Geoff Chappell, Software Analyst
The large table on this page lists the 375 exports that were added to the Windows kernel for version 6.0., i.e., for the original Windows Vista. These represent by far the biggest change in the kernel’s exported functionality over the whole history of Windows.
Also listed are 35 additions for Windows Vista SP1 and Windows Server 2008. This is among the largest of changes for a service pack. Curiously, twenty functions from the original do not survive. Windows Vista SP2 was much more typical as a service pack: it contributes one more to the list.
For the table below, documentation status is summarised by colour coding so that more detail can be given as Remarks with less text. (If you read this website with scripts enabled, then hovering the mouse over any coloured text will produce a tooltip that shows why the text is coloured.) Functions that have their own non-trivial documentation are shown with no background colour. If the function is documented as reserved or obsolete, it is shaded red or shaded grey, respectively. Functions that appear to be completely undocumented are highlighted yellow. If a function is documented now but was not documented in the first contemporaneous Device Driver Kit (DDK), Windows Driver Kit (WDK) or Installable File System (IFS) Kit, then it is shaded yellow to retain some of its previous status. Many undocumented functions do at least have C-language declarations in one or another header file from the WDK. These are shaded orange, except for one special case. Some declarations are known only from “minwin” headers that Microsoft published in early editions of the WDK for Windows 10 which seem since to have been withdrawn. These are highlighted orange to indicate that public knowledge even of the declaration is exceptional.
Barely a sixth of these new exports for version 6.0 were documented for the contemporaneous WDK, though many more have got documented since. Most are then said (correctly) to be available starting with Windows Vista, but without even hinting that this availability was not generally disclosed until a later WDK. One function is documented only as being reserved. Not quite half of the new functions, and five exports of data, are undocumented but with declarations in one or another of the WDK header files. Declarations, both of these and the documented functions, are mostly for Windows Vista and higher, but some have no version constraint and a few are declared for much older versions. The other third of the new functions had neither documentation nor declaration for nearly a decade. Then, though possibly only as an oversight, Microsoft published declarations for very many of them!
| Function | Documentation History |
|---|---|
| AlpcGetHeaderSize | |
| AlpcGetMessageAttribute | |
| AlpcInitializeMessageAttribute | |
| CcGetFileObjectFromSectionPtrsRef | before 6.1 revision, undocumented |
| CcIsThereDirtyDataEx | before 6.1, undocumented |
| CcSetFileSizesEx | |
| CcSetParallelFlushFile | |
| CcTestControl | |
| CmCallbackGetKeyObjectID | |
| CmGetBoundTransaction | |
| CmGetCallbackVersion | |
| CmRegisterCallbackEx | |
| CmSetCallbackObjectContext | |
| DbgSetDebugPrintCallback | |
| EmClientQueryRuleState | before 6.2, declared |
| EmClientRuleDeregisterNotification | before 6.2, declared |
| EmClientRuleEvaluate | before 6.2, declared |
| EmClientRuleRegisterNotification | before 6.2, declared |
| EmProviderDeregister | before 6.2, declared |
| EmProviderDeregisterEntry | before 6.2, declared |
| EmProviderRegister | before 6.2, declared |
| EmProviderRegisterEntry | before 6.2, declared |
| EmpProviderRegister |
To be clear, for the situation is unusual, the small family of Em functions started as declared but undocumented, and then those declarations disappear (from WDM.H). Their only known public disclosure by Microsoft since Windows 8 is the NTOSP.H from early editions of the WDK for Windows 10.
