Windows 7 Kernel Architecture Changes - api-ms-win-core files

Windows 7 introduces a new set of dll files containing exported functions of many well-known WIN32 APIs. All these filenames begin with the 'api-ms-win-core' prefix, followed by the function category name.

For example, api-ms-win-core-localregistry-l1-1-0.dll contains the exported names for all Registry functions, api-ms-win-core-file-l1-1-0.dll contains the exported names for all file-related functions, api-ms-win-core-localization-l1-1-0.dll contains the exported names for all localization functions, and so on.

If you look deeply into these files, you'll see that all these files are very small, and the functions in them don't do anything and simply return a 'TRUE' value. Just for example, here's the assembly language content of the RegDeleteValueW function in api-ms-win-core-localregistry-l1-1-0.dll:

    084010CE 33C0      xor eax, eax
    084010D0 40        inc eax
    084010D1 C20800    ret 0008

By looking in the Dependency Walker utility, we can see that advapi32.dll, kernel32.dll, and other system dll files are now statically linked to these empty api-ms-win-core files.

Moreover, if we look at the assembly language output of many API functions, we can see that they simply call their corresponding function in one of these api-ms-win-core Dlls. Just for example, RegDeleteValueW in advapi32.dll simply contains a jump to RegDeleteValueW in API-MS-Win-Core-LocalRegistry-L1-1-0.dll:

    ADVAPI32!RegDeleteValueW:
    77C6F301 8BFF          mov edi, edi
    77C6F303 55            push ebp
    77C6F304 8BEC          mov ebp, esp
    77C6F306 5D            pop ebp
    77C6F307 EB05          jmp 77C6F30E
    . . .
    77C6F30E FF25B414C677  jmp dword ptr [77C614B4]  <-- [77C614B4] points to the import entry of API-MS-Win-Core-LocalRegistry-L1-1-0.RegDeleteValueW

So if RegDeleteValueW in ADVAPI32 and other functions simply jump to empty functions, how is it possible that these functions still work properly? The answer is pretty simple: when Windows loads the dll files, all the import entries of these api-ms-win-core Dlls are replaced with a call to a real function in the Windows kernel.
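The two listings above can be checked mechanically. The following Python code is an added example, not code from the original article or from any of the author's utilities: it recognises the 'return TRUE' stub and walks the ADVAPI32 thunk to the import slot it jumps through. The five bytes the listing elides are filled with constructed 0xCC padding, and the IAT map and all function names are assumptions made for illustration.

```python
import struct

# ADVAPI32!RegDeleteValueW exactly as listed above (on-disk addresses).
# The five bytes the listing elides (". . .") are constructed 0xCC padding.
THUNK_BASE = 0x77C6F301
THUNK = bytes.fromhex("8BFF558BEC5DEB05") + b"\xCC" * 5 + bytes.fromhex("FF25B414C677")
# RegDeleteValueW body in api-ms-win-core-localregistry-l1-1-0.dll, as listed.
STUB = bytes.fromhex("33C040C20800")
# Constructed import map: IAT slot address -> (module, function), taken from
# the annotation on the final jmp in the listing.
IAT = {0x77C614B4: ("API-MS-Win-Core-LocalRegistry-L1-1-0.dll", "RegDeleteValueW")}

def stub_ret_bytes(code):
    """If code is 'xor eax,eax / inc eax / ret [imm16]', return the number of
    argument bytes the ret pops (0 for a plain ret); otherwise None."""
    if code[:3] != b"\x33\xC0\x40":
        return None
    if code[3:4] == b"\xC3":
        return 0
    if code[3:4] == b"\xC2" and len(code) >= 6:
        return struct.unpack_from("<H", code, 4)[0]
    return None

def follow_thunk(code, base):
    """Walk a forwarding thunk: skip the hot-patch/frame prologue, follow
    short jumps, stop at 'jmp dword ptr [abs32]'. Returns
    (address of that jmp, address of the IAT slot it reads) or None."""
    off = 0
    for _ in range(16):                      # bound the walk against loops
        two, one = code[off:off + 2], code[off:off + 1]
        if two == b"\xFF\x25":
            if off + 6 > len(code):
                return None
            return base + off, struct.unpack_from("<I", code, off + 2)[0]
        if one == b"\xEB" and off + 2 <= len(code):
            off += 2 + struct.unpack_from("<b", code, off + 1)[0]
            if not 0 <= off < len(code):
                return None
        elif two in (b"\x8B\xFF", b"\x8B\xEC"):   # mov edi,edi / mov ebp,esp
            off += 2
        elif one in (b"\x55", b"\x5D"):           # push ebp / pop ebp
            off += 1
        else:
            return None                      # unknown opcode: stop, don't guess
    return None

def static_target(code, base, iat):
    """What a tool sees on disk: (module, function, is_api_set_stub)."""
    hit = follow_thunk(code, base)
    if hit is None or hit[1] not in iat:
        return None
    module, func = iat[hit[1]]
    # The list at the end of the article also has api-ms-win-security-* and
    # api-ms-win-service-* files, so match the shared 'api-ms-win-' prefix.
    return module, func, module.lower().startswith("api-ms-win-")
```

After loading, the same slot holds the address of kernel32!RegDeleteValueW, so a tool that needs the real implementation has to read the slot in the running process rather than trust the on-disk import name.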

So here's our RegDeleteValueW example again: when loading a program into WinDbg, we can see that the jmp now points to the kernel32!RegDeleteValueW function. That's because during the loading of advapi32.dll, Windows automatically replaces the import entry of API-MS-Win-Core-LocalRegistry-L1-1-0.RegDeleteValueW with the function address of RegDeleteValueW in kernel32.

    75e5f301 8bff          mov edi,edi
    75e5f303 55            push ebp
    75e5f304 8bec          mov ebp,esp
    75e5f306 5d            pop ebp
    75e5f307 eb05          jmp ADVAPI32!RegDeleteValueW+0xd (75e5f30e)
    . . .
    75e5f30e ff25b414e575  jmp dword ptr [ADVAPI32+0x14b4 (75e514b4)] ds:0023:75e514b4={kernel32!RegDeleteValueW (758bd5af)}

Another new dll: kernelbase.dll

In addition to the new API-MS-Win-Core dll files, there is also another new dll: kernelbase.dll

In previous versions of Windows, most of the kernel32 functions called their corresponding functions in ntdll.dll.

In Windows 7, most of the kernel functions call their corresponding functions in kernelbase.dll, and the kernelbase dll is the one that makes the calls to ntdll.dll.

Effects on existing applications - compatibility issues

Most of the existing applications should not be affected by this kernel change, because all standard API calls still work the same as in previous versions of Windows.

However, there are some diagnostic/debugging applications that rely on the call chain inside the Windows kernel. These kinds of applications may not work properly in Windows 7.

My own utilities, RegFromApp and ProcessActivityView, failed to work under Windows 7 because of these changes, and that's what led me to discover the kernel changes of Windows 7. These utilities' problems are already fixed, and now they work properly in Windows 7.

API-MS-Win-Core List

Finally, here's the list of all core dll files added to Windows 7 and the list of functions that each one of them contains. I used my own DLL Export Viewer utility to generate the list.

DLL File
    Function Names

api-ms-win-core-console-l1-1-0.dll
    AllocConsole GetConsoleCP GetConsoleMode GetConsoleOutputCP GetNumberOfConsoleInputEvents PeekConsoleInputA ReadConsoleA ReadConsoleInputA ReadConsoleInputW ReadConsoleW SetConsoleCtrlHandler SetConsoleMode WriteConsoleA WriteConsoleW

api-ms-win-core-datetime-l1-1-0.dll
    GetDateFormatA GetDateFormatW GetTimeFormatA GetTimeFormatW

api-ms-win-core-debug-l1-1-0.dll
    DebugBreak IsDebuggerPresent OutputDebugStringA OutputDebugStringW

api-ms-win-core-delayload-l1-1-0.dll
    DelayLoadFailureHook

api-ms-win-core-errorhandling-l1-1-0.dll
    GetErrorMode GetLastError RaiseException SetErrorMode SetLastError SetUnhandledExceptionFilter UnhandledExceptionFilter

api-ms-win-core-fibers-l1-1-0.dll
    FlsAlloc FlsFree FlsGetValue FlsSetValue

api-ms-win-core-file-l1-1-0.dll
    CompareFileTime CreateDirectoryA CreateDirectoryW CreateFileA CreateFileW DefineDosDeviceW DeleteFileA DeleteFileW DeleteVolumeMountPointW FileTimeToLocalFileTime FileTimeToSystemTime FindClose FindCloseChangeNotification FindFirstChangeNotificationA FindFirstChangeNotificationW FindFirstFileA FindFirstFileExA FindFirstFileExW FindFirstFileW FindFirstVolumeW FindNextChangeNotification FindNextFileA FindNextFileW FindNextVolumeW FindVolumeClose FlushFileBuffers GetDiskFreeSpaceA GetDiskFreeSpaceExA GetDiskFreeSpaceExW GetDiskFreeSpaceW GetDriveTypeA GetDriveTypeW GetFileAttributesA GetFileAttributesExA GetFileAttributesExW GetFileAttributesW GetFileInformationByHandle GetFileSize GetFileSizeEx GetFileTime GetFileType GetFinalPathNameByHandleA GetFinalPathNameByHandleW GetFullPathNameA GetFullPathNameW GetLogicalDrives GetLogicalDriveStringsW GetLongPathNameA GetLongPathNameW GetShortPathNameW GetTempFileNameW GetVolumeInformationByHandleW GetVolumeInformationW GetVolumePathNameW LocalFileTimeToFileTime LockFile LockFileEx QueryDosDeviceW ReadFile ReadFileEx ReadFileScatter RemoveDirectoryA RemoveDirectoryW SetEndOfFile SetFileAttributesA SetFileAttributesW SetFileInformationByHandle SetFilePointer SetFilePointerEx SetFileTime SetFileValidData UnlockFile UnlockFileEx WriteFile WriteFileEx WriteFileGather

api-ms-win-core-handle-l1-1-0.dll
    CloseHandle DuplicateHandle GetHandleInformation SetHandleInformation

api-ms-win-core-heap-l1-1-0.dll
    GetProcessHeap GetProcessHeaps HeapAlloc HeapCompact HeapCreate HeapDestroy HeapFree HeapLock HeapQueryInformation HeapReAlloc HeapSetInformation HeapSize HeapSummary HeapUnlock HeapValidate HeapWalk

api-ms-win-core-interlocked-l1-1-0.dll
    InitializeSListHead InterlockedCompareExchange InterlockedCompareExchange64 InterlockedDecrement InterlockedExchange InterlockedExchangeAdd InterlockedFlushSList InterlockedIncrement InterlockedPopEntrySList InterlockedPushEntrySList InterlockedPushListSList QueryDepthSList

api-ms-win-core-io-l1-1-0.dll
    CancelIoEx CreateIoCompletionPort DeviceIoControl GetOverlappedResult GetQueuedCompletionStatus GetQueuedCompletionStatusEx PostQueuedCompletionStatus

api-ms-win-core-libraryloader-l1-1-0.dll
    DisableThreadLibraryCalls FindResourceExW FindStringOrdinal FreeLibrary FreeLibraryAndExitThread FreeResource GetModuleFileNameA GetModuleFileNameW GetModuleHandleA GetModuleHandleExA GetModuleHandleExW GetModuleHandleW GetProcAddress LoadLibraryExA LoadLibraryExW LoadResource LoadStringA LoadStringW LockResource SizeofResource

api-ms-win-core-localization-l1-1-0.dll
    ConvertDefaultLocale FindNLSString FindNLSStringEx GetACP GetCalendarInfoEx GetCalendarInfoW GetCPFileNameFromRegistry GetCPInfo GetCPInfoExW GetFileMUIInfo GetFileMUIPath GetLocaleInfoEx GetLocaleInfoW GetNLSVersion GetNLSVersionEx GetOEMCP GetProcessPreferredUILanguages GetSystemDefaultLangID GetSystemDefaultLCID GetSystemPreferredUILanguages GetThreadLocale GetThreadPreferredUILanguages GetThreadUILanguage GetUILanguageInfo GetUserDefaultLangID GetUserDefaultLCID GetUserPreferredUILanguages IsNLSDefinedString IsValidCodePage IsValidLanguageGroup IsValidLocale IsValidLocaleName LCMapStringEx LCMapStringW LocaleNameToLCID NlsCheckPolicy NlsEventDataDescCreate NlsGetCacheUpdateCount NlsUpdateLocale NlsUpdateSystemLocale NlsWriteEtwEvent ResolveLocaleName SetCalendarInfoW SetLocaleInfoW SetThreadLocale VerLanguageNameA VerLanguageNameW

api-ms-win-core-localregistry-l1-1-0.dll
    RegCloseKey RegCreateKeyExA RegCreateKeyExW RegDeleteKeyExA RegDeleteKeyExW RegDeleteTreeA RegDeleteTreeW RegDeleteValueA RegDeleteValueW RegDisablePredefinedCacheEx RegEnumKeyExA RegEnumKeyExW RegEnumValueA RegEnumValueW RegFlushKey RegGetKeySecurity RegGetValueA RegGetValueW RegLoadKeyA RegLoadKeyW RegLoadMUIStringA RegLoadMUIStringW RegNotifyChangeKeyValue RegOpenCurrentUser RegOpenKeyExA RegOpenKeyExW RegOpenUserClassesRoot RegQueryInfoKeyA RegQueryInfoKeyW RegQueryValueExA RegQueryValueExW RegRestoreKeyA RegRestoreKeyW RegSaveKeyExA RegSaveKeyExW RegSetKeySecurity RegSetValueExA RegSetValueExW RegUnLoadKeyA RegUnLoadKeyW

api-ms-win-core-memory-l1-1-0.dll
    CreateFileMappingW FlushViewOfFile MapViewOfFile MapViewOfFileEx OpenFileMappingW ReadProcessMemory UnmapViewOfFile VirtualAlloc VirtualAllocEx VirtualFree VirtualFreeEx VirtualProtect VirtualProtectEx VirtualQuery VirtualQueryEx WriteProcessMemory

api-ms-win-core-misc-l1-1-0.dll
    EnumSystemLocalesA FatalAppExitA FatalAppExitW FormatMessageA FormatMessageW GlobalAlloc GlobalFree IsProcessInJob IsWow64Process LCMapStringA LocalAlloc LocalFree LocalLock LocalReAlloc LocalUnlock lstrcmp lstrcmpA lstrcmpi lstrcmpiA lstrcmpiW lstrcmpW lstrcpyn lstrcpynA lstrcpynW lstrlen lstrlenA lstrlenW NeedCurrentDirectoryForExePathA NeedCurrentDirectoryForExePathW PulseEvent SetHandleCount Sleep Wow64DisableWow64FsRedirection Wow64RevertWow64FsRedirection

api-ms-win-core-namedpipe-l1-1-0.dll
    ConnectNamedPipe CreateNamedPipeW CreatePipe DisconnectNamedPipe GetNamedPipeAttribute GetNamedPipeClientComputerNameW ImpersonateNamedPipeClient PeekNamedPipe SetNamedPipeHandleState TransactNamedPipe WaitNamedPipeW

api-ms-win-core-processenvironment-l1-1-0.dll
    ExpandEnvironmentStringsA ExpandEnvironmentStringsW FreeEnvironmentStringsA FreeEnvironmentStringsW GetCommandLineA GetCommandLineW GetCurrentDirectoryA GetCurrentDirectoryW GetEnvironmentStrings GetEnvironmentStringsA GetEnvironmentStringsW GetEnvironmentVariableA GetEnvironmentVariableW GetStdHandle SearchPathW SetCurrentDirectoryA SetCurrentDirectoryW SetEnvironmentStringsW SetEnvironmentVariableA SetEnvironmentVariableW SetStdHandle SetStdHandleEx

api-ms-win-core-processthreads-l1-1-0.dll
    CreateProcessA CreateProcessAsUserW CreateProcessW CreateRemoteThread CreateRemoteThreadEx CreateThread DeleteProcThreadAttributeList ExitProcess ExitThread FlushProcessWriteBuffers GetCurrentProcess GetCurrentProcessId GetCurrentThread GetCurrentThreadId GetExitCodeProcess GetExitCodeThread GetPriorityClass GetProcessId GetProcessIdOfThread GetProcessTimes GetProcessVersion GetStartupInfoW GetThreadId GetThreadPriority GetThreadPriorityBoost InitializeProcThreadAttributeList OpenProcessToken OpenThread OpenThreadToken ProcessIdToSessionId QueryProcessAffinityUpdateMode QueueUserAPC ResumeThread SetPriorityClass SetProcessAffinityUpdateMode SetProcessShutdownParameters SetThreadPriority SetThreadPriorityBoost SetThreadStackGuarantee SetThreadToken SuspendThread SwitchToThread TerminateProcess TerminateThread TlsAlloc TlsFree TlsGetValue TlsSetValue UpdateProcThreadAttribute

api-ms-win-core-profile-l1-1-0.dll
    QueryPerformanceCounter QueryPerformanceFrequency

api-ms-win-core-rtlsupport-l1-1-0.dll
    RtlCaptureContext RtlCaptureStackBackTrace RtlFillMemory RtlUnwind

api-ms-win-core-string-l1-1-0.dll
    CompareStringEx CompareStringOrdinal CompareStringW FoldStringW GetStringTypeExW GetStringTypeW MultiByteToWideChar WideCharToMultiByte

api-ms-win-core-synch-l1-1-0.dll
    AcquireSRWLockExclusive AcquireSRWLockShared CancelWaitableTimer CreateEventA CreateEventExA CreateEventExW CreateEventW CreateMutexA CreateMutexExA CreateMutexExW CreateMutexW CreateSemaphoreExW CreateWaitableTimerExW DeleteCriticalSection EnterCriticalSection InitializeCriticalSection InitializeCriticalSectionAndSpinCount InitializeCriticalSectionEx InitializeSRWLock LeaveCriticalSection OpenEventA OpenEventW OpenMutexW OpenProcess OpenSemaphoreW OpenWaitableTimerW ReleaseMutex ReleaseSemaphore ReleaseSRWLockExclusive ReleaseSRWLockShared ResetEvent SetCriticalSectionSpinCount SetEvent SetWaitableTimer SetWaitableTimerEx SleepEx TryAcquireSRWLockExclusive TryAcquireSRWLockShared TryEnterCriticalSection WaitForMultipleObjectsEx WaitForSingleObject WaitForSingleObjectEx

api-ms-win-core-sysinfo-l1-1-0.dll
    GetComputerNameExA GetComputerNameExW GetDynamicTimeZoneInformation GetLocalTime GetLogicalProcessorInformation GetLogicalProcessorInformationEx GetSystemDirectoryA GetSystemDirectoryW GetSystemInfo GetSystemTime GetSystemTimeAdjustment GetSystemTimeAsFileTime GetSystemWindowsDirectoryA GetSystemWindowsDirectoryW GetTickCount GetTickCount64 GetTimeZoneInformation GetTimeZoneInformationForYear GetVersion GetVersionExA GetVersionExW GetWindowsDirectoryA GetWindowsDirectoryW GlobalMemoryStatusEx SetLocalTime SystemTimeToFileTime SystemTimeToTzSpecificLocalTime TzSpecificLocalTimeToSystemTime

api-ms-win-core-threadpool-l1-1-0.dll
    CallbackMayRunLong CancelThreadpoolIo ChangeTimerQueueTimer CloseThreadpool CloseThreadpoolCleanupGroup CloseThreadpoolCleanupGroupMembers CloseThreadpoolIo CloseThreadpoolTimer CloseThreadpoolWait CloseThreadpoolWork CreateThreadpool CreateThreadpoolCleanupGroup CreateThreadpoolIo CreateThreadpoolTimer CreateThreadpoolWait CreateThreadpoolWork CreateTimerQueue CreateTimerQueueTimer DeleteTimerQueueEx DeleteTimerQueueTimer DisassociateCurrentThreadFromCallback FreeLibraryWhenCallbackReturns IsThreadpoolTimerSet LeaveCriticalSectionWhenCallbackReturns QueryThreadpoolStackInformation RegisterWaitForSingleObjectEx ReleaseMutexWhenCallbackReturns ReleaseSemaphoreWhenCallbackReturns SetEventWhenCallbackReturns SetThreadpoolStackInformation SetThreadpoolThreadMaximum SetThreadpoolThreadMinimum SetThreadpoolTimer SetThreadpoolWait StartThreadpoolIo SubmitThreadpoolWork TrySubmitThreadpoolCallback UnregisterWaitEx WaitForThreadpoolIoCallbacks WaitForThreadpoolTimerCallbacks WaitForThreadpoolWaitCallbacks WaitForThreadpoolWorkCallbacks

api-ms-win-core-util-l1-1-0.dll
    Beep DecodePointer DecodeSystemPointer EncodePointer EncodeSystemPointer

api-ms-win-core-xstate-l1-1-0.dll
    RtlCopyExtendedContext RtlGetEnabledExtendedFeatures RtlGetExtendedContextLength RtlGetExtendedFeaturesMask RtlInitializeExtendedContext RtlLocateExtendedFeature RtlLocateLegacyContext RtlSetExtendedFeaturesMask

api-ms-win-security-base-l1-1-0.dll
    AccessCheck AccessCheckAndAuditAlarmW AccessCheckByType AccessCheckByTypeAndAuditAlarmW AccessCheckByTypeResultList AccessCheckByTypeResultListAndAuditAlarmByHandleW AccessCheckByTypeResultListAndAuditAlarmW AddAccessAllowedAce AddAccessAllowedAceEx AddAccessAllowedObjectAce AddAccessDeniedAce AddAccessDeniedAceEx AddAccessDeniedObjectAce AddAce AddAuditAccessAce AddAuditAccessAceEx AddAuditAccessObjectAce AddMandatoryAce AdjustTokenGroups AdjustTokenPrivileges AllocateAndInitializeSid AllocateLocallyUniqueId AreAllAccessesGranted AreAnyAccessesGranted CheckTokenMembership ConvertToAutoInheritPrivateObjectSecurity CopySid CreatePrivateObjectSecurity CreatePrivateObjectSecurityEx CreatePrivateObjectSecurityWithMultipleInheritance CreateRestrictedToken CreateWellKnownSid DeleteAce DestroyPrivateObjectSecurity DuplicateToken DuplicateTokenEx EqualDomainSid EqualPrefixSid EqualSid FindFirstFreeAce FreeSid GetAce GetAclInformation GetFileSecurityW GetKernelObjectSecurity GetLengthSid GetPrivateObjectSecurity GetSecurityDescriptorControl GetSecurityDescriptorDacl GetSecurityDescriptorGroup GetSecurityDescriptorLength GetSecurityDescriptorOwner GetSecurityDescriptorRMControl GetSecurityDescriptorSacl GetSidIdentifierAuthority GetSidLengthRequired GetSidSubAuthority GetSidSubAuthorityCount GetTokenInformation GetWindowsAccountDomainSid ImpersonateAnonymousToken ImpersonateLoggedOnUser ImpersonateSelf InitializeAcl InitializeSecurityDescriptor InitializeSid IsTokenRestricted IsValidAcl IsValidRelativeSecurityDescriptor IsValidSecurityDescriptor IsValidSid IsWellKnownSid MakeAbsoluteSD MakeAbsoluteSD2 MakeSelfRelativeSD MapGenericMask ObjectCloseAuditAlarmW ObjectDeleteAuditAlarmW ObjectOpenAuditAlarmW ObjectPrivilegeAuditAlarmW PrivilegeCheck PrivilegedServiceAuditAlarmW QuerySecurityAccessMask RevertToSelf SetAclInformation SetFileSecurityW SetKernelObjectSecurity SetPrivateObjectSecurity SetPrivateObjectSecurityEx SetSecurityAccessMask SetSecurityDescriptorControl SetSecurityDescriptorDacl SetSecurityDescriptorGroup SetSecurityDescriptorOwner SetSecurityDescriptorRMControl SetSecurityDescriptorSacl SetTokenInformation

api-ms-win-security-lsalookup-l1-1-0.dll
    LookupAccountNameLocalA LookupAccountNameLocalW LookupAccountSidLocalA LookupAccountSidLocalW LsaLookupClose LsaLookupFreeMemory LsaLookupGetDomainInfo LsaLookupManageSidNameMapping LsaLookupOpenLocalPolicy LsaLookupTranslateNames LsaLookupTranslateSids

api-ms-win-security-sddl-l1-1-0.dll
    ConvertSecurityDescriptorToStringSecurityDescriptorW ConvertSidToStringSidW ConvertStringSecurityDescriptorToSecurityDescriptorW ConvertStringSidToSidW

api-ms-win-service-core-l1-1-0.dll
    RegisterServiceCtrlHandlerExW SetServiceStatus StartServiceCtrlDispatcherW

api-ms-win-service-management-l1-1-0.dll
    CloseServiceHandle ControlServiceExW CreateServiceW DeleteService OpenSCManagerW OpenServiceW StartServiceW

api-ms-win-service-management-l2-1-0.dll
    ChangeServiceConfig2W ChangeServiceConfigW NotifyServiceStatusChangeW QueryServiceConfig2W QueryServiceConfigW QueryServiceObjectSecurity QueryServiceStatusEx SetServiceObjectSecurity

api-ms-win-service-winsvc-l1-1-0.dll
    ChangeServiceConfig2A ChangeServiceConfigA ControlService ControlServiceExA CreateServiceA I_QueryTagInformation I_ScBroadcastServiceControlMessage I_ScIsSecurityProcess I_ScPnPGetServiceName I_ScQueryServiceConfig I_ScRpcBindA I_ScRpcBindW I_ScSendPnPMessage I_ScSendTSMessage I_ScValidatePnPService NotifyServiceStatusChangeA OpenSCManagerA OpenServiceA QueryServiceConfig2A QueryServiceConfigA QueryServiceStatus RegisterServiceCtrlHandlerA RegisterServiceCtrlHandlerExA RegisterServiceCtrlHandlerW StartServiceA StartServiceCtrlDispatcherA