Syscall reference
Browse documented Nt*/Zw* syscalls across Windows versions.
- NtAllocateVirtualMemoryntoskrnl.exeT1055T1055.002
Reserves, commits or both a region of virtual memory in a target process.
- NtAllocateVirtualMemoryExntoskrnl.exeT1055T1620
Reserves or commits virtual memory with extended parameters (preferred NUMA node, CFG, address requirements).
- NtProtectVirtualMemoryntoskrnl.exeT1055T1055.002
Changes the protection on a region of committed virtual memory in a target process.
- NtWriteVirtualMemoryntoskrnl.exeT1055T1055.002
Writes a buffer from the caller into the virtual address space of a target process.
- NtReadVirtualMemoryntoskrnl.exeT1003.001T1057
Reads bytes from the virtual address space of a target process into a caller-supplied buffer.
- NtFreeVirtualMemoryntoskrnl.exeT1055T1027.009
Decommits or releases a region of virtual memory in a target process.
- NtQueryVirtualMemoryntoskrnl.exeT1057T1622
Retrieves information about pages in a target process's virtual address space.
- NtFlushVirtualMemoryntoskrnl.exeT1547T1027
Flushes dirty pages of a file-backed view to disk, similar to FlushViewOfFile.
- NtLockVirtualMemoryntoskrnl.exeT1027.011T1027
Pins a virtual memory region in the process's working set so its pages cannot be paged out.
- NtUnlockVirtualMemoryntoskrnl.exeT1027.011T1027
Releases a working-set lock previously taken by NtLockVirtualMemory.
- NtSetInformationVirtualMemoryntoskrnl.exeT1574T1055
Applies an information class to a list of virtual-memory ranges: prefetch, page priority, or CFG call-target opt-in.
- NtAllocateUserPhysicalPagesntoskrnl.exeT1106T1055
Allocates physical memory pages for use with Address Windowing Extensions (AWE).
- NtMapUserPhysicalPagesntoskrnl.exeT1106T1055
Maps AWE-allocated physical pages into a previously reserved virtual address window.
- NtFreeUserPhysicalPagesntoskrnl.exeT1106T1070
Releases physical pages previously allocated via NtAllocateUserPhysicalPages, returning them to the system page pool.
- NtFlushInstructionCachentoskrnl.exeT1620T1055.001
Invalidates the instruction cache for a region in a target process so freshly written code can be executed.
- NtFlushProcessWriteBuffersntoskrnl.exeT1106
Issues a system-wide memory barrier on every CPU running threads of the current process.
- NtOpenProcessntoskrnl.exeT1057T1003.001
Opens a handle to an existing process with a requested access mask.
- NtCreateSectionntoskrnl.exeT1055T1055.012
Creates a section object backed by a file or the system pagefile for shared memory mapping.
- NtCreateSectionExntoskrnl.exeT1055T1620
Creates a section object with extended parameters (NUMA node, address-requirements, user-physical pages).
- NtOpenSectionntoskrnl.exeT1574.001T1106
Opens a handle to an existing named section object (shared memory or image mapping).
- NtExtendSectionntoskrnl.exeT1620T1106
Grows an existing pagefile- or file-backed section to a larger maximum size.
- NtQuerySectionntoskrnl.exeT1562.001T1027.007
Retrieves basic or image-specific metadata about a section object.
- NtMapViewOfSectionntoskrnl.exeT1055T1055.012
Maps a view of a section object into the virtual address space of a target process.
- NtMapViewOfSectionExntoskrnl.exeT1055.012T1620
Windows 10 1809+ extended section-mapping syscall that accepts MEM_EXTENDED_PARAMETER constraints.
- NtUnmapViewOfSectionntoskrnl.exeT1055.012T1055
Unmaps a previously mapped section view from a process's virtual address space.
- NtAreMappedFilesTheSamentoskrnl.exeT1562.001T1106
Determines whether two mapped views are backed by the same file (file object identity test).
- NtGetWriteWatchntoskrnl.exeT1027.011T1027.013
Retrieves the set of pages written to within a MEM_WRITE_WATCH region since the last reset.
- NtResetWriteWatchntoskrnl.exeT1027.011T1106
Clears the write-tracking state of a MEM_WRITE_WATCH region without retrieving the dirty pages.
- NtCreatePartitionntoskrnl.exeT1106
Creates a memory partition object that isolates the physical-page working set of a group of processes.
- NtOpenPartitionntoskrnl.exeT1106
Opens an existing memory partition object by name and returns a handle for management or process attachment.
- NtManagePartitionntoskrnl.exeT1106
Queries or modifies an existing memory partition — add memory, transfer pages, set memory-list configuration.
- NtCreateThreadntoskrnl.exeT1055T1106
Legacy thread-creation syscall requiring a manually-built INITIAL_TEB; superseded by NtCreateThreadEx.
- NtCreateThreadExntoskrnl.exeT1055T1055.002
Creates a new thread in a target process, optionally suspended, with rich attribute list support.
- NtQueueApcThreadntoskrnl.exeT1055.004T1055
Queues a user-mode asynchronous procedure call (APC) to a target thread.
- NtQueueApcThreadExntoskrnl.exeT1055.004T1055
Queues a user APC to a thread with optional reserve object or special-user-APC flag for forced delivery.
- NtTestAlertntoskrnl.exeT1055T1055.004
Tests whether the calling thread has a pending alert and, if so, delivers any queued user-mode APCs.
- NtContinuentoskrnl.exeT1027.011T1620
Restores a CPU CONTEXT into the current thread and resumes execution at CONTEXT.Rip.
- NtAlertThreadByThreadIdntoskrnl.exeT1106T1027
Wakes a single thread, identified by its TID, that is parked in NtWaitForAlertByThreadId — the kernel side of WakeByAddressSingle.
- NtWaitForAlertByThreadIdntoskrnl.exeT1106T1027
Parks the calling thread until NtAlertThreadByThreadId wakes it — the kernel side of WaitOnAddress.
- NtAllocateReserveObjectntoskrnl.exeT1055.004T1055
Pre-allocates a kernel reserve object (APC or completion) so future operations cannot fail under memory pressure.
- NtCreateProcessntoskrnl.exeT1055.012T1055
Legacy NT-style process creation from a pre-built section object — predecessor of NtCreateProcessEx and NtCreateUserProcess.
- NtCreateUserProcessntoskrnl.exeT1134.004T1106
Creates a new user-mode process and its initial thread from an executable image.
- NtCreateProcessExntoskrnl.exeT1055.012T1134.004
Creates a new process from a section handle without running ntdll process initialization — building block of process hollowing.
- NtTerminateProcessntoskrnl.exeT1562.001T1489
Terminates a target process and all of its threads with a given exit status.
- NtSuspendProcessntoskrnl.exeT1055T1562.001
Suspends every thread in a target process by incrementing each thread's suspend count.
- NtResumeProcessntoskrnl.exeT1055.012T1055
Decrements every thread's suspend count in a target process, resuming threads that reach zero.
- NtGetNextProcessntoskrnl.exeT1057T1106
Walks the kernel's process list and returns a handle to the next process after a given one.
- NtIsProcessInJobntoskrnl.exeT1497.001T1497
Tests whether a process is running inside a specific (or any) job object.
- NtOpenThreadntoskrnl.exeT1055.003T1057
Opens a handle to an existing thread identified by CLIENT_ID with requested access rights.
- NtSuspendThreadntoskrnl.exeT1055.003T1003.001
Increments the suspend count of a target thread, halting its execution.
- NtResumeThreadntoskrnl.exeT1055T1055.012
Decrements the suspend count of a thread, resuming execution when the count reaches zero.
- NtAlertResumeThreadntoskrnl.exeT1055T1055.004
Resumes a suspended thread and simultaneously alerts it so any pending APCs are delivered.
- NtTerminateThreadntoskrnl.exeT1562.001T1055.003
Terminates the specified thread with the supplied exit status. NULL handle terminates the current thread.
- NtGetContextThreadntoskrnl.exeT1622T1055.003
Retrieves the CPU register context (CONTEXT structure) of a suspended thread.
- NtSetContextThreadntoskrnl.exeT1055.003T1055.004
Sets the CPU register context of a thread — the kernel primitive behind thread hijacking and shellcode redirection.
- NtGetNextThreadntoskrnl.exeT1057T1055.003
Returns a handle to the next thread within a target process by walking the kernel thread list.
- NtOpenProcessTokenntoskrnl.exeT1134T1134.001
Opens the access token associated with a process and returns a handle to it.
- NtOpenProcessTokenExntoskrnl.exeT1134T1134.001
Opens the access token of a process and lets the caller specify handle attributes such as OBJ_INHERIT.
- NtAdjustPrivilegesTokenntoskrnl.exeT1134T1134.001
Enables or disables privileges in a specified access token.
- NtAdjustGroupsTokenntoskrnl.exeT1134T1134.001
Enables or disables groups (SIDs) in an access token, or resets group attributes to their default state.
- NtQueryInformationTokenntoskrnl.exeT1134T1033
Retrieves a specified class of information about an access token.
- NtSetInformationTokenntoskrnl.exeT1134T1548.002
Writes a property on an access token — integrity level, session id, owner, default DACL, audit policy, linked token.
- NtDuplicateTokenntoskrnl.exeT1134T1134.001
Creates a new access token that duplicates an existing token, optionally changing its type and impersonation level.
- NtFilterTokenntoskrnl.exeT1134T1134.002
Creates a restricted (filtered) copy of an existing access token by disabling SIDs, deleting privileges, or adding restricted SIDs.
- NtImpersonateAnonymousTokenntoskrnl.exeT1134T1134.001
Assigns the well-known ANONYMOUS LOGON token to the specified thread.
- NtImpersonateThreadntoskrnl.exeT1134T1134.001
Causes the server thread to impersonate the security context of the client thread.
- NtImpersonateClientOfPortntoskrnl.exeT1134T1134.001
Legacy LPC: lets a server thread impersonate the security context of the client that sent a port message.
- NtCompareTokensntoskrnl.exeT1106
Decides whether two tokens grant the same access — same user, same groups, same restricted SIDs, same privileges.
