Do ntdll.dll routines have same level of authority as ntoskrnl.exe calls?

  • Question

  • I know that ntdll.dll exposes the USERMODE side of the native API. However, most of the functions in ntdll seem to work with the same level of authority as the kernel mode routines in ntoskrnl.exe. So I was just wondering, does ntdll have any restrictions as to what it can do because it’s for usermode programs, or does it have the exact same level of authority as ntoskrnl, and is just for use by usermode programs?

    thanks.

    Thursday, May 3, 2018 5:13 PM

All replies

  • The Windows Native API (Ntdll.dll) is a user-mode library. So it can't do anything that a user-mode library can't, and it doesn't have permission to directly call kernel-mode code.

    What it does is pass through one special interface the kernel provides in order to receive user-mode calls. Depending on the version and on the CPU, the ntdll functions load a couple of registers with (a) a number representing the id of the requested operation, and (b) the address of the stack, containing arguments for this operation. Then it does something that causes the CPU to transition into kernel mode and start executing the entry point for system calls.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, May 4, 2018 6:14 AM
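
The stub described in the answer above, as an added example that is not part of the original thread and is not Microsoft's code: a C routine that reads constructed bytes laid out like an x64 ntdll stub and recovers the operation number loaded before the `syscall` instruction. The byte layout is the common x64 form and the number 0x1234 is a placeholder; both are assumptions, since the answer notes the details depend on version and CPU.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample bytes laid out like an x64 ntdll system-call stub.
   The service number 0x1234 is a placeholder, not a real Windows value. */
static const uint8_t sample_stub[] = {
    0x4C, 0x8B, 0xD1,                   /* mov r10, rcx                   */
    0xB8, 0x34, 0x12, 0x00, 0x00,       /* mov eax, 0x1234 (operation id) */
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01, /* test byte ptr [abs32], 1 */
    0x75, 0x03,                         /* jne -> int 2Eh path            */
    0x0F, 0x05,                         /* syscall: CPU enters kernel mode */
    0xC3,                               /* ret                            */
    0xCD, 0x2E,                         /* int 2Eh (alternate entry)      */
    0xC3                                /* ret                            */
};

/* Returns the operation number if buf has the expected stub shape (the
   prologue, then a SYSCALL opcode within the first 32 bytes), or -1 if it
   does not, e.g. because the first bytes were replaced by a jump.
   The opcode search is a byte-pattern heuristic, not a disassembler. */
long stub_service_number(const uint8_t *buf, size_t len)
{
    static const uint8_t prologue[] = { 0x4C, 0x8B, 0xD1, 0xB8 };
    if (len < 10 || memcmp(buf, prologue, sizeof prologue) != 0)
        return -1;
    /* imm32 operand of "mov eax", stored little-endian */
    uint32_t num = (uint32_t)buf[4] | (uint32_t)buf[5] << 8 |
                   (uint32_t)buf[6] << 16 | (uint32_t)buf[7] << 24;
    size_t limit = len < 32 ? len : 32;
    for (size_t i = 8; i + 1 < limit; i++)
        if (buf[i] == 0x0F && buf[i + 1] == 0x05)
            return (long)num;
    return -1;
}

int main(void)
{
    long n = stub_service_number(sample_stub, sizeof sample_stub);
    printf("operation number: 0x%lx\n", (unsigned long)n);
    return n == 0x1234 ? 0 : 1;
}
```

Nothing in the stub performs a privileged operation itself; the work and the access checks happen in the kernel after the transition.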
  • It is appreciated that you can mark the helpful suggestions as an answer, helping us close the thread.

    Thanks in advance.


    Monday, May 7, 2018 9:51 AM