Named Exports Added For NTDLL 6.1

The table below lists the 196 named NTDLL exports that are new to NTDLL for version 6.1, i.e., for Windows 7. Another eight new functions for version 6.1 are exported only by ordinal and are listed separately. Of the new functions exported by name, hardly any are yet documented, though a few are at least declared in one or another header file from the contemporaneous Software Development Kit or Windows Driver Kit.

Documentation status is conveyed by colour coding. If you browse with scripting enabled, hovering over any text that has a background colour should produce a tooltip that explains the formatting. NTDLL exports that have all along had their own non-trivial documentation as exports from NTDLL are shown with no background colour. So too are the NTDLL implementations of documented functions and variables from the C Run-Time Library. If the whole of the documentation is just that the function is reserved or obsolete, without even giving a prototype, then the function is highlighted red or highlighted pink, respectively. Functions that look to be completely undocumented are highlighted yellow. If a function is documented now but is known not to have been documented immediately, especially in the contemporaneous Software Development Kit (SDK), then it is shaded yellow to retain some of its previous status as undocumented. If the delayed documentation came specifically from the function’s listing among the Settlement Program Interfaces in late 2002, then the shading is less yellow since Microsoft at least acknowledged that the documentation was late. An undocumented function is highlighted orange, as semi-documented, if it is at least declared in one or another header file from an SDK or, exceptionally, a Windows Driver Kit (WDK). NTDLL is low-level enough that some functions are documented in the Windows Driver Kit (WDK), typically as exports from the NT kernel for use by ring 0 software such as device drivers, but sometimes with non-specific talk of being callable from user mode. Such functions are shaded blue if they seem always to have had such documentation, but a brighter blue if the WDK documentation was not immediate. A function is shaded grey if it seems not to be documented but is known to be the entire low-level implementation of some function in a higher-level DLL such as KERNEL32 or ADVAPI32. Identifying these is a work in progress.

That RtlFillMemoryUlonglong appears only as late as Windows 7 is conspicuous. It has for some years been documented in the WDK’s section for Installable File Systems, and declared in NTIFS.H as an importable function. Yet no import library supplied with the WDK for Windows Vista (for instance) resolves the corresponding import symbol. All builds of both the NT kernel and NTDLL from at least as far back as Windows 2000 have code for the function but only as an internal routine . Could it be that the function was meant to be exported all along, consistently with the documentation, but was neglected by an oversight that took years for anyone to notice (or bother correcting)?

