Run-Time Library Execution Functions

As well as being the kernel’s public face in user mode, NTDLL does much that might on its own be regarded as system work. In particular, it does much of the work of preparing user-mode executables for execution and eventually of tearing them down. Much of this is internal, even deeply so, but some functions that are involved in it are exported. A few have been exported through the whole history of Windows, i.e., from version 3.10.

• LdrOpenImageFileOptionsKey (5.2 from Windows Server 2003 SP1, and higher);
• LdrQueryImageFileExecutionOptionsEx (5.2 and higher);
• LdrQueryImageFileKeyOption (5.2 from Windows Server 2003 SP1, and higher);
• RtlCreateUserProcess
• RtlCreateUserStack (6.0 and higher);
• RtlCreateUserThread
• RtlFreeUserStack (6.0 and higher);
• RtlNormalizeProcessParams
• RtlQueryElevationFlags (6.0 and higher);
• RtlTestProtectedAccess (6.3 and higher);
• RtlValidProcessProtection (6.3 and higher).