API-MS-Win-Core-Synch-L1-1-0

All functions in the API-MS-Win-Core-Synch-L1-1-0 set are documented exports from KERNEL32:

• AcquireSRWLockExclusive
• AcquireSRWLockShared
• CancelWaitableTimer
• CreateEventA
• CreateEventW
• CreateEventExA
• CreateEventExW
• CreateMutexA
• CreateMutexW
• CreateMutexExA
• CreateMutexExW
• CreateSemaphoreExW
• CreateWaitableTimerExW
• DeleteCriticalSection
• EnterCriticalSection
• InitializeCriticalSection
• InitializeCriticalSectionAndSpinCount
• InitializeCriticalSectionEx
• InitializeSRWLock
• LeaveCriticalSection
• OpenEventA
• OpenEventW
• OpenMutexW
• OpenProcess
• OpenSemaphoreW
• OpenWaitableTimerW
• ReleaseMutex
• ReleaseSRWLockExclusive
• ReleaseSRWLockShared
• ReleaseSemaphore
• ResetEvent
• SetCriticalSectionSpinCount
• SetEvent
• SetWaitableTimer
• SetWaitableTimerEx
• SleepEx
• TryAcquireSRWLockExclusive
• TryAcquireSRWLockShared
• TryEnterCriticalSection
• WaitForMultipleObjectsEx
• WaitForSingleObject
• WaitForSingleObjectEx

For most of these functions, the implementations in KERNEL32 version 6.1 and higher are just stubs which transfer the handling to wherever the schema redirects the API Set. The exceptions are:

• AcquireSRWLockExclusive,
• AcquireSRWLockShared,
• DeleteCriticalSection,
• EnterCriticalSection,
• InitializeCriticalSection,
• InitializeSRWLock,
• LeaveCriticalSection,
• ReleaseSRWLockExclusive,
• ReleaseSRWLockShared,
• SetCriticalSectionSpinCount,
• TryAcquireSRWLockExclusive,
• TryAcquireSRWLockShared,
• TryEnterCriticalSection,

which are each forwarded to a corresponding NTDLL function; and

• SetWaitableTimerEx, which is forwarded to API-MS-Win-Core-ThreadPool-L1-1-0, i.e., to a different API Set;
• WaitForMultipleObjectsEx, for which KERNEL32 wraps substantial code around its transfer to the API Set;
• WaitForSingleObject and WaitForSingleObjectEx, for which KERNEL32 pre-processes its transfer to the API Set.

The handling of SetWaitableTimerEx is surely a bug in one way or another, but inspection just of the executable files can’t tell which way. It seems more plausible that the function is meant to be in this API Set, with the other functions for waitable timers, and that KERNEL32 somehow has its forward wrong.

New Locations

For each function that KERNEL32 version 6.1 transfers to the API Set, a non-trivial implementation is exported from KERNELBASE version 6.1 and higher.

All the functions that KERNEL32 forwards to an NTDLL function are also exported from KERNELBASE version 6.1 and higher, also as forwards to the NTDLL function.

Schema Redirection

The Windows 7 schema redirects this API Set to KERNEL32, except that when KERNEL32 itself imports from the API Set, the redirection is to KERNELBASE. Thus:

• high-level executables, which do not use the API Set, continue to import these functions from KERNEL32;
• low-level executables have their imports from the API Set redirected to KERNEL32;
• stub implementations in KERNEL32 import from underlying implementations in KERNELBASE.