| Function | Export History | Documentation History |
|---|---|---|
| EtwActivityIdControl | ||
| EtwEnableTrace | ||
| EtwEventEnabled | ||
| EtwProviderEnabled | ||
| EtwRegister | ||
| EtwRegisterClassicProvider | starts in SP1 | |
| EtwSendTraceBuffer | starts in SP1 | |
| EtwUnregister | ||
| EtwWrite | ||
| EtwWriteEndScenario | ||
| EtwWriteStartScenario | ||
| EtwWriteString | ||
| EtwWriteTransfer | ||
| ExAcquireCacheAwarePushLockExclusive | ||
| ExAcquireSpinLockExclusive | starts in SP1 | before 6.2, undocumented |
| ExAcquireSpinLockExclusiveAtDpcLevel | starts in SP1 | before 6.2, undocumented |
| ExAcquireSpinLockShared | starts in SP1 | before 6.2, undocumented |
| ExAcquireSpinLockSharedAtDpcLevel | starts in SP1 | before 6.2, undocumented |
| ExAllocateCacheAwarePushLock | ||
| ExDeleteLookasideListEx | before 6.1 revision, declared | |
| ExEnterPriorityRegionAndAcquireResourceExclusive | starts in SP1 | |
| ExEnterPriorityRegionAndAcquireResourceShared | starts in SP1 | |
| ExFetchLicenseData | ||
| ExFlushLookasideListEx | before 6.1 revision, declared | |
| ExFreeCacheAwarePushLock | ||
| ExGetLicenseTamperState | ||
| ExInitializeLookasideListEx | before 6.1 revision, declared | |
| ExInitializePushLock | before 1809, declared documented start is 1809 |
|
| ExReleaseCacheAwarePushLockExclusive | ||
| ExReleaseResourceAndLeavePriorityRegion | starts in SP1 | |
| ExReleaseSpinLockExclusive | starts in SP1 | before 6.2, undocumented |
| ExReleaseSpinLockExclusiveFromDpcLevel | starts in SP1 | before 6.2, undocumented |
| ExReleaseSpinLockShared | starts in SP1 | before 6.2, undocumented |
| ExReleaseSpinLockSharedFromDpcLevel | starts in SP1 | before 6.2, undocumented |
| ExSetLicenseTamperState | ||
| ExTryConvertSharedSpinLockExclusive | starts in SP1 | before 6.2, undocumented |
| ExUpdateLicenseData | discontinued in 6.2; restored in 10.0 and higher |
|
| ExfTryAcquirePushLockShared |
Somehow I must have missed Microsoft’s documentation of ExInitializePushLock in an online inspection on 13th October 2018. As I find it today, 17th September 2020, it’s not only there but is dated 30th September 2018. Presumably, it was documented concurrently with the 1809 release of Windows 10. Either that or some reason should be found for why Microsoft says that a (simple) function from 2006 needs a kernel from 2018.
| Function | Documentation History |
|---|---|
| FirstEntrySList | in 5.1 and 5.2, declared |
The FindEntrySList function is declared in both WDM.H and NTDDK.H before it is ever exported from the kernel or documented.
| Function | Export History | Documentation History |
|---|---|---|
| FsRtlAcknowledgeEcp | before 6.1, declared | |
| FsRtlAddBaseMcbEntryEx | before 2018, declared | |
| FsRtlAllocateExtraCreateParameter | before 6.1, declared | |
| FsRtlAllocateExtraCreateParameterFromLookasideList | before 6.1 revision, declared | |
| FsRtlAllocateExtraCreateParameterList | before 6.1, declared | |
| FsRtlAreVolumeStartupApplicationsComplete | before 6.1, declared | |
| FsRtlCancellableWaitForMultipleObjects | ||
| FsRtlCancellableWaitForSingleObject | ||
| FsRtlChangeBackingFileObject | ||
| FsRtlCheckOplockEx | starts in SP1 | documented start is 6.0 |
| FsRtlCurrentOplock | before 6.1, declared | |
| FsRtlDeleteExtraCreateParameterLookasideList | before 6.1 revision, declared | |
| FsRtlFindExtraCreateParameter | before 6.1, declared | |
| FsRtlFreeExtraCreateParameter | before 6.1, declared | |
| FsRtlFreeExtraCreateParameterList | before 6.1, declared | |
| FsRtlGetEcpListFromIrp | before 6.1, declared | |
| FsRtlGetNextExtraCreateParameter | before 6.1, declared | |
| FsRtlIncrementCcFastMdlReadWait | before 6.2, declared | |
| FsRtlInitExtraCreateParameterLookasideList | before 6.1 revision, declared | |
| FsRtlInitializeBaseMcbEx | before 2018, declared | |
