4 * COPYRIGHT: See COPYING in the top level directory
5 * PROJECT: ReactOS kernel
6 * PURPOSE: System call definitions
7 * FILE: include/ddk/zw.h
9 * ??/??/??: First few functions (David Welch)
10 * ??/??/??: Complete implementation by Ariadne
11 * 13/07/98: Reorganised things a bit (David Welch)
12 * 04/08/98: Added some documentation (Ariadne)
13 * 14/08/98: Added type TIME and change variable type from [1] to [0]
14 * 14/09/98: Added for each Nt call a corresponding Zw Call
20 #include <ntos/security.h>
21 #include <ntos/zwtypes.h>
22 #include <napi/npipe.h>
24 #ifndef _RTLGETPROCESSHEAP_DEFINED_
25 #define _RTLGETPROCESSHEAP_DEFINED_
26 #define RtlGetProcessHeap() (NtCurrentPeb()->ProcessHeap)
29 // semaphore information
31 typedef enum _SEMAPHORE_INFORMATION_CLASS
33 SemaphoreBasicInformation = 0
34 } SEMAPHORE_INFORMATION_CLASS;
36 typedef struct _SEMAPHORE_BASIC_INFORMATION
40 } SEMAPHORE_BASIC_INFORMATION, *PSEMAPHORE_BASIC_INFORMATION;
44 typedef enum _EVENT_INFORMATION_CLASS
46 EventBasicInformation = 0
47 } EVENT_INFORMATION_CLASS;
49 typedef struct _EVENT_BASIC_INFORMATION
53 } EVENT_BASIC_INFORMATION, *PEVENT_BASIC_INFORMATION;
56 //#define SECURITY_INFORMATION ULONG
57 //typedef ULONG SECURITY_INFORMATION;
60 * FUNCTION: Adjusts the groups in an access token
62 * TokenHandle = Specifies the access token
63 * ResetToDefault = If true the NewState parameter is ignored and the groups are set to
64 * their default state, if false the groups specified in
67 * BufferLength = Specifies the size of the buffer for the PreviousState.
69 * ReturnLength = Bytes written in PreviousState buffer.
70 * REMARKS: The arguments map to the win32 AdjustTokenGroups
77 IN HANDLE TokenHandle,
78 IN BOOLEAN ResetToDefault,
79 IN PTOKEN_GROUPS NewState,
80 IN ULONG BufferLength,
81 OUT PTOKEN_GROUPS PreviousState OPTIONAL,
82 OUT PULONG ReturnLength
88 IN HANDLE TokenHandle,
89 IN BOOLEAN ResetToDefault,
90 IN PTOKEN_GROUPS NewState,
91 IN ULONG BufferLength,
92 OUT PTOKEN_GROUPS PreviousState,
93 OUT PULONG ReturnLength
101 * TokenHandle = Handle to the access token
102 * DisableAllPrivileges = The resulting suspend count.
108 * The arguments map to the win32 AdjustTokenPrivileges
114 NtAdjustPrivilegesToken(
115 IN HANDLE TokenHandle,
116 IN BOOLEAN DisableAllPrivileges,
117 IN PTOKEN_PRIVILEGES NewState,
118 IN ULONG BufferLength,
119 OUT PTOKEN_PRIVILEGES PreviousState,
120 OUT PULONG ReturnLength
125 ZwAdjustPrivilegesToken(
126 IN HANDLE TokenHandle,
127 IN BOOLEAN DisableAllPrivileges,
128 IN PTOKEN_PRIVILEGES NewState,
129 IN ULONG BufferLength,
130 OUT PTOKEN_PRIVILEGES PreviousState,
131 OUT PULONG ReturnLength
136 * FUNCTION: Decrements a thread's suspend count and places it in an alerted
139 * ThreadHandle = Handle to the thread that should be resumed
140 * SuspendCount = The resulting suspend count.
142 * A thread is resumed if its suspend count is 0
148 IN HANDLE ThreadHandle,
149 OUT PULONG SuspendCount
155 IN HANDLE ThreadHandle,
156 OUT PULONG SuspendCount
160 * FUNCTION: Puts the thread in a alerted state
162 * ThreadHandle = Handle to the thread that should be alerted
168 IN HANDLE ThreadHandle
174 IN HANDLE ThreadHandle
179 * FUNCTION: Allocates a locally unique id
181 * LocallyUniqueId = Locally unique number
186 NtAllocateLocallyUniqueId(
187 OUT LUID *LocallyUniqueId
192 ZwAllocateLocallyUniqueId(
197 * FUNCTION: Allocates a block of virtual memory in the process address space
199 * ProcessHandle = The handle of the process which owns the virtual memory
200 * BaseAddress = A pointer to the virtual memory allocated. If you supply a non zero
201 * value the system will try to allocate the memory at the address supplied. It rounds
202 * it down to a multiple if the page size.
203 * ZeroBits = (OPTIONAL) You can specify the number of high order bits that must be zero, ensuring that
204 * the memory will be allocated at a address below a certain value.
205 * RegionSize = The number of bytes to allocate
206 * AllocationType = Indicates the type of virtual memory you like to allocated,
207 * can be one of the values : MEM_COMMIT, MEM_RESERVE, MEM_RESET, MEM_TOP_DOWN
208 * Protect = Indicates the protection type of the pages allocated, can be a combination of
209 * PAGE_READONLY, PAGE_READWRITE, PAGE_EXECUTE_READ,
210 * PAGE_EXECUTE_READWRITE, PAGE_GUARD, PAGE_NOACCESS, PAGE_NOACCESS
212 * This function maps to the win32 VirtualAllocEx. Virtual memory is process based so the
213 * protocol starts with a ProcessHandle. I splitted the functionality of obtaining the actual address and specifying
214 * the start address in two parameters ( BaseAddress and StartAddress ) The NumberOfBytesAllocated specify the range
215 * and the AllocationType and ProctectionType map to the other two parameters.
220 NtAllocateVirtualMemory (
221 IN HANDLE ProcessHandle,
222 IN OUT PVOID *BaseAddress,
224 IN OUT PULONG RegionSize,
225 IN ULONG AllocationType,
231 ZwAllocateVirtualMemory (
232 IN HANDLE ProcessHandle,
233 IN OUT PVOID *BaseAddress,
235 IN OUT PULONG RegionSize,
236 IN ULONG AllocationType,
240 * FUNCTION: Returns from a callback into user mode
244 //FIXME: this function might need 3 parameters
245 NTSTATUS STDCALL NtCallbackReturn(PVOID Result,
249 NTSTATUS STDCALL ZwCallbackReturn(PVOID Result,
254 * FUNCTION: Cancels a IO request
256 * FileHandle = Handle to the file
260 * This function maps to the win32 CancelIo.
266 IN HANDLE FileHandle,
267 OUT PIO_STATUS_BLOCK IoStatusBlock
273 IN HANDLE FileHandle,
274 OUT PIO_STATUS_BLOCK IoStatusBlock
278 * FUNCTION: Sets the status of the event back to non-signaled
280 * EventHandle = Handle to the event
282 * This function maps to win32 function ResetEvent.
289 IN HANDLE EventHandle
295 IN HANDLE EventHandle
299 * FUNCTION: Closes an object handle
301 * Handle = Handle to the object
303 * This function maps to the win32 function CloseHandle.
320 * FUNCTION: Generates an audit message when a handle to an object is dereferenced
323 HandleId = Handle to the object
326 * This function maps to the win32 function ObjectCloseAuditAlarm.
332 NtCloseObjectAuditAlarm(
333 IN PUNICODE_STRING SubsystemName,
335 IN BOOLEAN GenerateOnClose
340 ZwCloseObjectAuditAlarm(
341 IN PUNICODE_STRING SubsystemName,
343 IN BOOLEAN GenerateOnClose
347 * FUNCTION: Creates a directory object
349 * DirectoryHandle (OUT) = Caller supplied storage for the resulting handle
350 * DesiredAccess = Specifies access to the directory
351 * ObjectAttribute = Initialized attributes for the object
352 * REMARKS: This function maps to the win32 CreateDirectory. A directory is like a file so it needs a
353 * handle, a access mask and a OBJECT_ATTRIBUTES structure to map the path name and the SECURITY_ATTRIBUTES.
359 NtCreateDirectoryObject(
360 OUT PHANDLE DirectoryHandle,
361 IN ACCESS_MASK DesiredAccess,
362 IN POBJECT_ATTRIBUTES ObjectAttributes
367 ZwCreateDirectoryObject(
368 OUT PHANDLE DirectoryHandle,
369 IN ACCESS_MASK DesiredAccess,
370 IN POBJECT_ATTRIBUTES ObjectAttributes
374 * FUNCTION: Creates an event object
376 * EventHandle (OUT) = Caller supplied storage for the resulting handle
377 * DesiredAccess = Specifies access to the event
378 * ObjectAttribute = Initialized attributes for the object
379 * ManualReset = manual-reset or auto-reset if true you have to reset the state of the event manually
380 * using NtResetEvent/NtClearEvent. if false the system will reset the event to a non-signalled state
381 * automatically after the system has rescheduled a thread waiting on the event.
382 * InitialState = specifies the initial state of the event to be signaled ( TRUE ) or non-signalled (FALSE).
383 * REMARKS: This function maps to the win32 CreateEvent. Demanding a out variable of type HANDLE,
384 * a access mask and a OBJECT_ATTRIBUTES structure mapping to the SECURITY_ATTRIBUTES. ManualReset and InitialState are
385 * both parameters aswell ( possibly the order is reversed ).
392 OUT PHANDLE EventHandle,
393 IN ACCESS_MASK DesiredAccess,
394 IN POBJECT_ATTRIBUTES ObjectAttributes,
395 IN BOOLEAN ManualReset,
396 IN BOOLEAN InitialState
402 OUT PHANDLE EventHandle,
403 IN ACCESS_MASK DesiredAccess,
404 IN POBJECT_ATTRIBUTES ObjectAttributes,
405 IN BOOLEAN ManualReset,
406 IN BOOLEAN InitialState
410 * FUNCTION: Creates an eventpair object
412 * EventPairHandle (OUT) = Caller supplied storage for the resulting handle
413 * DesiredAccess = Specifies access to the event
414 * ObjectAttribute = Initialized attributes for the object
420 OUT PHANDLE EventPairHandle,
421 IN ACCESS_MASK DesiredAccess,
422 IN POBJECT_ATTRIBUTES ObjectAttributes
428 OUT PHANDLE EventPairHandle,
429 IN ACCESS_MASK DesiredAccess,
430 IN POBJECT_ATTRIBUTES ObjectAttributes
435 * FUNCTION: Creates or opens a file, directory or device object.
437 * FileHandle (OUT) = Caller supplied storage for the resulting handle
438 * DesiredAccess = Specifies the allowed or desired access to the file can
439 * be a combination of DELETE | FILE_READ_DATA ..
440 * ObjectAttribute = Initialized attributes for the object, contains the rootdirectory and the filename
441 * IoStatusBlock (OUT) = Caller supplied storage for the resulting status information, indicating if the
442 * the file is created and opened or allready existed and is just opened.
443 * FileAttributes = file attributes can be a combination of FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN ...
444 * ShareAccess = can be a combination of the following: FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE
445 * CreateDisposition = specifies what the behavior of the system if the file allready exists.
446 * CreateOptions = specifies the behavior of the system on file creation.
447 * EaBuffer (OPTIONAL) = Extended Attributes buffer, applies only to files and directories.
448 * EaLength = Extended Attributes buffer size, applies only to files and directories.
449 * REMARKS: This function maps to the win32 CreateFile.
456 OUT PHANDLE FileHandle,
457 IN ACCESS_MASK DesiredAccess,
458 IN POBJECT_ATTRIBUTES ObjectAttributes,
459 OUT PIO_STATUS_BLOCK IoStatusBlock,
460 IN PLARGE_INTEGER AllocationSize OPTIONAL,
461 IN ULONG FileAttributes,
462 IN ULONG ShareAccess,
463 IN ULONG CreateDisposition,
464 IN ULONG CreateOptions,
465 IN PVOID EaBuffer OPTIONAL,
472 OUT PHANDLE FileHandle,
473 IN ACCESS_MASK DesiredAccess,
474 IN POBJECT_ATTRIBUTES ObjectAttributes,
475 OUT PIO_STATUS_BLOCK IoStatusBlock,
476 IN PLARGE_INTEGER AllocationSize OPTIONAL,
477 IN ULONG FileAttributes,
478 IN ULONG ShareAccess,
479 IN ULONG CreateDisposition,
480 IN ULONG CreateOptions,
481 IN PVOID EaBuffer OPTIONAL,
486 * FUNCTION: Creates or opens a file, directory or device object.
488 * CompletionPort (OUT) = Caller supplied storage for the resulting handle
489 * DesiredAccess = Specifies the allowed or desired access to the port
491 * NumberOfConcurrentThreads =
492 * REMARKS: This function maps to the win32 CreateIoCompletionPort
499 NtCreateIoCompletion(
500 OUT PHANDLE CompletionPort,
501 IN ACCESS_MASK DesiredAccess,
502 OUT PIO_STATUS_BLOCK IoStatusBlock,
503 IN ULONG NumberOfConcurrentThreads
508 ZwCreateIoCompletion(
509 OUT PHANDLE CompletionPort,
510 IN ACCESS_MASK DesiredAccess,
511 OUT PIO_STATUS_BLOCK IoStatusBlock,
512 IN ULONG NumberOfConcurrentThreads
517 * FUNCTION: Creates a registry key
519 * KeyHandle (OUT) = Caller supplied storage for the resulting handle
520 * DesiredAccess = Specifies the allowed or desired access to the key
521 * It can have a combination of the following values:
522 * KEY_READ | KEY_WRITE | KEY_EXECUTE | KEY_ALL_ACCESS
524 * KEY_QUERY_VALUE The values of the key can be queried.
525 * KEY_SET_VALUE The values of the key can be modified.
526 * KEY_CREATE_SUB_KEYS The key may contain subkeys.
527 * KEY_ENUMERATE_SUB_KEYS Subkeys can be queried.
529 * KEY_CREATE_LINK A symbolic link to the key can be created.
530 * ObjectAttributes = The name of the key may be specified directly in the name field
531 * of object attributes or relative to a key in rootdirectory.
532 * TitleIndex = Might specify the position in the sequential order of subkeys.
533 * Class = Specifies the kind of data, for example REG_SZ for string data. [ ??? ]
534 * CreateOptions = Specifies additional options with which the key is created
535 * REG_OPTION_VOLATILE The key is not preserved across boots.
536 * REG_OPTION_NON_VOLATILE The key is preserved accross boots.
537 * REG_OPTION_CREATE_LINK The key is a symbolic link to another key.
538 * REG_OPTION_BACKUP_RESTORE Key is being opened or created for backup/restore operations.
539 * Disposition = Indicates if the call to NtCreateKey resulted in the creation of a key it
540 * can have the following values: REG_CREATED_NEW_KEY | REG_OPENED_EXISTING_KEY
546 NtCreateKey(OUT PHANDLE KeyHandle,
547 IN ACCESS_MASK DesiredAccess,
548 IN POBJECT_ATTRIBUTES ObjectAttributes,
550 IN PUNICODE_STRING Class OPTIONAL,
551 IN ULONG CreateOptions,
552 IN PULONG Disposition OPTIONAL);
555 ZwCreateKey(OUT PHANDLE KeyHandle,
556 IN ACCESS_MASK DesiredAccess,
557 IN POBJECT_ATTRIBUTES ObjectAttributes,
559 IN PUNICODE_STRING Class OPTIONAL,
560 IN ULONG CreateOptions,
561 IN PULONG Disposition OPTIONAL);
564 * FUNCTION: Creates a mail slot file
566 * MailSlotFileHandle (OUT) = Caller supplied storage for the resulting handle
567 * DesiredAccess = Specifies the allowed or desired access to the file
568 * ObjectAttributes = Contains the name of the mailslotfile.
575 * REMARKS: This funciton maps to the win32 function CreateMailSlot
582 NtCreateMailslotFile(
583 OUT PHANDLE MailSlotFileHandle,
584 IN ACCESS_MASK DesiredAccess,
585 IN POBJECT_ATTRIBUTES ObjectAttributes,
586 OUT PIO_STATUS_BLOCK IoStatusBlock,
587 IN ULONG FileAttributes,
588 IN ULONG ShareAccess,
589 IN ULONG MaxMessageSize,
590 IN PLARGE_INTEGER TimeOut
595 ZwCreateMailslotFile(
596 OUT PHANDLE MailSlotFileHandle,
597 IN ACCESS_MASK DesiredAccess,
598 IN POBJECT_ATTRIBUTES ObjectAttributes,
599 OUT PIO_STATUS_BLOCK IoStatusBlock,
600 IN ULONG FileAttributes,
601 IN ULONG ShareAccess,
602 IN ULONG MaxMessageSize,
603 IN PLARGE_INTEGER TimeOut
607 * FUNCTION: Creates or opens a mutex
609 * MutantHandle (OUT) = Caller supplied storage for the resulting handle
610 * DesiredAccess = Specifies the allowed or desired access to the port
611 * ObjectAttributes = Contains the name of the mutex.
612 * InitialOwner = If true the calling thread acquires ownership
614 * REMARKS: This funciton maps to the win32 function CreateMutex
621 OUT PHANDLE MutantHandle,
622 IN ACCESS_MASK DesiredAccess,
623 IN POBJECT_ATTRIBUTES ObjectAttributes,
624 IN BOOLEAN InitialOwner
630 OUT PHANDLE MutantHandle,
631 IN ACCESS_MASK DesiredAccess,
632 IN POBJECT_ATTRIBUTES ObjectAttributes,
633 IN BOOLEAN InitialOwner
637 * FUNCTION: Creates a process.
639 * ProcessHandle (OUT) = Caller supplied storage for the resulting handle
640 * DesiredAccess = Specifies the allowed or desired access to the process can
641 * be a combinate of STANDARD_RIGHTS_REQUIRED| ..
642 * ObjectAttribute = Initialized attributes for the object, contains the rootdirectory and the filename
643 * ParentProcess = Handle to the parent process.
644 * InheritObjectTable = Specifies to inherit the objects of the parent process if true.
645 * SectionHandle = Handle to a section object to back the image file
646 * DebugPort = Handle to a DebugPort if NULL the system default debug port will be used.
647 * ExceptionPort = Handle to a exception port.
649 * This function maps to the win32 CreateProcess.
655 OUT PHANDLE ProcessHandle,
656 IN ACCESS_MASK DesiredAccess,
657 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
658 IN HANDLE ParentProcess,
659 IN BOOLEAN InheritObjectTable,
660 IN HANDLE SectionHandle OPTIONAL,
661 IN HANDLE DebugPort OPTIONAL,
662 IN HANDLE ExceptionPort OPTIONAL
668 OUT PHANDLE ProcessHandle,
669 IN ACCESS_MASK DesiredAccess,
670 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
671 IN HANDLE ParentProcess,
672 IN BOOLEAN InheritObjectTable,
673 IN HANDLE SectionHandle OPTIONAL,
674 IN HANDLE DebugPort OPTIONAL,
675 IN HANDLE ExceptionPort OPTIONAL
679 * FUNCTION: Creates a section object.
681 * SectionHandle (OUT) = Caller supplied storage for the resulting handle
682 * DesiredAccess = Specifies the desired access to the section can be a combination of STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_WRITE |
683 * SECTION_MAP_READ | SECTION_MAP_EXECUTE.
684 * ObjectAttribute = Initialized attributes for the object can be used to create a named section
685 * MaxiumSize = Maximizes the size of the memory section. Must be non-NULL for a page-file backed section.
686 * If value specified for a mapped file and the file is not large enough, file will be extended.
687 * SectionPageProtection = Can be a combination of PAGE_READONLY | PAGE_READWRITE | PAGE_WRITEONLY | PAGE_WRITECOPY.
688 * AllocationAttributes = can be a combination of SEC_IMAGE | SEC_RESERVE
689 * FileHanlde = Handle to a file to create a section mapped to a file instead of a memory backed section.
696 OUT PHANDLE SectionHandle,
697 IN ACCESS_MASK DesiredAccess,
698 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
699 IN PLARGE_INTEGER MaximumSize OPTIONAL,
700 IN ULONG SectionPageProtection OPTIONAL,
701 IN ULONG AllocationAttributes,
702 IN HANDLE FileHandle OPTIONAL
708 OUT PHANDLE SectionHandle,
709 IN ACCESS_MASK DesiredAccess,
710 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
711 IN PLARGE_INTEGER MaximumSize OPTIONAL,
712 IN ULONG SectionPageProtection OPTIONAL,
713 IN ULONG AllocationAttributes,
714 IN HANDLE FileHandle OPTIONAL
718 * FUNCTION: Creates a semaphore object for interprocess synchronization.
720 * SemaphoreHandle (OUT) = Caller supplied storage for the resulting handle
721 * DesiredAccess = Specifies the allowed or desired access to the semaphore.
722 * ObjectAttribute = Initialized attributes for the object.
723 * InitialCount = Not necessary zero, might be smaller than zero.
724 * MaximumCount = Maxiumum count the semaphore can reach.
727 * The semaphore is set to signaled when its count is greater than zero, and non-signaled when its count is zero.
730 //FIXME: should a semaphore's initial count allowed to be smaller than zero ??
734 OUT PHANDLE SemaphoreHandle,
735 IN ACCESS_MASK DesiredAccess,
736 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
737 IN LONG InitialCount,
744 OUT PHANDLE SemaphoreHandle,
745 IN ACCESS_MASK DesiredAccess,
746 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
747 IN LONG InitialCount,
752 * FUNCTION: Creates a symbolic link object
754 * SymbolicLinkHandle (OUT) = Caller supplied storage for the resulting handle
755 * DesiredAccess = Specifies the allowed or desired access to the thread.
756 * ObjectAttributes = Initialized attributes for the object.
757 * Name = Target name of the symbolic link
762 NtCreateSymbolicLinkObject(
763 OUT PHANDLE SymbolicLinkHandle,
764 IN ACCESS_MASK DesiredAccess,
765 IN POBJECT_ATTRIBUTES ObjectAttributes,
766 IN PUNICODE_STRING Name
771 ZwCreateSymbolicLinkObject(
772 OUT PHANDLE SymbolicLinkHandle,
773 IN ACCESS_MASK DesiredAccess,
774 IN POBJECT_ATTRIBUTES ObjectAttributes,
775 IN PUNICODE_STRING Name
779 * FUNCTION: Creates a waitable timer.
781 * TimerHandle (OUT) = Caller supplied storage for the resulting handle
782 * DesiredAccess = Specifies the allowed or desired access to the timer.
783 * ObjectAttributes = Initialized attributes for the object.
784 * TimerType = Specifies if the timer should be reset manually.
786 * This function maps to the win32 CreateWaitableTimer. lpTimerAttributes and lpTimerName map to
787 * corresponding fields in OBJECT_ATTRIBUTES structure.
793 OUT PHANDLE TimerHandle,
794 IN ACCESS_MASK DesiredAccess,
795 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
796 IN TIMER_TYPE TimerType
802 OUT PHANDLE TimerHandle,
803 IN ACCESS_MASK DesiredAccess,
804 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
805 IN TIMER_TYPE TimerType
809 * FUNCTION: Creates a token.
811 * TokenHandle (OUT) = Caller supplied storage for the resulting handle
812 * DesiredAccess = Specifies the allowed or desired access to the process can
813 * be a combinate of STANDARD_RIGHTS_REQUIRED| ..
814 * ObjectAttribute = Initialized attributes for the object, contains the rootdirectory and the filename
822 * TokenPrimaryGroup =
826 * This function does not map to a win32 function
833 OUT PHANDLE TokenHandle,
834 IN ACCESS_MASK DesiredAccess,
835 IN POBJECT_ATTRIBUTES ObjectAttributes,
836 IN TOKEN_TYPE TokenType,
837 IN PLUID AuthenticationId,
838 IN PLARGE_INTEGER ExpirationTime,
839 IN PTOKEN_USER TokenUser,
840 IN PTOKEN_GROUPS TokenGroups,
841 IN PTOKEN_PRIVILEGES TokenPrivileges,
842 IN PTOKEN_OWNER TokenOwner,
843 IN PTOKEN_PRIMARY_GROUP TokenPrimaryGroup,
844 IN PTOKEN_DEFAULT_DACL TokenDefaultDacl,
845 IN PTOKEN_SOURCE TokenSource
851 OUT PHANDLE TokenHandle,
852 IN ACCESS_MASK DesiredAccess,
853 IN POBJECT_ATTRIBUTES ObjectAttributes,
854 IN TOKEN_TYPE TokenType,
855 IN PLUID AuthenticationId,
856 IN PLARGE_INTEGER ExpirationTime,
857 IN PTOKEN_USER TokenUser,
858 IN PTOKEN_GROUPS TokenGroups,
859 IN PTOKEN_PRIVILEGES TokenPrivileges,
860 IN PTOKEN_OWNER TokenOwner,
861 IN PTOKEN_PRIMARY_GROUP TokenPrimaryGroup,
862 IN PTOKEN_DEFAULT_DACL TokenDefaultDacl,
863 IN PTOKEN_SOURCE TokenSource
867 * FUNCTION: Returns the callers thread TEB.
868 * RETURNS: The resulting teb.
878 * FUNCTION: Deletes an atom from the global atom table
880 * Atom = Identifies the atom to delete
882 * The function maps to the win32 GlobalDeleteAtom
898 * FUNCTION: Deletes a file or a directory
900 * ObjectAttributes = Name of the file which should be deleted
902 * This system call is functionally equivalent to NtSetInformationFile
903 * setting the disposition information.
904 * The function maps to the win32 DeleteFile.
910 IN POBJECT_ATTRIBUTES ObjectAttributes
916 IN POBJECT_ATTRIBUTES ObjectAttributes
920 * FUNCTION: Deletes a registry key
922 * KeyHandle = Handle of the key
937 * FUNCTION: Generates a audit message when an object is deleted
939 * SubsystemName = Spefies the name of the subsystem can be 'WIN32' or 'DEBUG'
940 * HandleId= Handle to an audit object
941 * GenerateOnClose = Value returned by NtAccessCheckAndAuditAlarm
942 * REMARKS: This function maps to the win32 ObjectCloseAuditAlarm
948 NtDeleteObjectAuditAlarm (
949 IN PUNICODE_STRING SubsystemName,
951 IN BOOLEAN GenerateOnClose
956 ZwDeleteObjectAuditAlarm (
957 IN PUNICODE_STRING SubsystemName,
959 IN BOOLEAN GenerateOnClose
964 * FUNCTION: Deletes a value from a registry key
966 * KeyHandle = Handle of the key
967 * ValueName = Name of the value to delete
975 IN PUNICODE_STRING ValueName
982 IN PUNICODE_STRING ValueName
985 * FUNCTION: Sends IOCTL to the io sub system
987 * DeviceHandle = Points to the handle that is created by NtCreateFile
988 * Event = Event to synchronize on STATUS_PENDING
989 * ApcRoutine = Asynchroneous procedure callback
990 * ApcContext = Callback context.
991 * IoStatusBlock = Caller should supply storage for extra information..
992 * IoControlCode = Contains the IO Control command. This is an
993 * index to the structures in InputBuffer and OutputBuffer.
994 * InputBuffer = Caller should supply storage for input buffer if IOTL expects one.
995 * InputBufferSize = Size of the input bufffer
996 * OutputBuffer = Caller should supply storage for output buffer if IOTL expects one.
997 * OutputBufferSize = Size of the input bufffer
1003 NtDeviceIoControlFile(
1004 IN HANDLE DeviceHandle,
1005 IN HANDLE Event OPTIONAL,
1006 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL,
1007 IN PVOID UserApcContext OPTIONAL,
1008 OUT PIO_STATUS_BLOCK IoStatusBlock,
1009 IN ULONG IoControlCode,
1010 IN PVOID InputBuffer,
1011 IN ULONG InputBufferSize,
1012 OUT PVOID OutputBuffer,
1013 IN ULONG OutputBufferSize
1018 ZwDeviceIoControlFile(
1019 IN HANDLE DeviceHandle,
1020 IN HANDLE Event OPTIONAL,
1021 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL,
1022 IN PVOID UserApcContext OPTIONAL,
1023 OUT PIO_STATUS_BLOCK IoStatusBlock,
1024 IN ULONG IoControlCode,
1025 IN PVOID InputBuffer,
1026 IN ULONG InputBufferSize,
1027 OUT PVOID OutputBuffer,
1028 IN ULONG OutputBufferSize
1031 * FUNCTION: Displays a string on the blue screen
1033 * DisplayString = The string to display
1040 IN PUNICODE_STRING DisplayString
1046 IN PUNICODE_STRING DisplayString
1050 * FUNCTION: Returns information about the subkeys of an open key
1052 * KeyHandle = Handle of the key whose subkeys are to enumerated
1053 * Index = zero based index of the subkey for which information is
1055 * KeyInformationClass = Type of information returned
1056 * KeyInformation (OUT) = Caller allocated buffer for the information
1058 * Length = Length in bytes of the KeyInformation buffer
1059 * ResultLength (OUT) = Caller allocated storage which holds
1060 * the number of bytes of information retrieved
1067 IN HANDLE KeyHandle,
1069 IN KEY_INFORMATION_CLASS KeyInformationClass,
1070 OUT PVOID KeyInformation,
1072 OUT PULONG ResultLength
1078 IN HANDLE KeyHandle,
1080 IN KEY_INFORMATION_CLASS KeyInformationClass,
1081 OUT PVOID KeyInformation,
1083 OUT PULONG ResultLength
1086 * FUNCTION: Returns information about the value entries of an open key
1088 * KeyHandle = Handle of the key whose value entries are to enumerated
1089 * Index = zero based index of the subkey for which information is
1091 * KeyInformationClass = Type of information returned
1092 * KeyInformation (OUT) = Caller allocated buffer for the information
1094 * Length = Length in bytes of the KeyInformation buffer
1095 * ResultLength (OUT) = Caller allocated storage which holds
1096 * the number of bytes of information retrieved
1102 NtEnumerateValueKey(
1103 IN HANDLE KeyHandle,
1105 IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
1106 OUT PVOID KeyValueInformation,
1108 OUT PULONG ResultLength
1113 ZwEnumerateValueKey(
1114 IN HANDLE KeyHandle,
1116 IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
1117 OUT PVOID KeyValueInformation,
1119 OUT PULONG ResultLength
1123 * FUNCTION: Flushes chached file data to disk
1125 * FileHandle = Points to the file
1126 * IoStatusBlock = Caller must supply storage to receive the result of the flush
1127 * buffers operation. The information field is set to number of bytes
1131 * This funciton maps to the win32 FlushFileBuffers
1136 IN HANDLE FileHandle,
1137 OUT PIO_STATUS_BLOCK IoStatusBlock
1143 IN HANDLE FileHandle,
1144 OUT PIO_STATUS_BLOCK IoStatusBlock
1148 * FUNCTION: Flushes a registry key to disk
1150 * KeyHandle = Points to the registry key handle
1153 * This funciton maps to the win32 RegFlushKey.
1168 * FUNCTION: Flushes the dirty pages to file
1170 * FIXME: Not sure this does (how is the file specified)
1172 NTSTATUS STDCALL NtFlushWriteBuffer(VOID);
1173 NTSTATUS STDCALL ZwFlushWriteBuffer(VOID);
1176 * FUNCTION: Frees a range of virtual memory
1178 * ProcessHandle = Points to the process that allocated the virtual
1180 * BaseAddress = Points to the memory address, rounded down to a
1181 * multiple of the pagesize
1182 * RegionSize = Limits the range to free, rounded up to a multiple of
1184 * FreeType = Can be one of the values: MEM_DECOMMIT, or MEM_RELEASE
1187 NTSTATUS STDCALL NtFreeVirtualMemory(IN HANDLE ProcessHandle,
1188 IN PVOID *BaseAddress,
1189 IN PULONG RegionSize,
1191 NTSTATUS STDCALL ZwFreeVirtualMemory(IN HANDLE ProcessHandle,
1192 IN PVOID *BaseAddress,
1193 IN PULONG RegionSize,
1197 * FUNCTION: Sends FSCTL to the filesystem
1199 * DeviceHandle = Points to the handle that is created by NtCreateFile
1200 * Event = Event to synchronize on STATUS_PENDING
1203 * IoStatusBlock = Caller should supply storage for
1204 * IoControlCode = Contains the File System Control command. This is an
1205 * index to the structures in InputBuffer and OutputBuffer.
1206 * FSCTL_GET_RETRIEVAL_POINTERS MAPPING_PAIR
1207 * FSCTL_GET_RETRIEVAL_POINTERS GET_RETRIEVAL_DESCRIPTOR
1208 * FSCTL_GET_VOLUME_BITMAP BITMAP_DESCRIPTOR
1209 * FSCTL_MOVE_FILE MOVEFILE_DESCRIPTOR
1211 * InputBuffer = Caller should supply storage for input buffer if FCTL expects one.
1212 * InputBufferSize = Size of the input bufffer
1213 * OutputBuffer = Caller should supply storage for output buffer if FCTL expects one.
1214 * OutputBufferSize = Size of the input bufffer
1215 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PENDING | STATUS_ACCESS_DENIED | STATUS_INSUFFICIENT_RESOURCES |
1216 * STATUS_INVALID_PARAMETER | STATUS_INVALID_DEVICE_REQUEST ]
1221 IN HANDLE DeviceHandle,
1222 IN HANDLE Event OPTIONAL,
1223 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
1224 IN PVOID ApcContext OPTIONAL,
1225 OUT PIO_STATUS_BLOCK IoStatusBlock,
1226 IN ULONG IoControlCode,
1227 IN PVOID InputBuffer,
1228 IN ULONG InputBufferSize,
1229 OUT PVOID OutputBuffer,
1230 IN ULONG OutputBufferSize
1236 IN HANDLE DeviceHandle,
1237 IN HANDLE Event OPTIONAL,
1238 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
1239 IN PVOID ApcContext OPTIONAL,
1240 OUT PIO_STATUS_BLOCK IoStatusBlock,
1241 IN ULONG IoControlCode,
1242 IN PVOID InputBuffer,
1243 IN ULONG InputBufferSize,
1244 OUT PVOID OutputBuffer,
1245 IN ULONG OutputBufferSize
1249 * FUNCTION: Retrieves the processor context of a thread
1251 * ThreadHandle = Handle to a thread
1252 * Context (OUT) = Caller allocated storage for the processor context
1259 IN HANDLE ThreadHandle,
1260 OUT PCONTEXT Context
1266 IN HANDLE ThreadHandle,
1267 OUT PCONTEXT Context
1271 * FUNCTION: Sets a thread to impersonate another
1273 * ThreadHandle = Server thread that will impersonate a client.
1274 ThreadToImpersonate = Client thread that will be impersonated
1275 SecurityQualityOfService = Specifies the impersonation level.
1281 NtImpersonateThread(
1282 IN HANDLE ThreadHandle,
1283 IN HANDLE ThreadToImpersonate,
1284 IN PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService
1289 ZwImpersonateThread(
1290 IN HANDLE ThreadHandle,
1291 IN HANDLE ThreadToImpersonate,
1292 IN PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService
1296 * FUNCTION: Initializes the registry.
1298 * SetUpBoot = This parameter is true for a setup boot.
1303 NtInitializeRegistry(
1308 ZwInitializeRegistry(
1313 * FUNCTION: Loads a driver.
1315 * DriverServiceName = Name of the driver to load
1321 IN PUNICODE_STRING DriverServiceName
1327 IN PUNICODE_STRING DriverServiceName
1331 * FUNCTION: Locks a range of bytes in a file.
1333 * FileHandle = Handle to the file
1334 * Event = Should be null if apc is specified.
1335 * ApcRoutine = Asynchroneous Procedure Callback
1336 * ApcContext = Argument to the callback
1337 * IoStatusBlock (OUT) = Caller should supply storage for a structure containing
1338 * the completion status and information about the requested lock operation.
1339 * ByteOffset = Offset
1340 * Length = Number of bytes to lock.
1341 * Key = Special value to give other threads the possibility to unlock the file
1342 by supplying the key in a call to NtUnlockFile.
1343 * FailImmediatedly = If false the request will block untill the lock is obtained.
1344 * ExclusiveLock = Specifies whether a exclusive or a shared lock is obtained.
1346 This procedure maps to the win32 procedure LockFileEx. STATUS_PENDING is returned if the lock could
1347 not be obtained immediately, the device queue is busy and the IRP is queued.
1348 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PENDING | STATUS_ACCESS_DENIED | STATUS_INSUFFICIENT_RESOURCES |
1349 STATUS_INVALID_PARAMETER | STATUS_INVALID_DEVICE_REQUEST | STATUS_LOCK_NOT_GRANTED ]
1355 IN HANDLE FileHandle,
1356 IN HANDLE Event OPTIONAL,
1357 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
1358 IN PVOID ApcContext OPTIONAL,
1359 OUT PIO_STATUS_BLOCK IoStatusBlock,
1360 IN PLARGE_INTEGER ByteOffset,
1361 IN PLARGE_INTEGER Length,
1363 IN BOOLEAN FailImmediatedly,
1364 IN BOOLEAN ExclusiveLock
1370 IN HANDLE FileHandle,
1371 IN HANDLE Event OPTIONAL,
1372 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
1373 IN PVOID ApcContext OPTIONAL,
1374 OUT PIO_STATUS_BLOCK IoStatusBlock,
1375 IN PLARGE_INTEGER ByteOffset,
1376 IN PLARGE_INTEGER Length,
1378 IN BOOLEAN FailImmediatedly,
1379 IN BOOLEAN ExclusiveLock
1383 * FUNCTION: Makes temporary object that will be removed at next boot.
1385 * Handle = Handle to object
1391 NtMakeTemporaryObject(
1397 ZwMakeTemporaryObject(
1401 * FUNCTION: Maps a view of a section into the virtual address space of a
1404 * SectionHandle = Handle of the section
1405 * ProcessHandle = Handle of the process
1406 * BaseAddress = Desired base address (or NULL) on entry
1407 * Actual base address of the view on exit
1408 * ZeroBits = Number of high order address bits that must be zero
1409 * CommitSize = Size in bytes of the initially committed section of
1411 * SectionOffset = Offset in bytes from the beginning of the section
1412 * to the beginning of the view
1413 * ViewSize = Desired length of map (or zero to map all) on entry
1414 * Actual length mapped on exit
1415 * InheritDisposition = Specified how the view is to be shared with
1417 * AllocateType = Type of allocation for the pages
1418 * Protect = Protection for the committed region of the view
1424 IN HANDLE SectionHandle,
1425 IN HANDLE ProcessHandle,
1426 IN OUT PVOID *BaseAddress,
1428 IN ULONG CommitSize,
1429 IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
1430 IN OUT PULONG ViewSize,
1431 IN SECTION_INHERIT InheritDisposition,
1432 IN ULONG AllocationType,
1433 IN ULONG AccessProtection
1439 IN HANDLE SectionHandle,
1440 IN HANDLE ProcessHandle,
1441 IN OUT PVOID *BaseAddress,
1443 IN ULONG CommitSize,
1444 IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
1445 IN OUT PULONG ViewSize,
1446 IN SECTION_INHERIT InheritDisposition,
1447 IN ULONG AllocationType,
1448 IN ULONG AccessProtection
1452 * FUNCTION: Installs a notify for the change of a directory's contents
1454 * FileHandle = Handle to the directory
1456 * ApcRoutine = Start address
1457 * ApcContext = Delimits the range of virtual memory
1458 * for which the new access protection holds
1459 * IoStatusBlock = The new access proctection for the pages
1460 * Buffer = Caller supplies storage for resulting information --> FILE_NOTIFY_INFORMATION
1461 * BufferSize = Size of the buffer
1462 CompletionFilter = Can be one of the following values:
1463 FILE_NOTIFY_CHANGE_FILE_NAME
1464 FILE_NOTIFY_CHANGE_DIR_NAME
1465 FILE_NOTIFY_CHANGE_NAME ( FILE_NOTIFY_CHANGE_FILE_NAME | FILE_NOTIFY_CHANGE_DIR_NAME )
1466 FILE_NOTIFY_CHANGE_ATTRIBUTES
1467 FILE_NOTIFY_CHANGE_SIZE
1468 FILE_NOTIFY_CHANGE_LAST_WRITE
1469 FILE_NOTIFY_CHANGE_LAST_ACCESS
1470 FILE_NOTIFY_CHANGE_CREATION ( change of creation timestamp )
1471 FILE_NOTIFY_CHANGE_EA
1472 FILE_NOTIFY_CHANGE_SECURITY
1473 FILE_NOTIFY_CHANGE_STREAM_NAME
1474 FILE_NOTIFY_CHANGE_STREAM_SIZE
1475 FILE_NOTIFY_CHANGE_STREAM_WRITE
1476 WatchTree = If true the notify will be installed recursively on the targetdirectory and all subdirectories.
1479 * The function maps to the win32 FindFirstChangeNotification, FindNextChangeNotification
1484 NtNotifyChangeDirectoryFile(
1485 IN HANDLE FileHandle,
1486 IN HANDLE Event OPTIONAL,
1487 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
1488 IN PVOID ApcContext OPTIONAL,
1489 OUT PIO_STATUS_BLOCK IoStatusBlock,
1491 IN ULONG BufferSize,
1492 IN ULONG CompletionFilter,
1493 IN BOOLEAN WatchTree
1498 ZwNotifyChangeDirectoryFile(
1499 IN HANDLE FileHandle,
1500 IN HANDLE Event OPTIONAL,
1501 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
1502 IN PVOID ApcContext OPTIONAL,
1503 OUT PIO_STATUS_BLOCK IoStatusBlock,
1505 IN ULONG BufferSize,
1506 IN ULONG CompletionFilter,
1507 IN BOOLEAN WatchTree
1511 * FUNCTION: Installs a notfication callback on registry changes
1513 KeyHandle = Handle to the registry key
1514 Event = Event that should be signalled on modification of the key
1515 ApcRoutine = Routine that should be called on modification of the key
1516 ApcContext = Argument to the ApcRoutine
1518 CompletionFilter = Specifies the kind of notification the caller likes to receive.
1519 Can be a combination of the following values:
1521 REG_NOTIFY_CHANGE_NAME
1522 REG_NOTIFY_CHANGE_ATTRIBUTES
1523 REG_NOTIFY_CHANGE_LAST_SET
1524 REG_NOTIFY_CHANGE_SECURITY
1527 Asynchroneous = If TRUE the changes are reported by signalling an event if false
1528 the function will not return before a change occurs.
1529 ChangeBuffer = Will return the old value
1530 Length = Size of the change buffer
1531 WatchSubtree = Indicates if the caller likes to receive a notification of changes in
1533 * REMARKS: If the key is closed the event is signalled aswell.
1540 IN HANDLE KeyHandle,
1542 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
1543 IN PVOID ApcContext OPTIONAL,
1544 OUT PIO_STATUS_BLOCK IoStatusBlock,
1545 IN ULONG CompletionFilter,
1546 IN BOOLEAN Asynchroneous,
1547 OUT PVOID ChangeBuffer,
1549 IN BOOLEAN WatchSubtree
1555 IN HANDLE KeyHandle,
1557 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
1558 IN PVOID ApcContext OPTIONAL,
1559 OUT PIO_STATUS_BLOCK IoStatusBlock,
1560 IN ULONG CompletionFilter,
1561 IN BOOLEAN Asynchroneous,
1562 OUT PVOID ChangeBuffer,
1564 IN BOOLEAN WatchSubtree
1568 * FUNCTION: Opens an existing directory object
1570 * FileHandle (OUT) = Caller supplied storage for the resulting handle
1571 * DesiredAccess = Requested access to the directory
1572 * ObjectAttributes = Initialized attributes for the object
1578 NtOpenDirectoryObject(
1579 OUT PHANDLE FileHandle,
1580 IN ACCESS_MASK DesiredAccess,
1581 IN POBJECT_ATTRIBUTES ObjectAttributes
1585 ZwOpenDirectoryObject(
1586 OUT PHANDLE FileHandle,
1587 IN ACCESS_MASK DesiredAccess,
1588 IN POBJECT_ATTRIBUTES ObjectAttributes
1592 * FUNCTION: Opens an existing event
1594 * EventHandle (OUT) = Caller supplied storage for the resulting handle
1595 * DesiredAccess = Requested access to the event
1596 * ObjectAttributes = Initialized attributes for the object
1602 OUT PHANDLE EventHandle,
1603 IN ACCESS_MASK DesiredAccess,
1604 IN POBJECT_ATTRIBUTES ObjectAttributes
1610 OUT PHANDLE EventHandle,
1611 IN ACCESS_MASK DesiredAccess,
1612 IN POBJECT_ATTRIBUTES ObjectAttributes
1616 * FUNCTION: Opens an existing event pair
1618 * EventHandle (OUT) = Caller supplied storage for the resulting handle
1619 * DesiredAccess = Requested access to the event
1620 * ObjectAttributes = Initialized attributes for the object
1627 OUT PHANDLE EventPairHandle,
1628 IN ACCESS_MASK DesiredAccess,
1629 IN POBJECT_ATTRIBUTES ObjectAttributes
1635 OUT PHANDLE EventPairHandle,
1636 IN ACCESS_MASK DesiredAccess,
1637 IN POBJECT_ATTRIBUTES ObjectAttributes
1640 * FUNCTION: Opens an existing file
1642 * FileHandle (OUT) = Caller supplied storage for the resulting handle
1643 * DesiredAccess = Requested access to the file
1644 * ObjectAttributes = Initialized attributes for the object
1653 OUT PHANDLE FileHandle,
1654 IN ACCESS_MASK DesiredAccess,
1655 IN POBJECT_ATTRIBUTES ObjectAttributes,
1656 OUT PIO_STATUS_BLOCK IoStatusBlock,
1657 IN ULONG ShareAccess,
1658 IN ULONG OpenOptions
1664 OUT PHANDLE FileHandle,
1665 IN ACCESS_MASK DesiredAccess,
1666 IN POBJECT_ATTRIBUTES ObjectAttributes,
1667 OUT PIO_STATUS_BLOCK IoStatusBlock,
1668 IN ULONG ShareAccess,
1669 IN ULONG OpenOptions
1673 * FUNCTION: Opens an existing io completion object
1675 * CompletionPort (OUT) = Caller supplied storage for the resulting handle
1676 * DesiredAccess = Requested access to the io completion object
1677 * ObjectAttributes = Initialized attributes for the object
1684 OUT PHANDLE CompetionPort,
1685 IN ACCESS_MASK DesiredAccess,
1686 IN POBJECT_ATTRIBUTES ObjectAttributes
1692 OUT PHANDLE CompetionPort,
1693 IN ACCESS_MASK DesiredAccess,
1694 IN POBJECT_ATTRIBUTES ObjectAttributes
1698 * FUNCTION: Opens an existing key in the registry
1700 * KeyHandle (OUT) = Caller supplied storage for the resulting handle
1701 * DesiredAccess = Requested access to the key
1702 * ObjectAttributes = Initialized attributes for the object
1708 OUT PHANDLE KeyHandle,
1709 IN ACCESS_MASK DesiredAccess,
1710 IN POBJECT_ATTRIBUTES ObjectAttributes
1716 OUT PHANDLE KeyHandle,
1717 IN ACCESS_MASK DesiredAccess,
1718 IN POBJECT_ATTRIBUTES ObjectAttributes
1721 * FUNCTION: Opens an existing key in the registry
1723 * MutantHandle (OUT) = Caller supplied storage for the resulting handle
1724 * DesiredAccess = Requested access to the mutant
1725 * ObjectAttribute = Initialized attributes for the object
1731 OUT PHANDLE MutantHandle,
1732 IN ACCESS_MASK DesiredAccess,
1733 IN POBJECT_ATTRIBUTES ObjectAttributes
1738 OUT PHANDLE MutantHandle,
1739 IN ACCESS_MASK DesiredAccess,
1740 IN POBJECT_ATTRIBUTES ObjectAttributes
1744 * FUNCTION: Opens an existing process
1746 * ProcessHandle (OUT) = Caller supplied storage for the resulting handle
1747 * DesiredAccess = Requested access to the process
1748 * ObjectAttribute = Initialized attributes for the object
1749 * ClientId = Identifies the process id to open
1755 OUT PHANDLE ProcessHandle,
1756 IN ACCESS_MASK DesiredAccess,
1757 IN POBJECT_ATTRIBUTES ObjectAttributes,
1758 IN PCLIENT_ID ClientId
1763 OUT PHANDLE ProcessHandle,
1764 IN ACCESS_MASK DesiredAccess,
1765 IN POBJECT_ATTRIBUTES ObjectAttributes,
1766 IN PCLIENT_ID ClientId
1769 * FUNCTION: Opens an existing process
1771 * ProcessHandle = Handle of the process of which owns the token
1772 * DesiredAccess = Requested access to the token
1773 * TokenHandle (OUT) = Caller supplies storage for the resulting token.
1775 This function maps to the win32
1782 IN HANDLE ProcessHandle,
1783 IN ACCESS_MASK DesiredAccess,
1784 OUT PHANDLE TokenHandle
1790 IN HANDLE ProcessHandle,
1791 IN ACCESS_MASK DesiredAccess,
1792 OUT PHANDLE TokenHandle
1796 * FUNCTION: Opens an existing section object
1798 * KeyHandle (OUT) = Caller supplied storage for the resulting handle
1799 * DesiredAccess = Requested access to the key
1800 * ObjectAttribute = Initialized attributes for the object
1807 OUT PHANDLE SectionHandle,
1808 IN ACCESS_MASK DesiredAccess,
1809 IN POBJECT_ATTRIBUTES ObjectAttributes
1814 OUT PHANDLE SectionHandle,
1815 IN ACCESS_MASK DesiredAccess,
1816 IN POBJECT_ATTRIBUTES ObjectAttributes
1819 * FUNCTION: Opens an existing semaphore
1821 * SemaphoreHandle (OUT) = Caller supplied storage for the resulting handle
1822 * DesiredAccess = Requested access to the semaphore
1823 * ObjectAttribute = Initialized attributes for the object
1829 IN HANDLE SemaphoreHandle,
1830 IN ACCESS_MASK DesiredAcces,
1831 IN POBJECT_ATTRIBUTES ObjectAttributes
1836 IN HANDLE SemaphoreHandle,
1837 IN ACCESS_MASK DesiredAcces,
1838 IN POBJECT_ATTRIBUTES ObjectAttributes
1841 * FUNCTION: Opens an existing symbolic link
1843 * SymbolicLinkHandle (OUT) = Caller supplied storage for the resulting handle
1844 * DesiredAccess = Requested access to the symbolic link
1845 * ObjectAttribute = Initialized attributes for the object
1850 NtOpenSymbolicLinkObject(
1851 OUT PHANDLE SymbolicLinkHandle,
1852 IN ACCESS_MASK DesiredAccess,
1853 IN POBJECT_ATTRIBUTES ObjectAttributes
1857 ZwOpenSymbolicLinkObject(
1858 OUT PHANDLE SymbolicLinkHandle,
1859 IN ACCESS_MASK DesiredAccess,
1860 IN POBJECT_ATTRIBUTES ObjectAttributes
1863 * FUNCTION: Opens an existing thread
1865 * ThreadHandle (OUT) = Caller supplied storage for the resulting handle
1866 * DesiredAccess = Requested access to the thread
1867 * ObjectAttribute = Initialized attributes for the object
1868 * ClientId = Identifies the thread to open.
1874 OUT PHANDLE ThreadHandle,
1875 IN ACCESS_MASK DesiredAccess,
1876 IN POBJECT_ATTRIBUTES ObjectAttributes,
1877 IN PCLIENT_ID ClientId
1882 OUT PHANDLE ThreadHandle,
1883 IN ACCESS_MASK DesiredAccess,
1884 IN POBJECT_ATTRIBUTES ObjectAttributes,
1885 IN PCLIENT_ID ClientId
1891 IN HANDLE ThreadHandle,
1892 IN ACCESS_MASK DesiredAccess,
1893 IN BOOLEAN OpenAsSelf,
1894 OUT PHANDLE TokenHandle
1900 IN HANDLE ThreadHandle,
1901 IN ACCESS_MASK DesiredAccess,
1902 IN BOOLEAN OpenAsSelf,
1903 OUT PHANDLE TokenHandle
1906 * FUNCTION: Opens an existing timer
1908 * TimerHandle (OUT) = Caller supplied storage for the resulting handle
1909 * DesiredAccess = Requested access to the timer
1910 * ObjectAttribute = Initialized attributes for the object
1916 OUT PHANDLE TimerHandle,
1917 IN ACCESS_MASK DesiredAccess,
1918 IN POBJECT_ATTRIBUTES ObjectAttributes
1923 OUT PHANDLE TimerHandle,
1924 IN ACCESS_MASK DesiredAccess,
1925 IN POBJECT_ATTRIBUTES ObjectAttributes
1929 * FUNCTION: Checks an access token for specific privileges
1931 * ClientToken = Handle to a access token structure
1932 * RequiredPrivileges = Specifies the requested privileges.
1933 * Result = Caller supplies storage for the result. If PRIVILEGE_SET_ALL_NECESSARY is
1934 set in the Control member of PRIVILEGES_SET Result
1935 will only be TRUE if all privileges are present in the access token.
1942 IN HANDLE ClientToken,
1943 IN PPRIVILEGE_SET RequiredPrivileges,
1950 IN HANDLE ClientToken,
1951 IN PPRIVILEGE_SET RequiredPrivileges,
1957 NtPrivilegedServiceAuditAlarm(
1958 IN PUNICODE_STRING SubsystemName,
1959 IN PUNICODE_STRING ServiceName,
1960 IN HANDLE ClientToken,
1961 IN PPRIVILEGE_SET Privileges,
1962 IN BOOLEAN AccessGranted
1967 ZwPrivilegedServiceAuditAlarm(
1968 IN PUNICODE_STRING SubsystemName,
1969 IN PUNICODE_STRING ServiceName,
1970 IN HANDLE ClientToken,
1971 IN PPRIVILEGE_SET Privileges,
1972 IN BOOLEAN AccessGranted
1977 NtPrivilegeObjectAuditAlarm(
1978 IN PUNICODE_STRING SubsystemName,
1980 IN HANDLE ClientToken,
1981 IN ULONG DesiredAccess,
1982 IN PPRIVILEGE_SET Privileges,
1983 IN BOOLEAN AccessGranted
1988 ZwPrivilegeObjectAuditAlarm(
1989 IN PUNICODE_STRING SubsystemName,
1991 IN HANDLE ClientToken,
1992 IN ULONG DesiredAccess,
1993 IN PPRIVILEGE_SET Privileges,
1994 IN BOOLEAN AccessGranted
1998 * FUNCTION: Entry point for native applications
2000 * Peb = Pointes to the Process Environment Block (PEB)
2002 * Native applications should use this function instead of a main.
2003 * Calling proces should terminate itself.
2013 * FUNCTION: Signals an event and resets it afterwards.
2015 * EventHandle = Handle to the event
2016 * PulseCount = Number of times the action is repeated
2022 IN HANDLE EventHandle,
2023 IN PULONG PulseCount OPTIONAL
2029 IN HANDLE EventHandle,
2030 IN PULONG PulseCount OPTIONAL
2034 * FUNCTION: Queries the attributes of a file
2036 * ObjectAttributes = Initialized attributes for the object
2037 * Buffer = Caller supplies storage for the attributes
2042 NtQueryAttributesFile(IN POBJECT_ATTRIBUTES ObjectAttributes,
2043 OUT PFILE_BASIC_INFORMATION FileInformation);
2046 ZwQueryAttributesFile(IN POBJECT_ATTRIBUTES ObjectAttributes,
2047 OUT PFILE_BASIC_INFORMATION FileInformation);
2050 * FUNCTION: Queries the default locale id
2052 * UserProfile = Type of locale id
2053 * TRUE: thread locale id
2054 * FALSE: system locale id
2055 * DefaultLocaleId = Caller supplies storage for the locale id
2061 NtQueryDefaultLocale(
2062 IN BOOLEAN UserProfile,
2063 OUT PLCID DefaultLocaleId
2068 ZwQueryDefaultLocale(
2069 IN BOOLEAN UserProfile,
2070 OUT PLCID DefaultLocaleId
2074 * FUNCTION: Queries a directory file.
2076 * FileHandle = Handle to a directory file
2077 * EventHandle = Handle to the event signaled on completion
2078 * ApcRoutine = Asynchroneous procedure callback, called on completion
2079 * ApcContext = Argument to the apc.
2080 * IoStatusBlock = Caller supplies storage for extended status information.
2081 * FileInformation = Caller supplies storage for the resulting information.
2083 * FileNameInformation FILE_NAMES_INFORMATION
2084 * FileDirectoryInformation FILE_DIRECTORY_INFORMATION
2085 * FileFullDirectoryInformation FILE_FULL_DIRECTORY_INFORMATION
2086 * FileBothDirectoryInformation FILE_BOTH_DIR_INFORMATION
2088 * Length = Size of the storage supplied
2089 * FileInformationClass = Indicates the type of information requested.
2090 * ReturnSingleEntry = Specify true if caller only requests the first directory found.
2091 * FileName = Initial directory name to query, that may contain wild cards.
2092 * RestartScan = Number of times the action should be repeated
2093 * RETURNS: Status [ STATUS_SUCCESS, STATUS_ACCESS_DENIED, STATUS_INSUFFICIENT_RESOURCES,
2094 * STATUS_INVALID_PARAMETER, STATUS_INVALID_DEVICE_REQUEST, STATUS_BUFFER_OVERFLOW,
2095 * STATUS_INVALID_INFO_CLASS, STATUS_NO_SUCH_FILE, STATUS_NO_MORE_FILES ]
2100 NtQueryDirectoryFile(
2101 IN HANDLE FileHandle,
2102 IN HANDLE Event OPTIONAL,
2103 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
2104 IN PVOID ApcContext OPTIONAL,
2105 OUT PIO_STATUS_BLOCK IoStatusBlock,
2106 OUT PVOID FileInformation,
2108 IN FILE_INFORMATION_CLASS FileInformationClass,
2109 IN BOOLEAN ReturnSingleEntry,
2110 IN PUNICODE_STRING FileName OPTIONAL,
2111 IN BOOLEAN RestartScan
2116 ZwQueryDirectoryFile(
2117 IN HANDLE FileHandle,
2118 IN HANDLE Event OPTIONAL,
2119 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
2120 IN PVOID ApcContext OPTIONAL,
2121 OUT PIO_STATUS_BLOCK IoStatusBlock,
2122 OUT PVOID FileInformation,
2124 IN FILE_INFORMATION_CLASS FileInformationClass,
2125 IN BOOLEAN ReturnSingleEntry,
2126 IN PUNICODE_STRING FileName OPTIONAL,
2127 IN BOOLEAN RestartScan
2131 * FUNCTION: Queries the extended attributes of a file
2133 * FileHandle = Handle to the event
2134 * IoStatusBlock = Number of times the action is repeated
2148 IN HANDLE FileHandle,
2149 OUT PIO_STATUS_BLOCK IoStatusBlock,
2152 IN BOOLEAN ReturnSingleEntry,
2153 IN PVOID EaList OPTIONAL,
2154 IN ULONG EaListLength,
2155 IN PULONG EaIndex OPTIONAL,
2156 IN BOOLEAN RestartScan
2162 IN HANDLE FileHandle,
2163 OUT PIO_STATUS_BLOCK IoStatusBlock,
2166 IN BOOLEAN ReturnSingleEntry,
2167 IN PVOID EaList OPTIONAL,
2168 IN ULONG EaListLength,
2169 IN PULONG EaIndex OPTIONAL,
2170 IN BOOLEAN RestartScan
2174 * FUNCTION: Queries an event
2176 * EventHandle = Handle to the event
2177 * EventInformationClass = Index of the information structure
2179 EventBasicInformation EVENT_BASIC_INFORMATION
2181 * EventInformation = Caller supplies storage for the information structure
2182 * EventInformationLength = Size of the information structure
2183 * ReturnLength = Data written
2189 IN HANDLE EventHandle,
2190 IN EVENT_INFORMATION_CLASS EventInformationClass,
2191 OUT PVOID EventInformation,
2192 IN ULONG EventInformationLength,
2193 OUT PULONG ReturnLength
2198 IN HANDLE EventHandle,
2199 IN EVENT_INFORMATION_CLASS EventInformationClass,
2200 OUT PVOID EventInformation,
2201 IN ULONG EventInformationLength,
2202 OUT PULONG ReturnLength
2206 NtQueryFullAttributesFile(IN POBJECT_ATTRIBUTES ObjectAttributes,
2207 OUT PFILE_NETWORK_OPEN_INFORMATION FileInformation);
2210 ZwQueryFullAttributesFile(IN POBJECT_ATTRIBUTES ObjectAttributes,
2211 OUT PFILE_NETWORK_OPEN_INFORMATION FileInformation);
2214 * FUNCTION: Queries the information of a file object.
2216 * FileHandle = Handle to the file object
2217 * IoStatusBlock = Caller supplies storage for extended information
2218 * on the current operation.
2219 * FileInformation = Storage for the new file information
2220 * Lenght = Size of the storage for the file information.
2221 * FileInformationClass = Indicates which file information is queried
2223 FileDirectoryInformation FILE_DIRECTORY_INFORMATION
2224 FileFullDirectoryInformation FILE_FULL_DIRECTORY_INFORMATION
2225 FileBothDirectoryInformation FILE_BOTH_DIRECTORY_INFORMATION
2226 FileBasicInformation FILE_BASIC_INFORMATION
2227 FileStandardInformation FILE_STANDARD_INFORMATION
2228 FileInternalInformation FILE_INTERNAL_INFORMATION
2229 FileEaInformation FILE_EA_INFORMATION
2230 FileAccessInformation FILE_ACCESS_INFORMATION
2231 FileNameInformation FILE_NAME_INFORMATION
2232 FileRenameInformation FILE_RENAME_INFORMATION
2234 FileNamesInformation FILE_NAMES_INFORMATION
2235 FileDispositionInformation FILE_DISPOSITION_INFORMATION
2236 FilePositionInformation FILE_POSITION_INFORMATION
2237 FileFullEaInformation FILE_FULL_EA_INFORMATION
2238 FileModeInformation FILE_MODE_INFORMATION
2239 FileAlignmentInformation FILE_ALIGNMENT_INFORMATION
2240 FileAllInformation FILE_ALL_INFORMATION
2242 FileEndOfFileInformation FILE_END_OF_FILE_INFORMATION
2243 FileAlternateNameInformation
2244 FileStreamInformation FILE_STREAM_INFORMATION
2246 FilePipeLocalInformation
2247 FilePipeRemoteInformation
2248 FileMailslotQueryInformation
2249 FileMailslotSetInformation
2250 FileCompressionInformation FILE_COMPRESSION_INFORMATION
2251 FileCopyOnWriteInformation
2252 FileCompletionInformation IO_COMPLETION_CONTEXT
2253 FileMoveClusterInformation
2254 FileOleClassIdInformation
2255 FileOleStateBitsInformation
2256 FileNetworkOpenInformation FILE_NETWORK_OPEN_INFORMATION
2257 FileObjectIdInformation
2258 FileOleAllInformation
2259 FileOleDirectoryInformation
2260 FileContentIndexInformation
2261 FileInheritContentIndexInformation
2263 FileMaximumInformation
2266 * This procedure maps to the win32 GetShortPathName, GetLongPathName,
2267 GetFullPathName, GetFileType, GetFileSize, GetFileTime functions.
2272 NtQueryInformationFile(
2273 IN HANDLE FileHandle,
2274 OUT PIO_STATUS_BLOCK IoStatusBlock,
2275 OUT PVOID FileInformation,
2277 IN FILE_INFORMATION_CLASS FileInformationClass
2282 ZwQueryInformationFile(
2284 PIO_STATUS_BLOCK IoStatusBlock,
2285 PVOID FileInformation,
2287 FILE_INFORMATION_CLASS FileInformationClass
2292 * FUNCTION: Queries the information of a thread object.
2294 * ThreadHandle = Handle to the thread object
2295 * ThreadInformationClass = Index to a certain information structure
2297 ThreadBasicInformation THREAD_BASIC_INFORMATION
2298 ThreadTimes KERNEL_USER_TIMES
2299 ThreadPriority KPRIORITY
2300 ThreadBasePriority KPRIORITY
2301 ThreadAffinityMask KAFFINITY
2302 ThreadImpersonationToken
2303 ThreadDescriptorTableEntry
2304 ThreadEnableAlignmentFaultFixup
2306 ThreadQuerySetWin32StartAddress
2308 ThreadPerformanceCount
2309 ThreadAmILastThread BOOLEAN
2310 ThreadIdealProcessor ULONG
2311 ThreadPriorityBoost ULONG
2315 * ThreadInformation = Caller supplies torage for the thread information
2316 * ThreadInformationLength = Size of the thread information structure
2317 * ReturnLength = Actual number of bytes written
2320 * This procedure maps to the win32 GetThreadTimes, GetThreadPriority,
2321 GetThreadPriorityBoost functions.
2328 NtQueryInformationThread(
2329 IN HANDLE ThreadHandle,
2330 IN THREADINFOCLASS ThreadInformationClass,
2331 OUT PVOID ThreadInformation,
2332 IN ULONG ThreadInformationLength,
2333 OUT PULONG ReturnLength
2339 NtQueryInformationToken(
2340 IN HANDLE TokenHandle,
2341 IN TOKEN_INFORMATION_CLASS TokenInformationClass,
2342 OUT PVOID TokenInformation,
2343 IN ULONG TokenInformationLength,
2344 OUT PULONG ReturnLength
2349 ZwQueryInformationToken(
2350 IN HANDLE TokenHandle,
2351 IN TOKEN_INFORMATION_CLASS TokenInformationClass,
2352 OUT PVOID TokenInformation,
2353 IN ULONG TokenInformationLength,
2354 OUT PULONG ReturnLength
2359 NtQueryIoCompletion(
2360 IN HANDLE CompletionPort,
2361 IN ULONG CompletionKey,
2362 OUT PIO_STATUS_BLOCK IoStatusBlock,
2363 OUT PULONG NumberOfBytesTransferred
2367 ZwQueryIoCompletion(
2368 IN HANDLE CompletionPort,
2369 IN ULONG CompletionKey,
2370 OUT PIO_STATUS_BLOCK IoStatusBlock,
2371 OUT PULONG NumberOfBytesTransferred
2376 * FUNCTION: Queries the information of a registry key object.
2378 KeyHandle = Handle to a registry key
2379 KeyInformationClass = Index to a certain information structure
2380 KeyInformation = Caller supplies storage for resulting information
2381 Length = Size of the supplied storage
2382 ResultLength = Bytes written
2387 IN HANDLE KeyHandle,
2388 IN KEY_INFORMATION_CLASS KeyInformationClass,
2389 OUT PVOID KeyInformation,
2391 OUT PULONG ResultLength
2397 IN HANDLE KeyHandle,
2398 IN KEY_INFORMATION_CLASS KeyInformationClass,
2399 OUT PVOID KeyInformation,
2401 OUT PULONG ResultLength
2409 NtQueryMultipleValueKey(
2410 IN HANDLE KeyHandle,
2411 IN OUT PKEY_VALUE_ENTRY ValueList,
2412 IN ULONG NumberOfValues,
2414 IN OUT PULONG Length,
2415 OUT PULONG ReturnLength
2420 ZwQueryMultipleValueKey(
2421 IN HANDLE KeyHandle,
2422 IN OUT PKEY_VALUE_ENTRY ValueList,
2423 IN ULONG NumberOfValues,
2425 IN OUT PULONG Length,
2426 OUT PULONG ReturnLength
2430 * FUNCTION: Queries the information of a mutant object.
2432 MutantHandle = Handle to a mutant
2433 MutantInformationClass = Index to a certain information structure
2434 MutantInformation = Caller supplies storage for resulting information
2435 Length = Size of the supplied storage
2436 ResultLength = Bytes written
2441 IN HANDLE MutantHandle,
2442 IN CINT MutantInformationClass,
2443 OUT PVOID MutantInformation,
2445 OUT PULONG ResultLength
2451 IN HANDLE MutantHandle,
2452 IN CINT MutantInformationClass,
2453 OUT PVOID MutantInformation,
2455 OUT PULONG ResultLength
2459 * FUNCTION: Queries the system ( high-resolution ) performance counter.
2461 * Counter = Performance counter
2462 * Frequency = Performance frequency
2464 This procedure queries a tick count faster than 10ms ( The resolution for Intel®-based CPUs is about 0.8 microseconds.)
2465 This procedure maps to the win32 QueryPerformanceCounter, QueryPerformanceFrequency
2471 NtQueryPerformanceCounter(
2472 IN PLARGE_INTEGER Counter,
2473 IN PLARGE_INTEGER Frequency
2478 ZwQueryPerformanceCounter(
2479 IN PLARGE_INTEGER Counter,
2480 IN PLARGE_INTEGER Frequency
2484 * FUNCTION: Queries the information of a semaphore.
2486 * SemaphoreHandle = Handle to the semaphore object
2487 * SemaphoreInformationClass = Index to a certain information structure
2489 SemaphoreBasicInformation SEMAPHORE_BASIC_INFORMATION
2491 * SemaphoreInformation = Caller supplies storage for the semaphore information structure
2492 * Length = Size of the infomation structure
2497 IN HANDLE SemaphoreHandle,
2498 IN SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass,
2499 OUT PVOID SemaphoreInformation,
2501 OUT PULONG ReturnLength
2507 IN HANDLE SemaphoreHandle,
2508 IN SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass,
2509 OUT PVOID SemaphoreInformation,
2511 OUT PULONG ReturnLength
2516 * FUNCTION: Queries the information of a symbolic link object.
2518 * SymbolicLinkHandle = Handle to the symbolic link object
2519 * LinkTarget = resolved name of link
2520 * DataWritten = size of the LinkName.
2526 NtQuerySymbolicLinkObject(
2527 IN HANDLE SymLinkObjHandle,
2528 OUT PUNICODE_STRING LinkTarget,
2529 OUT PULONG DataWritten OPTIONAL
2534 ZwQuerySymbolicLinkObject(
2535 IN HANDLE SymLinkObjHandle,
2536 OUT PUNICODE_STRING LinkName,
2537 OUT PULONG DataWritten OPTIONAL
2542 * FUNCTION: Queries a system environment variable.
2544 * Name = Name of the variable
2545 * Value (OUT) = value of the variable
2546 * Length = size of the buffer
2547 * ReturnLength = data written
2553 NtQuerySystemEnvironmentValue(
2554 IN PUNICODE_STRING Name,
2562 ZwQuerySystemEnvironmentValue(
2563 IN PUNICODE_STRING Name,
2571 * FUNCTION: Queries the system information.
2573 * SystemInformationClass = Index to a certain information structure
2575 SystemTimeAdjustmentInformation SYSTEM_TIME_ADJUSTMENT
2576 SystemCacheInformation SYSTEM_CACHE_INFORMATION
2577 SystemConfigurationInformation CONFIGURATION_INFORMATION
2579 * SystemInformation = caller supplies storage for the information structure
2580 * Length = size of the structure
2581 ResultLength = Data written
2587 NtQuerySystemInformation(
2588 IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
2589 OUT PVOID SystemInformation,
2591 OUT PULONG ResultLength
2596 ZwQuerySystemInformation(
2597 IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
2598 OUT PVOID SystemInformation,
2600 OUT PULONG ResultLength
2604 * FUNCTION: Queries information about a timer
2606 * TimerHandle = Handle to the timer
2607 TimerValueInformationClass = Index to a certain information structure
2608 TimerValueInformation = Caller supplies storage for the information structure
2609 Length = Size of the information structure
2610 ResultLength = Data written
2617 IN HANDLE TimerHandle,
2618 IN CINT TimerInformationClass,
2619 OUT PVOID TimerInformation,
2621 OUT PULONG ResultLength
2626 IN HANDLE TimerHandle,
2627 IN CINT TimerInformationClass,
2628 OUT PVOID TimerInformation,
2630 OUT PULONG ResultLength
2634 * FUNCTION: Queries the timer resolution
2636 * MinimumResolution (OUT) = Caller should supply storage for the resulting time.
2637 Maximum Resolution (OUT) = Caller should supply storage for the resulting time.
2638 ActualResolution (OUT) = Caller should supply storage for the resulting time.
2646 NtQueryTimerResolution (
2647 OUT PULONG MinimumResolution,
2648 OUT PULONG MaximumResolution,
2649 OUT PULONG ActualResolution
2654 ZwQueryTimerResolution (
2655 OUT PULONG MinimumResolution,
2656 OUT PULONG MaximumResolution,
2657 OUT PULONG ActualResolution
2661 * FUNCTION: Queries a registry key value
2663 * KeyHandle = Handle to the registry key
2664 ValueName = Name of the value in the registry key
2665 KeyValueInformationClass = Index to a certain information structure
2667 KeyValueBasicInformation = KEY_VALUE_BASIC_INFORMATION
2668 KeyValueFullInformation = KEY_FULL_INFORMATION
2669 KeyValuePartialInformation = KEY_VALUE_PARTIAL_INFORMATION
2671 KeyValueInformation = Caller supplies storage for the information structure
2672 Length = Size of the information structure
2673 ResultLength = Data written
2680 IN HANDLE KeyHandle,
2681 IN PUNICODE_STRING ValueName,
2682 IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
2683 OUT PVOID KeyValueInformation,
2685 OUT PULONG ResultLength
2691 IN HANDLE KeyHandle,
2692 IN PUNICODE_STRING ValueName,
2693 IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
2694 OUT PVOID KeyValueInformation,
2696 OUT PULONG ResultLength
2700 * FUNCTION: Queries the volume information
2702 * FileHandle = Handle to a file object on the target volume
2703 * IoStatusBlock = Caller should supply storage for additional status information
2704 * ReturnLength = DataWritten
2705 * FsInformation = Caller should supply storage for the information structure.
2706 * Length = Size of the information structure
2707 * FsInformationClass = Index to a information structure
2709 FileFsVolumeInformation FILE_FS_VOLUME_INFORMATION
2710 FileFsLabelInformation FILE_FS_LABEL_INFORMATION
2711 FileFsSizeInformation FILE_FS_SIZE_INFORMATION
2712 FileFsDeviceInformation FILE_FS_DEVICE_INFORMATION
2713 FileFsAttributeInformation FILE_FS_ATTRIBUTE_INFORMATION
2714 FileFsControlInformation
2715 FileFsQuotaQueryInformation --
2716 FileFsQuotaSetInformation --
2717 FileFsMaximumInformation
2719 * RETURNS: Status [ STATUS_SUCCESS | STATUS_INSUFFICIENT_RESOURCES | STATUS_INVALID_PARAMETER |
2720 STATUS_INVALID_DEVICE_REQUEST | STATUS_BUFFER_OVERFLOW ]
2725 NtQueryVolumeInformationFile(
2726 IN HANDLE FileHandle,
2727 OUT PIO_STATUS_BLOCK IoStatusBlock,
2728 OUT PVOID FsInformation,
2730 IN FS_INFORMATION_CLASS FsInformationClass
2735 ZwQueryVolumeInformationFile(
2736 IN HANDLE FileHandle,
2737 OUT PIO_STATUS_BLOCK IoStatusBlock,
2738 OUT PVOID FsInformation,
2740 IN FS_INFORMATION_CLASS FsInformationClass
2743 // FIXME: Should I specify if the apc is user or kernel mode somewhere ??
2745 * FUNCTION: Queues a (user) apc to a thread.
2747 ThreadHandle = Thread to which the apc is queued.
2748 ApcRoutine = Points to the apc routine
2749 NormalContext = Argument to Apc Routine
2750 * SystemArgument1 = Argument of the Apc Routine
2751 SystemArgument2 = Argument of the Apc Routine
2752 * REMARK: If the apc is queued against a thread of a different process than the calling thread
2753 the apc routine should be specified in the address space of the queued thread's process.
2760 HANDLE ThreadHandle,
2761 PKNORMAL_ROUTINE ApcRoutine,
2762 PVOID NormalContext,
2763 PVOID SystemArgument1,
2764 PVOID SystemArgument2);
2769 HANDLE ThreadHandle,
2770 PKNORMAL_ROUTINE ApcRoutine,
2771 PVOID NormalContext,
2772 PVOID SystemArgument1,
2773 PVOID SystemArgument2);
2777 * FUNCTION: Raises an exception
2779 * ExceptionRecord = Structure specifying the exception
2780 * Context = Context in which the excpetion is raised
2789 IN PEXCEPTION_RECORD ExceptionRecord,
2790 IN PCONTEXT Context,
2791 IN BOOLEAN SearchFrames
2797 IN PEXCEPTION_RECORD ExceptionRecord,
2798 IN PCONTEXT Context,
2799 IN BOOLEAN SearchFrames
2803 * FUNCTION: Read a file
2805 * FileHandle = Handle of a file to read
2806 * Event = This event is signalled when the read operation completes
2807 * UserApcRoutine = Call back , if supplied Event should be NULL
2808 * UserApcContext = Argument to the callback
2809 * IoStatusBlock = Caller should supply storage for additional status information
2810 * Buffer = Caller should supply storage to receive the information
2811 * BufferLength = Size of the buffer
2812 * ByteOffset = Offset to start reading the file
2813 * Key = If a range is lock a matching key will allow the read to continue.
2821 IN HANDLE FileHandle,
2822 IN HANDLE Event OPTIONAL,
2823 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL,
2824 IN PVOID UserApcContext OPTIONAL,
2825 OUT PIO_STATUS_BLOCK IoStatusBlock,
2827 IN ULONG BufferLength,
2828 IN PLARGE_INTEGER ByteOffset OPTIONAL,
2829 IN PULONG Key OPTIONAL
2835 IN HANDLE FileHandle,
2836 IN HANDLE Event OPTIONAL,
2837 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL,
2838 IN PVOID UserApcContext OPTIONAL,
2839 OUT PIO_STATUS_BLOCK IoStatusBlock,
2841 IN ULONG BufferLength,
2842 IN PLARGE_INTEGER ByteOffset OPTIONAL,
2843 IN PULONG Key OPTIONAL
2846 * FUNCTION: Read a file using scattered io
2848 FileHandle = Handle of a file to read
2849 Event = This event is signalled when the read operation completes
2850 * UserApcRoutine = Call back , if supplied Event should be NULL
2851 UserApcContext = Argument to the callback
2852 IoStatusBlock = Caller should supply storage for additional status information
2853 BufferDescription = Caller should supply storage to receive the information
2854 BufferLength = Size of the buffer
2855 ByteOffset = Offset to start reading the file
2856 Key = Key = If a range is lock a matching key will allow the read to continue.
2863 IN HANDLE FileHandle,
2864 IN HANDLE Event OPTIONAL,
2865 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL,
2866 IN PVOID UserApcContext OPTIONAL,
2867 OUT PIO_STATUS_BLOCK UserIoStatusBlock,
2868 IN FILE_SEGMENT_ELEMENT BufferDescription[],
2869 IN ULONG BufferLength,
2870 IN PLARGE_INTEGER ByteOffset,
2871 IN PULONG Key OPTIONAL
2877 IN HANDLE FileHandle,
2878 IN HANDLE Event OPTIONAL,
2879 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL,
2880 IN PVOID UserApcContext OPTIONAL,
2881 OUT PIO_STATUS_BLOCK UserIoStatusBlock,
2882 IN FILE_SEGMENT_ELEMENT BufferDescription[],
2883 IN ULONG BufferLength,
2884 IN PLARGE_INTEGER ByteOffset,
2885 IN PULONG Key OPTIONAL
2888 * FUNCTION: Copies a range of virtual memory to a buffer
2890 * ProcessHandle = Specifies the process owning the virtual address space
2891 * BaseAddress = Points to the address of virtual memory to start the read
2892 * Buffer = Caller supplies storage to copy the virtual memory to.
2893 * NumberOfBytesToRead = Limits the range to read
2894 * NumberOfBytesRead = The actual number of bytes read.
2900 NtReadVirtualMemory(
2901 IN HANDLE ProcessHandle,
2902 IN PVOID BaseAddress,
2904 IN ULONG NumberOfBytesToRead,
2905 OUT PULONG NumberOfBytesRead
2909 ZwReadVirtualMemory(
2910 IN HANDLE ProcessHandle,
2911 IN PVOID BaseAddress,
2913 IN ULONG NumberOfBytesToRead,
2914 OUT PULONG NumberOfBytesRead
2919 * FUNCTION: Debugger can register for thread termination
2921 * TerminationPort = Port on which the debugger likes to be notified.
2926 NtRegisterThreadTerminatePort(
2927 HANDLE TerminationPort
2931 ZwRegisterThreadTerminatePort(
2932 HANDLE TerminationPort
2936 * FUNCTION: Releases a mutant
2938 * MutantHandle = Handle to the mutant
2945 IN HANDLE MutantHandle,
2946 IN PULONG ReleaseCount OPTIONAL
2952 IN HANDLE MutantHandle,
2953 IN PULONG ReleaseCount OPTIONAL
2957 * FUNCTION: Releases a semaphore
2959 * SemaphoreHandle = Handle to the semaphore object
2960 * ReleaseCount = Number to decrease the semaphore count
2961 * PreviousCount = Previous semaphore count
2967 IN HANDLE SemaphoreHandle,
2968 IN LONG ReleaseCount,
2969 OUT PLONG PreviousCount
2975 IN HANDLE SemaphoreHandle,
2976 IN LONG ReleaseCount,
2977 OUT PLONG PreviousCount
2981 * FUNCTION: Removes an io completion
2983 * CompletionPort (OUT) = Caller supplied storage for the resulting handle
2984 * CompletionKey = Requested access to the key
2985 * IoStatusBlock = Caller provides storage for extended status information
2986 * CompletionStatus = Current status of the io operation.
2987 * WaitTime = Time to wait if ..
2992 NtRemoveIoCompletion(
2993 IN HANDLE CompletionPort,
2994 OUT PULONG CompletionKey,
2995 OUT PIO_STATUS_BLOCK IoStatusBlock,
2996 OUT PULONG CompletionStatus,
2997 IN PLARGE_INTEGER WaitTime
3002 ZwRemoveIoCompletion(
3003 IN HANDLE CompletionPort,
3004 OUT PULONG CompletionKey,
3005 OUT PIO_STATUS_BLOCK IoStatusBlock,
3006 OUT PULONG CompletionStatus,
3007 IN PLARGE_INTEGER WaitTime
3010 * FUNCTION: Replaces one registry key with another
3012 * ObjectAttributes = Specifies the attributes of the key
3013 * Key = Handle to the key
3014 * ReplacedObjectAttributes = The function returns the old object attributes
3020 IN POBJECT_ATTRIBUTES ObjectAttributes,
3022 IN POBJECT_ATTRIBUTES ReplacedObjectAttributes
3027 IN POBJECT_ATTRIBUTES ObjectAttributes,
3029 IN POBJECT_ATTRIBUTES ReplacedObjectAttributes
3033 * FUNCTION: Resets a event to a non signaled state
3035 * EventHandle = Handle to the event that should be reset
3036 * NumberOfWaitingThreads = The number of threads released.
3043 PULONG NumberOfWaitingThreads OPTIONAL
3049 PULONG NumberOfWaitingThreads OPTIONAL
3068 * FUNCTION: Decrements a thread's resume count
3070 * ThreadHandle = Handle to the thread that should be resumed
3071 * ResumeCount = The resulting resume count.
3073 * A thread is resumed if its suspend count is 0. This procedure maps to
3074 * the win32 ResumeThread function. ( documentation about the the suspend count can be found here aswell )
3080 IN HANDLE ThreadHandle,
3081 OUT PULONG SuspendCount
3086 IN HANDLE ThreadHandle,
3087 OUT PULONG SuspendCount
3090 * FUNCTION: Writes the content of a registry key to ascii file
3092 * KeyHandle = Handle to the key
3093 * FileHandle = Handle of the file
3095 This function maps to the Win32 RegSaveKey.
3102 IN HANDLE KeyHandle,
3103 IN HANDLE FileHandle
3108 IN HANDLE KeyHandle,
3109 IN HANDLE FileHandle
3113 * FUNCTION: Sets the context of a specified thread.
3115 * ThreadHandle = Handle to the thread
3116 * Context = The processor context.
3123 IN HANDLE ThreadHandle,
3129 IN HANDLE ThreadHandle,
3134 * FUNCTION: Sets the default locale id
3136 * UserProfile = Type of locale id
3137 * TRUE: thread locale id
3138 * FALSE: system locale id
3139 * DefaultLocaleId = Locale id
3146 IN BOOLEAN UserProfile,
3147 IN LCID DefaultLocaleId
3153 IN BOOLEAN UserProfile,
3154 IN LCID DefaultLocaleId
3158 * FUNCTION: Sets the default hard error port
3160 * PortHandle = Handle to the port
3161 * NOTE: The hard error port is used for first change exception handling
3166 NtSetDefaultHardErrorPort(
3167 IN HANDLE PortHandle
3171 ZwSetDefaultHardErrorPort(
3172 IN HANDLE PortHandle
3176 * FUNCTION: Sets the extended attributes of a file.
3178 * FileHandle = Handle to the file
3179 * IoStatusBlock = Storage for a resulting status and information
3180 * on the current operation.
3181 * EaBuffer = Extended Attributes buffer.
3182 * EaBufferSize = Size of the extended attributes buffer
3188 IN HANDLE FileHandle,
3189 IN PIO_STATUS_BLOCK IoStatusBlock,
3196 IN HANDLE FileHandle,
3197 IN PIO_STATUS_BLOCK IoStatusBlock,
3202 //FIXME: should I return the event state ?
3205 * FUNCTION: Sets the event to a signalled state.
3207 * EventHandle = Handle to the event
3208 * NumberOfThreadsReleased = The number of threads released
3210 * This procedure maps to the win32 SetEvent function.
3217 IN HANDLE EventHandle,
3218 PULONG NumberOfThreadsReleased
3224 IN HANDLE EventHandle,
3225 PULONG NumberOfThreadsReleased
3229 * FUNCTION: Sets the high part of an event pair
3231 EventPair = Handle to the event pair
3238 IN HANDLE EventPairHandle
3244 IN HANDLE EventPairHandle
3247 * FUNCTION: Sets the high part of an event pair and wait for the low part
3249 EventPair = Handle to the event pair
3254 NtSetHighWaitLowEventPair(
3255 IN HANDLE EventPairHandle
3259 ZwSetHighWaitLowEventPair(
3260 IN HANDLE EventPairHandle
3264 * FUNCTION: Sets the information of a file object.
3266 * FileHandle = Handle to the file object
3267 * IoStatusBlock = Caller supplies storage for extended information
3268 * on the current operation.
