Geoff Chappell, Software Analyst
This page lists the functions and variables that are newly exported by name from the Windows kernel in the 1903 release for Windows 10. Two functions that are new to this release are exported only by ordinal and are listed among the Ordinal-Only Kernel Exports Added for Version 10.0.
For the table below, documentation status is summarised by colour coding so that more detail can be given as Remarks with less text. (If you read this website with scripts enabled, then hovering the mouse over any coloured text will produce a tooltip that shows why the text is coloured.) Functions that have their own non-trivial documentation are shown with no background colour. If the function is documented as reserved or obsolete, it is shaded red or shaded grey, respectively. Functions that appear to be completely undocumented are highlighted yellow. If a function is documented now but was not documented in the first contemporaneous Device Driver Kit (DDK), Windows Driver Kit (WDK) or Installable File System (IFS) Kit, then it is shaded yellow to retain some of its previous status. Many undocumented functions do at least have C-language declarations in one or another header file from the WDK. These are shaded orange, except for one special case. Some declarations are known only from “minwin” headers that Microsoft published in early editions of the WDK for Windows 10 which seem since to have been withdrawn. These are highlighted orange to indicate that public knowledge even of the declaration is exceptional.
| Name | Export History | Documentation History | Declaration History |
|---|---|---|---|
| ExActivationObjectType (data) | |||
| HvlQueryStartedProcessors | |||
| IoRemoveLinkShareAccessEx | declared start is 1809 | ||
| IoUpdateLinkShareAccessEx | declared start is 1809 | ||
| KeAllocateProcessorProfileStructures | |||
| KeSetTracepoint | x64 only | ||
| MmAllocateMemoryRanges | |||
| MmConfigureGraphicsPtes | |||
| MmFreeMemoryRanges | |||
| MmGetPageBadStatus | |||
| MmQueryMemoryRanges | |||
| MmSecureVirtualMemoryEx | documented start is 1809 | declared start is 1809 | |
| ObCreateObjectTypeEx | |||
| PoFxCompleteDirectedPowerDown | declared start is 1809 | ||
| RtlConstructCrossVmEventPath | |||
| RtlCreateUnicodeStringFromAsciiz | |||
| RtlFillMemoryNonTemporal | x64 only | ||
| RtlFillNonVolatileMemory | x64 only | ||
| RtlGetMultiTimePrecise | |||
| RtlInterlockedClearBitRunEx | x64 only | ||
| RtlInterlockedSetBitRunEx | x64 only | ||
| RtlNumberOfSetBitsInRangeEx | x64 only | ||
| RtlUdiv128 |
It’s not the ordinary practice for this survey to say anything for the Documentation History or Declaration History if what Microsoft says is correct or if Microsoft says nothing. Either ought to be completely unremarkable. But of the functions that are newly exported from the kernel in Version 1903, so few are documented or have declarations in any WDK header, and of these few almost all are said by Microsoft to be available in Version 1809. So, perhaps it’s as well to spell out that for RtlFillMemoryNonTemporal Microsoft gives no version information but that versions are specified for RtlFillNonVolatileMemory and are correct!
| Name | Documentation History |
|---|---|
| SeSetSessionIdTokenWithLinked | |
| WheaAddErrorSourceDeviceDriver | before 2004, declared documented start is 2004 |
| WheaAttemptClearPoison | |
| WheaHighIrqlLogSelEventHandlerRegister | before late 2019, declared |
| WheaHighIrqlLogSelEventHandlerUnregister | before late 2019, declared |
| WheaRemoveErrorSource | before late 2019, declared |
| WheaRemoveErrorSourceDeviceDriver | before 2004, declared documented start is 2004 |
| WheaReportHwErrorDeviceDriver | |
| WheaUnconfigureErrorSource | before late 2019, declared |
The WheaAddErrorSourceDeviceDriver function that is documented at Microsoft’s website today, 14th October 2020, is not the same-named function that is newly exported from the Version 1903 kernel. It is instead what the function was changed to for the 2004 release. In this sense, Microsoft’s documentation, dated 1st April 2020, is correct that the function requires at least Version 2004. This is a very rare case of a documented function being changed incompatibly. The original has four arguments. The new has three. The original continues to be exported from the kernel in Version 2004 but with the new name WheaAddErrorSourceDeviceDriverV1.
Having not looked for WheaAddErrorSourceDeviceDriver at Microsoft’s website in 2019, I can’t say certainly that its original form wasn’t documented for the 1903 release, but I detect a strong suggestion. The function’s obvious partner, WheaRemoveErrorSourceDeviceDriver, did not change for the 2004 release yet Microsoft dates this function’s documentation to 28th April 2020, not to 2019. Contrast with WheaReportHwErrorDeviceDriver, whose documentation is dated 5th March 2019 (and says correctly that the function’s availabilty starts at 1903).
From Microsoft’s own dates, documentation of four new Whea functions as reserved did not happen until 19th August 2019. This is too late to count as documentation for the 1903 release. They do all have declarations, however, in NTDDK.H from the WDK for Windows 10 Version 1903.
| Name | Documentation History |
|---|---|
| ZwSystemDebugControl |
As with many Zw functions, ZwSystemDebugControl has earlier history as a user-mode export from NTDLL.DLL—indeed, in this case all the way back to version 3.10. A declaration thus appears in the ZWAPI.H header that Microsoft published only in early editions of the WDK for Windows 10. It would otherwise be undocumented.
The 1903 release of the Windows 10 kernel stops exporting three functions. All had only brief lives. The versions in parentheses tells when the functions were first exported: