Geoff Chappell - Software Analyst
Whether or not NTDLL belongs to the Win32 subsystem particularly or is more generally the kernel’s user-mode face for supporting all subsystems, it is indisputably on the user-mode side of the boundary with kernel mode. The highest-level functionality in kernel mode is also the lowest-level functionality in user mode. This functionality is sometimes called the native API. Its functions are described as native system services in Microsoft’s documentation for device driver programming and are sometimes referred to just as system calls.
The extra qualification as native has significance, however. Ever since version 3.51 (and explicitly not before), the kernel has allowed for multiple distinct sets of system services: at first four, but limited to two starting with version 5.2 in the build for Windows 2003 SP1. The first of these sets is native. The second supports user-mode communication with WIN32K.SYS, which surely is important but is just as surely not native.
The native API functions are distinguished by names that begin with Nt or Zw. They are exported from NTDLL in user mode and from the NTOSKRNL module (i.e., the kernel, whatever its filename) in kernel mode, though not all functions are exported in both modes or with both prefixes. Indeed, very many are exported only in user mode even as late as Windows 10, some two decades after the first 32-bit Windows that doesn’t run as an MS-DOS program. Many more were exported only in user mode to begin with, until their usefulness for kernel-mode programming (at least for Microsoft’s) was compelling enough that they became kernel-mode exports too.
As user-mode exports, the native API functions tend to be known by their Nt prefix (for reasons given below). They are mostly undocumented, in part for the obviously good reason that their functionality is better reached through the documented functions of the Win32 API. Documented or not, they have long attracted the attention of various sorts of programmers for good reasons and bad. Among the bad must be counted hackers, not just malware writers but some programmers of security tools too, who by-pass the documented Win32 APIs in the hope of doing their otherwise more or less ordinary work without being readily detected. Even some of Microsoft’s own programmers, not only of low-level user-mode software such as services but also of so-called middleware, could not resist the siren call of the native API, such that Microsoft felt compelled in 2002 to document some of the API for user-mode programming, albeit with warnings.
The suggestion seems strong, then, that the native API functions exist to be called from user mode even if most user-mode software would better not call them. Yet where these notes document native API functions they do so in the Kernel section. Why?
The reason is that the kernel is where these functions are coded. Even if the function is exported only in user mode, NTDLL has none of the implementation. Though the native API functions are NTDLL exports, NTDLL provides nothing more than one or another type of stub for the transition to kernel mode. For other NTDLL exports, I do (or mean to) place my documentation of them here with NTDLL because even if most of their work, e.g., to create a file, is ultimately done in kernel mode, NTDLL provides at least some non-trivial pre- or post-processing. But for whatever native API functions I yet document, look in the Kernel section. Here, there are just these general notes.
If a native API function is exported in user mode, which almost all are, then with only one exception NTDLL exports it in both the Nt and Zw forms, which are aliases. This user-mode function is just a stub to effect a transition to kernel mode for the real handling. It is there picked up by a routine whose name has the Nt prefix. In kernel mode, the Nt and Zw names are not aliases. The Nt function has the substantial implementation. It may be exported from the kernel, but more likely is not. Indeed, most of these Nt routines exist only to service the corresponding user-mode functionality. If the functionality is exposed in kernel mode for use from outside the kernel, e.g., from drivers, there may instead (or also) be an export with the Zw prefix. This is a stub which simulates a transition from user mode to kernel mode, ending up in the kernel’s Nt routine, except for recording that the call actually originated in kernel mode.
The clearly intended usage is that user-mode clients will call the functions whose names have the Nt prefix and kernel-mode clients will call the Zw functions. If everyone sticks to this, then the underlying Nt routine in kernel mode can reliably distinguish whether it is executing for a kernel-mode or user-mode caller. Though it doesn’t matter which of the Nt and Zw forms is called in user mode, since they are just aliases there, calling the wrong one in kernel mode can bring surprises.
Of particular importance is that user-mode requests are subject to the natural distrust that everything executing in kernel mode must have for any parameters, but especially addresses, that can possibly have originated in user mode. As user-mode calls to an Nt or Zw function make the transition to kernel mode, the thread’s so-called previous mode—actually named PreviousMode in the KTHREAD—is set to UserMode (1) and the kernel-mode Nt routine then knows to distrust all parameters.
What distrust means in general is that all addresses, whether given as arguments or passed indirectly in structures whose addresses are given as arguments, must be in user-mode address space, are typically also subject to alignment requirements, and may have to be writable even if it turns out that there’s nothing to write. All access through these addresses, whether for reading or writing, is done with exception handling. Where data at these addresses is to be read as input for kernel-mode processing, the kernel captures a copy to validate and then work from so that it is not vulnerable to the user-mode caller changing the data after validation.
Good practice in user mode is to avoid these functions. Instead, call them indirectly through Win32 API functions, even if undocumented. Know about the underlying native function, as much as it helps to understand the higher-level wrapping, but keep to the higher level for real-world use unless you have a very good reason not to.
A kernel-mode call to the Zw form goes through a stub that directs the handling to the same Nt routine as from user mode, but with the previous mode set to KernelMode (0). It will then be handled as if trusted. The usual case will be that some kernel-mode caller forms a request for its own purposes, with parameters that are in kernel-mode address space and will remain meaningful if the handling switches to an arbitrary thread. For this, the Zw call is natural and appropriate.
It is not of itself unsound to call a Zw function with arguments that are user-mode addresses, but since these addresses will all be trusted, the caller has the entire responsibility for whatever might get done with those user-mode addresses.
