
Thread: What is the difference between CreateFile, NtCreateFile and ZwCreateFile?

  1. #1
    Junior Member
    Join Date
    Dec 2011
    Posts
    1

    Question What is the difference between CreateFile, NtCreateFile and ZwCreateFile?

    Hi All,

    I have seen some code examples where they use NtCreateFile or ZwCreateFile, but I am not too clear on the reason for it. I was hoping someone can give me some insight on these Win32 API functions.

    Thanks!

  2. #2
    Junior Member
    Join Date
    Dec 2011
    Posts
    7
    CreateFile - Documented public Win API used in user mode. CreateFile does some initialization and then calls NtCreateFile.
    NtCreateFile - Undocumented Windows internal API that is used in user mode. Note that some internal APIs are documented.
    ZwCreateFile - Windows API to be called from kernel mode (e.g. device drivers).

    Note: NtCreateFile and ZwCreateFile are identical when calling from user mode. However, when calling from kernel mode, ZwCreateFile sets the previous mode to kernel mode before calling the create file function. This gives ZwCreateFile kernel mode access, whereas the Nt version gets user mode access.

    Basically the difference between Zw and Nt in kernel mode is that the Zw prefix functions set the previous mode to kernel mode and the Nt prefix functions leave it unchanged. The previous mode is used in parameter validation to determine if the function is called from user mode or kernel mode.

    Take a look at these links:
    http://www.osronline.com/article.cfm?article=257
    http://msdn.microsoft.com/en-us/libr...=vs.85%29.aspx
    http://msdn.microsoft.com/en-us/libr...=vs.85%29.aspx
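
Added example, not part of either post: a simplified C model of the previous-mode check described in the answer above, showing why a driver's Nt and Zw calls can return different results for the same pointer. The `model_*` and `driver_*` functions, the address boundary and the sample addresses are constructed for illustration and are not Windows source; only the two status codes are real NTSTATUS values.

```c
/* Simplified model (not Windows source): how PreviousMode steers parameter validation. */
#include <stdint.h>
#include <stdio.h>

typedef enum { KernelMode = 0, UserMode = 1 } MODE;
#define STATUS_SUCCESS          0x00000000u
#define STATUS_ACCESS_VIOLATION 0xC0000005u

/* Constructed boundary: addresses at or above this count as kernel addresses here. */
#define MODEL_USER_LIMIT 0x0000800000000000ull

static MODE g_previous_mode = UserMode;   /* stands in for the per-thread PreviousMode */

/* Model of the Nt routine: it probes caller pointers only when PreviousMode is UserMode. */
uint32_t model_NtCreateFile(uint64_t object_attributes_ptr)
{
    if (g_previous_mode == UserMode && object_attributes_ptr >= MODEL_USER_LIMIT)
        return STATUS_ACCESS_VIOLATION;   /* kernel address from a "user" caller is refused */
    return STATUS_SUCCESS;                /* KernelMode: parameters are trusted as given */
}

/* Model of the Zw entry point as called from a driver: set KernelMode, call Nt, restore. */
uint32_t model_ZwCreateFile(uint64_t object_attributes_ptr)
{
    MODE saved = g_previous_mode;
    g_previous_mode = KernelMode;
    uint32_t status = model_NtCreateFile(object_attributes_ptr);
    g_previous_mode = saved;
    return status;
}

/* A driver servicing a request on a user-mode thread, so PreviousMode starts as UserMode. */
uint32_t driver_calls_nt(uint64_t p) { g_previous_mode = UserMode; return model_NtCreateFile(p); }
uint32_t driver_calls_zw(uint64_t p) { g_previous_mode = UserMode; return model_ZwCreateFile(p); }

int main(void)
{
    uint64_t kernel_buf = 0xFFFF800000001000ull;  /* constructed driver-owned address */
    uint64_t user_buf   = 0x0000000000401000ull;  /* constructed user-mode address */
    printf("Nt, kernel buffer: 0x%08X\n", (unsigned)driver_calls_nt(kernel_buf));
    printf("Zw, kernel buffer: 0x%08X\n", (unsigned)driver_calls_zw(kernel_buf));
    printf("Nt, user buffer:   0x%08X\n", (unsigned)driver_calls_nt(user_buf));
    printf("Zw, user buffer:   0x%08X\n", (unsigned)driver_calls_zw(user_buf));
    return 0;
}
```

In the model the Zw path accepts any pointer it is handed, which is why a driver that forwards a user-supplied pointer through a Zw call has to validate that pointer itself first.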
