Kernel Services API Reference
The Windows Kernel Services provide low‑level system functionality accessible to drivers and system components. Below are the most commonly used kernel‑mode APIs, grouped by category.
Categories
Process & Thread Management
- PsCreateSystemProcess – Create a new system process.
- PsCreateSystemThread – Create a kernel‑mode thread.
- PsTerminateProcess – Terminate a process.
- KeWaitForSingleObject – Wait for a kernel object.
```c
// Example: Creating a system thread
#include <ntddk.h>

// Declaring the routine with the KSTART_ROUTINE typedef gives the compiler and
// Static Driver Verifier the expected signature, VOID (*)(PVOID).
KSTART_ROUTINE WorkerThread;

VOID WorkerThread(PVOID StartContext) {
    UNREFERENCED_PARAMETER(StartContext);
    DbgPrint("Worker thread started\n");
    // A system thread must end itself with PsTerminateSystemThread rather than returning.
    PsTerminateSystemThread(STATUS_SUCCESS);
}

NTSTATUS CreateWorkerThread() {
    HANDLE threadHandle;
    NTSTATUS status = PsCreateSystemThread(&threadHandle,
                                           THREAD_ALL_ACCESS,
                                           NULL,          // ObjectAttributes
                                           NULL,          // ProcessHandle: NULL = System process
                                           NULL,          // ClientId
                                           WorkerThread,
                                           NULL);         // StartContext
    if (NT_SUCCESS(status)) {
        // The thread keeps itself alive, so the handle can be closed at once. Keep a
        // reference (ObReferenceObjectByHandle) only if the driver must wait for exit later.
        ZwClose(threadHandle);
    }
    return status;
}
```
Memory Management
- MmAllocatePagesForMdl – Allocate memory pages for an MDL.
- MmMapLockedPagesSpecifyCache – Map locked pages into system address space.
- ExAllocatePoolWithTag – Allocate pool memory with a tag.
- ExFreePoolWithTag – Free pool memory.
```c
// Allocate non‑paged pool memory
// NonPagedPoolNx is non-paged and non-executable; prefer it over plain NonPagedPool.
// ExAllocatePoolWithTag is deprecated from Windows 10 version 2004 in favour of
// ExAllocatePool2(POOL_FLAG_NON_PAGED, ...), which also zero-fills by default.
PVOID buffer = ExAllocatePoolWithTag(NonPagedPoolNx, 256, 'mytg');
if (buffer) {
    RtlZeroMemory(buffer, 256);            // this API does not clear the block for you
    // ... use buffer ...
    ExFreePoolWithTag(buffer, 'mytg');     // tag must match the one used at allocation
}
```
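The snippet above uses a fixed size. In real drivers the size is usually computed from caller-supplied values, and an unchecked `count * element_size` that wraps around is a classic source of undersized pool blocks and later pool overflows. The following is an added example, not code from the original page or from any Microsoft sample: it computes the size with an explicit overflow check before calling ExAllocatePoolWithTag. When built with the WDK (`_KERNEL_MODE` defined) it uses the real kernel headers; on any other C toolchain a small constructed shim maps ExAllocatePoolWithTag/ExFreePoolWithTag onto malloc/free so the logic can be compiled and exercised. The pool tag value, `DEMO_POOL_TAG`, and the function names are assumptions for the example.

```c
/*
 * Added example: overflow-checked pool allocation. Not from the original page.
 * Kernel build: real APIs. Host build: constructed shim (malloc/free) below.
 */
#ifdef _KERNEL_MODE
#include <ntddk.h>
#include <ntintsafe.h>              /* RtlSizeTMult does this check in real drivers */
#ifndef SIZE_MAX
#define SIZE_MAX MAXSIZE_T
#endif
#else
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
typedef void *PVOID;
typedef size_t SIZE_T;
typedef unsigned long ULONG;
typedef enum { NonPagedPoolNx = 512 } POOL_TYPE;   /* shim; value as in ntddk.h */
#define RtlZeroMemory(dst, len) memset((dst), 0, (len))
/* Shim: models pool allocation with the C heap so the example runs anywhere. */
static PVOID ExAllocatePoolWithTag(POOL_TYPE type, SIZE_T bytes, ULONG tag)
{ (void)type; (void)tag; return malloc(bytes); }
static void ExFreePoolWithTag(PVOID p, ULONG tag) { (void)tag; free(p); }
#endif

#define DEMO_POOL_TAG ((ULONG)0x6D797467)   /* 'mytg' spelled out; assumed tag for this example */

/* Returns 1 and stores count*elem_size in *total when the product fits in SIZE_T,
 * 0 when it would wrap. A wrapped product is how an attacker-chosen element count
 * turns into a too-small pool block that is later overrun. */
int ComputeSizeChecked(SIZE_T count, SIZE_T elem_size, SIZE_T *total)
{
    if (count == 0 || elem_size == 0) return 0;
    if (count > SIZE_MAX / elem_size) return 0;   /* count * elem_size > SIZE_MAX */
    *total = count * elem_size;
    return 1;
}

/* Allocates a zero-filled array from non-paged, non-executable pool.
 * Returns NULL when the size does not fit or the pool is exhausted. */
PVOID AllocateArrayChecked(SIZE_T count, SIZE_T elem_size)
{
    SIZE_T total;
    PVOID buffer;
    if (!ComputeSizeChecked(count, elem_size, &total)) return NULL;
    buffer = ExAllocatePoolWithTag(NonPagedPoolNx, total, DEMO_POOL_TAG);
    if (buffer != NULL) RtlZeroMemory(buffer, total);   /* never hand out stale pool contents */
    return buffer;
}

void FreeArray(PVOID buffer)
{
    if (buffer != NULL) ExFreePoolWithTag(buffer, DEMO_POOL_TAG);
}

/* Verification helper: 1 if every byte of buf[0..len) is zero. */
int IsZeroed(const unsigned char *buf, SIZE_T len)
{
    SIZE_T i;
    for (i = 0; i < len; i++) if (buf[i] != 0) return 0;
    return 1;
}
```

The rejection case to remember is `count = SIZE_MAX / 2 + 1` with `elem_size = 4`: the unchecked product is exactly 0, so the allocation would succeed with a zero-byte block while the caller believes it owns a large array. In a WDK build, `RtlSizeTMult` from ntintsafe.h is the stock way to get the same check.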
Synchronization Primitives
- KeInitializeEvent / KeSetEvent / KeResetEvent – Events.
- KeInitializeMutex / KeWaitForSingleObject / KeReleaseMutex – Kernel mutexes.
- KeInitializeSpinLock / KfAcquireSpinLock / KfReleaseSpinLock – Spin locks.
- RtlInitializeSRWLock / RtlAcquireSRWLockExclusive – Slim reader/writer locks.
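The spin lock entries above carry an IRQL contract that the names alone do not show: acquiring raises the processor to DISPATCH_LEVEL, so the protected region must not touch paged memory, run pageable code, or block (KeWaitForSingleObject is only allowed with a zero timeout there), and the lock must be released on every path with the saved IRQL. The following is an added example, not code from the original page: a spin-lock-protected work queue. When built with the WDK (`_KERNEL_MODE` defined) it uses the real KeAcquireSpinLock/KeReleaseSpinLock, which on x86 are the macros over the KfAcquireSpinLock/KfReleaseSpinLock listed above; on other toolchains a constructed single-threaded shim tracks the current IRQL so the contract can be observed. `WORK_QUEUE`, `QUEUE_CAPACITY` and the function names are assumptions for the example.

```c
/*
 * Added example: spin-lock-protected queue and the IRQL it runs at.
 * Not from the original page. Kernel build: real APIs; host build: shim below.
 */
#ifdef _KERNEL_MODE
#include <ntddk.h>
#else
#include <stddef.h>
typedef unsigned char KIRQL, *PKIRQL;
typedef unsigned long KSPIN_LOCK, *PKSPIN_LOCK;        /* shim; real type is ULONG_PTR */
#define PASSIVE_LEVEL  0
#define DISPATCH_LEVEL 2
static KIRQL g_CurrentIrql = PASSIVE_LEVEL;           /* shim: this processor's IRQL */
static KIRQL KeGetCurrentIrql(void) { return g_CurrentIrql; }
static void KeInitializeSpinLock(PKSPIN_LOCK lock) { *lock = 0; }
/* Shim of the real contract: acquire raises to DISPATCH_LEVEL and hands back the
 * previous IRQL; release restores exactly that IRQL. */
static void KeAcquireSpinLock(PKSPIN_LOCK lock, PKIRQL oldIrql)
{ *oldIrql = g_CurrentIrql; g_CurrentIrql = DISPATCH_LEVEL; *lock = 1; }
static void KeReleaseSpinLock(PKSPIN_LOCK lock, KIRQL oldIrql)
{ *lock = 0; g_CurrentIrql = oldIrql; }
#endif

#define QUEUE_CAPACITY 8

typedef struct _WORK_QUEUE {
    KSPIN_LOCK    Lock;
    unsigned long Items[QUEUE_CAPACITY];   /* must live in non-paged memory */
    unsigned int  Head;
    unsigned int  Count;
    KIRQL         IrqlSeenInsideLock;      /* recorded to show the level inside the lock */
} WORK_QUEUE;

void InitializeWorkQueue(WORK_QUEUE *q)
{
    KeInitializeSpinLock(&q->Lock);
    q->Head = 0;
    q->Count = 0;
    q->IrqlSeenInsideLock = PASSIVE_LEVEL;
}

/* Returns 1 on success, 0 if the queue is full. Everything between acquire and
 * release runs at DISPATCH_LEVEL: fixed-size buffer, no paged data, no waits,
 * and a single exit so the lock is always released with the saved IRQL. */
int EnqueueItem(WORK_QUEUE *q, unsigned long item)
{
    KIRQL oldIrql;
    int ok = 0;
    KeAcquireSpinLock(&q->Lock, &oldIrql);
    q->IrqlSeenInsideLock = KeGetCurrentIrql();
    if (q->Count < QUEUE_CAPACITY) {
        q->Items[(q->Head + q->Count) % QUEUE_CAPACITY] = item;
        q->Count++;
        ok = 1;
    }
    KeReleaseSpinLock(&q->Lock, oldIrql);
    return ok;
}

/* Returns 1 and stores the oldest item in *item, or 0 if the queue is empty. */
int DequeueItem(WORK_QUEUE *q, unsigned long *item)
{
    KIRQL oldIrql;
    int ok = 0;
    KeAcquireSpinLock(&q->Lock, &oldIrql);
    if (q->Count > 0) {
        *item = q->Items[q->Head];
        q->Head = (q->Head + 1) % QUEUE_CAPACITY;
        q->Count--;
        ok = 1;
    }
    KeReleaseSpinLock(&q->Lock, oldIrql);
    return ok;
}
```

The bounded capacity is deliberate: a queue that allocates while holding the lock would have to use non-paged pool and still could not wait for memory, so sizing the structure up front keeps the critical section free of anything that can fault or block. Driver Verifier's IRQL checking flags exactly the violations this layout avoids.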
IRQL & Interrupts
- KeRaiseIrql – Raise the current IRQL.
- KeLowerIrql – Lower the current IRQL.
- IoConnectInterruptEx – Register an interrupt service routine.
- KeSynchronizeExecution – Execute a routine at DISPATCH_LEVEL.
Device I/O
- IoCreateDevice – Create a device object.
- IoDeleteDevice – Delete a device object.
- IoCreateSymbolicLink – Create a symbolic link for user‑mode access.
- IoGetDeviceProperty – Retrieve device properties.
Debugging & Diagnostics
- DbgPrint – Output debug text to the debugger.
- KeBugCheckEx – Trigger a bug check (blue screen).
- RtlAssert – Runtime assertion.
- WPP tracing – Event tracing for Windows.