ntifs.h header

This header file is used by Windows file system and filter driver developers. For a complete list of associated header files, see:

For the programming guide, see the File system and minifilter design guide.

ntifs.h contains the following programming interfaces:

IOCTLs

 
FSCTL_MANAGE_BYPASS_IO

The FSCTL_MANAGE_BYPASS_IO control code controls BypassIO operations on a given file in the filter and file system stacks.
FSCTL_MARK_HANDLE

The FSCTL_MARK_HANDLE control code marks a specified file or directory and its change journal record with information about changes to that file or directory.
FSCTL_QUERY_ALLOCATED_RANGES

Learn more about the FSCTL_QUERY_ALLOCATED_RANGES FSCTL.
FSCTL_QUERY_FILE_REGIONS

Learn more about the FSCTL_QUERY_FILE_REGIONS FS control code.
FSCTL_REARRANGE_FILE

Learn more about the FSCTL_REARRANGE_FILE FS control code.
FSCTL_REFS_DEALLOCATE_RANGES_EX

Learn more about the FSCTL_REFS_DEALLOCATE_RANGES_EX FSCTL.
FSCTL_SET_CACHED_RUNS_STATE

Learn more about the FSCTL_SET_CACHED_RUNS_STATE FSCTL.
FSCTL_SET_PURGE_FAILURE_MODE

Learn more about the FSCTL_SET_PURGE_FAILURE_MODE IOCTL.
FSCTL_SHUFFLE_FILE

Learn more about the FSCTL_SHUFFLE_FILE FS control code.
IOCTL_REDIR_QUERY_PATH

Learn more about the IOCTL_REDIR_QUERY_PATH control code.
IOCTL_REDIR_QUERY_PATH_EX

Learn more about the IOCTL_REDIR_QUERY_PATH_EX control code.
IOCTL_VOLSNAP_FLUSH_AND_HOLD_WRITES

The IOCTL_VOLSNAP_FLUSH_AND_HOLD_WRITES control code is sent to force a flush of a file system before a volume shadow copy occurs.

Functions

 
CcCanIWrite

Learn more about the CcCanIWrite function.
CcCoherencyFlushAndPurgeCache

The CcCoherencyFlushAndPurgeCache routine flushes and/or purges the cache to ensure cache coherency.
CcCopyRead

The CcCopyRead routine copies data from a cached file to a user buffer.
CcCopyReadEx

Learn more about the CcCopyReadEx routine.
CcCopyWrite

The CcCopyWrite routine copies data from a user buffer to a cached file.
CcCopyWriteEx

Learn more about the CcCopyWriteEx routine.
CcCopyWriteWontFlush

The CcCopyWriteWontFlush macro determines whether the amount of data to be copied in a call to CcCopyWrite is small enough not to require immediate flushing to disk if CcCopyWrite is called with Wait set to FALSE.
CcDeferWrite

The CcDeferWrite routine defers writing to a cached file.
CcFastCopyRead

Learn more about the CcFastCopyRead function.
CcFastCopyWrite

Learn more about the CcFastCopyWrite function.
CcFlushCache

The CcFlushCache routine flushes all or a portion of a cached file to disk.
CcGetCacheFileSize

Learn more about the CcGetCacheFileSize function.
CcGetDirtyPages

The CcGetDirtyPages routine searches for dirty pages in all files that match a given log handle.
CcGetFileObjectFromBcb

Given a pointer to a pinned buffer control block (BCB) for a file, the CcGetFileObjectFromBcb routine returns a pointer to the file object that the cache manager is using for that file.
CcGetFileObjectFromSectionPtrs

Given a pointer to the section object pointers for a cached file, the CcGetFileObjectFromSectionPtrs routine returns a pointer to the file object that the cache manager is using for the file.
CcGetFileObjectFromSectionPtrsRef

When passed a pointer to a SECTION_OBJECT_POINTERS structure for a cached file, the CcGetFileObjectFromSectionPtrsRef routine returns a pointer to the file object that the cache manager is using for the cached file.
CcGetFileSizePointer

Learn more about the CcGetFileSizePointer function.
CcGetFlushedValidData

The CcGetFlushedValidData routine determines how much of a cached file has been flushed to disk.
CcInitializeCacheMap

File systems call the CcInitializeCacheMap routine to cache a file.
CcIsThereDirtyData

The CcIsThereDirtyData routine determines whether a mounted volume contains any files that have dirty data in the system cache.
CcIsThereDirtyDataEx

The CcIsThereDirtyDataEx routine determines whether a volume contains any files that have dirty data in the system cache.
CcMapData

The CcMapData routine maps a specified byte range of a cached file to a buffer in memory.
CcMdlReadComplete

The CcMdlReadComplete routine frees the memory descriptor lists (MDL) created by CcMdlRead for a cached file.
CcMdlWriteAbort

The CcMdlWriteAbort routine frees memory descriptor lists (MDL) created by an earlier call to CcPrepareMdlWrite.
CcMdlWriteComplete

The CcMdlWriteComplete routine frees the memory descriptor lists (MDL) created by CcPrepareMdlWrite for a cached file.
CcPinMappedData

The CcPinMappedData routine pins the specified byte range of a cached file.
CcPinRead

The CcPinRead routine pins the specified byte range of a cached file and reads the pinned data into a buffer in memory.
CcPrepareMdlWrite

The CcPrepareMdlWrite routine provides direct access to cached file memory so that the caller can write data to the file.
CcPreparePinWrite

The CcPreparePinWrite routine pins the specified byte range of a cached file for write access.
CcPurgeCacheSection

The CcPurgeCacheSection routine purges all or a portion of a cached file from the system cache.
CcRemapBcb

The CcRemapBcb routine maps a buffer control block (BCB) an additional time to preserve it through several calls that perform additional maps and unpins.
CcRepinBcb

The CcRepinBcb routine pins a buffer control block (BCB) an additional time to prevent it from being freed by a subsequent call to CcUnpinData.
CcScheduleReadAhead

The CcScheduleReadAhead routine performs read-ahead (also called "lazy read") on a cached file. CcScheduleReadAhead should never be called directly. The CcReadAhead macro should be called instead.
CcScheduleReadAheadEx

Learn more about the CcScheduleReadAheadEx routine.
CcSetAdditionalCacheAttributes

Call the CcSetAdditionalCacheAttributes routine to enable or disable read-ahead (also called "lazy read") or write-behind (also called "lazy write") on a cached file.
CcSetAdditionalCacheAttributesEx

Learn more about the CcSetAdditionalCacheAttributesEx routine.
CcSetBcbOwnerPointer

The CcSetBcbOwnerPointer routine sets the owner thread pointer for a pinned buffer control block (BCB).
CcSetCacheFileSizes

Learn more about the CcSetCacheFileSizes function.
CcSetDirtyPageThreshold

The CcSetDirtyPageThreshold routine sets a per-file dirty page threshold on a cached file.
CcSetDirtyPinnedData

The CcSetDirtyPinnedData routine marks as dirty the buffer control block (BCB) for a pinned buffer whose contents have been modified.
CcSetFileSizes

Learn more about the CcSetFileSizes function.
CcSetFileSizesEx

Learn more about the CcSetFileSizesEx function.
CcSetLogHandleForFile

The CcSetLogHandleForFile routine sets a log handle for a file.
CcSetReadAheadGranularity

The CcSetReadAheadGranularity routine sets the read-ahead granularity for a cached file.
CcUninitializeCacheMap

The CcUninitializeCacheMap routine stops the caching of a cached file.
CcUnpinData

The CcUnpinData routine releases cached file data that was mapped or pinned by an earlier call to CcMapData, CcPinRead, or CcPreparePinWrite.
CcUnpinDataForThread

The CcUnpinDataForThread routine releases pages of a cached file whose buffer control block (BCB) was modified by an earlier call to CcSetBcbOwnerPointer.
CcUnpinRepinnedBcb

The CcUnpinRepinnedBcb routine unpins a repinned buffer control block (BCB).
CcWaitForCurrentLazyWriterActivity

The CcWaitForCurrentLazyWriterActivity routine puts the caller into a wait state until the current batch of lazy writer activity is completed.
CcZeroData

The CcZeroData routine zeros the specified range of bytes in a cached or noncached file.
ExAdjustLookasideDepth

Microsoft reserves the ExAdjustLookasideDepth function for internal use only. Don't use this function in your code.
ExDisableResourceBoostLite

Microsoft reserves the ExDisableResourceBoostLite function for internal use only. Don't use this function in your code.
ExQueryPoolBlockSize

Obsolete.
FsRtlAcknowledgeEcp

Learn more about the FsRtlAcknowledgeEcp routine.
FsRtlAcquireFileExclusive

Microsoft reserves the FsRtlAcquireFileExclusive function for internal use only. Don't use this function in your code.
FsRtlAddBaseMcbEntryEx

The FsRtlAddBaseMcbEntryEx function is used to add a new mapping of virtual block numbers (VBN's) to logical block numbers (LBN's) to an existing map control block (MCB).
FsRtlAddLargeMcbEntry

The FsRtlAddLargeMcbEntry routine adds a new mapping to an existing map control block (MCB).
FsRtlAddMcbEntry

The FsRtlAddMcbEntry function is obsolete.
FsRtlAddToTunnelCache

The FsRtlAddToTunnelCache routine caches a file name that is removed from a directory when a file is renamed or deleted.
FsRtlAllocateAePushLock

Learn more about the FsRtlAllocateAePushLock macro.
FsRtlAllocateExtraCreateParameter

The FsRtlAllocateExtraCreateParameter routine allocates memory for an extra create parameter (ECP) context structure and generates a pointer to that structure.
FsRtlAllocateExtraCreateParameterFromLookasideList

The FsRtlAllocateExtraCreateParameterFromLookasideList routine allocates memory pool from a given lookaside list for an extra create parameter (ECP) context structure, and generates a pointer to that structure.
FsRtlAllocateExtraCreateParameterList

Learn more about the FsRtlAllocateExtraCreateParameterList function.
FsRtlAllocateFileLock

The FsRtlAllocateFileLock routine allocates and initializes a new FILE_LOCK structure.
FsRtlAllocatePoolWithQuotaTag

Learn more about the FsRtlAllocatePoolWithQuotaTag function.
FsRtlAllocatePoolWithTag

Learn more about the FsRtlAllocatePoolWithTag function.
FsRtlAllocateResource

The FsRtlAllocateResource function is obsolete.
FsRtlAreNamesEqual

The FsRtlAreNamesEqual routine determines whether two Unicode strings are equal.
FsRtlAreThereCurrentFileLocks

The FsRtlAreThereCurrentFileLocks macro checks whether any byte range locks exist for the specified file.
FsRtlAreThereCurrentOrInProgressFileLocks

TheFsRtlAreThereCurrentOrInProgressFileLocks routine determines if there are byte range locks assigned to a file or any lock operations in progress for that file.
FsRtlAreThereWaitingFileLocks

The FsRtlAreThereWaitingFileLocks routine checks a file lock queue for any waiting file locks.
FsRtlAreVolumeStartupApplicationsComplete

The FsRtlAreVolumeStartupApplicationsComplete function determines whether volume startup applications have completed processing.
FsRtlBalanceReads

The FsRtlBalanceReads routine signals to a fault-tolerant disk driver that it is now safe to start balancing reads from a mirrored drive.
FsRtlCancellableWaitForMultipleObjects

The FsRtlCancellableWaitForMultipleObjects routine executes a cancelable wait operation (a wait that can be terminated) on one or more dispatcher objects.
FsRtlCancellableWaitForSingleObject

The FsRtlCancellableWaitForSingleObject routine executes a cancelable wait operation (a wait that can be terminated) on a dispatcher object.
FsRtlChangeBackingFileObject

The FsRtlChangeBackingFileObject routine replaces the current file object with a new file object.
FsRtlCheckLockForOplockRequest

Learn more about the FsRtlCheckLockForOplockRequest routine.
FsRtlCheckLockForReadAccess

The FsRtlCheckLockForReadAccess routine determines whether the process associated with a given IRP has read access to a locked region of a file.
FsRtlCheckLockForWriteAccess

The FsRtlCheckLockForWriteAccess routine determines whether the process associated with a given IRP has write access to a locked region of a file.
FsRtlCheckOplock

Learn more about the FsRtlCheckOplock function.
FsRtlCheckOplockEx

Learn more about the FsRtlCheckOplockEx function.
FsRtlCheckOplockEx2

FsRtlCheckOplockEx2 synchronizes the IRP for a file I/O operation with the current opportunistic lock (oplock) state of the file.
FsRtlCheckUpperOplock

Learn more about the FsRtlCheckUpperOplock routine.
FsRtlCompleteRequest

The FsRtlCompleteRequest macro completes an IRP with the specified status.
FsRtlCopyRead

Learn more about the FsRtlCopyRead function.
FsRtlCopyWrite

Learn more about the FsRtlCopyWrite function.
FsRtlCreateSectionForDataScan

The FsRtlCreateSectionForDataScan routine creates a section object.
FsRtlCurrentBatchOplock

A file system or filter driver calls FsRtlCurrentBatchOplock to determine whether there are any batch or filter opportunistic locks (oplocks) on a file.
FsRtlCurrentOplock

A file system or filter driver calls FsRtlCurrentOplock to determine whether there are any opportunistic locks (oplocks) on a file.
FsRtlCurrentOplockH

A file system or filter driver calls FsRtlCurrentOplockH to determine whether there are any CACHE_HANDLE_LEVEL opportunistic locks (oplocks) on a file.
FsRtlDeleteExtraCreateParameterLookasideList

The FsRtlDeleteExtraCreateParameterLookasideList routine frees an extra create parameter (ECP) lookaside list.
FsRtlDeleteKeyFromTunnelCache

The FsRtlDeleteKeyFromTunnelCache routine deletes any tunnel cache entries for files in a directory that is being deleted.
FsRtlDeleteTunnelCache

The FsRtlDeleteTunnelCache routine deletes a tunnel cache.
FsRtlDeregisterUncProvider

The FsRtlDeregisterUncProvider routine deregisters a redirector that was registered as a Universal Naming Convention (UNC) provider with the multiple UNC provider (MUP).
FsRtlDissectDbcs

Given an ANSI or double-byte character set (DBCS) pathname string, the FsRtlDissectDbcs routine returns two strings:_one containing the first file name found in the string, the other containing the remaining unparsed portion of the pathname string.
FsRtlDissectName

Given a Unicode pathname string, the FsRtlDissectName routine returns two strings, one containing the first file name found in the string, the other containing the remaining unparsed portion of the pathname string.
FsRtlDoesDbcsContainWildCards

The FsRtlDoesDbcsContainWildCards routine determines whether an ANSI or double-byte character set (DBCS) string contains wildcard characters.
FsRtlDoesNameContainWildCards

The FsRtlDoesNameContainWildCards routine determines whether a Unicode string contains wildcard characters.
FsRtlFastCheckLockForRead

The FsRtlFastCheckLockForRead routine determines whether the specified process has read access to a locked byte range of a file.
FsRtlFastCheckLockForWrite

The FsRtlFastCheckLockForWrite routine determines whether the specified process has write access to a locked byte range of a file.
FsRtlFastLock

The FsRtlFastLock macro is used by file systems and filter drivers to request a byte-range lock for a file stream.
FsRtlFastUnlockAll

The FsRtlFastUnlockAll routine releases all byte-range locks that were acquired by the specified process for a file.
FsRtlFastUnlockAllByKey

The FsRtlFastUnlockAllByKey routine releases all byte-range locks that were acquired by the specified process, with the specified key value, for a file.
FsRtlFastUnlockSingle

The FsRtlFastUnlockSingle routine releases a byte-range lock that was acquired by the specified process, with the specified key value, file offset, and length, for a file.
FsRtlFindExtraCreateParameter

The FsRtlFindExtraCreateParameter routine searches a given ECP list for an ECP context structure of a given type and returns a pointer to this structure if it is found.
FsRtlFindInTunnelCache

Learn more about the FsRtlFindInTunnelCache function.
FsRtlFreeAePushLock

Learn more about the FsRtlFreeAePushLock macro.
FsRtlFreeExtraCreateParameter

The FsRtlFreeExtraCreateParameter routine frees the memory for an ECP context structure.
FsRtlFreeExtraCreateParameterList

The FsRtlFreeExtraCreateParameterList routine frees an extra create parameter (ECP) list structure.
FsRtlFreeFileLock

The FsRtlFreeFileLock routine uninitializes and frees a file lock structure.
FsRtlGetBypassIoOpenCount

FsRtlGetBypassIoOpenCount returns a count of how many BypassIO opens there are for a given stream.
FsRtlGetBypassIoOpenCountPtr

FsRtlGetBypassIoOpenCountPtr returns a pointer to the count of how many BypassIO opens there are for a given stream.
FsRtlGetEcpListFromIrp

The FsRtlGetEcpListFromIrp routine returns a pointer to an extra create parameter (ECP) context structure list that is associated with a given IRP_MJ_CREATE operation.
FsRtlGetFileSize

The FsRtlGetFileSize routine is used to get the size of a file.
FsRtlGetNextExtraCreateParameter

The FsRtlGetNextExtraCreateParameter routine returns a pointer to the next (or first) extra create parameter (ECP) context structure in a given ECP list.
FsRtlGetNextFileLock

The FsRtlGetNextFileLock routine is used to enumerate the byte-range locks that currently exist for a specified file.
FsRtlGetNextLargeMcbEntry

The FsRtlGetNextLargeMcbEntry routine retrieves a mapping run from a map control block (MCB).
FsRtlGetNextMcbEntry

Learn more about the FsRtlGetNextMcbEntry function.
FsRtlGetPerStreamContextPointer

The FsRtlGetPerStreamContextPointer macro returns the file system's stream context for a file stream.
FsRtlGetSectorSizeInformation

The FsRtlGetSectorSizeInformation routine retrieves the physical and logical sector size information for a storage volume.
FsRtlGetSupportedFeatures

The FsRtlGetSupportedFeatures routine returns the supported features of a volume attached to the specified device object.
FsRtlIncrementCcFastMdlReadWait

The FsRtlIncrementCcFastMdlReadWait routine increments the cache manager's CcFastMdlReadWait performance counter member in a processor control block (PRCB) object.
FsRtlIncrementCcFastReadNotPossible

The FsRtlIncrementCcFastReadNotPossible routine increments the CcFastReadNotPossible performance counter in a per processor control block of cache manager system counters.
FsRtlIncrementCcFastReadNoWait

The FsRtlIncrementCcFastReadNoWait routine increments the CcFastReadNoWait performance counter in a per processor control block of cache manager system counters.
FsRtlIncrementCcFastReadResourceMiss

The FsRtlIncrementCcFastReadResourceMiss routine increments the CcFastReadNotPossible performance counter in a per processor control block of cache manager system counters.
FsRtlIncrementCcFastReadWait

The FsRtlIncrementCcFastReadWait routine increments the CcFastReadWait performance counter in a per processor control block of cache manager system counters.
FsRtlInitExtraCreateParameterLookasideList

The FsRtlInitExtraCreateParameterLookasideList routine initializes a paged or nonpaged pool lookaside list used for the allocation of one or more extra create parameter context structures (ECPs) of fixed size.
FsRtlInitializeBaseMcb

FsRtlInitializeBaseMcb initializes a new map control block (MCB) structure.
FsRtlInitializeBaseMcbEx

FsRtlInitializeBaseMcbEx initializes a new MCB structure.
FsRtlInitializeExtraCreateParameter

The FsRtlInitializeExtraCreateParameter routine initializes an extra create parameter (ECP) context structure.
FsRtlInitializeExtraCreateParameterList

The FsRtlInitializeExtraCreateParameterList routine initializes an extra create parameter (ECP) context structure list.
FsRtlInitializeFileLock

The FsRtlInitializeFileLock routine initializes a FILE_LOCK structure.
FsRtlInitializeLargeMcb

Learn more about the FsRtlInitializeLargeMcb function.
FsRtlInitializeMcb

The FsRtlInitializeMcb function is obsolete.
FsRtlInitializeOplock

FsRtlInitializeOplock initializes an opportunistic lock (oplock) pointer.
FsRtlInitializeTunnelCache

The FsRtlInitializeTunnelCache routine initializes a new tunnel cache for a volume.
FsRtlInitPerStreamContext

The FsRtlInitPerStreamContext macro initializes a filter driver context structure.
FsRtlInsertExtraCreateParameter

The FsRtlInsertExtraCreateParameter routine inserts an extra create parameter (ECP) context structure into an ECP list.
FsRtlInsertPerFileContext

The FsRtlInsertPerFileContext routine associates a FSRTL_PER_FILE_CONTEXT object with a driver-specified context object for a file.
FsRtlInsertPerFileObjectContext

For a "legacy" file system filter driver, the FsRtlInsertPerFileObjectContext function associates context information with a file object.
FsRtlInsertPerStreamContext

The FsRtlInsertPerStreamContext routine associates a file system filter driver's per-stream context structure with a file stream.
FsRtlIsAnsiCharacterLegal

The FsRtlIsAnsiCharacterLegal macro determines whether a character is a legal ANSI character.
FsRtlIsAnsiCharacterLegalFat

The FsRtlIsAnsiCharacterLegalFat macro determines whether an ANSI character is legal for FAT file names.
FsRtlIsAnsiCharacterLegalHpfs

The FsRtlIsAnsiCharacterLegalHpfs macro determines whether an ANSI character is legal for HPFS file names.
FsRtlIsAnsiCharacterLegalNtfs

The FsRtlIsAnsiCharacterLegalNtfs macro determines whether an ANSI character is legal for NTFS file names.
FsRtlIsAnsiCharacterLegalNtfsStream

The FsRtlIsAnsiCharacterLegalNtfsStream macro determines whether an ANSI character is legal for NTFS stream names.
FsRtlIsAnsiCharacterWild

The FsRtlIsAnsiCharacterWild macro determines whether an ANSI character is a wildcard character.
FsRtlIsDaxVolume

This routine queries if the specified file is on a direct access (DAX) volume.
FsRtlIsDbcsInExpression

The FsRtlIsDbcsInExpression routine determines whether an ANSI or double-byte character set (DBCS) string matches the specified pattern.
FsRtlIsEcpAcknowledged

The FsRtlIsEcpAcknowledged routine is used to determine if a given extra create parameter (ECP) context structure has been marked as acknowledged.
FsRtlIsEcpFromUserMode

The FsRtlIsEcpFromUserMode routine determines whether an extra create parameter (ECP) context structure originated from user mode.
FsRtlIsFatDbcsLegal

The FsRtlIsFatDbcsLegal routine determines whether the specified ANSI or double-byte character set (DBCS) string is a legal FAT file name.
FsRtlIsHpfsDbcsLegal

Learn more about the FsRtlIsHpfsDbcsLegal function.
FsRtlIsLeadDbcsCharacter

The FsRtlIsLeadDbcsCharacter macro determines whether a character is a lead byte (the first byte of a character) in a double-byte character set (DBCS).
FsRtlIsNameInExpression

The FsRtlIsNameInExpression routine determines whether a Unicode string matches the specified pattern.
FsRtlIsNameInUnUpcasedExpression

The FsRtlIsNameInUnUpcasedExpression routine determines whether a Unicode string matches the specified pattern.
FsRtlIsNtstatusExpected

The FsRtlIsNtstatusExpected routine determines whether the specified exception is handled by the exception filter.
FsRtlIsPagingFile

The FsRtlIsPagingFile routine determines whether a given file is a paging file.
FsRtlIssueDeviceIoControl

Learn more about the FsRtlIssueDeviceIoControl routine.
FsRtlIsSystemPagingFile

Learn more about the FsRtlIsSystemPagingFile routine.
FsRtlIsTotalDeviceFailure

The FsRtlIsTotalDeviceFailure function (ntifs.h) determines whether a media or other hardware failure has occurred.
FsRtlIsUnicodeCharacterWild

The FsRtlIsUnicodeCharacterWild macro determines whether a Unicode character is a wildcard character.
FsRtlKernelFsControlFile

Learn more about the FsRtlKernelFsControlFile function.
FsRtlLogCcFlushError

The FsRtlLogCcFlushError routine logs a lost delayed-write error and displays a dialog box to the user.
FsRtlLookupBaseMcbEntry

The FsRtlLookupBaseMcbEntry routine retrieves the mapping of a Vbn to an Lbn from an Mcb. It indicates if the mapping exists and the size of the run.
FsRtlLookupLargeMcbEntry

Learn more about the FsRtlLookupLargeMcbEntry function.
FsRtlLookupLastLargeMcbEntry

Learn more about the FsRtlLookupLastLargeMcbEntry function.
FsRtlLookupLastLargeMcbEntryAndIndex

Learn more about the FsRtlLookupLastLargeMcbEntryAndIndex function.
FsRtlLookupLastMcbEntry

Learn more about the FsRtlLookupLastMcbEntry function.
FsRtlLookupMcbEntry

The FsRtlLookupMcbEntry function is obsolete.
FsRtlLookupPerFileContext

The FsRtlLookupPerFileContext routine returns a pointer to a FSRTL_PER_FILE_CONTEXT object that is associated with a specified file.
FsRtlLookupPerFileObjectContext

For a "legacy" file system filter driver, the FsRtlLookupPerFileObjectContext function retrieves context information previously associated with a file object.
FsRtlLookupPerStreamContext

The FsRtlLookupPerStreamContext macro retrieves a per-stream context structure for a file stream.
FsRtlLookupPerStreamContextInternal

Learn more about the FsRtlLookupPerStreamContextInternal function.
FsRtlMdlReadCompleteDev

The FsRtlMdlReadCompleteDev routine completes the read operation that the FsRtlMdlReadDev routine initiated.
FsRtlMdlReadDev

The FsRtlMdlReadDev routine returns a memory descriptor list (MDL) that points directly to the specified byte range in the file cache.
FsRtlMdlReadEx

Learn more about the FsRtlMdlReadEx routine.
FsRtlMdlWriteCompleteDev

The FsRtlMdlWriteCompleteDev routine in ntifs.h frees the resources that FsRtlPrepareMdlWriteDev allocated.
FsRtlMupGetProviderIdFromName

The FsRtlMupGetProviderIdFromName routine gets the provider identifier of a network redirector that is registered with the multiple UNC provider (MUP) from the device name of the network redirector.
FsRtlMupGetProviderInfoFromFileObject

The FsRtlMupGetProviderInfoFromFileObject routine gets information about a network redirector that is registered with the multiple UNC provider (MUP) from a file object for a file that is located on a remote file system.
FsRtlNormalizeNtstatus

The FsRtlNormalizeNtstatus routine translates an arbitrary exception into a status value that is handled by the exception filter.
FsRtlNotifyCleanup

When the last handle to a file object is released, the FsRtlNotifyCleanup routine removes the file object's notify structure, if present, from the specified notify list.
FsRtlNotifyCleanupAll

The FsRtlNotifyCleanupAll routine removes all members of the specified notification list.
FsRtlNotifyFilterChangeDirectory

The FsRtlNotifyFilterChangeDirectory routine creates a notify structure for an IRP_MN_NOTIFY_CHANGE_DIRECTORY request and adds it to the specified notify list.
FsRtlNotifyFilterReportChange

FsRtlNotifyFilterReportChange completes IRP_MN_NOTIFY_CHANGE_DIRECTORY requests that are pending in the specified notify list.
FsRtlNotifyFullChangeDirectory

The FsRtlNotifyFullChangeDirectory routine creates a notify structure for a notification request and adds it to the specified notify list.
FsRtlNotifyFullReportChange

The FsRtlNotifyFullReportChange routine completes pending notify change IRPs.
FsRtlNotifyInitializeSync

The FsRtlNotifyInitializeSync routine allocates and initializes a synchronization object for a notify list.
FsRtlNotifyUninitializeSync

The FsRtlNotifyUninitializeSync routine deallocates the synchronization object for a notify list.
FsRtlNotifyVolumeEvent

The FsRtlNotifyVolumeEvent routine notifies any registered applications that a volume event is occurring.
FsRtlNotifyVolumeEventEx

The FsRtlNotifyVolumeEventEx routine notifies any registered applications that a volume event is occurring. Volume events include the volume being locked, unlocked, mounted, or made read-only.
FsRtlNumberOfRunsInLargeMcb

The FsRtlNumberOfRunsInLargeMcb routine returns the number of runs in a map control block (MCB).
FsRtlNumberOfRunsInMcb

The FsRtlNumberOfRunsInMcb function is obsolete.
FsRtlOplockBreakH

The FsRtlOplockBreakH routine breaks CACHE_HANDLE_LEVEL opportunistic locks (oplocks).
FsRtlOplockBreakToNone

The FsRtlOplockBreakToNone function is obsolete.
FsRtlOplockBreakToNoneEx

The FsRtlOplockBreakToNoneEx routine breaks all opportunistic locks (oplocks) immediately without regard for any oplock key.
FsRtlOplockFsctrl

FsRtlOplockFsctrl performs various opportunistic lock (oplock) operations on behalf of a file system or filter driver.
FsRtlOplockFsctrlEx

The FsRtlOplockFsctrlEx routine performs various opportunistic lock (oplock) operations on behalf of a file system or filter driver.
FsRtlOplockGetAnyBreakOwnerProcess

FsRtlOplockGetAnyBreakOwnerProcess gets an owner of an allegedly breaking oplock.
FsRtlOplockIsFastIoPossible

Learn more about the FsRtlOplockIsFastIoPossible function.
FsRtlOplockIsSharedRequest

The FsRtlOplockIsSharedRequest routine determines if a request for an opportunistic lock (oplock) wants a shared oplock.
FsRtlOplockKeysEqual

The FsRtlOplockKeysEqual routine compares the opportunistic lock (oplock) keys that are stored in the file object extensions of two file objects.
FsRtlPostPagingFileStackOverflow

The FsRtlPostPagingFileStackOverflow routine posts a paging file stack overflow item to the stack overflow thread.
FsRtlPostStackOverflow

The FsRtlPostStackOverflow routine posts a stack overflow item to the stack overflow thread.
FsRtlPrepareMdlWriteDev

The FsRtlPrepareMdlWriteDev routine returns a linked list of memory descriptor lists (MDLs) that point to the specified range of cached file data to write data directly to the cache.
FsRtlPrepareMdlWriteEx

The FsRtlPrepareMdlWriteEx routine returns a linked list of memory descriptor lists (MDLs) that point to the specified range of cached file data to write data directly to the cache.
FsRtlPrepareToReuseEcp

Learn more about the FsRtlPrepareToReuseEcp routine.
FsRtlPrivateLock

The FsRtlPrivateLock function is obsolete.
FsRtlProcessFileLock

The FsRtlProcessFileLock routine processes and completes an IRP for a file lock operation.
FsRtlQueryCachedVdl

The current valid data length (VDL) for a cached file is retrieved with the FsRtlQueryCachedVdl routine.
FsRtlQueryInformationFile

Learn more about the FsRtlQueryInformationFile function.
FsRtlQueryKernelEaFile

The routine FsRtlQueryKernelEaFile is used to build an explicit QueryEA request and synchronously wait for it to complete, returning the result. This allows the caller to do this by FileObject instead of a handle.
FsRtlRegisterFileSystemFilterCallbacks

File system filter drivers and file systems call the FsRtlRegisterFileSystemFilterCallbacks routine to register notification callback routines to be invoked when the underlying file system performs certain operations.
FsRtlRegisterUncProvider

The FsRtlRegisterUncProvider routine registers a network redirector as a universal naming convention (UNC) provider with the system multiple UNC provider (MUP).
FsRtlRegisterUncProviderEx

The FsRtlRegisterUncProviderEx routine registers a network redirector as a universal naming convention (UNC) provider with the system multiple UNC provider (MUP).
FsRtlReleaseFile

Microsoft reserves the FsRtlReleaseFile function for internal use only. Don't use this function in your code.
FsRtlRemoveBaseMcbEntry

The FsRtlRemoveBaseMcbEntry function is the work routine for removing a large mcb entry. It does so without taking out the mcb GuardedMutex.
FsRtlRemoveDotsFromPath

The FsRtlRemoveDotsFromPath routine removes unnecessary occurrences of '.' and '..' from the specified path.
FsRtlRemoveExtraCreateParameter

The FsRtlRemoveExtraCreateParameter routine searches an ECP list for an ECP context structure and, if found, detaches it from the ECP list.
FsRtlRemoveLargeMcbEntry

The FsRtlRemoveLargeMcbEntry routine removes one or more mappings from a map control block (MCB).
FsRtlRemoveMcbEntry

The FsRtlRemoveMcbEntry function is obsolete.
FsRtlRemovePerFileContext

Learn more about the FsRtlRemovePerFileContext function.
FsRtlRemovePerFileObjectContext

For a "legacy" file system filter driver, the FsRtlRemovePerFileObjectContext function unlinks a per-file-object context information structure from the list of per-file-object contexts previously associated with a file object.
FsRtlRemovePerStreamContext

Learn more about the FsRtlRemovePerStreamContext function.
FsRtlResetLargeMcb

The FsRtlResetLargeMcb routine truncates a map control block (MCB) structure to contain zero mapping pairs. It does not shrink the mapping pairs array.
FsRtlSetEcpListIntoIrp

The FsRtlSetEcpListIntoIrp routine attaches an extra create parameter (ECP) context structure list to an IRP_MJ_CREATE operation.
FsRtlSetKernelEaFile

The routine FsRtlQueryKernelEaFile is used to set, modify and/or delete extended attribute (EA) values for a file and synchronously wait for it to complete, returning a result.
FsRtlSetupAdvancedHeader

The FsRtlSetupAdvancedHeader macro is used by file systems to initialize an FSRTL_ADVANCED_FCB_HEADER structure for use with filter contexts.
FsRtlSetupAdvancedHeaderEx

The FsRtlSetupAdvancedHeaderEx macro is used by file systems to initialize an FSRTL_ADVANCED_FCB_HEADER structure for use with both stream and file contexts.
FsRtlSetupAdvancedHeaderEx2

Learn more about the FsRtlSetupAdvancedHeaderEx2 function.
FsRtlSplitLargeMcb

The FsRtlSplitLargeMcb routine inserts a hole into the mappings in a map control block (MCB).
FsRtlSupportsPerFileContexts

The FsRtlSupportsPerFileContexts macro checks if per file context information is supported by the file system that is associated with a specified FILE_OBJECT.
FsRtlTeardownPerFileContexts

File systems call theFsRtlTeardownPerFileContexts routine to free FSRTL_PER_FILE_CONTEXT objects that are associated with a file control block (FCB) structure.
FsRtlTeardownPerStreamContexts

The FsRtlTeardownPerStreamContexts routine frees all per-stream context structures associated with a given FSRTL_ADVANCED_FCB_HEADER structure.
FsRtlTestAnsiCharacter

The FsRtlTestAnsiCharacter macro determines whether an ANSI or double-byte character set (DBCS) character meets the specified criteria.
FsRtlTruncateLargeMcb

The FsRtlTruncateLargeMcb routine truncates a large map control block (MCB).
FsRtlTruncateMcb

The FsRtlTruncateMcb function is obsolete.
FsRtlUninitializeBaseMcb

The FsRtlUninitializeBaseMcb function uninitializes a map control block (MCB) structure. After calling this routine the input Mcb structure must be re-initialized before being used again.
FsRtlUninitializeFileLock

The FsRtlUninitializeFileLock routine uninitializes a FILE_LOCK structure.
FsRtlUninitializeLargeMcb

The FsRtlUninitializeLargeMcb routine uninitializes a large map-control block (MCB).
FsRtlUninitializeMcb

The FsRtlUninitializeMcb function is obsolete.
FsRtlUninitializeOplock

FsRtlUninitializeOplock uninitializes an opportunistic lock (oplock) pointer.
FsRtlUpperOplockFsctrl

Learn more about the FsRtlUpperOplockFsctrl routine.
FsRtlValidateReparsePointBuffer

The FsRtlValidateReparsePointBuffer routine verifies that the specified reparse point buffer is valid.
GetSecurityUserInfo

The GetSecurityUserInfo function retrieves information about a logon session.
IoAcquireVpbSpinLock

Learn more about the IoAcquireVpbSpinLock function.
IoCheckDesiredAccess

Microsoft reserves the IoCheckDesiredAccess function for internal use only. Don't use this function in your code.
IoCheckEaBufferValidity

Learn more about the IoCheckEaBufferValidity function.
IoCheckFileObjectOpenedAsCopyDestination

Learn more about the IoCheckFileObjectOpenedAsCopyDestination function.
IoCheckFileObjectOpenedAsCopySource

Learn more about the IoCheckFileObjectOpenedAsCopySource function.
IoCheckFunctionAccess

Microsoft reserves the IoCheckFunctionAccess function for internal use only. Don't use this function in your code.
IoCheckQuerySetFileInformation

Microsoft reserves the IoCheckQuerySetFileInformation function for internal use only. Don't use this function in your code.
IoCheckQuerySetVolumeInformation

Microsoft reserves the IoCheckQuerySetVolumeInformation function for internal use only. Don't use this function in your code.
IoCheckQuotaBufferValidity

Learn more about the IoCheckQuotaBufferValidity function.
IoCreateStreamFileObject

The IoCreateStreamFileObject routine creates a new stream file object.
IoCreateStreamFileObjectEx

The IoCreateStreamFileObjectEx routine creates a new stream file object.
IoCreateStreamFileObjectEx2

Learn more about the IoCreateStreamFileObjectEx2 routine.
IoCreateStreamFileObjectLite

The IoCreateStreamFileObjectLite routine creates a new stream file object, but does not cause an IRP_MJ_CLEANUP request to be sent to the file system driver stack.
IoEnumerateDeviceObjectList

Learn more about the IoEnumerateDeviceObjectList routine.
IoEnumerateRegisteredFiltersList

The IoEnumerateRegisteredFiltersList routine enumerates the file system filter drivers that have registered with the system.
IoFastQueryNetworkAttributes

Microsoft reserves the IoFastQueryNetworkAttributes function for internal use only. Don't use this function in your code.
IoGetAttachedDevice

Learn more about the IoGetAttachedDevice function.
IoGetAttachedDeviceReference

Learn more about the IoGetAttachedDeviceReference routine.
IoGetBaseFileSystemDeviceObject

Microsoft reserves the IoGetBaseFileSystemDeviceObject function for internal use only. Don't use this function in your code.
IoGetConfigurationInformation

Learn more about the IoGetConfigurationInformation function.
IoGetDeviceAttachmentBaseRef

The IoGetDeviceAttachmentBaseRef routine returns a pointer to the lowest-level device object in a file system or device driver stack.
IoGetDeviceToVerify

Learn more about the IoGetDeviceToVerify function.
IoGetDiskDeviceObject

The IoGetDiskDeviceObject routine retrieves a pointer to the disk device object associated with a given file system volume device object.
IoGetLowerDeviceObject

Learn more about the IoGetLowerDeviceObject function.
IoGetRequestorProcess

The IoGetRequestorProcess routine returns a process pointer for the thread that originally requested a given I/O operation.
IoGetRequestorProcessId

The IoGetRequestorProcessId routine returns the unique 32-bit process ID for the thread that originally requested a given I/O operation.
IoGetRequestorSessionId

The IoGetRequestorSessionId routine returns the session ID for the process that originally requested a given I/O operation.
IoGetTopLevelIrp

The IoGetTopLevelIrp routine in ntifs.h returns the value of the TopLevelIrp field of the current thread.
IoInitializePriorityInfo

The IoInitializePriorityInfo routine initializes a structure of type IO_PRIORITY_INFO.
IoIsFileOpenedExclusively

Microsoft reserves the IoIsFileOpenedExclusively macro for internal use only. Don't use this macro in your code.
IoIsOperationSynchronous

Learn more about the IoIsOperationSynchronous function.
IoIsSystemThread

The IoIsSystemThread routine checks whether a given thread is a system thread.
IoIsValidNameGraftingBuffer

Microsoft reserves the IoIsValidNameGraftingBuffer function for internal use only. Don't use this function in your code.
IoPageRead

Microsoft reserves the IoPageRead function for internal use only. Don't use this function in your code.
IoQueryFileDosDeviceName

The IoQueryFileDosDeviceName routine retrieves an MS-DOS device name for a file.
IoQueryFileInformation

Microsoft reserves the IoQueryFileInformation function for internal use only. Don't use this function in your code.
IoQueryVolumeInformation

Microsoft reserves the IoQueryVolumeInformation function for internal use only. Don't use this function in your code.
IoQueueThreadIrp

Microsoft reserves the IoQueueThreadIrp function for internal use only. Don't use this function in your code.
IoRegisterFileSystem

The IoRegisterFileSystem routine adds a file system's control device object to the global file system queue.
IoRegisterFsRegistrationChange

Learn more about the IoRegisterFsRegistrationChange function.
IoRegisterFsRegistrationChangeEx

The IoRegisterFsRegistrationChangeEx routine registers a file system filter driver's notification routine to be called whenever a file system registers or unregisters itself as an active file system.
IoRegisterFsRegistrationChangeMountAware

The IoRegisterFsRegistrationChangeMountAware routine registers a file system filter driver's notification routine. This notification routine is called whenever a file system registers or unregisters itself as an active file system.
IoReleaseVpbSpinLock

The IoReleaseVpbSpinLock routine releases the Volume Parameter Block (VPB) spin lock.
IoReplaceFileObjectName

Learn more about the IoReplaceFileObjectName routine.
IoSetDeviceToVerify

Learn more about the IoSetDeviceToVerify routine.
IoSetInformation

Microsoft reserves the IoSetInformation function for internal use only. Don't use this function in your code.
IoSetStartIoAttributes

The IoSetStartIoAttributes routine in ntifs.h sets attributes for the driver's StartIo routine.
IoSetTopLevelIrp

The IoSetTopLevelIrp routine in ntifs.h sets the value of the TopLevelIrp field of the current thread.
IoSizeOfIrp

Learn more about the IoSizeOfIrp routine.
IoStartNextPacket

Learn more about the IoStartNextPacket routine.
IoStartNextPacketByKey

Learn more about the IoStartNextPacketByKey routine.
IoStartPacket

Learn more about the IoStartPacket routine.
IoStartTimer

Learn more about the IoStartTimer routine.
IoStopTimer

Learn more about the IoStopTimer routine.
IoSynchronousPageWrite

Microsoft reserves the IoSynchronousPageWrite function for internal use only. Don't use this function in your code.
IoThreadToProcess

The IoThreadToProcess routine returns a pointer to the process for the specified thread.
IoUnregisterFileSystem

The IoUnregisterFileSystem routine removes a file system's control device object from the global file system queue.
IoUnregisterFsRegistrationChange

The IoUnregisterFsRegistrationChange routine unregisters file system filter driver's file system registration change notification routine.
IoVerifyVolume

Learn more about the IoVerifyVolume function.
IoWriteErrorLogEntry

Learn more about the IoWriteErrorLogEntry routine.
IsReparseTagMicrosoft

The IsReparseTagMicrosoft macro determines whether a reparse point tag indicates a Microsoft reparse point.
IsReparseTagNameSurrogate

The IsReparseTagNameSurrogate macro determines whether a tag's associated reparse point is a surrogate for another named entity, such as a volume mount point.
IsReparseTagValid

Microsoft reserves the IsReparseTagValid macro for internal use only. Don't use this macro in your code.
KeAcquireQueuedSpinLock

Learn more about the KeAcquireQueuedSpinLock function.
KeAttachProcess

The KeAttachProcess function is obsolete.
KeDetachProcess

The KeDetachProcess function is obsolete.
KeGetProcessorIndexFromNumber

The KeGetProcessorIndexFromNumber routine in ntifs.h converts a group number and a group-relative processor number to a systemwide processor index.
KeGetProcessorNumberFromIndex

The KeGetProcessorNumberFromIndex routine in ntifs.h converts a systemwide processor index to a group number and a group-relative processor number.
KeInitializeMutant

Microsoft reserves the KeInitializeMutant function for internal use only. Don't use this function in your code.
KeInitializeQueue

The KeInitializeQueue routine initializes a queue object on which threads can wait for entries.
KeInsertHeadQueue

The KeInsertHeadQueue routine inserts an entry at the head of the given queue if it cannot immediately use the entry to satisfy a thread wait.
KeInsertQueue

The KeInsertQueue routine inserts an entry at the tail of the given queue if it cannot immediately use the entry to satisfy a thread wait.
KeQueryPerformanceCounter

Learn more about the KeQueryPerformanceCounter routine.
KeReadStateMutant

Microsoft reserves the KeReadStateMutant function for internal use only. Don't use this function in your code.
KeReadStateQueue

Microsoft reserves the KeReadStateQueue function for internal use only. Don't use this function in your code.
KeReleaseMutant

Microsoft reserves the KeReleaseMutant function for internal use only. Don't use this function in your code.
KeReleaseQueuedSpinLock

Microsoft reserves the KeReleaseQueuedSpinLock function for internal use only. Don't use this function in your code.
KeRemoveQueue

Learn more about the KeRemoveQueue function.
KeRundownQueue

The KeRundownQueue routine cleans up a queue object, flushing any queued entries.
KeSetIdealProcessorThread

Microsoft reserves the KeSetIdealProcessorThread function for internal use only. Don't use this function in your code.
KeSetKernelStackSwapEnable

Learn more about the KeSetKernelStackSwapEnable routine.
KeStackAttachProcess

The KeStackAttachProcess routine attaches the current thread to the address space of the target process.
KeStallExecutionProcessor

Learn more about the KeStallExecutionProcessor routine.
KeTryToAcquireQueuedSpinLock

Microsoft reserves the KeTryToAcquireQueuedSpinLock function for internal use only. Don't use this function in your code.
KeUnstackDetachProcess

The KeUnstackDetachProcess routine detaches the current thread from the address space of a process and restores the previous attach state.
MapSecurityError

The MapSecurityError function maps a security interface SECURITY_STATUS status code to a corresponding NSTATUS status code.
MmCanFileBeTruncated

Learn more about the MmCanFileBeTruncated function.
MmDoesFileHaveUserWritableReferences

Learn more about the MmDoesFileHaveUserWritableReferences function.
MmFlushImageSection

The MmFlushImageSection routine flushes the image section for a file.
MmForceSectionClosed

The MmForceSectionClosed routine deletes the data and image sections for a file that is no longer in use.
MmForceSectionClosedEx

The MmForceSectionClosedEx function examines the section object pointers. If they are NULL, no further action is taken and the value TRUE is returned.
MmGetMaximumFileSectionSize

The MmGetMaximumFileSectionSize returns the maximum possible size of a file section for the current version of Windows.
MmIsRecursiveIoFault

The MmIsRecursiveIoFault routine determines whether the current page fault is occurring during an I/O operation.
MmPrefetchPages

The MmPrefetchPages routine reads groups of pages from secondary storage in the optimal fashion.
MmSetAddressRangeModified

The MmSetAddressRangeModified routine marks currently valid pages in the specified range of the system cache as modified.
NtAllocateVirtualMemory

Learn more about the NtAllocateVirtualMemory routine.
NtClose

Learn more about the NtClose routine.
NtCopyFileChunk

Learn more about the NtCopyFileChunk function.
NtCreateFile

Learn more about the NtCreateFile function.
NtCreateSection

Learn about the NtCreateSection function.
NtCreateSectionEx

Creates a section object.
NtDeviceIoControlFile

Learn more about the NtDeviceIoControlFile function.
NtDuplicateToken

Learn more about the NtDuplicateToken function.
NtFlushBuffersFileEx

Learn more about the NtFlushBuffersFileEx routine.
NtFreeVirtualMemory

Learn more about the NtFreeVirtualMemory routine.
NtFsControlFile

Learn more about the NtFsControlFile routine.
NtLockFile

The NtLockFile routine requests a byte-range lock for the specified file.
NtOpenFile

Learn more about the NtOpenFile routine.
NtOpenProcessToken

The NtOpenProcessToken routine opens the access token associated with a process, and returns a handle that can be used to access that token.
NtOpenProcessTokenEx

The NtOpenProcessTokenEx routine opens the access token associated with a process, and returns a handle that can be used to access that token.
NtOpenThreadToken

The NtOpenThreadToken routine opens the access token associated with a thread, and returns a handle that can be used to access that token.
NtOpenThreadTokenEx

The NtOpenThreadTokenEx routine opens the access token associated with a thread.
NtPrivilegeCheck

The NtPrivilegeCheck routine determines whether a specified set of privileges is enabled in the subject's access token.
NtQueryDirectoryFile

The NtQueryDirectoryFile routine returns various kinds of information about files in the directory specified by a given file handle.
NtQueryDirectoryFileEx

Learn more about NtQueryDirectoryFileEx
NtQueryInformationByName

Learn more about the NtQueryInformationByName function.
NtQueryInformationFile

The NtQueryInformationFile routine returns various kinds of information about a file object.
NtQueryInformationToken

The NtQueryInformationToken routine retrieves a specified type of information about an access token.
NtQueryObject

The NtQueryObject routine provides information about a supplied object. If the call occurs in user mode, use the name NtQueryObject.
NtQueryQuotaInformationFile

The NtQueryQuotaInformationFile routine retrieves quota entries associated with the volume specified by the FileHandle parameter.
NtQuerySecurityObject

The NtQuerySecurityObject routine retrieves a copy of an object's security descriptor. A security descriptor can be in absolute or self-relative form.
NtQueryVirtualMemory

Learn more about the NtQueryVirtualMemory function.
NtQueryVolumeInformationFile

This routine retrieves information about the volume associated with a given file, directory, storage device, or volume.
NtReadFile

Learn more about the NtReadFile routine.
NtSetInformationFile

The NtSetInformationFile routine in ntifs.h changes various kinds of information about a file object.
NtSetInformationThread

Learn how the ZwSetInformationThread routine sets the priority of a thread.
NtSetInformationToken

The NtSetInformationToken routine modifies information in a specified token. The calling process must have access rights to set the information.
NtSetQuotaInformationFile

The NtSetQuotaInformationFile routine changes quota entries for the volume associated with the FileHandle parameter.
NtSetSecurityObject

Learn more about the NtSetSecurityObject routine.
NtUnlockFile

The NtUnlockFile routine in unlocks a byte-range lock in a file. If the call is in user mode, use the name NtUnlockFile instead of ZwUnlockFile.
NtWriteFile

Learn more about the NtWriteFile routine.
ObInsertObject

Microsoft reserves the ObInsertObject function for internal use only. Don't use this function in your code.
ObIsKernelHandle

The ObIsKernelHandle routine determines whether the specified handle is a kernel handle.
ObMakeTemporaryObject

Microsoft reserves the ObMakeTemporaryObject function for internal use only. Don't use this function in your code.
ObOpenObjectByPointer

The ObOpenObjectByPointer function opens an object referenced by a pointer and returns a handle to the object.
ObQueryNameString

The ObQueryNameString routine supplies the name, if there is one, of a given object to which the caller has a pointer.
ObQueryObjectAuditingByHandle

Microsoft reserves the ObQueryObjectAuditingByHandle function for internal use only. Don't use this function in your code.
PoCallDriver

The PoCallDriver routine in ntifs.h passes a power IRP to the next-lower driver in the device stack. (Windows Server 2003, Windows XP, and Windows 2000 only.).
PoClearPowerRequest

Learn more about the PoClearPowerRequest routine.
PoCreatePowerRequest

Learn more about the PoCreatePowerRequest routine.
PoDeletePowerRequest

Learn more about the PoDeletePowerRequest routine.
PoEndDeviceBusy

Learn more about the PoEndDeviceBusy routine.
PoQueryWatchdogTime

Learn more about the PoQueryWatchdogTime routine.
PoRegisterDeviceForIdleDetection

Learn more about the PoRegisterDeviceForIdleDetection routine.
PoRegisterPowerSettingCallback

Learn more about the PoRegisterPowerSettingCallback routine.
PoRegisterSystemState

Learn more about the PoRegisterSystemState routine.
PoSetDeviceBusyEx

Learn more about the PoSetDeviceBusyEx routine.
PoSetPowerRequest

Learn more about the PoSetPowerRequest function.
PoSetPowerState

Learn more about the PoSetPowerState function.
PoStartDeviceBusy

The PoStartDeviceBusy routine in ntifs.h marks the start of a period of time in which the device is busy.
PoStartNextPowerIrp

The PoStartNextPowerIrp routine in ntifs.h signals the power manager that the driver is ready to handle the next power IRP.
PoUnregisterPowerSettingCallback

The PoUnregisterPowerSettingCallback routine in ntifs.h unregisters a power-setting callback routine that a driver previously registered.
PoUnregisterSystemState

The PoUnregisterSystemState routine in ntifs.h cancels a system state registration created by PoRegisterSystemState.
PsChargePoolQuota

Learn more about the PsChargePoolQuota function.
PsDereferenceImpersonationToken

The PsDereferenceImpersonationToken routine decrements the reference count of an impersonation token.
PsDereferencePrimaryToken

The PsDereferencePrimaryToken routine decrements the reference count of a primary token.
PsGetCurrentThread

Learn how the PsGetCurrentThread routine identifies the current thread.
PsGetProcessExitTime

The PsGetProcessExitTime routine returns the exit time for the current process.
PsImpersonateClient

The PsImpersonateClient routine causes a server thread to impersonate a client.
PsIsDiskCountersEnabled

The enabled state of the per process disk I/O counters is returned by the PsIsDiskCountersEnabled routine.
PsIsSystemThread

The PsIsSystemThread routine checks whether a given thread is a system thread.
PsIsThreadTerminating

The PsIsThreadTerminating routine checks whether a thread is terminating.
PsLookupProcessByProcessId

The PsLookupProcessByProcessId routine accepts the process ID of a process and returns a referenced pointer to EPROCESS structure of the process.
PsLookupThreadByThreadId

The PsLookupThreadByThreadId routine accepts the thread ID of a thread and returns a referenced pointer to the ETHREAD structure of the thread.
PsReferenceImpersonationToken

Learn more about the PsReferenceImpersonationToken function.
PsReferencePrimaryToken

Learn more about the PsReferencePrimaryToken function.
PsReturnPoolQuota

Learn more about the PsReturnPoolQuota function.
PsRevertToSelf

The PsRevertToSelf routine ends the calling thread's impersonation of a client.
PsUpdateDiskCounters

The PsUpdateDiskCounters routine updates the disk I/O counters of a given process.
RtlAbsoluteToSelfRelativeSD

The RtlAbsoluteToSelfRelativeSD routine creates a new security descriptor in self-relative format by using a security descriptor in absolute format as a template.
RtlAddAccessAllowedAce

The RtlAddAccessAllowedAce routine adds an access-allowed access control entry (ACE) to an access control list (ACL). The access is granted to the specified security identifier (SID).
RtlAddAccessAllowedAceEx

Learn more about the RtlAddAccessAllowedAceEx function.
RtlAddAce

Learn more about the RtlAddAce function.
RtlAllocateAndInitializeSid

Microsoft reserves the RtlAllocateAndInitializeSid function for internal use only. Don't use this function in your code.
RtlAllocateHeap

The RtlAllocateHeap routine allocates a block of memory from a heap.
RtlAppendStringToString

The RtlAppendStringToString routine concatenates two counted strings. It copies bytes from the source up to the length of the destination buffer.
RtlCaptureContext

The RtlCaptureContext function retrieves a context record in the context of the caller.
RtlCaptureStackBackTrace

Learn more about the RtlCaptureStackBackTrace function.
RtlCompareMemoryUlong

The RtlCompareMemoryUlong routine returns how many bytes in a block of memory match a specified pattern.
RtlCompressBuffer

Learn more about the RtlCompressBuffer function.
RtlCompressChunks

Microsoft reserves the RtlCompressChunks function for internal use only. Don't use this function in your code.
RtlConvertSidToUnicodeString

The RtlConvertSidToUnicodeString routine generates a printable Unicode string representation of a security identifier (SID).
RtlCopyLuid

The RtlCopyLuid routine copies a locally unique identifier (LUID) to a buffer.
RtlCopySid

The RtlCopySid routine copies the value of a security identifier (SID) to a buffer.
RtlCreateAcl

The RtlCreateAcl routine creates and initializes an access control list (ACL).
RtlCreateHeap

The RtlCreateHeap routine creates a heap object that can be used by the calling process. This routine reserves space in the virtual address space of the process and allocates physical storage for a specified initial portion of this block.
RtlCreateSecurityDescriptorRelative

The RtlCreateSecurityDescriptorRelative routine initializes a new security descriptor in self-relative format.
RtlCreateSystemVolumeInformationFolder

The RtlCreateSystemVolumeInformationFolder routine verifies the existence of the "System Volume Information" folder on a file system volume. If the folder is not present, then the folder is created.
RtlCreateUnicodeString

The RtlCreateUnicodeString routine creates a new counted Unicode string.
RtlCustomCPToUnicodeN

Microsoft reserves the RtlCustomCPToUnicodeN function for internal use only. Don't use this function in your code.
RtlDecompressBuffer

Learn more about the RtlDecompressBuffer function.
RtlDecompressBufferEx

Learn more about the RtlDecompressBufferEx function.
RtlDecompressBufferEx2

Learn more about the RtlDecompressBufferEx2 function.
RtlDecompressChunks

Microsoft reserves the RtlDecompressChunks function for internal use only. Don't use this function in your code.
RtlDecompressFragment

Learn more about the RtlDecompressFragment function.
RtlDecompressFragmentEx

Learn more about the RtlDecompressFragmentEx function.
RtlDeleteAce

Learn more about the RtlDeleteAce function.
RtlDescribeChunk

Microsoft reserves the RtlDescribeChunk function for internal use only. Don't use this function in your code.
RtlDestroyHeap

The RtlDestroyHeap routine destroys the specified heap object. RtlDestroyHeap decommits and releases all the pages of a private heap object, and it invalidates the handle to the heap.
RtlDowncaseUnicodeString

The RtlDowncaseUnicodeString routine converts the specified Unicode source string to lowercase. The translation conforms to the current system locale information.
RtlEqualPrefixSid

The RtlEqualPrefixSid routine determines whether two security-identifier (SID) prefixes are equal. An SID prefix is the entire SID except for the last subauthority value.
RtlEqualSid

The RtlEqualSid routine determines whether two security identifier (SID) values are equal. Two SIDs must match exactly to be considered equal.
RtlFillMemoryUlong

The RtlFillMemoryUlong routine fills the specified range of memory with one or more repetitions of a ULONG value.
RtlFillMemoryUlonglong

The RtlFillMemoryUlonglong routine fills a given range of memory with one or more repetitions of a given ULONGLONG value.
RtlFindUnicodePrefix

The RtlFindUnicodePrefix routine searches for the best match for a given Unicode file name in a prefix table.
RtlFreeHeap

The RtlFreeHeap routine frees a memory block that was allocated from a heap by RtlAllocateHeap.
RtlFreeOemString

The RtlFreeOemString routine releases storage that was allocated by any of the Rtl..ToOemString routines.
RtlFreeSid

Microsoft reserves the RtlFreeSid function for internal use only. Don't use this function in your code.
RtlGenerate8dot3Name

Learn more about the RtlGenerate8dot3Name function.
RtlGetAce

The RtlGetAce routine obtains a pointer to an access control entry (ACE) in an access control list (ACL).
RtlGetAcesBufferSize

Learn more about the RtlGetAcesBufferSize function.
RtlGetCompressionWorkSpaceSize

Learn more about the RtlGetCompressionWorkSpaceSize function.
RtlGetDaclSecurityDescriptor

The RtlGetDaclSecurityDescriptor routine returns a pointer to the discretionary ACL (DACL) for a security descriptor.
RtlGetGroupSecurityDescriptor

The RtlGetGroupSecurityDescriptor routine returns the primary group information for a given security descriptor.
RtlGetOwnerSecurityDescriptor

The RtlGetOwnerSecurityDescriptor routine returns the owner information for a given security descriptor.
RtlGetSaclSecurityDescriptor

The RtlGetSaclSecurityDescriptor routine returns a pointer to the system ACL (SACL) for a security descriptor.
RtlIdentifierAuthoritySid

Microsoft reserves the RtlIdentifierAuthoritySid function for internal use only. Don't use this function in your code.
RtlInitCodePageTable

Microsoft reserves the RtlInitCodePageTable function for internal use only. Don't use this function in your code.
RtlInitializeSid

The RtlInitializeSid routine initializes a security identifier (SID) structure.
RtlInitializeSidEx

The RtlInitializeSidEx routine initializes a pre-allocated security identifier (SID) structure.
RtlInitializeUnicodePrefix

The RtlInitializeUnicodePrefix routine initializes a prefix table.
RtlInitStringEx

The RtlInitStringEx routine in ntifs.h initializes a counted string of 8-bit characters. RtlInitStringEx does not alter the source string.
RtlInitUTF8StringEx

RtlInitUTF8StringEx initializes a counted string of UTF-8 characters.
RtlInsertUnicodePrefix

The RtlInsertUnicodePrefix routine inserts a new element into a Unicode prefix table.
RtlIsCloudFilesPlaceholder

The RtlIsCloudFilesPlaceholder routine determines if a file or a directory is a CloudFiles placeholder, based on the FileAttributes and ReparseTag values of the file.
RtlIsNameLegalDOS8Dot3

The RtlIsNameLegalDOS8Dot3 routine determines whether a given name represents a valid short (8.3) file name.
RtlIsPartialPlaceholder

The RtlIsPartialPlaceholder routine determines if a file or a directory is a CloudFiles placeholder, based on the FileAttributes and ReparseTag values of the file.
RtlIsPartialPlaceholderFileHandle

The RtlIsPartialPlaceholderFileHandle routine determines if a file is a known type of placeholder, based on a file handle.
RtlIsPartialPlaceholderFileInfo

The RtlIsPartialPlaceholderFileInfo routine determines if a file is a known type of placeholder, based on the information returned by NtQueryInformationFile or NtQueryDirectoryFile.
RtlIsValidOemCharacter

The RtlIsValidOemCharacter routine determines if the specified Unicode character can be mapped to a valid OEM character.
RtlLengthRequiredSid

The RtlLengthRequiredSid routine returns the length, in bytes, of the buffer required to store a security identifier (SID) with a specified number of subauthorities.
RtlLengthSid

The RtlLengthSid routine returns the length, in bytes, of a valid security identifier (SID).
RtlMultiByteToUnicodeN

The RtlMultiByteToUnicodeN routine translates the specified source string into a Unicode string, using the current system ANSI code page (ACP). The source string is not necessarily from a multibyte character set.
RtlMultiByteToUnicodeSize

The RtlMultiByteToUnicodeSize routine determines the number of bytes that are required to store the Unicode translation for the specified source string.
RtlNextUnicodePrefix

The RtlNextUnicodePrefix routine is used to enumerate the elements in a Unicode prefix table.
RtlNtStatusToDosError

The RtlNtStatusToDosError routine converts the specified NTSTATUS code to its equivalent system error code.
RtlNtStatusToDosErrorNoTeb

Microsoft reserves the RtlNtStatusToDosErrorNoTeb function for internal use only. Don't use this function in your code.
RtlOemStringToCountedUnicodeSize

The RtlOemStringToCountedUnicodeSize routine determines the size, in bytes, that a given OEM string will be after it is translated into a counted Unicode string.
RtlOemStringToCountedUnicodeString

The RtlOemStringToCountedUnicodeString routine translates the specified source string into a Unicode string using the current system OEM code page.
RtlOemStringToUnicodeSize

The RtlOemStringToUnicodeSize routine determines the size, in bytes, that a given OEM string will be after it is translated into a null-terminated Unicode string.
RtlOemStringToUnicodeString

The RtlOemStringToUnicodeString routine translates a given source string into a null-terminated Unicode string using the current system OEM code page.
RtlOemToUnicodeN

The RtlOemToUnicodeN routine translates the specified source string into a Unicode string, using the current system OEM code page.
RtlQueryPackageIdentity

RtlQueryPackageIdentity
RtlQueryPackageIdentityEx

RtlQueryPackageIdentityEx returns the associated full package name. It can optionally also return the package relative application name, and whether an application is considered packaged.
RtlQueryProcessPlaceholderCompatibilityMode

RtlQueryProcessPlaceholderCompatibilityMode returns the placeholder compatibility mode for the current process.
RtlQueryThreadPlaceholderCompatibilityMode

RtlQueryThreadPlaceholderCompatibilityMode returns the placeholder compatibility mode for the current thread.
RtlRandom

The RtlRandom routine returns a random number that was generated from a given seed value.
RtlRandomEx

The RtlRandomEx routine returns a random number that was generated from a given seed value.
RtlRemoveUnicodePrefix

The RtlRemoveUnicodePrefix routine removes an element from a prefix table.
RtlReserveChunk

Microsoft reserves the RtlReserveChunk function for internal use only. Don't use this function in your code.
RtlSecondsSince1970ToTime

The RtlSecondsSince1970ToTime routine converts the elapsed time, in seconds, since the beginning of 1970 to an absolute system time value.
RtlSecondsSince1980ToTime

The RtlSecondsSince1980ToTime routine converts the elapsed time, in seconds, since the beginning of 1980 to an absolute system time value.
RtlSelfRelativeToAbsoluteSD

The RtlSelfRelativeToAbsoluteSD routine creates a new security descriptor in absolute format by using a security descriptor in self-relative format as a template.
RtlSetGroupSecurityDescriptor

The RtlSetGroupSecurityDescriptor routine sets the primary group information of an absolute-format security descriptor. It replaces any primary group information that is already present in the security descriptor.
RtlSetOwnerSecurityDescriptor

The RtlSetOwnerSecurityDescriptor routine sets the owner information of an absolute-format security descriptor. It replaces any owner information that is already present in the security descriptor.
RtlSetProcessPlaceholderCompatibilityMode

RtlSetProcessPlaceholderCompatibilityMode sets the placeholder compatibility mode for the current process.
RtlSetThreadPlaceholderCompatibilityMode

RtlSetThreadPlaceholderCompatibilityMode sets the placeholder compatibility mode for the current thread.
RtlSubAuthorityCountSid

Microsoft reserves the RtlSubAuthorityCountSid function for internal use only. Don't use this function in your code.
RtlSubAuthoritySid

The RtlSubAuthoritySid routine returns a pointer to a specified subauthority of a security identifier (SID).
RtlTimeToSecondsSince1970

The RtlTimeToSecondsSince1970 routine converts a given absolute system time value to the elapsed time, in seconds, since the beginning of 1970.
RtlTimeToSecondsSince1980

The RtlTimeToSecondsSince1980 routine converts a given absolute system time value to the elapsed time, in seconds, since the beginning of 1980.
RtlUnicodeStringToCountedOemString

The RtlUnicodeStringToCountedOemString routine translates the specified Unicode source string into a counted OEM string using the current system OEM code page.
RtlUnicodeStringToOemSize

The RtlUnicodeStringToOemSize routine determines the size, in bytes, that a given Unicode string will be after it is translated into an OEM string.
RtlUnicodeStringToOemString

The RtlUnicodeStringToOemString routine translates a given Unicode source string into an OEM string using the current system OEM code page.
RtlUnicodeStringToUTF8String

RtlUnicodeStringToUTF8String converts the specified Unicode string to a UTF-8 string.
RtlUnicodeToCustomCPN

Microsoft reserves the RtlUnicodeToCustomCPN function for internal use only. Don't use this function in your code.
RtlUnicodeToMultiByteN

The RtlUnicodeToMultiByteN routine translates the specified Unicode string into a new character string, using the current system ANSI code page (ACP). The translated string is not necessarily from a multibyte character set.
RtlUnicodeToMultiByteSize

The RtlUnicodeToMultiByteSize routine determines the number of bytes that are required to store the multibyte translation for the specified Unicode string. The translation is assumed to use the current system ANSI code page (ACP).
RtlUnicodeToOemN

The RtlUnicodeToOemN routine translates a given Unicode string to an OEM string, using the current system OEM code page.
RtlUnicodeToUTF8N

The RtlUnicodeToUTF8N routine in ntifs.h converts a Unicode string to a UTF-8 string. The UTF-8 output is null-terminated only if the Unicode input string is.
RtlUpcaseUnicodeStringToCountedOemString

Learn more about the RtlUpcaseUnicodeStringToCountedOemString function.
RtlUpcaseUnicodeStringToOemString

The RtlUpcaseUnicodeStringToOemString routine translates a given Unicode source string into an uppercase OEM string using the current system OEM code page.
RtlUpcaseUnicodeToCustomCPN

Microsoft reserves the RtlUpcaseUnicodeToCustomCPN function for internal use only. Don't use this function in your code.
RtlUpcaseUnicodeToMultiByteN

The RtlUpcaseUnicodeToMultiByteN routine translates the specified Unicode string into a new uppercase character string, using the current system ANSI code page (ACP). The translated string is not necessarily from a multibyte character set.
RtlUpcaseUnicodeToOemN

The RtlUpcaseUnicodeToOemN routine translates a given Unicode string into an uppercase OEM string, using the current system OEM code page.
RtlUTF8StringToUnicodeString

The RtlUTF8StringToUnicodeString routine converts the specified UTF-8 string to a Unicode string.
RtlUTF8ToUnicodeN

The RtlUTF8ToUnicodeN routine in ntifs.h converts a UTF-8 string to a Unicode string. The Unicode output is null-terminated only if the UTF-8 input string is.
RtlValidSid

The RtlValidSid routine validates a security identifier (SID) by verifying that the revision number is within a known range and that the number of subauthorities is less than the maximum.
RtlxOemStringToUnicodeSize

Microsoft reserves the RtlxOemStringToUnicodeSize function for internal use only. Don't use this function in your code.
RtlxUnicodeStringToOemSize

Microsoft reserves the RtlxUnicodeStringToOemSize function for internal use only. Don't use this function in your code.
SeAccessCheckFromState

Learn more about the SeAccessCheckFromState function.
SeAccessCheckFromStateEx

Learn more about the SeAccessCheckFromStateEx function.
SeAppendPrivileges

The SeAppendPrivileges routine appends additional privileges to the privilege set in an access state structure.
SeAuditHardLinkCreation

Microsoft reserves the SeAuditHardLinkCreation function for internal use only. Don't use this function in your code.
SeAuditingFileEvents

The SeAuditingFileEvents routine determines whether file open events are currently being audited.
SeAuditingFileOrGlobalEvents

The SeAuditingFileOrGlobalEvents routine determines whether file or global events are currently being audited.
SeAuditingHardLinkEvents

Microsoft reserves the SeAuditingHardLinkEvents function for internal use only. Don't use this function in your code.
SeCaptureSubjectContext

The SeCaptureSubjectContext routine in ntifs.h captures the security context of the calling thread for access validation and auditing.
SeCaptureSubjectContextEx

Learn more about the SeCaptureSubjectContextEx function.
SecLookupAccountName

SecLookupAccountName accepts an account as input and retrieves a security identifier (SID) for the account and the name of the domain on which the account was found.
SecLookupAccountSid

SecLookupAccountSid accepts a security identifier (SID) as input. It retrieves the name of the account for this SID and the name of the first domain on which this SID is found.
SecLookupWellKnownSid

SecLookupWellKnownSid accepts a well-known security identifier (SID) type as input and retrieves the local security identifier (SID) for this well known SID.
SecMakeSPN

SecMakeSPN creates a service provider name string that can be used when communicating with specific security service providers.
SecMakeSPNEx

SecMakeSPNEx creates a service provider name string that can be used when communicating with specific security service providers.
SecMakeSPNEx2

SecMakeSPNEx2 creates a service provider name string that can be used when it communicates with specific security service providers.
SeCreateClientSecurity

Learn more about the SeCreateClientSecurity function.
SeCreateClientSecurityFromSubjectContext

Learn more about the SeCreateClientSecurityFromSubjectContext routine.
SeDeleteClientSecurity

The SeDeleteClientSecurity routine deletes a client security context.
SeDeleteObjectAuditAlarm

The SeDeleteObjectAuditAlarm routine generates audit and alarm messages for an object that is marked for deletion.
SeFilterToken

Learn more about the SeFilterToken function.
SeFreePrivileges

The SeFreePrivileges routine frees a privilege set returned by SeAccessCheck.
SeImpersonateClient

The SeImpersonateClient function is obsolete.
SeImpersonateClientEx

The SeImpersonateClientEx routine causes a thread to impersonate a user.
SeLengthSid

The SeLengthSid macro is obsolete.
SeLocateProcessImageName

Learn more about the SeLocateProcessImageName function.
SeLockSubjectContext

Learn more about the SeLockSubjectContext function.
SeMarkLogonSessionForTerminationNotification

The SeMarkLogonSessionForTerminationNotification routine marks a logon session so that the caller's registered callback routine is called when the logon session terminates.
SeOpenObjectAuditAlarm

The SeOpenObjectAuditAlarm routine generates audit and alarm messages when an attempt is made to open an object.
SeOpenObjectForDeleteAuditAlarm

The SeOpenObjectForDeleteAuditAlarm routine generates audit and alarm messages when an attempt is made to open an object for deletion.
SePrivilegeCheck

The SePrivilegeCheck routine determines whether a specified set of privileges is enabled in the subject's access token.
SeQueryAuthenticationIdToken

The SeQueryAuthenticationIdToken routine retrieves the authentication ID of an access token.
SeQueryInformationToken

The SeQueryInformationToken routine retrieves a specified type of information about an access token. The calling process must have appropriate access rights to obtain the information.
SeQuerySecurityDescriptorInfo

The SeQuerySecurityDescriptorInfo routine retrieves a copy of an object's security descriptor.
SeQuerySessionIdToken

Microsoft reserves the SeQuerySessionIdToken function for internal use only. Don't use this function in your code.
SeQuerySubjectContextToken

Learn more about the SeQuerySubjectContextToken macro.
SeRegisterLogonSessionTerminatedRoutine

The SeRegisterLogonSessionTerminatedRoutine routine registers a callback routine to be called when a logon session terminates. A logon session terminates when the last token referencing the logon session is deleted.
SeReleaseSubjectContext

Learn more about the SeReleaseSubjectContext routine.
SeSetAccessStateGenericMapping

The SeSetAccessStateGenericMapping routine sets the generic mapping field of an ACCESS_STATE structure.
SeSetSecurityDescriptorInfo

Learn more about the SeSetSecurityDescriptorInfo function.
SeSetSecurityDescriptorInfoEx

Learn more about the SeSetSecurityDescriptorInfoEx function.
SeSetSessionIdToken

Microsoft reserves the SeSetSessionIdToken function for internal use only. Don't use this function in your code.
SeTokenGetNoChildProcessRestricted

The SeTokenGetNoChildProcessRestricted routine determines the state of the no child process mitigation. It is not possible to be enforced and audit-only at the same time.
SeTokenIsAdmin

The SeTokenIsAdmin routine determines whether a token contains the local administrators group.
SeTokenIsNoChildProcessRestrictionEnforced

The SeTokenIsNoChildProcessRestrictionEnforced routine determines if the token carries the no child process restriction.
SeTokenIsRestricted

The SeTokenIsRestricted routine determines whether a token contains a list of restricting security identifiers (SID).
SeTokenSetNoChildProcessRestricted

The SeTokenSetNoChildProcessRestricted routine sets the TOKEN_AUDIT_NO_CHILD_PROCESS or TOKEN_AUDIT_NO_CHILD_PROCESS flags in the token.
SeTokenType

Microsoft reserves the SeTokenType function for internal use only. Don't use this function in your code.
SeUnlockSubjectContext

Learn more about the SeUnlockSubjectContext routine.
SeUnregisterLogonSessionTerminatedRoutine

The SeUnregisterLogonSessionTerminatedRoutine routine unregisters a callback routine that was registered by an earlier call to SeRegisterLogonSessionTerminatedRoutine.
ZwAllocateVirtualMemory

The ZwAllocateVirtualMemory routine reserves, commits, or both, a region of pages within the user-mode virtual address space of a specified process.
ZwCreateEvent

The ZwCreateEvent routine creates an event object, sets the initial state of the event to the specified value, and opens a handle to the object with the specified desired access.
ZwDeleteFile

Learn more about the ZwDeleteFile function.
ZwDeviceIoControlFile

Learn how the ZwDeviceIoControlFile routine sends a control code directly to a specified device driver, causing the corresponding driver to perform the specified operation.
ZwDuplicateObject

The ZwDuplicateObject routine creates a handle that is a duplicate of the specified source handle.
ZwDuplicateToken

Learn more about the ZwDuplicateToken function.
ZwFlushBuffersFile

The ZwFlushBuffersFile routine is called by a file system filter driver to send a flush request for the specified file to the file system.
ZwFlushBuffersFileEx

The ZwFlushBuffersFileEx routine is called by a file system filter driver to send a flush request for a given file to the file system. An optional flush operation flag can be set to control how file data is written to storage.
ZwFlushVirtualMemory

The ZwFlushVirtualMemory routine flushes a range of virtual addresses within the virtual address space of a specified process which map to a data file back out to the data file if they have been modified.
ZwFreeVirtualMemory

The ZwFreeVirtualMemory routine releases, decommits, or both, a region of pages within the virtual address space of a specified process.
ZwFsControlFile

The ZwFsControlFile routine sends a control code directly to a specified file system or file system filter driver, causing the corresponding driver to perform the specified action.
ZwLockFile

Learn more about the ZwLockFile routine.
ZwNotifyChangeKey

Learn more about the ZwNotifyChangeKey function.
ZwOpenDirectoryObject

The ZwOpenDirectoryObject routine opens an existing directory object.
ZwOpenProcessTokenEx

The ZwOpenProcessTokenEx routine opens the access token associated with a process.
ZwOpenThreadTokenEx

The ZwOpenThreadTokenEx routine opens the access token associated with a thread.
ZwQueryDirectoryFile

The ZwQueryDirectoryFile routine returns various kinds of information about files in the directory specified by a given file handle.
ZwQueryDirectoryFileEx

Learn more about the ZwQueryDirectoryFileEx function.
ZwQueryEaFile

Learn more about the ZwQueryEaFile function.
ZwQueryInformationToken

The ZwQueryInformationToken routine retrieves a specified type of information about an access token.
ZwQueryObject

The ZwQueryObject routine provides information about a supplied object. If the call to NtQueryObject is in user mode, use the name NtQueryObject.
ZwQueryQuotaInformationFile

The ZwQueryQuotaInformationFile routine retrieves quota entries associated with the volume specified by the FileHandle parameter.
ZwQuerySecurityObject

The ZwQuerySecurityObject routine retrieves a copy of an object's security descriptor. A security descriptor can be in absolute or self-relative form.
ZwQueryVirtualMemory

The ZwQueryVirtualMemory routine determines the state, protection, and type of a region of pages within the virtual address space of the subject process.
ZwQueryVolumeInformationFile

Learn how the ZwQueryVolumeInformationFile routine retrieves information about the volume associated with a given file, directory, storage device, or volume.
ZwSetEaFile

Learn more about the ZwSetEaFile function.
ZwSetEvent

The ZwSetEvent routine sets an event object to a Signaled state and attempts to satisfy as many waits as possible.
ZwSetInformationToken

The ZwSetInformationToken routine modifies information in a specified token. The calling process must have appropriate access rights to set the information.
ZwSetInformationVirtualMemory

The ZwSetInformationVirtualMemory routine performs an operation on a specified list of address ranges in the user address space of a process.
ZwSetQuotaInformationFile

The ZwSetQuotaInformationFile routine changes quota entries for the volume associated with the FileHandle parameter. All of the quota entries in the specified buffer are applied to the volume.
ZwSetSecurityObject

The ZwSetSecurityObject routine sets an object's security state.
ZwSetVolumeInformationFile

The ZwSetVolumeInformationFile routine modifies information about the volume associated with a given file, directory, storage device, or volume.
ZwUnlockFile

The ZwUnlockFile routine unlocks a byte-range lock in a file.
ZwWaitForSingleObject

Learn more about the ZwWaitForSingleObject routine.

Callback functions

 
ALLOCATE_VIRTUAL_MEMORY_EX_CALLBACK

Learn more about the ALLOCATE_VIRTUAL_MEMORY_EX_CALLBACK callback function.
DRIVER_FS_NOTIFICATION

A PDRIVER_FS_NOTIFICATION-typed routine is called by the operating system when a file system registers or unregisters itself by using IoRegisterFileSystem or IoUnregisterFileSystem.
FREE_VIRTUAL_MEMORY_EX_CALLBACK

Learn more about the FREE_VIRTUAL_MEMORY_EX_CALLBACK callback function.
PCOMPLETE_LOCK_IRP_ROUTINE

Learn more about the PCOMPLETE_LOCK_IRP_ROUTINE callback function.
PFSRTL_EXTRA_CREATE_PARAMETER_CLEANUP_CALLBACK

A filter driver can register a PFSRTL_EXTRA_CREATE_PARAMETER_CLEANUP_CALLBACK-typed routine as the filter driver's CleanupCallback callback routine for an extra create parameter (ECP) context structure.
PUNLOCK_ROUTINE

Learn more about the PUNLOCK_ROUTINE callback routine.
QUERY_VIRTUAL_MEMORY_CALLBACK

Learn more about the QUERY_VIRTUAL_MEMORY_CALLBACK callback function.
RTL_HEAP_COMMIT_ROUTINE

Learn more about the RTL_HEAP_COMMIT_ROUTINE callback routine.

Structures

 
ACCESS_ALLOWED_ACE

The ACCESS_ALLOWED_ACE structure defines an access-control entry (ACE) for the discretionary access-control list (DACL) that controls access to an object.
ACCESS_DENIED_ACE

The ACCESS_DENIED_ACE structure defines an access-control entry (ACE) for the discretionary access-control list (DACL) controlling access to an object.
ACE_HEADER

The ACE_HEADER structure describes the type and size of an access-control entry (ACE).
ATOMIC_CREATE_ECP_CONTEXT

This structure allows supplemental operations to be performed on a file atomically during create.
BOOT_AREA_INFO

The BOOT_AREA_INFO structure contains the output for the FSCTL_GET_BOOT_AREA_INFO control code.
CC_FILE_SIZES

Learn more about the CC_FILE_SIZES structure.
COPY_INFORMATION

Learn more about the COPY_INFORMATION structure.
CREATE_REDIRECTION_ECP_CONTEXT

Learn more about the CREATE_REDIRECTION_ECP_CONTEXT structure.
CSV_DOWN_LEVEL_OPEN_ECP_CONTEXT

Learn more about the CSV_DOWN_LEVEL_OPEN_ECP_CONTEXT structure.
CSV_QUERY_FILE_REVISION_ECP_CONTEXT

Learn more about the CSV_QUERY_FILE_REVISION_ECP_CONTEXT structure.
CSV_QUERY_FILE_REVISION_ECP_CONTEXT_FILE_ID_128

Learn more about the CSV_QUERY_FILE_REVISION_ECP_CONTEXT_FILE_ID_128 structure.
CSV_SET_HANDLE_PROPERTIES_ECP_CONTEXT

Learn more about the CSV_SET_HANDLE_PROPERTIES_ECP_CONTEXT structure.
DUAL_OPLOCK_KEY_ECP_CONTEXT

Learn more about the DUAL_OPLOCK_KEY_ECP_CONTEXT structure.
ECP_OPEN_PARAMETERS

The ECP_OPEN_PARAMETERS structure allows a caller to specify the purpose of opening of a file without interfering with existing handles and/or oplocks on the file.
ENCRYPTION_KEY_CTRL_INPUT

Learn more about: ENCRYPTION_KEY_CTRL_INPUT structure
FILE_ACCESS_INFORMATION

The FILE_ACCESS_INFORMATION structure is used to query for or set the access rights of a file.
FILE_ALL_INFORMATION

The FILE_ALL_INFORMATION structure is a container for several FILE_XXX_INFORMATION structures.
FILE_ALLOCATED_RANGE_BUFFER

Learn more about the FILE_ALLOCATED_RANGE_BUFFER structure.
FILE_ALLOCATION_INFORMATION

Learn more about the FILE_ALLOCATION_INFORMATION structure.
FILE_BOTH_DIR_INFORMATION

The FILE_BOTH_DIR_INFORMATION structure is used to query detailed information for the files in a directory.
FILE_CASE_SENSITIVE_INFORMATION

The FILE_CASE_SENSITIVE_INFORMATION structure is used to query or set per-directory case-sensitive information.
FILE_COMPLETION_INFORMATION

The FILE_COMPLETION_INFORMATION structure contains the port handle and key for an I/O completion port created for a file handle.
FILE_COMPRESSION_INFORMATION

The FILE_COMPRESSION_INFORMATION structure describes the state of a compressed data buffer.
FILE_DESIRED_STORAGE_CLASS_INFORMATION

Contains the information for the Desired Storage Class attribute.
FILE_DIRECTORY_INFORMATION

The FILE_DIRECTORY_INFORMATION structure is used to query detailed information for the files in a directory.
FILE_EA_INFORMATION

The FILE_EA_INFORMATION structure is used to query for the size of the extended attributes (EA) for a file.
FILE_FS_ATTRIBUTE_INFORMATION

Learn more about the FILE_FS_ATTRIBUTE_INFORMATION structure.
FILE_FS_CONTROL_INFORMATION

Learn more about the FILE_FS_CONTROL_INFORMATION structure.
FILE_FS_DRIVER_PATH_INFORMATION

The FILE_FS_DRIVER_PATH_INFORMATION structure is used to query whether a given driver is in the I/O path for a file system volume.
FILE_FS_PERSISTENT_VOLUME_INFORMATION

Learn more about the FILE_FS_PERSISTENT_VOLUME_INFORMATION structure.
FILE_FULL_DIR_INFORMATION

The FILE_FULL_DIR_INFORMATION structure is used to query detailed information for the files in a directory.
FILE_GET_EA_INFORMATION

The FILE_GET_EA_INFORMATION structure is used to query for extended-attribute (EA) information.
FILE_GET_QUOTA_INFORMATION

The FILE_GET_QUOTA_INFORMATION structure is used to query for quota information.
FILE_ID_64_EXTD_BOTH_DIR_INFORMATION

Learn more about the FILE_ID_64_EXTD_BOTH_DIR_INFORMATION structure.
FILE_ID_64_EXTD_DIR_INFORMATION

Learn more about the FILE_ID_64_EXTD_DIR_INFORMATION structure.
FILE_ID_ALL_EXTD_BOTH_DIR_INFORMATION

Learn more about the FILE_ID_ALL_EXTD_BOTH_DIR_INFORMATION structure.
FILE_ID_ALL_EXTD_DIR_INFORMATION

Learn more about the FILE_ID_ALL_EXTD_DIR_INFORMATION structure.
FILE_ID_BOTH_DIR_INFORMATION

The FILE_ID_BOTH_DIR_INFORMATION structure is used to query file reference number information for the files in a directory.
FILE_ID_EXTD_BOTH_DIR_INFORMATION

Learn more about the FILE_ID_EXTD_BOTH_DIR_INFORMATION structure.
FILE_ID_EXTD_DIR_INFORMATION

Learn more about the FILE_ID_EXTD_DIR_INFORMATION structure.
FILE_ID_FULL_DIR_INFORMATION

The FILE_ID_FULL_DIR_INFORMATION structure is used to query detailed information for the files in a directory.
FILE_ID_GLOBAL_TX_DIR_INFORMATION

The FILE_ID_GLOBAL_TX_DIR_INFORMATION structure contains information about transactional visibility for the files in a directory.
FILE_ID_INFORMATION

FILE_ID_INFORMATION is used to query file identification information.
FILE_INTERNAL_INFORMATION

Learn more about FILE_INTERNAL_INFORMATION structure.
FILE_KNOWN_FOLDER_INFORMATION

Learn more about the FILE_KNOWN_FOLDER_INFORMATION structure.
FILE_LEVEL_TRIM

The FILE_LEVEL_TRIM structure contains an array of byte ranges to trim for a file.
FILE_LEVEL_TRIM_OUTPUT

The FILE_LEVEL_TRIM_OUTPUT structure contains the results of a trim operation performed by an FSCTL_FILE_LEVEL_TRIM request.
FILE_LEVEL_TRIM_RANGE

Contains the offset and length of a trim range for a file.
FILE_LINK_ENTRY_INFORMATION

The FILE_LINK_ENTRY_INFORMATION structure describes a single NTFS hard link to an existing file.
FILE_LINK_INFORMATION

The FILE_LINK_INFORMATION structure is used to create an NTFS hard link to an existing file.
FILE_LINKS_INFORMATION

Learn more about the FILE_LINKS_INFORMATION structure.
FILE_LOCK

Learn more about the FILE_LOCK structure.
FILE_LOCK_INFO

Learn more about the FILE_LOCK_INFO structure.
FILE_MAILSLOT_QUERY_INFORMATION

The FILE_MAILSLOT_QUERY_INFORMATION structure contains information about a mailslot.
FILE_MAILSLOT_SET_INFORMATION

The FILE_MAILSLOT_SET_INFORMATION structure is used to set a value on a mailslot.
FILE_MODE_INFORMATION

The FILE_MODE_INFORMATION structure is used to query or set the access mode of a file.
FILE_NAMES_INFORMATION

A FILE_NAMES_INFORMATION structure used to query detailed information about the names of files in a directory.
FILE_NETWORK_PHYSICAL_NAME_INFORMATION

Learn more about _FILE_NETWORK_PHYSICAL_NAME_INFORMATION structure.
FILE_NOTIFY_EXTENDED_INFORMATION

Learn more about the FILE_NOTIFY_EXTENDED_INFORMATION structure.
FILE_NOTIFY_FULL_INFORMATION

Learn more about the FILE_NOTIFY_FULL_INFORMATION structure.
FILE_NOTIFY_INFORMATION

Learn more about the FILE_NOTIFY_INFORMATION structure.
FILE_OBJECTID_INFORMATION

Learn more about the FILE_OBJECTID_INFORMATION structure.
FILE_PIPE_INFORMATION

The FILE_PIPE_INFORMATION structure contains information about a named pipe that is not specific to the local or the remote end of the pipe.
FILE_PIPE_LOCAL_INFORMATION

The FILE_PIPE_LOCAL_INFORMATION structure contains information about the local end of a named pipe.
FILE_PIPE_REMOTE_INFORMATION

The FILE_PIPE_REMOTE_INFORMATION structure contains information about the remote end of a named pipe.
FILE_PROVIDER_EXTERNAL_INFO_V0

Learn more about the FILE_PROVIDER_EXTERNAL_INFO_V0 structure.
FILE_PROVIDER_EXTERNAL_INFO_V1

Learn more about the FILE_PROVIDER_EXTERNAL_INFO_V1 structure.
FILE_QUOTA_INFORMATION

The FILE_QUOTA_INFORMATION structure is used to query or set per-user quota information for each of the files in a directory.
FILE_REGION_INFO

Learn more about the FILE_REGION_INFO structure.
FILE_REGION_INPUT

Learn more about the FILE_REGION_INPUT structure.
FILE_REGION_OUTPUT

Learn more about the FILE_REGION_OUTPUT structure.
FILE_REMOTE_PROTOCOL_INFORMATION

The FILE_REMOTE_PROTOCOL_INFORMATION structure contains file remote protocol information.
FILE_RENAME_INFORMATION

The FILE_RENAME_INFORMATION structure is used to rename a file.
FILE_REPARSE_POINT_INFORMATION

The FILE_REPARSE_POINT_INFORMATION structure is used to query for information about a reparse point.
FILE_STANDARD_LINK_INFORMATION

FILE_STANDARD_LINK_INFORMATION is used to query file link information.
FILE_STAT_BASIC_INFORMATION

Learn more about FILE_STAT_BASIC_INFORMATION structure.
FILE_STAT_INFORMATION

The FILE_STAT_INFORMATION structure contains metadata about a file.
FILE_STAT_LX_INFORMATION

The FILE_STAT_LX_INFORMATION structure contains metadata about a file.
FILE_STORAGE_RESERVE_ID_INFORMATION

Learn more about the FILE_STORAGE_RESERVE_ID_INFORMATION structure.
FILE_STREAM_INFORMATION

Learn more about FILE_STREAM_INFORMATION structure.
FILE_TIMESTAMPS

The FILE_TIMESTAMPS structure specifies the last recorded instance of specific actions on a file.
FILE_ZERO_DATA_INFORMATION

The _FILE_ZERO_DATA_INFORMATION structure contains a range of a file to set to zeros. This structure is used by the FSCTL_SET_ZERO_DATA control code.
FILE_ZERO_DATA_INFORMATION_EX

The _FILE_ZERO_DATA_INFORMATION_EX structure contains a range of a file to set to zeros. This structure is used by the FSCTL_SET_ZERO_DATA control code.
FS_BPIO_INFO

The FS_BPIO_INFO structure provides information about the BypassIO state of the volume.
FS_BPIO_INPUT

The FS_BPIO_INPUT structure specifies the requested BypassIO operation and flags for the FSCTL_MANAGE_BYPASS_IO control code.
FS_BPIO_OUTPUT

The FS_BPIO_OUTPUT structure is used to return information about the BypassIO operation for the FSCTL_MANAGE_BYPASS_IO control code.
FS_BPIO_RESULTS

The FS_BPIO_RESULTS structure defines BypassIO operation-specific outputs for FS_BPIO_OP_ENABLE and FS_BPIO_OP_QUERY operations when a driver is failing the operation.
FS_FILTER_CALLBACK_DATA

FS_FILTER_CALLBACK_DATA is the callback data structure for a FS_FILTER_CALLBACKS's FS_FILTER_CALLBACK or FS_FILTER_COMPLETION_CALLBACK operation.
FS_FILTER_CALLBACKS

The FS_FILTER_CALLBACKS structure contains the entry points of caller-supplied notification callback routines.
FS_FILTER_SECTION_SYNC_OUTPUT

The FS_FILTER_SECTION_SYNC_OUTPUT structure contains information describing the attributes of the section that is being created.
FSCTL_OFFLOAD_READ_INPUT

Learn more about the FSCTL_OFFLOAD_READ_INPUT structure.
FSCTL_OFFLOAD_READ_OUTPUT

The FSCTL_OFFLOAD_READ_OUTPUT structure contains the output for the FSCTL_OFFLOAD_READ control code request.
FSCTL_OFFLOAD_WRITE_INPUT

Learn more about the FSCTL_OFFLOAD_WRITE_INPUT structure.
FSCTL_OFFLOAD_WRITE_OUTPUT

Learn more about the FSCTL_OFFLOAD_WRITE_OUTPUT structure.
FSCTL_QUERY_VOLUME_NUMA_INFO_OUTPUT

The FSCTL_QUERY_VOLUME_NUMA_INFO_OUTPUT structure specifies the Non-Uniform Memory Architecture (NUMA) node the volume resides on.
FSRTL_ADVANCED_FCB_HEADER

The FSRTL_ADVANCED_FCB_HEADER structure contains context information that a file system maintains about a file.
FSRTL_COMMON_FCB_HEADER

Learn more about the FSRTL_COMMON_FCB_HEADER structure.
FSRTL_PER_FILE_CONTEXT

A legacy file system filter driver can use a FSRTL_PER_FILE_CONTEXT structure to associate driver-specific context information to an open file.
FSRTL_PER_FILEOBJECT_CONTEXT

The opaque FSRTL_PER_FILEOBJECT_CONTEXT structure is used by the operating system to track file system filter-driver-defined context information structures for a file object.
FSRTL_PER_STREAM_CONTEXT

The FSRTL_PER_STREAM_CONTEXT structure contains context information that a file system filter driver maintains about a file stream.
IO_CREATE_STREAM_FILE_OPTIONS

Learn more about the IO_CREATE_STREAM_FILE_OPTIONS structure.
IO_DEVICE_HINT_ECP_CONTEXT

Learn more about the IO_DEVICE_HINT_ECP_CONTEXT structure.
IO_PRIORITY_INFO

The IO_PRIORITY_INFO structure is used to hold thread priority information.
IO_STOP_ON_SYMLINK_FILTER_ECP_v0

Learn more about: IO_STOP_ON_SYMLINK_FILTER_ECP_v0 structure
LINK_TRACKING_INFORMATION

Learn more about the LINK_TRACKING_INFORMATION structure.
MARK_HANDLE_INFO

A MARK_HANDLE_INFO structure is passed as the input buffer during a FSCTL_MARK_HANDLE control code request.
MARK_HANDLE_INFO32

Version of MARK_HANDLE_INFO structure used for thunking.
MEMORY_BASIC_INFORMATION

Contains information about a range of pages in the virtual address space of a process.
NETWORK_APP_INSTANCE_EA

An Extended Attribute (EA) structure for processes using Server Message Block (SMB) Cluster Client Failover.
NETWORK_APP_INSTANCE_ECP_CONTEXT

The NETWORK_APP_INSTANCE_ECP_CONTEXT structure is an Extra Create Parameter (ECP) and contains an application instance identifier to associate with a file.
NETWORK_OPEN_ECP_CONTEXT

The NETWORK_OPEN_ECP_CONTEXT structure is used to interpret network extra create parameter (ECP) contexts on files.
NETWORK_OPEN_ECP_CONTEXT_V0

The NETWORK_OPEN_ECP_CONTEXT_V0 structure is used to interpret network extra create parameter (ECP) contexts on files.
NFS_OPEN_ECP_CONTEXT

The NFS_OPEN_ECP_CONTEXT structure is used by the Network File System (NFS) server to open files in response to client requests.
OPEN_REPARSE_LIST

Points to a list of OPEN_REPARSE_LIST_ENTRY structures that specify the tag and possibly GUID that should be opened directly without returning STATUS_REPARSE.
OPEN_REPARSE_LIST_ENTRY

This structure supports callers opening specific reparse points without inhibiting reparse behavior for all classes of reparse points.
OPLOCK_KEY_ECP_CONTEXT

Learn more about the OPLOCK_KEY_ECP_CONTEXT structure.
OPLOCK_NOTIFY_PARAMS

The OPLOCK_NOTIFY_PARAMS structure is passed as a parameter to a NotifyRoutine callback when such a callback is provided to FsRtlCheckOplockEx2.
PREFETCH_OPEN_ECP_CONTEXT

Learn more about the PREFETCH_OPEN_ECP_CONTEXT structure.
PUBLIC_OBJECT_BASIC_INFORMATION

The PUBLIC_OBJECT_BASIC_INFORMATION structure holds a subset of the full information that is available for an object.
PUBLIC_OBJECT_TYPE_INFORMATION

The PUBLIC_OBJECT_TYPE_INFORMATION structure holds the type name of the object.
QUERY_FILE_LAYOUT_INPUT

The QUERY_FILE_LAYOUT_INPUT structure selects which file layout entries are returned from a FSCTL_QUERY_FILE_LAYOUT request.
QUERY_FILE_LAYOUT_OUTPUT

The QUERY_FILE_LAYOUT_OUTPUT structure serves as a header for the file layout entries that are returned from a FSCTL_QUERY_FILE_LAYOUT request.
QUERY_ON_CREATE_EA_INFORMATION

The QUERY_ON_CREATE_EA_INFORMATION structure is used to write file information when FltRequestFileInfoOnCreateCompletion is called with the QoCFileEaInformation flag set in the InfoClassFlags parameter.
QUERY_ON_CREATE_ECP_CONTEXT

QUERY_ON_CREATE_ECP_CONTEXT is reserved for system use.
QUERY_ON_CREATE_FILE_LX_INFORMATION

The QUERY_ON_CREATE_FILE_LX_INFORMATION structure is used to write a file's Linux metadata extended attributes when FltRequestFileInfoOnCreateCompletion is called with the QoCFileLxInformation flag set in the InfoClassFlags parameter.
QUERY_ON_CREATE_FILE_STAT_INFORMATION

The QUERY_ON_CREATE_FILE_STAT_INFORMATION structure is used to write file information when FltRequestFileInfoOnCreateCompletion is called with the QoCFileStatInformation flag set in the InfoClassFlags parameter.
QUERY_ON_CREATE_SECURITY_INFORMATION

The QUERY_ON_CREATE_SECURITY_INFORMATION structure is used to write file information when FltRequestSecurityInfoOnCreateCompletion is called in pre-create.
QUERY_ON_CREATE_USN_INFORMATION

The QUERY_ON_CREATE_USN_INFORMATION structure is used to write file information when FltRequestFileInfoOnCreateCompletion is called with the QoCFileUsnInformation flag set in the InfoClassFlags parameter.
QUERY_PATH_REQUEST

Learn more about the QUERY_PATH_REQUEST structure.
QUERY_PATH_REQUEST_EX

Learn more about the QUERY_PATH_REQUEST_EX structure.
QUERY_PATH_RESPONSE

Learn more about the QUERY_PATH_RESPONSE structure.
READ_AHEAD_PARAMETERS

Learn more about the READ_AHEAD_PARAMETERS structure.
REARRANGE_FILE_DATA

Learn more about the REARRANGE_FILE_DATA structure.
REFS_DEALLOCATE_RANGES_INPUT_BUFFER_EX

Learn more about the REFS_DEALLOCATE_RANGES_INPUT_BUFFER_EX structure.
REFS_SMR_VOLUME_GC_PARAMETERS

The REFS_SMR_VOLUME_GC_PARAMETERS structure.
REFS_SMR_VOLUME_INFO_OUTPUT

The REFS_SMR_VOLUME_INFO_OUTPUT structure describes a Shingled Magnetic Recording (SMR) volume's current state on space and garbage collection activities.
REPARSE_DATA_BUFFER

The REPARSE_DATA_BUFFER structure contains reparse point data for a Microsoft reparse point.
REPARSE_DATA_BUFFER_EX

The REPARSE_DATA_BUFFER_EX structure contains data for a reparse point.
REPARSE_GUID_DATA_BUFFER

The REPARSE_GUID_DATA_BUFFER structure contains reparse point data for a reparse point.
RKF_BYPASS_ECP_CONTEXT

Learn more about the RKF_BYPASS_ECP_CONTEXT structure.
RTL_HEAP_PARAMETERS

Learn more about the RTL_HEAP_PARAMETERS structure.
RTL_SEGMENT_HEAP_MEMORY_SOURCE

The RTL_SEGMENT_HEAP_MEMORY_SOURCE structure specifies the segment heap memory source.
RTL_SEGMENT_HEAP_PARAMETERS

The RTL_SEGMENT_HEAP_PARAMETERS structure contains the segment heap parameters.
RTL_SEGMENT_HEAP_VA_CALLBACKS

Learn more about the RTL_SEGMENT_HEAP_VA_CALLBACKS structure.
SE_EXPORTS

Learn more about the SE_EXPORTS structure.
SE_SID

The SE_SID union holds the maximum-sized valid Security Identifier (SID). The structure occupies 68-bytes and is suitable for stack allocation.
SE_TOKEN_USER

The SE_TOKEN_USER structure holds the maximum-sized valid user SID that can be returned by SeQueryInformationToken, GetTokenInformation, or ZwQueryInformationToken with the TokenUser information class. This structure is suitable for stack allocation.
SEC_CERTIFICATE_REQUEST_CONTEXT

Learn more about the SEC_CERTIFICATE_REQUEST_CONTEXT structure.
SECURITY_DESCRIPTOR

The SECURITY_DESCRIPTOR structure contains the security information associated with an object. Drivers use this structure to set and query an object's security status.
SET_CACHED_RUNS_STATE_INPUT_BUFFER

Learn more about the SET_CACHED_RUNS_STATE_INPUT_BUFFER structure.
SET_DAX_ALLOC_ALIGNMENT_HINT_INPUT

Learn more about the SET_DAX_ALLOC_ALIGNMENT_HINT_INPUT structure.
SET_PURGE_FAILURE_MODE_INPUT

Learn more about the SET_PURGE_FAILURE_MODE_INPUT structure.
SHUFFLE_FILE_DATA

Lear more about the SHUFFLE_FILE_DATA structure.
SID

The security identifier (SID) structure is a variable-length structure used to uniquely identify users or groups.
SID_AND_ATTRIBUTES

The SID_AND_ATTRIBUTES structure represents a security identifier (SID) and its attributes. SIDs are used to uniquely identify users or groups.
SID_AND_ATTRIBUTES_HASH

Learn more about the SID_AND_ATTRIBUTES_HASH structure.
SID_IDENTIFIER_AUTHORITY

The SID_IDENTIFIER_AUTHORITY structure represents the top-level authority of a security identifier (SID).
SRV_OPEN_ECP_CONTEXT

The SRV_OPEN_ECP_CONTEXT structure is used by a server to conditionally open files in response to client requests.
SYSTEM_ALARM_ACE

Reserved for future use.
SYSTEM_AUDIT_ACE

The SYSTEM_AUDIT_ACE structure defines an access-control entry (ACE) for the system access-control list (ACL) specifying what types of access cause system-level notifications.
SYSTEM_PROCESS_TRUST_LABEL_ACE

Reserved.
SYSTEM_RESOURCE_ATTRIBUTE_ACE

The SYSTEM_RESOURCE_ATTRIBUTE_ACE structure defines an access-control entry (ACE) for the system access-control list (ACL) specifying what rights a particular claim has to a resource.
SYSTEM_SCOPED_POLICY_ID_ACE

The SYSTEM_SCOPED_POLICY_ID_ACE structure defines an access-control entry (ACE) for the system access-control list (ACL) specifying rights for a scoped policy identifier.
TOKEN_ACCESS_INFORMATION

Learn more about the TOKEN_ACCESS_INFORMATION structure.
TOKEN_CONTROL

The TOKEN_CONTROL structure contains information that identifies an access token.
TOKEN_DEFAULT_DACL

The TOKEN_DEFAULT_DACL structure specifies a discretionary access-control list (DACL).
TOKEN_GROUPS

TOKEN_GROUPS contains information about the group security identifiers (SID) in an access token.
TOKEN_GROUPS_AND_PRIVILEGES

TOKEN_GROUPS_AND_PRIVILEGES contains information about the group security identifiers (SIDs) and privileges in an access token.
TOKEN_MANDATORY_POLICY

Learn more about the TOKEN_MANDATORY_POLICY structure.
TOKEN_ORIGIN

The TOKEN_ORIGIN structure contains information about the origin of the logon session.
TOKEN_OWNER

TOKEN_OWNER contains the default owner security identifier (SID) that will be applied to newly created objects.
TOKEN_PRIMARY_GROUP

TOKEN_PRIMARY_GROUP specifies a group security identifier (SID) for an access token.
TOKEN_PRIVILEGES

TOKEN_PRIVILEGES contains information about a set of privileges for an access token.
TOKEN_SOURCE

TOKEN_SOURCE identifies the source of an access token.
TOKEN_STATISTICS

TOKEN_STATISTICS contains information about an access token. A driver can retrieve this information by calling SeQueryInformationToken or ZwQueryInformationToken.
TOKEN_USER

TOKEN_USER identifies the user associated with an access token.
TUNNEL

Learn more about the TUNNEL structure.
VETO_BINDING_ECP_CONTEXT

Learn more about the VETO_BINDING_ECP_CONTEXT structure.
VIRTUAL_STORAGE_SET_BEHAVIOR_INPUT

Learn more about: _VIRTUAL_STORAGE_SET_BEHAVIOR_INPUT structure
VIRTUALIZATION_INSTANCE_INFO_INPUT_EX

Learn more about: _VIRTUALIZATION_INSTANCE_INFO_INPUT_EX structure
WIM_PROVIDER_ADD_OVERLAY_INPUT

Learn more about the WIM_PROVIDER_ADD_OVERLAY_INPUT structure.
WIM_PROVIDER_EXTERNAL_INFO

Learn more about the WIM_PROVIDER_EXTERNAL_INFO structure.
WIM_PROVIDER_OVERLAY_ENTRY

Learn more about the WIM_PROVIDER_OVERLAY_ENTRY structure.
WIM_PROVIDER_REMOVE_OVERLAY_INPUT

Learn more about the WIM_PROVIDER_REMOVE_OVERLAY_INPUT structure.
WIM_PROVIDER_SUSPEND_OVERLAY_INPUT

Learn more about the WIM_PROVIDER_SUSPEND_OVERLAY_INPUT structure.
WIM_PROVIDER_UPDATE_OVERLAY_INPUT

Learn more about the WIM_PROVIDER_UPDATE_OVERLAY_INPUT structure.
WOF_EXTERNAL_FILE_ID

Learn more about the WOF_EXTERNAL_FILE_ID structure.
WOF_EXTERNAL_INFO

Learn more about the WOF_EXTERNAL_INFO structure.
WOF_VERSION_INFO

Learn more about the WOF_VERSION_INFO structure.

Enumerations

 
CSV_CONTROL_OP

Specifies the type of cluster shared volume (CSV) control operation to use with the FSCTL_CSV_CONTROL control code.
CSV_DOWN_LEVEL_FILE_TYPE

Learn more about the CSV_DOWN_LEVEL_FILE_TYPE enumerator
FILE_KNOWN_FOLDER_TYPE

Learn more about the FILE_KNOWN_FOLDER_TYPE enumeration.
FILE_STORAGE_TIER_CLASS

Defines values for the type of desired storage class.
FS_BPIO_INFLAGS

FS_BPIO_INFLAGS defines the BypassIO input flags for the FSCTL_MANAGE_BYPASS_IO control code.
FS_BPIO_OPERATIONS

FS_BPIO_OPERATIONS defines the various BypassIO operations supported by the FSCTL_MANAGE_BYPASS_IO control code.
FS_BPIO_OUTFLAGS

FS_BPIO_OUTFLAGS defines the BypassIO output flags for the FSCTL_MANAGE_BYPASS_IO control code.
FSRTL_CHANGE_BACKING_TYPE

The FSRTL_CHANGE_BACKING_TYPE enumeration specifies the type of cache or control area that a file object designates.
HEAP_MEMORY_INFO_CLASS

Learn more about the HEAP_MEMORY_INFO_CLASS enumeration.
LINK_TRACKING_INFORMATION_TYPE

Learn more about the LINK_TRACKING_INFORMATION_TYPE enumeration.
MEMORY_INFORMATION_CLASS

Defines classes of memory information that can be retrieved by using the ZwQueryVirtualMemory function.
NETWORK_OPEN_INTEGRITY_QUALIFIER

The NETWORK_OPEN_INTEGRITY_QUALIFIER enumeration type contains values that identify the kind of integrity restriction to attach to a file.
NETWORK_OPEN_LOCATION_QUALIFIER

The NETWORK_OPEN_LOCATION_QUALIFIER enumeration type contains values that identify the kind of location restriction to attach to a file.
OBJECT_INFORMATION_CLASS

The OBJECT_INFORMATION_CLASS enumeration type represents the type of information to supply about an object.
OPLOCK_NOTIFY_REASON

OPLOCK_NOTIFY_REASON specifies the reason for calling the notification callback provided to FsRtlCheckOplockEx2.
REFS_DEALLOCATE_RANGES_ALLOCATOR

Learn more about the REFS_DEALLOCATE_RANGES_ALLOCATOR enumeration.
REFS_SMR_VOLUME_GC_ACTION

Learn more about the REFS_SMR_VOLUME_GC_ACTION enumeration.
REFS_SMR_VOLUME_GC_METHOD

Learn more about the REFS_SMR_VOLUME_GC_METHOD enumeration.
REFS_SMR_VOLUME_GC_STATE

Learn more about the REFS_SMR_VOLUME_GC_STATE enumeration.
RTL_MEMORY_TYPE

Defines the memory type the heap is supposed to use.
SID_NAME_USE

The SID_NAME_USE enumeration type contains values that specify the type of a security identifier (SID).
SRV_INSTANCE_TYPE

The SRV_INSTANCE_TYPE enumeration type describes the SRV instance type for an SRV_OPEN_ECP_CONTEXT.
STORAGE_RESERVE_ID

Defines the storage reserve ID of a file, directory, or storage reserve area.
TOKEN_INFORMATION_CLASS

Learn more about the TOKEN_INFORMATION_CLASS enumeration.
TOKEN_TYPE

The TOKEN_TYPE enumeration type contains values that differentiate between a primary token and an impersonation token.
VIRTUAL_STORAGE_BEHAVIOR_CODE

Configures file system-specific behaviors used on virtual storage devices.