|
The Windows operating system contains [[Compiler|compiled]] versions of these libraries known as [[dynamic-link libraries|dynamically-linked libraries]] ([[.dll]]), which are [[Portable Executable|executable]] libraries that can be used by multiple [[Computer program|programs]] while only one copy of the library is loaded into [[computer memory|memory]]. These are canonically referred to as [[system libraries]] and all programs installed on the system can utilize them.
The Windows SDK additionally distributes compiled versions of these libraries known as [[Statically linked library|statically-linked libraries]] ([[.lib]]), which are non-executable libraries that, in whole or in part, can be embedded into a program when it is compiled.{{disputed inline|talkpage=Talk:Microsoft Windows library files#Do SDKs include statically-linked libraries or import libraries?|date=July 2025}} The most common Windows compilers being [[Visual Studio|Microsoft Visual Studio]] and [[Mingw-w64|MinGW]].
== Internal components ==
HAL.DLL is a kernel-mode library file and it cannot be used by any user-mode program. NTDLL.DLL is only used by some programs, but it is a dependency of most Win32 libraries used by programs.
=== HAL.DLL ===
[[File:Windows_2000_architecture.svg|thumb|The Hardware Abstraction Layer in the [[architecture of Windows NT]]]]
The Windows [[Hardware Abstraction Layer]] (HAL) is implemented in '''hal.dll'''.<ref>{{cite book|author=Blunden, Bill|title=The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System|publisher=Jones & Bartlett Learning|year=2009|isbn=978-1-59822-061-2|page=101|url=https://books.google.com/books?id=DF5AhCOLFrgC&pg=PA101}}</ref> The HAL implements a number of functions that are implemented in different ways by different hardware platforms, which in this context, refers mostly to the [[chipset]]. Other components in the [[operating system]] can then call these functions in the same way on all platforms, without regard for the actual implementation.
For example, responding to an interrupt is quite different on a machine with an [[Advanced Programmable Interrupt Controller|Advanced Programmable Interrupt Controller (APIC)]] than on one without. The HAL provides a single function for this purpose that works with all kinds of interrupts by various chipsets, so that other components need not be concerned with the differences.
The HAL is loaded into kernel address space and runs in kernel mode, so routines in the HAL cannot be called directly by applications, and no user mode APIs correspond directly to HAL routines. Instead, the HAL provides services primarily to the Windows executive and kernel and to kernel mode device drivers. Although drivers for most hardware are contained in other files, commonly of file type [[.sys]], a few core drivers are compiled into '''hal.dll'''.
Kernel mode device drivers for devices on buses such as [[Conventional PCI|PCI]] and [[PCI Express]] directly call routines in the HAL to access [[I/O ports]] and registers of their devices. The drivers use HAL routines because different platforms may require different implementations of these operations. The HAL implements the operations appropriately for each platform, so the same driver executable file can be used on all platforms using the same [[CPU]] architecture, and the driver source file can be portable across all architectures.
On [[x86]] systems prior to [[Windows 8]], there are several different HAL files on the installation media. The Windows installation procedure determines which ones are appropriate for the current platform and copies it to the hard drive, renaming it to '''hal.dll''' if necessary. Among the criteria for this selection are: the presence of an [[ACPI]]-compatible BIOS, the presence of an [[Advanced Programmable Interrupt Controller|APIC]], and whether or not multiple processors are present and enabled. (The multiple cores of a [[multi-core CPU]], and even the "logical processors" implemented by a [[hyperthreading]] CPU, all count as "processors" for this purpose.) On [[x86-64]] and [[Itanium]] platforms there is just one possible '''hal.dll''' for each CPU architecture. On Windows 8 and later, the x86 version also only has one HAL.
HAL is merged (or statically linked) into ntoskrnl.exe<ref>{{cite tweet|number=1154442296391323651|user=PetrBenes|title=Did I miss something? Routines...|date=25 July 2019}}</ref> starting with version 2004 of Windows 10, and the dll only serves as a stub for backwards compatibility.
