Geoff Chappell - Software Analyst
The table below lists all the NTDLL exports that were added for version 5.1. Some functions wait for a service pack. With Windows XP SP2, the otherwise orderly correlation with version numbers in all the rest of NTDLL’s history breaks down. Some functions added for Windows XP SP2 actually appear first (in chronological order) in the version 5.2 from the original Windows Server 2003. Others do not appear in version 5.2 until its first service pack. Curiously, some of these are documented as requiring Windows Vista.
Documentation status is conveyed by colour coding. NTDLL functions that actually are documented as exports from NTDLL are shown with no background colour. So too are the NTDLL implementations of documented functions from the C Run-Time Library. Functions that are documented in the Windows Driver Kit (WDK), typically as exports from the NT kernel for use by ring 0 software such as device drivers, but sometimes with non-specific talk of being callable from user mode, are lightly shaded blue. Documented functions that are known not to have been documented immediately they were introduced are a darker blue if the only known documentation is in the WDK, else pink. If the delayed documentation came specifically from its listing among the Settlement Program Interfaces in late 2002, then the function is less pink since Microsoft at least acknowledged that the documentation was late. A function is shaded grey if it seems not to be documented but is known to be the entire low-level implementation of some function in a higher-level DLL such as KERNEL32 or ADVAPI32. Identifying these is a work in progress. Functions that look to be completely undocumented are highlighted yellow. However, an undocumented function is shaded yellow, as semi-documented, if it is at least declared in one or another header file from the WDK or, exceptionally, the SDK. If you browse with scripting enabled, hovering over any text that has a background colour should produce a tooltip that explains the formatting.
| Function | Remarks |
|---|---|
| CsrCaptureMessageMultiUnicodeStringsInPlace | |
| CsrGetProcessId | |
| DbgPrintEx | |
| DbgQueryDebugFilterState | |
| DbgSetDebugFilterState | |
| DbgUiConvertStateChangeStructure | |
| DbgUiDebugActiveProcess | |
| DbgUiGetThreadDebugObject | |
| DbgUiIssueRemoteBreakin | |
| DbgUiRemoteBreakin | |
| DbgUiSetThreadDebugObject | |
| DbgUiStopDebugging | |
| KiFastSystemCall | begins from SP2; not in 5.2 before SP1; x86 only |
| KiFastSystemCallRet | begins from SP2; not in 5.2 before SP1; x86 only |
| KiIntSystemCall | begins SP2; not in 5.2 before SP1; x86 only |
| LdrAccessOutOfProcessResource | discontinued in 6.0 |
| LdrAddRefDll | |
| LdrCreateOutOfProcessImage | discontinued in 6.0 |
| LdrDestroyOutOfProcessImage | discontinued in 6.0 |
| LdrEnumerateLoadedModules | begins from SP1 |
| LdrFindCreateProcessManifest | discontinued in 6.0 |
| LdrFindResourceEx_U | |
| LdrGetDllHandleEx | |
| LdrHotPatchRoutine | begins from SP2 |
| LdrInitShimEngineDynamic | |
| LdrLockLoaderLock | |
| LdrSetAppCompatDllRedirectionCallback | |
| LdrSetDllManifestProber | |
| LdrUnlockLoaderLock | |
| NtAddBootEntry | |
| NtCompactKeys | |
| NtCompareTokens | undocumented until 2004-2006; not declared |
| NtCompressKey | |
| NtCreateDebugObject | |
| NtCreateJobSet | |
| NtCreateKeyedEvent | |
| NtCreateProcessEx | |
| NtDebugActiveProcess | |
| NtDebugContinue | |
| NtDeleteBootEntry | |
| NtEnumerateBootEntries | |
| NtEnumerateSystemEnvironmentValuesEx | |
| NtIsProcessInJob | |
| NtLockProductActivationKeys | |
| NtLockRegistryKey | |
| NtMakePermanentObject | |
| NtModifyBootEntry | |
| NtOpenKeyedEvent | |
| NtOpenProcessTokenEx | undocumented until 2008-2009 |
| NtOpenThreadTokenEx | undocumented until 2008-2009 |
| NtQueryBootEntryOrder | |
| NtQueryBootOptions | |