3269 * FileInformation = Storage for the new file information
3270 * Lenght = Size of the new file information.
3271 * FileInformationClass = Indicates to a certain information structure
3273 FileNameInformation FILE_NAME_INFORMATION
3274 FileRenameInformation FILE_RENAME_INFORMATION
3275 FileStreamInformation FILE_STREAM_INFORMATION
3276 * FileCompletionInformation IO_COMPLETION_CONTEXT
3279 * This procedure maps to the win32 SetEndOfFile, SetFileAttributes,
3280 * SetNamedPipeHandleState, SetMailslotInfo functions.
3287 NtSetInformationFile(
3288 IN HANDLE FileHandle,
3289 IN PIO_STATUS_BLOCK IoStatusBlock,
3290 IN PVOID FileInformation,
3292 IN FILE_INFORMATION_CLASS FileInformationClass
3296 ZwSetInformationFile(
3297 IN HANDLE FileHandle,
3298 IN PIO_STATUS_BLOCK IoStatusBlock,
3299 IN PVOID FileInformation,
3301 IN FILE_INFORMATION_CLASS FileInformationClass
3305 * FUNCTION: Changes a set of thread specific parameters
3307 * ThreadHandle = Handle to the thread
3308 * ThreadInformationClass = Index to the set of parameters to change.
3309 * Can be one of the following values:
3311 * ThreadBasicInformation THREAD_BASIC_INFORMATION
3312 * ThreadPriority KPRIORITY //???
3313 * ThreadBasePriority KPRIORITY
3314 * ThreadAffinityMask KAFFINITY //??
3315 * ThreadImpersonationToken ACCESS_TOKEN
3316 * ThreadIdealProcessor ULONG
3317 * ThreadPriorityBoost ULONG
3319 * ThreadInformation = Caller supplies storage for parameters to set.
3320 * ThreadInformationLength = Size of the storage supplied
3325 NtSetInformationThread(
3326 IN HANDLE ThreadHandle,
3327 IN THREADINFOCLASS ThreadInformationClass,
3328 IN PVOID ThreadInformation,
3329 IN ULONG ThreadInformationLength
3333 ZwSetInformationThread(
3334 IN HANDLE ThreadHandle,
3335 IN THREADINFOCLASS ThreadInformationClass,
3336 IN PVOID ThreadInformation,
3337 IN ULONG ThreadInformationLength
3341 * FUNCTION: Changes a set of token specific parameters
3343 * TokenHandle = Handle to the token
3344 * TokenInformationClass = Index to a certain information structure.
3345 * Can be one of the following values:
3347 TokenUser TOKEN_USER
3348 TokenGroups TOKEN_GROUPS
3349 TokenPrivileges TOKEN_PRIVILEGES
3350 TokenOwner TOKEN_OWNER
3351 TokenPrimaryGroup TOKEN_PRIMARY_GROUP
3352 TokenDefaultDacl TOKEN_DEFAULT_DACL
3353 TokenSource TOKEN_SOURCE
3354 TokenType TOKEN_TYPE
3355 TokenImpersonationLevel TOKEN_IMPERSONATION_LEVEL
3356 TokenStatistics TOKEN_STATISTICS
3358 * TokenInformation = Caller supplies storage for information structure.
3359 * TokenInformationLength = Size of the information structure
3365 NtSetInformationToken(
3366 IN HANDLE TokenHandle,
3367 IN TOKEN_INFORMATION_CLASS TokenInformationClass,
3368 OUT PVOID TokenInformation,
3369 IN ULONG TokenInformationLength
3374 ZwSetInformationToken(
3375 IN HANDLE TokenHandle,
3376 IN TOKEN_INFORMATION_CLASS TokenInformationClass,
3377 OUT PVOID TokenInformation,
3378 IN ULONG TokenInformationLength
3383 * FUNCTION: Sets an io completion
3388 * NumberOfBytesToTransfer =
3389 * NumberOfBytesTransferred =
3395 IN HANDLE CompletionPort,
3396 IN ULONG CompletionKey,
3397 OUT PIO_STATUS_BLOCK IoStatusBlock,
3398 IN ULONG NumberOfBytesToTransfer,
3399 OUT PULONG NumberOfBytesTransferred
3404 IN HANDLE CompletionPort,
3405 IN ULONG CompletionKey,
3406 OUT PIO_STATUS_BLOCK IoStatusBlock,
3407 IN ULONG NumberOfBytesToTransfer,
3408 OUT PULONG NumberOfBytesTransferred
3412 * FUNCTION: Set properties for profiling
3422 NtSetIntervalProfile(
3424 KPROFILE_SOURCE ClockSource
3429 ZwSetIntervalProfile(
3431 KPROFILE_SOURCE ClockSource
3436 * FUNCTION: Sets the low part of an event pair
3438 EventPair = Handle to the event pair
3453 * FUNCTION: Sets the low part of an event pair and wait for the high part
3455 EventPair = Handle to the event pair
3460 NtSetLowWaitHighEventPair(
3465 ZwSetLowWaitHighEventPair(
3471 NtSetSecurityObject(
3473 IN SECURITY_INFORMATION SecurityInformation,
3474 IN PSECURITY_DESCRIPTOR SecurityDescriptor
3479 ZwSetSecurityObject(
3481 IN SECURITY_INFORMATION SecurityInformation,
3482 IN PSECURITY_DESCRIPTOR SecurityDescriptor
3487 * FUNCTION: Sets a system environment variable
3489 * ValueName = Name of the environment variable
3490 * Value = Value of the environment variable
3495 NtSetSystemEnvironmentValue(
3496 IN PUNICODE_STRING VariableName,
3497 IN PUNICODE_STRING Value
3501 ZwSetSystemEnvironmentValue(
3502 IN PUNICODE_STRING VariableName,
3503 IN PUNICODE_STRING Value
3506 * FUNCTION: Sets system parameters
3508 * SystemInformationClass = Index to a particular set of system parameters
3509 * Can be one of the following values:
3511 * SystemTimeAdjustmentInformation SYSTEM_TIME_ADJUSTMENT
3513 * SystemInformation = Structure containing the parameters.
3514 * SystemInformationLength = Size of the structure.
3519 NtSetSystemInformation(
3520 IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
3521 IN PVOID SystemInformation,
3522 IN ULONG SystemInformationLength
3527 ZwSetSystemInformation(
3528 IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
3529 IN PVOID SystemInformation,
3530 IN ULONG SystemInformationLength
3534 * FUNCTION: Sets the system time
3536 * SystemTime = Old System time
3537 * NewSystemTime = New System time
3543 IN PLARGE_INTEGER SystemTime,
3544 IN PLARGE_INTEGER NewSystemTime OPTIONAL
3549 IN PLARGE_INTEGER SystemTime,
3550 IN PLARGE_INTEGER NewSystemTime OPTIONAL
3554 * FUNCTION: Sets the frequency of the system timer
3556 * RequestedResolution =
3558 * ActualResolution =
3563 NtSetTimerResolution(
3564 IN ULONG RequestedResolution,
3566 OUT PULONG ActualResolution
3570 ZwSetTimerResolution(
3571 IN ULONG RequestedResolution,
3573 OUT PULONG ActualResolution
3577 * FUNCTION: Sets the value of a registry key
3579 * KeyHandle = Handle to a registry key
3580 * ValueName = Name of the value entry to change
3581 * TitleIndex = pointer to a structure containing the new volume information
3582 * Type = Type of the registry key. Can be one of the values:
3583 * REG_BINARY Unspecified binary data
3584 * REG_DWORD A 32 bit value
3585 * REG_DWORD_LITTLE_ENDIAN Same as REG_DWORD
3586 * REG_DWORD_BIG_ENDIAN A 32 bit value whose least significant byte is at the highest address
3587 * REG_EXPAND_SZ A zero terminated wide character string with unexpanded environment variables ( "%PATH%" )
3588 * REG_LINK A zero terminated wide character string referring to a symbolic link.
3589 * REG_MULTI_SZ A series of zero-terminated strings including a additional trailing zero
3590 * REG_NONE Unspecified type
3591 * REG_SZ A wide character string ( zero terminated )
3592 * REG_RESOURCE_LIST ??
3593 * REG_RESOURCE_REQUIREMENTS_LIST ??
3594 * REG_FULL_RESOURCE_DESCRIPTOR ??
3595 * Data = Contains the data for the registry key.
3596 * DataSize = size of the data.
3602 IN HANDLE KeyHandle,
3603 IN PUNICODE_STRING ValueName,
3604 IN ULONG TitleIndex OPTIONAL,
3612 IN HANDLE KeyHandle,
3613 IN PUNICODE_STRING ValueName,
3614 IN ULONG TitleIndex OPTIONAL,
3621 * FUNCTION: Sets the volume information.
3623 * FileHandle = Handle to the file
3624 * IoStatusBlock = Caller should supply storage for additional status information
3625 * VolumeInformation = pointer to a structure containing the new volume information
3626 * Length = size of the structure.
3627 * VolumeInformationClass = specifies the particular volume information to set
3632 NtSetVolumeInformationFile(
3633 IN HANDLE FileHandle,
3634 OUT PIO_STATUS_BLOCK IoStatusBlock,
3635 IN PVOID FsInformation,
3637 IN FS_INFORMATION_CLASS FsInformationClass
3642 ZwSetVolumeInformationFile(
3643 IN HANDLE FileHandle,
3644 OUT PIO_STATUS_BLOCK IoStatusBlock,
3645 IN PVOID FsInformation,
3647 IN FS_INFORMATION_CLASS FsInformationClass
3651 * FUNCTION: Shuts the system down
3653 * Action = Specifies the type of shutdown, it can be one of the following values:
3654 * ShutdownNoReboot, ShutdownReboot, ShutdownPowerOff
3660 IN SHUTDOWN_ACTION Action
3666 IN SHUTDOWN_ACTION Action
3670 /* --- PROFILING --- */
3673 * FUNCTION: Starts profiling
3675 * ProfileHandle = Handle to the profile
3682 HANDLE ProfileHandle
3688 HANDLE ProfileHandle
3692 * FUNCTION: Stops profiling
3694 * ProfileHandle = Handle to the profile
3701 HANDLE ProfileHandle
3707 HANDLE ProfileHandle
3710 /* --- PROCESS MANAGEMENT --- */
3712 //--NtSystemDebugControl
3714 * FUNCTION: Terminates the execution of a process.
3716 * ThreadHandle = Handle to the process
3717 * ExitStatus = The exit status of the process to terminate with.
3719 Native applications should kill themselves using this function.
3725 IN HANDLE ProcessHandle ,
3726 IN NTSTATUS ExitStatus
3731 IN HANDLE ProcessHandle ,
3732 IN NTSTATUS ExitStatus
3735 /* --- DEVICE DRIVER CONTROL --- */
3738 * FUNCTION: Unloads a driver.
3740 * DriverServiceName = Name of the driver to unload
3746 IN PUNICODE_STRING DriverServiceName
3751 IN PUNICODE_STRING DriverServiceName
3754 /* --- VIRTUAL MEMORY MANAGEMENT --- */
3757 * FUNCTION: Writes a range of virtual memory
3759 * ProcessHandle = The handle to the process owning the address space.
3760 * BaseAddress = The points to the address to write to
3761 * Buffer = Pointer to the buffer to write
3762 * NumberOfBytesToWrite = Offset to the upper boundary to write
3763 * NumberOfBytesWritten = Total bytes written
3765 * This function maps to the win32 WriteProcessMemory
3770 NtWriteVirtualMemory(
3771 IN HANDLE ProcessHandle,
3772 IN PVOID BaseAddress,
3774 IN ULONG NumberOfBytesToWrite,
3775 OUT PULONG NumberOfBytesWritten
3780 ZwWriteVirtualMemory(
3781 IN HANDLE ProcessHandle,
3782 IN PVOID BaseAddress,
3784 IN ULONG NumberOfBytesToWrite,
3785 OUT PULONG NumberOfBytesWritten
3789 * FUNCTION: Unmaps a piece of virtual memory backed by a file.
3791 * ProcessHandle = Handle to the process
3792 * BaseAddress = The address where the mapping begins
3794 This procedure maps to the win32 UnMapViewOfFile
3799 NtUnmapViewOfSection(
3800 IN HANDLE ProcessHandle,
3801 IN PVOID BaseAddress
3805 ZwUnmapViewOfSection(
3806 IN HANDLE ProcessHandle,
3807 IN PVOID BaseAddress
3810 /* --- OBJECT SYNCHRONIZATION --- */
3813 * FUNCTION: Signals an object and wait for an other one.
3815 * SignalObject = Handle to the object that should be signaled
3816 * WaitObject = Handle to the object that should be waited for
3817 * Alertable = True if the wait is alertable
3818 * Time = The time to wait
3823 NtSignalAndWaitForSingleObject(
3824 IN HANDLE SignalObject,
3825 IN HANDLE WaitObject,
3826 IN BOOLEAN Alertable,
3827 IN PLARGE_INTEGER Time
3832 NtSignalAndWaitForSingleObject(
3833 IN HANDLE SignalObject,
3834 IN HANDLE WaitObject,
3835 IN BOOLEAN Alertable,
3836 IN PLARGE_INTEGER Time
3840 * FUNCTION: Waits for an object to become signalled.
3842 * Object = The object handle
3843 * Alertable = If true the wait is alertable.
3844 * Time = The maximum wait time.
3846 * This function maps to the win32 WaitForSingleObjectEx.
3851 NtWaitForSingleObject (
3853 IN BOOLEAN Alertable,
3854 IN PLARGE_INTEGER Time
3859 ZwWaitForSingleObject (
3861 IN BOOLEAN Alertable,
3862 IN PLARGE_INTEGER Time
3865 /* --- EVENT PAIR OBJECT --- */
3868 * FUNCTION: Waits for the high part of an eventpair to become signalled
3870 * EventPairHandle = Handle to the event pair.
3876 NtWaitHighEventPair(
3877 IN HANDLE EventPairHandle
3882 ZwWaitHighEventPair(
3883 IN HANDLE EventPairHandle
3887 * FUNCTION: Waits for the low part of an eventpair to become signalled
3889 * EventPairHandle = Handle to the event pair.
3895 IN HANDLE EventPairHandle
3901 IN HANDLE EventPairHandle
3904 /* --- FILE MANAGEMENT --- */
3907 * FUNCTION: Unlocks a range of bytes in a file.
3909 * FileHandle = Handle to the file
3910 * IoStatusBlock = Caller should supply storage for a structure containing
3911 * the completion status and information about the requested unlock operation.
3912 The information field is set to the number of bytes unlocked.
3913 * ByteOffset = Offset to start the range of bytes to unlock
3914 * Length = Number of bytes to unlock.
3915 * Key = Special value to enable other threads to unlock a file than the
3916 thread that locked the file. The key supplied must match with the one obtained
3917 in a previous call to NtLockFile.
3919 This procedure maps to the win32 procedure UnlockFileEx. STATUS_PENDING is returned if the lock could
3920 not be obtained immediately, the device queue is busy and the IRP is queued.
3921 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PENDING | STATUS_ACCESS_DENIED | STATUS_INSUFFICIENT_RESOURCES |
3922 STATUS_INVALID_PARAMETER | STATUS_INVALID_DEVICE_REQUEST | STATUS_RANGE_NOT_LOCKED ]
3927 IN HANDLE FileHandle,
3928 OUT PIO_STATUS_BLOCK IoStatusBlock,
3929 IN PLARGE_INTEGER ByteOffset,
3930 IN PLARGE_INTEGER Lenght,
3931 OUT PULONG Key OPTIONAL
3936 IN HANDLE FileHandle,
3937 OUT PIO_STATUS_BLOCK IoStatusBlock,
3938 IN PLARGE_INTEGER ByteOffset,
3939 IN PLARGE_INTEGER Lenght,
3940 OUT PULONG Key OPTIONAL
3944 * FUNCTION: Writes data to a file
3946 * FileHandle = The handle a file ( from NtCreateFile )
3947 * Event = Specifies a event that will become signalled when the write operation completes.
3948 * ApcRoutine = Asynchroneous Procedure Callback [ Should not be used by device drivers ]
3949 * ApcContext = Argument to the Apc Routine
3950 * IoStatusBlock = Caller should supply storage for a structure containing the completion status and information about the requested write operation.
3951 * Buffer = Caller should supply storage for a buffer that will contain the information to be written to file.
3952 * Length = Size in bytest of the buffer
3953 * ByteOffset = Points to a file offset. If a combination of Length and BytesOfSet is past the end-of-file mark the file will be enlarged.
3954 * BytesOffset is ignored if the file is created with FILE_APPEND_DATA in the DesiredAccess. BytesOffset is also ignored if
3955 * the file is created with CreateOptions flags FILE_SYNCHRONOUS_IO_ALERT or FILE_SYNCHRONOUS_IO_NONALERT set, in that case a offset
3956 * should be created by specifying FILE_USE_FILE_POINTER_POSITION.
3959 * This function maps to the win32 WriteFile.
3960 * Callers to NtWriteFile should run at IRQL PASSIVE_LEVEL.
3961 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PENDING | STATUS_ACCESS_DENIED | STATUS_INSUFFICIENT_RESOURCES
3962 STATUS_INVALID_PARAMETER | STATUS_INVALID_DEVICE_REQUEST | STATUS_FILE_LOCK_CONFLICT ]
3967 IN HANDLE FileHandle,
3968 IN HANDLE Event OPTIONAL,
3969 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
3970 IN PVOID ApcContext OPTIONAL,
3971 OUT PIO_STATUS_BLOCK IoStatusBlock,
3974 IN PLARGE_INTEGER ByteOffset,
3975 IN PULONG Key OPTIONAL
3981 IN HANDLE FileHandle,
3982 IN HANDLE Event OPTIONAL,
3983 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
3984 IN PVOID ApcContext OPTIONAL,
3985 OUT PIO_STATUS_BLOCK IoStatusBlock,
3988 IN PLARGE_INTEGER ByteOffset ,
3989 IN PULONG Key OPTIONAL
3993 * FUNCTION: Writes a file
3995 * FileHandle = The handle of the file
3997 * ApcRoutine = Asynchroneous Procedure Callback [ Should not be used by device drivers ]
3998 * ApcContext = Argument to the Apc Routine
3999 * IoStatusBlock = Caller should supply storage for a structure containing the completion status and information about the requested write operation.
4000 * BufferDescription = Caller should supply storage for a buffer that will contain the information to be written to file.
4001 * BufferLength = Size in bytest of the buffer
4002 * ByteOffset = Points to a file offset. If a combination of Length and BytesOfSet is past the end-of-file mark the file will be enlarged.
4003 * BytesOffset is ignored if the file is created with FILE_APPEND_DATA in the DesiredAccess. BytesOffset is also ignored if
4004 * the file is created with CreateOptions flags FILE_SYNCHRONOUS_IO_ALERT or FILE_SYNCHRONOUS_IO_NONALERT set, in that case a offset
4005 * should be created by specifying FILE_USE_FILE_POINTER_POSITION. Use FILE_WRITE_TO_END_OF_FILE to write to the EOF.
4006 * Key = If a matching key [ a key provided at NtLockFile ] is provided the write operation will continue even if a byte range is locked.
4008 * This function maps to the win32 WriteFile.
4009 * Callers to NtWriteFile should run at IRQL PASSIVE_LEVEL.
4010 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PENDING | STATUS_ACCESS_DENIED | STATUS_INSUFFICIENT_RESOURCES
4011 STATUS_INVALID_PARAMETER | STATUS_INVALID_DEVICE_REQUEST | STATUS_FILE_LOCK_CONFLICT ]
4017 IN HANDLE FileHandle,
4018 IN HANDLE Event OPTIONAL,
4019 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
4020 IN PVOID ApcContext OPTIONAL,
4021 OUT PIO_STATUS_BLOCK IoStatusBlock,
4022 IN FILE_SEGMENT_ELEMENT BufferDescription[],
4023 IN ULONG BufferLength,
4024 IN PLARGE_INTEGER ByteOffset,
4025 IN PULONG Key OPTIONAL
4031 IN HANDLE FileHandle,
4032 IN HANDLE Event OPTIONAL,
4033 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
4034 IN PVOID ApcContext OPTIONAL,
4035 OUT PIO_STATUS_BLOCK IoStatusBlock,
4036 IN FILE_SEGMENT_ELEMENT BufferDescription[],
4037 IN ULONG BufferLength,
4038 IN PLARGE_INTEGER ByteOffset,
4039 IN PULONG Key OPTIONAL
4043 /* --- THREAD MANAGEMENT --- */
4046 * FUNCTION: Increments a thread's resume count
4048 * ThreadHandle = Handle to the thread that should be resumed
4049 * PreviousSuspendCount = The resulting/previous suspend count.
4051 * A thread will be suspended if its suspend count is greater than 0. This procedure maps to
4052 * the win32 SuspendThread function. ( documentation about the the suspend count can be found here aswell )
4053 * The suspend count is not increased if it is greater than MAXIMUM_SUSPEND_COUNT.
4059 IN HANDLE ThreadHandle,
4060 IN PULONG PreviousSuspendCount
4066 IN HANDLE ThreadHandle,
4067 IN PULONG PreviousSuspendCount
4071 * FUNCTION: Terminates the execution of a thread.
4073 * ThreadHandle = Handle to the thread
4074 * ExitStatus = The exit status of the thread to terminate with.
4080 IN HANDLE ThreadHandle ,
4081 IN NTSTATUS ExitStatus
4086 IN HANDLE ThreadHandle ,
4087 IN NTSTATUS ExitStatus
4090 * FUNCTION: Tests to see if there are any pending alerts for the calling thread
4105 * FUNCTION: Yields the callers thread.
4120 /* --- PLUG AND PLAY --- */
4130 NtGetPlugPlayEvent (
4134 /* --- POWER MANAGEMENT --- */
4137 NtSetSystemPowerState(IN POWER_ACTION SystemAction,
4138 IN SYSTEM_POWER_STATE MinSystemState,
4141 /* --- DEBUG SUBSYSTEM --- */
4144 NtSystemDebugControl(DEBUG_CONTROL_CODE ControlCode,
4146 ULONG InputBufferLength,
4148 ULONG OutputBufferLength,
4149 PULONG ReturnLength);
4151 /* --- VIRTUAL DOS MACHINE (VDM) --- */
4155 NtVdmControl (ULONG ControlCode, PVOID ControlData);
4161 NtW32Call(IN ULONG RoutineIndex,
4163 IN ULONG ArgumentLength,
4164 OUT PVOID* Result OPTIONAL,
4165 OUT PULONG ResultLength OPTIONAL);
4167 /* --- CHANNELS --- */
4189 NtReplyWaitSendChannel (
4195 NtSendWaitReplyChannel (
4201 NtSetContextChannel (
4205 /* --- MISCELLANEA --- */
4207 //NTSTATUS STDCALL NtSetLdtEntries(VOID);
4218 NtQueryOleDirectoryFile (
4223 * FUNCTION: Checks a clients access rights to a object
4225 * SecurityDescriptor = Security information against which the access is checked
4226 * ClientToken = Represents a client
4230 * ReturnLength = Bytes written
4232 * AccessStatus = Indicates if the ClientToken allows the requested access
4233 * REMARKS: The arguments map to the win32 AccessCheck
4240 IN PSECURITY_DESCRIPTOR SecurityDescriptor,
4241 IN HANDLE ClientToken,
4242 IN ACCESS_MASK DesiredAcces,
4243 IN PGENERIC_MAPPING GenericMapping,
4244 OUT PPRIVILEGE_SET PrivilegeSet,
4245 OUT PULONG ReturnLength,
4246 OUT PULONG GrantedAccess,
4247 OUT PBOOLEAN AccessStatus
4253 IN PSECURITY_DESCRIPTOR SecurityDescriptor,
4254 IN HANDLE ClientToken,
4255 IN ACCESS_MASK DesiredAcces,
4256 IN PGENERIC_MAPPING GenericMapping,
4257 OUT PPRIVILEGE_SET PrivilegeSet,
4258 OUT PULONG ReturnLength,
4259 OUT PULONG GrantedAccess,
4260 OUT PBOOLEAN AccessStatus
4266 IN ACCESS_MASK DesiredAccess,
4267 OUT PHANDLE KeyHandle);
4270 #ifndef __USE_W32API
4273 * FUNCTION: Continues a thread with the specified context
4275 * Context = Specifies the processor context
4276 * IrqLevel = Specifies the Interupt Request Level to continue with. Can
4277 * be PASSIVE_LEVEL or APC_LEVEL
4279 * NtContinue can be used to continue after an exception or apc.
4282 //FIXME This function might need another parameter
4287 IN PCONTEXT Context,
4288 IN BOOLEAN TestAlert
4291 NTSTATUS STDCALL ZwContinue(IN PCONTEXT Context, IN CINT IrqLevel);
4294 * FUNCTION: Retrieves the system time
4296 * CurrentTime (OUT) = Caller should supply storage for the resulting time.
4304 OUT TIME *CurrentTime
4310 OUT TIME *CurrentTime
4314 * FUNCTION: Loads a registry key.
4316 * KeyHandle = Handle to the registry key
4317 * ObjectAttributes = ???
4320 * This procedure maps to the win32 procedure RegLoadKey
4327 POBJECT_ATTRIBUTES ObjectAttributes,
4334 POBJECT_ATTRIBUTES ObjectAttributes,
4339 * FUNCTION: Copies a handle from one process space to another
4341 * SourceProcessHandle = The source process owning the handle. The source process should have opened
4342 * the SourceHandle with PROCESS_DUP_HANDLE access.
4343 * SourceHandle = The handle to the object.
4344 * TargetProcessHandle = The destination process owning the handle
4345 * TargetHandle (OUT) = Caller should supply storage for the duplicated handle.
4346 * DesiredAccess = The desired access to the handle.
4347 * InheritHandle = Indicates wheter the new handle will be inheritable or not.
4348 * Options = Specifies special actions upon duplicating the handle. Can be
4349 * one of the values DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS.
4350 * DUPLICATE_CLOSE_SOURCE specifies that the source handle should be
4351 * closed after duplicating. DUPLICATE_SAME_ACCESS specifies to ignore
4352 * the DesiredAccess paramter and just grant the same access to the new
4355 * REMARKS: This function maps to the win32 DuplicateHandle.
4361 IN HANDLE SourceProcessHandle,
4362 IN HANDLE SourceHandle,
4363 IN HANDLE TargetProcessHandle,
4364 OUT PHANDLE TargetHandle,
4365 IN ACCESS_MASK DesiredAccess,
4366 IN BOOLEAN InheritHandle,
4373 IN HANDLE SourceProcessHandle,
4374 IN PHANDLE SourceHandle,
4375 IN HANDLE TargetProcessHandle,
4376 OUT PHANDLE TargetHandle,
4377 IN ACCESS_MASK DesiredAccess,
4378 IN BOOLEAN InheritHandle,
4383 * FUNCTION: Checks a clients access rights to a object and issues a audit a alarm. ( it logs the access )
4385 * SubsystemName = Specifies the name of the subsystem, can be "WIN32" or "DEBUG"
4387 * ObjectAttributes =
4394 * REMARKS: The arguments map to the win32 AccessCheck
4400 NtAccessCheckAndAuditAlarm(
4401 IN PUNICODE_STRING SubsystemName,
4402 IN PHANDLE ObjectHandle,
4403 IN POBJECT_ATTRIBUTES ObjectAttributes,
4404 IN ACCESS_MASK DesiredAccess,
4405 IN PGENERIC_MAPPING GenericMapping,
4406 IN BOOLEAN ObjectCreation,
4407 OUT PULONG GrantedAccess,
4408 OUT PBOOLEAN AccessStatus,
4409 OUT PBOOLEAN GenerateOnClose
4414 ZwAccessCheckAndAuditAlarm(
4415 IN PUNICODE_STRING SubsystemName,
4416 IN PHANDLE ObjectHandle,
4417 IN POBJECT_ATTRIBUTES ObjectAttributes,
4418 IN ACCESS_MASK DesiredAccess,
4419 IN PGENERIC_MAPPING GenericMapping,
4420 IN BOOLEAN ObjectCreation,
4421 OUT PULONG GrantedAccess,
4422 OUT PBOOLEAN AccessStatus,
4423 OUT PBOOLEAN GenerateOnClose
4427 * FUNCTION: Adds an atom to the global atom table
4429 * AtomString = The string to add to the atom table.
4430 * Atom (OUT) = Caller supplies storage for the resulting atom.
4431 * REMARKS: The arguments map to the win32 add GlobalAddAtom.
4438 IN OUT PRTL_ATOM Atom
4446 IN OUT PRTL_ATOM Atom
4452 PULARGE_INTEGER Time,
4460 PULARGE_INTEGER Time,
4466 * FUNCTION: Cancels a timer
4468 * TimerHandle = Handle to the timer
4469 * CurrentState = Specifies the state of the timer when cancelled.
4471 * The arguments to this function map to the function CancelWaitableTimer.
4477 IN HANDLE TimerHandle,
4478 OUT PBOOLEAN CurrentState OPTIONAL
4484 IN HANDLE TimerHandle,
4485 OUT ULONG ElapsedTime
4489 * FUNCTION: Creates a paging file.
4491 * FileName = Name of the pagefile
4492 * InitialSize = Specifies the initial size in bytes
4493 * MaximumSize = Specifies the maximum size in bytes
4494 * Reserved = Reserved for future use
4500 IN PUNICODE_STRING FileName,
4501 IN PLARGE_INTEGER InitialSize,
4502 IN PLARGE_INTEGER MaxiumSize,
4509 IN PUNICODE_STRING FileName,
4510 IN PLARGE_INTEGER InitialSize,
4511 IN PLARGE_INTEGER MaxiumSize,
4516 * FUNCTION: Creates a user mode thread
4518 * ThreadHandle (OUT) = Caller supplied storage for the resulting handle
4519 * DesiredAccess = Specifies the allowed or desired access to the thread.
4520 * ObjectAttributes = Initialized attributes for the object.
4521 * ProcessHandle = Handle to the threads parent process.
4522 * ClientId (OUT) = Caller supplies storage for returned process id and thread id.
4523 * ThreadContext = Initial processor context for the thread.
4524 * InitialTeb = Initial user mode stack context for the thread.
4525 * CreateSuspended = Specifies if the thread is ready for scheduling
4527 * This function maps to the win32 function CreateThread.
4533 OUT PHANDLE ThreadHandle,
4534 IN ACCESS_MASK DesiredAccess,
4535 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
4536 IN HANDLE ProcessHandle,
4537 OUT PCLIENT_ID ClientId,
4538 IN PCONTEXT ThreadContext,
4539 IN PINITIAL_TEB InitialTeb,
4540 IN BOOLEAN CreateSuspended
4546 OUT PHANDLE ThreadHandle,
4547 IN ACCESS_MASK DesiredAccess,
4548 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
4549 IN HANDLE ProcessHandle,
4550 OUT PCLIENT_ID ClientId,
4551 IN PCONTEXT ThreadContext,
4552 IN PINITIAL_TEB InitialTeb,
4553 IN BOOLEAN CreateSuspended
4559 IN HANDLE ExistingToken,
4560 IN ACCESS_MASK DesiredAccess,
4561 IN POBJECT_ATTRIBUTES ObjectAttributes,
4562 IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
4563 IN TOKEN_TYPE TokenType,
4564 OUT PHANDLE NewToken
4570 IN HANDLE ExistingToken,
4571 IN ACCESS_MASK DesiredAccess,
4572 IN POBJECT_ATTRIBUTES ObjectAttributes,
4573 IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
4574 IN TOKEN_TYPE TokenType,
4575 OUT PHANDLE NewToken
4579 * FUNCTION: Finds a atom
4581 * AtomName = Name to search for.
4582 * Atom = Caller supplies storage for the resulting atom
4585 * This funciton maps to the win32 GlobalFindAtom
4591 OUT PRTL_ATOM Atom OPTIONAL
4598 OUT PRTL_ATOM Atom OPTIONAL
4602 * FUNCTION: Flushes a the processors instruction cache
4604 * ProcessHandle = Points to the process owning the cache
4605 * BaseAddress = // might this be a image address ????
4606 * NumberOfBytesToFlush =
4609 * This funciton is used by debuggers
4613 NtFlushInstructionCache(
4614 IN HANDLE ProcessHandle,
4615 IN PVOID BaseAddress,
4616 IN UINT NumberOfBytesToFlush
4621 ZwFlushInstructionCache(
4622 IN HANDLE ProcessHandle,
4623 IN PVOID BaseAddress,
4624 IN UINT NumberOfBytesToFlush
4628 * FUNCTION: Flushes virtual memory to file
4630 * ProcessHandle = Points to the process that allocated the virtual memory
4631 * BaseAddress = Points to the memory address
4632 * NumberOfBytesToFlush = Limits the range to flush,
4633 * NumberOfBytesFlushed = Actual number of bytes flushed
4636 * Check return status on STATUS_NOT_MAPPED_DATA
4640 NtFlushVirtualMemory(
4641 IN HANDLE ProcessHandle,
4642 IN PVOID BaseAddress,
4643 IN ULONG NumberOfBytesToFlush,
4644 OUT PULONG NumberOfBytesFlushed OPTIONAL
4649 ZwFlushVirtualMemory(
4650 IN HANDLE ProcessHandle,
4651 IN PVOID BaseAddress,
4652 IN ULONG NumberOfBytesToFlush,
4653 OUT PULONG NumberOfBytesFlushed OPTIONAL
4657 * FUNCTION: Retrieves the uptime of the system
4659 * UpTime = Number of clock ticks since boot.
4675 * FUNCTION: Loads a registry key.
4677 * KeyHandle = Handle to the registry key
4678 * ObjectAttributes = ???
4680 * This procedure maps to the win32 procedure RegLoadKey
4687 POBJECT_ATTRIBUTES ObjectAttributes
4694 POBJECT_ATTRIBUTES ObjectAttributes
4698 * FUNCTION: Locks a range of virtual memory.
4700 * ProcessHandle = Handle to the process
4701 * BaseAddress = Lower boundary of the range of bytes to lock.
4702 * NumberOfBytesLock = Offset to the upper boundary.
4703 * NumberOfBytesLocked (OUT) = Number of bytes actually locked.
4705 This procedure maps to the win32 procedure VirtualLock
4706 * RETURNS: Status [STATUS_SUCCESS | STATUS_WAS_LOCKED ]
4710 NtLockVirtualMemory(
4711 HANDLE ProcessHandle,
4713 ULONG NumberOfBytesToLock,
4714 PULONG NumberOfBytesLocked
4719 ZwLockVirtualMemory(
4720 HANDLE ProcessHandle,
4722 ULONG NumberOfBytesToLock,
4723 PULONG NumberOfBytesLocked
4728 NtOpenObjectAuditAlarm(
4729 IN PUNICODE_STRING SubsystemName,
4731 IN POBJECT_ATTRIBUTES ObjectAttributes,
4732 IN HANDLE ClientToken,
4733 IN ULONG DesiredAccess,
4734 IN ULONG GrantedAccess,
4735 IN PPRIVILEGE_SET Privileges,
4736 IN BOOLEAN ObjectCreation,
4737 IN BOOLEAN AccessGranted,
4738 OUT PBOOLEAN GenerateOnClose
4743 ZwOpenObjectAuditAlarm(
4744 IN PUNICODE_STRING SubsystemName,
4746 IN POBJECT_ATTRIBUTES ObjectAttributes,
4747 IN HANDLE ClientToken,
4748 IN ULONG DesiredAccess,
4749 IN ULONG GrantedAccess,
4750 IN PPRIVILEGE_SET Privileges,
4751 IN BOOLEAN ObjectCreation,
4752 IN BOOLEAN AccessGranted,
4753 OUT PBOOLEAN GenerateOnClose
4757 * FUNCTION: Set the access protection of a range of virtual memory
4759 * ProcessHandle = Handle to process owning the virtual address space
4760 * BaseAddress = Start address
4761 * NumberOfBytesToProtect = Delimits the range of virtual memory
4762 * for which the new access protection holds
4763 * NewAccessProtection = The new access proctection for the pages
4764 * OldAccessProtection = Caller should supply storage for the old
4768 * The function maps to the win32 VirtualProtectEx
4773 NtProtectVirtualMemory(
4774 IN HANDLE ProcessHandle,
4775 IN PVOID BaseAddress,
4776 IN ULONG NumberOfBytesToProtect,
4777 IN ULONG NewAccessProtection,
4778 OUT PULONG OldAccessProtection
4783 ZwProtectVirtualMemory(
4784 IN HANDLE ProcessHandle,
4785 IN PVOID BaseAddress,
4786 IN ULONG NumberOfBytesToProtect,
4787 IN ULONG NewAccessProtection,
4788 OUT PULONG OldAccessProtection
4793 NtQueryInformationAtom(
4795 IN ATOM_INFORMATION_CLASS AtomInformationClass,
4796 OUT PVOID AtomInformation,
4797 IN ULONG AtomInformationLength,
4798 OUT PULONG ReturnLength OPTIONAL
4803 ZwQueryInformationAtom(
4805 IN ATOM_INFORMATION_CLASS AtomInformationClass,
4806 OUT PVOID AtomInformation,
4807 IN ULONG AtomInformationLength,
4808 OUT PULONG ReturnLength OPTIONAL
4812 * FUNCTION: Query information about the content of a directory object
4814 DirObjInformation = Buffer must be large enough to hold the name strings too
4815 GetNextIndex = If TRUE :return the index of the next object in this directory in ObjectIndex
4816 If FALSE: return the number of objects in this directory in ObjectIndex
4817 IgnoreInputIndex= If TRUE: ignore input value of ObjectIndex always start at index 0
4818 If FALSE use input value of ObjectIndex
4819 ObjectIndex = zero based index of object in the directory depends on GetNextIndex and IgnoreInputIndex
4820 DataWritten = Actual size of the ObjectIndex ???
4825 NtQueryDirectoryObject(
4826 IN HANDLE DirObjHandle,
4827 OUT POBJDIR_INFORMATION DirObjInformation,
4828 IN ULONG BufferLength,
4829 IN BOOLEAN GetNextIndex,
4830 IN BOOLEAN IgnoreInputIndex,
4831 IN OUT PULONG ObjectIndex,
4832 OUT PULONG DataWritten OPTIONAL
4837 ZwQueryDirectoryObject(
4838 IN HANDLE DirObjHandle,
4839 OUT POBJDIR_INFORMATION DirObjInformation,
4840 IN ULONG BufferLength,
4841 IN BOOLEAN GetNextIndex,
4842 IN BOOLEAN IgnoreInputIndex,
4843 IN OUT PULONG ObjectIndex,
4844 OUT PULONG DataWritten OPTIONAL
4848 * FUNCTION: Queries the information of a process object.
4850 * ProcessHandle = Handle to the process object
4851 * ProcessInformation = Index to a certain information structure
4853 ProcessBasicInformation PROCESS_BASIC_INFORMATION
4854 ProcessQuotaLimits QUOTA_LIMITS
4855 ProcessIoCounters IO_COUNTERS
4856 ProcessVmCounters VM_COUNTERS
4857 ProcessTimes KERNEL_USER_TIMES
4858 ProcessBasePriority KPRIORITY
4859 ProcessRaisePriority KPRIORITY
4860 ProcessDebugPort HANDLE
4861 ProcessExceptionPort HANDLE
4862 ProcessAccessToken PROCESS_ACCESS_TOKEN
4863 ProcessLdtInformation LDT_ENTRY ??
4864 ProcessLdtSize ULONG
4865 ProcessDefaultHardErrorMode ULONG
4866 ProcessIoPortHandlers // kernel mode only
4867 ProcessPooledUsageAndLimits POOLED_USAGE_AND_LIMITS
4868 ProcessWorkingSetWatch PROCESS_WS_WATCH_INFORMATION
4869 ProcessUserModeIOPL (I/O Privilege Level)
4870 ProcessEnableAlignmentFaultFixup BOOLEAN
4871 ProcessPriorityClass ULONG
4872 ProcessWx86Information ULONG
4873 ProcessHandleCount ULONG
4874 ProcessAffinityMask ULONG
4875 ProcessPooledQuotaLimits QUOTA_LIMITS
4878 * ProcessInformation = Caller supplies storage for the process information structure
4879 * ProcessInformationLength = Size of the process information structure
4880 * ReturnLength = Actual number of bytes written
4883 * This procedure maps to the win32 GetProcessTimes, GetProcessVersion,
4884 GetProcessWorkingSetSize, GetProcessPriorityBoost, GetProcessAffinityMask, GetPriorityClass,
4885 GetProcessShutdownParameters functions.
4891 NtQueryInformationProcess(
4892 IN HANDLE ProcessHandle,
4893 IN CINT ProcessInformationClass,
4894 OUT PVOID ProcessInformation,
4895 IN ULONG ProcessInformationLength,
4896 OUT PULONG ReturnLength
4901 ZwQueryInformationProcess(
4902 IN HANDLE ProcessHandle,
4903 IN CINT ProcessInformationClass,
4904 OUT PVOID ProcessInformation,
4905 IN ULONG ProcessInformationLength,
4906 OUT PULONG ReturnLength
4910 * FUNCTION: Query the interval and the clocksource for profiling
4918 NtQueryIntervalProfile(
4919 OUT PULONG Interval,
4920 OUT KPROFILE_SOURCE ClockSource
4925 ZwQueryIntervalProfile(
4926 OUT PULONG Interval,
4927 OUT KPROFILE_SOURCE ClockSource
4931 * FUNCTION: Queries the information of a object.
4933 ObjectHandle = Handle to a object
4934 ObjectInformationClass = Index to a certain information structure
4936 ObjectBasicInformation
4937 ObjectTypeInformation OBJECT_TYPE_INFORMATION
4938 ObjectNameInformation OBJECT_NAME_INFORMATION
4939 ObjectDataInformation OBJECT_DATA_INFORMATION
4941 ObjectInformation = Caller supplies storage for resulting information
4942 Length = Size of the supplied storage
4943 ResultLength = Bytes written
4949 IN HANDLE ObjectHandle,
4950 IN CINT ObjectInformationClass,
4951 OUT PVOID ObjectInformation,
4953 OUT PULONG ResultLength
4959 IN HANDLE ObjectHandle,
4960 IN CINT ObjectInformationClass,
4961 OUT PVOID ObjectInformation,
4963 OUT PULONG ResultLength
4968 NtQuerySecurityObject(
4970 IN CINT SecurityObjectInformationClass,
4971 OUT PVOID SecurityObjectInformation,
4973 OUT PULONG ReturnLength
4978 ZwQuerySecurityObject(
4980 IN CINT SecurityObjectInformationClass,
4981 OUT PVOID SecurityObjectInformation,
4983 OUT PULONG ReturnLength
4987 * FUNCTION: Queries the virtual memory information.
4989 ProcessHandle = Process owning the virtual address space
4990 BaseAddress = Points to the page where the information is queried for.
4991 * VirtualMemoryInformationClass = Index to a certain information structure
4993 MemoryBasicInformation MEMORY_BASIC_INFORMATION
4995 * VirtualMemoryInformation = caller supplies storage for the information structure
4996 * Length = size of the structure
4997 ResultLength = Data written
5004 NtQueryVirtualMemory(
5005 IN HANDLE ProcessHandle,
5007 IN IN CINT VirtualMemoryInformationClass,
5008 OUT PVOID VirtualMemoryInformation,
5010 OUT PULONG ResultLength
5015 ZwQueryVirtualMemory(
5016 IN HANDLE ProcessHandle,
5018 IN IN CINT VirtualMemoryInformationClass,
5019 OUT PVOID VirtualMemoryInformation,
5021 OUT PULONG ResultLength
5025 * FUNCTION: Raises a hard error (stops the system)
5027 * Status = Status code of the hard error
5060 * FUNCTION: Sets the information of a registry key.
5062 * KeyHandle = Handle to the registry key
5063 * KeyInformationClass = Index to the a certain information structure.
5064 Can be one of the following values:
5066 * KeyWriteTimeInformation KEY_WRITE_TIME_INFORMATION
5068 KeyInformation = Storage for the new information
5069 * KeyInformationLength = Size of the information strucure
5075 NtSetInformationKey(
5076 IN HANDLE KeyHandle,
5077 IN CINT KeyInformationClass,
5078 IN PVOID KeyInformation,
5079 IN ULONG KeyInformationLength
5084 ZwSetInformationKey(
5085 IN HANDLE KeyHandle,
5086 IN CINT KeyInformationClass,
5087 IN PVOID KeyInformation,
5088 IN ULONG KeyInformationLength
5092 * FUNCTION: Changes a set of object specific parameters
5095 * ObjectInformationClass = Index to the set of parameters to change.
5098 ObjectBasicInformation
5099 ObjectTypeInformation OBJECT_TYPE_INFORMATION
5100 ObjectAllInformation
5101 ObjectDataInformation OBJECT_DATA_INFORMATION
5102 ObjectNameInformation OBJECT_NAME_INFORMATION
5105 * ObjectInformation = Caller supplies storage for parameters to set.
5106 * Length = Size of the storage supplied
5111 NtSetInformationObject(
5112 IN HANDLE ObjectHandle,
5113 IN CINT ObjectInformationClass,
5114 IN PVOID ObjectInformation,
5120 ZwSetInformationObject(
5121 IN HANDLE ObjectHandle,
5122 IN CINT ObjectInformationClass,
5123 IN PVOID ObjectInformation,
5128 * FUNCTION: Changes a set of process specific parameters
5130 * ProcessHandle = Handle to the process
5131 * ProcessInformationClass = Index to a information structure.
5133 * ProcessBasicInformation PROCESS_BASIC_INFORMATION
5134 * ProcessQuotaLimits QUOTA_LIMITS
5135 * ProcessBasePriority KPRIORITY
5136 * ProcessRaisePriority KPRIORITY
5137 * ProcessDebugPort HANDLE
5138 * ProcessExceptionPort HANDLE
5139 * ProcessAccessToken PROCESS_ACCESS_TOKEN
5140 * ProcessDefaultHardErrorMode ULONG
5141 * ProcessPriorityClass ULONG
5142 * ProcessAffinityMask KAFFINITY //??
5144 * ProcessInformation = Caller supplies storage for information to set.
5145 * ProcessInformationLength = Size of the information structure
5150 NtSetInformationProcess(
5151 IN HANDLE ProcessHandle,
5152 IN CINT ProcessInformationClass,
5153 IN PVOID ProcessInformation,
5154 IN ULONG ProcessInformationLength
5159 ZwSetInformationProcess(
5160 IN HANDLE ProcessHandle,
5161 IN CINT ProcessInformationClass,
5162 IN PVOID ProcessInformation,
5163 IN ULONG ProcessInformationLength
5167 * FUNCTION: Sets the characteristics of a timer
5169 * TimerHandle = Handle to the timer
5170 * DueTime = Time before the timer becomes signalled for the first time.
5171 * TimerApcRoutine = Completion routine can be called on time completion
5172 * TimerContext = Argument to the completion routine
5173 * Resume = Specifies if the timer should repeated after completing one cycle
5174 * Period = Cycle of the timer
5175 * REMARKS: This routine maps to the win32 SetWaitableTimer.
5181 IN HANDLE TimerHandle,
5182 IN PLARGE_INTEGER DueTime,
5183 IN PTIMERAPCROUTINE TimerApcRoutine,
5184 IN PVOID TimerContext,
5186 IN ULONG Period OPTIONAL,
5187 OUT PBOOLEAN PreviousState OPTIONAL
5193 IN HANDLE TimerHandle,
5194 IN PLARGE_INTEGER DueTime,
5195 IN PTIMERAPCROUTINE TimerApcRoutine,
5196 IN PVOID TimerContext,
5198 IN ULONG Period OPTIONAL,
5199 OUT PBOOLEAN PreviousState OPTIONAL
5203 * FUNCTION: Unloads a registry key.
5205 * KeyHandle = Handle to the registry key
5207 * This procedure maps to the win32 procedure RegUnloadKey
5223 * FUNCTION: Unlocks a range of virtual memory.
5225 * ProcessHandle = Handle to the process
5226 * BaseAddress = Lower boundary of the range of bytes to unlock.
5227 * NumberOfBytesToUnlock = Offset to the upper boundary to unlock.
5228 * NumberOfBytesUnlocked (OUT) = Number of bytes actually unlocked.
5230 This procedure maps to the win32 procedure VirtualUnlock
5231 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PAGE_WAS_ULOCKED ]
5235 NtUnlockVirtualMemory(
5236 IN HANDLE ProcessHandle,
5237 IN PVOID BaseAddress,
5238 IN ULONG NumberOfBytesToUnlock,
5239 OUT PULONG NumberOfBytesUnlocked OPTIONAL
5244 ZwUnlockVirtualMemory(
5245 IN HANDLE ProcessHandle,
5246 IN PVOID BaseAddress,
5247 IN ULONG NumberOfBytesToUnlock,
5248 OUT PULONG NumberOfBytesUnlocked OPTIONAL
5252 * FUNCTION: Waits for multiple objects to become signalled.
5254 * Count = The number of objects
5255 * Object = The array of object handles
5256 * WaitType = Can be one of the values UserMode or KernelMode
5257 * Alertable = If true the wait is alertable.
5258 * Time = The maximum wait time.
5260 * This function maps to the win32 WaitForMultipleObjectEx.
5265 NtWaitForMultipleObjects (
5269 IN BOOLEAN Alertable,
5270 IN PLARGE_INTEGER Time
5275 ZwWaitForMultipleObjects (
5279 IN BOOLEAN Alertable,
5280 IN PLARGE_INTEGER Time
5284 * FUNCTION: Creates a profile
5286 * ProfileHandle (OUT) = Caller supplied storage for the resulting handle
5287 * ObjectAttribute = Initialized attributes for the object
5288 * ImageBase = Start address of executable image
5289 * ImageSize = Size of the image
5290 * Granularity = Bucket size
5291 * Buffer = Caller supplies buffer for profiling info
5292 * ProfilingSize = Buffer size
5293 * ClockSource = Specify 0 / FALSE ??
5294 * ProcessorMask = A value of -1 indicates disables per processor profiling,
5295 otherwise bit set for the processor to profile.
5297 * This function maps to the win32 CreateProcess.
5303 NtCreateProfile(OUT PHANDLE ProfileHandle,
5304 IN HANDLE ProcessHandle,
5307 IN ULONG Granularity,
5309 IN ULONG ProfilingSize,
5310 IN KPROFILE_SOURCE Source,
5311 IN ULONG ProcessorMask);
5316 OUT PHANDLE ProfileHandle,
5317 IN POBJECT_ATTRIBUTES ObjectAttributes,
5320 IN ULONG Granularity,
5322 IN ULONG ProfilingSize,
5323 IN ULONG ClockSource,
5324 IN ULONG ProcessorMask
5328 * FUNCTION: Delays the execution of the calling thread.
5330 * Alertable = If TRUE the thread is alertable during is wait period
5331 * Interval = Specifies the interval to wait.
5345 IN BOOLEAN Alertable,
5350 * FUNCTION: Extends a section
5352 * SectionHandle = Handle to the section
5353 * NewMaximumSize = Adjusted size
5359 IN HANDLE SectionHandle,
5360 IN ULONG NewMaximumSize
5366 IN HANDLE SectionHandle,
5367 IN ULONG NewMaximumSize
5371 * FUNCTION: Queries the information of a section object.
5373 * SectionHandle = Handle to the section link object
5374 * SectionInformationClass = Index to a certain information structure
5375 * SectionInformation (OUT)= Caller supplies storage for resulting information
5376 * Length = Size of the supplied storage
5377 * ResultLength = Data written
5384 IN HANDLE SectionHandle,
5385 IN CINT SectionInformationClass,
5386 OUT PVOID SectionInformation,
5388 OUT PULONG ResultLength
5394 IN HANDLE SectionHandle,
5395 IN CINT SectionInformationClass,
5396 OUT PVOID SectionInformation,
5398 OUT PULONG ResultLength
5401 typedef struct _SECTION_IMAGE_INFORMATION
5408 USHORT MinorSubsystemVersion;
5409 USHORT MajorSubsystemVersion;
5411 ULONG Characteristics;
5416 } SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;
5418 #endif /* !__USE_W32API */
5420 #endif /* __DDK_ZW_H */