By contrast, a kernel-mode call to the Nt form, if it is exported, passes through no stub. It goes directly to the internal handling. The previous mode is unchanged. The call may be handled as trusted or not. The caller had better know which. The kernel-mode caller of an Nt function has the responsibility of knowing the previous mode. It is generally better to call the Zw function, but there are two notable cases where the Nt function has the edge.
If the previous mode is KernelMode, as when the caller is handling a kernel-mode request, then calling the Nt function is effectively the same as calling the Zw function except for being faster and using less stack. The efficiency makes it irresistable to some programmers, and indeed the use of less stack means that calling the Nt function actually is safer, e.g., for re-entrant file I/O by file system filter drivers. However, the caller must be certain that the previous mode truly is KernelMode. Get this wrong and the kernel-mode addresses that would be perfectly fine as parameters for a call to the Zw function will instead be rejected by the Nt function.
Calling the Nt function can also be right when the previous mode is UserMode. Here, the kernel-mode caller knows it is handling a user-mode request and wants its own further operations to continue being treated as user-mode requests. One reason, though probably rare in drivers such as can be added by third-party programmers, is that it will pass user-mode addresses to those operations. Another is that it truly does want access rights and privileges within those operations to be evaluated as if for a user-mode request.
As noted above, not all system functions are exported in both user mode and kernel mode, and not all are exported with both the Nt and Zw prefixes. The following table lists the modes and prefixes, and summarises the applicable Windows versions. Where user or kernel is shown without parentheses, infer that the function is exported in that mode with both prefixes in the corresponding versions. If a function is exported in both modes using both prefixes, it is shown as all.
Also given the shorthand all is any function that is exported in all known versions all the way back to Windows NT 3.10.
Not one NT API function is exported with the Zw prefix unless it is also exported with the Nt prefix. In user mode, only one is not exported with both prefixes. This exceptional case is NtGetTickCount: both it and ZwGetTickCount were dropped as exports for Windows XP but only the latter stayed dropped.
One other function, named NtCurrentTeb, is also exported from NTDLL only with the Nt prefix, and only then in x86 builds, but it is not included below because although its name starts with Nt, it is not handled through a transition to kernel mode and is not regarded here as a native API function. Two functions are exported in kernel mode with the Nt prefix only and not at all in user mode. They are NtGetEnvironmentVariableEx and NtQueryEnvironmentVariableInfoEx. They are here treated as being not actually intended as native API functions. Also omitted from the table, if only for now, are nearly two dozen user-mode functions that NTDLL exports with both the Nt and Zw prefixes, but only from the wow64 builds. These are meant to look in some sense like native API functions, yet they are not.
Note that many native API functions that are exported in kernel mode were not always. Many were first exported with one prefix but only much later with the other. What governs Microsoft’s thinking about which functions are also exposed for use in kernel mode but from outside the kernel is anyone’s guess. It seems at least plausible, however, that these functions are intended first as user-mode exports and then get exported in kernel mode as and when Microsoft discovers a need for Microsoft’s purposes.
| Function | Modes and Prefixes | Versions |
|---|---|---|
| NtAcceptConnectPort | user | all |
| NtAccessCheck | user | all |
| NtAccessCheckAndAuditAlarm | user; kernel (Zw) |
all |
| NtAccessCheckByType | user | 5.0 and higher |
| NtAccessCheckByTypeAndAuditAlarm | user | 5.0 and higher |
| NtAccessCheckByTypeResultList | user | 5.0 and higher |
| NtAccessCheckByTypeResultListAndAuditAlarm | user | 5.0 and higher |
| NtAccessCheckByTypeResultListAndAuditAlarmByHandle | user | 5.0 and higher |
| NtAcquireCMFViewOwnership | user | 6.0 only |
| NtAddAtom | user; kernel (Nt) |
4.0 and higher |
| NtAddAtomEx | user | 6.2 and higher |
| NtAddBootEntry | user; kernel (Zw) |
5.1 and higher |
| NtAddDriverEntry | user; kernel (Zw) |
5.2 and higher |
| NtAdjustGroupsToken | user | all |
| NtAdjustPrivilegesToken | user; kernel (Nt) |
all |
| kernel (Zw) | 5.0 and higher | |
| NtAdjustTokenClaimsAndDeviceGroups | user | 6.2 and higher |
| NtAlertResumeThread | user | all |
| NtAlertThread | user | all |
| kernel (Zw) | 3.51 and higher | |
| NtAlertThreadById | user | 6.2 and higher |
| NtAllocateLocallyUniqueId | user; kernel (Nt) |
all |
| kernel (Zw) | 6.0 and higher | |
| NtAllocateReserveObject | user | 6.1 and higher |
| NtAllocateUserPhysicalPages | user | 5.0 and higher |
| NtAllocateUuids | user; kernel (Nt) |
3.51 and higher |
| NtAllocateVirtualMemory | all | all |
| NtAlpcAcceptConnectPort | user; kernel (Zw) |
6.0 and higher |
| NtAlpcCancelMessage | user; kernel (Zw) |
6.0 and higher |
| NtAlpcConnectPort | user; kernel (Zw) |
6.0 and higher |
| NtAlpcConnectPortEx | user; kernel (Zw) |
6.2 and higher |
| NtAlpcCreatePort | user; kernel (Zw) |
6.0 and higher |
| NtAlpcCreatePortSection | user; kernel (Zw) |
6.0 and higher |
| NtAlpcCreateResourceReserve | user; kernel (Zw) |
6.0 and higher |
| NtAlpcCreateSectionView | user; kernel (Zw) |
6.0 and higher |
| NtAlpcCreateSecurityContext | user; kernel (Zw) |
6.0 and higher |
| NtAlpcDeletePortSection | user; kernel (Zw) |
6.0 and higher |
| NtAlpcDeleteResourceReserve | user; kernel (Zw) |
6.0 and higher |
| NtAlpcDeleteSectionView | user; kernel (Zw) |
6.0 and higher |
| NtAlpcDeleteSecurityContext | user; kernel (Zw) |
6.0 and higher |
| NtAlpcDisconnectPort | user; kernel (Zw) |
6.0 and higher |
| NtAlpcImpersonateClientContainerOfPort | user | 10.0 and higher |
| NtAlpcImpersonateClientOfPort | user | 6.0 and higher |
| NtAlpcOpenSenderProcess | user | 6.0 and higher |
| NtAlpcOpenSenderThread | user | 6.0 and higher |
| kernel (Zw) | 10.0 and higher | |
| NtAlpcQueryInformation | user; kernel (Zw) |
6.0 and higher |
| NtAlpcQueryInformationMessage | user | 6.0 and higher |
| kernel (Zw) | 10.0 and higher | |
| NtAlpcRevokeSecurityContext | user | 6.0 and higher |
| NtAlpcSendWaitReceivePort | user; kernel (Zw) |
6.0 and higher |
| NtAlpcSetInformation | user; kernel (Zw) |
6.0 and higher |
| NtApphelpCacheControl | user | 5.2 and higher |
| NtAreMappedFilesTheSame | user | 5.0 and higher |
| NtAssignProcessToJobObject | user | 5.0 and higher |
| kernel (Zw) | 5.1 and higher | |
| NtAssociateWaitCompletionPacket | user | 6.2 and higher |
| kernel (Zw) | 6.3 and higher | |
| NtCallbackReturn | user | 3.51 and higher |
| NtCancelDeviceWakeupRequest | user | 5.0 to 6.0 |
| NtCancelIoFile | user | all |
| kernel (Zw) | 5.0 and higher | |
| NtCancelIoFileEx | user | 6.0 and higher |
| kernel (Zw) | 6.3 and higher | |
| NtCancelSynchronousIoFile | user | 6.0 and higher |
| NtCancelTimer | user | all |
| kernel (Zw) | 5.0 and higher | |
| NtCancelTimer2 | user | 6.3 and higher |
| NtCancelWaitCompletionPacket | user | 6.2 and higher |
| NtClearAllSavepointsTransaction | user; kernel (Nt) |
6.0 before SP1 |
| NtClearEvent | user; kernel (Zw) |
3.50 and higher |
| NtClearSavepointTransaction | user; kernel (Nt) |
6.0 before SP1 |
| NtClose | all | all |
| NtCloseObjectAuditAlarm | user; kernel (Zw) |
all |
| NtCommitComplete | user; kernel (Nt) |
6.0 and higher |
| kernel (Zw) | 6.1 and higher | |
| NtCommitEnlistment | all | 6.0 and higher |
| NtCommitTransaction | all | 6.0 and higher |
| NtCompactKeys | user | 5.1 and higher |
| NtCompareObjects | user (Nt) | 10.0 and higher |
| NtCompareTokens | user | 5.1 and higher |
| kernel (Zw) | 10.0 and higher | |
| NtCompleteConnectPort | user | all |
| NtCompressKey | user | 5.1 and higher |
| NtConnectPort | user; kernel (Nt) |
all |
| kernel (Zw) | 3.50 and higher | |
| NtContinue | user | all |
| NtCreateChannel | user | 4.0 to 5.0 |
| NtCreateDebugObject | user | 5.1 and higher |
| NtCreateDirectoryObject | user; kernel (Zw) |
all |
| NtCreateDirectoryObjectEx | user | 6.2 and higher |
| NtCreateEnlistment | all | 6.0 and higher |
| NtCreateEvent | user; kernel (Nt) |
all |
| kernel (Zw) | 3.50 and higher | |
| NtCreateEventPair | user | all |
| NtCreateFile | all | all |
| NtCreateIRTimer | user | 6.2 and higher |
