Geoff Chappell, Software Analyst
The table below lists the 50 functions that are first exported by the Windows kernel in the version 5.2 from Windows Server 2003 SP1. Two more are listed as additions for Windows XP SP3 because the latter has the lower version number. All these added functions are still exported as of version 10.0, except that one was discontinued in 6.3. These additions represent by far the largest expansion of the kernel’s exported functionality for any service-pack release in the history of Windows. Indeed, more functions were added for Windows Server 2003 SP1 than for the original Windows Server 2003. An explanation is that this is the first Windows version (known to this study) that has an x64 build. Many of the new functions are exported only from x64 builds.
Documentation status is summarised by colour coding so that more detail can be given as Remarks with less text. Functions that have their own non-trivial documentation are shown with no background colour. If the function is documented as reserved or obsolete, with or without a prototype, it is shaded red or shaded grey, respectively. An undocumented function that is at least declared in one or another header file from the Windows Driver Kit (WDK) is shaded orange. If the only declaration that Microsoft is known to have disclosed publicly is from the “minwin” directory of the Enterprise WDK for Windows 10 version 1511, specifically, then the function is highlighted orange. Functions that appear to be completely undocumented are highlighted yellow. If a function is documented now but is known not to have been documented in the first contemporaneous Device Driver Kit (DDK), WDK or Installable File System (IFS) Kit, then it is shaded yellow to retain some of its previous status as undocumented.
Barely a quarter of the new functions are documented. For only a few does the documentation state the applicable versions as beginning with Windows Server 2003 SP1 specifically. Unusually, one function that is documented is not declared in any WDK header file. Another half of the functions are not documented but do at least get declared in one or another WDK header file. Declarations, both of these and the documented functions, are mostly for Windows Server 2003 SP1 and higher, but some have no version constraint at all, and one dates the function to Windows XP.
| Function | Remarks |
|---|---|
| ExAcquireFastMutex | x64 only; supported for x86 as export from HAL version 3.51 and higher |
| ExAcquireRundownProtectionCacheAware | |
| ExAcquireRundownProtectionCacheAwareEx | |
| ExAllocateCacheAwareRundownProtection | |
| ExEnterCriticalRegionAndAcquireFastMutexUnsafe | |
| ExEnterCriticalRegionAndAcquireResourceExclusive | |
| ExEnterCriticalRegionAndAcquireResourceShared | |
| ExEnterCriticalRegionAndAcquireSharedWaitForExclusive | |
| ExFreeCacheAwareRundownProtection | |
| ExInitializeRundownProtectionCacheAware | |
| ExQueryDepthSList | x64 only; conditionally defined inline; supported (and long documented) for x86 by macro definition |
| ExReInitializeRundownProtectionCacheAware | |
| ExReleaseFastMutex | x64 only; supported for x86 as export from HAL version 3.51 and higher |
| ExReleaseFastMutexUnsafeAndLeaveCriticalRegion | |
| ExReleaseResourceAndLeaveCriticalRegion | |
| ExReleaseRundownProtectionCacheAware | |
| ExReleaseRundownProtectionCacheAwareEx | |
| ExRundownCompletedCacheAware | |
| ExSizeOfRundownProtectionCacheAware | |
| ExTryToAcquireFastMutex | x64 only; supported for x86 as export from HAL version 3.51 and higher |
| ExWaitForRundownProtectionReleaseCacheAware | |
| ExfReleasePushLockExclusive | |
| ExfReleasePushLockShared | |
| ExfTryToWakePushLock | |
| ExiAcquireFastMutex | x86 only |
| ExiReleaseFastMutex | x86 only |
| ExiTryToAcquireFastMutex | x86 only |
| ExpInterlockedFlushSList | x64 only |
| ExpInterlockedPopEntrySList | x64 only |
| ExpInterlockedPushEntrySList | x64 only |
| InitializeSListHead | x64 only; defined inline for x86; also exported from KERNEL32 version 5.1 and higher; documentation is in SDK for KERNEL32, and requires Windows XP and higher |
| IoIs32bitProcess | x64 only; documented before available, at least as early as 2002 |
| IoTranslateBusAddress | |
| IoWMIDeviceObjectToProviderId | x64 only; documented before available, at least as early as 2000; supported for x86 by macro |
| KdChangeOption | |
| KdSystemDebugControl | |
| KeAcquireGuardedMutex | documentation requires Windows Server 2003 and higher |
| KeAcquireGuardedMutexUnsafe | documentation requires Windows Server 2003 and higher |
| KeAcquireInStackQueuedSpinLock | x64 only; also x86 in 6.2 and higher; supported for x86 as export from HAL version 5.1 and higher |
| KeAcquireInStackQueuedSpinLockRaiseToSynch | x64 only; also x86 in 6.2 and higher; supported for x86 as export from HAL version 5.1 and higher |
| KeAcquireQueuedSpinLock | x64 only; also x86 in 6.2 and higher; supported for x86 as export from HAL version 5.0 and higher |
| KeAcquireQueuedSpinLockRaiseToSynch | x64 only; also x86 in 6.2 and higher; supported for x86 as export from HAL version 5.0 and higher |
| KeAcquireSpinLockRaiseToDpc | x64 only; declaration requires Windows 2000 and higher |
| KeAcquireSpinLockRaiseToSynch | x64 only; also x86 in 6.2 and higher; supported for x86 as export from HAL version 4.0 and higher |
| KeAreAllApcsDisabled | documentation requires Windows Server 2003 and higher |
| KeEnterGuardedRegion | documentation requires Windows Server 2003 and higher |
| KeExpandKernelStackAndCallout | x64-only in 5.2; undocumented until 2005-2006 |
| KeGetCurrentIrql | x64 only; defined inline to read cr8; supported for x86 as export from HAL version 3.51 and higher |
| KeInitializeCrashDumpHeader | not declared |
| KeInitializeGuardedMutex | documentation requires Windows Server 2003 and higher |
| KeIsWaitListEmpty | |
| KeLastBranchMSR (data) | x64 only |
| KeLeaveGuardedRegion | documentation requires Windows Server 2003 and higher |
| KeLowerIrql | x64 only; defined inline to write cr8; supported for x86 as export from HAL version 3.51 and higher |
| KeQueryMultiThreadProcessorSet | x64 only |
| KeQueryPrcbAddress | x64 only |
| KeRaiseIrqlToDpcLevel | x64 only; supported for x86 as export from HAL version 4.0 and higher |
| KeReleaseGuardedMutex | documentation requires Windows Server 2003 and higher |
| KeReleaseGuardedMutexUnsafe | documentation requires Windows Server 2003 and higher |
| KeReleaseInStackQueuedSpinLock | x64 only; supported for x86 as export from HAL version 5.1 and higher |
| KeReleaseQueuedSpinLock | x64 only; also x86 in 6.2 and higher; supported for x86 as export from HAL version 5.0 and higher |
| KeReleaseSpinLock | x64 only; also x86 in 6.2 and higher; supported for x86 as export from HAL version 3.51 and higher |
| KeTryToAcquireGuardedMutex | documentation requires Windows Server 2003 and higher |
| KeTryToAcquireQueuedSpinLock | x64 only; also x86 in 6.2 and higher; supported for x86 as export from HAL version 5.0 and higher |
| KeTryToAcquireQueuedSpinLockRaiseToSynch | x64 only; also x86 in 6.2 and higher; supported for x86 as export from HAL version 5.0 and higher |
| KeTryToAcquireSpinLockAtDpcLevel | documented before available, as early as 2002 |
| KfRaiseIrql | x64 only; redefined as inline function to read and write cr8; supported for x86 as export from HAL version 3.51 and higher |
| KiCpuId | x64 only; also x86 in 6.2; discontinued in 6.3 |
| MmAllocatePagesForMdlEx | undocumented until 2005-2006 |
| PsGetCurrentProcessWin32Process | |
| PsGetCurrentProcessWow64Process | x64 only |
| PsGetCurrentThreadProcess | |
| PsGetCurrentThreadProcessId | |
| PsGetCurrentThreadTeb | |
| PsGetCurrentThreadWin32Thread | |
| PsGetCurrentThreadWin32ThreadAndEnterCriticalRegion | |
| PsGetProcessWow64Process | x64 only |
| PsIsSystemProcess | |
| PsWrapApcWow64Thread | |
| RtlCopyMemory | x64 only; redefined by macro using memcpy (x86 also) |
| RtlCopyMemoryNonTemporal | x64 only; redefined by macro as RtlCopyMemory (x86 only) |
| RtlLookupFunctionEntry | x64 only; also exported as export from contemporaneous KERNEL32 versions; documentation and declaration are in SDK for KERNEL32 |
| RtlPcToFileHeader | x64 only; x86 also in 10.0 and higher; also exported as export from contemporaneous KERNEL32 versions; documentation and declaration are in SDK for KERNEL32 |
| RtlRestoreContext | x64 only; also exported as export from contemporaneous KERNEL32 versions; documentation and declaration are in SDK for KERNEL32 |
| RtlUnwindEx | x64 only; also exported as export from contemporaneous KERNEL32 versions; documentation and declaration are in SDK for KERNEL32 |
| RtlVirtualUnwind | x64 only; also exported as export from contemporaneous KERNEL32 versions; documentation and declaration are in SDK for KERNEL32 |
| SeReportSecurityEvent | |
| SeSetAuditParameter | |
| ZwSecureConnectPort | |
| __C_specific_handler | x64 only |
| __chkstk | x64 only |
| __misaligned_access | x64 only |
| _local_unwind | x64 only |
| _setjmp | x64 only |
| _setjmpex | x64 only |
| longjmp | x64 only |
| memcmp | x64 only; also x86 in 6.2 and higher |