Windows Native API

This article relies excessively on references to primary sources. Please improve this article by adding secondary or tertiary sources. Find sources: "Windows Native API" – news · newspapers · books · scholar · JSTOR (January 2018) (Learn how and when to remove this template message)

The topic of this article may not meet Wikipedia's general notability guideline. Please help to demonstrate the notability of the topic by citing reliable secondary sources that are independent of the topic and provide significant coverage of it beyond a mere trivial mention. If notability cannot be shown, the article is likely to be merged, redirected, or deleted. Find sources: "Windows Native API" – news · newspapers · books · scholar · JSTOR (February 2022) (Learn how and when to remove this template message)

The Native API is a lightweight

• Nt or Zw are
  SSDT. When calling the functions directly in ntoskrnl.exe (only possible in kernel mode), the Zw variants ensure kernel mode, whereas the Nt variants do not.^[1] The Zw prefix does not stand for anything.^[2]
• Rtl is the second largest group of ntdll calls. These comprise the (extended) C Run-Time Library, which includes many utility functions that can be used by native applications, yet don't directly involve kernel support.
• Csr are client-server functions that are used to communicate with the Win32 subsystem process,
  csrss.exe
  (csrss stands for client/server runtime sub-system).
• Dbg are debugging functions such as a software breakpoint.
• Ki are upcalls from kernel mode for events like APC dispatching.
• Ldr are loader functions for PE file handling and starting of new processes.
• Nls for National Language Support (similar to code pages).
• Pfx for prefix handling.
• Tp for threadpool handling.

user32.dll and gdi32.dll include several other calls that execute an interrupt into kernel mode. These were not part of the original Windows NT design, as can be seen in Windows NT 3.5. However, due to performance issues of hardware of that age, it was decided to move the graphics subsystem into kernel mode. As such, system call in the range of 0x1000-0x1FFF are satisfied by win32k.sys (instead of ntoskrnl.exe as done for 0-0x0FFF), and are declared in user32.dll and gdi32.dll. These functions have the NtUser and NtGdi prefix (e.g. NtUserLockWorkStation and NtGdiEnableEudc).

Uses

Uses of Native API functions includes but not limited to:

• Enabling and disabling privileges (RtlAdjustPrivilege)
• Creating remote thread within processes that are running in different session (RtlCreateUserThread)
• Running native application (RtlCreateUserProcess)
• Performing force shutdown (NtShutdownSystem)
• Cause a BSOD in User mode (NtRaiseHardError)
• Display a string in Native Mode (NtDisplayString)

See also

• List of Microsoft Windows components

References