NtQueryWnfStateData ntdll.dll

Her screen filled with one last line, printed in the debugger’s monospaced font:

NtQueryWnfStateData(\CurrentUser\Aris_Thorne\Consciousness) = UNKNOWN_STATE. Initiating process termination.

Her own name. Her clearance level. Omegas had no business looking at this process. But the state data claimed she had initiated an override.

The data was tiny—exactly 64 bytes. She formatted it as ASCII. What she saw made her push her chair back.

00000000`774a2f40 : ntdll!NtQueryWnfStateData
00000000`774a2e1f : ntdll!RtlQueryWnfStateData+0x2a

She froze. NtQueryWnfStateData.

When the machine went dark, the last thing she saw was her own reflection in the black screen—wondering if, somewhere in the kernel’s non-paged pool, a tiny state flag labeled ARIS_THORNE_ACTIVE was still set to TRUE.

Aris ran the GUID through a hash reverse lookup. Nothing in public databases. But her kernel debugger had a live pipe to the machine. She decided to peek at the actual state data being returned.

NtQueryWnfStateData(\System\ProcessMon\Thread_4428)

She dumped the parameters. The StateName GUID wasn’t a standard Microsoft identifier. It was custom. She traced the bytes:

Then the debugger detached. The word processor vanished again. But this time, her own desktop flickered. A command prompt opened by itself. It typed:

She had exactly three seconds to pull the power cable. She lunged.

All signs pointed to a deadlock in user mode. But after three weeks, Aris was desperate. She loaded WinDbg, attached to the live process, and began walking up the call stack of the suspended thread.

And something else was still querying it.

Her thread ID. 4428. The system was querying her active state data.

“Why is a word processor spying on WNF?” she whispered.
