ntoskrnl.exeT1562.001T1106

NtTerminateJobObject

Terminates every process currently assigned to a job object atomically.

Prototype

NTSTATUS NtTerminateJobObject(
  HANDLE   JobHandle,
  NTSTATUS ExitStatus
);

Arguments

Name	Type	Dir	Description
JobHandle	HANDLE	in	Handle to the job object, requiring JOB_OBJECT_TERMINATE access. All processes in the job — and in any nested child jobs — are killed.
ExitStatus	NTSTATUS	in	Exit code reported for every terminated process via GetExitCodeProcess.

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0x1A2	win10-1507
Win10 1607	0x1AB	win10-1607
Win10 1703	0x1B1	win10-1703
Win10 1709	0x1B5	win10-1709
Win10 1803	0x1B7	win10-1803
Win10 1809	0x1B8	win10-1809
Win10 1903	0x1B9	win10-1903
Win10 1909	0x1B9	win10-1909
Win10 2004	0x1BF	win10-2004
Win10 20H2	0x1BF	win10-20h2
Win10 21H1	0x1BF	win10-21h1
Win10 21H2	0x1C1	win10-21h2
Win10 22H2	0x1C1	win10-22h2
Win11 21H2	0x1CB	win11-21h2
Win11 22H2	0x1CF	win11-22h2
Win11 23H2	0x1CF	win11-23h2
Win11 24H2	0x1D2	win11-24h2
Server 2016	0x1AB	winserver-2016
Server 2019	0x1B8	winserver-2019
Server 2022	0x1C7	winserver-2022
Server 2025	0x1D2	winserver-2025

Kernel module

ntoskrnl.exe → NtTerminateJobObject

Related APIs

TerminateJobObjectNtTerminateProcessNtCreateJobObjectNtAssignProcessToJobObjectNtIsProcessInJob

Syscall stub

4C 8B D1            mov r10, rcx
B8 D2 01 00 00      mov eax, 0x1D2
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

NtTerminateJobObject is the kernel side of `TerminateJobObject`. The kernel walks the job's process list (under PspJobLock) and issues `PspTerminateProcess` against each, so the kill is effectively atomic from any single process's point of view — no race window in which a child can fork itself out. The SSN moves on every major release (`0x1B9` Win10 1903, `0x1BF` 2004, `0x1D2` Win11 24H2 / Server 2025), so dynamic resolution is mandatory for cross-build payloads. The flagship legitimate caller is the Chromium browser process recycling its renderer / GPU / utility jobs, and `cmd /c taskkill /T /F` on a process-tree root that lives inside a job.

Common malware usage

Comparatively rare in offensive tooling — most attackers prefer `NtTerminateProcess` against named EDR processes individually (Conti, LockBit, BlackCat all do this). Where NtTerminateJobObject *does* show up is in (1) anti-analysis ransomware that, once it has detected and obtained a handle to its Cuckoo / Joe Sandbox containing job, kills the entire sandbox cohort to disrupt artifact collection; (2) custom backdoors that wrap victim user-mode helpers in a job specifically so they can be torn down with a single syscall on uninstall; (3) red-team tooling that, having abused PROCESS_SET_QUOTA / JOB_OBJECT_ASSIGN_PROCESS to bring an EDR sensor into a controlled job, kills the whole job to bypass per-process self-protection. The technique is loud, easy to detect, and almost never seen in commodity loaders.

Custom red-team frameworks (rare)Anti-analysis crypters (proof-of-concept stage)

Detection opportunities

ETW `Microsoft-Windows-Kernel-Process/ProcessStop` will fire once per killed process with a shared, very-close-in-time timestamp cluster — the smoking gun for a job-wide termination versus a sequential `taskkill` loop. PsSetCreateProcessNotifyRoutineEx callbacks see the same pattern. Sysmon Event ID 5 (`ProcessTerminate`) lacks the terminating-PID field but the timing burst is still characteristic. High-fidelity rule: 5+ processes in the same job ending within a 50 ms window, terminated by a process not in their parent chain. EDR self-protection (PPL on `MsMpEng.exe`, the Defender protected-process flag on `MsSense.exe`) prevents NtTerminateJobObject from killing Defender / MDE even from SYSTEM — making this technique a known dead end against modern protected-process EDRs.

Direct syscall examples

asmx64 stub (Win11 24H2 SSN 0x1D2)

; Direct syscall stub for NtTerminateJobObject
NtTerminateJobObject PROC
    mov  r10, rcx          ; syscall convention
    mov  eax, 1D2h         ; SSN (Win11 24H2 / Server 2025)
    syscall
    ret
NtTerminateJobObject ENDP

cBrowser-style sandbox recycle

// Recycle a renderer cohort: open the named job we own and terminate it.
#include <windows.h>

DWORD RecycleSandbox(const wchar_t *job_name) {
    HANDLE h = OpenJobObjectW(JOB_OBJECT_TERMINATE, FALSE, job_name);
    if (!h) return GetLastError();
    DWORD err = 0;
    if (!TerminateJobObject(h, 0xDEAD0001))  // STATUS-style exit
        err = GetLastError();
    CloseHandle(h);
    return err;
}

cAnti-sandbox: tear down Cuckoo monitor cohort

// Hostile (defensive PoC): if we detect we're inside a sandbox job and
// can open a handle to it with TERMINATE rights, kill every sibling.
// In practice the monitor strips JOB_OBJECT_TERMINATE from descendants —
// this rarely works, hence why ransomware prefers per-process killing.
#include <windows.h>

typedef NTSTATUS (NTAPI *pNtTerminateJobObject)(HANDLE, NTSTATUS);

BOOL NukeContainingJob(void) {
    // Acquire a handle via OpenProcess + duplicating the job from a sibling
    // is a non-trivial dance; abbreviated here.
    HANDLE h_job = /* ... */ NULL;
    if (!h_job) return FALSE;
    pNtTerminateJobObject NtTerminateJobObject = (pNtTerminateJobObject)GetProcAddress(
        GetModuleHandleA("ntdll.dll"), "NtTerminateJobObject");
    return NtTerminateJobObject(h_job, 0) == 0;
}

MITRE ATT&CK mappings

Last verified: 2026-05-20