The key point is that what most developers seem to think of as "the NT API" is really the Win32 API. Win32 is not the NT API. Win32 is a portable programming interface supported by a number of platforms, only one of which is Windows NT. Win32 executables also run on Windows 95, and on Win32s. Good examples of Win32 applications are WebSite and Mosaic for Windows.
By now, it's generally realized that these are Win32 programs, not NT programs. But what then is the Windows NT API? It's what NT uses to implement higher-level APIs such as Win32. The NT API is documented to some extent in Microsoft's Windows NT Device Driver Kit (DDK), but much if not most of the native NT API is -- surprise! -- undocumented.
If you have the Win32 software development kit (SDK) from Microsoft, you can examine the NT kernel with the DUMPBIN or LINK /DUMPBIN commands. For example:
    C:\MSVC32\BIN>link /dumpbin /exports \winnt35\system32\ntoskrnl.exe
    Microsoft (R) COFF Binary File Dumper Version 1.00
    Copyright (C) Microsoft Corp 1992-93. All rights reserved.
    ...
    Section contains the following Exports for ntoskrnl.exe
    ...
    ordinal hint   name
         1B    0   CcCanIWrite  (000372a0)
         1C    1   CcCopyRead  (000372d0)
         1D    2   CcCopyWrite  (000372bc)
    ...
          1   25   ExAcquireFastMutexUnsafe  (0000a6da)
         40   26   ExAcquireResourceExclusive  (0000aaa2)
         41   27   ExAcquireResourceExclusiveLite  (0000ad58)
    ...
         77   69   FsRtlAddLargeMcbEntry  (0003cabc)
         78   6A   FsRtlAddMcbEntry  (0004ac24)
         79   6B   FsRtlAllocatePool  (0003cb6c)
    ...
         BF   B1   HalDispatchTable  (000103a8)
         C0   B2   HalPrivateDispatchTable  (0000fbde)
          E   B3   InterlockedDecrement  (0004dd78)
          F   B4   InterlockedExchange  (0000eb7a)
         10   B5   InterlockedIncrement  (0000e2bc)
         C1   B6   IoAcquireCancelSpinLock  (0000ef74)
         C2   B7   IoAcquireVpbSpinLock  (0004d5e8)
         C3   B8   IoAdapterObjectType  (0000e518)
    ...
        123  11A   Ke386CallBios  (00052bd6)
        124  11B   Ke386IoSetAccessProcess  (00014eb0)
        125  11C   Ke386QueryIoAccessMap  (00015008)
        126  11D   Ke386SetIoAccessMap  (0004381c)
        127  11E   KeAcquireSpinLockAtDpcLevel  (000436f0)
        128  11F   KeAddSystemServiceTable  (0003dcd8)
        129  120   KeAttachProcess  (0003dcf4)
        12A  121   KeBugCheck  (00016e20)
        12B  122   KeBugCheckEx  (0005e492)
    ...
        182  179   KeWaitForMutexObject  (00017eca)
        183  17A   KeWaitForSingleObject  (0003bcf0)
         13  17B   KefAcquireSpinLockAtDpcLevel  (0001aba8)
         14  17C   KefReleaseSpinLockFromDpcLevel  (000448a0)
         19  17D   Kei386EoiHelper  (0003bab0)
         15  17E   KiAcquireSpinLock  (0003b970)
        184  17F   KiCoprocessorError  (0001ad74)
        185  180   KiDeliverApc  (0001898e)
    ...
        189  187   LdrAccessResource  (0003bf9a)
        18A  188   LdrEnumResources  (0006b8b2)
        18B  189   LdrFindResource_U  (0006bf0c)
    ...
        18C  18A   LpcRequestPort  (0006b9f0)
        18D  18B   LsaCallAuthenticationPackage  (0005f610)
        18E  18C   LsaDeregisterLogonProcess  (00033d76)
        18F  18D   LsaFreeReturnBuffer  (00033df6)
        190  18E   LsaLogonUser  (00033ad0)
        191  18F   LsaLookupAuthenticationPackage  (00033c99)
        192  190   LsaRegisterLogonProcess  (00033c09)
        193  191   MmAdjustWorkingSetSize  (00033af7)
        194  192   MmAllocateContiguousMemory  (00046c88)
        195  193   MmAllocateNonCachedMemory  (0001fadc)
    ...
        1C1  1BF   NtAdjustPrivilegesToken  (000410f8)
        1C2  1C0   NtAllocateLocallyUniqueId  (00080868)
        1C3  1C1   NtAllocateUuids  (0004b0c4)
    ...
        1EB  1E9   ObCreateObject  (00059c9c)
        1EC  1EA   ObDereferenceObject  (00077450)
        1ED  1EB   ObGetObjectPointerCount  (00030734)
    ...
        1F8  1F7   PoQueryPowerSequence  (00031a20)
        1F9  1F8   PoRegisterDeviceForIdleDetection  (00031a26)
        1FA  1F9   PoRequestPowerChange  (00031a2a)
        1FB  1FA   ProbeForWrite  (0004b62a)
        1FC  1FB   PsChargePoolQuota  (00031cde)
        1FD  1FC   PsCreateSystemProcess  (0007cb7c)
        1FE  1FD   PsCreateSystemThread  (0007c46a)
    ...
        214  213   RtlAbsoluteToSelfRelativeSD  (0006f302)
        215  214   RtlAddAccessAllowedAce  (0006f64e)
        216  215   RtlAddAce  (0006f514)
    ...
        2BE  2BD   SeAccessCheck  (00083020)
        2BF  2BE   SeAppendPrivileges  (000834d4)
        2C0  2BF   SeAssignSecurity  (000835e0)
    ...
        2E1  2E0   ZwAccessCheckAndAuditAlarm  (0001b128)
        2E2  2E1   ZwAlertThread  (0001b168)
        2E3  2E2   ZwAllocateVirtualMemory  (0001b198)

These functions are examples of the NT API.
In the output from LINK /DUMPBIN shown above, it's worth noting the banner:
    Microsoft (R) COFF Binary File Dumper Version 1.00

COFF is the Common Object File Format, the formal definition for the structure of machine-code files in UNIX System V. The executable file format for Win32, called Portable Executable (PE), is based directly on COFF. See the book Understanding and Using COFF from O'Reilly & Associates.
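To make the PE/COFF relationship concrete, here is an added example (not code from the original article) that locates the COFF file header and COFF section table inside a PE image and bounds-checks every offset it reads from the file. The function names parse_pe_coff and build_sample are hypothetical, and the input is a constructed, minimal PE-shaped byte string rather than a real executable.

```python
import struct

# Both layouts come from COFF; PE places them after a DOS stub and "PE\0\0".
COFF_HEADER = struct.Struct("<HHIIIHH")          # 20-byte COFF file header
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # 40-byte COFF section header
MACHINES = {0x014C: "i386"}                      # only the value used below

def parse_pe_coff(data):
    """Return COFF header fields and section names from a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ (DOS) header")
    # e_lfanew at offset 0x3C points to the PE signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    if len(data) < coff_off + COFF_HEADER.size:
        raise ValueError("truncated COFF header")
    (machine, nsect, _stamp, _symptr, _nsyms,
     opt_size, flags) = COFF_HEADER.unpack_from(data, coff_off)
    # Header fields are untrusted: bounds-check before walking the table.
    sect_off = coff_off + COFF_HEADER.size + opt_size
    if len(data) < sect_off + nsect * SECTION_HEADER.size:
        raise ValueError("truncated section table")
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, *_ = SECTION_HEADER.unpack_from(
            data, sect_off + i * SECTION_HEADER.size)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, vaddr, vsize))
    return {"machine": MACHINES.get(machine, hex(machine)),
            "characteristics": flags, "sections": sections}

def build_sample():
    """Constructed, minimal PE-shaped byte string (not a real executable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = COFF_HEADER.pack(0x014C, 2, 0, 0, 0, 0xE0, 0x0102)
    optional = bytes(0xE0)  # zero-filled placeholder for the optional header
    text = SECTION_HEADER.pack(b".text", 0x1000, 0x1000, 0x200, 0x400,
                               0, 0, 0, 0, 0x60000020)
    edata = SECTION_HEADER.pack(b".edata", 0x200, 0x2000, 0x200, 0x600,
                                0, 0, 0, 0, 0x40000040)
    return bytes(dos) + b"PE\0\0" + coff + optional + text + edata

if __name__ == "__main__":
    print(parse_pe_coff(build_sample()))
```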
Two other O'Reilly books you might find useful: