Work in progress


The Native API (with capitalized N) is the mostly undocumented application programming interface used internally by the Windows NT family of operating systems. It is predominately used during system boot, when other components of Windows are unavailable. The Program Entry point is called DriverEntry(), the same as for a Windows Device Driver. However, the application runs in Ring 3 the same as a regular Windows Application. Most of the Native API calls are implemented in ntoskrnl.exe and are exposed to user mode by ntdll.dll. Some Native API calls are implemented in user mode directly within ntdll.dll.
While most of Microsoft Windows is implemented using the documented and well-defined Windows API, a few components, such as the Client/Server Runtime Subsystem, are implemented using the Native API, as they can be started earlier in the Windows NT Startup Process when the Windows API is not yet available.

Return to top

The Native API Architecture

The Windows Native API serves one purpose: as a means for calling operating system services located in kernel mode in a controlled manner. Kernel mode is where the core of Windows executes and it's in kernel mode that components have direct access to hardware and services that perform management of the computer's resources including memory, devices and processes. The Native API is equivalent to the system call interface on traditional monolithic operating systems such as most UNIX versions. On most UNIXes, however, the system call interface is well documented and is generally available for use by standard applications; in Windows the Native API, its system call interface, is hidden from programmers behind higher level APIs : the reason behind this is Windows' architecture, starting from the NT version of the operating system.    

Return to top

See Also