Geoff Chappell - Software Analyst
The table below lists all the named NTDLL exports that were added for version 6.1. Some new functions for version 6.1 that are exported only by ordinal are listed separately. Of the new functions exported by name, hardly any are yet documented, though a few are at least declared in one or another header file from the WDK or SDK.
Documentation status is conveyed by colour coding. NTDLL functions that actually are documented as exports from NTDLL are shown with no background colour. So too are the NTDLL implementations of documented functions from the C Run-Time Library. Functions that are documented in the Windows Driver Kit (WDK), typically as exports from the NT kernel for use by ring 0 software such as device drivers, but sometimes with non-specific talk of being callable from user mode, are lightly shaded blue. Documented functions that are known not to have been documented immediately they were introduced are a darker blue if the only known documentation is in the WDK, else pink. If the delayed documentation came specifically from its listing among the Settlement Program Interfaces in late 2002, then the function is less pink since Microsoft at least acknowledged that the documentation was late. A function is shaded grey if it seems not to be documented but is known to be the entire low-level implementation of some function in a higher-level DLL such as KERNEL32 or ADVAPI32. Identifying these is a work in progress. Functions that look to be completely undocumented are highlighted yellow. However, an undocumented function is shaded yellow, as semi-documented, if it is at least declared in one or another header file from the WDK or, exceptionally, the SDK. If you browse with scripting enabled, hovering over any text that has a background colour should produce a tooltip that explains the formatting.
That RtlFillMemoryUlonglong appears only as late as Windows 7 is conspicuous. It has for some years been documented in the WDK’s section for Installable File Systems, and declared in NTIFS.H as an importable function. Yet no import library supplied with the WDK for Windows Vista (for instance) resolves the corresponding import symbol. All builds of both the NT kernel and NTDLL from at least as far back as Windows 2000 do have code for an RtlFillMemoryUlonglong function, but they don’t export that function. Could it be that the function was meant to be exported all along, consistently with the documentation, but was neglected by an oversight that took years for anyone to notice (or bother correcting)?
| Function | Remarks |
|---|---|
| AlpcRundownCompletionList | |
| EtwEventWriteEx | |
| EtwEventWriteNoRegistration | |
| EvtIntReportAuthzEventAndSourceAsync | |
| EvtIntReportEventAndSourceAsync | |
| ExpInterlockedPopEntrySListEnd16 | x64 only |
| ExpInterlockedPopEntrySListFault16 | x64 only |
| ExpInterlockedPopEntrySListResume16 | x64 only |
| LdrGetDllHandleByMapping | |
| LdrGetDllHandleByName | |
| LdrResGetRCConfig | |
| LdrRscIsTypeExist | |
| NtAllocateReserveObject | |
| NtCreateProfileEx | |
| NtDisableLastKnownGood | |
| NtDrawText | |
| NtEnableLastKnownGood | |
| NtNotifyChangeSession | |
| NtOpenKeyEx | |
| NtOpenKeyTransactedEx | |
| NtQuerySecurityAttributesToken | |
| NtQuerySystemInformationEx | |
| NtQueueApcThreadEx | |
| NtSerializeBoot | |
| NtSetIoCompletionEx | |
| NtSetTimerEx | |
| NtUmsThreadYield | |
| NtWow64GetCurrentProcessorNumberEx | wow64 only |
| NtWow64InterlockedPopEntrySList | wow64 only |
| RtlAcquireReleaseSRWLockExclusive | |
| RtlAddIntegrityLabelToBoundaryDescriptor | |
| RtlContractHashTable | |
| RtlCopyExtendedContext | |
| RtlCreateHashTable | |
| RtlCreateProcessReflection | |
| RtlCreateUmsCompletionList | x64 only |
| RtlCreateUmsThread | x64 only |
| RtlCreateUmsThreadContext | x64 only |
| RtlCreateVirtualAccountSid | |
| RtlDeleteHashTable | |
| RtlDeleteUmsCompletionList | x64 only |
| RtlDeleteUmsThreadContext | x64 only |
| RtlDequeueUmsCompletionListItems | x64 only |
| RtlDetectHeapLeaks | |
| RtlDisableThreadProfiling | |
| RtlEnableThreadProfiling | |
| RtlEndEnumerationHashTable | |
| RtlEndWeakEnumerationHashTable | |
| RtlEnterUmsSchedulingMode | x64 only |
| RtlEnumerateEntryHashTable | |
| RtlEthernetAddressToStringA | declaration requires Windows Vista and higher |
| RtlEthernetAddressToStringW | declaration requires Windows Vista and higher |
| RtlEthernetStringToAddressA | declaration requires Windows Vista and higher |
| RtlEthernetStringToAddressW | declaration requires Windows Vista and higher |
| RtlExecuteUmsThread | x64 only |
| RtlExpandHashTable | |
| RtlFillMemoryUlonglong | x86 only; undocumented until 2000; documentation until 2008-2009 requires Windows 2000 and higher; documentation since 2008-2009 requires Windows 2000 and higher for x64 else Windows 7 and higher; declaration requires Windows XP and higher (x86); x64 support by macro in terms of compiler intrinsic __stosq |
| RtlGetCurrentProcessorNumberEx | forwarded from KERNEL32 function GetCurrentProcessorNumberEx in 6.1 and higher |
| RtlGetCurrentUmsThread | x64 only |
| RtlGetEnabledExtendedFeatures | |
| RtlGetExtendedContextLength | |
| RtlGetExtendedFeaturesMask | |
| RtlGetFullPathname_UEx | |
| RtlGetLocaleFileMappingAddress | |
| RtlGetNextEntryHashTable | |
| RtlGetNextUmsListItem | x64 only |
| RtlGetProcessPreferredUILanguages | |
| RtlGetUmsCompletionListEvent | x64 only |
| RtlInitEnumerationHashTable | |
| RtlInitWeakEnumerationHashTable | |
| RtlInitializeExtendedContext | |
| RtlInsertEntryHashTable | |
| RtlInterlockedClearBitRun | |
| RtlInterlockedSetBitRun | |
| RtlIsNameInExpression | declaration requires Windows 2000 and higher |
| RtlKnownExceptionFilter | |
| RtlLoadString | |
| RtlLocateExtendedFeature | |
| RtlLocateLegacyContext | |
| RtlLookupEntryHashTable | |
| RtlQueryPerformanceCounter | forwarded from KERNELBASE function QueryPerformanceCounter in 6.1 and higher |
| RtlQueryPerformanceFrequency | forwarded from KERNELBASE function QueryPerformanceFrequency in 6.1 and higher |
| RtlQueryThreadProfiling | |
| RtlQueryUmsThreadInformation | x64 only |
| RtlReadThreadProfilingData | |
| RtlRemoveEntryHashTable | |
| RtlReplaceSidInSd | |
| RtlReportSilentProcessExit | |
| RtlReportSqmEscalation | |
| RtlSetExtendedFeaturesMask | |
| RtlSetProcessPreferredUILanguages | |
| RtlSetUmsThreadInformation | x64 only |
| RtlTryAcquireSRWLockExclusive | forwarded from KERNELBASE function TryAcquireSRWLockExclusive in 6.1 and higher |
| RtlTryAcquireSRWLockShared | forwarded from KERNELBASE function TryAcquireSRWLockShared in 6.1 and higher |
| RtlUTF8ToUnicodeN | |
| RtlUmsThreadYield | x64 only |
| RtlUnicodeToUTF8N | |
| RtlWeaklyEnumerateEntryHashTable | |
| RtlWow64GetThreadSelectorEntry | x64 only |
| RtlpExecuteUmsThread | x64 only |
| RtlpUmsExecuteYieldThreadEnd | x64 only |
| RtlpUmsThreadYield | x64 only |
| SbExecuteProcedure | |
| SbSelectProcedure | |
| TpAllocAlpcCompletionEx | |
| TpAlpcRegisterCompletionList | |
| TpAlpcUnregisterCompletionList | |
| TpCallbackIndependent | |
| TpDbgGetFreeInfo | |
| TpDisablePoolCallbackChecks | |
| TpPoolFreeUnusedNodes | |
| TpQueryPoolStackInformation | |
| TpSetDefaultPoolMaxThreads | |
| TpSetDefaultPoolStackInformation | |
| TpSetPoolStackInformation | |
| WinSqmAddToAverageDWORD | |
| WinSqmAddToStreamEx | |
| WinSqmCheckEscalationAddToStreamEx | |
| WinSqmCheckEscalationSetDWORD | |
| WinSqmCheckEscalationSetDWORD64 | |
| WinSqmCheckEscalationSetString | |
| WinSqmCommonDatapointDelete | |
| WinSqmCommonDatapointSetDWORD | |
| WinSqmCommonDatapointSetDWORD64 | |
| WinSqmCommonDatapointSetStreamEx | |
| WinSqmCommonDatapointSetString | |
| WinSqmGetEscalationRuleStatus | |
| WinSqmGetInstrumentationProperty | |
| WinSqmIncrementDWORD | |
| WinSqmIsOptedInEx | |
| WinSqmSetDWORD | |
| WinSqmSetDWORD64 | |
| WinSqmSetEscalationInfo | |
| WinSqmSetIfMaxDWORD | |
| WinSqmSetIfMinDWORD | |
| ZwAllocateReserveObject | |
| ZwCreateProfileEx | |
| ZwDisableLastKnownGood | |
| ZwDrawText | |
| ZwEnableLastKnownGood | |
| ZwNotifyChangeSession | |
| ZwOpenKeyEx | |
| ZwOpenKeyTransactedEx | |
| ZwQuerySecurityAttributesToken | |
| ZwQuerySystemInformationEx | |
| ZwQueueApcThreadEx | |
| ZwSerializeBoot | |
| ZwSetIoCompletionEx | |
| ZwSetTimerEx | |
| ZwUmsThreadYield | |
| ZwWow64GetCurrentProcessorNumberEx | wow64 only |
| ZwWow64InterlockedPopEntrySList | wow64 only |
| _i64toa_s | |
| _i64tow_s | |
| _itoa_s | |
| _itow_s | |
| _ltoa_s | |
| _ltow_s | |
| _makepath_s | |
| _snprintf_s | |
| _snscanf_s | |
| _snwprintf_s | |
| _snwscanf_s | |
| _splitpath_s | |
| _strnset_s | |
| _strset_s | |
| _ui64toa_s | |
| _ui64tow_s | |
| _ultoa_s | |
| _ultow_s | |
| _vsnprintf_s | |
| _vsnwprintf_s | |
| _wcsnset_s | |
| _wcsset_s | |
| _wmakepath_s | |
| _wsplitpath_s | |
| memcpy_s | |
| memmove_s | |
| sprintf_s | |
| sscanf_s | |
| strcat_s | |
| strcpy_s | |
| strncat_s | |
| strncpy_s | |
| strnlen | |
| strtok_s | |
| swprintf_s | |
| swscanf_s | |
| vsprintf_s | |
| vswprintf_s | |
| wcscat_s | |
| wcscpy_s | |
| wcsncat_s | |
| wcsncpy_s | |
| wcsnlen |