Geoff Chappell, Software Analyst
This page lists the functions and variables that are newly exported by name from the Windows kernel in its first release for version 6.3, i.e., for the original Windows 8.1.
For the table below, documentation status is summarised by colour coding so that more detail can be given as Remarks with less text. (If you read this website with scripts enabled, then hovering the mouse over any coloured text will produce a tooltip that shows why the text is coloured.) Functions that have their own non-trivial documentation are shown with no background colour. If the function is documented as reserved or obsolete, it is shaded red or shaded grey, respectively. Functions that appear to be completely undocumented are highlighted yellow. If a function is documented now but was not documented in the first contemporaneous Device Driver Kit (DDK), Windows Driver Kit (WDK) or Installable File System (IFS) Kit, then it is shaded yellow to retain some of its previous status. Many undocumented functions do at least have C-language declarations in one or another header file from the WDK. These are shaded orange, except for one special case. Some declarations are known only from “minwin” headers that Microsoft published in early editions of the WDK for Windows 10 which seem since to have been withdrawn. These are highlighted orange to indicate that public knowledge even of the declaration is exceptional.
Few of the new functions for version 6.3 appear in the documentation that Microsoft offered when saying “The Windows Driver Kit (WDK) is integrated with Microsoft Visual Studio” whether in 2014 for Windows 8.1 or even in 2015 for Windows 10. Some show in a search online today (29th February 2016).
| Name | Export History | Documentation History | Notes |
|---|---|---|---|
| DbgkWerCaptureLiveKernelDump | |||
| ExAcquireCacheAwarePushLockExclusiveEx | |||
| ExAcquireCacheAwarePushLockSharedEx | |||
| ExAcquirePushLockExclusiveEx | |||
| ExAcquirePushLockSharedEx | |||
| ExAllocateTimer | before 2013-2016, declared | ok | |
| ExCancelTimer | before 2013-2016, declared | ok | |
| ExCompositionObjectType (data) | |||
| ExDeleteTimer | before 2013-2016, declared | ok | |
| ExReleaseCacheAwarePushLockExclusiveEx | |||
| ExReleaseCacheAwarePushLockSharedEx | |||
| ExReleasePushLockEx | |||
| ExReleasePushLockExclusiveEx | |||
| ExReleasePushLockSharedEx | |||
| ExSetTimer | before 2013-2016, declared | ok | |
| ExTryAcquirePushLockExclusiveEx | |||
| ExTryAcquirePushLockSharedEx | |||
| ExTryConvertPushLockSharedToExclusiveEx | |||
| ExTryToAcquireResourceExclusiveLite | in 3.51 to 5.2, declared | doc: 3.51 etc decl: 3.51 etc |
|
| ExUnblockOnAddressPushLockEx | |||
| ExUnblockPushLockEx |
For the four functions that work with Executive Timer objects, the WDK documentation for Windows 8.1 and Windows 10 that Microsoft presents as “integrated” with successive editions of Visual Studio has a page titled ExXxxTimer Routines and EX_TIMER Objects that lists the functions, and even describes them, but the links to what might have been the documentation of the functions themselves are broken. Whether, or for how long, the supposedly same documentation online had this deficiency is not known, but each function’s documentation was seen to be available online in 2016.
| Name | Export History | Documentation History | Notes |
|---|---|---|---|
| FsRtlCheckUpperOplock | ok | ||
| FsRtlHeatInit | |||
| FsRtlHeatLogIo | |||
| FsRtlHeatLogTierMove | |||
| FsRtlHeatUninit | |||
| FsRtlInsertReservedPerFileContext | discontinued in 1809 | ||
| FsRtlInsertReservedPerStreamContext | discontinued in 1809 | ||
| FsRtlLookupReservedPerFileContext | discontinued in 1809 | ||
| FsRtlLookupReservedPerStreamContext | discontinued in 1809 | ||
| FsRtlRemoveReservedPerFileContext | discontinued in 1809 | ||
| FsRtlRemoveReservedPerStreamContext | discontinued in 1809 | ||
| FsRtlSendModernAppTermination | |||
| FsRtlUpperOplockFsctrl | ok | ||
| HvlQueryNumaDistance | declared start is 6.2 | ||
| InterlockedPushListSList | decl: 6.0 plus since 6.0, declared start is 5.1 |
||
| IoConvertFileHandleToKernelHandle | |||
| IoGetGenericIrpExtension | |||
| IoLoadCrashDumpDriver | x64 only | ||
| IoPropagateIrpExtension | |||
| IoQueryFullDriverPath | before 2015-2016, declared | ok | |
| IoSetGenericIrpExtension | |||
| IoSizeofGenericIrpExtension | |||
| IoTestDependency | |||
| KdAcquireDebuggerLock | |||
| KdDeregisterPowerHandler | |||
| KdRegisterPowerHandler | |||
| KdReleaseDebuggerLock | |||
| KeClockInterruptNotify | |||
| KeClockTimerPowerChange | |||
| KeFindFirstSetRightAffinityEx | |||
| KeGetClockOwner | |||
| KeGetClockTimerResolution | |||
| KeGetNextClockTickDuration | |||
| KeRemoveQueueDpcEx | ok | ||
| KitLogFeatureUsage | |||
| MmCopyMemory | before 2015-2016, declared | ok | |
| MmGetCacheAttribute | ok | ||
| MmMdlPagesAreZero | ok | ||
| PoFxPowerOnCrashdumpDevice | before 10.0, declared | ok | |
| PoFxRegisterCrashdumpDevice | beofre 10.0, declared | ok | |
| PsGetProcessProtection | |||
| PsIsProtectedProcessLight | |||
| RtlAvlInsertNodeEx | |||
| RtlAvlRemoveNode | |||
| RtlGetAppContainerParent | |||
| RtlGetAppContainerSidType | |||
| RtlImageNtHeaderEx | |||
| RtlInterlockedClearBitRun | |||
| RtlInterlockedSetBitRun | |||
| RtlInterlockedSetClearRun | |||
| SeAdjustAccessStateForTrustLabel | ok | ||
| SeGetCachedSigningLevel | |||
| SeIsParentOfChildAppContainer | |||
| SeRegisterImageVerificationCallback | ok | ||
| SeShouldCheckForAccessRightsFromParent | ok | ||
| SeUnregisterImageVerificationCallback | ok | ||
| VfInsertContext | |||
| VfQueryDeviceContext | |||
| VfQueryDispatchTable | |||
| VfQueryDriverContext | |||
| VfQueryIrpContext | |||
| VfQueryThreadContext | |||
| VfRemoveContext | |||
| ZwAssociateWaitCompletionPacket | |||
| ZwCancelIoFileEx | |||
| ZwCreateWaitCompletionPacket | |||
| ZwLockVirtualMemory | |||
| ZwProtectVirtualMemory | |||
| ZwQuerySystemInformationEx |
Version 6.3 discontinues notably many exports, none of which are known ever to have been documented or declared. For each, the version in parentheses tells when exporting started: