TMurgent Technologies

Destination for Application Virtualization

Windows Native API

The Native API is an officially undocumented programming interface in Microsoft Operating Systems that lives below the MFC and WIN32 programming interfaces used by most applications. Portions of this API are documented by Microsoft, mainly for the use of kernel mode driver developers. Sometimes we find these interfaces very useful in user mode programs. The interfaces are always much more efficient (the published win32 APIs have a lot of overhead we might not need nor want), and in many cases expose functionality not available from published interfaces.

Gary Nebbett's book on the Native API for Windows NT and 2000 remains as the standard "undocumented" programming interface to the Microsoft Windows kernel. While Windows XP and 2003 offered little in changes to the interface, mostly to add new interfaces, the "x64" versions of the operating system as well as Vista and the server-to-be-named-later that will follow make important changes that developers that use these interfaces must concern themselves with.

Mark Russinovitch used to document the existence of some new interfaces (without programming details) at his old sysinternals site, but since SysInternals was bought by Microsoft that information has gone away.

The tables below (which is a work in progress) depicts Native API interfaces for which the interface has been tested on various recent OSs and what is known about their being differences from the NT/2000 base. To date, I have focused on documenting only the "Query" interfaces, which allow us to read information out of the kernel.  Feedback to is appreciated.  The details of the differences noted in these tables, when known, are not published here because there are too many lawyers in the world.

Speaking of which, I should add a caution that my publishing this information should not cause anyone to write or use Native API interfaces. Being officially "undocumented" interfaces, Microsoft may change them at any time without notice. With experience, we have learned over the years interfaces that have remained stable enough to write code against that will work on Windows NT and up. After all, Microsoft doesn't want to make changes to break their own software if they can help it. Also note that that while this information is the best known to me at this time and I make no statement as to the correctness nor usefulness of this information.

LAST UPDATED: June 3, 2006

Notations in Tables

In the tables that follow are notations that use the following codes:

System Interface (NtQuerySystemInformation)

Process Interface (NtQueryInformationProcess)

Thread Interface (NtQueryInformationThread)