Function Remarks
AlpcRundownCompletionList  
EtwEventWriteEx declared in Windows 10 WDK
EtwEventWriteNoRegistration declared in Windows 10 WDK
EvtIntReportAuthzEventAndSourceAsync  
EvtIntReportEventAndSourceAsync  
ExpInterlockedPopEntrySListEnd16 x64 only;
discontinued in 6.3
ExpInterlockedPopEntrySListFault16 x64 only;
discontinued in 6.3
ExpInterlockedPopEntrySListResume16 x64 only;
discontinued in 6.3
LdrGetDllHandleByMapping  
LdrGetDllHandleByName  
LdrResGetRCConfig  
LdrRscIsTypeExist  
NtAllocateReserveObject  
NtCreateProfileEx  
NtDisableLastKnownGood  
NtDrawText  
NtEnableLastKnownGood  
NtNotifyChangeSession  
NtOpenKeyEx  
NtOpenKeyTransactedEx  
NtQuerySecurityAttributesToken  
NtQuerySystemInformationEx  
NtQueueApcThreadEx  
NtSerializeBoot  
NtSetIoCompletionEx  
NtSetTimerEx  
NtUmsThreadYield  
NtWow64GetCurrentProcessorNumberEx wow64 only
NtWow64InterlockedPopEntrySList wow64 only;
discontinued in 6.2
RtlAcquireReleaseSRWLockExclusive  
RtlAddIntegrityLabelToBoundaryDescriptor  
RtlContractHashTable  
RtlCopyContext begins with Windows 7 SP1;
declared in Windows 10 WDK
RtlCopyExtendedContext  
RtlCreateHashTable  
RtlCreateProcessReflection  
RtlCreateUmsCompletionList x64 only
RtlCreateUmsThread x64 only
RtlCreateUmsThreadContext x64 only
RtlCreateVirtualAccountSid  
RtlDeleteHashTable  
RtlDeleteUmsCompletionList x64 only
RtlDeleteUmsThreadContext x64 only
RtlDequeueUmsCompletionListItems x64 only
RtlDetectHeapLeaks  
RtlDisableThreadProfiling  
RtlEnableThreadProfiling  
RtlEndEnumerationHashTable  
RtlEndWeakEnumerationHashTable  
RtlEnterUmsSchedulingMode x64 only
RtlEnumerateEntryHashTable  
RtlEthernetAddressToStringA declaration requires Windows Vista and higher
RtlEthernetAddressToStringW declaration requires Windows Vista and higher
RtlEthernetStringToAddressA declaration requires Windows Vista and higher
RtlEthernetStringToAddressW declaration requires Windows Vista and higher
RtlExecuteUmsThread x64 only
RtlExpandHashTable  
RtlFillMemoryUlonglong x86 only;
undocumented until 2000;
documentation until 2008-2009 requires Windows 2000 and higher;
documentation since 2008-2009 requires Windows 2000 and higher for x64 else Windows 7 and higher;
declaration requires Windows XP and higher (x86);
x64 support by macro in terms of compiler intrinsic __stosq
RtlGetCurrentProcessorNumberEx forwarded from KERNEL32 function GetCurrentProcessorNumberEx in 6.1 and higher
RtlGetCurrentUmsThread x64 only
RtlGetEnabledExtendedFeatures  
RtlGetExtendedContextLength  
RtlGetExtendedFeaturesMask  
RtlGetFullPathname_UEx  
RtlGetLocaleFileMappingAddress  
RtlGetNextEntryHashTable  
RtlGetNextUmsListItem x64 only
RtlGetProcessPreferredUILanguages  
RtlGetUmsCompletionListEvent x64 only
RtlInitEnumerationHashTable  
RtlInitWeakEnumerationHashTable  
RtlInitializeExtendedContext  
RtlInsertEntryHashTable  
RtlInterlockedClearBitRun  
RtlInterlockedSetBitRun  
RtlIsNameInExpression declaration requires Windows 2000 and higher
RtlKnownExceptionFilter  
RtlLoadString  
RtlLocateExtendedFeature  
RtlLocateLegacyContext  
RtlLookupEntryHashTable  
RtlQueryPerformanceCounter forwarded from KERNELBASE function QueryPerformanceCounter in 6.1 and higher
RtlQueryPerformanceFrequency forwarded from KERNELBASE function QueryPerformanceFrequency in 6.1 and higher
