Kernel Exports Added for Version 6.1

The large table on this page lists the 232 exports that were added to the Windows kernel in its first release for version 6.1, i.e., for the original Windows 7 and Windows Server 2008 R2.

Also listed is the one addition for Windows 7 SP1. Be aware, however, that this covers Windows 7 SP1 only as it was formally released all the way back in 2010. Perhaps because of customer resistance to Windows 8, Windows 8.1 and even to Windows 10, Microsoft kept Windows 7 in active distribution for most of a decade with all fixes and other updates counting as Windows 7 SP1. Functions that this study lists as newly exported from later versions are back-fitted into these post-release builds which, for better or worse, fall outside the scope of this study because Microsoft never raised them to the formal significance of a service pack.

For the table below, documentation status is summarised by colour coding so that more detail can be given as Remarks with less text. (If you read this website with scripts enabled, then hovering the mouse over any coloured text will produce a tooltip that shows why the text is coloured.) Functions that have their own non-trivial documentation are shown with no background colour. If the function is documented as reserved or obsolete, it is shaded red or shaded grey, respectively. Functions that appear to be completely undocumented are highlighted yellow. If a function is documented now but was not documented in the first contemporaneous Device Driver Kit (DDK), Windows Driver Kit (WDK) or Installable File System (IFS) Kit, then it is shaded yellow to retain some of its previous status. Many undocumented functions do at least have C-language declarations in one or another header file from the WDK. These are shaded orange, except for one special case. Some declarations are known only from “minwin” headers that Microsoft published in early editions of the WDK for Windows 10 which seem since to have been withdrawn. These are highlighted orange to indicate that public knowledge even of the declaration is exceptional.

Function Documentation History
CcCoherencyFlushAndPurgeCache  
CcCopyWriteWontFlush  

Though CcCopyWriteWontFlush is not an exported function until version 6.1, the IFS Kit for Windows 2000 defines it by macro and documents it.

Function Documentation History
CmKeyObjectType (data) since 6.2, indirectly documented

As with most exported variables, CmKeyObjectType is not itself documented. It does, however, get mentioned in documentation of ObOpenObjectByPointer, for which it can be given as an argument.

Function Export History Documentation History Declaration History
DbgkLkmdRegisterCallback      
DbgkLkmdUnregisterCallback      
EtwWriteEx   before 6.3, declared  
ExQueryAttributeInformation discontinued in 6.3    
ExRegisterAttributeInformationCallback discontinued in 6.3    
ExRegisterExtension      
ExSetResourceOwnerPointerEx      
ExUnregisterAttributeInformationCallback discontinued in 6.3    
ExUnregisterExtension      
FsRtlAreThereCurrentOrInProgressFileLocks   before 6.2, declared  
FsRtlCurrentOplockH      
FsRtlGetVirtualDiskNestingLevel     declared start is 6.0
FsRtlInitializeExtraCreateParameter   before 6.1 revision, declared  
FsRtlInitializeExtraCreateParameterList   before 6.1 revision, declared  
FsRtlOplockBreakH      
FsRtlOplockBreakToNoneEx      
FsRtlOplockFsctrlEx      
FsRtlOplockIsSharedRequest      
FsRtlOplockKeysEqual      
FsRtlQueryMaximumVirtualDiskNestingLevel     declared start is 6.0
IoAdjustStackSizeForRedirection      
IoGetAffinityInterrupt      
IoGetContainerInformation      
IoGetDeviceNumaNode      
IoGetOplockKeyContext   before 6.2, undocumented  
IoRegisterContainerNotification      
IoRegisterFsRegistrationChangeMountAware   before 6.2, declared  
IoRegisterPriorityCallback      
IoReplaceFileObjectName      
IoReportRootDevice   before 6.2, undocumented
documented start is 6.2
 
