Complete List of WNF_ Names with Descriptions (Windows Notification Facility)

The Windows Notification Facility (WNF) is a lesser-known but powerful internal Windows mechanism used for system-wide notifications and state tracking. Below is a (likely incomplete) list of `WNF_` constants, including some undocumented ones like WNF_WTD_SENSOR_MONITORING_STATE.

GitHub Repository: rbmm/WnfNames

You Should Know: How to Explore WNF Internals

1. Enumerate WNF States with PowerShell

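List WMI permanent event filters whose name contains WNF (requires admin; this reads the WMI repository under root\subscription, not the kernel's WNF state-name table):
Get-WmiObject -Namespace "root\subscription" -Class "__EventFilter" | Where-Object { $_.Name -like "*WNF*" } | Select Name, Query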

2. Monitor WNF Events using WinDbg

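Break on WNF calls in WinDbg (the nt! symbols resolve in a kernel debugging session; when attached to a single user-mode process, the same calls are ntdll!NtQueryWnfStateData and ntdll!NtUpdateWnfStateData):
bp nt!NtQueryWnfStateData
bp nt!NtUpdateWnfStateData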

3. Dump WNF Data via Kernel Debugging

Use WinDbg to dump WNF state info:
!wnf state
!wnf name WNF_WTD_SENSOR_MONITORING_STATE
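
4. Extract WNF Info via C++ (Undocumented API)

#include <windows.h>
#include <winternl.h>
#include <stdio.h>

// NtQueryWnfStateData is not declared in the SDK headers, so declare
// the types here and resolve the export from ntdll.dll at run time.
typedef struct _WNF_STATE_NAME { ULONG Data[2]; } WNF_STATE_NAME;
typedef ULONG WNF_CHANGE_STAMP;
typedef NTSTATUS (NTAPI *NtQueryWnfStateData_t)(
    const WNF_STATE_NAME *StateName, const void *TypeId, const void *ExplicitScope,
    WNF_CHANGE_STAMP *ChangeStamp, PVOID Buffer, PULONG BufferSize);

int main() {
    auto NtQueryWnfStateData = (NtQueryWnfStateData_t)GetProcAddress(
        GetModuleHandleW(L"ntdll.dll"), "NtQueryWnfStateData");
    if (!NtQueryWnfStateData) return 1;

    WNF_STATE_NAME stateName = {};    // placeholder: set to a value from the WNF_ name list
    WNF_CHANGE_STAMP changeStamp = 0;
    BYTE buffer[4096];
    ULONG bufferSize = sizeof(buffer);

    // Example: Query WNF_SHEL_ states
    NTSTATUS status = NtQueryWnfStateData(
        &stateName,
        NULL,
        NULL,
        &changeStamp,
        buffer,         // the buffer itself, not a pointer to the pointer
        &bufferSize     // in: capacity, out: bytes of state data
    );
    printf("status=0x%08lX stamp=%lu size=%lu\n",
           (unsigned long)status, changeStamp, bufferSize);
    return 0;
}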
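
The `stateName` passed to NtQueryWnfStateData above is an opaque 64-bit value. As an added example (not code from the post or from rbmm/WnfNames), this decoder splits such a value into version, lifetime, scope and family tag, which helps when triaging which WNF states a process touches. The XOR constant, the bit layout and the sample value for WNF_SHEL_APPLICATION_STARTED are assumptions taken from public reverse-engineering research, not from this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption (public research, not from the post): names are XORed with this key. */
#define WNF_STATE_KEY 0x41C64E6DA3BC0074ULL

typedef struct {
    unsigned version;    /* bits 0-3 */
    unsigned lifetime;   /* bits 4-5 */
    unsigned scope;      /* bits 6-9 */
    unsigned permanent;  /* bit 10, PermanentData flag */
    uint64_t unique;     /* bits 11-63 */
    char tag[5];         /* 4-char family tag, well-known names only */
} wnf_name_info;

static const char *wnf_lifetime_str(unsigned l) {
    static const char *n[] = {"well-known", "permanent", "persistent", "temporary"};
    return n[l & 3];
}

static const char *wnf_scope_str(unsigned s) {
    static const char *n[] = {"system", "session", "user", "process", "machine"};
    return s < 5 ? n[s] : "unknown";
}

/* Decode an opaque 64-bit WNF state name into its fields. */
static wnf_name_info wnf_decode(uint64_t state_name) {
    uint64_t clear = state_name ^ WNF_STATE_KEY;
    wnf_name_info i;
    memset(&i, 0, sizeof i);
    i.version   = (unsigned)(clear & 0xF);
    i.lifetime  = (unsigned)((clear >> 4) & 0x3);
    i.scope     = (unsigned)((clear >> 6) & 0xF);
    i.permanent = (unsigned)((clear >> 10) & 0x1);
    i.unique    = clear >> 11;
    if (i.lifetime == 0)   /* well-known: top 32 bits carry the ASCII tag */
        for (int k = 0; k < 4; k++)
            i.tag[k] = (char)((clear >> (32 + 8 * k)) & 0xFF);
    return i;
}

int main(void) {
    /* Sample input: value publicly listed for WNF_SHEL_APPLICATION_STARTED (assumption). */
    wnf_name_info i = wnf_decode(0x0D83063EA3BE0075ULL);
    printf("tag=%s v=%u lifetime=%s scope=%s permanent=%u\n", i.tag, i.version,
           wnf_lifetime_str(i.lifetime), wnf_scope_str(i.scope), i.permanent);
    return 0;
}
```

Temporary and process-scoped names decode with an empty tag, which makes them easy to separate from the well-known `WNF_` constants in a trace.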
    

5. Detect Malicious WNF Usage (Security Research)

Check for suspicious WNF access in Procmon:
procmon.exe /Filter "Operation contains WNF"

What Undercode Say

The Windows Notification Facility remains a goldmine for Windows internals research, malware analysis, and rootkit detection. Since many `WNF_` states are undocumented, reverse engineering (IDA Pro/Ghidra) is often required. Expect more discoveries as Windows 11 evolves.

Expected Output:

• A structured list of `WNF_` constants.
• Practical debugging & monitoring techniques.
• Security implications of undocumented WNF usage.

Prediction:

Future Windows versions may restrict WNF access due to its abuse potential in malware persistence. Researchers should document findings before Microsoft locks it down.

Reported By: Alex S – Hackers Feeds