RtlQueryThreadProfiling  
RtlQueryUmsThreadInformation x64 only
RtlReadThreadProfilingData  
RtlRemoveEntryHashTable  
RtlReplaceSidInSd  
RtlReportSilentProcessExit  
RtlReportSqmEscalation  
RtlSetExtendedFeaturesMask  
RtlSetProcessPreferredUILanguages  
RtlSetUmsThreadInformation x64 only
RtlTryAcquireSRWLockExclusive forwarded from KERNELBASE function TryAcquireSRWLockExclusive in 6.1 and higher
RtlTryAcquireSRWLockShared forwarded from KERNELBASE function TryAcquireSRWLockShared in 6.1 and higher
RtlUTF8ToUnicodeN declared in Windows 10 WDK
RtlUmsThreadYield x64 only
RtlUnicodeToUTF8N  
RtlWeaklyEnumerateEntryHashTable  
RtlWow64GetThreadSelectorEntry x64 only
RtlpExecuteUmsThread x64 only
RtlpUmsExecuteYieldThreadEnd x64 only
RtlpUmsThreadYield x64 only
SbExecuteProcedure  
SbSelectProcedure  
TpAllocAlpcCompletionEx  
TpAlpcRegisterCompletionList  
TpAlpcUnregisterCompletionList  
TpCallbackIndependent  
TpDbgGetFreeInfo discontinued in 6.2
TpDisablePoolCallbackChecks  
TpPoolFreeUnusedNodes discontinued in 6.2
TpQueryPoolStackInformation  
TpSetDefaultPoolMaxThreads  
TpSetDefaultPoolStackInformation  
TpSetPoolStackInformation  
WinSqmAddToAverageDWORD  
WinSqmAddToStreamEx  
WinSqmCheckEscalationAddToStreamEx  
WinSqmCheckEscalationSetDWORD  
WinSqmCheckEscalationSetDWORD64  
WinSqmCheckEscalationSetString  
WinSqmCommonDatapointDelete  
WinSqmCommonDatapointSetDWORD  
WinSqmCommonDatapointSetDWORD64  
WinSqmCommonDatapointSetStreamEx  
WinSqmCommonDatapointSetString  
WinSqmGetEscalationRuleStatus  
WinSqmGetInstrumentationProperty  
WinSqmIncrementDWORD  
WinSqmIsOptedInEx  
WinSqmSetDWORD  
WinSqmSetDWORD64  
WinSqmSetEscalationInfo  
WinSqmSetIfMaxDWORD  
WinSqmSetIfMinDWORD  
ZwAllocateReserveObject declared in Windows 10 WDK
ZwCreateProfileEx declared in Windows 10 WDK
ZwDisableLastKnownGood declared in Windows 10 WDK
ZwDrawText declared in Windows 10 WDK
ZwEnableLastKnownGood declared in Windows 10 WDK
ZwNotifyChangeSession declared in Windows 10 WDK
ZwOpenKeyEx  
ZwOpenKeyTransactedEx  
ZwQuerySecurityAttributesToken  
ZwQuerySystemInformationEx declared in Windows 10 WDK
ZwQueueApcThreadEx declared in Windows 10 WDK
ZwSerializeBoot declared in Windows 10 WDK
ZwSetIoCompletionEx declared in Windows 10 WDK
ZwSetTimerEx  
ZwUmsThreadYield declared in Windows 10 WDK
ZwWow64GetCurrentProcessorNumberEx wow64 only
ZwWow64InterlockedPopEntrySList wow64 only;
discontinued in 6.2
_i64toa_s  
_i64tow_s  
_itoa_s  
_itow_s  
_ltoa_s  
_ltow_s  
_makepath_s  
_snprintf_s  
_snscanf_s  
_snwprintf_s  
_snwscanf_s  
_splitpath_s  
_strnset_s  
_strset_s  
_ui64toa_s  
_ui64tow_s  
_ultoa_s  
_ultow_s  
_vsnprintf_s  
_vsnwprintf_s  
_wcsnset_s  
_wcsset_s  
_wmakepath_s  
_wsplitpath_s  
memcpy_s  
memmove_s  
sprintf_s  
sscanf_s  
strcat_s  
strcpy_s  
strncat_s  
strncpy_s  
strnlen  
strtok_s  
swprintf_s  
swscanf_s  
vsprintf_s  
vswprintf_s  
wcscat_s  
wcscpy_s  
wcsncat_s  
wcsncpy_s  
wcsnlen  

Valediction

Version 6.1 discontinues a few exports, including some that had been added only as recently as the version 6.0 from Windows Vista SP2:

This page was created on 7th December 2009 and was last modified on 17th April 2016 (except for adding links on 1st February 2017).

Copyright © 2009-2017. Geoff Chappell. All rights reserved. Conditions apply.