- NtCreateTokenntoskrnl.exeT1134.003T1003.001
Forges an access token from scratch with caller-specified user, groups, privileges, owner, default DACL and source — gated by SeCreateTokenPrivilege.
- NtCreateLowBoxTokenntoskrnl.exeT1134T1106
Derives a LowBox (AppContainer) token from an existing token — sets the package SID and capability list that gate broker IPC access.
- NtRevertContainerImpersonationntoskrnl.exeT1611T1134
Reverts a Server Silo / Argon Container impersonation back to the host security context.
- NtAccessCheckntoskrnl.exeT1106T1087
Performs a security access check of a security descriptor against an impersonation token, returning the granted access mask.
- NtAccessCheckByTypentoskrnl.exeT1087.002T1069.002
Performs a security access check against a security descriptor honoring a typed object hierarchy (OBJECT_TYPE_LIST).
- NtAccessCheckByTypeResultListntoskrnl.exeT1106
Performs a typed access check returning a per-object-type result list, without writing audit events.
- NtPrivilegeCheckntoskrnl.exeT1106T1033
Tests whether the privileges named in a PRIVILEGE_SET are enabled in an impersonation token.
- NtGetCachedSigningLevelntoskrnl.exeT1553T1518.001
Reads the Code Integrity cached signing-level result stored as an NTFS extended attribute on a file.
- NtCompareSigningLevelsntoskrnl.exeT1106T1553
Compares two SE_SIGNING_LEVEL values using Code Integrity's policy ordering and returns whether the first dominates the second.
- NtAccessCheckAndAuditAlarmntoskrnl.exeT1562.002T1106
Performs a standard access check and writes an audit-alarm entry to the Security event log.
- NtAccessCheckByTypeAndAuditAlarmntoskrnl.exeT1562.002T1106
Performs a typed access check and writes an audit-alarm entry to the Security event log.
- NtAccessCheckByTypeResultListAndAuditAlarmntoskrnl.exeT1562.002T1106
Typed access check returning a per-type result list, while writing audit-alarm entries to the Security event log.
- NtPrivilegeObjectAuditAlarmntoskrnl.exeT1562.002T1134
Emits a Security event-log entry reporting the use of one or more privileges on a specific object.
- NtPrivilegedServiceAuditAlarmntoskrnl.exeT1562.002T1547.006
Emits a Security event-log entry reporting a privileged service operation (event 4673).
- NtCloseObjectAuditAlarmntoskrnl.exeT1562.002T1106
Emits the Security event-log entry that pairs with an earlier audit-alarm open, marking a handle's close.
- NtDeleteObjectAuditAlarmntoskrnl.exeT1562.002T1070.004
Emits the Security event-log entry that records the deletion of an audited object.
- NtQueryInformationProcessntoskrnl.exeT1622T1057
Retrieves a class of information about a process — the universal back-end of GetProcessInformation and the workhorse of anti-debug checks.
- NtSetInformationProcessntoskrnl.exeT1622T1562.001
Modifies a class of process-level state — anti-debug self-cleansing, CET range registration, ACG/CIG policy installation, instrumentation callbacks.
- NtQueryInformationThreadntoskrnl.exeT1622T1057
Reads a property from a thread via the THREADINFOCLASS enum — TEB pointer, hide-from-debugger flag, times, exit status.
- NtSetInformationThreadntoskrnl.exeT1622T1106
Sets a property on a thread via the THREADINFOCLASS enum — most famously ThreadHideFromDebugger.
- NtQuerySystemInformationntoskrnl.exeT1057T1014
Retrieves a class of system-wide information — process list, kernel handle table, loaded driver list, code-integrity status, and more.
- NtSetSystemInformationntoskrnl.exeT1068T1014
Generic kernel setter selected by SYSTEM_INFORMATION_CLASS — gateway to SystemDebugControl, GDI driver loading and more.
- NtRaiseHardErrorntoskrnl.exeT1485T1529
Raises a 'hard error' that the kernel routes to CSRSS for UI prompting — or, with SeShutdownPrivilege and FATAL severity, triggers an immediate bugcheck (BSOD).
- NtQueryInformationByNamentoskrnl.exeT1083T1106
Queries file information by path without an open handle, introduced in Windows 10 RS5.
- NtCreateProfilentoskrnl.exeT1106
Creates a kernel-mode sampling profiler object that buckets the program counter into a histogram.
- NtQueryPerformanceCounterntoskrnl.exeT1497.003T1497
Returns the current value of the high-resolution performance counter and optionally its frequency.
- NtGetCurrentProcessorNumberntoskrnl.exeT1497.001T1497
Returns the zero-based logical-processor index the calling thread is currently executing on.
- NtTraceEventntoskrnl.exeT1106T1562
Writes a user-mode event to an ETW session via a registered trace handle.
- NtTraceControlntoskrnl.exeT1562.006T1562
Multiplexed control IOCTL for the ETW subsystem — start, stop, query, flush sessions and enable/disable providers.
- NtCreateDebugObjectntoskrnl.exeT1622T1106
Creates a kernel DebugObject — the per-debugger port that receives debug events from attached processes.
