What is the difference between NtCreateProcess and ZwCreateProcess?

About

Asked 6/11, 2010 at 22:42 Answered 16/4, 2012 at 20:53

Solved windows winapi createprocess kernel-mode ntdll

What is the difference between NtCreateProcess and ZwCreateProcess? In ntdll.dll, both NtCreateProcess and ZwCreateProcess point to exactly the same address

Smarmy answered 6/11, 2010 at 22:42 Comment(0)

In user-mode the groups of Nt and Zw APIs are identical. In kernel mode they are different. The Nt API contains the actual implementation. The Zw API uses a system-call mechanism and ensures that it is calling in kernel-mode and that there is no need to check the parameters if they contain user-mode addresses. Otherwise you could use the API from user-mode with kernel parameters which would not be good. So it is just a safety mechanism.

Tatting answered 21/1, 2011 at 17:15 Comment(2)

Does "kernel mode" also include processes running with System integrity level? – Fabrice 18/12, 2017 at 19:22

@Fabrice no it does not – Lately 25/11, 2021 at 8:53

Aside from the already given answer (which I don't want to parrot), in my opinion the best answer can be found on OSR Online: here.

Alternatively you can read books on the Native API, such as the one from Gary Nebbett called "Windows NT/2000 Native API Reference", he devotes some space to this very question, or you can use WinDbg (pronounced as "wind-bag") yourself.

Lately answered 16/4, 2012 at 20:53 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags