win32k internals

Hi all,

I’m debugging win32k and I’d love to know two things about win32k, does
anyone know more about them here?

1. I guess
   NtUserCallOneParam/NtUserCallTwoParam/…/NtUserCallHwndParamLock are used
   for user32.dll -> win32k.sys calls, is that correct? Or where/when are they
   used?

e.g. WindowFromDC (in user32.dll) is implemented as: NtUserCallOneParam(
hdc, SPI__WINDOWFROMDC ), where SPI_* index points into apfnSimpleCall table

2. Most internal functions (e.g. xxxCreateThreadInfo) start by “xxx”
   prefix, are MS developers perverted? (as stated by Alex Ionescu) or what’s
   the secret of other prefixes “yyy-”, “zzz-”? I found in one Alex’s blog
   entry from '08: “I’ve also finally found out why Win32k functions are called
   “xxx” and “yyy”. Now I just need to find out about “zzz”. I’ll probably
   share this information in a later post”. However, no one has shared that
   information yet - is it something like Fermat’s Last Theorem that we won’t
   know the right answer for years?

Thanks,

Petr Kurtin

>2) Most internal functions (e.g. xxxCreateThreadInfo) start by “xxx” prefix, are MS developers

perverted? (as stated by Alex Ionescu) or what’s the secret of other prefixes “yyy-”, “zzz-”? I found in
one Alex’s blog entry from '08: "I’ve also finally found out why Win32k functions are called “xxx” and
“yyy”. Now I just need to find out about “zzz”

I think these functions are the same as in Windows 1.x in year 1985.

USER is a very conservative piece of code.

–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

the developers are not “perverted”. win32k is a massively complex piece of code, it has a ton of locking and calling rules for instance. So, to express some of those hierarichal rules, xxx yyy and zzz are used to express the calling “level” at which a function resides. you can call from xxx to yyy to zzz, but not the other direction. this helps in folks writing the code as well as those debugging it.

d

Doron, Maxim, thank you for the explainations.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@Microsoft.com
Sent: Friday, January 21, 2011 7:19 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] win32k internals

the developers are not “perverted”. win32k is a massively complex piece of
code, it has a ton of locking and calling rules for instance. So, to
express some of those hierarichal rules, xxx yyy and zzz are used to express
the calling “level” at which a function resides. you can call from xxx to
yyy to zzz, but not the other direction. this helps in folks writing the
code as well as those debugging it.

d

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

For years, I have told the completely apocryphal story of how the Zw prefix
came about. It was an all-day meeting to decide the various abbreviations
for the kernel component methods. They got prefixes like Io, Ob, Nt, Ke,
Ki, Mm, etc., but it was now 5pm and everyone was tired. “So what do we
call this class of functions?” and nobody wanted to say anything, they just
wanted to get out of that meeting and go home. “Hell, Zach Weinstein is
going to write that code, so let’s call it Zw!” said someone, and they
adjourned the meeting.

I’ve been in those kinds of meetings, I’ve run those kinds of meetings, and
I’ve made those kinds of decisions. One of our systems once had a module
called DICTOAN (“Dammit, I can’t think of a name!” And yes, I was tired,
and gave it that name, and wrote it).

It’s probably at least as credible as the actual reason. And it amuses
people, who at that point need some humor.
joe

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Friday, January 21, 2011 6:22 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] win32k internals

2. Most internal functions (e.g. xxxCreateThreadInfo) start by “xxx”
   prefix, are MS developers
   perverted? (as stated by Alex Ionescu) or what’s the secret of other
   prefixes “yyy-”, “zzz-”? I found in
   one Alex’s blog entry from '08: "I’ve also finally found out why Win32k
   functions are called “xxx” and
   “yyy”. Now I just need to find out about “zzz”

I think these functions are the same as in Windows 1.x in year 1985.

USER is a very conservative piece of code.

–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

–
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Cute story except I don’t think there was a Zack W. on the team

I thought the reason was because no component should ever be named Zw (due to english syntax/component naming), and so it was a prefix that was pretty guaranteed not to conflict with anything.

The perverted developers thing was just a joke. As Doron stated, it implies locking hierarchy. I believe “xxx” means the thread has been locked and “yyy” means the desktop has been locked. They also describe if parameter probing has been done yet, or not.

–
Best regards,
Alex Ionescu

An authentic story to follow up on Zw is how the name “AFD” came to be, or Bowser.

To answer question #1, I believe the NtUserCallXxxParamYyy APIs were designed to avoid the proliferation of thousands of system calls (there is a limit to how many system calls a given service table can handle)

–
Best regards,
Alex Ionescu

This is the reason I’ve been given by a couple of the original devs from NT, when I asked about this (separately). I admit I was disappointed, but that seems to be the real story.

Hmmmm… the way I understand THIS one, is that it’s intended to be an acronym that can mean many things. To program managers, it might mean"Address Family Decoder" – To the devs it was just “Another Fucking Driver”

I admit I don’t know the story about “Bowser” – I suspect just somebody’s sense of humor in place of “Browser”, but perhaps there’s more to it than that.

Peter
OSR

> called DICTOAN (“Dammit, I can’t think of a name!” And yes, I was tired,

and gave it that name, and wrote it).

I remember the C++ method name of ->PipeDreamInShadow (actually “in the background as low priority”), and also the name of “sisiduk” which served the same purpose as DICTOAN but was generated by random keyboard typing.

–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

> An authentic story to follow up on Zw is how the name “AFD” came to be, or Bowser.

“AFD” follows the Soviet-style secrecy pattern - the nuclear weapons industry in the USSR was called “Ministry of Middle Machinery”, and the missile industry as “Ministry of Common Machinery”.

There was also spud.sys, I think some part of IIS - Special Purpose Utility Driver. Yet another AFD

–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Larry Osterman discussed the origin of “bowser” in his blog:

http://blogs.msdn.com/b/larryosterman/archive/2006/03/14/551368.aspx

It started as a joke, but stuck because “browser.sys” confused the debugger.
I guess we can blame it on windbag (or more likely kd386).

-------- Original Message --------
Subject: Re: [ntdev] win32k internals
From: xxxxx@osr.com
To: Windows System Software Devs Interest List
Date: 1/30/2011 11:06 AM

> I admit I don’t know the story about “Bowser” – I suspect just somebody’s sense of humor in place of “Browser”, but perhaps there’s more to it than that.