- NtDebugActiveProcessntoskrnl.exeT1622T1106
Attaches an existing DebugObject to a running process — the kernel side of DebugActiveProcess.
- NtRemoveProcessDebugntoskrnl.exeT1622T1106
Detaches a DebugObject from a process — the kernel side of DebugActiveProcessStop.
- NtWaitForDebugEventntoskrnl.exeT1622T1106
Waits for the next debug event delivered to a debug object, returning a DBGUI_WAIT_STATE_CHANGE.
- NtDebugContinuentoskrnl.exeT1622T1106
Resumes a debuggee thread after a debug event with a given NTSTATUS continue code.
- NtCreateEventntoskrnl.exeT1106T1027.011
Creates a named or unnamed event synchronization object and returns a handle to it.
- NtOpenEventntoskrnl.exeT1106T1497
Opens a handle to an existing named event object.
- NtSetEventntoskrnl.exeT1106T1027.011
Sets an event object to the signaled state, releasing waiting threads.
- NtResetEventntoskrnl.exeT1106T1027.013
Resets an event object to non-signaled and returns its previous signaled state.
- NtPulseEventntoskrnl.exeT1106
Signals an event, releases currently-waiting threads, then immediately resets it to non-signaled.
- NtClearEventntoskrnl.exeT1106T1027
Drives an event object to the non-signaled state without returning the previous state.
- NtWaitForSingleObjectntoskrnl.exeT1055.004T1497
Waits until a dispatcher object becomes signaled or the optional timeout expires.
- NtWaitForMultipleObjectsntoskrnl.exeT1055.004T1497
Waits on up to MAXIMUM_WAIT_OBJECTS dispatcher objects with either WaitAny or WaitAll semantics.
- NtSignalAndWaitForSingleObjectntoskrnl.exeT1027.011T1027
Atomically signals one dispatcher object and waits on another in a single, race-free transition.
- NtCreateKeyedEventntoskrnl.exeT1106
Creates a keyed event object — a lightweight kernel sync primitive that pairs waits and wakes by virtual-address key.
- NtWaitForKeyedEventntoskrnl.exeT1027T1106
Blocks the calling thread on a keyed event until another thread releases the same (event, key) pair.
- NtReleaseKeyedEventntoskrnl.exeT1027T1106
Wakes exactly one thread waiting on the same (keyed-event, key) pair, blocking if no waiter is present yet.
- NtCreateMutantntoskrnl.exeT1480T1106
Creates or opens a named or unnamed mutant (mutex) object and optionally takes initial ownership.
- NtCreateTimerntoskrnl.exeT1027.011T1106
Creates a kernel timer object that can be armed later with NtSetTimer.
- NtSetTimerntoskrnl.exeT1027.011T1055.004
Arms a timer object with a due time, optional period and an optional APC routine fired on expiry.
- NtCancelTimerntoskrnl.exeT1106T1027
Cancels a pending NtSetTimer arm and reports whether the timer was still active at cancel time.
- NtCreateTimer2ntoskrnl.exeT1027.011T1055
Creates a modern high-resolution timer object supporting manual-reset and no-wake flags in one call.
- NtSetTimer2ntoskrnl.exeT1027.011T1106
Arms a Timer2 object with a due time, optional period and a T2_SET_PARAMETERS block describing callback and flags.
- NtCancelTimer2ntoskrnl.exeT1027.011T1106
Cancels a previously armed Timer2 object and reports whether it was still pending.
- NtDelayExecutionntoskrnl.exeT1497T1497.003
Suspends the calling thread for a specified interval, optionally in an alertable state.
- NtQuerySystemTimentoskrnl.exeT1497T1497.003
Returns the current system time as a 64-bit count of 100-ns intervals since 1601-01-01 UTC.
- NtCreateNamedPipeFilentoskrnl.exeT1571T1090
Creates the server end of a named pipe in the \Device\NamedPipe device namespace.
- NtCreateMailslotFilentoskrnl.exeT1559T1071
Creates the server side of a mailslot — a legacy, one-way, datagram-style IPC primitive accessed via \Device\Mailslot.
- NtAlpcCreatePortntoskrnl.exeT1068T1559
Creates a server-side ALPC connection port that clients can reach with NtAlpcConnectPort.
- NtAlpcConnectPortntoskrnl.exeT1068T1559
Establishes a client ALPC connection to a named server port and exchanges an initial message.
- NtAlpcAcceptConnectPortntoskrnl.exeT1559T1106
Server-side ALPC accept — completes a pending client connection request and returns a per-client communication port.
- NtAlpcSendWaitReceivePortntoskrnl.exeT1068T1559
Sends an ALPC message on a port and optionally waits for a reply or the next inbound message.
- NtAlpcQueryInformationntoskrnl.exeT1057T1106
Queries metadata about an ALPC port — owning process, message stats, server SID, port attributes.
- NtAlpcImpersonateClientOfPortntoskrnl.exeT1068T1134.001
ALPC server's primary impersonation primitive — assumes the security context of the client that sent a message.
- NtAlpcOpenSenderProcessntoskrnl.exeT1068T1134
Server-side helper that opens a HANDLE to the process that sent a given ALPC message.
