3

I understand that the windows API does a lot more than what an OS Kernel can be expected to do. My question is what is the connection between Windows API and the Kernel? Does the Windows API contain all the Kernel functions within it as a subset?

quantum231

2 Answers

4

The Windows API (aka "Win32") contains many things, including kernel access.

http://technet.microsoft.com/en-us/library/cc768129.aspx

Windows NT Architecture

The layer below Win32 is the "Native API", mediated by "ntdll.dll":

When a Win32 function actually calls into the kernel, it uses a "trap". On Intel x86 PCs, it uses interrupt 0x2e. Here are some good links on how this works:

paulsm4
    Newer versions of Windows typically use the `SYSENTER` instruction instead of `INT 2Eh` – Ben Voigt Jul 30 '13 at 16:34
  • You're absolutely correct. Similarly, older versions of Linux used int 0x80 for kernel traps, while newer versions use SYSCALL (AMD) or SYSENTER (Intel): http://stackoverflow.com/questions/15168822/intel-x86-vs-x64-interrupt-call, http://stackoverflow.com/questions/7407652/implementation-of-system-calls-traps-within-linux-kernel-source – paulsm4 Jul 30 '13 at 18:37
4

There is no connection. The winapi is a layer on top of the native operating system. It was designed to resemble the api of Windows version 3, intended to make porting programs easy. It was one of three api layers; OS/2 and Posix were the other two. But they have been removed because nobody used them; the winapi won by a landslide. The original name was "win32", distinguishing it from the 16-bit version, but that caused too much confusion when 64-bit Windows came around, so everybody calls it "winapi" today.

The native operating system looks very different; it resembles VMS a lot. Which is no coincidence: they had the same designer, David Cutler, who used to work for DEC before it imploded. Money changed hands when DEC complained about it.

The native api is undocumented. Intentionally, to allow Microsoft to innovate on the OS while still allowing old programs to run. It is not otherwise a well-kept secret; it has been heavily reverse-engineered. And some of it did get documented, like the functions whose names start with "Nt" and "Rtl", like NtCreateFile and RtlFillMemory. The Rtl functions are part of the glue that marries the winapi to the native api. You'll also get much more exposure to the native api when you write a device driver.

Hans Passant
    While there are no doubt differences, much of the native API has a 1:1 correspondence with the winapi wrappers, such that the flavor (which I guess would be VMS style) shows through strongly in the winapi. – Ben Voigt Jul 30 '13 at 18:40
  • I did not know that something called native API existed, hmm – quantum231 Jul 31 '13 at 08:39
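As an added example (not code from either answer; written with Python's ctypes and assuming Windows for the two DLL calls), the same file is opened once through the Win32 layer and once directly through the Native API in ntdll. It makes the layering described above concrete: NtCreateFile wants an object-manager path, an OBJECT_ATTRIBUTES block and returns an NTSTATUS, all of which CreateFileW in kernel32 hides from the caller.

```python
# Added example (not from the answers above): open one file through the Win32 layer
# (kernel32!CreateFileW) and through the layer beneath it (ntdll!NtCreateFile).
import ctypes
import ctypes.wintypes as wt

GENERIC_READ, SYNCHRONIZE, FILE_SHARE_READ = 0x80000000, 0x00100000, 0x1
FILE_ATTRIBUTE_NORMAL, OPEN_EXISTING, OBJ_CASE_INSENSITIVE = 0x80, 3, 0x40
FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT = 1, 0x20        # NtCreateFile-only values
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value

class UNICODE_STRING(ctypes.Structure):
    _fields_ = [("Length", wt.USHORT), ("MaximumLength", wt.USHORT), ("Buffer", wt.LPWSTR)]
class OBJECT_ATTRIBUTES(ctypes.Structure):
    _fields_ = [("Length", wt.ULONG), ("RootDirectory", wt.HANDLE),
                ("ObjectName", ctypes.POINTER(UNICODE_STRING)), ("Attributes", wt.ULONG),
                ("SecurityDescriptor", ctypes.c_void_p), ("SecurityQualityOfService", ctypes.c_void_p)]
class IO_STATUS_BLOCK(ctypes.Structure):
    _fields_ = [("Status", ctypes.c_long), ("Information", ctypes.c_void_p)]

def to_nt_path(win32_path: str) -> str:
    """Win32 rewrites DOS paths into NT object-manager paths before NtCreateFile sees them."""
    if win32_path.startswith("\\??\\"):
        return win32_path                            # already an NT path
    if win32_path.startswith("\\\\"):                # UNC path \\server\share\...
        return "\\??\\UNC\\" + win32_path[2:]
    return "\\??\\" + win32_path                     # drive-letter path C:\...

def open_via_win32(path: str) -> int:
    # Win32 layer: one call, DOS path, GetLastError() error reporting (Windows only)
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype = wt.HANDLE
    h = k32.CreateFileW(path, wt.DWORD(GENERIC_READ), FILE_SHARE_READ, None,
                        OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, None)
    if h in (None, INVALID_HANDLE_VALUE):
        raise ctypes.WinError(ctypes.get_last_error())
    return h

def open_via_native(path: str) -> int:
    # Native layer: NT path, OBJECT_ATTRIBUTES, NTSTATUS return value (Windows only)
    ntdll = ctypes.WinDLL("ntdll")
    name, iosb, h = UNICODE_STRING(), IO_STATUS_BLOCK(), wt.HANDLE()
    buf = ctypes.c_wchar_p(to_nt_path(path))         # keep the wide string alive
    ntdll.RtlInitUnicodeString(ctypes.byref(name), buf)
    oa = OBJECT_ATTRIBUTES(ctypes.sizeof(OBJECT_ATTRIBUTES), None, ctypes.pointer(name),
                           OBJ_CASE_INSENSITIVE, None, None)
    ntdll.NtCreateFile.restype = ctypes.c_long       # NTSTATUS; negative means failure
    status = ntdll.NtCreateFile(ctypes.byref(h), wt.DWORD(GENERIC_READ | SYNCHRONIZE),
                                ctypes.byref(oa), ctypes.byref(iosb), None, FILE_ATTRIBUTE_NORMAL,
                                FILE_SHARE_READ, FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT, None, 0)
    if status < 0:
        raise OSError(f"NtCreateFile failed: NTSTATUS 0x{status & 0xFFFFFFFF:08X}")
    return h.value
```

On Windows, `open_via_win32(r"C:\Windows\notepad.exe")` and `open_via_native(r"C:\Windows\notepad.exe")` each return a handle to the same file; close them with kernel32's CloseHandle. The path helper is pure Python and runs anywhere.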