Windows library files
Like most modern operating systems, Microsoft Windows supports shared libraries, collections of code which can be used by multiple processes while only being loaded once into memory. Windows terms its shared libraries dynamic-link libraries (DLLs).

Most core Windows functionality is contained within Native Applications and a set of DLLs, which together implement the various subsystems under which code can run (Win32, Microsoft Windows Services for UNIX (SUA), Virtual DOS machine, etc.).
Each subsystem defines and implements a large number of functions, or application programming interfaces (APIs),
which programs running under the subsystems can call.
These APIs are exported by, and in many cases implemented in,
one or more DLLs specific to the subsystem.

Many other DLLs exist within Windows as components of specific programs or services that are provided with the operating system, and
third-party programs or services added to the system can come with DLLs of their own as well.
These are not considered library files, as they are not (in general) callable by other applications, and are not discussed here.

Internal components

The library files in this section are not used directly by most programs; however, they do help implement functions in other libraries that are so used.

Hal.dll

Hal.dll is Windows' Hardware Abstraction Layer, or HAL.
The HAL implements a number of functions that are implemented in different ways by
different hardware platforms, which in this context refers mostly to the chipset.
Other components in the operating system can then call these functions in the same way on all
platforms, without regard for the actual implementation.
For example, responding to an interrupt is quite different on a machine with an
Advanced Programmable Interrupt Controller (APIC) than on one without.
The HAL abstracts such differences so that nothing outside the HAL need be concerned with them.

The HAL is loaded into kernel address space and runs in kernel mode,
so routines in the HAL cannot be called directly by applications,
and no user mode APIs correspond directly to HAL routines.
Instead the HAL provides services primarily to the Windows executive and kernel and
to kernel mode device drivers.
Although drivers for most hardware are contained in other files, commonly of file type .sys,
a few core drivers are compiled into Hal.dll.

Kernel mode device drivers for devices on buses such as PCI and PCI Express directly call routines in the HAL to access I/O ports and registers of their devices.
The drivers use HAL routines because different platforms may require different implementations
of these operations.
The HAL implements the operations appropriately for each platform,
so the same driver executable file can be used on all platforms using the same CPU architecture,
and the driver source file can be portable across all architectures.

On x86 systems there are several different HAL files on the installation media.
The Windows installation procedure determines which one is appropriate for the current platform
and copies it to the hard drive, renaming it to Hal.dll if necessary.
Among the criteria for this selection are the presence of an ACPI-compatible BIOS,
the presence of an APIC, and
whether or not multiple processors are present and enabled.
(The multiple cores of a multi-core CPU, and even the "logical processors" implemented by a
hyperthreading CPU, all count as "processors" for this purpose.)
On x86-64 and Itanium platforms there is just one possible Hal.dll for each CPU architecture.

Ntdll.dll

Ntdll.dll exports the Windows Native API.
The Native API is the interface used by user-mode components of the operating system that must run without support
from Win32 or other API subsystems.
Most of this API is implemented in ntdll.dll and at the upper edge of ntoskrnl.exe (and its variants); the majority of exported symbols within these libraries are prefixed Nt, e.g., NtDisplayString. Native APIs are also used to implement many of the "kernel APIs" or "base APIs" exported by Kernel32.dll.

Applications that are linked directly against this library are known as native applications;
the primary reason for their existence is to perform tasks that must run early in the system startup sequence before the Win32 subsystem is available. An obvious but important example is the creation of the Win32 subsystem process, csrss.exe.
Before the csrss.exe process exists, no Win32 processes may be created, therefore the process that creates it (Smss.exe, the "session manager") must be a native application. csrss.exe is itself a native application.

Despite having a ".exe" file extension, native applications cannot be executed by the user (or any program in the Win32 or other subsystems). An example is the autochk.exe binary that runs chkdsk during the system initialization "Blue Screen". Other prominent examples are the services that implement the various subsystems, such as csrss.exe.

Unlike Win32 applications, native applications instantiate within the Kernel runtime code (ntoskrnl.exe) and so they must have a different entry point (NtProcessStartup, rather than (w)(Win)MainCRTStartup as is found in a Win32 application), obtain their command-line arguments via a pointer to an in-memory structure, manage their own memory using the Rtl heap API, and return execution with a call to NtTerminateProcess (as opposed to ExitProcess). A common library linked with Native applications is nt.lib, which contains startup code for Native applications, similar to how the C runtime provides startup code for Win32 apps.

Though most of the API is undocumented, Native Applications can be built using the Windows Driver Development Kit; many antivirus and other utility software vendors incorporate Native Applications within their products, usually to perform some boot-time task that cannot be carried out in userspace.
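
An added example, not part of the original article: on disk, a native application is marked by the Subsystem field of its PE optional header (value 1, IMAGE_SUBSYSTEM_NATIVE), which lets an analyst tell it apart from a Win32 program without running it. The function names pe_subsystem and make_sample are hypothetical, and the sample images are constructed header-only stubs, not real binaries.

```python
import struct

# IMAGE_OPTIONAL_HEADER.Subsystem values defined by the PE/COFF format.
SUBSYSTEMS = {1: "native", 2: "windows-gui", 3: "windows-cui", 7: "posix-cui"}
SUBSYSTEM_OFFSET = 68  # identical in PE32 and PE32+ optional headers


def pe_subsystem(image: bytes) -> str:
    """Return the subsystem recorded in a PE image's optional header."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    opt_off = pe_off + 4 + 20  # skip the PE signature and 20-byte COFF header
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    if len(image) < opt_off + SUBSYSTEM_OFFSET + 2:
        raise ValueError("image truncated before Subsystem field")
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 4 + 16)
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if magic not in (0x10B, 0x20B) or opt_size < SUBSYSTEM_OFFSET + 2:
        raise ValueError("unexpected optional header")
    (value,) = struct.unpack_from("<H", image, opt_off + SUBSYSTEM_OFFSET)
    return SUBSYSTEMS.get(value, f"other({value})")


def make_sample(subsystem: int, magic: int = 0x20B) -> bytes:
    """Build a constructed, header-only PE stub (sample input, not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # PE header follows the DOS header
    coff = bytearray(20)
    struct.pack_into("<H", coff, 16, 0xF0)  # SizeOfOptionalHeader
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, magic)  # 0x10B = PE32, 0x20B = PE32+
    struct.pack_into("<H", opt, SUBSYSTEM_OFFSET, subsystem)
    return bytes(dos) + b"PE\0\0" + bytes(coff) + bytes(opt)


if __name__ == "__main__":
    for label, value in (("smss-like", 1), ("gui-app", 2), ("console-app", 3)):
        print(label, pe_subsystem(make_sample(value)))
```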

It is possible, though both unsupported and unusual, for ordinary Windows programs to call functions from Ntdll.dll directly, bypassing the Win32 client libraries. Occasionally this is done to use a native API function that has no Win32 equivalent.

Kernel32.dll

Kernel32.dll exposes to applications most of the Win32 base APIs, such as memory management, input/output operations, process and thread creation, and synchronization functions. Many of these are implemented within Kernel32.dll by calling corresponding functions in the native API, exposed by Ntdll.dll.

Gdi32.dll

Gdi32.dll exports Graphics Device Interface (GDI) functions that perform primitive drawing functions for output to video displays and printers.
Applications call GDI functions directly to perform low-level drawing, text output, font management, and similar functions.

User32.dll

user32.dll implements the Windows USER component that creates and manipulates the standard elements of the Windows user interface, such as the desktop, windows, and menus.
It thus enables programs to implement a graphical user interface that matches the Windows
look and feel.
Programs call functions from Windows USER to perform operations such as
creating and managing windows,
receiving window messages (which are mostly user input such as mouse and keyboard events, but also notifications from the operating system),
displaying text in a window, and displaying message boxes.

Many of the functions in User32.dll call upon GDI functions exported by Gdi32.dll to do the actual rendering of the various elements of the user interface.
Some types of programs will also call GDI functions directly to perform lower-level drawing operations within a window previously created via User32 functions.

Comctl32.dll

comctl32.dll implements a wide variety of standard Windows controls, such as File Open, Save, and Save As dialogs, progress bars, and list views.
It calls functions from both User32.dll and Gdi32.dll to create and manage the windows for these UI elements, place various graphic elements within them, and collect user input.

Msvcrt.dll and variants

Msvcrt.dll is the Microsoft Visual C++ Run-Time for Visual C++ version 4.2 to 6.0. It provides programs compiled with these versions of Visual C++ a typical set of library functions required by C and C++ programs. These include string manipulation, memory allocation, C-style input/output calls, etc.

It has also shipped with Windows versions since Windows 2000 for use by other Windows components. In older versions of Windows, programs which linked against Msvcrt.dll were expected to install a compatible copy in the System32 folder, but this contributed to DLL Hell.

Versions of Visual C++ before 4.0 and since 7.0 have used differently named DLLs for each version (msvcr20.dll, msvcr70.dll, msvcr71.dll, etc.). Applications are required to install the appropriate version.

Shscrap.dll

shscrap.dll is part of the Object Linking and Embedding (OLE) mechanism.
It implements support for shell scrap files.
These are automatically created when you drag selected content from an OLE-capable application into an Explorer window (or onto the Desktop), but you can also use the Object Packager to create them.
They can then be dragged into another OLE-capable application.
Scrap (.shs) files are sometimes used by viruses because they can contain a wide variety of files (including executable code), and the file extension is not shown even when "Hide file extensions from known file types" is disabled.
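
An added example, not part of the original article: a triage check for file or attachment names whose real .shs extension would never be displayed, so that a name such as "Invoice.DOC.SHS" appears as a document. The set of document-like extensions and the sample names are assumptions constructed for the example; the always-hidden set contains only .shs, as stated above.

```python
import ntpath

# Extensions the shell never displays, whatever the folder options say.
# ".shs" comes from the text above; extend the set to match local policy.
ALWAYS_HIDDEN = {".shs"}
# Extensions a user reads as harmless documents (assumption for this example).
BENIGN_LOOKING = {".txt", ".doc", ".jpg", ".pdf", ".gif"}


def displayed_name(filename: str) -> str:
    """Name as shown with 'Hide file extensions' disabled."""
    base = ntpath.basename(filename)
    stem, ext = ntpath.splitext(base)
    return stem if ext.lower() in ALWAYS_HIDDEN else base


def triage(filenames):
    """Return (filename, displayed, reason) for names whose real type is hidden."""
    findings = []
    for name in filenames:
        shown = displayed_name(name)
        if shown == ntpath.basename(name):
            continue  # the real extension is visible, nothing is concealed
        _, apparent_ext = ntpath.splitext(shown)
        if apparent_ext.lower() in BENIGN_LOOKING:
            reason = "hidden extension behind a document-like name"
        else:
            reason = "extension is never displayed"
        findings.append((name, shown, reason))
    return findings


# Constructed names, not taken from any real incident.
SAMPLE = ["minutes.txt", "Invoice.DOC.SHS", r"C:\inbox\notes.shs", "setup.exe"]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```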

See also

  • Architecture of Windows NT
  • Windows NT startup process
  • List of Microsoft Windows components
  • Windows API
  • Dynamic link library

The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.
 