NtSetSystemEnvironmentValueEx

Prototype

NTSTATUS NtSetSystemEnvironmentValueEx(
  PUNICODE_STRING VariableName,
  LPGUID          VendorGuid,
  PVOID           Value,
  ULONG           ValueLength,
  ULONG           Attributes
);

Arguments

Syscall IDs by Windows version

Syscall stub

4C 8B D1            mov r10, rcx
B8 BB 01 00 00      mov eax, 0x1BB
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

The high-value sibling of NtQuerySystemEnvironmentValueEx. This is the kernel path that backs `bcdedit /set` for many platform-level switches (test signing, debug mode, hypervisor launch type), writes Secure Boot policy variables (PK/KEK/db/dbx — most of which require authenticated writes the OS cannot mint on its own), and is the surface an attacker reaches for when planting **firmware-level persistence**: write an EFI variable that the OS loader or a vulnerable shim reads at boot. Requires SeSystemEnvironmentPrivilege. The firmware itself, not just the kernel, enforces signature checks on authenticated writes — modifications to PK/KEK/db without a valid auth payload are rejected at the SMM boundary.

Common malware usage

Centre of gravity for UEFI-persistence tradecraft. **LoJax** (Sednit / APT28, 2018) was the seminal example: a user-mode component armed RWEverything's RwDrv to write directly to SPI flash, but parallel implants in the wild use NtSetSystemEnvironmentValueEx to plant payload pointers or auxiliary state into NVRAM that the bootkit reads after rerouting the boot chain. **BlackLotus** (2022, CVE-2022-21894 "baton drop") writes attacker-chosen MOK/dbx entries and uses NVRAM to stage its second-stage bootkit configuration. **ESPecter**, **CosmicStrand**, and **MoonBounce** (APT41) all rely on the broader UEFI-variable surface either for configuration storage or for staging. Defensive note: writing dbx — i.e. *revoking* loader hashes — has been used both legitimately (KB5025885 dbx push) and offensively (DoS the user's own bootloader).

Detection opportunities

Microsoft-Windows-Kernel-General ETW emits firmware-write events with variable name, GUID, and result. Defenders should track three things: (1) which processes ever call this, (2) the privilege-enable transition on SeSystemEnvironmentPrivilege, and (3) any write to GUIDs matching EFI_GLOBAL_VARIABLE or EFI_IMAGE_SECURITY_DATABASE_GUID from non-trusted-installer / non-OEM binaries. Microsoft Defender for Endpoint and CrowdStrike Falcon both surface UEFI-variable writes in their device-control / boot-integrity dashboards. On Windows 11 24H2 and Server 2025, the OS additionally cross-checks against the System Guard Secure Launch state; mismatches surface in Microsoft-Windows-Kernel-Boot.

Direct syscall examples

; Direct syscall stub for NtSetSystemEnvironmentValueEx (SSN 0x1BB, Win11 24H2)
NtSetSystemEnvironmentValueEx PROC
    mov  r10, rcx
    mov  eax, 1BBh
    syscall
    ret
NtSetSystemEnvironmentValueEx ENDP

// Sketch only: a real bootkit ALSO needs a vulnerable / unsigned bootloader on the
// machine, a SecureBoot-disabled or signature-bypass state, and a SMM-friendly
// firmware. Modern attested boot, Secure Launch and KB5025885-class dbx pushes
// foreclose most of this on patched 2024+ systems.
#include <windows.h>

#define EFI_VARIABLE_NON_VOLATILE       0x00000001
#define EFI_VARIABLE_BOOTSERVICE_ACCESS 0x00000002
#define EFI_VARIABLE_RUNTIME_ACCESS     0x00000004

static const wchar_t* kVendorGuid =
    L"{8BE4DF61-93CA-11D2-AA0D-00E098032B8C}"; // EFI_GLOBAL_VARIABLE

BOOL plant_persistence_marker(const wchar_t* name, const void* blob, DWORD len) {
    BOOLEAN old;
    // Privilege is the first gate. Without admin + SeSystemEnvironmentPrivilege
    // the syscall returns STATUS_PRIVILEGE_NOT_HELD immediately.
    if (RtlAdjustPrivilege(SE_SYSTEM_ENVIRONMENT_PRIVILEGE, TRUE, FALSE, &old) < 0)
        return FALSE;

    return SetFirmwareEnvironmentVariableExW(
        name, kVendorGuid, (PVOID)blob, len,
        EFI_VARIABLE_NON_VOLATILE |
        EFI_VARIABLE_BOOTSERVICE_ACCESS |
        EFI_VARIABLE_RUNTIME_ACCESS);
}

// Cargo: windows = { version = "0.59", features = ["Win32_System_Environment"] }
use windows::core::*;
use windows::Win32::System::Environment::*;

fn delete_marker(name: &str, guid: &str) -> windows::core::Result<()> {
    let hn = HSTRING::from(name);
    let hg = HSTRING::from(guid);
    // ValueLength = 0 + Value = NULL + attributes = 0 => delete (per UEFI 2.x spec).
    unsafe {
        SetFirmwareEnvironmentVariableExW(
            PCWSTR(hn.as_ptr()),
            PCWSTR(hg.as_ptr()),
            None,
            0,
            0,
        )
    }?;
    Ok(())
}

MITRE ATT&CK mappings

• T1542.001Pre-OS Boot: System Firmwaremitre ↗
• T1542.003Pre-OS Boot: Bootkitmitre ↗
• T1547Boot or Logon Autostart Executionmitre ↗