Geoff Chappell - Software Analyst
The table below lists all the NTDLL exports that were added for version 5.2. One general point to note is that this version’s first service pack is the first release of Windows for the x64 platform, and brings many new functions that are specific to the x64 or wow64 builds. Another is the addition of many functions for Event Tracing for Windows, many of which had been implemented in ADVAPI32 before its version 5.2 and move back to ADVAPI32 in the next version.
Documentation status is conveyed by colour coding. NTDLL functions that actually are documented as exports from NTDLL are shown with no background colour. So too are the NTDLL implementations of documented functions from the C Run-Time Library. Functions that are documented in the Windows Driver Kit (WDK), typically as exports from the NT kernel for use by ring 0 software such as device drivers, but sometimes with non-specific talk of being callable from user mode, are lightly shaded blue. Documented functions that are known not to have been documented immediately they were introduced are a darker blue if the only known documentation is in the WDK, else pink. If the delayed documentation came specifically from its listing among the Settlement Program Interfaces in late 2002, then the function is less pink since Microsoft at least acknowledged that the documentation was late. A function is shaded grey if it seems not to be documented but is known to be the entire low-level implementation of some function in a higher-level DLL such as KERNEL32 or ADVAPI32. Identifying these is a work in progress. Functions that look to be completely undocumented are highlighted yellow. However, an undocumented function is shaded yellow, as semi-documented, if it is at least declared in one or another header file from the WDK or, exceptionally, the SDK. If you browse with scripting enabled, hovering over any text that has a background colour should produce a tooltip that explains the formatting.
| Function | Remarks |
|---|---|
| EtwControlTraceA | discontinued in 6.0; forwarded from ADVAPI32 function ControlTraceA in 5.2 only |
| EtwControlTraceW | discontinued in 6.0; forwarded from ADVAPI32 function ControlTraceW in 5.2 only |
| EtwCreateTraceInstanceId | forwarded from ADVAPI32 function CreateTraceInstanceId in 5.2 and higher |
| EtwEnableTrace | discontinued in 6.0; forwarded from ADVAPI32 function EnableTrace in 5.2 only |
| EtwEnumerateTraceGuids | discontinued in 6.0; forwarded from ADVAPI32 function EnumerateTraceGuids in 5.2 only |
| EtwFlushTraceA | discontinued in 6.0; forwarded from ADVAPI32 function FlushTraceA in 5.2 only |
| EtwFlushTraceW | discontinued in 6.0; forwarded from ADVAPI32 function FlushTraceW in 5.2 only |
| EtwGetTraceEnableFlags | forwarded from ADVAPI32 function GetTraceEnableFlags in 5.2 and higher |
| EtwGetTraceEnableLevel | forwarded from ADVAPI32 function GetTraceEnableLevel in 5.2 and higher |
| EtwGetTraceLoggerHandle | forwarded from ADVAPI32 function GetTraceLoggerHandle in 5.2 and higher |
| EtwNotificationRegistrationA | discontinued in 6.0; forwarded from ADVAPI32 function WmiNotificationRegistrationA in 5.2 only |
| EtwNotificationRegistrationW | discontinued in 6.0; forwarded from ADVAPI32 function WmiNotificationRegistrationW in 5.2 only |
| EtwQueryAllTracesA | discontinued in 6.0; forwarded from ADVAPI32 function QueryAllTracesA in 5.2 only |
| EtwQueryAllTracesW | discontinued in 6.0; forwarded from ADVAPI32 function QueryAllTracesW in 5.2 only |
| EtwQueryTraceA | discontinued in 6.0; forwarded from ADVAPI32 function QueryTraceA in 5.2 only |
| EtwQueryTraceW | discontinued in 6.0; forwarded from ADVAPI32 function QueryTraceA in 5.2 only |
| EtwReceiveNotificationsA | discontinued in 6.0; forwarded from ADVAPI32 function WmiReceiveNotificationsA in 5.2 only |
| EtwReceiveNotificationsW | discontinued in 6.0; forwarded from ADVAPI32 function WmiReceiveNotificationsW in 5.2 only |
| EtwRegisterTraceGuidsA | forwarded from ADVAPI32 function RegisterTraceGuidsA in 5.2 and higher |
