ntoskrnl.exe · T1486 · T1491.001 · T1106

NtSetVolumeInformationFile

Modifies writable volume properties — primarily the volume label — for the volume backing a file handle.

Prototype

NTSTATUS NtSetVolumeInformationFile(
  HANDLE                 FileHandle,
  PIO_STATUS_BLOCK       IoStatusBlock,
  PVOID                  FsInformation,
  ULONG                  Length,
  FS_INFORMATION_CLASS   FsInformationClass
);

Arguments

| Name | Type | Dir | Description |
|---|---|---|---|
| FileHandle | HANDLE | in | Handle to the volume root or a file on it; opened with FILE_WRITE_ATTRIBUTES. |
| IoStatusBlock | PIO_STATUS_BLOCK | out | Receives the completion status of the set operation. |
| FsInformation | PVOID | in | Caller-supplied input buffer holding the structure matching FsInformationClass (e.g. FILE_FS_LABEL_INFORMATION). |
| Length | ULONG | in | Size in bytes of the FsInformation buffer. |
| FsInformationClass | FS_INFORMATION_CLASS | in | Class to set; almost always FileFsLabelInformation (2) or FileFsControlInformation (6) in practice. |

Syscall IDs by Windows version

| Windows version | Syscall ID | Build |
|---|---|---|
| Win10 1507 | 0x196 | win10-1507 |
| Win10 1607 | 0x19F | win10-1607 |
| Win10 1703 | 0x1A5 | win10-1703 |
| Win10 1709 | 0x1A8 | win10-1709 |
| Win10 1803 | 0x1AA | win10-1803 |
| Win10 1809 | 0x1AB | win10-1809 |
| Win10 1903 | 0x1AC | win10-1903 |
| Win10 1909 | 0x1AC | win10-1909 |
| Win10 2004 | 0x1B2 | win10-2004 |
| Win10 20H2 | 0x1B2 | win10-20h2 |
| Win10 21H1 | 0x1B2 | win10-21h1 |
| Win10 21H2 | 0x1B4 | win10-21h2 |
| Win10 22H2 | 0x1B4 | win10-22h2 |
| Win11 21H2 | 0x1BD | win11-21h2 |
| Win11 22H2 | 0x1C1 | win11-22h2 |
| Win11 23H2 | 0x1C1 | win11-23h2 |
| Win11 24H2 | 0x1C4 | win11-24h2 |
| Server 2016 | 0x19F | winserver-2016 |
| Server 2019 | 0x1AB | winserver-2019 |
| Server 2022 | 0x1BA | winserver-2022 |
| Server 2025 | 0x1C4 | winserver-2025 |

Kernel module

ntoskrnl.exe · NtSetVolumeInformationFile

Related APIs

SetVolumeLabelW, GetVolumeInformationW, NtQueryVolumeInformationFile, FSCTL_SET_OBJECT_ID, NtSetInformationFile

Syscall stub

4C 8B D1            mov r10, rcx
B8 C4 01 00 00      mov eax, 0x1C4
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

Far rarer than its `Query` sibling because the FS_INFORMATION_CLASS values that filesystems actually accept on the `Set` path are limited: `FileFsLabelInformation` (rename the volume), `FileFsControlInformation` (quota policy on NTFS), and `FileFsObjectIdInformation` (NTFS object-id assignment). Most other classes return `STATUS_INVALID_INFO_CLASS`. The IRP routes through `IRP_MJ_SET_VOLUME_INFORMATION` and reaches NTFS at `NtfsFsdSetVolumeInformation`. Renaming a volume requires `SE_MANAGE_VOLUME_NAME` privilege, which is held by interactive administrators and `LocalSystem` — not by standard users — so use of this syscall from a non-admin context is itself unusual telemetry.

Common malware usage

Niche but visible. A handful of ransomware families — most notoriously **Petya/NotPetya** (2017, MBR-encrypter) and some **Babuk** / **DarkSide** affiliates — issue `FileFsLabelInformation` to overwrite the volume name with their brand or a `READ_ME_*` string, so that any pre-boot recovery screen or `dir C:\` shows the ransom marker before the user opens the note. **BlackMatter** (2021) renamed labels to a short hash matching its ransom ID. Beyond ransomware the call is essentially unused by commodity malware — there is no offensive primitive here, only branding.

Detection opportunities

Microsoft Defender for Endpoint surfaces label changes via `DeviceEvents` ActionType `VolumeMounted` / `VolumeRenamed`. Sysmon does *not* cover this directly, but ETW `Microsoft-Windows-Kernel-File` IRP traces show `IRP_MJ_SET_VOLUME_INFORMATION` with class 2 (`FileFsLabelInformation`). Because the privileged path is so narrow, *any* `NtSetVolumeInformationFile(FileFsLabelInformation)` from a non-trusted process — anything that is not `explorer.exe`, `cmd.exe label`, `format.com`, or a known backup product — should be considered a high-confidence ransomware indicator, especially when chained with `NtQueryVolumeInformationFile` enumeration of all drive letters seconds earlier.
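The rule described above, as an added Python sketch (not part of the original page or of any vendor's tooling): it flags class-2 sets from images outside the allowlist, decodes the `FILE_FS_LABEL_INFORMATION` buffer, and marks whether the same process queried several volumes shortly before. The `Event` record shape, the 10-second window, the two-volume threshold and the sample trace are assumptions made for illustration; they are not the ETW or Defender schema.

```python
import struct
from collections import defaultdict, namedtuple

FILE_FS_LABEL_INFORMATION = 2   # FsInformationClass value for a label change
# Expected callers per the page; name matching is spoofable, so also check path/signer.
TRUSTED_IMAGES = {"explorer.exe", "cmd.exe", "format.com"}
# Hypothetical normalized event record (assumption, not a real telemetry schema).
Event = namedtuple("Event", "ts pid image op volume info_class buffer", defaults=(1, b""))

def make_label_buffer(label):   # builds sample input only
    raw = label.encode("utf-16-le")
    return struct.pack("<I", len(raw)) + raw

def parse_label(buf):
    """Decode ULONG VolumeLabelLength (bytes, not chars) + UTF-16LE VolumeLabel."""
    if len(buf) < 4:
        return None
    (nbytes,) = struct.unpack_from("<I", buf, 0)
    if nbytes % 2 or nbytes > len(buf) - 4:
        return None             # length field disagrees with the buffer
    return buf[4:4 + nbytes].decode("utf-16-le", errors="replace")

def detect(events, window_s=10.0, min_volumes=2):
    """Flag label sets from untrusted images; note a preceding volume sweep."""
    queries = defaultdict(list)             # pid -> [(ts, volume)]
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op == "query":
            queries[ev.pid].append((ev.ts, ev.volume))
        elif (ev.op == "set" and ev.info_class == FILE_FS_LABEL_INFORMATION
              and ev.image.lower() not in TRUSTED_IMAGES):
            swept = {v for t, v in queries[ev.pid] if ev.ts - t <= window_s}
            alerts.append({"pid": ev.pid, "image": ev.image, "volume": ev.volume,
                           "new_label": parse_label(ev.buffer),
                           "chained_enumeration": len(swept) >= min_volumes})
    return alerts

# Constructed sample trace (not real telemetry).
SAMPLE_EVENTS = [
    Event(100.0, 4120, "explorer.exe", "set", "D:", 2, make_label_buffer("BACKUP")),
    Event(200.0, 7788, "updater.exe", "query", "C:"),
    Event(200.1, 7788, "updater.exe", "query", "D:"),
    Event(203.5, 7788, "updater.exe", "set", "C:", 2, make_label_buffer("READ_ME_NOW")),
    Event(300.0, 5012, "quota.exe", "set", "C:", 6, b"\x00" * 32),
    Event(400.0, 6001, "unknown.exe", "set", "E:", 2, struct.pack("<I", 22) + b"R\x00E\x00"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

A label buffer whose length field does not match the data (the last sample event) still raises an alert, with `new_label` left as `None` so the malformed input is visible to the analyst.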

Direct syscall examples

asm: x64 direct stub (Win11 24H2)

; Direct syscall stub for NtSetVolumeInformationFile (SSN 0x1C4 on Win11 24H2 / Server 2025)
NtSetVolumeInformationFile PROC
    mov  r10, rcx          ; syscall convention
    mov  eax, 1C4h         ; SSN — drifts; resolve dynamically for portability
    syscall
    ret
NtSetVolumeInformationFile ENDP

c: Petya-style volume relabel

// Requires SE_MANAGE_VOLUME_NAME privilege. Petya/NotPetya stamped
// volume labels with their ransom marker — visible in pre-boot UI.
#include <ntstatus.h>

typedef struct _FILE_FS_LABEL_INFORMATION {
    ULONG VolumeLabelLength;        // bytes, not chars
    WCHAR VolumeLabel[1];
} FILE_FS_LABEL_INFORMATION;

WCHAR  label[] = L"READ_ME_NOW";
SIZE_T bytes   = sizeof(label) - sizeof(WCHAR);
BYTE   buf[sizeof(FILE_FS_LABEL_INFORMATION) + sizeof(label)];
FILE_FS_LABEL_INFORMATION* p = (FILE_FS_LABEL_INFORMATION*)buf;
p->VolumeLabelLength = (ULONG)bytes;
memcpy(p->VolumeLabel, label, bytes);

IO_STATUS_BLOCK iosb;
NTSTATUS st = NtSetVolumeInformationFile(
    hVolumeRoot, &iosb, p,
    (ULONG)(sizeof(FILE_FS_LABEL_INFORMATION) + bytes),
    2 /* FileFsLabelInformation */);

rust: SetVolumeLabelW wrapper (windows-sys)

// Cargo: windows-sys = "0.59" (Win32_Storage_FileSystem)
use windows_sys::Win32::Storage::FileSystem::SetVolumeLabelW;
use std::ffi::OsStr;
use std::os::windows::ffi::OsStrExt;

// Internally calls NtSetVolumeInformationFile(FileFsLabelInformation).
fn relabel(root: &str, label: &str) -> bool {
    let to_wide = |s: &str| -> Vec<u16> { OsStr::new(s).encode_wide().chain(Some(0)).collect() };
    let r = to_wide(root);
    let l = to_wide(label);
    unsafe { SetVolumeLabelW(r.as_ptr(), l.as_ptr()) != 0 }
}

MITRE ATT&CK mappings

Last verified: 2026-05-20