Geoff Chappell, Software Analyst
The table below lists the 262 exports that are new to NTDLL for version 5.1, i.e., Windows XP. Some functions wait for a service pack. With Windows XP SP2, the otherwise orderly correlation with version numbers in all the rest of NTDLL’s history breaks down. Some functions added for Windows XP SP2 actually appear first (in chronological order) in the version 5.2 from the original Windows Server 2003. Others do not appear in version 5.2 until its first service pack. Curiously, some of these are documented as requiring Windows Vista.
Documentation status is conveyed by colour coding. If you browse with scripting enabled, hovering over any text that has a background colour should produce a tooltip that explains the formatting. NTDLL exports that have all along had their own non-trivial documentation as exports from NTDLL are shown with no background colour. So too are the NTDLL implementations of documented functions and variables from the C Run-Time Library. If the whole of the documentation is just that the function is reserved or obsolete, without even giving a prototype, then the function is highlighted red or highlighted pink, respectively. Functions that look to be completely undocumented are highlighted yellow. If a function is documented now but is known not to have been documented immediately, especially in the contemporaneous Software Development Kit (SDK), then it is shaded yellow to retain some of its previous status as undocumented. If the delayed documentation came specifically from the function’s listing among the Settlement Program Interfaces in late 2002, then the shading is less yellow since Microsoft at least acknowledged that the documentation was late. An undocumented function is highlighted orange, as semi-documented, if it is at least declared in one or another header file from an SDK or, exceptionally, a Windows Driver Kit (WDK). NTDLL is low-level enough that some functions are documented in the Windows Driver Kit (WDK), typically as exports from the NT kernel for use by ring 0 software such as device drivers, but sometimes with non-specific talk of being callable from user mode. Such functions are shaded blue if they seem always to have had such documentation, but a brighter blue if the WDK documentation was not immediate. A function is shaded grey if it seems not to be documented but is known to be the entire low-level implementation of some function in a higher-level DLL such as KERNEL32 or ADVAPI32. Identifying these is a work in progress.
| Function | Remarks |
|---|---|
| CsrCaptureMessageMultiUnicodeStringsInPlace | |
| CsrGetProcessId | |
| DbgPrintEx | |
| DbgQueryDebugFilterState | |
| DbgSetDebugFilterState | |
| DbgUiConvertStateChangeStructure | |
| DbgUiDebugActiveProcess | |
| DbgUiGetThreadDebugObject | |
| DbgUiIssueRemoteBreakin | |
| DbgUiRemoteBreakin | |
| DbgUiSetThreadDebugObject | |
| DbgUiStopDebugging | |
| KiFastSystemCall | begins from SP2; not in 5.2 before SP1; x86 only |
| KiFastSystemCallRet | begins from SP2; not in 5.2 before SP1; x86 only |
| KiIntSystemCall | begins SP2; not in 5.2 before SP1; x86 only |
| LdrAccessOutOfProcessResource | discontinued in 6.0 |
| LdrAddRefDll | |
| LdrCreateOutOfProcessImage | discontinued in 6.0 |
| LdrDestroyOutOfProcessImage | discontinued in 6.0 |
| LdrEnumerateLoadedModules | begins from SP1 |
| LdrFindCreateProcessManifest | discontinued in 6.0 |
| LdrFindResourceEx_U | |
| LdrGetDllHandleEx | |
| LdrHotPatchRoutine | begins from SP2; discontinued in 6.3 |
