Using NtQueryWnfStateData (ntdll.dll) Better

On 64-bit Windows, a 32-bit process calling NtQueryWnfStateData may behave differently from a native 64-bit one. Always test on the target configuration.

Using undocumented APIs carries risks. Here is how to do it better and more safely.

The better pattern for a monitoring loop: probe for the change stamp first, fetch the data only when the stamp has moved, and check the status of every call rather than trusting the buffer contents.

```c
ULONG lastStamp = 0;
while (monitoring) {
    ULONG newStamp = 0;
    ULONG dataSize = 0;
    // Size-only probe: with no buffer the call fails with STATUS_BUFFER_TOO_SMALL
    // and reports the required size, but the change stamp is still returned.
    // stateName is the WNF_STATE_NAME being watched; 0 is STATUS_SUCCESS.
    NTSTATUS status = NtQueryWnfStateData(&stateName, NULL, NULL, &newStamp, NULL, &dataSize);
    if ((status == 0 || status == STATUS_BUFFER_TOO_SMALL) && newStamp != lastStamp) {
        // State changed: fetch the data with a large buffer and check the result
        BYTE buffer[1024];
        ULONG bufferSize = sizeof(buffer);
        status = NtQueryWnfStateData(&stateName, NULL, NULL, &newStamp, buffer, &bufferSize);
        if (status == 0) {
            ProcessStateChange(buffer, bufferSize); // bufferSize now holds the bytes written
            lastStamp = newStamp;
        }
        // STATUS_BUFFER_TOO_SMALL here means the data grew past 1024 bytes between the
        // probe and the fetch; bufferSize holds the size needed for a retry.
    }
    Sleep(100); // Or better: wait on a WNF subscription handle
}
```
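To exercise the probe-then-fetch pattern off Windows, here is an added example (not the page's code) written against an injected query function whose contract is modelled on NtQueryWnfStateData: the change stamp is always written, and a too-small buffer yields STATUS_BUFFER_TOO_SMALL with the required size. It goes one step beyond the loop above by retrying when the data grows between the probe and the fetch; the state store and publisher are constructed test doubles.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define STATUS_SUCCESS          ((int32_t)0x00000000)
#define STATUS_BUFFER_TOO_SMALL ((int32_t)0xC0000023)

/* Contract modelled on NtQueryWnfStateData: always writes the change stamp, and when the
 * buffer is too small returns STATUS_BUFFER_TOO_SMALL with *size set to the bytes needed. */
typedef int32_t (*wnf_query_fn)(uint32_t *stamp, void *buf, uint32_t *size);

typedef struct { uint32_t stamp; uint32_t size; uint8_t *data; } wnf_snapshot;

/* Returns 1 and fills *snap (caller frees snap->data) when the stamp advanced past
 * *last_stamp, 0 when nothing changed, -1 on error or after too many size races. */
int wnf_fetch_if_changed(wnf_query_fn query, uint32_t *last_stamp, wnf_snapshot *snap) {
    uint32_t size = 0, stamp = 0;
    int32_t st = query(&stamp, NULL, &size);          /* size-only probe, also reads the stamp */
    if (st != STATUS_SUCCESS && st != STATUS_BUFFER_TOO_SMALL) return -1;
    if (stamp == *last_stamp) return 0;               /* nothing new, no allocation needed */
    uint8_t *buf = NULL;
    for (int attempt = 0; attempt < 4; attempt++) {   /* data may grow between probe and fetch */
        uint8_t *grown = realloc(buf, size ? size : 1);
        if (!grown) { free(buf); return -1; }
        buf = grown;
        st = query(&stamp, buf, &size);               /* on too-small, size is updated again */
        if (st == STATUS_SUCCESS) break;
        if (st != STATUS_BUFFER_TOO_SMALL) { free(buf); return -1; }
    }
    if (st != STATUS_SUCCESS) { free(buf); return -1; }
    snap->stamp = stamp; snap->size = size; snap->data = buf;
    *last_stamp = stamp;                              /* record the stamp of the data we hold */
    return 1;
}

/* Constructed stand-in for one WNF state name, so the helper can run off Windows (hypothetical). */
static uint32_t g_stamp = 1, g_len = 6;
static uint8_t g_data[64] = "hello";

int32_t fake_query(uint32_t *stamp, void *buf, uint32_t *size) {
    *stamp = g_stamp;
    if (buf == NULL || *size < g_len) { *size = g_len; return STATUS_BUFFER_TOO_SMALL; }
    memcpy(buf, g_data, g_len);
    *size = g_len;
    return STATUS_SUCCESS;
}

void fake_publish(const char *s) {                    /* simulates a publisher updating the state */
    g_len = (uint32_t)strlen(s) + 1;
    if (g_len > sizeof g_data) g_len = sizeof g_data;
    memcpy(g_data, s, g_len);
    g_stamp++;
}
```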

You must load the library at runtime to get the address of the function, since the SDK import libraries do not expose it.

```c
#include <windows.h>
#include <winternl.h> // NTSTATUS; the WNF prototype itself is not declared by the SDK headers
// Prototype as reconstructed by researchers from ntdll; verify it against your target build
typedef struct _WNF_STATE_NAME { ULONG Data[2]; } WNF_STATE_NAME;
typedef NTSTATUS (NTAPI *pNtQueryWnfStateData)(const WNF_STATE_NAME *StateName, const VOID *TypeId,
    const VOID *ExplicitScope, PULONG ChangeStamp, PVOID Buffer, PULONG BufferSize);
#define STATUS_BUFFER_TOO_SMALL ((NTSTATUS)0xC0000023L) // value from ntstatus.h

HMODULE hNtdll = LoadLibraryA("ntdll.dll");
if (!hNtdll) { /* Handle error */ }
pNtQueryWnfStateData NtQueryWnfStateData = (pNtQueryWnfStateData)GetProcAddress(hNtdll, "NtQueryWnfStateData");
if (!NtQueryWnfStateData) { /* Handle error: export missing on this build, fail closed */ }
```