Geoff Chappell - Software Analyst
This page lists the 157 functions and variables that are newly exported from the Windows kernel for the original Windows NT 4.0. Almost all are still exported as of version 10.0.
Also listed are five exports that were added in service packs: three variables in SP3 and two functions in SP4.
To convey more detail with less text, the page relies heavily on several types of shortcut.
The first is that although a few of the kernel’s exports are of variables rather than functions, I tend to talk of all as functions, hoping that no confusion will be caused by the loose terminology. The variables are indicated by a parenthetical “data” after their first appearance in the Functions column.
Documentation status is summarised by colour coding. (Had the website’s scripts run as expected, then hovering over any colour-coded text would produce a tooltip that shows why the text is coloured.) (To decode a colour, hover for a tooltip.)
Functions that appear to be completely undocumented are highlighted yellow. If a function is documented now but was not documented in the first contemporaneous Device Driver Kit (DDK), Windows Driver Kit (WDK) or Installable File System (IFS) Kit, then it is shaded yellow to retain some of its previous status. If a function is documented as reserved or obsolete, it is shaded red or shaded grey, respectively. Otherwise, functions that have their own non-trivial documentation are left with no background colour.
Many undocumented functions and some variables have C-language declarations in one or another header file. To show them as being not completely undocumented they are shaded orange, except for one special case. Some declarations are known only from “minwin” headers that Microsoft published in early editions of the WDK for Windows 10 which seem since to have been withdrawn. These are highlighted orange to indicate that public disclosure even of the declaration was exceptional.
The default understanding is that exporting continues for all later versions, and in both the x86 and x64 builds. Exceptions are sketched in a column headed Export History.
The description “x86 only” means that the function is not exported from any known x64 build but is exported from the x86 build of at least some version that has an x64 build. If it had already ceased as an export before Windows Server 2003 SP1, the “x86 only” is left unstated.
That a function is “discontinued in” some version means that the function is exported up to but not including the stated version and not in any later version unless “restored”.
It’s nothing but fair to note that the majority of these functions were not documented immediately. Even more were then or later said to require later versions. These misrepresentations of actual availability show also in C-language declarations for the functions’ use in programming. Conveying these differences between what the kernel exported and what Microsoft presented for drivers to import is the concern of columns headed Documentation History and Declaration History.
Conventions still in development!
Many functions in these early versions may have got their first documentation or declaration because their use was specially anticipated for installable file system (IFS) drivers. Microsoft published a separate IFS Kit for these, apparently starting from Windows 2000. For Windows Vista, the IFS Kit was merged into the WDK. Between, there are known to have been IFS Kits for Windows XP and Windows Server 2003, but I have not obtained either for inspection. Where applicable DDK versions are left to the imprecision of “5.1 (IFS) to 6.0”, whatever is described is known from the IFS section of the WDK for Windows Vista and is excluded from the IFS Kit for Windows 2000 and from the ordinary DDK for all of Windows 2000, Windows XP and Windows Server 2003.
As much as I might like to condense into one table as much as might be imagined is possible to summarise about all these functions’ history of availability both in the binary and according to the documentation and headers, many functions both individually and in groups demand additional explanation in text. I therefore break the tabulation according to Microsoft’s scheme of prefixes for separate areas of functionality within the otherwise monolithic kernel. Each function has its own row in one table, but please be sure to check for explanatory text before and (more usually) after the table.
| Function | Export History | Documentation History | Declaration History |
|---|---|---|---|
| CcFastCopyRead | before 5.0 (IFS), undocumented | since 6.0, declared start is 5.0 | |
| CcFastCopyWrite | before 5.0 (IFS), undocumented | since 6.0, declared start is 5.0 | |
| CcFastMdlReadWait (data) | before 5.1 (IFS) to 6.0, undocumented | ||
| CcFastReadNotPossible (data) | discontinued in 6.0 | ||
| CcFastReadWait (data) | discontinued in 6.0 | ||
| CcSetBcbOwnerPointer | before 5.0 (IFS), undocumented | since 6.0, declared start is 5.0 |
To say that the CcFastMdlReadWait, CcFastReadNotPossible and CcFastReadWait counters are indirectly documented would be a little generous even given the background that exported variables typically aren’t documented directly. Still, they are alluded to in documentation of FsRtlIncrementCcFastMdlReadWait, FsRtlIncrementCcFastReadNotPossible and FsRtlIncrementCcFastReadWait, except that what these functions increment are not variables that are exported from the kernel but the same-named members of the current processor’s KPRCB. Whether any or all were declared in NTIFS.H from an IFS Kit for versions 5.1 or 5.2 before two were discontinued for version 6.0 is not known.
