Microsoft Windows library files

Last updated

The Microsoft Windows operating system supports a form of shared libraries known as "dynamic-link libraries", which are code libraries that can be used by multiple processes while only one copy is loaded into memory. This article provides an overview of the core libraries that are included with every modern Windows installation, on top of which most Windows applications are built.

Contents

Internal components

HAL.DLL is a kernel-mode library file and it cannot be used by any user-mode program. NTDLL.DLL is only used by some programs, but it is a dependency of most Win32 libraries used by programs.

HAL.DLL

The Hardware Abstraction Layer in the architecture of Windows NT Windows 2000 architecture.svg
The Hardware Abstraction Layer in the architecture of Windows NT

The Windows Hardware Abstraction Layer (HAL) is implemented in hal.dll. [1] The HAL implements a number of functions that are implemented in different ways by different hardware platforms, which in this context, refers mostly to the chipset. Other components in the operating system can then call these functions in the same way on all platforms, without regard for the actual implementation.

For example, responding to an interrupt is quite different on a machine with an Advanced Programmable Interrupt Controller (APIC) than on one without. The HAL provides a single function for this purpose that works with all kinds of interrupts by various chipsets, so that other components need not be concerned with the differences.

The HAL is loaded into kernel address space and runs in kernel mode, so routines in the HAL cannot be called directly by applications, and no user mode APIs correspond directly to HAL routines. Instead, the HAL provides services primarily to the Windows executive and kernel and to kernel mode device drivers. Although drivers for most hardware are contained in other files, commonly of file type .sys, a few core drivers are compiled into hal.dll.

Kernel mode device drivers for devices on buses such as PCI and PCI Express directly call routines in the HAL to access I/O ports and registers of their devices. The drivers use HAL routines because different platforms may require different implementations of these operations. The HAL implements the operations appropriately for each platform, so the same driver executable file can be used on all platforms using the same CPU architecture, and the driver source file can be portable across all architectures.

On x86 systems prior to Windows 8, there are several different HAL files on the installation media. The Windows installation procedure determines which ones are appropriate for the current platform and copies it to the hard drive, renaming it to hal.dll if necessary. Among the criteria for this selection are: the presence of an ACPI-compatible BIOS, the presence of an APIC, and whether or not multiple processors are present and enabled. (The multiple cores of a multi-core CPU, and even the "logical processors" implemented by a hyperthreading CPU, all count as "processors" for this purpose.) On x86-64 and Itanium platforms there is just one possible hal.dll for each CPU architecture. On Windows 8 and later, the x86 version also only has one HAL.

HAL is merged (or statically linked) into ntoskrnl.exe [2] starting with version 2004 of Windows 10, and the dll only serves as a stub for backwards compatibility.

NTDLL.DLL

NTDLL.DLL exports the Windows Native API. The Native API is the interface used by user-mode components of the operating system that must run without support from Win32 or other API subsystems. Most of this API is implemented in NTDLL.DLL and at the upper edge of ntoskrnl.exe (and its variants), and the majority of exported symbols within these libraries are prefixed Nt, for example NtDisplayString. Native APIs are also used to implement many of the "kernel APIs" or "base APIs" exported by KERNEL32.DLL. [3] [4] [5] The large majority of Windows applications do not call NTDLL.DLL directly. [6]

Applications that are linked directly against this library are said to use the native subsystem; the primary reason for their existence is to perform tasks that must run early in the system startup sequence before the Win32 subsystem is available. An obvious but important example is the creation of the Win32 subsystem process, csrss.exe. Before the csrss.exe process exists, no Win32 processes may be created, therefore the process that creates it (Smss.exe, the "session manager") must use the native subsystem. csrss.exe itself is such an application.

Despite having an ".exe" file extension, native applications cannot be executed by the user (or any program in the Win32 or other subsystems). An example is the autochk.exe binary that runs chkdsk during the system initialization "Blue Screen". Other prominent examples are the services that implement the various subsystems, such as csrss.exe.

Unlike Win32 applications, native applications instantiate within the Kernel runtime code (ntoskrnl.exe) and so they must have a different entry point (NtProcessStartup, rather than (w)(Win)MainCRTStartup as is found in a Win32 application), [4] obtain their command-line arguments via a pointer to an in-memory structure, manage their own memory using the Rtl heap API, (which the Win32 heap APIs are just wrappers around—no real difference there) and return execution with a call to RtlExitUserProcess (as opposed to ExitProcess). A common library linked with Native applications is nt.lib, which contains startup code for Native applications, similar to how the C runtime provides startup code for Win32 apps. [7]

Though most of the API is undocumented, Native Applications can be built using the Windows Driver Development Kit; many antivirus software and other utility software vendors incorporate Native Applications within their products, usually to perform some boot-time task that cannot be carried out in userspace.[ citation needed ]

Win32 API

The libraries in this section each implement various subsets of the Win32 API.

KERNEL32.DLL

KERNEL32.DLL exposes to applications most of the Win32 base APIs, such as memory management, input/output (I/O) operations, process and thread creation, and synchronization functions. [8]

GDI32.DLL

GDI32.DLL exports Graphics Device Interface (GDI) functions that perform primitive drawing functions for output to video displays and printers. It is used, for example, in the XP version of Paint. Applications call GDI functions directly to perform low-level drawing (line, rectangle, ellipse), text output, font management, and similar functions. [8] [9]

Initially, GDI supported 16 and 256 color EGA/VGA display cards and monochrome printers. The functionality has expanded over the years, and now includes support for things like TrueType fonts, alpha channels, and multiple monitors. [10]

USER32.DLL

USER32.DLL implements the Windows USER component that creates and manipulates the standard elements of the Windows user interface, such as the desktop, windows, and menus. It thus enables programs to implement a graphical user interface (GUI) that matches the Windows look and feel. Programs call functions from Windows USER to perform operations such as creating and managing windows, receiving window messages (which are mostly user input such as mouse and keyboard events, but also notifications from the operating system), displaying text in a window, and displaying message boxes.

Many of the functions in USER32.DLL call upon GDI functions exported by GDI32.DLL to do the actual rendering of the various elements of the user interface. Some types of programs will also call GDI functions directly to perform lower-level drawing operations within a window previously created via USER32 functions.

COMCTL32.DLL

COMCTL32.DLL implements a wide variety of standard Windows controls, such as File Open, Save, and Save As dialogs, progress bars, and list views. It calls functions from both USER32.DLL and GDI32.DLL to create and manage the windows for these UI elements, place various graphic elements within them, and collect user input.

COMDLG32.DLL

COMDLG32.DLL, the Common Dialog Box Library, implements a wide variety of Windows dialog boxes intended to perform what Microsoft deems 'common application tasks'. Starting with the release of Windows Vista, Microsoft considers the "Open" and "Save as" dialog boxes provided by this library as deprecated and replaced by the 'Common Item Dialog API'. [11]

WS2_32.DLL

WS2_32.DLL implements the Winsock API, which provides TCP/IP networking functions and provides partial, broken compatibility with other network APIs. wsock.dll and wsock32.dll are older versions for Win3.11 and Win95 compatibility.

ADVAPI32.DLL

ADVAPI32.DLL, the Advanced Windows 32 Base API DLL, [12] provides security calls and functions for manipulating the Windows Registry.

NETAPI32.DLL

NETAPI32.DLL provides functions for querying and managing network interfaces.

OLE32.DLL

OLE32.DLL provides the Component Object Model, as well as Object Linking and Embedding.

Other APIs

SHSCRAP.DLL

SHSCRAP.DLL is part of the Object Linking and Embedding (OLE) mechanism. It implements support for shell scrap files, which are automatically created when you drag selected content from an OLE-capable application into an Explorer window or desktop, [13] but you can also use the Object Packager to create them. They can then be dragged into another OLE-capable application.

This functionality was removed from Windows Vista (and therefore later versions) to improve security and rid the operating system of generally unused functionality. [14] Scrap (.shs) files have been used by viruses because they can contain a wide variety of files (including executable code), and the file extension is not shown even when "Hide file extensions from known file types" is disabled. [15] The functionality can be restored by copying registry entries and the DLL from a Windows XP system. [16]

WINMM.DLL

WINMM.DLL provides access to the original WinMM audio API.

IMM32.DLL

IMM32 is responsible for invoking and interacting with the Input Method Editor.

Runtime libraries

MSVCRT.DLL, MSVCP*.DLL and CRTDLL.DLL

MSVCRT.DLL is the C standard library for the Visual C++ (MSVC) compiler from version 4.2 to 6.0. It provides programs compiled by these versions of MSVC with most of the standard C library functions. These include string manipulation, memory allocation, C-style input/output calls, and others. MSVCP*.DLL is the corresponding C++ library.

