Geoff Chappell, Software Analyst
Revision in progress. Use caution.
This page lists the functions that are newly exported from the Windows kernel in its 1709 release. Relative to the highly selective disclosure that Microsoft has established for previous releases of Windows 10, surprisingly many of these additions for the 1709 release are documented.
For the table below, documentation status is summarised by colour coding so that more detail can be given as Remarks with less text. (If you read this website with scripts enabled, then hovering the mouse over any coloured text will produce a tooltip that shows why the text is coloured.) Functions that have their own non-trivial documentation are shown with no background colour. Functions that appear to be completely undocumented are highlighted yellow. If a function is documented now but was not documented in the first contemporaneous Device Driver Kit (DDK), Windows Driver Kit (WDK) or Installable File System (IFS) Kit, then it is shaded yellow to retain some of its previous status. Many undocumented functions do at least have C-language declarations in one or another header file from the WDK. These are shaded orange, except for one special case. Some declarations are known only from “minwin” headers that Microsoft published in early editions of the WDK for Windows 10 which seem since to have been withdrawn. These are highlighted orange to indicate that public knowledge even of the declaration is exceptional.
| Name | Export History | Declaration History |
|---|---|---|
| AlpcCreateSecurityContext | ||
| CcGetNumberOfMappedPages | ||
| EtwTelemetryCoverageReport | ||
| ExGetFirmwareType | ||
| ExIsSoftBoot | ||
| FsRtlNotifyFilterReportChangeLiteEx | ||
| HvlInvokeFastExtendedHypercall | x64 only | |
| IoCheckLinkShareAccess | ||
| IoRemoveLinkShareAccess | ||
| IoSetLinkShareAccess | ||
| IoUpdateLinkShareAccess | ||
| KeSetLastBranchRecordInUse | x64 only | |
| MmGetSectionInformation | ||
| MmMapMdl | ||
| NtNotifyChangeDirectoryFileEx | ||
| NtQueryDirectoryFileEx | ||
| PoFxSetTargetDripsDevicePowerState | declared start is 10.0 | |
| PsGetParentSilo | ||
| PsGetProcessSilo | ||
| PsIsWin32KFilterAuditEnabledForProcess | ||
| PsIsWin32KFilterEnabledForProcess | ||
| PsPartitionType (data) | ||
| PsSetLoadImageNotifyRoutineEx | ||
| PsSetProcessFaultInformation |
Though PsGetProcessSilo is not an exported function until the 1709 release, it exists in the kernel as an internal routine even in the original Windows 10. It was perhaps meant to be exported all along, if only for Microsoft’s private use.
| Name | Export History | Declaration History |
|---|---|---|
| RtlCapabilityCheckForSingleSessionSku | ||
| RtlCheckSystemBootStatusIntegrity | ||
| RtlExtendCorrelationVector | declared start is 1703 | |
| RtlExtractBitMapEx | x64 only | |
| RtlGetSystemBootStatus | ||
| RtlGetSystemBootStatusEx | ||
| RtlIncrementCorrelationVector | declared start is 1703 | |
| RtlInitializeCorrelationVector | declared start is 1703 | |
| RtlIsCloudFilesPlaceholder | declared start is 1703 | |
| RtlIsPartialPlaceholder | declared start is 1703 | |
| RtlIsPartialPlaceholderFileHandle | declared start is 1703 | |
| RtlIsPartialPlaceholderFileInfo | declared start is 1703 | |
| RtlIsStateSeparationEnabled | before 1803, declared start is 1703 since 1803, declared start is 1803 |
|
| RtlOpenImageFileOptionsKey | ||
| RtlPcToFileName | ||
| RtlPcToFilePath | ||
| RtlQueryImageFileKeyOption | ||
| RtlQueryThreadPlaceholderCompatibilityMode | ||
| RtlRestoreSystemBootStatusDefaults | ||
| RtlSetSystemBootStatus | ||
| RtlSetSystemBootStatusEx | ||
| RtlSetThreadPlaceholderCompatibilityMode | ||
| RtlShiftLeftBitMap | ||
| RtlShiftLeftBitMapEx | x64 only | |
| RtlValidateCorrelationVector | declared start is 1703 |
Declaration of RtlIsStateSeparationEnabled is troubled. In the NTDDK.H from the WDK for Windows 10 Version 1709, its conditional-compilation block allows NTDDI_WIN10_RS2. In the next WDK, the comment that closes the block has been updated to requiring NTDDI_WIN10_RS3. Perhaps the whole block was briefly corrected while preparing the WDK for 1803, but then the declaration got caught up with that of the new RtlGetPersistedStateLocation and the #if jumps ahead to requiring NTDDI_WIN10_RS4.
| Name | Export History | Documentation History |
|---|---|---|
| VslGetSecurePciEnabled | ||
| ZwAlpcOpenSenderProcess | ||
| ZwGetNextThread | ||
| ZwNotifyChangeDirectoryFileEx | ||
| ZwQueryDirectoryFileEx | before December 2017, declared |
The only documentation of ZwQueryDirectoryFileEx at Microsoft’s website today, 27th September 2020, is well separated from other WDK documentation into a section for previous versions and carries a warning that Microsoft is “no longer updating this content regularly.” Microsoft’s date for the page is 12th December 2017 which would mean it was not published for the 1709 release.