- NtAlpcOpenSenderThreadntoskrnl.exeT1068T1134
Server-side helper that opens a HANDLE to the thread that sent a given ALPC message.
- NtAlpcDisconnectPortntoskrnl.exeT1559T1106
Closes the client-side of an ALPC connection cleanly, signalling the server before the handle is freed.
- NtAlpcDeleteSecurityContextntoskrnl.exeT1559T1106
Frees an ALPC SECURITY_QOS context previously created with NtAlpcCreateSecurityContext.
- NtAlpcRevokeSecurityContextntoskrnl.exeT1559T1106
Invalidates a cached ALPC SECURITY_QOS context without freeing its handle slot.
- NtCreatePortntoskrnl.exeT1559T1106
Creates a named server-side LPC port object — the legacy pre-ALPC IPC listener primitive.
- NtConnectPortntoskrnl.exeT1559T1106
Client-side connect to a legacy LPC server port, the pre-ALPC equivalent of NtAlpcConnectPort.
- NtAcceptConnectPortntoskrnl.exeT1559T1106
Server-side acceptance of a legacy LPC connection request, optionally mapping a shared view.
- NtRequestPortntoskrnl.exeT1559T1106
Sends a fire-and-forget LPC message on a connected port — no reply expected.
- NtRequestWaitReplyPortntoskrnl.exeT1559T1106
Sends a synchronous LPC request and blocks until the server replies — the legacy RPC primitive.
- NtReplyPortntoskrnl.exeT1559T1106
Sends a reply on a server-side LPC port to a previously received request, without waiting.
- NtReplyWaitReceivePortntoskrnl.exeT1559T1106
Server-side LPC primitive: atomically reply to the previous request and block for the next one.
- NtCreateJobObjectntoskrnl.exeT1106T1564
Creates a job object — the kernel container used to apply limits, accounting and termination policy to a set of processes.
- NtAssignProcessToJobObjectntoskrnl.exeT1106T1564
Attaches a process to a job object so that the job's limits, accounting and termination policy apply to it.
- NtSetInformationJobObjectntoskrnl.exeT1106T1564
Sets a policy or limit on a job object via one of the JOBOBJECTINFOCLASS information classes.
- NtQueryInformationJobObjectntoskrnl.exeT1497.001T1497
Retrieves accounting, limits or UI-restriction information about a job object.
- NtTerminateJobObjectntoskrnl.exeT1562.001T1106
Terminates every process currently assigned to a job object atomically.
- NtCreateIoCompletionntoskrnl.exeT1055T1106
Creates an I/O completion port — the kernel queue that backs threadpool work delivery, async I/O notification, and (in PoolParty) injected work items.
- NtSetIoCompletionntoskrnl.exeT1055T1106
Posts a completion packet to an I/O completion port — the kernel side of PostQueuedCompletionStatus and the delivery vector for PoolParty's forged work items.
- NtRemoveIoCompletionntoskrnl.exeT1106T1027.011
Dequeues a single completion packet from an I/O completion port, blocking until one is available or the timeout expires.
- NtRemoveIoCompletionExntoskrnl.exeT1106
Dequeues up to a caller-specified number of completion packets from an I/O completion port in a single syscall.
- NtCancelIoFilentoskrnl.exeT1562.001T1106
Cancels every outstanding I/O request issued by the calling thread on a file handle.
- NtCancelIoFileExntoskrnl.exeT1562.001T1106
Cancels a specific outstanding I/O request on a file, regardless of which thread issued it.
- NtCancelSynchronousIoFilentoskrnl.exeT1562.001T1106
Cancels a synchronous I/O call that is currently blocking another thread.
- NtCancelWaitCompletionPacketntoskrnl.exeT1055T1106
Cancels a previously associated wait-completion packet, removing the dispatcher-object binding.
- NtAssociateWaitCompletionPacketntoskrnl.exeT1055T1106
Binds a wait-completion packet to a dispatcher object so its signal posts an entry to an IOCP.
- NtCreateWorkerFactoryntoskrnl.exeT1055T1106
Creates a kernel worker factory object — the threadpool primitive that PoolParty injection abuses to spawn shellcode without NtCreateThreadEx.
- NtShutdownWorkerFactoryntoskrnl.exeT1055T1106
Signals a worker factory to stop creating new threads and reports how many workers are still pending.
- NtSetInformationWorkerFactoryntoskrnl.exeT1055T1106
Sets a configuration class on a worker factory — including, in some PoolParty variants, the StartRoutine that worker threads will execute.
- NtQueryInformationWorkerFactoryntoskrnl.exeT1055T1106
Queries configuration and runtime state of a worker factory, including the current StartRoutine and worker counts.
- NtWorkerFactoryWorkerReadyntoskrnl.exeT1106
Signals to the kernel that a threadpool worker is ready to receive work — part of the internal ntdll!TppWorkerThread handshake.
- NtReleaseWorkerFactoryWorkerntoskrnl.exeT1055T1106
Requests the kernel to make at least one worker available in the factory — used by the user-mode threadpool to wake the pool on work submission.
- NtWaitForWorkViaWorkerFactoryntoskrnl.exeT1055T1027.011
Blocks a threadpool worker until a work item is available on the factory's completion queue — the hot loop hijacked by PoolParty.