IoSetFileObjectIgnoreSharing   before 6.2, declared  
IoSetOplockKeyContext discontinued in 6.2    
IoUnregisterContainerNotification      
IoUnregisterPlugPlayNotificationEx      
IoUnregisterPriorityCallback      
KeAddGroupAffinityEx      
KeAddProcessorAffinityEx      
KeAddProcessorGroupAffinity      
KeAllocateCalloutStackEx      
KeAndAffinityEx      
KeAndGroupAffinityEx      
KeCheckProcessorAffinityEx      
KeCheckProcessorGroupAffinity      
KeComplementAffinityEx      
KeCopyAffinityEx      
KeCountSetBitsAffinityEx      
KeCountSetBitsGroupAffinity      
KeEnumerateNextProcessor      
KeFindFirstSetLeftAffinityEx      
KeFindFirstSetLeftGroupAffinity      
KeFindFirstSetRightGroupAffinity      
KeFirstGroupAffinityEx      
KeGetCurrentNodeNumber      
KeGetCurrentProcessorNumberEx      
KeGetProcessorIndexFromNumber      
KeGetProcessorNumberFromIndex      
KeGetXSaveFeatureFlags      
KeInitializeAffinityEx      
KeInitializeEnumerationContext      
KeInitializeEnumerationContextFromGroup      
KeInterlockedClearProcessorAffinityEx      
KeInterlockedSetProcessorAffinityEx      
KeIsEmptyAffinityEx      
KeIsEqualAffinityEx      
KeIsSingleGroupAffinityEx      
KeIsSubsetAffinityEx      
KeOrAffinityEx      
KePollFreezeExecution x86 only    
KeProcessorGroupAffinity      
KeQueryActiveGroupCount      
KeQueryActiveProcessorAffinity      
KeQueryActiveProcessorCountEx      
KeQueryGroupAffinity      
KeQueryGroupAffinityEx      
KeQueryHardwareCounterConfiguration      
KeQueryHighestNodeNumber      
KeQueryLogicalProcessorRelationship      
KeQueryMaximumGroupCount      
KeQueryMaximumProcessorCountEx      
KeQueryNodeActiveAffinity      
KeQueryNodeMaximumProcessorCount      
KeQueryUnbiasedInterruptTime      
KeRemoveGroupAffinityEx      
KeRemoveProcessorAffinityEx      
KeRemoveProcessorGroupAffinity      
KeRestoreExtendedProcessorState      
KeRevertToUserGroupAffinityThread      
KeSaveExtendedProcessorState      
KeSetCoalescableTimer      
KeSetHardwareCounterConfiguration      
KeSetSystemGroupAffinityThread      
KeSetTargetProcessorDpcEx      
KeSubtractAffinityEx      
NtCreateTransactionManager   before 6.2, reserved
documented start is 6.0
declared start is 6.0
NtOpenTransactionManager   before 6.2, reserved
documented start is 6.0
declared start is 6.0
NtPrePrepareComplete   before 6.2, reserved
documented start is 6.0
declared start is 6.0
NtPropagationComplete     declared start is 6.0
NtPropagationFailed     declared start is 6.0
NtQuerySecurityAttributesToken      
NtQuerySystemInformationEx      
NtReadOnlyEnlistment   before 6.2, reserved
documented start is 6.0
declared start is 6.0
NtRecoverEnlistment   before 6.2, reserved
documented start is 6.0
declared start is 6.0
NtRecoverResourceManager   before 6.2, reserved
documented start is 6.0
declared start is 6.0
NtRecoverTransactionManager   before 6.2, reserved
documented start is 6.0
declared start is 6.0
NtRollbackComplete   before 6.2, reserved
documented start is 6.0
declared start is 6.0
NtSetInformationToken   before 6.2, reserved declared start is 5.1

Documentation in the WDK for Windows 7 gives each Nt function its own page but only to direct attention to the more substantial page for the corresponding Zw function. The latter might be thought to count for both, except that the former warns expressly “Do not call this routine from kernel-mode code.” This is here taken as documenting the Nt functions as reserved for kernel-mode use (which is this survey’s focus). Microsoft loosened the text significantly for Windows 8 to note that the Nt and Zw versions “can behave differently”, which is here taken as formally permitting their use, such that they are no longer documented as reserved.

Not shown above, but hinted at, is that most of these Nt functions have earlier history. The affected functions work with the Transaction Manager which was a new feature for Windows Vista. Very plausibly they were meant to be exported from the kernel in Windows Vista but were overlooked. All are user-mode exports from NTDLL in Windows Vista. All are declared in the WDM.H from the WDK for Windows Vista. For most, the corresponding Zw function is exported from the version 6.0 kernel and is documented in the WDK for Windows Vista. But as Nt functions, none are exported from the kernel until Windows 7, no matter how much the subsequent documentation and declarations may lead anyone to think otherwise.

Function Export History Documentation History Declaration History
ObDereferenceObjectDeferDeleteWithTag      
ObGetObjectType      
ObOpenObjectByPointerWithTag      
ObQueryNameInfo      
ObReferenceObjectByHandleWithTag      
ObReferenceObjectByPointerWithTag      
ObfDereferenceObjectWithTag      
ObfReferenceObjectWithTag      
PcwAddInstance      
PcwCloseInstance      
PcwCreateInstance      
PcwRegister      
PcwUnregister      
PoClearPowerRequest      
PoCreatePowerRequest      
PoDeletePowerRequest      
PoEndDeviceBusy      
PoQueryWatchdogTime      
PoSetPowerRequest      
PoStartDeviceBusy      
RtlCompareUnicodeStrings     since 6.0, declared start is 5.0
RtlContractHashTable      
RtlCreateHashTable      
RtlDeleteHashTable      
RtlDowncaseUnicodeChar   documented start is 5.1 since 6.0, declared start is 5.1
RtlEndEnumerationHashTable      
RtlEndWeakEnumerationHashTable      
RtlEnumerateEntryHashTable      
RtlEthernetAddressToStringA   SDK  
RtlEthernetAddressToStringW   SDK  
RtlEthernetStringToAddressA   SDK  
RtlEthernetStringToAddressW   SDK  
RtlExpandHashTable      
RtlFillMemoryUlonglong x86 only   since 6.0, declared start is 5.1
RtlFindAceByType      
RtlGetEnabledExtendedFeatures   in 6.2 to 1511, documented but not declared  
RtlGetLastRange   in 5.0 to 5.2, declared  
RtlGetNextEntryHashTable      
RtlInitEnumerationHashTable      
RtlInitWeakEnumerationHashTable      
RtlInsertEntryHashTable      
RtlLoadString      
RtlLookupEntryHashTable      
RtlOwnerAcesPresent      
RtlRemoveEntryHashTable      
RtlReplaceSidInSd      
RtlUTF8ToUnicodeN      
RtlUnicodeToUTF8N      
RtlWeaklyEnumerateEntryHashTable      

Though RtlCompareUnicodeStrings is not exported from the kernel until version 6.1, it is declared in WDM.H as early as the WDK for Windows Vista. It is present in the version 6.0 kernel as an internal routine. Its user-mode export from NTDLL begins in version 6.0 too.

Another with earlier history is RtlDowncaseUnicodeChar. Not only is it declared in the WDM.H from the WDK for Windows Vista, it is documented too. Moreover, the declaration has earlier history, but in NTDDK.H, back to the DDK for Windows XP. It is indeed present in the version 5.1 kernel as an internal routine and is a user-mode export from NTDLL back then too, but it never was available to the programmers of kernel-mode drivers that hope to run on Windows XP.

The four functions for converting Ethernet addresses to and from text are not formally documented for use in kernel mode, only as user-mode exports from NTDLL. They are declared in IP2STRING.H, which is supplied with every WDK starting with Windows 7. A comment at the top is explicit that this header’s declared routines are “callable by both kernel mode code in the executive and user mode code in various NT subsystems.” A reorganisation for Windows 8 places the header in the “shared” subdirectory.

The unusually lengthy and specific description that Microsoft presents for RtlFillMemoryUlonglong starting with the WDK for Windows 7 comes about, of course, as a correction. The function is documented as long ago as the IFS Kit for Windows 2000 but no contemporaneous header is known to mention it. How it was treated in the IFS Kit for Windows XP or for Windows Server 2003 is not known, but in the WDK for Windows Vista the function is said straightforwardly to be “available on Microsoft Windows 2000 and later.” What’s in the corresponding NTIFS.H is a macro for the amd64 architecture and a declaration for others. But there is no exported function for the declaration to refer to. Neither is resolution available from any statically linked library that’s supplied with the WDK. One inference is that its export in version 6.1 and higher is itself a correction. The function is present even in the x86 kernel for version 5.0 but only as an internal routine. Perhaps it was meant to be exported all along.

Declaration of RtlGetEnabledExtendedFeatures disappears from WDM.H as early as the WDK for Windows 8. Early editions of the WDK for Windows 10 have it in a new header, named XSTATEAPI.H, in the “minwin” subdirectory. Aside from being plainly intended only for user-mode programming, the header won’t compile without headers (such as NTRTL.H) that the WDK omits and that Microsoft is not known ever to have published openly. In the WDK for the 1607 release, the subdirectory is gone and the function’s declaration is restored to the usual headers, though now it’s in NTDDK.H.

The RtlGetLastRange function is a late addition to a curious set of functions that are first exported from version 5.0. All, including this addition, were initially declared in NTDDK.H. Come the WDK for Windows Vista, the declarations disappeared and the functions now look to be undocumented except to historians. The addition is not wholly an addition. It is newly exported in version 6.1 but it’s present in the version 5.0 kernel as an internal routine. Most plausibly, it was meant to be exported all along. That it’s added to the exports years later suggests that the set still has some use. Further study may be justified.