| LdrInitShimEngineDynamic | |
| LdrLockLoaderLock | |
| LdrSetAppCompatDllRedirectionCallback | |
| LdrSetDllManifestProber | |
| LdrUnlockLoaderLock | |
| NtAddBootEntry | |
| NtCompactKeys | |
| NtCompareTokens | undocumented until 2004-2006; not declared |
| NtCompressKey | |
| NtCreateDebugObject | |
| NtCreateJobSet | |
| NtCreateKeyedEvent | |
| NtCreateProcessEx | |
| NtDebugActiveProcess | |
| NtDebugContinue | |
| NtDeleteBootEntry | |
| NtEnumerateBootEntries | |
| NtEnumerateSystemEnvironmentValuesEx | |
| NtIsProcessInJob | |
| NtLockProductActivationKeys | |
| NtLockRegistryKey | |
| NtMakePermanentObject | |
| NtModifyBootEntry | |
| NtOpenKeyedEvent | |
| NtOpenProcessTokenEx | undocumented until 2008-2009 |
| NtOpenThreadTokenEx | undocumented until 2008-2009 |
| NtQueryBootEntryOrder | |
| NtQueryBootOptions | |
| NtQueryDebugFilterState | |
| NtQueryPortInformationProcess | |
| NtQuerySystemEnvironmentValueEx | |
| NtReleaseKeyedEvent | |
| NtRemoveProcessDebug | |
| NtRenameKey | |
| NtResumeProcess | |
| NtSaveKeyEx | |
| NtSetBootEntryOrder | |
| NtSetBootOptions | |
| NtSetDebugFilterState | |
| NtSetEventBoostPriority | |
| NtSetInformationDebugObject | |
| NtSetSystemEnvironmentValueEx | |
| NtSuspendProcess | |
| NtTraceEvent | declared in Windows 10 WDK |
| NtTranslateFilePath | |
| NtUnloadKeyEx | |
| NtWaitForDebugEvent | |
| NtWaitForKeyedEvent | |
| RtlActivateActivationContext | |
| RtlActivateActivationContextEx | |
| RtlActivateActivationContextUnsafeFast | |
| RtlAddRefActivationContext | whole implementation of KERNEL32 function AddRefActCtx in 5.1 and higher |
| RtlAddRefMemoryStream | not in wow64 before 6.0 |
| RtlAddVectoredExceptionHandler | forwarded from KERNEL32 function AddVectoredExceptionHandler in 5.1 and higher |
| RtlAddressInSectionTable | |
| RtlAppendPathElement | |
| RtlApplicationVerifierStop | |
| RtlAssert2 | discontinued in 5.2 |
| RtlCaptureContext | forwarded from KERNEL32 function RtlCaptureContext in 5.1 to 6.0; undocumented in WDK until 2005-2006; documented in WDK until 2008-2009 as “reserved for system use”; declaration in WDK requires Windows 2000 and higher |
| RtlCaptureStackContext | x86 only |
| RtlCheckProcessParameters | discontinued in 6.0 |
| RtlCloneMemoryStream | not in wow64 |
| RtlCommitMemoryStream | not in wow64 before 6.0 |
| RtlComputeCrc32 | declared in Windows 10 WDK |
| RtlComputeImportTableHash | |
| RtlComputePrivatizedDllName_U | |
| RtlCopyMemoryStreamTo | not in wow64 before 6.0 |
| RtlCopyOutOfProcessMemoryStreamTo | not in wow64 before 6.0 |
| RtlCreateActivationContext | |
| RtlCreateBootStatusDataFile | |
| RtlCreateSystemVolumeInformationFolder | undocumented until 2005-2006 |
| RtlDeactivateActivationContext | |
| RtlDeactivateActivationContextUnsafeFast | |
| RtlDecodePointer | begins from SP2; not in 5.2 before SP1; forwarded from KERNEL32 function DecodePointer in corresponding 5.1 and 5.2, and higher; forwarded from KERNELBASE function DecodePointer in 6.1 and higher |
| RtlDecodeSystemPointer | begins from SP2; not in 5.2 before SP1; forwarded from KERNEL32 function DecodeSystemPointer in corresponding 5.1 and 5.2, and higher; forwarded from KERNELBASE function DecodeSystemPointer in 6.1 and higher |
| RtlDeleteElementGenericTableAvl | |
| RtlDllShutdownInProgress | |
| RtlDosApplyFileIsolationRedirection_Ustr | |
| RtlDosSearchPath_Ustr | |
| RtlDowncaseUnicodeChar | undocumented until 2005-2006 |
| RtlDuplicateUnicodeString | |
