NtSetSystemPowerState
Transitions the system into the requested sleep, hibernate or working power state.
Prototype
```c
NTSTATUS NtSetSystemPowerState(
    POWER_ACTION       SystemAction,
    SYSTEM_POWER_STATE MinSystemState,
    ULONG              Flags
);
```
Arguments
| Name | Type | Dir | Description |
|---|---|---|---|
| SystemAction | POWER_ACTION | in | Action: PowerActionNone, Reserved, Sleep, Hibernate, Shutdown, ShutdownReset, ShutdownOff, WarmEject, DisplayOff. |
| MinSystemState | SYSTEM_POWER_STATE | in | Lowest acceptable power state, e.g. PowerSystemSleeping1..3, PowerSystemHibernate, PowerSystemShutdown. |
| Flags | ULONG | in | POWER_ACTION_* flags: QUERY_ALLOWED, UI_ALLOWED, OVERRIDE_APPS, LIGHTEST_FIRST, DISABLE_WAKES, CRITICAL. |
Syscall IDs by Windows version
| Windows version | Syscall ID | Build |
|---|---|---|
| Win10 1507 | 0x18F | win10-1507 |
| Win10 1607 | 0x198 | win10-1607 |
| Win10 1703 | 0x19E | win10-1703 |
| Win10 1709 | 0x1A1 | win10-1709 |
| Win10 1803 | 0x1A3 | win10-1803 |
| Win10 1809 | 0x1A4 | win10-1809 |
| Win10 1903 | 0x1A5 | win10-1903 |
| Win10 1909 | 0x1A5 | win10-1909 |
| Win10 2004 | 0x1AB | win10-2004 |
| Win10 20H2 | 0x1AB | win10-20h2 |
| Win10 21H1 | 0x1AB | win10-21h1 |
| Win10 21H2 | 0x1AD | win10-21h2 |
| Win10 22H2 | 0x1AD | win10-22h2 |
| Win11 21H2 | 0x1B6 | win11-21h2 |
| Win11 22H2 | 0x1BA | win11-22h2 |
| Win11 23H2 | 0x1BA | win11-23h2 |
| Win11 24H2 | 0x1BD | win11-24h2 |
| Server 2016 | 0x198 | winserver-2016 |
| Server 2019 | 0x1A4 | winserver-2019 |
| Server 2022 | 0x1B3 | winserver-2022 |
| Server 2025 | 0x1BD | winserver-2025 |
Kernel module
Related APIs
Syscall stub
```asm
; ntdll.dll stub as disassembled on a build whose SSN is 0x1BD
; (Win11 24H2 / Server 2025 in the table above). The byte at
; 0x7FFE0308 is the KUSER_SHARED_DATA SystemCall flag that selects
; the legacy int 2Eh path instead of the syscall instruction.
4C 8B D1                    mov  r10, rcx
B8 BD 01 00 00              mov  eax, 0x1BD
F6 04 25 08 03 FE 7F 01     test byte ptr [0x7FFE0308], 1
75 03                       jne  short +3
0F 05                       syscall
C3                          ret
CD 2E                       int  2Eh
C3                          ret
```
Undocumented notes
`NtSetSystemPowerState` is the lower-level cousin of `NtInitiatePowerAction`: it skips the policy-manager arbitration and is the function the kernel itself calls once the power manager has finished its negotiations. The Win32 wrapper `SetSystemPowerState` lands here. The caller must hold `SeShutdownPrivilege` (interactive sessions) or `SeRemoteShutdownPrivilege` (for cross-machine variants). The function does not return until the system has either resumed from the target state or refused the transition (e.g. a driver vetoed Sleep). Passing `POWER_ACTION_DISABLE_WAKES | POWER_ACTION_CRITICAL` is the 'shut up and do it' combination that bypasses most application-level Sleep vetoes.
Common malware usage
Three real-world patterns. (1) **Wipers**: HermeticWiper, IsaacWiper and CaddyWiper have all been observed calling reboot-class power actions at the end of their destruction pass to force the machine to come up with corrupted boot data; the user sees a BSOD or 'Inaccessible Boot Device' screen the next time the box powers on. (2) **Ransomware post-encryption reboot**: Royal, BlackCat/ALPHV and BlackSuit have all triggered a reboot via this family of syscalls after dropping their note, both to enforce a clean state for the encrypted volume and to make sure any opened files are closed and locked down. (3) **Sandbox evasion**: a small set of red-team loaders call PowerSystemSleeping3 or DisplayOff inside an automated analysis VM hoping the sandbox harness treats the transition as 'execution complete' and tears down before the real payload runs. This is often combined with `NtDelayExecution` to skew the clocks the harness uses to compute runtime.
Detection opportunities
`SetSystemPowerState` and its underlying syscall are tracked by the Microsoft-Windows-Kernel-Power ETW provider: every Sleep/Hibernate/Shutdown transition emits well-defined events that include the initiating process. Sysmon has no dedicated event, but the System log records Event ID 1074 (clean shutdown initiated) and 6008 (unexpected shutdown), both useful for retroactive reconstruction. The strongest single rule: a non-system process requesting a Shutdown-class POWER_ACTION after writing to many files in the preceding minute is essentially a wiper or ransomware fingerprint. SeShutdownPrivilege should be disabled for most service accounts; alert on the privilege adjustment that immediately precedes the call.
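The correlation rule described above, and the POWER_ACTION / flag decoding from the undocumented notes, as an added example that is not part of the original page: it decodes a power-transition record, skips system processes, and alerts when a Shutdown-class action follows heavy file writing by the same PID inside a 60-second window. The telemetry records are constructed, and their field names, the process allow-list and the write threshold are assumptions an analyst would tune against a real ETW or System-log feed.

```python
from datetime import datetime, timedelta

# POWER_ACTION enumerators (winnt.h); 4..6 are the Shutdown class.
POWER_ACTION_NAMES = {
    0: "PowerActionNone", 1: "PowerActionReserved", 2: "PowerActionSleep",
    3: "PowerActionHibernate", 4: "PowerActionShutdown",
    5: "PowerActionShutdownReset", 6: "PowerActionShutdownOff",
    7: "PowerActionWarmEject", 8: "PowerActionDisplayOff",
}
SHUTDOWN_CLASS = {4, 5, 6}

# POWER_ACTION_* flag bits (winnt.h).
POWER_FLAGS = {
    0x00000001: "QUERY_ALLOWED", 0x00000002: "UI_ALLOWED",
    0x00000004: "OVERRIDE_APPS", 0x10000000: "LIGHTEST_FIRST",
    0x20000000: "LOCK_CONSOLE", 0x40000000: "DISABLE_WAKES",
    0x80000000: "CRITICAL",
}

# Assumed allow-list of processes expected to request shutdowns.
SYSTEM_PROCESSES = {"System", "wininit.exe", "winlogon.exe", "shutdown.exe"}
FILE_WRITE_THRESHOLD = 50           # distinct paths written inside WINDOW (assumed)
WINDOW = timedelta(seconds=60)


def decode_flags(flags: int) -> list[str]:
    """Name the POWER_ACTION_* bits set in flags; unknown bits are reported."""
    names = [name for bit, name in POWER_FLAGS.items() if flags & bit]
    unknown = flags & ~sum(POWER_FLAGS)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:08X})")
    return names


def evaluate(power_events: list[dict], file_writes: list[dict]) -> list[dict]:
    """Alert on a Shutdown-class action from a non-system process whose PID
    wrote to >= FILE_WRITE_THRESHOLD distinct paths in the preceding WINDOW."""
    alerts = []
    for ev in power_events:
        if ev["action"] not in SHUTDOWN_CLASS or ev["process"] in SYSTEM_PROCESSES:
            continue
        t = datetime.fromisoformat(ev["ts"])
        touched = {
            w["path"] for w in file_writes
            if w["pid"] == ev["pid"]
            and t - WINDOW <= datetime.fromisoformat(w["ts"]) <= t
        }
        if len(touched) >= FILE_WRITE_THRESHOLD:
            alerts.append({
                "pid": ev["pid"], "process": ev["process"],
                "action": POWER_ACTION_NAMES.get(ev["action"], "?"),
                "flags": decode_flags(ev["flags"]),
                "files_written": len(touched),
            })
    return alerts


# Constructed telemetry with hypothetical field names: one normalized
# power-transition record per process plus per-PID file-write records.
_T0 = datetime(2026, 5, 20, 10, 0, 0)

def _writes(pid: int, count: int, start: datetime) -> list[dict]:
    return [{"ts": (start + timedelta(seconds=i * 0.5)).isoformat(),
             "pid": pid, "path": f"C:\\data\\file{i}.bin"} for i in range(count)]

SAMPLE_FILE_WRITES = (
    _writes(4242, 80, _T0)                              # heavy, inside window
    + _writes(1234, 3, _T0)                             # light, inside window
    + _writes(5555, 80, _T0 - timedelta(seconds=200))   # heavy, but stale
)
_EVENT_TS = (_T0 + timedelta(seconds=55)).isoformat()
SAMPLE_POWER_EVENTS = [
    {"ts": _EVENT_TS, "pid": 4242, "process": "update.exe",
     "action": 5, "flags": 0xC0000000},                 # ShutdownReset, DISABLE_WAKES|CRITICAL
    {"ts": _EVENT_TS, "pid": 1234, "process": "installer.exe",
     "action": 6, "flags": 0x00000002},                 # ShutdownOff, few writes
    {"ts": _EVENT_TS, "pid": 5555, "process": "cleanup.exe",
     "action": 4, "flags": 0x00000000},                 # Shutdown, writes too old
    {"ts": _EVENT_TS, "pid": 600, "process": "wininit.exe",
     "action": 5, "flags": 0x00000000},                 # allow-listed process
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_POWER_EVENTS, SAMPLE_FILE_WRITES):
        print(alert)
```

Only the `update.exe` record fires: the stale writer falls outside the window, the light writer stays under the threshold, and `wininit.exe` is allow-listed. Feeding the flag decoder the raw `Flags` value also surfaces the `DISABLE_WAKES | CRITICAL` combination from the notes above as a named pair rather than a bare `0xC0000000`.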
Direct syscall examples
asm x64 direct stub (Win11 24H2)

```asm
; Direct syscall stub for NtSetSystemPowerState (SSN 0x1BD on Win11 24H2)
NtSetSystemPowerState PROC
    mov r10, rcx        ; syscall convention
    mov eax, 1BDh       ; SSN, varies per build
    syscall
    ret
NtSetSystemPowerState ENDP
```

C: Wiper finale — force reboot into corrupted boot
```c
// Final stage of a destructive payload: enable shutdown privilege then
// request an immediate Shutdown-Reset, bypassing user prompts.
#include <windows.h>
#include <winternl.h>
#pragma comment(lib, "advapi32.lib")   // OpenProcessToken / AdjustTokenPrivileges

// Enables SeShutdownPrivilege on the current token; return values are
// deliberately unchecked in the sample, so a denied privilege surfaces
// only as STATUS_PRIVILEGE_NOT_HELD from the syscall itself.
static VOID EnableShutdownPriv(VOID) {
    HANDLE hTok; LUID luid; TOKEN_PRIVILEGES tp = { 0 };
    OpenProcessToken(GetCurrentProcess(),
                     TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hTok);
    LookupPrivilegeValueW(NULL, SE_SHUTDOWN_NAME, &luid);
    tp.PrivilegeCount = 1; tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    AdjustTokenPrivileges(hTok, FALSE, &tp, sizeof(tp), NULL, NULL);
    CloseHandle(hTok);
}

typedef NTSTATUS (NTAPI *pNtSetSystemPowerState)(POWER_ACTION, SYSTEM_POWER_STATE, ULONG);

VOID WiperReboot(VOID) {
    EnableShutdownPriv();
    pNtSetSystemPowerState NtSetSystemPowerState = (pNtSetSystemPowerState)
        GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtSetSystemPowerState");
    // PowerActionShutdownReset = 5, PowerSystemShutdown = 6 (winnt.h enums);
    // POWER_ACTION_DISABLE_WAKES | POWER_ACTION_CRITICAL = 0x40000000 | 0x80000000
    NtSetSystemPowerState(PowerActionShutdownReset, PowerSystemShutdown,
                          POWER_ACTION_DISABLE_WAKES | POWER_ACTION_CRITICAL);
}
```

Rust: Direct-syscall sleep request (sandbox evasion attempt)
```rust
// No external crates are needed. Stable naked functions (`#[unsafe(naked)]`
// with `naked_asm!`) require Rust 1.88 or newer; x86_64 Windows only.
use std::arch::naked_asm;

#[unsafe(naked)]
unsafe extern "system" fn nt_set_system_power_state_stub(
    _action: u32, _min_state: u32, _flags: u32) -> i32 {
    // Win64 convention already puts the three arguments in rcx/rdx/r8;
    // the syscall convention only needs rcx mirrored into r10.
    naked_asm!(
        "mov r10, rcx",
        "mov eax, 0x1BD", // Win11 24H2 SSN, varies per build
        "syscall",
        "ret",
    );
}

fn try_sleep_evasion() {
    // PowerActionSleep = 2, PowerSystemSleeping3 = 4, POWER_ACTION_UI_ALLOWED = 2
    let _ = unsafe { nt_set_system_power_state_stub(2, 4, 2) };
}
```

MITRE ATT&CK mappings
Last verified: 2026-05-20