Function Export History Documentation History Declaration History
SeAccessCheckEx      
SeAccessCheckWithHint      
SeAuditingAnyFileEventsWithContext      
SeAuditingWithTokenForSubcategory      
SeQuerySecurityAttributesToken      
SeSetSecurityAttributesToken      
SeSrpAccessCheck      

The SeAuditingWithTokenForSubcategory function is shown above as having no published declaration except from the “minwin” subdirectory in early editions of the WDK for Windows 10, but this is not quite true. What’s not shown above, because it predates the function’s export, is that it was declared in NTIFS.H from the WDK for Windows Vista. It is present in the corresponding kernel but only as an internal routine. Perhaps it was meant to be exported but didn’t actually get exported.

Function Export History Documentation History
WheaAttemptPhysicalPageOffline x64-only before 1703  
WheaConfigureErrorSource   before 2019, declared
WheaDeferredRecoveryService x64 only  
WheaInitializeDeferredRecoveryObject x64 only  
WheaInitializeRecordHeader   before 2019, declared
WheaRequestDeferredRecovery x64 only  

Microsoft’s online documentation of WheaConfigureErrorSource and WheaInitializeRecordHeader is dated 19th August 2019 and I see no reason to disbelieve it.

Function Export History Documentation History Notes
ZwCommitComplete   documented start is 6.0 decl: 6.0
since 6.0, declared start is 6.0
ZwLockFile     decl: 6.0
since 6.0, declared start is 6.0
ZwNotifyChangeSession      
ZwOpenKeyEx     ok
ZwOpenKeyTransactedEx     ok
ZwOpenSession      
ZwPrePrepareComplete   documented start is 6.0 decl: 6.0
since 6.0, declared start is 6.0
ZwPropagationComplete      
ZwPropagationFailed      
ZwQueryQuotaInformationFile     decl: 6.0
since 6.0, declared start is 6.0
ZwQuerySecurityAttributesToken      
ZwReadOnlyEnlistment   documented start is 6.0 decl: 6.0
since 6.0, declared start is 6.0
ZwRenameKey starts in SP1    
ZwRollbackComplete   documented start is 6.0 decl: 6.0
since 6.0, declared start is 6.0
ZwSetInformationResourceManager   documented start is 6.0 doc: 6.0
reserved: 6.1 plus
since 6.0, declared start is 6.0
ZwSetInformationToken     doc: 6.0 (start is 5.1)
decl: 6.0
in 6.0 only, declared start is 6.0
ZwSetQuotaInformationFile     doc: 6.0 (start is 5.1)
decl: 6.0
since 6.0, declared start is 6.0
ZwSetTimerEx      
ZwTraceEvent      
ZwUnlockFile     decl: 6.0
since 6.0, declared start is 6.0

Though Microsoft places its documentation of the Zw functions in the WDK, not the SDK, and directs programmers to include kernel-mode headers such as WDM.H, NTDDK.H and NTIFS.H, neither the headers nor the documentation distinguish very much between kernel-mode and user-mode programming.

Though ZwRenameKey is not exported from the kernel until SP1, the original release of version 6.1 has it as an internal routine and it is declared in WDM.H from the WDK for Windows 7. Was it meant to have been exported from the original?

Function Export History Documentation History
_i64toa_s    
_i64tow_s    
_itoa_s    
_itow_s    
_ltoa_s    
_ltow_s    
_makepath_s    
_snprintf_s    
_snscanf_s    
_snwprintf_s    
_snwscanf_s    
_splitpath_s    
_strnset_s    
_strset_s    
_ui64toa_s    
_ui64tow_s    
_ultoa_s    
_ultow_s    
_vsnprintf_s    
_vsnwprintf_s    
_wcsnset_s    
_wcsset_s    
_wmakepath_s    
_wsplitpath_s    
_wtoi    
_wtol    
memcpy_s    
memmove_s    
sprintf_s    
sscanf_s    
strcat_s    
strcpy_s    
strncat_s    
strncpy_s    
strnlen    
strtok_s    
swprintf_s    
swscanf_s    
vsprintf_s    
vswprintf_s    
wcscat_s    
wcscpy_s    
wcsncat_s    
wcsncpy_s    
wcsnlen    
wcstoul    

 

Discontinued

In version 6.1 the kernel stops exporting a few functions. For each, the version in parentheses tells when the function was first exported:

Discontinuation of PsChargeProcessCpuCycles is selective. As of version 6.1, it is no longer an export from the x64 kernel. Another way to put it is that it becomes an x86-only export in version 6.1 ahead of its discontinuation by version 6.2.