Microsoft Windows library files: Difference between revisions

The '''Native API''' (with capitalized N) is the publicly mostly undocumented [[application programming interface]] used internally by the [[Windows NT]] family of [[operating system]]s produced by [[Microsoft]], with only about 25 of its 250 functions described in the Windows NT Device Driver Kit.<ref name="nativeapplications">Russinovich, M: [http://www.microsoft.com/technet/sysinternals/information/NativeApplications.mspx Inside Native Windows Applications], ''SysInternals Information''</ref>. Most of them are in '''ntdll.dll''' and [[ntoskrnl.exe]] (and its variants); The majority of exported symbols within these libraries are prefixed '''Nt''', e.g. '''NtDisplayString'''.

Applications that are [[linker|linked]] directly against this library are known as '''Native Applications'''; the primary reason for their existence is to perform low-level tasks such as direct disk [[Input/output|I/O]] that cannot be achieved through the documented Windows API. An example is the '''autochk''' binary that runs '''[[chkdsk]]''' during the system initialisation "[[Blue_Screen_of_DeathBlue Screen of Death#Windows_NTWindows NT|Blue Screen]]". Unlike [[Win32]] Applications, Native Applications instantiate within the Kernel runtime code ([[ntoskrnl.exe]]) and so must manage their own memory using the '''Rtl''' heap API, obtain their command-line arguments via a pointer to an in-memory structure, and return execution with a call to '''NtProcessTerminate''' (as opposed to just terminating). They also have a different entry point of '''NtProcessStartup''' as opposed to '''main/winmain''' to distinguish them from normal Windows binaries - '''main''' is normally a stub that causes Windows to display a warning message, such as "The %PATH% application cannot be run in Win32 mode."<ref name="nativeapplications"/>