| FsRtlInsertExtraCreateParameter | before 6.1, declared | |
| FsRtlInsertPerFileContext | before 6.2, declared | |
| FsRtlIsEcpAcknowledged | before 6.1, declared | |
| FsRtlIsEcpFromUserMode | before 6.1 revision, declared | |
| FsRtlLogCcFlushError | before 6.2, declared | |
| FsRtlLookupPerFileContext | before 6.2, declared | |
| FsRtlMupGetProviderIdFromName | before 6.1, declared | |
| FsRtlMupGetProviderInfoFromFileObject | before 6.1, declared | |
| FsRtlNotifyCleanupAll | before 6.2, declared | |
| FsRtlNotifyVolumeEventEx | before 6.2, declared | |
| FsRtlOplockBreakToNone | before 6.1, declared | |
| FsRtlRegisterFltMgrCalls | ||
| FsRtlRegisterMupCalls | ||
| FsRtlRegisterUncProviderEx | ||
| FsRtlRemoveDotsFromPath | before 6.2, declared | |
| FsRtlRemoveExtraCreateParameter | before 6.1, declared | |
| FsRtlRemovePerFileContext | before 6.2, declared | |
| FsRtlSetEcpListIntoIrp | before 6.1 revision, declared | |
| FsRtlTeardownPerFileContexts | before 6.2, declared | |
| FsRtlValidateReparsePointBuffer | before 6.2, declared |
See in general that merging the IFS Kit into the WDK for Windows Vista did little, if anything, for getting newly added FsRtl functions documented. Almost all are declared in the NTIFS.H which the merger brought into much wider circulation, but almost all had to wait for the next WDK—and many for the one after—before they become documented.
Version 6.0 adds two functions that work with the BASE_MCB structure, which version 5.2 extracted from the older LARGE_MCB. As with the original BASE_MCB fuctions, these additions were declared in NTIFS.H but left out of the documentation. They looked to be still undocumented when checking online on 13th October 2018. Now in 2020, Microsoft’s website has documentation of them, both dated 19th October 2018.
| Function | Export History | Documentation History | Declaration History |
|---|---|---|---|
| HvlQueryConnection | |||
| IoAllocateMiniCompletionPacket | |||
| IoAllocateSfioStreamIdentifier | |||
| IoApplyPriorityInfoThread | before 6.2, undocumented | ||
| IoCallDriverStackSafe | discontinued in 6.1 | ||
| IoCheckShareAccessEx | before 6.2, declared documented start is 6.1 |
||
| IoClearDependency | starts in SP1; discontinued in 1703 |
declared start is 6.3 | |
| IoClearIrpExtraCreateParameter | |||
| IoConnectInterruptEx | |||
| IoCreateArcName | |||
| IoCreateFileEx | |||
| IoDeleteAllDependencyRelations | starts in SP1; discontinued in 1703 |
declared start is 6.3 | |
| IoDisconnectInterruptEx | |||
| IoDuplicateDependency | starts in SP1 | declared start is 6.3 | |
| IoFreeMiniCompletionPacket | |||
| IoFreeSfioStreamIdentifier | |||
| IoGetBootDiskInformationLite | |||
| IoGetDevicePropertyData | before 6.1, declared | ||
| IoGetIoPriorityHint | |||
| IoGetIrpExtraCreateParameter | |||
| IoGetSfioStreamIdentifier | |||
| IoGetSymLinkSupportInformation | starts in SP2 | ||
| IoGetTransactionParameterBlock | |||
| IoInitializeWorkItem | |||
| IoIsFileObjectIgnoringSharing | before 6.2, declared | ||
| IoQueueWorkItemEx | |||
| IoReplacePartitionUnit | starts in SP1 | ||
| IoRequestDeviceEjectEx | |||
| IoRetrievePriorityInfo | before 6.2, undocumented | ||
| IoSetDependency | starts in SP1 | declared start is 6.3 | |
| IoSetDevicePropertyData | before 6.1, declared | ||
| IoSetIoCompletionEx | |||
| IoSetIoPriorityHint | |||
| IoSetIoPriorityHintIntoFileObject | |||
| IoSetIoPriorityHintIntoThread | |||
| IoSetIrpExtraCreateParameter | |||
| IoSetShareAccessEx | before 6.2, declared documented start is 6.1 |
||
| IoSizeofWorkItem | |||
| IoUninitializeWorkItem | |||
| IoWithinStackLimits | before 6.1, declared |
The IoConnectInterruptEx and IoDisconnectInterruptEx functions are also implemented in a statically linked library—in this case, iointex.lib—for use by new drivers that run on older versions.