=== NTDLL.DLL ===
NTDLL.DLL exports the Windows [[Native API]]. The Native API is the interface used by user-mode components of the operating system that must run without support from [[Win32]] or other API subsystems. Most of this API is implemented in '''NTDLL.DLL''' and at the upper edge of [[ntoskrnl.exe]] (and its variants), and the majority of exported symbols within these libraries are prefixed '''Nt''', for example '''NtDisplayString'''. Native APIs are also used to implement many of the "kernel APIs" or "base APIs" exported by KERNEL32.DLL.<ref name="Eldad-2011-pp68-69">{{cite book|author=Eilam, Eldad|title=Reversing: Secrets of Reverse Engineering|publisher=John Wiley & Sons|year=2011|isbn=978-1-118-07976-8|pages=68–69|url=https://books.google.com/books?id=_78HnPPRU_oC&pg=PT68}}</ref><ref name="nativeapplications">{{cite web|url=httphttps://wwwlearn.microsoft.com/technet/sysinternals/informationresources/NativeApplications.mspxinside-native-applications|title=Inside Native Windows Applications|website=[[Microsoft Learn]]|archive-url=https://web.archive.org/web/20100912231625/http://technet.microsoft.com/en-us/sysinternals/bb897447.aspx|archive-date=2010-09-12|access-date=20112025-1207-1421}}</ref><ref>{{cite book|author1=Russinovich, Mark A. |author2=Solomon, David A. |name-list-style=amp |title=Windows® Internals|publisher=O'Reilly Media|year=2009|isbn=978-0-7356-3796-2|page=136|url=https://books.google.com/books?id=VgjAQjsc6g8C&pg=PT136}}</ref> The large majority of Windows applications do not call NTDLL.DLL directly.<ref>{{cite bookconference|chaptertitle=Modular behavior profiles in systems with shared libraries|editor=Neng, Peng |display-editors=etal |book-title=Information and Communications Security: 8th International Conference, ICICS 2006{{snd}} Raleigh, NC, USA, December 4–7, 2006{{snd}} proceedings|publisher=Springer|year=2006|isbn=978-3-540-49496-6|page=371|chapter-url=https://books.google.com/books?id=U9pY5GfzqsIC&pg=PA371|author1=Marceau, Carla |author2=Stillerman, Matt |name-list-style=amp }}</ref>
Applications that are [[Linker (computing)|linked]] directly against this library are said to use the '''native subsystem'''; the primary reason for their existence is to perform tasks that must run early in the system startup sequence before the Win32 subsystem is available. An obvious but important example is the creation of the Win32 subsystem process, [[csrss.exe]]. Before the csrss.exe process exists, no Win32 processes may be created, therefore the process that creates it (Smss.exe, the "session manager") must use the native subsystem. [[csrss.exe]] itself is such an application.
Despite having an ".exe" file extension, native applications cannot be executed by the user (or any program in the Win32 or other subsystems). An example is the '''autochk.exe''' binary that runs '''[[chkdsk]]''' during the system initialization "Blue Screen"<!--do not link this to "Blue Screen of Death (BSOD)"! This is not it!-->. Other prominent examples are the services that implement the various subsystems, such as [[csrss.exe]].
Unlike [[Win32]] applications, native applications instantiate within the Kernel runtime code ([[ntoskrnl.exe]]) and so they must have a different entry point ('''NtProcessStartup''', rather than '''(w)(Win)MainCRTStartup''' as is found in a Win32 application),<ref name="nativeapplications"/> obtain their command-line arguments via a pointer to an in-memory structure, manage their own memory using the '''Rtl''' heap API, (which the Win32 heap APIs are just wrappers around—no real difference there) and return execution with a call to '''RtlExitUserProcess''' (as opposed to '''ExitProcess'''). A common library linked with Native applications is nt.lib, which contains startup code for Native applications, similar to how the C runtime provides startup code for Win32 apps.<ref>{{Cite web |url=https://technet.microsoft.com/en-us/sysinternals/bb897447.aspx |title=Inside Native Applications |access-date=2017-08-26 |archive-date=2010-10-23 |archive-url=https://web.archive.org/web/20101023130328/http://technet.microsoft.com/en-us/sysinternals/bb897447.aspx |url-statusname=dead"nativeapplications" }}</ref>
Though mostMost of the Native API is not publicly documented or supported. This allows the API to evolve without having to guarantee retro-[[backwards compatibility]], and breaking changes are thus possible without notification. Native Applications can be built using the Windows Driver Development Kit.<ref>{{cite web | title=Windows Server 2003 DDK | website=[[Microsoft]] | url=http://www.microsoft.com/whdc/devtools/ddk/default.mspx Windows Driver Development Kit].}}</ref>
== Win32 API ==
=== COMDLG32.DLL ===
'''COMDLG32.DLL''', the Common Dialog Box Library, implements a wide variety of Windows dialog boxes intended to perform what Microsoft deems 'common application tasks'. Starting with the release of Windows Vista, Microsoft considers the "Open" and "Save as" dialog boxes provided by this library as deprecated and replaced by the 'Common Item Dialog API'.<ref>{{Cite web|url=https://msdnlearn.microsoft.com/en-uswindows/librarywin32/windowsdlgbox/desktop/ms645524(v=vs.85).aspxcommon-dialog-box-library|title=Common Dialog Box Library (Windows)- Win32 apps|website=msdn.microsoft.com|language=en[[Microsoft Learn]]|access-date=20172025-1007-2521}}</ref>
=== WS2_32.DLL ===
== Other APIs ==
=== SHSCRAP.DLL ===
'''SHSCRAP.DLL''' is part of the [[Object Linking and Embedding|Object Linking and Embedding (OLE)]] mechanism. It implements support for [[Shell Scrap Object File|shell scrap file]]s, which are automatically created when you drag selected content from an OLE-capable application into an Explorer window or desktop,<ref>{{cite web |url=https://support.microsoft.com/en-us/kb/138275/ |title=WD: What is a Scrap (.shs) file? |work=Microsoft Knowledge Base |url-status=dead |archive-date=2015-08-11 |archive-url=https://web.archive.org/web/20150811125202/https://support.microsoft.com/en-us/kb/138275/}}</ref> but you can also use the [[Object Packager]] to create them. They can then be dragged into another OLE-capable application.
