Windows Native API

Definition
The Windows Native API, also known as the Native API, is the low‑level programming interface provided by the Windows NT family of operating systems for direct interaction with the kernel. It consists of the system‑call functions (the Nt* and Zw* families) exported primarily by ntdll.dll, most of which are undocumented, and is used internally by the OS and certain system utilities to perform core operations such as process and thread management, memory handling, and object manipulation.

Overview
The Native API resides beneath the higher‑level Win32 API (the public Windows API) and the environment subsystems that historically sat alongside it (POSIX and OS/2). While the Win32 API presents a stable, documented surface for application developers, the Native API is the thin user‑mode edge of the kernel's system‑call interface: each Nt* export in ntdll.dll is a short stub that transfers control to the kernel, where the Windows Executive implements the requested service. Most Win32 calls resolve to one or a few Native API calls (CreateFileW, for instance, ends in NtCreateFile), which makes the Native API the narrowest point at which user‑mode activity can be observed or controlled. Because Microsoft documents only a small subset of these functions, their use is generally limited to system components, certain low‑level utilities, and developers performing advanced debugging, reverse engineering, or compatibility work.

Etymology / Origin
The term “Native API” derives from the notion of a “native” (i.e., directly built‑in) interface to the operating system’s core, as opposed to higher‑level abstractions. It emerged with the introduction of Windows NT 3.1 in 1993, when Microsoft created a microkernel‑inspired architecture that separated user‑mode libraries (ntdll.dll) from the kernel. Microsoft’s own kernel‑mode documentation refers to these functions as the “native system services routines,” which the community shortened to “Native API.” The prefixes Nt and Zw used for function names (e.g., NtCreateFile, ZwCreateFile) originate in the kernel’s naming conventions: in ntdll.dll the two names are identical stubs, while in ntoskrnl.exe the Nt* symbol is the service implementation and the Zw* symbol is the variant intended for kernel‑mode callers (see Characteristics).

Characteristics

Feature Description
Primary Export Library ntdll.dll (User‑mode) and ntoskrnl.exe (Kernel‑mode) provide the callable entry points.
Naming Convention Functions typically start with Nt or Zw. In ntdll.dll both names resolve to the same stub. In the kernel, Nt* is the implementation and Zw* is a wrapper that records the caller as kernel mode (PreviousMode), so pointer and handle arguments are not probed as user‑supplied; kernel‑mode code calling a system service should therefore use the Zw* form, and an Nt* call from kernel mode with a user‑style buffer is a correctness and security bug.
Undocumented Microsoft does not publish official specifications; knowledge is gathered from reverse engineering, leaked internal documents, and community research.
Stability Because it is undocumented, the API can change between Windows releases: system service numbers, structure layouts, and function behavior differ between builds, so software that hard‑codes them breaks across releases.
Scope Provides access to core kernel objects: processes, threads, files, registry, security tokens, synchronization primitives, and more.
Interaction Model Each ntdll.dll stub loads the system service number into EAX and enters the kernel (syscall on x64, sysenter on 32‑bit x86, int 2Eh as the legacy fallback); the kernel’s system‑call handler uses that number to index the System Service Descriptor Table (SSDT) and invoke the corresponding Nt* routine.
Use Cases System utilities (e.g., csrss.exe, winlogon.exe), early boot components, compatibility layers, low‑level debuggers, and research tools.
Security Implications Because the Native API sits beneath Win32, code that calls Nt* functions directly, or that issues the syscall instruction itself with a resolved service number, sidesteps any monitoring a security product places on kernel32.dll or ntdll.dll (user‑mode hooks); kernel‑side telemetry such as ETW providers and kernel callbacks is therefore the more reliable observation point. The kernel validates system‑call arguments from user mode regardless of which stub issued the call, so direct use does not weaken the user/kernel boundary; it only removes the compatibility and convenience behavior of the Win32 layer. Kernel Patch Protection (PatchGuard) prevents the SSDT and other kernel structures from being modified at run time, and driver signing enforcement limits who can load code that reaches the kernel‑mode side of these services.

Related Topics

  • Win32 API – The documented user‑mode API for general Windows application development.
  • Windows NT Kernel – The core component that implements the services accessed via the Native API.
  • ntdll.dll – The user‑mode DLL that houses the exported Native API functions.
  • System Call Interface (SCI) – The mechanism by which user‑mode code requests kernel services; the Nt* stubs in ntdll.dll are its user‑mode entry points.
  • Executive Subsystems – Kernel modules (e.g., Object Manager, I/O Manager) that process Native API requests.
  • Windows Subsystem for Linux (WSL) – Unlike the classic environment subsystems, WSL 1 implemented Linux system calls in a kernel driver (lxcore.sys) rather than through ntdll.dll, and WSL 2 runs a Linux kernel in a virtual machine.
  • Reverse Engineering of Windows – Community effort to document the Native API functions and their behavior.

Note: While extensive information about the Windows Native API is available through technical research and community documentation, official Microsoft documentation covers only a small subset of these functions (in winternl.h and the driver kit) and states that they may be changed or removed in future Windows releases without notice.