| Function | Export History | Documentation History |
|---|---|---|
| KeAlertThread | ||
| KeAllocateCalloutStack | ||
| KeDeregisterProcessorChangeCallback | starts in SP1 | |
| KeExpandKernelStackAndCalloutEx | before 6.1 revision, undocumented in 6.1 revision, documented but not declared |
|
| KeFreeCalloutStack | ||
| KeInvalidateRangeAllCaches | ||
| KeQueryActiveProcessorCount | ||
| KeQueryDpcWatchdogInformation | before 6.1, declared | |
| KeQueryMaximumProcessorCount | before 6.1, declared | |
| KeRegisterProcessorChangeCallback | starts in SP1 | |
| KeRemoveQueueEx | starts in SP1 | |
| KeRevertToUserAffinityThreadEx | before 6.1, declared | |
| KeSetActualBasePriorityThread | ||
| KeSetSystemAffinityThreadEx | before 6.1, declared | |
| KeStartDynamicProcessor | before 6.1, declared | |
| KeTestAlertThread | starts in SP1 |
Though KeRemoveQueueEx is not exported from the version 6.0 kernel before SP1, it plausibly was meant to be. It is declared in NTIFS.H from the WDK for Windows Vista and the original version 6.0 kernel not only has it as an internal routine but as the effective implementation of the old, documented KeRemoveQueue.
The undocumented KeStartDynamicProcessor is declared in the WDM.H from the WDK for Windows Vista, and then its declaration disappears except in the presumably accidental disclosure of NTOSP.H by Microsoft in early editions of the WDK for Windows 10.
| Function | Export History | Documentation History | Declaration History |
|---|---|---|---|
| LdrFindResourceEx_U | |||
| LdrResFindResource | |||
| LdrResFindResourceDirectory | |||
| LdrResSearchResource | |||
| LpcReplyWaitReplyPort | |||
| LpcRequestWaitReplyPortEx | |||
| LpcSendWaitReceivePort | |||
| MmAllocateContiguousMemorySpecifyCacheNode | before 6.1, declared | before 6.2, declared start is 5.0 | |
| MmBadPointer (data) | before 6.1, declared | since 6.3, deprecated | |
| MmCopyVirtualMemory | |||
| MmIsDriverVerifyingByAddress | before 6.1, declared | ||
| MmRotatePhysicalView | |||
| MmSetUserExceptionCallout | discontinued in 6.1 |
Starting with the WDK for Windows 8.1, Microsoft formally deprecates the MmBadPointer variable’s declaration in favour of an MM_BAD_POINTER macro. A historical survey might be content with this, perhaps adding for completeness that the macro is not documented in and of itself. Indeed, in the downloadable package of WDK documentation for Windows 8.1 to integrate into Visual Studio, and again for Windows 10, the page for the variable has a link for the macro but the link is broken. More is going on here than mere untidiness. For background, remember that exported variables are imported as pointers. This can cause programmers something between an inconvenience and a complication. To help, Microsoft sometimes hides the declared variable behind a documented macro, as with KD_DEBUGGER_ENABLED for KdDebuggerEnabled. But the superseding of MmBadPointer by MM_BAD_POINTER is not for convenience. It is instead a correction: MmBadPointer was documented for use as a variable but its declaration is only what works for the kernel. For an importing module, the declaration is faulty. The variable is meant to hold an address that is guaranteed to be bad but using it as documented, and as done by Microsoft’s own RDBSS.SYS driver in versions 6.0 to 6.2 inclusive, instead produces an address that is certain to be good (being an address in the kernel’s data).