| NtQueryDebugFilterState | |
| NtQueryPortInformationProcess | |
| NtQuerySystemEnvironmentValueEx | |
| NtReleaseKeyedEvent | |
| NtRemoveProcessDebug | |
| NtRenameKey | |
| NtResumeProcess | |
| NtSaveKeyEx | |
| NtSetBootEntryOrder | |
| NtSetBootOptions | |
| NtSetDebugFilterState | |
| NtSetEventBoostPriority | |
| NtSetInformationDebugObject | |
| NtSetSystemEnvironmentValueEx | |
| NtSuspendProcess | |
| NtTraceEvent | |
| NtTranslateFilePath | |
| NtUnloadKeyEx | |
| NtWaitForDebugEvent | |
| NtWaitForKeyedEvent | |
| RtlActivateActivationContext | |
| RtlActivateActivationContextEx | |
| RtlActivateActivationContextUnsafeFast | |
| RtlAddRefActivationContext | whole implementation of KERNEL32 function AddRefActCtx in 5.1 and higher |
| RtlAddRefMemoryStream | not in wow64 |
| RtlAddVectoredExceptionHandler | forwarded from KERNEL32 function AddVectoredExceptionHandler in 5.1 and higher |
| RtlAddressInSectionTable | |
| RtlAppendPathElement | |
| RtlApplicationVerifierStop | |
| RtlAssert2 | discontinued in 5.2 |
| RtlCaptureContext | forwarded from KERNEL32 function RtlCaptureContext
in 5.1 to 6.0; undocumented in WDK until 2005-2006; documented in WDK until 2008-2009 as “reserved for system use”; declaration in WDK requires Windows 2000 and higher |
| RtlCaptureStackContext | x86 only |
| RtlCheckProcessParameters | discontinued in 6.0 |
| RtlCloneMemoryStream | not in wow64 |
| RtlCommitMemoryStream | not in wow64 |
| RtlComputeCrc32 | |
| RtlComputeImportTableHash | |
| RtlComputePrivatizedDllName_U | |
| RtlCopyMemoryStreamTo | not in wow64 |
| RtlCopyOutOfProcessMemoryStreamTo | not in wow64 |
| RtlCreateActivationContext | |
| RtlCreateBootStatusDataFile | |
| RtlCreateSystemVolumeInformationFolder | undocumented until 2005-2006 |
| RtlDeactivateActivationContext | |
| RtlDeactivateActivationContextUnsafeFast | |
| RtlDecodePointer | begins from SP2; not in 5.2 before SP1; forwarded from KERNEL32 function DecodePointer in corresponding 5.1 and 5.2, and higher; forwarded from KERNELBASE function DecodePointer in 6.1 and higher |
| RtlDecodeSystemPointer | begins from SP2; not in 5.2 before SP1; forwarded from KERNEL32 function DecodeSystemPointer in corresponding 5.1 and 5.2, and higher; forwarded from KERNELBASE function DecodeSystemPointer in 6.1 and higher |
| RtlDeleteElementGenericTableAvl | |
| RtlDllShutdownInProgress | |
| RtlDosApplyFileIsolationRedirection_Ustr | |
| RtlDosSearchPath_Ustr | |
| RtlDowncaseUnicodeChar | undocumented until 2005-2006 |
| RtlDuplicateUnicodeString | |
| RtlEncodePointer | begins from SP2; not in 5.2 before SP1; forwarded from KERNEL32 function EncodePointer in corresponding 5.1 and 5.2, and higher; forwarded from KERNELBASE function EncodePointer in 6.1 and higher; |
| RtlEncodeSystemPointer | begins from SP2; not in 5.2 before SP1; forwarded from KERNEL32 function EncodeSystemPointer in corresponding 5.1 and 5.2, and higher; forwarded from KERNELBASE function EncodeSystemPointer in 6.1 and higher |
| RtlEnumerateGenericTableAvl | |
| RtlEnumerateGenericTableLikeADirectory | |
| RtlEnumerateGenericTableWithoutSplayingAvl | |
| RtlExitUserThread | forwarded from KERNEL32 function ExitThread
in 6.0 and higher; forwarded from KERNELBASE function ExitThread in 6.1 and higher |
| RtlFinalReleaseOutOfProcessMemoryStream | not in wow64 |
| RtlFindActivationContextSectionGuid | |
| RtlFindActivationContextSectionString | |
| RtlFindCharInUnicodeString | |
| RtlFindClearRuns | declaration requires Windows 2000 and higher |
| RtlFirstEntrySList | undocumented until 2006 |
| RtlFlushSecureMemoryCache | |
| RtlFreeThreadActivationContextStack | |
| RtlGetActiveActivationContext | |
| RtlGetCurrentPeb | |
| RtlGetElementGenericTableAvl | undocumented until 2008-2009 |
| RtlGetFrame | |
| RtlGetLastNtStatus | |