| Function | Documentation History | Declaration History |
|---|---|---|
| DbgBreakPointWithStatus | before 5.0, declared; since 5.1, documented start is 5.0 |
since 6.0, declared start is 5.0 |
| Function | Export History | Documentation History | Declaration History |
|---|---|---|---|
| ExAllocateFromPagedLookasideList | since 6.0, x86 only | since 6.1 revision, documented start is 5.0 | |
| ExAllocatePoolWithTagPriority | starts in SP4 | since 6.1, documented start is 5.0 | since 6.0, declared start is 5.0 |
| ExDeleteNPagedLookasideList | since 6.1 revision, documented start is 5.0 | since 6.0, declared start is 5.0 | |
| ExDeletePagedLookasideList | since 6.1 revision, documented start is 5.0 | since 6.0, declared start is 5.0 | |
| ExDesktopObjectType (data) | before 10.0, undocumented; indirectly documented |
declared start is 10.0 | |
| ExEnumHandleTable | |||
| ExFreeToPagedLookasideList | since 6.0, x86 only | since 6.1 revision, documented start is 5.0 | |
| ExGetPreviousMode | before 5.0, declared; since 6.1 revision, documented start is 5.0 |
since 6.0, declared start is 5.0 | |
| ExInitializeNPagedLookasideList | since 6.1 revision, documented start is 5.0 | since 6.0, declared start is 5.0 | |
| ExInitializePagedLookasideList | since 6.1 revision, documented start is 5.0 | since 6.0, declared start is 5.0 | |
| ExInterlockedCompareExchange64 | x86 only | before 5.0, declared; since 6.1 revision, documented start is 5.0 |
|
| ExInterlockedPopEntrySList | x86 only | since 6.1 revision, documented start is 5.0 | |
| ExInterlockedPushEntrySList | x86 only | since 6.1 revision, documented start is 5.0 | |
| ExIsProcessorFeaturePresent | before 5.0, declared; since 6.1 revision, documented start is 5.0 |
since 6.0, declared start is 5.0 | |
| ExSetResourceOwnerPointer | before 5.0, declared; since 6.1 revision, documented start is 5.0 |
since 6.0, declared start is 5.0 | |
| ExWindowStationObjectType (data) |
Although the ExDesktopObjectType variable is not itself documented, it does get a mention in the WDK for Windows 10, specifically in documentation of the OB_OPERATION_REGISTRATION structure. It is there said, presumably just for the page’s limited purpose, to be “supported in Windows 10 and not in the earlier versions of the operating system.”