| Function | Export History | Documentation History | Declaration History |
|---|---|---|---|
| NtBuildGUID (data) | |||
| NtBuildLab (data) | |||
| NtClearAllSavepointsTransaction | discontinued in SP1 | ||
| NtClearSavepointTransaction | discontinued in SP1 | ||
| NtCommitComplete | before 6.1, declared before 6.2, reserved |
||
| NtCommitEnlistment | before 6.1, declared before 6.2, reserved |
||
| NtCommitTransaction | before 6.1, declared before 6.2, reserved |
||
| NtCreateEnlistment | before 6.1, declared before 6.2, reserved |
||
| NtCreateResourceManager | before 6.1, declared before 6.2, reserved |
||
| NtCreateTransaction | before 6.1, declared before 6.2, reserved |
||
| NtEnumerateTransactionObject | before 6.1, declared before 6.2, reserved |
||
| NtFreezeTransactions | |||
| NtGetEnvironmentVariableEx | starts in SP1 | ||
| NtGetNotificationResourceManager | before 6.1, declared before 6.2, reserved |
||
| NtMarshallTransaction | discontinued in SP1 | ||
| NtOpenEnlistment | before 6.1, declared before 6.2, reserved |
||
| NtOpenResourceManager | before 6.1, declared before 6.2, reserved |
||
| NtOpenTransaction | before 6.1, declared before 6.2, reserved |
||
| NtPrePrepareEnlistment | before 6.1, declared before 6.2, reserved |
||
| NtPrepareComplete | before 6.1, declared before 6.2, reserved |
||
| NtPrepareEnlistment | before 6.1, declared before 6.2, reserved |
||
| NtPullTransaction | discontinued in SP1 | ||
| NtQueryEnvironmentVariableInfoEx | starts in SP1 | ||
| NtQueryInformationEnlistment | before 6.1, declared before 6.2, reserved |
||
| NtQueryInformationResourceManager | before 6.1, declared before 6.2, reserved |
||
| NtQueryInformationTransaction | before 6.1, declared before 6.2, reserved |
||
| NtQueryInformationTransactionManager | before 6.1, declared before 6.2, reserved |
||
| NtRollbackEnlistment | before 6.1, declared before 6.2, reserved |
||
| NtRollbackTransaction | before 6.1, declared before 6.2, reserved |
||
| NtSavepointComplete | discontinued in SP1 | ||
| NtSavepointTransaction | discontinued in SP1 | ||
| NtSetInformationEnlistment | before 6.1, declared before 6.2, reserved |
||
| NtSetInformationResourceManager | before 6.1, declared before 6.2, reserved |
||
| NtSetInformationTransaction | before 6.1, declared before 6.2, reserved |
||
| NtStartTm | discontinued in SP1 | ||
| NtThawTransactions | |||
| NtTraceControl |
Functions whose names begin with Nt correspond closely with functions whose names have the Zw prefix instead (see below). Put aside some general points about how the two differ, and documentation of the Nt function is to a large extent implied by documentation of the Zw. Microsoft started making this explicit some time after releasing the WDK for Windows Vista. Perhaps not coincidentally, Windows Vista had just brought by far the largest addition yet of Nt functions, but since the documentation for Windows Vista leaves them alone they are here taken to have been initially undocumented or declared. Documentation in the WDK for Windows 7 gives each Nt function its own page and directs attention to the page for the corresponding Zw function. The latter might be thought to count for both, except that the former warns expressly “Do not call this routine from kernel-mode code.” This is here taken as documenting the Nt functions as reserved (certainly for kernel-mode use, which is this survey’s focus). Microsoft loosened the text significantly for Windows 8 to note that the Nt and Zw versions “can behave differently”, which is here taken as formally permitting their use, such that they are no longer documented as reserved.
Whatever the reason that several Nt functions for the new Transaction Manager feature do not survive to the first service pack, they weren’t born in some experimental backwater: though none were documented, all but one was declared.
