ntoskrnl.exeT1562.001T1106

NtThawRegistry

Releases a previous registry freeze so writes resume; counterpart of NtFreezeRegistry.

Prototype

NTSTATUS NtThawRegistry(VOID);

Arguments

Name	Type	Dir	Description

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0x1A4	win10-1507
Win10 1607	0x1AD	win10-1607
Win10 1703	0x1B3	win10-1703
Win10 1709	0x1B7	win10-1709
Win10 1803	0x1B9	win10-1803
Win10 1809	0x1BA	win10-1809
Win10 1903	0x1BB	win10-1903
Win10 1909	0x1BB	win10-1909
Win10 2004	0x1C1	win10-2004
Win10 20H2	0x1C1	win10-20h2
Win10 21H1	0x1C1	win10-21h1
Win10 21H2	0x1C3	win10-21h2
Win10 22H2	0x1C3	win10-22h2
Win11 21H2	0x1CD	win11-21h2
Win11 22H2	0x1D1	win11-22h2
Win11 23H2	0x1D1	win11-23h2
Win11 24H2	0x1D4	win11-24h2
Server 2016	0x1AD	winserver-2016
Server 2019	0x1BA	winserver-2019
Server 2022	0x1C9	winserver-2022
Server 2025	0x1D4	winserver-2025

Kernel module

ntoskrnl.exe → NtThawRegistry

Related APIs

NtFreezeRegistryZwThawRegistryVSS IVssWriter::OnThawNtSaveKeyEx

Syscall stub

4C 8B D1            mov r10, rcx
B8 D4 01 00 00      mov eax, 0x1D4     ; Win11 24H2 SSN
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

Zero-argument counterpart to `NtFreezeRegistry`. Hits `CmpRegistryThaw`, which releases the global freeze lock; pending writers that were blocked in the kernel `KeWaitForSingleObject` chain get unblocked. Also requires `SeBackupPrivilege`. Calling `NtThawRegistry` when the registry is not frozen returns `STATUS_INVALID_PARAMETER` — useful when probing whether a freeze is in effect (an unusual diagnostic an attacker might use to confirm the success of a paired `NtFreezeRegistry`).

Common malware usage

Same weak-signal caveat as `NtFreezeRegistry`: no widely reported commodity family uses it. The only realistic offensive patterns are paired use with a freeze (DoS, TOCTTOU race) or explicit cleanup after a malicious snapshot attempt to avoid leaving the system in a degraded state and tripping watchdogs. Note that the kernel auto-thaw timeout means an attacker who *only* freezes still has the system recover on its own; calling `NtThawRegistry` is essentially a politeness primitive.

No widely documented commodity family abuses this syscall directly; research/PoC only.

Detection opportunities

Treat freeze/thaw as a pair. A `NtThawRegistry` event from a process that did not itself call `NtFreezeRegistry` (i.e. cleaning up someone else's mess) is itself anomalous. Detection rules should look for the *holder* of `SeBackupPrivilege` issuing freeze→thaw outside the well-known VSS writers (`VSSVC.exe`, `svchost.exe -k swprv`, vendor backup agents on a known allowlist).

Direct syscall examples

cPolitely thaw after a freeze

NTSTATUS st = NtFreezeRegistry(30);
if (NT_SUCCESS(st)) {
    do_snapshot_work();
    NtThawRegistry();    // explicit; the 30s timeout would also auto-thaw
}

asmx64 direct stub

; NtThawRegistry direct syscall (Win11 24H2 SSN 0x1D4)
NtThawRegistry PROC
    mov  r10, rcx
    mov  eax, 1D4h
    syscall
    ret
NtThawRegistry ENDP

rustProbe freeze state

// STATUS_INVALID_PARAMETER (0xC000000D) from NtThawRegistry means 'not frozen'.
use windows_sys::Win32::System::LibraryLoader::*;
type NtThawFn = unsafe extern "system" fn() -> i32;
unsafe fn is_frozen() -> bool {
    let nt = GetModuleHandleA(b"ntdll.dll\0".as_ptr());
    let f: NtThawFn = std::mem::transmute(
        GetProcAddress(nt, b"NtThawRegistry\0".as_ptr()).unwrap()
    );
    // Caller must already have stored a prior freeze if they actually want to probe;
    // otherwise this is a destructive test.
    let st = f();
    st == 0 // success means we just thawed an active freeze
}

MITRE ATT&CK mappings

Last verified: 2026-05-20