4 * COPYRIGHT: See COPYING in the top level directory
5 * PROJECT: ReactOS kernel
6 * PURPOSE: System call definitions
7 * FILE: include/ddk/zw.h
9 * ??/??/??: First few functions (David Welch)
10 * ??/??/??: Complete implementation by Ariadne
11 * 13/07/98: Reorganised things a bit (David Welch)
12 * 04/08/98: Added some documentation (Ariadne)
13 * 14/08/98: Added type TIME and change variable type from [1] to [0]
14 * 14/09/98: Added for each Nt call a corresponding Zw Call
20 #include <ntos/security.h>
21 #include <ntos/zwtypes.h>
22 #include <napi/npipe.h>
24 #ifndef _RTLGETPROCESSHEAP_DEFINED_
25 #define _RTLGETPROCESSHEAP_DEFINED_
26 #define RtlGetProcessHeap() (NtCurrentPeb()->ProcessHeap)
29 // semaphore information
31 typedef enum _SEMAPHORE_INFORMATION_CLASS
33 SemaphoreBasicInformation = 0
34 } SEMAPHORE_INFORMATION_CLASS;
36 typedef struct _SEMAPHORE_BASIC_INFORMATION
40 } SEMAPHORE_BASIC_INFORMATION, *PSEMAPHORE_BASIC_INFORMATION;
44 typedef enum _EVENT_INFORMATION_CLASS
46 EventBasicInformation = 0
47 } EVENT_INFORMATION_CLASS;
49 typedef struct _EVENT_BASIC_INFORMATION
53 } EVENT_BASIC_INFORMATION, *PEVENT_BASIC_INFORMATION;
56 //#define SECURITY_INFORMATION ULONG
57 //typedef ULONG SECURITY_INFORMATION;
60 * FUNCTION: Adjusts the groups in an access token
62 * TokenHandle = Specifies the access token
63 * ResetToDefault = If true the NewState parameter is ignored and the groups are set to
64 * their default state, if false the groups specified in
67 * BufferLength = Specifies the size of the buffer for the PreviousState.
69 * ReturnLength = Bytes written in PreviousState buffer.
70 * REMARKS: The arguments map to the win32 AdjustTokenGroups
77 IN HANDLE TokenHandle,
78 IN BOOLEAN ResetToDefault,
79 IN PTOKEN_GROUPS NewState,
80 IN ULONG BufferLength,
81 OUT PTOKEN_GROUPS PreviousState OPTIONAL,
82 OUT PULONG ReturnLength
88 IN HANDLE TokenHandle,
89 IN BOOLEAN ResetToDefault,
90 IN PTOKEN_GROUPS NewState,
91 IN ULONG BufferLength,
92 OUT PTOKEN_GROUPS PreviousState,
93 OUT PULONG ReturnLength
101 * TokenHandle = Handle to the access token
102 * DisableAllPrivileges = If true, all privileges in the token are disabled and NewState is ignored.
108 * The arguments map to the win32 AdjustTokenPrivileges
114 NtAdjustPrivilegesToken(
115 IN HANDLE TokenHandle,
116 IN BOOLEAN DisableAllPrivileges,
117 IN PTOKEN_PRIVILEGES NewState,
118 IN ULONG BufferLength,
119 OUT PTOKEN_PRIVILEGES PreviousState,
120 OUT PULONG ReturnLength
125 ZwAdjustPrivilegesToken(
126 IN HANDLE TokenHandle,
127 IN BOOLEAN DisableAllPrivileges,
128 IN PTOKEN_PRIVILEGES NewState,
129 IN ULONG BufferLength,
130 OUT PTOKEN_PRIVILEGES PreviousState,
131 OUT PULONG ReturnLength
136 * FUNCTION: Decrements a thread's suspend count and places it in an alerted
139 * ThreadHandle = Handle to the thread that should be resumed
140 * SuspendCount = The resulting suspend count.
142 * A thread is resumed if its suspend count is 0
148 IN HANDLE ThreadHandle,
149 OUT PULONG SuspendCount
155 IN HANDLE ThreadHandle,
156 OUT PULONG SuspendCount
160 * FUNCTION: Puts the thread in an alerted state
162 * ThreadHandle = Handle to the thread that should be alerted
168 IN HANDLE ThreadHandle
174 IN HANDLE ThreadHandle
179 * FUNCTION: Allocates a locally unique id
181 * LocallyUniqueId = Locally unique number
186 NtAllocateLocallyUniqueId(
187 OUT LUID *LocallyUniqueId
192 ZwAllocateLocallyUniqueId(
197 * FUNCTION: Allocates a block of virtual memory in the process address space
199 * ProcessHandle = The handle of the process which owns the virtual memory
200 * BaseAddress = A pointer to the virtual memory allocated. If you supply a non zero
201 * value the system will try to allocate the memory at the address supplied. It rounds
202 * it down to a multiple of the page size.
203 * ZeroBits = (OPTIONAL) You can specify the number of high order bits that must be zero, ensuring that
204 * the memory will be allocated at a address below a certain value.
205 * RegionSize = The number of bytes to allocate
206 * AllocationType = Indicates the type of virtual memory you like to allocated,
207 * can be one of the values : MEM_COMMIT, MEM_RESERVE, MEM_RESET, MEM_TOP_DOWN
208 * Protect = Indicates the protection type of the pages allocated, can be a combination of
209 * PAGE_READONLY, PAGE_READWRITE, PAGE_EXECUTE_READ,
210 * PAGE_EXECUTE_READWRITE, PAGE_GUARD, PAGE_NOACCESS
212 * This function maps to the win32 VirtualAllocEx. Virtual memory is process based so the
213 * protocol starts with a ProcessHandle. I split the functionality of obtaining the actual address and specifying
214 * the start address in two parameters ( BaseAddress and StartAddress ) The NumberOfBytesAllocated specifies the range
215 * and the AllocationType and ProtectionType map to the other two parameters.
220 NtAllocateVirtualMemory (
221 IN HANDLE ProcessHandle,
222 IN OUT PVOID *BaseAddress,
224 IN OUT PULONG RegionSize,
225 IN ULONG AllocationType,
231 ZwAllocateVirtualMemory (
232 IN HANDLE ProcessHandle,
233 IN OUT PVOID *BaseAddress,
235 IN OUT PULONG RegionSize,
236 IN ULONG AllocationType,
240 * FUNCTION: Returns from a callback into user mode
244 //FIXME: this function might need 3 parameters
245 NTSTATUS STDCALL NtCallbackReturn(PVOID Result,
249 NTSTATUS STDCALL ZwCallbackReturn(PVOID Result,
254 * FUNCTION: Cancels an I/O request
256 * FileHandle = Handle to the file
260 * This function maps to the win32 CancelIo.
266 IN HANDLE FileHandle,
267 OUT PIO_STATUS_BLOCK IoStatusBlock
273 IN HANDLE FileHandle,
274 OUT PIO_STATUS_BLOCK IoStatusBlock
278 * FUNCTION: Sets the status of the event back to non-signaled
280 * EventHandle = Handle to the event
282 * This function maps to win32 function ResetEvent.
289 IN HANDLE EventHandle
295 IN HANDLE EventHandle
299 * FUNCTION: Closes an object handle
301 * Handle = Handle to the object
303 * This function maps to the win32 function CloseHandle.
320 * FUNCTION: Generates an audit message when a handle to an object is dereferenced
323 HandleId = Handle to the object
326 * This function maps to the win32 function ObjectCloseAuditAlarm.
332 NtCloseObjectAuditAlarm(
333 IN PUNICODE_STRING SubsystemName,
335 IN BOOLEAN GenerateOnClose
340 ZwCloseObjectAuditAlarm(
341 IN PUNICODE_STRING SubsystemName,
343 IN BOOLEAN GenerateOnClose
347 * FUNCTION: Creates a directory object
349 * DirectoryHandle (OUT) = Caller supplied storage for the resulting handle
350 * DesiredAccess = Specifies access to the directory
351 * ObjectAttribute = Initialized attributes for the object
352 * REMARKS: This function maps to the win32 CreateDirectory. A directory is like a file so it needs a
353 * handle, a access mask and a OBJECT_ATTRIBUTES structure to map the path name and the SECURITY_ATTRIBUTES.
359 NtCreateDirectoryObject(
360 OUT PHANDLE DirectoryHandle,
361 IN ACCESS_MASK DesiredAccess,
362 IN POBJECT_ATTRIBUTES ObjectAttributes
367 ZwCreateDirectoryObject(
368 OUT PHANDLE DirectoryHandle,
369 IN ACCESS_MASK DesiredAccess,
370 IN POBJECT_ATTRIBUTES ObjectAttributes
374 * FUNCTION: Creates an event object
376 * EventHandle (OUT) = Caller supplied storage for the resulting handle
377 * DesiredAccess = Specifies access to the event
378 * ObjectAttribute = Initialized attributes for the object
379 * ManualReset = manual-reset or auto-reset if true you have to reset the state of the event manually
380 * using NtResetEvent/NtClearEvent. if false the system will reset the event to a non-signalled state
381 * automatically after the system has rescheduled a thread waiting on the event.
382 * InitialState = specifies the initial state of the event to be signaled ( TRUE ) or non-signalled (FALSE).
383 * REMARKS: This function maps to the win32 CreateEvent. Demanding a out variable of type HANDLE,
384 * a access mask and a OBJECT_ATTRIBUTES structure mapping to the SECURITY_ATTRIBUTES. ManualReset and InitialState are
385 * both parameters aswell ( possibly the order is reversed ).
392 OUT PHANDLE EventHandle,
393 IN ACCESS_MASK DesiredAccess,
394 IN POBJECT_ATTRIBUTES ObjectAttributes,
395 IN BOOLEAN ManualReset,
396 IN BOOLEAN InitialState
402 OUT PHANDLE EventHandle,
403 IN ACCESS_MASK DesiredAccess,
404 IN POBJECT_ATTRIBUTES ObjectAttributes,
405 IN BOOLEAN ManualReset,
406 IN BOOLEAN InitialState
410 * FUNCTION: Creates an eventpair object
412 * EventPairHandle (OUT) = Caller supplied storage for the resulting handle
413 * DesiredAccess = Specifies access to the event
414 * ObjectAttribute = Initialized attributes for the object
420 OUT PHANDLE EventPairHandle,
421 IN ACCESS_MASK DesiredAccess,
422 IN POBJECT_ATTRIBUTES ObjectAttributes
428 OUT PHANDLE EventPairHandle,
429 IN ACCESS_MASK DesiredAccess,
430 IN POBJECT_ATTRIBUTES ObjectAttributes
435 * FUNCTION: Creates or opens a file, directory or device object.
437 * FileHandle (OUT) = Caller supplied storage for the resulting handle
438 * DesiredAccess = Specifies the allowed or desired access to the file can
439 * be a combination of DELETE | FILE_READ_DATA ..
440 * ObjectAttribute = Initialized attributes for the object, contains the rootdirectory and the filename
441 * IoStatusBlock (OUT) = Caller supplied storage for the resulting status information, indicating if the
442 * file is created and opened, or already existed and is just opened.
443 * FileAttributes = file attributes can be a combination of FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN ...
444 * ShareAccess = can be a combination of the following: FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE
445 * CreateDisposition = specifies the behavior of the system if the file already exists.
446 * CreateOptions = specifies the behavior of the system on file creation.
447 * EaBuffer (OPTIONAL) = Extended Attributes buffer, applies only to files and directories.
448 * EaLength = Extended Attributes buffer size, applies only to files and directories.
449 * REMARKS: This function maps to the win32 CreateFile.
456 OUT PHANDLE FileHandle,
457 IN ACCESS_MASK DesiredAccess,
458 IN POBJECT_ATTRIBUTES ObjectAttributes,
459 OUT PIO_STATUS_BLOCK IoStatusBlock,
460 IN PLARGE_INTEGER AllocationSize OPTIONAL,
461 IN ULONG FileAttributes,
462 IN ULONG ShareAccess,
463 IN ULONG CreateDisposition,
464 IN ULONG CreateOptions,
465 IN PVOID EaBuffer OPTIONAL,
472 OUT PHANDLE FileHandle,
473 IN ACCESS_MASK DesiredAccess,
474 IN POBJECT_ATTRIBUTES ObjectAttributes,
475 OUT PIO_STATUS_BLOCK IoStatusBlock,
476 IN PLARGE_INTEGER AllocationSize OPTIONAL,
477 IN ULONG FileAttributes,
478 IN ULONG ShareAccess,
479 IN ULONG CreateDisposition,
480 IN ULONG CreateOptions,
481 IN PVOID EaBuffer OPTIONAL,
486 * FUNCTION: Creates an I/O completion object.
488 * IoCompletionHandle (OUT) = Caller supplied storage for the resulting handle
489 * DesiredAccess = Specifies the allowed or desired access to the port
491 * NumberOfConcurrentThreads =
492 * REMARKS: This function maps to the win32 CreateIoCompletionPort
499 NtCreateIoCompletion(
500 OUT PHANDLE IoCompletionHandle,
501 IN ACCESS_MASK DesiredAccess,
502 IN POBJECT_ATTRIBUTES ObjectAttributes,
503 IN ULONG NumberOfConcurrentThreads
508 ZwCreateIoCompletion(
509 OUT PHANDLE IoCompletionHandle,
510 IN ACCESS_MASK DesiredAccess,
511 IN POBJECT_ATTRIBUTES ObjectAttributes,
512 IN ULONG NumberOfConcurrentThreads
516 * FUNCTION: Creates a registry key
518 * KeyHandle (OUT) = Caller supplied storage for the resulting handle
519 * DesiredAccess = Specifies the allowed or desired access to the key
520 * It can have a combination of the following values:
521 * KEY_READ | KEY_WRITE | KEY_EXECUTE | KEY_ALL_ACCESS
523 * KEY_QUERY_VALUE The values of the key can be queried.
524 * KEY_SET_VALUE The values of the key can be modified.
525 * KEY_CREATE_SUB_KEYS The key may contain subkeys.
526 * KEY_ENUMERATE_SUB_KEYS Subkeys can be queried.
528 * KEY_CREATE_LINK A symbolic link to the key can be created.
529 * ObjectAttributes = The name of the key may be specified directly in the name field
530 * of object attributes or relative to a key in rootdirectory.
531 * TitleIndex = Might specify the position in the sequential order of subkeys.
532 * Class = Specifies the kind of data, for example REG_SZ for string data. [ ??? ]
533 * CreateOptions = Specifies additional options with which the key is created
534 * REG_OPTION_VOLATILE The key is not preserved across boots.
535 * REG_OPTION_NON_VOLATILE The key is preserved across boots.
536 * REG_OPTION_CREATE_LINK The key is a symbolic link to another key.
537 * REG_OPTION_BACKUP_RESTORE Key is being opened or created for backup/restore operations.
538 * Disposition = Indicates if the call to NtCreateKey resulted in the creation of a key it
539 * can have the following values: REG_CREATED_NEW_KEY | REG_OPENED_EXISTING_KEY
545 NtCreateKey(OUT PHANDLE KeyHandle,
546 IN ACCESS_MASK DesiredAccess,
547 IN POBJECT_ATTRIBUTES ObjectAttributes,
549 IN PUNICODE_STRING Class OPTIONAL,
550 IN ULONG CreateOptions,
551 IN PULONG Disposition OPTIONAL);
554 ZwCreateKey(OUT PHANDLE KeyHandle,
555 IN ACCESS_MASK DesiredAccess,
556 IN POBJECT_ATTRIBUTES ObjectAttributes,
558 IN PUNICODE_STRING Class OPTIONAL,
559 IN ULONG CreateOptions,
560 IN PULONG Disposition OPTIONAL);
563 * FUNCTION: Creates a mail slot file
565 * MailSlotFileHandle (OUT) = Caller supplied storage for the resulting handle
566 * DesiredAccess = Specifies the allowed or desired access to the file
567 * ObjectAttributes = Contains the name of the mailslotfile.
574 * REMARKS: This function maps to the win32 function CreateMailSlot
581 NtCreateMailslotFile(
582 OUT PHANDLE MailSlotFileHandle,
583 IN ACCESS_MASK DesiredAccess,
584 IN POBJECT_ATTRIBUTES ObjectAttributes,
585 OUT PIO_STATUS_BLOCK IoStatusBlock,
586 IN ULONG FileAttributes,
587 IN ULONG ShareAccess,
588 IN ULONG MaxMessageSize,
589 IN PLARGE_INTEGER TimeOut
594 ZwCreateMailslotFile(
595 OUT PHANDLE MailSlotFileHandle,
596 IN ACCESS_MASK DesiredAccess,
597 IN POBJECT_ATTRIBUTES ObjectAttributes,
598 OUT PIO_STATUS_BLOCK IoStatusBlock,
599 IN ULONG FileAttributes,
600 IN ULONG ShareAccess,
601 IN ULONG MaxMessageSize,
602 IN PLARGE_INTEGER TimeOut
606 * FUNCTION: Creates or opens a mutex
608 * MutantHandle (OUT) = Caller supplied storage for the resulting handle
609 * DesiredAccess = Specifies the allowed or desired access to the mutex
610 * ObjectAttributes = Contains the name of the mutex.
611 * InitialOwner = If true the calling thread acquires ownership
613 * REMARKS: This function maps to the win32 function CreateMutex
620 OUT PHANDLE MutantHandle,
621 IN ACCESS_MASK DesiredAccess,
622 IN POBJECT_ATTRIBUTES ObjectAttributes,
623 IN BOOLEAN InitialOwner
629 OUT PHANDLE MutantHandle,
630 IN ACCESS_MASK DesiredAccess,
631 IN POBJECT_ATTRIBUTES ObjectAttributes,
632 IN BOOLEAN InitialOwner
636 * FUNCTION: Creates a process.
638 * ProcessHandle (OUT) = Caller supplied storage for the resulting handle
639 * DesiredAccess = Specifies the allowed or desired access to the process can
640 * be a combination of STANDARD_RIGHTS_REQUIRED| ..
641 * ObjectAttribute = Initialized attributes for the object, contains the rootdirectory and the filename
642 * ParentProcess = Handle to the parent process.
643 * InheritObjectTable = Specifies to inherit the objects of the parent process if true.
644 * SectionHandle = Handle to a section object to back the image file
645 * DebugPort = Handle to a DebugPort if NULL the system default debug port will be used.
646 * ExceptionPort = Handle to a exception port.
648 * This function maps to the win32 CreateProcess.
654 OUT PHANDLE ProcessHandle,
655 IN ACCESS_MASK DesiredAccess,
656 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
657 IN HANDLE ParentProcess,
658 IN BOOLEAN InheritObjectTable,
659 IN HANDLE SectionHandle OPTIONAL,
660 IN HANDLE DebugPort OPTIONAL,
661 IN HANDLE ExceptionPort OPTIONAL
667 OUT PHANDLE ProcessHandle,
668 IN ACCESS_MASK DesiredAccess,
669 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
670 IN HANDLE ParentProcess,
671 IN BOOLEAN InheritObjectTable,
672 IN HANDLE SectionHandle OPTIONAL,
673 IN HANDLE DebugPort OPTIONAL,
674 IN HANDLE ExceptionPort OPTIONAL
678 * FUNCTION: Creates a section object.
680 * SectionHandle (OUT) = Caller supplied storage for the resulting handle
681 * DesiredAccess = Specifies the desired access to the section can be a combination of STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_WRITE |
682 * SECTION_MAP_READ | SECTION_MAP_EXECUTE.
683 * ObjectAttribute = Initialized attributes for the object can be used to create a named section
684 * MaximumSize = Maximum size of the memory section. Must be non-NULL for a page-file backed section.
685 * If value specified for a mapped file and the file is not large enough, file will be extended.
686 * SectionPageProtection = Can be a combination of PAGE_READONLY | PAGE_READWRITE | PAGE_WRITEONLY | PAGE_WRITECOPY.
687 * AllocationAttributes = can be a combination of SEC_IMAGE | SEC_RESERVE
688 * FileHandle = Handle to a file to create a section mapped to a file instead of a memory backed section.
695 OUT PHANDLE SectionHandle,
696 IN ACCESS_MASK DesiredAccess,
697 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
698 IN PLARGE_INTEGER MaximumSize OPTIONAL,
699 IN ULONG SectionPageProtection OPTIONAL,
700 IN ULONG AllocationAttributes,
701 IN HANDLE FileHandle OPTIONAL
707 OUT PHANDLE SectionHandle,
708 IN ACCESS_MASK DesiredAccess,
709 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
710 IN PLARGE_INTEGER MaximumSize OPTIONAL,
711 IN ULONG SectionPageProtection OPTIONAL,
712 IN ULONG AllocationAttributes,
713 IN HANDLE FileHandle OPTIONAL
717 * FUNCTION: Creates a semaphore object for interprocess synchronization.
719 * SemaphoreHandle (OUT) = Caller supplied storage for the resulting handle
720 * DesiredAccess = Specifies the allowed or desired access to the semaphore.
721 * ObjectAttribute = Initialized attributes for the object.
722 * InitialCount = Not necessary zero, might be smaller than zero.
723 * MaximumCount = Maximum count the semaphore can reach.
726 * The semaphore is set to signaled when its count is greater than zero, and non-signaled when its count is zero.
729 //FIXME: should a semaphore's initial count allowed to be smaller than zero ??
733 OUT PHANDLE SemaphoreHandle,
734 IN ACCESS_MASK DesiredAccess,
735 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
736 IN LONG InitialCount,
743 OUT PHANDLE SemaphoreHandle,
744 IN ACCESS_MASK DesiredAccess,
745 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
746 IN LONG InitialCount,
751 * FUNCTION: Creates a symbolic link object
753 * SymbolicLinkHandle (OUT) = Caller supplied storage for the resulting handle
754 * DesiredAccess = Specifies the allowed or desired access to the symbolic link.
755 * ObjectAttributes = Initialized attributes for the object.
756 * Name = Target name of the symbolic link
761 NtCreateSymbolicLinkObject(
762 OUT PHANDLE SymbolicLinkHandle,
763 IN ACCESS_MASK DesiredAccess,
764 IN POBJECT_ATTRIBUTES ObjectAttributes,
765 IN PUNICODE_STRING Name
770 ZwCreateSymbolicLinkObject(
771 OUT PHANDLE SymbolicLinkHandle,
772 IN ACCESS_MASK DesiredAccess,
773 IN POBJECT_ATTRIBUTES ObjectAttributes,
774 IN PUNICODE_STRING Name
778 * FUNCTION: Creates a waitable timer.
780 * TimerHandle (OUT) = Caller supplied storage for the resulting handle
781 * DesiredAccess = Specifies the allowed or desired access to the timer.
782 * ObjectAttributes = Initialized attributes for the object.
783 * TimerType = Specifies if the timer should be reset manually.
785 * This function maps to the win32 CreateWaitableTimer. lpTimerAttributes and lpTimerName map to
786 * corresponding fields in OBJECT_ATTRIBUTES structure.
792 OUT PHANDLE TimerHandle,
793 IN ACCESS_MASK DesiredAccess,
794 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
795 IN TIMER_TYPE TimerType
801 OUT PHANDLE TimerHandle,
802 IN ACCESS_MASK DesiredAccess,
803 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
804 IN TIMER_TYPE TimerType
808 * FUNCTION: Creates a token.
810 * TokenHandle (OUT) = Caller supplied storage for the resulting handle
811 * DesiredAccess = Specifies the allowed or desired access to the token can
812 * be a combination of STANDARD_RIGHTS_REQUIRED| ..
813 * ObjectAttribute = Initialized attributes for the object, contains the rootdirectory and the filename
821 * TokenPrimaryGroup =
825 * This function does not map to a win32 function
832 OUT PHANDLE TokenHandle,
833 IN ACCESS_MASK DesiredAccess,
834 IN POBJECT_ATTRIBUTES ObjectAttributes,
835 IN TOKEN_TYPE TokenType,
836 IN PLUID AuthenticationId,
837 IN PLARGE_INTEGER ExpirationTime,
838 IN PTOKEN_USER TokenUser,
839 IN PTOKEN_GROUPS TokenGroups,
840 IN PTOKEN_PRIVILEGES TokenPrivileges,
841 IN PTOKEN_OWNER TokenOwner,
842 IN PTOKEN_PRIMARY_GROUP TokenPrimaryGroup,
843 IN PTOKEN_DEFAULT_DACL TokenDefaultDacl,
844 IN PTOKEN_SOURCE TokenSource
850 OUT PHANDLE TokenHandle,
851 IN ACCESS_MASK DesiredAccess,
852 IN POBJECT_ATTRIBUTES ObjectAttributes,
853 IN TOKEN_TYPE TokenType,
854 IN PLUID AuthenticationId,
855 IN PLARGE_INTEGER ExpirationTime,
856 IN PTOKEN_USER TokenUser,
857 IN PTOKEN_GROUPS TokenGroups,
858 IN PTOKEN_PRIVILEGES TokenPrivileges,
859 IN PTOKEN_OWNER TokenOwner,
860 IN PTOKEN_PRIMARY_GROUP TokenPrimaryGroup,
861 IN PTOKEN_DEFAULT_DACL TokenDefaultDacl,
862 IN PTOKEN_SOURCE TokenSource
866 * FUNCTION: Returns the callers thread TEB.
867 * RETURNS: The resulting teb.
877 * FUNCTION: Deletes an atom from the global atom table
879 * Atom = Identifies the atom to delete
881 * The function maps to the win32 GlobalDeleteAtom
897 * FUNCTION: Deletes a file or a directory
899 * ObjectAttributes = Name of the file which should be deleted
901 * This system call is functionally equivalent to NtSetInformationFile
902 * setting the disposition information.
903 * The function maps to the win32 DeleteFile.
909 IN POBJECT_ATTRIBUTES ObjectAttributes
915 IN POBJECT_ATTRIBUTES ObjectAttributes
919 * FUNCTION: Deletes a registry key
921 * KeyHandle = Handle of the key
936 * FUNCTION: Generates a audit message when an object is deleted
938 * SubsystemName = Specifies the name of the subsystem; can be 'WIN32' or 'DEBUG'
939 * HandleId= Handle to an audit object
940 * GenerateOnClose = Value returned by NtAccessCheckAndAuditAlarm
941 * REMARKS: This function maps to the win32 ObjectCloseAuditAlarm
947 NtDeleteObjectAuditAlarm (
948 IN PUNICODE_STRING SubsystemName,
950 IN BOOLEAN GenerateOnClose
955 ZwDeleteObjectAuditAlarm (
956 IN PUNICODE_STRING SubsystemName,
958 IN BOOLEAN GenerateOnClose
963 * FUNCTION: Deletes a value from a registry key
965 * KeyHandle = Handle of the key
966 * ValueName = Name of the value to delete
974 IN PUNICODE_STRING ValueName
981 IN PUNICODE_STRING ValueName
984 * FUNCTION: Sends IOCTL to the io sub system
986 * DeviceHandle = Points to the handle that is created by NtCreateFile
987 * Event = Event to synchronize on STATUS_PENDING
988 * ApcRoutine = Asynchronous procedure callback
989 * ApcContext = Callback context.
990 * IoStatusBlock = Caller should supply storage for extra information..
991 * IoControlCode = Contains the IO Control command. This is an
992 * index to the structures in InputBuffer and OutputBuffer.
993 * InputBuffer = Caller should supply storage for input buffer if IOCTL expects one.
994 * InputBufferSize = Size of the input buffer
995 * OutputBuffer = Caller should supply storage for output buffer if IOCTL expects one.
996 * OutputBufferSize = Size of the output buffer
1002 NtDeviceIoControlFile(
1003 IN HANDLE DeviceHandle,
1004 IN HANDLE Event OPTIONAL,
1005 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL,
1006 IN PVOID UserApcContext OPTIONAL,
1007 OUT PIO_STATUS_BLOCK IoStatusBlock,
1008 IN ULONG IoControlCode,
1009 IN PVOID InputBuffer,
1010 IN ULONG InputBufferSize,
1011 OUT PVOID OutputBuffer,
1012 IN ULONG OutputBufferSize
1017 ZwDeviceIoControlFile(
1018 IN HANDLE DeviceHandle,
1019 IN HANDLE Event OPTIONAL,
1020 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL,
1021 IN PVOID UserApcContext OPTIONAL,
1022 OUT PIO_STATUS_BLOCK IoStatusBlock,
1023 IN ULONG IoControlCode,
1024 IN PVOID InputBuffer,
1025 IN ULONG InputBufferSize,
1026 OUT PVOID OutputBuffer,
1027 IN ULONG OutputBufferSize
1030 * FUNCTION: Displays a string on the blue screen
1032 * DisplayString = The string to display
1039 IN PUNICODE_STRING DisplayString
1045 IN PUNICODE_STRING DisplayString
1049 * FUNCTION: Returns information about the subkeys of an open key
1051 * KeyHandle = Handle of the key whose subkeys are to be enumerated
1052 * Index = zero based index of the subkey for which information is
1054 * KeyInformationClass = Type of information returned
1055 * KeyInformation (OUT) = Caller allocated buffer for the information
1057 * Length = Length in bytes of the KeyInformation buffer
1058 * ResultLength (OUT) = Caller allocated storage which holds
1059 * the number of bytes of information retrieved
1066 IN HANDLE KeyHandle,
1068 IN KEY_INFORMATION_CLASS KeyInformationClass,
1069 OUT PVOID KeyInformation,
1071 OUT PULONG ResultLength
1077 IN HANDLE KeyHandle,
1079 IN KEY_INFORMATION_CLASS KeyInformationClass,
1080 OUT PVOID KeyInformation,
1082 OUT PULONG ResultLength
1085 * FUNCTION: Returns information about the value entries of an open key
1087 * KeyHandle = Handle of the key whose value entries are to be enumerated
1088 * Index = zero based index of the value entry for which information is
1090 * KeyValueInformationClass = Type of information returned
1091 * KeyValueInformation (OUT) = Caller allocated buffer for the information
1093 * Length = Length in bytes of the KeyValueInformation buffer
1094 * ResultLength (OUT) = Caller allocated storage which holds
1095 * the number of bytes of information retrieved
1101 NtEnumerateValueKey(
1102 IN HANDLE KeyHandle,
1104 IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
1105 OUT PVOID KeyValueInformation,
1107 OUT PULONG ResultLength
1112 ZwEnumerateValueKey(
1113 IN HANDLE KeyHandle,
1115 IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
1116 OUT PVOID KeyValueInformation,
1118 OUT PULONG ResultLength
1122 * FUNCTION: Flushes cached file data to disk
1124 * FileHandle = Points to the file
1125 * IoStatusBlock = Caller must supply storage to receive the result of the flush
1126 * buffers operation. The information field is set to number of bytes
1130 * This function maps to the win32 FlushFileBuffers
1135 IN HANDLE FileHandle,
1136 OUT PIO_STATUS_BLOCK IoStatusBlock
1142 IN HANDLE FileHandle,
1143 OUT PIO_STATUS_BLOCK IoStatusBlock
1147 * FUNCTION: Flushes a registry key to disk
1149 * KeyHandle = Points to the registry key handle
1152 * This function maps to the win32 RegFlushKey.
1167 * FUNCTION: Flushes the dirty pages to file
1169 * FIXME: Not sure this does (how is the file specified)
1171 NTSTATUS STDCALL NtFlushWriteBuffer(VOID);
1172 NTSTATUS STDCALL ZwFlushWriteBuffer(VOID);
1175 * FUNCTION: Frees a range of virtual memory
1177 * ProcessHandle = Points to the process that allocated the virtual
1179 * BaseAddress = Points to the memory address, rounded down to a
1180 * multiple of the pagesize
1181 * RegionSize = Limits the range to free, rounded up to a multiple of
1183 * FreeType = Can be one of the values: MEM_DECOMMIT, or MEM_RELEASE
1186 NTSTATUS STDCALL NtFreeVirtualMemory(IN HANDLE ProcessHandle,
1187 IN PVOID *BaseAddress,
1188 IN PULONG RegionSize,
1190 NTSTATUS STDCALL ZwFreeVirtualMemory(IN HANDLE ProcessHandle,
1191 IN PVOID *BaseAddress,
1192 IN PULONG RegionSize,
1196 * FUNCTION: Sends FSCTL to the filesystem
1198 * DeviceHandle = Points to the handle that is created by NtCreateFile
1199 * Event = Event to synchronize on STATUS_PENDING
1202 * IoStatusBlock = Caller should supply storage for
1203 * IoControlCode = Contains the File System Control command. This is an
1204 * index to the structures in InputBuffer and OutputBuffer.
1205 * FSCTL_GET_RETRIEVAL_POINTERS MAPPING_PAIR
1206 * FSCTL_GET_RETRIEVAL_POINTERS GET_RETRIEVAL_DESCRIPTOR
1207 * FSCTL_GET_VOLUME_BITMAP BITMAP_DESCRIPTOR
1208 * FSCTL_MOVE_FILE MOVEFILE_DESCRIPTOR
1210 * InputBuffer = Caller should supply storage for input buffer if FSCTL expects one.
1211 * InputBufferSize = Size of the input buffer
1212 * OutputBuffer = Caller should supply storage for output buffer if FSCTL expects one.
1213 * OutputBufferSize = Size of the output buffer
1214 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PENDING | STATUS_ACCESS_DENIED | STATUS_INSUFFICIENT_RESOURCES |
1215 * STATUS_INVALID_PARAMETER | STATUS_INVALID_DEVICE_REQUEST ]
1220 IN HANDLE DeviceHandle,
1221 IN HANDLE Event OPTIONAL,
1222 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
1223 IN PVOID ApcContext OPTIONAL,
1224 OUT PIO_STATUS_BLOCK IoStatusBlock,
1225 IN ULONG IoControlCode,
1226 IN PVOID InputBuffer,
1227 IN ULONG InputBufferSize,
1228 OUT PVOID OutputBuffer,
1229 IN ULONG OutputBufferSize
1235 IN HANDLE DeviceHandle,
1236 IN HANDLE Event OPTIONAL,
1237 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
1238 IN PVOID ApcContext OPTIONAL,
1239 OUT PIO_STATUS_BLOCK IoStatusBlock,
1240 IN ULONG IoControlCode,
1241 IN PVOID InputBuffer,
1242 IN ULONG InputBufferSize,
1243 OUT PVOID OutputBuffer,
1244 IN ULONG OutputBufferSize
1248 * FUNCTION: Retrieves the processor context of a thread
1250 * ThreadHandle = Handle to a thread
1251 * Context (OUT) = Caller allocated storage for the processor context
1258 IN HANDLE ThreadHandle,
1259 OUT PCONTEXT Context
1265 IN HANDLE ThreadHandle,
1266 OUT PCONTEXT Context
1270 * FUNCTION: Sets a thread to impersonate another
1272 * ThreadHandle = Server thread that will impersonate a client.
1273 ThreadToImpersonate = Client thread that will be impersonated
1274 SecurityQualityOfService = Specifies the impersonation level.
1280 NtImpersonateThread(
1281 IN HANDLE ThreadHandle,
1282 IN HANDLE ThreadToImpersonate,
1283 IN PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService
1288 ZwImpersonateThread(
1289 IN HANDLE ThreadHandle,
1290 IN HANDLE ThreadToImpersonate,
1291 IN PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService
1295 * FUNCTION: Initializes the registry.
1297 * SetUpBoot = This parameter is true for a setup boot.
1302 NtInitializeRegistry(
1307 ZwInitializeRegistry(
1312 * FUNCTION: Loads a driver.
1314 * DriverServiceName = Name of the driver to load
1320 IN PUNICODE_STRING DriverServiceName
1326 IN PUNICODE_STRING DriverServiceName
1330 * FUNCTION: Locks a range of bytes in a file.
1332 * FileHandle = Handle to the file
1333 * Event = Should be null if apc is specified.
1334 * ApcRoutine = Asynchronous Procedure Callback
1335 * ApcContext = Argument to the callback
1336 * IoStatusBlock (OUT) = Caller should supply storage for a structure containing
1337 * the completion status and information about the requested lock operation.
1338 * ByteOffset = Offset
1339 * Length = Number of bytes to lock.
1340 * Key = Special value to give other threads the possibility to unlock the file
1341 by supplying the key in a call to NtUnlockFile.
1342 * FailImmediatedly = If false the request will block until the lock is obtained.
1343 * ExclusiveLock = Specifies whether a exclusive or a shared lock is obtained.
1345 This procedure maps to the win32 procedure LockFileEx. STATUS_PENDING is returned if the lock could
1346 not be obtained immediately, the device queue is busy and the IRP is queued.
1347 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PENDING | STATUS_ACCESS_DENIED | STATUS_INSUFFICIENT_RESOURCES |
1348 STATUS_INVALID_PARAMETER | STATUS_INVALID_DEVICE_REQUEST | STATUS_LOCK_NOT_GRANTED ]
1354 IN HANDLE FileHandle,
1355 IN HANDLE Event OPTIONAL,
1356 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
1357 IN PVOID ApcContext OPTIONAL,
1358 OUT PIO_STATUS_BLOCK IoStatusBlock,
1359 IN PLARGE_INTEGER ByteOffset,
1360 IN PLARGE_INTEGER Length,
1362 IN BOOLEAN FailImmediatedly,
1363 IN BOOLEAN ExclusiveLock
1369 IN HANDLE FileHandle,
1370 IN HANDLE Event OPTIONAL,
1371 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
1372 IN PVOID ApcContext OPTIONAL,
1373 OUT PIO_STATUS_BLOCK IoStatusBlock,
1374 IN PLARGE_INTEGER ByteOffset,
1375 IN PLARGE_INTEGER Length,
1377 IN BOOLEAN FailImmediatedly,
1378 IN BOOLEAN ExclusiveLock
1382 * FUNCTION: Makes temporary object that will be removed at next boot.
1384 * Handle = Handle to object
1390 NtMakeTemporaryObject(
1396 ZwMakeTemporaryObject(
1400 * FUNCTION: Maps a view of a section into the virtual address space of a
1403 * SectionHandle = Handle of the section
1404 * ProcessHandle = Handle of the process
1405 * BaseAddress = Desired base address (or NULL) on entry
1406 * Actual base address of the view on exit
1407 * ZeroBits = Number of high order address bits that must be zero
1408 * CommitSize = Size in bytes of the initially committed section of
1410 * SectionOffset = Offset in bytes from the beginning of the section
1411 * to the beginning of the view
1412 * ViewSize = Desired length of map (or zero to map all) on entry
1413 * Actual length mapped on exit
1414 * InheritDisposition = Specified how the view is to be shared with
1416 * AllocateType = Type of allocation for the pages
1417 * Protect = Protection for the committed region of the view
1423 IN HANDLE SectionHandle,
1424 IN HANDLE ProcessHandle,
1425 IN OUT PVOID *BaseAddress,
1427 IN ULONG CommitSize,
1428 IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
1429 IN OUT PULONG ViewSize,
1430 IN SECTION_INHERIT InheritDisposition,
1431 IN ULONG AllocationType,
1432 IN ULONG AccessProtection
1438 IN HANDLE SectionHandle,
1439 IN HANDLE ProcessHandle,
1440 IN OUT PVOID *BaseAddress,
1442 IN ULONG CommitSize,
1443 IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
1444 IN OUT PULONG ViewSize,
1445 IN SECTION_INHERIT InheritDisposition,
1446 IN ULONG AllocationType,
1447 IN ULONG AccessProtection
1451 * FUNCTION: Installs a notify for the change of a directory's contents
1453 * FileHandle = Handle to the directory
1455 * ApcRoutine = Asynchronous Procedure Callback
1456 * ApcContext = Argument to the callback
1458 * IoStatusBlock = Caller should supply storage for the completion status of the request
1459 * Buffer = Caller supplies storage for resulting information --> FILE_NOTIFY_INFORMATION
1460 * BufferSize = Size of the buffer
1461 CompletionFilter = Can be one of the following values:
1462 FILE_NOTIFY_CHANGE_FILE_NAME
1463 FILE_NOTIFY_CHANGE_DIR_NAME
1464 FILE_NOTIFY_CHANGE_NAME ( FILE_NOTIFY_CHANGE_FILE_NAME | FILE_NOTIFY_CHANGE_DIR_NAME )
1465 FILE_NOTIFY_CHANGE_ATTRIBUTES
1466 FILE_NOTIFY_CHANGE_SIZE
1467 FILE_NOTIFY_CHANGE_LAST_WRITE
1468 FILE_NOTIFY_CHANGE_LAST_ACCESS
1469 FILE_NOTIFY_CHANGE_CREATION ( change of creation timestamp )
1470 FILE_NOTIFY_CHANGE_EA
1471 FILE_NOTIFY_CHANGE_SECURITY
1472 FILE_NOTIFY_CHANGE_STREAM_NAME
1473 FILE_NOTIFY_CHANGE_STREAM_SIZE
1474 FILE_NOTIFY_CHANGE_STREAM_WRITE
1475 WatchTree = If true the notify will be installed recursively on the target directory and all subdirectories.
1478 * The function maps to the win32 FindFirstChangeNotification, FindNextChangeNotification
1483 NtNotifyChangeDirectoryFile(
1484 IN HANDLE FileHandle,
1485 IN HANDLE Event OPTIONAL,
1486 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
1487 IN PVOID ApcContext OPTIONAL,
1488 OUT PIO_STATUS_BLOCK IoStatusBlock,
1490 IN ULONG BufferSize,
1491 IN ULONG CompletionFilter,
1492 IN BOOLEAN WatchTree
1497 ZwNotifyChangeDirectoryFile(
1498 IN HANDLE FileHandle,
1499 IN HANDLE Event OPTIONAL,
1500 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
1501 IN PVOID ApcContext OPTIONAL,
1502 OUT PIO_STATUS_BLOCK IoStatusBlock,
1504 IN ULONG BufferSize,
1505 IN ULONG CompletionFilter,
1506 IN BOOLEAN WatchTree
1510 * FUNCTION: Installs a notification callback on registry changes
1512 KeyHandle = Handle to the registry key
1513 Event = Event that should be signalled on modification of the key
1514 ApcRoutine = Routine that should be called on modification of the key
1515 ApcContext = Argument to the ApcRoutine
1517 CompletionFilter = Specifies the kind of notification the caller likes to receive.
1518 Can be a combination of the following values:
1520 REG_NOTIFY_CHANGE_NAME
1521 REG_NOTIFY_CHANGE_ATTRIBUTES
1522 REG_NOTIFY_CHANGE_LAST_SET
1523 REG_NOTIFY_CHANGE_SECURITY
1526 Asynchroneous = If TRUE the changes are reported by signalling an event if false
1527 the function will not return before a change occurs.
1528 ChangeBuffer = Will return the old value
1529 Length = Size of the change buffer
1530 WatchSubtree = Indicates if the caller likes to receive a notification of changes in
1532 * REMARKS: If the key is closed the event is signalled as well.
1539 IN HANDLE KeyHandle,
1541 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
1542 IN PVOID ApcContext OPTIONAL,
1543 OUT PIO_STATUS_BLOCK IoStatusBlock,
1544 IN ULONG CompletionFilter,
1545 IN BOOLEAN Asynchroneous,
1546 OUT PVOID ChangeBuffer,
1548 IN BOOLEAN WatchSubtree
1554 IN HANDLE KeyHandle,
1556 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
1557 IN PVOID ApcContext OPTIONAL,
1558 OUT PIO_STATUS_BLOCK IoStatusBlock,
1559 IN ULONG CompletionFilter,
1560 IN BOOLEAN Asynchroneous,
1561 OUT PVOID ChangeBuffer,
1563 IN BOOLEAN WatchSubtree
1567 * FUNCTION: Opens an existing directory object
1569 * FileHandle (OUT) = Caller supplied storage for the resulting handle
1570 * DesiredAccess = Requested access to the directory
1571 * ObjectAttributes = Initialized attributes for the object
1577 NtOpenDirectoryObject(
1578 OUT PHANDLE FileHandle,
1579 IN ACCESS_MASK DesiredAccess,
1580 IN POBJECT_ATTRIBUTES ObjectAttributes
1584 ZwOpenDirectoryObject(
1585 OUT PHANDLE FileHandle,
1586 IN ACCESS_MASK DesiredAccess,
1587 IN POBJECT_ATTRIBUTES ObjectAttributes
1591 * FUNCTION: Opens an existing event
1593 * EventHandle (OUT) = Caller supplied storage for the resulting handle
1594 * DesiredAccess = Requested access to the event
1595 * ObjectAttributes = Initialized attributes for the object
1601 OUT PHANDLE EventHandle,
1602 IN ACCESS_MASK DesiredAccess,
1603 IN POBJECT_ATTRIBUTES ObjectAttributes
1609 OUT PHANDLE EventHandle,
1610 IN ACCESS_MASK DesiredAccess,
1611 IN POBJECT_ATTRIBUTES ObjectAttributes
1615 * FUNCTION: Opens an existing event pair
1617 * EventPairHandle (OUT) = Caller supplied storage for the resulting handle
1618 * DesiredAccess = Requested access to the event pair
1619 * ObjectAttributes = Initialized attributes for the object
1626 OUT PHANDLE EventPairHandle,
1627 IN ACCESS_MASK DesiredAccess,
1628 IN POBJECT_ATTRIBUTES ObjectAttributes
1634 OUT PHANDLE EventPairHandle,
1635 IN ACCESS_MASK DesiredAccess,
1636 IN POBJECT_ATTRIBUTES ObjectAttributes
1639 * FUNCTION: Opens an existing file
1641 * FileHandle (OUT) = Caller supplied storage for the resulting handle
1642 * DesiredAccess = Requested access to the file
1643 * ObjectAttributes = Initialized attributes for the object
1652 OUT PHANDLE FileHandle,
1653 IN ACCESS_MASK DesiredAccess,
1654 IN POBJECT_ATTRIBUTES ObjectAttributes,
1655 OUT PIO_STATUS_BLOCK IoStatusBlock,
1656 IN ULONG ShareAccess,
1657 IN ULONG OpenOptions
1663 OUT PHANDLE FileHandle,
1664 IN ACCESS_MASK DesiredAccess,
1665 IN POBJECT_ATTRIBUTES ObjectAttributes,
1666 OUT PIO_STATUS_BLOCK IoStatusBlock,
1667 IN ULONG ShareAccess,
1668 IN ULONG OpenOptions
1672 * FUNCTION: Opens an existing io completion object
1674 * CompletionPort (OUT) = Caller supplied storage for the resulting handle
1675 * DesiredAccess = Requested access to the io completion object
1676 * ObjectAttributes = Initialized attributes for the object
1683 OUT PHANDLE CompetionPort,
1684 IN ACCESS_MASK DesiredAccess,
1685 IN POBJECT_ATTRIBUTES ObjectAttributes
1691 OUT PHANDLE CompetionPort,
1692 IN ACCESS_MASK DesiredAccess,
1693 IN POBJECT_ATTRIBUTES ObjectAttributes
1697 * FUNCTION: Opens an existing key in the registry
1699 * KeyHandle (OUT) = Caller supplied storage for the resulting handle
1700 * DesiredAccess = Requested access to the key
1701 * ObjectAttributes = Initialized attributes for the object
1707 OUT PHANDLE KeyHandle,
1708 IN ACCESS_MASK DesiredAccess,
1709 IN POBJECT_ATTRIBUTES ObjectAttributes
1715 OUT PHANDLE KeyHandle,
1716 IN ACCESS_MASK DesiredAccess,
1717 IN POBJECT_ATTRIBUTES ObjectAttributes
1720 * FUNCTION: Opens an existing mutant
1722 * MutantHandle (OUT) = Caller supplied storage for the resulting handle
1723 * DesiredAccess = Requested access to the mutant
1724 * ObjectAttribute = Initialized attributes for the object
1730 OUT PHANDLE MutantHandle,
1731 IN ACCESS_MASK DesiredAccess,
1732 IN POBJECT_ATTRIBUTES ObjectAttributes
1737 OUT PHANDLE MutantHandle,
1738 IN ACCESS_MASK DesiredAccess,
1739 IN POBJECT_ATTRIBUTES ObjectAttributes
1743 * FUNCTION: Opens an existing process
1745 * ProcessHandle (OUT) = Caller supplied storage for the resulting handle
1746 * DesiredAccess = Requested access to the process
1747 * ObjectAttribute = Initialized attributes for the object
1748 * ClientId = Identifies the process id to open
1754 OUT PHANDLE ProcessHandle,
1755 IN ACCESS_MASK DesiredAccess,
1756 IN POBJECT_ATTRIBUTES ObjectAttributes,
1757 IN PCLIENT_ID ClientId
1762 OUT PHANDLE ProcessHandle,
1763 IN ACCESS_MASK DesiredAccess,
1764 IN POBJECT_ATTRIBUTES ObjectAttributes,
1765 IN PCLIENT_ID ClientId
1768 * FUNCTION: Opens the access token of an existing process
1770 * ProcessHandle = Handle of the process which owns the token
1771 * DesiredAccess = Requested access to the token
1772 * TokenHandle (OUT) = Caller supplies storage for the resulting token.
1774 This function maps to the win32
1781 IN HANDLE ProcessHandle,
1782 IN ACCESS_MASK DesiredAccess,
1783 OUT PHANDLE TokenHandle
1789 IN HANDLE ProcessHandle,
1790 IN ACCESS_MASK DesiredAccess,
1791 OUT PHANDLE TokenHandle
1795 * FUNCTION: Opens an existing section object
1797 * SectionHandle (OUT) = Caller supplied storage for the resulting handle
1798 * DesiredAccess = Requested access to the section
1799 * ObjectAttribute = Initialized attributes for the object
1806 OUT PHANDLE SectionHandle,
1807 IN ACCESS_MASK DesiredAccess,
1808 IN POBJECT_ATTRIBUTES ObjectAttributes
1813 OUT PHANDLE SectionHandle,
1814 IN ACCESS_MASK DesiredAccess,
1815 IN POBJECT_ATTRIBUTES ObjectAttributes
1818 * FUNCTION: Opens an existing semaphore
1820 * SemaphoreHandle (OUT) = Caller supplied storage for the resulting handle
1821 * DesiredAccess = Requested access to the semaphore
1822 * ObjectAttribute = Initialized attributes for the object
1828 IN HANDLE SemaphoreHandle,
1829 IN ACCESS_MASK DesiredAcces,
1830 IN POBJECT_ATTRIBUTES ObjectAttributes
1835 IN HANDLE SemaphoreHandle,
1836 IN ACCESS_MASK DesiredAcces,
1837 IN POBJECT_ATTRIBUTES ObjectAttributes
1840 * FUNCTION: Opens an existing symbolic link
1842 * SymbolicLinkHandle (OUT) = Caller supplied storage for the resulting handle
1843 * DesiredAccess = Requested access to the symbolic link
1844 * ObjectAttribute = Initialized attributes for the object
1849 NtOpenSymbolicLinkObject(
1850 OUT PHANDLE SymbolicLinkHandle,
1851 IN ACCESS_MASK DesiredAccess,
1852 IN POBJECT_ATTRIBUTES ObjectAttributes
1856 ZwOpenSymbolicLinkObject(
1857 OUT PHANDLE SymbolicLinkHandle,
1858 IN ACCESS_MASK DesiredAccess,
1859 IN POBJECT_ATTRIBUTES ObjectAttributes
1862 * FUNCTION: Opens an existing thread
1864 * ThreadHandle (OUT) = Caller supplied storage for the resulting handle
1865 * DesiredAccess = Requested access to the thread
1866 * ObjectAttribute = Initialized attributes for the object
1867 * ClientId = Identifies the thread to open.
1873 OUT PHANDLE ThreadHandle,
1874 IN ACCESS_MASK DesiredAccess,
1875 IN POBJECT_ATTRIBUTES ObjectAttributes,
1876 IN PCLIENT_ID ClientId
1881 OUT PHANDLE ThreadHandle,
1882 IN ACCESS_MASK DesiredAccess,
1883 IN POBJECT_ATTRIBUTES ObjectAttributes,
1884 IN PCLIENT_ID ClientId
1890 IN HANDLE ThreadHandle,
1891 IN ACCESS_MASK DesiredAccess,
1892 IN BOOLEAN OpenAsSelf,
1893 OUT PHANDLE TokenHandle
1899 IN HANDLE ThreadHandle,
1900 IN ACCESS_MASK DesiredAccess,
1901 IN BOOLEAN OpenAsSelf,
1902 OUT PHANDLE TokenHandle
1905 * FUNCTION: Opens an existing timer
1907 * TimerHandle (OUT) = Caller supplied storage for the resulting handle
1908 * DesiredAccess = Requested access to the timer
1909 * ObjectAttribute = Initialized attributes for the object
1915 OUT PHANDLE TimerHandle,
1916 IN ACCESS_MASK DesiredAccess,
1917 IN POBJECT_ATTRIBUTES ObjectAttributes
1922 OUT PHANDLE TimerHandle,
1923 IN ACCESS_MASK DesiredAccess,
1924 IN POBJECT_ATTRIBUTES ObjectAttributes
1928 * FUNCTION: Checks an access token for specific privileges
1930 * ClientToken = Handle to an access token structure
1931 * RequiredPrivileges = Specifies the requested privileges.
1932 * Result = Caller supplies storage for the result. If PRIVILEGE_SET_ALL_NECESSARY is
1933 set in the Control member of the PRIVILEGE_SET, Result
1934 will only be TRUE if all privileges are present in the access token.
1941 IN HANDLE ClientToken,
1942 IN PPRIVILEGE_SET RequiredPrivileges,
1949 IN HANDLE ClientToken,
1950 IN PPRIVILEGE_SET RequiredPrivileges,
1956 NtPrivilegedServiceAuditAlarm(
1957 IN PUNICODE_STRING SubsystemName,
1958 IN PUNICODE_STRING ServiceName,
1959 IN HANDLE ClientToken,
1960 IN PPRIVILEGE_SET Privileges,
1961 IN BOOLEAN AccessGranted
1966 ZwPrivilegedServiceAuditAlarm(
1967 IN PUNICODE_STRING SubsystemName,
1968 IN PUNICODE_STRING ServiceName,
1969 IN HANDLE ClientToken,
1970 IN PPRIVILEGE_SET Privileges,
1971 IN BOOLEAN AccessGranted
1976 NtPrivilegeObjectAuditAlarm(
1977 IN PUNICODE_STRING SubsystemName,
1979 IN HANDLE ClientToken,
1980 IN ULONG DesiredAccess,
1981 IN PPRIVILEGE_SET Privileges,
1982 IN BOOLEAN AccessGranted
1987 ZwPrivilegeObjectAuditAlarm(
1988 IN PUNICODE_STRING SubsystemName,
1990 IN HANDLE ClientToken,
1991 IN ULONG DesiredAccess,
1992 IN PPRIVILEGE_SET Privileges,
1993 IN BOOLEAN AccessGranted
1997 * FUNCTION: Entry point for native applications
1999 * Peb = Points to the Process Environment Block (PEB)
2001 * Native applications should use this function instead of a main.
2002 * Calling process should terminate itself.
2012 * FUNCTION: Signals an event and resets it afterwards.
2014 * EventHandle = Handle to the event
2015 * PulseCount = Number of times the action is repeated
2021 IN HANDLE EventHandle,
2022 IN PULONG PulseCount OPTIONAL
2028 IN HANDLE EventHandle,
2029 IN PULONG PulseCount OPTIONAL
2033 * FUNCTION: Queries the attributes of a file
2035 * ObjectAttributes = Initialized attributes for the object
2036 * FileInformation = Caller supplies storage for the attributes
2041 NtQueryAttributesFile(IN POBJECT_ATTRIBUTES ObjectAttributes,
2042 OUT PFILE_BASIC_INFORMATION FileInformation);
2045 ZwQueryAttributesFile(IN POBJECT_ATTRIBUTES ObjectAttributes,
2046 OUT PFILE_BASIC_INFORMATION FileInformation);
2049 * FUNCTION: Queries the default locale id
2051 * UserProfile = Type of locale id
2052 * TRUE: thread locale id
2053 * FALSE: system locale id
2054 * DefaultLocaleId = Caller supplies storage for the locale id
2060 NtQueryDefaultLocale(
2061 IN BOOLEAN UserProfile,
2062 OUT PLCID DefaultLocaleId
2067 ZwQueryDefaultLocale(
2068 IN BOOLEAN UserProfile,
2069 OUT PLCID DefaultLocaleId
2073 * FUNCTION: Queries a directory file.
2075 * FileHandle = Handle to a directory file
2076 * Event = Handle to the event signaled on completion
2077 * ApcRoutine = Asynchronous procedure callback, called on completion
2078 * ApcContext = Argument to the apc.
2079 * IoStatusBlock = Caller supplies storage for extended status information.
2080 * FileInformation = Caller supplies storage for the resulting information.
2082 * FileNameInformation FILE_NAMES_INFORMATION
2083 * FileDirectoryInformation FILE_DIRECTORY_INFORMATION
2084 * FileFullDirectoryInformation FILE_FULL_DIRECTORY_INFORMATION
2085 * FileBothDirectoryInformation FILE_BOTH_DIR_INFORMATION
2087 * Length = Size of the storage supplied
2088 * FileInformationClass = Indicates the type of information requested.
2089 * ReturnSingleEntry = Specify true if caller only requests the first directory found.
2090 * FileName = Initial directory name to query, that may contain wild cards.
2091 * RestartScan = Number of times the action should be repeated
2092 * RETURNS: Status [ STATUS_SUCCESS, STATUS_ACCESS_DENIED, STATUS_INSUFFICIENT_RESOURCES,
2093 * STATUS_INVALID_PARAMETER, STATUS_INVALID_DEVICE_REQUEST, STATUS_BUFFER_OVERFLOW,
2094 * STATUS_INVALID_INFO_CLASS, STATUS_NO_SUCH_FILE, STATUS_NO_MORE_FILES ]
2099 NtQueryDirectoryFile(
2100 IN HANDLE FileHandle,
2101 IN HANDLE Event OPTIONAL,
2102 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
2103 IN PVOID ApcContext OPTIONAL,
2104 OUT PIO_STATUS_BLOCK IoStatusBlock,
2105 OUT PVOID FileInformation,
2107 IN FILE_INFORMATION_CLASS FileInformationClass,
2108 IN BOOLEAN ReturnSingleEntry,
2109 IN PUNICODE_STRING FileName OPTIONAL,
2110 IN BOOLEAN RestartScan
2115 ZwQueryDirectoryFile(
2116 IN HANDLE FileHandle,
2117 IN HANDLE Event OPTIONAL,
2118 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
2119 IN PVOID ApcContext OPTIONAL,
2120 OUT PIO_STATUS_BLOCK IoStatusBlock,
2121 OUT PVOID FileInformation,
2123 IN FILE_INFORMATION_CLASS FileInformationClass,
2124 IN BOOLEAN ReturnSingleEntry,
2125 IN PUNICODE_STRING FileName OPTIONAL,
2126 IN BOOLEAN RestartScan
2130 * FUNCTION: Queries the extended attributes of a file
2132 * FileHandle = Handle to the file
2133 * IoStatusBlock = Caller supplies storage for extended status information.
2147 IN HANDLE FileHandle,
2148 OUT PIO_STATUS_BLOCK IoStatusBlock,
2151 IN BOOLEAN ReturnSingleEntry,
2152 IN PVOID EaList OPTIONAL,
2153 IN ULONG EaListLength,
2154 IN PULONG EaIndex OPTIONAL,
2155 IN BOOLEAN RestartScan
2161 IN HANDLE FileHandle,
2162 OUT PIO_STATUS_BLOCK IoStatusBlock,
2165 IN BOOLEAN ReturnSingleEntry,
2166 IN PVOID EaList OPTIONAL,
2167 IN ULONG EaListLength,
2168 IN PULONG EaIndex OPTIONAL,
2169 IN BOOLEAN RestartScan
2173 * FUNCTION: Queries an event
2175 * EventHandle = Handle to the event
2176 * EventInformationClass = Index of the information structure
2178 EventBasicInformation EVENT_BASIC_INFORMATION
2180 * EventInformation = Caller supplies storage for the information structure
2181 * EventInformationLength = Size of the information structure
2182 * ReturnLength = Data written
2188 IN HANDLE EventHandle,
2189 IN EVENT_INFORMATION_CLASS EventInformationClass,
2190 OUT PVOID EventInformation,
2191 IN ULONG EventInformationLength,
2192 OUT PULONG ReturnLength
2197 IN HANDLE EventHandle,
2198 IN EVENT_INFORMATION_CLASS EventInformationClass,
2199 OUT PVOID EventInformation,
2200 IN ULONG EventInformationLength,
2201 OUT PULONG ReturnLength
2205 NtQueryFullAttributesFile(IN POBJECT_ATTRIBUTES ObjectAttributes,
2206 OUT PFILE_NETWORK_OPEN_INFORMATION FileInformation);
2209 ZwQueryFullAttributesFile(IN POBJECT_ATTRIBUTES ObjectAttributes,
2210 OUT PFILE_NETWORK_OPEN_INFORMATION FileInformation);
2213 * FUNCTION: Queries the information of a file object.
2215 * FileHandle = Handle to the file object
2216 * IoStatusBlock = Caller supplies storage for extended information
2217 * on the current operation.
2218 * FileInformation = Storage for the new file information
2219 * Length = Size of the storage for the file information.
2220 * FileInformationClass = Indicates which file information is queried
2222 FileDirectoryInformation FILE_DIRECTORY_INFORMATION
2223 FileFullDirectoryInformation FILE_FULL_DIRECTORY_INFORMATION
2224 FileBothDirectoryInformation FILE_BOTH_DIRECTORY_INFORMATION
2225 FileBasicInformation FILE_BASIC_INFORMATION
2226 FileStandardInformation FILE_STANDARD_INFORMATION
2227 FileInternalInformation FILE_INTERNAL_INFORMATION
2228 FileEaInformation FILE_EA_INFORMATION
2229 FileAccessInformation FILE_ACCESS_INFORMATION
2230 FileNameInformation FILE_NAME_INFORMATION
2231 FileRenameInformation FILE_RENAME_INFORMATION
2233 FileNamesInformation FILE_NAMES_INFORMATION
2234 FileDispositionInformation FILE_DISPOSITION_INFORMATION
2235 FilePositionInformation FILE_POSITION_INFORMATION
2236 FileFullEaInformation FILE_FULL_EA_INFORMATION
2237 FileModeInformation FILE_MODE_INFORMATION
2238 FileAlignmentInformation FILE_ALIGNMENT_INFORMATION
2239 FileAllInformation FILE_ALL_INFORMATION
2241 FileEndOfFileInformation FILE_END_OF_FILE_INFORMATION
2242 FileAlternateNameInformation
2243 FileStreamInformation FILE_STREAM_INFORMATION
2245 FilePipeLocalInformation
2246 FilePipeRemoteInformation
2247 FileMailslotQueryInformation
2248 FileMailslotSetInformation
2249 FileCompressionInformation FILE_COMPRESSION_INFORMATION
2250 FileCopyOnWriteInformation
2251 FileCompletionInformation IO_COMPLETION_CONTEXT
2252 FileMoveClusterInformation
2253 FileOleClassIdInformation
2254 FileOleStateBitsInformation
2255 FileNetworkOpenInformation FILE_NETWORK_OPEN_INFORMATION
2256 FileObjectIdInformation
2257 FileOleAllInformation
2258 FileOleDirectoryInformation
2259 FileContentIndexInformation
2260 FileInheritContentIndexInformation
2262 FileMaximumInformation
2265 * This procedure maps to the win32 GetShortPathName, GetLongPathName,
2266 GetFullPathName, GetFileType, GetFileSize, GetFileTime functions.
2271 NtQueryInformationFile(
2272 IN HANDLE FileHandle,
2273 OUT PIO_STATUS_BLOCK IoStatusBlock,
2274 OUT PVOID FileInformation,
2276 IN FILE_INFORMATION_CLASS FileInformationClass
2281 ZwQueryInformationFile(
2283 PIO_STATUS_BLOCK IoStatusBlock,
2284 PVOID FileInformation,
2286 FILE_INFORMATION_CLASS FileInformationClass
2291 * FUNCTION: Queries the information of a thread object.
2293 * ThreadHandle = Handle to the thread object
2294 * ThreadInformationClass = Index to a certain information structure
2296 ThreadBasicInformation THREAD_BASIC_INFORMATION
2297 ThreadTimes KERNEL_USER_TIMES
2298 ThreadPriority KPRIORITY
2299 ThreadBasePriority KPRIORITY
2300 ThreadAffinityMask KAFFINITY
2301 ThreadImpersonationToken
2302 ThreadDescriptorTableEntry
2303 ThreadEnableAlignmentFaultFixup
2305 ThreadQuerySetWin32StartAddress
2307 ThreadPerformanceCount
2308 ThreadAmILastThread BOOLEAN
2309 ThreadIdealProcessor ULONG
2310 ThreadPriorityBoost ULONG
2314 * ThreadInformation = Caller supplies storage for the thread information
2315 * ThreadInformationLength = Size of the thread information structure
2316 * ReturnLength = Actual number of bytes written
2319 * This procedure maps to the win32 GetThreadTimes, GetThreadPriority,
2320 GetThreadPriorityBoost functions.
2327 NtQueryInformationThread(
2328 IN HANDLE ThreadHandle,
2329 IN THREADINFOCLASS ThreadInformationClass,
2330 OUT PVOID ThreadInformation,
2331 IN ULONG ThreadInformationLength,
2332 OUT PULONG ReturnLength
2338 NtQueryInformationToken(
2339 IN HANDLE TokenHandle,
2340 IN TOKEN_INFORMATION_CLASS TokenInformationClass,
2341 OUT PVOID TokenInformation,
2342 IN ULONG TokenInformationLength,
2343 OUT PULONG ReturnLength
2348 ZwQueryInformationToken(
2349 IN HANDLE TokenHandle,
2350 IN TOKEN_INFORMATION_CLASS TokenInformationClass,
2351 OUT PVOID TokenInformation,
2352 IN ULONG TokenInformationLength,
2353 OUT PULONG ReturnLength
2358 NtQueryIoCompletion(
2359 IN HANDLE IoCompletionHandle,
2360 IN IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass,
2361 OUT PVOID IoCompletionInformation,
2362 IN ULONG IoCompletionInformationLength,
2363 OUT PULONG ResultLength OPTIONAL
2368 ZwQueryIoCompletion(
2369 IN HANDLE IoCompletionHandle,
2370 IN IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass,
2371 OUT PVOID IoCompletionInformation,
2372 IN ULONG IoCompletionInformationLength,
2373 OUT PULONG ResultLength OPTIONAL
2377 * FUNCTION: Queries the information of a registry key object.
2379 KeyHandle = Handle to a registry key
2380 KeyInformationClass = Index to a certain information structure
2381 KeyInformation = Caller supplies storage for resulting information
2382 Length = Size of the supplied storage
2383 ResultLength = Bytes written
2388 IN HANDLE KeyHandle,
2389 IN KEY_INFORMATION_CLASS KeyInformationClass,
2390 OUT PVOID KeyInformation,
2392 OUT PULONG ResultLength
2398 IN HANDLE KeyHandle,
2399 IN KEY_INFORMATION_CLASS KeyInformationClass,
2400 OUT PVOID KeyInformation,
2402 OUT PULONG ResultLength
2410 NtQueryMultipleValueKey(
2411 IN HANDLE KeyHandle,
2412 IN OUT PKEY_VALUE_ENTRY ValueList,
2413 IN ULONG NumberOfValues,
2415 IN OUT PULONG Length,
2416 OUT PULONG ReturnLength
2421 ZwQueryMultipleValueKey(
2422 IN HANDLE KeyHandle,
2423 IN OUT PKEY_VALUE_ENTRY ValueList,
2424 IN ULONG NumberOfValues,
2426 IN OUT PULONG Length,
2427 OUT PULONG ReturnLength
2431 * FUNCTION: Queries the information of a mutant object.
2433 MutantHandle = Handle to a mutant
2434 MutantInformationClass = Index to a certain information structure
2435 MutantInformation = Caller supplies storage for resulting information
2436 Length = Size of the supplied storage
2437 ResultLength = Bytes written
2442 IN HANDLE MutantHandle,
2443 IN CINT MutantInformationClass,
2444 OUT PVOID MutantInformation,
2446 OUT PULONG ResultLength
2452 IN HANDLE MutantHandle,
2453 IN CINT MutantInformationClass,
2454 OUT PVOID MutantInformation,
2456 OUT PULONG ResultLength
2460 * FUNCTION: Queries the system ( high-resolution ) performance counter.
2462 * Counter = Performance counter
2463 * Frequency = Performance frequency
2465 This procedure queries a tick count faster than 10ms ( The resolution for Intel®-based CPUs is about 0.8 microseconds.)
2466 This procedure maps to the win32 QueryPerformanceCounter, QueryPerformanceFrequency
2472 NtQueryPerformanceCounter(
2473 IN PLARGE_INTEGER Counter,
2474 IN PLARGE_INTEGER Frequency
2479 ZwQueryPerformanceCounter(
2480 IN PLARGE_INTEGER Counter,
2481 IN PLARGE_INTEGER Frequency
2485 * FUNCTION: Queries the information of a semaphore.
2487 * SemaphoreHandle = Handle to the semaphore object
2488 * SemaphoreInformationClass = Index to a certain information structure
2490 SemaphoreBasicInformation SEMAPHORE_BASIC_INFORMATION
2492 * SemaphoreInformation = Caller supplies storage for the semaphore information structure
2493 * Length = Size of the information structure
2498 IN HANDLE SemaphoreHandle,
2499 IN SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass,
2500 OUT PVOID SemaphoreInformation,
2502 OUT PULONG ReturnLength
2508 IN HANDLE SemaphoreHandle,
2509 IN SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass,
2510 OUT PVOID SemaphoreInformation,
2512 OUT PULONG ReturnLength
2517 * FUNCTION: Queries the information of a symbolic link object.
2519 * SymbolicLinkHandle = Handle to the symbolic link object
2520 * LinkTarget = resolved name of link
2521 * DataWritten = size of the LinkName.
2527 NtQuerySymbolicLinkObject(
2528 IN HANDLE SymLinkObjHandle,
2529 OUT PUNICODE_STRING LinkTarget,
2530 OUT PULONG DataWritten OPTIONAL
2535 ZwQuerySymbolicLinkObject(
2536 IN HANDLE SymLinkObjHandle,
2537 OUT PUNICODE_STRING LinkName,
2538 OUT PULONG DataWritten OPTIONAL
2543 * FUNCTION: Queries a system environment variable.
2545 * Name = Name of the variable
2546 * Value (OUT) = value of the variable
2547 * Length = size of the buffer
2548 * ReturnLength = data written
2554 NtQuerySystemEnvironmentValue(
2555 IN PUNICODE_STRING Name,
2563 ZwQuerySystemEnvironmentValue(
2564 IN PUNICODE_STRING Name,
2572 * FUNCTION: Queries the system information.
2574 * SystemInformationClass = Index to a certain information structure
2576 SystemTimeAdjustmentInformation SYSTEM_TIME_ADJUSTMENT
2577 SystemCacheInformation SYSTEM_CACHE_INFORMATION
2578 SystemConfigurationInformation CONFIGURATION_INFORMATION
2580 * SystemInformation = caller supplies storage for the information structure
2581 * Length = size of the structure
2582 ResultLength = Data written
2588 NtQuerySystemInformation(
2589 IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
2590 OUT PVOID SystemInformation,
2592 OUT PULONG ResultLength
2597 ZwQuerySystemInformation(
2598 IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
2599 OUT PVOID SystemInformation,
2601 OUT PULONG ResultLength
2605 * FUNCTION: Queries information about a timer
2607 * TimerHandle = Handle to the timer
2608 TimerValueInformationClass = Index to a certain information structure
2609 TimerValueInformation = Caller supplies storage for the information structure
2610 Length = Size of the information structure
2611 ResultLength = Data written
2618 IN HANDLE TimerHandle,
2619 IN CINT TimerInformationClass,
2620 OUT PVOID TimerInformation,
2622 OUT PULONG ResultLength
2627 IN HANDLE TimerHandle,
2628 IN CINT TimerInformationClass,
2629 OUT PVOID TimerInformation,
2631 OUT PULONG ResultLength
2635 * FUNCTION: Queries the timer resolution
2637 * MinimumResolution (OUT) = Caller should supply storage for the resulting time.
2638 Maximum Resolution (OUT) = Caller should supply storage for the resulting time.
2639 ActualResolution (OUT) = Caller should supply storage for the resulting time.
2647 NtQueryTimerResolution (
2648 OUT PULONG MinimumResolution,
2649 OUT PULONG MaximumResolution,
2650 OUT PULONG ActualResolution
2655 ZwQueryTimerResolution (
2656 OUT PULONG MinimumResolution,
2657 OUT PULONG MaximumResolution,
2658 OUT PULONG ActualResolution
2662 * FUNCTION: Queries a registry key value
2664 * KeyHandle = Handle to the registry key
2665 ValueName = Name of the value in the registry key
2666 KeyValueInformationClass = Index to a certain information structure
2668 KeyValueBasicInformation = KEY_VALUE_BASIC_INFORMATION
2669 KeyValueFullInformation = KEY_VALUE_FULL_INFORMATION
2670 KeyValuePartialInformation = KEY_VALUE_PARTIAL_INFORMATION
2672 KeyValueInformation = Caller supplies storage for the information structure
2673 Length = Size of the information structure
2674 ResultLength = Data written
2681 IN HANDLE KeyHandle,
2682 IN PUNICODE_STRING ValueName,
2683 IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
2684 OUT PVOID KeyValueInformation,
2686 OUT PULONG ResultLength
2692 IN HANDLE KeyHandle,
2693 IN PUNICODE_STRING ValueName,
2694 IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
2695 OUT PVOID KeyValueInformation,
2697 OUT PULONG ResultLength
2701 * FUNCTION: Queries the volume information
2703 * FileHandle = Handle to a file object on the target volume
2704 * IoStatusBlock = Caller should supply storage for additional status information
2705 * ReturnLength = DataWritten
2706 * FsInformation = Caller should supply storage for the information structure.
2707 * Length = Size of the information structure
2708 * FsInformationClass = Index to an information structure
2710 FileFsVolumeInformation FILE_FS_VOLUME_INFORMATION
2711 FileFsLabelInformation FILE_FS_LABEL_INFORMATION
2712 FileFsSizeInformation FILE_FS_SIZE_INFORMATION
2713 FileFsDeviceInformation FILE_FS_DEVICE_INFORMATION
2714 FileFsAttributeInformation FILE_FS_ATTRIBUTE_INFORMATION
2715 FileFsControlInformation
2716 FileFsQuotaQueryInformation --
2717 FileFsQuotaSetInformation --
2718 FileFsMaximumInformation
2720 * RETURNS: Status [ STATUS_SUCCESS | STATUS_INSUFFICIENT_RESOURCES | STATUS_INVALID_PARAMETER |
2721 STATUS_INVALID_DEVICE_REQUEST | STATUS_BUFFER_OVERFLOW ]
2726 NtQueryVolumeInformationFile(
2727 IN HANDLE FileHandle,
2728 OUT PIO_STATUS_BLOCK IoStatusBlock,
2729 OUT PVOID FsInformation,
2731 IN FS_INFORMATION_CLASS FsInformationClass
2736 ZwQueryVolumeInformationFile(
2737 IN HANDLE FileHandle,
2738 OUT PIO_STATUS_BLOCK IoStatusBlock,
2739 OUT PVOID FsInformation,
2741 IN FS_INFORMATION_CLASS FsInformationClass
2744 // FIXME: Should I specify if the apc is user or kernel mode somewhere ??
2746 * FUNCTION: Queues a (user) apc to a thread.
2748 ThreadHandle = Thread to which the apc is queued.
2749 ApcRoutine = Points to the apc routine
2750 NormalContext = Argument to Apc Routine
2751 * SystemArgument1 = Argument of the Apc Routine
2752 SystemArgument2 = Argument of the Apc Routine
2753 * REMARK: If the apc is queued against a thread of a different process than the calling thread
2754 the apc routine should be specified in the address space of the queued thread's process.
2761 HANDLE ThreadHandle,
2762 PKNORMAL_ROUTINE ApcRoutine,
2763 PVOID NormalContext,
2764 PVOID SystemArgument1,
2765 PVOID SystemArgument2);
2770 HANDLE ThreadHandle,
2771 PKNORMAL_ROUTINE ApcRoutine,
2772 PVOID NormalContext,
2773 PVOID SystemArgument1,
2774 PVOID SystemArgument2);
2778 * FUNCTION: Raises an exception
2780 * ExceptionRecord = Structure specifying the exception
2781 * Context = Context in which the exception is raised
2790 IN PEXCEPTION_RECORD ExceptionRecord,
2791 IN PCONTEXT Context,
2792 IN BOOLEAN SearchFrames
2798 IN PEXCEPTION_RECORD ExceptionRecord,
2799 IN PCONTEXT Context,
2800 IN BOOLEAN SearchFrames
2804 * FUNCTION: Read a file
2806 * FileHandle = Handle of a file to read
2807 * Event = This event is signalled when the read operation completes
2808 * UserApcRoutine = Call back , if supplied Event should be NULL
2809 * UserApcContext = Argument to the callback
2810 * IoStatusBlock = Caller should supply storage for additional status information
2811 * Buffer = Caller should supply storage to receive the information
2812 * BufferLength = Size of the buffer
2813 * ByteOffset = Offset to start reading the file
2814 * Key = If a range is locked, a matching key will allow the read to continue.
2822 IN HANDLE FileHandle,
2823 IN HANDLE Event OPTIONAL,
2824 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL,
2825 IN PVOID UserApcContext OPTIONAL,
2826 OUT PIO_STATUS_BLOCK IoStatusBlock,
2828 IN ULONG BufferLength,
2829 IN PLARGE_INTEGER ByteOffset OPTIONAL,
2830 IN PULONG Key OPTIONAL
2836 IN HANDLE FileHandle,
2837 IN HANDLE Event OPTIONAL,
2838 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL,
2839 IN PVOID UserApcContext OPTIONAL,
2840 OUT PIO_STATUS_BLOCK IoStatusBlock,
2842 IN ULONG BufferLength,
2843 IN PLARGE_INTEGER ByteOffset OPTIONAL,
2844 IN PULONG Key OPTIONAL
2847 * FUNCTION: Read a file using scattered io
2849 FileHandle = Handle of a file to read
2850 Event = This event is signalled when the read operation completes
2851 * UserApcRoutine = Call back , if supplied Event should be NULL
2852 UserApcContext = Argument to the callback
2853 IoStatusBlock = Caller should supply storage for additional status information
2854 BufferDescription = Caller should supply storage to receive the information
2855 BufferLength = Size of the buffer
2856 ByteOffset = Offset to start reading the file
2857 Key = If a range is locked, a matching key will allow the read to continue.
2864 IN HANDLE FileHandle,
2865 IN HANDLE Event OPTIONAL,
2866 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL,
2867 IN PVOID UserApcContext OPTIONAL,
2868 OUT PIO_STATUS_BLOCK UserIoStatusBlock,
2869 IN FILE_SEGMENT_ELEMENT BufferDescription[],
2870 IN ULONG BufferLength,
2871 IN PLARGE_INTEGER ByteOffset,
2872 IN PULONG Key OPTIONAL
2878 IN HANDLE FileHandle,
2879 IN HANDLE Event OPTIONAL,
2880 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL,
2881 IN PVOID UserApcContext OPTIONAL,
2882 OUT PIO_STATUS_BLOCK UserIoStatusBlock,
2883 IN FILE_SEGMENT_ELEMENT BufferDescription[],
2884 IN ULONG BufferLength,
2885 IN PLARGE_INTEGER ByteOffset,
2886 IN PULONG Key OPTIONAL
2889 * FUNCTION: Copies a range of virtual memory to a buffer
2891 * ProcessHandle = Specifies the process owning the virtual address space
2892 * BaseAddress = Points to the address of virtual memory to start the read
2893 * Buffer = Caller supplies storage to copy the virtual memory to.
2894 * NumberOfBytesToRead = Limits the range to read
2895 * NumberOfBytesRead = The actual number of bytes read.
2901 NtReadVirtualMemory(
2902 IN HANDLE ProcessHandle,
2903 IN PVOID BaseAddress,
2905 IN ULONG NumberOfBytesToRead,
2906 OUT PULONG NumberOfBytesRead
2910 ZwReadVirtualMemory(
2911 IN HANDLE ProcessHandle,
2912 IN PVOID BaseAddress,
2914 IN ULONG NumberOfBytesToRead,
2915 OUT PULONG NumberOfBytesRead
2920 * FUNCTION: Debugger can register for thread termination
2922 * TerminationPort = Port on which the debugger likes to be notified.
2927 NtRegisterThreadTerminatePort(
2928 HANDLE TerminationPort
2932 ZwRegisterThreadTerminatePort(
2933 HANDLE TerminationPort
2937 * FUNCTION: Releases a mutant
2939 * MutantHandle = Handle to the mutant
2946 IN HANDLE MutantHandle,
2947 IN PULONG ReleaseCount OPTIONAL
2953 IN HANDLE MutantHandle,
2954 IN PULONG ReleaseCount OPTIONAL
2958 * FUNCTION: Releases a semaphore
2960 * SemaphoreHandle = Handle to the semaphore object
2961 * ReleaseCount = Number to decrease the semaphore count
2962 * PreviousCount = Previous semaphore count
2968 IN HANDLE SemaphoreHandle,
2969 IN LONG ReleaseCount,
2970 OUT PLONG PreviousCount
2976 IN HANDLE SemaphoreHandle,
2977 IN LONG ReleaseCount,
2978 OUT PLONG PreviousCount
2982 * FUNCTION: Removes an io completion
2984 * CompletionPort (OUT) = Caller supplied storage for the resulting handle
2985 * CompletionKey = Requested access to the key
2986 * IoStatusBlock = Caller provides storage for extended status information
2987 * CompletionStatus = Current status of the io operation.
2988 * WaitTime = Time to wait if ..
2993 NtRemoveIoCompletion(
2994 IN HANDLE IoCompletionHandle,
2995 OUT PULONG CompletionKey,
2996 OUT PULONG CompletionValue,
2997 OUT PIO_STATUS_BLOCK IoStatusBlock,
2998 IN PLARGE_INTEGER Timeout OPTIONAL
3003 ZwRemoveIoCompletion(
3004 IN HANDLE IoCompletionHandle,
3005 OUT PULONG CompletionKey,
3006 OUT PULONG CompletionValue,
3007 OUT PIO_STATUS_BLOCK IoStatusBlock,
3008 IN PLARGE_INTEGER Timeout OPTIONAL
3012 * FUNCTION: Replaces one registry key with another
3014 * ObjectAttributes = Specifies the attributes of the key
3015 * Key = Handle to the key
3016 * ReplacedObjectAttributes = The function returns the old object attributes
3022 IN POBJECT_ATTRIBUTES ObjectAttributes,
3024 IN POBJECT_ATTRIBUTES ReplacedObjectAttributes
3029 IN POBJECT_ATTRIBUTES ObjectAttributes,
3031 IN POBJECT_ATTRIBUTES ReplacedObjectAttributes
3035 * FUNCTION: Resets a event to a non signaled state
3037 * EventHandle = Handle to the event that should be reset
3038 * NumberOfWaitingThreads = The number of threads released.
3045 PULONG NumberOfWaitingThreads OPTIONAL
3051 PULONG NumberOfWaitingThreads OPTIONAL
3070 * FUNCTION: Decrements a thread's resume count
3072 * ThreadHandle = Handle to the thread that should be resumed
3073 * ResumeCount = The resulting resume count.
3075 * A thread is resumed if its suspend count is 0. This procedure maps to
3076 * the win32 ResumeThread function. ( documentation about the suspend count can be found there as well )
3082 IN HANDLE ThreadHandle,
3083 OUT PULONG SuspendCount
3088 IN HANDLE ThreadHandle,
3089 OUT PULONG SuspendCount
3092 * FUNCTION: Writes the content of a registry key to ascii file
3094 * KeyHandle = Handle to the key
3095 * FileHandle = Handle of the file
3097 This function maps to the Win32 RegSaveKey.
3104 IN HANDLE KeyHandle,
3105 IN HANDLE FileHandle
3110 IN HANDLE KeyHandle,
3111 IN HANDLE FileHandle
3115 * FUNCTION: Sets the context of a specified thread.
3117 * ThreadHandle = Handle to the thread
3118 * Context = The processor context.
3125 IN HANDLE ThreadHandle,
3131 IN HANDLE ThreadHandle,
3136 * FUNCTION: Sets the default locale id
3138 * UserProfile = Type of locale id
3139 * TRUE: thread locale id
3140 * FALSE: system locale id
3141 * DefaultLocaleId = Locale id
3148 IN BOOLEAN UserProfile,
3149 IN LCID DefaultLocaleId
3155 IN BOOLEAN UserProfile,
3156 IN LCID DefaultLocaleId
3160 * FUNCTION: Sets the default hard error port
3162 * PortHandle = Handle to the port
3163 * NOTE: The hard error port is used for first chance exception handling
3168 NtSetDefaultHardErrorPort(
3169 IN HANDLE PortHandle
3173 ZwSetDefaultHardErrorPort(
3174 IN HANDLE PortHandle
3178 * FUNCTION: Sets the extended attributes of a file.
3180 * FileHandle = Handle to the file
3181 * IoStatusBlock = Storage for a resulting status and information
3182 * on the current operation.
3183 * EaBuffer = Extended Attributes buffer.
3184 * EaBufferSize = Size of the extended attributes buffer
3190 IN HANDLE FileHandle,
3191 IN PIO_STATUS_BLOCK IoStatusBlock,
3198 IN HANDLE FileHandle,
3199 IN PIO_STATUS_BLOCK IoStatusBlock,
3204 //FIXME: should I return the event state ?
3207 * FUNCTION: Sets the event to a signalled state.
3209 * EventHandle = Handle to the event
3210 * NumberOfThreadsReleased = The number of threads released
3212 * This procedure maps to the win32 SetEvent function.
3219 IN HANDLE EventHandle,
3220 PULONG NumberOfThreadsReleased
3226 IN HANDLE EventHandle,
3227 PULONG NumberOfThreadsReleased
3231 * FUNCTION: Sets the high part of an event pair
3233 EventPair = Handle to the event pair
3240 IN HANDLE EventPairHandle
3246 IN HANDLE EventPairHandle
3249 * FUNCTION: Sets the high part of an event pair and wait for the low part
3251 EventPair = Handle to the event pair
3256 NtSetHighWaitLowEventPair(
3257 IN HANDLE EventPairHandle
3261 ZwSetHighWaitLowEventPair(
3262 IN HANDLE EventPairHandle
3266 * FUNCTION: Sets the information of a file object.
3268 * FileHandle = Handle to the file object
3269 * IoStatusBlock = Caller supplies storage for extended information
3270 * on the current operation.
3271 * FileInformation = Storage for the new file information
3272 * Length = Size of the new file information.
3273 * FileInformationClass = Indicates to a certain information structure
3275 FileNameInformation FILE_NAME_INFORMATION
3276 FileRenameInformation FILE_RENAME_INFORMATION
3277 FileStreamInformation FILE_STREAM_INFORMATION
3278 * FileCompletionInformation IO_COMPLETION_CONTEXT
3281 * This procedure maps to the win32 SetEndOfFile, SetFileAttributes,
3282 * SetNamedPipeHandleState, SetMailslotInfo functions.
3289 NtSetInformationFile(
3290 IN HANDLE FileHandle,
3291 IN PIO_STATUS_BLOCK IoStatusBlock,
3292 IN PVOID FileInformation,
3294 IN FILE_INFORMATION_CLASS FileInformationClass
3298 ZwSetInformationFile(
3299 IN HANDLE FileHandle,
3300 IN PIO_STATUS_BLOCK IoStatusBlock,
3301 IN PVOID FileInformation,
3303 IN FILE_INFORMATION_CLASS FileInformationClass
3307 * FUNCTION: Changes a set of thread specific parameters
3309 * ThreadHandle = Handle to the thread
3310 * ThreadInformationClass = Index to the set of parameters to change.
3311 * Can be one of the following values:
3313 * ThreadBasicInformation THREAD_BASIC_INFORMATION
3314 * ThreadPriority KPRIORITY //???
3315 * ThreadBasePriority KPRIORITY
3316 * ThreadAffinityMask KAFFINITY //??
3317 * ThreadImpersonationToken ACCESS_TOKEN
3318 * ThreadIdealProcessor ULONG
3319 * ThreadPriorityBoost ULONG
3321 * ThreadInformation = Caller supplies storage for parameters to set.
3322 * ThreadInformationLength = Size of the storage supplied
3327 NtSetInformationThread(
3328 IN HANDLE ThreadHandle,
3329 IN THREADINFOCLASS ThreadInformationClass,
3330 IN PVOID ThreadInformation,
3331 IN ULONG ThreadInformationLength
3335 ZwSetInformationThread(
3336 IN HANDLE ThreadHandle,
3337 IN THREADINFOCLASS ThreadInformationClass,
3338 IN PVOID ThreadInformation,
3339 IN ULONG ThreadInformationLength
3343 * FUNCTION: Changes a set of token specific parameters
3345 * TokenHandle = Handle to the token
3346 * TokenInformationClass = Index to a certain information structure.
3347 * Can be one of the following values:
3349 TokenUser TOKEN_USER
3350 TokenGroups TOKEN_GROUPS
3351 TokenPrivileges TOKEN_PRIVILEGES
3352 TokenOwner TOKEN_OWNER
3353 TokenPrimaryGroup TOKEN_PRIMARY_GROUP
3354 TokenDefaultDacl TOKEN_DEFAULT_DACL
3355 TokenSource TOKEN_SOURCE
3356 TokenType TOKEN_TYPE
3357 TokenImpersonationLevel TOKEN_IMPERSONATION_LEVEL
3358 TokenStatistics TOKEN_STATISTICS
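3360 * TokenInformation = Caller supplies storage for information structure. NOTE(review): for this set operation the structure is presumably read by the call, yet both prototypes below mark the parameter OUT - confirm the direction annotation.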
3361 * TokenInformationLength = Size of the information structure
3367 NtSetInformationToken(
3368 IN HANDLE TokenHandle,
3369 IN TOKEN_INFORMATION_CLASS TokenInformationClass,
3370 OUT PVOID TokenInformation,
3371 IN ULONG TokenInformationLength
3376 ZwSetInformationToken(
3377 IN HANDLE TokenHandle,
3378 IN TOKEN_INFORMATION_CLASS TokenInformationClass,
3379 OUT PVOID TokenInformation,
3380 IN ULONG TokenInformationLength
3385 * FUNCTION: Sets an io completion
3390 * NumberOfBytesToTransfer =
3391 * NumberOfBytesTransferred =
3397 IN HANDLE IoCompletionPortHandle,
3398 IN ULONG CompletionKey,
3399 IN ULONG CompletionValue,
3400 IN NTSTATUS CompletionStatus,
3401 IN ULONG CompletionInformation
3407 IN HANDLE IoCompletionPortHandle,
3408 IN ULONG CompletionKey,
3409 IN ULONG CompletionValue,
3410 IN NTSTATUS CompletionStatus,
3411 IN ULONG CompletionInformation
3415 * FUNCTION: Set properties for profiling
3425 NtSetIntervalProfile(
3427 KPROFILE_SOURCE ClockSource
3432 ZwSetIntervalProfile(
3434 KPROFILE_SOURCE ClockSource
3439 * FUNCTION: Sets the low part of an event pair
3441 EventPair = Handle to the event pair
3456 * FUNCTION: Sets the low part of an event pair and wait for the high part
3458 EventPair = Handle to the event pair
3463 NtSetLowWaitHighEventPair(
3468 ZwSetLowWaitHighEventPair(
3474 NtSetSecurityObject(
3476 IN SECURITY_INFORMATION SecurityInformation,
3477 IN PSECURITY_DESCRIPTOR SecurityDescriptor
3482 ZwSetSecurityObject(
3484 IN SECURITY_INFORMATION SecurityInformation,
3485 IN PSECURITY_DESCRIPTOR SecurityDescriptor
3490 * FUNCTION: Sets a system environment variable
3492 * ValueName = Name of the environment variable
3493 * Value = Value of the environment variable
3498 NtSetSystemEnvironmentValue(
3499 IN PUNICODE_STRING VariableName,
3500 IN PUNICODE_STRING Value
3504 ZwSetSystemEnvironmentValue(
3505 IN PUNICODE_STRING VariableName,
3506 IN PUNICODE_STRING Value
3509 * FUNCTION: Sets system parameters
3511 * SystemInformationClass = Index to a particular set of system parameters
3512 * Can be one of the following values:
3514 * SystemTimeAdjustmentInformation SYSTEM_TIME_ADJUSTMENT
3516 * SystemInformation = Structure containing the parameters.
3517 * SystemInformationLength = Size of the structure.
3522 NtSetSystemInformation(
3523 IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
3524 IN PVOID SystemInformation,
3525 IN ULONG SystemInformationLength
3530 ZwSetSystemInformation(
3531 IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
3532 IN PVOID SystemInformation,
3533 IN ULONG SystemInformationLength
3537 * FUNCTION: Sets the system time
3539 * SystemTime = Old System time
3540 * NewSystemTime = New System time
3546 IN PLARGE_INTEGER SystemTime,
3547 IN PLARGE_INTEGER NewSystemTime OPTIONAL
3552 IN PLARGE_INTEGER SystemTime,
3553 IN PLARGE_INTEGER NewSystemTime OPTIONAL
3557 * FUNCTION: Sets the frequency of the system timer
3559 * RequestedResolution =
3561 * ActualResolution =
3566 NtSetTimerResolution(
3567 IN ULONG RequestedResolution,
3569 OUT PULONG ActualResolution
3573 ZwSetTimerResolution(
3574 IN ULONG RequestedResolution,
3576 OUT PULONG ActualResolution
3580 * FUNCTION: Sets the value of a registry key
3582 * KeyHandle = Handle to a registry key
3583 * ValueName = Name of the value entry to change
3584 * TitleIndex = pointer to a structure containing the new volume information
3585 * Type = Type of the registry key. Can be one of the values:
3586 * REG_BINARY Unspecified binary data
3587 * REG_DWORD A 32 bit value
3588 * REG_DWORD_LITTLE_ENDIAN Same as REG_DWORD
3589 * REG_DWORD_BIG_ENDIAN A 32 bit value whose least significant byte is at the highest address
3590 * REG_EXPAND_SZ A zero terminated wide character string with unexpanded environment variables ( "%PATH%" )
3591 * REG_LINK A zero terminated wide character string referring to a symbolic link.
3592 * REG_MULTI_SZ A series of zero-terminated strings including a additional trailing zero
3593 * REG_NONE Unspecified type
3594 * REG_SZ A wide character string ( zero terminated )
3595 * REG_RESOURCE_LIST ??
3596 * REG_RESOURCE_REQUIREMENTS_LIST ??
3597 * REG_FULL_RESOURCE_DESCRIPTOR ??
3598 * Data = Contains the data for the registry key.
3599 * DataSize = size of the data.
3605 IN HANDLE KeyHandle,
3606 IN PUNICODE_STRING ValueName,
3607 IN ULONG TitleIndex OPTIONAL,
3615 IN HANDLE KeyHandle,
3616 IN PUNICODE_STRING ValueName,
3617 IN ULONG TitleIndex OPTIONAL,
3624 * FUNCTION: Sets the volume information.
3626 * FileHandle = Handle to the file
3627 * IoStatusBlock = Caller should supply storage for additional status information
3628 * VolumeInformation = pointer to a structure containing the new volume information
3629 * Length = size of the structure.
3630 * VolumeInformationClass = specifies the particular volume information to set
3635 NtSetVolumeInformationFile(
3636 IN HANDLE FileHandle,
3637 OUT PIO_STATUS_BLOCK IoStatusBlock,
3638 IN PVOID FsInformation,
3640 IN FS_INFORMATION_CLASS FsInformationClass
3645 ZwSetVolumeInformationFile(
3646 IN HANDLE FileHandle,
3647 OUT PIO_STATUS_BLOCK IoStatusBlock,
3648 IN PVOID FsInformation,
3650 IN FS_INFORMATION_CLASS FsInformationClass
3654 * FUNCTION: Shuts the system down
3656 * Action = Specifies the type of shutdown, it can be one of the following values:
3657 * ShutdownNoReboot, ShutdownReboot, ShutdownPowerOff
3663 IN SHUTDOWN_ACTION Action
3669 IN SHUTDOWN_ACTION Action
3673 /* --- PROFILING --- */
3676 * FUNCTION: Starts profiling
3678 * ProfileHandle = Handle to the profile
3685 HANDLE ProfileHandle
3691 HANDLE ProfileHandle
3695 * FUNCTION: Stops profiling
3697 * ProfileHandle = Handle to the profile
3704 HANDLE ProfileHandle
3710 HANDLE ProfileHandle
3713 /* --- PROCESS MANAGEMENT --- */
3715 //--NtSystemDebugControl
3717 * FUNCTION: Terminates the execution of a process.
3719 * ProcessHandle = Handle to the process
3720 * ExitStatus = The exit status of the process to terminate with.
3722 Native applications should kill themselves using this function.
3728 IN HANDLE ProcessHandle ,
3729 IN NTSTATUS ExitStatus
3734 IN HANDLE ProcessHandle ,
3735 IN NTSTATUS ExitStatus
3738 /* --- DEVICE DRIVER CONTROL --- */
3741 * FUNCTION: Unloads a driver.
3743 * DriverServiceName = Name of the driver to unload
3749 IN PUNICODE_STRING DriverServiceName
3754 IN PUNICODE_STRING DriverServiceName
3757 /* --- VIRTUAL MEMORY MANAGEMENT --- */
3760 * FUNCTION: Writes a range of virtual memory
3762 * ProcessHandle = The handle to the process owning the address space.
3763 * BaseAddress = Points to the address to write to
3764 * Buffer = Pointer to the buffer to write
3765 * NumberOfBytesToWrite = Offset to the upper boundary to write
3766 * NumberOfBytesWritten = Total bytes written
3768 * This function maps to the win32 WriteProcessMemory
3773 NtWriteVirtualMemory(
3774 IN HANDLE ProcessHandle,
3775 IN PVOID BaseAddress,
3777 IN ULONG NumberOfBytesToWrite,
3778 OUT PULONG NumberOfBytesWritten
3783 ZwWriteVirtualMemory(
3784 IN HANDLE ProcessHandle,
3785 IN PVOID BaseAddress,
3787 IN ULONG NumberOfBytesToWrite,
3788 OUT PULONG NumberOfBytesWritten
3792 * FUNCTION: Unmaps a piece of virtual memory backed by a file.
3794 * ProcessHandle = Handle to the process
3795 * BaseAddress = The address where the mapping begins
3797 This procedure maps to the win32 UnMapViewOfFile
3802 NtUnmapViewOfSection(
3803 IN HANDLE ProcessHandle,
3804 IN PVOID BaseAddress
3808 ZwUnmapViewOfSection(
3809 IN HANDLE ProcessHandle,
3810 IN PVOID BaseAddress
3813 /* --- OBJECT SYNCHRONIZATION --- */
3816 * FUNCTION: Signals an object and wait for an other one.
3818 * SignalObject = Handle to the object that should be signaled
3819 * WaitObject = Handle to the object that should be waited for
3820 * Alertable = True if the wait is alertable
3821 * Time = The time to wait
3826 NtSignalAndWaitForSingleObject(
3827 IN HANDLE SignalObject,
3828 IN HANDLE WaitObject,
3829 IN BOOLEAN Alertable,
3830 IN PLARGE_INTEGER Time
/* NOTE(review): this repeats the name and parameter list of the declaration
 * directly above it. Going by the Nt/Zw pairing used for the other calls in
 * this header, this second declaration was presumably meant to be
 * ZwSignalAndWaitForSingleObject - confirm. As written, no Zw prototype for
 * this call is visible in this part of the header. */
3835 NtSignalAndWaitForSingleObject(
3836 IN HANDLE SignalObject,
3837 IN HANDLE WaitObject,
3838 IN BOOLEAN Alertable,
3839 IN PLARGE_INTEGER Time
3843 * FUNCTION: Waits for an object to become signalled.
3845 * Object = The object handle
3846 * Alertable = If true the wait is alertable.
3847 * Time = The maximum wait time.
3849 * This function maps to the win32 WaitForSingleObjectEx.
3854 NtWaitForSingleObject (
3856 IN BOOLEAN Alertable,
3857 IN PLARGE_INTEGER Time
3862 ZwWaitForSingleObject (
3864 IN BOOLEAN Alertable,
3865 IN PLARGE_INTEGER Time
3868 /* --- EVENT PAIR OBJECT --- */
3871 * FUNCTION: Waits for the high part of an eventpair to become signalled
3873 * EventPairHandle = Handle to the event pair.
3879 NtWaitHighEventPair(
3880 IN HANDLE EventPairHandle
3885 ZwWaitHighEventPair(
3886 IN HANDLE EventPairHandle
3890 * FUNCTION: Waits for the low part of an eventpair to become signalled
3892 * EventPairHandle = Handle to the event pair.
3898 IN HANDLE EventPairHandle
3904 IN HANDLE EventPairHandle
3907 /* --- FILE MANAGEMENT --- */
3910 * FUNCTION: Unlocks a range of bytes in a file.
3912 * FileHandle = Handle to the file
3913 * IoStatusBlock = Caller should supply storage for a structure containing
3914 * the completion status and information about the requested unlock operation.
3915 The information field is set to the number of bytes unlocked.
3916 * ByteOffset = Offset to start the range of bytes to unlock
3917 * Length = Number of bytes to unlock.
3918 * Key = Special value to enable other threads to unlock a file than the
3919 thread that locked the file. The key supplied must match with the one obtained
3920 in a previous call to NtLockFile.
3922 This procedure maps to the win32 procedure UnlockFileEx. STATUS_PENDING is returned if the lock could
3923 not be obtained immediately, the device queue is busy and the IRP is queued.
3924 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PENDING | STATUS_ACCESS_DENIED | STATUS_INSUFFICIENT_RESOURCES |
3925 STATUS_INVALID_PARAMETER | STATUS_INVALID_DEVICE_REQUEST | STATUS_RANGE_NOT_LOCKED ]
3930 IN HANDLE FileHandle,
3931 OUT PIO_STATUS_BLOCK IoStatusBlock,
3932 IN PLARGE_INTEGER ByteOffset,
3933 IN PLARGE_INTEGER Lenght,
3934 OUT PULONG Key OPTIONAL
3939 IN HANDLE FileHandle,
3940 OUT PIO_STATUS_BLOCK IoStatusBlock,
3941 IN PLARGE_INTEGER ByteOffset,
3942 IN PLARGE_INTEGER Lenght,
3943 OUT PULONG Key OPTIONAL
3947 * FUNCTION: Writes data to a file
3949 * FileHandle = The handle of a file ( from NtCreateFile )
3950 * Event = Specifies a event that will become signalled when the write operation completes.
3951 * ApcRoutine = Asynchronous Procedure Callback [ Should not be used by device drivers ]
3952 * ApcContext = Argument to the Apc Routine
3953 * IoStatusBlock = Caller should supply storage for a structure containing the completion status and information about the requested write operation.
3954 * Buffer = Caller should supply storage for a buffer that will contain the information to be written to file.
3955 * Length = Size in bytes of the buffer
3956 * ByteOffset = Points to a file offset. If a combination of Length and ByteOffset is past the end-of-file mark the file will be enlarged.
3957 * ByteOffset is ignored if the file is created with FILE_APPEND_DATA in the DesiredAccess. ByteOffset is also ignored if
3958 * the file is created with CreateOptions flags FILE_SYNCHRONOUS_IO_ALERT or FILE_SYNCHRONOUS_IO_NONALERT set, in that case an offset
3959 * should be created by specifying FILE_USE_FILE_POINTER_POSITION.
3962 * This function maps to the win32 WriteFile.
3963 * Callers to NtWriteFile should run at IRQL PASSIVE_LEVEL.
3964 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PENDING | STATUS_ACCESS_DENIED | STATUS_INSUFFICIENT_RESOURCES
3965 STATUS_INVALID_PARAMETER | STATUS_INVALID_DEVICE_REQUEST | STATUS_FILE_LOCK_CONFLICT ]
3970 IN HANDLE FileHandle,
3971 IN HANDLE Event OPTIONAL,
3972 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
3973 IN PVOID ApcContext OPTIONAL,
3974 OUT PIO_STATUS_BLOCK IoStatusBlock,
3977 IN PLARGE_INTEGER ByteOffset,
3978 IN PULONG Key OPTIONAL
3984 IN HANDLE FileHandle,
3985 IN HANDLE Event OPTIONAL,
3986 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
3987 IN PVOID ApcContext OPTIONAL,
3988 OUT PIO_STATUS_BLOCK IoStatusBlock,
3991 IN PLARGE_INTEGER ByteOffset ,
3992 IN PULONG Key OPTIONAL
3996 * FUNCTION: Writes a file
3998 * FileHandle = The handle of the file
4000 * ApcRoutine = Asynchronous Procedure Callback [ Should not be used by device drivers ]
4001 * ApcContext = Argument to the Apc Routine
4002 * IoStatusBlock = Caller should supply storage for a structure containing the completion status and information about the requested write operation.
4003 * BufferDescription = Caller should supply storage for a buffer that will contain the information to be written to file.
4004 * BufferLength = Size in bytes of the buffer
4005 * ByteOffset = Points to a file offset. If a combination of Length and ByteOffset is past the end-of-file mark the file will be enlarged.
4006 * ByteOffset is ignored if the file is created with FILE_APPEND_DATA in the DesiredAccess. ByteOffset is also ignored if
4007 * the file is created with CreateOptions flags FILE_SYNCHRONOUS_IO_ALERT or FILE_SYNCHRONOUS_IO_NONALERT set, in that case an offset
4008 * should be created by specifying FILE_USE_FILE_POINTER_POSITION. Use FILE_WRITE_TO_END_OF_FILE to write to the EOF.
4009 * Key = If a matching key [ a key provided at NtLockFile ] is provided the write operation will continue even if a byte range is locked.
4011 * This function maps to the win32 WriteFile.
4012 * Callers to NtWriteFile should run at IRQL PASSIVE_LEVEL.
4013 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PENDING | STATUS_ACCESS_DENIED | STATUS_INSUFFICIENT_RESOURCES
4014 STATUS_INVALID_PARAMETER | STATUS_INVALID_DEVICE_REQUEST | STATUS_FILE_LOCK_CONFLICT ]
4020 IN HANDLE FileHandle,
4021 IN HANDLE Event OPTIONAL,
4022 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
4023 IN PVOID ApcContext OPTIONAL,
4024 OUT PIO_STATUS_BLOCK IoStatusBlock,
4025 IN FILE_SEGMENT_ELEMENT BufferDescription[],
4026 IN ULONG BufferLength,
4027 IN PLARGE_INTEGER ByteOffset,
4028 IN PULONG Key OPTIONAL
4034 IN HANDLE FileHandle,
4035 IN HANDLE Event OPTIONAL,
4036 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
4037 IN PVOID ApcContext OPTIONAL,
4038 OUT PIO_STATUS_BLOCK IoStatusBlock,
4039 IN FILE_SEGMENT_ELEMENT BufferDescription[],
4040 IN ULONG BufferLength,
4041 IN PLARGE_INTEGER ByteOffset,
4042 IN PULONG Key OPTIONAL
4046 /* --- THREAD MANAGEMENT --- */
4049 * FUNCTION: Increments a thread's suspend count
4051 * ThreadHandle = Handle to the thread that should be suspended
4052 * PreviousSuspendCount = The resulting/previous suspend count.
4054 * A thread will be suspended if its suspend count is greater than 0. This procedure maps to
4055 * the win32 SuspendThread function. ( documentation about the suspend count can be found there as well )
4056 * The suspend count is not increased if it is greater than MAXIMUM_SUSPEND_COUNT.
4062 IN HANDLE ThreadHandle,
4063 IN PULONG PreviousSuspendCount
4069 IN HANDLE ThreadHandle,
4070 IN PULONG PreviousSuspendCount
4074 * FUNCTION: Terminates the execution of a thread.
4076 * ThreadHandle = Handle to the thread
4077 * ExitStatus = The exit status of the thread to terminate with.
4083 IN HANDLE ThreadHandle ,
4084 IN NTSTATUS ExitStatus
4089 IN HANDLE ThreadHandle ,
4090 IN NTSTATUS ExitStatus
4093 * FUNCTION: Tests to see if there are any pending alerts for the calling thread
4108 * FUNCTION: Yields the callers thread.
4123 /* --- PLUG AND PLAY --- */
4133 NtGetPlugPlayEvent (
4137 /* --- POWER MANAGEMENT --- */
4140 NtSetSystemPowerState(IN POWER_ACTION SystemAction,
4141 IN SYSTEM_POWER_STATE MinSystemState,
4144 /* --- DEBUG SUBSYSTEM --- */
4147 NtSystemDebugControl(DEBUG_CONTROL_CODE ControlCode,
4149 ULONG InputBufferLength,
4151 ULONG OutputBufferLength,
4152 PULONG ReturnLength);
4154 /* --- VIRTUAL DOS MACHINE (VDM) --- */
4158 NtVdmControl (ULONG ControlCode, PVOID ControlData);
4164 NtW32Call(IN ULONG RoutineIndex,
4166 IN ULONG ArgumentLength,
4167 OUT PVOID* Result OPTIONAL,
4168 OUT PULONG ResultLength OPTIONAL);
4170 /* --- CHANNELS --- */
4192 NtReplyWaitSendChannel (
4198 NtSendWaitReplyChannel (
4204 NtSetContextChannel (
4208 /* --- MISCELLANEA --- */
4210 //NTSTATUS STDCALL NtSetLdtEntries(VOID);
4221 NtQueryOleDirectoryFile (
4226 * FUNCTION: Checks a client's access rights to an object
4228 * SecurityDescriptor = Security information against which the access is checked
4229 * ClientToken = Represents a client
4233 * ReturnLength = Bytes written
4235 * AccessStatus = Indicates if the ClientToken allows the requested access
4236 * REMARKS: The arguments map to the win32 AccessCheck
4243 IN PSECURITY_DESCRIPTOR SecurityDescriptor,
4244 IN HANDLE ClientToken,
4245 IN ACCESS_MASK DesiredAcces,
4246 IN PGENERIC_MAPPING GenericMapping,
4247 OUT PPRIVILEGE_SET PrivilegeSet,
4248 OUT PULONG ReturnLength,
4249 OUT PULONG GrantedAccess,
4250 OUT PBOOLEAN AccessStatus
4256 IN PSECURITY_DESCRIPTOR SecurityDescriptor,
4257 IN HANDLE ClientToken,
4258 IN ACCESS_MASK DesiredAcces,
4259 IN PGENERIC_MAPPING GenericMapping,
4260 OUT PPRIVILEGE_SET PrivilegeSet,
4261 OUT PULONG ReturnLength,
4262 OUT PULONG GrantedAccess,
4263 OUT PBOOLEAN AccessStatus
4269 IN ACCESS_MASK DesiredAccess,
4270 OUT PHANDLE KeyHandle);
4273 #ifndef __USE_W32API
4276 * FUNCTION: Continues a thread with the specified context
4278 * Context = Specifies the processor context
4279 * IrqLevel = Specifies the Interrupt Request Level to continue with. Can
4280 * be PASSIVE_LEVEL or APC_LEVEL
4282 * NtContinue can be used to continue after an exception or apc.
4285 //FIXME This function might need another parameter
4290 IN PCONTEXT Context,
4291 IN BOOLEAN TestAlert
/* NOTE(review): this prototype takes a CINT IrqLevel as its second argument,
 * while the parameter list directly above it ends in BOOLEAN TestAlert. If
 * both declare the same system call, one of the two signatures is stale -
 * confirm against the implementation before relying on either. */
4294 NTSTATUS STDCALL ZwContinue(IN PCONTEXT Context, IN CINT IrqLevel);
4297 * FUNCTION: Retrieves the system time
4299 * CurrentTime (OUT) = Caller should supply storage for the resulting time.
4307 OUT TIME *CurrentTime
4313 OUT TIME *CurrentTime
4317 * FUNCTION: Copies a handle from one process space to another
4319 * SourceProcessHandle = The source process owning the handle. The handle to the source process should have been
4320 * opened with PROCESS_DUP_HANDLE access.
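4321 * SourceHandle = The handle to the object. NOTE(review): the first prototype below declares it HANDLE and the second PHANDLE; the two should agree.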
4322 * TargetProcessHandle = The destination process owning the handle
4323 * TargetHandle (OUT) = Caller should supply storage for the duplicated handle.
4324 * DesiredAccess = The desired access to the handle.
4325 * InheritHandle = Indicates whether the new handle will be inheritable or not.
4326 * Options = Specifies special actions upon duplicating the handle. Can be
4327 * one of the values DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS.
4328 * DUPLICATE_CLOSE_SOURCE specifies that the source handle should be
4329 * closed after duplicating. DUPLICATE_SAME_ACCESS specifies to ignore
4330 * the DesiredAccess parameter and just grant the same access to the new
4333 * REMARKS: This function maps to the win32 DuplicateHandle.
4339 IN HANDLE SourceProcessHandle,
4340 IN HANDLE SourceHandle,
4341 IN HANDLE TargetProcessHandle,
4342 OUT PHANDLE TargetHandle,
4343 IN ACCESS_MASK DesiredAccess,
4344 IN BOOLEAN InheritHandle,
4351 IN HANDLE SourceProcessHandle,
4352 IN PHANDLE SourceHandle,
4353 IN HANDLE TargetProcessHandle,
4354 OUT PHANDLE TargetHandle,
4355 IN ACCESS_MASK DesiredAccess,
4356 IN BOOLEAN InheritHandle,
4361 * FUNCTION: Checks a client's access rights to an object and issues an audit alarm. ( it logs the access )
4363 * SubsystemName = Specifies the name of the subsystem, can be "WIN32" or "DEBUG"
4365 * ObjectAttributes =
4372 * REMARKS: The arguments map to the win32 AccessCheck
4378 NtAccessCheckAndAuditAlarm(
4379 IN PUNICODE_STRING SubsystemName,
4380 IN PHANDLE ObjectHandle,
4381 IN POBJECT_ATTRIBUTES ObjectAttributes,
4382 IN ACCESS_MASK DesiredAccess,
4383 IN PGENERIC_MAPPING GenericMapping,
4384 IN BOOLEAN ObjectCreation,
4385 OUT PULONG GrantedAccess,
4386 OUT PBOOLEAN AccessStatus,
4387 OUT PBOOLEAN GenerateOnClose
4392 ZwAccessCheckAndAuditAlarm(
4393 IN PUNICODE_STRING SubsystemName,
4394 IN PHANDLE ObjectHandle,
4395 IN POBJECT_ATTRIBUTES ObjectAttributes,
4396 IN ACCESS_MASK DesiredAccess,
4397 IN PGENERIC_MAPPING GenericMapping,
4398 IN BOOLEAN ObjectCreation,
4399 OUT PULONG GrantedAccess,
4400 OUT PBOOLEAN AccessStatus,
4401 OUT PBOOLEAN GenerateOnClose
4405 * FUNCTION: Adds an atom to the global atom table
4407 * AtomString = The string to add to the atom table.
4408 * Atom (OUT) = Caller supplies storage for the resulting atom.
4409 * REMARKS: The arguments map to the win32 GlobalAddAtom.
4416 IN OUT PRTL_ATOM Atom
4424 IN OUT PRTL_ATOM Atom
4430 PULARGE_INTEGER Time,
4438 PULARGE_INTEGER Time,
4444 * FUNCTION: Cancels a timer
4446 * TimerHandle = Handle to the timer
4447 * CurrentState = Specifies the state of the timer when cancelled.
4449 * The arguments to this function map to the function CancelWaitableTimer.
4455 IN HANDLE TimerHandle,
4456 OUT PBOOLEAN CurrentState OPTIONAL
4462 IN HANDLE TimerHandle,
4463 OUT ULONG ElapsedTime /* NOTE(review): marked OUT but passed by value (ULONG), so the callee cannot return anything through it; the parameter list directly above has OUT PBOOLEAN CurrentState OPTIONAL in this position. Confirm which is intended. */
4467 * FUNCTION: Creates a paging file.
4469 * FileName = Name of the pagefile
4470 * InitialSize = Specifies the initial size in bytes
4471 * MaximumSize = Specifies the maximum size in bytes
4472 * Reserved = Reserved for future use
4478 IN PUNICODE_STRING FileName,
4479 IN PLARGE_INTEGER InitialSize,
4480 IN PLARGE_INTEGER MaxiumSize,
4487 IN PUNICODE_STRING FileName,
4488 IN PLARGE_INTEGER InitialSize,
4489 IN PLARGE_INTEGER MaxiumSize,
4494 * FUNCTION: Creates a user mode thread
4496 * ThreadHandle (OUT) = Caller supplied storage for the resulting handle
4497 * DesiredAccess = Specifies the allowed or desired access to the thread.
4498 * ObjectAttributes = Initialized attributes for the object.
4499 * ProcessHandle = Handle to the threads parent process.
4500 * ClientId (OUT) = Caller supplies storage for returned process id and thread id.
4501 * ThreadContext = Initial processor context for the thread.
4502 * InitialTeb = Initial user mode stack context for the thread (declared as UserStack in the prototypes below).
4503 * CreateSuspended = Specifies if the thread is ready for scheduling
4505 * This function maps to the win32 function CreateThread.
4511 OUT PHANDLE ThreadHandle,
4512 IN ACCESS_MASK DesiredAccess,
4513 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
4514 IN HANDLE ProcessHandle,
4515 OUT PCLIENT_ID ClientId,
4516 IN PCONTEXT ThreadContext,
4517 IN PUSER_STACK UserStack,
4518 IN BOOLEAN CreateSuspended
4524 OUT PHANDLE ThreadHandle,
4525 IN ACCESS_MASK DesiredAccess,
4526 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
4527 IN HANDLE ProcessHandle,
4528 OUT PCLIENT_ID ClientId,
4529 IN PCONTEXT ThreadContext,
4530 IN PUSER_STACK UserStack,
4531 IN BOOLEAN CreateSuspended
4537 IN HANDLE ExistingToken,
4538 IN ACCESS_MASK DesiredAccess,
4539 IN POBJECT_ATTRIBUTES ObjectAttributes,
4540 IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
4541 IN TOKEN_TYPE TokenType,
4542 OUT PHANDLE NewToken
4548 IN HANDLE ExistingToken,
4549 IN ACCESS_MASK DesiredAccess,
4550 IN POBJECT_ATTRIBUTES ObjectAttributes,
4551 IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
4552 IN TOKEN_TYPE TokenType,
4553 OUT PHANDLE NewToken
4557 * FUNCTION: Finds an atom
4559 * AtomName = Name to search for.
4560 * Atom = Caller supplies storage for the resulting atom
4563 * This function maps to the win32 GlobalFindAtom
4569 OUT PRTL_ATOM Atom OPTIONAL
4576 OUT PRTL_ATOM Atom OPTIONAL
4580 * FUNCTION: Flushes the processor's instruction cache
4582 * ProcessHandle = Points to the process owning the cache
4583 * BaseAddress = // might this be an image address ????
4584 * NumberOfBytesToFlush =
4587 * This function is used by debuggers
4591 NtFlushInstructionCache(
4592 IN HANDLE ProcessHandle,
4593 IN PVOID BaseAddress,
4594 IN UINT NumberOfBytesToFlush
4599 ZwFlushInstructionCache(
4600 IN HANDLE ProcessHandle,
4601 IN PVOID BaseAddress,
4602 IN UINT NumberOfBytesToFlush
4606 * FUNCTION: Flushes virtual memory to file
4608 * ProcessHandle = Points to the process that allocated the virtual memory
4609 * BaseAddress = Points to the memory address
4610 * NumberOfBytesToFlush = Limits the range to flush,
4611 * NumberOfBytesFlushed = Actual number of bytes flushed
4614 * Check return status on STATUS_NOT_MAPPED_DATA
4618 NtFlushVirtualMemory(
4619 IN HANDLE ProcessHandle,
4620 IN PVOID BaseAddress,
4621 IN ULONG NumberOfBytesToFlush,
4622 OUT PULONG NumberOfBytesFlushed OPTIONAL
4627 ZwFlushVirtualMemory(
4628 IN HANDLE ProcessHandle,
4629 IN PVOID BaseAddress,
4630 IN ULONG NumberOfBytesToFlush,
4631 OUT PULONG NumberOfBytesFlushed OPTIONAL
4635 * FUNCTION: Retrieves the uptime of the system
4637 * UpTime = Number of clock ticks since boot.
4653 * FUNCTION: Loads a registry key.
4655 * KeyObjectAttributes = Key to be loaded
4656 * FileObjectAttributes = File to load the key from
4658 * This procedure maps to the win32 procedure RegLoadKey
4664 IN POBJECT_ATTRIBUTES KeyObjectAttributes,
4665 IN POBJECT_ATTRIBUTES FileObjectAttributes
4671 IN POBJECT_ATTRIBUTES KeyObjectAttributes,
4672 IN POBJECT_ATTRIBUTES FileObjectAttributes
4676 * FUNCTION: Loads a registry key.
4678 * KeyObjectAttributes = Key to be loaded
4679 * FileObjectAttributes = File to load the key from
4682 * This procedure maps to the win32 procedure RegLoadKey
4688 IN POBJECT_ATTRIBUTES KeyObjectAttributes,
4689 IN POBJECT_ATTRIBUTES FileObjectAttributes,
4695 IN POBJECT_ATTRIBUTES KeyObjectAttributes,
4696 IN POBJECT_ATTRIBUTES FileObjectAttributes,
4701 * FUNCTION: Locks a range of virtual memory.
4703 * ProcessHandle = Handle to the process
4704 * BaseAddress = Lower boundary of the range of bytes to lock.
4705 * NumberOfBytesToLock = Offset to the upper boundary.
4706 * NumberOfBytesLocked (OUT) = Number of bytes actually locked.
4708 This procedure maps to the win32 procedure VirtualLock.
4709 * RETURNS: Status [STATUS_SUCCESS | STATUS_WAS_LOCKED ]
4713 NtLockVirtualMemory(
4714 HANDLE ProcessHandle,
4716 ULONG NumberOfBytesToLock,
4717 PULONG NumberOfBytesLocked
4722 ZwLockVirtualMemory(
4723 HANDLE ProcessHandle,
4725 ULONG NumberOfBytesToLock,
4726 PULONG NumberOfBytesLocked
/*
 * No description for this call appears next to the prototype. Judging by
 * the name and parameters it presumably raises an audit/alarm record for an
 * object open or create attempt made with ClientToken; TODO confirm against
 * the implementation.
 */
4731 NtOpenObjectAuditAlarm(
4732 IN PUNICODE_STRING SubsystemName,
4734 IN POBJECT_ATTRIBUTES ObjectAttributes,
4735 IN HANDLE ClientToken,
4736 IN ULONG DesiredAccess, /* NOTE(review): ULONG here, while NtAccessCheckAndAuditAlarm in this header declares DesiredAccess as ACCESS_MASK */
4737 IN ULONG GrantedAccess, /* NOTE(review): ULONG as well; presumably also an access mask, confirm */
4738 IN PPRIVILEGE_SET Privileges,
4739 IN BOOLEAN ObjectCreation,
4740 IN BOOLEAN AccessGranted,
4741 OUT PBOOLEAN GenerateOnClose
/*
 * No description for this call appears next to the prototype. Judging by
 * the name and parameters it presumably raises an audit/alarm record for an
 * object open or create attempt made with ClientToken; TODO confirm against
 * the implementation.
 */
4746 ZwOpenObjectAuditAlarm(
4747 IN PUNICODE_STRING SubsystemName,
4749 IN POBJECT_ATTRIBUTES ObjectAttributes,
4750 IN HANDLE ClientToken,
4751 IN ULONG DesiredAccess, /* NOTE(review): ULONG here, while ZwAccessCheckAndAuditAlarm in this header declares DesiredAccess as ACCESS_MASK */
4752 IN ULONG GrantedAccess, /* NOTE(review): ULONG as well; presumably also an access mask, confirm */
4753 IN PPRIVILEGE_SET Privileges,
4754 IN BOOLEAN ObjectCreation,
4755 IN BOOLEAN AccessGranted,
4756 OUT PBOOLEAN GenerateOnClose
4760 * FUNCTION: Set the access protection of a range of virtual memory
4762 * ProcessHandle = Handle to process owning the virtual address space
4763 * BaseAddress = Start address
4764 * NumberOfBytesToProtect = Delimits the range of virtual memory
4765 * for which the new access protection holds
4766 * NewAccessProtection = The new access protection for the pages
4767 * OldAccessProtection = Caller should supply storage for the old
4771 * The function maps to the win32 VirtualProtectEx
4776 NtProtectVirtualMemory(
4777 IN HANDLE ProcessHandle,
4778 IN PVOID BaseAddress,
4779 IN ULONG NumberOfBytesToProtect,
4780 IN ULONG NewAccessProtection,
4781 OUT PULONG OldAccessProtection
4786 ZwProtectVirtualMemory(
4787 IN HANDLE ProcessHandle,
4788 IN PVOID BaseAddress,
4789 IN ULONG NumberOfBytesToProtect,
4790 IN ULONG NewAccessProtection,
4791 OUT PULONG OldAccessProtection
4796 NtQueryInformationAtom(
4798 IN ATOM_INFORMATION_CLASS AtomInformationClass,
4799 OUT PVOID AtomInformation,
4800 IN ULONG AtomInformationLength,
4801 OUT PULONG ReturnLength OPTIONAL
4806 ZwQueryInformationAtom(
4808 IN ATOM_INFORMATION_CLASS AtomInformationClass,
4809 OUT PVOID AtomInformation,
4810 IN ULONG AtomInformationLength,
4811 OUT PULONG ReturnLength OPTIONAL
4815 * FUNCTION: Query information about the content of a directory object
4817 DirObjInformation = Buffer must be large enough to hold the name strings too
4818 GetNextIndex = If TRUE :return the index of the next object in this directory in ObjectIndex
4819 If FALSE: return the number of objects in this directory in ObjectIndex
4820 IgnoreInputIndex= If TRUE: ignore input value of ObjectIndex always start at index 0
4821 If FALSE use input value of ObjectIndex
4822 ObjectIndex = zero based index of object in the directory depends on GetNextIndex and IgnoreInputIndex
4823 DataWritten = Actual size of the ObjectIndex ???
4828 NtQueryDirectoryObject(
4829 IN HANDLE DirObjHandle,
4830 OUT POBJDIR_INFORMATION DirObjInformation,
4831 IN ULONG BufferLength,
4832 IN BOOLEAN GetNextIndex,
4833 IN BOOLEAN IgnoreInputIndex,
4834 IN OUT PULONG ObjectIndex,
4835 OUT PULONG DataWritten OPTIONAL
4840 ZwQueryDirectoryObject(
4841 IN HANDLE DirObjHandle,
4842 OUT POBJDIR_INFORMATION DirObjInformation,
4843 IN ULONG BufferLength,
4844 IN BOOLEAN GetNextIndex,
4845 IN BOOLEAN IgnoreInputIndex,
4846 IN OUT PULONG ObjectIndex,
4847 OUT PULONG DataWritten OPTIONAL
4851 * FUNCTION: Queries the information of a process object.
4853 * ProcessHandle = Handle to the process object
4854 * ProcessInformation = Index to a certain information structure
4856 ProcessBasicInformation PROCESS_BASIC_INFORMATION
4857 ProcessQuotaLimits QUOTA_LIMITS
4858 ProcessIoCounters IO_COUNTERS
4859 ProcessVmCounters VM_COUNTERS
4860 ProcessTimes KERNEL_USER_TIMES
4861 ProcessBasePriority KPRIORITY
4862 ProcessRaisePriority KPRIORITY
4863 ProcessDebugPort HANDLE
4864 ProcessExceptionPort HANDLE
4865 ProcessAccessToken PROCESS_ACCESS_TOKEN
4866 ProcessLdtInformation LDT_ENTRY ??
4867 ProcessLdtSize ULONG
4868 ProcessDefaultHardErrorMode ULONG
4869 ProcessIoPortHandlers // kernel mode only
4870 ProcessPooledUsageAndLimits POOLED_USAGE_AND_LIMITS
4871 ProcessWorkingSetWatch PROCESS_WS_WATCH_INFORMATION
4872 ProcessUserModeIOPL (I/O Privilege Level)
4873 ProcessEnableAlignmentFaultFixup BOOLEAN
4874 ProcessPriorityClass ULONG
4875 ProcessWx86Information ULONG
4876 ProcessHandleCount ULONG
4877 ProcessAffinityMask ULONG
4878 ProcessPooledQuotaLimits QUOTA_LIMITS
4881 * ProcessInformation = Caller supplies storage for the process information structure
4882 * ProcessInformationLength = Size of the process information structure
4883 * ReturnLength = Actual number of bytes written
4886 * This procedure maps to the win32 GetProcessTimes, GetProcessVersion,
4887 GetProcessWorkingSetSize, GetProcessPriorityBoost, GetProcessAffinityMask, GetPriorityClass,
4888 GetProcessShutdownParameters functions.
4894 NtQueryInformationProcess(
4895 IN HANDLE ProcessHandle,
4896 IN CINT ProcessInformationClass,
4897 OUT PVOID ProcessInformation,
4898 IN ULONG ProcessInformationLength,
4899 OUT PULONG ReturnLength
4904 ZwQueryInformationProcess(
4905 IN HANDLE ProcessHandle,
4906 IN CINT ProcessInformationClass,
4907 OUT PVOID ProcessInformation,
4908 IN ULONG ProcessInformationLength,
4909 OUT PULONG ReturnLength
4913 * FUNCTION: Query the interval and the clocksource for profiling
4921 NtQueryIntervalProfile(
4922 OUT PULONG Interval,
4923 OUT KPROFILE_SOURCE ClockSource /* NOTE(review): marked OUT but typed KPROFILE_SOURCE rather than a pointer to one; if KPROFILE_SOURCE is a plain value type, nothing can be returned through it and it is really an input selecting the source. Confirm. */
4928 ZwQueryIntervalProfile(
4929 OUT PULONG Interval,
4930 OUT KPROFILE_SOURCE ClockSource /* NOTE(review): marked OUT but typed KPROFILE_SOURCE rather than a pointer to one; if KPROFILE_SOURCE is a plain value type, nothing can be returned through it and it is really an input selecting the source. Confirm. */
4934 * FUNCTION: Queries the information of a object.
4936 ObjectHandle = Handle to a object
4937 ObjectInformationClass = Index to a certain information structure
4939 ObjectBasicInformation
4940 ObjectTypeInformation OBJECT_TYPE_INFORMATION
4941 ObjectNameInformation OBJECT_NAME_INFORMATION
4942 ObjectDataInformation OBJECT_DATA_INFORMATION
4944 ObjectInformation = Caller supplies storage for resulting information
4945 Length = Size of the supplied storage
4946 ResultLength = Bytes written
4952 IN HANDLE ObjectHandle,
4953 IN CINT ObjectInformationClass,
4954 OUT PVOID ObjectInformation,
4956 OUT PULONG ResultLength
4962 IN HANDLE ObjectHandle,
4963 IN CINT ObjectInformationClass,
4964 OUT PVOID ObjectInformation,
4966 OUT PULONG ResultLength
4971 NtQuerySecurityObject(
4973 IN SECURITY_INFORMATION SecurityInformation,
4974 OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
4976 OUT PULONG ResultLength
4981 ZwQuerySecurityObject(
4983 IN SECURITY_INFORMATION SecurityInformation,
4984 OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
4986 OUT PULONG ResultLength
4990 * FUNCTION: Queries the virtual memory information.
4992 ProcessHandle = Process owning the virtual address space
4993 BaseAddress = Points to the page where the information is queried for.
4994 * VirtualMemoryInformationClass = Index to a certain information structure
4996 MemoryBasicInformation MEMORY_BASIC_INFORMATION
4998 * VirtualMemoryInformation = caller supplies storage for the information structure
4999 * Length = size of the structure
5000 ResultLength = Data written
5007 NtQueryVirtualMemory(
5008 IN HANDLE ProcessHandle,
5010 IN IN CINT VirtualMemoryInformationClass,
5011 OUT PVOID VirtualMemoryInformation,
5013 OUT PULONG ResultLength
5018 ZwQueryVirtualMemory(
5019 IN HANDLE ProcessHandle,
5021 IN IN CINT VirtualMemoryInformationClass,
5022 OUT PVOID VirtualMemoryInformation,
5024 OUT PULONG ResultLength
5028 * FUNCTION: Raises a hard error (stops the system)
5030 * Status = Status code of the hard error
5063 * FUNCTION: Sets the information of a registry key.
5065 * KeyHandle = Handle to the registry key
5066 * KeyInformationClass = Index to a certain information structure.
5067 Can be one of the following values:
5069 * KeyWriteTimeInformation KEY_WRITE_TIME_INFORMATION
5071 KeyInformation = Storage for the new information
5072 * KeyInformationLength = Size of the information structure
5078 NtSetInformationKey(
5079 IN HANDLE KeyHandle,
5080 IN CINT KeyInformationClass,
5081 IN PVOID KeyInformation,
5082 IN ULONG KeyInformationLength
5087 ZwSetInformationKey(
5088 IN HANDLE KeyHandle,
5089 IN CINT KeyInformationClass,
5090 IN PVOID KeyInformation,
5091 IN ULONG KeyInformationLength
5095 * FUNCTION: Changes a set of object specific parameters
5098 * ObjectInformationClass = Index to the set of parameters to change.
5101 ObjectBasicInformation
5102 ObjectTypeInformation OBJECT_TYPE_INFORMATION
5103 ObjectAllInformation
5104 ObjectDataInformation OBJECT_DATA_INFORMATION
5105 ObjectNameInformation OBJECT_NAME_INFORMATION
5108 * ObjectInformation = Caller supplies storage for parameters to set.
5109 * Length = Size of the storage supplied
5114 NtSetInformationObject(
5115 IN HANDLE ObjectHandle,
5116 IN CINT ObjectInformationClass,
5117 IN PVOID ObjectInformation,
5123 ZwSetInformationObject(
5124 IN HANDLE ObjectHandle,
5125 IN CINT ObjectInformationClass,
5126 IN PVOID ObjectInformation,
5131 * FUNCTION: Changes a set of process specific parameters
5133 * ProcessHandle = Handle to the process
5134 * ProcessInformationClass = Index to a information structure.
5136 * ProcessBasicInformation PROCESS_BASIC_INFORMATION
5137 * ProcessQuotaLimits QUOTA_LIMITS
5138 * ProcessBasePriority KPRIORITY
5139 * ProcessRaisePriority KPRIORITY
5140 * ProcessDebugPort HANDLE
5141 * ProcessExceptionPort HANDLE
5142 * ProcessAccessToken PROCESS_ACCESS_TOKEN
5143 * ProcessDefaultHardErrorMode ULONG
5144 * ProcessPriorityClass ULONG
5145 * ProcessAffinityMask KAFFINITY //??
5147 * ProcessInformation = Caller supplies storage for information to set.
5148 * ProcessInformationLength = Size of the information structure
5153 NtSetInformationProcess(
5154 IN HANDLE ProcessHandle,
5155 IN CINT ProcessInformationClass,
5156 IN PVOID ProcessInformation,
5157 IN ULONG ProcessInformationLength
5162 ZwSetInformationProcess(
5163 IN HANDLE ProcessHandle,
5164 IN CINT ProcessInformationClass,
5165 IN PVOID ProcessInformation,
5166 IN ULONG ProcessInformationLength
5170 * FUNCTION: Sets the characteristics of a timer
5172 * TimerHandle = Handle to the timer
5173 * DueTime = Time before the timer becomes signalled for the first time.
5174 * TimerApcRoutine = Completion routine can be called on time completion
5175 * TimerContext = Argument to the completion routine
5176 * Resume = Specifies if the timer should be repeated after completing one cycle
5177 * Period = Cycle of the timer
5178 * REMARKS: This routine maps to the win32 SetWaitableTimer.
5184 IN HANDLE TimerHandle,
5185 IN PLARGE_INTEGER DueTime,
5186 IN PTIMERAPCROUTINE TimerApcRoutine,
5187 IN PVOID TimerContext,
5189 IN ULONG Period OPTIONAL,
5190 OUT PBOOLEAN PreviousState OPTIONAL
5196 IN HANDLE TimerHandle,
5197 IN PLARGE_INTEGER DueTime,
5198 IN PTIMERAPCROUTINE TimerApcRoutine,
5199 IN PVOID TimerContext,
5201 IN ULONG Period OPTIONAL,
5202 OUT PBOOLEAN PreviousState OPTIONAL
5206 * FUNCTION: Unloads a registry key.
5208 * KeyHandle = Handle to the registry key
5210 * This procedure maps to the win32 procedure RegUnloadKey
5216 IN POBJECT_ATTRIBUTES KeyObjectAttributes
5222 IN POBJECT_ATTRIBUTES KeyObjectAttributes
5226 * FUNCTION: Unlocks a range of virtual memory.
5228 * ProcessHandle = Handle to the process
5229 * BaseAddress = Lower boundary of the range of bytes to unlock.
5230 * NumberOfBytesToUnlock = Offset to the upper boundary to unlock.
5231 * NumberOfBytesUnlocked (OUT) = Number of bytes actually unlocked.
5233 This procedure maps to the win32 procedure VirtualUnlock
5234 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PAGE_WAS_ULOCKED ]
5238 NtUnlockVirtualMemory(
5239 IN HANDLE ProcessHandle,
5240 IN PVOID BaseAddress,
5241 IN ULONG NumberOfBytesToUnlock,
5242 OUT PULONG NumberOfBytesUnlocked OPTIONAL
5247 ZwUnlockVirtualMemory(
5248 IN HANDLE ProcessHandle,
5249 IN PVOID BaseAddress,
5250 IN ULONG NumberOfBytesToUnlock,
5251 OUT PULONG NumberOfBytesUnlocked OPTIONAL
5255 * FUNCTION: Waits for multiple objects to become signalled.
5257 * Count = The number of objects
5258 * Object = The array of object handles
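5259 * WaitType = Can be one of the values UserMode or KernelMode (NOTE(review): the prototypes below declare this parameter as WAIT_TYPE, and UserMode/KernelMode read like processor modes rather than wait types; confirm the intended values)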
5260 * Alertable = If true the wait is alertable.
5261 * Time = The maximum wait time.
5263 * This function maps to the win32 WaitForMultipleObjectEx.
5268 NtWaitForMultipleObjects (
5271 IN WAIT_TYPE WaitType,
5272 IN BOOLEAN Alertable,
5273 IN PLARGE_INTEGER Time
5278 ZwWaitForMultipleObjects (
5281 IN WAIT_TYPE WaitType,
5282 IN BOOLEAN Alertable,
5283 IN PLARGE_INTEGER Time
5287 * FUNCTION: Creates a profile
5289 * ProfileHandle (OUT) = Caller supplied storage for the resulting handle
5290 * ObjectAttribute = Initialized attributes for the object
5291 * ImageBase = Start address of executable image
5292 * ImageSize = Size of the image
5293 * Granularity = Bucket size
5294 * Buffer = Caller supplies buffer for profiling info
5295 * ProfilingSize = Buffer size
5296 * ClockSource = Specify 0 / FALSE ??
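5297 * ProcessorMask = A value of -1 disables per-processor profiling,
5298 otherwise bit set for the processor to profile.
5300 * This function maps to the win32 CreateProcess (NOTE(review): probably a copy-paste slip, since the FUNCTION line says this call creates a profile; confirm).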
5306 NtCreateProfile(OUT PHANDLE ProfileHandle,
5307 IN HANDLE ProcessHandle,
5310 IN ULONG Granularity,
5312 IN ULONG ProfilingSize,
5313 IN KPROFILE_SOURCE Source,
5314 IN ULONG ProcessorMask);
5319 OUT PHANDLE ProfileHandle,
5320 IN POBJECT_ATTRIBUTES ObjectAttributes, /* NOTE(review): NtCreateProfile directly above takes IN HANDLE ProcessHandle in this position; confirm which parameter list is current */
5323 IN ULONG Granularity,
5325 IN ULONG ProfilingSize,
5326 IN ULONG ClockSource, /* NOTE(review): NtCreateProfile directly above declares this as IN KPROFILE_SOURCE Source */
5327 IN ULONG ProcessorMask
5331 * FUNCTION: Delays the execution of the calling thread.
5333 * Alertable = If TRUE the thread is alertable during its wait period
5334 * Interval = Specifies the interval to wait.
5348 IN BOOLEAN Alertable,
5353 * FUNCTION: Extends a section
5355 * SectionHandle = Handle to the section
5356 * NewMaximumSize = Adjusted size
5362 IN HANDLE SectionHandle,
5363 IN ULONG NewMaximumSize
5369 IN HANDLE SectionHandle,
5370 IN ULONG NewMaximumSize
5374 * FUNCTION: Queries the information of a section object.
5376 * SectionHandle = Handle to the section link object
5377 * SectionInformationClass = Index to a certain information structure
5378 * SectionInformation (OUT)= Caller supplies storage for resulting information
5379 * Length = Size of the supplied storage
5380 * ResultLength = Data written
5387 IN HANDLE SectionHandle,
5388 IN CINT SectionInformationClass,
5389 OUT PVOID SectionInformation,
5391 OUT PULONG ResultLength
5397 IN HANDLE SectionHandle,
5398 IN CINT SectionInformationClass,
5399 OUT PVOID SectionInformation,
5401 OUT PULONG ResultLength
5404 typedef struct _SECTION_IMAGE_INFORMATION
5411 USHORT MinorSubsystemVersion;
5412 USHORT MajorSubsystemVersion;
5414 ULONG Characteristics;
5419 } SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;
5421 #endif /* !__USE_W32API */
5423 #endif /* __DDK_ZW_H */