ntdll.dll vs. ntoskrnl.exe

Casper Hornstrup chorns at users.sourceforge.net
Sat Sep 14 19:29:26 CDT 2002

> Hi,
On Sun, 15 Sep 2002 01:36:36 +0200, Steven Edwards wrote:
> > Jan Kratochvil wrote:
> > > What are the differences between "ntdll.dll" and "ntoskrnl.exe"?
> > If you are talking about Rtl and Zw functions I think that ntdll 
> > should
> > still export the same things that ntoskrnl.exe does but 
> under a differnt 
> > name. What functions are you speaking of that are missing 
> from ntdll but 
> > are in ntoskrnl?
> Out of 101 functions imported from "ntoskrnl.exe" only 21 are 
> found also in "ntdll.dll". Missing ones are 
> IoReleaseVpbSpinLock, IoAcquireVpbSpinLock, 
> KeInitializeSpinLock, MmProbeAndLockPages etc.

Those functions you mention that are missing are kernel-mode only APIs,
ie. only kernel-mode drivers use them.

> But I was more interested in the backround - how it is ever 
> possible that Windows system at all has two basic libraries 
> from one vendor with similiar function name interfaces with 
> function name colliding each other?

Calling ntoskrnl.exe a "basic library" is a major understatement ;-)
Ntoskrnl.exe is _the_ core OS component. It provides OS services like
memory management, process and thread management, I/O infrastructure,
etc. Ntdll.dll is the kernel-mode/user-mode gateway between ntoskrnl.exe
and applications (ie. the syscall interface). Ntdll.dll wraps services
that are available to applications.

> OK, there is no technical 
> problem as it has different namespaces but just why they did 
> it? 

To provide OS services to applications.

> And do behave functions in these two libraries on the 
> native W32 system exactly the same?

They are the same functions. They are just accessed differently
on where you call them from (kernel-mode or user-mode).

> It is described just once 
> in the documentation.  :-?

Most of these APIs are undocumented by MS. Most likely done to be able
change the APIs in future versions of Windows if needed.