- NtCreateTransactionntoskrnl.exeT1055.013T1027
Creates a new KTM (Kernel Transaction Manager) transaction object used to wrap NTFS operations atomically.
- NtOpenTransactionntoskrnl.exeT1055.013T1106
Opens an existing KTM transaction object by name or unit-of-work GUID.
- NtCommitTransactionntoskrnl.exeT1055.013T1055.012
Commits a KTM transaction, atomically persisting every change made under it to disk.
- NtRollbackTransactionntoskrnl.exeT1055.013T1027
Rolls back a KTM transaction, discarding every change made under it.
- NtCreateEnclaventoskrnl.exeT1620T1574
Allocates a new enclave (SGX or VBS/VTL1) inside a target process's address space.
- NtInitializeEnclaventoskrnl.exeT1620T1574
Finalises an enclave after image load — verifies signatures and transitions it to executable state.
- NtCallEnclaventoskrnl.exeT1620T1574
Transitions execution from VTL0 host code into a routine inside an initialised enclave.
- NtTerminateEnclaventoskrnl.exeT1620T1106
Tears down an enclave, releasing its VTL1 memory and signalling any threads still inside.
- NtLoadEnclaveDatantoskrnl.exeT1620T1574
Copies a page-aligned buffer (code or data) from VTL0 host memory into an enclave's VTL1 range before initialisation.
- NtCreateKeyntoskrnl.exeT1547.001T1546.012
Creates or opens a registry key — the kernel-level primitive behind every persistence beacon written to the registry.
- NtOpenKeyntoskrnl.exeT1003.002T1003.004
Opens an existing registry key — the kernel entry behind RegOpenKeyEx, used to reach SAM, SECURITY and persistence hives.
- NtOpenKeyExntoskrnl.exeT1003.002T1003.004
Extended variant of NtOpenKey accepting OpenOptions — required for symlink-following and backup-semantics opens.
- NtDeleteKeyntoskrnl.exeT1112T1070.001
Deletes a registry key when the handle is closed — used to wipe persistence and audit-key artefacts post-execution.
- NtDeleteValueKeyntoskrnl.exeT1112T1070.009
Removes a single named value from an open registry key, leaving the key itself intact.
- NtSetValueKeyntoskrnl.exeT1547.001T1546.012
Writes a named value into an open registry key — the workhorse for Run-key and IFEO persistence.
- NtQueryValueKeyntoskrnl.exeT1552.002T1555
Reads a value from a registry key — the targeted credential and config harvest primitive.
- NtQueryMultipleValueKeyntoskrnl.exeT1552.002T1012
Atomically reads several registry values from a single key in one syscall.
- NtEnumerateKeyntoskrnl.exeT1518T1012
Enumerates subkeys of a registry key — used to walk AutoRun, IFEO and Services for persistence discovery.
- NtQueryKeyntoskrnl.exeT1012T1082
Returns metadata about an open registry key — name, class, subkey/value counts, last-write time.
- NtRenameKeyntoskrnl.exeT1112T1547.001
Renames an existing registry key in place — no Win32 wrapper, callable only via the NT API.
- NtLoadKeyntoskrnl.exeT1003.002T1003.004
Mounts a registry hive file under a target key — the syscall behind offline SAM/SYSTEM loading.
- NtLoadKey2ntoskrnl.exeT1003.002T1106
Loads a registry hive into the configuration tree with a 2-flag wrapper around NtLoadKey.
- NtLoadKeyExntoskrnl.exeT1003.002T1574
Modern hive-load syscall — backs RegLoadKeyW, RegLoadAppKeyW and the AppContainer registry virtualization layer.
- NtUnloadKeyntoskrnl.exeT1003.002T1112
Detaches a previously-loaded registry hive from the configuration manager.
- NtRestoreKeyntoskrnl.exeT1112T1547.001
Overwrites a registry key's contents from a hive file — replaces subtrees in bulk.
- NtSaveKeyntoskrnl.exeT1003.002T1003.004
Writes a live registry key (with subtree) to a hive file — the kernel side of SAM/SECURITY theft.
- NtFlushKeyntoskrnl.exeT1547.001T1112
Forces all pending changes to a registry key to be written to its backing hive on disk.
- NtCompressKeyntoskrnl.exeT1106
Forces defragmentation / compaction of a loaded registry hive backing file.
- NtNotifyChangeKeyntoskrnl.exeT1547.001T1112
Registers an asynchronous notification for changes to a registry key and (optionally) its subtree.
- NtNotifyChangeMultipleKeysntoskrnl.exeT1547.001T1112
Registers a single notification request that fires when any of several registry keys changes.
- NtFreezeRegistryntoskrnl.exeT1562.001T1106
Temporarily blocks all registry write operations system-wide, used by VSS for consistent snapshots.
- NtThawRegistryntoskrnl.exeT1562.001T1106
Releases a previous registry freeze so writes resume; counterpart of NtFreezeRegistry.
- NtClosentoskrnl.exeT1622T1106
Closes a kernel object handle (file, key, event, process, thread, section, etc.).
