2 /* $Id: zw.h,v 1.9 2003/03/19 23:16:00 gdalsnes Exp $
4 * COPYRIGHT: See COPYING in the top level directory
5 * PROJECT: ReactOS kernel
6 * PURPOSE: System call definitions
7 * FILE: include/ddk/zw.h
9 * ??/??/??: First few functions (David Welch)
10 * ??/??/??: Complete implementation by Ariadne
11 * 13/07/98: Reorganised things a bit (David Welch)
12 * 04/08/98: Added some documentation (Ariadne)
13 * 14/08/98: Added type TIME and change variable type from [1] to [0]
14 * 14/09/98: Added for each Nt call a corresponding Zw Call
20 #include <ntos/security.h>
21 #include <ntos/zwtypes.h>
22 #include <napi/npipe.h>
24 #ifndef _RTLGETPROCESSHEAP_DEFINED_
25 #define _RTLGETPROCESSHEAP_DEFINED_
26 #define RtlGetProcessHeap() (NtCurrentPeb()->ProcessHeap)
29 // semaphore information
31 typedef enum _SEMAPHORE_INFORMATION_CLASS
33 SemaphoreBasicInformation
= 0
34 } SEMAPHORE_INFORMATION_CLASS
;
36 typedef struct _SEMAPHORE_BASIC_INFORMATION
40 } SEMAPHORE_BASIC_INFORMATION
, *PSEMAPHORE_BASIC_INFORMATION
;
44 typedef enum _EVENT_INFORMATION_CLASS
46 EventBasicInformation
= 0
47 } EVENT_INFORMATION_CLASS
;
49 typedef struct _EVENT_BASIC_INFORMATION
53 } EVENT_BASIC_INFORMATION
, *PEVENT_BASIC_INFORMATION
;
56 //#define SECURITY_INFORMATION ULONG
57 //typedef ULONG SECURITY_INFORMATION;
60 * FUNCTION: Adjusts the groups in an access token
62 * TokenHandle = Specifies the access token
63 * ResetToDefault = If true the NewState parameter is ignored and the groups are set to
64 * their default state, if false the groups specified in
67 * BufferLength = Specifies the size of the buffer for the PreviousState.
69 * ReturnLength = Bytes written in PreviousState buffer.
70 * REMARKS: The arguments map to the win32 AdjustTokenGroups
77 IN HANDLE TokenHandle
,
78 IN BOOLEAN ResetToDefault
,
79 IN PTOKEN_GROUPS NewState
,
80 IN ULONG BufferLength
,
81 OUT PTOKEN_GROUPS PreviousState OPTIONAL
,
82 OUT PULONG ReturnLength
88 IN HANDLE TokenHandle
,
89 IN BOOLEAN ResetToDefault
,
90 IN PTOKEN_GROUPS NewState
,
91 IN ULONG BufferLength
,
92 OUT PTOKEN_GROUPS PreviousState
,
93 OUT PULONG ReturnLength
101 * TokenHandle = Handle to the access token
102 * DisableAllPrivileges = If true all privileges in the token are disabled and NewState is ignored.
108 * The arguments map to the win32 AdjustTokenPrivileges
114 NtAdjustPrivilegesToken(
115 IN HANDLE TokenHandle
,
116 IN BOOLEAN DisableAllPrivileges
,
117 IN PTOKEN_PRIVILEGES NewState
,
118 IN ULONG BufferLength
,
119 OUT PTOKEN_PRIVILEGES PreviousState
,
120 OUT PULONG ReturnLength
125 ZwAdjustPrivilegesToken(
126 IN HANDLE TokenHandle
,
127 IN BOOLEAN DisableAllPrivileges
,
128 IN PTOKEN_PRIVILEGES NewState
,
129 IN ULONG BufferLength
,
130 OUT PTOKEN_PRIVILEGES PreviousState
,
131 OUT PULONG ReturnLength
136 * FUNCTION: Decrements a thread's suspend count and places it in an alerted
139 * ThreadHandle = Handle to the thread that should be resumed
140 * SuspendCount = The resulting suspend count.
142 * A thread is resumed if its suspend count is 0
148 IN HANDLE ThreadHandle
,
149 OUT PULONG SuspendCount
155 IN HANDLE ThreadHandle
,
156 OUT PULONG SuspendCount
160 * FUNCTION: Puts the thread in an alerted state
162 * ThreadHandle = Handle to the thread that should be alerted
168 IN HANDLE ThreadHandle
174 IN HANDLE ThreadHandle
179 * FUNCTION: Allocates a locally unique id
181 * LocallyUniqueId = Locally unique number
186 NtAllocateLocallyUniqueId(
187 OUT LUID
*LocallyUniqueId
192 ZwAllocateLocallyUniqueId(
197 * FUNCTION: Allocates a block of virtual memory in the process address space
199 * ProcessHandle = The handle of the process which owns the virtual memory
200 * BaseAddress = A pointer to the virtual memory allocated. If you supply a non zero
201 * value the system will try to allocate the memory at the address supplied. It rounds
202 * it down to a multiple of the page size.
203 * ZeroBits = (OPTIONAL) You can specify the number of high order bits that must be zero, ensuring that
204 * the memory will be allocated at an address below a certain value.
205 * RegionSize = The number of bytes to allocate
206 * AllocationType = Indicates the type of virtual memory you would like to allocate,
207 * can be one of the values : MEM_COMMIT, MEM_RESERVE, MEM_RESET, MEM_TOP_DOWN
208 * Protect = Indicates the protection type of the pages allocated, can be a combination of
209 * PAGE_READONLY, PAGE_READWRITE, PAGE_EXECUTE_READ,
210 * PAGE_EXECUTE_READWRITE, PAGE_GUARD, PAGE_NOACCESS, PAGE_NOACCESS
212 * This function maps to the win32 VirtualAllocEx. Virtual memory is process based so the
213 * protocol starts with a ProcessHandle. I split the functionality of obtaining the actual address and specifying
214 * the start address in two parameters ( BaseAddress and StartAddress ). The NumberOfBytesAllocated specifies the range
215 * and the AllocationType and ProtectionType map to the other two parameters.
220 NtAllocateVirtualMemory (
221 IN HANDLE ProcessHandle
,
222 IN OUT PVOID
*BaseAddress
,
224 IN OUT PULONG RegionSize
,
225 IN ULONG AllocationType
,
231 ZwAllocateVirtualMemory (
232 IN HANDLE ProcessHandle
,
233 IN OUT PVOID
*BaseAddress
,
235 IN OUT PULONG RegionSize
,
236 IN ULONG AllocationType
,
240 * FUNCTION: Returns from a callback into user mode
244 //FIXME: this function might need 3 parameters
245 NTSTATUS STDCALL
NtCallbackReturn(PVOID Result
,
249 NTSTATUS STDCALL
ZwCallbackReturn(PVOID Result
,
254 * FUNCTION: Cancels an IO request
256 * FileHandle = Handle to the file
260 * This function maps to the win32 CancelIo.
266 IN HANDLE FileHandle
,
267 OUT PIO_STATUS_BLOCK IoStatusBlock
273 IN HANDLE FileHandle
,
274 OUT PIO_STATUS_BLOCK IoStatusBlock
278 * FUNCTION: Sets the status of the event back to non-signaled
280 * EventHandle = Handle to the event
282 * This function maps to win32 function ResetEvent.
289 IN HANDLE EventHandle
295 IN HANDLE EventHandle
299 * FUNCTION: Closes an object handle
301 * Handle = Handle to the object
303 * This function maps to the win32 function CloseHandle.
320 * FUNCTION: Generates an audit message when a handle to an object is dereferenced
323 HandleId = Handle to the object
326 * This function maps to the win32 function ObjectCloseAuditAlarm.
332 NtCloseObjectAuditAlarm(
333 IN PUNICODE_STRING SubsystemName
,
335 IN BOOLEAN GenerateOnClose
340 ZwCloseObjectAuditAlarm(
341 IN PUNICODE_STRING SubsystemName
,
343 IN BOOLEAN GenerateOnClose
347 * FUNCTION: Creates a directory object
349 * DirectoryHandle (OUT) = Caller supplied storage for the resulting handle
350 * DesiredAccess = Specifies access to the directory
351 * ObjectAttribute = Initialized attributes for the object
352 * REMARKS: This function maps to the win32 CreateDirectory. A directory is like a file so it needs a
353 * handle, an access mask and an OBJECT_ATTRIBUTES structure to map the path name and the SECURITY_ATTRIBUTES.
359 NtCreateDirectoryObject(
360 OUT PHANDLE DirectoryHandle
,
361 IN ACCESS_MASK DesiredAccess
,
362 IN POBJECT_ATTRIBUTES ObjectAttributes
367 ZwCreateDirectoryObject(
368 OUT PHANDLE DirectoryHandle
,
369 IN ACCESS_MASK DesiredAccess
,
370 IN POBJECT_ATTRIBUTES ObjectAttributes
374 * FUNCTION: Creates an event object
376 * EventHandle (OUT) = Caller supplied storage for the resulting handle
377 * DesiredAccess = Specifies access to the event
378 * ObjectAttribute = Initialized attributes for the object
379 * ManualReset = manual-reset or auto-reset. If true you have to reset the state of the event manually
380 * using NtResetEvent/NtClearEvent. If false the system will reset the event to a non-signalled state
381 * automatically after the system has rescheduled a thread waiting on the event.
382 * InitialState = specifies the initial state of the event to be signaled ( TRUE ) or non-signalled (FALSE).
383 * REMARKS: This function maps to the win32 CreateEvent. It requires an out variable of type HANDLE,
384 * an access mask and an OBJECT_ATTRIBUTES structure mapping to the SECURITY_ATTRIBUTES. ManualReset and InitialState are
385 * both parameters as well ( possibly the order is reversed ).
392 OUT PHANDLE EventHandle
,
393 IN ACCESS_MASK DesiredAccess
,
394 IN POBJECT_ATTRIBUTES ObjectAttributes
,
395 IN BOOLEAN ManualReset
,
396 IN BOOLEAN InitialState
402 OUT PHANDLE EventHandle
,
403 IN ACCESS_MASK DesiredAccess
,
404 IN POBJECT_ATTRIBUTES ObjectAttributes
,
405 IN BOOLEAN ManualReset
,
406 IN BOOLEAN InitialState
410 * FUNCTION: Creates an eventpair object
412 * EventPairHandle (OUT) = Caller supplied storage for the resulting handle
413 * DesiredAccess = Specifies access to the event
414 * ObjectAttribute = Initialized attributes for the object
420 OUT PHANDLE EventPairHandle
,
421 IN ACCESS_MASK DesiredAccess
,
422 IN POBJECT_ATTRIBUTES ObjectAttributes
428 OUT PHANDLE EventPairHandle
,
429 IN ACCESS_MASK DesiredAccess
,
430 IN POBJECT_ATTRIBUTES ObjectAttributes
435 * FUNCTION: Creates or opens a file, directory or device object.
437 * FileHandle (OUT) = Caller supplied storage for the resulting handle
438 * DesiredAccess = Specifies the allowed or desired access to the file can
439 * be a combination of DELETE | FILE_READ_DATA ..
440 * ObjectAttribute = Initialized attributes for the object, contains the rootdirectory and the filename
441 * IoStatusBlock (OUT) = Caller supplied storage for the resulting status information, indicating if
442 * the file is created and opened or already existed and is just opened.
443 * FileAttributes = file attributes can be a combination of FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN ...
444 * ShareAccess = can be a combination of the following: FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE
445 * CreateDisposition = specifies the behavior of the system if the file already exists.
446 * CreateOptions = specifies the behavior of the system on file creation.
447 * EaBuffer (OPTIONAL) = Extended Attributes buffer, applies only to files and directories.
448 * EaLength = Extended Attributes buffer size, applies only to files and directories.
449 * REMARKS: This function maps to the win32 CreateFile.
456 OUT PHANDLE FileHandle
,
457 IN ACCESS_MASK DesiredAccess
,
458 IN POBJECT_ATTRIBUTES ObjectAttributes
,
459 OUT PIO_STATUS_BLOCK IoStatusBlock
,
460 IN PLARGE_INTEGER AllocationSize OPTIONAL
,
461 IN ULONG FileAttributes
,
462 IN ULONG ShareAccess
,
463 IN ULONG CreateDisposition
,
464 IN ULONG CreateOptions
,
465 IN PVOID EaBuffer OPTIONAL
,
472 OUT PHANDLE FileHandle
,
473 IN ACCESS_MASK DesiredAccess
,
474 IN POBJECT_ATTRIBUTES ObjectAttributes
,
475 OUT PIO_STATUS_BLOCK IoStatusBlock
,
476 IN PLARGE_INTEGER AllocationSize OPTIONAL
,
477 IN ULONG FileAttributes
,
478 IN ULONG ShareAccess
,
479 IN ULONG CreateDisposition
,
480 IN ULONG CreateOptions
,
481 IN PVOID EaBuffer OPTIONAL
,
486 * FUNCTION: Creates an I/O completion port.
488 * CompletionPort (OUT) = Caller supplied storage for the resulting handle
489 * DesiredAccess = Specifies the allowed or desired access to the port
491 * NumberOfConcurrentThreads =
492 * REMARKS: This function maps to the win32 CreateIoCompletionPort
499 NtCreateIoCompletion(
500 OUT PHANDLE IoCompletionHandle
,
501 IN ACCESS_MASK DesiredAccess
,
502 IN POBJECT_ATTRIBUTES ObjectAttributes
,
503 IN ULONG NumberOfConcurrentThreads
508 ZwCreateIoCompletion(
509 OUT PHANDLE IoCompletionHandle
,
510 IN ACCESS_MASK DesiredAccess
,
511 IN POBJECT_ATTRIBUTES ObjectAttributes
,
512 IN ULONG NumberOfConcurrentThreads
516 * FUNCTION: Creates a registry key
518 * KeyHandle (OUT) = Caller supplied storage for the resulting handle
519 * DesiredAccess = Specifies the allowed or desired access to the key
520 * It can have a combination of the following values:
521 * KEY_READ | KEY_WRITE | KEY_EXECUTE | KEY_ALL_ACCESS
523 * KEY_QUERY_VALUE The values of the key can be queried.
524 * KEY_SET_VALUE The values of the key can be modified.
525 * KEY_CREATE_SUB_KEYS The key may contain subkeys.
526 * KEY_ENUMERATE_SUB_KEYS Subkeys can be queried.
528 * KEY_CREATE_LINK A symbolic link to the key can be created.
529 * ObjectAttributes = The name of the key may be specified directly in the name field
530 * of object attributes or relative to a key in rootdirectory.
531 * TitleIndex = Might specify the position in the sequential order of subkeys.
532 * Class = Specifies the kind of data, for example REG_SZ for string data. [ ??? ]
533 * CreateOptions = Specifies additional options with which the key is created
534 * REG_OPTION_VOLATILE The key is not preserved across boots.
535 * REG_OPTION_NON_VOLATILE The key is preserved across boots.
536 * REG_OPTION_CREATE_LINK The key is a symbolic link to another key.
537 * REG_OPTION_BACKUP_RESTORE Key is being opened or created for backup/restore operations.
538 * Disposition = Indicates if the call to NtCreateKey resulted in the creation of a key. It
539 * can have the following values: REG_CREATED_NEW_KEY | REG_OPENED_EXISTING_KEY
545 NtCreateKey(OUT PHANDLE KeyHandle
,
546 IN ACCESS_MASK DesiredAccess
,
547 IN POBJECT_ATTRIBUTES ObjectAttributes
,
549 IN PUNICODE_STRING Class OPTIONAL
,
550 IN ULONG CreateOptions
,
551 IN PULONG Disposition OPTIONAL
);
554 ZwCreateKey(OUT PHANDLE KeyHandle
,
555 IN ACCESS_MASK DesiredAccess
,
556 IN POBJECT_ATTRIBUTES ObjectAttributes
,
558 IN PUNICODE_STRING Class OPTIONAL
,
559 IN ULONG CreateOptions
,
560 IN PULONG Disposition OPTIONAL
);
563 * FUNCTION: Creates a mail slot file
565 * MailSlotFileHandle (OUT) = Caller supplied storage for the resulting handle
566 * DesiredAccess = Specifies the allowed or desired access to the file
567 * ObjectAttributes = Contains the name of the mailslotfile.
574 * REMARKS: This function maps to the win32 function CreateMailSlot
581 NtCreateMailslotFile(
582 OUT PHANDLE MailSlotFileHandle
,
583 IN ACCESS_MASK DesiredAccess
,
584 IN POBJECT_ATTRIBUTES ObjectAttributes
,
585 OUT PIO_STATUS_BLOCK IoStatusBlock
,
586 IN ULONG FileAttributes
,
587 IN ULONG ShareAccess
,
588 IN ULONG MaxMessageSize
,
589 IN PLARGE_INTEGER TimeOut
594 ZwCreateMailslotFile(
595 OUT PHANDLE MailSlotFileHandle
,
596 IN ACCESS_MASK DesiredAccess
,
597 IN POBJECT_ATTRIBUTES ObjectAttributes
,
598 OUT PIO_STATUS_BLOCK IoStatusBlock
,
599 IN ULONG FileAttributes
,
600 IN ULONG ShareAccess
,
601 IN ULONG MaxMessageSize
,
602 IN PLARGE_INTEGER TimeOut
606 * FUNCTION: Creates or opens a mutex
608 * MutantHandle (OUT) = Caller supplied storage for the resulting handle
609 * DesiredAccess = Specifies the allowed or desired access to the port
610 * ObjectAttributes = Contains the name of the mutex.
611 * InitialOwner = If true the calling thread acquires ownership
613 * REMARKS: This function maps to the win32 function CreateMutex
620 OUT PHANDLE MutantHandle
,
621 IN ACCESS_MASK DesiredAccess
,
622 IN POBJECT_ATTRIBUTES ObjectAttributes
,
623 IN BOOLEAN InitialOwner
629 OUT PHANDLE MutantHandle
,
630 IN ACCESS_MASK DesiredAccess
,
631 IN POBJECT_ATTRIBUTES ObjectAttributes
,
632 IN BOOLEAN InitialOwner
636 * FUNCTION: Creates a process.
638 * ProcessHandle (OUT) = Caller supplied storage for the resulting handle
639 * DesiredAccess = Specifies the allowed or desired access to the process; can
640 * be a combination of STANDARD_RIGHTS_REQUIRED| ..
641 * ObjectAttribute = Initialized attributes for the object, contains the rootdirectory and the filename
642 * ParentProcess = Handle to the parent process.
643 * InheritObjectTable = Specifies to inherit the objects of the parent process if true.
644 * SectionHandle = Handle to a section object to back the image file
645 * DebugPort = Handle to a DebugPort; if NULL the system default debug port will be used.
646 * ExceptionPort = Handle to an exception port.
648 * This function maps to the win32 CreateProcess.
654 OUT PHANDLE ProcessHandle
,
655 IN ACCESS_MASK DesiredAccess
,
656 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
,
657 IN HANDLE ParentProcess
,
658 IN BOOLEAN InheritObjectTable
,
659 IN HANDLE SectionHandle OPTIONAL
,
660 IN HANDLE DebugPort OPTIONAL
,
661 IN HANDLE ExceptionPort OPTIONAL
667 OUT PHANDLE ProcessHandle
,
668 IN ACCESS_MASK DesiredAccess
,
669 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
,
670 IN HANDLE ParentProcess
,
671 IN BOOLEAN InheritObjectTable
,
672 IN HANDLE SectionHandle OPTIONAL
,
673 IN HANDLE DebugPort OPTIONAL
,
674 IN HANDLE ExceptionPort OPTIONAL
678 * FUNCTION: Creates a section object.
680 * SectionHandle (OUT) = Caller supplied storage for the resulting handle
681 * DesiredAccess = Specifies the desired access to the section can be a combination of STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_WRITE |
682 * SECTION_MAP_READ | SECTION_MAP_EXECUTE.
683 * ObjectAttribute = Initialized attributes for the object can be used to create a named section
684 * MaximumSize = Maximum size of the memory section. Must be non-NULL for a page-file backed section.
685 * If value specified for a mapped file and the file is not large enough, file will be extended.
686 * SectionPageProtection = Can be a combination of PAGE_READONLY | PAGE_READWRITE | PAGE_WRITEONLY | PAGE_WRITECOPY.
687 * AllocationAttributes = can be a combination of SEC_IMAGE | SEC_RESERVE
688 * FileHandle = Handle to a file to create a section mapped to a file instead of a memory backed section.
695 OUT PHANDLE SectionHandle
,
696 IN ACCESS_MASK DesiredAccess
,
697 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
,
698 IN PLARGE_INTEGER MaximumSize OPTIONAL
,
699 IN ULONG SectionPageProtection OPTIONAL
,
700 IN ULONG AllocationAttributes
,
701 IN HANDLE FileHandle OPTIONAL
707 OUT PHANDLE SectionHandle
,
708 IN ACCESS_MASK DesiredAccess
,
709 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
,
710 IN PLARGE_INTEGER MaximumSize OPTIONAL
,
711 IN ULONG SectionPageProtection OPTIONAL
,
712 IN ULONG AllocationAttributes
,
713 IN HANDLE FileHandle OPTIONAL
717 * FUNCTION: Creates a semaphore object for interprocess synchronization.
719 * SemaphoreHandle (OUT) = Caller supplied storage for the resulting handle
720 * DesiredAccess = Specifies the allowed or desired access to the semaphore.
721 * ObjectAttribute = Initialized attributes for the object.
722 * InitialCount = Not necessarily zero, might be smaller than zero.
723 * MaximumCount = Maximum count the semaphore can reach.
726 * The semaphore is set to signaled when its count is greater than zero, and non-signaled when its count is zero.
729 //FIXME: should a semaphore's initial count be allowed to be smaller than zero ??
733 OUT PHANDLE SemaphoreHandle
,
734 IN ACCESS_MASK DesiredAccess
,
735 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
,
736 IN LONG InitialCount
,
743 OUT PHANDLE SemaphoreHandle
,
744 IN ACCESS_MASK DesiredAccess
,
745 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
,
746 IN LONG InitialCount
,
751 * FUNCTION: Creates a symbolic link object
753 * SymbolicLinkHandle (OUT) = Caller supplied storage for the resulting handle
754 * DesiredAccess = Specifies the allowed or desired access to the thread.
755 * ObjectAttributes = Initialized attributes for the object.
756 * Name = Target name of the symbolic link
761 NtCreateSymbolicLinkObject(
762 OUT PHANDLE SymbolicLinkHandle
,
763 IN ACCESS_MASK DesiredAccess
,
764 IN POBJECT_ATTRIBUTES ObjectAttributes
,
765 IN PUNICODE_STRING Name
770 ZwCreateSymbolicLinkObject(
771 OUT PHANDLE SymbolicLinkHandle
,
772 IN ACCESS_MASK DesiredAccess
,
773 IN POBJECT_ATTRIBUTES ObjectAttributes
,
774 IN PUNICODE_STRING Name
778 * FUNCTION: Creates a waitable timer.
780 * TimerHandle (OUT) = Caller supplied storage for the resulting handle
781 * DesiredAccess = Specifies the allowed or desired access to the timer.
782 * ObjectAttributes = Initialized attributes for the object.
783 * TimerType = Specifies if the timer should be reset manually.
785 * This function maps to the win32 CreateWaitableTimer. lpTimerAttributes and lpTimerName map to
786 * corresponding fields in OBJECT_ATTRIBUTES structure.
792 OUT PHANDLE TimerHandle
,
793 IN ACCESS_MASK DesiredAccess
,
794 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
,
795 IN TIMER_TYPE TimerType
801 OUT PHANDLE TimerHandle
,
802 IN ACCESS_MASK DesiredAccess
,
803 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
,
804 IN TIMER_TYPE TimerType
808 * FUNCTION: Creates a token.
810 * TokenHandle (OUT) = Caller supplied storage for the resulting handle
811 * DesiredAccess = Specifies the allowed or desired access to the process; can
812 * be a combination of STANDARD_RIGHTS_REQUIRED| ..
813 * ObjectAttribute = Initialized attributes for the object, contains the rootdirectory and the filename
821 * TokenPrimaryGroup =
825 * This function does not map to a win32 function
832 OUT PHANDLE TokenHandle
,
833 IN ACCESS_MASK DesiredAccess
,
834 IN POBJECT_ATTRIBUTES ObjectAttributes
,
835 IN TOKEN_TYPE TokenType
,
836 IN PLUID AuthenticationId
,
837 IN PLARGE_INTEGER ExpirationTime
,
838 IN PTOKEN_USER TokenUser
,
839 IN PTOKEN_GROUPS TokenGroups
,
840 IN PTOKEN_PRIVILEGES TokenPrivileges
,
841 IN PTOKEN_OWNER TokenOwner
,
842 IN PTOKEN_PRIMARY_GROUP TokenPrimaryGroup
,
843 IN PTOKEN_DEFAULT_DACL TokenDefaultDacl
,
844 IN PTOKEN_SOURCE TokenSource
850 OUT PHANDLE TokenHandle
,
851 IN ACCESS_MASK DesiredAccess
,
852 IN POBJECT_ATTRIBUTES ObjectAttributes
,
853 IN TOKEN_TYPE TokenType
,
854 IN PLUID AuthenticationId
,
855 IN PLARGE_INTEGER ExpirationTime
,
856 IN PTOKEN_USER TokenUser
,
857 IN PTOKEN_GROUPS TokenGroups
,
858 IN PTOKEN_PRIVILEGES TokenPrivileges
,
859 IN PTOKEN_OWNER TokenOwner
,
860 IN PTOKEN_PRIMARY_GROUP TokenPrimaryGroup
,
861 IN PTOKEN_DEFAULT_DACL TokenDefaultDacl
,
862 IN PTOKEN_SOURCE TokenSource
866 * FUNCTION: Returns the caller's thread TEB.
867 * RETURNS: The resulting teb.
877 * FUNCTION: Deletes an atom from the global atom table
879 * Atom = Identifies the atom to delete
881 * The function maps to the win32 GlobalDeleteAtom
897 * FUNCTION: Deletes a file or a directory
899 * ObjectAttributes = Name of the file which should be deleted
901 * This system call is functionally equivalent to NtSetInformationFile
902 * setting the disposition information.
903 * The function maps to the win32 DeleteFile.
909 IN POBJECT_ATTRIBUTES ObjectAttributes
915 IN POBJECT_ATTRIBUTES ObjectAttributes
919 * FUNCTION: Deletes a registry key
921 * KeyHandle = Handle of the key
936 * FUNCTION: Generates an audit message when an object is deleted
938 * SubsystemName = Specifies the name of the subsystem; can be 'WIN32' or 'DEBUG'
939 * HandleId= Handle to an audit object
940 * GenerateOnClose = Value returned by NtAccessCheckAndAuditAlarm
941 * REMARKS: This function maps to the win32 ObjectCloseAuditAlarm
947 NtDeleteObjectAuditAlarm (
948 IN PUNICODE_STRING SubsystemName
,
950 IN BOOLEAN GenerateOnClose
955 ZwDeleteObjectAuditAlarm (
956 IN PUNICODE_STRING SubsystemName
,
958 IN BOOLEAN GenerateOnClose
963 * FUNCTION: Deletes a value from a registry key
965 * KeyHandle = Handle of the key
966 * ValueName = Name of the value to delete
974 IN PUNICODE_STRING ValueName
981 IN PUNICODE_STRING ValueName
984 * FUNCTION: Sends IOCTL to the io sub system
986 * DeviceHandle = Points to the handle that is created by NtCreateFile
987 * Event = Event to synchronize on STATUS_PENDING
988 * ApcRoutine = Asynchronous procedure callback
989 * ApcContext = Callback context.
990 * IoStatusBlock = Caller should supply storage for extra information..
991 * IoControlCode = Contains the IO Control command. This is an
992 * index to the structures in InputBuffer and OutputBuffer.
993 * InputBuffer = Caller should supply storage for input buffer if IOCTL expects one.
994 * InputBufferSize = Size of the input buffer
995 * OutputBuffer = Caller should supply storage for output buffer if IOCTL expects one.
996 * OutputBufferSize = Size of the output buffer
1002 NtDeviceIoControlFile(
1003 IN HANDLE DeviceHandle
,
1004 IN HANDLE Event OPTIONAL
,
1005 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL
,
1006 IN PVOID UserApcContext OPTIONAL
,
1007 OUT PIO_STATUS_BLOCK IoStatusBlock
,
1008 IN ULONG IoControlCode
,
1009 IN PVOID InputBuffer
,
1010 IN ULONG InputBufferSize
,
1011 OUT PVOID OutputBuffer
,
1012 IN ULONG OutputBufferSize
1017 ZwDeviceIoControlFile(
1018 IN HANDLE DeviceHandle
,
1019 IN HANDLE Event OPTIONAL
,
1020 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL
,
1021 IN PVOID UserApcContext OPTIONAL
,
1022 OUT PIO_STATUS_BLOCK IoStatusBlock
,
1023 IN ULONG IoControlCode
,
1024 IN PVOID InputBuffer
,
1025 IN ULONG InputBufferSize
,
1026 OUT PVOID OutputBuffer
,
1027 IN ULONG OutputBufferSize
1030 * FUNCTION: Displays a string on the blue screen
1032 * DisplayString = The string to display
1039 IN PUNICODE_STRING DisplayString
1045 IN PUNICODE_STRING DisplayString
1049 * FUNCTION: Returns information about the subkeys of an open key
1051 * KeyHandle = Handle of the key whose subkeys are to be enumerated
1052 * Index = zero based index of the subkey for which information is
1054 * KeyInformationClass = Type of information returned
1055 * KeyInformation (OUT) = Caller allocated buffer for the information
1057 * Length = Length in bytes of the KeyInformation buffer
1058 * ResultLength (OUT) = Caller allocated storage which holds
1059 * the number of bytes of information retrieved
1066 IN HANDLE KeyHandle
,
1068 IN KEY_INFORMATION_CLASS KeyInformationClass
,
1069 OUT PVOID KeyInformation
,
1071 OUT PULONG ResultLength
1077 IN HANDLE KeyHandle
,
1079 IN KEY_INFORMATION_CLASS KeyInformationClass
,
1080 OUT PVOID KeyInformation
,
1082 OUT PULONG ResultLength
1085 * FUNCTION: Returns information about the value entries of an open key
1087 * KeyHandle = Handle of the key whose value entries are to be enumerated
1088 * Index = zero based index of the subkey for which information is
1090 * KeyInformationClass = Type of information returned
1091 * KeyInformation (OUT) = Caller allocated buffer for the information
1093 * Length = Length in bytes of the KeyInformation buffer
1094 * ResultLength (OUT) = Caller allocated storage which holds
1095 * the number of bytes of information retrieved
1101 NtEnumerateValueKey(
1102 IN HANDLE KeyHandle
,
1104 IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass
,
1105 OUT PVOID KeyValueInformation
,
1107 OUT PULONG ResultLength
1112 ZwEnumerateValueKey(
1113 IN HANDLE KeyHandle
,
1115 IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass
,
1116 OUT PVOID KeyValueInformation
,
1118 OUT PULONG ResultLength
1122 * FUNCTION: Flushes cached file data to disk
1124 * FileHandle = Points to the file
1125 * IoStatusBlock = Caller must supply storage to receive the result of the flush
1126 * buffers operation. The information field is set to number of bytes
1130 * This function maps to the win32 FlushFileBuffers
1135 IN HANDLE FileHandle
,
1136 OUT PIO_STATUS_BLOCK IoStatusBlock
1142 IN HANDLE FileHandle
,
1143 OUT PIO_STATUS_BLOCK IoStatusBlock
1147 * FUNCTION: Flushes a registry key to disk
1149 * KeyHandle = Points to the registry key handle
1152 * This function maps to the win32 RegFlushKey.
1167 * FUNCTION: Flushes the dirty pages to file
1169 * FIXME: Not sure what this does (how is the file specified)
1171 NTSTATUS STDCALL
NtFlushWriteBuffer(VOID
);
1172 NTSTATUS STDCALL
ZwFlushWriteBuffer(VOID
);
1175 * FUNCTION: Frees a range of virtual memory
1177 * ProcessHandle = Points to the process that allocated the virtual
1179 * BaseAddress = Points to the memory address, rounded down to a
1180 * multiple of the pagesize
1181 * RegionSize = Limits the range to free, rounded up to a multiple of
1183 * FreeType = Can be one of the values: MEM_DECOMMIT, or MEM_RELEASE
1186 NTSTATUS STDCALL
NtFreeVirtualMemory(IN HANDLE ProcessHandle
,
1187 IN PVOID
*BaseAddress
,
1188 IN PULONG RegionSize
,
1190 NTSTATUS STDCALL
ZwFreeVirtualMemory(IN HANDLE ProcessHandle
,
1191 IN PVOID
*BaseAddress
,
1192 IN PULONG RegionSize
,
1196 * FUNCTION: Sends FSCTL to the filesystem
1198 * DeviceHandle = Points to the handle that is created by NtCreateFile
1199 * Event = Event to synchronize on STATUS_PENDING
1202 * IoStatusBlock = Caller should supply storage for
1203 * IoControlCode = Contains the File System Control command. This is an
1204 * index to the structures in InputBuffer and OutputBuffer.
1205 * FSCTL_GET_RETRIEVAL_POINTERS MAPPING_PAIR
1206 * FSCTL_GET_RETRIEVAL_POINTERS GET_RETRIEVAL_DESCRIPTOR
1207 * FSCTL_GET_VOLUME_BITMAP BITMAP_DESCRIPTOR
1208 * FSCTL_MOVE_FILE MOVEFILE_DESCRIPTOR
1210 * InputBuffer = Caller should supply storage for input buffer if FSCTL expects one.
1211 * InputBufferSize = Size of the input buffer
1212 * OutputBuffer = Caller should supply storage for output buffer if FSCTL expects one.
1213 * OutputBufferSize = Size of the output buffer
1214 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PENDING | STATUS_ACCESS_DENIED | STATUS_INSUFFICIENT_RESOURCES |
1215 * STATUS_INVALID_PARAMETER | STATUS_INVALID_DEVICE_REQUEST ]
1220 IN HANDLE DeviceHandle
,
1221 IN HANDLE Event OPTIONAL
,
1222 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
1223 IN PVOID ApcContext OPTIONAL
,
1224 OUT PIO_STATUS_BLOCK IoStatusBlock
,
1225 IN ULONG IoControlCode
,
1226 IN PVOID InputBuffer
,
1227 IN ULONG InputBufferSize
,
1228 OUT PVOID OutputBuffer
,
1229 IN ULONG OutputBufferSize
1235 IN HANDLE DeviceHandle
,
1236 IN HANDLE Event OPTIONAL
,
1237 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
1238 IN PVOID ApcContext OPTIONAL
,
1239 OUT PIO_STATUS_BLOCK IoStatusBlock
,
1240 IN ULONG IoControlCode
,
1241 IN PVOID InputBuffer
,
1242 IN ULONG InputBufferSize
,
1243 OUT PVOID OutputBuffer
,
1244 IN ULONG OutputBufferSize
1248 * FUNCTION: Retrieves the processor context of a thread
1250 * ThreadHandle = Handle to a thread
1251 * Context (OUT) = Caller allocated storage for the processor context
1258 IN HANDLE ThreadHandle
,
1259 OUT PCONTEXT Context
1265 IN HANDLE ThreadHandle
,
1266 OUT PCONTEXT Context
1270 * FUNCTION: Sets a thread to impersonate another
1272 * ThreadHandle = Server thread that will impersonate a client.
1273 ThreadToImpersonate = Client thread that will be impersonated
1274 SecurityQualityOfService = Specifies the impersonation level.
1280 NtImpersonateThread(
1281 IN HANDLE ThreadHandle
,
1282 IN HANDLE ThreadToImpersonate
,
1283 IN PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService
1288 ZwImpersonateThread(
1289 IN HANDLE ThreadHandle
,
1290 IN HANDLE ThreadToImpersonate
,
1291 IN PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService
1295 * FUNCTION: Initializes the registry.
1297 * SetUpBoot = This parameter is true for a setup boot.
1302 NtInitializeRegistry(
1307 ZwInitializeRegistry(
1312 * FUNCTION: Loads a driver.
1314 * DriverServiceName = Name of the driver to load
1320 IN PUNICODE_STRING DriverServiceName
1326 IN PUNICODE_STRING DriverServiceName
1330 * FUNCTION: Locks a range of bytes in a file.
1332 * FileHandle = Handle to the file
1333 * Event = Should be null if apc is specified.
1334 * ApcRoutine = Asynchronous Procedure Callback
1335 * ApcContext = Argument to the callback
1336 * IoStatusBlock (OUT) = Caller should supply storage for a structure containing
1337 * the completion status and information about the requested lock operation.
1338 * ByteOffset = Offset
1339 * Length = Number of bytes to lock.
1340 * Key = Special value to give other threads the possibility to unlock the file
1341 by supplying the key in a call to NtUnlockFile.
1342 * FailImmediatedly = If false the request will block until the lock is obtained.
1343 * ExclusiveLock = Specifies whether an exclusive or a shared lock is obtained.
1345 This procedure maps to the win32 procedure LockFileEx. STATUS_PENDING is returned if the lock could
1346 not be obtained immediately, the device queue is busy and the IRP is queued.
1347 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PENDING | STATUS_ACCESS_DENIED | STATUS_INSUFFICIENT_RESOURCES |
1348 STATUS_INVALID_PARAMETER | STATUS_INVALID_DEVICE_REQUEST | STATUS_LOCK_NOT_GRANTED ]
1354 IN HANDLE FileHandle
,
1355 IN HANDLE Event OPTIONAL
,
1356 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
1357 IN PVOID ApcContext OPTIONAL
,
1358 OUT PIO_STATUS_BLOCK IoStatusBlock
,
1359 IN PLARGE_INTEGER ByteOffset
,
1360 IN PLARGE_INTEGER Length
,
1362 IN BOOLEAN FailImmediatedly
,
1363 IN BOOLEAN ExclusiveLock
1369 IN HANDLE FileHandle
,
1370 IN HANDLE Event OPTIONAL
,
1371 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
1372 IN PVOID ApcContext OPTIONAL
,
1373 OUT PIO_STATUS_BLOCK IoStatusBlock
,
1374 IN PLARGE_INTEGER ByteOffset
,
1375 IN PLARGE_INTEGER Length
,
1377 IN BOOLEAN FailImmediatedly
,
1378 IN BOOLEAN ExclusiveLock
1382 * FUNCTION: Makes temporary object that will be removed at next boot.
1384 * Handle = Handle to object
1390 NtMakeTemporaryObject(
1396 ZwMakeTemporaryObject(
1400 * FUNCTION: Maps a view of a section into the virtual address space of a
1403 * SectionHandle = Handle of the section
1404 * ProcessHandle = Handle of the process
1405 * BaseAddress = Desired base address (or NULL) on entry
1406 * Actual base address of the view on exit
1407 * ZeroBits = Number of high order address bits that must be zero
1408 * CommitSize = Size in bytes of the initially committed section of
1410 * SectionOffset = Offset in bytes from the beginning of the section
1411 * to the beginning of the view
1412 * ViewSize = Desired length of map (or zero to map all) on entry
1413 * Actual length mapped on exit
1414 * InheritDisposition = Specifies how the view is to be shared with
1416 * AllocationType = Type of allocation for the pages
1417 * AccessProtection = Protection for the committed region of the view
1423 IN HANDLE SectionHandle
,
1424 IN HANDLE ProcessHandle
,
1425 IN OUT PVOID
*BaseAddress
,
1427 IN ULONG CommitSize
,
1428 IN OUT PLARGE_INTEGER SectionOffset OPTIONAL
,
1429 IN OUT PULONG ViewSize
,
1430 IN SECTION_INHERIT InheritDisposition
,
1431 IN ULONG AllocationType
,
1432 IN ULONG AccessProtection
1438 IN HANDLE SectionHandle
,
1439 IN HANDLE ProcessHandle
,
1440 IN OUT PVOID
*BaseAddress
,
1442 IN ULONG CommitSize
,
1443 IN OUT PLARGE_INTEGER SectionOffset OPTIONAL
,
1444 IN OUT PULONG ViewSize
,
1445 IN SECTION_INHERIT InheritDisposition
,
1446 IN ULONG AllocationType
,
1447 IN ULONG AccessProtection
1451 * FUNCTION: Installs a notify for the change of a directory's contents
1453 * FileHandle = Handle to the directory
1455 * ApcRoutine = Asynchronous procedure callback
1456 * ApcContext = Argument to the callback
1458 * IoStatusBlock = Caller supplies storage for the completion status
1459 * Buffer = Caller supplies storage for resulting information --> FILE_NOTIFY_INFORMATION
1460 * BufferSize = Size of the buffer
1461 CompletionFilter = Can be one of the following values:
1462 FILE_NOTIFY_CHANGE_FILE_NAME
1463 FILE_NOTIFY_CHANGE_DIR_NAME
1464 FILE_NOTIFY_CHANGE_NAME ( FILE_NOTIFY_CHANGE_FILE_NAME | FILE_NOTIFY_CHANGE_DIR_NAME )
1465 FILE_NOTIFY_CHANGE_ATTRIBUTES
1466 FILE_NOTIFY_CHANGE_SIZE
1467 FILE_NOTIFY_CHANGE_LAST_WRITE
1468 FILE_NOTIFY_CHANGE_LAST_ACCESS
1469 FILE_NOTIFY_CHANGE_CREATION ( change of creation timestamp )
1470 FILE_NOTIFY_CHANGE_EA
1471 FILE_NOTIFY_CHANGE_SECURITY
1472 FILE_NOTIFY_CHANGE_STREAM_NAME
1473 FILE_NOTIFY_CHANGE_STREAM_SIZE
1474 FILE_NOTIFY_CHANGE_STREAM_WRITE
1475 WatchTree = If true the notify will be installed recursively on the target directory and all its subdirectories.
1478 * The function maps to the win32 FindFirstChangeNotification, FindNextChangeNotification
1483 NtNotifyChangeDirectoryFile(
1484 IN HANDLE FileHandle
,
1485 IN HANDLE Event OPTIONAL
,
1486 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
1487 IN PVOID ApcContext OPTIONAL
,
1488 OUT PIO_STATUS_BLOCK IoStatusBlock
,
1490 IN ULONG BufferSize
,
1491 IN ULONG CompletionFilter
,
1492 IN BOOLEAN WatchTree
1497 ZwNotifyChangeDirectoryFile(
1498 IN HANDLE FileHandle
,
1499 IN HANDLE Event OPTIONAL
,
1500 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
1501 IN PVOID ApcContext OPTIONAL
,
1502 OUT PIO_STATUS_BLOCK IoStatusBlock
,
1504 IN ULONG BufferSize
,
1505 IN ULONG CompletionFilter
,
1506 IN BOOLEAN WatchTree
1510 * FUNCTION: Installs a notification callback on registry changes
1512 KeyHandle = Handle to the registry key
1513 Event = Event that should be signalled on modification of the key
1514 ApcRoutine = Routine that should be called on modification of the key
1515 ApcContext = Argument to the ApcRoutine
1517 CompletionFilter = Specifies the kind of notification the caller likes to receive.
1518 Can be a combination of the following values:
1520 REG_NOTIFY_CHANGE_NAME
1521 REG_NOTIFY_CHANGE_ATTRIBUTES
1522 REG_NOTIFY_CHANGE_LAST_SET
1523 REG_NOTIFY_CHANGE_SECURITY
1526 Asynchroneous = If TRUE the changes are reported by signalling an event if false
1527 the function will not return before a change occurs.
1528 ChangeBuffer = Will return the old value
1529 Length = Size of the change buffer
1530 WatchSubtree = Indicates if the caller likes to receive a notification of changes in
1532 * REMARKS: If the key is closed the event is signalled as well.
1539 IN HANDLE KeyHandle
,
1541 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
1542 IN PVOID ApcContext OPTIONAL
,
1543 OUT PIO_STATUS_BLOCK IoStatusBlock
,
1544 IN ULONG CompletionFilter
,
1545 IN BOOLEAN Asynchroneous
,
1546 OUT PVOID ChangeBuffer
,
1548 IN BOOLEAN WatchSubtree
1554 IN HANDLE KeyHandle
,
1556 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
1557 IN PVOID ApcContext OPTIONAL
,
1558 OUT PIO_STATUS_BLOCK IoStatusBlock
,
1559 IN ULONG CompletionFilter
,
1560 IN BOOLEAN Asynchroneous
,
1561 OUT PVOID ChangeBuffer
,
1563 IN BOOLEAN WatchSubtree
1567 * FUNCTION: Opens an existing directory object
1569 * FileHandle (OUT) = Caller supplied storage for the resulting handle
1570 * DesiredAccess = Requested access to the directory
1571 * ObjectAttributes = Initialized attributes for the object
1577 NtOpenDirectoryObject(
1578 OUT PHANDLE FileHandle
,
1579 IN ACCESS_MASK DesiredAccess
,
1580 IN POBJECT_ATTRIBUTES ObjectAttributes
1584 ZwOpenDirectoryObject(
1585 OUT PHANDLE FileHandle
,
1586 IN ACCESS_MASK DesiredAccess
,
1587 IN POBJECT_ATTRIBUTES ObjectAttributes
1591 * FUNCTION: Opens an existing event
1593 * EventHandle (OUT) = Caller supplied storage for the resulting handle
1594 * DesiredAccess = Requested access to the event
1595 * ObjectAttributes = Initialized attributes for the object
1601 OUT PHANDLE EventHandle
,
1602 IN ACCESS_MASK DesiredAccess
,
1603 IN POBJECT_ATTRIBUTES ObjectAttributes
1609 OUT PHANDLE EventHandle
,
1610 IN ACCESS_MASK DesiredAccess
,
1611 IN POBJECT_ATTRIBUTES ObjectAttributes
1615 * FUNCTION: Opens an existing event pair
1617 * EventPairHandle (OUT) = Caller supplied storage for the resulting handle
1618 * DesiredAccess = Requested access to the event pair
1619 * ObjectAttributes = Initialized attributes for the object
1626 OUT PHANDLE EventPairHandle
,
1627 IN ACCESS_MASK DesiredAccess
,
1628 IN POBJECT_ATTRIBUTES ObjectAttributes
1634 OUT PHANDLE EventPairHandle
,
1635 IN ACCESS_MASK DesiredAccess
,
1636 IN POBJECT_ATTRIBUTES ObjectAttributes
1639 * FUNCTION: Opens an existing file
1641 * FileHandle (OUT) = Caller supplied storage for the resulting handle
1642 * DesiredAccess = Requested access to the file
1643 * ObjectAttributes = Initialized attributes for the object
1652 OUT PHANDLE FileHandle
,
1653 IN ACCESS_MASK DesiredAccess
,
1654 IN POBJECT_ATTRIBUTES ObjectAttributes
,
1655 OUT PIO_STATUS_BLOCK IoStatusBlock
,
1656 IN ULONG ShareAccess
,
1657 IN ULONG OpenOptions
1663 OUT PHANDLE FileHandle
,
1664 IN ACCESS_MASK DesiredAccess
,
1665 IN POBJECT_ATTRIBUTES ObjectAttributes
,
1666 OUT PIO_STATUS_BLOCK IoStatusBlock
,
1667 IN ULONG ShareAccess
,
1668 IN ULONG OpenOptions
1672 * FUNCTION: Opens an existing io completion object
1674 * CompletionPort (OUT) = Caller supplied storage for the resulting handle
1675 * DesiredAccess = Requested access to the io completion object
1676 * ObjectAttributes = Initialized attributes for the object
1683 OUT PHANDLE CompetionPort
,
1684 IN ACCESS_MASK DesiredAccess
,
1685 IN POBJECT_ATTRIBUTES ObjectAttributes
1691 OUT PHANDLE CompetionPort
,
1692 IN ACCESS_MASK DesiredAccess
,
1693 IN POBJECT_ATTRIBUTES ObjectAttributes
1697 * FUNCTION: Opens an existing key in the registry
1699 * KeyHandle (OUT) = Caller supplied storage for the resulting handle
1700 * DesiredAccess = Requested access to the key
1701 * ObjectAttributes = Initialized attributes for the object
1707 OUT PHANDLE KeyHandle
,
1708 IN ACCESS_MASK DesiredAccess
,
1709 IN POBJECT_ATTRIBUTES ObjectAttributes
1715 OUT PHANDLE KeyHandle
,
1716 IN ACCESS_MASK DesiredAccess
,
1717 IN POBJECT_ATTRIBUTES ObjectAttributes
1720 * FUNCTION: Opens an existing mutant
1722 * MutantHandle (OUT) = Caller supplied storage for the resulting handle
1723 * DesiredAccess = Requested access to the mutant
1724 * ObjectAttributes = Initialized attributes for the object
1730 OUT PHANDLE MutantHandle
,
1731 IN ACCESS_MASK DesiredAccess
,
1732 IN POBJECT_ATTRIBUTES ObjectAttributes
1737 OUT PHANDLE MutantHandle
,
1738 IN ACCESS_MASK DesiredAccess
,
1739 IN POBJECT_ATTRIBUTES ObjectAttributes
1743 * FUNCTION: Opens an existing process
1745 * ProcessHandle (OUT) = Caller supplied storage for the resulting handle
1746 * DesiredAccess = Requested access to the process
1747 * ObjectAttribute = Initialized attributes for the object
1748 * ClientId = Identifies the process id to open
1754 OUT PHANDLE ProcessHandle
,
1755 IN ACCESS_MASK DesiredAccess
,
1756 IN POBJECT_ATTRIBUTES ObjectAttributes
,
1757 IN PCLIENT_ID ClientId
1762 OUT PHANDLE ProcessHandle
,
1763 IN ACCESS_MASK DesiredAccess
,
1764 IN POBJECT_ATTRIBUTES ObjectAttributes
,
1765 IN PCLIENT_ID ClientId
1768 * FUNCTION: Opens the access token of an existing process
1770 * ProcessHandle = Handle of the process that owns the token
1771 * DesiredAccess = Requested access to the token
1772 * TokenHandle (OUT) = Caller supplies storage for the resulting token.
1774 This function maps to the win32
1781 IN HANDLE ProcessHandle
,
1782 IN ACCESS_MASK DesiredAccess
,
1783 OUT PHANDLE TokenHandle
1789 IN HANDLE ProcessHandle
,
1790 IN ACCESS_MASK DesiredAccess
,
1791 OUT PHANDLE TokenHandle
1795 * FUNCTION: Opens an existing section object
1797 * SectionHandle (OUT) = Caller supplied storage for the resulting handle
1798 * DesiredAccess = Requested access to the section
1799 * ObjectAttributes = Initialized attributes for the object
1806 OUT PHANDLE SectionHandle
,
1807 IN ACCESS_MASK DesiredAccess
,
1808 IN POBJECT_ATTRIBUTES ObjectAttributes
1813 OUT PHANDLE SectionHandle
,
1814 IN ACCESS_MASK DesiredAccess
,
1815 IN POBJECT_ATTRIBUTES ObjectAttributes
1818 * FUNCTION: Opens an existing semaphore
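1820 * SemaphoreHandle (OUT) = Caller supplied storage for the resulting handle (NOTE: both prototypes below declare it as IN HANDLE, not OUT PHANDLE like the other Open calls in this file; to be confirmed)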
1821 * DesiredAccess = Requested access to the semaphore
1822 * ObjectAttribute = Initialized attributes for the object
1828 IN HANDLE SemaphoreHandle
,
1829 IN ACCESS_MASK DesiredAcces
,
1830 IN POBJECT_ATTRIBUTES ObjectAttributes
1835 IN HANDLE SemaphoreHandle
,
1836 IN ACCESS_MASK DesiredAcces
,
1837 IN POBJECT_ATTRIBUTES ObjectAttributes
1840 * FUNCTION: Opens an existing symbolic link
1842 * SymbolicLinkHandle (OUT) = Caller supplied storage for the resulting handle
1843 * DesiredAccess = Requested access to the symbolic link
1844 * ObjectAttribute = Initialized attributes for the object
1849 NtOpenSymbolicLinkObject(
1850 OUT PHANDLE SymbolicLinkHandle
,
1851 IN ACCESS_MASK DesiredAccess
,
1852 IN POBJECT_ATTRIBUTES ObjectAttributes
1856 ZwOpenSymbolicLinkObject(
1857 OUT PHANDLE SymbolicLinkHandle
,
1858 IN ACCESS_MASK DesiredAccess
,
1859 IN POBJECT_ATTRIBUTES ObjectAttributes
1862 * FUNCTION: Opens an existing thread
1864 * ThreadHandle (OUT) = Caller supplied storage for the resulting handle
1865 * DesiredAccess = Requested access to the thread
1866 * ObjectAttribute = Initialized attributes for the object
1867 * ClientId = Identifies the thread to open.
1873 OUT PHANDLE ThreadHandle
,
1874 IN ACCESS_MASK DesiredAccess
,
1875 IN POBJECT_ATTRIBUTES ObjectAttributes
,
1876 IN PCLIENT_ID ClientId
1881 OUT PHANDLE ThreadHandle
,
1882 IN ACCESS_MASK DesiredAccess
,
1883 IN POBJECT_ATTRIBUTES ObjectAttributes
,
1884 IN PCLIENT_ID ClientId
1890 IN HANDLE ThreadHandle
,
1891 IN ACCESS_MASK DesiredAccess
,
1892 IN BOOLEAN OpenAsSelf
,
1893 OUT PHANDLE TokenHandle
1899 IN HANDLE ThreadHandle
,
1900 IN ACCESS_MASK DesiredAccess
,
1901 IN BOOLEAN OpenAsSelf
,
1902 OUT PHANDLE TokenHandle
1905 * FUNCTION: Opens an existing timer
1907 * TimerHandle (OUT) = Caller supplied storage for the resulting handle
1908 * DesiredAccess = Requested access to the timer
1909 * ObjectAttribute = Initialized attributes for the object
1915 OUT PHANDLE TimerHandle
,
1916 IN ACCESS_MASK DesiredAccess
,
1917 IN POBJECT_ATTRIBUTES ObjectAttributes
1922 OUT PHANDLE TimerHandle
,
1923 IN ACCESS_MASK DesiredAccess
,
1924 IN POBJECT_ATTRIBUTES ObjectAttributes
1928 * FUNCTION: Checks an access token for specific privileges
1930 * ClientToken = Handle to an access token structure
1931 * RequiredPrivileges = Specifies the requested privileges.
1932 * Result = Caller supplies storage for the result. If PRIVILEGE_SET_ALL_NECESSARY is
1933 set in the Control member of the PRIVILEGE_SET, Result
1934 will only be TRUE if all privileges are present in the access token.
1941 IN HANDLE ClientToken
,
1942 IN PPRIVILEGE_SET RequiredPrivileges
,
1949 IN HANDLE ClientToken
,
1950 IN PPRIVILEGE_SET RequiredPrivileges
,
1956 NtPrivilegedServiceAuditAlarm(
1957 IN PUNICODE_STRING SubsystemName
,
1958 IN PUNICODE_STRING ServiceName
,
1959 IN HANDLE ClientToken
,
1960 IN PPRIVILEGE_SET Privileges
,
1961 IN BOOLEAN AccessGranted
1966 ZwPrivilegedServiceAuditAlarm(
1967 IN PUNICODE_STRING SubsystemName
,
1968 IN PUNICODE_STRING ServiceName
,
1969 IN HANDLE ClientToken
,
1970 IN PPRIVILEGE_SET Privileges
,
1971 IN BOOLEAN AccessGranted
1976 NtPrivilegeObjectAuditAlarm(
1977 IN PUNICODE_STRING SubsystemName
,
1979 IN HANDLE ClientToken
,
1980 IN ULONG DesiredAccess
,
1981 IN PPRIVILEGE_SET Privileges
,
1982 IN BOOLEAN AccessGranted
1987 ZwPrivilegeObjectAuditAlarm(
1988 IN PUNICODE_STRING SubsystemName
,
1990 IN HANDLE ClientToken
,
1991 IN ULONG DesiredAccess
,
1992 IN PPRIVILEGE_SET Privileges
,
1993 IN BOOLEAN AccessGranted
1997 * FUNCTION: Entry point for native applications
1999 * Peb = Points to the Process Environment Block (PEB)
2001 * Native applications should use this function instead of a main.
2002 * Calling process should terminate itself.
2012 * FUNCTION: Signals an event and resets it afterwards.
2014 * EventHandle = Handle to the event
2015 * PulseCount = Number of times the action is repeated
2021 IN HANDLE EventHandle
,
2022 IN PULONG PulseCount OPTIONAL
2028 IN HANDLE EventHandle
,
2029 IN PULONG PulseCount OPTIONAL
2033 * FUNCTION: Queries the attributes of a file
2035 * ObjectAttributes = Initialized attributes for the object
2036 * Buffer = Caller supplies storage for the attributes
2041 NtQueryAttributesFile(IN POBJECT_ATTRIBUTES ObjectAttributes
,
2042 OUT PFILE_BASIC_INFORMATION FileInformation
);
2045 ZwQueryAttributesFile(IN POBJECT_ATTRIBUTES ObjectAttributes
,
2046 OUT PFILE_BASIC_INFORMATION FileInformation
);
2049 * FUNCTION: Queries the default locale id
2051 * UserProfile = Type of locale id
2052 * TRUE: thread locale id
2053 * FALSE: system locale id
2054 * DefaultLocaleId = Caller supplies storage for the locale id
2060 NtQueryDefaultLocale(
2061 IN BOOLEAN UserProfile
,
2062 OUT PLCID DefaultLocaleId
2067 ZwQueryDefaultLocale(
2068 IN BOOLEAN UserProfile
,
2069 OUT PLCID DefaultLocaleId
2073 * FUNCTION: Queries a directory file.
2075 * FileHandle = Handle to a directory file
2076 * EventHandle = Handle to the event signaled on completion
2077 * ApcRoutine = Asynchronous procedure callback, called on completion
2078 * ApcContext = Argument to the apc.
2079 * IoStatusBlock = Caller supplies storage for extended status information.
2080 * FileInformation = Caller supplies storage for the resulting information.
2082 * FileNameInformation FILE_NAMES_INFORMATION
2083 * FileDirectoryInformation FILE_DIRECTORY_INFORMATION
2084 * FileFullDirectoryInformation FILE_FULL_DIRECTORY_INFORMATION
2085 * FileBothDirectoryInformation FILE_BOTH_DIR_INFORMATION
2087 * Length = Size of the storage supplied
2088 * FileInformationClass = Indicates the type of information requested.
2089 * ReturnSingleEntry = Specify true if caller only requests the first directory found.
2090 * FileName = Initial directory name to query, that may contain wild cards.
2091 * RestartScan = If true the scan restarts from the first entry of the directory
2092 * RETURNS: Status [ STATUS_SUCCESS, STATUS_ACCESS_DENIED, STATUS_INSUFFICIENT_RESOURCES,
2093 * STATUS_INVALID_PARAMETER, STATUS_INVALID_DEVICE_REQUEST, STATUS_BUFFER_OVERFLOW,
2094 * STATUS_INVALID_INFO_CLASS, STATUS_NO_SUCH_FILE, STATUS_NO_MORE_FILES ]
2099 NtQueryDirectoryFile(
2100 IN HANDLE FileHandle
,
2101 IN HANDLE Event OPTIONAL
,
2102 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
2103 IN PVOID ApcContext OPTIONAL
,
2104 OUT PIO_STATUS_BLOCK IoStatusBlock
,
2105 OUT PVOID FileInformation
,
2107 IN FILE_INFORMATION_CLASS FileInformationClass
,
2108 IN BOOLEAN ReturnSingleEntry
,
2109 IN PUNICODE_STRING FileName OPTIONAL
,
2110 IN BOOLEAN RestartScan
2115 ZwQueryDirectoryFile(
2116 IN HANDLE FileHandle
,
2117 IN HANDLE Event OPTIONAL
,
2118 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
2119 IN PVOID ApcContext OPTIONAL
,
2120 OUT PIO_STATUS_BLOCK IoStatusBlock
,
2121 OUT PVOID FileInformation
,
2123 IN FILE_INFORMATION_CLASS FileInformationClass
,
2124 IN BOOLEAN ReturnSingleEntry
,
2125 IN PUNICODE_STRING FileName OPTIONAL
,
2126 IN BOOLEAN RestartScan
2130 * FUNCTION: Queries the extended attributes of a file
2132 * FileHandle = Handle to the file
2133 * IoStatusBlock = Caller supplies storage for extended status information
2147 IN HANDLE FileHandle
,
2148 OUT PIO_STATUS_BLOCK IoStatusBlock
,
2151 IN BOOLEAN ReturnSingleEntry
,
2152 IN PVOID EaList OPTIONAL
,
2153 IN ULONG EaListLength
,
2154 IN PULONG EaIndex OPTIONAL
,
2155 IN BOOLEAN RestartScan
2161 IN HANDLE FileHandle
,
2162 OUT PIO_STATUS_BLOCK IoStatusBlock
,
2165 IN BOOLEAN ReturnSingleEntry
,
2166 IN PVOID EaList OPTIONAL
,
2167 IN ULONG EaListLength
,
2168 IN PULONG EaIndex OPTIONAL
,
2169 IN BOOLEAN RestartScan
2173 * FUNCTION: Queries an event
2175 * EventHandle = Handle to the event
2176 * EventInformationClass = Index of the information structure
2178 EventBasicInformation EVENT_BASIC_INFORMATION
2180 * EventInformation = Caller supplies storage for the information structure
2181 * EventInformationLength = Size of the information structure
2182 * ReturnLength = Data written
2188 IN HANDLE EventHandle
,
2189 IN EVENT_INFORMATION_CLASS EventInformationClass
,
2190 OUT PVOID EventInformation
,
2191 IN ULONG EventInformationLength
,
2192 OUT PULONG ReturnLength
2197 IN HANDLE EventHandle
,
2198 IN EVENT_INFORMATION_CLASS EventInformationClass
,
2199 OUT PVOID EventInformation
,
2200 IN ULONG EventInformationLength
,
2201 OUT PULONG ReturnLength
2205 NtQueryFullAttributesFile(IN POBJECT_ATTRIBUTES ObjectAttributes
,
2206 OUT PFILE_NETWORK_OPEN_INFORMATION FileInformation
);
2209 ZwQueryFullAttributesFile(IN POBJECT_ATTRIBUTES ObjectAttributes
,
2210 OUT PFILE_NETWORK_OPEN_INFORMATION FileInformation
);
2213 * FUNCTION: Queries the information of a file object.
2215 * FileHandle = Handle to the file object
2216 * IoStatusBlock = Caller supplies storage for extended information
2217 * on the current operation.
2218 * FileInformation = Storage for the new file information
2219 * Length = Size of the storage for the file information.
2220 * FileInformationClass = Indicates which file information is queried
2222 FileDirectoryInformation FILE_DIRECTORY_INFORMATION
2223 FileFullDirectoryInformation FILE_FULL_DIRECTORY_INFORMATION
2224 FileBothDirectoryInformation FILE_BOTH_DIR_INFORMATION
2225 FileBasicInformation FILE_BASIC_INFORMATION
2226 FileStandardInformation FILE_STANDARD_INFORMATION
2227 FileInternalInformation FILE_INTERNAL_INFORMATION
2228 FileEaInformation FILE_EA_INFORMATION
2229 FileAccessInformation FILE_ACCESS_INFORMATION
2230 FileNameInformation FILE_NAME_INFORMATION
2231 FileRenameInformation FILE_RENAME_INFORMATION
2233 FileNamesInformation FILE_NAMES_INFORMATION
2234 FileDispositionInformation FILE_DISPOSITION_INFORMATION
2235 FilePositionInformation FILE_POSITION_INFORMATION
2236 FileFullEaInformation FILE_FULL_EA_INFORMATION
2237 FileModeInformation FILE_MODE_INFORMATION
2238 FileAlignmentInformation FILE_ALIGNMENT_INFORMATION
2239 FileAllInformation FILE_ALL_INFORMATION
2241 FileEndOfFileInformation FILE_END_OF_FILE_INFORMATION
2242 FileAlternateNameInformation
2243 FileStreamInformation FILE_STREAM_INFORMATION
2245 FilePipeLocalInformation
2246 FilePipeRemoteInformation
2247 FileMailslotQueryInformation
2248 FileMailslotSetInformation
2249 FileCompressionInformation FILE_COMPRESSION_INFORMATION
2250 FileCopyOnWriteInformation
2251 FileCompletionInformation IO_COMPLETION_CONTEXT
2252 FileMoveClusterInformation
2253 FileOleClassIdInformation
2254 FileOleStateBitsInformation
2255 FileNetworkOpenInformation FILE_NETWORK_OPEN_INFORMATION
2256 FileObjectIdInformation
2257 FileOleAllInformation
2258 FileOleDirectoryInformation
2259 FileContentIndexInformation
2260 FileInheritContentIndexInformation
2262 FileMaximumInformation
2265 * This procedure maps to the win32 GetShortPathName, GetLongPathName,
2266 GetFullPathName, GetFileType, GetFileSize, GetFileTime functions.
2271 NtQueryInformationFile(
2272 IN HANDLE FileHandle
,
2273 OUT PIO_STATUS_BLOCK IoStatusBlock
,
2274 OUT PVOID FileInformation
,
2276 IN FILE_INFORMATION_CLASS FileInformationClass
2281 ZwQueryInformationFile(
2283 PIO_STATUS_BLOCK IoStatusBlock
,
2284 PVOID FileInformation
,
2286 FILE_INFORMATION_CLASS FileInformationClass
2291 * FUNCTION: Queries the information of a thread object.
2293 * ThreadHandle = Handle to the thread object
2294 * ThreadInformationClass = Index to a certain information structure
2296 ThreadBasicInformation THREAD_BASIC_INFORMATION
2297 ThreadTimes KERNEL_USER_TIMES
2298 ThreadPriority KPRIORITY
2299 ThreadBasePriority KPRIORITY
2300 ThreadAffinityMask KAFFINITY
2301 ThreadImpersonationToken
2302 ThreadDescriptorTableEntry
2303 ThreadEnableAlignmentFaultFixup
2305 ThreadQuerySetWin32StartAddress
2307 ThreadPerformanceCount
2308 ThreadAmILastThread BOOLEAN
2309 ThreadIdealProcessor ULONG
2310 ThreadPriorityBoost ULONG
2314 * ThreadInformation = Caller supplies storage for the thread information
2315 * ThreadInformationLength = Size of the thread information structure
2316 * ReturnLength = Actual number of bytes written
2319 * This procedure maps to the win32 GetThreadTimes, GetThreadPriority,
2320 GetThreadPriorityBoost functions.
2327 NtQueryInformationThread(
2328 IN HANDLE ThreadHandle
,
2329 IN THREADINFOCLASS ThreadInformationClass
,
2330 OUT PVOID ThreadInformation
,
2331 IN ULONG ThreadInformationLength
,
2332 OUT PULONG ReturnLength
2338 NtQueryInformationToken(
2339 IN HANDLE TokenHandle
,
2340 IN TOKEN_INFORMATION_CLASS TokenInformationClass
,
2341 OUT PVOID TokenInformation
,
2342 IN ULONG TokenInformationLength
,
2343 OUT PULONG ReturnLength
2348 ZwQueryInformationToken(
2349 IN HANDLE TokenHandle
,
2350 IN TOKEN_INFORMATION_CLASS TokenInformationClass
,
2351 OUT PVOID TokenInformation
,
2352 IN ULONG TokenInformationLength
,
2353 OUT PULONG ReturnLength
2358 NtQueryIoCompletion(
2359 IN HANDLE IoCompletionHandle
,
2360 IN IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass
,
2361 OUT PVOID IoCompletionInformation
,
2362 IN ULONG IoCompletionInformationLength
,
2363 OUT PULONG ResultLength OPTIONAL
2368 ZwQueryIoCompletion(
2369 IN HANDLE IoCompletionHandle
,
2370 IN IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass
,
2371 OUT PVOID IoCompletionInformation
,
2372 IN ULONG IoCompletionInformationLength
,
2373 OUT PULONG ResultLength OPTIONAL
2377 * FUNCTION: Queries the information of a registry key object.
2379 KeyHandle = Handle to a registry key
2380 KeyInformationClass = Index to a certain information structure
2381 KeyInformation = Caller supplies storage for resulting information
2382 Length = Size of the supplied storage
2383 ResultLength = Bytes written
2388 IN HANDLE KeyHandle
,
2389 IN KEY_INFORMATION_CLASS KeyInformationClass
,
2390 OUT PVOID KeyInformation
,
2392 OUT PULONG ResultLength
2398 IN HANDLE KeyHandle
,
2399 IN KEY_INFORMATION_CLASS KeyInformationClass
,
2400 OUT PVOID KeyInformation
,
2402 OUT PULONG ResultLength
2410 NtQueryMultipleValueKey(
2411 IN HANDLE KeyHandle
,
2412 IN OUT PKEY_VALUE_ENTRY ValueList
,
2413 IN ULONG NumberOfValues
,
2415 IN OUT PULONG Length
,
2416 OUT PULONG ReturnLength
2421 ZwQueryMultipleValueKey(
2422 IN HANDLE KeyHandle
,
2423 IN OUT PKEY_VALUE_ENTRY ValueList
,
2424 IN ULONG NumberOfValues
,
2426 IN OUT PULONG Length
,
2427 OUT PULONG ReturnLength
2431 * FUNCTION: Queries the information of a mutant object.
2433 MutantHandle = Handle to a mutant
2434 MutantInformationClass = Index to a certain information structure
2435 MutantInformation = Caller supplies storage for resulting information
2436 Length = Size of the supplied storage
2437 ResultLength = Bytes written
2442 IN HANDLE MutantHandle
,
2443 IN CINT MutantInformationClass
,
2444 OUT PVOID MutantInformation
,
2446 OUT PULONG ResultLength
2452 IN HANDLE MutantHandle
,
2453 IN CINT MutantInformationClass
,
2454 OUT PVOID MutantInformation
,
2456 OUT PULONG ResultLength
2460 * FUNCTION: Queries the system ( high-resolution ) performance counter.
2462 * Counter = Performance counter
2463 * Frequency = Performance frequency
2465 This procedure queries a tick count faster than 10ms ( The resolution for Intel®-based CPUs is about 0.8 microseconds.)
2466 This procedure maps to the win32 QueryPerformanceCounter, QueryPerformanceFrequency
2472 NtQueryPerformanceCounter(
2473 IN PLARGE_INTEGER Counter
,
2474 IN PLARGE_INTEGER Frequency
2479 ZwQueryPerformanceCounter(
2480 IN PLARGE_INTEGER Counter
,
2481 IN PLARGE_INTEGER Frequency
2485 * FUNCTION: Queries the information of a semaphore.
2487 * SemaphoreHandle = Handle to the semaphore object
2488 * SemaphoreInformationClass = Index to a certain information structure
2490 SemaphoreBasicInformation SEMAPHORE_BASIC_INFORMATION
2492 * SemaphoreInformation = Caller supplies storage for the semaphore information structure
2493 * Length = Size of the information structure
2498 IN HANDLE SemaphoreHandle
,
2499 IN SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass
,
2500 OUT PVOID SemaphoreInformation
,
2502 OUT PULONG ReturnLength
2508 IN HANDLE SemaphoreHandle
,
2509 IN SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass
,
2510 OUT PVOID SemaphoreInformation
,
2512 OUT PULONG ReturnLength
2517 * FUNCTION: Queries the information of a symbolic link object.
2519 * SymbolicLinkHandle = Handle to the symbolic link object
2520 * LinkTarget = resolved name of link
2521 * DataWritten = size of the LinkName.
2527 NtQuerySymbolicLinkObject(
2528 IN HANDLE SymLinkObjHandle
,
2529 OUT PUNICODE_STRING LinkTarget
,
2530 OUT PULONG DataWritten OPTIONAL
2535 ZwQuerySymbolicLinkObject(
2536 IN HANDLE SymLinkObjHandle
,
2537 OUT PUNICODE_STRING LinkName
,
2538 OUT PULONG DataWritten OPTIONAL
2543 * FUNCTION: Queries a system environment variable.
2545 * Name = Name of the variable
2546 * Value (OUT) = value of the variable
2547 * Length = size of the buffer
2548 * ReturnLength = data written
2554 NtQuerySystemEnvironmentValue(
2555 IN PUNICODE_STRING Name
,
2563 ZwQuerySystemEnvironmentValue(
2564 IN PUNICODE_STRING Name
,
2572 * FUNCTION: Queries the system information.
2574 * SystemInformationClass = Index to a certain information structure
2576 SystemTimeAdjustmentInformation SYSTEM_TIME_ADJUSTMENT
2577 SystemCacheInformation SYSTEM_CACHE_INFORMATION
2578 SystemConfigurationInformation CONFIGURATION_INFORMATION
2580 * SystemInformation = caller supplies storage for the information structure
2581 * Length = size of the structure
2582 ResultLength = Data written
2588 NtQuerySystemInformation(
2589 IN SYSTEM_INFORMATION_CLASS SystemInformationClass
,
2590 OUT PVOID SystemInformation
,
2592 OUT PULONG ResultLength
2597 ZwQuerySystemInformation(
2598 IN SYSTEM_INFORMATION_CLASS SystemInformationClass
,
2599 OUT PVOID SystemInformation
,
2601 OUT PULONG ResultLength
2605 * FUNCTION: Queries information about a timer
2607 * TimerHandle = Handle to the timer
2608 TimerValueInformationClass = Index to a certain information structure
2609 TimerValueInformation = Caller supplies storage for the information structure
2610 Length = Size of the information structure
2611 ResultLength = Data written
2618 IN HANDLE TimerHandle
,
2619 IN CINT TimerInformationClass
,
2620 OUT PVOID TimerInformation
,
2622 OUT PULONG ResultLength
2627 IN HANDLE TimerHandle
,
2628 IN CINT TimerInformationClass
,
2629 OUT PVOID TimerInformation
,
2631 OUT PULONG ResultLength
2635 * FUNCTION: Queries the timer resolution
2637 * MinimumResolution (OUT) = Caller should supply storage for the resulting time.
2638 MaximumResolution (OUT) = Caller should supply storage for the resulting time.
2639 ActualResolution (OUT) = Caller should supply storage for the resulting time.
2647 NtQueryTimerResolution (
2648 OUT PULONG MinimumResolution
,
2649 OUT PULONG MaximumResolution
,
2650 OUT PULONG ActualResolution
2655 ZwQueryTimerResolution (
2656 OUT PULONG MinimumResolution
,
2657 OUT PULONG MaximumResolution
,
2658 OUT PULONG ActualResolution
2662 * FUNCTION: Queries a registry key value
2664 * KeyHandle = Handle to the registry key
2665 ValueName = Name of the value in the registry key
2666 KeyValueInformationClass = Index to a certain information structure
2668 KeyValueBasicInformation = KEY_VALUE_BASIC_INFORMATION
2669 KeyValueFullInformation = KEY_VALUE_FULL_INFORMATION
2670 KeyValuePartialInformation = KEY_VALUE_PARTIAL_INFORMATION
2672 KeyValueInformation = Caller supplies storage for the information structure
2673 Length = Size of the information structure
2674 ResultLength = Data written
2681 IN HANDLE KeyHandle
,
2682 IN PUNICODE_STRING ValueName
,
2683 IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass
,
2684 OUT PVOID KeyValueInformation
,
2686 OUT PULONG ResultLength
2692 IN HANDLE KeyHandle
,
2693 IN PUNICODE_STRING ValueName
,
2694 IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass
,
2695 OUT PVOID KeyValueInformation
,
2697 OUT PULONG ResultLength
2701 * FUNCTION: Queries the volume information
2703 * FileHandle = Handle to a file object on the target volume
2704 * IoStatusBlock = Caller should supply storage for additional status information
2705 * ReturnLength = DataWritten
2706 * FsInformation = Caller should supply storage for the information structure.
2707 * Length = Size of the information structure
2708 * FsInformationClass = Index to an information structure
2710 FileFsVolumeInformation FILE_FS_VOLUME_INFORMATION
2711 FileFsLabelInformation FILE_FS_LABEL_INFORMATION
2712 FileFsSizeInformation FILE_FS_SIZE_INFORMATION
2713 FileFsDeviceInformation FILE_FS_DEVICE_INFORMATION
2714 FileFsAttributeInformation FILE_FS_ATTRIBUTE_INFORMATION
2715 FileFsControlInformation
2716 FileFsQuotaQueryInformation --
2717 FileFsQuotaSetInformation --
2718 FileFsMaximumInformation
2720 * RETURNS: Status [ STATUS_SUCCESS | STATUS_INSUFFICIENT_RESOURCES | STATUS_INVALID_PARAMETER |
2721 STATUS_INVALID_DEVICE_REQUEST | STATUS_BUFFER_OVERFLOW ]
2726 NtQueryVolumeInformationFile(
2727 IN HANDLE FileHandle
,
2728 OUT PIO_STATUS_BLOCK IoStatusBlock
,
2729 OUT PVOID FsInformation
,
2731 IN FS_INFORMATION_CLASS FsInformationClass
2736 ZwQueryVolumeInformationFile(
2737 IN HANDLE FileHandle
,
2738 OUT PIO_STATUS_BLOCK IoStatusBlock
,
2739 OUT PVOID FsInformation
,
2741 IN FS_INFORMATION_CLASS FsInformationClass
2744 // FIXME: Should I specify if the apc is user or kernel mode somewhere ??
2746 * FUNCTION: Queues a (user) apc to a thread.
2748 ThreadHandle = Thread to which the apc is queued.
2749 ApcRoutine = Points to the apc routine
2750 NormalContext = Argument to Apc Routine
2751 * SystemArgument1 = Argument of the Apc Routine
2752 SystemArgument2 = Argument of the Apc Routine
2753 * REMARK: If the apc is queued against a thread of a different process than the calling thread
2754 the apc routine should be specified in the address space of the queued thread's process.
2761 HANDLE ThreadHandle
,
2762 PKNORMAL_ROUTINE ApcRoutine
,
2763 PVOID NormalContext
,
2764 PVOID SystemArgument1
,
2765 PVOID SystemArgument2
);
2770 HANDLE ThreadHandle
,
2771 PKNORMAL_ROUTINE ApcRoutine
,
2772 PVOID NormalContext
,
2773 PVOID SystemArgument1
,
2774 PVOID SystemArgument2
);
2778 * FUNCTION: Raises an exception
2780 * ExceptionRecord = Structure specifying the exception
2781 * Context = Context in which the exception is raised
2790 IN PEXCEPTION_RECORD ExceptionRecord
,
2791 IN PCONTEXT Context
,
2792 IN BOOLEAN SearchFrames
2798 IN PEXCEPTION_RECORD ExceptionRecord
,
2799 IN PCONTEXT Context
,
2800 IN BOOLEAN SearchFrames
2804 * FUNCTION: Read a file
2806 * FileHandle = Handle of a file to read
2807 * Event = This event is signalled when the read operation completes
2808 * UserApcRoutine = Call back , if supplied Event should be NULL
2809 * UserApcContext = Argument to the callback
2810 * IoStatusBlock = Caller should supply storage for additional status information
2811 * Buffer = Caller should supply storage to receive the information
2812 * BufferLength = Size of the buffer
2813 * ByteOffset = Offset to start reading the file
2814 * Key = If a range is locked, a matching key will allow the read to continue.
2822 IN HANDLE FileHandle
,
2823 IN HANDLE Event OPTIONAL
,
2824 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL
,
2825 IN PVOID UserApcContext OPTIONAL
,
2826 OUT PIO_STATUS_BLOCK IoStatusBlock
,
2828 IN ULONG BufferLength
,
2829 IN PLARGE_INTEGER ByteOffset OPTIONAL
,
2830 IN PULONG Key OPTIONAL
2836 IN HANDLE FileHandle
,
2837 IN HANDLE Event OPTIONAL
,
2838 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL
,
2839 IN PVOID UserApcContext OPTIONAL
,
2840 OUT PIO_STATUS_BLOCK IoStatusBlock
,
2842 IN ULONG BufferLength
,
2843 IN PLARGE_INTEGER ByteOffset OPTIONAL
,
2844 IN PULONG Key OPTIONAL
2847 * FUNCTION: Read a file using scattered io
2849 FileHandle = Handle of a file to read
2850 Event = This event is signalled when the read operation completes
2851 * UserApcRoutine = Call back , if supplied Event should be NULL
2852 UserApcContext = Argument to the callback
2853 IoStatusBlock = Caller should supply storage for additional status information
2854 BufferDescription = Caller should supply storage to receive the information
2855 BufferLength = Size of the buffer
2856 ByteOffset = Offset to start reading the file
2857 Key = If a range is locked, a matching key will allow the read to continue.
2864 IN HANDLE FileHandle
,
2865 IN HANDLE Event OPTIONAL
,
2866 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL
,
2867 IN PVOID UserApcContext OPTIONAL
,
2868 OUT PIO_STATUS_BLOCK UserIoStatusBlock
,
2869 IN FILE_SEGMENT_ELEMENT BufferDescription
[],
2870 IN ULONG BufferLength
,
2871 IN PLARGE_INTEGER ByteOffset
,
2872 IN PULONG Key OPTIONAL
2878 IN HANDLE FileHandle
,
2879 IN HANDLE Event OPTIONAL
,
2880 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL
,
2881 IN PVOID UserApcContext OPTIONAL
,
2882 OUT PIO_STATUS_BLOCK UserIoStatusBlock
,
2883 IN FILE_SEGMENT_ELEMENT BufferDescription
[],
2884 IN ULONG BufferLength
,
2885 IN PLARGE_INTEGER ByteOffset
,
2886 IN PULONG Key OPTIONAL
2889 * FUNCTION: Copies a range of virtual memory to a buffer
2891 * ProcessHandle = Specifies the process owning the virtual address space
2892 * BaseAddress = Points to the address of virtual memory to start the read
2893 * Buffer = Caller supplies storage to copy the virtual memory to.
2894 * NumberOfBytesToRead = Limits the range to read
2895 * NumberOfBytesRead = The actual number of bytes read.
2901 NtReadVirtualMemory(
2902 IN HANDLE ProcessHandle
,
2903 IN PVOID BaseAddress
,
2905 IN ULONG NumberOfBytesToRead
,
2906 OUT PULONG NumberOfBytesRead
2910 ZwReadVirtualMemory(
2911 IN HANDLE ProcessHandle
,
2912 IN PVOID BaseAddress
,
2914 IN ULONG NumberOfBytesToRead
,
2915 OUT PULONG NumberOfBytesRead
2920 * FUNCTION: Debugger can register for thread termination
2922 * TerminationPort = Port on which the debugger likes to be notified.
2927 NtRegisterThreadTerminatePort(
2928 HANDLE TerminationPort
2932 ZwRegisterThreadTerminatePort(
2933 HANDLE TerminationPort
2937 * FUNCTION: Releases a mutant
2939 * MutantHandle = Handle to the mutant
2946 IN HANDLE MutantHandle
,
2947 IN PULONG ReleaseCount OPTIONAL
2953 IN HANDLE MutantHandle
,
2954 IN PULONG ReleaseCount OPTIONAL
2958 * FUNCTION: Releases a semaphore
2960 * SemaphoreHandle = Handle to the semaphore object
2961 * ReleaseCount = Number to decrease the semaphore count
2962 * PreviousCount = Previous semaphore count
2968 IN HANDLE SemaphoreHandle
,
2969 IN LONG ReleaseCount
,
2970 OUT PLONG PreviousCount
2976 IN HANDLE SemaphoreHandle
,
2977 IN LONG ReleaseCount
,
2978 OUT PLONG PreviousCount
2982 * FUNCTION: Removes an io completion
2984 * CompletionPort (OUT) = Caller supplied storage for the resulting handle
2985 * CompletionKey = Requested access to the key
2986 * IoStatusBlock = Caller provides storage for extended status information
2987 * CompletionStatus = Current status of the io operation.
2988 * WaitTime = Time to wait if ..
2993 NtRemoveIoCompletion(
2994 IN HANDLE IoCompletionHandle
,
2995 OUT PULONG CompletionKey
,
2996 OUT PULONG CompletionValue
,
2997 OUT PIO_STATUS_BLOCK IoStatusBlock
,
2998 IN PLARGE_INTEGER Timeout OPTIONAL
3003 ZwRemoveIoCompletion(
3004 IN HANDLE IoCompletionHandle
,
3005 OUT PULONG CompletionKey
,
3006 OUT PULONG CompletionValue
,
3007 OUT PIO_STATUS_BLOCK IoStatusBlock
,
3008 IN PLARGE_INTEGER Timeout OPTIONAL
3012 * FUNCTION: Replaces one registry key with another
3014 * ObjectAttributes = Specifies the attributes of the key
3015 * Key = Handle to the key
3016 * ReplacedObjectAttributes = The function returns the old object attributes
3022 IN POBJECT_ATTRIBUTES ObjectAttributes
,
3024 IN POBJECT_ATTRIBUTES ReplacedObjectAttributes
3029 IN POBJECT_ATTRIBUTES ObjectAttributes
,
3031 IN POBJECT_ATTRIBUTES ReplacedObjectAttributes
3035 * FUNCTION: Resets an event to a non signaled state
3037 * EventHandle = Handle to the event that should be reset
3038 * NumberOfWaitingThreads = The number of threads released.
3045 PULONG NumberOfWaitingThreads OPTIONAL
3051 PULONG NumberOfWaitingThreads OPTIONAL
3070 * FUNCTION: Decrements a thread's resume count
3072 * ThreadHandle = Handle to the thread that should be resumed
3073 * ResumeCount = The resulting resume count.
3075 * A thread is resumed if its suspend count is 0. This procedure maps to
3076 * the win32 ResumeThread function. ( documentation about the suspend count can be found here as well )
3082 IN HANDLE ThreadHandle
,
3083 OUT PULONG SuspendCount
3088 IN HANDLE ThreadHandle
,
3089 OUT PULONG SuspendCount
3092 * FUNCTION: Writes the content of a registry key to ascii file
3094 * KeyHandle = Handle to the key
3095 * FileHandle = Handle of the file
3097 This function maps to the Win32 RegSaveKey.
3104 IN HANDLE KeyHandle
,
3105 IN HANDLE FileHandle
3110 IN HANDLE KeyHandle
,
3111 IN HANDLE FileHandle
3115 * FUNCTION: Sets the context of a specified thread.
3117 * ThreadHandle = Handle to the thread
3118 * Context = The processor context.
3125 IN HANDLE ThreadHandle
,
3131 IN HANDLE ThreadHandle
,
3136 * FUNCTION: Sets the default locale id
3138 * UserProfile = Type of locale id
3139 * TRUE: thread locale id
3140 * FALSE: system locale id
3141 * DefaultLocaleId = Locale id
3148 IN BOOLEAN UserProfile
,
3149 IN LCID DefaultLocaleId
3155 IN BOOLEAN UserProfile
,
3156 IN LCID DefaultLocaleId
3160 * FUNCTION: Sets the default hard error port
3162 * PortHandle = Handle to the port
3163 * NOTE: The hard error port is used for first chance exception handling
3168 NtSetDefaultHardErrorPort(
3169 IN HANDLE PortHandle
3173 ZwSetDefaultHardErrorPort(
3174 IN HANDLE PortHandle
3178 * FUNCTION: Sets the extended attributes of a file.
3180 * FileHandle = Handle to the file
3181 * IoStatusBlock = Storage for a resulting status and information
3182 * on the current operation.
3183 * EaBuffer = Extended Attributes buffer.
3184 * EaBufferSize = Size of the extended attributes buffer
3190 IN HANDLE FileHandle
,
3191 IN PIO_STATUS_BLOCK IoStatusBlock
,
3198 IN HANDLE FileHandle
,
3199 IN PIO_STATUS_BLOCK IoStatusBlock
,
3204 //FIXME: should I return the event state ?
3207 * FUNCTION: Sets the event to a signalled state.
3209 * EventHandle = Handle to the event
3210 * NumberOfThreadsReleased = The number of threads released
3212 * This procedure maps to the win32 SetEvent function.
3219 IN HANDLE EventHandle
,
3220 PULONG NumberOfThreadsReleased
3226 IN HANDLE EventHandle
,
3227 PULONG NumberOfThreadsReleased
3231 * FUNCTION: Sets the high part of an event pair
3233 EventPair = Handle to the event pair
3240 IN HANDLE EventPairHandle
3246 IN HANDLE EventPairHandle
3249 * FUNCTION: Sets the high part of an event pair and wait for the low part
3251 EventPair = Handle to the event pair
3256 NtSetHighWaitLowEventPair(
3257 IN HANDLE EventPairHandle
3261 ZwSetHighWaitLowEventPair(
3262 IN HANDLE EventPairHandle
3266 * FUNCTION: Sets the information of a file object.
3268 * FileHandle = Handle to the file object
3269 * IoStatusBlock = Caller supplies storage for extended information
3270 * on the current operation.
3271 * FileInformation = Storage for the new file information
3272 * Length = Size of the new file information.
3273 * FileInformationClass = Indicates to a certain information structure
3275 FileNameInformation FILE_NAME_INFORMATION
3276 FileRenameInformation FILE_RENAME_INFORMATION
3277 FileStreamInformation FILE_STREAM_INFORMATION
3278 * FileCompletionInformation IO_COMPLETION_CONTEXT
3281 * This procedure maps to the win32 SetEndOfFile, SetFileAttributes,
3282 * SetNamedPipeHandleState, SetMailslotInfo functions.
3289 NtSetInformationFile(
3290 IN HANDLE FileHandle
,
3291 IN PIO_STATUS_BLOCK IoStatusBlock
,
3292 IN PVOID FileInformation
,
3294 IN FILE_INFORMATION_CLASS FileInformationClass
3298 ZwSetInformationFile(
3299 IN HANDLE FileHandle
,
3300 IN PIO_STATUS_BLOCK IoStatusBlock
,
3301 IN PVOID FileInformation
,
3303 IN FILE_INFORMATION_CLASS FileInformationClass
3307 * FUNCTION: Changes a set of thread specific parameters
3309 * ThreadHandle = Handle to the thread
3310 * ThreadInformationClass = Index to the set of parameters to change.
3311 * Can be one of the following values:
3313 * ThreadBasicInformation THREAD_BASIC_INFORMATION
3314 * ThreadPriority KPRIORITY //???
3315 * ThreadBasePriority KPRIORITY
3316 * ThreadAffinityMask KAFFINITY //??
3317 * ThreadImpersonationToken ACCESS_TOKEN
3318 * ThreadIdealProcessor ULONG
3319 * ThreadPriorityBoost ULONG
3321 * ThreadInformation = Caller supplies storage for parameters to set.
3322 * ThreadInformationLength = Size of the storage supplied
3327 NtSetInformationThread(
3328 IN HANDLE ThreadHandle
,
3329 IN THREADINFOCLASS ThreadInformationClass
,
3330 IN PVOID ThreadInformation
,
3331 IN ULONG ThreadInformationLength
3335 ZwSetInformationThread(
3336 IN HANDLE ThreadHandle
,
3337 IN THREADINFOCLASS ThreadInformationClass
,
3338 IN PVOID ThreadInformation
,
3339 IN ULONG ThreadInformationLength
3343 * FUNCTION: Changes a set of token specific parameters
3345 * TokenHandle = Handle to the token
3346 * TokenInformationClass = Index to a certain information structure.
3347 * Can be one of the following values:
3349 TokenUser TOKEN_USER
3350 TokenGroups TOKEN_GROUPS
3351 TokenPrivileges TOKEN_PRIVILEGES
3352 TokenOwner TOKEN_OWNER
3353 TokenPrimaryGroup TOKEN_PRIMARY_GROUP
3354 TokenDefaultDacl TOKEN_DEFAULT_DACL
3355 TokenSource TOKEN_SOURCE
3356 TokenType TOKEN_TYPE
3357 TokenImpersonationLevel TOKEN_IMPERSONATION_LEVEL
3358 TokenStatistics TOKEN_STATISTICS
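3360 * TokenInformation = Caller supplies storage for the information structure. NOTE(review): the prototypes below mark this parameter OUT, but a set call reads the buffer; confirm whether IN was intended.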
3361 * TokenInformationLength = Size of the information structure
3367 NtSetInformationToken(
3368 IN HANDLE TokenHandle
,
3369 IN TOKEN_INFORMATION_CLASS TokenInformationClass
,
3370 OUT PVOID TokenInformation
,
3371 IN ULONG TokenInformationLength
3376 ZwSetInformationToken(
3377 IN HANDLE TokenHandle
,
3378 IN TOKEN_INFORMATION_CLASS TokenInformationClass
,
3379 OUT PVOID TokenInformation
,
3380 IN ULONG TokenInformationLength
3385 * FUNCTION: Sets an io completion
3390 * NumberOfBytesToTransfer =
3391 * NumberOfBytesTransferred =
3397 IN HANDLE IoCompletionPortHandle
,
3398 IN ULONG CompletionKey
,
3399 IN ULONG CompletionValue
,
3400 IN NTSTATUS CompletionStatus
,
3401 IN ULONG CompletionInformation
3407 IN HANDLE IoCompletionPortHandle
,
3408 IN ULONG CompletionKey
,
3409 IN ULONG CompletionValue
,
3410 IN NTSTATUS CompletionStatus
,
3411 IN ULONG CompletionInformation
3415 * FUNCTION: Set properties for profiling
3425 NtSetIntervalProfile(
3427 KPROFILE_SOURCE ClockSource
3432 ZwSetIntervalProfile(
3434 KPROFILE_SOURCE ClockSource
3439 * FUNCTION: Sets the low part of an event pair
3441 EventPair = Handle to the event pair
3456 * FUNCTION: Sets the low part of an event pair and wait for the high part
3458 EventPair = Handle to the event pair
3463 NtSetLowWaitHighEventPair(
3468 ZwSetLowWaitHighEventPair(
3474 NtSetSecurityObject(
3476 IN SECURITY_INFORMATION SecurityInformation
,
3477 IN PSECURITY_DESCRIPTOR SecurityDescriptor
3482 ZwSetSecurityObject(
3484 IN SECURITY_INFORMATION SecurityInformation
,
3485 IN PSECURITY_DESCRIPTOR SecurityDescriptor
3490 * FUNCTION: Sets a system environment variable
3492 * ValueName = Name of the environment variable
3493 * Value = Value of the environment variable
3498 NtSetSystemEnvironmentValue(
3499 IN PUNICODE_STRING VariableName
,
3500 IN PUNICODE_STRING Value
3504 ZwSetSystemEnvironmentValue(
3505 IN PUNICODE_STRING VariableName
,
3506 IN PUNICODE_STRING Value
3509 * FUNCTION: Sets system parameters
3511 * SystemInformationClass = Index to a particular set of system parameters
3512 * Can be one of the following values:
3514 * SystemTimeAdjustmentInformation SYSTEM_TIME_ADJUSTMENT
3516 * SystemInformation = Structure containing the parameters.
3517 * SystemInformationLength = Size of the structure.
3522 NtSetSystemInformation(
3523 IN SYSTEM_INFORMATION_CLASS SystemInformationClass
,
3524 IN PVOID SystemInformation
,
3525 IN ULONG SystemInformationLength
3530 ZwSetSystemInformation(
3531 IN SYSTEM_INFORMATION_CLASS SystemInformationClass
,
3532 IN PVOID SystemInformation
,
3533 IN ULONG SystemInformationLength
3537 * FUNCTION: Sets the system time
3539 * SystemTime = Old System time
3540 * NewSystemTime = New System time
3546 IN PLARGE_INTEGER SystemTime
,
3547 IN PLARGE_INTEGER NewSystemTime OPTIONAL
3552 IN PLARGE_INTEGER SystemTime
,
3553 IN PLARGE_INTEGER NewSystemTime OPTIONAL
3557 * FUNCTION: Sets the frequency of the system timer
3559 * RequestedResolution =
3561 * ActualResolution =
3566 NtSetTimerResolution(
3567 IN ULONG RequestedResolution
,
3569 OUT PULONG ActualResolution
3573 ZwSetTimerResolution(
3574 IN ULONG RequestedResolution
,
3576 OUT PULONG ActualResolution
3580 * FUNCTION: Sets the value of a registry key
3582 * KeyHandle = Handle to a registry key
3583 * ValueName = Name of the value entry to change
3584 * TitleIndex = pointer to a structure containing the new volume information
3585 * Type = Type of the registry key. Can be one of the values:
3586 * REG_BINARY Unspecified binary data
3587 * REG_DWORD A 32 bit value
3588 * REG_DWORD_LITTLE_ENDIAN Same as REG_DWORD
3589 * REG_DWORD_BIG_ENDIAN A 32 bit value whose least significant byte is at the highest address
3590 * REG_EXPAND_SZ A zero terminated wide character string with unexpanded environment variables ( "%PATH%" )
3591 * REG_LINK A zero terminated wide character string referring to a symbolic link.
3592 * REG_MULTI_SZ A series of zero-terminated strings including an additional trailing zero
3593 * REG_NONE Unspecified type
3594 * REG_SZ A wide character string ( zero terminated )
3595 * REG_RESOURCE_LIST ??
3596 * REG_RESOURCE_REQUIREMENTS_LIST ??
3597 * REG_FULL_RESOURCE_DESCRIPTOR ??
3598 * Data = Contains the data for the registry key.
3599 * DataSize = size of the data.
3605 IN HANDLE KeyHandle
,
3606 IN PUNICODE_STRING ValueName
,
3607 IN ULONG TitleIndex OPTIONAL
,
3615 IN HANDLE KeyHandle
,
3616 IN PUNICODE_STRING ValueName
,
3617 IN ULONG TitleIndex OPTIONAL
,
3624 * FUNCTION: Sets the volume information.
3626 * FileHandle = Handle to the file
3627 * IoStatusBlock = Caller should supply storage for additional status information
3628 * VolumeInformation = pointer to a structure containing the new volume information
3629 * Length = size of the structure.
3630 * VolumeInformationClass = specifies the particular volume information to set
3635 NtSetVolumeInformationFile(
3636 IN HANDLE FileHandle
,
3637 OUT PIO_STATUS_BLOCK IoStatusBlock
,
3638 IN PVOID FsInformation
,
3640 IN FS_INFORMATION_CLASS FsInformationClass
3645 ZwSetVolumeInformationFile(
3646 IN HANDLE FileHandle
,
3647 OUT PIO_STATUS_BLOCK IoStatusBlock
,
3648 IN PVOID FsInformation
,
3650 IN FS_INFORMATION_CLASS FsInformationClass
3654 * FUNCTION: Shuts the system down
3656 * Action = Specifies the type of shutdown, it can be one of the following values:
3657 * ShutdownNoReboot, ShutdownReboot, ShutdownPowerOff
3663 IN SHUTDOWN_ACTION Action
3669 IN SHUTDOWN_ACTION Action
3673 /* --- PROFILING --- */
3676 * FUNCTION: Starts profiling
3678 * ProfileHandle = Handle to the profile
3685 HANDLE ProfileHandle
3691 HANDLE ProfileHandle
3695 * FUNCTION: Stops profiling
3697 * ProfileHandle = Handle to the profile
3704 HANDLE ProfileHandle
3710 HANDLE ProfileHandle
3713 /* --- PROCESS MANAGEMENT --- */
3715 //--NtSystemDebugControl
3717 * FUNCTION: Terminates the execution of a process.
3719 * ProcessHandle = Handle to the process
3720 * ExitStatus = The exit status of the process to terminate with.
3722 Native applications should kill themselves using this function.
3728 IN HANDLE ProcessHandle
,
3729 IN NTSTATUS ExitStatus
3734 IN HANDLE ProcessHandle
,
3735 IN NTSTATUS ExitStatus
3738 /* --- DEVICE DRIVER CONTROL --- */
3741 * FUNCTION: Unloads a driver.
3743 * DriverServiceName = Name of the driver to unload
3749 IN PUNICODE_STRING DriverServiceName
3754 IN PUNICODE_STRING DriverServiceName
3757 /* --- VIRTUAL MEMORY MANAGEMENT --- */
3760 * FUNCTION: Writes a range of virtual memory
3762 * ProcessHandle = The handle to the process owning the address space.
3763 * BaseAddress = Points to the address to write to
3764 * Buffer = Pointer to the buffer to write
3765 * NumberOfBytesToWrite = Offset to the upper boundary to write
3766 * NumberOfBytesWritten = Total bytes written
3768 * This function maps to the win32 WriteProcessMemory
3773 NtWriteVirtualMemory(
3774 IN HANDLE ProcessHandle
,
3775 IN PVOID BaseAddress
,
3777 IN ULONG NumberOfBytesToWrite
,
3778 OUT PULONG NumberOfBytesWritten
3783 ZwWriteVirtualMemory(
3784 IN HANDLE ProcessHandle
,
3785 IN PVOID BaseAddress
,
3787 IN ULONG NumberOfBytesToWrite
,
3788 OUT PULONG NumberOfBytesWritten
3792 * FUNCTION: Unmaps a piece of virtual memory backed by a file.
3794 * ProcessHandle = Handle to the process
3795 * BaseAddress = The address where the mapping begins
3797 This procedure maps to the win32 UnmapViewOfFile
3802 NtUnmapViewOfSection(
3803 IN HANDLE ProcessHandle
,
3804 IN PVOID BaseAddress
3808 ZwUnmapViewOfSection(
3809 IN HANDLE ProcessHandle
,
3810 IN PVOID BaseAddress
3813 /* --- OBJECT SYNCHRONIZATION --- */
3816 * FUNCTION: Signals an object and waits for another one.
3818 * SignalObject = Handle to the object that should be signaled
3819 * WaitObject = Handle to the object that should be waited for
3820 * Alertable = True if the wait is alertable
3821 * Time = The time to wait
3826 NtSignalAndWaitForSingleObject(
3827 IN HANDLE SignalObject
,
3828 IN HANDLE WaitObject
,
3829 IN BOOLEAN Alertable
,
3830 IN PLARGE_INTEGER Time
/* NOTE(review): this declaration repeats the Nt name of the prototype
 * just above with the same parameter list; the surrounding declarations
 * come in Nt/Zw pairs, so presumably ZwSignalAndWaitForSingleObject was
 * intended here -- confirm against the export list. */
3835 NtSignalAndWaitForSingleObject(
3836 IN HANDLE SignalObject
,
3837 IN HANDLE WaitObject
,
3838 IN BOOLEAN Alertable
,
3839 IN PLARGE_INTEGER Time
3843 * FUNCTION: Waits for an object to become signalled.
3845 * Object = The object handle
3846 * Alertable = If true the wait is alertable.
3847 * Time = The maximum wait time.
3849 * This function maps to the win32 WaitForSingleObjectEx.
3854 NtWaitForSingleObject (
3856 IN BOOLEAN Alertable
,
3857 IN PLARGE_INTEGER Time
3862 ZwWaitForSingleObject (
3864 IN BOOLEAN Alertable
,
3865 IN PLARGE_INTEGER Time
3868 /* --- EVENT PAIR OBJECT --- */
3871 * FUNCTION: Waits for the high part of an eventpair to become signalled
3873 * EventPairHandle = Handle to the event pair.
3879 NtWaitHighEventPair(
3880 IN HANDLE EventPairHandle
3885 ZwWaitHighEventPair(
3886 IN HANDLE EventPairHandle
3890 * FUNCTION: Waits for the low part of an eventpair to become signalled
3892 * EventPairHandle = Handle to the event pair.
3898 IN HANDLE EventPairHandle
3904 IN HANDLE EventPairHandle
3907 /* --- FILE MANAGEMENT --- */
3910 * FUNCTION: Unlocks a range of bytes in a file.
3912 * FileHandle = Handle to the file
3913 * IoStatusBlock = Caller should supply storage for a structure containing
3914 * the completion status and information about the requested unlock operation.
3915 The information field is set to the number of bytes unlocked.
3916 * ByteOffset = Offset to start the range of bytes to unlock
3917 * Length = Number of bytes to unlock.
3918 * Key = Special value that lets a thread other than the one that locked the file
3919 unlock it. The key supplied must match the one obtained
3920 in a previous call to NtLockFile.
3922 This procedure maps to the win32 procedure UnlockFileEx. STATUS_PENDING is returned if the lock could
3923 not be obtained immediately, the device queue is busy and the IRP is queued.
3924 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PENDING | STATUS_ACCESS_DENIED | STATUS_INSUFFICIENT_RESOURCES |
3925 STATUS_INVALID_PARAMETER | STATUS_INVALID_DEVICE_REQUEST | STATUS_RANGE_NOT_LOCKED ]
3930 IN HANDLE FileHandle
,
3931 OUT PIO_STATUS_BLOCK IoStatusBlock
,
3932 IN PLARGE_INTEGER ByteOffset
,
3933 IN PLARGE_INTEGER Lenght
,
3934 OUT PULONG Key OPTIONAL
3939 IN HANDLE FileHandle
,
3940 OUT PIO_STATUS_BLOCK IoStatusBlock
,
3941 IN PLARGE_INTEGER ByteOffset
,
3942 IN PLARGE_INTEGER Lenght
,
3943 OUT PULONG Key OPTIONAL
3947 * FUNCTION: Writes data to a file
3949 * FileHandle = The handle of a file ( from NtCreateFile )
3950 * Event = Specifies an event that will become signalled when the write operation completes.
3951 * ApcRoutine = Asynchronous Procedure Callback [ Should not be used by device drivers ]
3952 * ApcContext = Argument to the Apc Routine
3953 * IoStatusBlock = Caller should supply storage for a structure containing the completion status and information about the requested write operation.
3954 * Buffer = Caller should supply storage for a buffer that will contain the information to be written to file.
3955 * Length = Size in bytes of the buffer
3956 * ByteOffset = Points to a file offset. If a combination of Length and ByteOffset is past the end-of-file mark the file will be enlarged.
3957 * ByteOffset is ignored if the file is created with FILE_APPEND_DATA in the DesiredAccess. ByteOffset is also ignored if
3958 * the file is created with CreateOptions flags FILE_SYNCHRONOUS_IO_ALERT or FILE_SYNCHRONOUS_IO_NONALERT set, in that case an offset
3959 * should be created by specifying FILE_USE_FILE_POINTER_POSITION.
3962 * This function maps to the win32 WriteFile.
3963 * Callers to NtWriteFile should run at IRQL PASSIVE_LEVEL.
3964 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PENDING | STATUS_ACCESS_DENIED | STATUS_INSUFFICIENT_RESOURCES
3965 STATUS_INVALID_PARAMETER | STATUS_INVALID_DEVICE_REQUEST | STATUS_FILE_LOCK_CONFLICT ]
3970 IN HANDLE FileHandle
,
3971 IN HANDLE Event OPTIONAL
,
3972 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
3973 IN PVOID ApcContext OPTIONAL
,
3974 OUT PIO_STATUS_BLOCK IoStatusBlock
,
3977 IN PLARGE_INTEGER ByteOffset
,
3978 IN PULONG Key OPTIONAL
3984 IN HANDLE FileHandle
,
3985 IN HANDLE Event OPTIONAL
,
3986 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
3987 IN PVOID ApcContext OPTIONAL
,
3988 OUT PIO_STATUS_BLOCK IoStatusBlock
,
3991 IN PLARGE_INTEGER ByteOffset
,
3992 IN PULONG Key OPTIONAL
3996 * FUNCTION: Writes a file
3998 * FileHandle = The handle of the file
4000 * ApcRoutine = Asynchronous Procedure Callback [ Should not be used by device drivers ]
4001 * ApcContext = Argument to the Apc Routine
4002 * IoStatusBlock = Caller should supply storage for a structure containing the completion status and information about the requested write operation.
4003 * BufferDescription = Caller should supply storage for a buffer that will contain the information to be written to file.
4004 * BufferLength = Size in bytes of the buffer
4005 * ByteOffset = Points to a file offset. If a combination of Length and ByteOffset is past the end-of-file mark the file will be enlarged.
4006 * ByteOffset is ignored if the file is created with FILE_APPEND_DATA in the DesiredAccess. ByteOffset is also ignored if
4007 * the file is created with CreateOptions flags FILE_SYNCHRONOUS_IO_ALERT or FILE_SYNCHRONOUS_IO_NONALERT set, in that case an offset
4008 * should be created by specifying FILE_USE_FILE_POINTER_POSITION. Use FILE_WRITE_TO_END_OF_FILE to write to the EOF.
4009 * Key = If a matching key [ a key provided at NtLockFile ] is provided the write operation will continue even if a byte range is locked.
4011 * This function maps to the win32 WriteFile.
4012 * Callers to NtWriteFile should run at IRQL PASSIVE_LEVEL.
4013 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PENDING | STATUS_ACCESS_DENIED | STATUS_INSUFFICIENT_RESOURCES
4014 STATUS_INVALID_PARAMETER | STATUS_INVALID_DEVICE_REQUEST | STATUS_FILE_LOCK_CONFLICT ]
4020 IN HANDLE FileHandle
,
4021 IN HANDLE Event OPTIONAL
,
4022 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
4023 IN PVOID ApcContext OPTIONAL
,
4024 OUT PIO_STATUS_BLOCK IoStatusBlock
,
4025 IN FILE_SEGMENT_ELEMENT BufferDescription
[],
4026 IN ULONG BufferLength
,
4027 IN PLARGE_INTEGER ByteOffset
,
4028 IN PULONG Key OPTIONAL
4034 IN HANDLE FileHandle
,
4035 IN HANDLE Event OPTIONAL
,
4036 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
4037 IN PVOID ApcContext OPTIONAL
,
4038 OUT PIO_STATUS_BLOCK IoStatusBlock
,
4039 IN FILE_SEGMENT_ELEMENT BufferDescription
[],
4040 IN ULONG BufferLength
,
4041 IN PLARGE_INTEGER ByteOffset
,
4042 IN PULONG Key OPTIONAL
4046 /* --- THREAD MANAGEMENT --- */
4049 * FUNCTION: Increments a thread's resume count
4051 * ThreadHandle = Handle to the thread that should be resumed
4052 * PreviousSuspendCount = The resulting/previous suspend count.
4054 * A thread will be suspended if its suspend count is greater than 0. This procedure maps to
4055 * the win32 SuspendThread function. ( documentation about the suspend count can be found here as well )
4056 * The suspend count is not increased if it is greater than MAXIMUM_SUSPEND_COUNT.
4062 IN HANDLE ThreadHandle
,
4063 IN PULONG PreviousSuspendCount
4069 IN HANDLE ThreadHandle
,
4070 IN PULONG PreviousSuspendCount
4074 * FUNCTION: Terminates the execution of a thread.
4076 * ThreadHandle = Handle to the thread
4077 * ExitStatus = The exit status of the thread to terminate with.
4083 IN HANDLE ThreadHandle
,
4084 IN NTSTATUS ExitStatus
4089 IN HANDLE ThreadHandle
,
4090 IN NTSTATUS ExitStatus
4093 * FUNCTION: Tests to see if there are any pending alerts for the calling thread
4108 * FUNCTION: Yields the callers thread.
4123 /* --- PLUG AND PLAY --- */
4133 NtGetPlugPlayEvent (
4137 /* --- POWER MANAGEMENT --- */
4140 NtSetSystemPowerState(IN POWER_ACTION SystemAction
,
4141 IN SYSTEM_POWER_STATE MinSystemState
,
4144 /* --- DEBUG SUBSYSTEM --- */
4147 NtSystemDebugControl(DEBUG_CONTROL_CODE ControlCode
,
4149 ULONG InputBufferLength
,
4151 ULONG OutputBufferLength
,
4152 PULONG ReturnLength
);
4154 /* --- VIRTUAL DOS MACHINE (VDM) --- */
4158 NtVdmControl (ULONG ControlCode
, PVOID ControlData
);
4164 NtW32Call(IN ULONG RoutineIndex
,
4166 IN ULONG ArgumentLength
,
4167 OUT PVOID
* Result OPTIONAL
,
4168 OUT PULONG ResultLength OPTIONAL
);
4170 /* --- CHANNELS --- */
4192 NtReplyWaitSendChannel (
4198 NtSendWaitReplyChannel (
4204 NtSetContextChannel (
4208 /* --- MISCELLANEA --- */
4210 //NTSTATUS STDCALL NtSetLdtEntries(VOID);
4221 NtQueryOleDirectoryFile (
4226 * FUNCTION: Checks a client's access rights to an object
4228 * SecurityDescriptor = Security information against which the access is checked
4229 * ClientToken = Represents a client
4233 * ReturnLength = Bytes written
4235 * AccessStatus = Indicates if the ClientToken allows the requested access
4236 * REMARKS: The arguments map to the win32 AccessCheck
4243 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
4244 IN HANDLE ClientToken
,
4245 IN ACCESS_MASK DesiredAcces
,
4246 IN PGENERIC_MAPPING GenericMapping
,
4247 OUT PPRIVILEGE_SET PrivilegeSet
,
4248 OUT PULONG ReturnLength
,
4249 OUT PULONG GrantedAccess
,
4250 OUT PBOOLEAN AccessStatus
4256 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
4257 IN HANDLE ClientToken
,
4258 IN ACCESS_MASK DesiredAcces
,
4259 IN PGENERIC_MAPPING GenericMapping
,
4260 OUT PPRIVILEGE_SET PrivilegeSet
,
4261 OUT PULONG ReturnLength
,
4262 OUT PULONG GrantedAccess
,
4263 OUT PBOOLEAN AccessStatus
4269 IN ACCESS_MASK DesiredAccess
,
4270 OUT PHANDLE KeyHandle
);
4273 #ifndef __USE_W32API
4276 * FUNCTION: Continues a thread with the specified context
4278 * Context = Specifies the processor context
4279 * IrqLevel = Specifies the Interrupt Request Level to continue with. Can
4280 * be PASSIVE_LEVEL or APC_LEVEL
4282 * NtContinue can be used to continue after an exception or apc.
4285 //FIXME This function might need another parameter
4290 IN PCONTEXT Context
,
4291 IN BOOLEAN TestAlert
4294 NTSTATUS STDCALL
ZwContinue(IN PCONTEXT Context
, IN CINT IrqLevel
);
4297 * FUNCTION: Retrieves the system time
4299 * CurrentTime (OUT) = Caller should supply storage for the resulting time.
4307 OUT TIME
*CurrentTime
4313 OUT TIME
*CurrentTime
4317 * FUNCTION: Loads a registry key.
4319 * KeyHandle = Handle to the registry key
4320 * ObjectAttributes = ???
4323 * This procedure maps to the win32 procedure RegLoadKey
4330 POBJECT_ATTRIBUTES ObjectAttributes
,
4337 POBJECT_ATTRIBUTES ObjectAttributes
,
4342 * FUNCTION: Copies a handle from one process space to another
4344 * SourceProcessHandle = The source process owning the handle. The source process should have opened
4345 * the SourceHandle with PROCESS_DUP_HANDLE access.
4346 * SourceHandle = The handle to the object.
4347 * TargetProcessHandle = The destination process owning the handle
4348 * TargetHandle (OUT) = Caller should supply storage for the duplicated handle.
4349 * DesiredAccess = The desired access to the handle.
4350 * InheritHandle = Indicates whether the new handle will be inheritable or not.
4351 * Options = Specifies special actions upon duplicating the handle. Can be
4352 * one of the values DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS.
4353 * DUPLICATE_CLOSE_SOURCE specifies that the source handle should be
4354 * closed after duplicating. DUPLICATE_SAME_ACCESS specifies to ignore
4355 * the DesiredAccess parameter and just grant the same access to the new
4358 * REMARKS: This function maps to the win32 DuplicateHandle.
4364 IN HANDLE SourceProcessHandle
,
4365 IN HANDLE SourceHandle
,
4366 IN HANDLE TargetProcessHandle
,
4367 OUT PHANDLE TargetHandle
,
4368 IN ACCESS_MASK DesiredAccess
,
4369 IN BOOLEAN InheritHandle
,
4376 IN HANDLE SourceProcessHandle
,
4377 IN PHANDLE SourceHandle
,
4378 IN HANDLE TargetProcessHandle
,
4379 OUT PHANDLE TargetHandle
,
4380 IN ACCESS_MASK DesiredAccess
,
4381 IN BOOLEAN InheritHandle
,
4386 * FUNCTION: Checks a client's access rights to an object and issues an audit alarm. ( it logs the access )
4388 * SubsystemName = Specifies the name of the subsystem, can be "WIN32" or "DEBUG"
4390 * ObjectAttributes =
4397 * REMARKS: The arguments map to the win32 AccessCheck
/*
 * NtAccessCheckAndAuditAlarm: access check plus audit record, as described in
 * the FUNCTION comment above. Results come back through three OUT pointers:
 * GrantedAccess, AccessStatus and GenerateOnClose.
 * NOTE(review): presumably AccessStatus carries the outcome of the access
 * check separately from the call's own return status; confirm against the
 * implementation, because a caller that tests only the return status would
 * then treat a denied check as granted.
 * NOTE(review): ObjectHandle is marked IN but declared PHANDLE; confirm whether
 * a handle value or a pointer to one is expected.
 */
4403 NtAccessCheckAndAuditAlarm(
4404 IN PUNICODE_STRING SubsystemName
,
4405 IN PHANDLE ObjectHandle
,
4406 IN POBJECT_ATTRIBUTES ObjectAttributes
,
4407 IN ACCESS_MASK DesiredAccess
,
4408 IN PGENERIC_MAPPING GenericMapping
,
4409 IN BOOLEAN ObjectCreation
,
4410 OUT PULONG GrantedAccess
,
4411 OUT PBOOLEAN AccessStatus
,
4412 OUT PBOOLEAN GenerateOnClose
4417 ZwAccessCheckAndAuditAlarm(
4418 IN PUNICODE_STRING SubsystemName
,
4419 IN PHANDLE ObjectHandle
,
4420 IN POBJECT_ATTRIBUTES ObjectAttributes
,
4421 IN ACCESS_MASK DesiredAccess
,
4422 IN PGENERIC_MAPPING GenericMapping
,
4423 IN BOOLEAN ObjectCreation
,
4424 OUT PULONG GrantedAccess
,
4425 OUT PBOOLEAN AccessStatus
,
4426 OUT PBOOLEAN GenerateOnClose
4430 * FUNCTION: Adds an atom to the global atom table
4432 * AtomString = The string to add to the atom table.
4433 * Atom (OUT) = Caller supplies storage for the resulting atom.
4434 * REMARKS: The arguments map to the win32 GlobalAddAtom.
4441 IN OUT PRTL_ATOM Atom
4449 IN OUT PRTL_ATOM Atom
4455 PULARGE_INTEGER Time
,
4463 PULARGE_INTEGER Time
,
4469 * FUNCTION: Cancels a timer
4471 * TimerHandle = Handle to the timer
4472 * CurrentState = Specifies the state of the timer when cancelled.
4474 * The arguments to this function map to the function CancelWaitableTimer.
4480 IN HANDLE TimerHandle
,
4481 OUT PBOOLEAN CurrentState OPTIONAL
/*
 * Second of the two timer-cancel prototypes documented above; the line
 * carrying its name is not part of this listing.
 * NOTE(review): the last parameter is declared `OUT ULONG ElapsedTime`, a
 * by-value ULONG that cannot carry a result back to the caller. The prototype
 * just above declares `OUT PBOOLEAN CurrentState OPTIONAL`, which matches the
 * CurrentState entry in the parameter comment. The two declarations should
 * agree.
 */
4487 IN HANDLE TimerHandle
,
4488 OUT ULONG ElapsedTime
4492 * FUNCTION: Creates a paging file.
4494 * FileName = Name of the pagefile
4495 * InitialSize = Specifies the initial size in bytes
4496 * MaximumSize = Specifies the maximum size in bytes
4497 * Reserved = Reserved for future use
4503 IN PUNICODE_STRING FileName
,
4504 IN PLARGE_INTEGER InitialSize
,
4505 IN PLARGE_INTEGER MaxiumSize
,
4512 IN PUNICODE_STRING FileName
,
4513 IN PLARGE_INTEGER InitialSize
,
4514 IN PLARGE_INTEGER MaxiumSize
,
4519 * FUNCTION: Creates a user mode thread
4521 * ThreadHandle (OUT) = Caller supplied storage for the resulting handle
4522 * DesiredAccess = Specifies the allowed or desired access to the thread.
4523 * ObjectAttributes = Initialized attributes for the object.
4524 * ProcessHandle = Handle to the thread's parent process.
4525 * ClientId (OUT) = Caller supplies storage for returned process id and thread id.
4526 * ThreadContext = Initial processor context for the thread.
4527 * InitialTeb = Initial user mode stack context for the thread.
4528 * CreateSuspended = Specifies if the thread is ready for scheduling
4530 * This function maps to the win32 function CreateThread.
4536 OUT PHANDLE ThreadHandle
,
4537 IN ACCESS_MASK DesiredAccess
,
4538 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
,
4539 IN HANDLE ProcessHandle
,
4540 OUT PCLIENT_ID ClientId
,
4541 IN PCONTEXT ThreadContext
,
4542 IN PINITIAL_TEB InitialTeb
,
4543 IN BOOLEAN CreateSuspended
4549 OUT PHANDLE ThreadHandle
,
4550 IN ACCESS_MASK DesiredAccess
,
4551 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
,
4552 IN HANDLE ProcessHandle
,
4553 OUT PCLIENT_ID ClientId
,
4554 IN PCONTEXT ThreadContext
,
4555 IN PINITIAL_TEB InitialTeb
,
4556 IN BOOLEAN CreateSuspended
4562 IN HANDLE ExistingToken
,
4563 IN ACCESS_MASK DesiredAccess
,
4564 IN POBJECT_ATTRIBUTES ObjectAttributes
,
4565 IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
,
4566 IN TOKEN_TYPE TokenType
,
4567 OUT PHANDLE NewToken
4573 IN HANDLE ExistingToken
,
4574 IN ACCESS_MASK DesiredAccess
,
4575 IN POBJECT_ATTRIBUTES ObjectAttributes
,
4576 IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
,
4577 IN TOKEN_TYPE TokenType
,
4578 OUT PHANDLE NewToken
4582 * FUNCTION: Finds an atom
4584 * AtomName = Name to search for.
4585 * Atom = Caller supplies storage for the resulting atom
4588 * This function maps to the win32 GlobalFindAtom
4594 OUT PRTL_ATOM Atom OPTIONAL
4601 OUT PRTL_ATOM Atom OPTIONAL
4605 * FUNCTION: Flushes the processor's instruction cache
4607 * ProcessHandle = Points to the process owning the cache
4608 * BaseAddress = // might this be a image address ????
4609 * NumberOfBytesToFlush =
4612 * This function is used by debuggers
4616 NtFlushInstructionCache(
4617 IN HANDLE ProcessHandle
,
4618 IN PVOID BaseAddress
,
4619 IN UINT NumberOfBytesToFlush
4624 ZwFlushInstructionCache(
4625 IN HANDLE ProcessHandle
,
4626 IN PVOID BaseAddress
,
4627 IN UINT NumberOfBytesToFlush
4631 * FUNCTION: Flushes virtual memory to file
4633 * ProcessHandle = Points to the process that allocated the virtual memory
4634 * BaseAddress = Points to the memory address
4635 * NumberOfBytesToFlush = Limits the range to flush,
4636 * NumberOfBytesFlushed = Actual number of bytes flushed
4639 * Check return status on STATUS_NOT_MAPPED_DATA
4643 NtFlushVirtualMemory(
4644 IN HANDLE ProcessHandle
,
4645 IN PVOID BaseAddress
,
4646 IN ULONG NumberOfBytesToFlush
,
4647 OUT PULONG NumberOfBytesFlushed OPTIONAL
4652 ZwFlushVirtualMemory(
4653 IN HANDLE ProcessHandle
,
4654 IN PVOID BaseAddress
,
4655 IN ULONG NumberOfBytesToFlush
,
4656 OUT PULONG NumberOfBytesFlushed OPTIONAL
4660 * FUNCTION: Retrieves the uptime of the system
4662 * UpTime = Number of clock ticks since boot.
4678 * FUNCTION: Loads a registry key.
4680 * KeyHandle = Handle to the registry key
4681 * ObjectAttributes = ???
4683 * This procedure maps to the win32 procedure RegLoadKey
4690 POBJECT_ATTRIBUTES ObjectAttributes
4697 POBJECT_ATTRIBUTES ObjectAttributes
4701 * FUNCTION: Locks a range of virtual memory.
4703 * ProcessHandle = Handle to the process
4704 * BaseAddress = Lower boundary of the range of bytes to lock.
4705 * NumberOfBytesLock = Offset to the upper boundary.
4706 * NumberOfBytesLocked (OUT) = Number of bytes actually locked.
4708 This procedure maps to the win32 procedure VirtualLock
4709 * RETURNS: Status [STATUS_SUCCESS | STATUS_WAS_LOCKED ]
4713 NtLockVirtualMemory(
4714 HANDLE ProcessHandle
,
4716 ULONG NumberOfBytesToLock
,
4717 PULONG NumberOfBytesLocked
4722 ZwLockVirtualMemory(
4723 HANDLE ProcessHandle
,
4725 ULONG NumberOfBytesToLock
,
4726 PULONG NumberOfBytesLocked
4731 NtOpenObjectAuditAlarm(
4732 IN PUNICODE_STRING SubsystemName
,
4734 IN POBJECT_ATTRIBUTES ObjectAttributes
,
4735 IN HANDLE ClientToken
,
4736 IN ULONG DesiredAccess
,
4737 IN ULONG GrantedAccess
,
4738 IN PPRIVILEGE_SET Privileges
,
4739 IN BOOLEAN ObjectCreation
,
4740 IN BOOLEAN AccessGranted
,
4741 OUT PBOOLEAN GenerateOnClose
4746 ZwOpenObjectAuditAlarm(
4747 IN PUNICODE_STRING SubsystemName
,
4749 IN POBJECT_ATTRIBUTES ObjectAttributes
,
4750 IN HANDLE ClientToken
,
4751 IN ULONG DesiredAccess
,
4752 IN ULONG GrantedAccess
,
4753 IN PPRIVILEGE_SET Privileges
,
4754 IN BOOLEAN ObjectCreation
,
4755 IN BOOLEAN AccessGranted
,
4756 OUT PBOOLEAN GenerateOnClose
4760 * FUNCTION: Set the access protection of a range of virtual memory
4762 * ProcessHandle = Handle to process owning the virtual address space
4763 * BaseAddress = Start address
4764 * NumberOfBytesToProtect = Delimits the range of virtual memory
4765 * for which the new access protection holds
4766 * NewAccessProtection = The new access protection for the pages
4767 * OldAccessProtection = Caller should supply storage for the old
4771 * The function maps to the win32 VirtualProtectEx
/*
 * NtProtectVirtualMemory: sets the access protection of a range of virtual
 * memory in the address space selected by ProcessHandle and returns the
 * previous protection through OldAccessProtection (see the FUNCTION comment
 * above).
 * NOTE(review): BaseAddress and NumberOfBytesToProtect are passed by value, so
 * the range that was actually changed is not reported back to the caller;
 * confirm how the implementation rounds the range to page boundaries.
 * NOTE(review): ProcessHandle may name another process, so the implementation
 * presumably checks the handle's access rights before changing protections.
 * Verify that check, and treat requests that leave pages both writable and
 * executable as worth auditing.
 */
4776 NtProtectVirtualMemory(
4777 IN HANDLE ProcessHandle
,
4778 IN PVOID BaseAddress
,
4779 IN ULONG NumberOfBytesToProtect
,
4780 IN ULONG NewAccessProtection
,
4781 OUT PULONG OldAccessProtection
4786 ZwProtectVirtualMemory(
4787 IN HANDLE ProcessHandle
,
4788 IN PVOID BaseAddress
,
4789 IN ULONG NumberOfBytesToProtect
,
4790 IN ULONG NewAccessProtection
,
4791 OUT PULONG OldAccessProtection
4796 NtQueryInformationAtom(
4798 IN ATOM_INFORMATION_CLASS AtomInformationClass
,
4799 OUT PVOID AtomInformation
,
4800 IN ULONG AtomInformationLength
,
4801 OUT PULONG ReturnLength OPTIONAL
4806 ZwQueryInformationAtom(
4808 IN ATOM_INFORMATION_CLASS AtomInformationClass
,
4809 OUT PVOID AtomInformation
,
4810 IN ULONG AtomInformationLength
,
4811 OUT PULONG ReturnLength OPTIONAL
4815 * FUNCTION: Query information about the content of a directory object
4817 DirObjInformation = Buffer must be large enough to hold the name strings too
4818 GetNextIndex = If TRUE :return the index of the next object in this directory in ObjectIndex
4819 If FALSE: return the number of objects in this directory in ObjectIndex
4820 IgnoreInputIndex= If TRUE: ignore input value of ObjectIndex always start at index 0
4821 If FALSE use input value of ObjectIndex
4822 ObjectIndex = zero based index of object in the directory depends on GetNextIndex and IgnoreInputIndex
4823 DataWritten = Actual size of the ObjectIndex ???
4828 NtQueryDirectoryObject(
4829 IN HANDLE DirObjHandle
,
4830 OUT POBJDIR_INFORMATION DirObjInformation
,
4831 IN ULONG BufferLength
,
4832 IN BOOLEAN GetNextIndex
,
4833 IN BOOLEAN IgnoreInputIndex
,
4834 IN OUT PULONG ObjectIndex
,
4835 OUT PULONG DataWritten OPTIONAL
4840 ZwQueryDirectoryObject(
4841 IN HANDLE DirObjHandle
,
4842 OUT POBJDIR_INFORMATION DirObjInformation
,
4843 IN ULONG BufferLength
,
4844 IN BOOLEAN GetNextIndex
,
4845 IN BOOLEAN IgnoreInputIndex
,
4846 IN OUT PULONG ObjectIndex
,
4847 OUT PULONG DataWritten OPTIONAL
4851 * FUNCTION: Queries the information of a process object.
4853 * ProcessHandle = Handle to the process object
4854 * ProcessInformation = Index to a certain information structure
4856 ProcessBasicInformation PROCESS_BASIC_INFORMATION
4857 ProcessQuotaLimits QUOTA_LIMITS
4858 ProcessIoCounters IO_COUNTERS
4859 ProcessVmCounters VM_COUNTERS
4860 ProcessTimes KERNEL_USER_TIMES
4861 ProcessBasePriority KPRIORITY
4862 ProcessRaisePriority KPRIORITY
4863 ProcessDebugPort HANDLE
4864 ProcessExceptionPort HANDLE
4865 ProcessAccessToken PROCESS_ACCESS_TOKEN
4866 ProcessLdtInformation LDT_ENTRY ??
4867 ProcessLdtSize ULONG
4868 ProcessDefaultHardErrorMode ULONG
4869 ProcessIoPortHandlers // kernel mode only
4870 ProcessPooledUsageAndLimits POOLED_USAGE_AND_LIMITS
4871 ProcessWorkingSetWatch PROCESS_WS_WATCH_INFORMATION
4872 ProcessUserModeIOPL (I/O Privilege Level)
4873 ProcessEnableAlignmentFaultFixup BOOLEAN
4874 ProcessPriorityClass ULONG
4875 ProcessWx86Information ULONG
4876 ProcessHandleCount ULONG
4877 ProcessAffinityMask ULONG
4878 ProcessPooledQuotaLimits QUOTA_LIMITS
4881 * ProcessInformation = Caller supplies storage for the process information structure
4882 * ProcessInformationLength = Size of the process information structure
4883 * ReturnLength = Actual number of bytes written
4886 * This procedure maps to the win32 GetProcessTimes, GetProcessVersion,
4887 GetProcessWorkingSetSize, GetProcessPriorityBoost, GetProcessAffinityMask, GetPriorityClass,
4888 GetProcessShutdownParameters functions.
/*
 * NtQueryInformationProcess: returns the structure selected by
 * ProcessInformationClass in the caller's ProcessInformation buffer; the
 * class/structure pairs are listed in the comment above.
 * ProcessInformationLength is the size of that buffer and ReturnLength
 * receives the number of bytes written.
 * NOTE(review): the class is a plain CINT and the buffer an untyped PVOID, so
 * nothing in this declaration ties the length to the selected structure. The
 * implementation presumably rejects a length smaller than the structure before
 * it writes; confirm that check exists for every class.
 */
4894 NtQueryInformationProcess(
4895 IN HANDLE ProcessHandle
,
4896 IN CINT ProcessInformationClass
,
4897 OUT PVOID ProcessInformation
,
4898 IN ULONG ProcessInformationLength
,
4899 OUT PULONG ReturnLength
4904 ZwQueryInformationProcess(
4905 IN HANDLE ProcessHandle
,
4906 IN CINT ProcessInformationClass
,
4907 OUT PVOID ProcessInformation
,
4908 IN ULONG ProcessInformationLength
,
4909 OUT PULONG ReturnLength
4913 * FUNCTION: Query the interval and the clocksource for profiling
/*
 * NtQueryIntervalProfile: queries the interval and the clock source used for
 * profiling (see the FUNCTION comment above). Interval is returned through a
 * PULONG.
 * NOTE(review): ClockSource is marked OUT but declared as a by-value
 * KPROFILE_SOURCE, so it cannot return anything to the caller; confirm whether
 * it is meant to be an IN selector or a pointer.
 */
4921 NtQueryIntervalProfile(
4922 OUT PULONG Interval
,
4923 OUT KPROFILE_SOURCE ClockSource
4928 ZwQueryIntervalProfile(
4929 OUT PULONG Interval
,
4930 OUT KPROFILE_SOURCE ClockSource
4934 * FUNCTION: Queries the information of an object.
4936 ObjectHandle = Handle to an object
4937 ObjectInformationClass = Index to a certain information structure
4939 ObjectBasicInformation
4940 ObjectTypeInformation OBJECT_TYPE_INFORMATION
4941 ObjectNameInformation OBJECT_NAME_INFORMATION
4942 ObjectDataInformation OBJECT_DATA_INFORMATION
4944 ObjectInformation = Caller supplies storage for resulting information
4945 Length = Size of the supplied storage
4946 ResultLength = Bytes written
4952 IN HANDLE ObjectHandle
,
4953 IN CINT ObjectInformationClass
,
4954 OUT PVOID ObjectInformation
,
4956 OUT PULONG ResultLength
4962 IN HANDLE ObjectHandle
,
4963 IN CINT ObjectInformationClass
,
4964 OUT PVOID ObjectInformation
,
4966 OUT PULONG ResultLength
4971 NtQuerySecurityObject(
4973 IN SECURITY_INFORMATION SecurityInformation
,
4974 OUT PSECURITY_DESCRIPTOR SecurityDescriptor
,
4976 OUT PULONG ResultLength
4981 ZwQuerySecurityObject(
4983 IN SECURITY_INFORMATION SecurityInformation
,
4984 OUT PSECURITY_DESCRIPTOR SecurityDescriptor
,
4986 OUT PULONG ResultLength
4990 * FUNCTION: Queries the virtual memory information.
4992 ProcessHandle = Process owning the virtual address space
4993 BaseAddress = Points to the page where the information is queried for.
4994 * VirtualMemoryInformationClass = Index to a certain information structure
4996 MemoryBasicInformation MEMORY_BASIC_INFORMATION
4998 * VirtualMemoryInformation = caller supplies storage for the information structure
4999 * Length = size of the structure
5000 ResultLength = Data written
/*
 * NtQueryVirtualMemory: queries virtual memory information for the address
 * space owned by ProcessHandle. The structure selected by
 * VirtualMemoryInformationClass is written to VirtualMemoryInformation and
 * ResultLength receives the amount of data written (see the comment above).
 * NOTE(review): the class parameter carries the IN annotation twice
 * ("IN IN CINT"); one of them is redundant.
 */
5007 NtQueryVirtualMemory(
5008 IN HANDLE ProcessHandle
,
5010 IN IN CINT VirtualMemoryInformationClass
,
5011 OUT PVOID VirtualMemoryInformation
,
5013 OUT PULONG ResultLength
5018 ZwQueryVirtualMemory(
5019 IN HANDLE ProcessHandle
,
5021 IN IN CINT VirtualMemoryInformationClass
,
5022 OUT PVOID VirtualMemoryInformation
,
5024 OUT PULONG ResultLength
5028 * FUNCTION: Raises a hard error (stops the system)
5030 * Status = Status code of the hard error
5063 * FUNCTION: Sets the information of a registry key.
5065 * KeyHandle = Handle to the registry key
5066 * KeyInformationClass = Index to a certain information structure.
5067 Can be one of the following values:
5069 * KeyWriteTimeInformation KEY_WRITE_TIME_INFORMATION
5071 KeyInformation = Storage for the new information
5072 * KeyInformationLength = Size of the information structure
5078 NtSetInformationKey(
5079 IN HANDLE KeyHandle
,
5080 IN CINT KeyInformationClass
,
5081 IN PVOID KeyInformation
,
5082 IN ULONG KeyInformationLength
5087 ZwSetInformationKey(
5088 IN HANDLE KeyHandle
,
5089 IN CINT KeyInformationClass
,
5090 IN PVOID KeyInformation
,
5091 IN ULONG KeyInformationLength
5095 * FUNCTION: Changes a set of object specific parameters
5098 * ObjectInformationClass = Index to the set of parameters to change.
5101 ObjectBasicInformation
5102 ObjectTypeInformation OBJECT_TYPE_INFORMATION
5103 ObjectAllInformation
5104 ObjectDataInformation OBJECT_DATA_INFORMATION
5105 ObjectNameInformation OBJECT_NAME_INFORMATION
5108 * ObjectInformation = Caller supplies storage for parameters to set.
5109 * Length = Size of the storage supplied
5114 NtSetInformationObject(
5115 IN HANDLE ObjectHandle
,
5116 IN CINT ObjectInformationClass
,
5117 IN PVOID ObjectInformation
,
5123 ZwSetInformationObject(
5124 IN HANDLE ObjectHandle
,
5125 IN CINT ObjectInformationClass
,
5126 IN PVOID ObjectInformation
,
5131 * FUNCTION: Changes a set of process specific parameters
5133 * ProcessHandle = Handle to the process
5134 * ProcessInformationClass = Index to an information structure.
5136 * ProcessBasicInformation PROCESS_BASIC_INFORMATION
5137 * ProcessQuotaLimits QUOTA_LIMITS
5138 * ProcessBasePriority KPRIORITY
5139 * ProcessRaisePriority KPRIORITY
5140 * ProcessDebugPort HANDLE
5141 * ProcessExceptionPort HANDLE
5142 * ProcessAccessToken PROCESS_ACCESS_TOKEN
5143 * ProcessDefaultHardErrorMode ULONG
5144 * ProcessPriorityClass ULONG
5145 * ProcessAffinityMask KAFFINITY //??
5147 * ProcessInformation = Caller supplies storage for information to set.
5148 * ProcessInformationLength = Size of the information structure
/*
 * NtSetInformationProcess: changes process parameters. ProcessInformationClass
 * selects the structure read from ProcessInformation, and
 * ProcessInformationLength gives its size (see the comment above).
 * NOTE(review): the settable classes listed above include ProcessAccessToken,
 * ProcessDebugPort and ProcessExceptionPort, which by their names change the
 * target's token and its debug and exception ports. The implementation
 * presumably requires suitable handle access and privileges for each class;
 * confirm, and confirm that ProcessInformationLength is validated against the
 * selected structure before the buffer is read.
 */
5153 NtSetInformationProcess(
5154 IN HANDLE ProcessHandle
,
5155 IN CINT ProcessInformationClass
,
5156 IN PVOID ProcessInformation
,
5157 IN ULONG ProcessInformationLength
5162 ZwSetInformationProcess(
5163 IN HANDLE ProcessHandle
,
5164 IN CINT ProcessInformationClass
,
5165 IN PVOID ProcessInformation
,
5166 IN ULONG ProcessInformationLength
5170 * FUNCTION: Sets the characteristics of a timer
5172 * TimerHandle = Handle to the timer
5173 * DueTime = Time before the timer becomes signalled for the first time.
5174 * TimerApcRoutine = Completion routine can be called on time completion
5175 * TimerContext = Argument to the completion routine
5176 * Resume = Specifies if the timer should be repeated after completing one cycle
5177 * Period = Cycle of the timer
5178 * REMARKS: This routine maps to the win32 SetWaitableTimer.
5184 IN HANDLE TimerHandle
,
5185 IN PLARGE_INTEGER DueTime
,
5186 IN PTIMERAPCROUTINE TimerApcRoutine
,
5187 IN PVOID TimerContext
,
5189 IN ULONG Period OPTIONAL
,
5190 OUT PBOOLEAN PreviousState OPTIONAL
5196 IN HANDLE TimerHandle
,
5197 IN PLARGE_INTEGER DueTime
,
5198 IN PTIMERAPCROUTINE TimerApcRoutine
,
5199 IN PVOID TimerContext
,
5201 IN ULONG Period OPTIONAL
,
5202 OUT PBOOLEAN PreviousState OPTIONAL
5206 * FUNCTION: Unloads a registry key.
5208 * KeyHandle = Handle to the registry key
5210 * This procedure maps to the win32 procedure RegUnloadKey
5226 * FUNCTION: Unlocks a range of virtual memory.
5228 * ProcessHandle = Handle to the process
5229 * BaseAddress = Lower boundary of the range of bytes to unlock.
5230 * NumberOfBytesToUnlock = Offset to the upper boundary to unlock.
5231 * NumberOfBytesUnlocked (OUT) = Number of bytes actually unlocked.
5233 This procedure maps to the win32 procedure VirtualUnlock
5234 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PAGE_WAS_ULOCKED ]
5238 NtUnlockVirtualMemory(
5239 IN HANDLE ProcessHandle
,
5240 IN PVOID BaseAddress
,
5241 IN ULONG NumberOfBytesToUnlock
,
5242 OUT PULONG NumberOfBytesUnlocked OPTIONAL
5247 ZwUnlockVirtualMemory(
5248 IN HANDLE ProcessHandle
,
5249 IN PVOID BaseAddress
,
5250 IN ULONG NumberOfBytesToUnlock
,
5251 OUT PULONG NumberOfBytesUnlocked OPTIONAL
5255 * FUNCTION: Waits for multiple objects to become signalled.
5257 * Count = The number of objects
5258 * Object = The array of object handles
5259 * WaitType = Can be one of the values UserMode or KernelMode
5260 * Alertable = If true the wait is alertable.
5261 * Time = The maximum wait time.
5263 * This function maps to the win32 WaitForMultipleObjectsEx.
5268 NtWaitForMultipleObjects (
5271 IN WAIT_TYPE WaitType
,
5272 IN BOOLEAN Alertable
,
5273 IN PLARGE_INTEGER Time
5278 ZwWaitForMultipleObjects (
5281 IN WAIT_TYPE WaitType
,
5282 IN BOOLEAN Alertable
,
5283 IN PLARGE_INTEGER Time
5287 * FUNCTION: Creates a profile
5289 * ProfileHandle (OUT) = Caller supplied storage for the resulting handle
5290 * ObjectAttribute = Initialized attributes for the object
5291 * ImageBase = Start address of executable image
5292 * ImageSize = Size of the image
5293 * Granularity = Bucket size
5294 * Buffer = Caller supplies buffer for profiling info
5295 * ProfilingSize = Buffer size
5296 * ClockSource = Specify 0 / FALSE ??
5297 * ProcessorMask = A value of -1 disables per-processor profiling;
5298 otherwise a bit is set for each processor to profile.
5300 * This function maps to the win32 CreateProcess.
/*
 * NtCreateProfile: creates a profile object and returns its handle through
 * ProfileHandle (see the FUNCTION comment above). ProfilingSize is described
 * above as the size of the caller-supplied profiling buffer.
 * NOTE(review): the parameter comment above lists ObjectAttribute and
 * ClockSource, but this prototype takes `IN HANDLE ProcessHandle` and
 * `IN KPROFILE_SOURCE Source`; the comment and the declaration should agree.
 * NOTE(review): the REMARKS line names win32 CreateProcess, which looks like a
 * copy/paste slip for a profiling call; confirm and correct.
 * NOTE(review): the implementation presumably bounds its writes to the
 * caller's buffer by ProfilingSize; confirm.
 */
5306 NtCreateProfile(OUT PHANDLE ProfileHandle
,
5307 IN HANDLE ProcessHandle
,
5310 IN ULONG Granularity
,
5312 IN ULONG ProfilingSize
,
5313 IN KPROFILE_SOURCE Source
,
5314 IN ULONG ProcessorMask
);
/*
 * Second of the two profile-creation prototypes documented above; the line
 * carrying its name is not part of this listing.
 * NOTE(review): this prototype takes `IN POBJECT_ATTRIBUTES ObjectAttributes`
 * and `IN ULONG ClockSource`, while NtCreateProfile just above takes
 * `IN HANDLE ProcessHandle` and `IN KPROFILE_SOURCE Source` in the same
 * positions. The two declarations should agree.
 */
5319 OUT PHANDLE ProfileHandle
,
5320 IN POBJECT_ATTRIBUTES ObjectAttributes
,
5323 IN ULONG Granularity
,
5325 IN ULONG ProfilingSize
,
5326 IN ULONG ClockSource
,
5327 IN ULONG ProcessorMask
5331 * FUNCTION: Delays the execution of the calling thread.
5333 * Alertable = If TRUE the thread is alertable during its wait period
5334 * Interval = Specifies the interval to wait.
5348 IN BOOLEAN Alertable
,
5353 * FUNCTION: Extends a section
5355 * SectionHandle = Handle to the section
5356 * NewMaximumSize = Adjusted size
5362 IN HANDLE SectionHandle
,
5363 IN ULONG NewMaximumSize
5369 IN HANDLE SectionHandle
,
5370 IN ULONG NewMaximumSize
5374 * FUNCTION: Queries the information of a section object.
5376 * SectionHandle = Handle to the section link object
5377 * SectionInformationClass = Index to a certain information structure
5378 * SectionInformation (OUT)= Caller supplies storage for resulting information
5379 * Length = Size of the supplied storage
5380 * ResultLength = Data written
5387 IN HANDLE SectionHandle
,
5388 IN CINT SectionInformationClass
,
5389 OUT PVOID SectionInformation
,
5391 OUT PULONG ResultLength
5397 IN HANDLE SectionHandle
,
5398 IN CINT SectionInformationClass
,
5399 OUT PVOID SectionInformation
,
5401 OUT PULONG ResultLength
5404 typedef struct _SECTION_IMAGE_INFORMATION
5411 USHORT MinorSubsystemVersion
;
5412 USHORT MajorSubsystemVersion
;
5414 ULONG Characteristics
;
5419 } SECTION_IMAGE_INFORMATION
, *PSECTION_IMAGE_INFORMATION
;
5421 #endif /* !__USE_W32API */
5423 #endif /* __DDK_ZW_H */