| RtlGetLastWin32Error | forwarded from KERNEL32 function GetLastError in 5.1 and 5.2 |
| RtlGetLengthWithoutLastFullDosOrNtPathElement | |
| RtlGetLengthWithoutTrailingPathSeperators | |
| RtlGetNativeSystemInformation | |
| RtlGetNtVersionNumbers | |
| RtlGetSetBootStatusData | |
| RtlGetUnloadEventTrace | begins from SP2; undocumented until 2004-2006; documentation withdrawn from SDK in 2007-2008; not declared |
| RtlHashUnicodeString | undocumented until 2005-2006 |
| RtlInitMemoryStream | not in wow64 |
| RtlInitOutOfProcessMemoryStream | not in wow64 |
| RtlInitUnicodeStringEx | |
| RtlInitializeGenericTableAvl | |
| RtlInitializeSListHead | forwarded from KERNEL32 function InitializeSListHead
in 5.1 and higher; forwarded from KERNELBASE function InitializeSListHead in 6.1 and higher; undocumented until 2006 |
| RtlInitializeStackTraceDatabase | begins from SP2; discontinued in 6.0 |
| RtlInsertElementGenericTableAvl | |
| RtlInterlockedFlushSList | forwarded from KERNEL32 function InterlockedFlushSList
in 5.1 and higher; forwarded from KERNELBASE function InterlockedFlushSList in 6.1 and higher; undocumented until 2006 |
| RtlInterlockedPopEntrySList | forwarded from KERNEL32 function InterlockedPopEntrySList
in 5.1 and higher; forwarded from KERNELBASE function InterlockedPopEntrySList in 6.1 and higher; undocumented until 2006 |
| RtlInterlockedPushEntrySList | forwarded from KERNEL32 function InterlockedPushEntrySList
in 5.1 and higher; forwarded from KERNELBASE function InterlockedPushEntrySList in 6.1 and higher; undocumented until 2006 |
| RtlInterlockedPushListSList | forwarded from KERNEL32 function InterlockedPushListSList
in 6.0 and higher; forwarded from KERNELBASE function InterlockedPushListSList in 6.1 and higher |
| RtlIpv4AddressToStringA | undocumented until 2004-2006; documentation requires Windows Vista and higher; declaration requires Windows Vista and higher |
| RtlIpv4AddressToStringExA | begins from SP2; documented as requiring Windows Vista or higher; declared for Windows Vista and higher |
| RtlIpv4AddressToStringExW | begins from SP2; documented as requiring Windows Vista or higher; declared for Windows Vista and higher |
| RtlIpv4AddressToStringW | undocumented until 2004-2006; documentation requires Windows Vista and higher; declaration requires Windows Vista and higher |
| RtlIpv4StringToAddressA | undocumented until 2004-2006; documentation requires Windows Vista and higher; declaration requires Windows Vista and higher |
| RtlIpv4StringToAddressExA | begins from SP2; documented as requiring Windows Vista or higher; declared for Windows Vista and higher |
| RtlIpv4StringToAddressExW | begins from SP2; documented as requiring Windows Vista or higher; declared for Windows Vista and higher |
| RtlIpv4StringToAddressW | undocumented until 2004-2006; documentation requires Windows Vista and higher; declaration requires Windows Vista and higher |
| RtlIpv6AddressToStringA | undocumented until 2004-2006; documentation requires Windows Vista and higher; declaration requires Windows Vista and higher |
| RtlIpv6AddressToStringExA | begins from SP2; documented as requiring Windows Vista or higher; declared for Windows Vista and higher |
| RtlIpv6AddressToStringExW | begins from SP2; documented as requiring Windows Vista or higher; declared for Windows Vista and higher |
| RtlIpv6AddressToStringW | undocumented until 2004-2006; documentation requires Windows Vista and higher; declaration requires Windows Vista and higher |
| RtlIpv6StringToAddressA | undocumented until 2004-2006; documentation requires Windows Vista and higher; declaration requires Windows Vista and higher |
| RtlIpv6StringToAddressExA | begins from SP2; documented as requiring Windows Vista or higher; declared for Windows Vista and higher |
| RtlIpv6StringToAddressExW | begins from SP2; documented as requiring Windows Vista or higher; declared for Windows Vista and higher |
