4 * COPYRIGHT: See COPYING in the top level directory
5 * PROJECT: ReactOS kernel
6 * PURPOSE: System call definitions
7 * FILE: include/ddk/zw.h
9 * ??/??/??: First few functions (David Welch)
10 * ??/??/??: Complete implementation by Ariadne
11 * 13/07/98: Reorganised things a bit (David Welch)
12 * 04/08/98: Added some documentation (Ariadne)
13 * 14/08/98: Added type TIME and change variable type from [1] to [0]
14 * 14/09/98: Added for each Nt call a corresponding Zw Call
15 * 09/08/03: Added ThreadEventPair routines
21 #include <ntos/security.h>
22 #include <ntos/zwtypes.h>
23 #include <napi/npipe.h>
25 #ifndef _RTLGETPROCESSHEAP_DEFINED_
26 #define _RTLGETPROCESSHEAP_DEFINED_
27 #define RtlGetProcessHeap() (NtCurrentPeb()->ProcessHeap)
30 // semaphore information
32 typedef enum _SEMAPHORE_INFORMATION_CLASS
34 SemaphoreBasicInformation = 0
35 } SEMAPHORE_INFORMATION_CLASS;
37 typedef struct _SEMAPHORE_BASIC_INFORMATION
41 } SEMAPHORE_BASIC_INFORMATION, *PSEMAPHORE_BASIC_INFORMATION;
45 typedef enum _EVENT_INFORMATION_CLASS
47 EventBasicInformation = 0
48 } EVENT_INFORMATION_CLASS;
50 typedef struct _EVENT_BASIC_INFORMATION
54 } EVENT_BASIC_INFORMATION, *PEVENT_BASIC_INFORMATION;
57 //#define SECURITY_INFORMATION ULONG
58 //typedef ULONG SECURITY_INFORMATION;
61 * FUNCTION: Adjusts the groups in an access token
63 * TokenHandle = Specifies the access token
64 * ResetToDefault = If true the NewState parameter is ignored and the groups are set to
65 * their default state, if false the groups specified in
68 * BufferLength = Specifies the size of the buffer for the PreviousState.
70 * ReturnLength = Bytes written in PreviousState buffer.
71 * REMARKS: The arguments map to the win32 AdjustTokenGroups
78 IN HANDLE TokenHandle,
79 IN BOOLEAN ResetToDefault,
80 IN PTOKEN_GROUPS NewState,
81 IN ULONG BufferLength,
82 OUT PTOKEN_GROUPS PreviousState OPTIONAL,
83 OUT PULONG ReturnLength
89 IN HANDLE TokenHandle,
90 IN BOOLEAN ResetToDefault,
91 IN PTOKEN_GROUPS NewState,
92 IN ULONG BufferLength,
93 OUT PTOKEN_GROUPS PreviousState,
94 OUT PULONG ReturnLength
102 * TokenHandle = Handle to the access token
103 * DisableAllPrivileges = If true all privileges in the token are disabled and the NewState parameter is ignored.
109 * The arguments map to the win32 AdjustTokenPrivileges
115 NtAdjustPrivilegesToken(
116 IN HANDLE TokenHandle,
117 IN BOOLEAN DisableAllPrivileges,
118 IN PTOKEN_PRIVILEGES NewState,
119 IN ULONG BufferLength,
120 OUT PTOKEN_PRIVILEGES PreviousState,
121 OUT PULONG ReturnLength
126 ZwAdjustPrivilegesToken(
127 IN HANDLE TokenHandle,
128 IN BOOLEAN DisableAllPrivileges,
129 IN PTOKEN_PRIVILEGES NewState,
130 IN ULONG BufferLength,
131 OUT PTOKEN_PRIVILEGES PreviousState,
132 OUT PULONG ReturnLength
137 * FUNCTION: Decrements a thread's suspend count and places it in an alerted
140 * ThreadHandle = Handle to the thread that should be resumed
141 * SuspendCount = The resulting suspend count.
143 * A thread is resumed if its suspend count is 0
149 IN HANDLE ThreadHandle,
150 OUT PULONG SuspendCount
156 IN HANDLE ThreadHandle,
157 OUT PULONG SuspendCount
161 * FUNCTION: Puts the thread in an alerted state
163 * ThreadHandle = Handle to the thread that should be alerted
169 IN HANDLE ThreadHandle
175 IN HANDLE ThreadHandle
180 * FUNCTION: Allocates a locally unique id
182 * LocallyUniqueId = Locally unique number
187 NtAllocateLocallyUniqueId(
188 OUT LUID *LocallyUniqueId
193 ZwAllocateLocallyUniqueId(
198 * FUNCTION: Allocates a block of virtual memory in the process address space
200 * ProcessHandle = The handle of the process which owns the virtual memory
201 * BaseAddress = A pointer to the virtual memory allocated. If you supply a non zero
202 * value the system will try to allocate the memory at the address supplied. It rounds
203 * it down to a multiple of the page size.
204 * ZeroBits = (OPTIONAL) You can specify the number of high order bits that must be zero, ensuring that
205 * the memory will be allocated at an address below a certain value.
206 * RegionSize = The number of bytes to allocate
207 * AllocationType = Indicates the type of virtual memory you would like to allocate,
208 * can be one of the values : MEM_COMMIT, MEM_RESERVE, MEM_RESET, MEM_TOP_DOWN
209 * Protect = Indicates the protection type of the pages allocated, can be a combination of
210 * PAGE_READONLY, PAGE_READWRITE, PAGE_EXECUTE_READ,
211 * PAGE_EXECUTE_READWRITE, PAGE_GUARD, PAGE_NOACCESS
213 * This function maps to the win32 VirtualAllocEx. Virtual memory is process based so the
214 * protocol starts with a ProcessHandle. I split the functionality of obtaining the actual address and specifying
215 * the start address into two parameters ( BaseAddress and StartAddress ). The NumberOfBytesAllocated specifies the range
216 * and the AllocationType and ProtectionType map to the other two parameters.
221 NtAllocateVirtualMemory (
222 IN HANDLE ProcessHandle,
223 IN OUT PVOID *BaseAddress,
225 IN OUT PULONG RegionSize,
226 IN ULONG AllocationType,
232 ZwAllocateVirtualMemory (
233 IN HANDLE ProcessHandle,
234 IN OUT PVOID *BaseAddress,
236 IN OUT PULONG RegionSize,
237 IN ULONG AllocationType,
241 * FUNCTION: Returns from a callback into user mode
245 //FIXME: this function might need 3 parameters
246 NTSTATUS STDCALL NtCallbackReturn(PVOID Result,
250 NTSTATUS STDCALL ZwCallbackReturn(PVOID Result,
255 * FUNCTION: Cancels an IO request
257 * FileHandle = Handle to the file
261 * This function maps to the win32 CancelIo.
267 IN HANDLE FileHandle,
268 OUT PIO_STATUS_BLOCK IoStatusBlock
274 IN HANDLE FileHandle,
275 OUT PIO_STATUS_BLOCK IoStatusBlock
279 * FUNCTION: Sets the status of the event back to non-signaled
281 * EventHandle = Handle to the event
283 * This function maps to win32 function ResetEvent.
290 IN HANDLE EventHandle
296 IN HANDLE EventHandle
300 * FUNCTION: Closes an object handle
302 * Handle = Handle to the object
304 * This function maps to the win32 function CloseHandle.
321 * FUNCTION: Generates an audit message when a handle to an object is dereferenced
324 HandleId = Handle to the object
327 * This function maps to the win32 function ObjectCloseAuditAlarm.
333 NtCloseObjectAuditAlarm(
334 IN PUNICODE_STRING SubsystemName,
336 IN BOOLEAN GenerateOnClose
341 ZwCloseObjectAuditAlarm(
342 IN PUNICODE_STRING SubsystemName,
344 IN BOOLEAN GenerateOnClose
348 * FUNCTION: Creates a directory object
350 * DirectoryHandle (OUT) = Caller supplied storage for the resulting handle
351 * DesiredAccess = Specifies access to the directory
352 * ObjectAttribute = Initialized attributes for the object
353 * REMARKS: This function maps to the win32 CreateDirectory. A directory is like a file so it needs a
354 * handle, an access mask and an OBJECT_ATTRIBUTES structure to map the path name and the SECURITY_ATTRIBUTES.
360 NtCreateDirectoryObject(
361 OUT PHANDLE DirectoryHandle,
362 IN ACCESS_MASK DesiredAccess,
363 IN POBJECT_ATTRIBUTES ObjectAttributes
368 ZwCreateDirectoryObject(
369 OUT PHANDLE DirectoryHandle,
370 IN ACCESS_MASK DesiredAccess,
371 IN POBJECT_ATTRIBUTES ObjectAttributes
375 * FUNCTION: Creates an event object
377 * EventHandle (OUT) = Caller supplied storage for the resulting handle
378 * DesiredAccess = Specifies access to the event
379 * ObjectAttribute = Initialized attributes for the object
380 * ManualReset = manual-reset or auto-reset. If true you have to reset the state of the event manually
381 * using NtResetEvent/NtClearEvent. If false the system will reset the event to a non-signalled state
382 * automatically after the system has rescheduled a thread waiting on the event.
383 * InitialState = specifies the initial state of the event to be signalled ( TRUE ) or non-signalled (FALSE).
384 * REMARKS: This function maps to the win32 CreateEvent. It requires an out variable of type HANDLE,
385 * an access mask and an OBJECT_ATTRIBUTES structure mapping to the SECURITY_ATTRIBUTES. ManualReset and InitialState are
386 * both parameters as well ( possibly the order is reversed ).
393 OUT PHANDLE EventHandle,
394 IN ACCESS_MASK DesiredAccess,
395 IN POBJECT_ATTRIBUTES ObjectAttributes,
396 IN BOOLEAN ManualReset,
397 IN BOOLEAN InitialState
403 OUT PHANDLE EventHandle,
404 IN ACCESS_MASK DesiredAccess,
405 IN POBJECT_ATTRIBUTES ObjectAttributes,
406 IN BOOLEAN ManualReset,
407 IN BOOLEAN InitialState
411 * FUNCTION: Creates an eventpair object
413 * EventPairHandle (OUT) = Caller supplied storage for the resulting handle
414 * DesiredAccess = Specifies access to the event
415 * ObjectAttribute = Initialized attributes for the object
421 OUT PHANDLE EventPairHandle,
422 IN ACCESS_MASK DesiredAccess,
423 IN POBJECT_ATTRIBUTES ObjectAttributes
429 OUT PHANDLE EventPairHandle,
430 IN ACCESS_MASK DesiredAccess,
431 IN POBJECT_ATTRIBUTES ObjectAttributes
436 * FUNCTION: Creates or opens a file, directory or device object.
438 * FileHandle (OUT) = Caller supplied storage for the resulting handle
439 * DesiredAccess = Specifies the allowed or desired access to the file can
440 * be a combination of DELETE | FILE_READ_DATA ..
441 * ObjectAttribute = Initialized attributes for the object, contains the rootdirectory and the filename
442 * IoStatusBlock (OUT) = Caller supplied storage for the resulting status information, indicating if
443 * the file is created and opened or already existed and is just opened.
444 * FileAttributes = file attributes can be a combination of FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN ...
445 * ShareAccess = can be a combination of the following: FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE
446 * CreateDisposition = specifies the behavior of the system if the file already exists.
447 * CreateOptions = specifies the behavior of the system on file creation.
448 * EaBuffer (OPTIONAL) = Extended Attributes buffer, applies only to files and directories.
449 * EaLength = Extended Attributes buffer size, applies only to files and directories.
450 * REMARKS: This function maps to the win32 CreateFile.
457 OUT PHANDLE FileHandle,
458 IN ACCESS_MASK DesiredAccess,
459 IN POBJECT_ATTRIBUTES ObjectAttributes,
460 OUT PIO_STATUS_BLOCK IoStatusBlock,
461 IN PLARGE_INTEGER AllocationSize OPTIONAL,
462 IN ULONG FileAttributes,
463 IN ULONG ShareAccess,
464 IN ULONG CreateDisposition,
465 IN ULONG CreateOptions,
466 IN PVOID EaBuffer OPTIONAL,
473 OUT PHANDLE FileHandle,
474 IN ACCESS_MASK DesiredAccess,
475 IN POBJECT_ATTRIBUTES ObjectAttributes,
476 OUT PIO_STATUS_BLOCK IoStatusBlock,
477 IN PLARGE_INTEGER AllocationSize OPTIONAL,
478 IN ULONG FileAttributes,
479 IN ULONG ShareAccess,
480 IN ULONG CreateDisposition,
481 IN ULONG CreateOptions,
482 IN PVOID EaBuffer OPTIONAL,
487 * FUNCTION: Creates an I/O completion object.
489 * CompletionPort (OUT) = Caller supplied storage for the resulting handle
490 * DesiredAccess = Specifies the allowed or desired access to the port
492 * NumberOfConcurrentThreads =
493 * REMARKS: This function maps to the win32 CreateIoCompletionPort
500 NtCreateIoCompletion(
501 OUT PHANDLE IoCompletionHandle,
502 IN ACCESS_MASK DesiredAccess,
503 IN POBJECT_ATTRIBUTES ObjectAttributes,
504 IN ULONG NumberOfConcurrentThreads
509 ZwCreateIoCompletion(
510 OUT PHANDLE IoCompletionHandle,
511 IN ACCESS_MASK DesiredAccess,
512 IN POBJECT_ATTRIBUTES ObjectAttributes,
513 IN ULONG NumberOfConcurrentThreads
517 * FUNCTION: Creates a registry key
519 * KeyHandle (OUT) = Caller supplied storage for the resulting handle
520 * DesiredAccess = Specifies the allowed or desired access to the key
521 * It can have a combination of the following values:
522 * KEY_READ | KEY_WRITE | KEY_EXECUTE | KEY_ALL_ACCESS
524 * KEY_QUERY_VALUE The values of the key can be queried.
525 * KEY_SET_VALUE The values of the key can be modified.
526 * KEY_CREATE_SUB_KEYS The key may contain subkeys.
527 * KEY_ENUMERATE_SUB_KEYS Subkeys can be queried.
529 * KEY_CREATE_LINK A symbolic link to the key can be created.
530 * ObjectAttributes = The name of the key may be specified directly in the name field
531 * of object attributes or relative to a key in rootdirectory.
532 * TitleIndex = Might specify the position in the sequential order of subkeys.
533 * Class = Specifies the kind of data, for example REG_SZ for string data. [ ??? ]
534 * CreateOptions = Specifies additional options with which the key is created
535 * REG_OPTION_VOLATILE The key is not preserved across boots.
536 * REG_OPTION_NON_VOLATILE The key is preserved across boots.
537 * REG_OPTION_CREATE_LINK The key is a symbolic link to another key.
538 * REG_OPTION_BACKUP_RESTORE Key is being opened or created for backup/restore operations.
539 * Disposition = Indicates if the call to NtCreateKey resulted in the creation of a key it
540 * can have the following values: REG_CREATED_NEW_KEY | REG_OPENED_EXISTING_KEY
546 NtCreateKey(OUT PHANDLE KeyHandle,
547 IN ACCESS_MASK DesiredAccess,
548 IN POBJECT_ATTRIBUTES ObjectAttributes,
550 IN PUNICODE_STRING Class OPTIONAL,
551 IN ULONG CreateOptions,
552 IN PULONG Disposition OPTIONAL);
555 ZwCreateKey(OUT PHANDLE KeyHandle,
556 IN ACCESS_MASK DesiredAccess,
557 IN POBJECT_ATTRIBUTES ObjectAttributes,
559 IN PUNICODE_STRING Class OPTIONAL,
560 IN ULONG CreateOptions,
561 IN PULONG Disposition OPTIONAL);
564 * FUNCTION: Creates a mail slot file
566 * MailSlotFileHandle (OUT) = Caller supplied storage for the resulting handle
567 * DesiredAccess = Specifies the allowed or desired access to the file
568 * ObjectAttributes = Contains the name of the mailslotfile.
575 * REMARKS: This function maps to the win32 function CreateMailSlot
582 NtCreateMailslotFile(
583 OUT PHANDLE MailSlotFileHandle,
584 IN ACCESS_MASK DesiredAccess,
585 IN POBJECT_ATTRIBUTES ObjectAttributes,
586 OUT PIO_STATUS_BLOCK IoStatusBlock,
587 IN ULONG FileAttributes,
588 IN ULONG ShareAccess,
589 IN ULONG MaxMessageSize,
590 IN PLARGE_INTEGER TimeOut
595 ZwCreateMailslotFile(
596 OUT PHANDLE MailSlotFileHandle,
597 IN ACCESS_MASK DesiredAccess,
598 IN POBJECT_ATTRIBUTES ObjectAttributes,
599 OUT PIO_STATUS_BLOCK IoStatusBlock,
600 IN ULONG FileAttributes,
601 IN ULONG ShareAccess,
602 IN ULONG MaxMessageSize,
603 IN PLARGE_INTEGER TimeOut
607 * FUNCTION: Creates or opens a mutex
609 * MutantHandle (OUT) = Caller supplied storage for the resulting handle
610 * DesiredAccess = Specifies the allowed or desired access to the mutex
611 * ObjectAttributes = Contains the name of the mutex.
612 * InitialOwner = If true the calling thread acquires ownership
614 * REMARKS: This function maps to the win32 function CreateMutex
621 OUT PHANDLE MutantHandle,
622 IN ACCESS_MASK DesiredAccess,
623 IN POBJECT_ATTRIBUTES ObjectAttributes,
624 IN BOOLEAN InitialOwner
630 OUT PHANDLE MutantHandle,
631 IN ACCESS_MASK DesiredAccess,
632 IN POBJECT_ATTRIBUTES ObjectAttributes,
633 IN BOOLEAN InitialOwner
637 * FUNCTION: Creates a process.
639 * ProcessHandle (OUT) = Caller supplied storage for the resulting handle
640 * DesiredAccess = Specifies the allowed or desired access to the process, can
641 * be a combination of STANDARD_RIGHTS_REQUIRED| ..
642 * ObjectAttribute = Initialized attributes for the object, contains the rootdirectory and the filename
643 * ParentProcess = Handle to the parent process.
644 * InheritObjectTable = Specifies to inherit the objects of the parent process if true.
645 * SectionHandle = Handle to a section object to back the image file
646 * DebugPort = Handle to a DebugPort if NULL the system default debug port will be used.
647 * ExceptionPort = Handle to an exception port.
649 * This function maps to the win32 CreateProcess.
655 OUT PHANDLE ProcessHandle,
656 IN ACCESS_MASK DesiredAccess,
657 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
658 IN HANDLE ParentProcess,
659 IN BOOLEAN InheritObjectTable,
660 IN HANDLE SectionHandle OPTIONAL,
661 IN HANDLE DebugPort OPTIONAL,
662 IN HANDLE ExceptionPort OPTIONAL
668 OUT PHANDLE ProcessHandle,
669 IN ACCESS_MASK DesiredAccess,
670 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
671 IN HANDLE ParentProcess,
672 IN BOOLEAN InheritObjectTable,
673 IN HANDLE SectionHandle OPTIONAL,
674 IN HANDLE DebugPort OPTIONAL,
675 IN HANDLE ExceptionPort OPTIONAL
679 * FUNCTION: Creates a section object.
681 * SectionHandle (OUT) = Caller supplied storage for the resulting handle
682 * DesiredAccess = Specifies the desired access to the section can be a combination of STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_WRITE |
683 * SECTION_MAP_READ | SECTION_MAP_EXECUTE.
684 * ObjectAttribute = Initialized attributes for the object can be used to create a named section
685 * MaximumSize = Maximum size of the memory section. Must be non-NULL for a page-file backed section.
686 * If a value is specified for a mapped file and the file is not large enough, the file will be extended.
687 * SectionPageProtection = Can be a combination of PAGE_READONLY | PAGE_READWRITE | PAGE_WRITEONLY | PAGE_WRITECOPY.
688 * AllocationAttributes = can be a combination of SEC_IMAGE | SEC_RESERVE
689 * FileHandle = Handle to a file to create a section mapped to a file instead of a memory backed section.
696 OUT PHANDLE SectionHandle,
697 IN ACCESS_MASK DesiredAccess,
698 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
699 IN PLARGE_INTEGER MaximumSize OPTIONAL,
700 IN ULONG SectionPageProtection OPTIONAL,
701 IN ULONG AllocationAttributes,
702 IN HANDLE FileHandle OPTIONAL
708 OUT PHANDLE SectionHandle,
709 IN ACCESS_MASK DesiredAccess,
710 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
711 IN PLARGE_INTEGER MaximumSize OPTIONAL,
712 IN ULONG SectionPageProtection OPTIONAL,
713 IN ULONG AllocationAttributes,
714 IN HANDLE FileHandle OPTIONAL
718 * FUNCTION: Creates a semaphore object for interprocess synchronization.
720 * SemaphoreHandle (OUT) = Caller supplied storage for the resulting handle
721 * DesiredAccess = Specifies the allowed or desired access to the semaphore.
722 * ObjectAttribute = Initialized attributes for the object.
723 * InitialCount = Not necessarily zero, might be smaller than zero.
724 * MaximumCount = Maximum count the semaphore can reach.
727 * The semaphore is set to signaled when its count is greater than zero, and non-signaled when its count is zero.
730 //FIXME: should a semaphore's initial count be allowed to be smaller than zero ??
734 OUT PHANDLE SemaphoreHandle,
735 IN ACCESS_MASK DesiredAccess,
736 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
737 IN LONG InitialCount,
744 OUT PHANDLE SemaphoreHandle,
745 IN ACCESS_MASK DesiredAccess,
746 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
747 IN LONG InitialCount,
752 * FUNCTION: Creates a symbolic link object
754 * SymbolicLinkHandle (OUT) = Caller supplied storage for the resulting handle
755 * DesiredAccess = Specifies the allowed or desired access to the symbolic link.
756 * ObjectAttributes = Initialized attributes for the object.
757 * Name = Target name of the symbolic link
762 NtCreateSymbolicLinkObject(
763 OUT PHANDLE SymbolicLinkHandle,
764 IN ACCESS_MASK DesiredAccess,
765 IN POBJECT_ATTRIBUTES ObjectAttributes,
766 IN PUNICODE_STRING Name
771 ZwCreateSymbolicLinkObject(
772 OUT PHANDLE SymbolicLinkHandle,
773 IN ACCESS_MASK DesiredAccess,
774 IN POBJECT_ATTRIBUTES ObjectAttributes,
775 IN PUNICODE_STRING Name
779 * FUNCTION: Creates a waitable timer.
781 * TimerHandle (OUT) = Caller supplied storage for the resulting handle
782 * DesiredAccess = Specifies the allowed or desired access to the timer.
783 * ObjectAttributes = Initialized attributes for the object.
784 * TimerType = Specifies if the timer should be reset manually.
786 * This function maps to the win32 CreateWaitableTimer. lpTimerAttributes and lpTimerName map to
787 * corresponding fields in OBJECT_ATTRIBUTES structure.
793 OUT PHANDLE TimerHandle,
794 IN ACCESS_MASK DesiredAccess,
795 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
796 IN TIMER_TYPE TimerType
802 OUT PHANDLE TimerHandle,
803 IN ACCESS_MASK DesiredAccess,
804 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
805 IN TIMER_TYPE TimerType
809 * FUNCTION: Creates a token.
811 * TokenHandle (OUT) = Caller supplied storage for the resulting handle
812 * DesiredAccess = Specifies the allowed or desired access to the token, can
813 * be a combination of STANDARD_RIGHTS_REQUIRED| ..
814 * ObjectAttribute = Initialized attributes for the object, contains the rootdirectory and the filename
822 * TokenPrimaryGroup =
826 * This function does not map to a win32 function
833 OUT PHANDLE TokenHandle,
834 IN ACCESS_MASK DesiredAccess,
835 IN POBJECT_ATTRIBUTES ObjectAttributes,
836 IN TOKEN_TYPE TokenType,
837 IN PLUID AuthenticationId,
838 IN PLARGE_INTEGER ExpirationTime,
839 IN PTOKEN_USER TokenUser,
840 IN PTOKEN_GROUPS TokenGroups,
841 IN PTOKEN_PRIVILEGES TokenPrivileges,
842 IN PTOKEN_OWNER TokenOwner,
843 IN PTOKEN_PRIMARY_GROUP TokenPrimaryGroup,
844 IN PTOKEN_DEFAULT_DACL TokenDefaultDacl,
845 IN PTOKEN_SOURCE TokenSource
851 OUT PHANDLE TokenHandle,
852 IN ACCESS_MASK DesiredAccess,
853 IN POBJECT_ATTRIBUTES ObjectAttributes,
854 IN TOKEN_TYPE TokenType,
855 IN PLUID AuthenticationId,
856 IN PLARGE_INTEGER ExpirationTime,
857 IN PTOKEN_USER TokenUser,
858 IN PTOKEN_GROUPS TokenGroups,
859 IN PTOKEN_PRIVILEGES TokenPrivileges,
860 IN PTOKEN_OWNER TokenOwner,
861 IN PTOKEN_PRIMARY_GROUP TokenPrimaryGroup,
862 IN PTOKEN_DEFAULT_DACL TokenDefaultDacl,
863 IN PTOKEN_SOURCE TokenSource
867 * FUNCTION: Returns the caller's thread TEB.
868 * RETURNS: The resulting teb.
878 * FUNCTION: Deletes an atom from the global atom table
880 * Atom = Identifies the atom to delete
882 * The function maps to the win32 GlobalDeleteAtom
898 * FUNCTION: Deletes a file or a directory
900 * ObjectAttributes = Name of the file which should be deleted
902 * This system call is functionally equivalent to NtSetInformationFile
903 * setting the disposition information.
904 * The function maps to the win32 DeleteFile.
910 IN POBJECT_ATTRIBUTES ObjectAttributes
916 IN POBJECT_ATTRIBUTES ObjectAttributes
920 * FUNCTION: Deletes a registry key
922 * KeyHandle = Handle of the key
937 * FUNCTION: Generates an audit message when an object is deleted
939 * SubsystemName = Specifies the name of the subsystem, can be 'WIN32' or 'DEBUG'
940 * HandleId= Handle to an audit object
941 * GenerateOnClose = Value returned by NtAccessCheckAndAuditAlarm
942 * REMARKS: This function maps to the win32 ObjectCloseAuditAlarm
948 NtDeleteObjectAuditAlarm (
949 IN PUNICODE_STRING SubsystemName,
951 IN BOOLEAN GenerateOnClose
956 ZwDeleteObjectAuditAlarm (
957 IN PUNICODE_STRING SubsystemName,
959 IN BOOLEAN GenerateOnClose
964 * FUNCTION: Deletes a value from a registry key
966 * KeyHandle = Handle of the key
967 * ValueName = Name of the value to delete
975 IN PUNICODE_STRING ValueName
982 IN PUNICODE_STRING ValueName
985 * FUNCTION: Sends IOCTL to the io sub system
987 * DeviceHandle = Points to the handle that is created by NtCreateFile
988 * Event = Event to synchronize on STATUS_PENDING
989 * ApcRoutine = Asynchronous procedure callback
990 * ApcContext = Callback context.
991 * IoStatusBlock = Caller should supply storage for extra information.
992 * IoControlCode = Contains the IO Control command. This is an
993 * index to the structures in InputBuffer and OutputBuffer.
994 * InputBuffer = Caller should supply storage for input buffer if IOCTL expects one.
995 * InputBufferSize = Size of the input buffer
996 * OutputBuffer = Caller should supply storage for output buffer if IOCTL expects one.
997 * OutputBufferSize = Size of the output buffer
1003 NtDeviceIoControlFile(
1004 IN HANDLE DeviceHandle,
1005 IN HANDLE Event OPTIONAL,
1006 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL,
1007 IN PVOID UserApcContext OPTIONAL,
1008 OUT PIO_STATUS_BLOCK IoStatusBlock,
1009 IN ULONG IoControlCode,
1010 IN PVOID InputBuffer,
1011 IN ULONG InputBufferSize,
1012 OUT PVOID OutputBuffer,
1013 IN ULONG OutputBufferSize
1018 ZwDeviceIoControlFile(
1019 IN HANDLE DeviceHandle,
1020 IN HANDLE Event OPTIONAL,
1021 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL,
1022 IN PVOID UserApcContext OPTIONAL,
1023 OUT PIO_STATUS_BLOCK IoStatusBlock,
1024 IN ULONG IoControlCode,
1025 IN PVOID InputBuffer,
1026 IN ULONG InputBufferSize,
1027 OUT PVOID OutputBuffer,
1028 IN ULONG OutputBufferSize
1031 * FUNCTION: Displays a string on the blue screen
1033 * DisplayString = The string to display
1040 IN PUNICODE_STRING DisplayString
1046 IN PUNICODE_STRING DisplayString
1050 * FUNCTION: Returns information about the subkeys of an open key
1052 * KeyHandle = Handle of the key whose subkeys are to be enumerated
1053 * Index = zero based index of the subkey for which information is
1055 * KeyInformationClass = Type of information returned
1056 * KeyInformation (OUT) = Caller allocated buffer for the information
1058 * Length = Length in bytes of the KeyInformation buffer
1059 * ResultLength (OUT) = Caller allocated storage which holds
1060 * the number of bytes of information retrieved
1067 IN HANDLE KeyHandle,
1069 IN KEY_INFORMATION_CLASS KeyInformationClass,
1070 OUT PVOID KeyInformation,
1072 OUT PULONG ResultLength
1078 IN HANDLE KeyHandle,
1080 IN KEY_INFORMATION_CLASS KeyInformationClass,
1081 OUT PVOID KeyInformation,
1083 OUT PULONG ResultLength
1086 * FUNCTION: Returns information about the value entries of an open key
1088 * KeyHandle = Handle of the key whose value entries are to be enumerated
1089 * Index = zero based index of the subkey for which information is
1091 * KeyInformationClass = Type of information returned
1092 * KeyInformation (OUT) = Caller allocated buffer for the information
1094 * Length = Length in bytes of the KeyInformation buffer
1095 * ResultLength (OUT) = Caller allocated storage which holds
1096 * the number of bytes of information retrieved
1102 NtEnumerateValueKey(
1103 IN HANDLE KeyHandle,
1105 IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
1106 OUT PVOID KeyValueInformation,
1108 OUT PULONG ResultLength
1113 ZwEnumerateValueKey(
1114 IN HANDLE KeyHandle,
1116 IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
1117 OUT PVOID KeyValueInformation,
1119 OUT PULONG ResultLength
1123 * FUNCTION: Flushes cached file data to disk
1125 * FileHandle = Points to the file
1126 * IoStatusBlock = Caller must supply storage to receive the result of the flush
1127 * buffers operation. The information field is set to number of bytes
1131 * This function maps to the win32 FlushFileBuffers
1136 IN HANDLE FileHandle,
1137 OUT PIO_STATUS_BLOCK IoStatusBlock
1143 IN HANDLE FileHandle,
1144 OUT PIO_STATUS_BLOCK IoStatusBlock
1148 * FUNCTION: Flushes a registry key to disk
1150 * KeyHandle = Points to the registry key handle
1153 * This function maps to the win32 RegFlushKey.
1168 * FUNCTION: Flushes the dirty pages to file
1170 * FIXME: Not sure what this does (how is the file specified)
/* Nt/Zw pair declared with identical signatures: both take no arguments (VOID) and return an NTSTATUS. */
1172 NTSTATUS STDCALL NtFlushWriteBuffer(VOID);
1173 NTSTATUS STDCALL ZwFlushWriteBuffer(VOID);
1176 * FUNCTION: Frees a range of virtual memory
1178 * ProcessHandle = Points to the process that allocated the virtual
1180 * BaseAddress = Points to the memory address, rounded down to a
1181 * multiple of the pagesize
1182 * RegionSize = Limits the range to free, rounded up to a multiple of
1184 * FreeType = Can be one of the values: MEM_DECOMMIT, or MEM_RELEASE
1187 NTSTATUS STDCALL NtFreeVirtualMemory(IN HANDLE ProcessHandle,
1188 IN PVOID *BaseAddress,
1189 IN PULONG RegionSize,
1191 NTSTATUS STDCALL ZwFreeVirtualMemory(IN HANDLE ProcessHandle,
1192 IN PVOID *BaseAddress,
1193 IN PULONG RegionSize,
1197 * FUNCTION: Sends FSCTL to the filesystem
1199 * DeviceHandle = Points to the handle that is created by NtCreateFile
1200 * Event = Event to synchronize on STATUS_PENDING
1203 * IoStatusBlock = Caller should supply storage for
1204 * IoControlCode = Contains the File System Control command. This is an
1205 * index to the structures in InputBuffer and OutputBuffer.
1206 * FSCTL_GET_RETRIEVAL_POINTERS MAPPING_PAIR
1207 * FSCTL_GET_RETRIEVAL_POINTERS GET_RETRIEVAL_DESCRIPTOR
1208 * FSCTL_GET_VOLUME_BITMAP BITMAP_DESCRIPTOR
1209 * FSCTL_MOVE_FILE MOVEFILE_DESCRIPTOR
1211 * InputBuffer = Caller should supply storage for input buffer if FSCTL expects one.
1212 * InputBufferSize = Size of the input buffer
1213 * OutputBuffer = Caller should supply storage for output buffer if FSCTL expects one.
1214 * OutputBufferSize = Size of the output buffer
1215 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PENDING | STATUS_ACCESS_DENIED | STATUS_INSUFFICIENT_RESOURCES |
1216 * STATUS_INVALID_PARAMETER | STATUS_INVALID_DEVICE_REQUEST ]
1221 IN HANDLE DeviceHandle,
1222 IN HANDLE Event OPTIONAL,
1223 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
1224 IN PVOID ApcContext OPTIONAL,
1225 OUT PIO_STATUS_BLOCK IoStatusBlock,
1226 IN ULONG IoControlCode,
1227 IN PVOID InputBuffer,
1228 IN ULONG InputBufferSize,
1229 OUT PVOID OutputBuffer,
1230 IN ULONG OutputBufferSize
1236 IN HANDLE DeviceHandle,
1237 IN HANDLE Event OPTIONAL,
1238 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
1239 IN PVOID ApcContext OPTIONAL,
1240 OUT PIO_STATUS_BLOCK IoStatusBlock,
1241 IN ULONG IoControlCode,
1242 IN PVOID InputBuffer,
1243 IN ULONG InputBufferSize,
1244 OUT PVOID OutputBuffer,
1245 IN ULONG OutputBufferSize
1249 * FUNCTION: Retrieves the processor context of a thread
1251 * ThreadHandle = Handle to a thread
1252 * Context (OUT) = Caller allocated storage for the processor context
1259 IN HANDLE ThreadHandle,
1260 OUT PCONTEXT Context
1266 IN HANDLE ThreadHandle,
1267 OUT PCONTEXT Context
1271 * FUNCTION: Sets a thread to impersonate another
1273 * ThreadHandle = Server thread that will impersonate a client.
1274 ThreadToImpersonate = Client thread that will be impersonated
1275 SecurityQualityOfService = Specifies the impersonation level.
1281 NtImpersonateThread(
1282 IN HANDLE ThreadHandle,
1283 IN HANDLE ThreadToImpersonate,
1284 IN PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService
1289 ZwImpersonateThread(
1290 IN HANDLE ThreadHandle,
1291 IN HANDLE ThreadToImpersonate,
1292 IN PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService
1296 * FUNCTION: Initializes the registry.
1298 * SetUpBoot = This parameter is true for a setup boot.
1303 NtInitializeRegistry(
1308 ZwInitializeRegistry(
1313 * FUNCTION: Loads a driver.
1315 * DriverServiceName = Name of the driver to load
1321 IN PUNICODE_STRING DriverServiceName
1327 IN PUNICODE_STRING DriverServiceName
1331 * FUNCTION: Locks a range of bytes in a file.
1333 * FileHandle = Handle to the file
1334 * Event = Should be null if apc is specified.
1335 * ApcRoutine = Asynchronous Procedure Callback
1336 * ApcContext = Argument to the callback
1337 * IoStatusBlock (OUT) = Caller should supply storage for a structure containing
1338 * the completion status and information about the requested lock operation.
1339 * ByteOffset = Offset
1340 * Length = Number of bytes to lock.
1341 * Key = Special value to give other threads the possibility to unlock the file
1342 by supplying the key in a call to NtUnlockFile.
1343 * FailImmediatedly = If false the request will block until the lock is obtained.
1344 * ExclusiveLock = Specifies whether an exclusive or a shared lock is obtained.
1346 This procedure maps to the win32 procedure LockFileEx. STATUS_PENDING is returned if the lock could
1347 not be obtained immediately, the device queue is busy and the IRP is queued.
1348 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PENDING | STATUS_ACCESS_DENIED | STATUS_INSUFFICIENT_RESOURCES |
1349 STATUS_INVALID_PARAMETER | STATUS_INVALID_DEVICE_REQUEST | STATUS_LOCK_NOT_GRANTED ]
1355 IN HANDLE FileHandle,
1356 IN HANDLE Event OPTIONAL,
1357 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
1358 IN PVOID ApcContext OPTIONAL,
1359 OUT PIO_STATUS_BLOCK IoStatusBlock,
1360 IN PLARGE_INTEGER ByteOffset,
1361 IN PLARGE_INTEGER Length,
1363 IN BOOLEAN FailImmediatedly,
1364 IN BOOLEAN ExclusiveLock
1370 IN HANDLE FileHandle,
1371 IN HANDLE Event OPTIONAL,
1372 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
1373 IN PVOID ApcContext OPTIONAL,
1374 OUT PIO_STATUS_BLOCK IoStatusBlock,
1375 IN PLARGE_INTEGER ByteOffset,
1376 IN PLARGE_INTEGER Length,
1378 IN BOOLEAN FailImmediatedly,
1379 IN BOOLEAN ExclusiveLock
1383 * FUNCTION: Makes temporary object that will be removed at next boot.
1385 * Handle = Handle to object
1391 NtMakeTemporaryObject(
1397 ZwMakeTemporaryObject(
1401 * FUNCTION: Maps a view of a section into the virtual address space of a
1404 * SectionHandle = Handle of the section
1405 * ProcessHandle = Handle of the process
1406 * BaseAddress = Desired base address (or NULL) on entry
1407 * Actual base address of the view on exit
1408 * ZeroBits = Number of high order address bits that must be zero
1409 * CommitSize = Size in bytes of the initially committed section of
1411 * SectionOffset = Offset in bytes from the beginning of the section
1412 * to the beginning of the view
1413 * ViewSize = Desired length of map (or zero to map all) on entry
1414 * Actual length mapped on exit
1415 * InheritDisposition = Specified how the view is to be shared with
1417 * AllocateType = Type of allocation for the pages
1418 * Protect = Protection for the committed region of the view
1424 IN HANDLE SectionHandle,
1425 IN HANDLE ProcessHandle,
1426 IN OUT PVOID *BaseAddress,
1428 IN ULONG CommitSize,
1429 IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
1430 IN OUT PULONG ViewSize,
1431 IN SECTION_INHERIT InheritDisposition,
1432 IN ULONG AllocationType,
1433 IN ULONG AccessProtection
1439 IN HANDLE SectionHandle,
1440 IN HANDLE ProcessHandle,
1441 IN OUT PVOID *BaseAddress,
1443 IN ULONG CommitSize,
1444 IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
1445 IN OUT PULONG ViewSize,
1446 IN SECTION_INHERIT InheritDisposition,
1447 IN ULONG AllocationType,
1448 IN ULONG AccessProtection
1452 * FUNCTION: Installs a notify for the change of a directory's contents
1454 * FileHandle = Handle to the directory
1456 * ApcRoutine = Asynchronous procedure callback, called on completion
1457 * ApcContext = Argument to the ApcRoutine
1459 * IoStatusBlock = Caller supplies storage for the completion status
1460 * Buffer = Caller supplies storage for resulting information --> FILE_NOTIFY_INFORMATION
1461 * BufferSize = Size of the buffer
1462 CompletionFilter = Can be one of the following values:
1463 FILE_NOTIFY_CHANGE_FILE_NAME
1464 FILE_NOTIFY_CHANGE_DIR_NAME
1465 FILE_NOTIFY_CHANGE_NAME ( FILE_NOTIFY_CHANGE_FILE_NAME | FILE_NOTIFY_CHANGE_DIR_NAME )
1466 FILE_NOTIFY_CHANGE_ATTRIBUTES
1467 FILE_NOTIFY_CHANGE_SIZE
1468 FILE_NOTIFY_CHANGE_LAST_WRITE
1469 FILE_NOTIFY_CHANGE_LAST_ACCESS
1470 FILE_NOTIFY_CHANGE_CREATION ( change of creation timestamp )
1471 FILE_NOTIFY_CHANGE_EA
1472 FILE_NOTIFY_CHANGE_SECURITY
1473 FILE_NOTIFY_CHANGE_STREAM_NAME
1474 FILE_NOTIFY_CHANGE_STREAM_SIZE
1475 FILE_NOTIFY_CHANGE_STREAM_WRITE
1476 WatchTree = If true the notify will be installed recursively on the targetdirectory and all subdirectories.
1479 * The function maps to the win32 FindFirstChangeNotification, FindNextChangeNotification
1484 NtNotifyChangeDirectoryFile(
1485 IN HANDLE FileHandle,
1486 IN HANDLE Event OPTIONAL,
1487 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
1488 IN PVOID ApcContext OPTIONAL,
1489 OUT PIO_STATUS_BLOCK IoStatusBlock,
1491 IN ULONG BufferSize,
1492 IN ULONG CompletionFilter,
1493 IN BOOLEAN WatchTree
1498 ZwNotifyChangeDirectoryFile(
1499 IN HANDLE FileHandle,
1500 IN HANDLE Event OPTIONAL,
1501 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
1502 IN PVOID ApcContext OPTIONAL,
1503 OUT PIO_STATUS_BLOCK IoStatusBlock,
1505 IN ULONG BufferSize,
1506 IN ULONG CompletionFilter,
1507 IN BOOLEAN WatchTree
1511 * FUNCTION: Installs a notification callback on registry changes
1513 KeyHandle = Handle to the registry key
1514 Event = Event that should be signalled on modification of the key
1515 ApcRoutine = Routine that should be called on modification of the key
1516 ApcContext = Argument to the ApcRoutine
1518 CompletionFilter = Specifies the kind of notification the caller likes to receive.
1519 Can be a combination of the following values:
1521 REG_NOTIFY_CHANGE_NAME
1522 REG_NOTIFY_CHANGE_ATTRIBUTES
1523 REG_NOTIFY_CHANGE_LAST_SET
1524 REG_NOTIFY_CHANGE_SECURITY
1527 Asynchroneous = If TRUE the changes are reported by signalling an event if false
1528 the function will not return before a change occurs.
1529 ChangeBuffer = Will return the old value
1530 Length = Size of the change buffer
1531 WatchSubtree = Indicates if the caller likes to receive a notification of changes in
1533 * REMARKS: If the key is closed the event is signalled as well.
1540 IN HANDLE KeyHandle,
1542 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
1543 IN PVOID ApcContext OPTIONAL,
1544 OUT PIO_STATUS_BLOCK IoStatusBlock,
1545 IN ULONG CompletionFilter,
1546 IN BOOLEAN Asynchroneous,
1547 OUT PVOID ChangeBuffer,
1549 IN BOOLEAN WatchSubtree
1555 IN HANDLE KeyHandle,
1557 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
1558 IN PVOID ApcContext OPTIONAL,
1559 OUT PIO_STATUS_BLOCK IoStatusBlock,
1560 IN ULONG CompletionFilter,
1561 IN BOOLEAN Asynchroneous,
1562 OUT PVOID ChangeBuffer,
1564 IN BOOLEAN WatchSubtree
1568 * FUNCTION: Opens an existing directory object
1570 * FileHandle (OUT) = Caller supplied storage for the resulting handle
1571 * DesiredAccess = Requested access to the directory
1572 * ObjectAttributes = Initialized attributes for the object
1578 NtOpenDirectoryObject(
1579 OUT PHANDLE FileHandle,
1580 IN ACCESS_MASK DesiredAccess,
1581 IN POBJECT_ATTRIBUTES ObjectAttributes
1585 ZwOpenDirectoryObject(
1586 OUT PHANDLE FileHandle,
1587 IN ACCESS_MASK DesiredAccess,
1588 IN POBJECT_ATTRIBUTES ObjectAttributes
1592 * FUNCTION: Opens an existing event
1594 * EventHandle (OUT) = Caller supplied storage for the resulting handle
1595 * DesiredAccess = Requested access to the event
1596 * ObjectAttributes = Initialized attributes for the object
1602 OUT PHANDLE EventHandle,
1603 IN ACCESS_MASK DesiredAccess,
1604 IN POBJECT_ATTRIBUTES ObjectAttributes
1610 OUT PHANDLE EventHandle,
1611 IN ACCESS_MASK DesiredAccess,
1612 IN POBJECT_ATTRIBUTES ObjectAttributes
1616 * FUNCTION: Opens an existing event pair
1618 * EventPairHandle (OUT) = Caller supplied storage for the resulting handle
1619 * DesiredAccess = Requested access to the event pair
1620 * ObjectAttributes = Initialized attributes for the object
1627 OUT PHANDLE EventPairHandle,
1628 IN ACCESS_MASK DesiredAccess,
1629 IN POBJECT_ATTRIBUTES ObjectAttributes
1635 OUT PHANDLE EventPairHandle,
1636 IN ACCESS_MASK DesiredAccess,
1637 IN POBJECT_ATTRIBUTES ObjectAttributes
1640 * FUNCTION: Opens an existing file
1642 * FileHandle (OUT) = Caller supplied storage for the resulting handle
1643 * DesiredAccess = Requested access to the file
1644 * ObjectAttributes = Initialized attributes for the object
1653 OUT PHANDLE FileHandle,
1654 IN ACCESS_MASK DesiredAccess,
1655 IN POBJECT_ATTRIBUTES ObjectAttributes,
1656 OUT PIO_STATUS_BLOCK IoStatusBlock,
1657 IN ULONG ShareAccess,
1658 IN ULONG OpenOptions
1664 OUT PHANDLE FileHandle,
1665 IN ACCESS_MASK DesiredAccess,
1666 IN POBJECT_ATTRIBUTES ObjectAttributes,
1667 OUT PIO_STATUS_BLOCK IoStatusBlock,
1668 IN ULONG ShareAccess,
1669 IN ULONG OpenOptions
1673 * FUNCTION: Opens an existing io completion object
1675 * CompletionPort (OUT) = Caller supplied storage for the resulting handle
1676 * DesiredAccess = Requested access to the io completion object
1677 * ObjectAttributes = Initialized attributes for the object
1684 OUT PHANDLE CompetionPort,
1685 IN ACCESS_MASK DesiredAccess,
1686 IN POBJECT_ATTRIBUTES ObjectAttributes
1692 OUT PHANDLE CompetionPort,
1693 IN ACCESS_MASK DesiredAccess,
1694 IN POBJECT_ATTRIBUTES ObjectAttributes
1698 * FUNCTION: Opens an existing key in the registry
1700 * KeyHandle (OUT) = Caller supplied storage for the resulting handle
1701 * DesiredAccess = Requested access to the key
1702 * ObjectAttributes = Initialized attributes for the object
1708 OUT PHANDLE KeyHandle,
1709 IN ACCESS_MASK DesiredAccess,
1710 IN POBJECT_ATTRIBUTES ObjectAttributes
1716 OUT PHANDLE KeyHandle,
1717 IN ACCESS_MASK DesiredAccess,
1718 IN POBJECT_ATTRIBUTES ObjectAttributes
1721 * FUNCTION: Opens an existing mutant object
1723 * MutantHandle (OUT) = Caller supplied storage for the resulting handle
1724 * DesiredAccess = Requested access to the mutant
1725 * ObjectAttribute = Initialized attributes for the object
1731 OUT PHANDLE MutantHandle,
1732 IN ACCESS_MASK DesiredAccess,
1733 IN POBJECT_ATTRIBUTES ObjectAttributes
1738 OUT PHANDLE MutantHandle,
1739 IN ACCESS_MASK DesiredAccess,
1740 IN POBJECT_ATTRIBUTES ObjectAttributes
1744 * FUNCTION: Opens an existing process
1746 * ProcessHandle (OUT) = Caller supplied storage for the resulting handle
1747 * DesiredAccess = Requested access to the process
1748 * ObjectAttribute = Initialized attributes for the object
1749 * ClientId = Identifies the process id to open
1755 OUT PHANDLE ProcessHandle,
1756 IN ACCESS_MASK DesiredAccess,
1757 IN POBJECT_ATTRIBUTES ObjectAttributes,
1758 IN PCLIENT_ID ClientId
1763 OUT PHANDLE ProcessHandle,
1764 IN ACCESS_MASK DesiredAccess,
1765 IN POBJECT_ATTRIBUTES ObjectAttributes,
1766 IN PCLIENT_ID ClientId
1769 * FUNCTION: Opens the access token of an existing process
1771 * ProcessHandle = Handle of the process which owns the token
1772 * DesiredAccess = Requested access to the token
1773 * TokenHandle (OUT) = Caller supplies storage for the resulting token.
1775 This function maps to the win32
1782 IN HANDLE ProcessHandle,
1783 IN ACCESS_MASK DesiredAccess,
1784 OUT PHANDLE TokenHandle
1790 IN HANDLE ProcessHandle,
1791 IN ACCESS_MASK DesiredAccess,
1792 OUT PHANDLE TokenHandle
1796 * FUNCTION: Opens an existing section object
1798 * SectionHandle (OUT) = Caller supplied storage for the resulting handle
1799 * DesiredAccess = Requested access to the section
1800 * ObjectAttribute = Initialized attributes for the object
1807 OUT PHANDLE SectionHandle,
1808 IN ACCESS_MASK DesiredAccess,
1809 IN POBJECT_ATTRIBUTES ObjectAttributes
1814 OUT PHANDLE SectionHandle,
1815 IN ACCESS_MASK DesiredAccess,
1816 IN POBJECT_ATTRIBUTES ObjectAttributes
1819 * FUNCTION: Opens an existing semaphore
1821 * SemaphoreHandle (OUT) = Caller supplied storage for the resulting handle
1822 * DesiredAccess = Requested access to the semaphore
1823 * ObjectAttribute = Initialized attributes for the object
1829 IN HANDLE SemaphoreHandle,
1830 IN ACCESS_MASK DesiredAcces,
1831 IN POBJECT_ATTRIBUTES ObjectAttributes
1836 IN HANDLE SemaphoreHandle,
1837 IN ACCESS_MASK DesiredAcces,
1838 IN POBJECT_ATTRIBUTES ObjectAttributes
1841 * FUNCTION: Opens an existing symbolic link
1843 * SymbolicLinkHandle (OUT) = Caller supplied storage for the resulting handle
1844 * DesiredAccess = Requested access to the symbolic link
1845 * ObjectAttribute = Initialized attributes for the object
1850 NtOpenSymbolicLinkObject(
1851 OUT PHANDLE SymbolicLinkHandle,
1852 IN ACCESS_MASK DesiredAccess,
1853 IN POBJECT_ATTRIBUTES ObjectAttributes
1857 ZwOpenSymbolicLinkObject(
1858 OUT PHANDLE SymbolicLinkHandle,
1859 IN ACCESS_MASK DesiredAccess,
1860 IN POBJECT_ATTRIBUTES ObjectAttributes
1863 * FUNCTION: Opens an existing thread
1865 * ThreadHandle (OUT) = Caller supplied storage for the resulting handle
1866 * DesiredAccess = Requested access to the thread
1867 * ObjectAttribute = Initialized attributes for the object
1868 * ClientId = Identifies the thread to open.
1874 OUT PHANDLE ThreadHandle,
1875 IN ACCESS_MASK DesiredAccess,
1876 IN POBJECT_ATTRIBUTES ObjectAttributes,
1877 IN PCLIENT_ID ClientId
1882 OUT PHANDLE ThreadHandle,
1883 IN ACCESS_MASK DesiredAccess,
1884 IN POBJECT_ATTRIBUTES ObjectAttributes,
1885 IN PCLIENT_ID ClientId
1891 IN HANDLE ThreadHandle,
1892 IN ACCESS_MASK DesiredAccess,
1893 IN BOOLEAN OpenAsSelf,
1894 OUT PHANDLE TokenHandle
1900 IN HANDLE ThreadHandle,
1901 IN ACCESS_MASK DesiredAccess,
1902 IN BOOLEAN OpenAsSelf,
1903 OUT PHANDLE TokenHandle
1906 * FUNCTION: Opens an existing timer
1908 * TimerHandle (OUT) = Caller supplied storage for the resulting handle
1909 * DesiredAccess = Requested access to the timer
1910 * ObjectAttribute = Initialized attributes for the object
1916 OUT PHANDLE TimerHandle,
1917 IN ACCESS_MASK DesiredAccess,
1918 IN POBJECT_ATTRIBUTES ObjectAttributes
1923 OUT PHANDLE TimerHandle,
1924 IN ACCESS_MASK DesiredAccess,
1925 IN POBJECT_ATTRIBUTES ObjectAttributes
1929 * FUNCTION: Checks an access token for specific privileges
1931 * ClientToken = Handle to a access token structure
1932 * RequiredPrivileges = Specifies the requested privileges.
1933 * Result = Caller supplies storage for the result. If PRIVILEGE_SET_ALL_NECESSARY is
1934 set in the Control member of the PRIVILEGE_SET, Result
1935 will only be TRUE if all privileges are present in the access token.
1942 IN HANDLE ClientToken,
1943 IN PPRIVILEGE_SET RequiredPrivileges,
1950 IN HANDLE ClientToken,
1951 IN PPRIVILEGE_SET RequiredPrivileges,
1957 NtPrivilegedServiceAuditAlarm(
1958 IN PUNICODE_STRING SubsystemName,
1959 IN PUNICODE_STRING ServiceName,
1960 IN HANDLE ClientToken,
1961 IN PPRIVILEGE_SET Privileges,
1962 IN BOOLEAN AccessGranted
1967 ZwPrivilegedServiceAuditAlarm(
1968 IN PUNICODE_STRING SubsystemName,
1969 IN PUNICODE_STRING ServiceName,
1970 IN HANDLE ClientToken,
1971 IN PPRIVILEGE_SET Privileges,
1972 IN BOOLEAN AccessGranted
1977 NtPrivilegeObjectAuditAlarm(
1978 IN PUNICODE_STRING SubsystemName,
1980 IN HANDLE ClientToken,
1981 IN ULONG DesiredAccess,
1982 IN PPRIVILEGE_SET Privileges,
1983 IN BOOLEAN AccessGranted
1988 ZwPrivilegeObjectAuditAlarm(
1989 IN PUNICODE_STRING SubsystemName,
1991 IN HANDLE ClientToken,
1992 IN ULONG DesiredAccess,
1993 IN PPRIVILEGE_SET Privileges,
1994 IN BOOLEAN AccessGranted
1998 * FUNCTION: Entry point for native applications
2000 * Peb = Points to the Process Environment Block (PEB)
2002 * Native applications should use this function instead of a main.
2003 * Calling process should terminate itself.
2013 * FUNCTION: Signals an event and resets it afterwards.
2015 * EventHandle = Handle to the event
2016 * PulseCount = Number of times the action is repeated
2022 IN HANDLE EventHandle,
2023 IN PULONG PulseCount OPTIONAL
2029 IN HANDLE EventHandle,
2030 IN PULONG PulseCount OPTIONAL
2034 * FUNCTION: Queries the attributes of a file
2036 * ObjectAttributes = Initialized attributes for the object
2037 * Buffer = Caller supplies storage for the attributes
2042 NtQueryAttributesFile(IN POBJECT_ATTRIBUTES ObjectAttributes,
2043 OUT PFILE_BASIC_INFORMATION FileInformation);
2046 ZwQueryAttributesFile(IN POBJECT_ATTRIBUTES ObjectAttributes,
2047 OUT PFILE_BASIC_INFORMATION FileInformation);
2050 * FUNCTION: Queries the default locale id
2052 * UserProfile = Type of locale id
2053 * TRUE: thread locale id
2054 * FALSE: system locale id
2055 * DefaultLocaleId = Caller supplies storage for the locale id
2061 NtQueryDefaultLocale(
2062 IN BOOLEAN UserProfile,
2063 OUT PLCID DefaultLocaleId
2068 ZwQueryDefaultLocale(
2069 IN BOOLEAN UserProfile,
2070 OUT PLCID DefaultLocaleId
2074 * FUNCTION: Queries a directory file.
2076 * FileHandle = Handle to a directory file
2077 * EventHandle = Handle to the event signaled on completion
2078 * ApcRoutine = Asynchronous procedure callback, called on completion
2079 * ApcContext = Argument to the apc.
2080 * IoStatusBlock = Caller supplies storage for extended status information.
2081 * FileInformation = Caller supplies storage for the resulting information.
2083 * FileNameInformation FILE_NAMES_INFORMATION
2084 * FileDirectoryInformation FILE_DIRECTORY_INFORMATION
2085 * FileFullDirectoryInformation FILE_FULL_DIRECTORY_INFORMATION
2086 * FileBothDirectoryInformation FILE_BOTH_DIR_INFORMATION
2088 * Length = Size of the storage supplied
2089 * FileInformationClass = Indicates the type of information requested.
2090 * ReturnSingleEntry = Specify true if caller only requests the first directory found.
2091 * FileName = Initial directory name to query, that may contain wild cards.
2092 * RestartScan = If true the directory scan is restarted from the beginning
2093 * RETURNS: Status [ STATUS_SUCCESS, STATUS_ACCESS_DENIED, STATUS_INSUFFICIENT_RESOURCES,
2094 * STATUS_INVALID_PARAMETER, STATUS_INVALID_DEVICE_REQUEST, STATUS_BUFFER_OVERFLOW,
2095 * STATUS_INVALID_INFO_CLASS, STATUS_NO_SUCH_FILE, STATUS_NO_MORE_FILES ]
2100 NtQueryDirectoryFile(
2101 IN HANDLE FileHandle,
2102 IN HANDLE Event OPTIONAL,
2103 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
2104 IN PVOID ApcContext OPTIONAL,
2105 OUT PIO_STATUS_BLOCK IoStatusBlock,
2106 OUT PVOID FileInformation,
2108 IN FILE_INFORMATION_CLASS FileInformationClass,
2109 IN BOOLEAN ReturnSingleEntry,
2110 IN PUNICODE_STRING FileName OPTIONAL,
2111 IN BOOLEAN RestartScan
2116 ZwQueryDirectoryFile(
2117 IN HANDLE FileHandle,
2118 IN HANDLE Event OPTIONAL,
2119 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
2120 IN PVOID ApcContext OPTIONAL,
2121 OUT PIO_STATUS_BLOCK IoStatusBlock,
2122 OUT PVOID FileInformation,
2124 IN FILE_INFORMATION_CLASS FileInformationClass,
2125 IN BOOLEAN ReturnSingleEntry,
2126 IN PUNICODE_STRING FileName OPTIONAL,
2127 IN BOOLEAN RestartScan
2131 * FUNCTION: Queries the extended attributes of a file
2133 * FileHandle = Handle to the file
2134 * IoStatusBlock = Caller supplies storage for extended status information.
2148 IN HANDLE FileHandle,
2149 OUT PIO_STATUS_BLOCK IoStatusBlock,
2152 IN BOOLEAN ReturnSingleEntry,
2153 IN PVOID EaList OPTIONAL,
2154 IN ULONG EaListLength,
2155 IN PULONG EaIndex OPTIONAL,
2156 IN BOOLEAN RestartScan
2162 IN HANDLE FileHandle,
2163 OUT PIO_STATUS_BLOCK IoStatusBlock,
2166 IN BOOLEAN ReturnSingleEntry,
2167 IN PVOID EaList OPTIONAL,
2168 IN ULONG EaListLength,
2169 IN PULONG EaIndex OPTIONAL,
2170 IN BOOLEAN RestartScan
2174 * FUNCTION: Queries an event
2176 * EventHandle = Handle to the event
2177 * EventInformationClass = Index of the information structure
2179 EventBasicInformation EVENT_BASIC_INFORMATION
2181 * EventInformation = Caller supplies storage for the information structure
2182 * EventInformationLength = Size of the information structure
2183 * ReturnLength = Data written
2189 IN HANDLE EventHandle,
2190 IN EVENT_INFORMATION_CLASS EventInformationClass,
2191 OUT PVOID EventInformation,
2192 IN ULONG EventInformationLength,
2193 OUT PULONG ReturnLength
2198 IN HANDLE EventHandle,
2199 IN EVENT_INFORMATION_CLASS EventInformationClass,
2200 OUT PVOID EventInformation,
2201 IN ULONG EventInformationLength,
2202 OUT PULONG ReturnLength
2206 NtQueryFullAttributesFile(IN POBJECT_ATTRIBUTES ObjectAttributes,
2207 OUT PFILE_NETWORK_OPEN_INFORMATION FileInformation);
2210 ZwQueryFullAttributesFile(IN POBJECT_ATTRIBUTES ObjectAttributes,
2211 OUT PFILE_NETWORK_OPEN_INFORMATION FileInformation);
2214 * FUNCTION: Queries the information of a file object.
2216 * FileHandle = Handle to the file object
2217 * IoStatusBlock = Caller supplies storage for extended information
2218 * on the current operation.
2219 * FileInformation = Storage for the new file information
2220 * Length = Size of the storage for the file information.
2221 * FileInformationClass = Indicates which file information is queried
2223 FileDirectoryInformation FILE_DIRECTORY_INFORMATION
2224 FileFullDirectoryInformation FILE_FULL_DIRECTORY_INFORMATION
2225 FileBothDirectoryInformation FILE_BOTH_DIRECTORY_INFORMATION
2226 FileBasicInformation FILE_BASIC_INFORMATION
2227 FileStandardInformation FILE_STANDARD_INFORMATION
2228 FileInternalInformation FILE_INTERNAL_INFORMATION
2229 FileEaInformation FILE_EA_INFORMATION
2230 FileAccessInformation FILE_ACCESS_INFORMATION
2231 FileNameInformation FILE_NAME_INFORMATION
2232 FileRenameInformation FILE_RENAME_INFORMATION
2234 FileNamesInformation FILE_NAMES_INFORMATION
2235 FileDispositionInformation FILE_DISPOSITION_INFORMATION
2236 FilePositionInformation FILE_POSITION_INFORMATION
2237 FileFullEaInformation FILE_FULL_EA_INFORMATION
2238 FileModeInformation FILE_MODE_INFORMATION
2239 FileAlignmentInformation FILE_ALIGNMENT_INFORMATION
2240 FileAllInformation FILE_ALL_INFORMATION
2242 FileEndOfFileInformation FILE_END_OF_FILE_INFORMATION
2243 FileAlternateNameInformation
2244 FileStreamInformation FILE_STREAM_INFORMATION
2246 FilePipeLocalInformation
2247 FilePipeRemoteInformation
2248 FileMailslotQueryInformation
2249 FileMailslotSetInformation
2250 FileCompressionInformation FILE_COMPRESSION_INFORMATION
2251 FileCopyOnWriteInformation
2252 FileCompletionInformation IO_COMPLETION_CONTEXT
2253 FileMoveClusterInformation
2254 FileOleClassIdInformation
2255 FileOleStateBitsInformation
2256 FileNetworkOpenInformation FILE_NETWORK_OPEN_INFORMATION
2257 FileObjectIdInformation
2258 FileOleAllInformation
2259 FileOleDirectoryInformation
2260 FileContentIndexInformation
2261 FileInheritContentIndexInformation
2263 FileMaximumInformation
2266 * This procedure maps to the win32 GetShortPathName, GetLongPathName,
2267 GetFullPathName, GetFileType, GetFileSize, GetFileTime functions.
2272 NtQueryInformationFile(
2273 IN HANDLE FileHandle,
2274 OUT PIO_STATUS_BLOCK IoStatusBlock,
2275 OUT PVOID FileInformation,
2277 IN FILE_INFORMATION_CLASS FileInformationClass
2282 ZwQueryInformationFile(
2284 PIO_STATUS_BLOCK IoStatusBlock,
2285 PVOID FileInformation,
2287 FILE_INFORMATION_CLASS FileInformationClass
2292 * FUNCTION: Queries the information of a thread object.
2294 * ThreadHandle = Handle to the thread object
2295 * ThreadInformationClass = Index to a certain information structure
2297 ThreadBasicInformation THREAD_BASIC_INFORMATION
2298 ThreadTimes KERNEL_USER_TIMES
2299 ThreadPriority KPRIORITY
2300 ThreadBasePriority KPRIORITY
2301 ThreadAffinityMask KAFFINITY
2302 ThreadImpersonationToken
2303 ThreadDescriptorTableEntry
2304 ThreadEnableAlignmentFaultFixup
2306 ThreadQuerySetWin32StartAddress
2308 ThreadPerformanceCount
2309 ThreadAmILastThread BOOLEAN
2310 ThreadIdealProcessor ULONG
2311 ThreadPriorityBoost ULONG
2315 * ThreadInformation = Caller supplies storage for the thread information
2316 * ThreadInformationLength = Size of the thread information structure
2317 * ReturnLength = Actual number of bytes written
2320 * This procedure maps to the win32 GetThreadTimes, GetThreadPriority,
2321 GetThreadPriorityBoost functions.
2328 NtQueryInformationThread(
2329 IN HANDLE ThreadHandle,
2330 IN THREADINFOCLASS ThreadInformationClass,
2331 OUT PVOID ThreadInformation,
2332 IN ULONG ThreadInformationLength,
2333 OUT PULONG ReturnLength
2339 NtQueryInformationToken(
2340 IN HANDLE TokenHandle,
2341 IN TOKEN_INFORMATION_CLASS TokenInformationClass,
2342 OUT PVOID TokenInformation,
2343 IN ULONG TokenInformationLength,
2344 OUT PULONG ReturnLength
2349 ZwQueryInformationToken(
2350 IN HANDLE TokenHandle,
2351 IN TOKEN_INFORMATION_CLASS TokenInformationClass,
2352 OUT PVOID TokenInformation,
2353 IN ULONG TokenInformationLength,
2354 OUT PULONG ReturnLength
2359 NtQueryIoCompletion(
2360 IN HANDLE IoCompletionHandle,
2361 IN IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass,
2362 OUT PVOID IoCompletionInformation,
2363 IN ULONG IoCompletionInformationLength,
2364 OUT PULONG ResultLength OPTIONAL
2369 ZwQueryIoCompletion(
2370 IN HANDLE IoCompletionHandle,
2371 IN IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass,
2372 OUT PVOID IoCompletionInformation,
2373 IN ULONG IoCompletionInformationLength,
2374 OUT PULONG ResultLength OPTIONAL
2378 * FUNCTION: Queries the information of a registry key object.
2380 KeyHandle = Handle to a registry key
2381 KeyInformationClass = Index to a certain information structure
2382 KeyInformation = Caller supplies storage for resulting information
2383 Length = Size of the supplied storage
2384 ResultLength = Bytes written
2389 IN HANDLE KeyHandle,
2390 IN KEY_INFORMATION_CLASS KeyInformationClass,
2391 OUT PVOID KeyInformation,
2393 OUT PULONG ResultLength
2399 IN HANDLE KeyHandle,
2400 IN KEY_INFORMATION_CLASS KeyInformationClass,
2401 OUT PVOID KeyInformation,
2403 OUT PULONG ResultLength
2411 NtQueryMultipleValueKey(
2412 IN HANDLE KeyHandle,
2413 IN OUT PKEY_VALUE_ENTRY ValueList,
2414 IN ULONG NumberOfValues,
2416 IN OUT PULONG Length,
2417 OUT PULONG ReturnLength
2422 ZwQueryMultipleValueKey(
2423 IN HANDLE KeyHandle,
2424 IN OUT PKEY_VALUE_ENTRY ValueList,
2425 IN ULONG NumberOfValues,
2427 IN OUT PULONG Length,
2428 OUT PULONG ReturnLength
2432 * FUNCTION: Queries the information of a mutant object.
2434 MutantHandle = Handle to a mutant
2435 MutantInformationClass = Index to a certain information structure
2436 MutantInformation = Caller supplies storage for resulting information
2437 Length = Size of the supplied storage
2438 ResultLength = Bytes written
2443 IN HANDLE MutantHandle,
2444 IN CINT MutantInformationClass,
2445 OUT PVOID MutantInformation,
2447 OUT PULONG ResultLength
2453 IN HANDLE MutantHandle,
2454 IN CINT MutantInformationClass,
2455 OUT PVOID MutantInformation,
2457 OUT PULONG ResultLength
2461 * FUNCTION: Queries the system ( high-resolution ) performance counter.
2463 * Counter = Performance counter
2464 * Frequency = Performance frequency
2466 This procedure queries a tick count faster than 10ms ( The resolution for Intel®-based CPUs is about 0.8 microseconds.)
2467 This procedure maps to the win32 QueryPerformanceCounter, QueryPerformanceFrequency
2473 NtQueryPerformanceCounter(
2474 IN PLARGE_INTEGER Counter,
2475 IN PLARGE_INTEGER Frequency
2480 ZwQueryPerformanceCounter(
2481 IN PLARGE_INTEGER Counter,
2482 IN PLARGE_INTEGER Frequency
2486 * FUNCTION: Queries the information of a semaphore.
2488 * SemaphoreHandle = Handle to the semaphore object
2489 * SemaphoreInformationClass = Index to a certain information structure
2491 SemaphoreBasicInformation SEMAPHORE_BASIC_INFORMATION
2493 * SemaphoreInformation = Caller supplies storage for the semaphore information structure
2494 * Length = Size of the information structure
2499 IN HANDLE SemaphoreHandle,
2500 IN SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass,
2501 OUT PVOID SemaphoreInformation,
2503 OUT PULONG ReturnLength
2509 IN HANDLE SemaphoreHandle,
2510 IN SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass,
2511 OUT PVOID SemaphoreInformation,
2513 OUT PULONG ReturnLength
2518 * FUNCTION: Queries the information of a symbolic link object.
2520 * SymbolicLinkHandle = Handle to the symbolic link object
2521 * LinkTarget = resolved name of link
2522 * DataWritten = size of the LinkName.
2528 NtQuerySymbolicLinkObject(
2529 IN HANDLE SymLinkObjHandle,
2530 OUT PUNICODE_STRING LinkTarget,
2531 OUT PULONG DataWritten OPTIONAL
2536 ZwQuerySymbolicLinkObject(
2537 IN HANDLE SymLinkObjHandle,
2538 OUT PUNICODE_STRING LinkName,
2539 OUT PULONG DataWritten OPTIONAL
2544 * FUNCTION: Queries a system environment variable.
2546 * Name = Name of the variable
2547 * Value (OUT) = value of the variable
2548 * Length = size of the buffer
2549 * ReturnLength = data written
2555 NtQuerySystemEnvironmentValue(
2556 IN PUNICODE_STRING Name,
2564 ZwQuerySystemEnvironmentValue(
2565 IN PUNICODE_STRING Name,
2573 * FUNCTION: Queries the system information.
2575 * SystemInformationClass = Index to a certain information structure
2577 SystemTimeAdjustmentInformation SYSTEM_TIME_ADJUSTMENT
2578 SystemCacheInformation SYSTEM_CACHE_INFORMATION
2579 SystemConfigurationInformation CONFIGURATION_INFORMATION
2581 * SystemInformation = caller supplies storage for the information structure
2582 * Length = size of the structure
2583 ResultLength = Data written
2589 NtQuerySystemInformation(
2590 IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
2591 OUT PVOID SystemInformation,
2593 OUT PULONG ResultLength
2598 ZwQuerySystemInformation(
2599 IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
2600 OUT PVOID SystemInformation,
2602 OUT PULONG ResultLength
2606 * FUNCTION: Queries information about a timer
2608 * TimerHandle = Handle to the timer
2609 TimerValueInformationClass = Index to a certain information structure
2610 TimerValueInformation = Caller supplies storage for the information structure
2611 Length = Size of the information structure
2612 ResultLength = Data written
2619 IN HANDLE TimerHandle,
2620 IN CINT TimerInformationClass,
2621 OUT PVOID TimerInformation,
2623 OUT PULONG ResultLength
2628 IN HANDLE TimerHandle,
2629 IN CINT TimerInformationClass,
2630 OUT PVOID TimerInformation,
2632 OUT PULONG ResultLength
2636 * FUNCTION: Queries the timer resolution
2638 * MinimumResolution (OUT) = Caller should supply storage for the resulting time.
2639 Maximum Resolution (OUT) = Caller should supply storage for the resulting time.
2640 ActualResolution (OUT) = Caller should supply storage for the resulting time.
2648 NtQueryTimerResolution (
2649 OUT PULONG MinimumResolution,
2650 OUT PULONG MaximumResolution,
2651 OUT PULONG ActualResolution
2656 ZwQueryTimerResolution (
2657 OUT PULONG MinimumResolution,
2658 OUT PULONG MaximumResolution,
2659 OUT PULONG ActualResolution
2663 * FUNCTION: Queries a registry key value
2665 * KeyHandle = Handle to the registry key
2666 ValueName = Name of the value in the registry key
2667 KeyValueInformationClass = Index to a certain information structure
2669 KeyValueBasicInformation = KEY_VALUE_BASIC_INFORMATION
2670 KeyValueFullInformation = KEY_VALUE_FULL_INFORMATION
2671 KeyValuePartialInformation = KEY_VALUE_PARTIAL_INFORMATION
2673 KeyValueInformation = Caller supplies storage for the information structure
2674 Length = Size of the information structure
2675 ResultLength = Data written
2682 IN HANDLE KeyHandle,
2683 IN PUNICODE_STRING ValueName,
2684 IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
2685 OUT PVOID KeyValueInformation,
2687 OUT PULONG ResultLength
2693 IN HANDLE KeyHandle,
2694 IN PUNICODE_STRING ValueName,
2695 IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
2696 OUT PVOID KeyValueInformation,
2698 OUT PULONG ResultLength
2702 * FUNCTION: Queries the volume information
2704 * FileHandle = Handle to a file object on the target volume
2705 * IoStatusBlock = Caller should supply storage for additional status information
2706 * ReturnLength = DataWritten
2707 * FsInformation = Caller should supply storage for the information structure.
2708 * Length = Size of the information structure
2709 * FsInformationClass = Index to a information structure
2711 FileFsVolumeInformation FILE_FS_VOLUME_INFORMATION
2712 FileFsLabelInformation FILE_FS_LABEL_INFORMATION
2713 FileFsSizeInformation FILE_FS_SIZE_INFORMATION
2714 FileFsDeviceInformation FILE_FS_DEVICE_INFORMATION
2715 FileFsAttributeInformation FILE_FS_ATTRIBUTE_INFORMATION
2716 FileFsControlInformation
2717 FileFsQuotaQueryInformation --
2718 FileFsQuotaSetInformation --
2719 FileFsMaximumInformation
2721 * RETURNS: Status [ STATUS_SUCCESS | STATUS_INSUFFICIENT_RESOURCES | STATUS_INVALID_PARAMETER |
2722 STATUS_INVALID_DEVICE_REQUEST | STATUS_BUFFER_OVERFLOW ]
2727 NtQueryVolumeInformationFile(
2728 IN HANDLE FileHandle,
2729 OUT PIO_STATUS_BLOCK IoStatusBlock,
2730 OUT PVOID FsInformation,
2732 IN FS_INFORMATION_CLASS FsInformationClass
2737 ZwQueryVolumeInformationFile(
2738 IN HANDLE FileHandle,
2739 OUT PIO_STATUS_BLOCK IoStatusBlock,
2740 OUT PVOID FsInformation,
2742 IN FS_INFORMATION_CLASS FsInformationClass
2745 // FIXME: Should I specify if the apc is user or kernel mode somewhere ??
2747 * FUNCTION: Queues a (user) apc to a thread.
2749 ThreadHandle = Thread to which the apc is queued.
2750 ApcRoutine = Points to the apc routine
2751 NormalContext = Argument to Apc Routine
2752 * SystemArgument1 = Argument of the Apc Routine
2753 SystemArgument2 = Argument of the Apc Routine
2754 * REMARK: If the apc is queued to a thread that belongs to a different process than the calling thread,
2755 the apc routine must be an address in the address space of the target thread's process.
2762 HANDLE ThreadHandle,
2763 PKNORMAL_ROUTINE ApcRoutine,
2764 PVOID NormalContext,
2765 PVOID SystemArgument1,
2766 PVOID SystemArgument2);
2771 HANDLE ThreadHandle,
2772 PKNORMAL_ROUTINE ApcRoutine,
2773 PVOID NormalContext,
2774 PVOID SystemArgument1,
2775 PVOID SystemArgument2);
2779 * FUNCTION: Raises an exception
2781 * ExceptionRecord = Structure specifying the exception
2782 * Context = Context in which the exception is raised
2791 IN PEXCEPTION_RECORD ExceptionRecord,
2792 IN PCONTEXT Context,
2793 IN BOOLEAN SearchFrames
2799 IN PEXCEPTION_RECORD ExceptionRecord,
2800 IN PCONTEXT Context,
2801 IN BOOLEAN SearchFrames
2805 * FUNCTION: Read a file
2807 * FileHandle = Handle of a file to read
2808 * Event = This event is signalled when the read operation completes
2809 * UserApcRoutine = Call back , if supplied Event should be NULL
2810 * UserApcContext = Argument to the callback
2811 * IoStatusBlock = Caller should supply storage for additional status information
2812 * Buffer = Caller should supply storage to receive the information
2813 * BufferLength = Size of the buffer
2814 * ByteOffset = Offset to start reading the file
2815 * Key = If a range is locked, a matching key will allow the read to continue.
2823 IN HANDLE FileHandle,
2824 IN HANDLE Event OPTIONAL,
2825 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL,
2826 IN PVOID UserApcContext OPTIONAL,
2827 OUT PIO_STATUS_BLOCK IoStatusBlock,
2829 IN ULONG BufferLength,
2830 IN PLARGE_INTEGER ByteOffset OPTIONAL,
2831 IN PULONG Key OPTIONAL
2837 IN HANDLE FileHandle,
2838 IN HANDLE Event OPTIONAL,
2839 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL,
2840 IN PVOID UserApcContext OPTIONAL,
2841 OUT PIO_STATUS_BLOCK IoStatusBlock,
2843 IN ULONG BufferLength,
2844 IN PLARGE_INTEGER ByteOffset OPTIONAL,
2845 IN PULONG Key OPTIONAL
2848 * FUNCTION: Read a file using scattered io
2850 FileHandle = Handle of a file to read
2851 Event = This event is signalled when the read operation completes
2852 * UserApcRoutine = Call back , if supplied Event should be NULL
2853 UserApcContext = Argument to the callback
2854 IoStatusBlock = Caller should supply storage for additional status information
2855 BufferDescription = Caller should supply storage to receive the information
2856 BufferLength = Size of the buffer
2857 ByteOffset = Offset to start reading the file
2858 Key = If a range is locked, a matching key will allow the read to continue.
2865 IN HANDLE FileHandle,
2866 IN HANDLE Event OPTIONAL,
2867 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL,
2868 IN PVOID UserApcContext OPTIONAL,
2869 OUT PIO_STATUS_BLOCK UserIoStatusBlock,
2870 IN FILE_SEGMENT_ELEMENT BufferDescription[],
2871 IN ULONG BufferLength,
2872 IN PLARGE_INTEGER ByteOffset,
2873 IN PULONG Key OPTIONAL
2879 IN HANDLE FileHandle,
2880 IN HANDLE Event OPTIONAL,
2881 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL,
2882 IN PVOID UserApcContext OPTIONAL,
2883 OUT PIO_STATUS_BLOCK UserIoStatusBlock,
2884 IN FILE_SEGMENT_ELEMENT BufferDescription[],
2885 IN ULONG BufferLength,
2886 IN PLARGE_INTEGER ByteOffset,
2887 IN PULONG Key OPTIONAL
2890 * FUNCTION: Copies a range of virtual memory to a buffer
2892 * ProcessHandle = Specifies the process owning the virtual address space
2893 * BaseAddress = Points to the address of virtual memory to start the read
2894 * Buffer = Caller supplies storage to copy the virtual memory to.
2895 * NumberOfBytesToRead = Limits the range to read
2896 * NumberOfBytesRead = The actual number of bytes read.
2902 NtReadVirtualMemory(
2903 IN HANDLE ProcessHandle,
2904 IN PVOID BaseAddress,
2906 IN ULONG NumberOfBytesToRead,
2907 OUT PULONG NumberOfBytesRead
2911 ZwReadVirtualMemory(
2912 IN HANDLE ProcessHandle,
2913 IN PVOID BaseAddress,
2915 IN ULONG NumberOfBytesToRead,
2916 OUT PULONG NumberOfBytesRead
2921 * FUNCTION: Debugger can register for thread termination
2923 * TerminationPort = Port on which the debugger likes to be notified.
2928 NtRegisterThreadTerminatePort(
2929 HANDLE TerminationPort
2933 ZwRegisterThreadTerminatePort(
2934 HANDLE TerminationPort
2938 * FUNCTION: Releases a mutant
2940 * MutantHandle = Handle to the mutant
2947 IN HANDLE MutantHandle,
2948 IN PULONG ReleaseCount OPTIONAL
2954 IN HANDLE MutantHandle,
2955 IN PULONG ReleaseCount OPTIONAL
2959 * FUNCTION: Releases a semaphore
2961 * SemaphoreHandle = Handle to the semaphore object
2962 * ReleaseCount = Number to decrease the semaphore count
2963 * PreviousCount = Previous semaphore count
2969 IN HANDLE SemaphoreHandle,
2970 IN LONG ReleaseCount,
2971 OUT PLONG PreviousCount
2977 IN HANDLE SemaphoreHandle,
2978 IN LONG ReleaseCount,
2979 OUT PLONG PreviousCount
2983 * FUNCTION: Removes an io completion
2985 * CompletionPort (OUT) = Caller supplied storage for the resulting handle
2986 * CompletionKey = Requested access to the key
2987 * IoStatusBlock = Caller provides storage for extended status information
2988 * CompletionStatus = Current status of the io operation.
2989 * WaitTime = Time to wait if ..
2994 NtRemoveIoCompletion(
2995 IN HANDLE IoCompletionHandle,
2996 OUT PULONG CompletionKey,
2997 OUT PULONG CompletionValue,
2998 OUT PIO_STATUS_BLOCK IoStatusBlock,
2999 IN PLARGE_INTEGER Timeout OPTIONAL
3004 ZwRemoveIoCompletion(
3005 IN HANDLE IoCompletionHandle,
3006 OUT PULONG CompletionKey,
3007 OUT PULONG CompletionValue,
3008 OUT PIO_STATUS_BLOCK IoStatusBlock,
3009 IN PLARGE_INTEGER Timeout OPTIONAL
3013 * FUNCTION: Replaces one registry key with another
3015 * ObjectAttributes = Specifies the attributes of the key
3016 * Key = Handle to the key
3017 * ReplacedObjectAttributes = The function returns the old object attributes
3023 IN POBJECT_ATTRIBUTES ObjectAttributes,
3025 IN POBJECT_ATTRIBUTES ReplacedObjectAttributes
3030 IN POBJECT_ATTRIBUTES ObjectAttributes,
3032 IN POBJECT_ATTRIBUTES ReplacedObjectAttributes
3036 * FUNCTION: Resets an event to a non-signaled state
3038 * EventHandle = Handle to the event that should be reset
3039 * NumberOfWaitingThreads = The number of threads released.
3046 PULONG NumberOfWaitingThreads OPTIONAL
3052 PULONG NumberOfWaitingThreads OPTIONAL
3071 * FUNCTION: Decrements a thread's suspend count
3073 * ThreadHandle = Handle to the thread that should be resumed
3074 * ResumeCount = The resulting resume count.
3076 * A thread is resumed if its suspend count is 0. This procedure maps to
3077 * the win32 ResumeThread function. ( documentation about the suspend count can be found here as well )
3083 IN HANDLE ThreadHandle,
3084 OUT PULONG SuspendCount
3089 IN HANDLE ThreadHandle,
3090 OUT PULONG SuspendCount
3093 * FUNCTION: Writes the content of a registry key to ascii file
3095 * KeyHandle = Handle to the key
3096 * FileHandle = Handle of the file
3098 This function maps to the Win32 RegSaveKey.
3105 IN HANDLE KeyHandle,
3106 IN HANDLE FileHandle
3111 IN HANDLE KeyHandle,
3112 IN HANDLE FileHandle
3116 * FUNCTION: Sets the context of a specified thread.
3118 * ThreadHandle = Handle to the thread
3119 * Context = The processor context.
3126 IN HANDLE ThreadHandle,
3132 IN HANDLE ThreadHandle,
3137 * FUNCTION: Sets the default locale id
3139 * UserProfile = Type of locale id
3140 * TRUE: thread locale id
3141 * FALSE: system locale id
3142 * DefaultLocaleId = Locale id
3149 IN BOOLEAN UserProfile,
3150 IN LCID DefaultLocaleId
3156 IN BOOLEAN UserProfile,
3157 IN LCID DefaultLocaleId
3161 * FUNCTION: Sets the default hard error port
3163 * PortHandle = Handle to the port
3164 * NOTE: The hard error port is used for first chance exception handling
3169 NtSetDefaultHardErrorPort(
3170 IN HANDLE PortHandle
3174 ZwSetDefaultHardErrorPort(
3175 IN HANDLE PortHandle
3179 * FUNCTION: Sets the extended attributes of a file.
3181 * FileHandle = Handle to the file
3182 * IoStatusBlock = Storage for a resulting status and information
3183 * on the current operation.
3184 * EaBuffer = Extended Attributes buffer.
3185 * EaBufferSize = Size of the extended attributes buffer
3191 IN HANDLE FileHandle,
3192 IN PIO_STATUS_BLOCK IoStatusBlock,
3199 IN HANDLE FileHandle,
3200 IN PIO_STATUS_BLOCK IoStatusBlock,
3205 //FIXME: should I return the event state ?
3208 * FUNCTION: Sets the event to a signalled state.
3210 * EventHandle = Handle to the event
3211 * NumberOfThreadsReleased = The number of threads released
3213 * This procedure maps to the win32 SetEvent function.
3220 IN HANDLE EventHandle,
3221 PULONG NumberOfThreadsReleased
3227 IN HANDLE EventHandle,
3228 PULONG NumberOfThreadsReleased
3232 * FUNCTION: Sets the high part of an event pair
3234 EventPair = Handle to the event pair
3241 IN HANDLE EventPairHandle
3247 IN HANDLE EventPairHandle
3250 * FUNCTION: Sets the high part of an event pair and wait for the low part
3252 EventPair = Handle to the event pair
3257 NtSetHighWaitLowEventPair(
3258 IN HANDLE EventPairHandle
3262 ZwSetHighWaitLowEventPair(
3263 IN HANDLE EventPairHandle
3267 * FUNCTION: Sets the information of a file object.
3269 * FileHandle = Handle to the file object
3270 * IoStatusBlock = Caller supplies storage for extended information
3271 * on the current operation.
3272 * FileInformation = Storage for the new file information
3273 * Lenght = Size of the new file information.
3274 * FileInformationClass = Indicates to a certain information structure
3276 FileNameInformation FILE_NAME_INFORMATION
3277 FileRenameInformation FILE_RENAME_INFORMATION
3278 FileStreamInformation FILE_STREAM_INFORMATION
3279 * FileCompletionInformation IO_COMPLETION_CONTEXT
3282 * This procedure maps to the win32 SetEndOfFile, SetFileAttributes,
3283 * SetNamedPipeHandleState, SetMailslotInfo functions.
3290 NtSetInformationFile(
3291 IN HANDLE FileHandle,
3292 IN PIO_STATUS_BLOCK IoStatusBlock,
3293 IN PVOID FileInformation,
3295 IN FILE_INFORMATION_CLASS FileInformationClass
3299 ZwSetInformationFile(
3300 IN HANDLE FileHandle,
3301 IN PIO_STATUS_BLOCK IoStatusBlock,
3302 IN PVOID FileInformation,
3304 IN FILE_INFORMATION_CLASS FileInformationClass
3308 * FUNCTION: Changes a set of thread specific parameters
3310 * ThreadHandle = Handle to the thread
3311 * ThreadInformationClass = Index to the set of parameters to change.
3312 * Can be one of the following values:
3314 * ThreadBasicInformation THREAD_BASIC_INFORMATION
3315 * ThreadPriority KPRIORITY //???
3316 * ThreadBasePriority KPRIORITY
3317 * ThreadAffinityMask KAFFINITY //??
3318 * ThreadImpersonationToken ACCESS_TOKEN
3319 * ThreadIdealProcessor ULONG
3320 * ThreadPriorityBoost ULONG
3322 * ThreadInformation = Caller supplies storage for parameters to set.
3323 * ThreadInformationLength = Size of the storage supplied
3328 NtSetInformationThread(
3329 IN HANDLE ThreadHandle,
3330 IN THREADINFOCLASS ThreadInformationClass,
3331 IN PVOID ThreadInformation,
3332 IN ULONG ThreadInformationLength
3336 ZwSetInformationThread(
3337 IN HANDLE ThreadHandle,
3338 IN THREADINFOCLASS ThreadInformationClass,
3339 IN PVOID ThreadInformation,
3340 IN ULONG ThreadInformationLength
3344 * FUNCTION: Changes a set of token specific parameters
3346 * TokenHandle = Handle to the token
3347 * TokenInformationClass = Index to a certain information structure.
3348 * Can be one of the following values:
3350 TokenUser TOKEN_USER
3351 TokenGroups TOKEN_GROUPS
3352 TokenPrivileges TOKEN_PRIVILEGES
3353 TokenOwner TOKEN_OWNER
3354 TokenPrimaryGroup TOKEN_PRIMARY_GROUP
3355 TokenDefaultDacl TOKEN_DEFAULT_DACL
3356 TokenSource TOKEN_SOURCE
3357 TokenType TOKEN_TYPE
3358 TokenImpersonationLevel TOKEN_IMPERSONATION_LEVEL
3359 TokenStatistics TOKEN_STATISTICS
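3361 * TokenInformation = Caller supplies storage for information structure. Since this routine changes token parameters, the buffer is presumably read by the call even though the prototype marks it OUT.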
3362 * TokenInformationLength = Size of the information structure
3368 NtSetInformationToken(
3369 IN HANDLE TokenHandle,
3370 IN TOKEN_INFORMATION_CLASS TokenInformationClass,
3371 OUT PVOID TokenInformation,
3372 IN ULONG TokenInformationLength
3377 ZwSetInformationToken(
3378 IN HANDLE TokenHandle,
3379 IN TOKEN_INFORMATION_CLASS TokenInformationClass,
3380 OUT PVOID TokenInformation,
3381 IN ULONG TokenInformationLength
3386 * FUNCTION: Sets an io completion
3391 * NumberOfBytesToTransfer =
3392 * NumberOfBytesTransferred =
3398 IN HANDLE IoCompletionPortHandle,
3399 IN ULONG CompletionKey,
3400 IN ULONG CompletionValue,
3401 IN NTSTATUS CompletionStatus,
3402 IN ULONG CompletionInformation
3408 IN HANDLE IoCompletionPortHandle,
3409 IN ULONG CompletionKey,
3410 IN ULONG CompletionValue,
3411 IN NTSTATUS CompletionStatus,
3412 IN ULONG CompletionInformation
3416 * FUNCTION: Set properties for profiling
3426 NtSetIntervalProfile(
3428 KPROFILE_SOURCE ClockSource
3433 ZwSetIntervalProfile(
3435 KPROFILE_SOURCE ClockSource
3440 * FUNCTION: Sets the low part of an event pair
3442 EventPair = Handle to the event pair
3457 * FUNCTION: Sets the low part of an event pair and wait for the high part
3459 EventPair = Handle to the event pair
3464 NtSetLowWaitHighEventPair(
3469 ZwSetLowWaitHighEventPair(
3473 /* NtSetLowWaitHighThread effectively invokes NtSetLowWaitHighEventPair on the
3474 * event pair of the thread.
3478 NtSetLowWaitHighThread(
3481 /* ZwSetLowWaitHighThread effectively invokes ZwSetLowWaitHighEventPair on the
3482 * event pair of the thread.
3486 ZwSetLowWaitHighThread(
3490 /* NtSetHighWaitLowThread effectively invokes NtSetHighWaitLowEventPair on the
3491 * event pair of the thread.
3495 NtSetHighWaitLowThread(
3499 /* ZwSetHighWaitLowThread effectively invokes ZwSetHighWaitLowEventPair on the
3500 * event pair of the thread.
3504 ZwSetHighWaitLowThread(
3510 NtSetSecurityObject(
3512 IN SECURITY_INFORMATION SecurityInformation,
3513 IN PSECURITY_DESCRIPTOR SecurityDescriptor
3518 ZwSetSecurityObject(
3520 IN SECURITY_INFORMATION SecurityInformation,
3521 IN PSECURITY_DESCRIPTOR SecurityDescriptor
3526 * FUNCTION: Sets a system environment variable
3528 * ValueName = Name of the environment variable
3529 * Value = Value of the environment variable
3534 NtSetSystemEnvironmentValue(
3535 IN PUNICODE_STRING VariableName,
3536 IN PUNICODE_STRING Value
3540 ZwSetSystemEnvironmentValue(
3541 IN PUNICODE_STRING VariableName,
3542 IN PUNICODE_STRING Value
3545 * FUNCTION: Sets system parameters
3547 * SystemInformationClass = Index to a particular set of system parameters
3548 * Can be one of the following values:
3550 * SystemTimeAdjustmentInformation SYSTEM_TIME_ADJUSTMENT
3552 * SystemInformation = Structure containing the parameters.
3553 * SystemInformationLength = Size of the structure.
3558 NtSetSystemInformation(
3559 IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
3560 IN PVOID SystemInformation,
3561 IN ULONG SystemInformationLength
3566 ZwSetSystemInformation(
3567 IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
3568 IN PVOID SystemInformation,
3569 IN ULONG SystemInformationLength
3573 * FUNCTION: Sets the system time
3575 * SystemTime = Old System time
3576 * NewSystemTime = New System time
3582 IN PLARGE_INTEGER SystemTime,
3583 IN PLARGE_INTEGER NewSystemTime OPTIONAL
3588 IN PLARGE_INTEGER SystemTime,
3589 IN PLARGE_INTEGER NewSystemTime OPTIONAL
3593 * FUNCTION: Sets the frequency of the system timer
3595 * RequestedResolution =
3597 * ActualResolution =
3602 NtSetTimerResolution(
3603 IN ULONG RequestedResolution,
3605 OUT PULONG ActualResolution
3609 ZwSetTimerResolution(
3610 IN ULONG RequestedResolution,
3612 OUT PULONG ActualResolution
3616 * FUNCTION: Sets the value of a registry key
3618 * KeyHandle = Handle to a registry key
3619 * ValueName = Name of the value entry to change
3620 * TitleIndex = pointer to a structure containing the new volume information
3621 * Type = Type of the registry key. Can be one of the values:
3622 * REG_BINARY Unspecified binary data
3623 * REG_DWORD A 32 bit value
3624 * REG_DWORD_LITTLE_ENDIAN Same as REG_DWORD
3625 * REG_DWORD_BIG_ENDIAN A 32 bit value whose least significant byte is at the highest address
3626 * REG_EXPAND_SZ A zero terminated wide character string with unexpanded environment variables ( "%PATH%" )
3627 * REG_LINK A zero terminated wide character string referring to a symbolic link.
3628 * REG_MULTI_SZ A series of zero-terminated strings including a additional trailing zero
3629 * REG_NONE Unspecified type
3630 * REG_SZ A wide character string ( zero terminated )
3631 * REG_RESOURCE_LIST ??
3632 * REG_RESOURCE_REQUIREMENTS_LIST ??
3633 * REG_FULL_RESOURCE_DESCRIPTOR ??
3634 * Data = Contains the data for the registry key.
3635 * DataSize = size of the data.
3641 IN HANDLE KeyHandle,
3642 IN PUNICODE_STRING ValueName,
3643 IN ULONG TitleIndex OPTIONAL,
3651 IN HANDLE KeyHandle,
3652 IN PUNICODE_STRING ValueName,
3653 IN ULONG TitleIndex OPTIONAL,
3660 * FUNCTION: Sets the volume information.
3662 * FileHandle = Handle to the file
3663 * IoStatusBlock = Caller should supply storage for additional status information
3664 * VolumeInformation = pointer to a structure containing the new volume information
3665 * Length = size of the structure.
3666 * VolumeInformationClass = specifies the particular volume information to set
3671 NtSetVolumeInformationFile(
3672 IN HANDLE FileHandle,
3673 OUT PIO_STATUS_BLOCK IoStatusBlock,
3674 IN PVOID FsInformation,
3676 IN FS_INFORMATION_CLASS FsInformationClass
3681 ZwSetVolumeInformationFile(
3682 IN HANDLE FileHandle,
3683 OUT PIO_STATUS_BLOCK IoStatusBlock,
3684 IN PVOID FsInformation,
3686 IN FS_INFORMATION_CLASS FsInformationClass
3690 * FUNCTION: Shuts the system down
3692 * Action = Specifies the type of shutdown, it can be one of the following values:
3693 * ShutdownNoReboot, ShutdownReboot, ShutdownPowerOff
3699 IN SHUTDOWN_ACTION Action
3705 IN SHUTDOWN_ACTION Action
3709 /* --- PROFILING --- */
3712 * FUNCTION: Starts profiling
3714 * ProfileHandle = Handle to the profile
3721 HANDLE ProfileHandle
3727 HANDLE ProfileHandle
3731 * FUNCTION: Stops profiling
3733 * ProfileHandle = Handle to the profile
3740 HANDLE ProfileHandle
3746 HANDLE ProfileHandle
3749 /* --- PROCESS MANAGEMENT --- */
3751 //--NtSystemDebugControl
3753 * FUNCTION: Terminates the execution of a process.
3755 * ProcessHandle = Handle to the process
3756 * ExitStatus = The exit status of the process to terminate with.
3758 Native applications should kill themselves using this function.
3764 IN HANDLE ProcessHandle ,
3765 IN NTSTATUS ExitStatus
3770 IN HANDLE ProcessHandle ,
3771 IN NTSTATUS ExitStatus
3774 /* --- DEVICE DRIVER CONTROL --- */
3777 * FUNCTION: Unloads a driver.
3779 * DriverServiceName = Name of the driver to unload
3785 IN PUNICODE_STRING DriverServiceName
3790 IN PUNICODE_STRING DriverServiceName
3793 /* --- VIRTUAL MEMORY MANAGEMENT --- */
3796 * FUNCTION: Writes a range of virtual memory
3798 * ProcessHandle = The handle to the process owning the address space.
3799 * BaseAddress = Points to the address to write to
3800 * Buffer = Pointer to the buffer to write
3801 * NumberOfBytesToWrite = Offset to the upper boundary to write
3802 * NumberOfBytesWritten = Total bytes written
3804 * This function maps to the win32 WriteProcessMemory
3809 NtWriteVirtualMemory(
3810 IN HANDLE ProcessHandle,
3811 IN PVOID BaseAddress,
3813 IN ULONG NumberOfBytesToWrite,
3814 OUT PULONG NumberOfBytesWritten
3819 ZwWriteVirtualMemory(
3820 IN HANDLE ProcessHandle,
3821 IN PVOID BaseAddress,
3823 IN ULONG NumberOfBytesToWrite,
3824 OUT PULONG NumberOfBytesWritten
3828 * FUNCTION: Unmaps a piece of virtual memory backed by a file.
3830 * ProcessHandle = Handle to the process
3831 * BaseAddress = The address where the mapping begins
3833 This procedure maps to the win32 UnMapViewOfFile
3838 NtUnmapViewOfSection(
3839 IN HANDLE ProcessHandle,
3840 IN PVOID BaseAddress
3844 ZwUnmapViewOfSection(
3845 IN HANDLE ProcessHandle,
3846 IN PVOID BaseAddress
3849 /* --- OBJECT SYNCHRONIZATION --- */
3852 * FUNCTION: Signals an object and waits for another one.
3854 * SignalObject = Handle to the object that should be signaled
3855 * WaitObject = Handle to the object that should be waited for
3856 * Alertable = True if the wait is alertable
3857 * Time = The time to wait
3862 NtSignalAndWaitForSingleObject(
3863 IN HANDLE SignalObject,
3864 IN HANDLE WaitObject,
3865 IN BOOLEAN Alertable,
3866 IN PLARGE_INTEGER Time
3871 NtSignalAndWaitForSingleObject(
3872 IN HANDLE SignalObject,
3873 IN HANDLE WaitObject,
3874 IN BOOLEAN Alertable,
3875 IN PLARGE_INTEGER Time
3879 * FUNCTION: Waits for an object to become signalled.
3881 * Object = The object handle
3882 * Alertable = If true the wait is alertable.
3883 * Time = The maximum wait time.
3885 * This function maps to the win32 WaitForSingleObjectEx.
3890 NtWaitForSingleObject (
3892 IN BOOLEAN Alertable,
3893 IN PLARGE_INTEGER Time
3898 ZwWaitForSingleObject (
3900 IN BOOLEAN Alertable,
3901 IN PLARGE_INTEGER Time
3904 /* --- EVENT PAIR OBJECT --- */
3907 * FUNCTION: Waits for the high part of an eventpair to become signalled
3909 * EventPairHandle = Handle to the event pair.
3915 NtWaitHighEventPair(
3916 IN HANDLE EventPairHandle
3921 ZwWaitHighEventPair(
3922 IN HANDLE EventPairHandle
3926 * FUNCTION: Waits for the low part of an eventpair to become signalled
3928 * EventPairHandle = Handle to the event pair.
3934 IN HANDLE EventPairHandle
3940 IN HANDLE EventPairHandle
3943 /* --- FILE MANAGEMENT --- */
3946 * FUNCTION: Unlocks a range of bytes in a file.
3948 * FileHandle = Handle to the file
3949 * IoStatusBlock = Caller should supply storage for a structure containing
3950 * the completion status and information about the requested unlock operation.
3951 The information field is set to the number of bytes unlocked.
3952 * ByteOffset = Offset to start the range of bytes to unlock
3953 * Length = Number of bytes to unlock.
3954 * Key = Special value that enables a thread other than the one that locked
3955 the file to unlock it. The key supplied must match the one obtained
3956 in a previous call to NtLockFile.
3958 This procedure maps to the win32 procedure UnlockFileEx. STATUS_PENDING is returned if the lock could
3959 not be obtained immediately, the device queue is busy and the IRP is queued.
3960 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PENDING | STATUS_ACCESS_DENIED | STATUS_INSUFFICIENT_RESOURCES |
3961 STATUS_INVALID_PARAMETER | STATUS_INVALID_DEVICE_REQUEST | STATUS_RANGE_NOT_LOCKED ]
3966 IN HANDLE FileHandle,
3967 OUT PIO_STATUS_BLOCK IoStatusBlock,
3968 IN PLARGE_INTEGER ByteOffset,
3969 IN PLARGE_INTEGER Lenght,
3970 OUT PULONG Key OPTIONAL
3975 IN HANDLE FileHandle,
3976 OUT PIO_STATUS_BLOCK IoStatusBlock,
3977 IN PLARGE_INTEGER ByteOffset,
3978 IN PLARGE_INTEGER Lenght,
3979 OUT PULONG Key OPTIONAL
3983 * FUNCTION: Writes data to a file
3985 * FileHandle = The handle a file ( from NtCreateFile )
3986 * Event = Specifies a event that will become signalled when the write operation completes.
3987 * ApcRoutine = Asynchronous Procedure Callback [ Should not be used by device drivers ]
3988 * ApcContext = Argument to the Apc Routine
3989 * IoStatusBlock = Caller should supply storage for a structure containing the completion status and information about the requested write operation.
3990 * Buffer = Caller should supply storage for a buffer that will contain the information to be written to file.
3991 * Length = Size in bytes of the buffer
3992 * ByteOffset = Points to a file offset. If the combination of Length and ByteOffset is past the end-of-file mark the file will be enlarged.
3993 * ByteOffset is ignored if the file is created with FILE_APPEND_DATA in the DesiredAccess. ByteOffset is also ignored if
3994 * the file is created with CreateOptions flags FILE_SYNCHRONOUS_IO_ALERT or FILE_SYNCHRONOUS_IO_NONALERT set; in that case an offset
3995 * should be created by specifying FILE_USE_FILE_POINTER_POSITION.
3998 * This function maps to the win32 WriteFile.
3999 * Callers to NtWriteFile should run at IRQL PASSIVE_LEVEL.
4000 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PENDING | STATUS_ACCESS_DENIED | STATUS_INSUFFICIENT_RESOURCES
4001 STATUS_INVALID_PARAMETER | STATUS_INVALID_DEVICE_REQUEST | STATUS_FILE_LOCK_CONFLICT ]
4006 IN HANDLE FileHandle,
4007 IN HANDLE Event OPTIONAL,
4008 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
4009 IN PVOID ApcContext OPTIONAL,
4010 OUT PIO_STATUS_BLOCK IoStatusBlock,
4013 IN PLARGE_INTEGER ByteOffset,
4014 IN PULONG Key OPTIONAL
4020 IN HANDLE FileHandle,
4021 IN HANDLE Event OPTIONAL,
4022 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
4023 IN PVOID ApcContext OPTIONAL,
4024 OUT PIO_STATUS_BLOCK IoStatusBlock,
4027 IN PLARGE_INTEGER ByteOffset ,
4028 IN PULONG Key OPTIONAL
4032 * FUNCTION: Writes a file
4034 * FileHandle = The handle of the file
4036 * ApcRoutine = Asynchronous Procedure Callback [ Should not be used by device drivers ]
4037 * ApcContext = Argument to the Apc Routine
4038 * IoStatusBlock = Caller should supply storage for a structure containing the completion status and information about the requested write operation.
4039 * BufferDescription = Caller should supply storage for a buffer that will contain the information to be written to file.
4040 * BufferLength = Size in bytes of the buffer
4041 * ByteOffset = Points to a file offset. If the combination of BufferLength and ByteOffset is past the end-of-file mark the file will be enlarged.
4042 * ByteOffset is ignored if the file is created with FILE_APPEND_DATA in the DesiredAccess. ByteOffset is also ignored if
4043 * the file is created with CreateOptions flags FILE_SYNCHRONOUS_IO_ALERT or FILE_SYNCHRONOUS_IO_NONALERT set; in that case an offset
4044 * should be created by specifying FILE_USE_FILE_POINTER_POSITION. Use FILE_WRITE_TO_END_OF_FILE to write to the EOF.
4045 * Key = If a matching key [ a key provided at NtLockFile ] is provided the write operation will continue even if a byte range is locked.
4047 * This function maps to the win32 WriteFile.
4048 * Callers to NtWriteFile should run at IRQL PASSIVE_LEVEL.
4049 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PENDING | STATUS_ACCESS_DENIED | STATUS_INSUFFICIENT_RESOURCES
4050 STATUS_INVALID_PARAMETER | STATUS_INVALID_DEVICE_REQUEST | STATUS_FILE_LOCK_CONFLICT ]
4056 IN HANDLE FileHandle,
4057 IN HANDLE Event OPTIONAL,
4058 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
4059 IN PVOID ApcContext OPTIONAL,
4060 OUT PIO_STATUS_BLOCK IoStatusBlock,
4061 IN FILE_SEGMENT_ELEMENT BufferDescription[],
4062 IN ULONG BufferLength,
4063 IN PLARGE_INTEGER ByteOffset,
4064 IN PULONG Key OPTIONAL
4070 IN HANDLE FileHandle,
4071 IN HANDLE Event OPTIONAL,
4072 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
4073 IN PVOID ApcContext OPTIONAL,
4074 OUT PIO_STATUS_BLOCK IoStatusBlock,
4075 IN FILE_SEGMENT_ELEMENT BufferDescription[],
4076 IN ULONG BufferLength,
4077 IN PLARGE_INTEGER ByteOffset,
4078 IN PULONG Key OPTIONAL
4082 /* --- THREAD MANAGEMENT --- */
4085 * FUNCTION: Increments a thread's suspend count
4087 * ThreadHandle = Handle to the thread that should be suspended
4088 * PreviousSuspendCount = The resulting/previous suspend count.
4090 * A thread will be suspended if its suspend count is greater than 0. This procedure maps to
4091 * the win32 SuspendThread function. ( documentation about the suspend count can be found here as well )
4092 * The suspend count is not increased if it is greater than MAXIMUM_SUSPEND_COUNT.
4098 IN HANDLE ThreadHandle,
4099 IN PULONG PreviousSuspendCount
4105 IN HANDLE ThreadHandle,
4106 IN PULONG PreviousSuspendCount
4110 * FUNCTION: Terminates the execution of a thread.
4112 * ThreadHandle = Handle to the thread
4113 * ExitStatus = The exit status of the thread to terminate with.
4119 IN HANDLE ThreadHandle ,
4120 IN NTSTATUS ExitStatus
4125 IN HANDLE ThreadHandle ,
4126 IN NTSTATUS ExitStatus
4129 * FUNCTION: Tests to see if there are any pending alerts for the calling thread
4144 * FUNCTION: Yields the callers thread.
4159 /* --- PLUG AND PLAY --- */
4169 NtGetPlugPlayEvent (
4173 /* --- POWER MANAGEMENT --- */
4176 NtSetSystemPowerState(IN POWER_ACTION SystemAction,
4177 IN SYSTEM_POWER_STATE MinSystemState,
4180 /* --- DEBUG SUBSYSTEM --- */
4183 NtSystemDebugControl(DEBUG_CONTROL_CODE ControlCode,
4185 ULONG InputBufferLength,
4187 ULONG OutputBufferLength,
4188 PULONG ReturnLength);
4190 /* --- VIRTUAL DOS MACHINE (VDM) --- */
4194 NtVdmControl (ULONG ControlCode, PVOID ControlData);
4200 NtW32Call(IN ULONG RoutineIndex,
4202 IN ULONG ArgumentLength,
4203 OUT PVOID* Result OPTIONAL,
4204 OUT PULONG ResultLength OPTIONAL);
4206 /* --- CHANNELS --- */
4228 NtReplyWaitSendChannel (
4234 NtSendWaitReplyChannel (
4240 NtSetContextChannel (
4244 /* --- MISCELLANEA --- */
4246 //NTSTATUS STDCALL NtSetLdtEntries(VOID);
4249 NtSetLdtEntries (ULONG Selector1,
4250 LDT_ENTRY LdtEntry1,
4252 LDT_ENTRY LdtEntry2);
4256 NtQueryOleDirectoryFile (
4261 * FUNCTION: Checks a client's access rights to an object
4263 * SecurityDescriptor = Security information against which the access is checked
4264 * ClientToken = Represents a client
4268 * ReturnLength = Bytes written
4270 * AccessStatus = Indicates if the ClientToken allows the requested access
4271 * REMARKS: The arguments map to the win32 AccessCheck
4278 IN PSECURITY_DESCRIPTOR SecurityDescriptor,
4279 IN HANDLE ClientToken,
4280 IN ACCESS_MASK DesiredAcces,
4281 IN PGENERIC_MAPPING GenericMapping,
4282 OUT PPRIVILEGE_SET PrivilegeSet,
4283 OUT PULONG ReturnLength,
4284 OUT PULONG GrantedAccess,
4285 OUT PBOOLEAN AccessStatus
4291 IN PSECURITY_DESCRIPTOR SecurityDescriptor,
4292 IN HANDLE ClientToken,
4293 IN ACCESS_MASK DesiredAcces,
4294 IN PGENERIC_MAPPING GenericMapping,
4295 OUT PPRIVILEGE_SET PrivilegeSet,
4296 OUT PULONG ReturnLength,
4297 OUT PULONG GrantedAccess,
4298 OUT PBOOLEAN AccessStatus
4304 IN ACCESS_MASK DesiredAccess,
4305 OUT PHANDLE KeyHandle);
4308 * FUNCTION: Checks a client's access rights to an object and issues an audit alarm. ( it logs the access )
4310 * SubsystemName = Specifies the name of the subsystem, can be "WIN32" or "DEBUG"
4314 * SecurityDescriptor =
4321 * REMARKS: The arguments map to the win32 AccessCheck
4327 NtAccessCheckAndAuditAlarm(
4328 IN PUNICODE_STRING SubsystemName,
4329 IN PHANDLE ObjectHandle,
4330 IN PUNICODE_STRING ObjectTypeName,
4331 IN PUNICODE_STRING ObjectName,
4332 IN PSECURITY_DESCRIPTOR SecurityDescriptor,
4333 IN ACCESS_MASK DesiredAccess,
4334 IN PGENERIC_MAPPING GenericMapping,
4335 IN BOOLEAN ObjectCreation,
4336 OUT PACCESS_MASK GrantedAccess,
4337 OUT PNTSTATUS AccessStatus,
4338 OUT PBOOLEAN GenerateOnClose
4342 * FUNCTION: Cancels a timer
4344 * TimerHandle = Handle to the timer
4345 * CurrentState = Specifies the state of the timer when cancelled.
4347 * The arguments to this function map to the function CancelWaitableTimer.
4353 IN HANDLE TimerHandle,
4354 OUT PBOOLEAN CurrentState OPTIONAL
4358 * FUNCTION: Continues a thread with the specified context
4360 * Context = Specifies the processor context
4361 * IrqLevel = Specifies the Interrupt Request Level to continue with. Can
4362 * be PASSIVE_LEVEL or APC_LEVEL
4364 * NtContinue can be used to continue after an exception or apc.
4367 //FIXME This function might need another parameter
4372 IN PCONTEXT Context,
4373 IN BOOLEAN TestAlert
4377 * FUNCTION: Creates a paging file.
4379 * FileName = Name of the pagefile
4380 * InitialSize = Specifies the initial size in bytes
4381 * MaximumSize = Specifies the maximum size in bytes
4382 * Reserved = Reserved for future use
4388 IN PUNICODE_STRING FileName,
4389 IN PLARGE_INTEGER InitialSize,
4390 IN PLARGE_INTEGER MaxiumSize,
4396 * FUNCTION: Creates a profile
4398 * ProfileHandle (OUT) = Caller supplied storage for the resulting handle
4399 * ObjectAttribute = Initialized attributes for the object
4400 * ImageBase = Start address of executable image
4401 * ImageSize = Size of the image
4402 * Granularity = Bucket size
4403 * Buffer = Caller supplies buffer for profiling info
4404 * ProfilingSize = Buffer size
4405 * ClockSource = Specify 0 / FALSE ??
4406 * ProcessorMask = A value of -1 disables per-processor profiling,
4407 otherwise a bit is set for each processor to profile.
4409 * This function maps to the win32 CreateProcess.
4415 NtCreateProfile(OUT PHANDLE ProfileHandle,
4416 IN HANDLE ProcessHandle,
4419 IN ULONG Granularity,
4421 IN ULONG ProfilingSize,
4422 IN KPROFILE_SOURCE Source,
4423 IN ULONG ProcessorMask);
4426 * FUNCTION: Creates a user mode thread
4428 * ThreadHandle (OUT) = Caller supplied storage for the resulting handle
4429 * DesiredAccess = Specifies the allowed or desired access to the thread.
4430 * ObjectAttributes = Initialized attributes for the object.
4431 * ProcessHandle = Handle to the thread's parent process.
4432 * ClientId (OUT) = Caller supplies storage for returned process id and thread id.
4433 * ThreadContext = Initial processor context for the thread.
4434 * InitialTeb = Initial user mode stack context for the thread.
4435 * CreateSuspended = Specifies if the thread is ready for scheduling
4437 * This function maps to the win32 function CreateThread.
4443 OUT PHANDLE ThreadHandle,
4444 IN ACCESS_MASK DesiredAccess,
4445 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
4446 IN HANDLE ProcessHandle,
4447 OUT PCLIENT_ID ClientId,
4448 IN PCONTEXT ThreadContext,
4449 IN PUSER_STACK UserStack,
4450 IN BOOLEAN CreateSuspended
4454 * FUNCTION: Delays the execution of the calling thread.
4456 * Alertable = If TRUE the thread is alertable during its wait period
4457 * Interval = Specifies the interval to wait.
4469 * FUNCTION: Extends a section
4471 * SectionHandle = Handle to the section
4472 * NewMaximumSize = Adjusted size
4478 IN HANDLE SectionHandle,
4479 IN ULONG NewMaximumSize
4483 * FUNCTION: Flushes the processor's instruction cache
4485 * ProcessHandle = Points to the process owning the cache
4486 * BaseAddress = // might this be a image address ????
4487 * NumberOfBytesToFlush =
4490 * This function is used by debuggers
4494 NtFlushInstructionCache(
4495 IN HANDLE ProcessHandle,
4496 IN PVOID BaseAddress,
4497 IN UINT NumberOfBytesToFlush
4501 * FUNCTION: Flushes virtual memory to file
4503 * ProcessHandle = Points to the process that allocated the virtual memory
4504 * BaseAddress = Points to the memory address
4505 * NumberOfBytesToFlush = Limits the range to flush,
4506 * NumberOfBytesFlushed = Actual number of bytes flushed
4509 * Check return status on STATUS_NOT_MAPPED_DATA
4513 NtFlushVirtualMemory(
4514 IN HANDLE ProcessHandle,
4515 IN PVOID BaseAddress,
4516 IN ULONG NumberOfBytesToFlush,
4517 OUT PULONG NumberOfBytesFlushed OPTIONAL
4521 * FUNCTION: Retrieves the uptime of the system
4523 * UpTime = Number of clock ticks since boot.
4533 * FUNCTION: Loads a registry key.
4535 * KeyObjectAttributes = Key to be loaded
4536 * FileObjectAttributes = File to load the key from
4538 * This procedure maps to the win32 procedure RegLoadKey
4544 IN POBJECT_ATTRIBUTES KeyObjectAttributes,
4545 IN POBJECT_ATTRIBUTES FileObjectAttributes
4550 * FUNCTION: Locks a range of virtual memory.
4552 * ProcessHandle = Handle to the process
4553 * BaseAddress = Lower boundary of the range of bytes to lock.
4554 * NumberOfBytesLock = Offset to the upper boundary.
4555 * NumberOfBytesLocked (OUT) = Number of bytes actually locked.
4557 This procedure maps to the win32 procedure VirtualLock.
4558 * RETURNS: Status [STATUS_SUCCESS | STATUS_WAS_LOCKED ]
4562 NtLockVirtualMemory(
4563 HANDLE ProcessHandle,
4565 ULONG NumberOfBytesToLock,
4566 PULONG NumberOfBytesLocked
4571 NtOpenObjectAuditAlarm(
4572 IN PUNICODE_STRING SubsystemName,
4574 IN PUNICODE_STRING ObjectTypeName,
4575 IN PUNICODE_STRING ObjectName,
4576 IN PSECURITY_DESCRIPTOR SecurityDescriptor,
4577 IN HANDLE ClientToken,
4578 IN ULONG DesiredAccess,
4579 IN ULONG GrantedAccess,
4580 IN PPRIVILEGE_SET Privileges,
4581 IN BOOLEAN ObjectCreation,
4582 IN BOOLEAN AccessGranted,
4583 OUT PBOOLEAN GenerateOnClose
4587 * FUNCTION: Set the access protection of a range of virtual memory
4589 * ProcessHandle = Handle to process owning the virtual address space
4590 * BaseAddress = Start address
4591 * NumberOfBytesToProtect = Delimits the range of virtual memory
4592 * for which the new access protection holds
4593 * NewAccessProtection = The new access protection for the pages
4594 * OldAccessProtection = Caller should supply storage for the old
4598 * The function maps to the win32 VirtualProtectEx
4603 NtProtectVirtualMemory(
4604 IN HANDLE ProcessHandle,
4605 IN PVOID BaseAddress,
4606 IN ULONG NumberOfBytesToProtect,
4607 IN ULONG NewAccessProtection,
4608 OUT PULONG OldAccessProtection
4612 * FUNCTION: Query information about the content of a directory object
4615 Buffer = Buffer must be large enough to hold the name strings too
4616 ReturnSingleEntry = If TRUE :return the index of the next object in this directory in ObjectIndex
4617 If FALSE: return the number of objects in this directory in ObjectIndex
4618 RestartScan = If TRUE: ignore input value of ObjectIndex always start at index 0
4619 If FALSE use input value of ObjectIndex
4620 Context = zero based index of object in the directory depends on GetNextIndex and IgnoreInputIndex
4621 ReturnLength = Actual size of the ObjectIndex ???
4626 NtQueryDirectoryObject(
4627 IN HANDLE DirectoryHandle,
4629 IN ULONG BufferLength,
4630 IN BOOLEAN ReturnSingleEntry,
4631 IN BOOLEAN RestartScan,
4632 IN OUT PULONG Context,
4633 OUT PULONG ReturnLength OPTIONAL
4637 * FUNCTION: Query the interval and the clocksource for profiling
4645 NtQueryIntervalProfile(
4646 OUT PULONG Interval,
4647 OUT KPROFILE_SOURCE ClockSource
4651 * FUNCTION: Queries the information of a section object.
4653 * SectionHandle = Handle to the section link object
4654 * SectionInformationClass = Index to a certain information structure
4655 * SectionInformation (OUT)= Caller supplies storage for resulting information
4656 * Length = Size of the supplied storage
4657 * ResultLength = Data written
4664 IN HANDLE SectionHandle,
4665 IN CINT SectionInformationClass,
4666 OUT PVOID SectionInformation,
4668 OUT PULONG ResultLength
4672 * FUNCTION: Queries the virtual memory information.
4674 ProcessHandle = Process owning the virtual address space
4675 BaseAddress = Points to the page where the information is queried for.
4676 * VirtualMemoryInformationClass = Index to a certain information structure
4678 MemoryBasicInformation MEMORY_BASIC_INFORMATION
4680 * VirtualMemoryInformation = caller supplies storage for the information structure
4681 * Length = size of the structure
4682 ResultLength = Data written
4689 NtQueryVirtualMemory(
4690 IN HANDLE ProcessHandle,
4692 IN IN CINT VirtualMemoryInformationClass,
4693 OUT PVOID VirtualMemoryInformation,
4695 OUT PULONG ResultLength
4699 * FUNCTION: Raises a hard error (stops the system)
4701 * Status = Status code of the hard error
4723 * FUNCTION: Sets the information of a registry key.
4725 * KeyHandle = Handle to the registry key
4726 * KeyInformationClass = Index to a certain information structure.
4727 Can be one of the following values:
4729 * KeyWriteTimeInformation KEY_WRITE_TIME_INFORMATION
4731 KeyInformation = Storage for the new information
4732 * KeyInformationLength = Size of the information structure
4738 NtSetInformationKey(
4739 IN HANDLE KeyHandle,
4740 IN CINT KeyInformationClass,
4741 IN PVOID KeyInformation,
4742 IN ULONG KeyInformationLength
4746 * FUNCTION: Changes a set of object specific parameters
4749 * ObjectInformationClass = Index to the set of parameters to change.
4752 ObjectBasicInformation
4753 ObjectTypeInformation OBJECT_TYPE_INFORMATION
4754 ObjectAllInformation
4755 ObjectDataInformation OBJECT_DATA_INFORMATION
4756 ObjectNameInformation OBJECT_NAME_INFORMATION
4759 * ObjectInformation = Caller supplies storage for parameters to set.
4760 * Length = Size of the storage supplied
4765 NtSetInformationObject(
4766 IN HANDLE ObjectHandle,
4767 IN CINT ObjectInformationClass,
4768 IN PVOID ObjectInformation,
4773 * FUNCTION: Sets the characteristics of a timer
4775 * TimerHandle = Handle to the timer
4776 * DueTime = Time before the timer becomes signalled for the first time.
4777 * TimerApcRoutine = Completion routine can be called on time completion
4778 * TimerContext = Argument to the completion routine
4779 * Resume = Specifies if the timer should be repeated after completing one cycle
4780 * Period = Cycle of the timer
4781 * REMARKS: This routine maps to the win32 SetWaitableTimer.
4787 IN HANDLE TimerHandle,
4788 IN PLARGE_INTEGER DueTime,
4789 IN PTIMERAPCROUTINE TimerApcRoutine,
4790 IN PVOID TimerContext,
4792 IN ULONG Period OPTIONAL,
4793 OUT PBOOLEAN PreviousState OPTIONAL
4797 * FUNCTION: Unloads a registry key.
4799 * KeyHandle = Handle to the registry key
4801 * This procedure maps to the win32 procedure RegUnloadKey
4807 IN POBJECT_ATTRIBUTES KeyObjectAttributes
4811 * FUNCTION: Unlocks a range of virtual memory.
4813 * ProcessHandle = Handle to the process
4814 * BaseAddress = Lower boundary of the range of bytes to unlock.
4815 * NumberOfBytesToUnlock = Offset to the upper boundary to unlock.
4816 * NumberOfBytesUnlocked (OUT) = Number of bytes actually unlocked.
4818 This procedure maps to the win32 procedure VirtualUnlock
4819 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PAGE_WAS_ULOCKED ]
4823 NtUnlockVirtualMemory(
4824 IN HANDLE ProcessHandle,
4825 IN PVOID BaseAddress,
4826 IN ULONG NumberOfBytesToUnlock,
4827 OUT PULONG NumberOfBytesUnlocked OPTIONAL
4831 * FUNCTION: Waits for multiple objects to become signalled.
4833 * Count = The number of objects
4834 * Object = The array of object handles
4835 * WaitType = Can be one of the values UserMode or KernelMode
4836 * Alertable = If true the wait is alertable.
4837 * Time = The maximum wait time.
4839 * This function maps to the win32 WaitForMultipleObjectsEx.
4844 NtWaitForMultipleObjects (
4847 IN WAIT_TYPE WaitType,
4848 IN BOOLEAN Alertable,
4849 IN PLARGE_INTEGER Time
4856 #ifndef __USE_W32API
4859 * FUNCTION: Continues a thread with the specified context
4861 * Context = Specifies the processor context
4862 * IrqLevel = Specifies the Interrupt Request Level to continue with. Can
4863 * be PASSIVE_LEVEL or APC_LEVEL
4865 * NtContinue can be used to continue after an exception or apc.
4868 //FIXME This function might need another parameter
/*
 * Zw-prefixed declaration of the "continue a thread with the specified
 * context" system service described in the comment above.
 *
 * NOTE(review): the parameter list that follows the NtContinue description
 * earlier in this header reads (IN PCONTEXT Context, IN BOOLEAN TestAlert),
 * while this declaration takes IN CINT IrqLevel as its second argument.
 * Confirm which second parameter the service actually expects, so that the
 * Nt and Zw prototypes agree on argument type and meaning.
 */
4870 NTSTATUS STDCALL ZwContinue(IN PCONTEXT Context, IN CINT IrqLevel);
4873 * FUNCTION: Retrieves the system time
4875 * CurrentTime (OUT) = Caller should supply storage for the resulting time.
4883 OUT PLARGE_INTEGER CurrentTime
4887 * FUNCTION: Copies a handle from one process space to another
4889 * SourceProcessHandle = The source process owning the handle. The source process should have opened
4890 * the SourceHandle with PROCESS_DUP_HANDLE access.
4891 * SourceHandle = The handle to the object.
4892 * TargetProcessHandle = The destination process owning the handle
4893 * TargetHandle (OUT) = Caller should supply storage for the duplicated handle.
4894 * DesiredAccess = The desired access to the handle.
4895 * InheritHandle = Indicates whether the new handle will be inheritable or not.
4896 * Options = Specifies special actions upon duplicating the handle. Can be
4897 * one of the values DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS.
4898 * DUPLICATE_CLOSE_SOURCE specifies that the source handle should be
4899 * closed after duplicating. DUPLICATE_SAME_ACCESS specifies to ignore
4900 * the DesiredAccess parameter and just grant the same access to the new
4903 * REMARKS: This function maps to the win32 DuplicateHandle.
4909 IN HANDLE SourceProcessHandle,
4910 IN HANDLE SourceHandle,
4911 IN HANDLE TargetProcessHandle,
4912 OUT PHANDLE TargetHandle,
4913 IN ACCESS_MASK DesiredAccess,
4914 IN BOOLEAN InheritHandle,
4921 IN HANDLE SourceProcessHandle,
4922 IN PHANDLE SourceHandle,
4923 IN HANDLE TargetProcessHandle,
4924 OUT PHANDLE TargetHandle,
4925 IN ACCESS_MASK DesiredAccess,
4926 IN BOOLEAN InheritHandle,
4931 * FUNCTION: Checks a client's access rights to an object and issues an audit alarm (it logs the access).
4933 * SubsystemName = Specifies the name of the subsystem, can be "WIN32" or "DEBUG"
4937 * SecurityDescriptor =
4944 * REMARKS: The arguments map to the win32 AccessCheck
4950 ZwAccessCheckAndAuditAlarm(
4951 IN PUNICODE_STRING SubsystemName,
4952 IN PHANDLE ObjectHandle,
4953 IN PUNICODE_STRING ObjectTypeName,
4954 IN PUNICODE_STRING ObjectName,
4955 IN PSECURITY_DESCRIPTOR SecurityDescriptor,
4956 IN ACCESS_MASK DesiredAccess,
4957 IN PGENERIC_MAPPING GenericMapping,
4958 IN BOOLEAN ObjectCreation,
4959 OUT PACCESS_MASK GrantedAccess,
4960 OUT PNTSTATUS AccessStatus,
4961 OUT PBOOLEAN GenerateOnClose
4965 * FUNCTION: Adds an atom to the global atom table
4967 * AtomString = The string to add to the atom table.
4968 * Atom (OUT) = Caller supplies storage for the resulting atom.
4969 * REMARKS: The arguments map to the win32 GlobalAddAtom.
4976 IN OUT PRTL_ATOM Atom
4984 IN OUT PRTL_ATOM Atom
4990 PULARGE_INTEGER Time,
4998 PULARGE_INTEGER Time,
5006 IN HANDLE TimerHandle,
5007 OUT ULONG ElapsedTime
5011 * FUNCTION: Creates a paging file.
5013 * FileName = Name of the pagefile
5014 * InitialSize = Specifies the initial size in bytes
5015 * MaximumSize = Specifies the maximum size in bytes
5016 * Reserved = Reserved for future use
5022 IN PUNICODE_STRING FileName,
5023 IN PLARGE_INTEGER InitialSize,
5024 IN PLARGE_INTEGER MaxiumSize,
5029 * FUNCTION: Creates a user mode thread
5031 * ThreadHandle (OUT) = Caller supplied storage for the resulting handle
5032 * DesiredAccess = Specifies the allowed or desired access to the thread.
5033 * ObjectAttributes = Initialized attributes for the object.
5034 * ProcessHandle = Handle to the thread's parent process.
5035 * ClientId (OUT) = Caller supplies storage for returned process id and thread id.
5036 * ThreadContext = Initial processor context for the thread.
5037 * InitialTeb = Initial user mode stack context for the thread.
5038 * CreateSuspended = Specifies if the thread is ready for scheduling
5040 * This function maps to the win32 function CreateThread.
5046 OUT PHANDLE ThreadHandle,
5047 IN ACCESS_MASK DesiredAccess,
5048 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
5049 IN HANDLE ProcessHandle,
5050 OUT PCLIENT_ID ClientId,
5051 IN PCONTEXT ThreadContext,
5052 IN PUSER_STACK UserStack,
5053 IN BOOLEAN CreateSuspended
5059 IN HANDLE ExistingToken,
5060 IN ACCESS_MASK DesiredAccess,
5061 IN POBJECT_ATTRIBUTES ObjectAttributes,
5062 IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
5063 IN TOKEN_TYPE TokenType,
5064 OUT PHANDLE NewToken
5070 IN HANDLE ExistingToken,
5071 IN ACCESS_MASK DesiredAccess,
5072 IN POBJECT_ATTRIBUTES ObjectAttributes,
5073 IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
5074 IN TOKEN_TYPE TokenType,
5075 OUT PHANDLE NewToken
5079 * FUNCTION: Finds an atom
5081 * AtomName = Name to search for.
5082 * Atom = Caller supplies storage for the resulting atom
5085 * This function maps to the win32 GlobalFindAtom
5091 OUT PRTL_ATOM Atom OPTIONAL
5098 OUT PRTL_ATOM Atom OPTIONAL
5102 * FUNCTION: Flushes the processor's instruction cache
5104 * ProcessHandle = Points to the process owning the cache
5105 * BaseAddress = // might this be a image address ????
5106 * NumberOfBytesToFlush =
5109 * This function is used by debuggers
5113 ZwFlushInstructionCache(
5114 IN HANDLE ProcessHandle,
5115 IN PVOID BaseAddress,
5116 IN UINT NumberOfBytesToFlush
5120 * FUNCTION: Flushes virtual memory to file
5122 * ProcessHandle = Points to the process that allocated the virtual memory
5123 * BaseAddress = Points to the memory address
5124 * NumberOfBytesToFlush = Limits the range to flush,
5125 * NumberOfBytesFlushed = Actual number of bytes flushed
5128 * Check return status on STATUS_NOT_MAPPED_DATA
5132 ZwFlushVirtualMemory(
5133 IN HANDLE ProcessHandle,
5134 IN PVOID BaseAddress,
5135 IN ULONG NumberOfBytesToFlush,
5136 OUT PULONG NumberOfBytesFlushed OPTIONAL
5140 * FUNCTION: Retrieves the uptime of the system
5142 * UpTime = Number of clock ticks since boot.
5152 * FUNCTION: Loads a registry key.
5154 * KeyObjectAttributes = Key to be loaded
5155 * FileObjectAttributes = File to load the key from
5157 * This procedure maps to the win32 procedure RegLoadKey
5163 IN POBJECT_ATTRIBUTES KeyObjectAttributes,
5164 IN POBJECT_ATTRIBUTES FileObjectAttributes
5168 * FUNCTION: Locks a range of virtual memory.
5170 * ProcessHandle = Handle to the process
5171 * BaseAddress = Lower boundary of the range of bytes to lock.
5172 * NumberOfBytesLock = Offset to the upper boundary.
5173 * NumberOfBytesLocked (OUT) = Number of bytes actually locked.
5175 This procedure maps to the win32 procedure VirtualLock.
5176 * RETURNS: Status [STATUS_SUCCESS | STATUS_WAS_LOCKED ]
5180 ZwLockVirtualMemory(
5181 HANDLE ProcessHandle,
5183 ULONG NumberOfBytesToLock,
5184 PULONG NumberOfBytesLocked
5189 ZwOpenObjectAuditAlarm(
5190 IN PUNICODE_STRING SubsystemName,
5192 IN PUNICODE_STRING ObjectTypeName,
5193 IN PUNICODE_STRING ObjectName,
5194 IN PSECURITY_DESCRIPTOR SecurityDescriptor,
5195 IN HANDLE ClientToken,
5196 IN ULONG DesiredAccess,
5197 IN ULONG GrantedAccess,
5198 IN PPRIVILEGE_SET Privileges,
5199 IN BOOLEAN ObjectCreation,
5200 IN BOOLEAN AccessGranted,
5201 OUT PBOOLEAN GenerateOnClose
5205 * FUNCTION: Set the access protection of a range of virtual memory
5207 * ProcessHandle = Handle to process owning the virtual address space
5208 * BaseAddress = Start address
5209 * NumberOfBytesToProtect = Delimits the range of virtual memory
5210 * for which the new access protection holds
5211 * NewAccessProtection = The new access protection for the pages
5212 * OldAccessProtection = Caller should supply storage for the old
5216 * The function maps to the win32 VirtualProtectEx
5221 ZwProtectVirtualMemory(
5222 IN HANDLE ProcessHandle,
5223 IN PVOID BaseAddress,
5224 IN ULONG NumberOfBytesToProtect,
5225 IN ULONG NewAccessProtection,
5226 OUT PULONG OldAccessProtection
5231 NtQueryInformationAtom(
5233 IN ATOM_INFORMATION_CLASS AtomInformationClass,
5234 OUT PVOID AtomInformation,
5235 IN ULONG AtomInformationLength,
5236 OUT PULONG ReturnLength OPTIONAL
5241 ZwQueryInformationAtom(
5243 IN ATOM_INFORMATION_CLASS AtomInformationClass,
5244 OUT PVOID AtomInformation,
5245 IN ULONG AtomInformationLength,
5246 OUT PULONG ReturnLength OPTIONAL
5250 * FUNCTION: Query information about the content of a directory object
5253 Buffer = Buffer must be large enough to hold the name strings too
5254 ReturnSingleEntry = If TRUE :return the index of the next object in this directory in ObjectIndex
5255 If FALSE: return the number of objects in this directory in ObjectIndex
5256 RestartScan = If TRUE: ignore input value of ObjectIndex always start at index 0
5257 If FALSE use input value of ObjectIndex
5258 Context = zero based index of object in the directory depends on GetNextIndex and IgnoreInputIndex
5259 ReturnLength = Actual size of the ObjectIndex ???
5264 ZwQueryDirectoryObject(
5265 IN HANDLE DirectoryHandle,
5267 IN ULONG BufferLength,
5268 IN BOOLEAN ReturnSingleEntry,
5269 IN BOOLEAN RestartScan,
5270 IN OUT PULONG Context,
5271 OUT PULONG ReturnLength OPTIONAL
5275 * FUNCTION: Queries the information of a process object.
5277 * ProcessHandle = Handle to the process object
5278 * ProcessInformation = Index to a certain information structure
5280 ProcessBasicInformation PROCESS_BASIC_INFORMATION
5281 ProcessQuotaLimits QUOTA_LIMITS
5282 ProcessIoCounters IO_COUNTERS
5283 ProcessVmCounters VM_COUNTERS
5284 ProcessTimes KERNEL_USER_TIMES
5285 ProcessBasePriority KPRIORITY
5286 ProcessRaisePriority KPRIORITY
5287 ProcessDebugPort HANDLE
5288 ProcessExceptionPort HANDLE
5289 ProcessAccessToken PROCESS_ACCESS_TOKEN
5290 ProcessLdtInformation LDT_ENTRY ??
5291 ProcessLdtSize ULONG
5292 ProcessDefaultHardErrorMode ULONG
5293 ProcessIoPortHandlers // kernel mode only
5294 ProcessPooledUsageAndLimits POOLED_USAGE_AND_LIMITS
5295 ProcessWorkingSetWatch PROCESS_WS_WATCH_INFORMATION
5296 ProcessUserModeIOPL (I/O Privilege Level)
5297 ProcessEnableAlignmentFaultFixup BOOLEAN
5298 ProcessPriorityClass ULONG
5299 ProcessWx86Information ULONG
5300 ProcessHandleCount ULONG
5301 ProcessAffinityMask ULONG
5302 ProcessPooledQuotaLimits QUOTA_LIMITS
5305 * ProcessInformation = Caller supplies storage for the process information structure
5306 * ProcessInformationLength = Size of the process information structure
5307 * ReturnLength = Actual number of bytes written
5310 * This procedure maps to the win32 GetProcessTimes, GetProcessVersion,
5311 GetProcessWorkingSetSize, GetProcessPriorityBoost, GetProcessAffinityMask, GetPriorityClass,
5312 GetProcessShutdownParameters functions.
5318 NtQueryInformationProcess(
5319 IN HANDLE ProcessHandle,
5320 IN CINT ProcessInformationClass,
5321 OUT PVOID ProcessInformation,
5322 IN ULONG ProcessInformationLength,
5323 OUT PULONG ReturnLength
5328 ZwQueryInformationProcess(
5329 IN HANDLE ProcessHandle,
5330 IN CINT ProcessInformationClass,
5331 OUT PVOID ProcessInformation,
5332 IN ULONG ProcessInformationLength,
5333 OUT PULONG ReturnLength
5337 * FUNCTION: Query the interval and the clocksource for profiling
5345 ZwQueryIntervalProfile(
5346 OUT PULONG Interval,
5347 OUT KPROFILE_SOURCE ClockSource
5351 * FUNCTION: Queries the information of an object.
5353 ObjectHandle = Handle to an object
5354 ObjectInformationClass = Index to a certain information structure
5356 ObjectBasicInformation
5357 ObjectTypeInformation OBJECT_TYPE_INFORMATION
5358 ObjectNameInformation OBJECT_NAME_INFORMATION
5359 ObjectDataInformation OBJECT_DATA_INFORMATION
5361 ObjectInformation = Caller supplies storage for resulting information
5362 Length = Size of the supplied storage
5363 ResultLength = Bytes written
5369 IN HANDLE ObjectHandle,
5370 IN CINT ObjectInformationClass,
5371 OUT PVOID ObjectInformation,
5373 OUT PULONG ResultLength
5378 NtQuerySecurityObject(
5380 IN SECURITY_INFORMATION SecurityInformation,
5381 OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
5383 OUT PULONG ResultLength
5388 ZwQuerySecurityObject(
5390 IN SECURITY_INFORMATION SecurityInformation,
5391 OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
5393 OUT PULONG ResultLength
5397 * FUNCTION: Queries the virtual memory information.
5399 ProcessHandle = Process owning the virtual address space
5400 BaseAddress = Points to the page where the information is queried for.
5401 * VirtualMemoryInformationClass = Index to a certain information structure
5403 MemoryBasicInformation MEMORY_BASIC_INFORMATION
5405 * VirtualMemoryInformation = caller supplies storage for the information structure
5406 * Length = size of the structure
5407 ResultLength = Data written
5414 ZwQueryVirtualMemory(
5415 IN HANDLE ProcessHandle,
5417 IN IN CINT VirtualMemoryInformationClass,
5418 OUT PVOID VirtualMemoryInformation,
5420 OUT PULONG ResultLength
5424 * FUNCTION: Raises a hard error (stops the system)
5426 * Status = Status code of the hard error
5447 * FUNCTION: Sets the information of a registry key.
5449 * KeyHandle = Handle to the registry key
5450 * KeyInformationClass = Index to a certain information structure.
5451 Can be one of the following values:
5453 * KeyWriteTimeInformation KEY_WRITE_TIME_INFORMATION
5455 KeyInformation = Storage for the new information
5456 * KeyInformationLength = Size of the information structure
5462 ZwSetInformationKey(
5463 IN HANDLE KeyHandle,
5464 IN CINT KeyInformationClass,
5465 IN PVOID KeyInformation,
5466 IN ULONG KeyInformationLength
5470 * FUNCTION: Changes a set of object specific parameters
5473 * ObjectInformationClass = Index to the set of parameters to change.
5476 ObjectBasicInformation
5477 ObjectTypeInformation OBJECT_TYPE_INFORMATION
5478 ObjectAllInformation
5479 ObjectDataInformation OBJECT_DATA_INFORMATION
5480 ObjectNameInformation OBJECT_NAME_INFORMATION
5483 * ObjectInformation = Caller supplies storage for parameters to set.
5484 * Length = Size of the storage supplied
5489 ZwSetInformationObject(
5490 IN HANDLE ObjectHandle,
5491 IN CINT ObjectInformationClass,
5492 IN PVOID ObjectInformation,
5497 * FUNCTION: Changes a set of process specific parameters
5499 * ProcessHandle = Handle to the process
5500 * ProcessInformationClass = Index to an information structure.
5502 * ProcessBasicInformation PROCESS_BASIC_INFORMATION
5503 * ProcessQuotaLimits QUOTA_LIMITS
5504 * ProcessBasePriority KPRIORITY
5505 * ProcessRaisePriority KPRIORITY
5506 * ProcessDebugPort HANDLE
5507 * ProcessExceptionPort HANDLE
5508 * ProcessAccessToken PROCESS_ACCESS_TOKEN
5509 * ProcessDefaultHardErrorMode ULONG
5510 * ProcessPriorityClass ULONG
5511 * ProcessAffinityMask KAFFINITY //??
5513 * ProcessInformation = Caller supplies storage for information to set.
5514 * ProcessInformationLength = Size of the information structure
5519 NtSetInformationProcess(
5520 IN HANDLE ProcessHandle,
5521 IN CINT ProcessInformationClass,
5522 IN PVOID ProcessInformation,
5523 IN ULONG ProcessInformationLength
5528 ZwSetInformationProcess(
5529 IN HANDLE ProcessHandle,
5530 IN CINT ProcessInformationClass,
5531 IN PVOID ProcessInformation,
5532 IN ULONG ProcessInformationLength
5536 * FUNCTION: Sets the characteristics of a timer
5538 * TimerHandle = Handle to the timer
5539 * DueTime = Time before the timer becomes signalled for the first time.
5540 * TimerApcRoutine = Completion routine can be called on time completion
5541 * TimerContext = Argument to the completion routine
5542 * Resume = Specifies if the timer should be repeated after completing one cycle
5543 * Period = Cycle of the timer
5544 * REMARKS: This routine maps to the win32 SetWaitableTimer.
5550 IN HANDLE TimerHandle,
5551 IN PLARGE_INTEGER DueTime,
5552 IN PTIMERAPCROUTINE TimerApcRoutine,
5553 IN PVOID TimerContext,
5555 IN ULONG Period OPTIONAL,
5556 OUT PBOOLEAN PreviousState OPTIONAL
5560 * FUNCTION: Unloads a registry key.
5562 * KeyHandle = Handle to the registry key
5564 * This procedure maps to the win32 procedure RegUnloadKey
5570 IN POBJECT_ATTRIBUTES KeyObjectAttributes
5574 * FUNCTION: Unlocks a range of virtual memory.
5576 * ProcessHandle = Handle to the process
5577 * BaseAddress = Lower boundary of the range of bytes to unlock.
5578 * NumberOfBytesToUnlock = Offset to the upper boundary to unlock.
5579 * NumberOfBytesUnlocked (OUT) = Number of bytes actually unlocked.
5581 This procedure maps to the win32 procedure VirtualUnlock
5582 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PAGE_WAS_ULOCKED ]
5586 ZwUnlockVirtualMemory(
5587 IN HANDLE ProcessHandle,
5588 IN PVOID BaseAddress,
5589 IN ULONG NumberOfBytesToUnlock,
5590 OUT PULONG NumberOfBytesUnlocked OPTIONAL
5594 * FUNCTION: Waits for multiple objects to become signalled.
5596 * Count = The number of objects
5597 * Object = The array of object handles
5598 * WaitType = Can be one of the values UserMode or KernelMode
5599 * Alertable = If true the wait is alertable.
5600 * Time = The maximum wait time.
5602 * This function maps to the win32 WaitForMultipleObjectsEx.
5607 ZwWaitForMultipleObjects (
5610 IN WAIT_TYPE WaitType,
5611 IN BOOLEAN Alertable,
5612 IN PLARGE_INTEGER Time
5616 * FUNCTION: Creates a profile
5618 * ProfileHandle (OUT) = Caller supplied storage for the resulting handle
5619 * ObjectAttribute = Initialized attributes for the object
5620 * ImageBase = Start address of executable image
5621 * ImageSize = Size of the image
5622 * Granularity = Bucket size
5623 * Buffer = Caller supplies buffer for profiling info
5624 * ProfilingSize = Buffer size
5625 * ClockSource = Specify 0 / FALSE ??
5626 * ProcessorMask = A value of -1 disables per-processor profiling,
5627 otherwise bit set for the processor to profile.
5629 * This function maps to the win32 CreateProcess.
5636 OUT PHANDLE ProfileHandle,
5637 IN POBJECT_ATTRIBUTES ObjectAttributes,
5640 IN ULONG Granularity,
5642 IN ULONG ProfilingSize,
5643 IN ULONG ClockSource,
5644 IN ULONG ProcessorMask
5648 * FUNCTION: Delays the execution of the calling thread.
5650 * Alertable = If TRUE the thread is alertable during its wait period
5651 * Interval = Specifies the interval to wait.
5657 IN BOOLEAN Alertable,
5662 * FUNCTION: Extends a section
5664 * SectionHandle = Handle to the section
5665 * NewMaximumSize = Adjusted size
5671 IN HANDLE SectionHandle,
5672 IN ULONG NewMaximumSize
5676 * FUNCTION: Queries the information of a section object.
5678 * SectionHandle = Handle to the section link object
5679 * SectionInformationClass = Index to a certain information structure
5680 * SectionInformation (OUT)= Caller supplies storage for resulting information
5681 * Length = Size of the supplied storage
5682 * ResultLength = Data written
5689 IN HANDLE SectionHandle,
5690 IN CINT SectionInformationClass,
5691 OUT PVOID SectionInformation,
5693 OUT PULONG ResultLength
5696 typedef struct _SECTION_IMAGE_INFORMATION
5703 USHORT MinorSubsystemVersion;
5704 USHORT MajorSubsystemVersion;
5706 ULONG Characteristics;
5711 } SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;
5713 #endif /* !__USE_W32API */
5716 * FUNCTION: Loads a registry key.
5718 * KeyObjectAttributes = Key to be loaded
5719 * FileObjectAttributes = File to load the key from
5722 * This procedure maps to the win32 procedure RegLoadKey
5728 IN POBJECT_ATTRIBUTES KeyObjectAttributes,
5729 IN POBJECT_ATTRIBUTES FileObjectAttributes,
5736 IN POBJECT_ATTRIBUTES KeyObjectAttributes,
5737 IN POBJECT_ATTRIBUTES FileObjectAttributes,
5742 * FUNCTION: Retrieves the system time
5744 * CurrentTime (OUT) = Caller should supply storage for the resulting time.
5752 OUT PLARGE_INTEGER CurrentTime
5756 * FUNCTION: Queries the information of an object.
5758 ObjectHandle = Handle to an object
5759 ObjectInformationClass = Index to a certain information structure
5761 ObjectBasicInformation
5762 ObjectTypeInformation OBJECT_TYPE_INFORMATION
5763 ObjectNameInformation OBJECT_NAME_INFORMATION
5764 ObjectDataInformation OBJECT_DATA_INFORMATION
5766 ObjectInformation = Caller supplies storage for resulting information
5767 Length = Size of the supplied storage
5768 ResultLength = Bytes written
5774 IN HANDLE ObjectHandle,
5775 IN CINT ObjectInformationClass,
5776 OUT PVOID ObjectInformation,
5778 OUT PULONG ResultLength
5781 /* BEGIN REACTOS ONLY */
5784 ExInitializeBinaryTree(IN PBINARY_TREE Tree,
5785 IN PKEY_COMPARATOR Compare,
5786 IN BOOLEAN UseNonPagedPool);
5789 ExDeleteBinaryTree(IN PBINARY_TREE Tree);
5792 ExInsertBinaryTree(IN PBINARY_TREE Tree,
5797 ExSearchBinaryTree(IN PBINARY_TREE Tree,
5802 ExRemoveBinaryTree(IN PBINARY_TREE Tree,
5807 ExTraverseBinaryTree(IN PBINARY_TREE Tree,
5808 IN TRAVERSE_METHOD Method,
5809 IN PTRAVERSE_ROUTINE Routine,
5813 ExInitializeSplayTree(IN PSPLAY_TREE Tree,
5814 IN PKEY_COMPARATOR Compare,
5815 IN BOOLEAN Weighted,
5816 IN BOOLEAN UseNonPagedPool);
5819 ExDeleteSplayTree(IN PSPLAY_TREE Tree);
5822 ExInsertSplayTree(IN PSPLAY_TREE Tree,
5827 ExSearchSplayTree(IN PSPLAY_TREE Tree,
5832 ExRemoveSplayTree(IN PSPLAY_TREE Tree,
5837 ExWeightOfSplayTree(IN PSPLAY_TREE Tree,
5841 ExTraverseSplayTree(IN PSPLAY_TREE Tree,
5842 IN TRAVERSE_METHOD Method,
5843 IN PTRAVERSE_ROUTINE Routine,
5847 ExInitializeHashTable(IN PHASH_TABLE HashTable,
5848 IN ULONG HashTableSize,
5849 IN PKEY_COMPARATOR Compare OPTIONAL,
5850 IN BOOLEAN UseNonPagedPool);
5853 ExDeleteHashTable(IN PHASH_TABLE HashTable);
5856 ExInsertHashTable(IN PHASH_TABLE HashTable,
5862 ExSearchHashTable(IN PHASH_TABLE HashTable,
5868 ExRemoveHashTable(IN PHASH_TABLE HashTable,
5873 /* END REACTOS ONLY */
5875 #endif /* __DDK_ZW_H */