Процесс загрузки программы под Windows

Даже когда в функции main() пусто , ничего нет, ни одной команды ваше скомпилированное приложение уже существует и для нее выполняется загрузка большого числа динамических библиотек (dll), которые необходимы для работы любого приложения в Windows.

Вот небольшой пример скомпилированной программы под Windows на Qt 4.8.1 x86 :

фотка 1

Библиотеки dll копируются в оперативную память (Load Image).

Видно , что создается один процесс и несколько потоков.

Первый поток создается Касперским (или для Касперского) :
C:\Program Files (x86)\Common Files\Kaspersky Lab\klhk\klhk_x64\klhkum.dll

Первая dll , помещаемая в память, C:\Windows\System32\ntdll.dll

Ntdll.dll - это ключевой компонент Windows NT/2000/XP/2003. NTDLL является прослойкой между стандартом Win32 API (функции типа CreateFile, PostMessage и т.д.) и NT Native API (функции типа NtCreateFile, KeCreateSemaphore и им подобные). В Windows 9x библиотеки Win32 (KERNEL32.DLL, USER32.DLL, GDI32.DLL, ...) сами вызывали прерывания для передачи управления в ядро (VMM), а в системах на ядре NT они прилинкованы к NTDLL.DLL и та уже вызывает прерывания для обращения к ядру NT.

Native API, они могут использовать только функции, экспортируемые из библиотеки ntdll.dll. Для них недоступны функции WinAPI.

The Native API is a lightweight application programming interface (API) used by Windows NT and user mode applications.

То есть это давняя история , связанная с переходом от windows 95/98 на "последние версии" Windows.

фотка 2

ntdll.dll подписана цифровой подписью Microsoft (sha-256), и другие важные dll обычно также подписаны. Это защищает от несанкционированных изменений библиотек.

фотка 3

N/A
A_SHAFinal
A_SHAInit
A_SHAUpdate
AlpcAdjustCompletionListConcurrencyCount
AlpcFreeCompletionListMessage
AlpcGetCompletionListLastMessageInformation
AlpcGetCompletionListMessageAttributes
AlpcGetHeaderSize
AlpcGetMessageAttribute
AlpcGetMessageFromCompletionList
AlpcGetOutstandingCompletionListMessageCount
AlpcInitializeMessageAttribute
AlpcMaxAllowedMessageLength
AlpcRegisterCompletionList
AlpcRegisterCompletionListWorkerThread
AlpcRundownCompletionList
AlpcUnregisterCompletionList
AlpcUnregisterCompletionListWorkerThread
ApiSetQueryApiSetPresence
ApiSetQueryApiSetPresenceEx
CsrAllocateCaptureBuffer
CsrAllocateMessagePointer
CsrCaptureMessageBuffer
CsrCaptureMessageMultiUnicodeStringsInPlace
CsrCaptureMessageString
CsrCaptureTimeout
CsrClientCallServer
CsrClientConnectToServer
CsrFreeCaptureBuffer
CsrGetProcessId
CsrIdentifyAlertableThread
CsrSetPriorityClass
CsrVerifyRegion
DbgBreakPoint
DbgPrint
DbgPrintEx
DbgPrintReturnControlC
DbgPrompt
DbgQueryDebugFilterState
DbgSetDebugFilterState
DbgUiConnectToDbg
DbgUiContinue
DbgUiConvertStateChangeStructure
DbgUiConvertStateChangeStructureEx
DbgUiDebugActiveProcess
DbgUiGetThreadDebugObject
DbgUiIssueRemoteBreakin
DbgUiRemoteBreakin
DbgUiSetThreadDebugObject
DbgUiStopDebugging
DbgUiWaitStateChange
DbgUserBreakPoint
EtwCheckCoverage
EtwCreateTraceInstanceId
EtwDeliverDataBlock
EtwEnumerateProcessRegGuids
EtwEventActivityIdControl
EtwEventEnabled
EtwEventProviderEnabled
EtwEventRegister
EtwEventSetInformation
EtwEventUnregister
EtwEventWrite
EtwEventWriteEndScenario
EtwEventWriteEx
EtwEventWriteFull
EtwEventWriteNoRegistration
EtwEventWriteStartScenario
EtwEventWriteString
EtwEventWriteTransfer
EtwGetTraceEnableFlags
EtwGetTraceEnableLevel
EtwGetTraceLoggerHandle
EtwLogTraceEvent
EtwNotificationRegister
EtwNotificationUnregister
EtwProcessPrivateLoggerRequest
EtwRegisterSecurityProvider
EtwRegisterTraceGuidsA
EtwRegisterTraceGuidsW
EtwReplyNotification
EtwSendNotification
EtwSetMark
EtwTraceEventInstance
EtwTraceMessage
EtwTraceMessageVa
EtwUnregisterTraceGuids
EtwWriteUMSecurityEvent
EtwpCreateEtwThread
EtwpGetCpuSpeed
EvtIntReportAuthzEventAndSourceAsync
EvtIntReportEventAndSourceAsync
ExpInterlockedPopEntrySListEnd
ExpInterlockedPopEntrySListFault
ExpInterlockedPopEntrySListResume
KiRaiseUserExceptionDispatcher
KiUserApcDispatcher
KiUserCallbackDispatcher
KiUserExceptionDispatcher
KiUserInvertedFunctionTable
LdrAccessResource
LdrAddDllDirectory
LdrAddLoadAsDataTable
LdrAddRefDll
LdrAppxHandleIntegrityFailure
LdrCallEnclave
LdrControlFlowGuardEnforced
LdrCreateEnclave
LdrDeleteEnclave
LdrDisableThreadCalloutsForDll
LdrEnumResources
LdrEnumerateLoadedModules
LdrFastFailInLoaderCallout
LdrFindEntryForAddress
LdrFindResourceDirectory_U
LdrFindResourceEx_U
LdrFindResource_U
LdrFlushAlternateResourceModules
LdrGetDllDirectory
LdrGetDllFullName
LdrGetDllHandle
LdrGetDllHandleByMapping
LdrGetDllHandleByName
LdrGetDllHandleEx
LdrGetDllPath
LdrGetFailureData
LdrGetFileNameFromLoadAsDataTable
LdrGetKnownDllSectionHandle
LdrGetProcedureAddress
LdrGetProcedureAddressEx
LdrGetProcedureAddressForCaller
LdrInitShimEngineDynamic
LdrInitializeEnclave
LdrInitializeThunk
LdrIsModuleSxsRedirected
LdrLoadAlternateResourceModule
LdrLoadAlternateResourceModuleEx
LdrLoadDll
LdrLoadEnclaveModule
LdrLockLoaderLock
LdrOpenImageFileOptionsKey
LdrProcessInitializationComplete
LdrProcessRelocationBlock
LdrProcessRelocationBlockEx
LdrQueryImageFileExecutionOptions
LdrQueryImageFileExecutionOptionsEx
LdrQueryImageFileKeyOption
LdrQueryModuleServiceTags
LdrQueryOptionalDelayLoadedAPI
LdrQueryProcessModuleInformation
LdrRegisterDllNotification
LdrRemoveDllDirectory
LdrRemoveLoadAsDataTable
LdrResFindResource
LdrResFindResourceDirectory
LdrResGetRCConfig
LdrResRelease
LdrResSearchResource
LdrResolveDelayLoadedAPI
LdrResolveDelayLoadsFromDll
LdrRscIsTypeExist
LdrSetAppCompatDllRedirectionCallback
LdrSetDefaultDllDirectories
LdrSetDllDirectory
LdrSetDllManifestProber
LdrSetImplicitPathOptions
LdrSetMUICacheType
LdrShutdownProcess
LdrShutdownThread
LdrStandardizeSystemPath
LdrSystemDllInitBlock
LdrUnloadAlternateResourceModule
LdrUnloadAlternateResourceModuleEx
LdrUnloadDll
LdrUnlockLoaderLock
LdrUnregisterDllNotification
LdrUpdatePackageSearchPath
LdrVerifyImageMatchesChecksum
LdrVerifyImageMatchesChecksumEx
LdrpResGetMappingSize
LdrpResGetResourceDirectory
MD4Final
MD4Init
MD4Update
MD5Final
MD5Init
MD5Update
NlsAnsiCodePage
NlsMbCodePageTag
NlsMbOemCodePageTag
NtAcceptConnectPort
NtAccessCheck
NtAccessCheckAndAuditAlarm
NtAccessCheckByType
NtAccessCheckByTypeAndAuditAlarm
NtAccessCheckByTypeResultList
NtAccessCheckByTypeResultListAndAuditAlarm
NtAccessCheckByTypeResultListAndAuditAlarmByHandle
NtAcquireCrossVmMutant
NtAcquireProcessActivityReference
NtAddAtom
NtAddAtomEx
NtAddBootEntry
NtAddDriverEntry
NtAdjustGroupsToken
NtAdjustPrivilegesToken
NtAdjustTokenClaimsAndDeviceGroups
NtAlertResumeThread
NtAlertThread
NtAlertThreadByThreadId
NtAllocateLocallyUniqueId
NtAllocateReserveObject
NtAllocateUserPhysicalPages
NtAllocateUserPhysicalPagesEx
NtAllocateUuids
NtAllocateVirtualMemory
NtAllocateVirtualMemoryEx
NtAlpcAcceptConnectPort
NtAlpcCancelMessage
NtAlpcConnectPort
NtAlpcConnectPortEx
NtAlpcCreatePort
NtAlpcCreatePortSection
NtAlpcCreateResourceReserve
NtAlpcCreateSectionView
NtAlpcCreateSecurityContext
NtAlpcDeletePortSection
NtAlpcDeleteResourceReserve
NtAlpcDeleteSectionView
NtAlpcDeleteSecurityContext
NtAlpcDisconnectPort
NtAlpcImpersonateClientContainerOfPort
NtAlpcImpersonateClientOfPort
NtAlpcOpenSenderProcess
NtAlpcOpenSenderThread
NtAlpcQueryInformation
NtAlpcQueryInformationMessage
NtAlpcRevokeSecurityContext
NtAlpcSendWaitReceivePort
NtAlpcSetInformation
NtApphelpCacheControl
NtAreMappedFilesTheSame
NtAssignProcessToJobObject
NtAssociateWaitCompletionPacket
NtCallEnclave
NtCallbackReturn
NtCancelIoFile
NtCancelIoFileEx
NtCancelSynchronousIoFile
NtCancelTimer
NtCancelTimer2
NtCancelWaitCompletionPacket
NtClearEvent
NtClose
NtCloseObjectAuditAlarm
NtCommitComplete
NtCommitEnlistment
NtCommitRegistryTransaction
NtCommitTransaction
NtCompactKeys
NtCompareObjects
NtCompareSigningLevels
NtCompareTokens
NtCompleteConnectPort
NtCompressKey
NtConnectPort
NtContinue
NtContinueEx
NtConvertBetweenAuxiliaryCounterAndPerformanceCounter
NtCreateCrossVmEvent
NtCreateCrossVmMutant
NtCreateDebugObject
NtCreateDirectoryObject
NtCreateDirectoryObjectEx
NtCreateEnclave
NtCreateEnlistment
NtCreateEvent
NtCreateEventPair
NtCreateFile
NtCreateIRTimer
NtCreateIoCompletion
NtCreateJobObject
NtCreateJobSet
NtCreateKey
NtCreateKeyTransacted
NtCreateKeyedEvent
NtCreateLowBoxToken
NtCreateMailslotFile
NtCreateMutant
NtCreateNamedPipeFile
NtCreatePagingFile
NtCreatePartition
NtCreatePort
NtCreatePrivateNamespace
NtCreateProcess
NtCreateProcessEx
NtCreateProfile
NtCreateProfileEx
NtCreateRegistryTransaction
NtCreateResourceManager
NtCreateSection
NtCreateSectionEx
NtCreateSemaphore
NtCreateSymbolicLinkObject
NtCreateThread
NtCreateThreadEx
NtCreateTimer
NtCreateTimer2
NtCreateToken
NtCreateTokenEx
NtCreateTransaction
NtCreateTransactionManager
NtCreateUserProcess
NtCreateWaitCompletionPacket
NtCreateWaitablePort
NtCreateWnfStateName
NtCreateWorkerFactory
NtDebugActiveProcess
NtDebugContinue
NtDelayExecution
NtDeleteAtom
NtDeleteBootEntry
NtDeleteDriverEntry
NtDeleteFile
NtDeleteKey
NtDeleteObjectAuditAlarm
NtDeletePrivateNamespace
NtDeleteValueKey
NtDeleteWnfStateData
NtDeleteWnfStateName
NtDeviceIoControlFile
NtDirectGraphicsCall
NtDisableLastKnownGood
NtDisplayString
NtDrawText
NtDuplicateObject
NtDuplicateToken
NtEnableLastKnownGood
NtEnumerateBootEntries
NtEnumerateDriverEntries
NtEnumerateKey
NtEnumerateSystemEnvironmentValuesEx
NtEnumerateTransactionObject
NtEnumerateValueKey
NtExtendSection
NtFilterBootOption
NtFilterToken
NtFilterTokenEx
NtFindAtom
NtFlushBuffersFile
NtFlushBuffersFileEx
NtFlushInstallUILanguage
NtFlushInstructionCache
NtFlushKey
NtFlushProcessWriteBuffers
NtFlushVirtualMemory
NtFlushWriteBuffer
NtFreeUserPhysicalPages
NtFreeVirtualMemory
NtFreezeRegistry
NtFreezeTransactions
NtFsControlFile
NtGetCachedSigningLevel
NtGetCompleteWnfStateSubscription
NtGetContextThread
NtGetCurrentProcessorNumber
NtGetCurrentProcessorNumberEx
NtGetDevicePowerState
NtGetMUIRegistryInfo
NtGetNextProcess
NtGetNextThread
NtGetNlsSectionPtr
NtGetNotificationResourceManager
NtGetTickCount
NtGetWriteWatch
NtImpersonateAnonymousToken
NtImpersonateClientOfPort
NtImpersonateThread
NtInitializeEnclave
NtInitializeNlsFiles
NtInitializeRegistry
NtInitiatePowerAction
NtIsProcessInJob
NtIsSystemResumeAutomatic
NtIsUILanguageComitted
NtListenPort
NtLoadDriver
NtLoadEnclaveData
NtLoadKey
NtLoadKey2
NtLoadKey3
NtLoadKeyEx
NtLockFile
NtLockProductActivationKeys
NtLockRegistryKey
NtLockVirtualMemory
NtMakePermanentObject
NtMakeTemporaryObject
NtManageHotPatch
NtManagePartition
NtMapCMFModule
NtMapUserPhysicalPages
NtMapUserPhysicalPagesScatter
NtMapViewOfSection
NtMapViewOfSectionEx
NtModifyBootEntry
NtModifyDriverEntry
NtNotifyChangeDirectoryFile
NtNotifyChangeDirectoryFileEx
NtNotifyChangeKey
NtNotifyChangeMultipleKeys
NtNotifyChangeSession
NtOpenDirectoryObject
NtOpenEnlistment
NtOpenEvent
NtOpenEventPair
NtOpenFile
NtOpenIoCompletion
NtOpenJobObject
NtOpenKey
NtOpenKeyEx
NtOpenKeyTransacted
NtOpenKeyTransactedEx
NtOpenKeyedEvent
NtOpenMutant
NtOpenObjectAuditAlarm
NtOpenPartition
NtOpenPrivateNamespace
NtOpenProcess
NtOpenProcessToken
NtOpenProcessTokenEx
NtOpenRegistryTransaction
NtOpenResourceManager
NtOpenSection
NtOpenSemaphore
NtOpenSession
NtOpenSymbolicLinkObject
NtOpenThread
NtOpenThreadToken
NtOpenThreadTokenEx
NtOpenTimer
NtOpenTransaction
NtOpenTransactionManager
NtPlugPlayControl
NtPowerInformation
NtPrePrepareComplete
NtPrePrepareEnlistment
NtPrepareComplete
NtPrepareEnlistment
NtPrivilegeCheck
NtPrivilegeObjectAuditAlarm
NtPrivilegedServiceAuditAlarm
NtPropagationComplete
NtPropagationFailed
NtProtectVirtualMemory
NtPssCaptureVaSpaceBulk
NtPulseEvent
NtQueryAttributesFile
NtQueryAuxiliaryCounterFrequency
NtQueryBootEntryOrder
NtQueryBootOptions
NtQueryDebugFilterState
NtQueryDefaultLocale
NtQueryDefaultUILanguage
NtQueryDirectoryFile
NtQueryDirectoryFileEx
NtQueryDirectoryObject
NtQueryDriverEntryOrder
NtQueryEaFile
NtQueryEvent
NtQueryFullAttributesFile
NtQueryInformationAtom
NtQueryInformationByName
NtQueryInformationEnlistment
NtQueryInformationFile
NtQueryInformationJobObject
NtQueryInformationPort
NtQueryInformationProcess
NtQueryInformationResourceManager
NtQueryInformationThread
NtQueryInformationToken
NtQueryInformationTransaction
NtQueryInformationTransactionManager
NtQueryInformationWorkerFactory
NtQueryInstallUILanguage
NtQueryIntervalProfile
NtQueryIoCompletion
NtQueryKey
NtQueryLicenseValue
NtQueryMultipleValueKey
NtQueryMutant
NtQueryObject
NtQueryOpenSubKeys
NtQueryOpenSubKeysEx
NtQueryPerformanceCounter
NtQueryPortInformationProcess
NtQueryQuotaInformationFile
NtQuerySection
NtQuerySecurityAttributesToken
NtQuerySecurityObject
NtQuerySecurityPolicy
NtQuerySemaphore
NtQuerySymbolicLinkObject
NtQuerySystemEnvironmentValue
NtQuerySystemEnvironmentValueEx
NtQuerySystemInformation
NtQuerySystemInformationEx
NtQuerySystemTime
NtQueryTimer
NtQueryTimerResolution
NtQueryValueKey
NtQueryVirtualMemory
NtQueryVolumeInformationFile
NtQueryWnfStateData
NtQueryWnfStateNameInformation
NtQueueApcThread
NtQueueApcThreadEx
NtRaiseException
NtRaiseHardError
NtReadFile
NtReadFileScatter
NtReadOnlyEnlistment
NtReadRequestData
NtReadVirtualMemory
NtRecoverEnlistment
NtRecoverResourceManager
NtRecoverTransactionManager
NtRegisterProtocolAddressInformation
NtRegisterThreadTerminatePort
NtReleaseKeyedEvent
NtReleaseMutant
NtReleaseSemaphore
NtReleaseWorkerFactoryWorker
NtRemoveIoCompletion
NtRemoveIoCompletionEx
NtRemoveProcessDebug
NtRenameKey
NtRenameTransactionManager
NtReplaceKey
NtReplacePartitionUnit
NtReplyPort
NtReplyWaitReceivePort
NtReplyWaitReceivePortEx
NtReplyWaitReplyPort
NtRequestPort
NtRequestWaitReplyPort
NtResetEvent
NtResetWriteWatch
NtRestoreKey
NtResumeProcess
NtResumeThread
NtRevertContainerImpersonation
NtRollbackComplete
NtRollbackEnlistment
NtRollbackRegistryTransaction
NtRollbackTransaction
NtRollforwardTransactionManager
NtSaveKey
NtSaveKeyEx
NtSaveMergedKeys
NtSecureConnectPort
NtSerializeBoot
NtSetBootEntryOrder
NtSetBootOptions
NtSetCachedSigningLevel
NtSetCachedSigningLevel2
NtSetContextThread
NtSetDebugFilterState
NtSetDefaultHardErrorPort
NtSetDefaultLocale
NtSetDefaultUILanguage
NtSetDriverEntryOrder
NtSetEaFile
NtSetEvent
NtSetEventBoostPriority
NtSetHighEventPair
NtSetHighWaitLowEventPair
NtSetIRTimer
NtSetInformationDebugObject
NtSetInformationEnlistment
NtSetInformationFile
NtSetInformationJobObject
NtSetInformationKey
NtSetInformationObject
NtSetInformationProcess
NtSetInformationResourceManager
NtSetInformationSymbolicLink
NtSetInformationThread
NtSetInformationToken
NtSetInformationTransaction
NtSetInformationTransactionManager
NtSetInformationVirtualMemory
NtSetInformationWorkerFactory
NtSetIntervalProfile
NtSetIoCompletion
NtSetIoCompletionEx
NtSetLdtEntries
NtSetLowEventPair
NtSetLowWaitHighEventPair
NtSetQuotaInformationFile
NtSetSecurityObject
NtSetSystemEnvironmentValue
NtSetSystemEnvironmentValueEx
NtSetSystemInformation
NtSetSystemPowerState
NtSetSystemTime
NtSetThreadExecutionState
NtSetTimer
NtSetTimer2
NtSetTimerEx
NtSetTimerResolution
NtSetUuidSeed
NtSetValueKey
NtSetVolumeInformationFile
NtSetWnfProcessNotificationEvent
NtShutdownSystem
NtShutdownWorkerFactory
NtSignalAndWaitForSingleObject
NtSinglePhaseReject
NtStartProfile
NtStopProfile
NtSubscribeWnfStateChange
NtSuspendProcess
NtSuspendThread
NtSystemDebugControl
NtTerminateEnclave
NtTerminateJobObject
NtTerminateProcess
NtTerminateThread
NtTestAlert
NtThawRegistry
NtThawTransactions
NtTraceControl
NtTraceEvent
NtTranslateFilePath
NtUmsThreadYield
NtUnloadDriver
NtUnloadKey
NtUnloadKey2
NtUnloadKeyEx
NtUnlockFile
NtUnlockVirtualMemory
NtUnmapViewOfSection
NtUnmapViewOfSectionEx
NtUnsubscribeWnfStateChange
NtUpdateWnfStateData
NtVdmControl
NtWaitForAlertByThreadId
NtWaitForDebugEvent
NtWaitForKeyedEvent
NtWaitForMultipleObjects
NtWaitForMultipleObjects32
NtWaitForSingleObject
NtWaitForWorkViaWorkerFactory
NtWaitHighEventPair
NtWaitLowEventPair
NtWorkerFactoryWorkerReady
NtWriteFile
NtWriteFileGather
NtWriteRequestData
NtWriteVirtualMemory
NtYieldExecution
NtdllDefWindowProc_A
NtdllDefWindowProc_W
NtdllDialogWndProc_A
NtdllDialogWndProc_W
PfxFindPrefix
PfxInitialize
PfxInsertPrefix
PfxRemovePrefix
PssNtCaptureSnapshot
PssNtDuplicateSnapshot
PssNtFreeRemoteSnapshot
PssNtFreeSnapshot
PssNtFreeWalkMarker
PssNtQuerySnapshot
PssNtValidateDescriptor
PssNtWalkSnapshot
RtlAbortRXact
RtlAbsoluteToSelfRelativeSD
RtlAcquirePebLock
RtlAcquirePrivilege
RtlAcquireReleaseSRWLockExclusive
RtlAcquireResourceExclusive
RtlAcquireResourceShared
RtlAcquireSRWLockExclusive
RtlAcquireSRWLockShared
RtlActivateActivationContext
RtlActivateActivationContextEx
RtlActivateActivationContextUnsafeFast
RtlAddAccessAllowedAce
RtlAddAccessAllowedAceEx
RtlAddAccessAllowedObjectAce
RtlAddAccessDeniedAce
RtlAddAccessDeniedAceEx
RtlAddAccessDeniedObjectAce
RtlAddAccessFilterAce
RtlAddAce
RtlAddActionToRXact
RtlAddAtomToAtomTable
RtlAddAttributeActionToRXact
RtlAddAuditAccessAce
RtlAddAuditAccessAceEx
RtlAddAuditAccessObjectAce
RtlAddCompoundAce
RtlAddFunctionTable
RtlAddGrowableFunctionTable
RtlAddIntegrityLabelToBoundaryDescriptor
RtlAddMandatoryAce
RtlAddProcessTrustLabelAce
RtlAddRefActivationContext
RtlAddRefMemoryStream
RtlAddResourceAttributeAce
RtlAddSIDToBoundaryDescriptor
RtlAddScopedPolicyIDAce
RtlAddVectoredContinueHandler
RtlAddVectoredExceptionHandler
RtlAddressInSectionTable
RtlAdjustPrivilege
RtlAllocateActivationContextStack
RtlAllocateAndInitializeSid
RtlAllocateAndInitializeSidEx
RtlAllocateHandle
RtlAllocateHeap
RtlAllocateMemoryBlockLookaside
RtlAllocateMemoryZone
RtlAllocateWnfSerializationGroup
RtlAnsiCharToUnicodeChar
RtlAnsiStringToUnicodeSize
RtlAnsiStringToUnicodeString
RtlAppendAsciizToString
RtlAppendPathElement
RtlAppendStringToString
RtlAppendUnicodeStringToString
RtlAppendUnicodeToString
RtlApplicationVerifierStop
RtlApplyRXact
RtlApplyRXactNoFlush
RtlAppxIsFileOwnedByTrustedInstaller
RtlAreAllAccessesGranted
RtlAreAnyAccessesGranted
RtlAreBitsClear
RtlAreBitsClearEx
RtlAreBitsSet
RtlAreLongPathsEnabled
RtlAssert
RtlAvlInsertNodeEx
RtlAvlRemoveNode
RtlBarrier
RtlBarrierForDelete
RtlCallEnclaveReturn
RtlCancelTimer
RtlCanonicalizeDomainName
RtlCapabilityCheck
RtlCapabilityCheckForSingleSessionSku
RtlCaptureContext
RtlCaptureContext2
RtlCaptureStackBackTrace
RtlCharToInteger
RtlCheckBootStatusIntegrity
RtlCheckForOrphanedCriticalSections
RtlCheckPortableOperatingSystem
RtlCheckRegistryKey
RtlCheckSandboxedToken
RtlCheckSystemBootStatusIntegrity
RtlCheckTokenCapability
RtlCheckTokenMembership
RtlCheckTokenMembershipEx
RtlCleanUpTEBLangLists
RtlClearAllBits
RtlClearAllBitsEx
RtlClearBit
RtlClearBitEx
RtlClearBits
RtlClearBitsEx
RtlClearThreadWorkOnBehalfTicket
RtlCloneMemoryStream
RtlCloneUserProcess
RtlCmDecodeMemIoResource
RtlCmEncodeMemIoResource
RtlCommitDebugInfo
RtlCommitMemoryStream
RtlCompactHeap
RtlCompareAltitudes
RtlCompareMemory
RtlCompareMemoryUlong
RtlCompareString
RtlCompareUnicodeString
RtlCompareUnicodeStrings
RtlCompleteProcessCloning
RtlCompressBuffer
RtlComputeCrc32
RtlComputeImportTableHash
RtlComputePrivatizedDllName_U
RtlConnectToSm
RtlConsoleMultiByteToUnicodeN
RtlConstructCrossVmEventPath
RtlConstructCrossVmMutexPath
RtlContractHashTable
RtlConvertDeviceFamilyInfoToString
RtlConvertExclusiveToShared
RtlConvertLCIDToString
RtlConvertSRWLockExclusiveToShared
RtlConvertSharedToExclusive
RtlConvertSidToUnicodeString
RtlConvertToAutoInheritSecurityObject
RtlCopyBitMap
RtlCopyContext
RtlCopyExtendedContext
RtlCopyLuid
RtlCopyLuidAndAttributesArray
RtlCopyMappedMemory
RtlCopyMemory
RtlCopyMemoryNonTemporal
RtlCopyMemoryStreamTo
RtlCopyOutOfProcessMemoryStreamTo
RtlCopySecurityDescriptor
RtlCopySid
RtlCopySidAndAttributesArray
RtlCopyString
RtlCopyUnicodeString
RtlCrc32
RtlCrc64
RtlCreateAcl
RtlCreateActivationContext
RtlCreateAndSetSD
RtlCreateAtomTable
RtlCreateBootStatusDataFile
RtlCreateBoundaryDescriptor
RtlCreateEnvironment
RtlCreateEnvironmentEx
RtlCreateHashTable
RtlCreateHashTableEx
RtlCreateHeap
RtlCreateMemoryBlockLookaside
RtlCreateMemoryZone
RtlCreateProcessParameters
RtlCreateProcessParametersEx
RtlCreateProcessParametersWithTemplate
RtlCreateProcessReflection
RtlCreateQueryDebugBuffer
RtlCreateRegistryKey
RtlCreateSecurityDescriptor
RtlCreateServiceSid
RtlCreateSystemVolumeInformationFolder
RtlCreateTagHeap
RtlCreateTimer
RtlCreateTimerQueue
RtlCreateUmsCompletionList
RtlCreateUmsThreadContext
RtlCreateUnicodeString
RtlCreateUnicodeStringFromAsciiz
RtlCreateUserFiberShadowStack
RtlCreateUserProcess
RtlCreateUserProcessEx
RtlCreateUserSecurityObject
RtlCreateUserStack
RtlCreateUserThread
RtlCreateVirtualAccountSid
RtlCultureNameToLCID
RtlCustomCPToUnicodeN
RtlCutoverTimeToSystemTime
RtlDeCommitDebugInfo
RtlDeNormalizeProcessParams
RtlDeactivateActivationContext
RtlDeactivateActivationContextUnsafeFast
RtlDebugPrintTimes
RtlDecodePointer
RtlDecodeRemotePointer
RtlDecodeSystemPointer
RtlDecompressBuffer
RtlDecompressBufferEx
RtlDecompressFragment
RtlDefaultNpAcl
RtlDelete
RtlDeleteAce
RtlDeleteAtomFromAtomTable
RtlDeleteBarrier
RtlDeleteBoundaryDescriptor
RtlDeleteCriticalSection
RtlDeleteElementGenericTable
RtlDeleteElementGenericTableAvl
RtlDeleteElementGenericTableAvlEx
RtlDeleteFunctionTable
RtlDeleteGrowableFunctionTable
RtlDeleteHashTable
RtlDeleteNoSplay
RtlDeleteRegistryValue
RtlDeleteResource
RtlDeleteSecurityObject
RtlDeleteTimer
RtlDeleteTimerQueue
RtlDeleteTimerQueueEx
RtlDeleteUmsCompletionList
RtlDeleteUmsThreadContext
RtlDequeueUmsCompletionListItems
RtlDeregisterSecureMemoryCacheCallback
RtlDeregisterWait
RtlDeregisterWaitEx
RtlDeriveCapabilitySidsFromName
RtlDestroyAtomTable
RtlDestroyEnvironment
RtlDestroyHandleTable
RtlDestroyHeap
RtlDestroyMemoryBlockLookaside
RtlDestroyMemoryZone
RtlDestroyProcessParameters
RtlDestroyQueryDebugBuffer
RtlDetectHeapLeaks
RtlDetermineDosPathNameType_U
RtlDisableThreadProfiling
RtlDisownModuleHeapAllocation
RtlDllShutdownInProgress
RtlDnsHostNameToComputerName
RtlDoesFileExists_U
RtlDoesNameContainWildCards
RtlDosApplyFileIsolationRedirection_Ustr
RtlDosLongPathNameToNtPathName_U_WithStatus
RtlDosLongPathNameToRelativeNtPathName_U_WithStatus
RtlDosPathNameToNtPathName_U
RtlDosPathNameToNtPathName_U_WithStatus
RtlDosPathNameToRelativeNtPathName_U
RtlDosPathNameToRelativeNtPathName_U_WithStatus
RtlDosSearchPath_U
RtlDosSearchPath_Ustr
RtlDowncaseUnicodeChar
RtlDowncaseUnicodeString
RtlDrainNonVolatileFlush
RtlDumpResource
RtlDuplicateUnicodeString
RtlEmptyAtomTable
RtlEnableEarlyCriticalSectionEventCreation
RtlEnableThreadProfiling
RtlEnclaveCallDispatch
RtlEnclaveCallDispatchReturn
RtlEncodePointer
RtlEncodeRemotePointer
RtlEncodeSystemPointer
RtlEndEnumerationHashTable
RtlEndStrongEnumerationHashTable
RtlEndWeakEnumerationHashTable
RtlEnterCriticalSection
RtlEnterUmsSchedulingMode
RtlEnumProcessHeaps
RtlEnumerateEntryHashTable
RtlEnumerateGenericTable
RtlEnumerateGenericTableAvl
RtlEnumerateGenericTableLikeADirectory
RtlEnumerateGenericTableWithoutSplaying
RtlEnumerateGenericTableWithoutSplayingAvl
RtlEqualComputerName
RtlEqualDomainName
RtlEqualLuid
RtlEqualPrefixSid
RtlEqualSid
RtlEqualString
RtlEqualUnicodeString
RtlEqualWnfChangeStamps
RtlEraseUnicodeString
RtlEthernetAddressToStringA
RtlEthernetAddressToStringW
RtlEthernetStringToAddressA
RtlEthernetStringToAddressW
RtlExecuteUmsThread
RtlExitUserProcess
RtlExitUserThread
RtlExpandEnvironmentStrings
RtlExpandEnvironmentStrings_U
RtlExpandHashTable
RtlExtendCorrelationVector
RtlExtendMemoryBlockLookaside
RtlExtendMemoryZone
RtlExtractBitMap
RtlFillMemory
RtlFillMemoryNonTemporal
RtlFillNonVolatileMemory
RtlFinalReleaseOutOfProcessMemoryStream
RtlFindAceByType
RtlFindActivationContextSectionGuid
RtlFindActivationContextSectionString
RtlFindCharInUnicodeString
RtlFindClearBits
RtlFindClearBitsAndSet
RtlFindClearBitsEx
RtlFindClearRuns
RtlFindClosestEncodableLength
RtlFindExportedRoutineByName
RtlFindLastBackwardRunClear
RtlFindLeastSignificantBit
RtlFindLongestRunClear
RtlFindMessage
RtlFindMostSignificantBit
RtlFindNextForwardRunClear
RtlFindSetBits
RtlFindSetBitsAndClear
RtlFindSetBitsAndClearEx
RtlFindSetBitsEx
RtlFindUnicodeSubstring
RtlFirstEntrySList
RtlFirstFreeAce
RtlFlsAlloc
RtlFlsFree
RtlFlsGetValue
RtlFlsSetValue
RtlFlushHeaps
RtlFlushNonVolatileMemory
RtlFlushNonVolatileMemoryRanges
RtlFlushSecureMemoryCache
RtlFormatCurrentUserKeyPath
RtlFormatMessage
RtlFormatMessageEx
RtlFreeActivationContextStack
RtlFreeAnsiString
RtlFreeHandle
RtlFreeHeap
RtlFreeMemoryBlockLookaside
RtlFreeNonVolatileToken
RtlFreeOemString
RtlFreeSid
RtlFreeThreadActivationContextStack
RtlFreeUTF8String
RtlFreeUnicodeString
RtlFreeUserFiberShadowStack
RtlFreeUserStack
RtlGUIDFromString
RtlGenerate8dot3Name
RtlGetAce
RtlGetActiveActivationContext
RtlGetActiveConsoleId
RtlGetAppContainerNamedObjectPath
RtlGetAppContainerParent
RtlGetAppContainerSidType
RtlGetCallersAddress
RtlGetCompressionWorkSpaceSize
RtlGetConsoleSessionForegroundProcessId
RtlGetControlSecurityDescriptor
RtlGetCriticalSectionRecursionCount
RtlGetCurrentDirectory_U
RtlGetCurrentPeb
RtlGetCurrentProcessorNumber
RtlGetCurrentProcessorNumberEx
RtlGetCurrentServiceSessionId
RtlGetCurrentTransaction
RtlGetCurrentUmsThread
RtlGetDaclSecurityDescriptor
RtlGetDeviceFamilyInfoEnum
RtlGetElementGenericTable
RtlGetElementGenericTableAvl
RtlGetEnabledExtendedFeatures
RtlGetExePath
RtlGetExtendedContextLength
RtlGetExtendedContextLength2
RtlGetExtendedFeaturesMask
RtlGetFileMUIPath
RtlGetFrame
RtlGetFullPathName_U
RtlGetFullPathName_UEx
RtlGetFullPathName_UstrEx
RtlGetFunctionTableListHead
RtlGetGroupSecurityDescriptor
RtlGetIntegerAtom
RtlGetInterruptTimePrecise
RtlGetLastNtStatus
RtlGetLastWin32Error
RtlGetLengthWithoutLastFullDosOrNtPathElement
RtlGetLengthWithoutTrailingPathSeperators
RtlGetLocaleFileMappingAddress
RtlGetLongestNtPathLength
RtlGetMultiTimePrecise
RtlGetNativeSystemInformation
RtlGetNextEntryHashTable
RtlGetNextUmsListItem
RtlGetNonVolatileToken
RtlGetNtGlobalFlags
RtlGetNtProductType
RtlGetNtSystemRoot
RtlGetNtVersionNumbers
RtlGetOwnerSecurityDescriptor
RtlGetParentLocaleName
RtlGetPersistedStateLocation
RtlGetProcessHeaps
RtlGetProcessPreferredUILanguages
RtlGetProductInfo
RtlGetReturnAddressHijackTarget
RtlGetSaclSecurityDescriptor
RtlGetSearchPath
RtlGetSecurityDescriptorRMControl
RtlGetSessionProperties
RtlGetSetBootStatusData
RtlGetSuiteMask
RtlGetSystemBootStatus
RtlGetSystemBootStatusEx
RtlGetSystemPreferredUILanguages
RtlGetSystemTimeAndBias
RtlGetSystemTimePrecise
RtlGetThreadErrorMode
RtlGetThreadLangIdByIndex
RtlGetThreadPreferredUILanguages
RtlGetThreadWorkOnBehalfTicket
RtlGetTokenNamedObjectPath
RtlGetUILanguageInfo
RtlGetUmsCompletionListEvent
RtlGetUnloadEventTrace
RtlGetUnloadEventTraceEx
RtlGetUserInfoHeap
RtlGetUserPreferredUILanguages
RtlGetVersion
RtlGrowFunctionTable
RtlGuardCheckLongJumpTarget
RtlHashUnicodeString
RtlHeapTrkInitialize
RtlIdentifierAuthoritySid
RtlIdnToAscii
RtlIdnToNameprepUnicode
RtlIdnToUnicode
RtlImageDirectoryEntryToData
RtlImageNtHeader
RtlImageNtHeaderEx
RtlImageRvaToSection
RtlImageRvaToVa
RtlImpersonateSelf
RtlImpersonateSelfEx
RtlIncrementCorrelationVector
RtlInitAnsiString
RtlInitAnsiStringEx
RtlInitBarrier
RtlInitCodePageTable
RtlInitEnumerationHashTable
RtlInitMemoryStream
RtlInitNlsTables
RtlInitOutOfProcessMemoryStream
RtlInitString
RtlInitStringEx
RtlInitStrongEnumerationHashTable
RtlInitUTF8String
RtlInitUTF8StringEx
RtlInitUnicodeString
RtlInitUnicodeStringEx
RtlInitWeakEnumerationHashTable
RtlInitializeAtomPackage
RtlInitializeBitMap
RtlInitializeBitMapEx
RtlInitializeConditionVariable
RtlInitializeContext
RtlInitializeCorrelationVector
RtlInitializeCriticalSection
RtlInitializeCriticalSectionAndSpinCount
RtlInitializeCriticalSectionEx
RtlInitializeExtendedContext
RtlInitializeExtendedContext2
RtlInitializeGenericTable
RtlInitializeGenericTableAvl
RtlInitializeHandleTable
RtlInitializeNtUserPfn
RtlInitializeRXact
RtlInitializeResource
RtlInitializeSListHead
RtlInitializeSRWLock
RtlInitializeSid
RtlInitializeSidEx
RtlInsertElementGenericTable
RtlInsertElementGenericTableAvl
RtlInsertElementGenericTableFull
RtlInsertElementGenericTableFullAvl
RtlInsertEntryHashTable
RtlInstallFunctionTableCallback
RtlInt64ToUnicodeString
RtlIntegerToChar
RtlIntegerToUnicodeString
RtlInterlockedClearBitRun
RtlInterlockedFlushSList
RtlInterlockedPopEntrySList
RtlInterlockedPushEntrySList
RtlInterlockedPushListSList
RtlInterlockedPushListSListEx
RtlInterlockedSetBitRun
RtlIoDecodeMemIoResource
RtlIoEncodeMemIoResource
RtlIpv4AddressToStringA
RtlIpv4AddressToStringExA
RtlIpv4AddressToStringExW
RtlIpv4AddressToStringW
RtlIpv4StringToAddressA
RtlIpv4StringToAddressExA
RtlIpv4StringToAddressExW
RtlIpv4StringToAddressW
RtlIpv6AddressToStringA
RtlIpv6AddressToStringExA
RtlIpv6AddressToStringExW
RtlIpv6AddressToStringW
RtlIpv6StringToAddressA
RtlIpv6StringToAddressExA
RtlIpv6StringToAddressExW
RtlIpv6StringToAddressW
RtlIsActivationContextActive
RtlIsCapabilitySid
RtlIsCloudFilesPlaceholder
RtlIsCriticalSectionLocked
RtlIsCriticalSectionLockedByThread
RtlIsCurrentProcess
RtlIsCurrentThread
RtlIsCurrentThreadAttachExempt
RtlIsDosDeviceName_U
RtlIsElevatedRid
RtlIsGenericTableEmpty
RtlIsGenericTableEmptyAvl
RtlIsMultiSessionSku
RtlIsMultiUsersInSessionSku
RtlIsNameInExpression
RtlIsNameInUnUpcasedExpression
RtlIsNameLegalDOS8Dot3
RtlIsNonEmptyDirectoryReparsePointAllowed
RtlIsNormalizedString
RtlIsPackageSid
RtlIsParentOfChildAppContainer
RtlIsPartialPlaceholder
RtlIsPartialPlaceholderFileHandle
RtlIsPartialPlaceholderFileInfo
RtlIsProcessorFeaturePresent
RtlIsStateSeparationEnabled
RtlIsTextUnicode
RtlIsThreadWithinLoaderCallout
RtlIsUntrustedObject
RtlIsValidHandle
RtlIsValidIndexHandle
RtlIsValidLocaleName
RtlIsValidProcessTrustLabelSid
RtlIsZeroMemory
RtlKnownExceptionFilter
RtlLCIDToCultureName
RtlLargeIntegerToChar
RtlLcidToLocaleName
RtlLeaveCriticalSection
RtlLengthRequiredSid
RtlLengthSecurityDescriptor
RtlLengthSid
RtlLengthSidAsUnicodeString
RtlLoadString
RtlLocalTimeToSystemTime
RtlLocaleNameToLcid
RtlLocateExtendedFeature
RtlLocateExtendedFeature2
RtlLocateLegacyContext
RtlLockBootStatusData
RtlLockCurrentThread
RtlLockHeap
RtlLockMemoryBlockLookaside
RtlLockMemoryStreamRegion
RtlLockMemoryZone
RtlLockModuleSection
RtlLogStackBackTrace
RtlLookupAtomInAtomTable
RtlLookupElementGenericTable
RtlLookupElementGenericTableAvl
RtlLookupElementGenericTableFull
RtlLookupElementGenericTableFullAvl
RtlLookupEntryHashTable
RtlLookupFirstMatchingElementGenericTableAvl
RtlLookupFunctionEntry
RtlLookupFunctionTable
RtlMakeSelfRelativeSD
RtlMapGenericMask
RtlMapSecurityErrorToNtStatus
RtlMoveMemory
RtlMultiAppendUnicodeStringBuffer
RtlMultiByteToUnicodeN
RtlMultiByteToUnicodeSize
RtlMultipleAllocateHeap
RtlMultipleFreeHeap
RtlNewInstanceSecurityObject
RtlNewSecurityGrantedAccess
RtlNewSecurityObject
RtlNewSecurityObjectEx
RtlNewSecurityObjectWithMultipleInheritance
RtlNormalizeProcessParams
RtlNormalizeSecurityDescriptor
RtlNormalizeString
RtlNotifyFeatureUsage
RtlNtPathNameToDosPathName
RtlNtStatusToDosError
RtlNtStatusToDosErrorNoTeb
RtlNtdllName
RtlNumberGenericTableElements
RtlNumberGenericTableElementsAvl
RtlNumberOfClearBits
RtlNumberOfClearBitsEx
RtlNumberOfClearBitsInRange
RtlNumberOfSetBits
RtlNumberOfSetBitsEx
RtlNumberOfSetBitsInRange
RtlNumberOfSetBitsUlongPtr
RtlOemStringToUnicodeSize
RtlOemStringToUnicodeString
RtlOemToUnicodeN
RtlOpenCurrentUser
RtlOsDeploymentState
RtlOwnerAcesPresent
RtlPcToFileHeader
RtlPinAtomInAtomTable
RtlPopFrame
RtlPrefixString
RtlPrefixUnicodeString
RtlPrepareForProcessCloning
RtlProcessFlsData
RtlProtectHeap
RtlPublishWnfStateData
RtlPushFrame
RtlQueryActivationContextApplicationSettings
RtlQueryAllFeatureConfigurations
RtlQueryAtomInAtomTable
RtlQueryCriticalSectionOwner
RtlQueryDepthSList
RtlQueryDynamicTimeZoneInformation
RtlQueryElevationFlags
RtlQueryEnvironmentVariable
RtlQueryEnvironmentVariable_U
RtlQueryFeatureConfiguration
RtlQueryFeatureConfigurationChangeStamp
RtlQueryFeatureUsageNotificationSubscriptions
RtlQueryHeapInformation
RtlQueryImageMitigationPolicy
RtlQueryInformationAcl
RtlQueryInformationActivationContext
RtlQueryInformationActiveActivationContext
RtlQueryInterfaceMemoryStream
RtlQueryModuleInformation
RtlQueryPackageClaims
RtlQueryPackageIdentity
RtlQueryPackageIdentityEx
RtlQueryPerformanceCounter
RtlQueryPerformanceFrequency
RtlQueryProcessBackTraceInformation
RtlQueryProcessDebugInformation
RtlQueryProcessHeapInformation
RtlQueryProcessLockInformation
RtlQueryProcessPlaceholderCompatibilityMode
RtlQueryProtectedPolicy
RtlQueryRegistryValueWithFallback
RtlQueryRegistryValues
RtlQueryRegistryValuesEx
RtlQueryResourcePolicy
RtlQuerySecurityObject
RtlQueryTagHeap
RtlQueryThreadPlaceholderCompatibilityMode
RtlQueryThreadProfiling
RtlQueryTimeZoneInformation
RtlQueryTokenHostIdAsUlong64
RtlQueryUmsThreadInformation
RtlQueryUnbiasedInterruptTime
RtlQueryValidationRunlevel
RtlQueryWnfMetaNotification
RtlQueryWnfStateData
RtlQueryWnfStateDataWithExplicitScope
RtlQueueApcWow64Thread
RtlQueueWorkItem
RtlRaiseCustomSystemEventTrigger
RtlRaiseException
RtlRaiseExceptionForReturnAddressHijack
RtlRaiseNoncontinuableException
RtlRaiseStatus
RtlRandom
RtlRandomEx
RtlRbInsertNodeEx
RtlRbRemoveNode
RtlReAllocateHeap
RtlReadMemoryStream
RtlReadOutOfProcessMemoryStream
RtlReadThreadProfilingData
RtlRealPredecessor
RtlRealSuccessor
RtlRegisterFeatureConfigurationChangeNotification
RtlRegisterForWnfMetaNotification
RtlRegisterSecureMemoryCacheCallback
RtlRegisterThreadWithCsrss
RtlRegisterWait
RtlReleaseActivationContext
RtlReleaseMemoryStream
RtlReleasePath
RtlReleasePebLock
RtlReleasePrivilege
RtlReleaseRelativeName
RtlReleaseResource
RtlReleaseSRWLockExclusive
RtlReleaseSRWLockShared
RtlRemoteCall
RtlRemoveEntryHashTable
RtlRemovePrivileges
RtlRemoveVectoredContinueHandler
RtlRemoveVectoredExceptionHandler
RtlReplaceSidInSd
RtlReplaceSystemDirectoryInPath
RtlReportException
RtlReportExceptionEx
RtlReportSilentProcessExit
RtlReportSqmEscalation
RtlResetMemoryBlockLookaside
RtlResetMemoryZone
RtlResetNtUserPfn
RtlResetRtlTranslations
RtlRestoreBootStatusDefaults
RtlRestoreContext
RtlRestoreLastWin32Error
RtlRestoreSystemBootStatusDefaults
RtlRestoreThreadPreferredUILanguages
RtlRetrieveNtUserPfn
RtlRevertMemoryStream
RtlRunDecodeUnicodeString
RtlRunEncodeUnicodeString
RtlRunOnceBeginInitialize
RtlRunOnceComplete
RtlRunOnceExecuteOnce
RtlRunOnceInitialize
RtlSecondsSince1970ToTime
RtlSecondsSince1980ToTime
RtlSeekMemoryStream
RtlSelfRelativeToAbsoluteSD
RtlSelfRelativeToAbsoluteSD2
RtlSendMsgToSm
RtlSetAllBits
RtlSetAllBitsEx
RtlSetAttributesSecurityDescriptor
RtlSetBit
RtlSetBitEx
RtlSetBits
RtlSetBitsEx
RtlSetControlSecurityDescriptor
RtlSetCriticalSectionSpinCount
RtlSetCurrentDirectory_U
RtlSetCurrentEnvironment
RtlSetCurrentTransaction
RtlSetDaclSecurityDescriptor
RtlSetDynamicTimeZoneInformation
RtlSetEnvironmentStrings
RtlSetEnvironmentVar
RtlSetEnvironmentVariable
RtlSetExtendedFeaturesMask
RtlSetFeatureConfigurations
RtlSetGroupSecurityDescriptor
RtlSetHeapInformation
RtlSetImageMitigationPolicy
RtlSetInformationAcl
RtlSetIoCompletionCallback
RtlSetLastWin32Error
RtlSetLastWin32ErrorAndNtStatusFromNtStatus
RtlSetMemoryStreamSize
RtlSetOwnerSecurityDescriptor
RtlSetPortableOperatingSystem
RtlSetProcessDebugInformation
RtlSetProcessIsCritical
RtlSetProcessPlaceholderCompatibilityMode
RtlSetProcessPreferredUILanguages
RtlSetProtectedPolicy
RtlSetProxiedProcessId
RtlSetSaclSecurityDescriptor
RtlSetSearchPathMode
RtlSetSecurityDescriptorRMControl
RtlSetSecurityObject
RtlSetSecurityObjectEx
RtlSetSystemBootStatus
RtlSetSystemBootStatusEx
RtlSetThreadErrorMode
RtlSetThreadIsCritical
RtlSetThreadPlaceholderCompatibilityMode
RtlSetThreadPoolStartFunc
RtlSetThreadPreferredUILanguages
RtlSetThreadPreferredUILanguages2
RtlSetThreadSubProcessTag
RtlSetThreadWorkOnBehalfTicket
RtlSetTimeZoneInformation
RtlSetTimer
RtlSetUmsThreadInformation
RtlSetUnhandledExceptionFilter
RtlSetUserFlagsHeap
RtlSetUserValueHeap
RtlSidDominates
RtlSidDominatesForTrust
RtlSidEqualLevel
RtlSidHashInitialize
RtlSidHashLookup
RtlSidIsHigherLevel
RtlSizeHeap
RtlSleepConditionVariableCS
RtlSleepConditionVariableSRW
RtlSplay
RtlStartRXact
RtlStatMemoryStream
RtlStringFromGUID
RtlStringFromGUIDEx
RtlStronglyEnumerateEntryHashTable
RtlSubAuthorityCountSid
RtlSubAuthoritySid
RtlSubscribeForFeatureUsageNotification
RtlSubscribeWnfStateChangeNotification
RtlSubtreePredecessor
RtlSubtreeSuccessor
RtlSwitchedVVI
RtlSystemTimeToLocalTime
RtlTestAndPublishWnfStateData
RtlTestBit
RtlTestBitEx
RtlTestProtectedAccess
RtlTimeFieldsToTime
RtlTimeToElapsedTimeFields
RtlTimeToSecondsSince1970
RtlTimeToSecondsSince1980
RtlTimeToTimeFields
RtlTraceDatabaseAdd
RtlTraceDatabaseCreate
RtlTraceDatabaseDestroy
RtlTraceDatabaseEnumerate
RtlTraceDatabaseFind
RtlTraceDatabaseLock
RtlTraceDatabaseUnlock
RtlTraceDatabaseValidate
RtlTryAcquirePebLock
RtlTryAcquireSRWLockExclusive
RtlTryAcquireSRWLockShared
RtlTryConvertSRWLockSharedToExclusiveOrRelease
RtlTryEnterCriticalSection
RtlUTF8StringToUnicodeString
RtlUTF8ToUnicodeN
RtlUdiv128
RtlUmsThreadYield
RtlUnhandledExceptionFilter
RtlUnhandledExceptionFilter2
RtlUnicodeStringToAnsiSize
RtlUnicodeStringToAnsiString
RtlUnicodeStringToCountedOemString
RtlUnicodeStringToInteger
RtlUnicodeStringToOemSize
RtlUnicodeStringToOemString
RtlUnicodeStringToUTF8String
RtlUnicodeToCustomCPN
RtlUnicodeToMultiByteN
RtlUnicodeToMultiByteSize
RtlUnicodeToOemN
RtlUnicodeToUTF8N
RtlUniform
RtlUnlockBootStatusData
RtlUnlockCurrentThread
RtlUnlockHeap
RtlUnlockMemoryBlockLookaside
RtlUnlockMemoryStreamRegion
RtlUnlockMemoryZone
RtlUnlockModuleSection
RtlUnregisterFeatureConfigurationChangeNotification
RtlUnsubscribeFromFeatureUsageNotifications
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlUnsubscribeWnfNotificationWithCompletionCallback
RtlUnsubscribeWnfStateChangeNotification
RtlUnwind
RtlUnwindEx
RtlUpcaseUnicodeChar
RtlUpcaseUnicodeString
RtlUpcaseUnicodeStringToAnsiString
RtlUpcaseUnicodeStringToCountedOemString
RtlUpcaseUnicodeStringToOemString
RtlUpcaseUnicodeToCustomCPN
RtlUpcaseUnicodeToMultiByteN
RtlUpcaseUnicodeToOemN
RtlUpdateClonedCriticalSection
RtlUpdateClonedSRWLock
RtlUpdateTimer
RtlUpperChar
RtlUpperString
RtlUserFiberStart
RtlUserThreadStart
RtlValidAcl
RtlValidProcessProtection
RtlValidRelativeSecurityDescriptor
RtlValidSecurityDescriptor
RtlValidSid
RtlValidateCorrelationVector
RtlValidateHeap
RtlValidateProcessHeaps
RtlValidateUnicodeString
RtlVerifyVersionInfo
RtlVirtualUnwind
RtlWaitForWnfMetaNotification
RtlWaitOnAddress
RtlWakeAddressAll
RtlWakeAddressAllNoFence
RtlWakeAddressSingle
RtlWakeAddressSingleNoFence
RtlWakeAllConditionVariable
RtlWakeConditionVariable
RtlWalkFrameChain
RtlWalkHeap
RtlWeaklyEnumerateEntryHashTable
RtlWerpReportException
RtlWnfCompareChangeStamp
RtlWnfDllUnloadCallback
RtlWow64CallFunction64
RtlWow64EnableFsRedirection
RtlWow64EnableFsRedirectionEx
RtlWow64GetCpuAreaInfo
RtlWow64GetCurrentCpuArea
RtlWow64GetCurrentMachine
RtlWow64GetEquivalentMachineCHPE
RtlWow64GetProcessMachines
RtlWow64GetSharedInfoProcess
RtlWow64GetThreadContext
RtlWow64GetThreadSelectorEntry
RtlWow64IsWowGuestMachineSupported
RtlWow64LogMessageInEventLogger
RtlWow64PopAllCrossProcessWorkFromWorkList
RtlWow64PopCrossProcessWorkFromFreeList
RtlWow64PushCrossProcessWorkOntoFreeList
RtlWow64PushCrossProcessWorkOntoWorkList
RtlWow64RequestCrossProcessHeavyFlush
RtlWow64SetThreadContext
RtlWow64SuspendProcess
RtlWow64SuspendThread
RtlWriteMemoryStream
RtlWriteNonVolatileMemory
RtlWriteRegistryValue
RtlZeroHeap
RtlZeroMemory
RtlZombifyActivationContext
RtlpApplyLengthFunction
RtlpCheckDynamicTimeZoneInformation
RtlpCleanupRegistryKeys
RtlpConvertAbsoluteToRelativeSecurityAttribute
RtlpConvertCultureNamesToLCIDs
RtlpConvertLCIDsToCultureNames
RtlpConvertRelativeToAbsoluteSecurityAttribute
RtlpCreateProcessRegistryInfo
RtlpEnsureBufferSize
RtlpExecuteUmsThread
RtlpFreezeTimeBias
RtlpGetDeviceFamilyInfoEnum
RtlpGetLCIDFromLangInfoNode
RtlpGetNameFromLangInfoNode
RtlpGetSystemDefaultUILanguage
RtlpGetUserOrMachineUILanguage4NLS
RtlpInitializeLangRegistryInfo
RtlpIsQualifiedLanguage
RtlpLoadMachineUIByPolicy
RtlpLoadUserUIByPolicy
RtlpMergeSecurityAttributeInformation
RtlpMuiFreeLangRegistryInfo
RtlpMuiRegCreateRegistryInfo
RtlpMuiRegFreeRegistryInfo
RtlpMuiRegLoadRegistryInfo
RtlpNotOwnerCriticalSection
RtlpNtCreateKey
RtlpNtEnumerateSubKey
RtlpNtMakeTemporaryKey
RtlpNtOpenKey
RtlpNtQueryValueKey
RtlpNtSetValueKey
RtlpQueryDefaultUILanguage
RtlpQueryProcessDebugInformationFromWow64
RtlpQueryProcessDebugInformationRemote
RtlpRefreshCachedUILanguage
RtlpSetInstallLanguage
RtlpSetPreferredUILanguages
RtlpSetUserPreferredUILanguages
RtlpTimeFieldsToTime
RtlpTimeToTimeFields
RtlpUmsExecuteYieldThreadEnd
RtlpUmsThreadYield
RtlpUnWaitCriticalSection
RtlpVerifyAndCommitUILanguageSettings
RtlpWaitForCriticalSection
RtlpWow64CtxFromAmd64
RtlpWow64GetContextOnAmd64
RtlpWow64SetContextOnAmd64
RtlxAnsiStringToUnicodeSize
RtlxOemStringToUnicodeSize
RtlxUnicodeStringToAnsiSize
RtlxUnicodeStringToOemSize
SbExecuteProcedure
SbSelectProcedure
ShipAssert
ShipAssertGetBufferInfo
ShipAssertMsgA
ShipAssertMsgW
TpAllocAlpcCompletion
TpAllocAlpcCompletionEx
TpAllocCleanupGroup
TpAllocIoCompletion
TpAllocJobNotification
TpAllocPool
TpAllocTimer
TpAllocWait
TpAllocWork
TpAlpcRegisterCompletionList
TpAlpcUnregisterCompletionList
TpCallbackDetectedUnrecoverableError
TpCallbackIndependent
TpCallbackLeaveCriticalSectionOnCompletion
TpCallbackMayRunLong
TpCallbackReleaseMutexOnCompletion
TpCallbackReleaseSemaphoreOnCompletion
TpCallbackSendAlpcMessageOnCompletion
TpCallbackSendPendingAlpcMessage
TpCallbackSetEventOnCompletion
TpCallbackUnloadDllOnCompletion
TpCancelAsyncIoOperation
TpCaptureCaller
TpCheckTerminateWorker
TpDbgDumpHeapUsage
TpDbgSetLogRoutine
TpDisablePoolCallbackChecks
TpDisassociateCallback
TpIsTimerSet
TpPostWork
TpQueryPoolStackInformation
TpReleaseAlpcCompletion
TpReleaseCleanupGroup
TpReleaseCleanupGroupMembers
TpReleaseIoCompletion
TpReleaseJobNotification
TpReleasePool
TpReleaseTimer
TpReleaseWait
TpReleaseWork
TpSetDefaultPoolMaxThreads
TpSetDefaultPoolStackInformation
TpSetPoolMaxThreads
TpSetPoolMaxThreadsSoftLimit
TpSetPoolMinThreads
TpSetPoolStackInformation
TpSetPoolThreadBasePriority
TpSetPoolThreadCpuSets
TpSetPoolWorkerThreadIdleTimeout
TpSetTimer
TpSetTimerEx
TpSetWait
TpSetWaitEx
TpSimpleTryPost
TpStartAsyncIoOperation
TpTimerOutstandingCallbackCount
TpTrimPools
TpWaitForAlpcCompletion
TpWaitForIoCompletion
TpWaitForJobNotification
TpWaitForTimer
TpWaitForWait
TpWaitForWork
VerSetConditionMask
WerReportExceptionWorker
WerReportSQMEvent
WinSqmAddToAverageDWORD
WinSqmAddToStream
WinSqmAddToStreamEx
WinSqmCheckEscalationAddToStreamEx
WinSqmCheckEscalationSetDWORD
WinSqmCheckEscalationSetDWORD64
WinSqmCheckEscalationSetString
WinSqmCommonDatapointDelete
WinSqmCommonDatapointSetDWORD
WinSqmCommonDatapointSetDWORD64
WinSqmCommonDatapointSetStreamEx
WinSqmCommonDatapointSetString
WinSqmEndSession
WinSqmEventEnabled
WinSqmEventWrite
WinSqmGetEscalationRuleStatus
WinSqmGetInstrumentationProperty
WinSqmIncrementDWORD
WinSqmIsOptedIn
WinSqmIsOptedInEx
WinSqmIsSessionDisabled
WinSqmSetDWORD
WinSqmSetDWORD64
WinSqmSetEscalationInfo
WinSqmSetIfMaxDWORD
WinSqmSetIfMinDWORD
WinSqmSetString
WinSqmStartSession
WinSqmStartSessionForPartner
WinSqmStartSqmOptinListener
ZwAcceptConnectPort
ZwAccessCheck
ZwAccessCheckAndAuditAlarm
ZwAccessCheckByType
ZwAccessCheckByTypeAndAuditAlarm
ZwAccessCheckByTypeResultList
ZwAccessCheckByTypeResultListAndAuditAlarm
ZwAccessCheckByTypeResultListAndAuditAlarmByHandle
ZwAcquireCrossVmMutant
ZwAcquireProcessActivityReference
ZwAddAtom
ZwAddAtomEx
ZwAddBootEntry
ZwAddDriverEntry
ZwAdjustGroupsToken
ZwAdjustPrivilegesToken
ZwAdjustTokenClaimsAndDeviceGroups
ZwAlertResumeThread
ZwAlertThread
ZwAlertThreadByThreadId
ZwAllocateLocallyUniqueId
ZwAllocateReserveObject
ZwAllocateUserPhysicalPages
ZwAllocateUserPhysicalPagesEx
ZwAllocateUuids
ZwAllocateVirtualMemory
ZwAllocateVirtualMemoryEx
ZwAlpcAcceptConnectPort
ZwAlpcCancelMessage
ZwAlpcConnectPort
ZwAlpcConnectPortEx
ZwAlpcCreatePort
ZwAlpcCreatePortSection
ZwAlpcCreateResourceReserve
ZwAlpcCreateSectionView
ZwAlpcCreateSecurityContext
ZwAlpcDeletePortSection
ZwAlpcDeleteResourceReserve
ZwAlpcDeleteSectionView
ZwAlpcDeleteSecurityContext
ZwAlpcDisconnectPort
ZwAlpcImpersonateClientContainerOfPort
ZwAlpcImpersonateClientOfPort
ZwAlpcOpenSenderProcess
ZwAlpcOpenSenderThread
ZwAlpcQueryInformation
ZwAlpcQueryInformationMessage
ZwAlpcRevokeSecurityContext
ZwAlpcSendWaitReceivePort
ZwAlpcSetInformation
ZwApphelpCacheControl
ZwAreMappedFilesTheSame
ZwAssignProcessToJobObject
ZwAssociateWaitCompletionPacket
ZwCallEnclave
ZwCallbackReturn
ZwCancelIoFile
ZwCancelIoFileEx
ZwCancelSynchronousIoFile
ZwCancelTimer
ZwCancelTimer2
ZwCancelWaitCompletionPacket
ZwClearEvent
ZwClose
ZwCloseObjectAuditAlarm
ZwCommitComplete
ZwCommitEnlistment
ZwCommitRegistryTransaction
ZwCommitTransaction
ZwCompactKeys
ZwCompareObjects
ZwCompareSigningLevels
ZwCompareTokens
ZwCompleteConnectPort
ZwCompressKey
ZwConnectPort
ZwContinue
ZwContinueEx
ZwConvertBetweenAuxiliaryCounterAndPerformanceCounter
ZwCreateCrossVmEvent
ZwCreateCrossVmMutant
ZwCreateDebugObject
ZwCreateDirectoryObject
ZwCreateDirectoryObjectEx
ZwCreateEnclave
ZwCreateEnlistment
ZwCreateEvent
ZwCreateEventPair
ZwCreateFile
ZwCreateIRTimer
ZwCreateIoCompletion
ZwCreateJobObject
ZwCreateJobSet
ZwCreateKey
ZwCreateKeyTransacted
ZwCreateKeyedEvent
ZwCreateLowBoxToken
ZwCreateMailslotFile
ZwCreateMutant
ZwCreateNamedPipeFile
ZwCreatePagingFile
ZwCreatePartition
ZwCreatePort
ZwCreatePrivateNamespace
ZwCreateProcess
ZwCreateProcessEx
ZwCreateProfile
ZwCreateProfileEx
ZwCreateRegistryTransaction
ZwCreateResourceManager
ZwCreateSection
ZwCreateSectionEx
ZwCreateSemaphore
ZwCreateSymbolicLinkObject
ZwCreateThread
ZwCreateThreadEx
ZwCreateTimer
ZwCreateTimer2
ZwCreateToken
ZwCreateTokenEx
ZwCreateTransaction
ZwCreateTransactionManager
ZwCreateUserProcess
ZwCreateWaitCompletionPacket
ZwCreateWaitablePort
ZwCreateWnfStateName
ZwCreateWorkerFactory
ZwDebugActiveProcess
ZwDebugContinue
ZwDelayExecution
ZwDeleteAtom
ZwDeleteBootEntry
ZwDeleteDriverEntry
ZwDeleteFile
ZwDeleteKey
ZwDeleteObjectAuditAlarm
ZwDeletePrivateNamespace
ZwDeleteValueKey
ZwDeleteWnfStateData
ZwDeleteWnfStateName
ZwDeviceIoControlFile
ZwDirectGraphicsCall
ZwDisableLastKnownGood
ZwDisplayString
ZwDrawText
ZwDuplicateObject
ZwDuplicateToken
ZwEnableLastKnownGood
ZwEnumerateBootEntries
ZwEnumerateDriverEntries
ZwEnumerateKey
ZwEnumerateSystemEnvironmentValuesEx
ZwEnumerateTransactionObject
ZwEnumerateValueKey
ZwExtendSection
ZwFilterBootOption
ZwFilterToken
ZwFilterTokenEx
ZwFindAtom
ZwFlushBuffersFile
ZwFlushBuffersFileEx
ZwFlushInstallUILanguage
ZwFlushInstructionCache
ZwFlushKey
ZwFlushProcessWriteBuffers
ZwFlushVirtualMemory
ZwFlushWriteBuffer
ZwFreeUserPhysicalPages
ZwFreeVirtualMemory
ZwFreezeRegistry
ZwFreezeTransactions
ZwFsControlFile
ZwGetCachedSigningLevel
ZwGetCompleteWnfStateSubscription
ZwGetContextThread
ZwGetCurrentProcessorNumber
ZwGetCurrentProcessorNumberEx
ZwGetDevicePowerState
ZwGetMUIRegistryInfo
ZwGetNextProcess
ZwGetNextThread
ZwGetNlsSectionPtr
ZwGetNotificationResourceManager
ZwGetWriteWatch
ZwImpersonateAnonymousToken
ZwImpersonateClientOfPort
ZwImpersonateThread
ZwInitializeEnclave
ZwInitializeNlsFiles
ZwInitializeRegistry
ZwInitiatePowerAction
ZwIsProcessInJob
ZwIsSystemResumeAutomatic
ZwIsUILanguageComitted
ZwListenPort
ZwLoadDriver
ZwLoadEnclaveData
ZwLoadKey
ZwLoadKey2
ZwLoadKey3
ZwLoadKeyEx
ZwLockFile
ZwLockProductActivationKeys
ZwLockRegistryKey
ZwLockVirtualMemory
ZwMakePermanentObject
ZwMakeTemporaryObject
ZwManageHotPatch
ZwManagePartition
ZwMapCMFModule
ZwMapUserPhysicalPages
ZwMapUserPhysicalPagesScatter
ZwMapViewOfSection
ZwMapViewOfSectionEx
ZwModifyBootEntry
ZwModifyDriverEntry
ZwNotifyChangeDirectoryFile
ZwNotifyChangeDirectoryFileEx
ZwNotifyChangeKey
ZwNotifyChangeMultipleKeys
ZwNotifyChangeSession
ZwOpenDirectoryObject
ZwOpenEnlistment
ZwOpenEvent
ZwOpenEventPair
ZwOpenFile
ZwOpenIoCompletion
ZwOpenJobObject
ZwOpenKey
ZwOpenKeyEx
ZwOpenKeyTransacted
ZwOpenKeyTransactedEx
ZwOpenKeyedEvent
ZwOpenMutant
ZwOpenObjectAuditAlarm
ZwOpenPartition
ZwOpenPrivateNamespace
ZwOpenProcess
ZwOpenProcessToken
ZwOpenProcessTokenEx
ZwOpenRegistryTransaction
ZwOpenResourceManager
ZwOpenSection
ZwOpenSemaphore
ZwOpenSession
ZwOpenSymbolicLinkObject
ZwOpenThread
ZwOpenThreadToken
ZwOpenThreadTokenEx
ZwOpenTimer
ZwOpenTransaction
ZwOpenTransactionManager
ZwPlugPlayControl
ZwPowerInformation
ZwPrePrepareComplete
ZwPrePrepareEnlistment
ZwPrepareComplete
ZwPrepareEnlistment
ZwPrivilegeCheck
ZwPrivilegeObjectAuditAlarm
ZwPrivilegedServiceAuditAlarm
ZwPropagationComplete
ZwPropagationFailed
ZwProtectVirtualMemory
ZwPssCaptureVaSpaceBulk
ZwPulseEvent
ZwQueryAttributesFile
ZwQueryAuxiliaryCounterFrequency
ZwQueryBootEntryOrder
ZwQueryBootOptions
ZwQueryDebugFilterState
ZwQueryDefaultLocale
ZwQueryDefaultUILanguage
ZwQueryDirectoryFile
ZwQueryDirectoryFileEx
ZwQueryDirectoryObject
ZwQueryDriverEntryOrder
ZwQueryEaFile
ZwQueryEvent
ZwQueryFullAttributesFile
ZwQueryInformationAtom
ZwQueryInformationByName
ZwQueryInformationEnlistment
ZwQueryInformationFile
ZwQueryInformationJobObject
ZwQueryInformationPort
ZwQueryInformationProcess
ZwQueryInformationResourceManager
ZwQueryInformationThread
ZwQueryInformationToken
ZwQueryInformationTransaction
ZwQueryInformationTransactionManager
ZwQueryInformationWorkerFactory
ZwQueryInstallUILanguage
ZwQueryIntervalProfile
ZwQueryIoCompletion
ZwQueryKey
ZwQueryLicenseValue
ZwQueryMultipleValueKey
ZwQueryMutant
ZwQueryObject
ZwQueryOpenSubKeys
ZwQueryOpenSubKeysEx
ZwQueryPerformanceCounter
ZwQueryPortInformationProcess
ZwQueryQuotaInformationFile
ZwQuerySection
ZwQuerySecurityAttributesToken
ZwQuerySecurityObject
ZwQuerySecurityPolicy
ZwQuerySemaphore
ZwQuerySymbolicLinkObject
ZwQuerySystemEnvironmentValue
ZwQuerySystemEnvironmentValueEx
ZwQuerySystemInformation
ZwQuerySystemInformationEx
ZwQuerySystemTime
ZwQueryTimer
ZwQueryTimerResolution
ZwQueryValueKey
ZwQueryVirtualMemory
ZwQueryVolumeInformationFile
ZwQueryWnfStateData
ZwQueryWnfStateNameInformation
ZwQueueApcThread
ZwQueueApcThreadEx
ZwRaiseException
ZwRaiseHardError
ZwReadFile
ZwReadFileScatter
ZwReadOnlyEnlistment
ZwReadRequestData
ZwReadVirtualMemory
ZwRecoverEnlistment
ZwRecoverResourceManager
ZwRecoverTransactionManager
ZwRegisterProtocolAddressInformation
ZwRegisterThreadTerminatePort
ZwReleaseKeyedEvent
ZwReleaseMutant
ZwReleaseSemaphore
ZwReleaseWorkerFactoryWorker
ZwRemoveIoCompletion
ZwRemoveIoCompletionEx
ZwRemoveProcessDebug
ZwRenameKey
ZwRenameTransactionManager
ZwReplaceKey
ZwReplacePartitionUnit
ZwReplyPort
ZwReplyWaitReceivePort
ZwReplyWaitReceivePortEx
ZwReplyWaitReplyPort
ZwRequestPort
ZwRequestWaitReplyPort
ZwResetEvent
ZwResetWriteWatch
ZwRestoreKey
ZwResumeProcess
ZwResumeThread
ZwRevertContainerImpersonation
ZwRollbackComplete
ZwRollbackEnlistment
ZwRollbackRegistryTransaction
ZwRollbackTransaction
ZwRollforwardTransactionManager
ZwSaveKey
ZwSaveKeyEx
ZwSaveMergedKeys
ZwSecureConnectPort
ZwSerializeBoot
ZwSetBootEntryOrder
ZwSetBootOptions
ZwSetCachedSigningLevel
ZwSetCachedSigningLevel2
ZwSetContextThread
ZwSetDebugFilterState
ZwSetDefaultHardErrorPort
ZwSetDefaultLocale
ZwSetDefaultUILanguage
ZwSetDriverEntryOrder
ZwSetEaFile
ZwSetEvent
ZwSetEventBoostPriority
ZwSetHighEventPair
ZwSetHighWaitLowEventPair
ZwSetIRTimer
ZwSetInformationDebugObject
ZwSetInformationEnlistment
ZwSetInformationFile
ZwSetInformationJobObject
ZwSetInformationKey
ZwSetInformationObject
ZwSetInformationProcess
ZwSetInformationResourceManager
ZwSetInformationSymbolicLink
ZwSetInformationThread
ZwSetInformationToken
ZwSetInformationTransaction
ZwSetInformationTransactionManager
ZwSetInformationVirtualMemory
ZwSetInformationWorkerFactory
ZwSetIntervalProfile
ZwSetIoCompletion
ZwSetIoCompletionEx
ZwSetLdtEntries
ZwSetLowEventPair
ZwSetLowWaitHighEventPair
ZwSetQuotaInformationFile
ZwSetSecurityObject
ZwSetSystemEnvironmentValue
ZwSetSystemEnvironmentValueEx
ZwSetSystemInformation
ZwSetSystemPowerState
ZwSetSystemTime
ZwSetThreadExecutionState
ZwSetTimer
ZwSetTimer2
ZwSetTimerEx
ZwSetTimerResolution
ZwSetUuidSeed
ZwSetValueKey
ZwSetVolumeInformationFile
ZwSetWnfProcessNotificationEvent
ZwShutdownSystem
ZwShutdownWorkerFactory
ZwSignalAndWaitForSingleObject
ZwSinglePhaseReject
ZwStartProfile
ZwStopProfile
ZwSubscribeWnfStateChange
ZwSuspendProcess
ZwSuspendThread
ZwSystemDebugControl
ZwTerminateEnclave
ZwTerminateJobObject
ZwTerminateProcess
ZwTerminateThread
ZwTestAlert
ZwThawRegistry
ZwThawTransactions
ZwTraceControl
ZwTraceEvent
ZwTranslateFilePath
ZwUmsThreadYield
ZwUnloadDriver
ZwUnloadKey
ZwUnloadKey2
ZwUnloadKeyEx
ZwUnlockFile
ZwUnlockVirtualMemory
ZwUnmapViewOfSection
ZwUnmapViewOfSectionEx
ZwUnsubscribeWnfStateChange
ZwUpdateWnfStateData
ZwVdmControl
ZwWaitForAlertByThreadId
ZwWaitForDebugEvent
ZwWaitForKeyedEvent
ZwWaitForMultipleObjects
ZwWaitForMultipleObjects32
ZwWaitForSingleObject
ZwWaitForWorkViaWorkerFactory
ZwWaitHighEventPair
ZwWaitLowEventPair
ZwWorkerFactoryWorkerReady
ZwWriteFile
ZwWriteFileGather
ZwWriteRequestData
ZwWriteVirtualMemory
ZwYieldExecution
__C_specific_handler
__chkstk
__isascii
__iscsym
__iscsymf
__misaligned_access
__toascii
_atoi64
_errno
_fltused
_i64toa
_i64toa_s
_i64tow
_i64tow_s
_itoa
_itoa_s
_itow
_itow_s
_lfind
_local_unwind
_ltoa
_ltoa_s
_ltow
_ltow_s
_makepath_s
_memccpy
_memicmp
_setjmp
_setjmpex
_snprintf
_snprintf_s
_snscanf_s
_snwprintf
_snwprintf_s
_snwscanf_s
_splitpath
_splitpath_s
_strcmpi
_stricmp
_strlwr
_strlwr_s
_strnicmp
_strnset_s
_strset_s
_strupr
_strupr_s
_swprintf
_ui64toa
_ui64toa_s
_ui64tow
_ui64tow_s
_ultoa
_ultoa_s
_ultow
_ultow_s
_vscprintf
_vscwprintf
_vsnprintf
_vsnprintf_s
_vsnwprintf
_vsnwprintf_s
_vswprintf
_wcsicmp
_wcslwr
_wcslwr_s
_wcsnicmp
_wcsnset_s
_wcsset_s
_wcstoi64
_wcstoui64
_wcsupr
_wcsupr_s
_wmakepath_s
_wsplitpath_s
_wtoi
_wtoi64
_wtol
abs
atan
atan2
atoi
atol
bsearch
bsearch_s
ceil
cos
fabs
floor
isalnum
isalpha
iscntrl
isdigit
isgraph
islower
isprint
ispunct
isspace
isupper
iswalnum
iswalpha
iswascii
iswctype
iswdigit
iswgraph
iswlower
iswprint
iswspace
iswxdigit
isxdigit
labs
log
longjmp
mbstowcs
memchr
memcmp
memcpy
memcpy_s
memmove
memmove_s
memset
pow
qsort
qsort_s
sin
sprintf
sprintf_s
sqrt
sscanf
sscanf_s
strcat
strcat_s
strchr
strcmp
strcpy
strcpy_s
strcspn
strlen
strncat
strncat_s
strncmp
strncpy
strncpy_s
strnlen
strpbrk
strrchr
strspn
strstr
strtok_s
strtol
strtoul
swprintf
swprintf_s
swscanf_s
tan
tolower
toupper
towlower
towupper
vDbgPrintEx
vDbgPrintExWithPrefix
vsprintf
vsprintf_s
vswprintf_s
wcscat
wcscat_s
wcschr
wcscmp
wcscpy
wcscpy_s
wcscspn
wcslen
wcsncat
wcsncat_s
wcsncmp
wcsncpy
wcsncpy_s
wcsnlen
wcspbrk
wcsrchr
wcsspn
wcsstr
wcstok_s
wcstol
wcstombs
wcstoul


Nt or Zw are system calls declared in ntdll.dll and ntoskrnl.exe. When called from ntdll.dll in user mode, these groups are almost exactly the same; they trap into kernel mode and call the equivalent function in ntoskrnl.exe via the SSDT. When calling the functions directly in ntoskrnl.exe (only possible in kernel mode), the Zw variants ensure kernel mode, whereas the Nt variants do not.[1] The Zw prefix does not stand for anything.[2]
Rtl is the second largest group of ntdll calls. These comprise the (extended) C Run-Time Library, which includes many utility functions that can be used by native applications, yet don't directly involve kernel support.
Csr are client-server functions that are used to communicate with the Win32 subsystem process, csrss.exe (csrss stands for client/server runtime sub-system).
Dbg are debugging functions such as a software breakpoint.
Ki are upcalls from kernel mode for events like APC dispatching.
Ldr are loader functions for PE file handling and starting of new processes.
Nls for National Language Support (similar to code pages).
Pfx for prefix handling.
Tp for threadpool handling.


tive API, они могут использовать только функции, экспортируемые из библиотеки ntdll.dll. Для них недоступны функции WinAPI.

The Native API is a lightweight application programming interface (API) used by Windows NT and user mode applications.

То есть это давняя история , связанная с переходом от windows 95/98 на "последние версии" Windows.

фотка 4

N/A
A_SHAFinal
A_SHAInit
A_SHAUpdate
AlpcAdjustCompletionListConcurrencyCount
AlpcFreeCompletionListMessage
AlpcGetCompletionListLastMessageInformation
AlpcGetCompletionListMessageAttributes
AlpcGetHeaderSize
AlpcGetMessageAttribute
AlpcGetMessageFromCompletionList
AlpcGetOutstandingCompletionListMessageCount
AlpcInitializeMessageAttribute
AlpcMaxAllowedMessageLength
AlpcRegisterCompletionList
AlpcRegisterCompletionListWorkerThread
AlpcRundownCompletionList
AlpcUnregisterCompletionList
AlpcUnregisterCompletionListWorkerThread
ApiSetQueryApiSetPresence
ApiSetQueryApiSetPresenceEx
CsrAllocateCaptureBuffer
CsrAllocateMessagePointer
CsrCaptureMessageBuffer
CsrCaptureMessageMultiUnicodeStringsInPlace
CsrCaptureMessageString
CsrCaptureTimeout
CsrClientCallServer
CsrClientConnectToServer
CsrFreeCaptureBuffer
CsrGetProcessId
CsrIdentifyAlertableThread
CsrSetPriorityClass
CsrVerifyRegion
DbgBreakPoint
DbgPrint
DbgPrintEx
DbgPrintReturnControlC
DbgPrompt
DbgQueryDebugFilterState
DbgSetDebugFilterState
DbgUiConnectToDbg
DbgUiContinue
DbgUiConvertStateChangeStructure
DbgUiConvertStateChangeStructureEx
DbgUiDebugActiveProcess
DbgUiGetThreadDebugObject
DbgUiIssueRemoteBreakin
DbgUiRemoteBreakin
DbgUiSetThreadDebugObject
DbgUiStopDebugging
DbgUiWaitStateChange
DbgUserBreakPoint
EtwCheckCoverage
EtwCreateTraceInstanceId
EtwDeliverDataBlock
EtwEnumerateProcessRegGuids
EtwEventActivityIdControl
EtwEventEnabled
EtwEventProviderEnabled
EtwEventRegister
EtwEventSetInformation
EtwEventUnregister
EtwEventWrite
EtwEventWriteEndScenario
EtwEventWriteEx
EtwEventWriteFull
EtwEventWriteNoRegistration
EtwEventWriteStartScenario
EtwEventWriteString
EtwEventWriteTransfer
EtwGetTraceEnableFlags
EtwGetTraceEnableLevel
EtwGetTraceLoggerHandle
EtwLogTraceEvent
EtwNotificationRegister
EtwNotificationUnregister
EtwProcessPrivateLoggerRequest
EtwRegisterSecurityProvider
EtwRegisterTraceGuidsA
EtwRegisterTraceGuidsW
EtwReplyNotification
EtwSendNotification
EtwSetMark
EtwTraceEventInstance
EtwTraceMessage
EtwTraceMessageVa
EtwUnregisterTraceGuids
EtwWriteUMSecurityEvent
EtwpCreateEtwThread
EtwpGetCpuSpeed
EvtIntReportAuthzEventAndSourceAsync
EvtIntReportEventAndSourceAsync
ExpInterlockedPopEntrySListEnd
ExpInterlockedPopEntrySListFault
ExpInterlockedPopEntrySListResume
KiRaiseUserExceptionDispatcher
KiUserApcDispatcher
KiUserCallbackDispatcher
KiUserExceptionDispatcher
KiUserInvertedFunctionTable
LdrAccessResource
LdrAddDllDirectory
LdrAddLoadAsDataTable
LdrAddRefDll
LdrAppxHandleIntegrityFailure
LdrCallEnclave
LdrControlFlowGuardEnforced
LdrCreateEnclave
LdrDeleteEnclave
LdrDisableThreadCalloutsForDll
LdrEnumResources
LdrEnumerateLoadedModules
LdrFastFailInLoaderCallout
LdrFindEntryForAddress
LdrFindResourceDirectory_U
LdrFindResourceEx_U
LdrFindResource_U
LdrFlushAlternateResourceModules
LdrGetDllDirectory
LdrGetDllFullName
LdrGetDllHandle
LdrGetDllHandleByMapping
LdrGetDllHandleByName
LdrGetDllHandleEx
LdrGetDllPath
LdrGetFailureData
LdrGetFileNameFromLoadAsDataTable
LdrGetKnownDllSectionHandle
LdrGetProcedureAddress
LdrGetProcedureAddressEx
LdrGetProcedureAddressForCaller
LdrInitShimEngineDynamic
LdrInitializeEnclave
LdrInitializeThunk
LdrIsModuleSxsRedirected
LdrLoadAlternateResourceModule
LdrLoadAlternateResourceModuleEx
LdrLoadDll
LdrLoadEnclaveModule
LdrLockLoaderLock
LdrOpenImageFileOptionsKey
LdrProcessInitializationComplete
LdrProcessRelocationBlock
LdrProcessRelocationBlockEx
LdrQueryImageFileExecutionOptions
LdrQueryImageFileExecutionOptionsEx
LdrQueryImageFileKeyOption
LdrQueryModuleServiceTags
LdrQueryOptionalDelayLoadedAPI
LdrQueryProcessModuleInformation
LdrRegisterDllNotification
LdrRemoveDllDirectory
LdrRemoveLoadAsDataTable
LdrResFindResource
LdrResFindResourceDirectory
LdrResGetRCConfig
LdrResRelease
LdrResSearchResource
LdrResolveDelayLoadedAPI
LdrResolveDelayLoadsFromDll
LdrRscIsTypeExist
LdrSetAppCompatDllRedirectionCallback
LdrSetDefaultDllDirectories
LdrSetDllDirectory
LdrSetDllManifestProber
LdrSetImplicitPathOptions
LdrSetMUICacheType
LdrShutdownProcess
LdrShutdownThread
LdrStandardizeSystemPath
LdrSystemDllInitBlock
LdrUnloadAlternateResourceModule
LdrUnloadAlternateResourceModuleEx
LdrUnloadDll
LdrUnlockLoaderLock
LdrUnregisterDllNotification
LdrUpdatePackageSearchPath
LdrVerifyImageMatchesChecksum
LdrVerifyImageMatchesChecksumEx
LdrpResGetMappingSize
LdrpResGetResourceDirectory
MD4Final
MD4Init
MD4Update
MD5Final
MD5Init
MD5Update
NlsAnsiCodePage
NlsMbCodePageTag
NlsMbOemCodePageTag
NtAcceptConnectPort
NtAccessCheck
NtAccessCheckAndAuditAlarm
NtAccessCheckByType
NtAccessCheckByTypeAndAuditAlarm
NtAccessCheckByTypeResultList
NtAccessCheckByTypeResultListAndAuditAlarm
NtAccessCheckByTypeResultListAndAuditAlarmByHandle
NtAcquireCrossVmMutant
NtAcquireProcessActivityReference
NtAddAtom
NtAddAtomEx
NtAddBootEntry
NtAddDriverEntry
NtAdjustGroupsToken
NtAdjustPrivilegesToken
NtAdjustTokenClaimsAndDeviceGroups
NtAlertResumeThread
NtAlertThread
NtAlertThreadByThreadId
NtAllocateLocallyUniqueId
NtAllocateReserveObject
NtAllocateUserPhysicalPages
NtAllocateUserPhysicalPagesEx
NtAllocateUuids
NtAllocateVirtualMemory
NtAllocateVirtualMemoryEx
NtAlpcAcceptConnectPort
NtAlpcCancelMessage
NtAlpcConnectPort
NtAlpcConnectPortEx
NtAlpcCreatePort
NtAlpcCreatePortSection
NtAlpcCreateResourceReserve
NtAlpcCreateSectionView
NtAlpcCreateSecurityContext
NtAlpcDeletePortSection
NtAlpcDeleteResourceReserve
NtAlpcDeleteSectionView
NtAlpcDeleteSecurityContext
NtAlpcDisconnectPort
NtAlpcImpersonateClientContainerOfPort
NtAlpcImpersonateClientOfPort
NtAlpcOpenSenderProcess
NtAlpcOpenSenderThread
NtAlpcQueryInformation
NtAlpcQueryInformationMessage
NtAlpcRevokeSecurityContext
NtAlpcSendWaitReceivePort
NtAlpcSetInformation
NtApphelpCacheControl
NtAreMappedFilesTheSame
NtAssignProcessToJobObject
NtAssociateWaitCompletionPacket
NtCallEnclave
NtCallbackReturn
NtCancelIoFile
NtCancelIoFileEx
NtCancelSynchronousIoFile
NtCancelTimer
NtCancelTimer2
NtCancelWaitCompletionPacket
NtClearEvent
NtClose
NtCloseObjectAuditAlarm
NtCommitComplete
NtCommitEnlistment
NtCommitRegistryTransaction
NtCommitTransaction
NtCompactKeys
NtCompareObjects
NtCompareSigningLevels
NtCompareTokens
NtCompleteConnectPort
NtCompressKey
NtConnectPort
NtContinue
NtContinueEx
NtConvertBetweenAuxiliaryCounterAndPerformanceCounter
NtCreateCrossVmEvent
NtCreateCrossVmMutant
NtCreateDebugObject
NtCreateDirectoryObject
NtCreateDirectoryObjectEx
NtCreateEnclave
NtCreateEnlistment
NtCreateEvent
NtCreateEventPair
NtCreateFile
NtCreateIRTimer
NtCreateIoCompletion
NtCreateJobObject
NtCreateJobSet
NtCreateKey
NtCreateKeyTransacted
NtCreateKeyedEvent
NtCreateLowBoxToken
NtCreateMailslotFile
NtCreateMutant
NtCreateNamedPipeFile
NtCreatePagingFile
NtCreatePartition
NtCreatePort
NtCreatePrivateNamespace
NtCreateProcess
NtCreateProcessEx
NtCreateProfile
NtCreateProfileEx
NtCreateRegistryTransaction
NtCreateResourceManager
NtCreateSection
NtCreateSectionEx
NtCreateSemaphore
NtCreateSymbolicLinkObject
NtCreateThread
NtCreateThreadEx
NtCreateTimer
NtCreateTimer2
NtCreateToken
NtCreateTokenEx
NtCreateTransaction
NtCreateTransactionManager
NtCreateUserProcess
NtCreateWaitCompletionPacket
NtCreateWaitablePort
NtCreateWnfStateName
NtCreateWorkerFactory
NtDebugActiveProcess
NtDebugContinue
NtDelayExecution
NtDeleteAtom
NtDeleteBootEntry
NtDeleteDriverEntry
NtDeleteFile
NtDeleteKey
NtDeleteObjectAuditAlarm
NtDeletePrivateNamespace
NtDeleteValueKey
NtDeleteWnfStateData
NtDeleteWnfStateName
NtDeviceIoControlFile
NtDirectGraphicsCall
NtDisableLastKnownGood
NtDisplayString
NtDrawText
NtDuplicateObject
NtDuplicateToken
NtEnableLastKnownGood
NtEnumerateBootEntries
NtEnumerateDriverEntries
NtEnumerateKey
NtEnumerateSystemEnvironmentValuesEx
NtEnumerateTransactionObject
NtEnumerateValueKey
NtExtendSection
NtFilterBootOption
NtFilterToken
NtFilterTokenEx
NtFindAtom
NtFlushBuffersFile
NtFlushBuffersFileEx
NtFlushInstallUILanguage
NtFlushInstructionCache
NtFlushKey
NtFlushProcessWriteBuffers
NtFlushVirtualMemory
NtFlushWriteBuffer
NtFreeUserPhysicalPages
NtFreeVirtualMemory
NtFreezeRegistry
NtFreezeTransactions
NtFsControlFile
NtGetCachedSigningLevel
NtGetCompleteWnfStateSubscription
NtGetContextThread
NtGetCurrentProcessorNumber
NtGetCurrentProcessorNumberEx
NtGetDevicePowerState
NtGetMUIRegistryInfo
NtGetNextProcess
NtGetNextThread
NtGetNlsSectionPtr
NtGetNotificationResourceManager
NtGetTickCount
NtGetWriteWatch
NtImpersonateAnonymousToken
NtImpersonateClientOfPort
NtImpersonateThread
NtInitializeEnclave
NtInitializeNlsFiles
NtInitializeRegistry
NtInitiatePowerAction
NtIsProcessInJob
NtIsSystemResumeAutomatic
NtIsUILanguageComitted
NtListenPort
NtLoadDriver
NtLoadEnclaveData
NtLoadKey
NtLoadKey2
NtLoadKey3
NtLoadKeyEx
NtLockFile
NtLockProductActivationKeys
NtLockRegistryKey
NtLockVirtualMemory
NtMakePermanentObject
NtMakeTemporaryObject
NtManageHotPatch
NtManagePartition
NtMapCMFModule
NtMapUserPhysicalPages
NtMapUserPhysicalPagesScatter
NtMapViewOfSection
NtMapViewOfSectionEx
NtModifyBootEntry
NtModifyDriverEntry
NtNotifyChangeDirectoryFile
NtNotifyChangeDirectoryFileEx
NtNotifyChangeKey
NtNotifyChangeMultipleKeys
NtNotifyChangeSession
NtOpenDirectoryObject
NtOpenEnlistment
NtOpenEvent
NtOpenEventPair
NtOpenFile
NtOpenIoCompletion
NtOpenJobObject
NtOpenKey
NtOpenKeyEx
NtOpenKeyTransacted
NtOpenKeyTransactedEx
NtOpenKeyedEvent
NtOpenMutant
NtOpenObjectAuditAlarm
NtOpenPartition
NtOpenPrivateNamespace
NtOpenProcess
NtOpenProcessToken
NtOpenProcessTokenEx
NtOpenRegistryTransaction
NtOpenResourceManager
NtOpenSection
NtOpenSemaphore
NtOpenSession
NtOpenSymbolicLinkObject
NtOpenThread
NtOpenThreadToken
NtOpenThreadTokenEx
NtOpenTimer
NtOpenTransaction
NtOpenTransactionManager
NtPlugPlayControl
NtPowerInformation
NtPrePrepareComplete
NtPrePrepareEnlistment
NtPrepareComplete
NtPrepareEnlistment
NtPrivilegeCheck
NtPrivilegeObjectAuditAlarm
NtPrivilegedServiceAuditAlarm
NtPropagationComplete
NtPropagationFailed
NtProtectVirtualMemory
NtPssCaptureVaSpaceBulk
NtPulseEvent
NtQueryAttributesFile
NtQueryAuxiliaryCounterFrequency
NtQueryBootEntryOrder
NtQueryBootOptions
NtQueryDebugFilterState
NtQueryDefaultLocale
NtQueryDefaultUILanguage
NtQueryDirectoryFile
NtQueryDirectoryFileEx
NtQueryDirectoryObject
NtQueryDriverEntryOrder
NtQueryEaFile
NtQueryEvent
NtQueryFullAttributesFile
NtQueryInformationAtom
NtQueryInformationByName
NtQueryInformationEnlistment
NtQueryInformationFile
NtQueryInformationJobObject
NtQueryInformationPort
NtQueryInformationProcess
NtQueryInformationResourceManager
NtQueryInformationThread
NtQueryInformationToken
NtQueryInformationTransaction
NtQueryInformationTransactionManager
NtQueryInformationWorkerFactory
NtQueryInstallUILanguage
NtQueryIntervalProfile
NtQueryIoCompletion
NtQueryKey
NtQueryLicenseValue
NtQueryMultipleValueKey
NtQueryMutant
NtQueryObject
NtQueryOpenSubKeys
NtQueryOpenSubKeysEx
NtQueryPerformanceCounter
NtQueryPortInformationProcess
NtQueryQuotaInformationFile
NtQuerySection
NtQuerySecurityAttributesToken
NtQuerySecurityObject
NtQuerySecurityPolicy
NtQuerySemaphore
NtQuerySymbolicLinkObject
NtQuerySystemEnvironmentValue
NtQuerySystemEnvironmentValueEx
NtQuerySystemInformation
NtQuerySystemInformationEx
NtQuerySystemTime
NtQueryTimer
NtQueryTimerResolution
NtQueryValueKey
NtQueryVirtualMemory
NtQueryVolumeInformationFile
NtQueryWnfStateData
NtQueryWnfStateNameInformation
NtQueueApcThread
NtQueueApcThreadEx
NtRaiseException
NtRaiseHardError
NtReadFile
NtReadFileScatter
NtReadOnlyEnlistment
NtReadRequestData
NtReadVirtualMemory
NtRecoverEnlistment
NtRecoverResourceManager
NtRecoverTransactionManager
NtRegisterProtocolAddressInformation
NtRegisterThreadTerminatePort
NtReleaseKeyedEvent
NtReleaseMutant
NtReleaseSemaphore
NtReleaseWorkerFactoryWorker
NtRemoveIoCompletion
NtRemoveIoCompletionEx
NtRemoveProcessDebug
NtRenameKey
NtRenameTransactionManager
NtReplaceKey
NtReplacePartitionUnit
NtReplyPort
NtReplyWaitReceivePort
NtReplyWaitReceivePortEx
NtReplyWaitReplyPort
NtRequestPort
NtRequestWaitReplyPort
NtResetEvent
NtResetWriteWatch
NtRestoreKey
NtResumeProcess
NtResumeThread
NtRevertContainerImpersonation
NtRollbackComplete
NtRollbackEnlistment
NtRollbackRegistryTransaction
NtRollbackTransaction
NtRollforwardTransactionManager
NtSaveKey
NtSaveKeyEx
NtSaveMergedKeys
NtSecureConnectPort
NtSerializeBoot
NtSetBootEntryOrder
NtSetBootOptions
NtSetCachedSigningLevel
NtSetCachedSigningLevel2
NtSetContextThread
NtSetDebugFilterState
NtSetDefaultHardErrorPort
NtSetDefaultLocale
NtSetDefaultUILanguage
NtSetDriverEntryOrder
NtSetEaFile
NtSetEvent
NtSetEventBoostPriority
NtSetHighEventPair
NtSetHighWaitLowEventPair
NtSetIRTimer
NtSetInformationDebugObject
NtSetInformationEnlistment
NtSetInformationFile
NtSetInformationJobObject
NtSetInformationKey
NtSetInformationObject
NtSetInformationProcess
NtSetInformationResourceManager
NtSetInformationSymbolicLink
NtSetInformationThread
NtSetInformationToken
NtSetInformationTransaction
NtSetInformationTransactionManager
NtSetInformationVirtualMemory
NtSetInformationWorkerFactory
NtSetIntervalProfile
NtSetIoCompletion
NtSetIoCompletionEx
NtSetLdtEntries
NtSetLowEventPair
NtSetLowWaitHighEventPair
NtSetQuotaInformationFile
NtSetSecurityObject
NtSetSystemEnvironmentValue
NtSetSystemEnvironmentValueEx
NtSetSystemInformation
NtSetSystemPowerState
NtSetSystemTime
NtSetThreadExecutionState
NtSetTimer
NtSetTimer2
NtSetTimerEx
NtSetTimerResolution
NtSetUuidSeed
NtSetValueKey
NtSetVolumeInformationFile
NtSetWnfProcessNotificationEvent
NtShutdownSystem
NtShutdownWorkerFactory
NtSignalAndWaitForSingleObject
NtSinglePhaseReject
NtStartProfile
NtStopProfile
NtSubscribeWnfStateChange
NtSuspendProcess
NtSuspendThread
NtSystemDebugControl
NtTerminateEnclave
NtTerminateJobObject
NtTerminateProcess
NtTerminateThread
NtTestAlert
NtThawRegistry
NtThawTransactions
NtTraceControl
NtTraceEvent
NtTranslateFilePath
NtUmsThreadYield
NtUnloadDriver
NtUnloadKey
NtUnloadKey2
NtUnloadKeyEx
NtUnlockFile
NtUnlockVirtualMemory
NtUnmapViewOfSection
NtUnmapViewOfSectionEx
NtUnsubscribeWnfStateChange
NtUpdateWnfStateData
NtVdmControl
NtWaitForAlertByThreadId
NtWaitForDebugEvent
NtWaitForKeyedEvent
NtWaitForMultipleObjects
NtWaitForMultipleObjects32
NtWaitForSingleObject
NtWaitForWorkViaWorkerFactory
NtWaitHighEventPair
NtWaitLowEventPair
NtWorkerFactoryWorkerReady
NtWriteFile
NtWriteFileGather
NtWriteRequestData
NtWriteVirtualMemory
NtYieldExecution
NtdllDefWindowProc_A
NtdllDefWindowProc_W
NtdllDialogWndProc_A
NtdllDialogWndProc_W
PfxFindPrefix
PfxInitialize
PfxInsertPrefix
PfxRemovePrefix
PssNtCaptureSnapshot
PssNtDuplicateSnapshot
PssNtFreeRemoteSnapshot
PssNtFreeSnapshot
PssNtFreeWalkMarker
PssNtQuerySnapshot
PssNtValidateDescriptor
PssNtWalkSnapshot
RtlAbortRXact
RtlAbsoluteToSelfRelativeSD
RtlAcquirePebLock
RtlAcquirePrivilege
RtlAcquireReleaseSRWLockExclusive
RtlAcquireResourceExclusive
RtlAcquireResourceShared
RtlAcquireSRWLockExclusive
RtlAcquireSRWLockShared
RtlActivateActivationContext
RtlActivateActivationContextEx
RtlActivateActivationContextUnsafeFast
RtlAddAccessAllowedAce
RtlAddAccessAllowedAceEx
RtlAddAccessAllowedObjectAce
RtlAddAccessDeniedAce
RtlAddAccessDeniedAceEx
RtlAddAccessDeniedObjectAce
RtlAddAccessFilterAce
RtlAddAce
RtlAddActionToRXact
RtlAddAtomToAtomTable
RtlAddAttributeActionToRXact
RtlAddAuditAccessAce
RtlAddAuditAccessAceEx
RtlAddAuditAccessObjectAce
RtlAddCompoundAce
RtlAddFunctionTable
RtlAddGrowableFunctionTable
RtlAddIntegrityLabelToBoundaryDescriptor
RtlAddMandatoryAce
RtlAddProcessTrustLabelAce
RtlAddRefActivationContext
RtlAddRefMemoryStream
RtlAddResourceAttributeAce
RtlAddSIDToBoundaryDescriptor
RtlAddScopedPolicyIDAce
RtlAddVectoredContinueHandler
RtlAddVectoredExceptionHandler
RtlAddressInSectionTable
RtlAdjustPrivilege
RtlAllocateActivationContextStack
RtlAllocateAndInitializeSid
RtlAllocateAndInitializeSidEx
RtlAllocateHandle
RtlAllocateHeap
RtlAllocateMemoryBlockLookaside
RtlAllocateMemoryZone
RtlAllocateWnfSerializationGroup
RtlAnsiCharToUnicodeChar
RtlAnsiStringToUnicodeSize
RtlAnsiStringToUnicodeString
RtlAppendAsciizToString
RtlAppendPathElement
RtlAppendStringToString
RtlAppendUnicodeStringToString
RtlAppendUnicodeToString
RtlApplicationVerifierStop
RtlApplyRXact
RtlApplyRXactNoFlush
RtlAppxIsFileOwnedByTrustedInstaller
RtlAreAllAccessesGranted
RtlAreAnyAccessesGranted
RtlAreBitsClear
RtlAreBitsClearEx
RtlAreBitsSet
RtlAreLongPathsEnabled
RtlAssert
RtlAvlInsertNodeEx
RtlAvlRemoveNode
RtlBarrier
RtlBarrierForDelete
RtlCallEnclaveReturn
RtlCancelTimer
RtlCanonicalizeDomainName
RtlCapabilityCheck
RtlCapabilityCheckForSingleSessionSku
RtlCaptureContext
RtlCaptureContext2
RtlCaptureStackBackTrace
RtlCharToInteger
RtlCheckBootStatusIntegrity
RtlCheckForOrphanedCriticalSections
RtlCheckPortableOperatingSystem
RtlCheckRegistryKey
RtlCheckSandboxedToken
RtlCheckSystemBootStatusIntegrity
RtlCheckTokenCapability
RtlCheckTokenMembership
RtlCheckTokenMembershipEx
RtlCleanUpTEBLangLists
RtlClearAllBits
RtlClearAllBitsEx
RtlClearBit
RtlClearBitEx
RtlClearBits
RtlClearBitsEx
RtlClearThreadWorkOnBehalfTicket
RtlCloneMemoryStream
RtlCloneUserProcess
RtlCmDecodeMemIoResource
RtlCmEncodeMemIoResource
RtlCommitDebugInfo
RtlCommitMemoryStream
RtlCompactHeap
RtlCompareAltitudes
RtlCompareMemory
RtlCompareMemoryUlong
RtlCompareString
RtlCompareUnicodeString
RtlCompareUnicodeStrings
RtlCompleteProcessCloning
RtlCompressBuffer
RtlComputeCrc32
RtlComputeImportTableHash
RtlComputePrivatizedDllName_U
RtlConnectToSm
RtlConsoleMultiByteToUnicodeN
RtlConstructCrossVmEventPath
RtlConstructCrossVmMutexPath
RtlContractHashTable
RtlConvertDeviceFamilyInfoToString
RtlConvertExclusiveToShared
RtlConvertLCIDToString
RtlConvertSRWLockExclusiveToShared
RtlConvertSharedToExclusive
RtlConvertSidToUnicodeString
RtlConvertToAutoInheritSecurityObject
RtlCopyBitMap
RtlCopyContext
RtlCopyExtendedContext
RtlCopyLuid
RtlCopyLuidAndAttributesArray
RtlCopyMappedMemory
RtlCopyMemory
RtlCopyMemoryNonTemporal
RtlCopyMemoryStreamTo
RtlCopyOutOfProcessMemoryStreamTo
RtlCopySecurityDescriptor
RtlCopySid
RtlCopySidAndAttributesArray
RtlCopyString
RtlCopyUnicodeString
RtlCrc32
RtlCrc64
RtlCreateAcl
RtlCreateActivationContext
RtlCreateAndSetSD
RtlCreateAtomTable
RtlCreateBootStatusDataFile
RtlCreateBoundaryDescriptor
RtlCreateEnvironment
RtlCreateEnvironmentEx
RtlCreateHashTable
RtlCreateHashTableEx
RtlCreateHeap
RtlCreateMemoryBlockLookaside
RtlCreateMemoryZone
RtlCreateProcessParameters
RtlCreateProcessParametersEx
RtlCreateProcessParametersWithTemplate
RtlCreateProcessReflection
RtlCreateQueryDebugBuffer
RtlCreateRegistryKey
RtlCreateSecurityDescriptor
RtlCreateServiceSid
RtlCreateSystemVolumeInformationFolder
RtlCreateTagHeap
RtlCreateTimer
RtlCreateTimerQueue
RtlCreateUmsCompletionList
RtlCreateUmsThreadContext
RtlCreateUnicodeString
RtlCreateUnicodeStringFromAsciiz
RtlCreateUserFiberShadowStack
RtlCreateUserProcess
RtlCreateUserProcessEx
RtlCreateUserSecurityObject
RtlCreateUserStack
RtlCreateUserThread
RtlCreateVirtualAccountSid
RtlCultureNameToLCID
RtlCustomCPToUnicodeN
RtlCutoverTimeToSystemTime
RtlDeCommitDebugInfo
RtlDeNormalizeProcessParams
RtlDeactivateActivationContext
RtlDeactivateActivationContextUnsafeFast
RtlDebugPrintTimes
RtlDecodePointer
RtlDecodeRemotePointer
RtlDecodeSystemPointer
RtlDecompressBuffer
RtlDecompressBufferEx
RtlDecompressFragment
RtlDefaultNpAcl
RtlDelete
RtlDeleteAce
RtlDeleteAtomFromAtomTable
RtlDeleteBarrier
RtlDeleteBoundaryDescriptor
RtlDeleteCriticalSection
RtlDeleteElementGenericTable
RtlDeleteElementGenericTableAvl
RtlDeleteElementGenericTableAvlEx
RtlDeleteFunctionTable
RtlDeleteGrowableFunctionTable
RtlDeleteHashTable
RtlDeleteNoSplay
RtlDeleteRegistryValue
RtlDeleteResource
RtlDeleteSecurityObject
RtlDeleteTimer
RtlDeleteTimerQueue
RtlDeleteTimerQueueEx
RtlDeleteUmsCompletionList
RtlDeleteUmsThreadContext
RtlDequeueUmsCompletionListItems
RtlDeregisterSecureMemoryCacheCallback
RtlDeregisterWait
RtlDeregisterWaitEx
RtlDeriveCapabilitySidsFromName
RtlDestroyAtomTable
RtlDestroyEnvironment
RtlDestroyHandleTable
RtlDestroyHeap
RtlDestroyMemoryBlockLookaside
RtlDestroyMemoryZone
RtlDestroyProcessParameters
RtlDestroyQueryDebugBuffer
RtlDetectHeapLeaks
RtlDetermineDosPathNameType_U
RtlDisableThreadProfiling
RtlDisownModuleHeapAllocation
RtlDllShutdownInProgress
RtlDnsHostNameToComputerName
RtlDoesFileExists_U
RtlDoesNameContainWildCards
RtlDosApplyFileIsolationRedirection_Ustr
RtlDosLongPathNameToNtPathName_U_WithStatus
RtlDosLongPathNameToRelativeNtPathName_U_WithStatus
RtlDosPathNameToNtPathName_U
RtlDosPathNameToNtPathName_U_WithStatus
RtlDosPathNameToRelativeNtPathName_U
RtlDosPathNameToRelativeNtPathName_U_WithStatus
RtlDosSearchPath_U
RtlDosSearchPath_Ustr
RtlDowncaseUnicodeChar
RtlDowncaseUnicodeString
RtlDrainNonVolatileFlush
RtlDumpResource
RtlDuplicateUnicodeString
RtlEmptyAtomTable
RtlEnableEarlyCriticalSectionEventCreation
RtlEnableThreadProfiling
RtlEnclaveCallDispatch
RtlEnclaveCallDispatchReturn
RtlEncodePointer
RtlEncodeRemotePointer
RtlEncodeSystemPointer
RtlEndEnumerationHashTable
RtlEndStrongEnumerationHashTable
RtlEndWeakEnumerationHashTable
RtlEnterCriticalSection
RtlEnterUmsSchedulingMode
RtlEnumProcessHeaps
RtlEnumerateEntryHashTable
RtlEnumerateGenericTable
RtlEnumerateGenericTableAvl
RtlEnumerateGenericTableLikeADirectory
RtlEnumerateGenericTableWithoutSplaying
RtlEnumerateGenericTableWithoutSplayingAvl
RtlEqualComputerName
RtlEqualDomainName
RtlEqualLuid
RtlEqualPrefixSid
RtlEqualSid
RtlEqualString
RtlEqualUnicodeString
RtlEqualWnfChangeStamps
RtlEraseUnicodeString
RtlEthernetAddressToStringA
RtlEthernetAddressToStringW
RtlEthernetStringToAddressA
RtlEthernetStringToAddressW
RtlExecuteUmsThread
RtlExitUserProcess
RtlExitUserThread
RtlExpandEnvironmentStrings
RtlExpandEnvironmentStrings_U
RtlExpandHashTable
RtlExtendCorrelationVector
RtlExtendMemoryBlockLookaside
RtlExtendMemoryZone
RtlExtractBitMap
RtlFillMemory
RtlFillMemoryNonTemporal
RtlFillNonVolatileMemory
RtlFinalReleaseOutOfProcessMemoryStream
RtlFindAceByType
RtlFindActivationContextSectionGuid
RtlFindActivationContextSectionString
RtlFindCharInUnicodeString
RtlFindClearBits
RtlFindClearBitsAndSet
RtlFindClearBitsEx
RtlFindClearRuns
RtlFindClosestEncodableLength
RtlFindExportedRoutineByName
RtlFindLastBackwardRunClear
RtlFindLeastSignificantBit
RtlFindLongestRunClear
RtlFindMessage
RtlFindMostSignificantBit
RtlFindNextForwardRunClear
RtlFindSetBits
RtlFindSetBitsAndClear
RtlFindSetBitsAndClearEx
RtlFindSetBitsEx
RtlFindUnicodeSubstring
RtlFirstEntrySList
RtlFirstFreeAce
RtlFlsAlloc
RtlFlsFree
RtlFlsGetValue
RtlFlsSetValue
RtlFlushHeaps
RtlFlushNonVolatileMemory
RtlFlushNonVolatileMemoryRanges
RtlFlushSecureMemoryCache
RtlFormatCurrentUserKeyPath
RtlFormatMessage
RtlFormatMessageEx
RtlFreeActivationContextStack
RtlFreeAnsiString
RtlFreeHandle
RtlFreeHeap
RtlFreeMemoryBlockLookaside
RtlFreeNonVolatileToken
RtlFreeOemString
RtlFreeSid
RtlFreeThreadActivationContextStack
RtlFreeUTF8String
RtlFreeUnicodeString
RtlFreeUserFiberShadowStack
RtlFreeUserStack
RtlGUIDFromString
RtlGenerate8dot3Name
RtlGetAce
RtlGetActiveActivationContext
RtlGetActiveConsoleId
RtlGetAppContainerNamedObjectPath
RtlGetAppContainerParent
RtlGetAppContainerSidType
RtlGetCallersAddress
RtlGetCompressionWorkSpaceSize
RtlGetConsoleSessionForegroundProcessId
RtlGetControlSecurityDescriptor
RtlGetCriticalSectionRecursionCount
RtlGetCurrentDirectory_U
RtlGetCurrentPeb
RtlGetCurrentProcessorNumber
RtlGetCurrentProcessorNumberEx
RtlGetCurrentServiceSessionId
RtlGetCurrentTransaction
RtlGetCurrentUmsThread
RtlGetDaclSecurityDescriptor
RtlGetDeviceFamilyInfoEnum
RtlGetElementGenericTable
RtlGetElementGenericTableAvl
RtlGetEnabledExtendedFeatures
RtlGetExePath
RtlGetExtendedContextLength
RtlGetExtendedContextLength2
RtlGetExtendedFeaturesMask
RtlGetFileMUIPath
RtlGetFrame
RtlGetFullPathName_U
RtlGetFullPathName_UEx
RtlGetFullPathName_UstrEx
RtlGetFunctionTableListHead
RtlGetGroupSecurityDescriptor
RtlGetIntegerAtom
RtlGetInterruptTimePrecise
RtlGetLastNtStatus
RtlGetLastWin32Error
RtlGetLengthWithoutLastFullDosOrNtPathElement
RtlGetLengthWithoutTrailingPathSeperators
RtlGetLocaleFileMappingAddress
RtlGetLongestNtPathLength
RtlGetMultiTimePrecise
RtlGetNativeSystemInformation
RtlGetNextEntryHashTable
RtlGetNextUmsListItem
RtlGetNonVolatileToken
RtlGetNtGlobalFlags
RtlGetNtProductType
RtlGetNtSystemRoot
RtlGetNtVersionNumbers
RtlGetOwnerSecurityDescriptor
RtlGetParentLocaleName
RtlGetPersistedStateLocation
RtlGetProcessHeaps
RtlGetProcessPreferredUILanguages
RtlGetProductInfo
RtlGetReturnAddressHijackTarget
RtlGetSaclSecurityDescriptor
RtlGetSearchPath
RtlGetSecurityDescriptorRMControl
RtlGetSessionProperties
RtlGetSetBootStatusData
RtlGetSuiteMask
RtlGetSystemBootStatus
RtlGetSystemBootStatusEx
RtlGetSystemPreferredUILanguages
RtlGetSystemTimeAndBias
RtlGetSystemTimePrecise
RtlGetThreadErrorMode
RtlGetThreadLangIdByIndex
RtlGetThreadPreferredUILanguages
RtlGetThreadWorkOnBehalfTicket
RtlGetTokenNamedObjectPath
RtlGetUILanguageInfo
RtlGetUmsCompletionListEvent
RtlGetUnloadEventTrace
RtlGetUnloadEventTraceEx
RtlGetUserInfoHeap
RtlGetUserPreferredUILanguages
RtlGetVersion
RtlGrowFunctionTable
RtlGuardCheckLongJumpTarget
RtlHashUnicodeString
RtlHeapTrkInitialize
RtlIdentifierAuthoritySid
RtlIdnToAscii
RtlIdnToNameprepUnicode
RtlIdnToUnicode
RtlImageDirectoryEntryToData
RtlImageNtHeader
RtlImageNtHeaderEx
RtlImageRvaToSection
RtlImageRvaToVa
RtlImpersonateSelf
RtlImpersonateSelfEx
RtlIncrementCorrelationVector
RtlInitAnsiString
RtlInitAnsiStringEx
RtlInitBarrier
RtlInitCodePageTable
RtlInitEnumerationHashTable
RtlInitMemoryStream
RtlInitNlsTables
RtlInitOutOfProcessMemoryStream
RtlInitString
RtlInitStringEx
RtlInitStrongEnumerationHashTable
RtlInitUTF8String
RtlInitUTF8StringEx
RtlInitUnicodeString
RtlInitUnicodeStringEx
RtlInitWeakEnumerationHashTable
RtlInitializeAtomPackage
RtlInitializeBitMap
RtlInitializeBitMapEx
RtlInitializeConditionVariable
RtlInitializeContext
RtlInitializeCorrelationVector
RtlInitializeCriticalSection
RtlInitializeCriticalSectionAndSpinCount
RtlInitializeCriticalSectionEx
RtlInitializeExtendedContext
RtlInitializeExtendedContext2
RtlInitializeGenericTable
RtlInitializeGenericTableAvl
RtlInitializeHandleTable
RtlInitializeNtUserPfn
RtlInitializeRXact
RtlInitializeResource
RtlInitializeSListHead
RtlInitializeSRWLock
RtlInitializeSid
RtlInitializeSidEx
RtlInsertElementGenericTable
RtlInsertElementGenericTableAvl
RtlInsertElementGenericTableFull
RtlInsertElementGenericTableFullAvl
RtlInsertEntryHashTable
RtlInstallFunctionTableCallback
RtlInt64ToUnicodeString
RtlIntegerToChar
RtlIntegerToUnicodeString
RtlInterlockedClearBitRun
RtlInterlockedFlushSList
RtlInterlockedPopEntrySList
RtlInterlockedPushEntrySList
RtlInterlockedPushListSList
RtlInterlockedPushListSListEx
RtlInterlockedSetBitRun
RtlIoDecodeMemIoResource
RtlIoEncodeMemIoResource
RtlIpv4AddressToStringA
RtlIpv4AddressToStringExA
RtlIpv4AddressToStringExW
RtlIpv4AddressToStringW
RtlIpv4StringToAddressA
RtlIpv4StringToAddressExA
RtlIpv4StringToAddressExW
RtlIpv4StringToAddressW
RtlIpv6AddressToStringA
RtlIpv6AddressToStringExA
RtlIpv6AddressToStringExW
RtlIpv6AddressToStringW
RtlIpv6StringToAddressA
RtlIpv6StringToAddressExA
RtlIpv6StringToAddressExW
RtlIpv6StringToAddressW
RtlIsActivationContextActive
RtlIsCapabilitySid
RtlIsCloudFilesPlaceholder
RtlIsCriticalSectionLocked
RtlIsCriticalSectionLockedByThread
RtlIsCurrentProcess
RtlIsCurrentThread
RtlIsCurrentThreadAttachExempt
RtlIsDosDeviceName_U
RtlIsElevatedRid
RtlIsGenericTableEmpty
RtlIsGenericTableEmptyAvl
RtlIsMultiSessionSku
RtlIsMultiUsersInSessionSku
RtlIsNameInExpression
RtlIsNameInUnUpcasedExpression
RtlIsNameLegalDOS8Dot3
RtlIsNonEmptyDirectoryReparsePointAllowed
RtlIsNormalizedString
RtlIsPackageSid
RtlIsParentOfChildAppContainer
RtlIsPartialPlaceholder
RtlIsPartialPlaceholderFileHandle
RtlIsPartialPlaceholderFileInfo
RtlIsProcessorFeaturePresent
RtlIsStateSeparationEnabled
RtlIsTextUnicode
RtlIsThreadWithinLoaderCallout
RtlIsUntrustedObject
RtlIsValidHandle
RtlIsValidIndexHandle
RtlIsValidLocaleName
RtlIsValidProcessTrustLabelSid
RtlIsZeroMemory
RtlKnownExceptionFilter
RtlLCIDToCultureName
RtlLargeIntegerToChar
RtlLcidToLocaleName
RtlLeaveCriticalSection
RtlLengthRequiredSid
RtlLengthSecurityDescriptor
RtlLengthSid
RtlLengthSidAsUnicodeString
RtlLoadString
RtlLocalTimeToSystemTime
RtlLocaleNameToLcid
RtlLocateExtendedFeature
RtlLocateExtendedFeature2
RtlLocateLegacyContext
RtlLockBootStatusData
RtlLockCurrentThread
RtlLockHeap
RtlLockMemoryBlockLookaside
RtlLockMemoryStreamRegion
RtlLockMemoryZone
RtlLockModuleSection
RtlLogStackBackTrace
RtlLookupAtomInAtomTable
RtlLookupElementGenericTable
RtlLookupElementGenericTableAvl
RtlLookupElementGenericTableFull
RtlLookupElementGenericTableFullAvl
RtlLookupEntryHashTable
RtlLookupFirstMatchingElementGenericTableAvl
RtlLookupFunctionEntry
RtlLookupFunctionTable
RtlMakeSelfRelativeSD
RtlMapGenericMask
RtlMapSecurityErrorToNtStatus
RtlMoveMemory
RtlMultiAppendUnicodeStringBuffer
RtlMultiByteToUnicodeN
RtlMultiByteToUnicodeSize
RtlMultipleAllocateHeap
RtlMultipleFreeHeap
RtlNewInstanceSecurityObject
RtlNewSecurityGrantedAccess
RtlNewSecurityObject
RtlNewSecurityObjectEx
RtlNewSecurityObjectWithMultipleInheritance
RtlNormalizeProcessParams
RtlNormalizeSecurityDescriptor
RtlNormalizeString
RtlNotifyFeatureUsage
RtlNtPathNameToDosPathName
RtlNtStatusToDosError
RtlNtStatusToDosErrorNoTeb
RtlNtdllName
RtlNumberGenericTableElements
RtlNumberGenericTableElementsAvl
RtlNumberOfClearBits
RtlNumberOfClearBitsEx
RtlNumberOfClearBitsInRange
RtlNumberOfSetBits
RtlNumberOfSetBitsEx
RtlNumberOfSetBitsInRange
RtlNumberOfSetBitsUlongPtr
RtlOemStringToUnicodeSize
RtlOemStringToUnicodeString
RtlOemToUnicodeN
RtlOpenCurrentUser
RtlOsDeploymentState
RtlOwnerAcesPresent
RtlPcToFileHeader
RtlPinAtomInAtomTable
RtlPopFrame
RtlPrefixString
RtlPrefixUnicodeString
RtlPrepareForProcessCloning
RtlProcessFlsData
RtlProtectHeap
RtlPublishWnfStateData
RtlPushFrame
RtlQueryActivationContextApplicationSettings
RtlQueryAllFeatureConfigurations
RtlQueryAtomInAtomTable
RtlQueryCriticalSectionOwner
RtlQueryDepthSList
RtlQueryDynamicTimeZoneInformation
RtlQueryElevationFlags
RtlQueryEnvironmentVariable
RtlQueryEnvironmentVariable_U
RtlQueryFeatureConfiguration
RtlQueryFeatureConfigurationChangeStamp
RtlQueryFeatureUsageNotificationSubscriptions
RtlQueryHeapInformation
RtlQueryImageMitigationPolicy
RtlQueryInformationAcl
RtlQueryInformationActivationContext
RtlQueryInformationActiveActivationContext
RtlQueryInterfaceMemoryStream
RtlQueryModuleInformation
RtlQueryPackageClaims
RtlQueryPackageIdentity
RtlQueryPackageIdentityEx
RtlQueryPerformanceCounter
RtlQueryPerformanceFrequency
RtlQueryProcessBackTraceInformation
RtlQueryProcessDebugInformation
RtlQueryProcessHeapInformation
RtlQueryProcessLockInformation
RtlQueryProcessPlaceholderCompatibilityMode
RtlQueryProtectedPolicy
RtlQueryRegistryValueWithFallback
RtlQueryRegistryValues
RtlQueryRegistryValuesEx
RtlQueryResourcePolicy
RtlQuerySecurityObject
RtlQueryTagHeap
RtlQueryThreadPlaceholderCompatibilityMode
RtlQueryThreadProfiling
RtlQueryTimeZoneInformation
RtlQueryTokenHostIdAsUlong64
RtlQueryUmsThreadInformation
RtlQueryUnbiasedInterruptTime
RtlQueryValidationRunlevel
RtlQueryWnfMetaNotification
RtlQueryWnfStateData
RtlQueryWnfStateDataWithExplicitScope
RtlQueueApcWow64Thread
RtlQueueWorkItem
RtlRaiseCustomSystemEventTrigger
RtlRaiseException
RtlRaiseExceptionForReturnAddressHijack
RtlRaiseNoncontinuableException
RtlRaiseStatus
RtlRandom
RtlRandomEx
RtlRbInsertNodeEx
RtlRbRemoveNode
RtlReAllocateHeap
RtlReadMemoryStream
RtlReadOutOfProcessMemoryStream
RtlReadThreadProfilingData
RtlRealPredecessor
RtlRealSuccessor
RtlRegisterFeatureConfigurationChangeNotification
RtlRegisterForWnfMetaNotification
RtlRegisterSecureMemoryCacheCallback
RtlRegisterThreadWithCsrss
RtlRegisterWait
RtlReleaseActivationContext
RtlReleaseMemoryStream
RtlReleasePath
RtlReleasePebLock
RtlReleasePrivilege
RtlReleaseRelativeName
RtlReleaseResource
RtlReleaseSRWLockExclusive
RtlReleaseSRWLockShared
RtlRemoteCall
RtlRemoveEntryHashTable
RtlRemovePrivileges
RtlRemoveVectoredContinueHandler
RtlRemoveVectoredExceptionHandler
RtlReplaceSidInSd
RtlReplaceSystemDirectoryInPath
RtlReportException
RtlReportExceptionEx
RtlReportSilentProcessExit
RtlReportSqmEscalation
RtlResetMemoryBlockLookaside
RtlResetMemoryZone
RtlResetNtUserPfn
RtlResetRtlTranslations
RtlRestoreBootStatusDefaults
RtlRestoreContext
RtlRestoreLastWin32Error
RtlRestoreSystemBootStatusDefaults
RtlRestoreThreadPreferredUILanguages
RtlRetrieveNtUserPfn
RtlRevertMemoryStream
RtlRunDecodeUnicodeString
RtlRunEncodeUnicodeString
RtlRunOnceBeginInitialize
RtlRunOnceComplete
RtlRunOnceExecuteOnce
RtlRunOnceInitialize
RtlSecondsSince1970ToTime
RtlSecondsSince1980ToTime
RtlSeekMemoryStream
RtlSelfRelativeToAbsoluteSD
RtlSelfRelativeToAbsoluteSD2
RtlSendMsgToSm
RtlSetAllBits
RtlSetAllBitsEx
RtlSetAttributesSecurityDescriptor
RtlSetBit
RtlSetBitEx
RtlSetBits
RtlSetBitsEx
RtlSetControlSecurityDescriptor
RtlSetCriticalSectionSpinCount
RtlSetCurrentDirectory_U
RtlSetCurrentEnvironment
RtlSetCurrentTransaction
RtlSetDaclSecurityDescriptor
RtlSetDynamicTimeZoneInformation
RtlSetEnvironmentStrings
RtlSetEnvironmentVar
RtlSetEnvironmentVariable
RtlSetExtendedFeaturesMask
RtlSetFeatureConfigurations
RtlSetGroupSecurityDescriptor
RtlSetHeapInformation
RtlSetImageMitigationPolicy
RtlSetInformationAcl
RtlSetIoCompletionCallback
RtlSetLastWin32Error
RtlSetLastWin32ErrorAndNtStatusFromNtStatus
RtlSetMemoryStreamSize
RtlSetOwnerSecurityDescriptor
RtlSetPortableOperatingSystem
RtlSetProcessDebugInformation
RtlSetProcessIsCritical
RtlSetProcessPlaceholderCompatibilityMode
RtlSetProcessPreferredUILanguages
RtlSetProtectedPolicy
RtlSetProxiedProcessId
RtlSetSaclSecurityDescriptor
RtlSetSearchPathMode
RtlSetSecurityDescriptorRMControl
RtlSetSecurityObject
RtlSetSecurityObjectEx
RtlSetSystemBootStatus
RtlSetSystemBootStatusEx
RtlSetThreadErrorMode
RtlSetThreadIsCritical
RtlSetThreadPlaceholderCompatibilityMode
RtlSetThreadPoolStartFunc
RtlSetThreadPreferredUILanguages
RtlSetThreadPreferredUILanguages2
RtlSetThreadSubProcessTag
RtlSetThreadWorkOnBehalfTicket
RtlSetTimeZoneInformation
RtlSetTimer
RtlSetUmsThreadInformation
RtlSetUnhandledExceptionFilter
RtlSetUserFlagsHeap
RtlSetUserValueHeap
RtlSidDominates
RtlSidDominatesForTrust
RtlSidEqualLevel
RtlSidHashInitialize
RtlSidHashLookup
RtlSidIsHigherLevel
RtlSizeHeap
RtlSleepConditionVariableCS
RtlSleepConditionVariableSRW
RtlSplay
RtlStartRXact
RtlStatMemoryStream
RtlStringFromGUID
RtlStringFromGUIDEx
RtlStronglyEnumerateEntryHashTable
RtlSubAuthorityCountSid
RtlSubAuthoritySid
RtlSubscribeForFeatureUsageNotification
RtlSubscribeWnfStateChangeNotification
RtlSubtreePredecessor
RtlSubtreeSuccessor
RtlSwitchedVVI
RtlSystemTimeToLocalTime
RtlTestAndPublishWnfStateData
RtlTestBit
RtlTestBitEx
RtlTestProtectedAccess
RtlTimeFieldsToTime
RtlTimeToElapsedTimeFields
RtlTimeToSecondsSince1970
RtlTimeToSecondsSince1980
RtlTimeToTimeFields
RtlTraceDatabaseAdd
RtlTraceDatabaseCreate
RtlTraceDatabaseDestroy
RtlTraceDatabaseEnumerate
RtlTraceDatabaseFind
RtlTraceDatabaseLock
RtlTraceDatabaseUnlock
RtlTraceDatabaseValidate
RtlTryAcquirePebLock
RtlTryAcquireSRWLockExclusive
RtlTryAcquireSRWLockShared
RtlTryConvertSRWLockSharedToExclusiveOrRelease
RtlTryEnterCriticalSection
RtlUTF8StringToUnicodeString
RtlUTF8ToUnicodeN
RtlUdiv128
RtlUmsThreadYield
RtlUnhandledExceptionFilter
RtlUnhandledExceptionFilter2
RtlUnicodeStringToAnsiSize
RtlUnicodeStringToAnsiString
RtlUnicodeStringToCountedOemString
RtlUnicodeStringToInteger
RtlUnicodeStringToOemSize
RtlUnicodeStringToOemString
RtlUnicodeStringToUTF8String
RtlUnicodeToCustomCPN
RtlUnicodeToMultiByteN
RtlUnicodeToMultiByteSize
RtlUnicodeToOemN
RtlUnicodeToUTF8N
RtlUniform
RtlUnlockBootStatusData
RtlUnlockCurrentThread
RtlUnlockHeap
RtlUnlockMemoryBlockLookaside
RtlUnlockMemoryStreamRegion
RtlUnlockMemoryZone
RtlUnlockModuleSection
RtlUnregisterFeatureConfigurationChangeNotification
RtlUnsubscribeFromFeatureUsageNotifications
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlUnsubscribeWnfNotificationWithCompletionCallback
RtlUnsubscribeWnfStateChangeNotification
RtlUnwind
RtlUnwindEx
RtlUpcaseUnicodeChar
RtlUpcaseUnicodeString
RtlUpcaseUnicodeStringToAnsiString
RtlUpcaseUnicodeStringToCountedOemString
RtlUpcaseUnicodeStringToOemString
RtlUpcaseUnicodeToCustomCPN
RtlUpcaseUnicodeToMultiByteN
RtlUpcaseUnicodeToOemN
RtlUpdateClonedCriticalSection
RtlUpdateClonedSRWLock
RtlUpdateTimer
RtlUpperChar
RtlUpperString
RtlUserFiberStart
RtlUserThreadStart
RtlValidAcl
RtlValidProcessProtection
RtlValidRelativeSecurityDescriptor
RtlValidSecurityDescriptor
RtlValidSid
RtlValidateCorrelationVector
RtlValidateHeap
RtlValidateProcessHeaps
RtlValidateUnicodeString
RtlVerifyVersionInfo
RtlVirtualUnwind
RtlWaitForWnfMetaNotification
RtlWaitOnAddress
RtlWakeAddressAll
RtlWakeAddressAllNoFence
RtlWakeAddressSingle
RtlWakeAddressSingleNoFence
RtlWakeAllConditionVariable
RtlWakeConditionVariable
RtlWalkFrameChain
RtlWalkHeap
RtlWeaklyEnumerateEntryHashTable
RtlWerpReportException
RtlWnfCompareChangeStamp
RtlWnfDllUnloadCallback
RtlWow64CallFunction64
RtlWow64EnableFsRedirection
RtlWow64EnableFsRedirectionEx
RtlWow64GetCpuAreaInfo
RtlWow64GetCurrentCpuArea
RtlWow64GetCurrentMachine
RtlWow64GetEquivalentMachineCHPE
RtlWow64GetProcessMachines
RtlWow64GetSharedInfoProcess
RtlWow64GetThreadContext
RtlWow64GetThreadSelectorEntry
RtlWow64IsWowGuestMachineSupported
RtlWow64LogMessageInEventLogger
RtlWow64PopAllCrossProcessWorkFromWorkList
RtlWow64PopCrossProcessWorkFromFreeList
RtlWow64PushCrossProcessWorkOntoFreeList
RtlWow64PushCrossProcessWorkOntoWorkList
RtlWow64RequestCrossProcessHeavyFlush
RtlWow64SetThreadContext
RtlWow64SuspendProcess
RtlWow64SuspendThread
RtlWriteMemoryStream
RtlWriteNonVolatileMemory
RtlWriteRegistryValue
RtlZeroHeap
RtlZeroMemory
RtlZombifyActivationContext
RtlpApplyLengthFunction
RtlpCheckDynamicTimeZoneInformation
RtlpCleanupRegistryKeys
RtlpConvertAbsoluteToRelativeSecurityAttribute
RtlpConvertCultureNamesToLCIDs
RtlpConvertLCIDsToCultureNames
RtlpConvertRelativeToAbsoluteSecurityAttribute
RtlpCreateProcessRegistryInfo
RtlpEnsureBufferSize
RtlpExecuteUmsThread
RtlpFreezeTimeBias
RtlpGetDeviceFamilyInfoEnum
RtlpGetLCIDFromLangInfoNode
RtlpGetNameFromLangInfoNode
RtlpGetSystemDefaultUILanguage
RtlpGetUserOrMachineUILanguage4NLS
RtlpInitializeLangRegistryInfo
RtlpIsQualifiedLanguage
RtlpLoadMachineUIByPolicy
RtlpLoadUserUIByPolicy
RtlpMergeSecurityAttributeInformation
RtlpMuiFreeLangRegistryInfo
RtlpMuiRegCreateRegistryInfo
RtlpMuiRegFreeRegistryInfo
RtlpMuiRegLoadRegistryInfo
RtlpNotOwnerCriticalSection
RtlpNtCreateKey
RtlpNtEnumerateSubKey
RtlpNtMakeTemporaryKey
RtlpNtOpenKey
RtlpNtQueryValueKey
RtlpNtSetValueKey
RtlpQueryDefaultUILanguage
RtlpQueryProcessDebugInformationFromWow64
RtlpQueryProcessDebugInformationRemote
RtlpRefreshCachedUILanguage
RtlpSetInstallLanguage
RtlpSetPreferredUILanguages
RtlpSetUserPreferredUILanguages
RtlpTimeFieldsToTime
RtlpTimeToTimeFields
RtlpUmsExecuteYieldThreadEnd
RtlpUmsThreadYield
RtlpUnWaitCriticalSection
RtlpVerifyAndCommitUILanguageSettings
RtlpWaitForCriticalSection
RtlpWow64CtxFromAmd64
RtlpWow64GetContextOnAmd64
RtlpWow64SetContextOnAmd64
RtlxAnsiStringToUnicodeSize
RtlxOemStringToUnicodeSize
RtlxUnicodeStringToAnsiSize
RtlxUnicodeStringToOemSize
SbExecuteProcedure
SbSelectProcedure
ShipAssert
ShipAssertGetBufferInfo
ShipAssertMsgA
ShipAssertMsgW
TpAllocAlpcCompletion
TpAllocAlpcCompletionEx
TpAllocCleanupGroup
TpAllocIoCompletion
TpAllocJobNotification
TpAllocPool
TpAllocTimer
TpAllocWait
TpAllocWork
TpAlpcRegisterCompletionList
TpAlpcUnregisterCompletionList
TpCallbackDetectedUnrecoverableError
TpCallbackIndependent
TpCallbackLeaveCriticalSectionOnCompletion
TpCallbackMayRunLong
TpCallbackReleaseMutexOnCompletion
TpCallbackReleaseSemaphoreOnCompletion
TpCallbackSendAlpcMessageOnCompletion
TpCallbackSendPendingAlpcMessage
TpCallbackSetEventOnCompletion
TpCallbackUnloadDllOnCompletion
TpCancelAsyncIoOperation
TpCaptureCaller
TpCheckTerminateWorker
TpDbgDumpHeapUsage
TpDbgSetLogRoutine
TpDisablePoolCallbackChecks
TpDisassociateCallback
TpIsTimerSet
TpPostWork
TpQueryPoolStackInformation
TpReleaseAlpcCompletion
TpReleaseCleanupGroup
TpReleaseCleanupGroupMembers
TpReleaseIoCompletion
TpReleaseJobNotification
TpReleasePool
TpReleaseTimer
TpReleaseWait
TpReleaseWork
TpSetDefaultPoolMaxThreads
TpSetDefaultPoolStackInformation
TpSetPoolMaxThreads
TpSetPoolMaxThreadsSoftLimit
TpSetPoolMinThreads
TpSetPoolStackInformation
TpSetPoolThreadBasePriority
TpSetPoolThreadCpuSets
TpSetPoolWorkerThreadIdleTimeout
TpSetTimer
TpSetTimerEx
TpSetWait
TpSetWaitEx
TpSimpleTryPost
TpStartAsyncIoOperation
TpTimerOutstandingCallbackCount
TpTrimPools
TpWaitForAlpcCompletion
TpWaitForIoCompletion
TpWaitForJobNotification
TpWaitForTimer
TpWaitForWait
TpWaitForWork
VerSetConditionMask
WerReportExceptionWorker
WerReportSQMEvent
WinSqmAddToAverageDWORD
WinSqmAddToStream
WinSqmAddToStreamEx
WinSqmCheckEscalationAddToStreamEx
WinSqmCheckEscalationSetDWORD
WinSqmCheckEscalationSetDWORD64
WinSqmCheckEscalationSetString
WinSqmCommonDatapointDelete
WinSqmCommonDatapointSetDWORD
WinSqmCommonDatapointSetDWORD64
WinSqmCommonDatapointSetStreamEx
WinSqmCommonDatapointSetString
WinSqmEndSession
WinSqmEventEnabled
WinSqmEventWrite
WinSqmGetEscalationRuleStatus
WinSqmGetInstrumentationProperty
WinSqmIncrementDWORD
WinSqmIsOptedIn
WinSqmIsOptedInEx
WinSqmIsSessionDisabled
WinSqmSetDWORD
WinSqmSetDWORD64
WinSqmSetEscalationInfo
WinSqmSetIfMaxDWORD
WinSqmSetIfMinDWORD
WinSqmSetString
WinSqmStartSession
WinSqmStartSessionForPartner
WinSqmStartSqmOptinListener
ZwAcceptConnectPort
ZwAccessCheck
ZwAccessCheckAndAuditAlarm
ZwAccessCheckByType
ZwAccessCheckByTypeAndAuditAlarm
ZwAccessCheckByTypeResultList
ZwAccessCheckByTypeResultListAndAuditAlarm
ZwAccessCheckByTypeResultListAndAuditAlarmByHandle
ZwAcquireCrossVmMutant
ZwAcquireProcessActivityReference
ZwAddAtom
ZwAddAtomEx
ZwAddBootEntry
ZwAddDriverEntry
ZwAdjustGroupsToken
ZwAdjustPrivilegesToken
ZwAdjustTokenClaimsAndDeviceGroups
ZwAlertResumeThread
ZwAlertThread
ZwAlertThreadByThreadId
ZwAllocateLocallyUniqueId
ZwAllocateReserveObject
ZwAllocateUserPhysicalPages
ZwAllocateUserPhysicalPagesEx
ZwAllocateUuids
ZwAllocateVirtualMemory
ZwAllocateVirtualMemoryEx
ZwAlpcAcceptConnectPort
ZwAlpcCancelMessage
ZwAlpcConnectPort
ZwAlpcConnectPortEx
ZwAlpcCreatePort
ZwAlpcCreatePortSection
ZwAlpcCreateResourceReserve
ZwAlpcCreateSectionView
ZwAlpcCreateSecurityContext
ZwAlpcDeletePortSection
ZwAlpcDeleteResourceReserve
ZwAlpcDeleteSectionView
ZwAlpcDeleteSecurityContext
ZwAlpcDisconnectPort
ZwAlpcImpersonateClientContainerOfPort
ZwAlpcImpersonateClientOfPort
ZwAlpcOpenSenderProcess
ZwAlpcOpenSenderThread
ZwAlpcQueryInformation
ZwAlpcQueryInformationMessage
ZwAlpcRevokeSecurityContext
ZwAlpcSendWaitReceivePort
ZwAlpcSetInformation
ZwApphelpCacheControl
ZwAreMappedFilesTheSame
ZwAssignProcessToJobObject
ZwAssociateWaitCompletionPacket
ZwCallEnclave
ZwCallbackReturn
ZwCancelIoFile
ZwCancelIoFileEx
ZwCancelSynchronousIoFile
ZwCancelTimer
ZwCancelTimer2
ZwCancelWaitCompletionPacket
ZwClearEvent
ZwClose
ZwCloseObjectAuditAlarm
ZwCommitComplete
ZwCommitEnlistment
ZwCommitRegistryTransaction
ZwCommitTransaction
ZwCompactKeys
ZwCompareObjects
ZwCompareSigningLevels
ZwCompareTokens
ZwCompleteConnectPort
ZwCompressKey
ZwConnectPort
ZwContinue
ZwContinueEx
ZwConvertBetweenAuxiliaryCounterAndPerformanceCounter
ZwCreateCrossVmEvent
ZwCreateCrossVmMutant
ZwCreateDebugObject
ZwCreateDirectoryObject
ZwCreateDirectoryObjectEx
ZwCreateEnclave
ZwCreateEnlistment
ZwCreateEvent
ZwCreateEventPair
ZwCreateFile
ZwCreateIRTimer
ZwCreateIoCompletion
ZwCreateJobObject
ZwCreateJobSet
ZwCreateKey
ZwCreateKeyTransacted
ZwCreateKeyedEvent
ZwCreateLowBoxToken
ZwCreateMailslotFile
ZwCreateMutant
ZwCreateNamedPipeFile
ZwCreatePagingFile
ZwCreatePartition
ZwCreatePort
ZwCreatePrivateNamespace
ZwCreateProcess
ZwCreateProcessEx
ZwCreateProfile
ZwCreateProfileEx
ZwCreateRegistryTransaction
ZwCreateResourceManager
ZwCreateSection
ZwCreateSectionEx
ZwCreateSemaphore
ZwCreateSymbolicLinkObject
ZwCreateThread
ZwCreateThreadEx
ZwCreateTimer
ZwCreateTimer2
ZwCreateToken
ZwCreateTokenEx
ZwCreateTransaction
ZwCreateTransactionManager
ZwCreateUserProcess
ZwCreateWaitCompletionPacket
ZwCreateWaitablePort
ZwCreateWnfStateName
ZwCreateWorkerFactory
ZwDebugActiveProcess
ZwDebugContinue
ZwDelayExecution
ZwDeleteAtom
ZwDeleteBootEntry
ZwDeleteDriverEntry
ZwDeleteFile
ZwDeleteKey
ZwDeleteObjectAuditAlarm
ZwDeletePrivateNamespace
ZwDeleteValueKey
ZwDeleteWnfStateData
ZwDeleteWnfStateName
ZwDeviceIoControlFile
ZwDirectGraphicsCall
ZwDisableLastKnownGood
ZwDisplayString
ZwDrawText
ZwDuplicateObject
ZwDuplicateToken
ZwEnableLastKnownGood
ZwEnumerateBootEntries
ZwEnumerateDriverEntries
ZwEnumerateKey
ZwEnumerateSystemEnvironmentValuesEx
ZwEnumerateTransactionObject
ZwEnumerateValueKey
ZwExtendSection
ZwFilterBootOption
ZwFilterToken
ZwFilterTokenEx
ZwFindAtom
ZwFlushBuffersFile
ZwFlushBuffersFileEx
ZwFlushInstallUILanguage
ZwFlushInstructionCache
ZwFlushKey
ZwFlushProcessWriteBuffers
ZwFlushVirtualMemory
ZwFlushWriteBuffer
ZwFreeUserPhysicalPages
ZwFreeVirtualMemory
ZwFreezeRegistry
ZwFreezeTransactions
ZwFsControlFile
ZwGetCachedSigningLevel
ZwGetCompleteWnfStateSubscription
ZwGetContextThread
ZwGetCurrentProcessorNumber
ZwGetCurrentProcessorNumberEx
ZwGetDevicePowerState
ZwGetMUIRegistryInfo
ZwGetNextProcess
ZwGetNextThread
ZwGetNlsSectionPtr
ZwGetNotificationResourceManager
ZwGetWriteWatch
ZwImpersonateAnonymousToken
ZwImpersonateClientOfPort
ZwImpersonateThread
ZwInitializeEnclave
ZwInitializeNlsFiles
ZwInitializeRegistry
ZwInitiatePowerAction
ZwIsProcessInJob
ZwIsSystemResumeAutomatic
ZwIsUILanguageComitted
ZwListenPort
ZwLoadDriver
ZwLoadEnclaveData
ZwLoadKey
ZwLoadKey2
ZwLoadKey3
ZwLoadKeyEx
ZwLockFile
ZwLockProductActivationKeys
ZwLockRegistryKey
ZwLockVirtualMemory
ZwMakePermanentObject
ZwMakeTemporaryObject
ZwManageHotPatch
ZwManagePartition
ZwMapCMFModule
ZwMapUserPhysicalPages
ZwMapUserPhysicalPagesScatter
ZwMapViewOfSection
ZwMapViewOfSectionEx
ZwModifyBootEntry
ZwModifyDriverEntry
ZwNotifyChangeDirectoryFile
ZwNotifyChangeDirectoryFileEx
ZwNotifyChangeKey
ZwNotifyChangeMultipleKeys
ZwNotifyChangeSession
ZwOpenDirectoryObject
ZwOpenEnlistment
ZwOpenEvent
ZwOpenEventPair
ZwOpenFile
ZwOpenIoCompletion
ZwOpenJobObject
ZwOpenKey
ZwOpenKeyEx
ZwOpenKeyTransacted
ZwOpenKeyTransactedEx
ZwOpenKeyedEvent
ZwOpenMutant
ZwOpenObjectAuditAlarm
ZwOpenPartition
ZwOpenPrivateNamespace
ZwOpenProcess
ZwOpenProcessToken
ZwOpenProcessTokenEx
ZwOpenRegistryTransaction
ZwOpenResourceManager
ZwOpenSection
ZwOpenSemaphore
ZwOpenSession
ZwOpenSymbolicLinkObject
ZwOpenThread
ZwOpenThreadToken
ZwOpenThreadTokenEx
ZwOpenTimer
ZwOpenTransaction
ZwOpenTransactionManager
ZwPlugPlayControl
ZwPowerInformation
ZwPrePrepareComplete
ZwPrePrepareEnlistment
ZwPrepareComplete
ZwPrepareEnlistment
ZwPrivilegeCheck
ZwPrivilegeObjectAuditAlarm
ZwPrivilegedServiceAuditAlarm
ZwPropagationComplete
ZwPropagationFailed
ZwProtectVirtualMemory
ZwPssCaptureVaSpaceBulk
ZwPulseEvent
ZwQueryAttributesFile
ZwQueryAuxiliaryCounterFrequency
ZwQueryBootEntryOrder
ZwQueryBootOptions
ZwQueryDebugFilterState
ZwQueryDefaultLocale
ZwQueryDefaultUILanguage
ZwQueryDirectoryFile
ZwQueryDirectoryFileEx
ZwQueryDirectoryObject
ZwQueryDriverEntryOrder
ZwQueryEaFile
ZwQueryEvent
ZwQueryFullAttributesFile
ZwQueryInformationAtom
ZwQueryInformationByName
ZwQueryInformationEnlistment
ZwQueryInformationFile
ZwQueryInformationJobObject
ZwQueryInformationPort
ZwQueryInformationProcess
ZwQueryInformationResourceManager
ZwQueryInformationThread
ZwQueryInformationToken
ZwQueryInformationTransaction
ZwQueryInformationTransactionManager
ZwQueryInformationWorkerFactory
ZwQueryInstallUILanguage
ZwQueryIntervalProfile
ZwQueryIoCompletion
ZwQueryKey
ZwQueryLicenseValue
ZwQueryMultipleValueKey
ZwQueryMutant
ZwQueryObject
ZwQueryOpenSubKeys
ZwQueryOpenSubKeysEx
ZwQueryPerformanceCounter
ZwQueryPortInformationProcess
ZwQueryQuotaInformationFile
ZwQuerySection
ZwQuerySecurityAttributesToken
ZwQuerySecurityObject
ZwQuerySecurityPolicy
ZwQuerySemaphore
ZwQuerySymbolicLinkObject
ZwQuerySystemEnvironmentValue
ZwQuerySystemEnvironmentValueEx
ZwQuerySystemInformation
ZwQuerySystemInformationEx
ZwQuerySystemTime
ZwQueryTimer
ZwQueryTimerResolution
ZwQueryValueKey
ZwQueryVirtualMemory
ZwQueryVolumeInformationFile
ZwQueryWnfStateData
ZwQueryWnfStateNameInformation
ZwQueueApcThread
ZwQueueApcThreadEx
ZwRaiseException
ZwRaiseHardError
ZwReadFile
ZwReadFileScatter
ZwReadOnlyEnlistment
ZwReadRequestData
ZwReadVirtualMemory
ZwRecoverEnlistment
ZwRecoverResourceManager
ZwRecoverTransactionManager
ZwRegisterProtocolAddressInformation
ZwRegisterThreadTerminatePort
ZwReleaseKeyedEvent
ZwReleaseMutant
ZwReleaseSemaphore
ZwReleaseWorkerFactoryWorker
ZwRemoveIoCompletion
ZwRemoveIoCompletionEx
ZwRemoveProcessDebug
ZwRenameKey
ZwRenameTransactionManager
ZwReplaceKey
ZwReplacePartitionUnit
ZwReplyPort
ZwReplyWaitReceivePort
ZwReplyWaitReceivePortEx
ZwReplyWaitReplyPort
ZwRequestPort
ZwRequestWaitReplyPort
ZwResetEvent
ZwResetWriteWatch
ZwRestoreKey
ZwResumeProcess
ZwResumeThread
ZwRevertContainerImpersonation
ZwRollbackComplete
ZwRollbackEnlistment
ZwRollbackRegistryTransaction
ZwRollbackTransaction
ZwRollforwardTransactionManager
ZwSaveKey
ZwSaveKeyEx
ZwSaveMergedKeys
ZwSecureConnectPort
ZwSerializeBoot
ZwSetBootEntryOrder
ZwSetBootOptions
ZwSetCachedSigningLevel
ZwSetCachedSigningLevel2
ZwSetContextThread
ZwSetDebugFilterState
ZwSetDefaultHardErrorPort
ZwSetDefaultLocale
ZwSetDefaultUILanguage
ZwSetDriverEntryOrder
ZwSetEaFile
ZwSetEvent
ZwSetEventBoostPriority
ZwSetHighEventPair
ZwSetHighWaitLowEventPair
ZwSetIRTimer
ZwSetInformationDebugObject
ZwSetInformationEnlistment
ZwSetInformationFile
ZwSetInformationJobObject
ZwSetInformationKey
ZwSetInformationObject
ZwSetInformationProcess
ZwSetInformationResourceManager
ZwSetInformationSymbolicLink
ZwSetInformationThread
ZwSetInformationToken
ZwSetInformationTransaction
ZwSetInformationTransactionManager
ZwSetInformationVirtualMemory
ZwSetInformationWorkerFactory
ZwSetIntervalProfile
ZwSetIoCompletion
ZwSetIoCompletionEx
ZwSetLdtEntries
ZwSetLowEventPair
ZwSetLowWaitHighEventPair
ZwSetQuotaInformationFile
ZwSetSecurityObject
ZwSetSystemEnvironmentValue
ZwSetSystemEnvironmentValueEx
ZwSetSystemInformation
ZwSetSystemPowerState
ZwSetSystemTime
ZwSetThreadExecutionState
ZwSetTimer
ZwSetTimer2
ZwSetTimerEx
ZwSetTimerResolution
ZwSetUuidSeed
ZwSetValueKey
ZwSetVolumeInformationFile
ZwSetWnfProcessNotificationEvent
ZwShutdownSystem
ZwShutdownWorkerFactory
ZwSignalAndWaitForSingleObject
ZwSinglePhaseReject
ZwStartProfile
ZwStopProfile
ZwSubscribeWnfStateChange
ZwSuspendProcess
ZwSuspendThread
ZwSystemDebugControl
ZwTerminateEnclave
ZwTerminateJobObject
ZwTerminateProcess
ZwTerminateThread
ZwTestAlert
ZwThawRegistry
ZwThawTransactions
ZwTraceControl
ZwTraceEvent
ZwTranslateFilePath
ZwUmsThreadYield
ZwUnloadDriver
ZwUnloadKey
ZwUnloadKey2
ZwUnloadKeyEx
ZwUnlockFile
ZwUnlockVirtualMemory
ZwUnmapViewOfSection
ZwUnmapViewOfSectionEx
ZwUnsubscribeWnfStateChange
ZwUpdateWnfStateData
ZwVdmControl
ZwWaitForAlertByThreadId
ZwWaitForDebugEvent
ZwWaitForKeyedEvent
ZwWaitForMultipleObjects
ZwWaitForMultipleObjects32
ZwWaitForSingleObject
ZwWaitForWorkViaWorkerFactory
ZwWaitHighEventPair
ZwWaitLowEventPair
ZwWorkerFactoryWorkerReady
ZwWriteFile
ZwWriteFileGather
ZwWriteRequestData
ZwWriteVirtualMemory
ZwYieldExecution
__C_specific_handler
__chkstk
__isascii
__iscsym
__iscsymf
__misaligned_access
__toascii
_atoi64
_errno
_fltused
_i64toa
_i64toa_s
_i64tow
_i64tow_s
_itoa
_itoa_s
_itow
_itow_s
_lfind
_local_unwind
_ltoa
_ltoa_s
_ltow
_ltow_s
_makepath_s
_memccpy
_memicmp
_setjmp
_setjmpex
_snprintf
_snprintf_s
_snscanf_s
_snwprintf
_snwprintf_s
_snwscanf_s
_splitpath
_splitpath_s
_strcmpi
_stricmp
_strlwr
_strlwr_s
_strnicmp
_strnset_s
_strset_s
_strupr
_strupr_s
_swprintf
_ui64toa
_ui64toa_s
_ui64tow
_ui64tow_s
_ultoa
_ultoa_s
_ultow
_ultow_s
_vscprintf
_vscwprintf
_vsnprintf
_vsnprintf_s
_vsnwprintf
_vsnwprintf_s
_vswprintf
_wcsicmp
_wcslwr
_wcslwr_s
_wcsnicmp
_wcsnset_s
_wcsset_s
_wcstoi64
_wcstoui64
_wcsupr
_wcsupr_s
_wmakepath_s
_wsplitpath_s
_wtoi
_wtoi64
_wtol
abs
atan
atan2
atoi
atol
bsearch
bsearch_s
ceil
cos
fabs
floor
isalnum
isalpha
iscntrl
isdigit
isgraph
islower
isprint
ispunct
isspace
isupper
iswalnum
iswalpha
iswascii
iswctype
iswdigit
iswgraph
iswlower
iswprint
iswspace
iswxdigit
isxdigit
labs
log
longjmp
mbstowcs
memchr
memcmp
memcpy
memcpy_s
memmove
memmove_s
memset
pow
qsort
qsort_s
sin
sprintf
sprintf_s
sqrt
sscanf
sscanf_s
strcat
strcat_s
strchr
strcmp
strcpy
strcpy_s
strcspn
strlen
strncat
strncat_s
strncmp
strncpy
strncpy_s
strnlen
strpbrk
strrchr
strspn
strstr
strtok_s
strtol
strtoul
swprintf
swprintf_s
swscanf_s
tan
tolower
toupper
towlower
towupper
vDbgPrintEx
vDbgPrintExWithPrefix
vsprintf
vsprintf_s
vswprintf_s
wcscat
wcscat_s
wcschr
wcscmp
wcscpy
wcscpy_s
wcscspn
wcslen
wcsncat
wcsncat_s
wcsncmp
wcsncpy
wcsncpy_s
wcsnlen
wcspbrk
wcsrchr
wcsspn
wcsstr
wcstok_s
wcstol
wcstombs
wcstoul


Nt or Zw are system calls declared in ntdll.dll and ntoskrnl.exe. When called from ntdll.dll in user mode, these groups are almost exactly the same; they trap into kernel mode and call the equivalent function in ntoskrnl.exe via the SSDT. When calling the functions directly in ntoskrnl.exe (only possible in kernel mode), the Zw variants ensure kernel mode, whereas the Nt variants do not.[1] The Zw prefix does not stand for anything.[2]
Rtl is the second largest group of ntdll calls. These comprise the (extended) C Run-Time Library, which includes many utility functions that can be used by native applications, yet don't directly involve kernel support.
Csr are client-server functions that are used to communicate with the Win32 subsystem process, csrss.exe (csrss stands for client/server runtime sub-system).
Dbg are debugging functions such as a software breakpoint.
Ki are upcalls from kernel mode for events like APC dispatching.
Ldr are loader functions for PE file handling and starting of new processes.
Nls for National Language Support (similar to code pages).
Pfx for prefix handling.
Tp for threadpool handling.

kernel32.dll

C:\Windows\SysWOW64\kernel32.dll

kernel32.dll — динамически подключаемая библиотека, являющаяся ядром всех версий ОС Microsoft Windows. Она предоставляет приложениям многие базовые API Win32, такие как управление памятью, операции ввода-вывода, создание процессов и потоков и функции синхронизации.