Windows 7 Kernel Architecture Changes - api-ms-win-core files
Windows 7 introduces a new set of DLL files containing exported functions of many well-known WIN32 APIs.
All these filenames begin with the 'api-ms-win-core' prefix, followed by the function category name.
For example, api-ms-win-core-localregistry-l1-1-0.dll contains the exported names for all Registry functions,
api-ms-win-core-file-l1-1-0.dll contains the exported names for all file-related functions,
api-ms-win-core-localization-l1-1-0.dll contains the exported names for all localization functions, and so on.
If you look deeply into these files, you'll see that they are all very small, and that the functions in them
don't do anything: they simply return a 'TRUE' value.
For example, here's the assembly language content of the RegDeleteValueW function in api-ms-win-core-localregistry-l1-1-0.dll:
084010CE 33C0 xor eax, eax
084010D0 40 inc eax
084010D1 C20800 ret 0008
By looking in the Dependency Walker utility, we can see that advapi32.dll, kernel32.dll, and other system DLL files
are now statically linked to these empty api-ms-win-core files.
Moreover, if we look at the assembly language output of many API functions, we can see that they simply
call their corresponding function in one of these api-ms-win-core DLLs.
For example, RegDeleteValueW in advapi32.dll simply contains a jump to RegDeleteValueW in
API-MS-Win-Core-LocalRegistry-L1-1-0.dll:
ADVAPI32!RegDeleteValueW:
77C6F301 8BFF mov edi, edi
77C6F303 55 push ebp
77C6F304 8BEC mov ebp, esp
77C6F306 5D pop ebp
77C6F307 EB05 jmp 77C6F30E
.
.
.
77C6F30E FF25B414C677 jmp dword ptr [77C614B4] <-- [77C614B4] points to the import entry
of API-MS-Win-Core-LocalRegistry-L1-1-0.RegDeleteValueW
So if RegDeleteValueW in ADVAPI32 and other functions simply jump to empty functions, how is it possible
that these functions still work properly?
The answer is pretty simple: when Windows loads the DLL files, all the import entries of these api-ms-win-core DLLs
are replaced with a call to a real function in the Windows kernel.
So here's our RegDeleteValueW example again: when loading a program into WinDbg, we can see that
the jmp now points to the kernel32!RegDeleteValueW function. That's because during the loading of advapi32.dll,
Windows automatically replaces the import entry of API-MS-Win-Core-LocalRegistry-L1-1-0.RegDeleteValueW with the
address of the RegDeleteValueW function in kernel32.
75e5f301 8bff mov edi,edi
75e5f303 55 push ebp
75e5f304 8bec mov ebp,esp
75e5f306 5d pop ebp
75e5f307 eb05 jmp ADVAPI32!RegDeleteValueW+0xd (75e5f30e)
.
.
.
75e5f30e ff25b414e575 jmp dword ptr [ADVAPI32+0x14b4 (75e514b4)] ds:0023:75e514b4={kernel32!RegDeleteValueW (758bd5af)}
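The chain shown in the listings above can be followed mechanically, which is what a diagnostic tool has to do to find where a call really lands. The following Python code is an added example, not code from the original article or from any of the author's utilities: it recognises the 'return TRUE' stub and walks the ADVAPI32 thunk to its import slot, using only the bytes and addresses printed in the listings. The function names (stub_pops, reader, find_iat_slot, resolve) are hypothetical.

```python
import struct

def stub_pops(code):
    """If code is 'xor eax,eax / inc eax / ret [imm16]', return the bytes ret pops; else None."""
    if code[:3] != bytes.fromhex("33C040"):
        return None
    if code[3:4] == b"\xC3":                       # plain ret
        return 0
    if code[3:4] == b"\xC2" and len(code) >= 6:    # ret imm16
        return struct.unpack("<H", code[4:6])[0]
    return None

def reader(regions):
    """Build read(addr, n) over a sparse {base_address: bytes} map."""
    def read(addr, n):
        for base, data in regions.items():
            if base <= addr and addr + n <= base + len(data):
                return data[addr - base:addr - base + n]
        raise ValueError("no bytes mapped at %#x" % addr)
    return read

def find_iat_slot(read, addr, limit=16):
    """Walk a forwarding thunk and return the import slot its final jmp reads."""
    for _ in range(limit):
        op = read(addr, 1)[0]
        if op in (0x55, 0x5D):                                     # push ebp / pop ebp
            addr += 1
        elif op == 0x8B and read(addr + 1, 1)[0] in (0xFF, 0xEC):  # mov edi,edi / mov ebp,esp
            addr += 2
        elif op == 0xEB:                                           # jmp short rel8
            addr += 2 + struct.unpack("b", read(addr + 1, 1))[0]
        elif op == 0xFF and read(addr + 1, 1)[0] == 0x25:          # jmp dword ptr [abs32]
            return struct.unpack("<I", read(addr + 2, 4))[0]
        else:
            raise ValueError("not a forwarding thunk: opcode %#x at %#x" % (op, addr))
    raise ValueError("thunk longer than %d instructions" % limit)

def resolve(read, addr):
    """Return (import slot, address stored in it) for the thunk at addr."""
    slot = find_iat_slot(read, addr)
    return slot, struct.unpack("<I", read(slot, 4))[0]

# Bytes and addresses below are copied from the listings on this page;
# the bytes elided there ('. . .') are left unmapped on purpose.
STUB = bytes.fromhex("33C040C20800")               # api-ms-win-core stub
PROLOGUE = bytes.fromhex("8BFF558BEC5DEB05")       # ADVAPI32!RegDeleteValueW
STATIC = reader({0x77C6F301: PROLOGUE, 0x77C6F30E: bytes.fromhex("FF25B414C677")})
LOADED = reader({0x75E5F301: PROLOGUE, 0x75E5F30E: bytes.fromhex("FF25B414E575"),
                 0x75E514B4: struct.pack("<I", 0x758BD5AF)})  # slot value shown by WinDbg

if __name__ == "__main__":
    print("stub pops", stub_pops(STUB), "bytes and returns 1")
    print("static listing slot: %#x" % find_iat_slot(STATIC, 0x77C6F301))
    print("loaded slot %#x -> %#x" % resolve(LOADED, 0x75E5F301))
```

Only the WinDbg listing shows what the import slot contains, so resolve is run against the loaded image alone; for the static listing the example stops at the slot address.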
Another new dll: kernelbase.dll
In addition to the new API-MS-Win-Core DLL files, there is also another new DLL: kernelbase.dll.
In previous versions of Windows, most of the kernel32 functions called their corresponding functions in ntdll.dll.
In Windows 7, most of the kernel functions call their corresponding functions in kernelbase.dll,
and kernelbase.dll is the one that makes the calls to ntdll.dll.
Effects on existing applications - compatibility issues.
Most of the existing applications should not be affected by this kernel change, because all standard
API calls still work the same as in previous versions of Windows.
However, there are some diagnostic/debugging applications that rely on the call chain inside the Windows kernel.
These kinds of applications may not work properly in Windows 7.
My own utilities, RegFromApp and ProcessActivityView, failed to work under Windows 7 because of these changes, and
that is what led me to discover the kernel changes of Windows 7. The problems in these utilities are already fixed, and they now work properly in Windows 7.
API-MS-Win-Core List
Finally, here's the list of all core DLL files added to Windows 7 and the list of functions that each one
of them contains.
I used my own DLL Export Viewer utility to generate the list.
DLL File | Function Names
api-ms-win-core-console-l1-1-0.dll
AllocConsole
GetConsoleCP
GetConsoleMode
GetConsoleOutputCP
GetNumberOfConsoleInputEvents
PeekConsoleInputA
ReadConsoleA
ReadConsoleInputA
ReadConsoleInputW
ReadConsoleW
SetConsoleCtrlHandler
SetConsoleMode
WriteConsoleA
WriteConsoleW
api-ms-win-core-datetime-l1-1-0.dll
GetDateFormatA
GetDateFormatW
GetTimeFormatA
GetTimeFormatW
api-ms-win-core-debug-l1-1-0.dll
DebugBreak
IsDebuggerPresent
OutputDebugStringA
OutputDebugStringW
api-ms-win-core-delayload-l1-1-0.dll
DelayLoadFailureHook
api-ms-win-core-errorhandling-l1-1-0.dll
GetErrorMode
GetLastError
RaiseException
SetErrorMode
SetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter
api-ms-win-core-fibers-l1-1-0.dll
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
api-ms-win-core-file-l1-1-0.dll
CompareFileTime
CreateDirectoryA
CreateDirectoryW
CreateFileA
CreateFileW
DefineDosDeviceW
DeleteFileA
DeleteFileW
DeleteVolumeMountPointW
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindCloseChangeNotification
FindFirstChangeNotificationA
FindFirstChangeNotificationW
FindFirstFileA
FindFirstFileExA
FindFirstFileExW
FindFirstFileW
FindFirstVolumeW
FindNextChangeNotification
FindNextFileA
FindNextFileW
FindNextVolumeW
FindVolumeClose
FlushFileBuffers
GetDiskFreeSpaceA
GetDiskFreeSpaceExA
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetDriveTypeA
GetDriveTypeW
GetFileAttributesA
GetFileAttributesExA
GetFileAttributesExW
GetFileAttributesW
GetFileInformationByHandle
GetFileSize
GetFileSizeEx
GetFileTime
GetFileType
GetFinalPathNameByHandleA
GetFinalPathNameByHandleW
GetFullPathNameA
GetFullPathNameW
GetLogicalDrives
GetLogicalDriveStringsW
GetLongPathNameA
GetLongPathNameW
GetShortPathNameW
GetTempFileNameW
GetVolumeInformationByHandleW
GetVolumeInformationW
GetVolumePathNameW
LocalFileTimeToFileTime
LockFile
LockFileEx
QueryDosDeviceW
ReadFile
ReadFileEx
ReadFileScatter
RemoveDirectoryA
RemoveDirectoryW
SetEndOfFile
SetFileAttributesA
SetFileAttributesW
SetFileInformationByHandle
SetFilePointer
SetFilePointerEx
SetFileTime
SetFileValidData
UnlockFile
UnlockFileEx
WriteFile
WriteFileEx
WriteFileGather
api-ms-win-core-handle-l1-1-0.dll
CloseHandle
DuplicateHandle
GetHandleInformation
SetHandleInformation
api-ms-win-core-heap-l1-1-0.dll
GetProcessHeap
GetProcessHeaps
HeapAlloc
HeapCompact
HeapCreate
HeapDestroy
HeapFree
HeapLock
HeapQueryInformation
HeapReAlloc
HeapSetInformation
HeapSize
HeapSummary
HeapUnlock
HeapValidate
HeapWalk
api-ms-win-core-interlocked-l1-1-0.dll
InitializeSListHead
InterlockedCompareExchange
InterlockedCompareExchange64
InterlockedDecrement
InterlockedExchange
InterlockedExchangeAdd
InterlockedFlushSList
InterlockedIncrement
InterlockedPopEntrySList
InterlockedPushEntrySList
InterlockedPushListSList
QueryDepthSList
api-ms-win-core-io-l1-1-0.dll
CancelIoEx
CreateIoCompletionPort
DeviceIoControl
GetOverlappedResult
GetQueuedCompletionStatus
GetQueuedCompletionStatusEx
PostQueuedCompletionStatus
api-ms-win-core-libraryloader-l1-1-0.dll
DisableThreadLibraryCalls
FindResourceExW
FindStringOrdinal
FreeLibrary
FreeLibraryAndExitThread
FreeResource
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleExA
GetModuleHandleExW
GetModuleHandleW
GetProcAddress
LoadLibraryExA
LoadLibraryExW
LoadResource
LoadStringA
LoadStringW
LockResource
SizeofResource
api-ms-win-core-localization-l1-1-0.dll
ConvertDefaultLocale
FindNLSString
FindNLSStringEx
GetACP
GetCalendarInfoEx
GetCalendarInfoW
GetCPFileNameFromRegistry
GetCPInfo
GetCPInfoExW
GetFileMUIInfo
GetFileMUIPath
GetLocaleInfoEx
GetLocaleInfoW
GetNLSVersion
GetNLSVersionEx
GetOEMCP
GetProcessPreferredUILanguages
GetSystemDefaultLangID
GetSystemDefaultLCID
GetSystemPreferredUILanguages
GetThreadLocale
GetThreadPreferredUILanguages
GetThreadUILanguage
GetUILanguageInfo
GetUserDefaultLangID
GetUserDefaultLCID
GetUserPreferredUILanguages
IsNLSDefinedString
IsValidCodePage
IsValidLanguageGroup
IsValidLocale
IsValidLocaleName
LCMapStringEx
LCMapStringW
LocaleNameToLCID
NlsCheckPolicy
NlsEventDataDescCreate
NlsGetCacheUpdateCount
NlsUpdateLocale
NlsUpdateSystemLocale
NlsWriteEtwEvent
ResolveLocaleName
SetCalendarInfoW
SetLocaleInfoW
SetThreadLocale
VerLanguageNameA
VerLanguageNameW
api-ms-win-core-localregistry-l1-1-0.dll
RegCloseKey
RegCreateKeyExA
RegCreateKeyExW
RegDeleteKeyExA
RegDeleteKeyExW
RegDeleteTreeA
RegDeleteTreeW
RegDeleteValueA
RegDeleteValueW
RegDisablePredefinedCacheEx
RegEnumKeyExA
RegEnumKeyExW
RegEnumValueA
RegEnumValueW
RegFlushKey
RegGetKeySecurity
RegGetValueA
RegGetValueW
RegLoadKeyA
RegLoadKeyW
RegLoadMUIStringA
RegLoadMUIStringW
RegNotifyChangeKeyValue
RegOpenCurrentUser
RegOpenKeyExA
RegOpenKeyExW
RegOpenUserClassesRoot
RegQueryInfoKeyA
RegQueryInfoKeyW
RegQueryValueExA
RegQueryValueExW
RegRestoreKeyA
RegRestoreKeyW
RegSaveKeyExA
RegSaveKeyExW
RegSetKeySecurity
RegSetValueExA
RegSetValueExW
RegUnLoadKeyA
RegUnLoadKeyW
api-ms-win-core-memory-l1-1-0.dll
CreateFileMappingW
FlushViewOfFile
MapViewOfFile
MapViewOfFileEx
OpenFileMappingW
ReadProcessMemory
UnmapViewOfFile
VirtualAlloc
VirtualAllocEx
VirtualFree
VirtualFreeEx
VirtualProtect
VirtualProtectEx
VirtualQuery
VirtualQueryEx
WriteProcessMemory
api-ms-win-core-misc-l1-1-0.dll
EnumSystemLocalesA
FatalAppExitA
FatalAppExitW
FormatMessageA
FormatMessageW
GlobalAlloc
GlobalFree
IsProcessInJob
IsWow64Process
LCMapStringA
LocalAlloc
LocalFree
LocalLock
LocalReAlloc
LocalUnlock
lstrcmp
lstrcmpA
lstrcmpi
lstrcmpiA
lstrcmpiW
lstrcmpW
lstrcpyn
lstrcpynA
lstrcpynW
lstrlen
lstrlenA
lstrlenW
NeedCurrentDirectoryForExePathA
NeedCurrentDirectoryForExePathW
PulseEvent
SetHandleCount
Sleep
Wow64DisableWow64FsRedirection
Wow64RevertWow64FsRedirection
api-ms-win-core-namedpipe-l1-1-0.dll
ConnectNamedPipe
CreateNamedPipeW
CreatePipe
DisconnectNamedPipe
GetNamedPipeAttribute
GetNamedPipeClientComputerNameW
ImpersonateNamedPipeClient
PeekNamedPipe
SetNamedPipeHandleState
TransactNamedPipe
WaitNamedPipeW
api-ms-win-core-processenvironment-l1-1-0.dll
ExpandEnvironmentStringsA
ExpandEnvironmentStringsW
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetCommandLineA
GetCommandLineW
GetCurrentDirectoryA
GetCurrentDirectoryW
GetEnvironmentStrings
GetEnvironmentStringsA
GetEnvironmentStringsW
GetEnvironmentVariableA
GetEnvironmentVariableW
GetStdHandle
SearchPathW
SetCurrentDirectoryA
SetCurrentDirectoryW
SetEnvironmentStringsW
SetEnvironmentVariableA
SetEnvironmentVariableW
SetStdHandle
SetStdHandleEx
api-ms-win-core-processthreads-l1-1-0.dll
CreateProcessA
CreateProcessAsUserW
CreateProcessW
CreateRemoteThread
CreateRemoteThreadEx
CreateThread
DeleteProcThreadAttributeList
ExitProcess
ExitThread
FlushProcessWriteBuffers
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetExitCodeProcess
GetExitCodeThread
GetPriorityClass
GetProcessId
GetProcessIdOfThread
GetProcessTimes
GetProcessVersion
GetStartupInfoW
GetThreadId
GetThreadPriority
GetThreadPriorityBoost
InitializeProcThreadAttributeList
OpenProcessToken
OpenThread
OpenThreadToken
ProcessIdToSessionId
QueryProcessAffinityUpdateMode
QueueUserAPC
ResumeThread
SetPriorityClass
SetProcessAffinityUpdateMode
SetProcessShutdownParameters
SetThreadPriority
SetThreadPriorityBoost
SetThreadStackGuarantee
SetThreadToken
SuspendThread
SwitchToThread
TerminateProcess
TerminateThread
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
UpdateProcThreadAttribute
api-ms-win-core-profile-l1-1-0.dll
QueryPerformanceCounter
QueryPerformanceFrequency
api-ms-win-core-rtlsupport-l1-1-0.dll
RtlCaptureContext
RtlCaptureStackBackTrace
RtlFillMemory
RtlUnwind
api-ms-win-core-string-l1-1-0.dll
CompareStringEx
CompareStringOrdinal
CompareStringW
FoldStringW
GetStringTypeExW
GetStringTypeW
MultiByteToWideChar
WideCharToMultiByte
api-ms-win-core-synch-l1-1-0.dll
AcquireSRWLockExclusive
AcquireSRWLockShared
CancelWaitableTimer
CreateEventA
CreateEventExA
CreateEventExW
CreateEventW
CreateMutexA
CreateMutexExA
CreateMutexExW
CreateMutexW
CreateSemaphoreExW
CreateWaitableTimerExW
DeleteCriticalSection
EnterCriticalSection
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
InitializeCriticalSectionEx
InitializeSRWLock
LeaveCriticalSection
OpenEventA
OpenEventW
OpenMutexW
OpenProcess
OpenSemaphoreW
OpenWaitableTimerW
ReleaseMutex
ReleaseSemaphore
ReleaseSRWLockExclusive
ReleaseSRWLockShared
ResetEvent
SetCriticalSectionSpinCount
SetEvent
SetWaitableTimer
SetWaitableTimerEx
SleepEx
TryAcquireSRWLockExclusive
TryAcquireSRWLockShared
TryEnterCriticalSection
WaitForMultipleObjectsEx
WaitForSingleObject
WaitForSingleObjectEx
api-ms-win-core-sysinfo-l1-1-0.dll
GetComputerNameExA
GetComputerNameExW
GetDynamicTimeZoneInformation
GetLocalTime
GetLogicalProcessorInformation
GetLogicalProcessorInformationEx
GetSystemDirectoryA
GetSystemDirectoryW
GetSystemInfo
GetSystemTime
GetSystemTimeAdjustment
GetSystemTimeAsFileTime
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryW
GetTickCount
GetTickCount64
GetTimeZoneInformation
GetTimeZoneInformationForYear
GetVersion
GetVersionExA
GetVersionExW
GetWindowsDirectoryA
GetWindowsDirectoryW
GlobalMemoryStatusEx
SetLocalTime
SystemTimeToFileTime
SystemTimeToTzSpecificLocalTime
TzSpecificLocalTimeToSystemTime
api-ms-win-core-threadpool-l1-1-0.dll
CallbackMayRunLong
CancelThreadpoolIo
ChangeTimerQueueTimer
CloseThreadpool
CloseThreadpoolCleanupGroup
CloseThreadpoolCleanupGroupMembers
CloseThreadpoolIo
CloseThreadpoolTimer
CloseThreadpoolWait
CloseThreadpoolWork
CreateThreadpool
CreateThreadpoolCleanupGroup
CreateThreadpoolIo
CreateThreadpoolTimer
CreateThreadpoolWait
CreateThreadpoolWork
CreateTimerQueue
CreateTimerQueueTimer
DeleteTimerQueueEx
DeleteTimerQueueTimer
DisassociateCurrentThreadFromCallback
FreeLibraryWhenCallbackReturns
IsThreadpoolTimerSet
LeaveCriticalSectionWhenCallbackReturns
QueryThreadpoolStackInformation
RegisterWaitForSingleObjectEx
ReleaseMutexWhenCallbackReturns
ReleaseSemaphoreWhenCallbackReturns
SetEventWhenCallbackReturns
SetThreadpoolStackInformation
SetThreadpoolThreadMaximum
SetThreadpoolThreadMinimum
SetThreadpoolTimer
SetThreadpoolWait
StartThreadpoolIo
SubmitThreadpoolWork
TrySubmitThreadpoolCallback
UnregisterWaitEx
WaitForThreadpoolIoCallbacks
WaitForThreadpoolTimerCallbacks
WaitForThreadpoolWaitCallbacks
WaitForThreadpoolWorkCallbacks
api-ms-win-core-util-l1-1-0.dll
Beep
DecodePointer
DecodeSystemPointer
EncodePointer
EncodeSystemPointer
api-ms-win-core-xstate-l1-1-0.dll
RtlCopyExtendedContext
RtlGetEnabledExtendedFeatures
RtlGetExtendedContextLength
RtlGetExtendedFeaturesMask
RtlInitializeExtendedContext
RtlLocateExtendedFeature
RtlLocateLegacyContext
RtlSetExtendedFeaturesMask
api-ms-win-security-base-l1-1-0.dll
AccessCheck
AccessCheckAndAuditAlarmW
AccessCheckByType
AccessCheckByTypeAndAuditAlarmW
AccessCheckByTypeResultList
AccessCheckByTypeResultListAndAuditAlarmByHandleW
AccessCheckByTypeResultListAndAuditAlarmW
AddAccessAllowedAce
AddAccessAllowedAceEx
AddAccessAllowedObjectAce
AddAccessDeniedAce
AddAccessDeniedAceEx
AddAccessDeniedObjectAce
AddAce
AddAuditAccessAce
AddAuditAccessAceEx
AddAuditAccessObjectAce
AddMandatoryAce
AdjustTokenGroups
AdjustTokenPrivileges
AllocateAndInitializeSid
AllocateLocallyUniqueId
AreAllAccessesGranted
AreAnyAccessesGranted
CheckTokenMembership
ConvertToAutoInheritPrivateObjectSecurity
CopySid
CreatePrivateObjectSecurity
CreatePrivateObjectSecurityEx
CreatePrivateObjectSecurityWithMultipleInheritance
CreateRestrictedToken
CreateWellKnownSid
DeleteAce
DestroyPrivateObjectSecurity
DuplicateToken
DuplicateTokenEx
EqualDomainSid
EqualPrefixSid
EqualSid
FindFirstFreeAce
FreeSid
GetAce
GetAclInformation
GetFileSecurityW
GetKernelObjectSecurity
GetLengthSid
GetPrivateObjectSecurity
GetSecurityDescriptorControl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorLength
GetSecurityDescriptorOwner
GetSecurityDescriptorRMControl
GetSecurityDescriptorSacl
GetSidIdentifierAuthority
GetSidLengthRequired
GetSidSubAuthority
GetSidSubAuthorityCount
GetTokenInformation
GetWindowsAccountDomainSid
ImpersonateAnonymousToken
ImpersonateLoggedOnUser
ImpersonateSelf
InitializeAcl
InitializeSecurityDescriptor
InitializeSid
IsTokenRestricted
IsValidAcl
IsValidRelativeSecurityDescriptor
IsValidSecurityDescriptor
IsValidSid
IsWellKnownSid
MakeAbsoluteSD
MakeAbsoluteSD2
MakeSelfRelativeSD
MapGenericMask
ObjectCloseAuditAlarmW
ObjectDeleteAuditAlarmW
ObjectOpenAuditAlarmW
ObjectPrivilegeAuditAlarmW
PrivilegeCheck
PrivilegedServiceAuditAlarmW
QuerySecurityAccessMask
RevertToSelf
SetAclInformation
SetFileSecurityW
SetKernelObjectSecurity
SetPrivateObjectSecurity
SetPrivateObjectSecurityEx
SetSecurityAccessMask
SetSecurityDescriptorControl
SetSecurityDescriptorDacl
SetSecurityDescriptorGroup
SetSecurityDescriptorOwner
SetSecurityDescriptorRMControl
SetSecurityDescriptorSacl
SetTokenInformation
api-ms-win-security-lsalookup-l1-1-0.dll
LookupAccountNameLocalA
LookupAccountNameLocalW
LookupAccountSidLocalA
LookupAccountSidLocalW
LsaLookupClose
LsaLookupFreeMemory
LsaLookupGetDomainInfo
LsaLookupManageSidNameMapping
LsaLookupOpenLocalPolicy
LsaLookupTranslateNames
LsaLookupTranslateSids
api-ms-win-security-sddl-l1-1-0.dll
ConvertSecurityDescriptorToStringSecurityDescriptorW
ConvertSidToStringSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertStringSidToSidW
api-ms-win-service-core-l1-1-0.dll
RegisterServiceCtrlHandlerExW
SetServiceStatus
StartServiceCtrlDispatcherW
api-ms-win-service-management-l1-1-0.dll
CloseServiceHandle
ControlServiceExW
CreateServiceW
DeleteService
OpenSCManagerW
OpenServiceW
StartServiceW
api-ms-win-service-management-l2-1-0.dll
ChangeServiceConfig2W
ChangeServiceConfigW
NotifyServiceStatusChangeW
QueryServiceConfig2W
QueryServiceConfigW
QueryServiceObjectSecurity
QueryServiceStatusEx
SetServiceObjectSecurity
api-ms-win-service-winsvc-l1-1-0.dll
ChangeServiceConfig2A
ChangeServiceConfigA
ControlService
ControlServiceExA
CreateServiceA
I_QueryTagInformation
I_ScBroadcastServiceControlMessage
I_ScIsSecurityProcess
I_ScPnPGetServiceName
I_ScQueryServiceConfig
I_ScRpcBindA
I_ScRpcBindW
I_ScSendPnPMessage
I_ScSendTSMessage
I_ScValidatePnPService
NotifyServiceStatusChangeA
OpenSCManagerA
OpenServiceA
QueryServiceConfig2A
QueryServiceConfigA
QueryServiceStatus
RegisterServiceCtrlHandlerA
RegisterServiceCtrlHandlerExA
RegisterServiceCtrlHandlerW
StartServiceA
StartServiceCtrlDispatcherA