ntoskrnl.exeT1027.011T1055.004T1029

NtSetTimer

Arms a timer object with a due time, optional period and an optional APC routine fired on expiry.

Prototype

NTSTATUS NtSetTimer(
  HANDLE              TimerHandle,
  PLARGE_INTEGER      DueTime,
  PTIMER_APC_ROUTINE  TimerApcRoutine,
  PVOID               TimerContext,
  BOOLEAN             ResumeTimer,
  LONG                Period,
  PBOOLEAN            PreviousState
);

Arguments

Name	Type	Dir	Description
TimerHandle	HANDLE	in	Handle to a timer created by NtCreateTimer with TIMER_MODIFY_STATE access.
DueTime	PLARGE_INTEGER	in	Expiry time in 100-ns units; negative = relative to now, positive = absolute UTC FILETIME.
TimerApcRoutine	PTIMER_APC_ROUTINE	in	Optional user-mode routine queued as APC on the calling thread when the timer expires.
TimerContext	PVOID	in	Context value passed to TimerApcRoutine as its first argument.
ResumeTimer	BOOLEAN	in	TRUE requests a wake timer that can resume the system from suspend (S1-S3).
Period	LONG	in	Period in milliseconds for a recurring timer; 0 makes it a one-shot.
PreviousState	PBOOLEAN	out	Optional; receives the prior signaled state of the timer.

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0x62	win10-1507
Win10 1607	0x62	win10-1607
Win10 1703	0x62	win10-1703
Win10 1709	0x62	win10-1709
Win10 1803	0x62	win10-1803
Win10 1809	0x62	win10-1809
Win10 1903	0x62	win10-1903
Win10 1909	0x62	win10-1909
Win10 2004	0x62	win10-2004
Win10 20H2	0x62	win10-20h2
Win10 21H1	0x62	win10-21h1
Win10 21H2	0x62	win10-21h2
Win10 22H2	0x62	win10-22h2
Win11 21H2	0x62	win11-21h2
Win11 22H2	0x62	win11-22h2
Win11 23H2	0x62	win11-23h2
Win11 24H2	0x62	win11-24h2
Server 2016	0x62	winserver-2016
Server 2019	0x62	winserver-2019
Server 2022	0x62	winserver-2022
Server 2025	0x62	winserver-2025

Kernel module

ntoskrnl.exe → NtSetTimer

Related APIs

SetWaitableTimerSetWaitableTimerExCancelWaitableTimerNtCreateTimerNtCancelTimerNtSetTimerExCreateTimerQueueTimer

Syscall stub

4C 8B D1            mov r10, rcx
B8 62 00 00 00      mov eax, 0x62
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

Arms a timer object created by `NtCreateTimer` via `KeSetTimerEx` / `ExpSetTimer` inside ntoskrnl.exe. SSN `0x62` has been stable across every Win10/11 build. `DueTime` is in NT 100-ns units (negative for relative). When `TimerApcRoutine` is non-NULL, on each expiry the kernel queues a *normal user APC* on the **thread that called `NtSetTimer`** — not on any other thread — and the APC fires only when that thread enters an alertable wait. A non-zero `Period` makes the timer recurring (`SetWaitableTimer` semantics); subsequent expiries continue to enqueue APCs until `NtCancelTimer`.

Common malware usage

**The detonator for Ekko-style sleep masks.** The implant builds a chain: NtCreateTimer → NtSetTimer with `TimerApcRoutine` pointing at a `RtlCaptureContext` / `SystemFunction032` / `NtProtectVirtualMemory` ROP gadget series → NtWaitForSingleObject(alertable). On expiry the APC runs each ROP stage in turn: capture context, decrypt RWX implant region, then on next expiry re-encrypt + sleep again. The result is a beacon whose memory image at any *non-active* moment is unreadable to a memory scanner. Foliage, Cronos and Zilean ship variations; Havoc enables an Ekko sleep mask by default. Also abused as a low-noise persistence beacon — periodic timer + small APC that polls C2.

Cobalt Strike (Ekko sleep mask)Havoc Brute Ratel C4 Foliage sleep mask Cronos sleep mask Sliver

Detection opportunities

ETW Threat Intelligence emits the queued-APC event for the kernel-queued user APC on each expiry, which means *every* tick of an Ekko sleep mask is loggable in principle — though most EDRs throttle volume. The cleanest detection is to memorise that the source `NtSetTimer` callsite RIP lies in unbacked memory, and that the APC routine address lies in the same RWX region — a self-modifying timer arm-and-fire from anonymous memory is extremely rare in benign software. Wake-timer abuse can also be enumerated offline via `powercfg /waketimers`.

Direct syscall examples

asmx64 direct stub

; Direct syscall stub for NtSetTimer (SSN 0x62, stable across Win10/11)
NtSetTimer PROC
    mov  r10, rcx          ; syscall convention
    mov  eax, 62h          ; SSN
    syscall
    ret
NtSetTimer ENDP

cEkko sleep-mask one-shot arm

// hTimer was just created with NtCreateTimer(SynchronizationTimer).
// hEvent is the rendezvous the APC will signal at end of the ROP chain.
LARGE_INTEGER due;
due.QuadPart = -(LONGLONG)(60 * 1000 * 10000); // 60s relative

NtSetTimer(hTimer,
           &due,
           (PTIMER_APC_ROUTINE)EkkoStage1, // ROP gadget: encrypt → sleep → decrypt
           (PVOID)hEvent,                  // ctx forwarded as APC arg1
           FALSE,                          // not a wake timer
           0,                              // one-shot; we re-arm at end of chain
           NULL);

// Implant thread then alertably waits on hEvent; APC fires on expiry.
NtWaitForSingleObject(hEvent, TRUE, NULL);

cRecurring beacon timer (T1029 Scheduled Transfer)

// Beacon every 30s with a small callback that issues an HTTPS check-in.
LARGE_INTEGER due;
due.QuadPart = -(LONGLONG)(30 * 1000 * 10000); // first fire +30s
NtSetTimer(hTimer,
           &due,
           (PTIMER_APC_ROUTINE)BeaconTickApc,
           NULL,
           FALSE,
           30 * 1000,   // period 30s
           NULL);

for (;;) NtWaitForSingleObject(hTimer, TRUE, NULL); // alertable, APC fires each tick

MITRE ATT&CK mappings

Last verified: 2026-05-20