| RtlEncodePointer | begins from SP2; not in 5.2 before SP1; forwarded from KERNEL32 function EncodePointer in corresponding 5.1 and 5.2, and higher; forwarded from KERNELBASE function EncodePointer in 6.1 and higher; |
| RtlEncodeSystemPointer | begins from SP2; not in 5.2 before SP1; forwarded from KERNEL32 function EncodeSystemPointer in corresponding 5.1 and 5.2, and higher; forwarded from KERNELBASE function EncodeSystemPointer in 6.1 and higher |
| RtlEnumerateGenericTableAvl | |
| RtlEnumerateGenericTableLikeADirectory | |
| RtlEnumerateGenericTableWithoutSplayingAvl | |
| RtlExitUserThread | forwarded from KERNEL32 function ExitThread in 6.0 and higher; forwarded from KERNELBASE function ExitThread in 6.1 and higher |
| RtlFinalReleaseOutOfProcessMemoryStream | not in wow64 |
| RtlFindActivationContextSectionGuid | |
| RtlFindActivationContextSectionString | |
| RtlFindCharInUnicodeString | |
| RtlFindClearRuns | declaration requires Windows 2000 and higher |
| RtlFirstEntrySList | undocumented until 2006 |
| RtlFlushSecureMemoryCache | |
| RtlFreeThreadActivationContextStack | |
| RtlGetActiveActivationContext | |
| RtlGetCurrentPeb | |
| RtlGetElementGenericTableAvl | undocumented until 2008-2009 |
| RtlGetFrame | |
| RtlGetLastNtStatus | |
| RtlGetLastWin32Error | forwarded from KERNEL32 function GetLastError in 5.1 and 5.2 |
| RtlGetLengthWithoutLastFullDosOrNtPathElement | |
| RtlGetLengthWithoutTrailingPathSeperators | |
| RtlGetNativeSystemInformation | |
| RtlGetNtVersionNumbers | |
| RtlGetSetBootStatusData | |
| RtlGetUnloadEventTrace | begins from SP2; undocumented until 2004-2006; documentation withdrawn from SDK in 2007-2008; not declared |
| RtlHashUnicodeString | undocumented until 2005-2006 |
| RtlInitMemoryStream | not in wow64 before 6.0 |
| RtlInitOutOfProcessMemoryStream | not in wow64 before 6.0 |
| RtlInitUnicodeStringEx | |
| RtlInitializeGenericTableAvl | |
| RtlInitializeSListHead | forwarded from KERNEL32 function InitializeSListHead in 5.1 and higher; forwarded from KERNELBASE function InitializeSListHead in 6.1 and higher; undocumented until 2006 |
| RtlInitializeStackTraceDatabase | begins from SP2; discontinued in 6.0 |
| RtlInsertElementGenericTableAvl | |
| RtlInterlockedFlushSList | forwarded from KERNEL32 function InterlockedFlushSList in 5.1 and higher; forwarded from KERNELBASE function InterlockedFlushSList in 6.1 and higher; undocumented until 2006 |
| RtlInterlockedPopEntrySList | forwarded from KERNEL32 function InterlockedPopEntrySList in 5.1 and higher; forwarded from KERNELBASE function InterlockedPopEntrySList in 6.1 and higher; undocumented until 2006 |
| RtlInterlockedPushEntrySList | forwarded from KERNEL32 function InterlockedPushEntrySList in 5.1 and higher; forwarded from KERNELBASE function InterlockedPushEntrySList in 6.1 and higher; undocumented until 2006 |
| RtlInterlockedPushListSList | forwarded from KERNEL32 function InterlockedPushListSList in 6.0 and higher; forwarded from KERNELBASE function InterlockedPushListSList in 6.1 and higher |
| RtlIpv4AddressToStringA | undocumented until 2004-2006; documentation requires Windows Vista and higher; declaration requires Windows Vista and higher |
| RtlIpv4AddressToStringExA | begins from SP2; documented as requiring Windows Vista or higher; declared for Windows Vista and higher |
| RtlIpv4AddressToStringExW | begins from SP2; documented as requiring Windows Vista or higher; declared for Windows Vista and higher |
| RtlIpv4AddressToStringW | undocumented until 2004-2006; documentation requires Windows Vista and higher; declaration requires Windows Vista and higher |
