persistence with no GUID namespace and a 16-bit length field. Requires SeSystemEnvironmentPrivilege, which is held by default only by SYSTEM and by administrators after explicit enablement via RtlAdjustPrivilege. On modern UEFI machines the firmware glue layer often refuses or no-ops these writes; real persistence work has migrated to NtSetSystemEnvironmentValueEx.

Common malware usage

Marginal modern offensive value. The interesting persistence surface (writing EFI variables that the OS loader trusts, e.g. the LoJax pattern) sits in the Ex counterpart. Legacy/old-machine implants and a few firmware-implant proof-of-concepts have used this call to flip BIOS knobs but it is rare in production tradecraft today.

Legacy BIOS-era implants (negligible modern offensive use)

Detection opportunities

Treat any successful call as high-fidelity: legitimate writers are limited to bcdedit-class tools and OEM firmware management. Audit the privilege-enable transition (SeSystemEnvironmentPrivilege adjustment via NtAdjustPrivilegesToken) — that is the earliest blue-team chokepoint. ETW Microsoft-Windows-Kernel-General fires firmware-access events.

Direct syscall examples

asmx64 direct stub (Win11 24H2)

; Direct syscall stub for NtSetSystemEnvironmentValue (SSN 0x1BA, Win11 24H2)
NtSetSystemEnvironmentValue PROC
    mov  r10, rcx
    mov  eax, 1BAh
    syscall
    ret
NtSetSystemEnvironmentValue ENDP

cPrivilege enable + legacy write

// Enable SeSystemEnvironmentPrivilege first — otherwise the syscall returns STATUS_PRIVILEGE_NOT_HELD.
BOOLEAN was;
RtlAdjustPrivilege(SE_SYSTEM_ENVIRONMENT_PRIVILEGE, TRUE, FALSE, &was);

UNICODE_STRING name, value;
RtlInitUnicodeString(&name,  L"BootOrder");
RtlInitUnicodeString(&value, L"0001000200030004");

NTSTATUS s = NtSetSystemEnvironmentValue(&name, &value);
// On a UEFI box prefer NtSetSystemEnvironmentValueEx with a vendor GUID — modern firmware
// will not honour legacy-namespace writes.

MITRE ATT&CK mappings

Last verified: 2026-05-20