Meaning of the function prefices

The only mistake I’ve detected is that you keep saying prefices instead of
prefixes. I even checked the dictionary to make sure it’s incorrect. :-)
Also I think Etw = Event Tracing for Windows.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Oliver Schneider
Sent: Sunday, February 27, 2005 6:52 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Meaning of the function prefices

Hi,

I wanted to find out about the following function prefices to the function
names of NTOSKRNL.EXE and NTDLL.DLL exports:

Cc*, Cm*, Csr*, Dbg*, Etw*, Ex*, Fs*, Hal*, Inbv*, Io*, Kd*, Ke*, Ki*, Ldr*,
Lpc*, Lsa*, Mm*, Nls*, Nt*, Ob*, Pfx*, Po*, Ps*, Rtl*, (Rtlp*, Rtlx*,) Se*,
Wmi*, Vf*, Zw*

Of course I believe I know the meaning of some prefices already, but
nevertheless there are some that are completely unknown to me.
E.g., does Zw* have a meaning at all? The difference in kernel mode is that Zw*
functions don’t care about the previous mode, so perhaps Z is for “Zero” and
“w” for some synonym of “check” (or something ;-)?!

Here’s what I believe I know:

Cc = Cache manager (???)
Csr = Client Server support functions (LPC; related: CSRSS.EXE)
Dbg = Debugger support functions
Etw = Extended tracing … support functions (???)
Ex = Executive
Fs = File system support functions
Hal = Hardware abstraction layer functions
Inbv = Something like: _In_itial _B_oot _V_ideo functions (???)
Io = I/O manager support functions
Kd = Kernel debugger support functions
Ki = Kernel interrupt support functions (???)
Ldr = PE image loader support functions
Lpc = LPC support functions
Lsa = Local security authority support functions
Mm = Memory manager support functions
Nls = Native language support functions
Ob = Object manager functions
Pfx = Name prefix support functions (???)
Po = Power management support functions
Ps = Process management support functions
Rtl = Runtime library functions
Rtlp = Private runtime library functions
Se = Security support functions
Wmi = Windows management instrumentation support functions
Vf = Verification (?) functions

So, if I am right on the above there are still these few left:
Cm, Ke, Nt, Rtlx, Zw

However, if I am mistaken about some of the above prefices, please correct me.
(Etw* was introduced with Windows 2003 Server)
Maybe “Ke/Ki” is Kernel _e_xternal and Kernel _i_nternal functions?

Oliver

PS: What for? Well, I am currently compiling a list of all the exports of
ntdll.dll and ntoskrnl.exe, which currently contains only information about
the availability of the functions (KM/UM and OS), but will be extended with
function declarations soon (I hope) -> http://native.assarbad.net

