Windows 7 kernel architecture changes - api-ms-win-core files

Okay, so each program has its own address space reserved only for that process, but what about the kernel space? The kernel is loaded into memory only once, and every program must use that single copy. This is why each process needs the appropriate pointers set up to do exactly that: the PDEs stored in the page directory of every process point to the same kernel page table.

If we would like to run our own code in kernel memory, we must first find a way to get the code into the kernel and keep it there. I hope I have made it clear that what can run in kernel mode is limited to the code that has been loaded in kernel mode; code from user mode is not allowed to execute with kernel privileges.

Image: opera. The DirBase element above is actually the value that gets stored in the CR3 register every time a context switch to a particular process occurs. That value is used as a pointer to the page directory that contains the PDEs.

The page directory table of the process opera.exe is stored at physical address 0xc. Because the 0x to 0x7FFFFFFF linear address range is used by the program and not the kernel, the program uses the first half of the PDE entries in its page directory, while the kernel uses the second half.

If PAE is disabled, each program has PDE entries; of them refer to user-space memory and the other refer to kernel-space memory. With the. To switch to the context of the iexplore. There was a warning message about forcedecodeuser not being enabled. The output from that command can be seen in the picture below. This time there was no error message and the context switch actually occurred.
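To make the user/kernel split of the page directory concrete, here is an added C model (not code from the original article) of two non-PAE x86 page directories. It assumes the architectural facts the passage relies on, a 4 KiB page directory of 1024 four-byte PDEs and the default 2 GB/2 GB split at 0x80000000, and uses constructed process names, DirBase values and page-table addresses; it shows that the 512 user-half PDEs differ per process while the 512 kernel-half PDEs are identical because they reference the one shared set of kernel page tables.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* x86 32-bit paging without PAE: the page directory is a single 4 KiB page of
   1024 four-byte entries, and each entry maps 4 MiB of linear address space.
   With the default 2/2 split, linear 0x00000000-0x7FFFFFFF belongs to the
   process and 0x80000000-0xFFFFFFFF to the kernel. */
#define PDE_COUNT   1024u
#define USER_LIMIT  0x80000000u
#define PDE_PRESENT 0x1u

/* Bits 31..22 of a linear address select the page-directory entry. */
static uint32_t pde_index(uint32_t linear)   { return linear >> 22; }
/* Bits 21..12 select the entry inside the page table that PDE points at. */
static uint32_t pte_index(uint32_t linear)   { return (linear >> 12) & 0x3FFu; }
/* Bits 11..0 are the byte offset within the 4 KiB page. */
static uint32_t page_offset(uint32_t linear) { return linear & 0xFFFu; }
/* Anything at or above 0x80000000 is resolved through the kernel half. */
static bool is_kernel_address(uint32_t linear) { return linear >= USER_LIMIT; }

/* Constructed model of one process's page directory, i.e. the page that CR3
   (DirBase) points at. Each PDE is a page-table physical address plus flags. */
typedef struct {
    uint32_t dirbase;             /* physical address loaded into CR3 */
    uint32_t pde[PDE_COUNT];
} page_directory_t;

/* Fill a directory: PDEs 0..511 point at process-private page tables laid out
   from private_tables_pa, PDEs 512..1023 point at the ONE set of kernel page
   tables at kernel_tables_pa that every process directory references.
   All physical addresses used here are constructed sample values. */
static void build_directory(page_directory_t *dir, uint32_t dirbase,
                            uint32_t private_tables_pa, uint32_t kernel_tables_pa)
{
    dir->dirbase = dirbase;
    for (uint32_t i = 0; i < PDE_COUNT; i++) {
        uint32_t table_pa = (i < PDE_COUNT / 2)
            ? private_tables_pa + i * 0x1000u
            : kernel_tables_pa + (i - PDE_COUNT / 2) * 0x1000u;
        dir->pde[i] = table_pa | PDE_PRESENT;
    }
}

/* Number of PDEs in [first, last) that are bit-for-bit identical in a and b. */
static uint32_t matching_entries(const page_directory_t *a,
                                 const page_directory_t *b,
                                 uint32_t first, uint32_t last)
{
    uint32_t n = 0;
    for (uint32_t i = first; i < last; i++)
        if (a->pde[i] == b->pde[i]) n++;
    return n;
}

/* Build directories for two sample processes (names and addresses are
   constructed) and count identical PDEs in the requested half. The kernel
   half matches completely, the user half not at all. */
static uint32_t sample_shared_entries(bool kernel_half)
{
    page_directory_t opera, iexplore;
    build_directory(&opera,    0x0C000000u, 0x10000000u, 0x00100000u);
    build_directory(&iexplore, 0x0D000000u, 0x20000000u, 0x00100000u);
    return kernel_half
        ? matching_entries(&opera, &iexplore, PDE_COUNT / 2, PDE_COUNT)
        : matching_entries(&opera, &iexplore, 0, PDE_COUNT / 2);
}

int main(void)
{
    /* Decompose a few linear addresses the way the MMU does. */
    uint32_t samples[] = { 0x00401000u, 0x7FFFFFFFu, 0x80000000u, 0x804D7ABCu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t va = samples[i];
        printf("%08X: PDE %4u  PTE %4u  offset %03X  -> %s half\n",
               va, pde_index(va), pte_index(va), page_offset(va),
               is_kernel_address(va) ? "kernel" : "user");
    }
    printf("user-half PDEs identical in both directories:   %u of %u\n",
           sample_shared_entries(false), PDE_COUNT / 2);
    printf("kernel-half PDEs identical in both directories: %u of %u\n",
           sample_shared_entries(true), PDE_COUNT / 2);
    return 0;
}
```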

All the loaded DLLs also have their paths displayed, which makes it very easy to find them on the hard drive. Longer lines are wrapped and continued on a second line.

There is quite a lot of information available in the picture above: the address of the process heap, the process parameters, the command line used to invoke the program, the path searched for DLLs, and so on. All the environment variables of this process are also shown, but only the first three are presented here for clarity.

The vmmon tool will then analyze the memory and present us with statistics about which memory is used for heap, stack, data, etc. This can be seen in the picture below.

Converts a buffered ANSI string to a Unicode string, given a pointer to the source-string buffer and the address of caller-supplied storage for a pointer to the destination buffer.

This routine allocates a destination buffer if the caller does not supply the storage. You can also use the string manipulation routines provided by a compiler to convert ANSI strings to Unicode.

Converts a buffered Unicode string to an ANSI string, given a pointer to the source-string buffer and the address of caller-supplied storage for a pointer to the destination buffer.
Concatenates a copy of a buffered Unicode string with a buffered Unicode string, given pointers to both buffers.
Concatenates a given input string with a buffered Unicode string, given a pointer to the buffer.
Copies the source string to the destination, given pointers to both buffers, or sets the length of the destination string (but not the length of the destination buffer) to zero if the optional pointer to the source-string buffer is NULL.
Compares two buffered, single-byte character strings and returns a signed value indicating whether they are equivalent or which is greater.
Compares two buffered Unicode strings and returns a signed value indicating whether they are equivalent or which is greater.
Converts a copy of a buffered Unicode string to uppercase and stores the copy in a destination buffer.
Converts an unsigned integer value in the specified base to one or more Unicode characters in a buffer.
RtlUnicodeStringToInteger converts the Unicode string representation of an integer into its integer equivalent.
Sets a variable of type LONG to a given value as an atomic operation; returns the original value of the variable.
Converts an unsigned integer value in the specified base to one or more Unicode characters in the given buffer.
Registers a callback routine with a previously created or opened callback object, so that the caller can be notified when the conditions defined for the callback routine occur.
Registers device functionality (a device interface) that a driver can enable for use by applications or other system components.
Sets the access allowed to a given file object representing a device.
Checks whether a request to open a file object specifies a desired access that is compatible with the current shared access permissions for the open file object.
Modifies the current shared access permissions on the given file object.
Restores the shared access permissions on the given file object that were modified by a preceding call to IoUpdateShareAccess.
Initializes a new security descriptor to an absolute format with default values in effect, that is, with no security constraints.
Builds a security descriptor for a new object, given the security descriptor of its parent directory (if any) and any originally requested security for the object.
Deallocates the memory associated with a security descriptor that was created with SeAssignSecurity.
Returns a Boolean value indicating whether the requested access rights can be granted to an object protected by a security descriptor and, possibly, a current owner.
Returns a Boolean value indicating whether the current thread has at least the given privilege level.
Allocates and initializes an error log packet; returns a pointer so the caller can supply error log data and call IoWriteErrorLogEntry with the packet.
Queues a previously allocated error log packet, filled in by the driver, to the system error logging thread.
A file system driver uses the associated device object to send a dialog box to the user; the user can then correct the error or retry the operation.
Causes a dialog box to be sent to the user indicating that the given IRP failed on the given device object for an optional VPB, so that the user can correct the error or retry the operation.
Raises an error status so that a caller-supplied structured exception handler is called. This routine is useful only to highest-level drivers that supply exception handlers, in particular to file systems.
Brings down the system in a controlled manner, displaying the bug-check code and possibly more information, after the caller discovers an unrecoverable inconsistency that will corrupt the system unless it is brought down.
After the system is brought down, this routine displays bug-check and possibly other information. This routine can be called when debugging under-development drivers.
Brings down the system in a controlled manner when the caller discovers an unrecoverable inconsistency that will corrupt the system if the caller continues to run. KeBugCheckEx is preferable.
Registers the device driver's bug-check callback routine, which is called if a system bug check occurs. Such a driver-supplied routine saves driver-determined state information, such as the contents of device registers, that would not otherwise be written into the system crash-dump file.
Removes a device driver's callback routine from the set of registered bug-check callback routines.

This enumeration is used in PsSetCreateThreadNotifyRoutineEx to register callback notifications associated with thread creation or deletion.

It might make more space available by adding containers to the log, or it might ask clients to move their log tails.
CmGetBoundTransaction The CmGetBoundTransaction routine returns a pointer to the transaction object that represents the transaction, if any, that is associated with a specified registry key object.
CmGetCallbackVersion The CmGetCallbackVersion routine retrieves the major and minor version numbers for the current version of the configuration manager's registry callback feature.

Use CmRegisterCallbackEx instead.
For a list of function codes, see Remarks.
ExAcquireRundownProtection The ExAcquireRundownProtection routine tries to acquire run-down protection on a shared object so the caller can safely access the object.
ExAcquireSharedStarveExclusive The ExAcquireSharedStarveExclusive routine acquires a given resource for shared access without waiting for any pending attempts to acquire exclusive access to the same resource.

ExAllocatePool allocates pool memory. It's exported only for existing driver binaries.
ExCreateCallback The ExCreateCallback routine either creates a new callback object or opens an existing callback object on behalf of the caller.
ExGetFirmwareType Returns the system firmware type.
ExInitializeFastMutex The ExInitializeFastMutex routine initializes a fast mutex variable, used to synchronize mutually exclusive access by a set of threads to a shared resource.

ExInitializePushLock Initializes a push lock variable.
ExInterlockedCompareExchange64 The ExInterlockedCompareExchange64 routine compares one integer variable to another and, if they are equal, sets the first variable to a caller-supplied value.
ExIsSoftBoot Determines whether the system has gone through a soft restart.
ExNotifyCallback The ExNotifyCallback routine causes all callback routines registered for the given object to be called.

ExReleasePushLockExclusive Releases a specified push lock for exclusive access owned by the current thread.
ExReleasePushLockShared Releases a specified push lock for shared access owned by the current thread.
ExRundownCompleted The ExRundownCompleted routine updates the run-down status of a shared object to indicate that the run down of the object has completed.

ExSetResourceOwnerPointerEx The ExSetResourceOwnerPointerEx routine transfers the ownership of an executive resource from the calling thread to an owner pointer, which is a system address that identifies the resource owner. Use this routine with extreme caution (see the following Remarks section).

ExUnregisterCallback The ExUnregisterCallback routine removes a callback routine previously registered with a callback object from the list of routines to be called during the notification process.

Triggers a bus scan at the parent of the FPGA device.
Enables or disables the access to the configuration space of the FPGA device.
Toggles the error reporting for the FPGA device and its parent bridge.

InterlockedAnd The InterlockedAnd miniport.
InterlockedAnd The InterlockedAnd wdm.
InterlockedCompareExchange The InterlockedCompareExchange routine performs an atomic operation that compares the input value pointed to by Destination with the value of Comparand.

InterlockedCompareExchange The InterlockedCompareExchange routine performs an atomic operation that compares the input value pointed to by Destination with the value of Comperand.

InterlockedCompareExchangePointer The InterlockedCompareExchangePointer routine performs an atomic operation that compares the input pointer value pointed to by Destination with the pointer value Comparand.

InterlockedCompareExchangePointer The InterlockedCompareExchangePointer routine performs an atomic operation that compares the input pointer value pointed to by Destination with the pointer value Comperand.

InterlockedDecrement The InterlockedDecrement function miniport.
InterlockedDecrement The InterlockedDecrement function wdm.
InterlockedExchange The InterlockedExchange function miniport.
InterlockedExchange The InterlockedExchange function wdm.
InterlockedIncrement The InterlockedIncrement function miniport.
InterlockedIncrement The InterlockedIncrement function wdm.
InterlockedOr The InterlockedOr function miniport.
InterlockedOr The InterlockedOr function wdm.
InterlockedXor The InterlockedXor function miniport.
InterlockedXor The InterlockedXor function wdm.
Don't use this function in your code.

IoAcquireRemoveLock The IoAcquireRemoveLock routine increments the count for a remove lock, indicating that the associated device object should not be detached from the device stack or deleted.

IoAllocateAdapterChannel Deprecated.
IoAllocateDriverObjectExtension The IoAllocateDriverObjectExtension routine allocates a per-driver context area, called a driver object extension, and assigns a unique identifier to it.
IoCreateController The IoCreateController routine allocates memory for and initializes a controller object with a controller extension of a driver-determined size.

IoCreateFile The IoCreateFile routine either causes a new file or directory to be created, or it opens an existing file, device, directory, or volume, giving the caller a handle for the file object.
IoCreateNotificationEvent The IoCreateNotificationEvent routine creates or opens a named notification event used to notify one or more threads of execution that an event has occurred.
IoCreateSynchronizationEvent The IoCreateSynchronizationEvent routine creates or opens a named synchronization event for use in serialization of access to hardware between two otherwise unrelated drivers.

IoDeleteController The IoDeleteController routine removes a given controller object from the system, for example, when the driver that created it is being unloaded.
IoDeleteDevice The IoDeleteDevice routine removes a device object from the system, for example, when the underlying device is removed from the system.
IoDetachDevice The IoDetachDevice routine releases an attachment between the caller's device object and a lower driver's device object.

IoDisconnectInterrupt The IoDisconnectInterrupt routine releases a device driver's set of interrupt objects when the device is paused or removed, or when the driver is being unloaded.
Sends an IRP to the driver associated with a specified device object.

IoGetDeviceDirectory Returns a handle to a directory on disk specific to the specified driver object where the driver can read and write files.
IoGetDeviceInterfaces The IoGetDeviceInterfaces routine returns a list of device interface instances of a particular device interface class (such as all devices on the system that support a HID interface).
IoGetDeviceObjectPointer The IoGetDeviceObjectPointer routine returns a pointer to the top object in the named device object's stack and a pointer to the corresponding file object, if the requested access to the objects can be granted.

IoGetDriverDirectory Returns a handle to a directory on disk from which the driver can read and write files. The files in that directory apply to a specific driver object.

IoGetInitiatorProcess The IoGetInitiatorProcess routine retrieves the process that initiated the creation of a file object, if different from the process that is issuing the create.

IoInvalidateDeviceRelations The IoInvalidateDeviceRelations routine notifies the PnP manager that the relations for a device (such as bus relations, ejection relations, removal relations, and the target device relation) have changed.
IoMakeAssociatedIrp This routine is reserved for use by file systems and file system filter drivers.
IoRegisterContainerNotification The IoRegisterContainerNotification routine registers a kernel-mode driver to receive notifications about a specified class of events.

IoRegisterDeviceInterface The IoRegisterDeviceInterface routine registers a device interface class, if it has not been previously registered, and creates a new instance of the interface class, which a driver can subsequently enable for use by applications or other system components.
IoRegisterDriverReinitialization The IoRegisterDriverReinitialization routine is called by a driver during its initialization or reinitialization to register its Reinitialize routine to be called again before the driver's (and possibly the system's) initialization is complete.

IoReportRootDevice allows only one device per driver to be created. This allows a driver to associate two related activity IDs without requiring a specific provider to be enabled.

For more information, see the following Remarks section.
The system executes this routine when the threaded DPC runs.
The CustomTimerDpc routine executes after a timer object's time interval expires.
KeBugCheck The KeBugCheck routine brings down the system in a controlled manner when the caller discovers an unrecoverable inconsistency that would corrupt the system if the caller continued to run.
KeBugCheckEx The KeBugCheckEx routine brings down the system in a controlled manner when the caller discovers an unrecoverable inconsistency that would corrupt the system if the caller continued to run.

KeDelayExecutionThread The KeDelayExecutionThread routine puts the current thread into an alertable or nonalertable wait state for a specified interval.
KeInitializeEvent The KeInitializeEvent routine initializes an event object as a synchronization (single waiter) or notification type event and sets it to a signaled or not-signaled state.

KeInitializeSemaphore The KeInitializeSemaphore routine initializes a semaphore object with a specified count and specifies an upper limit that the count can attain.
KeInsertDeviceQueue The KeInsertDeviceQueue routine acquires the spin lock for the specified device queue object and, if the device queue is set to a busy state, queues the specified entry.
KeMemoryBarrier The KeMemoryBarrier routine creates a barrier at its position in the code, across which the compiler and the processor cannot move any operations.

KePulseEvent The KePulseEvent routine atomically sets an event object to a signaled state, attempts to satisfy as many waits as possible, and then resets the event object to a not-signaled state.
KeQueryGroupAffinity The KeQueryGroupAffinity routine returns an affinity mask that identifies the active logical processors in a specified group in a multiprocessor system.
KeQueryInterruptTime The KeQueryInterruptTime routine returns the current value of the system interrupt time count, with accuracy to within system clock tick.

KeQueryLogicalProcessorRelationship The KeQueryLogicalProcessorRelationship routine gets information about the relationships of one or more processors to the other processors in a multiprocessor system.
KeQueryTickCount The KeQueryTickCount routine maintains a count of the interval timer interrupts that have occurred since the system was booted.
KeQueryTimeIncrement The KeQueryTimeIncrement routine returns the number of nanosecond units that are added to the system time each time the interval clock interrupts.

KeRegisterProcessorChangeCallback The KeRegisterProcessorChangeCallback routine registers a callback function with the operating system so that the operating system will notify the driver when a new processor is added to the hardware partition.

KeResetEvent The KeResetEvent routine resets a specified event object to a not-signaled state and returns the previous state of that event object.
KeSetCoalescableTimer The KeSetCoalescableTimer routine sets the initial expiration time and period of a timer object and specifies how much delay can be tolerated in the expiration times.
KeSetEvent The KeSetEvent routine sets an event object to a signaled state if the event was not already signaled, and returns the previous state of the event object.

KeSetTimer The KeSetTimer routine sets the absolute or relative interval at which a timer object is to be set to a signaled state and, optionally, supplies a CustomTimerDpc routine to be executed when that interval expires.

KeSetTimerEx The KeSetTimerEx routine sets the absolute or relative interval at which a timer object is to be set to a signaled state, optionally supplies a CustomTimerDpc routine to be executed when that interval expires, and optionally supplies a recurring interval for the timer.
KeSynchronizeExecution The KeSynchronizeExecution routine synchronizes the execution of the specified routine with the interrupt service routine (ISR) that is assigned to a set of one or more interrupt objects.

KeWaitForMultipleObjects The KeWaitForMultipleObjects routine puts the current thread into an alertable or nonalertable wait state until any or all of a number of dispatcher objects are set to a signaled state or, optionally, until the wait times out.
KeWaitForSingleObject The KeWaitForSingleObject routine puts the current thread into a wait state until the given dispatcher object is set to a signaled state or, optionally, until the wait times out.

MmAllocateContiguousMemory The MmAllocateContiguousMemory routine allocates a range of contiguous, nonpaged physical memory and maps it to the system address space.
MmCopyMemory The MmCopyMemory routine copies the specified range of virtual or physical memory into the caller-supplied buffer. Warning: We do not recommend using this function.

MmIsDriverVerifying The MmIsDriverVerifying routine indicates whether the kernel-mode driver that is identified by the specified driver object is being verified or calls a driver that is being verified by Driver Verifier.
MmLockPagableCodeSection The MmLockPagableCodeSection routine locks a section of driver code, containing a set of driver routines marked with a special compiler directive, into system space.

MmMapMdl This function maps physical pages described by a memory descriptor list (MDL) into the system virtual address space.
MmPageEntireDriver The MmPageEntireDriver routine causes all of a driver's code and data to be made pageable, overriding the attributes of the various sections that make up the driver's image.
MmSecureVirtualMemory The MmSecureVirtualMemory routine secures a user-space memory address range so that it cannot be freed and its protection type cannot be made more restrictive.

MmSecureVirtualMemoryEx This routine probes the requested address range and protects the specified address range from having its protection made more restrictive and from being deleted.
NtAllocateVirtualMemory The NtAllocateVirtualMemory routine reserves, commits, or both, a region of pages within the user-mode virtual address space of a specified process.
NtClose The NtClose routine in ntifs. NtClose is a generic routine that operates on any type of object.
NtCommitEnlistment The ZwCommitEnlistment routine initiates the commit operation for a specified enlistment's transaction.

Once the handle pointed to is no longer in use, the driver must close it.
NtCreateSectionEx Creates a section object.
NtDeviceIoControlFile This routine sends a control code directly to a specified device driver, causing the corresponding driver to perform the specified operation.

NtDuplicateToken The NtDuplicateToken function in creates a handle to a new access token that duplicates an existing token.

NtFreeVirtualMemory The NtFreeVirtualMemory routine releases, decommits, or both, a region of pages within the virtual address space of a specified process.
NtOpenProcessToken The NtOpenProcessToken routine opens the access token associated with a process, and returns a handle that can be used to access that token.
NtOpenThreadToken The NtOpenThreadToken routine opens the access token associated with a thread, and returns a handle that can be used to access that token.

NtPrepareEnlistment The ZwPrepareEnlistment routine initiates the prepare operation for a specified enlistment's transaction.
NtPrivilegeCheck The NtPrivilegeCheck routine determines whether a specified set of privileges is enabled in the subject's access token.

NtQueryDirectoryFile The NtQueryDirectoryFile routine returns various kinds of information about files in the directory specified by a given file handle.
If the call occurs in user mode, use the name NtQueryObject.
A security descriptor can be in absolute or self-relative form.
NtQueryVirtualMemory The NtQueryVirtualMemory routine determines the state, protection, and type of a region of pages in the virtual address space of the subject process.
NtQueryVolumeInformationFile This routine retrieves information about the volume associated with a given file, directory, storage device, or volume.

NtRecoverEnlistment The ZwRecoverEnlistment routine initiates a recovery operation for the transaction that is associated with a specified enlistment.
NtRecoverResourceManager The ZwRecoverResourceManager routine tries to recover the transaction that is associated with each enlistment of a specified resource manager object.
NtRecoverTransactionManager The ZwRecoverTransactionManager routine reconstructs the state of the transaction manager object (including all transactions, enlistments, and resource managers) from the recovery information that is in the log stream.

NtRollbackEnlistment The ZwRollbackEnlistment routine rolls back the transaction that is associated with a specified enlistment.
NtRollforwardTransactionManager The ZwRollforwardTransactionManager routine initiates recovery operations for all of the in-progress transactions that are assigned to a specified transaction manager.
The calling process must have access rights to set the information.

If the call is in user mode, use the name NtSetSecurityObject.
ObDereferenceObject The ObDereferenceObject routine decrements the given object's reference count and performs retention checks.
ObDereferenceObjectDeferDeleteWithTag The ObDereferenceObjectDeferDeleteWithTag routine decrements the reference count for the specified object, defers deletion of the object to avoid deadlocks, and writes a four-byte tag value to the object to support object reference tracing.

ObDereferenceObjectWithTag The ObDereferenceObjectWithTag routine decrements the reference count of the specified object, and writes a four-byte tag value to the object to support object reference tracing.
ObReferenceObjectByHandle The ObReferenceObjectByHandle routine provides access validation on the object handle, and, if access can be granted, returns the corresponding pointer to the object's body.

ObReferenceObjectWithTag The ObReferenceObjectWithTag routine increments the reference count of the specified object, and writes a four-byte tag value to the object to support object reference tracing.

ObRegisterCallbacks The ObRegisterCallbacks routine registers a list of callback routines for thread, process, and desktop handle operations.
Note: This routine is reserved for system use.
To enable power requests, create one power request object and use it for all calls.

The driver must delete the power request object before it deletes the device object.
PoFxSetComponentLatency The PoFxSetComponentLatency routine specifies the maximum latency that can be tolerated in the transition from the idle condition to the active condition in the specified component.

The power manager counts requests for each power request type.
ProbeForRead The ProbeForRead routine checks that a user-mode buffer actually resides in the user portion of the address space, and is correctly aligned.

ProbeForWrite The ProbeForWrite routine checks that a user-mode buffer actually resides in the user-mode portion of the address space, is writable, and is correctly aligned.
PsAllocSiloContextSlot This routine allocates a slot that can be used to insert, retrieve, and delete an object in all silos.
PsDereferenceSiloContext This routine decrements the reference count on the object.

PsGetCurrentSilo This routine returns the current silo for the calling thread. First the thread is checked to see if it has been attached to a silo. If not, then the thread is checked to see if it is in a silo. The call must be made in kernel mode.
PsGetEffectiveServerSilo This routine traverses the parent chain of the silo until it finds the effective server silo or host silo.
PsGetHostSilo This routine returns the host silo. The returned pointer is valid as long as the supplied Job object remains referenced.

PsGetParentSilo Retrieves the most immediate parent silo in the hierarchy for a given job object.
PsGetPermanentSiloContext This routine retrieves an object that was inserted in the silo without incrementing the reference count.
PsGetSiloContext This routine retrieves the silo context from the specified silo and slot.
PsGetSiloMonitorContextSlot This routine returns the silo context slot that was allocated by the monitor during the registration.

Use RtlGetVersion instead.
PsGetVersion returns caller-selected information about the current version of the NT-based operating system.
PsMakeSiloContextPermanent This routine makes the slot in a silo instance read-only, allowing the object in the slot to be retrieved without affecting the reference count on that object.
PsReferenceSiloContext This routine increments the reference count on the object.
PsRegisterSiloMonitor This routine registers a server silo monitor that can receive notifications about server silo events.

PsStartSiloMonitor This routine tries to start the server silo monitor.
PsTerminateServerSilo This routine terminates the specified silo.
PsUnregisterSiloMonitor This routine unregisters a server silo monitor.

RtlCompareMemory The RtlCompareMemory routine compares two blocks of memory and returns the number of bytes that match.
RtlCopyMemory The RtlCopyMemory routine copies the contents of a source memory block to a destination memory block.
RtlCopyMemoryNonTemporal This function copies from one buffer to another using non-temporal moves that do not pollute the cache.

On return, the security descriptor is initialized with no system ACL, no discretionary ACL, no owner, no primary group, and all control flags set to zero.
RtlDeleteRegistryValue The RtlDeleteRegistryValue routine removes the specified entry name and the associated values from the registry along the given relative path.
RtlEqualMemory The RtlEqualMemory routine compares two blocks of memory to determine whether the specified number of bytes are identical.

RtlExtendCorrelationVector This routine extends the supplied correlation vector. For a correlation vector of the form X.
RtlFillMemoryNonTemporal This function fills a block of memory with the specified fill value using non-temporal moves that do not pollute the cache.

RtlIncrementCorrelationVector Increments the specified correlation vector.
RtlInitStringEx does not alter the source string.
RtlIsZeroMemory This routine checks if a block of unaligned memory is all zero.

RtlMoveMemory The RtlMoveMemory routine copies the contents of a source memory block to a destination memory block, and supports overlapping source and destination memory blocks.
RtlNormalizeSecurityDescriptor Examines a security descriptor for ways to modify its layout.
RtlQueryRegistryValueWithFallback Retrieves a value entry for a registry key by using a primary handle; if the entry is not found, it uses the fallback handle.
The UTF-8 output is null-terminated only if the Unicode input string is.

RtlUpcaseUnicodeString The RtlUpcaseUnicodeString routine converts a copy of the source string to uppercase and writes the converted string in the destination buffer.
The Unicode output is null-terminated only if the UTF-8 input string is.
RtlValidateCorrelationVector Validates the specified correlation vector to check whether it conforms to the Correlation Vector Specification v2.
RtlVerifyVersionInfo The RtlVerifyVersionInfo routine compares a specified set of operating system version requirements to the corresponding attributes of the currently running version of the operating system.

RtlWriteRegistryValue The RtlWriteRegistryValue routine writes caller-supplied data into the registry along the specified relative path at the given value name.
SeAccessCheck The SeAccessCheck routine determines whether the requested access rights can be granted to an object protected by a security descriptor and an object owner.

SeAssignSecurity: The SeAssignSecurity routine builds a self-relative security descriptor for a new object, given the security descriptor of its parent directory and any originally requested security for the object.

TmCommitEnlistment: The TmCommitEnlistment routine initiates the commit operation for a specified enlistment's transaction.

TmPrepareEnlistment: The TmPrepareEnlistment routine initiates the prepare operation for a specified enlistment's transaction.

TmRecoverEnlistment: The TmRecoverEnlistment routine initiates a recovery operation for the transaction that is associated with a specified enlistment.

TmRecoverResourceManager: The TmRecoverResourceManager routine tries to recover the transaction that is associated with each enlistment of a specified resource manager object.

TmRecoverTransactionManager: The TmRecoverTransactionManager routine reconstructs the state of the transaction manager object, including all transactions, enlistments, and resource managers, from the recovery information that is in the log stream.

TmReferenceEnlistmentKey: The TmReferenceEnlistmentKey routine increments the reference count for the key of a specified enlistment object and retrieves the key.

ZwAllocateVirtualMemory: The ZwAllocateVirtualMemory routine reserves, commits, or both, a region of pages within the user-mode virtual address space of a specified process.

ZwClose: The ZwClose routine in wdm. ZwClose is a generic routine that operates on any type of object.

ZwCommitEnlistment: The ZwCommitEnlistment routine initiates the commit operation for a specified enlistment's transaction.

ZwCommitTransaction: The ZwCommitTransaction routine initiates a commit operation for a specified transaction.

ZwCreateEvent: The ZwCreateEvent routine creates an event object, sets the initial state of the event to the specified value, and opens a handle to the object with the specified desired access.

ZwCreateKeyTransacted: The ZwCreateKeyTransacted routine creates a new registry key or opens an existing one, and associates the key with a transaction.

ZwDeviceIoControlFile: This routine sends a control code directly to a specified device driver, causing the corresponding driver to perform the specified operation.

ZwDuplicateToken: The ZwDuplicateToken function creates a handle to a new access token that duplicates an existing token.

ZwFlushBuffersFile: The ZwFlushBuffersFile routine is called by a file system filter driver to send a flush request for the specified file to the file system.

ZwFlushVirtualMemory: The ZwFlushVirtualMemory routine flushes a range of virtual addresses within the virtual address space of a specified process which map to a data file back out to the data file if they have been modified.

ZwFreeVirtualMemory: The ZwFreeVirtualMemory routine releases, decommits, or both, a region of pages within the virtual address space of a specified process.

ZwFsControlFile: The ZwFsControlFile routine sends a control code directly to a specified file system or file system filter driver, causing the corresponding driver to perform the specified action.

ZwGetNotificationResourceManager: The ZwGetNotificationResourceManager routine retrieves the next transaction notification from a specified resource manager's notification queue.

ZwOpenEvent: The ZwOpenEvent routine opens a handle to an existing named event object with the specified desired access.

ZwOpenProcess: The ZwOpenProcess routine opens a handle to a process object and sets the access rights to this object.

ZwPrepareEnlistment: The ZwPrepareEnlistment routine initiates the prepare operation for a specified enlistment's transaction.

ZwQueryDirectoryFile: The ZwQueryDirectoryFile routine returns various kinds of information about files in the directory specified by a given file handle.

ZwQueryKey: The ZwQueryKey routine provides information about the class of a registry key, and the number and sizes of its subkeys.

ZwQueryVirtualMemory: The ZwQueryVirtualMemory routine determines the state, protection, and type of a region of pages within the virtual address space of the subject process.

All these filenames begin with the 'api-ms-win-core' prefix, followed by the name of the function category, for example api-ms-win-core-localregistry-l If you look closely at these files, you'll see that they are all very small, and that the functions in them don't do anything: they simply return a 'TRUE' value.

Just as an example, here is the assembly language content of the RegDeleteValueW function in api-ms-win-core-localregistry-l Moreover, if we look at the assembly language output of many API functions, we can see that they simply call their corresponding function in one of these api-ms-win-core DLLs.
