2 /* $Id: zw.h,v 1.54 2002/10/25 22:08:20 chorns Exp $
4 * COPYRIGHT: See COPYING in the top level directory
5 * PROJECT: ReactOS kernel
6 * PURPOSE: System call definitions
7 * FILE: include/ddk/zw.h
9 * ??/??/??: First few functions (David Welch)
10 * ??/??/??: Complete implementation by Ariadne
11 * 13/07/98: Reorganised things a bit (David Welch)
12 * 04/08/98: Added some documentation (Ariadne)
13 * 14/08/98: Added type TIME and change variable type from [1] to [0]
14 * 14/09/98: Added for each Nt call a corresponding Zw Call
20 #include <ntos/security.h>
21 #include <napi/npipe.h>
24 //#define SECURITY_INFORMATION ULONG
25 //typedef ULONG SECURITY_INFORMATION;
29 * FUNCTION: Checks a client's access rights to an object
31 * SecurityDescriptor = Security information against which the access is checked
32 * ClientToken = Represents a client
36 * ReturnLength = Bytes written
38 * AccessStatus = Indicates if the ClientToken allows the requested access
39 * REMARKS: The arguments map to the win32 AccessCheck
46 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
47 IN HANDLE ClientToken
,
48 IN ACCESS_MASK DesiredAcces
,
49 IN PGENERIC_MAPPING GenericMapping
,
50 OUT PPRIVILEGE_SET PrivilegeSet
,
51 OUT PULONG ReturnLength
,
52 OUT PULONG GrantedAccess
,
53 OUT PBOOLEAN AccessStatus
59 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
60 IN HANDLE ClientToken
,
61 IN ACCESS_MASK DesiredAcces
,
62 IN PGENERIC_MAPPING GenericMapping
,
63 OUT PPRIVILEGE_SET PrivilegeSet
,
64 OUT PULONG ReturnLength
,
65 OUT PULONG GrantedAccess
,
66 OUT PBOOLEAN AccessStatus
70 * FUNCTION: Checks a client's access rights to an object and issues an audit alarm (it logs the access).
72 * SubsystemName = Specifies the name of the subsystem, can be "WIN32" or "DEBUG"
81 * REMARKS: The arguments map to the win32 AccessCheck
87 NtAccessCheckAndAuditAlarm(
88 IN PUNICODE_STRING SubsystemName
,
89 IN PHANDLE ObjectHandle
,
90 IN POBJECT_ATTRIBUTES ObjectAttributes
,
91 IN ACCESS_MASK DesiredAccess
,
92 IN PGENERIC_MAPPING GenericMapping
,
93 IN BOOLEAN ObjectCreation
,
94 OUT PULONG GrantedAccess
,
95 OUT PBOOLEAN AccessStatus
,
96 OUT PBOOLEAN GenerateOnClose
101 ZwAccessCheckAndAuditAlarm(
102 IN PUNICODE_STRING SubsystemName
,
103 IN PHANDLE ObjectHandle
,
104 IN POBJECT_ATTRIBUTES ObjectAttributes
,
105 IN ACCESS_MASK DesiredAccess
,
106 IN PGENERIC_MAPPING GenericMapping
,
107 IN BOOLEAN ObjectCreation
,
108 OUT PULONG GrantedAccess
,
109 OUT PBOOLEAN AccessStatus
,
110 OUT PBOOLEAN GenerateOnClose
114 * FUNCTION: Adds an atom to the global atom table
116 * AtomString = The string to add to the atom table.
117 * Atom (OUT) = Caller supplies storage for the resulting atom.
118 * REMARKS: The arguments map to the win32 GlobalAddAtom.
125 IN OUT PRTL_ATOM Atom
133 IN OUT PRTL_ATOM Atom
138 * FUNCTION: Adjusts the groups in an access token
140 * TokenHandle = Specifies the access token
141 * ResetToDefault = If true the NewState parameter is ignored and the groups are set to
142 * their default state, if false the groups specified in
145 * BufferLength = Specifies the size of the buffer for the PreviousState.
147 * ReturnLength = Bytes written in PreviousState buffer.
148 * REMARKS: The arguments map to the win32 AdjustTokenGroups
155 IN HANDLE TokenHandle
,
156 IN BOOLEAN ResetToDefault
,
157 IN PTOKEN_GROUPS NewState
,
158 IN ULONG BufferLength
,
159 OUT PTOKEN_GROUPS PreviousState OPTIONAL
,
160 OUT PULONG ReturnLength
166 IN HANDLE TokenHandle
,
167 IN BOOLEAN ResetToDefault
,
168 IN PTOKEN_GROUPS NewState
,
169 IN ULONG BufferLength
,
170 OUT PTOKEN_GROUPS PreviousState
,
171 OUT PULONG ReturnLength
179 * TokenHandle = Handle to the access token
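180 * DisableAllPrivileges = The resulting suspend count. [review: the prototype declares this parameter as IN BOOLEAN, so this description looks copied from the SuspendCount entry further down - confirm the intended meaning]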
186 * The arguments map to the win32 AdjustTokenPrivileges
192 NtAdjustPrivilegesToken(
193 IN HANDLE TokenHandle
,
194 IN BOOLEAN DisableAllPrivileges
,
195 IN PTOKEN_PRIVILEGES NewState
,
196 IN ULONG BufferLength
,
197 OUT PTOKEN_PRIVILEGES PreviousState
,
198 OUT PULONG ReturnLength
203 ZwAdjustPrivilegesToken(
204 IN HANDLE TokenHandle
,
205 IN BOOLEAN DisableAllPrivileges
,
206 IN PTOKEN_PRIVILEGES NewState
,
207 IN ULONG BufferLength
,
208 OUT PTOKEN_PRIVILEGES PreviousState
,
209 OUT PULONG ReturnLength
214 * FUNCTION: Decrements a thread's suspend count and places it in an alerted
217 * ThreadHandle = Handle to the thread that should be resumed
218 * SuspendCount = The resulting suspend count.
220 * A thread is resumed if its suspend count is 0
226 IN HANDLE ThreadHandle
,
227 OUT PULONG SuspendCount
233 IN HANDLE ThreadHandle
,
234 OUT PULONG SuspendCount
238 * FUNCTION: Puts the thread in an alerted state
240 * ThreadHandle = Handle to the thread that should be alerted
246 IN HANDLE ThreadHandle
252 IN HANDLE ThreadHandle
257 * FUNCTION: Allocates a locally unique id
259 * LocallyUniqueId = Locally unique number
264 NtAllocateLocallyUniqueId(
265 OUT LUID
*LocallyUniqueId
270 ZwAllocateLocallyUniqueId(
277 PULARGE_INTEGER Time
,
285 PULARGE_INTEGER Time
,
292 * FUNCTION: Allocates a block of virtual memory in the process address space
294 * ProcessHandle = The handle of the process which owns the virtual memory
295 * BaseAddress = A pointer to the virtual memory allocated. If you supply a non zero
296 * value the system will try to allocate the memory at the address supplied. It rounds
297 * it down to a multiple of the page size.
298 * ZeroBits = (OPTIONAL) You can specify the number of high order bits that must be zero, ensuring that
299 * the memory will be allocated at an address below a certain value.
300 * RegionSize = The number of bytes to allocate
301 * AllocationType = Indicates the type of virtual memory you would like to allocate,
302 * can be one of the values : MEM_COMMIT, MEM_RESERVE, MEM_RESET, MEM_TOP_DOWN
303 * Protect = Indicates the protection type of the pages allocated, can be a combination of
304 * PAGE_READONLY, PAGE_READWRITE, PAGE_EXECUTE_READ,
305 * PAGE_EXECUTE_READWRITE, PAGE_GUARD, PAGE_NOACCESS, PAGE_NOACCESS
307 * This function maps to the win32 VirtualAllocEx. Virtual memory is process based so the
308 * protocol starts with a ProcessHandle. I split the functionality of obtaining the actual address and specifying
309 * the start address into two parameters ( BaseAddress and StartAddress ). The NumberOfBytesAllocated specifies the range
310 * and the AllocationType and ProtectionType map to the other two parameters.
315 NtAllocateVirtualMemory (
316 IN HANDLE ProcessHandle
,
317 IN OUT PVOID
*BaseAddress
,
319 IN OUT PULONG RegionSize
,
320 IN ULONG AllocationType
,
326 ZwAllocateVirtualMemory (
327 IN HANDLE ProcessHandle
,
328 IN OUT PVOID
*BaseAddress
,
330 IN OUT PULONG RegionSize
,
331 IN ULONG AllocationType
,
335 * FUNCTION: Returns from a callback into user mode
339 //FIXME: this function might need 3 parameters
340 NTSTATUS STDCALL
NtCallbackReturn(PVOID Result
,
344 NTSTATUS STDCALL
ZwCallbackReturn(PVOID Result
,
349 * FUNCTION: Cancels an IO request
351 * FileHandle = Handle to the file
355 * This function maps to the win32 CancelIo.
361 IN HANDLE FileHandle
,
362 OUT PIO_STATUS_BLOCK IoStatusBlock
368 IN HANDLE FileHandle
,
369 OUT PIO_STATUS_BLOCK IoStatusBlock
372 * FUNCTION: Cancels a timer
374 * TimerHandle = Handle to the timer
375 * CurrentState = Specifies the state of the timer when cancelled.
377 * The arguments to this function map to the function CancelWaitableTimer.
383 IN HANDLE TimerHandle
,
384 OUT PBOOLEAN CurrentState OPTIONAL
390 IN HANDLE TimerHandle
,
391 OUT ULONG ElapsedTime
394 * FUNCTION: Sets the status of the event back to non-signaled
396 * EventHandle = Handle to the event
398 * This function maps to win32 function ResetEvent.
405 IN HANDLE EventHandle
411 IN HANDLE EventHandle
415 * FUNCTION: Closes an object handle
417 * Handle = Handle to the object
419 * This function maps to the win32 function CloseHandle.
436 * FUNCTION: Generates an audit message when a handle to an object is dereferenced
439 HandleId = Handle to the object
442 * This function maps to the win32 function ObjectCloseAuditAlarm.
448 NtCloseObjectAuditAlarm(
449 IN PUNICODE_STRING SubsystemName
,
451 IN BOOLEAN GenerateOnClose
456 ZwCloseObjectAuditAlarm(
457 IN PUNICODE_STRING SubsystemName
,
459 IN BOOLEAN GenerateOnClose
463 * FUNCTION: Continues a thread with the specified context
465 * Context = Specifies the processor context
466 * IrqLevel = Specifies the Interrupt Request Level to continue with. Can
467 * be PASSIVE_LEVEL or APC_LEVEL
469 * NtContinue can be used to continue after an exception or apc.
472 //FIXME This function might need another parameter
/*
 * ZwContinue: continues a thread with the specified processor context.
 *   Context  = processor context to continue with (caller-supplied pointer)
 *   IrqLevel = interrupt request level to continue at; the header comment
 *              lists PASSIVE_LEVEL or APC_LEVEL
 * Returns an NTSTATUS.
 * NOTE(review): the header carries a FIXME that this call may need another
 * parameter, so the signature may not match the implementation - confirm.
 * NOTE(review): whether Context is validated before it is loaded is not
 * visible in this header - confirm in the implementation.
 */
481 NTSTATUS STDCALL
ZwContinue(IN PCONTEXT Context
, IN CINT IrqLevel
);
485 * FUNCTION: Creates a directory object
487 * DirectoryHandle (OUT) = Caller supplied storage for the resulting handle
488 * DesiredAccess = Specifies access to the directory
489 * ObjectAttribute = Initialized attributes for the object
490 * REMARKS: This function maps to the win32 CreateDirectory. A directory is like a file so it needs a
491 * handle, an access mask and an OBJECT_ATTRIBUTES structure to map the path name and the SECURITY_ATTRIBUTES.
497 NtCreateDirectoryObject(
498 OUT PHANDLE DirectoryHandle
,
499 IN ACCESS_MASK DesiredAccess
,
500 IN POBJECT_ATTRIBUTES ObjectAttributes
505 ZwCreateDirectoryObject(
506 OUT PHANDLE DirectoryHandle
,
507 IN ACCESS_MASK DesiredAccess
,
508 IN POBJECT_ATTRIBUTES ObjectAttributes
512 * FUNCTION: Creates an event object
514 * EventHandle (OUT) = Caller supplied storage for the resulting handle
515 * DesiredAccess = Specifies access to the event
516 * ObjectAttribute = Initialized attributes for the object
517 * ManualReset = manual-reset or auto-reset. If true you have to reset the state of the event manually
518 * using NtResetEvent/NtClearEvent. If false the system will reset the event to a non-signalled state
519 * automatically after the system has rescheduled a thread waiting on the event.
520 * InitialState = specifies the initial state of the event to be signaled ( TRUE ) or non-signalled (FALSE).
521 * REMARKS: This function maps to the win32 CreateEvent. It takes an out variable of type HANDLE,
522 * an access mask and an OBJECT_ATTRIBUTES structure mapping to the SECURITY_ATTRIBUTES. ManualReset and InitialState are
523 * both parameters as well ( possibly the order is reversed ).
530 OUT PHANDLE EventHandle
,
531 IN ACCESS_MASK DesiredAccess
,
532 IN POBJECT_ATTRIBUTES ObjectAttributes
,
533 IN BOOLEAN ManualReset
,
534 IN BOOLEAN InitialState
540 OUT PHANDLE EventHandle
,
541 IN ACCESS_MASK DesiredAccess
,
542 IN POBJECT_ATTRIBUTES ObjectAttributes
,
543 IN BOOLEAN ManualReset
,
544 IN BOOLEAN InitialState
548 * FUNCTION: Creates an eventpair object
550 * EventPairHandle (OUT) = Caller supplied storage for the resulting handle
551 * DesiredAccess = Specifies access to the event
552 * ObjectAttribute = Initialized attributes for the object
558 OUT PHANDLE EventPairHandle
,
559 IN ACCESS_MASK DesiredAccess
,
560 IN POBJECT_ATTRIBUTES ObjectAttributes
566 OUT PHANDLE EventPairHandle
,
567 IN ACCESS_MASK DesiredAccess
,
568 IN POBJECT_ATTRIBUTES ObjectAttributes
573 * FUNCTION: Creates or opens a file, directory or device object.
575 * FileHandle (OUT) = Caller supplied storage for the resulting handle
576 * DesiredAccess = Specifies the allowed or desired access to the file can
577 * be a combination of DELETE | FILE_READ_DATA ..
578 * ObjectAttribute = Initialized attributes for the object, contains the rootdirectory and the filename
579 * IoStatusBlock (OUT) = Caller supplied storage for the resulting status information, indicating if
580 * the file is created and opened or already existed and is just opened.
581 * FileAttributes = file attributes can be a combination of FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN ...
582 * ShareAccess = can be a combination of the following: FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE
583 * CreateDisposition = specifies the behavior of the system if the file already exists.
584 * CreateOptions = specifies the behavior of the system on file creation.
585 * EaBuffer (OPTIONAL) = Extended Attributes buffer, applies only to files and directories.
586 * EaLength = Extended Attributes buffer size, applies only to files and directories.
587 * REMARKS: This function maps to the win32 CreateFile.
594 OUT PHANDLE FileHandle
,
595 IN ACCESS_MASK DesiredAccess
,
596 IN POBJECT_ATTRIBUTES ObjectAttributes
,
597 OUT PIO_STATUS_BLOCK IoStatusBlock
,
598 IN PLARGE_INTEGER AllocationSize OPTIONAL
,
599 IN ULONG FileAttributes
,
600 IN ULONG ShareAccess
,
601 IN ULONG CreateDisposition
,
602 IN ULONG CreateOptions
,
603 IN PVOID EaBuffer OPTIONAL
,
610 OUT PHANDLE FileHandle
,
611 IN ACCESS_MASK DesiredAccess
,
612 IN POBJECT_ATTRIBUTES ObjectAttributes
,
613 OUT PIO_STATUS_BLOCK IoStatusBlock
,
614 IN PLARGE_INTEGER AllocationSize OPTIONAL
,
615 IN ULONG FileAttributes
,
616 IN ULONG ShareAccess
,
617 IN ULONG CreateDisposition
,
618 IN ULONG CreateOptions
,
619 IN PVOID EaBuffer OPTIONAL
,
624 * FUNCTION: Creates or opens a file, directory or device object.
626 * CompletionPort (OUT) = Caller supplied storage for the resulting handle
627 * DesiredAccess = Specifies the allowed or desired access to the port
629 * NumberOfConcurrentThreads =
630 * REMARKS: This function maps to the win32 CreateIoCompletionPort
637 NtCreateIoCompletion(
638 OUT PHANDLE CompletionPort
,
639 IN ACCESS_MASK DesiredAccess
,
640 OUT PIO_STATUS_BLOCK IoStatusBlock
,
641 IN ULONG NumberOfConcurrentThreads
646 ZwCreateIoCompletion(
647 OUT PHANDLE CompletionPort
,
648 IN ACCESS_MASK DesiredAccess
,
649 OUT PIO_STATUS_BLOCK IoStatusBlock
,
650 IN ULONG NumberOfConcurrentThreads
655 * FUNCTION: Creates a mail slot file
657 * MailSlotFileHandle (OUT) = Caller supplied storage for the resulting handle
658 * DesiredAccess = Specifies the allowed or desired access to the file
659 * ObjectAttributes = Contains the name of the mailslotfile.
666 * REMARKS: This function maps to the win32 function CreateMailSlot
673 NtCreateMailslotFile(
674 OUT PHANDLE MailSlotFileHandle
,
675 IN ACCESS_MASK DesiredAccess
,
676 IN POBJECT_ATTRIBUTES ObjectAttributes
,
677 OUT PIO_STATUS_BLOCK IoStatusBlock
,
678 IN ULONG FileAttributes
,
679 IN ULONG ShareAccess
,
680 IN ULONG MaxMessageSize
,
681 IN PLARGE_INTEGER TimeOut
686 ZwCreateMailslotFile(
687 OUT PHANDLE MailSlotFileHandle
,
688 IN ACCESS_MASK DesiredAccess
,
689 IN POBJECT_ATTRIBUTES ObjectAttributes
,
690 OUT PIO_STATUS_BLOCK IoStatusBlock
,
691 IN ULONG FileAttributes
,
692 IN ULONG ShareAccess
,
693 IN ULONG MaxMessageSize
,
694 IN PLARGE_INTEGER TimeOut
698 * FUNCTION: Creates or opens a mutex
700 * MutantHandle (OUT) = Caller supplied storage for the resulting handle
701 * DesiredAccess = Specifies the allowed or desired access to the port
702 * ObjectAttributes = Contains the name of the mutex.
703 * InitialOwner = If true the calling thread acquires ownership
705 * REMARKS: This function maps to the win32 function CreateMutex
712 OUT PHANDLE MutantHandle
,
713 IN ACCESS_MASK DesiredAccess
,
714 IN POBJECT_ATTRIBUTES ObjectAttributes
,
715 IN BOOLEAN InitialOwner
721 OUT PHANDLE MutantHandle
,
722 IN ACCESS_MASK DesiredAccess
,
723 IN POBJECT_ATTRIBUTES ObjectAttributes
,
724 IN BOOLEAN InitialOwner
729 * FUNCTION: Creates a paging file.
731 * FileName = Name of the pagefile
732 * InitialSize = Specifies the initial size in bytes
733 * MaximumSize = Specifies the maximum size in bytes
734 * Reserved = Reserved for future use
740 IN PUNICODE_STRING FileName
,
741 IN PLARGE_INTEGER InitialSize
,
742 IN PLARGE_INTEGER MaxiumSize
,
749 IN PUNICODE_STRING FileName
,
750 IN PLARGE_INTEGER InitialSize
,
751 IN PLARGE_INTEGER MaxiumSize
,
756 * FUNCTION: Creates a process.
758 * ProcessHandle (OUT) = Caller supplied storage for the resulting handle
759 * DesiredAccess = Specifies the allowed or desired access to the process can
760 * be a combination of STANDARD_RIGHTS_REQUIRED| ..
761 * ObjectAttribute = Initialized attributes for the object, contains the rootdirectory and the filename
762 * ParentProcess = Handle to the parent process.
763 * InheritObjectTable = Specifies to inherit the objects of the parent process if true.
764 * SectionHandle = Handle to a section object to back the image file
765 * DebugPort = Handle to a DebugPort if NULL the system default debug port will be used.
766 * ExceptionPort = Handle to an exception port.
768 * This function maps to the win32 CreateProcess.
774 OUT PHANDLE ProcessHandle
,
775 IN ACCESS_MASK DesiredAccess
,
776 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
,
777 IN HANDLE ParentProcess
,
778 IN BOOLEAN InheritObjectTable
,
779 IN HANDLE SectionHandle OPTIONAL
,
780 IN HANDLE DebugPort OPTIONAL
,
781 IN HANDLE ExceptionPort OPTIONAL
787 OUT PHANDLE ProcessHandle
,
788 IN ACCESS_MASK DesiredAccess
,
789 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
,
790 IN HANDLE ParentProcess
,
791 IN BOOLEAN InheritObjectTable
,
792 IN HANDLE SectionHandle OPTIONAL
,
793 IN HANDLE DebugPort OPTIONAL
,
794 IN HANDLE ExceptionPort OPTIONAL
798 * FUNCTION: Creates a profile
800 * ProfileHandle (OUT) = Caller supplied storage for the resulting handle
801 * ObjectAttribute = Initialized attributes for the object
802 * ImageBase = Start address of executable image
803 * ImageSize = Size of the image
804 * Granularity = Bucket size
805 * Buffer = Caller supplies buffer for profiling info
806 * ProfilingSize = Buffer size
807 * ClockSource = Specify 0 / FALSE ??
808 * ProcessorMask = A value of -1 disables per processor profiling,
809 otherwise bit set for the processor to profile.
811 * This function maps to the win32 CreateProcess.
817 NtCreateProfile(OUT PHANDLE ProfileHandle
,
818 IN HANDLE ProcessHandle
,
821 IN ULONG Granularity
,
823 IN ULONG ProfilingSize
,
824 IN KPROFILE_SOURCE Source
,
825 IN ULONG ProcessorMask
);
830 OUT PHANDLE ProfileHandle
,
831 IN POBJECT_ATTRIBUTES ObjectAttributes
,
834 IN ULONG Granularity
,
836 IN ULONG ProfilingSize
,
837 IN ULONG ClockSource
,
838 IN ULONG ProcessorMask
842 * FUNCTION: Creates a section object.
844 * SectionHandle (OUT) = Caller supplied storage for the resulting handle
845 * DesiredAccess = Specifies the desired access to the section can be a combination of STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_WRITE |
846 * SECTION_MAP_READ | SECTION_MAP_EXECUTE.
847 * ObjectAttribute = Initialized attributes for the object can be used to create a named section
848 * MaximumSize = Specifies the maximum size of the memory section. Must be non-NULL for a page-file backed section.
849 * If value specified for a mapped file and the file is not large enough, file will be extended.
850 * SectionPageProtection = Can be a combination of PAGE_READONLY | PAGE_READWRITE | PAGE_WRITEONLY | PAGE_WRITECOPY.
851 * AllocationAttributes = can be a combination of SEC_IMAGE | SEC_RESERVE
852 * FileHandle = Handle to a file to create a section mapped to a file instead of a memory backed section.
859 OUT PHANDLE SectionHandle
,
860 IN ACCESS_MASK DesiredAccess
,
861 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
,
862 IN PLARGE_INTEGER MaximumSize OPTIONAL
,
863 IN ULONG SectionPageProtection OPTIONAL
,
864 IN ULONG AllocationAttributes
,
865 IN HANDLE FileHandle OPTIONAL
871 OUT PHANDLE SectionHandle
,
872 IN ACCESS_MASK DesiredAccess
,
873 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
,
874 IN PLARGE_INTEGER MaximumSize OPTIONAL
,
875 IN ULONG SectionPageProtection OPTIONAL
,
876 IN ULONG AllocationAttributes
,
877 IN HANDLE FileHandle OPTIONAL
881 * FUNCTION: Creates a semaphore object for interprocess synchronization.
883 * SemaphoreHandle (OUT) = Caller supplied storage for the resulting handle
884 * DesiredAccess = Specifies the allowed or desired access to the semaphore.
885 * ObjectAttribute = Initialized attributes for the object.
886 * InitialCount = Not necessarily zero, might be smaller than zero.
887 * MaximumCount = Maximum count the semaphore can reach.
890 * The semaphore is set to signaled when its count is greater than zero, and non-signaled when its count is zero.
893 //FIXME: should a semaphore's initial count be allowed to be smaller than zero ??
897 OUT PHANDLE SemaphoreHandle
,
898 IN ACCESS_MASK DesiredAccess
,
899 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
,
900 IN LONG InitialCount
,
907 OUT PHANDLE SemaphoreHandle
,
908 IN ACCESS_MASK DesiredAccess
,
909 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
,
910 IN LONG InitialCount
,
915 * FUNCTION: Creates a symbolic link object
917 * SymbolicLinkHandle (OUT) = Caller supplied storage for the resulting handle
918 * DesiredAccess = Specifies the allowed or desired access to the thread.
919 * ObjectAttributes = Initialized attributes for the object.
920 * Name = Target name of the symbolic link
925 NtCreateSymbolicLinkObject(
926 OUT PHANDLE SymbolicLinkHandle
,
927 IN ACCESS_MASK DesiredAccess
,
928 IN POBJECT_ATTRIBUTES ObjectAttributes
,
929 IN PUNICODE_STRING Name
934 ZwCreateSymbolicLinkObject(
935 OUT PHANDLE SymbolicLinkHandle
,
936 IN ACCESS_MASK DesiredAccess
,
937 IN POBJECT_ATTRIBUTES ObjectAttributes
,
938 IN PUNICODE_STRING Name
942 * FUNCTION: Creates a user mode thread
944 * ThreadHandle (OUT) = Caller supplied storage for the resulting handle
945 * DesiredAccess = Specifies the allowed or desired access to the thread.
946 * ObjectAttributes = Initialized attributes for the object.
947 * ProcessHandle = Handle to the thread's parent process.
948 * ClientId (OUT) = Caller supplies storage for returned process id and thread id.
949 * ThreadContext = Initial processor context for the thread.
950 * InitialTeb = Initial user mode stack context for the thread.
951 * CreateSuspended = Specifies if the thread is ready for scheduling
953 * This function maps to the win32 function CreateThread.
959 OUT PHANDLE ThreadHandle
,
960 IN ACCESS_MASK DesiredAccess
,
961 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
,
962 IN HANDLE ProcessHandle
,
963 OUT PCLIENT_ID ClientId
,
964 IN PCONTEXT ThreadContext
,
965 IN PINITIAL_TEB InitialTeb
,
966 IN BOOLEAN CreateSuspended
972 OUT PHANDLE ThreadHandle
,
973 IN ACCESS_MASK DesiredAccess
,
974 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
,
975 IN HANDLE ProcessHandle
,
976 OUT PCLIENT_ID ClientId
,
977 IN PCONTEXT ThreadContext
,
978 IN PINITIAL_TEB InitialTeb
,
979 IN BOOLEAN CreateSuspended
983 * FUNCTION: Creates a waitable timer.
985 * TimerHandle (OUT) = Caller supplied storage for the resulting handle
986 * DesiredAccess = Specifies the allowed or desired access to the timer.
987 * ObjectAttributes = Initialized attributes for the object.
988 * TimerType = Specifies if the timer should be reset manually.
990 * This function maps to the win32 CreateWaitableTimer. lpTimerAttributes and lpTimerName map to
991 * corresponding fields in OBJECT_ATTRIBUTES structure.
997 OUT PHANDLE TimerHandle
,
998 IN ACCESS_MASK DesiredAccess
,
999 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
,
1000 IN TIMER_TYPE TimerType
1006 OUT PHANDLE TimerHandle
,
1007 IN ACCESS_MASK DesiredAccess
,
1008 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
,
1009 IN TIMER_TYPE TimerType
1013 * FUNCTION: Creates a token.
1015 * TokenHandle (OUT) = Caller supplied storage for the resulting handle
1016 * DesiredAccess = Specifies the allowed or desired access to the process can
1017 * be a combination of STANDARD_RIGHTS_REQUIRED| ..
1018 * ObjectAttribute = Initialized attributes for the object, contains the rootdirectory and the filename
1020 * AuthenticationId =
1026 * TokenPrimaryGroup =
1027 * TokenDefaultDacl =
1030 * This function does not map to a win32 function
1037 OUT PHANDLE TokenHandle
,
1038 IN ACCESS_MASK DesiredAccess
,
1039 IN POBJECT_ATTRIBUTES ObjectAttributes
,
1040 IN TOKEN_TYPE TokenType
,
1041 IN PLUID AuthenticationId
,
1042 IN PLARGE_INTEGER ExpirationTime
,
1043 IN PTOKEN_USER TokenUser
,
1044 IN PTOKEN_GROUPS TokenGroups
,
1045 IN PTOKEN_PRIVILEGES TokenPrivileges
,
1046 IN PTOKEN_OWNER TokenOwner
,
1047 IN PTOKEN_PRIMARY_GROUP TokenPrimaryGroup
,
1048 IN PTOKEN_DEFAULT_DACL TokenDefaultDacl
,
1049 IN PTOKEN_SOURCE TokenSource
1055 OUT PHANDLE TokenHandle
,
1056 IN ACCESS_MASK DesiredAccess
,
1057 IN POBJECT_ATTRIBUTES ObjectAttributes
,
1058 IN TOKEN_TYPE TokenType
,
1059 IN PLUID AuthenticationId
,
1060 IN PLARGE_INTEGER ExpirationTime
,
1061 IN PTOKEN_USER TokenUser
,
1062 IN PTOKEN_GROUPS TokenGroups
,
1063 IN PTOKEN_PRIVILEGES TokenPrivileges
,
1064 IN PTOKEN_OWNER TokenOwner
,
1065 IN PTOKEN_PRIMARY_GROUP TokenPrimaryGroup
,
1066 IN PTOKEN_DEFAULT_DACL TokenDefaultDacl
,
1067 IN PTOKEN_SOURCE TokenSource
1071 * FUNCTION: Returns the caller's thread TEB.
1072 * RETURNS: The resulting teb.
1082 * FUNCTION: Delays the execution of the calling thread.
1084 * Alertable = If TRUE the thread is alertable during its wait period
1085 * Interval = Specifies the interval to wait.
/*
 * NtDelayExecution: delays the execution of the calling thread.
 *   Alertable = if TRUE the thread is alertable during its wait period
 *   Interval  = pointer to the interval to wait
 * Returns an NTSTATUS.
 * NOTE(review): Alertable is declared ULONG here although it is described as
 * a TRUE/FALSE flag, and the declaration fragment that follows in this
 * listing uses IN BOOLEAN Alertable - confirm which type is intended.
 */
1088 NTSTATUS STDCALL
NtDelayExecution(IN ULONG Alertable
, IN TIME
* Interval
);
1093 IN BOOLEAN Alertable
,
1099 * FUNCTION: Deletes an atom from the global atom table
1101 * Atom = Identifies the atom to delete
1103 * The function maps to the win32 GlobalDeleteAtom
1119 * FUNCTION: Deletes a file or a directory
1121 * ObjectAttributes = Name of the file which should be deleted
1123 * This system call is functionally equivalent to NtSetInformationFile
1124 * setting the disposition information.
1125 * The function maps to the win32 DeleteFile.
1131 IN POBJECT_ATTRIBUTES ObjectAttributes
1137 IN POBJECT_ATTRIBUTES ObjectAttributes
1141 * FUNCTION: Deletes a registry key
1143 * KeyHandle = Handle of the key
1158 * FUNCTION: Generates an audit message when an object is deleted
1160 * SubsystemName = Specifies the name of the subsystem, can be 'WIN32' or 'DEBUG'
1161 * HandleId= Handle to an audit object
1162 * GenerateOnClose = Value returned by NtAccessCheckAndAuditAlarm
1163 * REMARKS: This function maps to the win32 ObjectCloseAuditAlarm
1169 NtDeleteObjectAuditAlarm (
1170 IN PUNICODE_STRING SubsystemName
,
1172 IN BOOLEAN GenerateOnClose
1177 ZwDeleteObjectAuditAlarm (
1178 IN PUNICODE_STRING SubsystemName
,
1180 IN BOOLEAN GenerateOnClose
1185 * FUNCTION: Deletes a value from a registry key
1187 * KeyHandle = Handle of the key
1188 * ValueName = Name of the value to delete
1195 IN HANDLE KeyHandle
,
1196 IN PUNICODE_STRING ValueName
1202 IN HANDLE KeyHandle
,
1203 IN PUNICODE_STRING ValueName
1206 * FUNCTION: Sends IOCTL to the io sub system
1208 * DeviceHandle = Points to the handle that is created by NtCreateFile
1209 * Event = Event to synchronize on STATUS_PENDING
1210 * ApcRoutine = Asynchronous procedure callback
1211 * ApcContext = Callback context.
1212 * IoStatusBlock = Caller should supply storage for extra information..
1213 * IoControlCode = Contains the IO Control command. This is an
1214 * index to the structures in InputBuffer and OutputBuffer.
1215 * InputBuffer = Caller should supply storage for input buffer if IOCTL expects one.
1216 * InputBufferSize = Size of the input buffer
1217 * OutputBuffer = Caller should supply storage for output buffer if IOCTL expects one.
1218 * OutputBufferSize = Size of the output buffer
1224 NtDeviceIoControlFile(
1225 IN HANDLE DeviceHandle
,
1226 IN HANDLE Event OPTIONAL
,
1227 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL
,
1228 IN PVOID UserApcContext OPTIONAL
,
1229 OUT PIO_STATUS_BLOCK IoStatusBlock
,
1230 IN ULONG IoControlCode
,
1231 IN PVOID InputBuffer
,
1232 IN ULONG InputBufferSize
,
1233 OUT PVOID OutputBuffer
,
1234 IN ULONG OutputBufferSize
1239 ZwDeviceIoControlFile(
1240 IN HANDLE DeviceHandle
,
1241 IN HANDLE Event OPTIONAL
,
1242 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL
,
1243 IN PVOID UserApcContext OPTIONAL
,
1244 OUT PIO_STATUS_BLOCK IoStatusBlock
,
1245 IN ULONG IoControlCode
,
1246 IN PVOID InputBuffer
,
1247 IN ULONG InputBufferSize
,
1248 OUT PVOID OutputBuffer
,
1249 IN ULONG OutputBufferSize
1252 * FUNCTION: Displays a string on the blue screen
1254 * DisplayString = The string to display
1261 IN PUNICODE_STRING DisplayString
1267 IN PUNICODE_STRING DisplayString
1271 * FUNCTION: Copies a handle from one process space to another
1273 * SourceProcessHandle = The source process owning the handle. The source process should have opened
1274 * the SourceHandle with PROCESS_DUP_HANDLE access.
1275 * SourceHandle = The handle to the object.
1276 * TargetProcessHandle = The destination process owning the handle
1277 * TargetHandle (OUT) = Caller should supply storage for the duplicated handle.
1278 * DesiredAccess = The desired access to the handle.
1279 * InheritHandle = Indicates whether the new handle will be inheritable or not.
1280 * Options = Specifies special actions upon duplicating the handle. Can be
1281 * one of the values DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS.
1282 * DUPLICATE_CLOSE_SOURCE specifies that the source handle should be
1283 * closed after duplicating. DUPLICATE_SAME_ACCESS specifies to ignore
1284 * the DesiredAccess parameter and just grant the same access to the new
1287 * REMARKS: This function maps to the win32 DuplicateHandle.
1293 IN HANDLE SourceProcessHandle
,
1294 IN HANDLE SourceHandle
,
1295 IN HANDLE TargetProcessHandle
,
1296 OUT PHANDLE TargetHandle
,
1297 IN ACCESS_MASK DesiredAccess
,
1298 IN BOOLEAN InheritHandle
,
1305 IN HANDLE SourceProcessHandle
,
1306 IN PHANDLE SourceHandle
,
1307 IN HANDLE TargetProcessHandle
,
1308 OUT PHANDLE TargetHandle
,
1309 IN ACCESS_MASK DesiredAccess
,
1310 IN BOOLEAN InheritHandle
,
1317 IN HANDLE ExistingToken
,
1318 IN ACCESS_MASK DesiredAccess
,
1319 IN POBJECT_ATTRIBUTES ObjectAttributes
,
1320 IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
,
1321 IN TOKEN_TYPE TokenType
,
1322 OUT PHANDLE NewToken
1328 IN HANDLE ExistingToken
,
1329 IN ACCESS_MASK DesiredAccess
,
1330 IN POBJECT_ATTRIBUTES ObjectAttributes
,
1331 IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
,
1332 IN TOKEN_TYPE TokenType
,
1333 OUT PHANDLE NewToken
1336 * FUNCTION: Returns information about the subkeys of an open key
1338 * KeyHandle = Handle of the key whose subkeys are to be enumerated
1339 * Index = zero based index of the subkey for which information is
1341 * KeyInformationClass = Type of information returned
1342 * KeyInformation (OUT) = Caller allocated buffer for the information
1344 * Length = Length in bytes of the KeyInformation buffer
1345 * ResultLength (OUT) = Caller allocated storage which holds
1346 * the number of bytes of information retrieved
1353 IN HANDLE KeyHandle
,
1355 IN KEY_INFORMATION_CLASS KeyInformationClass
,
1356 OUT PVOID KeyInformation
,
1358 OUT PULONG ResultLength
1364 IN HANDLE KeyHandle
,
1366 IN KEY_INFORMATION_CLASS KeyInformationClass
,
1367 OUT PVOID KeyInformation
,
1369 OUT PULONG ResultLength
1372 * FUNCTION: Returns information about the value entries of an open key
1374 * KeyHandle = Handle of the key whose value entries are to be enumerated
1375 * Index = zero based index of the subkey for which information is
1377 * KeyInformationClass = Type of information returned
1378 * KeyInformation (OUT) = Caller allocated buffer for the information
1380 * Length = Length in bytes of the KeyInformation buffer
1381 * ResultLength (OUT) = Caller allocated storage which holds
1382 * the number of bytes of information retrieved
1388 NtEnumerateValueKey(
1389 IN HANDLE KeyHandle
,
1391 IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass
,
1392 OUT PVOID KeyValueInformation
,
1394 OUT PULONG ResultLength
1399 ZwEnumerateValueKey(
1400 IN HANDLE KeyHandle
,
1402 IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass
,
1403 OUT PVOID KeyValueInformation
,
1405 OUT PULONG ResultLength
1408 * FUNCTION: Extends a section
1410 * SectionHandle = Handle to the section
1411 * NewMaximumSize = Adjusted size
1417 IN HANDLE SectionHandle
,
1418 IN ULONG NewMaximumSize
1423 IN HANDLE SectionHandle
,
1424 IN ULONG NewMaximumSize
1428 * FUNCTION: Finds an atom
1430 * AtomName = Name to search for.
1431 * Atom = Caller supplies storage for the resulting atom
1434 * This funciton maps to the win32 GlobalFindAtom
1440 OUT PRTL_ATOM Atom OPTIONAL
1447 OUT PRTL_ATOM Atom OPTIONAL
1451 * FUNCTION: Flushes cached file data to disk
1453 * FileHandle = Points to the file
1454 * IoStatusBlock = Caller must supply storage to receive the result of the flush
1455 * buffers operation. The information field is set to number of bytes
1459 * This function maps to the win32 FlushFileBuffers
1464 IN HANDLE FileHandle
,
1465 OUT PIO_STATUS_BLOCK IoStatusBlock
1471 IN HANDLE FileHandle
,
1472 OUT PIO_STATUS_BLOCK IoStatusBlock
1475 * FUNCTION: Flushes the processor's instruction cache
1477 * ProcessHandle = Points to the process owning the cache
1478 * BaseAddress = // might this be a image address ????
1479 * NumberOfBytesToFlush =
1482 * This function is used by debuggers
1486 NtFlushInstructionCache(
1487 IN HANDLE ProcessHandle
,
1488 IN PVOID BaseAddress
,
1489 IN UINT NumberOfBytesToFlush
1493 ZwFlushInstructionCache(
1494 IN HANDLE ProcessHandle
,
1495 IN PVOID BaseAddress
,
1496 IN UINT NumberOfBytesToFlush
1499 * FUNCTION: Flushes a registry key to disk
1501 * KeyHandle = Points to the registry key handle
1504 * This function maps to the win32 RegFlushKey.
1519 * FUNCTION: Flushes virtual memory to file
1521 * ProcessHandle = Points to the process that allocated the virtual memory
1522 * BaseAddress = Points to the memory address
1523 * NumberOfBytesToFlush = Limits the range to flush,
1524 * NumberOfBytesFlushed = Actual number of bytes flushed
1527 * Check return status on STATUS_NOT_MAPPED_DATA
1531 NtFlushVirtualMemory(
1532 IN HANDLE ProcessHandle
,
1533 IN PVOID BaseAddress
,
1534 IN ULONG NumberOfBytesToFlush
,
1535 OUT PULONG NumberOfBytesFlushed OPTIONAL
1539 ZwFlushVirtualMemory(
1540 IN HANDLE ProcessHandle
,
1541 IN PVOID BaseAddress
,
1542 IN ULONG NumberOfBytesToFlush
,
1543 OUT PULONG NumberOfBytesFlushed OPTIONAL
1547 * FUNCTION: Flushes the dirty pages to file
1549 * FIXME: Not sure what this does (how is the file specified?)
/* Nt entry point of the flush-write-buffer system call: declared with no
 * parameters (VOID) and an NTSTATUS result, so no argument names the file
 * or buffer being flushed. */
1551 NTSTATUS STDCALL
NtFlushWriteBuffer(VOID
);
/* Zw counterpart of NtFlushWriteBuffer, declared with the same signature. */
1552 NTSTATUS STDCALL
ZwFlushWriteBuffer(VOID
);
1555 * FUNCTION: Frees a range of virtual memory
1557 * ProcessHandle = Points to the process that allocated the virtual
1559 * BaseAddress = Points to the memory address, rounded down to a
1560 * multiple of the pagesize
1561 * RegionSize = Limits the range to free, rounded up to a multiple of
1563 * FreeType = Can be one of the values: MEM_DECOMMIT, or MEM_RELEASE
1566 NTSTATUS STDCALL
NtFreeVirtualMemory(IN HANDLE ProcessHandle
,
1567 IN PVOID
*BaseAddress
,
1568 IN PULONG RegionSize
,
1570 NTSTATUS STDCALL
ZwFreeVirtualMemory(IN HANDLE ProcessHandle
,
1571 IN PVOID
*BaseAddress
,
1572 IN PULONG RegionSize
,
1576 * FUNCTION: Sends FSCTL to the filesystem
1578 * DeviceHandle = Points to the handle that is created by NtCreateFile
1579 * Event = Event to synchronize on STATUS_PENDING
1582 * IoStatusBlock = Caller should supply storage for
1583 * IoControlCode = Contains the File System Control command. This is an
1584 * index to the structures in InputBuffer and OutputBuffer.
1585 * FSCTL_GET_RETRIEVAL_POINTERS MAPPING_PAIR
1586 * FSCTL_GET_RETRIEVAL_POINTERS GET_RETRIEVAL_DESCRIPTOR
1587 * FSCTL_GET_VOLUME_BITMAP BITMAP_DESCRIPTOR
1588 * FSCTL_MOVE_FILE MOVEFILE_DESCRIPTOR
1590 * InputBuffer = Caller should supply storage for input buffer if FSCTL expects one.
1591 * InputBufferSize = Size of the input buffer
1592 * OutputBuffer = Caller should supply storage for output buffer if FSCTL expects one.
1593 * OutputBufferSize = Size of the output buffer
1594 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PENDING | STATUS_ACCESS_DENIED | STATUS_INSUFFICIENT_RESOURCES |
1595 * STATUS_INVALID_PARAMETER | STATUS_INVALID_DEVICE_REQUEST ]
1600 IN HANDLE DeviceHandle
,
1601 IN HANDLE Event OPTIONAL
,
1602 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
1603 IN PVOID ApcContext OPTIONAL
,
1604 OUT PIO_STATUS_BLOCK IoStatusBlock
,
1605 IN ULONG IoControlCode
,
1606 IN PVOID InputBuffer
,
1607 IN ULONG InputBufferSize
,
1608 OUT PVOID OutputBuffer
,
1609 IN ULONG OutputBufferSize
1615 IN HANDLE DeviceHandle
,
1616 IN HANDLE Event OPTIONAL
,
1617 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
1618 IN PVOID ApcContext OPTIONAL
,
1619 OUT PIO_STATUS_BLOCK IoStatusBlock
,
1620 IN ULONG IoControlCode
,
1621 IN PVOID InputBuffer
,
1622 IN ULONG InputBufferSize
,
1623 OUT PVOID OutputBuffer
,
1624 IN ULONG OutputBufferSize
1628 * FUNCTION: Retrieves the processor context of a thread
1630 * ThreadHandle = Handle to a thread
1631 * Context (OUT) = Caller allocated storage for the processor context
1638 IN HANDLE ThreadHandle
,
1639 OUT PCONTEXT Context
1645 IN HANDLE ThreadHandle
,
1646 OUT PCONTEXT Context
1649 * FUNCTION: Retrieves the uptime of the system
1651 * UpTime = Number of clock ticks since boot.
1667 * FUNCTION: Sets a thread to impersonate another
1669 * ThreadHandle = Server thread that will impersonate a client.
1670 ThreadToImpersonate = Client thread that will be impersonated
1671 SecurityQualityOfService = Specifies the impersonation level.
1677 NtImpersonateThread(
1678 IN HANDLE ThreadHandle
,
1679 IN HANDLE ThreadToImpersonate
,
1680 IN PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService
1685 ZwImpersonateThread(
1686 IN HANDLE ThreadHandle
,
1687 IN HANDLE ThreadToImpersonate
,
1688 IN PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService
1692 * FUNCTION: Initializes the registry.
1694 * SetUpBoot = This parameter is true for a setup boot.
1699 NtInitializeRegistry(
1704 ZwInitializeRegistry(
1709 * FUNCTION: Loads a driver.
1711 * DriverServiceName = Name of the driver to load
1717 IN PUNICODE_STRING DriverServiceName
1723 IN PUNICODE_STRING DriverServiceName
1727 * FUNCTION: Loads a registry key.
1729 * KeyHandle = Handle to the registry key
1730 * ObjectAttributes = ???
1732 * This procedure maps to the win32 procedure RegLoadKey
1739 POBJECT_ATTRIBUTES ObjectAttributes
1745 POBJECT_ATTRIBUTES ObjectAttributes
1749 * FUNCTION: Loads a registry key.
1751 * KeyHandle = Handle to the registry key
1752 * ObjectAttributes = ???
1755 * This procedure maps to the win32 procedure RegLoadKey
1762 POBJECT_ATTRIBUTES ObjectAttributes
,
1769 POBJECT_ATTRIBUTES ObjectAttributes
,
1774 * FUNCTION: Locks a range of bytes in a file.
1776 * FileHandle = Handle to the file
1777 * Event = Should be null if apc is specified.
1778 * ApcRoutine = Asynchronous Procedure Callback
1779 * ApcContext = Argument to the callback
1780 * IoStatusBlock (OUT) = Caller should supply storage for a structure containing
1781 * the completion status and information about the requested lock operation.
1782 * ByteOffset = Offset
1783 * Length = Number of bytes to lock.
1784 * Key = Special value to give other threads the possibility to unlock the file
1785 by supplying the key in a call to NtUnlockFile.
1786 * FailImmediatedly = If false the request will block until the lock is obtained.
1787 * ExclusiveLock = Specifies whether an exclusive or a shared lock is obtained.
1789 This procedure maps to the win32 procedure LockFileEx. STATUS_PENDING is returned if the lock could
1790 not be obtained immediately, the device queue is busy and the IRP is queued.
1791 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PENDING | STATUS_ACCESS_DENIED | STATUS_INSUFFICIENT_RESOURCES |
1792 STATUS_INVALID_PARAMETER | STATUS_INVALID_DEVICE_REQUEST | STATUS_LOCK_NOT_GRANTED ]
1798 IN HANDLE FileHandle
,
1799 IN HANDLE Event OPTIONAL
,
1800 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
1801 IN PVOID ApcContext OPTIONAL
,
1802 OUT PIO_STATUS_BLOCK IoStatusBlock
,
1803 IN PLARGE_INTEGER ByteOffset
,
1804 IN PLARGE_INTEGER Length
,
1806 IN BOOLEAN FailImmediatedly
,
1807 IN BOOLEAN ExclusiveLock
1813 IN HANDLE FileHandle
,
1814 IN HANDLE Event OPTIONAL
,
1815 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
1816 IN PVOID ApcContext OPTIONAL
,
1817 OUT PIO_STATUS_BLOCK IoStatusBlock
,
1818 IN PLARGE_INTEGER ByteOffset
,
1819 IN PLARGE_INTEGER Length
,
1821 IN BOOLEAN FailImmediatedly
,
1822 IN BOOLEAN ExclusiveLock
1825 * FUNCTION: Locks a range of virtual memory.
1827 * ProcessHandle = Handle to the process
1828 * BaseAddress = Lower boundary of the range of bytes to lock.
1829 * NumberOfBytesToLock = Offset to the upper boundary.
1830 * NumberOfBytesLocked (OUT) = Number of bytes actually locked.
1832 This procedure maps to the win32 procedure VirtualLock
1833 * RETURNS: Status [STATUS_SUCCESS | STATUS_WAS_LOCKED ]
1837 NtLockVirtualMemory(
1838 HANDLE ProcessHandle
,
1840 ULONG NumberOfBytesToLock
,
1841 PULONG NumberOfBytesLocked
1845 ZwLockVirtualMemory(
1846 HANDLE ProcessHandle
,
1848 ULONG NumberOfBytesToLock
,
1849 PULONG NumberOfBytesLocked
1852 * FUNCTION: Makes temporary object that will be removed at next boot.
1854 * Handle = Handle to object
1860 NtMakeTemporaryObject(
1866 ZwMakeTemporaryObject(
1870 * FUNCTION: Maps a view of a section into the virtual address space of a
1873 * SectionHandle = Handle of the section
1874 * ProcessHandle = Handle of the process
1875 * BaseAddress = Desired base address (or NULL) on entry
1876 * Actual base address of the view on exit
1877 * ZeroBits = Number of high order address bits that must be zero
1878 * CommitSize = Size in bytes of the initially committed section of
1880 * SectionOffset = Offset in bytes from the beginning of the section
1881 * to the beginning of the view
1882 * ViewSize = Desired length of map (or zero to map all) on entry
1883 * Actual length mapped on exit
1884 * InheritDisposition = Specified how the view is to be shared with
1886 * AllocateType = Type of allocation for the pages
1887 * Protect = Protection for the committed region of the view
1893 IN HANDLE SectionHandle
,
1894 IN HANDLE ProcessHandle
,
1895 IN OUT PVOID
*BaseAddress
,
1897 IN ULONG CommitSize
,
1898 IN OUT PLARGE_INTEGER SectionOffset OPTIONAL
,
1899 IN OUT PULONG ViewSize
,
1900 IN SECTION_INHERIT InheritDisposition
,
1901 IN ULONG AllocationType
,
1902 IN ULONG AccessProtection
1908 IN HANDLE SectionHandle
,
1909 IN HANDLE ProcessHandle
,
1910 IN OUT PVOID
*BaseAddress
,
1912 IN ULONG CommitSize
,
1913 IN OUT PLARGE_INTEGER SectionOffset OPTIONAL
,
1914 IN OUT PULONG ViewSize
,
1915 IN SECTION_INHERIT InheritDisposition
,
1916 IN ULONG AllocationType
,
1917 IN ULONG AccessProtection
1921 * FUNCTION: Installs a notify for the change of a directory's contents
1923 * FileHandle = Handle to the directory
1925 * ApcRoutine = Asynchronous procedure callback, called on completion
1926 * ApcContext = Argument to the callback
1928 * IoStatusBlock = Caller supplies storage for the completion status of the request
1929 * Buffer = Caller supplies storage for resulting information --> FILE_NOTIFY_INFORMATION
1930 * BufferSize = Size of the buffer
1931 CompletionFilter = Can be one of the following values:
1932 FILE_NOTIFY_CHANGE_FILE_NAME
1933 FILE_NOTIFY_CHANGE_DIR_NAME
1934 FILE_NOTIFY_CHANGE_NAME ( FILE_NOTIFY_CHANGE_FILE_NAME | FILE_NOTIFY_CHANGE_DIR_NAME )
1935 FILE_NOTIFY_CHANGE_ATTRIBUTES
1936 FILE_NOTIFY_CHANGE_SIZE
1937 FILE_NOTIFY_CHANGE_LAST_WRITE
1938 FILE_NOTIFY_CHANGE_LAST_ACCESS
1939 FILE_NOTIFY_CHANGE_CREATION ( change of creation timestamp )
1940 FILE_NOTIFY_CHANGE_EA
1941 FILE_NOTIFY_CHANGE_SECURITY
1942 FILE_NOTIFY_CHANGE_STREAM_NAME
1943 FILE_NOTIFY_CHANGE_STREAM_SIZE
1944 FILE_NOTIFY_CHANGE_STREAM_WRITE
1945 WatchTree = If true the notify will be installed recursively on the targetdirectory and all subdirectories.
1948 * The function maps to the win32 FindFirstChangeNotification, FindNextChangeNotification
1953 NtNotifyChangeDirectoryFile(
1954 IN HANDLE FileHandle
,
1955 IN HANDLE Event OPTIONAL
,
1956 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
1957 IN PVOID ApcContext OPTIONAL
,
1958 OUT PIO_STATUS_BLOCK IoStatusBlock
,
1960 IN ULONG BufferSize
,
1961 IN ULONG CompletionFilter
,
1962 IN BOOLEAN WatchTree
1967 ZwNotifyChangeDirectoryFile(
1968 IN HANDLE FileHandle
,
1969 IN HANDLE Event OPTIONAL
,
1970 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
1971 IN PVOID ApcContext OPTIONAL
,
1972 OUT PIO_STATUS_BLOCK IoStatusBlock
,
1974 IN ULONG BufferSize
,
1975 IN ULONG CompletionFilter
,
1976 IN BOOLEAN WatchTree
1980 * FUNCTION: Installs a notification callback on registry changes
1982 KeyHandle = Handle to the registry key
1983 Event = Event that should be signalled on modification of the key
1984 ApcRoutine = Routine that should be called on modification of the key
1985 ApcContext = Argument to the ApcRoutine
1987 CompletionFilter = Specifies the kind of notification the caller likes to receive.
1988 Can be a combination of the following values:
1990 REG_NOTIFY_CHANGE_NAME
1991 REG_NOTIFY_CHANGE_ATTRIBUTES
1992 REG_NOTIFY_CHANGE_LAST_SET
1993 REG_NOTIFY_CHANGE_SECURITY
1996 Asynchroneous = If TRUE the changes are reported by signalling an event if false
1997 the function will not return before a change occurs.
1998 ChangeBuffer = Will return the old value
1999 Length = Size of the change buffer
2000 WatchSubtree = Indicates if the caller likes to receive a notification of changes in
2002 * REMARKS: If the key is closed the event is signalled as well.
2009 IN HANDLE KeyHandle
,
2011 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
2012 IN PVOID ApcContext OPTIONAL
,
2013 OUT PIO_STATUS_BLOCK IoStatusBlock
,
2014 IN ULONG CompletionFilter
,
2015 IN BOOLEAN Asynchroneous
,
2016 OUT PVOID ChangeBuffer
,
2018 IN BOOLEAN WatchSubtree
2024 IN HANDLE KeyHandle
,
2026 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
2027 IN PVOID ApcContext OPTIONAL
,
2028 OUT PIO_STATUS_BLOCK IoStatusBlock
,
2029 IN ULONG CompletionFilter
,
2030 IN BOOLEAN Asynchroneous
,
2031 OUT PVOID ChangeBuffer
,
2033 IN BOOLEAN WatchSubtree
2037 * FUNCTION: Opens an existing directory object
2039 * FileHandle (OUT) = Caller supplied storage for the resulting handle
2040 * DesiredAccess = Requested access to the directory
2041 * ObjectAttributes = Initialized attributes for the object
2047 NtOpenDirectoryObject(
2048 OUT PHANDLE FileHandle
,
2049 IN ACCESS_MASK DesiredAccess
,
2050 IN POBJECT_ATTRIBUTES ObjectAttributes
2054 ZwOpenDirectoryObject(
2055 OUT PHANDLE FileHandle
,
2056 IN ACCESS_MASK DesiredAccess
,
2057 IN POBJECT_ATTRIBUTES ObjectAttributes
2061 * FUNCTION: Opens an existing event
2063 * EventHandle (OUT) = Caller supplied storage for the resulting handle
2064 * DesiredAccess = Requested access to the event
2065 * ObjectAttributes = Initialized attributes for the object
2071 OUT PHANDLE EventHandle
,
2072 IN ACCESS_MASK DesiredAccess
,
2073 IN POBJECT_ATTRIBUTES ObjectAttributes
2079 OUT PHANDLE EventHandle
,
2080 IN ACCESS_MASK DesiredAccess
,
2081 IN POBJECT_ATTRIBUTES ObjectAttributes
2085 * FUNCTION: Opens an existing event pair
2087 * EventPairHandle (OUT) = Caller supplied storage for the resulting handle
2088 * DesiredAccess = Requested access to the event pair
2089 * ObjectAttributes = Initialized attributes for the object
2096 OUT PHANDLE EventPairHandle
,
2097 IN ACCESS_MASK DesiredAccess
,
2098 IN POBJECT_ATTRIBUTES ObjectAttributes
2104 OUT PHANDLE EventPairHandle
,
2105 IN ACCESS_MASK DesiredAccess
,
2106 IN POBJECT_ATTRIBUTES ObjectAttributes
2109 * FUNCTION: Opens an existing file
2111 * FileHandle (OUT) = Caller supplied storage for the resulting handle
2112 * DesiredAccess = Requested access to the file
2113 * ObjectAttributes = Initialized attributes for the object
2122 OUT PHANDLE FileHandle
,
2123 IN ACCESS_MASK DesiredAccess
,
2124 IN POBJECT_ATTRIBUTES ObjectAttributes
,
2125 OUT PIO_STATUS_BLOCK IoStatusBlock
,
2126 IN ULONG ShareAccess
,
2127 IN ULONG OpenOptions
2133 OUT PHANDLE FileHandle
,
2134 IN ACCESS_MASK DesiredAccess
,
2135 IN POBJECT_ATTRIBUTES ObjectAttributes
,
2136 OUT PIO_STATUS_BLOCK IoStatusBlock
,
2137 IN ULONG ShareAccess
,
2138 IN ULONG OpenOptions
2142 * FUNCTION: Opens an existing io completion object
2144 * CompletionPort (OUT) = Caller supplied storage for the resulting handle
2145 * DesiredAccess = Requested access to the io completion object
2146 * ObjectAttributes = Initialized attributes for the object
2153 OUT PHANDLE CompetionPort
,
2154 IN ACCESS_MASK DesiredAccess
,
2155 IN POBJECT_ATTRIBUTES ObjectAttributes
2161 OUT PHANDLE CompetionPort
,
2162 IN ACCESS_MASK DesiredAccess
,
2163 IN POBJECT_ATTRIBUTES ObjectAttributes
2167 * FUNCTION: Opens an existing key in the registry
2169 * KeyHandle (OUT) = Caller supplied storage for the resulting handle
2170 * DesiredAccess = Requested access to the key
2171 * ObjectAttributes = Initialized attributes for the object
2177 OUT PHANDLE KeyHandle
,
2178 IN ACCESS_MASK DesiredAccess
,
2179 IN POBJECT_ATTRIBUTES ObjectAttributes
2185 OUT PHANDLE KeyHandle
,
2186 IN ACCESS_MASK DesiredAccess
,
2187 IN POBJECT_ATTRIBUTES ObjectAttributes
2190 * FUNCTION: Opens an existing mutant
2192 * MutantHandle (OUT) = Caller supplied storage for the resulting handle
2193 * DesiredAccess = Requested access to the mutant
2194 * ObjectAttribute = Initialized attributes for the object
2200 OUT PHANDLE MutantHandle
,
2201 IN ACCESS_MASK DesiredAccess
,
2202 IN POBJECT_ATTRIBUTES ObjectAttributes
2207 OUT PHANDLE MutantHandle
,
2208 IN ACCESS_MASK DesiredAccess
,
2209 IN POBJECT_ATTRIBUTES ObjectAttributes
2214 NtOpenObjectAuditAlarm(
2215 IN PUNICODE_STRING SubsystemName
,
2217 IN POBJECT_ATTRIBUTES ObjectAttributes
,
2218 IN HANDLE ClientToken
,
2219 IN ULONG DesiredAccess
,
2220 IN ULONG GrantedAccess
,
2221 IN PPRIVILEGE_SET Privileges
,
2222 IN BOOLEAN ObjectCreation
,
2223 IN BOOLEAN AccessGranted
,
2224 OUT PBOOLEAN GenerateOnClose
2229 ZwOpenObjectAuditAlarm(
2230 IN PUNICODE_STRING SubsystemName
,
2232 IN POBJECT_ATTRIBUTES ObjectAttributes
,
2233 IN HANDLE ClientToken
,
2234 IN ULONG DesiredAccess
,
2235 IN ULONG GrantedAccess
,
2236 IN PPRIVILEGE_SET Privileges
,
2237 IN BOOLEAN ObjectCreation
,
2238 IN BOOLEAN AccessGranted
,
2239 OUT PBOOLEAN GenerateOnClose
2242 * FUNCTION: Opens an existing process
2244 * ProcessHandle (OUT) = Caller supplied storage for the resulting handle
2245 * DesiredAccess = Requested access to the process
2246 * ObjectAttribute = Initialized attributes for the object
2247 * ClientId = Identifies the process id to open
2253 OUT PHANDLE ProcessHandle
,
2254 IN ACCESS_MASK DesiredAccess
,
2255 IN POBJECT_ATTRIBUTES ObjectAttributes
,
2256 IN PCLIENT_ID ClientId
2261 OUT PHANDLE ProcessHandle
,
2262 IN ACCESS_MASK DesiredAccess
,
2263 IN POBJECT_ATTRIBUTES ObjectAttributes
,
2264 IN PCLIENT_ID ClientId
2267 * FUNCTION: Opens the access token of an existing process
2269 * ProcessHandle = Handle of the process which owns the token
2270 * DesiredAccess = Requested access to the token
2271 * TokenHandle (OUT) = Caller supplies storage for the resulting token.
2273 This function maps to the win32
2280 IN HANDLE ProcessHandle
,
2281 IN ACCESS_MASK DesiredAccess
,
2282 OUT PHANDLE TokenHandle
2288 IN HANDLE ProcessHandle
,
2289 IN ACCESS_MASK DesiredAccess
,
2290 OUT PHANDLE TokenHandle
2294 * FUNCTION: Opens an existing section object
2296 * SectionHandle (OUT) = Caller supplied storage for the resulting handle
2297 * DesiredAccess = Requested access to the section
2298 * ObjectAttribute = Initialized attributes for the object
2305 OUT PHANDLE SectionHandle
,
2306 IN ACCESS_MASK DesiredAccess
,
2307 IN POBJECT_ATTRIBUTES ObjectAttributes
2312 OUT PHANDLE SectionHandle
,
2313 IN ACCESS_MASK DesiredAccess
,
2314 IN POBJECT_ATTRIBUTES ObjectAttributes
2317 * FUNCTION: Opens an existing semaphore
2319 * SemaphoreHandle (OUT) = Caller supplied storage for the resulting handle
2320 * DesiredAccess = Requested access to the semaphore
2321 * ObjectAttribute = Initialized attributes for the object
2327 IN HANDLE SemaphoreHandle
,
2328 IN ACCESS_MASK DesiredAcces
,
2329 IN POBJECT_ATTRIBUTES ObjectAttributes
2334 IN HANDLE SemaphoreHandle
,
2335 IN ACCESS_MASK DesiredAcces
,
2336 IN POBJECT_ATTRIBUTES ObjectAttributes
2339 * FUNCTION: Opens an existing symbolic link
2341 * SymbolicLinkHandle (OUT) = Caller supplied storage for the resulting handle
2342 * DesiredAccess = Requested access to the symbolic link
2343 * ObjectAttribute = Initialized attributes for the object
2348 NtOpenSymbolicLinkObject(
2349 OUT PHANDLE SymbolicLinkHandle
,
2350 IN ACCESS_MASK DesiredAccess
,
2351 IN POBJECT_ATTRIBUTES ObjectAttributes
2355 ZwOpenSymbolicLinkObject(
2356 OUT PHANDLE SymbolicLinkHandle
,
2357 IN ACCESS_MASK DesiredAccess
,
2358 IN POBJECT_ATTRIBUTES ObjectAttributes
2361 * FUNCTION: Opens an existing thread
2363 * ThreadHandle (OUT) = Caller supplied storage for the resulting handle
2364 * DesiredAccess = Requested access to the thread
2365 * ObjectAttribute = Initialized attributes for the object
2366 * ClientId = Identifies the thread to open.
2372 OUT PHANDLE ThreadHandle
,
2373 IN ACCESS_MASK DesiredAccess
,
2374 IN POBJECT_ATTRIBUTES ObjectAttributes
,
2375 IN PCLIENT_ID ClientId
2380 OUT PHANDLE ThreadHandle
,
2381 IN ACCESS_MASK DesiredAccess
,
2382 IN POBJECT_ATTRIBUTES ObjectAttributes
,
2383 IN PCLIENT_ID ClientId
2389 IN HANDLE ThreadHandle
,
2390 IN ACCESS_MASK DesiredAccess
,
2391 IN BOOLEAN OpenAsSelf
,
2392 OUT PHANDLE TokenHandle
2398 IN HANDLE ThreadHandle
,
2399 IN ACCESS_MASK DesiredAccess
,
2400 IN BOOLEAN OpenAsSelf
,
2401 OUT PHANDLE TokenHandle
2404 * FUNCTION: Opens an existing timer
2406 * TimerHandle (OUT) = Caller supplied storage for the resulting handle
2407 * DesiredAccess = Requested access to the timer
2408 * ObjectAttribute = Initialized attributes for the object
2414 OUT PHANDLE TimerHandle
,
2415 IN ACCESS_MASK DesiredAccess
,
2416 IN POBJECT_ATTRIBUTES ObjectAttributes
2421 OUT PHANDLE TimerHandle
,
2422 IN ACCESS_MASK DesiredAccess
,
2423 IN POBJECT_ATTRIBUTES ObjectAttributes
2427 * FUNCTION: Checks an access token for specific privileges
2429 * ClientToken = Handle to an access token structure
2430 * RequiredPrivileges = Specifies the requested privileges.
2431 * Result = Caller supplies storage for the result. If PRIVILEGE_SET_ALL_NECESSARY is
2432 set in the Control member of the PRIVILEGE_SET, Result
2433 will only be TRUE if all privileges are present in the access token.
2440 IN HANDLE ClientToken
,
2441 IN PPRIVILEGE_SET RequiredPrivileges
,
2448 IN HANDLE ClientToken
,
2449 IN PPRIVILEGE_SET RequiredPrivileges
,
2455 NtPrivilegedServiceAuditAlarm(
2456 IN PUNICODE_STRING SubsystemName
,
2457 IN PUNICODE_STRING ServiceName
,
2458 IN HANDLE ClientToken
,
2459 IN PPRIVILEGE_SET Privileges
,
2460 IN BOOLEAN AccessGranted
2465 ZwPrivilegedServiceAuditAlarm(
2466 IN PUNICODE_STRING SubsystemName
,
2467 IN PUNICODE_STRING ServiceName
,
2468 IN HANDLE ClientToken
,
2469 IN PPRIVILEGE_SET Privileges
,
2470 IN BOOLEAN AccessGranted
2475 NtPrivilegeObjectAuditAlarm(
2476 IN PUNICODE_STRING SubsystemName
,
2478 IN HANDLE ClientToken
,
2479 IN ULONG DesiredAccess
,
2480 IN PPRIVILEGE_SET Privileges
,
2481 IN BOOLEAN AccessGranted
2486 ZwPrivilegeObjectAuditAlarm(
2487 IN PUNICODE_STRING SubsystemName
,
2489 IN HANDLE ClientToken
,
2490 IN ULONG DesiredAccess
,
2491 IN PPRIVILEGE_SET Privileges
,
2492 IN BOOLEAN AccessGranted
2496 * FUNCTION: Entry point for native applications
2498 * Peb = Points to the Process Environment Block (PEB)
2500 * Native applications should use this function instead of a main.
2501 * Calling process should terminate itself.
2510 * FUNCTION: Set the access protection of a range of virtual memory
2512 * ProcessHandle = Handle to process owning the virtual address space
2513 * BaseAddress = Start address
2514 * NumberOfBytesToProtect = Delimits the range of virtual memory
2515 * for which the new access protection holds
2516 * NewAccessProtection = The new access protection for the pages
2517 * OldAccessProtection = Caller should supply storage for the old
2521 * The function maps to the win32 VirtualProtectEx
2526 NtProtectVirtualMemory(
2527 IN HANDLE ProcessHandle
,
2528 IN PVOID BaseAddress
,
2529 IN ULONG NumberOfBytesToProtect
,
2530 IN ULONG NewAccessProtection
,
2531 OUT PULONG OldAccessProtection
2536 ZwProtectVirtualMemory(
2537 IN HANDLE ProcessHandle
,
2538 IN PVOID BaseAddress
,
2539 IN ULONG NumberOfBytesToProtect
,
2540 IN ULONG NewAccessProtection
,
2541 OUT PULONG OldAccessProtection
2546 * FUNCTION: Signals an event and resets it afterwards.
2548 * EventHandle = Handle to the event
2549 * PulseCount = Number of times the action is repeated
2555 IN HANDLE EventHandle
,
2556 IN PULONG PulseCount OPTIONAL
2562 IN HANDLE EventHandle
,
2563 IN PULONG PulseCount OPTIONAL
2567 * FUNCTION: Queries the attributes of a file
2569 * ObjectAttributes = Initialized attributes for the object
2570 * Buffer = Caller supplies storage for the attributes
2575 NtQueryAttributesFile(IN POBJECT_ATTRIBUTES ObjectAttributes
,
2576 OUT PFILE_BASIC_INFORMATION FileInformation
);
2579 ZwQueryAttributesFile(IN POBJECT_ATTRIBUTES ObjectAttributes
,
2580 OUT PFILE_BASIC_INFORMATION FileInformation
);
2583 * FUNCTION: Queries the default locale id
2585 * UserProfile = Type of locale id
2586 * TRUE: thread locale id
2587 * FALSE: system locale id
2588 * DefaultLocaleId = Caller supplies storage for the locale id
2594 NtQueryDefaultLocale(
2595 IN BOOLEAN UserProfile
,
2596 OUT PLCID DefaultLocaleId
2601 ZwQueryDefaultLocale(
2602 IN BOOLEAN UserProfile
,
2603 OUT PLCID DefaultLocaleId
2607 * FUNCTION: Queries a directory file.
2609 * FileHandle = Handle to a directory file
2610 * EventHandle = Handle to the event signaled on completion
2611 * ApcRoutine = Asynchronous procedure callback, called on completion
2612 * ApcContext = Argument to the apc.
2613 * IoStatusBlock = Caller supplies storage for extended status information.
2614 * FileInformation = Caller supplies storage for the resulting information.
2616 * FileNameInformation FILE_NAMES_INFORMATION
2617 * FileDirectoryInformation FILE_DIRECTORY_INFORMATION
2618 * FileFullDirectoryInformation FILE_FULL_DIRECTORY_INFORMATION
2619 * FileBothDirectoryInformation FILE_BOTH_DIR_INFORMATION
2621 * Length = Size of the storage supplied
2622 * FileInformationClass = Indicates the type of information requested.
2623 * ReturnSingleEntry = Specify true if caller only requests the first directory found.
2624 * FileName = Initial directory name to query, that may contain wild cards.
2625 * RestartScan = Number of times the action should be repeated
2626 * RETURNS: Status [ STATUS_SUCCESS, STATUS_ACCESS_DENIED, STATUS_INSUFFICIENT_RESOURCES,
2627 * STATUS_INVALID_PARAMETER, STATUS_INVALID_DEVICE_REQUEST, STATUS_BUFFER_OVERFLOW,
2628 * STATUS_INVALID_INFO_CLASS, STATUS_NO_SUCH_FILE, STATUS_NO_MORE_FILES ]
2633 NtQueryDirectoryFile(
2634 IN HANDLE FileHandle
,
2635 IN HANDLE Event OPTIONAL
,
2636 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
2637 IN PVOID ApcContext OPTIONAL
,
2638 OUT PIO_STATUS_BLOCK IoStatusBlock
,
2639 OUT PVOID FileInformation
,
2641 IN FILE_INFORMATION_CLASS FileInformationClass
,
2642 IN BOOLEAN ReturnSingleEntry
,
2643 IN PUNICODE_STRING FileName OPTIONAL
,
2644 IN BOOLEAN RestartScan
2649 ZwQueryDirectoryFile(
2650 IN HANDLE FileHandle
,
2651 IN HANDLE Event OPTIONAL
,
2652 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
2653 IN PVOID ApcContext OPTIONAL
,
2654 OUT PIO_STATUS_BLOCK IoStatusBlock
,
2655 OUT PVOID FileInformation
,
2657 IN FILE_INFORMATION_CLASS FileInformationClass
,
2658 IN BOOLEAN ReturnSingleEntry
,
2659 IN PUNICODE_STRING FileName OPTIONAL
,
2660 IN BOOLEAN RestartScan
2664 * FUNCTION: Query information about the content of a directory object
2666 DirObjInformation = Buffer must be large enough to hold the name strings too
2667 GetNextIndex = If TRUE :return the index of the next object in this directory in ObjectIndex
2668 If FALSE: return the number of objects in this directory in ObjectIndex
2669 IgnoreInputIndex= If TRUE: ignore input value of ObjectIndex always start at index 0
2670 If FALSE use input value of ObjectIndex
2671 ObjectIndex = zero based index of object in the directory depends on GetNextIndex and IgnoreInputIndex
2672 DataWritten = Actual size of the ObjectIndex ???
2677 NtQueryDirectoryObject(
2678 IN HANDLE DirObjHandle
,
2679 OUT POBJDIR_INFORMATION DirObjInformation
,
2680 IN ULONG BufferLength
,
2681 IN BOOLEAN GetNextIndex
,
2682 IN BOOLEAN IgnoreInputIndex
,
2683 IN OUT PULONG ObjectIndex
,
2684 OUT PULONG DataWritten OPTIONAL
2689 ZwQueryDirectoryObject(
2690 IN HANDLE DirObjHandle
,
2691 OUT POBJDIR_INFORMATION DirObjInformation
,
2692 IN ULONG BufferLength
,
2693 IN BOOLEAN GetNextIndex
,
2694 IN BOOLEAN IgnoreInputIndex
,
2695 IN OUT PULONG ObjectIndex
,
2696 OUT PULONG DataWritten OPTIONAL
2700 * FUNCTION: Queries the extended attributes of a file
2702 * FileHandle = Handle to the file
2703 * IoStatusBlock = Caller supplies storage for extended status information
2717 IN HANDLE FileHandle
,
2718 OUT PIO_STATUS_BLOCK IoStatusBlock
,
2721 IN BOOLEAN ReturnSingleEntry
,
2722 IN PVOID EaList OPTIONAL
,
2723 IN ULONG EaListLength
,
2724 IN PULONG EaIndex OPTIONAL
,
2725 IN BOOLEAN RestartScan
2731 IN HANDLE FileHandle
,
2732 OUT PIO_STATUS_BLOCK IoStatusBlock
,
2735 IN BOOLEAN ReturnSingleEntry
,
2736 IN PVOID EaList OPTIONAL
,
2737 IN ULONG EaListLength
,
2738 IN PULONG EaIndex OPTIONAL
,
2739 IN BOOLEAN RestartScan
2743 * FUNCTION: Queries an event
2745 * EventHandle = Handle to the event
2746 * EventInformationClass = Index of the information structure
2748 EventBasicInformation EVENT_BASIC_INFORMATION
2750 * EventInformation = Caller supplies storage for the information structure
2751 * EventInformationLength = Size of the information structure
2752 * ReturnLength = Data written
2758 IN HANDLE EventHandle
,
2759 IN EVENT_INFORMATION_CLASS EventInformationClass
,
2760 OUT PVOID EventInformation
,
2761 IN ULONG EventInformationLength
,
2762 OUT PULONG ReturnLength
2767 IN HANDLE EventHandle
,
2768 IN EVENT_INFORMATION_CLASS EventInformationClass
,
2769 OUT PVOID EventInformation
,
2770 IN ULONG EventInformationLength
,
2771 OUT PULONG ReturnLength
2775 NtQueryFullAttributesFile(IN POBJECT_ATTRIBUTES ObjectAttributes
,
2776 OUT PFILE_NETWORK_OPEN_INFORMATION FileInformation
);
2779 ZwQueryFullAttributesFile(IN POBJECT_ATTRIBUTES ObjectAttributes
,
2780 OUT PFILE_NETWORK_OPEN_INFORMATION FileInformation
);
2784 NtQueryInformationAtom(
2786 IN ATOM_INFORMATION_CLASS AtomInformationClass
,
2787 OUT PVOID AtomInformation
,
2788 IN ULONG AtomInformationLength
,
2789 OUT PULONG ReturnLength OPTIONAL
2794 NtQueryInformationAtom(
2796 IN ATOM_INFORMATION_CLASS AtomInformationClass
,
2797 OUT PVOID AtomInformation
,
2798 IN ULONG AtomInformationLength
,
2799 OUT PULONG ReturnLength OPTIONAL
2804 * FUNCTION: Queries the information of a file object.
2806 * FileHandle = Handle to the file object
2807 * IoStatusBlock = Caller supplies storage for extended information
2808 * on the current operation.
2809 * FileInformation = Storage for the new file information
2810 * Length = Size of the storage for the file information.
2811 * FileInformationClass = Indicates which file information is queried
2813 FileDirectoryInformation FILE_DIRECTORY_INFORMATION
2814 FileFullDirectoryInformation FILE_FULL_DIRECTORY_INFORMATION
2815 FileBothDirectoryInformation FILE_BOTH_DIRECTORY_INFORMATION
2816 FileBasicInformation FILE_BASIC_INFORMATION
2817 FileStandardInformation FILE_STANDARD_INFORMATION
2818 FileInternalInformation FILE_INTERNAL_INFORMATION
2819 FileEaInformation FILE_EA_INFORMATION
2820 FileAccessInformation FILE_ACCESS_INFORMATION
2821 FileNameInformation FILE_NAME_INFORMATION
2822 FileRenameInformation FILE_RENAME_INFORMATION
2824 FileNamesInformation FILE_NAMES_INFORMATION
2825 FileDispositionInformation FILE_DISPOSITION_INFORMATION
2826 FilePositionInformation FILE_POSITION_INFORMATION
2827 FileFullEaInformation FILE_FULL_EA_INFORMATION
2828 FileModeInformation FILE_MODE_INFORMATION
2829 FileAlignmentInformation FILE_ALIGNMENT_INFORMATION
2830 FileAllInformation FILE_ALL_INFORMATION
2832 FileEndOfFileInformation FILE_END_OF_FILE_INFORMATION
2833 FileAlternateNameInformation
2834 FileStreamInformation FILE_STREAM_INFORMATION
2836 FilePipeLocalInformation
2837 FilePipeRemoteInformation
2838 FileMailslotQueryInformation
2839 FileMailslotSetInformation
2840 FileCompressionInformation FILE_COMPRESSION_INFORMATION
2841 FileCopyOnWriteInformation
2842 FileCompletionInformation IO_COMPLETION_CONTEXT
2843 FileMoveClusterInformation
2844 FileOleClassIdInformation
2845 FileOleStateBitsInformation
2846 FileNetworkOpenInformation FILE_NETWORK_OPEN_INFORMATION
2847 FileObjectIdInformation
2848 FileOleAllInformation
2849 FileOleDirectoryInformation
2850 FileContentIndexInformation
2851 FileInheritContentIndexInformation
2853 FileMaximumInformation
2856 * This procedure maps to the win32 GetShortPathName, GetLongPathName,
2857 GetFullPathName, GetFileType, GetFileSize, GetFileTime functions.
2862 NtQueryInformationFile(
2863 IN HANDLE FileHandle
,
2864 OUT PIO_STATUS_BLOCK IoStatusBlock
,
2865 OUT PVOID FileInformation
,
2867 IN FILE_INFORMATION_CLASS FileInformationClass
2872 ZwQueryInformationFile(
2874 PIO_STATUS_BLOCK IoStatusBlock
,
2875 PVOID FileInformation
,
2877 FILE_INFORMATION_CLASS FileInformationClass
2881 * FUNCTION: Queries the information of a process object.
2883 * ProcessHandle = Handle to the process object
2884 * ProcessInformation = Index to a certain information structure
2886 ProcessBasicInformation PROCESS_BASIC_INFORMATION
2887 ProcessQuotaLimits QUOTA_LIMITS
2888 ProcessIoCounters IO_COUNTERS
2889 ProcessVmCounters VM_COUNTERS
2890 ProcessTimes KERNEL_USER_TIMES
2891 ProcessBasePriority KPRIORITY
2892 ProcessRaisePriority KPRIORITY
2893 ProcessDebugPort HANDLE
2894 ProcessExceptionPort HANDLE
2895 ProcessAccessToken PROCESS_ACCESS_TOKEN
2896 ProcessLdtInformation LDT_ENTRY ??
2897 ProcessLdtSize ULONG
2898 ProcessDefaultHardErrorMode ULONG
2899 ProcessIoPortHandlers // kernel mode only
2900 ProcessPooledUsageAndLimits POOLED_USAGE_AND_LIMITS
2901 ProcessWorkingSetWatch PROCESS_WS_WATCH_INFORMATION
2902 ProcessUserModeIOPL (I/O Privilege Level)
2903 ProcessEnableAlignmentFaultFixup BOOLEAN
2904 ProcessPriorityClass ULONG
2905 ProcessWx86Information ULONG
2906 ProcessHandleCount ULONG
2907 ProcessAffinityMask ULONG
2908 ProcessPooledQuotaLimits QUOTA_LIMITS
2911 * ProcessInformation = Caller supplies storage for the process information structure
2912 * ProcessInformationLength = Size of the process information structure
2913 * ReturnLength = Actual number of bytes written
2916 * This procedure maps to the win32 GetProcessTimes, GetProcessVersion,
2917 GetProcessWorkingSetSize, GetProcessPriorityBoost, GetProcessAffinityMask, GetPriorityClass,
2918 GetProcessShutdownParameters functions.
2924 NtQueryInformationProcess(
2925 IN HANDLE ProcessHandle
,
2926 IN CINT ProcessInformationClass
,
2927 OUT PVOID ProcessInformation
,
2928 IN ULONG ProcessInformationLength
,
2929 OUT PULONG ReturnLength
2934 ZwQueryInformationProcess(
2935 IN HANDLE ProcessHandle
,
2936 IN CINT ProcessInformationClass
,
2937 OUT PVOID ProcessInformation
,
2938 IN ULONG ProcessInformationLength
,
2939 OUT PULONG ReturnLength
2944 * FUNCTION: Queries the information of a thread object.
2946 * ThreadHandle = Handle to the thread object
2947 * ThreadInformationClass = Index to a certain information structure
2949 ThreadBasicInformation THREAD_BASIC_INFORMATION
2950 ThreadTimes KERNEL_USER_TIMES
2951 ThreadPriority KPRIORITY
2952 ThreadBasePriority KPRIORITY
2953 ThreadAffinityMask KAFFINITY
2954 ThreadImpersonationToken
2955 ThreadDescriptorTableEntry
2956 ThreadEnableAlignmentFaultFixup
2958 ThreadQuerySetWin32StartAddress
2960 ThreadPerformanceCount
2961 ThreadAmILastThread BOOLEAN
2962 ThreadIdealProcessor ULONG
2963 ThreadPriorityBoost ULONG
2967 * ThreadInformation = Caller supplies storage for the thread information
2968 * ThreadInformationLength = Size of the thread information structure
2969 * ReturnLength = Actual number of bytes written
2972 * This procedure maps to the win32 GetThreadTimes, GetThreadPriority,
2973 GetThreadPriorityBoost functions.
2980 NtQueryInformationThread(
2981 IN HANDLE ThreadHandle
,
2982 IN THREADINFOCLASS ThreadInformationClass
,
2983 OUT PVOID ThreadInformation
,
2984 IN ULONG ThreadInformationLength
,
2985 OUT PULONG ReturnLength
2991 NtQueryInformationToken(
2992 IN HANDLE TokenHandle
,
2993 IN TOKEN_INFORMATION_CLASS TokenInformationClass
,
2994 OUT PVOID TokenInformation
,
2995 IN ULONG TokenInformationLength
,
2996 OUT PULONG ReturnLength
3001 ZwQueryInformationToken(
3002 IN HANDLE TokenHandle
,
3003 IN TOKEN_INFORMATION_CLASS TokenInformationClass
,
3004 OUT PVOID TokenInformation
,
3005 IN ULONG TokenInformationLength
,
3006 OUT PULONG ReturnLength
3010 * FUNCTION: Query the interval and the clocksource for profiling
/*
 * Queries the profiling interval and clock source (per the FUNCTION line above).
 * NOTE(review): ClockSource is annotated OUT but is passed by value, so it
 * cannot carry a result back to the caller. Presumably it selects the source
 * whose interval is returned through Interval (i.e. IN) - confirm. The
 * ZwQueryIntervalProfile declaration that follows has the same annotation.
 */
3018 NtQueryIntervalProfile(
3019 OUT PULONG Interval
,
3020 OUT KPROFILE_SOURCE ClockSource
3025 ZwQueryIntervalProfile(
3026 OUT PULONG Interval
,
3027 OUT KPROFILE_SOURCE ClockSource
3034 NtQueryIoCompletion(
3035 IN HANDLE CompletionPort
,
3036 IN ULONG CompletionKey
,
3037 OUT PIO_STATUS_BLOCK IoStatusBlock
,
3038 OUT PULONG NumberOfBytesTransferred
3042 ZwQueryIoCompletion(
3043 IN HANDLE CompletionPort
,
3044 IN ULONG CompletionKey
,
3045 OUT PIO_STATUS_BLOCK IoStatusBlock
,
3046 OUT PULONG NumberOfBytesTransferred
3051 * FUNCTION: Queries the information of a registry key object.
3053 KeyHandle = Handle to a registry key
3054 KeyInformationClass = Index to a certain information structure
3055 KeyInformation = Caller supplies storage for resulting information
3056 Length = Size of the supplied storage
3057 ResultLength = Bytes written
3062 IN HANDLE KeyHandle
,
3063 IN KEY_INFORMATION_CLASS KeyInformationClass
,
3064 OUT PVOID KeyInformation
,
3066 OUT PULONG ResultLength
3072 IN HANDLE KeyHandle
,
3073 IN KEY_INFORMATION_CLASS KeyInformationClass
,
3074 OUT PVOID KeyInformation
,
3076 OUT PULONG ResultLength
3084 NtQueryMultipleValueKey(
3085 IN HANDLE KeyHandle
,
3086 IN OUT PKEY_VALUE_ENTRY ValueList
,
3087 IN ULONG NumberOfValues
,
3089 IN OUT PULONG Length
,
3090 OUT PULONG ReturnLength
3095 ZwQueryMultipleValueKey(
3096 IN HANDLE KeyHandle
,
3097 IN OUT PKEY_VALUE_ENTRY ValueList
,
3098 IN ULONG NumberOfValues
,
3100 IN OUT PULONG Length
,
3101 OUT PULONG ReturnLength
3105 * FUNCTION: Queries the information of a mutant object.
3107 MutantHandle = Handle to a mutant
3108 MutantInformationClass = Index to a certain information structure
3109 MutantInformation = Caller supplies storage for resulting information
3110 Length = Size of the supplied storage
3111 ResultLength = Bytes written
3116 IN HANDLE MutantHandle
,
3117 IN CINT MutantInformationClass
,
3118 OUT PVOID MutantInformation
,
3120 OUT PULONG ResultLength
3126 IN HANDLE MutantHandle
,
3127 IN CINT MutantInformationClass
,
3128 OUT PVOID MutantInformation
,
3130 OUT PULONG ResultLength
3133 * FUNCTION: Queries the information of an object.
3135 ObjectHandle = Handle to an object
3136 ObjectInformationClass = Index to a certain information structure
3138 ObjectBasicInformation
3139 ObjectTypeInformation OBJECT_TYPE_INFORMATION
3140 ObjectNameInformation OBJECT_NAME_INFORMATION
3141 ObjectDataInformation OBJECT_DATA_INFORMATION
3143 ObjectInformation = Caller supplies storage for resulting information
3144 Length = Size of the supplied storage
3145 ResultLength = Bytes written
3151 IN HANDLE ObjectHandle
,
3152 IN CINT ObjectInformationClass
,
3153 OUT PVOID ObjectInformation
,
3155 OUT PULONG ResultLength
3161 IN HANDLE ObjectHandle
,
3162 IN CINT ObjectInformationClass
,
3163 OUT PVOID ObjectInformation
,
3165 OUT PULONG ResultLength
3169 * FUNCTION: Queries the system ( high-resolution ) performance counter.
3171 * Counter = Performance counter
3172 * Frequency = Performance frequency
3174 This procedure queries a tick count faster than 10ms ( The resolution for Intel®-based CPUs is about 0.8 microseconds.)
3175 This procedure maps to the win32 QueryPerformanceCounter, QueryPerformanceFrequency
/*
 * Queries the high-resolution performance counter and its frequency
 * (per the FUNCTION line above).
 * NOTE(review): Counter and Frequency are both annotated IN, yet the
 * description says the call queries them, so they presumably receive the
 * results (OUT) - confirm. The ZwQueryPerformanceCounter declaration that
 * follows has the same annotation.
 */
3181 NtQueryPerformanceCounter(
3182 IN PLARGE_INTEGER Counter
,
3183 IN PLARGE_INTEGER Frequency
3188 ZwQueryPerformanceCounter(
3189 IN PLARGE_INTEGER Counter
,
3190 IN PLARGE_INTEGER Frequency
3193 * FUNCTION: Queries the information of a section object.
3195 * SectionHandle = Handle to the section link object
3196 * SectionInformationClass = Index to a certain information structure
3197 * SectionInformation (OUT)= Caller supplies storage for resulting information
3198 * Length = Size of the supplied storage
3199 * ResultLength = Data written
3206 IN HANDLE SectionHandle
,
3207 IN CINT SectionInformationClass
,
3208 OUT PVOID SectionInformation
,
3210 OUT PULONG ResultLength
3216 IN HANDLE SectionHandle
,
3217 IN CINT SectionInformationClass
,
3218 OUT PVOID SectionInformation
,
3220 OUT PULONG ResultLength
3225 NtQuerySecurityObject(
3227 IN CINT SecurityObjectInformationClass
,
3228 OUT PVOID SecurityObjectInformation
,
3230 OUT PULONG ReturnLength
3235 ZwQuerySecurityObject(
3237 IN CINT SecurityObjectInformationClass
,
3238 OUT PVOID SecurityObjectInformation
,
3240 OUT PULONG ReturnLength
3245 * FUNCTION: Queries the information of a semaphore.
3247 * SemaphoreHandle = Handle to the semaphore object
3248 * SemaphoreInformationClass = Index to a certain information structure
3250 SemaphoreBasicInformation SEMAPHORE_BASIC_INFORMATION
3252 * SemaphoreInformation = Caller supplies storage for the semaphore information structure
3253 * Length = Size of the information structure
3258 IN HANDLE SemaphoreHandle
,
3259 IN SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass
,
3260 OUT PVOID SemaphoreInformation
,
3262 OUT PULONG ReturnLength
3268 IN HANDLE SemaphoreHandle
,
3269 IN SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass
,
3270 OUT PVOID SemaphoreInformation
,
3272 OUT PULONG ReturnLength
3277 * FUNCTION: Queries the information of a symbolic link object.
3279 * SymbolicLinkHandle = Handle to the symbolic link object
3280 * LinkTarget = resolved name of link
3281 * DataWritten = size of the LinkName.
3287 NtQuerySymbolicLinkObject(
3288 IN HANDLE SymLinkObjHandle
,
3289 OUT PUNICODE_STRING LinkTarget
,
3290 OUT PULONG DataWritten OPTIONAL
3295 ZwQuerySymbolicLinkObject(
3296 IN HANDLE SymLinkObjHandle
,
3297 OUT PUNICODE_STRING LinkName
,
3298 OUT PULONG DataWritten OPTIONAL
3303 * FUNCTION: Queries a system environment variable.
3305 * Name = Name of the variable
3306 * Value (OUT) = value of the variable
3307 * Length = size of the buffer
3308 * ReturnLength = data written
3314 NtQuerySystemEnvironmentValue(
3315 IN PUNICODE_STRING Name
,
3323 ZwQuerySystemEnvironmentValue(
3324 IN PUNICODE_STRING Name
,
3332 * FUNCTION: Queries the system information.
3334 * SystemInformationClass = Index to a certain information structure
3336 SystemTimeAdjustmentInformation SYSTEM_TIME_ADJUSTMENT
3337 SystemCacheInformation SYSTEM_CACHE_INFORMATION
3338 SystemConfigurationInformation CONFIGURATION_INFORMATION
3340 * SystemInformation = caller supplies storage for the information structure
3341 * Length = size of the structure
3342 ResultLength = Data written
3348 NtQuerySystemInformation(
3349 IN SYSTEM_INFORMATION_CLASS SystemInformationClass
,
3350 OUT PVOID SystemInformation
,
3352 OUT PULONG ResultLength
3357 ZwQuerySystemInformation(
3358 IN SYSTEM_INFORMATION_CLASS SystemInformationClass
,
3359 OUT PVOID SystemInformation
,
3361 OUT PULONG ResultLength
3365 * FUNCTION: Retrieves the system time
3367 * CurrentTime (OUT) = Caller should supply storage for the resulting time.
3375 OUT TIME
*CurrentTime
3381 OUT TIME
*CurrentTime
3385 * FUNCTION: Queries information about a timer
3387 * TimerHandle = Handle to the timer
3388 TimerValueInformationClass = Index to a certain information structure
3389 TimerValueInformation = Caller supplies storage for the information structure
3390 Length = Size of the information structure
3391 ResultLength = Data written
3398 IN HANDLE TimerHandle
,
3399 IN CINT TimerInformationClass
,
3400 OUT PVOID TimerInformation
,
3402 OUT PULONG ResultLength
3407 IN HANDLE TimerHandle
,
3408 IN CINT TimerInformationClass
,
3409 OUT PVOID TimerInformation
,
3411 OUT PULONG ResultLength
3415 * FUNCTION: Queries the timer resolution
3417 * MinimumResolution (OUT) = Caller should supply storage for the resulting time.
3418 Maximum Resolution (OUT) = Caller should supply storage for the resulting time.
3419 ActualResolution (OUT) = Caller should supply storage for the resulting time.
3427 NtQueryTimerResolution (
3428 OUT PULONG MinimumResolution
,
3429 OUT PULONG MaximumResolution
,
3430 OUT PULONG ActualResolution
3435 ZwQueryTimerResolution (
3436 OUT PULONG MinimumResolution
,
3437 OUT PULONG MaximumResolution
,
3438 OUT PULONG ActualResolution
3442 * FUNCTION: Queries a registry key value
3444 * KeyHandle = Handle to the registry key
3445 ValueName = Name of the value in the registry key
3446 KeyValueInformationClass = Index to a certain information structure
3448 KeyValueBasicInformation = KEY_VALUE_BASIC_INFORMATION
3449 KeyValueFullInformation = KEY_FULL_INFORMATION
3450 KeyValuePartialInformation = KEY_VALUE_PARTIAL_INFORMATION
3452 KeyValueInformation = Caller supplies storage for the information structure
3453 Length = Size of the information structure
3454 ResultLength = Data written
3461 IN HANDLE KeyHandle
,
3462 IN PUNICODE_STRING ValueName
,
3463 IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass
,
3464 OUT PVOID KeyValueInformation
,
3466 OUT PULONG ResultLength
3472 IN HANDLE KeyHandle
,
3473 IN PUNICODE_STRING ValueName
,
3474 IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass
,
3475 OUT PVOID KeyValueInformation
,
3477 OUT PULONG ResultLength
3484 * FUNCTION: Queries the virtual memory information.
3486 ProcessHandle = Process owning the virtual address space
3487 BaseAddress = Points to the page where the information is queried for.
3488 * VirtualMemoryInformationClass = Index to a certain information structure
3490 MemoryBasicInformation MEMORY_BASIC_INFORMATION
3492 * VirtualMemoryInformation = caller supplies storage for the information structure
3493 * Length = size of the structure
3494 ResultLength = Data written
/*
 * Queries virtual memory information for the address space owned by
 * ProcessHandle (per the description above).
 */
3501 NtQueryVirtualMemory(
3502 IN HANDLE ProcessHandle
,
/* NOTE(review): the IN annotation is written twice on this parameter; one is redundant.
   ZwQueryVirtualMemory below repeats it. */
3504 IN IN CINT VirtualMemoryInformationClass
,
/* Caller-supplied storage for the information structure (per the description above) */
3505 OUT PVOID VirtualMemoryInformation
,
/* Described above as "Data written"; presumably the byte count - TODO confirm */
3507 OUT PULONG ResultLength
3511 ZwQueryVirtualMemory(
3512 IN HANDLE ProcessHandle
,
3514 IN IN CINT VirtualMemoryInformationClass
,
3515 OUT PVOID VirtualMemoryInformation
,
3517 OUT PULONG ResultLength
3521 * FUNCTION: Queries the volume information
3523 * FileHandle = Handle to a file object on the target volume
3524 * IoStatusBlock = Caller should supply storage for additional status information
3525 * ReturnLength = DataWritten
3526 * FsInformation = Caller should supply storage for the information structure.
3527 * Length = Size of the information structure
3528 * FsInformationClass = Index to an information structure
3530 FileFsVolumeInformation FILE_FS_VOLUME_INFORMATION
3531 FileFsLabelInformation FILE_FS_LABEL_INFORMATION
3532 FileFsSizeInformation FILE_FS_SIZE_INFORMATION
3533 FileFsDeviceInformation FILE_FS_DEVICE_INFORMATION
3534 FileFsAttributeInformation FILE_FS_ATTRIBUTE_INFORMATION
3535 FileFsControlInformation
3536 FileFsQuotaQueryInformation --
3537 FileFsQuotaSetInformation --
3538 FileFsMaximumInformation
3540 * RETURNS: Status [ STATUS_SUCCESS | STATUS_INSUFFICIENT_RESOURCES | STATUS_INVALID_PARAMETER |
3541 STATUS_INVALID_DEVICE_REQUEST | STATUS_BUFFER_OVERFLOW ]
3546 NtQueryVolumeInformationFile(
3547 IN HANDLE FileHandle
,
3548 OUT PIO_STATUS_BLOCK IoStatusBlock
,
3549 OUT PVOID FsInformation
,
3551 IN FS_INFORMATION_CLASS FsInformationClass
3556 ZwQueryVolumeInformationFile(
3557 IN HANDLE FileHandle
,
3558 OUT PIO_STATUS_BLOCK IoStatusBlock
,
3559 OUT PVOID FsInformation
,
3561 IN FS_INFORMATION_CLASS FsInformationClass
3564 // FIXME: Should I specify if the apc is user or kernel mode somewhere ??
3566 * FUNCTION: Queues a (user) apc to a thread.
3568 ThreadHandle = Thread to which the apc is queued.
3569 ApcRoutine = Points to the apc routine
3570 NormalContext = Argument to Apc Routine
3571 * SystemArgument1 = Argument of the Apc Routine
3572 SystemArgument2 = Argument of the Apc Routine
3573 * REMARK: If the apc is queued against a thread of a different process than the calling thread
3574 the apc routine should be specified in the address space of the queued thread's process.
3581 HANDLE ThreadHandle
,
3582 PKNORMAL_ROUTINE ApcRoutine
,
3583 PVOID NormalContext
,
3584 PVOID SystemArgument1
,
3585 PVOID SystemArgument2
);
3590 HANDLE ThreadHandle
,
3591 PKNORMAL_ROUTINE ApcRoutine
,
3592 PVOID NormalContext
,
3593 PVOID SystemArgument1
,
3594 PVOID SystemArgument2
);
3598 * FUNCTION: Raises an exception
3600 * ExceptionRecord = Structure specifying the exception
3601 * Context = Context in which the exception is raised
3610 IN PEXCEPTION_RECORD ExceptionRecord
,
3611 IN PCONTEXT Context
,
3612 IN BOOLEAN SearchFrames
3618 IN PEXCEPTION_RECORD ExceptionRecord
,
3619 IN PCONTEXT Context
,
3620 IN BOOLEAN SearchFrames
3624 * FUNCTION: Raises a hard error (stops the system)
3626 * Status = Status code of the hard error
3659 * FUNCTION: Read a file
3661 * FileHandle = Handle of a file to read
3662 * Event = This event is signalled when the read operation completes
3663 * UserApcRoutine = Call back , if supplied Event should be NULL
3664 * UserApcContext = Argument to the callback
3665 * IoStatusBlock = Caller should supply storage for additional status information
3666 * Buffer = Caller should supply storage to receive the information
3667 * BufferLength = Size of the buffer
3668 * ByteOffset = Offset to start reading the file
3669 * Key = If a range is locked, a matching key will allow the read to continue.
3677 IN HANDLE FileHandle
,
3678 IN HANDLE Event OPTIONAL
,
3679 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL
,
3680 IN PVOID UserApcContext OPTIONAL
,
3681 OUT PIO_STATUS_BLOCK IoStatusBlock
,
3683 IN ULONG BufferLength
,
3684 IN PLARGE_INTEGER ByteOffset OPTIONAL
,
3685 IN PULONG Key OPTIONAL
3691 IN HANDLE FileHandle
,
3692 IN HANDLE Event OPTIONAL
,
3693 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL
,
3694 IN PVOID UserApcContext OPTIONAL
,
3695 OUT PIO_STATUS_BLOCK IoStatusBlock
,
3697 IN ULONG BufferLength
,
3698 IN PLARGE_INTEGER ByteOffset OPTIONAL
,
3699 IN PULONG Key OPTIONAL
3702 * FUNCTION: Read a file using scattered io
3704 FileHandle = Handle of a file to read
3705 Event = This event is signalled when the read operation completes
3706 * UserApcRoutine = Call back , if supplied Event should be NULL
3707 UserApcContext = Argument to the callback
3708 IoStatusBlock = Caller should supply storage for additional status information
3709 BufferDescription = Caller should supply storage to receive the information
3710 BufferLength = Size of the buffer
3711 ByteOffset = Offset to start reading the file
3712 Key = If a range is locked, a matching key will allow the read to continue.
3719 IN HANDLE FileHandle
,
3720 IN HANDLE Event OPTIONAL
,
3721 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL
,
3722 IN PVOID UserApcContext OPTIONAL
,
3723 OUT PIO_STATUS_BLOCK UserIoStatusBlock
,
3724 IN FILE_SEGMENT_ELEMENT BufferDescription
[],
3725 IN ULONG BufferLength
,
3726 IN PLARGE_INTEGER ByteOffset
,
3727 IN PULONG Key OPTIONAL
3733 IN HANDLE FileHandle
,
3734 IN HANDLE Event OPTIONAL
,
3735 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL
,
3736 IN PVOID UserApcContext OPTIONAL
,
3737 OUT PIO_STATUS_BLOCK UserIoStatusBlock
,
3738 IN FILE_SEGMENT_ELEMENT BufferDescription
[],
3739 IN ULONG BufferLength
,
3740 IN PLARGE_INTEGER ByteOffset
,
3741 IN PULONG Key OPTIONAL
3744 * FUNCTION: Copies a range of virtual memory to a buffer
3746 * ProcessHandle = Specifies the process owning the virtual address space
3747 * BaseAddress = Points to the address of virtual memory to start the read
3748 * Buffer = Caller supplies storage to copy the virtual memory to.
3749 * NumberOfBytesToRead = Limits the range to read
3750 * NumberOfBytesRead = The actual number of bytes read.
/*
 * Copies a range of virtual memory from the address space owned by
 * ProcessHandle, starting at BaseAddress, into caller-supplied storage
 * (per the description above).
 * NOTE(review): the Buffer parameter named in the description is not visible
 * in this listing. The caller's storage presumably has to hold at least
 * NumberOfBytesToRead bytes, since that value is described as the limit of
 * the range read - confirm against the implementation.
 */
3756 NtReadVirtualMemory(
3757 IN HANDLE ProcessHandle
,
3758 IN PVOID BaseAddress
,
/* Upper bound on the number of bytes copied */
3760 IN ULONG NumberOfBytesToRead
,
/* Receives the actual number of bytes read */
3761 OUT PULONG NumberOfBytesRead
3765 ZwReadVirtualMemory(
3766 IN HANDLE ProcessHandle
,
3767 IN PVOID BaseAddress
,
3769 IN ULONG NumberOfBytesToRead
,
3770 OUT PULONG NumberOfBytesRead
3775 * FUNCTION: Debugger can register for thread termination
3777 * TerminationPort = Port on which the debugger likes to be notified.
3782 NtRegisterThreadTerminatePort(
3783 HANDLE TerminationPort
3787 ZwRegisterThreadTerminatePort(
3788 HANDLE TerminationPort
3792 * FUNCTION: Releases a mutant
3794 * MutantHandle = Handle to the mutant
3801 IN HANDLE MutantHandle
,
3802 IN PULONG ReleaseCount OPTIONAL
3808 IN HANDLE MutantHandle
,
3809 IN PULONG ReleaseCount OPTIONAL
3813 * FUNCTION: Releases a semaphore
3815 * SemaphoreHandle = Handle to the semaphore object
3816 * ReleaseCount = Number to decrease the semaphore count
3817 * PreviousCount = Previous semaphore count
3823 IN HANDLE SemaphoreHandle
,
3824 IN LONG ReleaseCount
,
3825 OUT PLONG PreviousCount
3831 IN HANDLE SemaphoreHandle
,
3832 IN LONG ReleaseCount
,
3833 OUT PLONG PreviousCount
3837 * FUNCTION: Removes an io completion
3839 * CompletionPort (OUT) = Caller supplied storage for the resulting handle
3840 * CompletionKey = Requested access to the key
3841 * IoStatusBlock = Caller provides storage for extended status information
3842 * CompletionStatus = Current status of the io operation.
3843 * WaitTime = Time to wait if ..
3848 NtRemoveIoCompletion(
3849 IN HANDLE CompletionPort
,
3850 OUT PULONG CompletionKey
,
3851 OUT PIO_STATUS_BLOCK IoStatusBlock
,
3852 OUT PULONG CompletionStatus
,
3853 IN PLARGE_INTEGER WaitTime
3858 ZwRemoveIoCompletion(
3859 IN HANDLE CompletionPort
,
3860 OUT PULONG CompletionKey
,
3861 OUT PIO_STATUS_BLOCK IoStatusBlock
,
3862 OUT PULONG CompletionStatus
,
3863 IN PLARGE_INTEGER WaitTime
3866 * FUNCTION: Replaces one registry key with another
3868 * ObjectAttributes = Specifies the attributes of the key
3869 * Key = Handle to the key
3870 * ReplacedObjectAttributes = The function returns the old object attributes
3876 IN POBJECT_ATTRIBUTES ObjectAttributes
,
3878 IN POBJECT_ATTRIBUTES ReplacedObjectAttributes
3883 IN POBJECT_ATTRIBUTES ObjectAttributes
,
3885 IN POBJECT_ATTRIBUTES ReplacedObjectAttributes
3889 * FUNCTION: Resets an event to a non signaled state
3891 * EventHandle = Handle to the event that should be reset
3892 * NumberOfWaitingThreads = The number of threads released.
3899 PULONG NumberOfWaitingThreads OPTIONAL
3905 PULONG NumberOfWaitingThreads OPTIONAL
3924 * FUNCTION: Decrements a thread's resume count
3926 * ThreadHandle = Handle to the thread that should be resumed
3927 * ResumeCount = The resulting resume count.
3929 * A thread is resumed if its suspend count is 0. This procedure maps to
3930 * the win32 ResumeThread function. ( documentation about the suspend count can be found here as well )
3936 IN HANDLE ThreadHandle
,
3937 OUT PULONG SuspendCount
3942 IN HANDLE ThreadHandle
,
3943 OUT PULONG SuspendCount
3946 * FUNCTION: Writes the content of a registry key to ascii file
3948 * KeyHandle = Handle to the key
3949 * FileHandle = Handle of the file
3951 This function maps to the Win32 RegSaveKey.
3958 IN HANDLE KeyHandle
,
3959 IN HANDLE FileHandle
3964 IN HANDLE KeyHandle
,
3965 IN HANDLE FileHandle
3969 * FUNCTION: Sets the context of a specified thread.
3971 * ThreadHandle = Handle to the thread
3972 * Context = The processor context.
3979 IN HANDLE ThreadHandle
,
3985 IN HANDLE ThreadHandle
,
3990 * FUNCTION: Sets the default locale id
3992 * UserProfile = Type of locale id
3993 * TRUE: thread locale id
3994 * FALSE: system locale id
3995 * DefaultLocaleId = Locale id
4002 IN BOOLEAN UserProfile
,
4003 IN LCID DefaultLocaleId
4009 IN BOOLEAN UserProfile
,
4010 IN LCID DefaultLocaleId
4014 * FUNCTION: Sets the default hard error port
4016 * PortHandle = Handle to the port
4017 * NOTE: The hard error port is used for first chance exception handling
4022 NtSetDefaultHardErrorPort(
4023 IN HANDLE PortHandle
4027 ZwSetDefaultHardErrorPort(
4028 IN HANDLE PortHandle
4032 * FUNCTION: Sets the extended attributes of a file.
4034 * FileHandle = Handle to the file
4035 * IoStatusBlock = Storage for a resulting status and information
4036 * on the current operation.
4037 * EaBuffer = Extended Attributes buffer.
4038 * EaBufferSize = Size of the extended attributes buffer
4044 IN HANDLE FileHandle
,
4045 IN PIO_STATUS_BLOCK IoStatusBlock
,
4052 IN HANDLE FileHandle
,
4053 IN PIO_STATUS_BLOCK IoStatusBlock
,
4058 //FIXME: should I return the event state ?
4061 * FUNCTION: Sets the event to a signalled state.
4063 * EventHandle = Handle to the event
4064 * NumberOfThreadsReleased = The number of threads released
4066 * This procedure maps to the win32 SetEvent function.
4073 IN HANDLE EventHandle
,
4074 PULONG NumberOfThreadsReleased
4080 IN HANDLE EventHandle
,
4081 PULONG NumberOfThreadsReleased
4085 * FUNCTION: Sets the high part of an event pair
4087 EventPair = Handle to the event pair
4094 IN HANDLE EventPairHandle
4100 IN HANDLE EventPairHandle
4103 * FUNCTION: Sets the high part of an event pair and wait for the low part
4105 EventPair = Handle to the event pair
4110 NtSetHighWaitLowEventPair(
4111 IN HANDLE EventPairHandle
4115 ZwSetHighWaitLowEventPair(
4116 IN HANDLE EventPairHandle
4120 * FUNCTION: Sets the information of a file object.
4122 * FileHandle = Handle to the file object
4123 * IoStatusBlock = Caller supplies storage for extended information
4124 * on the current operation.
4125 * FileInformation = Storage for the new file information
4126 * Length = Size of the new file information.
4127 * FileInformationClass = Indicates to a certain information structure
4129 FileNameInformation FILE_NAME_INFORMATION
4130 FileRenameInformation FILE_RENAME_INFORMATION
4131 FileStreamInformation FILE_STREAM_INFORMATION
4132 * FileCompletionInformation IO_COMPLETION_CONTEXT
4135 * This procedure maps to the win32 SetEndOfFile, SetFileAttributes,
4136 * SetNamedPipeHandleState, SetMailslotInfo functions.
4143 NtSetInformationFile(
4144 IN HANDLE FileHandle
,
4145 IN PIO_STATUS_BLOCK IoStatusBlock
,
4146 IN PVOID FileInformation
,
4148 IN FILE_INFORMATION_CLASS FileInformationClass
4152 ZwSetInformationFile(
4153 IN HANDLE FileHandle
,
4154 IN PIO_STATUS_BLOCK IoStatusBlock
,
4155 IN PVOID FileInformation
,
4157 IN FILE_INFORMATION_CLASS FileInformationClass
4163 * FUNCTION: Sets the information of a registry key.
4165 * KeyHandle = Handle to the registry key
4166 * KeyInformationClass = Index to a certain information structure.
4167 Can be one of the following values:
4169 * KeyWriteTimeInformation KEY_WRITE_TIME_INFORMATION
4171 KeyInformation = Storage for the new information
4172 * KeyInformationLength = Size of the information structure
4178 NtSetInformationKey(
4179 IN HANDLE KeyHandle
,
4180 IN CINT KeyInformationClass
,
4181 IN PVOID KeyInformation
,
4182 IN ULONG KeyInformationLength
4187 ZwSetInformationKey(
4188 IN HANDLE KeyHandle
,
4189 IN CINT KeyInformationClass
,
4190 IN PVOID KeyInformation
,
4191 IN ULONG KeyInformationLength
4194 * FUNCTION: Changes a set of object specific parameters
4197 * ObjectInformationClass = Index to the set of parameters to change.
4200 ObjectBasicInformation
4201 ObjectTypeInformation OBJECT_TYPE_INFORMATION
4202 ObjectAllInformation
4203 ObjectDataInformation OBJECT_DATA_INFORMATION
4204 ObjectNameInformation OBJECT_NAME_INFORMATION
4207 * ObjectInformation = Caller supplies storage for parameters to set.
4208 * Length = Size of the storage supplied
4213 NtSetInformationObject(
4214 IN HANDLE ObjectHandle
,
4215 IN CINT ObjectInformationClass
,
4216 IN PVOID ObjectInformation
,
4222 ZwSetInformationObject(
4223 IN HANDLE ObjectHandle
,
4224 IN CINT ObjectInformationClass
,
4225 IN PVOID ObjectInformation
,
4230 * FUNCTION: Changes a set of process specific parameters
4232 * ProcessHandle = Handle to the process
4233 * ProcessInformationClass = Index to an information structure.
4235 * ProcessBasicInformation PROCESS_BASIC_INFORMATION
4236 * ProcessQuotaLimits QUOTA_LIMITS
4237 * ProcessBasePriority KPRIORITY
4238 * ProcessRaisePriority KPRIORITY
4239 * ProcessDebugPort HANDLE
4240 * ProcessExceptionPort HANDLE
4241 * ProcessAccessToken PROCESS_ACCESS_TOKEN
4242 * ProcessDefaultHardErrorMode ULONG
4243 * ProcessPriorityClass ULONG
4244 * ProcessAffinityMask KAFFINITY //??
4246 * ProcessInformation = Caller supplies storage for information to set.
4247 * ProcessInformationLength = Size of the information structure
4252 NtSetInformationProcess(
4253 IN HANDLE ProcessHandle
,
4254 IN CINT ProcessInformationClass
,
4255 IN PVOID ProcessInformation
,
4256 IN ULONG ProcessInformationLength
4260 ZwSetInformationProcess(
4261 IN HANDLE ProcessHandle
,
4262 IN CINT ProcessInformationClass
,
4263 IN PVOID ProcessInformation
,
4264 IN ULONG ProcessInformationLength
4267 * FUNCTION: Changes a set of thread specific parameters
4269 * ThreadHandle = Handle to the thread
4270 * ThreadInformationClass = Index to the set of parameters to change.
4271 * Can be one of the following values:
4273 * ThreadBasicInformation THREAD_BASIC_INFORMATION
4274 * ThreadPriority KPRIORITY //???
4275 * ThreadBasePriority KPRIORITY
4276 * ThreadAffinityMask KAFFINITY //??
4277 * ThreadImpersonationToken ACCESS_TOKEN
4278 * ThreadIdealProcessor ULONG
4279 * ThreadPriorityBoost ULONG
4281 * ThreadInformation = Caller supplies storage for parameters to set.
4282 * ThreadInformationLength = Size of the storage supplied
4287 NtSetInformationThread(
4288 IN HANDLE ThreadHandle
,
4289 IN THREADINFOCLASS ThreadInformationClass
,
4290 IN PVOID ThreadInformation
,
4291 IN ULONG ThreadInformationLength
4295 ZwSetInformationThread(
4296 IN HANDLE ThreadHandle
,
4297 IN THREADINFOCLASS ThreadInformationClass
,
4298 IN PVOID ThreadInformation
,
4299 IN ULONG ThreadInformationLength
4303 * FUNCTION: Changes a set of token specific parameters
4305 * TokenHandle = Handle to the token
4306 * TokenInformationClass = Index to a certain information structure.
4307 * Can be one of the following values:
4309 TokenUser TOKEN_USER
4310 TokenGroups TOKEN_GROUPS
4311 TokenPrivileges TOKEN_PRIVILEGES
4312 TokenOwner TOKEN_OWNER
4313 TokenPrimaryGroup TOKEN_PRIMARY_GROUP
4314 TokenDefaultDacl TOKEN_DEFAULT_DACL
4315 TokenSource TOKEN_SOURCE
4316 TokenType TOKEN_TYPE
4317 TokenImpersonationLevel TOKEN_IMPERSONATION_LEVEL
4318 TokenStatistics TOKEN_STATISTICS
4320 * TokenInformation = Caller supplies storage for information structure.
4321 * TokenInformationLength = Size of the information structure
/*
 * Changes a set of token specific parameters selected by
 * TokenInformationClass (per the description above).
 */
4327 NtSetInformationToken(
4328 IN HANDLE TokenHandle
,
4329 IN TOKEN_INFORMATION_CLASS TokenInformationClass
,
/* NOTE(review): annotated OUT, but for a set operation the caller supplies
   the information structure here, so IN was presumably intended - confirm.
   ZwSetInformationToken below carries the same annotation. */
4330 OUT PVOID TokenInformation
,
/* Size of the information structure (per the description above) */
4331 IN ULONG TokenInformationLength
4336 ZwSetInformationToken(
4337 IN HANDLE TokenHandle
,
4338 IN TOKEN_INFORMATION_CLASS TokenInformationClass
,
4339 OUT PVOID TokenInformation
,
4340 IN ULONG TokenInformationLength
4345 * FUNCTION: Sets an io completion
4350 * NumberOfBytesToTransfer =
4351 * NumberOfBytesTransferred =
4357 IN HANDLE CompletionPort
,
4358 IN ULONG CompletionKey
,
4359 OUT PIO_STATUS_BLOCK IoStatusBlock
,
4360 IN ULONG NumberOfBytesToTransfer
,
4361 OUT PULONG NumberOfBytesTransferred
4366 IN HANDLE CompletionPort
,
4367 IN ULONG CompletionKey
,
4368 OUT PIO_STATUS_BLOCK IoStatusBlock
,
4369 IN ULONG NumberOfBytesToTransfer
,
4370 OUT PULONG NumberOfBytesTransferred
4374 * FUNCTION: Set properties for profiling
4384 NtSetIntervalProfile(
4386 KPROFILE_SOURCE ClockSource
4391 ZwSetIntervalProfile(
4393 KPROFILE_SOURCE ClockSource
4398 * FUNCTION: Sets the low part of an event pair
4400 EventPair = Handle to the event pair
4415 * FUNCTION: Sets the low part of an event pair and wait for the high part
4417 EventPair = Handle to the event pair
4422 NtSetLowWaitHighEventPair(
4427 ZwSetLowWaitHighEventPair(
4433 NtSetSecurityObject(
4435 IN SECURITY_INFORMATION SecurityInformation
,
4436 IN PSECURITY_DESCRIPTOR SecurityDescriptor
4441 ZwSetSecurityObject(
4443 IN SECURITY_INFORMATION SecurityInformation
,
4444 IN PSECURITY_DESCRIPTOR SecurityDescriptor
4449 * FUNCTION: Sets a system environment variable
4451 * ValueName = Name of the environment variable
4452 * Value = Value of the environment variable
4457 NtSetSystemEnvironmentValue(
4458 IN PUNICODE_STRING VariableName
,
4459 IN PUNICODE_STRING Value
4463 ZwSetSystemEnvironmentValue(
4464 IN PUNICODE_STRING VariableName
,
4465 IN PUNICODE_STRING Value
4468 * FUNCTION: Sets system parameters
4470 * SystemInformationClass = Index to a particular set of system parameters
4471 * Can be one of the following values:
4473 * SystemTimeAdjustmentInformation SYSTEM_TIME_ADJUSTMENT
4475 * SystemInformation = Structure containing the parameters.
4476 * SystemInformationLength = Size of the structure.
4481 NtSetSystemInformation(
4482 IN SYSTEM_INFORMATION_CLASS SystemInformationClass
,
4483 IN PVOID SystemInformation
,
4484 IN ULONG SystemInformationLength
4489 ZwSetSystemInformation(
4490 IN SYSTEM_INFORMATION_CLASS SystemInformationClass
,
4491 IN PVOID SystemInformation
,
4492 IN ULONG SystemInformationLength
4496 * FUNCTION: Sets the system time
4498 * SystemTime = Old System time
4499 * NewSystemTime = New System time
4505 IN PLARGE_INTEGER SystemTime
,
4506 IN PLARGE_INTEGER NewSystemTime OPTIONAL
4511 IN PLARGE_INTEGER SystemTime
,
4512 IN PLARGE_INTEGER NewSystemTime OPTIONAL
4515 * FUNCTION: Sets the characteristics of a timer
4517 * TimerHandle = Handle to the timer
4518 * DueTime = Time before the timer becomes signalled for the first time.
4519 * TimerApcRoutine = Completion routine that can be called on timer completion
4520 * TimerContext = Argument to the completion routine
4521 * Resume = Specifies if the timer should be repeated after completing one cycle
4522 * Period = Cycle of the timer
4523 * REMARKS: This routine maps to the win32 SetWaitableTimer.
4529 IN HANDLE TimerHandle
,
4530 IN PLARGE_INTEGER DueTime
,
4531 IN PTIMERAPCROUTINE TimerApcRoutine
,
4532 IN PVOID TimerContext
,
4534 IN ULONG Period OPTIONAL
,
4535 OUT PBOOLEAN PreviousState OPTIONAL
4540 IN HANDLE TimerHandle
,
4541 IN PLARGE_INTEGER DueTime
,
4542 IN PTIMERAPCROUTINE TimerApcRoutine
,
4543 IN PVOID TimerContext
,
4545 IN ULONG Period OPTIONAL
,
4546 OUT PBOOLEAN PreviousState OPTIONAL
4550 * FUNCTION: Sets the frequency of the system timer
4552 * RequestedResolution =
4554 * ActualResolution =
4559 NtSetTimerResolution(
4560 IN ULONG RequestedResolution
,
4562 OUT PULONG ActualResolution
4566 ZwSetTimerResolution(
4567 IN ULONG RequestedResolution
,
4569 OUT PULONG ActualResolution
4573 * FUNCTION: Sets the value of a registry key
4575 * KeyHandle = Handle to a registry key
4576 * ValueName = Name of the value entry to change
4577 * TitleIndex = pointer to a structure containing the new volume information
4578 * Type = Type of the registry key. Can be one of the values:
4579 * REG_BINARY Unspecified binary data
4580 * REG_DWORD A 32 bit value
4581 * REG_DWORD_LITTLE_ENDIAN Same as REG_DWORD
4582 * REG_DWORD_BIG_ENDIAN A 32 bit value whose least significant byte is at the highest address
4583 * REG_EXPAND_SZ A zero terminated wide character string with unexpanded environment variables ( "%PATH%" )
4584 * REG_LINK A zero terminated wide character string referring to a symbolic link.
4585 * REG_MULTI_SZ A series of zero-terminated strings including an additional trailing zero
4586 * REG_NONE Unspecified type
4587 * REG_SZ A wide character string ( zero terminated )
4588 * REG_RESOURCE_LIST ??
4589 * REG_RESOURCE_REQUIREMENTS_LIST ??
4590 * REG_FULL_RESOURCE_DESCRIPTOR ??
4591 * Data = Contains the data for the registry key.
4592 * DataSize = size of the data.
4598 IN HANDLE KeyHandle
,
4599 IN PUNICODE_STRING ValueName
,
4600 IN ULONG TitleIndex OPTIONAL
,
4608 IN HANDLE KeyHandle
,
4609 IN PUNICODE_STRING ValueName
,
4610 IN ULONG TitleIndex OPTIONAL
,
4617 * FUNCTION: Sets the volume information.
4619 * FileHandle = Handle to the file
4620 * IoStatusBlock = Caller should supply storage for additional status information
4621 * VolumeInformation = pointer to a structure containing the new volume information
4622 * Length = size of the structure.
4623 * VolumeInformationClass = specifies the particular volume information to set
4628 NtSetVolumeInformationFile(
4629 IN HANDLE FileHandle
,
4630 OUT PIO_STATUS_BLOCK IoStatusBlock
,
4631 IN PVOID FsInformation
,
4633 IN FS_INFORMATION_CLASS FsInformationClass
4638 ZwSetVolumeInformationFile(
4639 IN HANDLE FileHandle
,
4640 OUT PIO_STATUS_BLOCK IoStatusBlock
,
4641 IN PVOID FsInformation
,
4643 IN FS_INFORMATION_CLASS FsInformationClass
4647 * FUNCTION: Shuts the system down
4649 * Action = Specifies the type of shutdown, it can be one of the following values:
4650 * ShutdownNoReboot, ShutdownReboot, ShutdownPowerOff
4656 IN SHUTDOWN_ACTION Action
4662 IN SHUTDOWN_ACTION Action
4666 /* --- PROFILING --- */
4669 * FUNCTION: Starts profiling
4671 * ProfileHandle = Handle to the profile
4678 HANDLE ProfileHandle
4684 HANDLE ProfileHandle
4688 * FUNCTION: Stops profiling
4690 * ProfileHandle = Handle to the profile
4697 HANDLE ProfileHandle
4703 HANDLE ProfileHandle
4706 /* --- PROCESS MANAGEMENT --- */
4708 //--NtSystemDebugControl
4710 * FUNCTION: Terminates the execution of a process.
4712 * ProcessHandle = Handle to the process
4713 * ExitStatus = The exit status of the process to terminate with.
4715 Native applications should kill themselves using this function.
4721 IN HANDLE ProcessHandle
,
4722 IN NTSTATUS ExitStatus
4727 IN HANDLE ProcessHandle
,
4728 IN NTSTATUS ExitStatus
4731 /* --- DEVICE DRIVER CONTROL --- */
4734 * FUNCTION: Unloads a driver.
4736 * DriverServiceName = Name of the driver to unload
4742 IN PUNICODE_STRING DriverServiceName
4747 IN PUNICODE_STRING DriverServiceName
4750 /* --- VIRTUAL MEMORY MANAGEMENT --- */
4753 * FUNCTION: Writes a range of virtual memory
4755 * ProcessHandle = The handle to the process owning the address space.
4756 * BaseAddress = Points to the address to write to
4757 * Buffer = Pointer to the buffer to write
4758 * NumberOfBytesToWrite = Offset to the upper boundary to write
4759 * NumberOfBytesWritten = Total bytes written
4761 * This function maps to the win32 WriteProcessMemory
4766 NtWriteVirtualMemory(
4767 IN HANDLE ProcessHandle
,
4768 IN PVOID BaseAddress
,
4770 IN ULONG NumberOfBytesToWrite
,
4771 OUT PULONG NumberOfBytesWritten
4776 ZwWriteVirtualMemory(
4777 IN HANDLE ProcessHandle
,
4778 IN PVOID BaseAddress
,
4780 IN ULONG NumberOfBytesToWrite
,
4781 OUT PULONG NumberOfBytesWritten
4785 * FUNCTION: Unlocks a range of virtual memory.
4787 * ProcessHandle = Handle to the process
4788 * BaseAddress = Lower boundary of the range of bytes to unlock.
4789 * NumberOfBytesToUnlock = Offset to the upper boundary to unlock.
4790 * NumberOfBytesUnlocked (OUT) = Number of bytes actually unlocked.
4792 This procedure maps to the win32 procedure VirtualUnlock
4793 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PAGE_WAS_ULOCKED ]
4797 NtUnlockVirtualMemory(
4798 IN HANDLE ProcessHandle
,
4799 IN PVOID BaseAddress
,
4800 IN ULONG NumberOfBytesToUnlock
,
4801 OUT PULONG NumberOfBytesUnlocked OPTIONAL
4806 ZwUnlockVirtualMemory(
4807 IN HANDLE ProcessHandle
,
4808 IN PVOID BaseAddress
,
4809 IN ULONG NumberOfBytesToUnlock
,
4810 OUT PULONG NumberOfBytesUnlocked OPTIONAL
4813 * FUNCTION: Unmaps a piece of virtual memory backed by a file.
4815 * ProcessHandle = Handle to the process
4816 * BaseAddress = The address where the mapping begins
4818 This procedure maps to the win32 UnMapViewOfFile
4823 NtUnmapViewOfSection(
4824 IN HANDLE ProcessHandle
,
4825 IN PVOID BaseAddress
4829 ZwUnmapViewOfSection(
4830 IN HANDLE ProcessHandle
,
4831 IN PVOID BaseAddress
4834 /* --- OBJECT SYNCHRONIZATION --- */
4837 * FUNCTION: Signals an object and waits for another one.
4839 * SignalObject = Handle to the object that should be signaled
4840 * WaitObject = Handle to the object that should be waited for
4841 * Alertable = True if the wait is alertable
4842 * Time = The time to wait
4847 NtSignalAndWaitForSingleObject(
4848 IN HANDLE SignalObject
,
4849 IN HANDLE WaitObject
,
4850 IN BOOLEAN Alertable
,
4851 IN PLARGE_INTEGER Time
4856 NtSignalAndWaitForSingleObject(
4857 IN HANDLE SignalObject
,
4858 IN HANDLE WaitObject
,
4859 IN BOOLEAN Alertable
,
4860 IN PLARGE_INTEGER Time
4864 * FUNCTION: Waits for multiple objects to become signalled.
4866 * Count = The number of objects
4867 * Object = The array of object handles
4868 * WaitType = Can be one of the values UserMode or KernelMode
4869 * Alertable = If true the wait is alertable.
4870 * Time = The maximum wait time.
4872 * This function maps to the win32 WaitForMultipleObjectEx.
4877 NtWaitForMultipleObjects (
4881 IN BOOLEAN Alertable
,
4882 IN PLARGE_INTEGER Time
4887 ZwWaitForMultipleObjects (
4891 IN BOOLEAN Alertable
,
4892 IN PLARGE_INTEGER Time
4896 * FUNCTION: Waits for an object to become signalled.
4898 * Object = The object handle
4899 * Alertable = If true the wait is alertable.
4900 * Time = The maximum wait time.
4902 * This function maps to the win32 WaitForSingleObjectEx.
4907 NtWaitForSingleObject (
4909 IN BOOLEAN Alertable
,
4910 IN PLARGE_INTEGER Time
4915 ZwWaitForSingleObject (
4917 IN BOOLEAN Alertable
,
4918 IN PLARGE_INTEGER Time
4921 /* --- EVENT PAIR OBJECT --- */
4924 * FUNCTION: Waits for the high part of an eventpair to become signalled
4926 * EventPairHandle = Handle to the event pair.
4932 NtWaitHighEventPair(
4933 IN HANDLE EventPairHandle
4938 ZwWaitHighEventPair(
4939 IN HANDLE EventPairHandle
4943 * FUNCTION: Waits for the low part of an eventpair to become signalled
4945 * EventPairHandle = Handle to the event pair.
4951 IN HANDLE EventPairHandle
4957 IN HANDLE EventPairHandle
4960 /* --- FILE MANAGEMENT --- */
4963 * FUNCTION: Unlocks a range of bytes in a file.
4965 * FileHandle = Handle to the file
4966 * IoStatusBlock = Caller should supply storage for a structure containing
4967 * the completion status and information about the requested unlock operation.
4968 The information field is set to the number of bytes unlocked.
4969 * ByteOffset = Offset to start the range of bytes to unlock
4970 * Length = Number of bytes to unlock.
4971 * Key = Special value that lets a thread other than the one that locked the file
4972 unlock it. The key supplied must match the one obtained
4973 in a previous call to NtLockFile.
4975 This procedure maps to the win32 procedure UnlockFileEx. STATUS_PENDING is returned if the lock could
4976 not be obtained immediately, the device queue is busy and the IRP is queued.
4977 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PENDING | STATUS_ACCESS_DENIED | STATUS_INSUFFICIENT_RESOURCES |
4978 STATUS_INVALID_PARAMETER | STATUS_INVALID_DEVICE_REQUEST | STATUS_RANGE_NOT_LOCKED ]
4983 IN HANDLE FileHandle
,
4984 OUT PIO_STATUS_BLOCK IoStatusBlock
,
4985 IN PLARGE_INTEGER ByteOffset
,
4986 IN PLARGE_INTEGER Lenght
,
4987 OUT PULONG Key OPTIONAL
4992 IN HANDLE FileHandle
,
4993 OUT PIO_STATUS_BLOCK IoStatusBlock
,
4994 IN PLARGE_INTEGER ByteOffset
,
4995 IN PLARGE_INTEGER Lenght
,
4996 OUT PULONG Key OPTIONAL
5000 * FUNCTION: Writes data to a file
5002 * FileHandle = The handle of a file ( from NtCreateFile )
5003 * Event = Specifies a event that will become signalled when the write operation completes.
5004 * ApcRoutine = Asynchronous Procedure Callback [ Should not be used by device drivers ]
5005 * ApcContext = Argument to the Apc Routine
5006 * IoStatusBlock = Caller should supply storage for a structure containing the completion status and information about the requested write operation.
5007 * Buffer = Caller should supply storage for a buffer that will contain the information to be written to file.
5008 * Length = Size in bytes of the buffer
5009 * ByteOffset = Points to a file offset. If the combination of Length and ByteOffset is past the end-of-file mark the file will be enlarged.
5010 * ByteOffset is ignored if the file is created with FILE_APPEND_DATA in the DesiredAccess. ByteOffset is also ignored if
5011 * the file is created with CreateOptions flags FILE_SYNCHRONOUS_IO_ALERT or FILE_SYNCHRONOUS_IO_NONALERT set, in that case an offset
5012 * should be created by specifying FILE_USE_FILE_POINTER_POSITION.
5015 * This function maps to the win32 WriteFile.
5016 * Callers to NtWriteFile should run at IRQL PASSIVE_LEVEL.
5017 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PENDING | STATUS_ACCESS_DENIED | STATUS_INSUFFICIENT_RESOURCES |
5018 STATUS_INVALID_PARAMETER | STATUS_INVALID_DEVICE_REQUEST | STATUS_FILE_LOCK_CONFLICT ]
5023 IN HANDLE FileHandle
,
5024 IN HANDLE Event OPTIONAL
,
5025 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
5026 IN PVOID ApcContext OPTIONAL
,
5027 OUT PIO_STATUS_BLOCK IoStatusBlock
,
5030 IN PLARGE_INTEGER ByteOffset
,
5031 IN PULONG Key OPTIONAL
5037 IN HANDLE FileHandle
,
5038 IN HANDLE Event OPTIONAL
,
5039 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
5040 IN PVOID ApcContext OPTIONAL
,
5041 OUT PIO_STATUS_BLOCK IoStatusBlock
,
5044 IN PLARGE_INTEGER ByteOffset
,
5045 IN PULONG Key OPTIONAL
5049 * FUNCTION: Writes a file
5051 * FileHandle = The handle of the file
5053 * ApcRoutine = Asynchronous Procedure Callback [ Should not be used by device drivers ]
5054 * ApcContext = Argument to the Apc Routine
5055 * IoStatusBlock = Caller should supply storage for a structure containing the completion status and information about the requested write operation.
5056 * BufferDescription = Caller should supply storage for a buffer that will contain the information to be written to file.
5057 * BufferLength = Size in bytes of the buffer
5058 * ByteOffset = Points to a file offset. If the combination of Length and ByteOffset is past the end-of-file mark the file will be enlarged.
5059 * ByteOffset is ignored if the file is created with FILE_APPEND_DATA in the DesiredAccess. ByteOffset is also ignored if
5060 * the file is created with CreateOptions flags FILE_SYNCHRONOUS_IO_ALERT or FILE_SYNCHRONOUS_IO_NONALERT set, in that case an offset
5061 * should be created by specifying FILE_USE_FILE_POINTER_POSITION. Use FILE_WRITE_TO_END_OF_FILE to write to the EOF.
5062 * Key = If a matching key [ a key provided at NtLockFile ] is provided the write operation will continue even if a byte range is locked.
5064 * This function maps to the win32 WriteFile.
5065 * Callers to NtWriteFile should run at IRQL PASSIVE_LEVEL.
5066 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PENDING | STATUS_ACCESS_DENIED | STATUS_INSUFFICIENT_RESOURCES |
5067 STATUS_INVALID_PARAMETER | STATUS_INVALID_DEVICE_REQUEST | STATUS_FILE_LOCK_CONFLICT ]
5073 IN HANDLE FileHandle
,
5074 IN HANDLE Event OPTIONAL
,
5075 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
5076 IN PVOID ApcContext OPTIONAL
,
5077 OUT PIO_STATUS_BLOCK IoStatusBlock
,
5078 IN FILE_SEGMENT_ELEMENT BufferDescription
[],
5079 IN ULONG BufferLength
,
5080 IN PLARGE_INTEGER ByteOffset
,
5081 IN PULONG Key OPTIONAL
5087 IN HANDLE FileHandle
,
5088 IN HANDLE Event OPTIONAL
,
5089 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
5090 IN PVOID ApcContext OPTIONAL
,
5091 OUT PIO_STATUS_BLOCK IoStatusBlock
,
5092 IN FILE_SEGMENT_ELEMENT BufferDescription
[],
5093 IN ULONG BufferLength
,
5094 IN PLARGE_INTEGER ByteOffset
,
5095 IN PULONG Key OPTIONAL
5099 /* --- THREAD MANAGEMENT --- */
5102 * FUNCTION: Increments a thread's resume count
5104 * ThreadHandle = Handle to the thread that should be resumed
5105 * PreviousSuspendCount = The resulting/previous suspend count.
5107 * A thread will be suspended if its suspend count is greater than 0. This procedure maps to
5108 * the win32 SuspendThread function. ( documentation about the suspend count can be found here as well )
5109 * The suspend count is not increased if it is greater than MAXIMUM_SUSPEND_COUNT.
5115 IN HANDLE ThreadHandle
,
5116 IN PULONG PreviousSuspendCount
5122 IN HANDLE ThreadHandle
,
5123 IN PULONG PreviousSuspendCount
5127 * FUNCTION: Terminates the execution of a thread.
5129 * ThreadHandle = Handle to the thread
5130 * ExitStatus = The exit status of the thread to terminate with.
5136 IN HANDLE ThreadHandle
,
5137 IN NTSTATUS ExitStatus
5142 IN HANDLE ThreadHandle
,
5143 IN NTSTATUS ExitStatus
5146 * FUNCTION: Tests to see if there are any pending alerts for the calling thread
5161 * FUNCTION: Yields the caller's thread.
5178 * --- Local Procedure Call Facility
5179 * These prototypes are unknown as yet
5180 * (stack sizes by Peter-Michael Hager)
5183 /* --- REGISTRY --- */
5186 * FUNCTION: Unloads a registry key.
5188 * KeyHandle = Handle to the registry key
5190 * This procedure maps to the win32 procedure RegUnloadKey
5205 /* --- PLUG AND PLAY --- */
5215 NtGetPlugPlayEvent (
5219 /* --- POWER MANAGEMENT --- */
5222 NtSetSystemPowerState(IN POWER_ACTION SystemAction
,
5223 IN SYSTEM_POWER_STATE MinSystemState
,
5226 /* --- DEBUG SUBSYSTEM --- */
5229 NtSystemDebugControl(DEBUG_CONTROL_CODE ControlCode
,
5231 ULONG InputBufferLength
,
5233 ULONG OutputBufferLength
,
5234 PULONG ReturnLength
);
5236 /* --- VIRTUAL DOS MACHINE (VDM) --- */
5240 NtVdmControl (ULONG ControlCode
, PVOID ControlData
);
5246 NtW32Call(IN ULONG RoutineIndex
,
5248 IN ULONG ArgumentLength
,
5249 OUT PVOID
* Result OPTIONAL
,
5250 OUT PULONG ResultLength OPTIONAL
);
5252 /* --- CHANNELS --- */
5274 NtReplyWaitSendChannel (
5280 NtSendWaitReplyChannel (
5286 NtSetContextChannel (
5290 /* --- MISCELLANEA --- */
5292 //NTSTATUS STDCALL NtSetLdtEntries(VOID);
5304 NtQueryOleDirectoryFile (
5308 #endif /* __DDK_ZW_H */