Undocumented Windows NT

Last updated: September 27, 1995
by Andrew Schulman
Senior Editor, O'Reilly & Associates
andrew@ora.com


Sorry, this page isn't ready yet! But this page will soon contain an examination of KERNEL32.DLL, NTDLL.DLL, NTOSKRNL.EXE, ADVAPI32.DLL, and HAL.DLL from the i386 version of Windows NT 3.51. In the meantime, check out the "teaser" on undocumented NT in
  • Undocumented DOS, 2nd edition, pp. 225-227.

    The key point is that what most developers seem to think of as "the NT API" is really the Win32 API. Win32 is not the NT API. Win32 is a portable programming interface supported by a number of platforms, only one of which is Windows NT. Win32 executables also run on Windows 95, and on Win32s. Good examples of Win32 applications are WebSite and Mosaic for Windows.

    By now, it's generally realized that these are Win32 programs, not NT programs. But what then is the Windows NT API? It's what NT uses to implement higher-level APIs such as Win32. The NT API is documented to some extent in Microsoft's Windows NT Device Driver Kit (DDK), but much if not most of the native NT API is -- surprise! -- undocumented.

    If you have the Win32 software development kit (SDK) from Microsoft, you can examine the NT kernel with the DUMPBIN or LINK /DUMPBIN commands. For example:

    C:\MSVC32\BIN>link /dumpbin /exports \winnt35\system32\ntoskrnl.exe 
    
    Microsoft (R) COFF Binary File Dumper Version 1.00
    Copyright (C) Microsoft Corp 1992-93. All rights reserved.
    ...
    Section contains the following Exports for ntoskrnl.exe
    ...
    ordinal hint   name
         1B    0   CcCanIWrite  (000372a0)
         1C    1   CcCopyRead  (000372d0)
         1D    2   CcCopyWrite  (000372bc)
    ...
          1   25   ExAcquireFastMutexUnsafe  (0000a6da)
         40   26   ExAcquireResourceExclusive  (0000aaa2)
         41   27   ExAcquireResourceExclusiveLite  (0000ad58)
    ...
         77   69   FsRtlAddLargeMcbEntry  (0003cabc)
         78   6A   FsRtlAddMcbEntry  (0004ac24)
         79   6B   FsRtlAllocatePool  (0003cb6c)
    ...
         BF   B1   HalDispatchTable  (000103a8)
         C0   B2   HalPrivateDispatchTable  (0000fbde)
          E   B3   InterlockedDecrement  (0004dd78)
          F   B4   InterlockedExchange  (0000eb7a)
         10   B5   InterlockedIncrement  (0000e2bc)
         C1   B6   IoAcquireCancelSpinLock  (0000ef74)
         C2   B7   IoAcquireVpbSpinLock  (0004d5e8)
         C3   B8   IoAdapterObjectType  (0000e518)
    ...
        123  11A   Ke386CallBios  (00052bd6)
        124  11B   Ke386IoSetAccessProcess  (00014eb0)
        125  11C   Ke386QueryIoAccessMap  (00015008)
        126  11D   Ke386SetIoAccessMap  (0004381c)
        127  11E   KeAcquireSpinLockAtDpcLevel  (000436f0)
        128  11F   KeAddSystemServiceTable  (0003dcd8)
        129  120   KeAttachProcess  (0003dcf4)
        12A  121   KeBugCheck  (00016e20)
        12B  122   KeBugCheckEx  (0005e492)
    ...
        182  179   KeWaitForMutexObject  (00017eca)
        183  17A   KeWaitForSingleObject  (0003bcf0)
         13  17B   KefAcquireSpinLockAtDpcLevel  (0001aba8)
         14  17C   KefReleaseSpinLockFromDpcLevel  (000448a0)
         19  17D   Kei386EoiHelper  (0003bab0)
         15  17E   KiAcquireSpinLock  (0003b970)
        184  17F   KiCoprocessorError  (0001ad74)
        185  180   KiDeliverApc  (0001898e)
    ...
        189  187   LdrAccessResource  (0003bf9a)
        18A  188   LdrEnumResources  (0006b8b2)
        18B  189   LdrFindResource_U  (0006bf0c)
    ...
        18C  18A   LpcRequestPort  (0006b9f0)
        18D  18B   LsaCallAuthenticationPackage  (0005f610)
        18E  18C   LsaDeregisterLogonProcess  (00033d76)
        18F  18D   LsaFreeReturnBuffer  (00033df6)
        190  18E   LsaLogonUser  (00033ad0)
        191  18F   LsaLookupAuthenticationPackage  (00033c99)
        192  190   LsaRegisterLogonProcess  (00033c09)
        193  191   MmAdjustWorkingSetSize  (00033af7)
        194  192   MmAllocateContiguousMemory  (00046c88)
        195  193   MmAllocateNonCachedMemory  (0001fadc)
    ...
        1C1  1BF   NtAdjustPrivilegesToken  (000410f8)
        1C2  1C0   NtAllocateLocallyUniqueId  (00080868)
        1C3  1C1   NtAllocateUuids  (0004b0c4)
    ...
        1EB  1E9   ObCreateObject  (00059c9c)
        1EC  1EA   ObDereferenceObject  (00077450)
        1ED  1EB   ObGetObjectPointerCount  (00030734)
    ...
        1F8  1F7   PoQueryPowerSequence  (00031a20)
        1F9  1F8   PoRegisterDeviceForIdleDetection  (00031a26)
        1FA  1F9   PoRequestPowerChange  (00031a2a)
        1FB  1FA   ProbeForWrite  (0004b62a)
        1FC  1FB   PsChargePoolQuota  (00031cde)
        1FD  1FC   PsCreateSystemProcess  (0007cb7c)
        1FE  1FD   PsCreateSystemThread  (0007c46a)
    ...
        214  213   RtlAbsoluteToSelfRelativeSD  (0006f302)
        215  214   RtlAddAccessAllowedAce  (0006f64e)
        216  215   RtlAddAce  (0006f514)
    ...
        2BE  2BD   SeAccessCheck  (00083020)
        2BF  2BE   SeAppendPrivileges  (000834d4)
        2C0  2BF   SeAssignSecurity  (000835e0)
    ...
        2E1  2E0   ZwAccessCheckAndAuditAlarm  (0001b128)
        2E2  2E1   ZwAlertThread  (0001b168)
        2E3  2E2   ZwAllocateVirtualMemory  (0001b198)
    
    These functions are examples of the NT API.

    In the output from LINK /DUMPBIN shown above, it's worth noting the banner:

    Microsoft (R) COFF Binary File Dumper Version 1.00
    
    COFF is the Common Object File Format, the formal definition for the structure of machine-code files in UNIX System V. The executable file format for Win32, called Portable Executable (PE), is based directly on COFF. See the book Understanding and Using COFF from O'Reilly & Associates.
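To show what DUMPBIN /EXPORTS is actually reading when it prints a table like the one above, here is an added example (my own code, not from this page or from Microsoft's tools) that walks a PE image's COFF headers to the export directory and recovers the same ordinal/hint/name/RVA tuples. The sample image is constructed inside the block from three entries of the ntoskrnl.exe listing above, since a real kernel binary cannot be embedded here; `build_sample_pe` and `demo` are fixture helpers I wrote for that purpose.

```python
import struct
def _rva_to_off(sections, rva):
    # Translate an RVA to a file offset through the section table entries (va, raw_size, raw_ptr).
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return raw_ptr + rva - va
    raise ValueError("RVA %#x is not backed by any section" % rva)

def list_exports(data):
    """Walk a PE image's export directory; returns [(ordinal, hint, name, rva)] as DUMPBIN /EXPORTS prints."""
    if data[:2] != b"MZ": raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                        # e_lfanew -> "PE\0\0"
    if data[pe:pe + 4] != b"PE\0\0": raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                                       # optional header follows the COFF header
    pe32 = struct.unpack_from("<H", data, opt)[0] == 0x10B              # magic: 0x10b PE32, 0x20b PE32+
    exp_rva = struct.unpack_from("<I", data, opt + (96 if pe32 else 112))[0]   # data directory 0 = exports
    sections = [struct.unpack_from("<III", data, opt + opt_size + 40 * i + 12) for i in range(nsec)]
    base, nfunc, nnames, afunc, anames, aords = struct.unpack_from("<6I", data, _rva_to_off(sections, exp_rva) + 16)
    funcs = struct.unpack_from("<%dI" % nfunc, data, _rva_to_off(sections, afunc))   # indexed by ordinal - base
    names = struct.unpack_from("<%dI" % nnames, data, _rva_to_off(sections, anames))
    ords = struct.unpack_from("<%dH" % nnames, data, _rva_to_off(sections, aords))
    out = []
    for hint, (name_rva, idx) in enumerate(zip(names, ords)):          # hint = position in the sorted name table
        off = _rva_to_off(sections, name_rva)
        out.append((base + idx, hint, data[off:data.index(b"\0", off)].decode("ascii"), funcs[idx]))
    return out

def build_sample_pe(exports, base, nfunc):
    """Constructed fixture: a minimal PE32 with one .edata section (not a real Microsoft binary)."""
    sec_rva, sec_off, names, funcs = 0x1000, 0x200, sorted(exports), [0] * nfunc
    for idx, rva in exports.values(): funcs[idx] = rva                  # slot = ordinal - base
    funcs_rva = sec_rva + 40                                            # tables follow the 40-byte directory
    names_rva, ords_rva = funcs_rva + 4 * nfunc, funcs_rva + 4 * nfunc + 4 * len(names)
    name_rvas, strs = [], b""
    for n in names: name_rvas.append(ords_rva + 2 * len(names) + len(strs)); strs += n.encode() + b"\0"
    blob = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, base, nfunc, len(names), funcs_rva, names_rva, ords_rva)
    blob += struct.pack("<%dI" % nfunc, *funcs) + struct.pack("<%dI" % len(names), *name_rvas)
    blob += struct.pack("<%dH" % len(names), *[exports[n][0] for n in names]) + strs
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                    # DOS header, e_lfanew = 64
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)   # COFF header: i386, 1 section
    hdr += struct.pack("<H", 0x10B) + b"\0" * 94 + struct.pack("<II", sec_rva, len(blob)) + b"\0" * 120
    hdr += b".edata\0\0" + struct.pack("<IIIIIIHHI", len(blob), sec_rva, len(blob), sec_off, 0, 0, 0, 0, 0x40000040)
    return hdr.ljust(sec_off, b"\0") + blob

def demo():
    # Constructed sample modelled on the listing above: name -> (ordinal - base, RVA); DUMPBIN prints ordinals in hex
    sample = {"CcCanIWrite": (26, 0x372A0), "CcCopyRead": (27, 0x372D0), "ExAcquireFastMutexUnsafe": (0, 0xA6DA)}
    return list_exports(build_sample_pe(sample, base=1, nfunc=28))
```

Note that the name table is sorted and the hint is simply its index, while the ordinal comes from the separate ordinal table, which is why CcCanIWrite shows as ordinal 1B with hint 0 in the listing even though ExAcquireFastMutexUnsafe holds ordinal 1.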

    Two other O'Reilly books you might find useful:

    The O'Reilly Windows Center

    Unauthorized Windows 95 Update