| Function | Documentation History | Declaration History |
|---|---|---|
| FsRtlAddToTunnelCache | before 5.0 (IFS), undocumented | since 6.0, declared start is 5.0 |
| FsRtlDeleteKeyFromTunnelCache | before 5.0 (IFS), undocumented;
in 6.1, documented start is 5.0 |
since 6.0, declared start is 5.0 |
| FsRtlDeleteTunnelCache | before 5.0 (IFS), undocumented | since 6.0, declared start is 5.0 |
| FsRtlFindInTunnelCache | before 5.0 (IFS), undocumented | since 6.0, declared start is 5.0 |
| FsRtlGetFileSize | before 5.0 (IFS), undocumented;
before 5.1 (IFS) to 6.0, declared |
since 6.0, declared start is 5.0 |
| FsRtlInitializeTunnelCache | before 5.0 (IFS), undocumented | since 6.0, declared start is 5.0 |
| FsRtlMdlReadComplete | ||
| FsRtlMdlReadCompleteDev | before 5.1 (IFS) to 6.0, undocumented | since 6.0, declared start is 5.0 |
| FsRtlMdlReadDev | before 5.1 (IFS) to 6.0, undocumented | since 6.0, declared start is 5.0 |
| FsRtlMdlWriteComplete | ||
| FsRtlMdlWriteCompleteDev | before 5.1 (IFS) to 6.0, undocumented | since 6.0, declared start is 5.0 |
| FsRtlPrepareMdlWriteDev | before 5.1 (IFS) to 6.0, undocumented | since 6.0, declared start is 5.0 |
| Function | Export History | Documentation History |
|---|---|---|
| InterlockedCompareExchange | x86 only | since 6.1 revision, documented start is 5.0 |
| InterlockedExchangeAdd | x86 only | since 6.1 revision, documented start is 5.0 |
| Function | Export History | Documentation History | Declaration History |
|---|---|---|---|
| IoAttachDeviceToDeviceStack | since 6.1 revision, documented start is 5.0 | since 6.0, declared start is 5.0 | |
| IoCreateNotificationEvent | since 6.1 revision, documented start is 5.0 | since 6.0, declared start is 5.0 | |
| IoDeviceHandlerObjectSize (data) | |||
| IoDeviceHandlerObjectType (data) | |||
| IoFastQueryNetworkAttributess | before 5.0 (IFS), undocumented;
before 5.1 (IFS) to 6.0, declared |
since 6.0, declared start is 5.0 | |
| IoGetBaseFileSystemDeviceObject | before 5.0 (IFS), undocumented;
before 5.1 (IFS) to 6.0, declared |
since 6.0, declared start is 5.0 | |
| IoGetStackLimits | before 5.0, declared; since 6.1 revision, documented start is 5.0 |
||
| IoOpenDeviceInstanceKey | discontinued in 5.0 | ||
| IoQueryDeviceEnumInfo | discontinued in 5.0 | ||
| IoQueueThreadIrp | before 5.1 (IFS) to 6.0, undocumented | since 6.0, declared start is 5.0 | |
| IoSetThreadHardErrorMode | before 5.0, declared; since 6.1, documented start is 5.0 |
since 6.0, declared start is 5.0 |
| Function | Export History | Documentation History | Declaration History |
|---|---|---|---|
| KeBoostCurrentThread | discontinued in 5.0 | ||
| KeI386Call16BitCStyleFunction | x86 only; discontinued in 6.2 |
||
| KeInitializeTimerEx | since 6.1 revision, documented start is 5.0 | since 6.0, declared start is 5.0 | |
| KeRaiseUserException | |||
| KeRestoreFloatingPointState | before 5.0, undocumented; since 6.1 revision, documented start is 5.0 |
||
| KeRundownQueue | before 5.0 (IFS), undocumented | since 6.0, declared start is 5.0 | |
| KeSaveFloatingPointState | before 5.0, undocumented; since 6.1 revision, documented start is 5.0 |
||
| KeSetAffinityThread | |||
| KeSetIdealProcessorThread | before 5.1 (IFS) to 6.0, undocumented | since 6.0, declared start is 5.0 | |
| KeSetKernelStackSwapEnable | before 5.1 (IFS) to 6.0, undocumented;
before 6.1 revision, reserved; since 6.1 revision, documented start is 5.0 |
since 6.0, declared start is 5.0 | |
| KeSetProfileIrql | |||
| KeSetSwapContextNotifyRoutine | discontinued in 5.1 | ||
| KeSetThreadSelectNotifyRoutine | discontinued in 5.1 | ||
| KeSetTimeUpdateNotifyRoutine | discontinued in 5.2 | before 5.1, declared | |
| KeSetTimerEx | since 6.1 revision, documented start is 5.0 | since 6.0, declared start is 5.0 | |
| KiBugCheckData (data) |
| Function | Export History |
|---|---|
| LdrFindResourceDirectory_U |
| Function | Export History | Documentation History | Declaration History |
|---|---|---|---|
| MmGrowKernelStack | |||
| MmHighestUserAddress (data) | starts in SP3 | ||
| MmMapLockedPagesSpecifyCache | starts in SP4 | since 6.1 revision, documented start is 5.0 | since 6.0, declared start is 5.0 |
| MmMapVideoDisplay | before 5.1, declared | since 6.0, declared start is 5.0 | |
| MmSystemRangeStart (data) | starts in SP3 | ||
| MmUnmapVideoDisplay | before 5.1, declared | since 6.0, declared start is 5.0 | |
| MmUserProbeAddress (data) | starts in SP3 |
The MmHighestUserAddress and MmUserProbeAddress variables allow for what was, in Windows NT 4.0 SP3, the new feature of dynamically reconfiguring how much of the virtual address space is accessible from user mode. The ancient MM_HIGHEST_USER_ADDRESS and MM_USER_PROBE_ADDRESS macros had evaluated to constants but could now—well, in the next DDK—be variable.
