Meaning of the function prefices

OSR_Community_User Member Posts: 110,217
Hi,

I wanted to find out about the following function prefices to the function
names of NTOSKRNL.EXE and NTDLL.DLL exports:

Cc*, Cm*, Csr*, Dbg*, Etw*, Ex*, Fs*, Hal*, Inbv*, Io*, Kd*, Ke*, Ki*, Ldr*,
Lpc*, Lsa*, Mm*, Nls*, Nt*, Ob*, Pfx*, Po*, Ps*, Rtl*, (Rtlp*, Rtlx*,) Se*,
Wmi*, Vf*, Zw*

Of course I believe I know the meaning of some prefices already, but
nevertheless there are some completely unknown to me.
E.g. has Zw* a meaning at all? The difference in kernel mode is that Zw*
functions don't care about the previous mode, so perhaps Z is for "Zero" and
"w" for some synonym of "check" (or something ;-)?!

Here's what I believe I know:
-----------------------------
Cc = Cache manager (???)
Csr = Client Server support functions(LPC; related: CSRSS.EXE)
Dbg = Debugger support functions
Etw = Extended tracing ... support functions (???)
Ex = Executive
Fs = File system support functions
Hal = Hardware abstraction layer functions
Inbv = Something like: _In_itial _B_oot _V_ideo functions (???)
Io = I/O manager support functions
Kd = Kernel debugger support functions
Ki = Kernel interrupt support functions (???)
Ldr = PE image loader support functions
Lpc = LPC support functions
Lsa = Local security authority support functions
Mm = Memory manager support functions
Nls = Native language support functions
Ob = Object manager functions
Pfx = Name prefix support functions (???)
Po = Power management support functions
Ps = Process management support functions
Rtl = Runtime library functions
Rtlp = Private runtime library functions
Se = Security support functions
Wmi = Windows management instrumentation support functions
Vf = Verification (?) functions

So, if I am right on the above there are still these few left:
Cm, Ke, Nt, Rtlx, Zw

However, if I am mistaken about some of the above prefices, please correct me.
(Etw* was introduced with Windows 2003 Server)
Maybe "Ke/Ki" is Kernel _e_xternal and Kernel _i_nternal functions?

Oliver

PS: What for? Well, I am currently compiling a list of all the exports of
ntdll.dll and ntoskrnl.exe which contains currently only information about
the availability of the functions (KM/UM and OS), but will be extended with
function declarations soon (I hope) -> http://native.assarbad.net

Comments

  • OSR_Community_User Member Posts: 110,217
    The only mistake I've detected is that you keep saying prefices instead of
    prefixes. I even checked the dictionary to make sure it's incorrect. :)
    Also I think Etw = Event Tracing for Windows.

  • OSR_Community_User Member Posts: 110,217
    > The only mistake I've detected is that you keep saying prefices instead
    > of prefixes. I even checked the dictionary to make sure it's incorrect.
    > :)
    You're right. Checked it some minutes ago. I was misled by the fact that
    the plural form of "index" is "indices" and consequently the plural form of
    "prefix" should behave the same way.
    But I have a good excuse at hand ;) ... I am not a native speaker *g*

    > Also I think Etw = Event Tracing for Windows.
    Sounds reasonable. I added it to my list.

    Thanks. Some more additions, comments?

    Oliver

    --
    ---------------------------------------------------
    May the source be with you, stranger ;)

    ICQ: #281645
    URL: http://assarbad.net
  • Loren_Wilton Member - All Emails Posts: 447
    > Thanks. Some more additions, comments?

    You are correct that Ke/Ki is Kernel Internal and Kernel External.

    I believe/suspect that Cm is probably Configuration Manager. I think this
    was inherited from Win95 when they imported that ugly boatload of PnP
    interfaces.

    Loren
  • OSR_Community_User Member Posts: 110,217
    Vf - Driver verifier function
    Nt - NT Native API
    Zw - Zero Warranty??? (Native API equivalents for driver)

    -
    Calvin Guan Software Engineer
    ATI Technologies Inc. www.ati.com

  • Tim_Roberts Member - All Emails Posts: 12,966
    Calvin Guan wrote:

    >Vf - Driver verifier function
    >Nt - NT Native API
    >Zw - Zero Warranty??? (Native API equivalents for driver)
    >
    >

    The only explanation I've ever heard from a Microsoftie was that the Zw
    prefix was chosen so that they would sort at the end of the list,
    inconspicuously out of the way, since those are calls that driver
    writers would presumably not use very often.

    Not very satisfying, but it's certainly the way an engineer would think.

    I like the "Zero Warranty" explanation better. With any luck, we can
    turn that into an urban legend that replaces the "end of the alphabet"
    explanation.

    --
    - Tim Roberts, xxxxx@probo.com
    Providenza & Boekelheide, Inc.

  • Sharon_Drasnin Member Posts: 128
    Dekker's "Developing Windows NT Device Drivers" has a chart with some of the common prefixes (Appendix A - Reference section - page 779). There are only a few listed so I typed them in below (some have been already listed in previous emails):

    Ex = Executive
    Hal = Hardware Abstraction Layer
    Io = I/O System
    Ke = Kernel
    Ks = Kernel Streams
    Mm = Memory management
    Ob = Object Management
    Po = Power Management
    Ps = Process Subsystem
    Rtl = General runtime library (would work in user mode)
    Se = Security Subsystem
    Zw = NT System Service

    Sharon
  • Maxim_S._Shatskih Member Posts: 10,396
    > Cc = Cache manager (???)

    Yes.

    > Ki = Kernel interrupt support functions (???)

    Just internal kernel stuff like KiSwapThread etc.

    > Pfx = Name prefix support functions (???)

    Yes, some kind of a container for strings.

    > Cm, Ke, Nt, Rtlx, Zw

    Cm - registry implementation, as also Hvpxxx.
    Ke - exported functions of the dispatcher
    Rtl - runtime library common functions like dealing with Unicode strings
    Nt - syscall implementations
    Zw - tiny pieces of code which call syscalls, thus re-entering the kernel.

    In user mode NTDLL, Ntxxx and Zwxxx are synonyms, and are always tiny pieces of
    code which call syscalls, thus entering the kernel.

    Maxim Shatskih, Windows DDK MVP
    StorageCraft Corporation
    xxxxx@storagecraft.com
    http://www.storagecraft.com
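
Added illustration (not part of the thread and not Windows source): a toy user-space C model of the previous-mode point raised in the question and in the last reply, showing why a driver has to validate a user-supplied address itself before handing it to a Zw* call. Every function name, the status values and the 0x80000000 address split are assumptions made for the model.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy user-space model, not Windows source. Every name here is hypothetical. */
typedef enum { KernelMode, UserMode } MODE;
enum { STATUS_OK = 0, STATUS_DENIED = -1 };
#define USER_LIMIT 0x80000000u          /* constructed user/kernel split */
static MODE previous_mode = UserMode;   /* per-thread state in a real kernel */

/* Stand-in for a probe: is [addr, addr+len) entirely below USER_LIMIT? */
static int is_user_range(uint32_t addr, uint32_t len) {
    return addr < USER_LIMIT && len <= USER_LIMIT - addr;
}

/* "Nt" body: validates the caller's buffer only for user-mode requests. */
int model_nt_write(uint32_t addr, uint32_t len) {
    if (previous_mode == UserMode && !is_user_range(addr, len))
        return STATUS_DENIED;
    return STATUS_OK;                   /* the write would happen here */
}

/* "Zw" stub in kernel mode: re-enters with previous mode set to kernel. */
int model_zw_write(uint32_t addr, uint32_t len) {
    MODE saved = previous_mode;
    previous_mode = KernelMode;
    int status = model_nt_write(addr, len);
    previous_mode = saved;
    return status;
}

/* Driver handler that forwards a user-supplied address without checking. */
int driver_unchecked(uint32_t user_addr, uint32_t len) {
    return model_zw_write(user_addr, len);
}

/* Same handler, validating the address itself before calling the Zw stub. */
int driver_checked(uint32_t user_addr, uint32_t len) {
    if (!is_user_range(user_addr, len))
        return STATUS_DENIED;
    return model_zw_write(user_addr, len);
}

int main(void) {
    uint32_t bad = 0x80001000u;         /* constructed kernel-range address */
    printf("direct Nt call from user mode: %d\n", model_nt_write(bad, 16));
    printf("driver, unchecked, via Zw:     %d\n", driver_unchecked(bad, 16));
    printf("driver, checked, via Zw:       %d\n", driver_checked(bad, 16));
    return 0;
}
```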