Difference between Nt and Zw

Hey guys,

This probably is a stupid question, but what is the difference between
the ZwxXxx functions and the NtxXxx … specifically, the NtConnectPort
and the ZwConnectPort.

Chris Sosa

Take a look at http://www.osronline.com/article.cfm?article=257. Of
course, since the calls you are specifying are undocumented (and documented
poorly in the places that describe them), one could suggest you consider a
different approach.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

“Chris Sosa” wrote in message news:xxxxx@ntfsd…
> Hey guys,
>
> This probably is a stupid question, but what is the difference between
> the ZwxXxx functions and the NtxXxx … specifically, the NtConnectPort
> and the ZwConnectPort.
>
> Chris Sosa
>

Did you search the NT Insider issues on the osronline.com site? Question
has been asked and answered.


David J. Craig
Engineer, Sr. Staff Software Systems
Broadcom Corporation

“Chris Sosa” wrote in message news:xxxxx@ntfsd…
> Hey guys,
>
> This probably is a stupid question, but what is the difference between the
> ZwxXxx functions and the NtxXxx … specifically, the NtConnectPort and
> the ZwConnectPort.
>
> Chris Sosa
>

> what is the difference between the ZwxXxx functions and the NtxXxx

It depends on whether you are speaking about ntoskrnl.exe’s exports or ntdll.dll’s ones.
In latter case there is no difference whatsoever. In former case Ntxxx services are called directly,
but Zwxxx calls go via the system service dispatcher, which updates target thread’s PreviousMode in ETHREAD. On calls to some certain services this step is very important (if PreviousMode is UserMode, some services may fail calls that pass them pointers above 0x80000000), although some services don’t seem to care. Therefore, if both Ntxxx and Zwxxx versions are available, it is better to call Zwxxx routines from your driver, just to make sure that parameters will pass validation check.

> … specifically, the NtConnectPort and the ZwConnectPort.

These routines are completely undocumented. Therefore, it is better to avoid calling them if possible, especially taking into consideration the fact that these routines are normally, softly speaking, “of rather limited usefulness” for drivers - to be honest, I just cannot imagine the scenario when calling these routines is objective necessity…

Anton Bassov

Also note a goodly number of the ntdll ‘Zw’ variant exports have gone
missing in longhorn betas. The ‘Nt’ variants are still exported, which is
just confusing since it is generally better practice to use the Zw variant
in driver code, but now it is generally required to use the Nt variant in
user code. I’m sure this sounded like a good idea someplace…

t.

On Thu, 5 Jul 2007, xxxxx@hotmail.com wrote:

> > what is the difference between the ZwxXxx functions and the NtxXxx
>
> It depends on whether you are speaking about ntoskrnl.exe’s exports or ntdll.dll’s ones.
> In latter case there is no difference whatsoever. In former case Ntxxx services are called directly,
> but Zwxxx calls go via the system service dispatcher, which updates target thread’s PreviousMode in ETHREAD. On calls to some certain services this step is very important (if PreviousMode is UserMode, some services may fail calls that pass them pointers above 0x80000000), although some services don’t seem to care. Therefore, if both Ntxxx and Zwxxx versions are available, it is better to call Zwxxx routines from your driver, just to make sure that parameters will pass validation check.
>
> > … specifically, the NtConnectPort and the ZwConnectPort.
>
> These routines are completely undocumented. Therefore, it is better to avoid calling them if possible, especially taking into consideration the fact that these routines are normally, softly speaking, “of rather limited usefulness” for drivers - to be honest, I just cannot imagine the scenario when calling these routines is objective necessity…
>
> Anton Bassov



> now it is generally required to use the Nt variant in user code.

Actually, we are not supposed to use either Zwxxx or Ntxxx routines in the user mode anyway…

Anton Bassov

No difference in user mode (NTDLL exports).

In kernel mode (NTOSKRNL exports), NtXxx are syscall implementation bodies,
while ZwXxx are the small trampolines doing a kernel syscall via int 2e or
sysenter.

Calling ZwXxx from your kernel mode code will result in calling NtXxx with
ExGetPreviousMode() == KernelMode, which is correct.

Calling NtXxx from your kernel mode code will result in ExGetPreviousMode()
== your current previous mode, which is wrong if the current previous mode is
UserMode, and the pointer validation code within NtXxx will fail the syscall.

So, use ZwXxx.

I think that this concept of “kernel syscalls” is also present in Linux.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

“Chris Sosa” wrote in message news:xxxxx@ntfsd…
> Hey guys,
>
> This probably is a stupid question, but what is the difference between
> the ZwxXxx functions and the NtxXxx … specifically, the NtConnectPort
> and the ZwConnectPort.
>
> Chris Sosa
>
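
Added example, not part of the thread or any poster's code: a user-space C model of the PreviousMode behaviour described in the replies above. The types, the names NtModelService/ZwModelService, and the sample addresses are constructed for illustration; the 0x80000000 limit is the 32-bit figure quoted earlier in the thread.

```c
#include <stdint.h>

/* Toy model only: names mirror the thread, values are constructed. */
typedef enum { KernelMode = 0, UserMode = 1 } MODE;
typedef struct { MODE PreviousMode; } THREAD;   /* stands in for ETHREAD */

#define MODEL_USER_LIMIT        0x80000000u     /* 32-bit split cited in the thread */
#define STATUS_SUCCESS          0
#define STATUS_ACCESS_VIOLATION (-1)

/* NtXxx: the service body. It probes caller pointers only when the
   recorded previous mode says the request came from user mode. */
static int NtModelService(THREAD *t, uint32_t buffer_va)
{
    if (t->PreviousMode == UserMode && buffer_va >= MODEL_USER_LIMIT)
        return STATUS_ACCESS_VIOLATION;         /* kernel address, "user" caller */
    return STATUS_SUCCESS;
}

/* ZwXxx: goes through the dispatcher, which records KernelMode for the
   duration of the call and restores the old value afterwards. Nothing on
   this path probes buffer_va, so a driver must validate any user-supplied
   pointer itself before forwarding it. */
static int ZwModelService(THREAD *t, uint32_t buffer_va)
{
    MODE saved = t->PreviousMode;
    int status;
    t->PreviousMode = KernelMode;
    status = NtModelService(t, buffer_va);
    t->PreviousMode = saved;
    return status;
}

/* Ordinary user-mode request with a user-space buffer: probe passes. */
int user_request(void)
{
    THREAD t = { UserMode };
    return NtModelService(&t, 0x00401000u);
}

/* Driver running in a user thread's context, passing its own kernel buffer. */
int driver_calls_nt(void)
{
    THREAD t = { UserMode };
    return NtModelService(&t, 0x8A001000u);     /* fails the probe */
}

int driver_calls_zw(void)
{
    THREAD t = { UserMode };
    return ZwModelService(&t, 0x8A001000u);     /* previous mode is KernelMode */
}
```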

> … ZwXxx are the small trampolines doing a kernel syscall via int 2e or sysenter.

Actually, they don’t issue either INT 0x2E or SYSENTER instructions - they just put service index in EAX, make EDX point to parameters, and transfer execution to the service dispatcher routine, i.e. INT 0x2E handler, with a CALL instruction…

> I think that this concept of “kernel syscalls” is also present in Linux.

Well, this concept has to be present on *any* OS that makes a distinction between privileged and non-privileged code…

Anton Bassov