
Tuesday 18 November 2014

Windows 7 Kernel Architecture


  Windows 7 Kernel Architecture Changes - api-ms-win-core files

Windows 7 introduces a new set of DLL files containing the exported functions of many well-known Win32 APIs. All these filenames begin with the 'api-ms-win-core' prefix, followed by the name of the function category.
For example, api-ms-win-core-localregistry-l1-1-0.dll contains the exported names of all Registry functions, api-ms-win-core-file-l1-1-0.dll contains the exported names of all file-related functions, api-ms-win-core-localization-l1-1-0.dll contains the exported names of all localization functions, and so on.

If you look into these files, you'll see that all of them are very small, and the functions in them don't do anything: they simply return a 'TRUE' value. For example, here's the assembly language content of the RegDeleteValueW function in api-ms-win-core-localregistry-l1-1-0.dll:

084010CE 33C0      xor eax, eax
084010D0 40        inc eax
084010D1 C20800    ret 0008

Looking in the Dependency Walker utility, we can see that advapi32.dll, kernel32.dll and other system DLL files are now statically linked to these empty api-ms-win-core files.

Moreover, if we look at the assembly language output of many API functions, we can see that they simply call their corresponding function in one of these api-ms-win-core DLLs. For example, RegDeleteValueW in advapi32.dll simply contains a jump to RegDeleteValueW in API-MS-Win-Core-LocalRegistry-L1-1-0.dll:

ADVAPI32!RegDeleteValueW:
77C6F301 8BFF          mov edi, edi
77C6F303 55            push ebp
77C6F304 8BEC          mov ebp, esp
77C6F306 5D            pop ebp
77C6F307 EB05          jmp 77C6F30E
. . .
77C6F30E FF25B414C677  jmp dword ptr [77C614B4]   <-- [77C614B4] points to the import entry of API-MS-Win-Core-LocalRegistry-L1-1-0.RegDeleteValueW

So if RegDeleteValueW in ADVAPI32 and other functions simply jump to empty functions, how is it possible that these functions still work properly?

The answer is pretty simple: when Windows loads the DLL files, all the import entries of these api-ms-win-core DLLs are redirected to a real function in the Windows kernel.
So here's our RegDeleteValueW example again: when loading a program into WinDbg, we can see that the jmp now points to the kernel32!RegDeleteValueW function. That's because during the loading of advapi32.dll, Windows automatically replaces the import entry of API-MS-Win-Core-LocalRegistry-L1-1-0.RegDeleteValueW with the address of RegDeleteValueW in kernel32.

75e5f301 8bff          mov edi,edi
75e5f303 55            push ebp
75e5f304 8bec          mov ebp,esp
75e5f306 5d            pop ebp
75e5f307 eb05          jmp ADVAPI32!RegDeleteValueW+0xd (75e5f30e)
. . .
75e5f30e ff25b414e575  jmp dword ptr [ADVAPI32+0x14b4 (75e514b4)]   ds:0023:75e514b4={kernel32!RegDeleteValueW (758bd5af)}
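The two listings above are exactly the kind of chain a diagnostic or API-monitoring tool has to walk: an empty hotpatch prologue, a short jmp, a jmp through an import slot, and then either the do-nothing api-ms-win-core stub (the static view) or the real kernel32 code (the loaded view). The following is an added example, not code from the post or from NirSoft, that walks such a chain over a constructed toy address space. The byte values mirror the post's listings; the module address ranges, the five filler bytes elided by the post's ". . .", and the bytes placed at the kernel32 address are assumptions made up for the example. It also recognises the xor eax,eax / inc eax / ret body of an empty stub, so a tool can tell that a statically resolved import still points at a placeholder rather than at real code.

```python
"""Follow the stub/thunk chain of an exported Win32 function.

Constructed example: byte layout mirrors the RegDeleteValueW listings in the
post, but the address space below is a toy dict, not a real process dump.
"""
import struct

# Hypothetical module ranges (assumed for this example, not taken from the post)
MODULES = {
    "ADVAPI32": (0x77C60000, 0x77D00000),
    "API-MS-Win-Core-LocalRegistry-L1-1-0": (0x08400000, 0x08410000),
    "kernel32": (0x75800000, 0x75900000),
}

ADVAPI32_REGDELETEVALUEW = 0x77C6F301   # from the post's first advapi32 listing
IAT_SLOT = 0x77C614B4                   # import entry read by the final jmp
STUB_REGDELETEVALUEW = 0x084010CE       # the empty api-ms-win-core stub
KERNEL32_REGDELETEVALUEW = 0x758BD5AF   # from the post's WinDbg listing

# mov edi,edi / push ebp / mov ebp,esp / pop ebp: a do-nothing hotpatch prologue
EMPTY_PROLOGUE = bytes.fromhex("8BFF558BEC5D")
# xor eax,eax / inc eax / ret imm16: the "return TRUE" stub body
RETURN_TRUE_STUB = bytes.fromhex("33C040C2")


def build_memory(iat_target):
    """Build the toy address space; iat_target is what the import slot holds."""
    mem = {}

    def put(addr, data):
        for i, b in enumerate(data):
            mem[addr + i] = b

    # ADVAPI32!RegDeleteValueW: empty prologue, short jmp over 5 filler bytes
    put(ADVAPI32_REGDELETEVALUEW, EMPTY_PROLOGUE + b"\xEB\x05" + b"\xCC" * 5)
    # jmp dword ptr [IAT_SLOT]  (FF 25 imm32)
    put(ADVAPI32_REGDELETEVALUEW + 0xD, b"\xFF\x25" + struct.pack("<I", IAT_SLOT))
    put(IAT_SLOT, struct.pack("<I", iat_target))
    put(STUB_REGDELETEVALUEW, RETURN_TRUE_STUB + b"\x08\x00")
    # Assumed kernel32 body: a real prologue followed by actual code (sub esp,10h)
    put(KERNEL32_REGDELETEVALUEW, bytes.fromhex("8BFF558BEC83EC10"))
    return mem


def read(mem, addr, n):
    """Return up to n contiguous mapped bytes starting at addr."""
    out = bytearray()
    for i in range(n):
        if addr + i not in mem:
            break
        out.append(mem[addr + i])
    return bytes(out)


def module_for(addr):
    """Name of the module whose range contains addr, or None."""
    for name, (lo, hi) in MODULES.items():
        if lo <= addr < hi:
            return name
    return None


def follow_thunks(mem, addr, max_hops=16):
    """Return (final_addr, hops): the first real instruction reached from addr.

    Skips empty hotpatch prologues and follows EB (short jmp), E9 (near jmp)
    and FF 25 (jmp through an import slot). Each hop is (kind, address).
    """
    hops = []
    for _ in range(max_hops):
        code = read(mem, addr, 6)
        if not code:
            raise ValueError(f"unmapped address {addr:#010x}")
        if code == EMPTY_PROLOGUE:
            hops.append(("prologue", addr))
            addr += 6
        elif code[0] == 0xEB and len(code) >= 2:
            hops.append(("jmp_short", addr))
            addr = addr + 2 + struct.unpack("<b", code[1:2])[0]
        elif code[0] == 0xE9 and len(code) >= 5:
            hops.append(("jmp_near", addr))
            addr = addr + 5 + struct.unpack("<i", code[1:5])[0]
        elif code[:2] == b"\xFF\x25" and len(code) >= 6:
            slot = struct.unpack("<I", code[2:6])[0]
            slot_bytes = read(mem, slot, 4)
            if len(slot_bytes) < 4:
                raise ValueError(f"import slot {slot:#010x} is not mapped")
            hops.append(("iat", slot))
            addr = struct.unpack("<I", slot_bytes)[0]
        else:
            return addr, hops          # a real instruction: stop here
    raise ValueError("too many hops: thunk chain does not terminate")


def is_return_true_stub(mem, addr):
    """True if addr holds the xor eax,eax / inc eax / ret N body of an empty export."""
    return read(mem, addr, 4) == RETURN_TRUE_STUB


def describe(mem, entry):
    """Resolve entry to its real target and report which module owns it."""
    final, hops = follow_thunks(mem, entry)
    return {"target": final, "module": module_for(final),
            "is_empty_stub": is_return_true_stub(mem, final), "hops": hops}


if __name__ == "__main__":
    for label, slot_value in (("static view", STUB_REGDELETEVALUEW),
                              ("loaded view", KERNEL32_REGDELETEVALUEW)):
        info = describe(build_memory(slot_value), ADVAPI32_REGDELETEVALUEW)
        print(f"{label}: ADVAPI32!RegDeleteValueW -> {info['module']}!"
              f"{info['target']:#010x} empty_stub={info['is_empty_stub']} via {info['hops']}")
```

The point for a tool author is the hop list: the same entry point resolves to a placeholder in the api-ms-win-core module when the import slot is read from the file image, and to kernel32 once the loader has fixed the slot up, so a hook or call-attribution engine must resolve the target in the loaded process rather than trusting the imported module name.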

Another new DLL: kernelbase.dll

In addition to the new API-MS-Win-Core DLL files, there is also another new DLL: kernelbase.dll.
In previous versions of Windows, most of the kernel32 functions called their corresponding functions in ntdll.dll.
In Windows 7, most of the kernel32 functions call their corresponding functions in kernelbase.dll, and kernelbase.dll is the one that makes the calls to ntdll.dll.

Effects on existing applications - compatibility issues

Most existing applications should not be affected by this kernel change, because all standard API calls still work the same as in previous versions of Windows.
However, there are some diagnostic/debugging applications that rely on the call chain inside the Windows kernel. These kinds of applications may not work properly in Windows 7.
My own utilities, RegFromApp and ProcessActivityView, failed to work under Windows 7 because of these changes, and that is what led me to discover the kernel changes of Windows 7. These utilities' problems are already fixed and they now work properly in Windows 7.

API-MS-Win-Core List

Finally, here's the list of all core DLL files added to Windows 7 and the list of functions that each one of them contains. I used my own DLL Export Viewer utility to generate the list.

DLL File / Function Names

api-ms-win-core-console-l1-1-0.dll
    AllocConsole, GetConsoleCP, GetConsoleMode, GetConsoleOutputCP, GetNumberOfConsoleInputEvents, PeekConsoleInputA, ReadConsoleA, ReadConsoleInputA, ReadConsoleInputW, ReadConsoleW, SetConsoleCtrlHandler, SetConsoleMode, WriteConsoleA, WriteConsoleW

api-ms-win-core-datetime-l1-1-0.dll
    GetDateFormatA, GetDateFormatW, GetTimeFormatA, GetTimeFormatW

api-ms-win-core-debug-l1-1-0.dll
    DebugBreak, IsDebuggerPresent, OutputDebugStringA, OutputDebugStringW

api-ms-win-core-delayload-l1-1-0.dll
    DelayLoadFailureHook

api-ms-win-core-errorhandling-l1-1-0.dll
    GetErrorMode, GetLastError, RaiseException, SetErrorMode, SetLastError, SetUnhandledExceptionFilter, UnhandledExceptionFilter

api-ms-win-core-fibers-l1-1-0.dll
    FlsAlloc, FlsFree, FlsGetValue, FlsSetValue

api-ms-win-core-file-l1-1-0.dll
    CompareFileTime, CreateDirectoryA, CreateDirectoryW, CreateFileA, CreateFileW, DefineDosDeviceW, DeleteFileA, DeleteFileW, DeleteVolumeMountPointW, FileTimeToLocalFileTime, FileTimeToSystemTime, FindClose, FindCloseChangeNotification, FindFirstChangeNotificationA, FindFirstChangeNotificationW, FindFirstFileA, FindFirstFileExA, FindFirstFileExW, FindFirstFileW, FindFirstVolumeW, FindNextChangeNotification, FindNextFileA, FindNextFileW, FindNextVolumeW, FindVolumeClose, FlushFileBuffers, GetDiskFreeSpaceA, GetDiskFreeSpaceExA, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetDriveTypeA, GetDriveTypeW, GetFileAttributesA, GetFileAttributesExA, GetFileAttributesExW, GetFileAttributesW, GetFileInformationByHandle, GetFileSize, GetFileSizeEx, GetFileTime, GetFileType, GetFinalPathNameByHandleA, GetFinalPathNameByHandleW, GetFullPathNameA, GetFullPathNameW, GetLogicalDrives, GetLogicalDriveStringsW, GetLongPathNameA, GetLongPathNameW, GetShortPathNameW, GetTempFileNameW, GetVolumeInformationByHandleW, GetVolumeInformationW, GetVolumePathNameW, LocalFileTimeToFileTime, LockFile, LockFileEx, QueryDosDeviceW, ReadFile, ReadFileEx, ReadFileScatter, RemoveDirectoryA, RemoveDirectoryW, SetEndOfFile, SetFileAttributesA, SetFileAttributesW, SetFileInformationByHandle, SetFilePointer, SetFilePointerEx, SetFileTime, SetFileValidData, UnlockFile, UnlockFileEx, WriteFile, WriteFileEx, WriteFileGather

api-ms-win-core-handle-l1-1-0.dll
    CloseHandle, DuplicateHandle, GetHandleInformation, SetHandleInformation

api-ms-win-core-heap-l1-1-0.dll
    GetProcessHeap, GetProcessHeaps, HeapAlloc, HeapCompact, HeapCreate, HeapDestroy, HeapFree, HeapLock, HeapQueryInformation, HeapReAlloc, HeapSetInformation, HeapSize, HeapSummary, HeapUnlock, HeapValidate, HeapWalk

api-ms-win-core-interlocked-l1-1-0.dll
    InitializeSListHead, InterlockedCompareExchange, InterlockedCompareExchange64, InterlockedDecrement, InterlockedExchange, InterlockedExchangeAdd, InterlockedFlushSList, InterlockedIncrement, InterlockedPopEntrySList, InterlockedPushEntrySList, InterlockedPushListSList, QueryDepthSList

api-ms-win-core-io-l1-1-0.dll
    CancelIoEx, CreateIoCompletionPort, DeviceIoControl, GetOverlappedResult, GetQueuedCompletionStatus, GetQueuedCompletionStatusEx, PostQueuedCompletionStatus

api-ms-win-core-libraryloader-l1-1-0.dll
    DisableThreadLibraryCalls, FindResourceExW, FindStringOrdinal, FreeLibrary, FreeLibraryAndExitThread, FreeResource, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExA, GetModuleHandleExW, GetModuleHandleW, GetProcAddress, LoadLibraryExA, LoadLibraryExW, LoadResource, LoadStringA, LoadStringW, LockResource, SizeofResource

api-ms-win-core-localization-l1-1-0.dll
    ConvertDefaultLocale, FindNLSString, FindNLSStringEx, GetACP, GetCalendarInfoEx, GetCalendarInfoW, GetCPFileNameFromRegistry, GetCPInfo, GetCPInfoExW, GetFileMUIInfo, GetFileMUIPath, GetLocaleInfoEx, GetLocaleInfoW, GetNLSVersion, GetNLSVersionEx, GetOEMCP, GetProcessPreferredUILanguages, GetSystemDefaultLangID, GetSystemDefaultLCID, GetSystemPreferredUILanguages, GetThreadLocale, GetThreadPreferredUILanguages, GetThreadUILanguage, GetUILanguageInfo, GetUserDefaultLangID, GetUserDefaultLCID, GetUserPreferredUILanguages, IsNLSDefinedString, IsValidCodePage, IsValidLanguageGroup, IsValidLocale, IsValidLocaleName, LCMapStringEx, LCMapStringW, LocaleNameToLCID, NlsCheckPolicy, NlsEventDataDescCreate, NlsGetCacheUpdateCount, NlsUpdateLocale, NlsUpdateSystemLocale, NlsWriteEtwEvent, ResolveLocaleName, SetCalendarInfoW, SetLocaleInfoW, SetThreadLocale, VerLanguageNameA, VerLanguageNameW

api-ms-win-core-localregistry-l1-1-0.dll
    RegCloseKey, RegCreateKeyExA, RegCreateKeyExW, RegDeleteKeyExA, RegDeleteKeyExW, RegDeleteTreeA, RegDeleteTreeW, RegDeleteValueA, RegDeleteValueW, RegDisablePredefinedCacheEx, RegEnumKeyExA, RegEnumKeyExW, RegEnumValueA, RegEnumValueW, RegFlushKey, RegGetKeySecurity, RegGetValueA, RegGetValueW, RegLoadKeyA, RegLoadKeyW, RegLoadMUIStringA, RegLoadMUIStringW, RegNotifyChangeKeyValue, RegOpenCurrentUser, RegOpenKeyExA, RegOpenKeyExW, RegOpenUserClassesRoot, RegQueryInfoKeyA, RegQueryInfoKeyW, RegQueryValueExA, RegQueryValueExW, RegRestoreKeyA, RegRestoreKeyW, RegSaveKeyExA, RegSaveKeyExW, RegSetKeySecurity, RegSetValueExA, RegSetValueExW, RegUnLoadKeyA, RegUnLoadKeyW

api-ms-win-core-memory-l1-1-0.dll
    CreateFileMappingW, FlushViewOfFile, MapViewOfFile, MapViewOfFileEx, OpenFileMappingW, ReadProcessMemory, UnmapViewOfFile, VirtualAlloc, VirtualAllocEx, VirtualFree, VirtualFreeEx, VirtualProtect, VirtualProtectEx, VirtualQuery, VirtualQueryEx, WriteProcessMemory

api-ms-win-core-misc-l1-1-0.dll
    EnumSystemLocalesA, FatalAppExitA, FatalAppExitW, FormatMessageA, FormatMessageW, GlobalAlloc, GlobalFree, IsProcessInJob, IsWow64Process, LCMapStringA, LocalAlloc, LocalFree, LocalLock, LocalReAlloc, LocalUnlock, lstrcmp, lstrcmpA, lstrcmpi, lstrcmpiA, lstrcmpiW, lstrcmpW, lstrcpyn, lstrcpynA, lstrcpynW, lstrlen, lstrlenA, lstrlenW, NeedCurrentDirectoryForExePathA, NeedCurrentDirectoryForExePathW, PulseEvent, SetHandleCount, Sleep, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection

api-ms-win-core-namedpipe-l1-1-0.dll
    ConnectNamedPipe, CreateNamedPipeW, CreatePipe, DisconnectNamedPipe, GetNamedPipeAttribute, GetNamedPipeClientComputerNameW, ImpersonateNamedPipeClient, PeekNamedPipe, SetNamedPipeHandleState, TransactNamedPipe, WaitNamedPipeW

api-ms-win-core-processenvironment-l1-1-0.dll
    ExpandEnvironmentStringsA, ExpandEnvironmentStringsW, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetCommandLineA, GetCommandLineW, GetCurrentDirectoryA, GetCurrentDirectoryW, GetEnvironmentStrings, GetEnvironmentStringsA, GetEnvironmentStringsW, GetEnvironmentVariableA, GetEnvironmentVariableW, GetStdHandle, SearchPathW, SetCurrentDirectoryA, SetCurrentDirectoryW, SetEnvironmentStringsW, SetEnvironmentVariableA, SetEnvironmentVariableW, SetStdHandle, SetStdHandleEx

api-ms-win-core-processthreads-l1-1-0.dll
    CreateProcessA, CreateProcessAsUserW, CreateProcessW, CreateRemoteThread, CreateRemoteThreadEx, CreateThread, DeleteProcThreadAttributeList, ExitProcess, ExitThread, FlushProcessWriteBuffers, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetExitCodeProcess, GetExitCodeThread, GetPriorityClass, GetProcessId, GetProcessIdOfThread, GetProcessTimes, GetProcessVersion, GetStartupInfoW, GetThreadId, GetThreadPriority, GetThreadPriorityBoost, InitializeProcThreadAttributeList, OpenProcessToken, OpenThread, OpenThreadToken, ProcessIdToSessionId, QueryProcessAffinityUpdateMode, QueueUserAPC, ResumeThread, SetPriorityClass, SetProcessAffinityUpdateMode, SetProcessShutdownParameters, SetThreadPriority, SetThreadPriorityBoost, SetThreadStackGuarantee, SetThreadToken, SuspendThread, SwitchToThread, TerminateProcess, TerminateThread, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UpdateProcThreadAttribute

api-ms-win-core-profile-l1-1-0.dll
    QueryPerformanceCounter, QueryPerformanceFrequency

api-ms-win-core-rtlsupport-l1-1-0.dll
    RtlCaptureContext, RtlCaptureStackBackTrace, RtlFillMemory, RtlUnwind

api-ms-win-core-string-l1-1-0.dll
    CompareStringEx, CompareStringOrdinal, CompareStringW, FoldStringW, GetStringTypeExW, GetStringTypeW, MultiByteToWideChar, WideCharToMultiByte

api-ms-win-core-synch-l1-1-0.dll
    AcquireSRWLockExclusive, AcquireSRWLockShared, CancelWaitableTimer, CreateEventA, CreateEventExA, CreateEventExW, CreateEventW, CreateMutexA, CreateMutexExA, CreateMutexExW, CreateMutexW, CreateSemaphoreExW, CreateWaitableTimerExW, DeleteCriticalSection, EnterCriticalSection, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSRWLock, LeaveCriticalSection, OpenEventA, OpenEventW, OpenMutexW, OpenProcess, OpenSemaphoreW, OpenWaitableTimerW, ReleaseMutex, ReleaseSemaphore, ReleaseSRWLockExclusive, ReleaseSRWLockShared, ResetEvent, SetCriticalSectionSpinCount, SetEvent, SetWaitableTimer, SetWaitableTimerEx, SleepEx, TryAcquireSRWLockExclusive, TryAcquireSRWLockShared, TryEnterCriticalSection, WaitForMultipleObjectsEx, WaitForSingleObject, WaitForSingleObjectEx

api-ms-win-core-sysinfo-l1-1-0.dll
    GetComputerNameExA, GetComputerNameExW, GetDynamicTimeZoneInformation, GetLocalTime, GetLogicalProcessorInformation, GetLogicalProcessorInformationEx, GetSystemDirectoryA, GetSystemDirectoryW, GetSystemInfo, GetSystemTime, GetSystemTimeAdjustment, GetSystemTimeAsFileTime, GetSystemWindowsDirectoryA, GetSystemWindowsDirectoryW, GetTickCount, GetTickCount64, GetTimeZoneInformation, GetTimeZoneInformationForYear, GetVersion, GetVersionExA, GetVersionExW, GetWindowsDirectoryA, GetWindowsDirectoryW, GlobalMemoryStatusEx, SetLocalTime, SystemTimeToFileTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime

api-ms-win-core-threadpool-l1-1-0.dll
    CallbackMayRunLong, CancelThreadpoolIo, ChangeTimerQueueTimer, CloseThreadpool, CloseThreadpoolCleanupGroup, CloseThreadpoolCleanupGroupMembers, CloseThreadpoolIo, CloseThreadpoolTimer, CloseThreadpoolWait, CloseThreadpoolWork, CreateThreadpool, CreateThreadpoolCleanupGroup, CreateThreadpoolIo, CreateThreadpoolTimer, CreateThreadpoolWait, CreateThreadpoolWork, CreateTimerQueue, CreateTimerQueueTimer, DeleteTimerQueueEx, DeleteTimerQueueTimer, DisassociateCurrentThreadFromCallback, FreeLibraryWhenCallbackReturns, IsThreadpoolTimerSet, LeaveCriticalSectionWhenCallbackReturns, QueryThreadpoolStackInformation, RegisterWaitForSingleObjectEx, ReleaseMutexWhenCallbackReturns, ReleaseSemaphoreWhenCallbackReturns, SetEventWhenCallbackReturns, SetThreadpoolStackInformation, SetThreadpoolThreadMaximum, SetThreadpoolThreadMinimum, SetThreadpoolTimer, SetThreadpoolWait, StartThreadpoolIo, SubmitThreadpoolWork, TrySubmitThreadpoolCallback, UnregisterWaitEx, WaitForThreadpoolIoCallbacks, WaitForThreadpoolTimerCallbacks, WaitForThreadpoolWaitCallbacks, WaitForThreadpoolWorkCallbacks

api-ms-win-core-util-l1-1-0.dll
    Beep, DecodePointer, DecodeSystemPointer, EncodePointer, EncodeSystemPointer

api-ms-win-core-xstate-l1-1-0.dll
    RtlCopyExtendedContext, RtlGetEnabledExtendedFeatures, RtlGetExtendedContextLength, RtlGetExtendedFeaturesMask, RtlInitializeExtendedContext, RtlLocateExtendedFeature, RtlLocateLegacyContext, RtlSetExtendedFeaturesMask

api-ms-win-security-base-l1-1-0.dll
    AccessCheck, AccessCheckAndAuditAlarmW, AccessCheckByType, AccessCheckByTypeAndAuditAlarmW, AccessCheckByTypeResultList, AccessCheckByTypeResultListAndAuditAlarmByHandleW, AccessCheckByTypeResultListAndAuditAlarmW, AddAccessAllowedAce, AddAccessAllowedAceEx, AddAccessAllowedObjectAce, AddAccessDeniedAce, AddAccessDeniedAceEx, AddAccessDeniedObjectAce, AddAce, AddAuditAccessAce, AddAuditAccessAceEx, AddAuditAccessObjectAce, AddMandatoryAce, AdjustTokenGroups, AdjustTokenPrivileges, AllocateAndInitializeSid, AllocateLocallyUniqueId, AreAllAccessesGranted, AreAnyAccessesGranted, CheckTokenMembership, ConvertToAutoInheritPrivateObjectSecurity, CopySid, CreatePrivateObjectSecurity, CreatePrivateObjectSecurityEx, CreatePrivateObjectSecurityWithMultipleInheritance, CreateRestrictedToken, CreateWellKnownSid, DeleteAce, DestroyPrivateObjectSecurity, DuplicateToken, DuplicateTokenEx, EqualDomainSid, EqualPrefixSid, EqualSid, FindFirstFreeAce, FreeSid, GetAce, GetAclInformation, GetFileSecurityW, GetKernelObjectSecurity, GetLengthSid, GetPrivateObjectSecurity, GetSecurityDescriptorControl, GetSecurityDescriptorDacl, GetSecurityDescriptorGroup, GetSecurityDescriptorLength, GetSecurityDescriptorOwner, GetSecurityDescriptorRMControl, GetSecurityDescriptorSacl, GetSidIdentifierAuthority, GetSidLengthRequired, GetSidSubAuthority, GetSidSubAuthorityCount, GetTokenInformation, GetWindowsAccountDomainSid, ImpersonateAnonymousToken, ImpersonateLoggedOnUser, ImpersonateSelf, InitializeAcl, InitializeSecurityDescriptor, InitializeSid, IsTokenRestricted, IsValidAcl, IsValidRelativeSecurityDescriptor, IsValidSecurityDescriptor, IsValidSid, IsWellKnownSid, MakeAbsoluteSD, MakeAbsoluteSD2, MakeSelfRelativeSD, MapGenericMask, ObjectCloseAuditAlarmW, ObjectDeleteAuditAlarmW, ObjectOpenAuditAlarmW, ObjectPrivilegeAuditAlarmW, PrivilegeCheck, PrivilegedServiceAuditAlarmW, QuerySecurityAccessMask, RevertToSelf, SetAclInformation, SetFileSecurityW, SetKernelObjectSecurity, SetPrivateObjectSecurity, SetPrivateObjectSecurityEx, SetSecurityAccessMask, SetSecurityDescriptorControl, SetSecurityDescriptorDacl, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, SetSecurityDescriptorRMControl, SetSecurityDescriptorSacl, SetTokenInformation

api-ms-win-security-lsalookup-l1-1-0.dll
    LookupAccountNameLocalA, LookupAccountNameLocalW, LookupAccountSidLocalA, LookupAccountSidLocalW, LsaLookupClose, LsaLookupFreeMemory, LsaLookupGetDomainInfo, LsaLookupManageSidNameMapping, LsaLookupOpenLocalPolicy, LsaLookupTranslateNames, LsaLookupTranslateSids

api-ms-win-security-sddl-l1-1-0.dll
    ConvertSecurityDescriptorToStringSecurityDescriptorW, ConvertSidToStringSidW, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertStringSidToSidW

api-ms-win-service-core-l1-1-0.dll
    RegisterServiceCtrlHandlerExW, SetServiceStatus, StartServiceCtrlDispatcherW

api-ms-win-service-management-l1-1-0.dll
    CloseServiceHandle, ControlServiceExW, CreateServiceW, DeleteService, OpenSCManagerW, OpenServiceW, StartServiceW

api-ms-win-service-management-l2-1-0.dll
    ChangeServiceConfig2W, ChangeServiceConfigW, NotifyServiceStatusChangeW, QueryServiceConfig2W, QueryServiceConfigW, QueryServiceObjectSecurity, QueryServiceStatusEx, SetServiceObjectSecurity

api-ms-win-service-winsvc-l1-1-0.dll
    ChangeServiceConfig2A, ChangeServiceConfigA, ControlService, ControlServiceExA, CreateServiceA, I_QueryTagInformation, I_ScBroadcastServiceControlMessage, I_ScIsSecurityProcess, I_ScPnPGetServiceName, I_ScQueryServiceConfig, I_ScRpcBindA, I_ScRpcBindW, I_ScSendPnPMessage, I_ScSendTSMessage, I_ScValidatePnPService, NotifyServiceStatusChangeA, OpenSCManagerA, OpenServiceA, QueryServiceConfig2A, QueryServiceConfigA, QueryServiceStatus, RegisterServiceCtrlHandlerA, RegisterServiceCtrlHandlerExA, RegisterServiceCtrlHandlerW, StartServiceA, StartServiceCtrlDispatcherA