| Function | Export History |
|---|---|
| NlsAnsiCodePage (data) |
| Function | Export History |
|---|---|
| NtAddAtom | |
| NtDeleteAtom | |
| NtFindAtom | |
| NtQueryInformationAtom | |
| NtQueryOleDirectoryFile | discontinued in 5.0 |
| Function | Documentation History | Declaration History |
|---|---|---|
| ObAssignSecurity | ||
| ObCheckCreateObjectAccess | ||
| ObCheckObjectAccess | ||
| ObFindHandleForObject | ||
| ObGetObjectSecurity | before 5.0, declared; since 6.1 revision, documented start is 5.0 |
since 6.0, declared start is 5.0 |
| ObOpenObjectByName | ||
| ObQueryObjectAuditingByHandle | before 5.0 (IFS), undocumented;
before 5.1 (IFS) to 6.0, declared |
since 6.0, declared start is 5.0 |
| ObReferenceObjectByName | ||
| ObReleaseObjectSecurity | before 5.0, declared; since 6.1 revision, documented start is 5.0 |
since 6.0, declared start is 5.0 |
| ObSetSecurityDescriptorInfo | ||
| ObfReferenceObject | before 5.0, declared; before 2015-2018, indirectly documented; since 6.1 revision, documented start is 5.0 |
since 6.0, declared start is 5.0 |
Who’s to know why, but although the DDK for Windows XP does not much change the documentation of ObGetObjectSecurity and ObReleaseObjectSecurity, it warns that “This is preliminary documentation and subject to change.”
As just an implementation detail for the ObReferenceObject macro, the ObfReferenceObject function is indirectly documented since version 5.0. But Microsoft nowadays gives the function its own page. When exactly this started is not known. It is not in the Windows 10 WDK documentation as integrated into Visual Studio 2015, but it is at Microsoft’s website today, 17th September 2020. As with almost all of Microsoft’s online WDK documentation since its reorganisation around which functions are declared in which headers, it is dated 30th April 2018.
| Function | Export History |
|---|---|
| PoSetDeviceIdleDetection | discontinued in 5.0 |
| Function | Export History | Documentation History | Declaration History |
|---|---|---|---|
| PsAssignImpersonationToken | before 5.1 (IFS) to 6.0, undocumented | since 6.0, declared start is 5.0 | |
| PsCreateWin32Process | discontinued in 5.0 | ||
| PsGetCurrentProcessId | before 5.0, declared; since 6.1 revision, documented start is 5.0 |
since 6.0, declared start is 5.0 | |
| PsGetCurrentThreadId | before 5.0, declared; since 6.1 revision, documented start is 5.0 |
since 6.0, declared start is 5.0 | |
| PsGetVersion | before 5.0, declared; before 5.1, documented |
since 6.0, declared start is 5.0 | |
| PsImpersonateClient | before 5.1 (IFS), undocumented;
documented start is 5.1 |
since 6.0, declared start is 5.0 | |
| PsRevertToSelf | before 5.1 (IFS), undocumented;
before 6.1, declared; documented start is 5.1 |
since 6.0, declared start is 5.0 | |
| PsSetCreateThreadNotifyRoutine | before 5.0, declared; since 6.1 revision, documented start is 5.0 |
since 6.0, declared start is 5.0 | |
| PsSetLegoNotifyRoutine |
| Function | Documentation History | Declaration History |
|---|---|---|
| RtlAddAtomToAtomTable | ||
| RtlAnsiCharToUnicodeChar | before 6.1, undocumented; documented start is 5.0; documented but not declared |
|
| RtlAreAnyAccessesGranted | ||
| RtlCompressChunks | before 5.1 (IFS) to 6.0, undocumented | since 6.0, declared start is 5.1 |
| RtlCreateAtomTable | ||
| RtlDecompressChunks | before 5.1 (IFS) to 6.0, undocumented | since 6.0, declared start is 5.1 |
