Meaning of the function prefices

Hi,

I wanted to find out about the following function prefices to the function
names of NTOSKRNL.EXE and NTDLL.DLL exports:

Cc*, Cm*, Csr*, Dbg*, Etw*, Ex*, Fs*, Hal*, Inbv*, Io*, Kd*, Ke*, Ki*, Ldr*,
Lpc*, Lsa*, Mm*, Nls*, Nt*, Ob*, Pfx*, Po*, Ps*, Rtl*, (Rtlp*, Rtlx*,) Se*,
Wmi*, Vf*, Zw*

Of course I believe I know the meaning of some prefices already, but
nevertheless there are some completely unknown to me.
E.g. has Zw* a meaning at all? The difference in kernel mode is that Zw*
functions don’t care about the previous mode, so perhaps Z is for “Zero” and
“w” for some synonym of “check” (or something ;-)?!

Here’s what I believe I know:

Cc = Cache manager (???)
Csr = Client Server support functions(LPC; related: CSRSS.EXE)
Dbg = Debugger support functions
Etw = Extended tracing … support functions (???)
Ex = Executive
Fs = File system support functions
Hal = Hardware abstraction layer functions
Inbv = Something like: _In_itial _B_oot _V_ideo functions (???)
Io = I/O manager support functions
Kd = Kernel debugger support functions
Ki = Kernel interrupt support functions (???)
Ldr = PE image loader support functions
Lpc = LPC support functions
Lsa = Local security authority support functions
Mm = Memory manager support functions
Nls = Native language support functions
Ob = Object manager functions
Pfx = Name prefix support functions (???)
Po = Power management support functions
Ps = Process management support functions
Rtl = Runtime library functions
Rtlp = Private runtime library functions
Se = Security support functions
Wmi = Windows management instrumentation support functions
Vf = Verification (?) functions

So, if I am right on the above there are still these few left:
Cm, Ke, Nt, Rtlx, Zw

However, if I am mistaken about some of the above prefices, please correct me.
(Etw* was introduced with Windows 2003 Server)
Maybe “Ke/Ki” is Kernel _e_xternal and Kernel _i_nternal functions?

Oliver

PS: What for? Well, I am currently compiling a list of all the exports of
ntdll.dll and ntoskrnl.exe which contains currently only information about
the availability of the functions (KM/UM and OS), but will be extended with
function declarations soon (I hope) -> http://native.assarbad.net

The only mistake I’ve detected is that you keep saying prefices instead of
prefixes. I even checked the dictionary to make sure it’s incorrect. :slight_smile:
Also I think Etw = Event Tracing for Windows.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Oliver Schneider
Sent: Sunday, February 27, 2005 6:52 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Meaning of the function prefices

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@safend.com To unsubscribe
send a blank email to xxxxx@lists.osr.com

> The only mistake I’ve detected is that you keep saying prefices instead
> of prefixes. I even checked the dictionary to make sure it’s incorrect.
> :slight_smile:

You’re right. Checked it some minutes ago. I was misled by the fact that
the plural form of “index” is “indices” and consequently the plural form of
“prefix” should behave the same way.
But I have a good excuse at hand :wink: … I am not a native speaker *g*

> Also I think Etw = Event Tracing for Windows.

Sounds reasonable. I added it to my list.

Thanks. Some more additions, comments?

Oliver

May the source be with you, stranger :wink:

ICQ: #281645
URL: http://assarbad.net

> Thanks. Some more additions, comments?

You are correct that Ke/Ki is Kernel Internal and Kernel External.

I believe/suspect that Cm is probably Configuration Manager. I think this
was inherited from Win95 when they imported that ugly boatload of PnP
interfaces.

Loren

Vf - Driver verifier function
Nt - NT Native API
Zw - Zero Warranty??? (Native API equivalents for driver)

Calvin Guan Software Engineer
ATI Technologies Inc. www.ati.com


Calvin Guan wrote:

> Vf - Driver verifier function
> Nt - NT Native API
> Zw - Zero Warranty??? (Native API equivalents for driver)

The only explanation I’ve ever heard from a Microsoftie was that the Zw
prefix was chosen so that they would sort at the end of the list,
inconspicuously out of the way, since those are calls that driver
writers would presumably not use very often.

Not very satisfying, but it’s certainly the way an engineer would think.

I like the “Zero Warranty” explanation better. With any luck, we can
turn that into an urban legend that replaces the “end of the alphabet”
explanation.

Dekker’s “Developing Windows NT Device Drivers” has a chart with some of the common prefixes (Appendix A - Reference section - page 779). There are only a few listed so I typed them in below (some have been already listed in previous emails):

Ex = Executive
Hal = Hardware Abstraction Layer
Io = I/O System
Ke = Kernel
Ks = Kernel Streams
Mm = Memory management
Ob = Object Management
Po = Power Management
Ps = Process Subsystem
Rtl = General runtime library (would work in user mode)
Se = Security Subsystem
Zw = NT System Service

Sharon
----- Original Message -----
From: Tim Roberts
To: Windows System Software Devs Interest List
Sent: Wednesday, March 02, 2005 10:18 AM
Subject: Re: [ntdev] Meaning of the function prefices


> Cc = Cache manager (???)

Yes.

> Ki = Kernel interrupt support functions (???)

Just internal kernel stuff like KiSwapThread etc.

> Pfx = Name prefix support functions (???)

Yes, some kind of a container for strings.

> Cm, Ke, Nt, Rtlx, Zw

Cm - registry implementation, as also Hvpxxx.
Ke - exported functions of the dispatcher
Rtl - runtime library common functions like dealing with Unicode strings
Nt - syscall implementations
Zw - tiny pieces of code which call syscalls, thus re-entering the kernel.

In user mode NTDLL, Ntxxx and Zwxxx are synonyms, and are always tiny pieces of
code which call syscalls, thus entering the kernel.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
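
The prefix conventions discussed in this thread, applied to an export list (an added example, not code from any poster): it splits each name at its longest known prefix, case-sensitively so that `Rtlp*` and `RtlPrefix*` stay apart, and reports `Nt*`/`Zw*` exports that lack the twin the last reply says user-mode NTDLL provides. The prefix meanings are the ones proposed above, the export list is a constructed sample, and the function names are this example's own.

```python
from collections import defaultdict

# Prefix meanings as proposed in this thread; not an authoritative list.
PREFIXES = {
    "Cc": "Cache manager", "Cm": "Registry implementation",
    "Etw": "Event Tracing for Windows", "Ex": "Executive",
    "Io": "I/O system", "Ke": "Kernel", "Ki": "Internal kernel",
    "Mm": "Memory management", "Nt": "NT native API",
    "Ob": "Object management", "Rtl": "Runtime library",
    "Rtlp": "Private runtime library", "Zw": "NT system service",
}

# Constructed sample of export names; ZwCreateFile is left out on purpose
# so that the pairing check below has something to report.
SAMPLE = [
    "NtClose", "ZwClose", "NtCreateFile", "RtlInitUnicodeString",
    "RtlPrefixUnicodeString", "RtlpUnWaitCriticalSection",
    "KeInitializeSpinLock", "IoCreateDevice", "MmMapIoSpace",
    "ExAllocatePoolWithTag", "memcpy",
]

def split_prefix(name):
    """Return (prefix, rest) for the longest known prefix, else (None, name)."""
    for prefix in sorted(PREFIXES, key=len, reverse=True):
        rest = name[len(prefix):]
        # Case-sensitive match, and the remainder must start a new word:
        # RtlPrefixUnicodeString is Rtl + Prefix..., not Rtlp + refix...
        if name.startswith(prefix) and rest[:1].isupper():
            return prefix, rest
    return None, name

def group_by_prefix(names):
    """Map each prefix (None for unclassified names) to its exports."""
    groups = defaultdict(list)
    for name in names:
        groups[split_prefix(name)[0]].append(name)
    return dict(groups)

def unpaired_nt_zw(names):
    """Return Nt*/Zw* names whose twin under the other prefix is absent."""
    present = set(names)
    twins = {"Nt": "Zw", "Zw": "Nt"}
    missing = []
    for name in names:
        prefix, rest = split_prefix(name)
        if prefix in twins and twins[prefix] + rest not in present:
            missing.append(name)
    return sorted(missing)

if __name__ == "__main__":
    for prefix, members in group_by_prefix(SAMPLE).items():
        print(f"{prefix or '(none)'}: {PREFIXES.get(prefix, 'unclassified')}: {members}")
    print("Nt/Zw exports without a twin:", unpaired_nt_zw(SAMPLE))
```
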