WinAPI

WinAPI is the OS-interface for applications running on Windows.
The default calling convention for the Win32 API is stdcall.

DLLs

The documented WinAPI functions are implemented in kernel32.dll, advapi32.dll, gdi32.dll, user32.dll (and others?).
These DLLs forward calls to WinAPI functions to the appropriate and undocumented (for user mode) Native API functions that are exported in ntdll.dll (and still run in user mode).
ntdll.dll then forwards such calls to ntoskrnl.exe and win32k.sys.
Base services for accessing the file system, managing processes and handling devices are implemented in kernel32.dll.
Apparently, with Windows 7, these system libraries were refactored into Kernelbase32.dll.

WOW64

WOW64 allows 32-bit processes to run on 64-bit Windows.
\Windows\SysWOW64

Native System Services / Kernel support functions

WinAPI functions must be distinguished from native system services and kernel support functions: Only WinAPI functions are documented.
Native system services are functions that are callable from user mode. For example, an application might call the WinAPI CreateProcess() function which in turn calls the native system service function NtCreateService().
A kernel support function can only be called from kernel mode, typically by device drivers.
An example is ExAllocatePoolWithTag, which allocates memory.

Strings

The Win32 API expects strings to be NULL-terminated while the Native API expects the length of a string.
For example, NtCreateKey gets a pointer to a UNICODE_STRING struct which has the member Length, while RegCreateKeyExW gets an «ordinary» LPCWSTR.
This has the interesting consequence that RegCreateKeyExW cannot be used to create a registry key whose name contains a zero character, although such keys are possible if created with NtCreateKey.
This behavior also gives rise to the Sysinternals tool RegHide.
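As an added illustration (not from the original notes), the following C example mimics the UNICODE_STRING counted-string layout declared in winternl.h and shows how a key name with an embedded zero character is seen by a counted consumer (Native API) versus a NUL-terminated consumer (Win32, LPCWSTR). The struct and WCHAR are redefined locally so the code compiles off Windows; the function names and the sample name are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Local copy of the winternl.h layout: Length is in bytes and does NOT
   include any terminating zero, so the buffer may contain zero characters. */
typedef uint16_t WCHAR;
typedef struct _UNICODE_STRING {
    uint16_t Length;        /* bytes in use */
    uint16_t MaximumLength; /* bytes available in Buffer */
    WCHAR   *Buffer;
} UNICODE_STRING;

/* Wrap a raw buffer of n_chars characters as a counted string. */
static void init_counted(UNICODE_STRING *us, WCHAR *buf, size_t n_chars)
{
    us->Buffer = buf;
    us->Length = (uint16_t)(n_chars * sizeof(WCHAR));
    us->MaximumLength = us->Length;
}

/* Characters the Native API honours: the full counted length. */
static size_t counted_length(const UNICODE_STRING *us)
{
    return us->Length / sizeof(WCHAR);
}

/* Characters a NUL-terminated Win32 consumer sees: it stops at the first 0.
   Bounded by the counted length so a buffer without terminator is not overrun. */
static size_t terminated_length(const UNICODE_STRING *us)
{
    size_t n = 0, max = counted_length(us);
    while (n < max && us->Buffer[n] != 0) n++;
    return n;
}

/* Returns 1 when a Win32 caller could only ever reach a prefix of this name,
   i.e. a scanner must go through the Native API to open it (RegHide case). */
static int name_needs_native_api(const WCHAR *buf, size_t n_chars)
{
    UNICODE_STRING us;
    init_counted(&us, (WCHAR *)buf, n_chars);
    return terminated_length(&us) < counted_length(&us);
}

int main(void)
{
    /* Constructed sample: "hidden", a zero character, then "key" (10 chars). */
    static WCHAR name[] = { 'h','i','d','d','e','n', 0, 'k','e','y' };
    printf("needs native api: %d\n", name_needs_native_api(name, 10));
    return 0;
}
```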

No hooking functionality

Windows does not natively provide a system call hooking facility like ptrace on Linux.
Some skilled developers have therefore developed kernel drivers (rootkits) that hooked the System Service Descriptor Table (SSDT), which then made it possible to trace system calls on Windows.
With 64-bit versions of Windows, patching the SSDT has become more difficult because of Kernel Patch Protection.

TODO

WinRT

Windows Runtime (=WinRT) is an alternative API, implemented in C++, within the Win32 subsystem.
WinAPI is the underlying technology of WinRT.
WinRT must not be confused with Windows RT (a deprecated mobile operating system).

See also

Structured Exception Handling
Process Status (PSAPI)
Using the WinAPI in Visual Basic for Applications
Data types
WinAPI A and W functions.
Debugging
The base WinAPI C definitions are found in the WinBase.h header file.
The Docker Container Base Image Windows.
The Python MessageBox example demonstrates how it is possible to call the user32.dll from Python.
Calling the WinAPI function MessageBox from PowerShell: here and with the cmdlet Add-Type.
In the world of .NET, WinAPI is «Unmanaged code».

Links

Windows API Index