Chan Woo

Reputation: 139

Are there different libraries of Windows system calls?

From looking at traces of system calls in Windows, I am very confused by the different types of these. Here are some different types I've encountered:

NtQueryPerformanceCounter( Counter=0xbcf6c8 [1.45779e+009], Freq=null ) => 0
NtProtectVirtualMemory( ProcessHandle=-1, BaseAddress=0xbcf6f4 …
NtProtectVirtualMemory( ProcessHandle=-1, BaseAddress=0xbcf6f4 [0x7702e000]…
NtQuerySystemInformation( SystemInformationClass=0 [SystemBasicInformation]
NtQueryVirtualMemory( ProcessHandle=-1, BaseAddress=0x76f20000, MemoryInformationClass=6, MemoryInformation=0xbcf440, Length=0xc, ReturnLength=null ) => 0

I know that these are referred to as API system calls. My untrained eye classifies these as system calls that start with "Nt".

But I've also encountered these:

"CreateSemaphoreW","CreateSemaphoreA","GlobalAddAtomW","lstrcpynW","LoadLibraryExW","SearchPathW",
"CreateFileW","CreateFileMappingW","MapViewOfFileEx","GetSystemMetrics","RegisterClipboardFormatW","SystemParametersInfoW",
"GetDC","GetDeviceCaps","ReleaseDC","LocalAlloc"

Although I may be wrong, I assume that these are system calls that are lower in level than those that start with Nt.

And this is another trace that I've encountered:

HeapAlloc HeapAlloc HeapFree HeapFree HeapAlloc HeapAlloc HeapFree
HeapFree NtOpenKey GetProcessHeap HeapAlloc NtOpenKey HeapAlloc NtOpenKey
NtQueryValueKey NtQueryValueKey HeapFree HeapAlloc HeapAlloc NtOpenKey
NtQueryValueKey HeapAlloc HeapAlloc RegOpenKeyExW

This trace contains both Nt functions and those without... I understand that I may sound too unknowledgeable in this field, but I really would like to develop a better general idea of what these are.

These traces make me assume that there are different sets of system calls in Windows that people seem to refer to by the same name ("system calls"). Could somebody tell me if I am wrong? And if I am right, are there names for these different sets of system calls?

Thank you

Upvotes: 3

Views: 1296

Answers (1)

Hans Passant

Reputation: 941455

The top snippet shows native api function names, the actual api of the operating system. The api you'd target when you write drivers. But that is rarely the api you use when you write your own programs. Windows NT originally included three distinct api layers, Win32, OS/2 and Posix.

The second snippet shows function names from the Win32 api layer, by far the most common one you target when you write a Windows program. The OS/2 subsystem was retired a long time ago. Posix fell out of use and was discontinued at Win8 and Server2012, but is back in Win10 with the new Linux subsystem.

Such a subsystem is implemented by translating its api functions into equivalent native api functions, if any. Most of the Win32 subsystem code lives in kernel32.dll, gdi32.dll, user32.dll and advapi.dll. ntdll.dll is the native api wrapper that calls into the kernel when necessary. Native api function names start with Nt or Zw. There is a glue layer that marries the two that gets exposed occasionally; its function names start with Rtl.

The primary advantage of this layering is that Microsoft can innovate on the OS without breaking existing programs. Code that was written 30 years ago is still pretty likely to compile and run correctly on a current OS, in spite of two very drastic architecture changes and many Windows releases. The last big change to the native api was at Vista, major version 6.

Upvotes: 2
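An added example, written here and not taken from the question or the answer, that applies the naming rules above to the traces in the question: it parses each trace line into function name, arguments and return value, then labels every call by layer. Names starting with Nt or Zw are treated as native api in ntdll.dll, names starting with Rtl as the runtime glue layer, and everything else is looked up in a small hand-built Win32 table. The sample trace is constructed from the question's excerpts; the Win32 table and its function-to-DLL assignments (using the export name advapi32.dll for the registry functions) are assumptions made for illustration, not something the answer lists.

```python
"""Parse a Windows API call trace and label each call by API layer.

Layer rules follow the answer: Nt*/Zw* = native api (ntdll.dll),
Rtl* = runtime glue, everything else = a Win32 subsystem function.
"""
import re
from collections import Counter

# Constructed sample: the three trace excerpts from the question,
# including two lines that were truncated in the original (no closing paren).
SAMPLE_TRACE = """\
NtQueryPerformanceCounter( Counter=0xbcf6c8 [1.45779e+009], Freq=null ) => 0
NtProtectVirtualMemory( ProcessHandle=-1, BaseAddress=0xbcf6f4 ...
NtQuerySystemInformation( SystemInformationClass=0 [SystemBasicInformation]
NtQueryVirtualMemory( ProcessHandle=-1, BaseAddress=0x76f20000, MemoryInformationClass=6, MemoryInformation=0xbcf440, Length=0xc, ReturnLength=null ) => 0
HeapAlloc HeapFree NtOpenKey GetProcessHeap NtQueryValueKey RegOpenKeyExW
CreateFileW CreateFileMappingW MapViewOfFileEx GetDC GetDeviceCaps LocalAlloc
"""

# Assumed, hand-built map of Win32 names to the DLL exporting them.
# Only the names appearing in the question are listed.
WIN32_MODULE = {
    "HeapAlloc": "kernel32.dll", "HeapFree": "kernel32.dll",
    "GetProcessHeap": "kernel32.dll", "LocalAlloc": "kernel32.dll",
    "CreateFileW": "kernel32.dll", "CreateFileMappingW": "kernel32.dll",
    "MapViewOfFileEx": "kernel32.dll", "LoadLibraryExW": "kernel32.dll",
    "RegOpenKeyExW": "advapi32.dll",
    "GetDC": "user32.dll", "ReleaseDC": "user32.dll",
    "GetSystemMetrics": "user32.dll", "GetDeviceCaps": "gdi32.dll",
}

# name( args ) => ret   -- the ")" and "=> ret" parts are optional so that
# truncated trace lines still parse.
CALL_RE = re.compile(r"^(\w+)\s*\((.*?)(?:\s*\)\s*(?:=>\s*(\S+))?)?\s*$")


def classify(name):
    """Return the layer and module a function name belongs to, per the answer."""
    if name.startswith(("Nt", "Zw")):
        return {"layer": "native", "module": "ntdll.dll"}
    if name.startswith("Rtl"):
        # Rtl glue is exported by ntdll.dll as well.
        return {"layer": "rtl", "module": "ntdll.dll"}
    if name in WIN32_MODULE:
        return {"layer": "win32", "module": WIN32_MODULE[name]}
    return {"layer": "unknown", "module": None}


def parse_trace(text):
    """Turn trace text into a list of call records.

    A line of the form name(args) => ret yields one record with parsed
    key=value arguments; a line of bare whitespace-separated names yields
    one record per name with no arguments.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CALL_RE.match(line)
        if m:
            name, raw_args, ret = m.group(1), m.group(2), m.group(3)
            args = {}
            for item in raw_args.split(","):
                item = item.strip()
                if "=" in item:
                    key, value = item.split("=", 1)
                    args[key.strip()] = value.strip()
            records.append({"name": name, "args": args, "ret": ret, **classify(name)})
        else:
            for token in line.split():
                records.append({"name": token, "args": {}, "ret": None, **classify(token)})
    return records


def summarize(text):
    """Count calls per layer; a quick view of how much of a trace is native api."""
    return Counter(rec["layer"] for rec in parse_trace(text))


if __name__ == "__main__":
    for rec in parse_trace(SAMPLE_TRACE):
        print(f"{rec['layer']:8} {rec['module'] or '-':14} {rec['name']}"
              f"({', '.join(f'{k}={v}' for k, v in rec['args'].items())})"
              + (f" => {rec['ret']}" if rec["ret"] is not None else ""))
    print(dict(summarize(SAMPLE_TRACE)))
```

Running the script prints one labelled line per call and then the per-layer counts for the sample; on a real trace the same summary shows at a glance which calls went through the Win32 layer and which hit ntdll directly.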