| EtwRegisterTraceGuidsW | forwarded from ADVAPI32 function RegisterTraceGuidsW in 5.2 and higher |
| EtwStartTraceA | discontinued in 6.0; forwarded from ADVAPI32 function StartTraceA in 5.2 only |
| EtwStartTraceW | discontinued in 6.0; forwarded from ADVAPI32 function StartTraceW in 5.2 only |
| EtwStopTraceA | discontinued in 6.0; forwarded from ADVAPI32 function StopTraceA in 5.2 only |
| EtwStopTraceW | discontinued in 6.0; forwarded from ADVAPI32 function StopTraceW in 5.2 only |
| EtwTraceEvent | discontinued in 6.0; forwarded from ADVAPI32 function TraceEvent in 5.2 only |
| EtwTraceMessage | forwarded from ADVAPI32 function TraceMessage in 5.2 and higher |
| EtwTraceMessageVa | forwarded from ADVAPI32 function TraceMessageVa in 5.2 and higher |
| EtwUnregisterTraceGuids | forwarded from ADVAPI32 function UnregisterTraceGuids in 5.2 and higher |
| EtwUpdateTraceA | discontinued in 6.0; forwarded from ADVAPI32 function UpdateTraceA in 5.2 only |
| EtwUpdateTraceW | discontinued in 6.0; forwarded from ADVAPI32 function UpdateTraceW in 5.2 only |
| EtwpGetTraceBuffer | discontinued in 6.0; |
| EtwpSetHWConfigFunction | discontinued in 6.0; |
| ExpInterlockedPopEntrySListEnd | begins from SP1 |
| ExpInterlockedPopEntrySListFault | begins from SP1 |
| ExpInterlockedPopEntrySListResume | begins from SP1 |
| LdrGetKnownDllSectionHandle | begins from SP1; x64 only |
| LdrOpenImageFileOptionsKey | begins from SP1 |
| LdrProcessInitializationComplete | begins from SP1; x64 only |
| LdrQueryImageFileExecutionOptionsEx | |
| LdrQueryImageFileKeyOption | begins from SP1 |
| NtAddDriverEntry | |
| NtApphelpCacheControl | |
| NtDeleteDriverEntry | |
| NtEnumerateDriverEntries | |
| NtGetCurrentProcessorNumber | forwarded from KERNEL32 function GetCurrentProcessorNumber
in 5.2 before Windows Server 2003 SP1; undocumented until 2004-2006; not declared |
| NtLoadKeyEx | |
| NtModifyDriverEntry | |
| NtQueryDriverEntryOrder | |
| NtQueryOpenSubKeysEx | |
| NtSetDriverEntryOrder | |
| NtUnloadKey2 | |
| NtWaitForMultipleObjects32 | begins from SP1 |
| NtWow64CsrAllocateCaptureBuffer | begins from SP1; wow64 only |
| NtWow64CsrAllocateMessagePointer | begins from SP1; wow64 only |
| NtWow64CsrCaptureMessageBuffer | begins from SP1; wow64 only |
| NtWow64CsrCaptureMessageString | begins from SP1; wow64 only |
| NtWow64CsrClientCallServer | begins from SP1; wow64 only |
| NtWow64CsrClientConnectToServer | begins from SP1; wow64 only |
| NtWow64CsrFreeCaptureBuffer | begins from SP1; wow64 only |
| NtWow64CsrGetProcessId | begins from SP1; wow64 only |
| NtWow64CsrIdentifyAlertableThread | begins from SP1; wow64 only |
| NtWow64CsrNewThread | begins from SP1; wow64 only; discontinued in 6.0 from Windows Vista SP1 |
| NtWow64CsrSetPriorityClass | begins from SP1; wow64 only; discontinued in 6.0 from Windows Vista SP1 |
| NtWow64DebuggerCall | begins from SP1; wow64 only |
| NtWow64GetNativeSystemInformation | begins from SP1; wow64 only |
| NtWow64QueryInformationProcess64 | begins from SP1; wow64 only |
| NtWow64QueryVirtualMemory64 | begins from SP1; wow64 only |
| NtWow64ReadVirtualMemory64 | begins from SP1; wow64 only |
| RtlAcquirePrivilege | begins from SP1 |
| RtlAddFunctionTable | begins from SP1; x64 only; forwarded from KERNEL32 in 5.2 and 6.0 |
| RtlAddVectoredContinueHandler | begins from SP1; forwarded from KERNEL32 function AddVectoredContinueHandler in corresponding 5.2, and higher |
| RtlAllocateActivationContextStack | begins from SP1 |
| RtlCopyMappedMemory | |
| RtlCopyMemory | begins from SP1; x64 only; x86 support by macro in terms of memcpy function |
| RtlCopyMemoryNonTemporal | begins from SP1; x64 only; x86 support by macro as RtlCopyMemory |
| RtlDeleteFunctionTable | begins from SP1; x64 only; forwarded from KERNEL32 in 5.2 and 6.0 |
| RtlDosPathNameToNtPathName_U_WithStatus | begins from SP1 |
| RtlDosPathNameToRelativeNtPathName_U | |
| RtlDosPathNameToRelativeNtPathName_U_WithStatus | begins from SP1 |
| RtlFormatMessageEx | begins from SP1 |
| RtlFreeActivationContextStack | begins from SP1 |
| RtlGetCriticalSectionRecursionCount | begins from SP1 |
| RtlGetCurrentProcessorNumber | begins from SP1; forwarded from KERNEL32 function GetCurrentProcessorNumber in corresponding 5.2, and higher |
| RtlGetFullPathName_UstrEx | |
| RtlGetFunctionTableListHead | begins from SP1; x64 only; undocumented until 2004-2006; documentation withdrawn in 2007-2008 |
| RtlGetThreadErrorMode | |
| RtlImageNtHeaderEx | |
| RtlInitAnsiStringEx | |
| RtlInsertElementGenericTableFull | declared for Windows 2000 and higher; conditionally redefined by macro as RtlInsertElementGenericTableFullAvl |
| RtlInsertElementGenericTableFullAvl | declaration requires Windows XP and higher |
| RtlInstallFunctionTableCallback | begins from SP1; x64 only; forwarded from KERNEL32 in 5.2 and 6.0 |
| RtlInterlockedCompareExchange64 | x86 only; forwarded from KERNEL32 function InterlockedCompareExchange64 in 5.2 and higher; forwarded from KERNELBASE function InterlockedCompareExchange64 in 6.1 and higher |
| RtlIsCriticalSectionLocked | begins from SP1 |
| RtlIsCriticalSectionLockedByThread | begins from SP1 |
| RtlLookupElementGenericTableFull | declaration requires Windows 2000 and higher; conditionally redefined by macro as RtlLookupElementGenericTableFullAvl |
| RtlLookupElementGenericTableFullAvl | declaration requires Windows XP and higher |
| RtlLookupFunctionEntry | begins from SP1; x64 only; forwarded from KERNEL32 in 5.2 and 6.0 |
| RtlLookupFunctionTable | begins from SP1; x64 only |
| RtlMultipleAllocateHeap | |
| RtlMultipleFreeHeap | |
| RtlReleasePrivilege | begins from SP1 |
| RtlReleaseRelativeName | |
| RtlRemoveVectoredContinueHandler | begins from SP1; forwarded from KERNEL32 function RemoveVectoredContinueHandler in corresponding 5.2, and higher |
| RtlRestoreContext | begins from SP1; x64 only; forwarded from KERNEL32 in 5.2 and 6.0 |
| RtlSetEnvironmentStrings | |
| RtlSetThreadErrorMode | |
| RtlSetUnhandledExceptionFilter | begins from SP1 |
| RtlUnwindEx | begins from SP1; x64 only; forwarded from KERNEL32 in 5.2 and 6.0 |
| RtlVirtualUnwind | begins from SP1; x64 only; forwarded from KERNEL32 in 5.2 and 6.0 |
| RtlWow64EnableFsRedirection | |
| RtlWow64EnableFsRedirectionEx | begins from SP1 |
| ZwAddDriverEntry | |
| ZwApphelpCacheControl | |
| ZwDeleteDriverEntry | |
| ZwEnumerateDriverEntries | |
| ZwGetCurrentProcessorNumber | |
| ZwLoadKeyEx | |
| ZwModifyDriverEntry | |
| ZwQueryDriverEntryOrder | |
| ZwQueryOpenSubKeysEx | |
| ZwSetDriverEntryOrder | |
| ZwUnloadKey2 | |
| ZwWaitForMultipleObjects32 | begins from SP1 |
| ZwWow64CsrAllocateCaptureBuffer | begins from SP1; wow64 only |
| ZwWow64CsrAllocateMessagePointer | begins from SP1; wow64 only |
| ZwWow64CsrCaptureMessageBuffer | begins from SP1; wow64 only |
| ZwWow64CsrCaptureMessageString | begins from SP1; wow64 only |
| ZwWow64CsrClientCallServer | begins from SP1; wow64 only |
| ZwWow64CsrClientConnectToServer | begins from SP1; wow64 only |
| ZwWow64CsrFreeCaptureBuffer | begins from SP1; wow64 only |
| ZwWow64CsrGetProcessId | begins from SP1; wow64 only |
| ZwWow64CsrIdentifyAlertableThread | begins from SP1; wow64 only |
| ZwWow64CsrNewThread | begins from SP1; wow64 only |
| ZwWow64CsrSetPriorityClass | begins from SP1; wow64 only |
| ZwWow64DebuggerCall | begins from SP1; wow64 only |
| ZwWow64GetNativeSystemInformation | begins from SP1; wow64 only |
| ZwWow64QueryInformationProcess64 | begins from SP1; wow64 only |
| ZwWow64QueryVirtualMemory64 | begins from SP1; wow64 only |
| ZwWow64ReadVirtualMemory64 | begins from SP1; wow64 only |
| __C_specific_handler | begins from SP1; x64 only; forwarded from KERNEL32 function __C_specific_handler in 5.2 and higher |
| __chkstk | begins from SP1; x64 only; forwarded from KERNEL32 function __chkstk in 5.2 and higher |
| __misaligned_access | begins from SP1; x64 only; forwarded from KERNEL32 function __misaligned_access in 5.2 and higher |
| _local_unwind | begins from SP1; x64 only; forwarded from KERNEL32 function _local_unwind in 5.2 and higher |
| _setjmp | begins from SP1; x64 only |
| _setjmpex | begins from SP1; x64 only |
| _vscwprintf | |
| _wcstoui64 | |
| longjmp | begins from SP1; x64 only |