| RtlDeleteAtomFromAtomTable | ||
| RtlDeleteNoSplay | before 5.0 (IFS), undocumented | since 6.0, declared start is 5.0 |
| RtlDescribeChunk | before 5.1 (IFS) to 6.0, undocumented | since 6.0, declared start is 5.1 |
| RtlDestroyAtomTable | ||
| RtlEmptyAtomTable | ||
| RtlGetDefaultCodePage | ||
| RtlLookupAtomInAtomTable | ||
| RtlMultiByteToUnicodeSize | before 5.0 (IFS), undocumented | since 6.0, declared start is 5.0 |
| RtlPinAtomInAtomTable | ||
| RtlQueryAtomInAtomTable | ||
| RtlRaiseException | ||
| RtlReserveChunk | before 5.1 (IFS) to 6.0, undocumented | since 6.0, declared start is 5.1 |
| Function | Documentation History | Declaration History |
|---|---|---|
| SeAuditingFileOrGlobalEvents | before 5.0 (IFS), undocumented | since 6.0, declared start is 5.0 |
| SeDeleteObjectAuditAlarm | before 5.0 (IFS), undocumented | since 6.0, declared start is 5.0 |
| SeOpenObjectForDeleteAuditAlarm | before 5.0 (IFS), undocumented | since 6.0, declared start is 5.0 |
| SeSetAccessStateGenericMapping | before 5.0 (IFS), undocumented | since 6.0, declared start is 5.0 |
| SeTokenImpersonationLevel |
| Function | Documentation History | Declaration History |
|---|---|---|
| ZwLoadKey | ||
| ZwQueryDefaultLocale | ||
| ZwQueryObject | before 6.1, undocumented; documented start is 5.0 |
declared start is 5.0 |
| ZwQuerySystemInformation | ||
| ZwReplaceKey | ||
| ZwSaveKey | before 6.2, undocumented | declared start is 6.1 |
| ZwSetInformationObject | ||
| ZwSetSystemTime | ||
| ZwTerminateProcess | before 6.0, undocumented; since 6.1 revision, documented start is 5.0 |
|
| ZwUnloadDriver | before 5.1 (IFS), undocumented;
documented start is 5.1 |
since 6.0, declared start is 5.0 |
| ZwUnloadKey | ||
| ZwYieldExecution |
| Function | Export History |
|---|---|
| _alldiv | x86 only |
| _allmul | x86 only |
| _allrem | x86 only |
| _allshl | x86 only |
| _allshr | x86 only |
| _aulldiv | x86 only |
| _aullrem | x86 only |
| _aullshr | x86 only |
| _strnset | |
| _strrev | |
| _strset | |
| _wcslwr | |
| _wcsnset | |
| _wcsrev | |
| _wcsupr | |
| mbtowc | |
| strcat | |
| strcmp | |
| strcpy | |
| strlen | |
| strncat | |
| strspn | |
| towlower | |
| towupper | |
| wcsncat | |
| wcsspn | |
| wcstombs | |
| wctomb |
The eight functions _alldiv to _aullshr are the age-old means by which Microsoft’s 32-bit compiler generates code for arithmetic on 64-bit integers, whether signed or unsigned. Microsoft has long published assembly-language source files for these functions along with other CRT library source code in the Visual Studio package. If you believe that source code is everything, then these functions are as fully documented as can be. Yet formal documentation is surprisingly thin. For instance, within the C Run-Time Library Reference for Visual Studio 2015 (roughly contemporaneous with the original Windows 10) they don’t rate a mention in either the Alphabetical Function Reference or the list of Internal CRT Globals and Functions.
Version 4.0 stops exporting a few functions. For each, the version in parentheses tells when the function was first exported:
None had yet been documented. For who knows what reason, three of these functions cease as exports from version 4.0 but then are restored for version 5.0. The function for Power Management seems to have been a first thought that was replaced by a second thought for version 4.0 but then was revived for the large redevelopment of the functionality in version 5.0.