Native API Functions

Whether or not NTDLL belongs to the Win32 subsystem particularly or is more generally the kernel’s user-mode face for supporting all subsystems, it is indisputably on the user-mode side of the boundary with kernel mode. The highest-level functionality in kernel mode is also the lowest-level functionality in user mode. This functionality is sometimes called the native API. Its functions are described as native system services in Microsoft’s documentation for device driver programming and are sometimes referred to just as system calls.

The extra qualification as native has significance, however. Ever since version 3.51 (and explicitly not before), the kernel has allowed for multiple distinct sets of system services: at first four, but limited to two starting with version 5.2 in the build for Windows 2003 SP1. The first of these sets is native. The second supports user-mode communication with WIN32K.SYS, which surely is important but is just as surely not native.

The native API functions are distinguished by names that begin with Nt or Zw. They are exported from NTDLL in user mode and from the NTOSKRNL module (i.e., the kernel, whatever its filename) in kernel mode, though not all functions are exported in both modes or with both prefixes. Indeed, very many are exported only in user mode even as late as Windows 10, some two decades after the first 32-bit Windows that didn’t run as an MS-DOS program, and many more were exported only in user mode to begin with, until their usefulness for kernel-mode programming (at least for Microsoft’s) was compelling enough that they became kernel-mode exports too.

As user-mode exports, the native API functions tend to be known by their Nt prefix (for reasons given below). They are mostly undocumented, in part for the obviously good reason that their functionality is better reached through the documented functions of the Win32 API. Documented or not, they have long attracted the attention of various sorts of programmers for good reasons and bad. Among the bad must be counted hackers, not just malware writers but some programmers of security tools too, who by-pass the documented Win32 APIs in the hope of doing their otherwise more or less ordinary work without being readily detected. Even some of Microsoft’s own programmers, not only of low-level user-mode software such as services but also of so-called middleware, could not resist the siren call of the native API, such that Microsoft felt compelled in 2002 to document some of the API for user-mode programming, albeit with warnings.

The suggestion seems strong, then, that the native API functions exist to be called from user mode even if most user-mode software would better not call them. Yet where these notes document native API functions they do so in the Kernel section. Why?

Implementation

The reason is that even if the function is exported only in user mode, NTDLL has none of the implementation. Though the native API functions are NTDLL exports, their implementation is entirely in kernel mode. NTDLL provides nothing more than one or another type of stub for the transition to kernel mode. For other NTDLL exports, I do (or mean to) place my documentation of them here with NTDLL because even if most of their work, e.g., to create a file, is ultimately done in kernel mode, NTDLL provides at least some non-trivial pre- or post-processing. But for whatever native API functions I yet document, look in the Kernel section. Here, there are just these general notes.

If a native API function is exported in user mode, which almost all are, then with only one exception NTDLL exports it in both the Nt and Zw forms, which are aliases. This user-mode function is just a stub to effect a transition to kernel mode for the real handling. It is there picked up by a routine whose name has the Nt prefix. In kernel mode, the Nt and Zw names are not aliases. The Nt function has the substantial implementation. It may be exported from the kernel, but more likely is not. Indeed, most of these Nt routines exist only to service the corresponding user-mode functionality. If the functionality is exposed in kernel mode for use from outside the kernel, e.g., from drivers, there may instead (or also) be an export with the Zw prefix. This is a stub which simulates a transition from user mode to kernel mode, ending up in the kernel’s Nt routine, except for recording that the call actually originated in kernel mode.

Usage

The clearly intended usage is that user-mode clients will call the functions whose names have the Nt prefix and kernel-mode clients will call the Zw functions. If everyone sticks to this, then the underlying Nt routine in kernel mode can reliably distinguish whether it is executing for a kernel-mode or user-mode caller. Though it doesn’t matter which of the Nt and Zw forms is called in user mode, since they are just aliases there, calling the wrong one in kernel mode can bring surprises.

User Mode

Of particular importance is that user-mode requests are subject to the natural distrust that everything executing in kernel mode must have for any parameters, but especially addresses, that can possibly have originated in user mode. As user-mode calls to an Nt or Zw function make the transition to kernel mode, the thread’s so-called previous mode—actually named PreviousMode in the KTHREAD—is set to UserMode (1) and the kernel-mode Nt routine then knows to distrust all parameters.

What distrust means in general is that all addresses, whether given as arguments or passed indirectly in structures whose addresses are given as arguments, must be in user-mode address space, are typically also subject to alignment requirements, and may have to be writable even if it turns out that there’s nothing to write. All access through these addresses, whether for reading or writing, is done with exception handling. Where data at these addresses is to be read as input for kernel-mode processing, the kernel captures a copy to validate and then work from so that it is not vulnerable to the user-mode caller changing the data after validation.

Good practice in user mode is to avoid these functions. Instead, call them indirectly through Win32 API functions, even if undocumented. Know about the underlying native function, as much as it helps to understand the higher-level wrapping, but keep to the latter for real-world use unless you have a very good reason not to.

Kernel-Mode Zw Calls

A kernel-mode call to the Zw form goes through a stub that directs the handling to the same Nt routine as from user mode, but with the previous mode set to KernelMode (0). It will then be handled as if trusted. The usual case will be that some kernel-mode caller forms a request for its own purposes, with parameters that are in kernel-mode address space and will remain meaningful if the handling switches to an arbitrary thread. For this, the Zw call is natural and appropriate.

It is not of itself unsound to call a Zw function with arguments that are user-mode addresses, but since these addresses will all be trusted, the caller has the entire responsibility for whatever might get done with those user-mode addresses.

Kernel-Mode Nt Calls

By contrast, a kernel-mode call to the Nt form, if it is exported, passes through no stub. It goes directly to the internal handling. The previous mode is unchanged. The call may be handled as trusted or not. The caller had better know which. The kernel-mode caller of an Nt function has the responsibility of knowing the previous mode. It is generally better to call the Zw function, but there are two notable cases where the Nt function has the edge.

If the previous mode is KernelMode, as when the caller is handling a kernel-mode request, then calling the Nt function is effectively the same as calling the Zw function except for being faster and using less stack. The efficiency makes it irresistible to some programmers, and indeed the use of less stack means that calling the Nt function actually is safer, e.g., for re-entrant file I/O by file system filter drivers. However, the caller must be certain that the previous mode truly is KernelMode. Get this wrong and the kernel-mode addresses that would be perfectly fine as parameters for a call to the Zw function will instead be rejected by the Nt function.

Calling the Nt function can also be right when the previous mode is UserMode. Here, the kernel-mode caller knows it is handling a user-mode request and wants its own further operations to continue being treated as user-mode requests. One reason, though probably rare in drivers such as can be added by third-party programmers, is that it will pass user-mode addresses to those operations. Another is that it truly does want access rights and privileges within those operations to be evaluated as if for a user-mode request.
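
The three call paths described above, as a small portable C simulation (an added example, not Windows code and not from the original page): a user-mode stub, a kernel-mode Zw stub and a direct kernel-mode Nt call all reach one Nt routine, which probes addresses only when the previous mode is UserMode and always works from a captured copy. Apart from the KernelMode (0) and UserMode (1) values, all names, status codes and the address-space layout are assumptions made for the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulation only, not Windows code. KernelMode (0) and UserMode (1) are the
   values the page gives; every other name, status code and the address
   layout is hypothetical. */
enum { KernelMode = 0, UserMode = 1 };
enum { OK = 0, ACCESS_VIOLATION = -1, MISALIGNED = -2, INVALID_PARAMETER = -3 };
#define USER_LIMIT 0x1000u   /* model: addresses below this are user space */
#define MEM_SIZE   0x2000u   /* model: the rest, up to here, is kernel space */
typedef struct { uint32_t length; uint32_t flags; } REQUEST;

static uint8_t memory[MEM_SIZE];        /* one flat address space */
static int previous_mode = KernelMode;  /* stands in for KTHREAD PreviousMode */
static void (*race_hook)(void);         /* simulates a second user-mode thread */

static void put_request(uint32_t addr, uint32_t length)
{
    REQUEST r = { length, 0 };
    memcpy(&memory[addr], &r, sizeof r);
}

/* Distrust: the whole range must be aligned and lie in user space. */
static int probe(uint32_t addr, uint32_t size, uint32_t align)
{
    if (addr % align != 0) return MISALIGNED;
    if (addr >= USER_LIMIT || size > USER_LIMIT - addr) return ACCESS_VIOLATION;
    return OK;
}

/* The Nt routine: the one real implementation, whoever calls it. */
int NtModelSet(uint32_t req_addr, uint32_t *result)
{
    REQUEST captured;
    if (previous_mode == UserMode) {
        int status = probe(req_addr, (uint32_t)sizeof(REQUEST), 4);
        if (status != OK) return status;
    } else if (req_addr > MEM_SIZE - sizeof(REQUEST)) {
        return ACCESS_VIOLATION;        /* only keeps the model inside its array */
    }
    memcpy(&captured, &memory[req_addr], sizeof captured);  /* capture once */
    if (captured.length > 16) return INVALID_PARAMETER;     /* validate the copy */
    if (race_hook) race_hook();         /* the caller's buffer may change here */
    *result = captured.length;          /* work from the copy, not the buffer */
    return OK;
}

/* Both kinds of stub reach the same Nt routine; only the recorded mode differs. */
static int via_stub(int mode, uint32_t req_addr, uint32_t *result)
{
    int saved = previous_mode, status;
    previous_mode = mode;
    status = NtModelSet(req_addr, result);
    previous_mode = saved;
    return status;
}
int user_call(uint32_t a, uint32_t *r)  { return via_stub(UserMode, a, r); }
int ZwModelSet(uint32_t a, uint32_t *r) { return via_stub(KernelMode, a, r); }

/* A driver servicing a user-mode request hands its own kernel buffer onward. */
int driver_call(int use_zw)
{
    uint32_t result = 0, kernel_buf = USER_LIMIT + 0x800;
    int saved = previous_mode, status;
    put_request(kernel_buf, 8);
    previous_mode = UserMode;           /* the request came from user mode */
    status = (use_zw ? ZwModelSet : NtModelSet)(kernel_buf, &result);
    previous_mode = saved;
    return status;
}

/* Status of a user-mode call whose request sits at addr with the given length. */
int user_status(uint32_t addr, uint32_t length)
{
    uint32_t result = 0;
    if (addr <= MEM_SIZE - sizeof(REQUEST)) put_request(addr, length);
    return user_call(addr, &result);
}

/* The user-mode caller rewrites the length after validation. */
static void rewrite_length(void) { put_request(0x100, 0xFFFF); }
uint32_t length_used_despite_race(void)
{
    uint32_t result = 0;
    put_request(0x100, 8);
    race_hook = rewrite_length;
    user_call(0x100, &result);
    race_hook = NULL;
    return result;
}

int main(void)
{
    printf("driver via Nt: %d, via Zw: %d, length after rewrite: %u\n",
           driver_call(0), driver_call(1), (unsigned)length_used_despite_race());
    return 0;
}
```

Run stand-alone, the model shows the direct Nt call rejecting the driver's kernel buffer while the Zw call accepts it, and the validated length surviving the caller's later rewrite.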

Available Functions

As noted above, not all system functions are exported in both user mode and kernel mode, and not all are exported with both the Nt and Zw prefixes. The following table lists the modes and prefixes, and summarises the applicable Windows versions. Where user or kernel is shown without parentheses, infer that the function is exported in that mode with both prefixes in the corresponding versions. If a function is exported in both modes using both prefixes, it is shown as all.

Not one NT API function is exported with the Zw prefix unless it is also exported with the Nt prefix. In user mode, only one is not exported with both prefixes. This exceptional case is NtGetTickCount: the exporting of ZwGetTickCount was stopped in Windows XP.

One other function, named NtCurrentTeb, is also exported from NTDLL only with the Nt prefix, and only then in x86 builds, but it is not included below because although its name starts with Nt, it is not handled through a transition to kernel mode and is not regarded here as a native API function. Two functions are exported in kernel mode with the Nt prefix only and not at all in user mode. They are NtGetEnvironmentVariableEx and NtQueryEnvironmentVariableInfoEx. They are here treated as being not actually intended as native API functions. Also omitted from the table, if only for now, are nearly two dozen user-mode functions that NTDLL exports with both the Nt and Zw prefixes, but only from the wow64 builds. These are meant to look in some sense like native API functions, yet they are not.

Note that many native API functions that are exported in kernel mode were not always. Many were first exported with one prefix but only much later with the other. What governs Microsoft’s thinking about which functions are also exposed for use in kernel mode but from outside the kernel is anyone’s guess. It seems at least plausible, however, that these functions are intended first as user-mode exports and then get exported in kernel mode as and when Microsoft discovers a need for Microsoft’s purposes.

Beware of what the table tells of the very earliest history. Not only are my holdings of Windows NT 3.10 and 3.50 incomplete as regards service packs, what little I do have is not certainly complete even for any one build. In particular, among files that are supposedly for Windows NT 3.50, I have not found any build of NTDLL.DLL that certainly is from version 3.50. It seems likely just from continuity that any function that is shown below as a user-mode export in version 3.10 and higher—or even just 3.10 to 3.51—is exported in version 3.50 too. However, if a function is shown below as a user-mode export in version 3.51 and higher—or in version 3.10 only—it may or may not also be a user-mode export in version 3.50.

Function Modes and Prefixes Versions
NtAcceptConnectPort user 3.10 and higher
NtAccessCheck user 3.10 and higher
NtAccessCheckAndAuditAlarm user; kernel (Zw) 3.10 and higher
NtAccessCheckByType user 5.0 and higher
NtAccessCheckByTypeAndAuditAlarm user 5.0 and higher
NtAccessCheckByTypeResultList user 5.0 and higher
NtAccessCheckByTypeResultListAndAuditAlarm user 5.0 and higher
NtAccessCheckByTypeResultListAndAuditAlarmByHandle user 5.0 and higher
NtAcquireCMFViewOwnership user 6.0 only
NtAddAtom user; kernel (Nt) 4.0 and higher
NtAddAtomEx user 6.2 and higher
NtAddBootEntry user; kernel (Zw) 5.1 and higher
NtAddDriverEntry user; kernel (Zw) 5.2 and higher
NtAdjustGroupsToken user 3.10 and higher
NtAdjustPrivilegesToken user; kernel (Nt) 3.10 and higher
kernel (Zw) 5.0 and higher
NtAdjustTokenClaimsAndDeviceGroups user 6.2 and higher
NtAlertResumeThread user 3.10 and higher
NtAlertThread user 3.10 and higher
kernel (Zw) 3.51 and higher
NtAlertThreadById user 6.2 and higher
NtAllocateLocallyUniqueId user; kernel (Nt) 3.10 and higher
kernel (Zw) 6.0 and higher
NtAllocateReserveObject user 6.1 and higher
NtAllocateUserPhysicalPages user 5.0 and higher
NtAllocateUuids user; kernel (Nt) 3.51 and higher
NtAllocateVirtualMemory all 3.10 and higher
NtAlpcAcceptConnectPort user; kernel (Zw) 6.0 and higher
NtAlpcCancelMessage user; kernel (Zw) 6.0 and higher
NtAlpcConnectPort user; kernel (Zw) 6.0 and higher
NtAlpcConnectPortEx user; kernel (Zw) 6.2 and higher
NtAlpcCreatePort user; kernel (Zw) 6.0 and higher
NtAlpcCreatePortSection user; kernel (Zw) 6.0 and higher
NtAlpcCreateResourceReserve user; kernel (Zw) 6.0 and higher
NtAlpcCreateSectionView user; kernel (Zw) 6.0 and higher
NtAlpcCreateSecurityContext user; kernel (Zw) 6.0 and higher
NtAlpcDeletePortSection user; kernel (Zw) 6.0 and higher
NtAlpcDeleteResourceReserve user; kernel (Zw) 6.0 and higher
NtAlpcDeleteSectionView user; kernel (Zw) 6.0 and higher
NtAlpcDeleteSecurityContext user; kernel (Zw) 6.0 and higher
NtAlpcDisconnectPort user; kernel (Zw) 6.0 and higher
NtAlpcImpersonateClientContainerOfPort user 10.0 and higher
NtAlpcImpersonateClientOfPort user 6.0 and higher
NtAlpcOpenSenderProcess user 6.0 and higher
NtAlpcOpenSenderThread user 6.0 and higher
kernel (Zw) 10.0 and higher
NtAlpcQueryInformation user; kernel (Zw) 6.0 and higher
NtAlpcQueryInformationMessage user 6.0 and higher
kernel (Zw) 10.0 and higher
NtAlpcRevokeSecurityContext user 6.0 and higher
NtAlpcSendWaitReceivePort user; kernel (Zw) 6.0 and higher
NtAlpcSetInformation user; kernel (Zw) 6.0 and higher
NtApphelpCacheControl user 5.2 and higher
NtAreMappedFilesTheSame user 5.0 and higher
NtAssignProcessToJobObject user 5.0 and higher
kernel (Zw) 5.1 and higher
NtAssociateWaitCompletionPacket user 6.2 and higher
kernel (Zw) 6.3 and higher
NtCallbackReturn user 3.51 and higher
NtCancelDeviceWakeupRequest user 5.0 and 6.0 only
NtCancelIoFile user 3.10 and higher
kernel (Zw) 5.0 and higher
NtCancelIoFileEx user 6.0 and higher
kernel (Zw) 6.3 and higher
NtCancelSynchronousIoFile user 6.0 and higher
NtCancelTimer user 3.10 and higher
kernel (Zw) 5.0 and higher
NtCancelTimer2 user 6.3 and higher
NtCancelWaitCompletionPacket user 6.2 and higher
NtClearAllSavepointsTransaction user; kernel (Nt) 6.0 before Windows Vista SP1
NtClearEvent user; kernel (Zw) 3.51 and higher
NtClearSavepointTransaction user; kernel (Nt) 6.0 before Windows Vista SP1
NtClose all 3.10 and higher
NtCloseObjectAuditAlarm user; kernel (Zw) 3.10 and higher
NtCommitComplete user; kernel (Nt) 6.0 and higher
kernel (Zw) 6.1 and higher
NtCommitEnlistment all 6.0 and higher
NtCommitTransaction all 6.0 and higher
NtCompactKeys user 5.1 and higher
NtCompareObjects user (Nt) 10.0 and higher
NtCompareTokens user 5.1 and higher
kernel (Zw) 10.0 and higher
NtCompleteConnectPort user 3.10 and higher
NtCompressKey user 5.1 and higher
NtConnectPort user; kernel (Nt) 3.10 and higher
kernel (Zw) 3.50 and higher
NtContinue user 3.10 and higher
NtCreateChannel user 4.0 and 5.0 only
NtCreateDebugObject user 5.1 and higher
NtCreateDirectoryObject user; kernel (Zw) 3.10 and higher
NtCreateDirectoryObjectEx user 6.2 and higher
NtCreateEnlistment all 6.0 and higher
NtCreateEvent user; kernel (Nt) 3.10 and higher
kernel (Zw) 3.50 and higher
NtCreateEventPair user 3.10 and higher
NtCreateFile all 3.10 and higher
NtCreateIRTimer user 6.2 and higher
NtCreateIoCompletion user 3.51 and higher
kernel (Zw) 6.0 and higher
NtCreateJobObject user 5.0 and higher
kernel (Zw) 5.1 and higher
NtCreateJobSet user 5.1 and higher
NtCreateKey user; kernel (Zw) 3.10 and higher
NtCreateKeyTransacted user; kernel (Zw) 6.0 and higher
NtCreateKeyedEvent user 5.1 and higher
NtCreateLowBoxToken user 6.2 and higher
NtCreateMailslotFile user 3.10 and higher
NtCreateMutant user 3.10 and higher
NtCreateNamedPipeFile user 3.10 and higher
NtCreatePagingFile user 3.10 and higher
NtCreatePartition user 10.0 and higher
NtCreatePort user 3.10 and higher
NtCreatePrivateNamespace user 6.0 and higher
NtCreateProcess user 3.10 and higher
NtCreateProcessEx user 5.1 and higher
NtCreateProfile user 3.10 and higher
NtCreateProfileEx user 6.1 and higher
NtCreateResourceManager all 6.0 and higher
NtCreateSection all 3.10 and higher
NtCreateSemaphore user 3.10 and higher
NtCreateSymbolicLinkObject user; kernel (Zw) 3.10 and higher
NtCreateThread user 3.10 and higher
NtCreateThreadEx user 6.0 and higher
NtCreateTimer user 3.10 and higher
kernel (Zw) 3.51, and 5.0 and higher
NtCreateTimer2 user 6.3 and higher
NtCreateToken user 3.10 and higher
NtCreateTokenEx user 6.2 and higher
NtCreateTransaction all 6.0 and higher
NtCreateTransactionManager user; kernel (Zw) 6.0 and higher
kernel (Nt) 6.1 and higher
NtCreateUserProcess user 6.0 and higher
kernel (Zw) 6.2 and higher
NtCreateWaitCompletionPacket user 6.2 and higher
kernel (Zw) 6.3 and higher
NtCreateWaitablePort user 5.0 and higher
NtCreateWnfStateName user; kernel (Zw) 6.2 and higher
NtCreateWorkerFactory user 6.0 and higher
NtDebugActiveProcess user 5.1 and higher
NtDebugContinue user 5.1 and higher
NtDelayExecution user 3.10 and higher
NtDeleteAtom user; kernel (Nt) 4.0 and higher
NtDeleteBootEntry user; kernel (Zw) 5.1 and higher
NtDeleteDriverEntry user; kernel (Zw) 5.2 and higher
NtDeleteFile kernel 3.50 and higher
user 3.51 and higher
NtDeleteKey user; kernel (Zw) 3.10 and higher
NtDeleteObjectAuditAlarm user 4.0 and higher
NtDeletePrivateNamespace user 6.0 and higher
NtDeleteValueKey user; kernel (Zw) 3.10 and higher
NtDeleteWnfStateData user; kernel (Zw) 6.2 and higher
NtDeleteWnfStateName user; kernel (Zw) 6.2 and higher
NtDeviceIoControlFile all 3.10 and higher
NtDisableLastKnownGood user 6.1 and higher
NtDisplayString user; kernel (Zw) 3.10 and higher
NtDrawText user 6.1 and higher
NtDuplicateObject all 3.10 and higher
NtDuplicateToken user; kernel (Nt) 3.10 and higher
kernel (Zw) 3.51 and higher
NtEnableLastKnownGood user 6.1 and higher
NtEnumerateBootEntries user; kernel (Zw) 5.1 and higher
NtEnumerateBus user 3.51 only
NtEnumerateDriverEntries user; kernel (Zw) 5.2 and higher
NtEnumerateKey user; kernel (Zw) 3.10 and higher
NtEnumerateSystemEnvironmentValuesEx user 5.1 and higher
NtEnumerateTransactionObject all 6.0 and higher
NtEnumerateValueKey user; kernel (Zw) 3.10 and higher
NtExtendSection user 3.10 and higher
NtFilterBootOption user 6.2 and higher
NtFilterToken user 5.0 and higher
NtFilterTokenEx user 6.2 and higher
NtFindAtom user; kernel (Nt) 4.0 and higher
NtFlushBuffersFile user 3.10 and higher
kernel (Zw) 6.0 and higher
NtFlushBuffersFileEx user; kernel (Zw) 6.2 and higher
NtFlushInstallUILanguage user 6.0 and higher
NtFlushInstructionCache user 3.10 and higher
kernel (Zw) 3.50 and higher
NtFlushKey user; kernel (Zw) 3.10 and higher
NtFlushProcessWriteBuffers user 6.0 and higher
NtFlushVirtualMemory user 3.10 and higher
kernel (Zw) 5.0 and higher
NtFlushWriteBuffer user 3.10 and higher
NtFreeUserPhysicalPages user 5.0 and higher
NtFreeVirtualMemory all 3.10 and higher
NtFreezeRegistry user 6.0 and higher
NtFreezeTransactions user; kernel (Nt) 6.0 and higher
NtFsControlFile user; kernel (Nt) 3.10 and higher
kernel (Zw) 3.50 and higher
NtGetCachedSigningLevel user 6.2 and higher
kernel (Zw) 10.0 and higher
NtGetCompleteWnfStateSubscription user 6.3 and higher
NtGetContextThread user 3.10 and higher
NtGetCurrentProcessorNumber user 5.2 and higher
NtGetCurrentProcessorNumberEx user 10.0 and higher
NtGetDevicePowerState user 5.0 and higher
NtGetMUIRegistryInfo user 6.0 and higher
NtGetNextProcess user 6.0 and higher
kernel (Zw) 10.0 and higher
NtGetNextThread user 6.0 and higher
NtGetNlsSectionPtr user 6.0 and higher
NtGetNotificationResourceManager all 6.0 and higher
NtGetPlugPlayEvent user 3.51 to 6.1
NtGetTickCount user (Nt) 3.10 and higher, except 5.1
user (Zw) 3.10 to 5.0 only
NtGetWriteWatch user 5.0 and higher
NtImpersonateAnonymousToken user 5.0 and higher
kernel (Zw) 6.0 and higher
NtImpersonateClientOfPort user 3.10 and higher
NtImpersonateThread user 3.10 and higher
NtInitializeNlsFiles user 6.0 and higher
NtInitializeRegistry user 3.10 and higher
NtInitializeVDM user 3.10 only
NtInitiatePowerAction user; kernel (Zw) 5.0 and higher
NtIsProcessInJob user; kernel (Zw) 5.1 and higher
NtIsSystemResumeAutomatic user 5.0 and higher
NtIsUILanguageComitted user 6.0 and higher
NtListTransactions user 6.0 before Windows Vista SP1
NtListenChannel user 4.0 and 5.0 only
NtListenPort user 3.10 and higher
NtLoadDriver user; kernel (Zw) 3.10 and higher
NtLoadKey user 3.10 and higher
kernel (Zw) 4.0 and higher
NtLoadKey2 user 4.0 and higher
NtLoadKeyEx user 5.2 and higher
kernel (Zw) 6.0 and higher
NtLockFile user; kernel (Nt) 3.10 and higher
kernel (Zw) 6.1 and higher
NtLockProductActivationKeys user 5.1 and higher
kernel (Zw) 6.0 and higher
NtLockRegistryKey user 5.1 and higher
NtLockVirtualMemory user 3.10 and higher
kernel (Zw) 6.3 and higher
NtMakePermanentObject user; kernel (Nt) 5.1 and higher
NtMakeTemporaryObject user; kernel (Zw) 3.10 and higher
NtManagePartition user 10.0 and higher
NtMapCMFModule user 6.0 and higher
NtMapUserPhysicalPages user 5.0 and higher
NtMapUserPhysicalPagesScatter user 5.0 and higher
NtMapViewOfSection all 3.10 and higher
NtMarshallTransaction all 6.0 before Windows Vista SP1
NtModifyBootEntry user 5.1 and higher
kernel (Zw) 5.2 and higher
NtModifyDriverEntry user; kernel (Zw) 5.2 and higher
NtNotifyChangeDirectoryFile user; kernel (Nt) 3.10 and higher
kernel (Zw) 10.0 and higher
NtNotifyChangeKey user 3.10 and higher
kernel (Zw) 3.51 and higher
NtNotifyChangeMultipleKeys user 5.0 and higher
NtNotifyChangeSession user; kernel (Zw) 6.1 and higher
NtOpenChannel user 4.0 and 5.0 only
NtOpenDirectoryObject user; kernel (Zw) 3.10 and higher
NtOpenEnlistment all 6.0 and higher
NtOpenEvent user 3.10 and higher
kernel (Zw) 3.50 and higher
NtOpenEventPair user 3.10 and higher
NtOpenFile all 3.10 and higher
NtOpenIoCompletion user 3.51 and higher
NtOpenJobObject user 5.0 and higher
kernel (Zw) 5.1 and higher
NtOpenKey user; kernel (Zw) 3.10 and higher
NtOpenKeyEx user; kernel (Zw) 6.1 and higher
NtOpenKeyTransacted user; kernel (Zw) 6.0 and higher
NtOpenKeyTransactedEx user; kernel (Zw) 6.1 and higher
NtOpenKeyedEvent user 5.1 and higher
NtOpenMutant user 3.10 and higher
NtOpenObjectAuditAlarm user 3.10 and higher
NtOpenPartition user 10.0 and higher
NtOpenPrivateNamespace user 6.0 and higher
NtOpenProcess user 3.10 and higher
kernel (Nt) 3.50 and higher
kernel (Zw) 3.51 and higher
NtOpenProcessToken all 3.10 and higher
NtOpenProcessTokenEx all 5.1 and higher
NtOpenResourceManager all 6.0 and higher
NtOpenSection user; kernel (Zw) 3.10 and higher
NtOpenSemaphore user 3.10 and higher
NtOpenSession user 6.0 and higher
kernel (Zw) 6.1 and higher
NtOpenSymbolicLinkObject user; kernel (Zw) 3.10 and higher
NtOpenThread user 3.10 and higher
kernel 3.51 and higher
NtOpenThreadToken user; kernel (Zw) 3.10 and higher
kernel (Nt) 5.1 and higher
NtOpenThreadTokenEx all 5.1 and higher
NtOpenTimer user 3.10 and higher
kernel (Zw) 5.0 and higher
NtOpenTransaction all 6.0 and higher
NtOpenTransactionManager user; kernel (Zw) 6.0 and higher
kernel (Nt) 6.1 and higher
NtPlugPlayControl user 3.51 and higher
NtPowerInformation user; kernel (Zw) 5.0 and higher
NtPrePrepareComplete user 6.0 and higher
kernel 6.1 and higher
NtPrePrepareEnlistment all 6.0 and higher
NtPrepareComplete all 6.0 and higher
NtPrepareEnlistment all 6.0 and higher
NtPrivilegeCheck user 3.10 and higher
NtPrivilegeObjectAuditAlarm user 3.10 and higher
NtPrivilegedServiceAuditAlarm user 3.10 and higher
NtPropagationComplete user 6.0 and higher
kernel 6.1 and higher
NtPropagationFailed user 6.0 and higher
kernel 6.1 and higher
NtProtectVirtualMemory user 3.10 and higher
kernel (Zw) 6.3 and higher
NtPullTransaction all 6.0 before Windows Vista SP1
NtPulseEvent user 3.10 and higher
kernel (Zw) 3.51 and higher
NtQueryAttributesFile user 3.51 and higher
NtQueryBootEntryOrder user; kernel (Zw) 5.1 and higher
NtQueryBootOptions user; kernel (Zw) 5.1 and higher
NtQueryDebugFilterState user 5.1 and higher
NtQueryDefaultLocale user 3.10 and higher
kernel (Zw) 4.0 and higher
NtQueryDefaultUILanguage user; kernel (Zw) 5.0 and higher
NtQueryDirectoryFile user; kernel (Nt) 3.10 and higher
kernel (Zw) 3.50 and higher
NtQueryDirectoryObject user 3.10 and higher
kernel (Zw) 5.0 and higher
NtQueryDriverEntryOrder user; kernel (Zw) 5.2 and higher
NtQueryEaFile user; kernel (Nt) 3.10 and higher
kernel (Zw) 5.0 and higher
NtQueryEvent user 3.10 and higher
NtQueryFullAttributesFile user 4.0 and higher
kernel (Zw) 5.1 and higher
NtQueryInformationAtom user; kernel (Nt) 4.0 and higher
NtQueryInformationEnlistment all 6.0 and higher
NtQueryInformationFile all 3.10 and higher
NtQueryInformationJobObject user 5.0 and higher
kernel (Zw) 5.1 and higher
NtQueryInformationPort user 3.10 and higher
NtQueryInformationProcess user 3.10 and higher
kernel (Nt) 3.50 and higher
kernel (Zw) 3.51 and higher
NtQueryInformationResourceManager all 6.0 and higher
NtQueryInformationThread user 3.10 and higher
kernel 5.1 and higher
NtQueryInformationToken all 3.10 and higher
NtQueryInformationTransaction all 6.0 and higher
NtQueryInformationTransactionManager all 6.0 and higher
NtQueryInformationWorkerFactory user 6.0 and higher
NtQueryInstallUILanguage user; kernel (Zw) 5.0 and higher
NtQueryIntervalProfile user 3.10 and higher
NtQueryIoCompletion user 3.51 and higher
NtQueryKey user; kernel (Zw) 3.10 and higher
NtQueryLicenseValue user; kernel (Zw) 6.0 and higher
NtQueryMultipleValueKey user 4.0 and higher
NtQueryMutant user 3.10 and higher
NtQueryObject user 3.10 and higher
kernel (Zw) 4.0 and higher
NtQueryOleDirectoryFile user; kernel (Nt) 4.0 only
NtQueryOpenSubKeys user 5.0 and higher
NtQueryOpenSubKeysEx user 5.2 and higher
NtQueryPerformanceCounter user 3.10 and higher
NtQueryPortInformationProcess user 5.1 and higher
NtQueryQuotaInformationFile user; kernel (Nt) 5.0 and higher
kernel (Zw) 6.1 and higher
NtQuerySection user 3.10 and higher
kernel (Zw) 3.50 and higher
NtQuerySecurityAttributesToken all 6.1 and higher
NtQuerySecurityObject user; kernel (Nt) 3.10 and higher
kernel (Zw) 3.51 and higher
NtQuerySemaphore user 3.10 and higher
NtQuerySymbolicLinkObject user; kernel (Zw) 3.10 and higher
NtQuerySystemEnvironmentValue user 3.10 and higher
NtQuerySystemEnvironmentValueEx user 5.1 and higher
kernel (Zw) 6.2 and higher
NtQuerySystemInformation user 3.10 and higher
kernel (Zw) 4.0 and higher
kernel (Nt) 5.0 and higher
NtQuerySystemInformationEx user; kernel (Nt) 6.1 and higher
kernel (Zw) 6.3 and higher
NtQuerySystemTime user 3.10 and higher
NtQueryTimer user 3.10 and higher
NtQueryTimerResolution user 3.51 and higher
NtQueryValueKey user; kernel (Zw) 3.10 and higher
NtQueryVirtualMemory user 3.10 and higher
kernel (Zw) 6.0 and higher
NtQueryVolumeInformationFile all 3.10 and higher
NtQueryWnfStateData user; kernel (Zw) 6.2 and higher
NtQueryWnfStateNameInformation user; kernel (Zw) 6.2 and higher
NtQueueApcThread user 4.0 and higher
NtQueueApcThreadEx user 6.1 and higher
NtRaiseException user 3.10 and higher
NtRaiseHardError user 3.10 and higher
NtReadFile all 3.10 and higher
NtReadFileScatter user 4.0 from Windows NT 4.0 SP3, and higher
NtReadOnlyEnlistment user 6.0 and higher
kernel 6.1 and higher
NtReadRequestData user 3.10 and higher
NtReadVirtualMemory user 3.10 and higher
NtRecoverEnlistment user; kernel (Zw) 6.0 and higher
kernel (Nt) 6.1 and higher
NtRecoverResourceManager user; kernel (Zw) 6.0 and higher
kernel (Nt) 6.1 and higher
NtRecoverTransactionManager user; kernel (Zw) 6.0 and higher
kernel (Nt) 6.1 and higher
NtRegisterNewDevice user 3.51 only
NtRegisterProtocolAddressInformation user 6.0 and higher
NtRegisterThreadTerminatePort user 3.10 and higher
NtReleaseCMFViewOwnership user 6.0 only
NtReleaseKeyedEvent user 5.1 and higher
NtReleaseMutant user 3.10 and higher
NtReleaseProcessMutant user 3.10 to 3.51
NtReleaseSemaphore user 3.10 and higher
NtReleaseWorkerFactoryWorker user 6.0 and higher
NtRemoveIoCompletion user 3.51 and higher
kernel (Zw) 6.0 and higher
NtRemoveIoCompletionEx user; kernel (Zw) 6.0 and higher
NtRemoveProcessDebug user 5.1 and higher
NtRenameKey user 5.1 and higher
kernel (Zw) 6.1 from Windows 7 SP1, and higher
NtRenameTransactionManager user 6.0 from Windows Vista SP1, and higher
NtRenameValueKey user 3.10 only
NtReplaceKey user 3.10 and higher
kernel (Zw) 4.0 and higher
NtReplacePartitionUnit user 6.0 from Windows Vista SP1, and higher
NtReplyPort user 3.10 and higher
NtReplyWaitReceivePort user 3.10 and higher
NtReplyWaitReceivePortEx user 5.0 and higher
NtReplyWaitReplyPort user 3.10 and higher
NtReplyWaitSendChannel user 4.0 and 5.0 only
NtRequestDeviceWakeup user 5.0 and 6.0 only
NtRequestPort user; kernel (Nt) 3.10 and higher
kernel (Zw) 6.0 and higher
NtRequestWaitReplyPort user; kernel (Nt) 3.10 and higher
kernel (Zw) 3.50 and higher
NtRequestWakeupLatency user 5.0 and 6.0 only
NtResetEvent user 3.10 and higher
kernel (Zw) 3.51 and higher
NtResetWriteWatch user 5.0 and higher
NtRestoreKey user 3.10 and higher
kernel (Zw) 5.0 and higher
NtResumeProcess user 5.1 and higher
NtResumeThread user 3.10 and higher
NtRevertContainerImpersonation user 10.0 and higher
NtRollbackComplete user 6.0 and higher
kernel 6.1 and higher
NtRollbackEnlistment all 6.0 and higher
NtRollbackSavepointTransaction user 6.0 before Windows Vista SP1
NtRollbackTransaction all 6.0 and higher
NtRollforwardTransactionManager user 6.0 and higher
NtSaveKey user 3.10 and higher
kernel (Zw) 4.0 and higher
NtSaveKeyEx user; kernel (Zw) 5.1 and higher
NtSaveMergedKeys user 5.0 and higher
NtSavepointComplete all 6.0 before Windows Vista SP1
NtSavepointTransaction all 6.0 before Windows Vista SP1
NtSecureConnectPort user 5.0 and higher
kernel (Zw) 5.2 from Windows Server 2003 SP1, and higher
NtSendWaitReplyChannel user 4.0 and 5.0 only
NtSerializeBoot user 6.1 and higher
NtSetBootEntryOrder user; kernel (Zw) 5.1 and higher
NtSetBootOptions user; kernel (Zw) 5.1 and higher
NtSetCachedSigningLevel all 6.2 and higher
NtSetContextChannel user 4.0 and 5.0 only
NtSetContextThread user 3.10 and higher
NtSetDebugFilterState user 5.1 and higher
NtSetDefaultHardErrorPort user 3.10 and higher
NtSetDefaultLocale user 3.10 and higher
kernel (Zw) 3.51 and higher
NtSetDefaultUILanguage user; kernel (Zw) 5.0 and higher
NtSetDriverEntryOrder user; kernel (Zw) 5.2 and higher
NtSetEaFile user 3.10 and higher
kernel 5.0 and higher
NtSetEvent user; kernel (Nt) 3.10 and higher
kernel (Zw) 3.50 and higher
NtSetEventBoostPriority user 5.1 and higher
NtSetHighEventPair user 3.10 and higher
NtSetHighWaitLowEventPair user 3.10 and higher
NtSetHighWaitLowThread user 3.10 to 4.0
NtSetIRTimer user 6.2 and higher
NtSetInformationDebugObject user 5.1 and higher
NtSetInformationEnlistment all 6.0 and higher
NtSetInformationFile user; kernel (Nt) 3.10 and higher
kernel (Zw) 3.50 and higher
NtSetInformationJobObject user 5.0 and higher
kernel (Zw) 5.1 and higher
NtSetInformationKey user 3.10 and higher
kernel (Zw) 6.2 and higher
NtSetInformationObject user 3.51 and higher
kernel (Zw) 4.0 and higher
NtSetInformationProcess all 3.10 and higher
NtSetInformationResourceManager user;
kernel (Nt)
6.0 and higher
kernel (Zw) 6.1 and higher
NtSetInformationSymbolicLink user 10.0 and higher
NtSetInformationThread user; kernel (Nt) 3.10 and higher
kernel (Zw) 3.50 and higher
NtSetInformationToken user 3.10 and higher
kernel 6.1 and higher
NtSetInformationTransaction all 6.0 and higher
NtSetInformationTransactionManager user 6.0 and higher
NtSetInformationVirtualMemory all 6.2 and higher
NtSetInformationWorkerFactory user 6.0 and higher
NtSetIntervalProfile user 3.10 and higher
NtSetIoCompletion user 3.51 and higher
NtSetIoCompletionEx user 6.1 and higher
NtSetLdtEntries user 3.10 and higher
NtSetLowEventPair user 3.10 and higher
NtSetLowWaitHighEventPair user 3.10 and higher
NtSetLowWaitHighThread user 3.10 to 4.0
NtSetQuotaInformationFile user; kernel (Nt) 5.0 and higher
kernel (Zw) 6.1 and higher
NtSetSecurityObject user; kernel (Nt) 3.10 and higher
kernel (Zw) 5.0 and higher
NtSetSystemEnvironmentValue user 3.10 and higher
NtSetSystemEnvironmentValueEx user 5.1 and higher
kernel (Zw) 6.2 and higher
NtSetSystemInformation user; kernel (Zw) 3.51 and higher
NtSetSystemPowerState user 3.51 and higher
NtSetSystemTime user 3.10 and higher
kernel (Zw) 4.0 and higher
NtSetThreadExecutionState user 5.0 and higher
NtSetTimer user 3.10 and higher
kernel (Zw) 3.51, and 5.0 and higher
NtSetTimer2 user 6.3 and higher
NtSetTimerEx user; kernel (Zw) 6.1 and higher
NtSetTimerResolution user 3.51 and higher
NtSetUuidSeed user 5.0 and higher
NtSetValueKey user; kernel (Zw) 3.10 and higher
NtSetVolumeInformationFile user 3.10 and higher
kernel 5.0 and higher
NtSetWnfProcessNotificationEvent user 6.3 and higher
NtShutdownSystem user 3.10 and higher
kernel (Nt) 5.1 and higher
NtShutdownWorkerFactory user 6.0 and higher
NtSignalAndWaitForSingleObject user 4.0 and higher
NtSinglePhaseReject user 6.0 and higher
NtStartProfile user 3.10 and higher
NtStartTm user; kernel (Nt) 6.0 before Windows Vista SP1
NtStopProfile user 3.10 and higher
NtSubscribeWnfStateChange user 6.2 and higher
NtSuspendProcess user 5.1 and higher
NtSuspendThread user 3.10 and higher
NtSystemDebugControl user 3.10 and higher
NtTerminateJobObject user 5.0 and higher
kernel (Zw) 5.1 and higher
NtTerminateProcess user 3.10 and higher
kernel (Zw) 4.0 and higher
NtTerminateThread user 3.10 and higher
NtTestAlert user 3.10 and higher
NtThawRegistry user 6.0 and higher
NtThawTransactions user; kernel (Nt) 6.0 and higher
NtTraceControl user; kernel (Nt) 6.0 and higher
kernel (Zw) 10.0 and higher
NtTraceEvent user; kernel (Nt) 5.1 and higher
kernel (Zw) 6.1 and higher
NtTranslateFilePath user; kernel (Zw) 5.1 and higher
NtUmsThreadYield user 6.1 and higher
NtUnloadDriver user 3.10 and higher
kernel (Zw) 4.0 and higher
NtUnloadKey user 3.10 and higher
kernel (Zw) 4.0 and higher
NtUnloadKey2 user 5.2 and higher
NtUnloadKeyEx user 5.1 and higher
kernel (Zw) 6.0 and higher
NtUnlockFile user; kernel (Nt) 3.10 and higher
kernel (Zw) 6.1 and higher
NtUnlockVirtualMemory user 3.10 and higher
kernel (Zw) 6.2 and higher
NtUnmapViewOfSection user; kernel (Zw) 3.10 and higher
NtUnmapViewOfSectionEx user 6.2 and higher
NtUnsubscribeWnfStateChange user 6.2 and higher
NtUpdateWnfStateData user; kernel (Zw) 6.2 and higher
NtVdmControl user; kernel (Nt) 3.10 and higher
NtVdmStartExecution user 3.10 only
NtW32Call user 3.51 to 4.0 from Windows NT 4.0 SP3
NtWaitForAlertByThreadId user 6.2 and higher
NtWaitForDebugEvent user 5.1 and higher
NtWaitForKeyedEvent user 5.1 and higher
NtWaitForMultipleObjects user 3.10 and higher
kernel (Zw) 3.51 and higher
NtWaitForMultipleObjects32 user 5.2 from Windows Server 2003 SP1, and higher
NtWaitForProcessMutant user 3.10 to 3.51
NtWaitForSingleObject user; kernel (Nt) 3.10 and higher
kernel (Zw) 3.50 and higher
NtWaitForWnfNotifications user 6.2 only
NtWaitForWorkViaWorkerFactory user 6.0 and higher
NtWaitHighEventPair user 3.10 and higher
NtWaitLowEventPair user 3.10 and higher
NtWorkerFactoryWorkerReady user 6.0 and higher
NtWriteFile all 3.10 and higher
NtWriteFileGather user 4.0 from Windows NT 4.0 SP3, and higher
NtWriteRequestData user 3.10 and higher
NtWriteVirtualMemory user 3.10 and higher
NtYieldExecution user; kernel (Zw) 4.0 and higher