It has shipped with Windows versions since Windows 95 OSR2.5 for use by other Windows components; earlier versions shipped with the CRTDLL.DLL library instead. In older versions of Windows, programs which linked against MSVCRT.DLL were expected to install a compatible copy in the System32 folder, but this contributed to DLL Hell because many installers failed to check the library version against the installed version before replacing it.

Versions of MSVC before 4.0 and from 7.0 to 12.0 used differently named DLLs for each version (MSVCR20.DLL, MSVCR70.DLL, MSVCR71.DLL, MSVCP110.DLL, etc.). Applications are required to install the appropriate version, [17] and Microsoft offers Visual C++ Redistributable packages for this purpose, though Windows typically comes with one version already installed.

This runtime library is used by programs written in Visual C++ and a few other compilers (e.g. MinGW). Some compilers have their own runtime libraries.

With Version 14.0 (Visual Studio 2015), most of the C/C++ runtime was moved into a new DLL, UCRTBASE.DLL, which conforms closely with C99. Universal C Run Time (UCRT) from Windows 10 onwards become a component part of Windows, so every compiler (either non MS, like GCC or Clang/LLVM) can link against UCRT. Additionally, C/C++ programs using UCRTBASE.DLL need to link against another new DLL, the Visual C++ Runtime. At Version 14.0, this was VCRUNTIME140.DLL. [18] The name has the potential to change at future versions, but has not done so as far as of Version 17.0.

Source code for runtime libraries is included in Visual C++ [19] for reference and debugging (e.g. in C:\Program Files\Microsoft Visual Studio 11.0\VC\crt\src).

Other runtime libraries

.NET Framework libraries

Programs written in C#, Visual Basic.NET, C++/CLI and other .NET languages require the .NET Framework. It has many libraries (one of them is mscorlib.dll  Multilanguage Standard Common Object Runtime Library, formerly Microsoft Common Object Runtime Library [20] ) and so-called assemblies (e.g. System.Windows.Forms.dll).

See also

Related Research Articles

<span class="mw-page-title-main">Wine (software)</span> Windows compatibility software

Wine is a free and open-source compatibility layer to allow application software and computer games developed for Microsoft Windows to run on Unix-like operating systems. Developers can compile Windows applications against WineLib to help port them to Unix-like systems. Wine is predominantly written using black-box testing reverse-engineering, to avoid copyright issues. No code emulation or virtualization occurs. Wine is primarily developed for Linux and macOS.

<span class="mw-page-title-main">Windows API</span> Microsofts core set of application programming interfaces on Windows

The Windows API, informally WinAPI, is the foundational application programming interface (API) that allows a computer program to access the features of the Microsoft Windows operating system in which the program is running. Programs access API functionality via dynamic-link library (DLL) technology.

Win32s is a 32-bit application runtime environment for the Microsoft Windows 3.1 and 3.11 operating systems. It allowed some 32-bit applications to run on the 16-bit operating system using call thunks. A beta version of Win32s was available in October 1992. Version 1.10 was released in July 1993 simultaneously with Windows NT 3.1.

<span class="mw-page-title-main">Phar Lap Software</span> Software company

Phar Lap Software, Inc., was a software company specializing in software development tools for DOS operating systems. The company was named after the champion New Zealand racehorse Phar Lap. They were most noted for their software allowing developers to access memory beyond the 640 KiB limit of DOS and were an author of the VCPI standard.

Windows USER is a component of the Microsoft Windows operating system that provides core functionality for building simple user interfaces. The component has existed in all versions of Windows, and includes functionality for window management, message passing, input processing and standard controls.

<span class="mw-page-title-main">Architecture of Windows NT</span> Structure of the operating system

The architecture of Windows NT, a line of operating systems produced and sold by Microsoft, is a layered design that consists of two main components, user mode and kernel mode. It is a preemptive, reentrant multitasking operating system, which has been designed to work with uniprocessor and symmetrical multiprocessor (SMP)-based computers. To process input/output (I/O) requests, it uses packet-driven I/O, which utilizes I/O request packets (IRPs) and asynchronous I/O. Starting with Windows XP, Microsoft began making 64-bit versions of Windows available; before this, there were only 32-bit versions of these operating systems.

A dynamic-link library (DLL) is a shared library in the Microsoft Windows or OS/2 operating system.