| RtlIpv4StringToAddressA | undocumented until 2004-2006; documentation requires Windows Vista and higher; declaration requires Windows Vista and higher |
| RtlIpv4StringToAddressExA | begins from SP2; documented as requiring Windows Vista or higher; declared for Windows Vista and higher |
| RtlIpv4StringToAddressExW | begins from SP2; documented as requiring Windows Vista or higher; declared for Windows Vista and higher |
| RtlIpv4StringToAddressW | undocumented until 2004-2006; documentation requires Windows Vista and higher; declaration requires Windows Vista and higher |
| RtlIpv6AddressToStringA | undocumented until 2004-2006; documentation requires Windows Vista and higher; declaration requires Windows Vista and higher |
| RtlIpv6AddressToStringExA | begins from SP2; documented as requiring Windows Vista or higher; declared for Windows Vista and higher |
| RtlIpv6AddressToStringExW | begins from SP2; documented as requiring Windows Vista or higher; declared for Windows Vista and higher |
| RtlIpv6AddressToStringW | undocumented until 2004-2006; documentation requires Windows Vista and higher; declaration requires Windows Vista and higher |
| RtlIpv6StringToAddressA | undocumented until 2004-2006; documentation requires Windows Vista and higher; declaration requires Windows Vista and higher |
| RtlIpv6StringToAddressExA | begins from SP2; documented as requiring Windows Vista or higher; declared for Windows Vista and higher |
| RtlIpv6StringToAddressExW | begins from SP2; documented as requiring Windows Vista or higher; declared for Windows Vista and higher |
| RtlIpv6StringToAddressW | undocumented until 2004-2006; documentation requires Windows Vista and higher; declaration requires Windows Vista and higher |
| RtlIsActivationContextActive | |
| RtlIsGenericTableEmptyAvl | |
| RtlIsThreadWithinLoaderCallout | begins from SP1 |
| RtlLockBootStatusData | |
| RtlLockMemoryStreamRegion | not in wow64 before 6.0 |
| RtlLogStackBackTrace | |
| RtlLookupElementGenericTableAvl | |
| RtlMapSecurityErrorToNtStatus | |
| RtlMultiAppendUnicodeStringBuffer | |
| RtlNewSecurityObjectWithMultipleInheritance | |
| RtlNtPathNameToDosPathName | |
| RtlNtStatusToDosErrorNoTeb | documented as “reserved for system use” |
| RtlNumberGenericTableElementsAvl | |
| RtlPopFrame | |
| RtlPushFrame | |
| RtlQueryDepthSList | forwarded from KERNEL32 function QueryDepthSList in 5.1 and higher; forwarded from KERNELBASE function QueryDepthSList in 6.1 and higher; undocumented until 2006 |
| RtlQueryHeapInformation | |
| RtlQueryInformationActivationContext | |
| RtlQueryInformationActiveActivationContext | |
| RtlQueryInterfaceMemoryStream | not in wow64 |
| RtlQueueApcWow64Thread | |
| RtlRandomEx | |
| RtlReadMemoryStream | not in wow64 before 6.0 |
| RtlReadOutOfProcessMemoryStream | not in wow64 before 6.0 |
| RtlRegisterSecureMemoryCacheCallback | |
| RtlReleaseActivationContext | whole implementation of KERNEL32 function ReleaseActCtx in 5.1 and higher |
| RtlReleaseMemoryStream | not in wow64 before 6.0 |
| RtlRemoveVectoredExceptionHandler | forwarded from KERNEL32 function RemoveVectoredExceptionHandler in 5.1 and higher |
| RtlRestoreLastWin32Error | forwarded from KERNEL32 function RestoreLastError in 5.1 and higher |
| RtlRevertMemoryStream | not in wow64 before 6.0 |
| RtlSeekMemoryStream | not in wow64 before 6.0 |
| RtlSetHeapInformation | |