| NtCreateIoCompletion | user | 3.50 and higher |
| kernel (Zw) | 6.0 and higher | |
| NtCreateJobObject | user | 5.0 and higher |
| kernel (Zw) | 5.1 and higher | |
| NtCreateJobSet | user | 5.1 and higher |
| NtCreateKey | user; kernel (Zw) |
all |
| NtCreateKeyTransacted | user; kernel (Zw) |
6.0 and higher |
| NtCreateKeyedEvent | user | 5.1 and higher |
| NtCreateLowBoxToken | user | 6.2 and higher |
| NtCreateMailslotFile | user | all |
| NtCreateMutant | user | all |
| NtCreateNamedPipeFile | user | all |
| NtCreatePagingFile | user | all |
| NtCreatePartition | user | 10.0 and higher |
| NtCreatePort | user | all |
| NtCreatePrivateNamespace | user | 6.0 and higher |
| NtCreateProcess | user | all |
| NtCreateProcessEx | user | 5.1 and higher |
| NtCreateProfile | user | all |
| NtCreateProfileEx | user | 6.1 and higher |
| NtCreateResourceManager | all | 6.0 and higher |
| NtCreateSection | all | all |
| NtCreateSemaphore | user | all |
| NtCreateSymbolicLinkObject | user; kernel (Zw) |
all |
| NtCreateThread | user | all |
| NtCreateThreadEx | user | 6.0 and higher |
| NtCreateTimer | user | all |
| kernel (Zw) | 3.51, and 5.0 and higher | |
| NtCreateTimer2 | user | 6.3 and higher |
| NtCreateToken | user | all |
| NtCreateTokenEx | user | 6.2 and higher |
| NtCreateTransaction | all | 6.0 and higher |
| NtCreateTransactionManager | user; kernel (Zw) |
6.0 and higher |
| kernel (Nt) | 6.1 and higher | |
| NtCreateUserProcess | user | 6.0 and higher |
| kernel (Zw) | 6.2 and higher | |
| NtCreateWaitCompletionPacket | user | 6.2 and higher |
| kernel (Zw) | 6.3 and higher | |
| NtCreateWaitablePort | user | 5.0 and higher |
| NtCreateWnfStateName | user; kernel (Zw) |
6.2 and higher |
| NtCreateWorkerFactory | user | 6.0 and higher |
| NtDebugActiveProcess | user | 5.1 and higher |
| NtDebugContinue | user | 5.1 and higher |
| NtDelayExecution | user | all |
| NtDeleteAtom | user; kernel (Nt) |
4.0 and higher |
| NtDeleteBootEntry | user; kernel (Zw) |
5.1 and higher |
| NtDeleteDriverEntry | user; kernel (Zw) |
5.2 and higher |
| NtDeleteFile | all | 3.50 and higher |
| NtDeleteKey | user; kernel (Zw) |
all |
| NtDeleteObjectAuditAlarm | user | 4.0 and higher |
| NtDeletePrivateNamespace | user | 6.0 and higher |
| NtDeleteValueKey | user; kernel (Zw) |
all |
| NtDeleteWnfStateData | user; kernel (Zw) |
6.2 and higher |
| NtDeleteWnfStateName | user; kernel (Zw) |
6.2 and higher |
| NtDeviceIoControlFile | all | all |
| NtDisableLastKnownGood | user | 6.1 and higher |
| NtDisplayString | user; kernel (Zw) |
all |
| NtDrawText | user | 6.1 and higher |
| NtDuplicateObject | all | all |
| NtDuplicateToken | user; kernel (Nt) |
all |
| kernel (Zw) | 3.51 and higher | |
| NtEnableLastKnownGood | user | 6.1 and higher |
| NtEnumerateBootEntries | user; kernel (Zw) |
5.1 and higher |
| NtEnumerateBus | user | 3.51 only |
| NtEnumerateDriverEntries | user; kernel (Zw) |
5.2 and higher |
| NtEnumerateKey | user; kernel (Zw) |
all |
| NtEnumerateSystemEnvironmentValuesEx | user | 5.1 and higher |
| NtEnumerateTransactionObject | all | 6.0 and higher |
| NtEnumerateValueKey | user; kernel (Zw) |
all |
| NtExtendSection | user | all |
| NtFilterBootOption | user | 6.2 and higher |
| NtFilterToken | user | 5.0 and higher |
| NtFilterTokenEx | user | 6.2 and higher |
| NtFindAtom | user; kernel (Nt) |
4.0 and higher |
| NtFlushBuffersFile | user | all |
| kernel (Zw) | 6.0 and higher | |
| NtFlushBuffersFileEx | user; kernel (Zw) |
6.2 and higher |
| NtFlushInstallUILanguage | user | 6.0 and higher |
| NtFlushInstructionCache | user; | all |
| kernel (Zw) | 3.50 and higher | |
| NtFlushKey | user; kernel (Zw) |
all |
| NtFlushProcessWriteBuffers | user | 6.0 and higher |
| NtFlushVirtualMemory | user | all |
| kernel (Zw) | 5.0 and higher | |
| NtFlushWriteBuffer | user | all |
| NtFreeUserPhysicalPages | user | 5.0 and higher |
| NtFreeVirtualMemory | all | all |
| NtFreezeRegistry | user | 6.0 and higher |
| NtFreezeTransactions | user; kernel (Nt) |
6.0 and higher |
| NtFsControlFile | user; kernel (Nt) |
all |
| kernel (Zw) | 3.50 and higher | |
| NtGetCachedSigningLevel | user | 6.2 and higher |
| kernel (Zw) | 10.0 and higher | |
| NtGetCompleteWnfStateSubscription | user | 6.3 and higher |
| NtGetContextThread | user | all |
| NtGetCurrentProcessorNumber | user | 5.2 and higher |
| NtGetCurrentProcessorNumberEx | user | 10.0 and higher |
| NtGetDevicePowerState | user | 5.0 and higher |
| NtGetMUIRegistryInfo | user | 6.0 and higher |
| NtGetNextProcess | user | 6.0 and higher |
| kernel (Zw) | 10.0 and higher | |
| NtGetNextThread | user | 6.0 and higher |
| NtGetNlsSectionPtr | user | 6.0 and higher |
| NtGetNotificationResourceManager | all | 6.0 and higher |
| NtGetPlugPlayEvent | user | 3.51 to 6.1 |
| NtGetTickCount | user (Nt) | all except 5.1 |
| user (Zw) | 3.10 to 5.0 | |
| NtGetWriteWatch | user | 5.0 and higher |
| NtImpersonateAnonymousToken | user | 5.0 and higher |
| kernel (Zw) | 6.0 and higher | |
| NtImpersonateClientOfPort | user | all |
| NtImpersonateThread | user | all |
| NtInitializeNlsFiles | user | 6.0 and higher |
| NtInitializeRegistry | user | all |
| NtInitializeVDM | user | 3.10 only |
| NtInitiatePowerAction | user; kernel (Zw) |
5.0 and higher |
| NtIsProcessInJob | user; kernel (Zw) |
5.1 and higher |
| NtIsSystemResumeAutomatic | user | 5.0 and higher |
| NtIsUILanguageComitted | user | 6.0 and higher |
| NtListTransactions | user | 6.0 before SP1 |
| NtListenChannel | user | 4.0 to 5.0 |
| NtListenPort | user | all |
| NtLoadDriver | user; kernel (Zw) |
all |
| NtLoadKey | user | all |
| kernel (Zw) | 4.0 and higher | |
| NtLoadKey2 | user | 4.0 and higher |
| NtLoadKeyEx | user | 5.2 and higher |
| kernel (Zw) | 6.0 and higher | |
| NtLockFile | user; kernel (Nt) |
all |
| kernel (Zw) | 6.1 and higher | |
| NtLockProductActivationKeys | user | 5.1 and higher |
| kernel (Zw) | 6.0 and higher | |
| NtLockRegistryKey | user | 5.1 and higher |
| NtLockVirtualMemory | user | all |
| kernel (Zw) | 6.3 and higher | |
| NtMakePermanentObject | user; kernel (Nt) |
5.1 and higher |
| NtMakeTemporaryObject | user; kernel (Zw) |
all |
| NtManagePartition | user | 10.0 and higher |
| NtMapCMFModule | user | 6.0 and higher |
| NtMapUserPhysicalPages | user | 5.0 and higher |
| NtMapUserPhysicalPagesScatter | user | 5.0 and higher |
| NtMapViewOfSection | all | all |
| NtMarshallTransaction | all | 6.0 before SP1 |
| NtModifyBootEntry | user | 5.1 and higher |
| kernel (Zw) | 5.2 and higher | |
| NtModifyDriverEntry | user; kernel (Zw) |
5.2 and higher |
| NtNotifyChangeDirectoryFile | user; kernel (Nt) |
all |
| kernel (Zw) | 10.0 and higher | |
| NtNotifyChangeKey | user | all |
| kernel (Zw) | 3.51 and higher | |
| NtNotifyChangeMultipleKeys | user | 5.0 and higher |
| NtNotifyChangeSession | user; kernel (Zw) |
6.1 and higher |
| NtOpenChannel | user | 4.0 to 5.0 |
| NtOpenDirectoryObject | user; kernel (Zw) |
all |
| NtOpenEnlistment | all | 6.0 and higher |
| NtOpenEvent | user | all |
| kernel (Zw) | 3.50 and higher | |
| NtOpenEventPair | user | all |
| NtOpenFile | all | all |
| NtOpenIoCompletion | user | 3.50 and higher |
| NtOpenJobObject | user | 5.0 and higher |
| kernel (Zw) | 5.1 and higher | |
| NtOpenKey | user; kernel (Zw) |
all |
| NtOpenKeyEx | user; kernel (Zw) |
6.1 and higher |
| NtOpenKeyTransacted | user; kernel (Zw) |
6.0 and higher |
| NtOpenKeyTransactedEx | user; kernel (Zw) |
6.1 and higher |
| NtOpenKeyedEvent | user | 5.1 and higher |
| NtOpenMutant | user | all |
| NtOpenObjectAuditAlarm | user | all |
| NtOpenPartition | user | 10.0 and higher |
| NtOpenPrivateNamespace | user | 6.0 and higher |
| NtOpenProcess | user | all |
| kernel (Nt) | 3.50 and higher | |
| kernel (Zw) | 3.51 and higher | |
| NtOpenProcessToken | all | all |
| NtOpenProcessTokenEx | all | 5.1 and higher |
| NtOpenResourceManager | all | 6.0 and higher |
| NtOpenSection | user; kernel (Zw) |
all |
| NtOpenSemaphore | user | all |
| NtOpenSession | user | 6.0 and higher |
| kernel (Zw) | 6.1 and higher | |
| NtOpenSymbolicLinkObject | user; kernel (Zw) |
all |
| NtOpenThread | user | all |
| kernel | 3.51 and higher | |
| NtOpenThreadToken | user; kernel (Zw) |
all |
| kernel (Nt) | 5.1 and higher | |
| NtOpenThreadTokenEx | all | 5.1 and higher |
| NtOpenTimer | user | all |
| kernel (Zw) | 5.0 and higher | |
| NtOpenTransaction | all | 6.0 and higher |
| NtOpenTransactionManager | user; kernel (Zw) |
6.0 and higher |
| kernel (Nt) | 6.1 and higher | |
| NtPlugPlayControl | user | 3.51 and higher |
| NtPowerInformation | user; kernel (Zw) |
5.0 and higher |
| NtPrePrepareComplete | user | 6.0 and higher |
| kernel | 6.1 and higher | |
| NtPrePrepareEnlistment | all | 6.0 and higher |
| NtPrepareComplete | all | 6.0 and higher |
| NtPrepareEnlistment | all | 6.0 and higher |
| NtPrivilegeCheck | user | all |
| NtPrivilegeObjectAuditAlarm | user | all |
| NtPrivilegedServiceAuditAlarm | user | all |
| NtPropagationComplete | user | 6.0 and higher |
| kernel | 6.1 and higher | |
| NtPropagationFailed | user | 6.0 and higher |
| kernel | 6.1 and higher | |
| NtProtectVirtualMemory | user | all |
| kernel (Zw) | 6.3 and higher | |
| NtPullTransaction | all | 6.0 before SP1 |
| NtPulseEvent | user |
all |
| kernel (Zw) | 3.51 and higher | |
| NtQueryAttributesFile | user | 3.50 and higher |
| NtQueryBootEntryOrder | user; kernel (Zw) |
5.1 and higher |
| NtQueryBootOptions | user; kernel (Zw) |
5.1 and higher |
| NtQueryDebugFilterState | user | 5.1 and higher |
| NtQueryDefaultLocale | user | all |
| kernel (Zw) | 4.0 and higher | |
| NtQueryDefaultUILanguage | user; kernel (Zw) |
5.0 and higher |
| NtQueryDirectoryFile | user; kernel (Nt) |
all |
| kernel (Zw) | 3.50 and higher | |
| NtQueryDirectoryObject | user | all |
| kernel (Zw) | 5.0 and higher | |
| NtQueryDriverEntryOrder | user; kernel (Zw) |
5.2 and higher |
| NtQueryEaFile | user; kernel (Nt) |
all |
| kernel (Zw) | 5.0 and higher | |
| NtQueryEvent | user | all |
| NtQueryFullAttributesFile | user | 4.0 and higher |
| kernel (Zw) | 5.1 and higher | |
| NtQueryInformationAtom | user; kernel (Nt) |
4.0 and higher |
| NtQueryInformationEnlistment | all | 6.0 and higher |
| NtQueryInformationFile | all | all |
| NtQueryInformationJobObject | user | 5.0 and higher |
| kernel (Zw) | 5.1 and higher | |
| NtQueryInformationPort | user | all |
| NtQueryInformationProcess | user | all |
| kernel (Nt) | 3.50 and higher | |
| kernel (Zw) | 3.51 and higher | |
| NtQueryInformationResourceManager | all | 6.0 and higher |
| NtQueryInformationThread | user | all |
| kernel | 5.1 and higher | |
| NtQueryInformationToken | all | all |
| NtQueryInformationTransaction | all | 6.0 and higher |
| NtQueryInformationTransactionManager | all | 6.0 and higher |
| NtQueryInformationWorkerFactory | user | 6.0 and higher |
| NtQueryInstallUILanguage | user; kernel (Zw) |
5.0 and higher |
| NtQueryIntervalProfile | user | all |
| NtQueryIoCompletion | user | 3.50 and higher |
| NtQueryKey | user; kernel (Zw) |
all |
| NtQueryLicenseValue | user; kernel (Zw) |
6.0 and higher |
| NtQueryMultipleValueKey | user | 4.0 and higher |
| NtQueryMutant | user | all |
| NtQueryObject | user | all |
| kernel (Zw) | 4.0 and higher | |
| NtQueryOleDirectoryFile | user; kernel (Nt) |
4.0 only |
| NtQueryOpenSubKeys | user | 5.0 and higher |
| NtQueryOpenSubKeysEx | user | 5.2 and higher |
| NtQueryPerformanceCounter | user | all |
| NtQueryPortInformationProcess | user | 5.1 and higher |
| NtQueryQuotaInformationFile | user; kernel (Nt) |
5.0 and higher |
| kernel (Zw) | 6.1 and higher | |
| NtQuerySection | user |
all |
| kernel (Zw) | 3.50 and higher | |
| NtQuerySecurityAttributesToken | all | 6.1 and higher |
| NtQuerySecurityObject | user; kernel (Nt) |
all |
| kernel (Zw) | 3.51 and higher | |
| NtQuerySemaphore | user | all |
| NtQuerySymbolicLinkObject | user; kernel (Zw) |
all |
| NtQuerySystemEnvironmentValue | user | all |
| NtQuerySystemEnvironmentValueEx | user | 5.1 and higher |
| kernel (Zw) | 6.2 and higher | |
| NtQuerySystemInformation | user | all |
| kernel (Zw) | 4.0 and higher | |
| kernel (Nt) | 5.0 and higher | |
| NtQuerySystemInformationEx | user; kernel (Nt) |
6.1 and higher |
| kernel (Zw) | 6.3 and higher | |
| NtQuerySystemTime | user | all |
| NtQueryTimer | user | all |
| NtQueryTimerResolution | user | 3.50 and higher |
| NtQueryValueKey | user; kernel (Zw) |
all |
| NtQueryVirtualMemory | user | all |
| kernel (Zw) | 6.0 and higher | |
| NtQueryVolumeInformationFile | all | all |
| NtQueryWnfStateData | user; kernel (Zw) |
6.2 and higher |
| NtQueryWnfStateNameInformation | user; kernel (Zw) |
6.2 and higher |
| NtQueueApcThread | user | 4.0 and higher |
| NtQueueApcThreadEx | user | 6.1 and higher |
| NtRaiseException | user | all |
| NtRaiseHardError | user | all |
| NtReadFile | all | all |
| NtReadFileScatter | user | 4.0 SP2 and higher |
| NtReadOnlyEnlistment | user | 6.0 and higher |
| kernel | 6.1 and higher | |
| NtReadRequestData | user | all |
| NtReadVirtualMemory | user | all |
| NtRecoverEnlistment | user; kernel (Zw) |
6.0 and higher |
| kernel (Nt) | 6.1 and higher | |
| NtRecoverResourceManager | user; kernel (Zw) |
6.0 and higher |
| kernel (Nt) | 6.1 and higher | |
| NtRecoverTransactionManager | user; kernel (Zw) |
6.0 and higher |
| kernel (Nt) | 6.1 and higher | |
| NtRegisterNewDevice | user | 3.51 only |
| NtRegisterProtocolAddressInformation | user | 6.0 and higher |
| NtRegisterThreadTerminatePort | user | all |
| NtReleaseCMFViewOwnership | user | 6.0 only |
| NtReleaseKeyedEvent | user | 5.1 and higher |
| NtReleaseMutant | user | all |
| NtReleaseProcessMutant | user | 3.10 to 3.51 |
| NtReleaseSemaphore | user | all |
| NtReleaseWorkerFactoryWorker | user | 6.0 and higher |
| NtRemoveIoCompletion | user | 3.50 and higher |
| kernel (Zw) | 6.0 and higher | |
| NtRemoveIoCompletionEx | user; kernel (Zw) |
6.0 and higher |
| NtRemoveProcessDebug | user | 5.1 and higher |
| NtRenameKey | user | 5.1 and higher |
| kernel (Zw) | 6.1 SP1 and higher | |
| NtRenameTransactionManager | user | 6.0 SP1 and higher |
| NtRenameValueKey | user | 3.10 only |
| NtReplaceKey | user | all |
| kernel (Zw) | 4.0 and higher | |
| NtReplacePartitionUnit | user | 6.0 SP1 and higher |
| NtReplyPort | user | all |
| NtReplyWaitReceivePort | user | all |
| NtReplyWaitReceivePortEx | user | 5.0 and higher |
| NtReplyWaitReplyPort | user | all |
| NtReplyWaitSendChannel | user | 4.0 to 5.0 |
| NtRequestDeviceWakeup | user | 5.0 to 6.0 |
| NtRequestPort | user; kernel (Nt) |
all |
| kernel (Zw) | 6.0 and higher | |
| NtRequestWaitReplyPort | user; kernel (Nt) |
all |
| kernel (Zw) | 3.50 and higher | |
| NtRequestWakeupLatency | user | 5.0 to 6.0 |
| NtResetEvent | user |
all |
| kernel (Zw) | 3.51 and higher | |
| NtResetWriteWatch | user | 5.0 and higher |
| NtRestoreKey | user | all |
| kernel (Zw) | 5.0 and higher | |
| NtResumeProcess | user | 5.1 and higher |
| NtResumeThread | user | all |
| NtRevertContainerImpersonation | user | 10.0 and higher |
| NtRollbackComplete | user | 6.0 and higher |
| kernel | 6.1 and higher | |
| NtRollbackEnlistment | all | 6.0 and higher |
| NtRollbackSavepointTransaction | user | 6.0 before SP1 |
| NtRollbackTransaction | all | 6.0 and higher |
| NtRollforwardTransactionManager | user | 6.0 and higher |
| NtSaveKey | user | all |
| kernel (Zw) | 4.0 and higher | |
| NtSaveKeyEx | user; kernel (Zw) |
5.1 and higher |
| NtSaveMergedKeys | user | 5.0 and higher |
| NtSavepointComplete | all | 6.0 before SP1 |
| NtSavepointTransaction | all | 6.0 before SP1 |
| NtSecureConnectPort | user | 5.0 and higher |
| kernel (Zw) | 5.2 SP1 and higher | |
| NtSendWaitReplyChannel | user | 4.0 to 5.0 |
| NtSerializeBoot | user | 6.1 and higher |
| NtSetBootEntryOrder | user; kernel (Zw) |
5.1 and higher |
| NtSetBootOptions | user; kernel (Zw) |
5.1 and higher |
| NtSetCachedSigningLevel | all | 6.2 and higher |
| NtSetContextChannel | user | 4.0 to 5.0 |
| NtSetContextThread | user | all |
| NtSetDebugFilterState | user | 5.1 and higher |
| NtSetDefaultHardErrorPort | user | all |
| NtSetDefaultLocale | user |
all |
| kernel (Zw) | 3.51 and higher | |
| NtSetDefaultUILanguage | user; kernel (Zw) |
5.0 and higher |
| NtSetDriverEntryOrder | user; kernel (Zw) |
5.2 and higher |
| NtSetEaFile | user | all |
| kernel | 5.0 and higher | |
| NtSetEvent | user; kernel (Nt) |
all |
| kernel (Zw) | 3.50 and higher | |
| NtSetEventBoostPriority | user | 5.1 and higher |
| NtSetHighEventPair | user | all |
| NtSetHighWaitLowEventPair | user | all |
| NtSetHighWaitLowThread | user | 3.10 to 4.0 |
| NtSetIRTimer | user | 6.2 and higher |
| NtSetInformationDebugObject | user | 5.1 and higher |
| NtSetInformationEnlistment | all | 6.0 and higher |
| NtSetInformationFile | user; kernel (Nt) |
all |
| kernel (Zw) | 3.50 and higher | |
| NtSetInformationJobObject | user | 5.0 and higher |
| kernel (Zw) | 5.1 and higher | |
| NtSetInformationKey | user | all |
| kernel (Zw) | 6.2 and higher | |
| NtSetInformationObject | user | 3.50 and higher |
| kernel (Zw) | 4.0 and higher | |
| NtSetInformationProcess | all | all |
| NtSetInformationResourceManager | user; kernel (Nt) |
6.0 and higher |
| kernel (Zw) | 6.1 and higher | |
| NtSetInformationSymbolicLink | user | 10.0 and higher |
| NtSetInformationThread | user; kernel (Nt) |
all |
| kernel (Zw) | 3.50 and higher | |
| NtSetInformationToken | user | all |
| kernel | 6.1 and higher | |
| NtSetInformationTransaction | all | 6.0 and higher |
| NtSetInformationTransactionManager | user | 6.0 and higher |
| NtSetInformationVirtualMemory | all | 6.2 and higher |
| NtSetInformationWorkerFactory | user | 6.0 and higher |
| NtSetIntervalProfile | user | all |
| NtSetIoCompletion | user | 3.51 and higher |
| NtSetIoCompletionEx | user | 6.1 and higher |
| NtSetLdtEntries | user | all |
| NtSetLowEventPair | user | all |
| NtSetLowWaitHighEventPair | user | all |
| NtSetLowWaitHighThread | user | 3.10 to 4.0 |
| NtSetQuotaInformationFile | user; kernel (Nt) |
5.0 and higher |
| kernel (Zw) | 6.1 and higher | |
| NtSetSecurityObject | user; kernel (Nt) |
all |
| kernel (Zw) | 5.0 and higher | |
| NtSetSystemEnvironmentValue | user | all |
| NtSetSystemEnvironmentValueEx | user | 5.1 and higher |
| kernel (Zw) | 6.2 and higher | |
| NtSetSystemInformation | user; kernel (Zw) |
3.50 and higher |
| NtSetSystemPowerState | user | 3.51 and higher |
| NtSetSystemTime | user | all |
| kernel (Zw) | 4.0 and higher | |
| NtSetThreadExecutionState | user | 5.0 and higher |
| NtSetTimer | user | all |
| kernel (Zw) | 3.51, and 5.0 and higher | |
| NtSetTimer2 | user | 6.3 and higher |
| NtSetTimerEx | user; kernel (Zw) |
6.1 and higher |
| NtSetTimerResolution | user | 3.50 and higher |
| NtSetUuidSeed | user | 5.0 and higher |
| NtSetValueKey | user; kernel (Zw) |
all |
| NtSetVolumeInformationFile | user | all |
| kernel | 5.0 and higher | |
| NtSetWnfProcessNotificationEvent | user | 6.3 and higher |
| NtShutdownSystem | user | all |
| kernel (Nt) | 5.1 and higher | |
| NtShutdownWorkerFactory | user | 6.0 and higher |
| NtSignalAndWaitForSingleObject | user | 4.0 and higher |
| NtSinglePhaseReject | user | 6.0 and higher |
| NtStartProfile | user | all |
| NtStartTm | user; kernel (Nt) |
6.0 before SP1 |
| NtStopProfile | user | all |
| NtSubscribeWnfStateChange | user | 6.2 and higher |
| NtSuspendProcess | user | 5.1 and higher |
| NtSuspendThread | user | all |
| NtSystemDebugControl | user | all |
| NtTerminateJobObject | user | 5.0 and higher |
| kernel (Zw) | 5.1 and higher | |
| NtTerminateProcess | user | all |
| kernel (Zw) | 4.0 and higher | |
| NtTerminateThread | user | all |
| NtTestAlert | user | all |
| NtThawRegistry | user | 6.0 and higher |
| NtThawTransactions | user; kernel (Nt) |
6.0 and higher |
| NtTraceControl | user; kernel (Nt) |
6.0 and higher |
| kernel (Zw) | 10.0 and higher | |
| NtTraceEvent | user; kernel (Nt) |
5.1 and higher |
| kernel (Zw) | 6.1 and higher | |
| NtTranslateFilePath | user; kernel (Zw) |
5.1 and higher |
| NtUmsThreadYield | user | 6.1 and higher |
| NtUnloadDriver | user | all |
| kernel (Zw) | 4.0 and higher | |
| NtUnloadKey | user | all |
| kernel (Zw) | 4.0 and higher | |
| NtUnloadKey2 | user | 5.2 and higher |
| NtUnloadKeyEx | user | 5.1 and higher |
| kernel (Zw) | 6.0 and higher | |
| NtUnlockFile | user; kernel (Nt) |
all |
| kernel (Zw) | 6.1 and higher | |
| NtUnlockVirtualMemory | user | all |
| kernel (Zw) | 6.2 and higher | |
| NtUnmapViewOfSection | user; kernel (Zw) |
all |
| NtUnmapViewOfSectionEx | user | 6.2 and higher |
| NtUnsubscribeWnfStateChange | user | 6.2 and higher |
| NtUpdateWnfStateData | user; kernel (Zw) |
6.2 and higher |
| NtVdmControl | user; kernel (Nt) |
all |
| NtVdmStartExecution | user | 3.10 only |
| NtW32Call | user | 3.51 to 4.0 SP3 |
| NtWaitForAlertByThreadId | user | 6.2 and higher |
| NtWaitForDebugEvent | user | 5.1 and higher |
| NtWaitForKeyedEvent | user | 5.1 and higher |
| NtWaitForMultipleObjects | user |
all |
| kernel (Zw) | 3.51 and higher | |
| NtWaitForMultipleObjects32 | user | 5.2 SP1 and higher |
| NtWaitForProcessMutant | user | 3.10 to 3.51 |
| NtWaitForSingleObject | user; kernel (Nt) |
all |
| kernel (Zw) | 3.50 and higher | |
| NtWaitForWnfNotifications | user | 6.2 only |
| NtWaitForWorkViaWorkerFactory | user | 6.0 and higher |
| NtWaitHighEventPair | user | all |
| NtWaitLowEventPair | user | all |
| NtWorkerFactoryWorkerReady | user | 6.0 and higher |
| NtWriteFile | all | all |
| NtWriteFileGather | user | 4.0 SP2 and higher |
| NtWriteRequestData | user | all |
| NtWriteVirtualMemory | user | all |
| NtYieldExecution | user; kernel (Zw) |
4.0 and higher |