Windows API Function Prefixes

Here's the list of prefixes for the Windows API function calls you may notice within a call stack. Note also that an i following a prefix means internal and a p means private.

Alpc = Advanced Local Inter-Process Communication

Cc = Common Cache

Cm = Configuration Manager

Dbgk = Debugging Framework for User-Mode

Em = Errata Manager

Etw = Event Tracing for Windows

Ex = Executive support routines

FsRtl = File System driver Run-Time Library 

Hal = Hardware Abstraction Layer

Hvl = Hypervisor Library

Io = I/O Manager

Kd = Kernel Debugger

Ke = Kernel

Lsa = Local Security Authority

Mm = Memory Manager

Nt = NT System Services

Ob = Object Manager

Pf = Prefetcher

Po = Power Manager

Pp = PnP Manager

Ps = Process Support

Rtl = Run-time Library

Se = Security

Tm = Transaction Manager

Vf = Verifier (Driver Verifier)

Whea = Windows Hardware Error Architecture

Wmi = Windows Management Instrumentation

Wdi = Windows Diagnostic Infrastructure

Zw = Similar to Nt, but sets the access mode to kernel, which in turn eliminates any parameter validation.


About 0x14c

I'm a Computer Science student and writer. My primary interests are Graph Theory, Number Theory, Programming Language Theory, Logic and Windows Debugging.