| RtlSetLastWin32Error | forwarded from KERNEL32 function SetLastError in 5.1 and 5.2 only; forwarded from KERNELBASE function SetLastError in 6.1 and higher |
| RtlSetLastWin32ErrorAndNtStatusFromNtStatus | |
| RtlSetMemoryStreamSize | not in wow64 before 6.0 |
| RtlSetProcessIsCritical | |
| RtlSetThreadIsCritical | |
| RtlStatMemoryStream | not in wow64 before 6.0 |
| RtlUnhandledExceptionFilter | |
| RtlUnhandledExceptionFilter2 | |
| RtlUnlockBootStatusData | |
| RtlUnlockMemoryStreamRegion | not in wow64 before 6.0 |
| RtlValidateUnicodeString | |
| RtlWriteMemoryStream | not in wow64 before 6.0 |
| RtlZombifyActivationContext | |
| RtlpApplyLengthFunction | |
| RtlpEnsureBufferSize | |
| RtlpNotOwnerCriticalSection | |
| ZwAddBootEntry | declared in Windows 10 WDK |
| ZwCompactKeys | declared in Windows 10 WDK |
| ZwCompareTokens | declared in Windows 10 WDK |
| ZwCompressKey | declared in Windows 10 WDK |
| ZwCreateDebugObject | |
| ZwCreateJobSet | declared in Windows 10 WDK |
| ZwCreateKeyedEvent | declared in Windows 10 WDK |
| ZwCreateProcessEx | declared in Windows 10 WDK |
| ZwDebugActiveProcess | |
| ZwDebugContinue | |
| ZwDeleteBootEntry | declared in Windows 10 WDK |
| ZwEnumerateBootEntries | declared in Windows 10 WDK |
| ZwEnumerateSystemEnvironmentValuesEx | declared in Windows 10 WDK |
| ZwIsProcessInJob | declared in Windows 10 WDK |
| ZwLockProductActivationKeys | declared in Windows 10 WDK |
| ZwLockRegistryKey | declared in Windows 10 WDK |
| ZwMakePermanentObject | declared in Windows 10 WDK |
| ZwModifyBootEntry | declared in Windows 10 WDK |
| ZwOpenKeyedEvent | declared in Windows 10 WDK |
| ZwOpenProcessTokenEx | |
| ZwOpenThreadTokenEx | |
| ZwQueryBootEntryOrder | declared in Windows 10 WDK |
| ZwQueryBootOptions | declared in Windows 10 WDK |
| ZwQueryDebugFilterState | declared in Windows 10 WDK |
| ZwQueryPortInformationProcess | declared in Windows 10 WDK |
| ZwQuerySystemEnvironmentValueEx | declared in Windows 10 WDK |
| ZwReleaseKeyedEvent | declared in Windows 10 WDK |
| ZwRemoveProcessDebug | |
| ZwRenameKey | declaration requires Windows 7 and higher |
| ZwResumeProcess | declared in Windows 10 WDK |
| ZwSaveKeyEx | declared in Windows 10 WDK |
| ZwSetBootEntryOrder | declared in Windows 10 WDK |
| ZwSetBootOptions | declared in Windows 10 WDK |
| ZwSetDebugFilterState | declared in Windows 10 WDK |
| ZwSetEventBoostPriority | declared in Windows 10 WDK |
| ZwSetInformationDebugObject | |
| ZwSetSystemEnvironmentValueEx | declared in Windows 10 WDK |
| ZwSuspendProcess | declared in Windows 10 WDK |
| ZwTraceEvent | declared in Windows 10 WDK |
| ZwTranslateFilePath | declared in Windows 10 WDK |
| ZwUnloadKeyEx | declared in Windows 10 WDK |
| ZwWaitForDebugEvent | |
| ZwWaitForKeyedEvent | declared in Windows 10 WDK |
| _CIcos | x86 only |
| _CIlog | x86 only |
| _CIsin | x86 only |
| _CIsqrt | x86 only |
| _alldvrm | x86 only |
| _aulldvrm | x86 only |
| _lfind | |
| _ui64tow | |
| _vsnwprintf | |
| bsearch | |
| vDbgPrintEx | |
| vDbgPrintExWithPrefix |
While version 5.1 adds significantly to NTDLL’s API, it also drops 21 functions (or 22, depending on how we count):
A special case must be made of NtGetTickCount, which is discontinued for version 5.1 but is then restored for version 5.2.
Additionally, a service pack of version 5.1 is the lowest-numbered build that clears away the many NTDLL functions for floating-point emulation. All the following cease as exports in version 5.1 from Windows XP SP2 and in version 5.2 from Windows Server 2003 SP1, such that they are not exported in version 6.0 and higher: