NTDLL

NTDLL is the user-mode face of the Windows kernel, provided to support any number of application-level subsystems. In the Win32 subsystem, which accounts for far and away the greatest number of Windows executables in ordinary use, the lowest layer is provided by such modules as KERNEL32.DLL and ADVAPI32.DLL. Many functions that NTDLL exports are simply re-exported as KERNEL32 or ADVAPI32 functions. Put another way, some KERNEL32 and ADVAPI32 functions have no code in those DLLs but instead appear in the export directory of those DLLs only as forwards to NTDLL: the export's address entry does not point at code but at a string of the form NTDLL.FunctionName, which the loader resolves at import time. For many more NTDLL functions, there is some KERNEL32 or ADVAPI32 function whose code in those DLLs just repackages the NTDLL function, e.g., to change the arguments slightly.
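The forwards described above are visible in a module's export directory without executing anything. The following parser is an added example, not code from these notes or from Microsoft: it walks a PE image's export table and separates pure forwards from exports that are implemented in the module itself. A forwarder has no flag of its own; it is recognised because its address entry points back inside the export directory's own range, at an ASCII string naming the target. Since no real DLL is available here, the script builds a small constructed PE32+ image whose export names (ForwardedExampleB, LocalExampleA and so on) and targets are hypothetical; run it with a path such as C:\Windows\System32\kernel32.dll to see the real forwards to NTDLL.

```python
import struct
import sys


def _build_sample_image():
    """Construct a minimal PE32+ image (headers plus one .edata section) whose
    export table mixes forwards and in-module exports. Constructed sample only;
    every name and RVA is hypothetical, chosen to exercise the parser."""
    sect_va, sect_raw = 0x1000, 0x200
    exports = [  # (exported name, target): str = forwarder string, int = code RVA
        ("ForwardedExampleB", "NTDLL.RtlExampleB"),   # forward by name
        ("ForwardedExampleC", "NTDLL.#42"),           # forward by ordinal
        ("LocalExampleA", 0x2000),                    # code in this module
    ]
    n = len(exports)
    off_funcs, off_names = 40, 40 + 4 * n
    off_ords, off_strs = off_names + 4 * n, off_names + 6 * n
    blob = bytearray(off_strs)          # reserve directory and the three tables

    def add_str(s):                     # append NUL-terminated string, return its RVA
        at = len(blob)
        blob.extend(s.encode("ascii") + b"\0")
        return sect_va + at

    name_rva = add_str("SAMPLE.DLL")
    funcs, names = [], []
    for nm, tgt in exports:
        funcs.append(add_str(tgt) if isinstance(tgt, str) else tgt)
        names.append(add_str(nm))
    # IMAGE_EXPORT_DIRECTORY: Characteristics, TimeDateStamp, Major/MinorVersion,
    # Name, Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions,
    # AddressOfNames, AddressOfNameOrdinals
    struct.pack_into("<IIHHIIIIIII", blob, 0, 0, 0, 0, 0, name_rva, 1, n, n,
                     sect_va + off_funcs, sect_va + off_names, sect_va + off_ords)
    struct.pack_into(f"<{n}I", blob, off_funcs, *funcs)
    struct.pack_into(f"<{n}I", blob, off_names, *names)
    struct.pack_into(f"<{n}H", blob, off_ords, *range(n))
    edata_size = len(blob)

    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)          # e_lfanew
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    hdr += struct.pack("<HBB" + "IIIII" + "Q" + "II" + "HHHHHH" + "IIII" + "HH" + "QQQQ" + "II",
                       0x20B, 14, 0, 0, edata_size, 0, 0, 0x2000, 0x180000000, 0x1000, 0x200,
                       6, 0, 0, 0, 6, 0, 0, 0x2000, 0x200, 0, 2, 0,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    hdr += struct.pack("<II", sect_va, edata_size) + bytes(8 * 15)    # data directories
    hdr += struct.pack("<8sIIIIIIHHI", b".edata", edata_size, sect_va, 0x200, sect_raw,
                       0, 0, 0, 0, 0x40000040)
    return hdr.ljust(sect_raw, b"\0") + bytes(blob).ljust(0x200, b"\0")


def _rva_to_offset(sections, rva):
    for va, vsize, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_exports(data):
    """Return (dll name, [(name, ordinal, target)]); target is the forwarder
    string 'DLL.Symbol' or 'DLL.#ordinal' for a forward, else the code RVA.
    Exports that have an ordinal but no name are not listed."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", data, opt)
    exp_rva, exp_size = struct.unpack_from("<II", data, opt + (112 if magic == 0x20B else 96))
    sections = []
    for i in range(nsect):                       # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, rawsize, rawptr))
    if exp_rva == 0:
        return None, []
    ed = _rva_to_offset(sections, exp_rva)
    name_rva, base, _, n_names, funcs_rva, names_rva, ords_rva = struct.unpack_from("<7I", data, ed + 12)
    funcs_off, names_off, ords_off = (_rva_to_offset(sections, r) for r in (funcs_rva, names_rva, ords_rva))
    result = []
    for i in range(n_names):
        idx, = struct.unpack_from("<H", data, ords_off + 2 * i)
        func_rva, = struct.unpack_from("<I", data, funcs_off + 4 * idx)
        name = _cstr(data, _rva_to_offset(sections, struct.unpack_from("<I", data, names_off + 4 * i)[0]))
        # The forwarder test: the address points into the export directory itself.
        if exp_rva <= func_rva < exp_rva + exp_size:
            target = _cstr(data, _rva_to_offset(sections, func_rva))
        else:
            target = func_rva
        result.append((name, base + idx, target))
    return _cstr(data, _rva_to_offset(sections, name_rva)), result


def forwarders(data):
    """Map each export that is a pure forward to the symbol it forwards to."""
    return {name: tgt for name, _, tgt in parse_exports(data)[1] if isinstance(tgt, str)}


SAMPLE_IMAGE = _build_sample_image()

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    dll, exports = parse_exports(image)
    for name, ordinal, target in exports:
        kind = f"forward -> {target}" if isinstance(target, str) else f"code at RVA {target:#x}"
        print(f"{dll}!{name} (ordinal {ordinal}): {kind}")
```

Filtering the output of `forwarders()` for targets that begin with NTDLL. gives exactly the set of KERNEL32 or ADVAPI32 names that have no code of their own, which is also the set for which a hook placed on the KERNEL32 export and a hook placed on the NTDLL export are the same hook.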

Strictly speaking, then, NTDLL is not a Win32 component but a lower-level platform on which Win32 is built. Yet, as ever with Microsoft, the practice and the theory are not wholly in sync. Rather, many Win32 executables that Microsoft supplies with Windows cut past KERNEL32 and ADVAPI32 and import directly from NTDLL. These are admittedly very low-level executables, but not all of them are integral to the Win32 subsystem. Many are of a general type, namely services, that Microsoft plainly intends to be written by non-Microsoft programmers too. It is not obviously satisfactory that when Microsoft’s programmers write such programs, they use NTDLL functions that are not documented for use by non-Microsoft programmers writing similar programs.

For these notes, I have chosen to follow the practice rather than what looks to be the theoretical architecture, and I count NTDLL in the Win32 subsystem. Note, however, that where I document any functions of the Native API, i.e., those functions whose names begin with Nt or Zw, I do so in the Kernel section even if the function is exported only from NTDLL.