| Function | Export History | Documentation History | Declaration History |
|---|---|---|---|
| ObDereferenceObjectDeferDelete | before 6.1, declared | ||
| ObGetFilterVersion | starts in SP1 | ||
| ObIsKernelHandle | before 6.1, declared | ||
| ObRegisterCallbacks | starts in SP1 | ||
| ObUnRegisterCallbacks | starts in SP1 | ||
| POGOBuffer (data) | |||
| PfFileInfoNotify | |||
| PoDisableSleepStates | |||
| PoGetSystemWake | |||
| PoReenableSleepStates | |||
| PoRegisterPowerSettingCallback | |||
| PoSetDeviceBusyEx | starts in SP1 | ||
| PoSetFixedWakeSource | |||
| PoSetSystemWake | |||
| PoUnregisterPowerSettingCallback | |||
| PoUserShutdownInitiated | |||
| PsAcquireProcessExitSynchronization | |||
| PsChargeProcessCpuCycles | discontinued in 6.1 (x64); discontinued in 6.2 (x86) |
||
| PsEnterPriorityRegion | |||
| PsIsCurrentThreadPrefetching | |||
| PsIsProtectedProcess | |||
| PsLeavePriorityRegion | |||
| PsQueryProcessExceptionFlags | starts in SP1 | ||
| PsReferenceProcessFilePointer | |||
| PsReleaseProcessExitSynchronization | |||
| PsResumeProcess | |||
| PsSetCreateProcessNotifyRoutineEx | starts in SP1 | ||
| PsSetCurrentThreadPrefetching | |||
| PsSuspendProcess | |||
| PsUILanguageComitted (data) | |||
| RtlCmDecodeMemIoResource | |||
| RtlCmEncodeMemIoResource | |||
| RtlCompareAltitudes | |||
| RtlComputeCrc32 | |||
| RtlCopyLuidAndAttributesArray | |||
| RtlCopySidAndAttributesArray | |||
| RtlDuplicateUnicodeString | declared start is 5.1 | ||
| RtlFindClosestEncodableLength | |||
| RtlFormatMessage | |||
| RtlGetIntegerAtom | |||
| RtlGetProductInfo | |||
| RtlGetThreadLangIdByIndex | |||
| RtlIdnToAscii | |||
| RtlIdnToNameprepUnicode | |||
| RtlIdnToUnicode | |||
| RtlInvertRangeListEx | |||
| RtlIoDecodeMemIoResource | |||
| RtlIoEncodeMemIoResource | |||
| RtlIsNormalizedString | |||
| RtlIsNtDdiVersionAvailable | |||
| RtlIsServicePackVersionInstalled | |||
| RtlLocalTimeToSystemTime | |||
| RtlLookupFirstMatchingElementGenericTableAvl | before 6.2, declared | declared start is 5.1 | |
| RtlNormalizeString | |||
| RtlNumberOfSetBitsUlongPtr | before 6.2, declared | ||
| RtlQueryDynamicTimeZoneInformation | |||
| RtlQueryElevationFlags | |||
| RtlQueryModuleInformation | |||
| RtlRunOnceBeginInitialize | |||
| RtlRunOnceComplete | |||
| RtlRunOnceExecuteOnce | |||
| RtlRunOnceInitialize | |||
| RtlSetDynamicTimeZoneInformation | |||
| RtlSidHashInitialize | |||
| RtlSidHashLookup | |||
| RtlSystemTimeToLocalTime | |||
| RtlValidateUnicodeString | declared start is 5.1 |
When first introduced, the RtlIsNtDdiVersionAvailable and RtlIsServicePackVersionInstalled functions were all but useless except if supported through a statically linked library. To the caller who imports these functions from the kernel, the documentation’s suggestions of testing for availability back to Windows 2000 is at best redundant because the caller necessarily is running on version 6.0 or higher. To a driver written for Windows Vista but capable of downgrading its expectations to whatever Windows it finds itself running on, these functions are useful only if the driver gets them from a statically linked library. The WDK supplies the library, named RTLVER.LIB, and has the headers arrange that building for a target operating system older than Windows Vista will need the library. The documentation, however, gives only the smallest hint of any of this—for no explained reason, these functions “Link to Rtlver.lib and Wdmsec.lib”—until an explanatory paragraph was added to the WDK for Windows 8. Do not miss the irony that by this time the WDK had stopped supporting the building of drivers for versions older than Windows Vista.
| Function | Export History | Documentation History |
|---|---|---|
| SeAccessCheckFromState | ||
| SeAuditHardLinkCreationWithTransaction | ||
| SeAuditTransactionStateChange | ||
| SeCaptureSubjectContextEx | before 10.0, undocumented | |
| SeCloseObjectAuditAlarmForNonObObject | ||
| SeComputeAutoInheritByObjectType | ||
| SeCreateAccessStateEx | ||
| SeDeleteObjectAuditAlarmWithTransaction | ||
| SeExamineSacl | ||
| SeGetLinkedToken | ||
| SeLocateProcessImageName | ||
| SeOpenObjectAuditAlarmForNonObObject | ||
| SeOpenObjectAuditAlarmWithTransaction | ||
| SeOpenObjectForDeleteAuditAlarmWithTransaction | ||
| SeReportSecurityEventWithSubCategory | ||
| SeSetAuthorizationCallbacks | ||
| TmCancelPropagationRequest | before 6.1, declared | |
| TmCommitComplete | before 6.1, declared | |
| TmCommitEnlistment | before 6.1, declared | |
| TmCommitTransaction | before 6.1, declared | |
| TmCreateEnlistment | before 6.1, declared | |
| TmCurrentTransaction | before 6.1, declared | |
| TmDefaultTmOpenFileCount | discontinued in SP1 | |
| TmDereferenceEnlistmentKey | before 6.1, declared | |
| TmEnableCallbacks | before 6.1, declared | |
| TmEndPropagationRequest | before 6.1, declared | |
| TmEnlistmentObjectType (data) | since 6.1, indirectly documented | |
| TmFreezeTransactions | before 6.1, declared | |
| TmGetTransactionId | before 6.1, declared | |
| TmInitDefaultTemporaryTm | discontinued in SP1 | |
| TmInitSystem | before 6.1, declared | |
| TmInitSystemPhase2 | before 6.1, declared | |
| TmInitializeResourceManager | discontinued in 6.2 | |
| TmInitializeTransaction | discontinued in 6.2 | |
| TmIsTransactionActive | before 6.1, declared | |
| TmMarshallTransaction | discontinued in SP1 | |
| TmPrePrepareComplete | before 6.1, declared | |
| TmPrePrepareEnlistment | before 6.1, declared | |
| TmPrepareComplete | before 6.1, declared | |
| TmPrepareEnlistment | before 6.1, declared | |
| TmPropagationComplete | ||
| TmPropagationFailed | ||
| TmPullTransaction | discontinued in SP1 | |
| TmReadOnlyEnlistment | before 6.1, declared | |
| TmRecoverEnlistment | before 6.1, declared | |
| TmRecoverResourceManager | before 6.1, declared | |
| TmRecoverTransactionManager | before 6.1, declared | |
| TmReferenceEnlistmentKey | before 6.1, declared | |
| TmRequestOutcomeEnlistment | before 6.1, declared | |
| TmResourceManagerObjectType (data) | since 6.1, indirectly documented | |
| TmRmIsNotificationQueueEmpty_Temporary | discontinued in SP1 | |
| TmRollbackComplete | before 6.1, declared | |
| TmRollbackEnlistment | before 6.1, declared | |
| TmRollbackTransaction | before 6.1, declared | |
| TmSavepointComplete | discontinued in SP1 | |
| TmSavepointTransaction | discontinued in SP1 | |
| TmSetCurrentTransaction | before 6.1, declared | |
| TmSetPreviousModeToKernel | discontinued in SP1 | |
| TmThawTransactions | before 6.1, declared | |
| TmTransactionManagerObjectType (data) | since 6.1, indirectly documented | |
| TmTransactionObjectType (data) | since 6.1, indirectly documented | |
| TmpIsKTMCommitCoordinator | starts in SP1; discontinued in 6.2 |
As with most exported variables, TmEnlistmentObjectType , TmResourceMangerObjectType, TmTransactionManagerObjectType and TmTransactionObjectType are not themselves documented. Starting with the WDK for Windows 7, however, they get mentioned in the documentation of exported functions such as ObReferenceObjectByHandle from being intended as an argument.
| Function | Export History | Documentation History |
|---|---|---|
| WheaAddErrorSource | starts in SP1 | before 2019, declared |
| WheaGetErrorSource | starts in SP1 | |
| WheaRegisterErrSrcInitializer | discontinued in 6.1 | |
| WheaReportHwError | before 6.1, declared before 2019, declared documented start is 1903 |
Microsoft’s online documentation of WheaAddErrorSource is dated 19th August 2019 and I see no reason to disbelieve it. Curiously, the function is declared in the WDK for Windows Vista, but among WDK for versions that actually do export the function, the declaration appears only in NTOSP.H from early editions for Windows 10.
That documentation of WheaReportHwError was delayed until 2019 is more certain. Microsoft dates the documentation to 6th March 2019 and the function’s availability to the 1903 release. While undocumented, it was declared in NTDDK.H from the WDK for Windows Vista, specifically, and then the declaration disappeared except for the accidentally disclosed NTOSP.H.
| Function | Export History | Documentation History | Declaration History |
|---|---|---|---|
| ZwAllocateLocallyUniqueId | |||
| ZwAlpcAcceptConnectPort | |||
| ZwAlpcCancelMessage | |||
| ZwAlpcConnectPort | |||
| ZwAlpcCreatePort | |||
| ZwAlpcCreatePortSection | |||
| ZwAlpcCreateResourceReserve | |||
| ZwAlpcCreateSectionView | |||
| ZwAlpcCreateSecurityContext | |||
| ZwAlpcDeletePortSection | |||
| ZwAlpcDeleteResourceReserve | |||
| ZwAlpcDeleteSectionView | |||
| ZwAlpcDeleteSecurityContext | |||
| ZwAlpcDisconnectPort | |||
| ZwAlpcQueryInformation | |||
| ZwAlpcSendWaitReceivePort | |||
| ZwAlpcSetInformation | |||
| ZwCommitEnlistment | before 6.1, declared | ||
| ZwCommitTransaction | |||
| ZwCreateEnlistment | |||
| ZwCreateIoCompletion | |||
| ZwCreateKeyTransacted | before 6.1, declared | ||
| ZwCreateResourceManager | |||
| ZwCreateTransaction | |||
| ZwCreateTransactionManager | |||
| ZwEnumerateTransactionObject | before 6.1, declared | ||
| ZwFlushBuffersFile | |||
| ZwGetNotificationResourceManager | before 6.1, declared | ||
| ZwImpersonateAnonymousToken | |||
| ZwLoadKeyEx | |||
| ZwLockProductActivationKeys | |||
| ZwMarshallTransaction | discontinued in SP1 | ||
| ZwOpenEnlistment | |||
| ZwOpenKeyTransacted | before 6.1, declared | ||
| ZwOpenResourceManager | |||
| ZwOpenTransaction | |||
| ZwOpenTransactionManager | |||
| ZwPrePrepareEnlistment | before 6.1, declared | ||
| ZwPrepareComplete | before 6.1, declared | ||
| ZwPrepareEnlistment | before 6.1, declared | ||
| ZwPullTransaction | discontinued in SP1 | ||
| ZwQueryInformationEnlistment | |||
| ZwQueryInformationResourceManager | |||
| ZwQueryInformationTransaction | |||
| ZwQueryInformationTransactionManager | |||
| ZwQueryLicenseValue | |||
| ZwQueryVirtualMemory | before 10.0, undocumented before 2015-2018, declared |
declared start is 5.0 | |
| ZwRecoverEnlistment | before 6.1, declared | ||
| ZwRecoverResourceManager | |||
| ZwRecoverTransactionManager | |||
| ZwRemoveIoCompletion | |||
| ZwRemoveIoCompletionEx | |||
| ZwRequestPort | |||
| ZwRollbackEnlistment | before 6.1, declared | ||
| ZwRollbackTransaction | |||
| ZwSavepointComplete | discontinued in SP1 | ||
| ZwSavepointTransaction | discontinued in SP1 | ||
| ZwSetInformationEnlistment | |||
| ZwSetInformationTransaction | |||
| ZwUnloadKeyEx |
In WDK documentation for Windows 10 as integrated into Visual Studio 2015, documentation of NtQueryVirtualMemory (which is not a kernel export in any version) would link to a page for its Zw partner but the link is broken. The ZwQueryVirtualMemory function is documented today, 27th September 2020, at Microsoft’s website and has been at least since 30th April 2018, and there’s no reason to doubt Microsoft on this even though this documentation would have it that the function’s minimum availability is Windows 10.
| Function | Export History | Documentation History |
|---|---|---|
| _alloca_probe_16 | x86 only | |
| _alloca_probe_8 | x86 only | |
| _chkstk | x86 only | |
| _strtoui64 | ||
| _swprintf | ||
| _vswprintf | ||
| bsearch | ||
| psMUITest (data) |
The ancient KeIsExecutingDpc function was not at first taken up for export from the x64 kernel. It starts being exported from x64 builds in version 6.0.
Version 6.0 stops exporting a few functions (and variables). For each, the version in parentheses tells when exporting started.
As usual, none had yet been documented.
Two functions that continued at first as exports from the x64 kernel are not kept as exports from the x64 builds:
Both continue as x86 exports.