| RtlIpv6StringToAddressW | undocumented until 2004-2006; documentation requires Windows Vista and higher; declaration requires Windows Vista and higher |
| RtlIsActivationContextActive | |
| RtlIsGenericTableEmptyAvl | |
| RtlIsThreadWithinLoaderCallout | begins from SP1 |
| RtlLockBootStatusData | |
| RtlLockMemoryStreamRegion | not in wow64 |
| RtlLogStackBackTrace | |
| RtlLookupElementGenericTableAvl | |
| RtlMapSecurityErrorToNtStatus | |
| RtlMultiAppendUnicodeStringBuffer | |
| RtlNewSecurityObjectWithMultipleInheritance | |
| RtlNtPathNameToDosPathName | |
| RtlNtStatusToDosErrorNoTeb | documented as “reserved for system use” |
| RtlNumberGenericTableElementsAvl | |
| RtlPopFrame | |
| RtlPushFrame | |
| RtlQueryDepthSList | forwarded from KERNEL32 function QueryDepthSList
in 5.1 and higher; forwarded from KERNELBASE function QueryDepthSList in 6.1 and higher; undocumented until 2006 |
| RtlQueryHeapInformation | |
| RtlQueryInformationActivationContext | |
| RtlQueryInformationActiveActivationContext | |
| RtlQueryInterfaceMemoryStream | not in wow64 |
| RtlQueueApcWow64Thread | |
| RtlRandomEx | |
| RtlReadMemoryStream | not in wow64 |
| RtlReadOutOfProcessMemoryStream | not in wow64 |
| RtlRegisterSecureMemoryCacheCallback | |
| RtlReleaseActivationContext | whole implementation of KERNEL32 function ReleaseActCtx in 5.1 and higher |
| RtlReleaseMemoryStream | not in wow64 |
| RtlRemoveVectoredExceptionHandler | forwarded from KERNEL32 function RemoveVectoredExceptionHandler in 5.1 and higher |
| RtlRestoreLastWin32Error | forwarded from KERNEL32 function RestoreLastError in 5.1 and higher |
| RtlRevertMemoryStream | not in wow64 |
| RtlSeekMemoryStream | not in wow64 |
| RtlSetHeapInformation | |
| RtlSetLastWin32Error | forwarded from KERNEL32 function SetLastError
in 5.1 and 5.2 only; forwarded from KERNELBASE function SetLastError in 6.1 and higher |
| RtlSetLastWin32ErrorAndNtStatusFromNtStatus | |
| RtlSetMemoryStreamSize | not in wow64 |
| RtlSetProcessIsCritical | |
| RtlSetThreadIsCritical | |
| RtlStatMemoryStream | not in wow64 |
| RtlUnhandledExceptionFilter | |
| RtlUnhandledExceptionFilter2 | |
| RtlUnlockBootStatusData | |
| RtlUnlockMemoryStreamRegion | not in wow64 |
| RtlValidateUnicodeString | |
| RtlWriteMemoryStream | not in wow64 |
| RtlZombifyActivationContext | |
| RtlpApplyLengthFunction | |
| RtlpEnsureBufferSize | |
| RtlpNotOwnerCriticalSection | |
| ZwAddBootEntry | |
| ZwCompactKeys | |
| ZwCompareTokens | |
| ZwCompressKey | |
| ZwCreateDebugObject | |
| ZwCreateJobSet | |
| ZwCreateKeyedEvent | |
| ZwCreateProcessEx | |
| ZwDebugActiveProcess | |
| ZwDebugContinue | |
| ZwDeleteBootEntry | |
| ZwEnumerateBootEntries | |
| ZwEnumerateSystemEnvironmentValuesEx | |
| ZwIsProcessInJob | |
| ZwLockProductActivationKeys | |
| ZwLockRegistryKey | |
| ZwMakePermanentObject | |
| ZwModifyBootEntry | |
| ZwOpenKeyedEvent | |
| ZwOpenProcessTokenEx | |
| ZwOpenThreadTokenEx | |
| ZwQueryBootEntryOrder | |
| ZwQueryBootOptions | |
| ZwQueryDebugFilterState | |
| ZwQueryPortInformationProcess | |
| ZwQuerySystemEnvironmentValueEx | |
| ZwReleaseKeyedEvent | |
| ZwRemoveProcessDebug | |
| ZwRenameKey | declaration requires Windows 7 and higher |
| ZwResumeProcess | |
| ZwSaveKeyEx | |
| ZwSetBootEntryOrder | |
| ZwSetBootOptions | |
| ZwSetDebugFilterState | |
| ZwSetEventBoostPriority | |
| ZwSetInformationDebugObject | |
| ZwSetSystemEnvironmentValueEx | |
| ZwSuspendProcess | |
| ZwTraceEvent | |
| ZwTranslateFilePath | |
| ZwUnloadKeyEx | |
| ZwWaitForDebugEvent | |
| ZwWaitForKeyedEvent | |
| _CIcos | x86 only |
| _CIlog | x86 only |
| _CIsin | x86 only |
| _CIsqrt | x86 only |
| _alldvrm | x86 only |
| _aulldvrm | x86 only |
| _lfind | |
| _ui64tow | |
| _vsnwprintf | |
| bsearch | |
| vDbgPrintEx | |
| vDbgPrintExWithPrefix |