- NtCreateFilentoskrnl.exeT1564.001T1547.001
Creates or opens a file, directory, device, or named pipe — every dropper's first call to disk.
- NtOpenFilentoskrnl.exeT1083T1005
Opens a handle to an existing file or device — the lighter no-create counterpart of NtCreateFile.
- NtReadFilentoskrnl.exeT1003.001T1555.003
Reads bytes from a file, device, named pipe or mapped section into a user buffer — the kernel primitive behind ReadFile.
- NtWriteFilentoskrnl.exeT1486T1561.001
Writes data to an open file, pipe, or device — the kernel companion to NtCreateFile for dropping payloads.
- NtDeleteFilentoskrnl.exeT1070.004T1106
Deletes a file by path without first opening a handle — a rare anti-forensics primitive.
- NtSetInformationFilentoskrnl.exeT1486T1070.004
Sets file metadata via FILE_INFORMATION_CLASS — rename, dispose (delete), allocate, end-of-file, etc.
- NtQueryInformationFilentoskrnl.exeT1070.006T1564.004
Reads metadata about an open file — timestamps, size, EAs, streams, reparse points and more.
- NtQueryDirectoryFilentoskrnl.exeT1083T1014
Enumerates a directory at the IRP layer — used by rootkits to hide files by tampering with the returned list.
- NtDeviceIoControlFilentoskrnl.exeT1068T1562.001
Sends an IOCTL to a kernel driver — the user-mode entry point for every BYOVD primitive abuse.
- NtFsControlFilentoskrnl.exeT1564.004T1574.005
Sends FSCTL codes to a filesystem — used to plant reparse points, access ADS, and abuse junction traversal.
- NtLockFilentoskrnl.exeT1497T1486
Acquires a byte-range lock on an open file, optionally exclusive and optionally asynchronous.
- NtUnlockFilentoskrnl.exeT1497T1486
Releases a previously-acquired byte-range lock on an open file.
- NtNotifyChangeDirectoryFilentoskrnl.exeT1083T1497
Registers an asynchronous notification request for filesystem changes within an opened directory handle.
- NtNotifyChangeDirectoryFileExntoskrnl.exeT1083T1486
Extended directory-change notification that lets the caller pick the FILE_NOTIFY_INFORMATION class returned in the buffer.
- NtQueryVolumeInformationFilentoskrnl.exeT1083T1486
Retrieves filesystem and volume properties (label, size, device type, attributes) for the volume backing a file handle.
- NtSetVolumeInformationFilentoskrnl.exeT1486T1491.001
Modifies writable volume properties — primarily the volume label — for the volume backing a file handle.
- NtSetEaFilentoskrnl.exeT1564.004T1564
Writes NTFS extended attributes (EAs) attached to a file handle.
- NtQueryEaFilentoskrnl.exeT1564.004T1564
Reads NTFS extended attributes (EAs) from a file handle, optionally filtered or paged.
- NtDuplicateObjectntoskrnl.exeT1003.001T1134.001
Duplicates a handle from a source process into a target process, optionally adjusting access or closing the source.
- NtQueryObjectntoskrnl.exeT1622T1003.001
Returns metadata about a kernel object handle: basic info, name, type, or the system-wide type table.
- NtSetInformationObjectntoskrnl.exeT1622T1106
Sets handle-level attributes (inheritance, protect-from-close) on a kernel object handle.
- NtCompareObjectsntoskrnl.exeT1106
Returns STATUS_SUCCESS when two handles refer to the same underlying kernel object.
- NtMakePermanentObjectntoskrnl.exeT1106
Sets the OBJ_PERMANENT attribute on a named kernel object so it survives after the last handle closes.
- NtMakeTemporaryObjectntoskrnl.exeT1106T1070
Clears the OBJ_PERMANENT attribute so the kernel object is freed once its last handle closes.
- NtCreateDirectoryObjectntoskrnl.exeT1559T1106
Creates a new directory object in the Windows object manager namespace.
- NtOpenDirectoryObjectntoskrnl.exeT1083T1518.001
Opens an existing directory object in the Windows object manager namespace.
- NtQueryDirectoryObjectntoskrnl.exeT1083T1518.001
Enumerates the entries (name + type) inside an object-manager directory.
- NtCreateSymbolicLinkObjectntoskrnl.exeT1546T1574
Creates an object-manager symbolic link from a name to an arbitrary NT target string.
- NtOpenSymbolicLinkObjectntoskrnl.exeT1574T1083
Opens an existing object-manager symbolic link by name, returning a handle for later query or deletion.
- NtAddAtomntoskrnl.exeT1055T1559
Adds (or refcount-increments) a string in the global kernel atom table and returns its 16-bit atom ID.
- NtFindAtomntoskrnl.exeT1055T1559
Looks up an existing global atom by name and returns its 16-bit ID without incrementing the refcount.
- NtDeleteAtomntoskrnl.exeT1055T1106
Decrements the reference count of a global atom and removes it when the count reaches zero.
- NtQueryInformationAtomntoskrnl.exeT1055T1559
Returns metadata about a single atom or the entire global atom table — name, refcount, pin count, usage counts.