This functionality was removed from Windows Vista (and therefore later versions) to improve security and rid the operating system of generally unused functionality.<ref name="scrap_the_scraps">{{cite web|url=https://technetlearn.microsoft.com/en-us/previous-versions/technet-magazine/2008.02.windowsconfidentialcc194424(v=msdn.aspx10)|title=Windows Confidential: Scrapping the Scraps |author=Raymond Chen |access-date=20112025-1207-1421}}</ref> Scrap (.shs) files have been used by viruses because they can contain a wide variety of files (including executable code), and the file extension is not shown even when "Hide file extensions from known file types" is disabled.<ref>{{cite web |url=https://www.symantec.com/security_response/writeup.jsp?docid=2000-121915-4852-99 |archive-url=https://web.archive.org/web/20061110163040/http://www.symantec.com/security_response/writeup.jsp?docid=2000-121915-4852-99 |url-status=dead |archive-date=November 10, 2006 |title=VBS.Stages.A |website=[[Broadcom#Symantec enterprise security|Symantec]]}}</ref> The functionality can be restored by copying registry entries and the [[Dynamic-link library|DLL]] from a [[Windows XP]] system.<ref name="scrap_restore_hack">{{cite web|url=https://answers.microsoft.com/en-us/office/forum/office_2010-word/how-to-open-shs-files/c4618ebd-e248-4340-ab6a-1b79fd808c46|title=How to open SHS files|access-date=2011-12-14}}</ref>
=== WINMM.DLL ===
=== UCRT ===
With Version 14.0 ([[Visual_Studio|Visual Studio 2015]]), most of the C/C++ runtime was moved into a new DLL, UCRTBASE.DLL, which conforms closely with C99[.<ref name="upgrade your code">{{cite web | title=Upgrade your code to the Universal CRT | url=https://learn.microsoft.com/en-us/cpp/porting/upgrade-your-code-to-the-universal-crt?view=msvc-170]. }}</ref> '''Universal C Run Time''' ('''UCRT''') from Windows 10 onwards become a component part of Windows[https://learn.microsoft.com/en-us/cpp/porting/,<ref name="upgrade- your- code-to-the-universal-crt?view=msvc-170]," /> so every compiler (either non MS, like [[GNU_Compiler_Collection|GCC]] or [[Clang]]/[[LLVM]]) can link against UCRT[.<ref>{{cite web | title=MSYS2 - Environments | url=https://www.msys2.org/docs/environments/]. }}</ref> Additionally, C/C++ programs using UCRTBASE.DLL need to link against another new DLL, the Visual C++ Runtime. At Version 14.0, this was VCRUNTIME140.DLL.<ref>{{cite web | url=https://docslearn.microsoft.com/en-us/cpp/porting/binary-compat-2015-2017?view=msvc-170 | title=C++ binary compatibility 2015-2022 | date=11 March30 2024January 2025}}</ref> The name has the potential to change at future versions, but has not done so as far as of Version 17.0.
Source code for runtime libraries is included in Visual C++<ref>{{cite web | url=httphttps://msdnlearn.microsoft.com/en-us/libraryprevious-versions/visualstudio/visual-studio-6.0/aa296413(v=vs.60).aspx | title=Source Code for the C Run-Time Functions | date=15 September 2006 }}</ref> for reference and debugging (e.g. in <code>C:\Program Files\Microsoft Visual Studio 11.0\VC\crt\src</code>).
=== Other runtime libraries ===
* [https://web.archive.org/web/20060315213024/http://www.sysinternals.com/Information/NativeApi.html Native API reference]
* [http://undocumented.ntinternals.net/ Unofficial website that documents most of the Native API methods]
* [httphttps://uberskill.blogspot.com/2012/07/retrieving-kernel32dll-base-address.html Retrieving the KERNEL32.DLL base address]
{{Windows Components}}
| 