- NtQuerySecurityObjectntoskrnl.exeT1069T1087
Retrieves a self-relative SECURITY_DESCRIPTOR from any kernel object exposed via a handle.
- NtSetSecurityObjectntoskrnl.exeT1222T1222.001
Writes a new SECURITY_DESCRIPTOR (owner / DACL / SACL / label) onto a kernel object by handle.
- NtSetCachedSigningLevelntoskrnl.exeT1553T1574
Writes a Code Integrity cached signing-level result into an NTFS extended attribute on the target file.
- NtAddBootEntryntoskrnl.exeT1542.003T1542
Registers a new BOOT_ENTRY in the Boot Configuration Database (BCD) and returns its assigned ID.
- NtModifyBootEntryntoskrnl.exeT1542.003T1542
Replaces an existing BOOT_ENTRY in the Boot Configuration Database with a new descriptor, keyed by its ID.
- NtDeleteBootEntryntoskrnl.exeT1542.003T1490
Removes a BOOT_ENTRY from the Boot Configuration Database by ID, deleting the corresponding firmware variable on UEFI.
- NtEnumerateBootEntriesntoskrnl.exeT1542.003T1082
Returns a packed array of BOOT_ENTRY structures describing every registered firmware boot option.
- NtQueryBootEntryOrderntoskrnl.exeT1542.003T1082
Reads the firmware's ordered list of BOOT_ENTRY IDs — the sequence the platform will attempt at next power-on.
- NtSetBootEntryOrderntoskrnl.exeT1542.003T1542
Writes the firmware boot-attempt order — the array of BOOT_ENTRY IDs the platform will try in sequence.
- NtQueryBootOptionsntoskrnl.exeT1497T1106
Reads the system's BCD boot options blob — debug flags, OS load options, hypervisor settings, test signing.
- NtAddDriverEntryntoskrnl.exeT1542.001T1542.003
Registers a new EFI_DRIVER_ENTRY in the firmware so the UEFI environment loads a driver before the OS.
- NtModifyDriverEntryntoskrnl.exeT1542.001T1014
Overwrites an existing EFI_DRIVER_ENTRY identified by its ID, rewriting the UEFI Driver#### NVRAM variable in place.
- NtDeleteDriverEntryntoskrnl.exeT1542.001T1014
Removes a registered EFI_DRIVER_ENTRY by ID, deleting the corresponding UEFI Driver#### NVRAM variable.
- NtEnumerateDriverEntriesntoskrnl.exeT1542.001T1082
Returns a packed list of every registered EFI_DRIVER_ENTRY — the UEFI Driver#### variables dispatched before the boot manager.
- NtQueryDriverEntryOrderntoskrnl.exeT1542.001T1106
Reads the platform's UEFI DriverOrder list — the sequence in which UEFI Driver#### entries load at boot.
- NtSetDriverEntryOrderntoskrnl.exeT1542.001T1542.003
Rewrites the platform's UEFI DriverOrder list, controlling which UEFI drivers load first at boot.
- NtQuerySystemEnvironmentValuentoskrnl.exeT1542.001T1106
Reads a legacy x86 BIOS/NV-RAM system environment variable by name (pre-UEFI interface).
- NtSetSystemEnvironmentValuentoskrnl.exeT1542.001T1106
Writes a legacy x86 BIOS/NV-RAM system environment variable (pre-UEFI interface).
- NtQuerySystemEnvironmentValueExntoskrnl.exeT1542.001T1106
Reads a UEFI variable identified by a (name, vendor GUID) pair and returns its data plus attributes.
- NtSetSystemEnvironmentValueExntoskrnl.exeT1542.001T1542.003
Writes or deletes a UEFI variable identified by (name, vendor GUID) — the canonical firmware-persistence surface.
- NtSerializeBootntoskrnl.exeT1106
Triggers serialization of the boot trace buffer — finalizes performance data collected during early system start.
- NtLoadDriverntoskrnl.exeT1068T1543.003
Loads a kernel-mode driver from a registry-described service entry — the BYOVD entry point.
- NtUnloadDriverntoskrnl.exeT1562.001T1068
Unloads a previously loaded kernel-mode driver — the BYOVD cleanup primitive.
- NtSystemDebugControlntoskrnl.exeT1014T1622
Routes kernel debugger-style requests (kernel R/W, control space, breakpoints, profiler) selected by the SysDbgCommand enum.
- NtSetSystemPowerStatentoskrnl.exeT1529T1485
Transitions the system into the requested sleep, hibernate or working power state.
- NtInitiatePowerActionntoskrnl.exeT1529T1485
Requests the power manager to perform a system-wide power action (sleep, hibernate, shutdown, reboot).
- NtShutdownSystemntoskrnl.exeT1529T1485
Kernel-mode shutdown trigger — powers off, reboots or shuts down the system in one syscall.
- NtCreatePagingFilentoskrnl.exeT1499T1106
Creates or extends a Windows pagefile at the requested NT path; requires SeCreatePagefilePrivilege.
- NtVdmControlntoskrnl.exeT1068T1106
Legacy NT Virtual DOS Machine control entry point — 16-bit DOS/Windows support, defunct on x64.