The Native API is a lightweight application programming interface (API) used by Windows NT's kernel and user mode applications. This API is used in the early stages of Windows NT startup process, when other components and APIs are still unavailable. Therefore, a few Windows components, such as the Client/Server Runtime Subsystem (CSRSS), are implemented using the Native API. The Native API is also used by subroutines such as those in kernel32.dll that implement the Windows API, the API based on which most of the Windows components are created.

ntoskrnl.exe, also known as the kernel image, contains the kernel and executive layers of the Microsoft Windows NT kernel, and is responsible for hardware abstraction, process handling, and memory management. In addition to the kernel and executive layers, it contains the cache manager, security reference monitor, memory manager, scheduler (Dispatcher), and blue screen of death.

A hybrid kernel is an operating system kernel whose architecture attempts to combine aspects and benefits of microkernel and monolithic kernel architectures used in operating systems.

The Session Manager Subsystem, or smss.exe, is a component of the Microsoft Windows NT family of operating systems, starting in Windows NT 3.1. It is executed during the startup process of those operating systems.

The Microsoft Windows family of operating systems employ some specific exception handling mechanisms.

The Client/Server Runtime Subsystem, or csrss.exe, is a component of the Windows NT family of operating systems that provides the user mode side of the Win32 subsystem. In modern versions of Windows, it is primarily involved with process and thread management, console window handling, side-by-side assembly loading and the shutdown process. Historically, it had also been responsible for window management and graphics rendering, however, these operations have been moved to kernel mode starting with Windows NT 4.0 to improve performance.

windows.h is a source code header file that Microsoft provides for the development of programs that access the Windows API (WinAPI) via C language syntax. It declares the WinAPI functions, associated data types and common macros.

The booting process of Microsoft Windows varies between different releases.

XBLite is a free open-source BASIC programming language compiler and development system. It was started in 2001 by David Szafranski in order to provide a Windows exclusive version of the XBasic dialect. XBLite is released under the GNU GPL licensing scheme, Standard libraries are released under the GNU LGPL licensing scheme.

<span class="mw-page-title-main">Microsoft POSIX subsystem</span> Subsystem shipped with the first versions of Windows NT

Microsoft POSIX subsystem is one of four subsystems shipped with the first versions of Windows NT, the other three being the Win32 subsystem which provided the primary API for Windows NT, plus the OS/2 and security subsystems.

<span class="mw-page-title-main">Architecture of Windows 9x</span>

The Windows 9x series of operating systems refers to a series of Microsoft Windows operating systems produced from 1995 to 2000. They are based on the Windows 95 kernel which is a monolithic kernel. The basic code is similar in function to MS-DOS. They are 16-/32-bit hybrids and require support from MS-DOS to operate.

In computing the Process Environment Block is a data structure in the Windows NT operating system family. It is an opaque data structure that is used by the operating system internally, most of whose fields are not intended for use by anything other than the operating system. Microsoft notes, in its MSDN Library documentation — which documents only a few of the fields — that the structure "may be altered in future versions of Windows". The PEB contains data structures that apply across a whole process, including global context, startup parameters, data structures for the program image loader, the program image base address, and synchronization objects used to provide mutual exclusion for process-wide data structures.

Mingw-w64 is a free and open-source suite of development tools that generate Portable Executable (PE) binaries for Microsoft Windows. It was forked in 2005–2010 from MinGW.

References

  1. Blunden, Bill (2009). The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System. Jones & Bartlett Learning. p. 101. ISBN   978-1-59822-061-2.
  2. @PetrBenes (25 July 2019). "Did I miss something? Routines..." (Tweet) via Twitter.
  3. Eilam, Eldad (2011). Reversing: Secrets of Reverse Engineering. John Wiley & Sons. pp. 68–69. ISBN   978-1-118-07976-8.
  4. 1 2 "Inside Native Windows Applications". Microsoft . Archived from the original on 2010-09-12. Retrieved 2011-12-14.
  5. Russinovich, Mark A. & Solomon, David A. (2009). Windows® Internals. O'Reilly Media. p. 136. ISBN   978-0-7356-3796-2.
  6. Marceau, Carla & Stillerman, Matt (2006). "Modular behavior profiles in systems with shared libraries". In Neng, Peng; et al. (eds.). Information and Communications Security: 8th International Conference, ICICS 2006  Raleigh, NC, USA, December 4–7, 2006  proceedings. Springer. p. 371. ISBN   978-3-540-49496-6.
  7. "Inside Native Applications". Archived from the original on 2010-10-23. Retrieved 2017-08-26.
  8. 1 2 "Identifying Functions in DLLs". .NET Framework documentation. Microsoft. 2022-03-11 via Microsoft Learn.
  9. See also, the documentation for the Wine implementation of GDI32.DLL: Wine API: gdi32.dll
  10. Yuan, Feng (2001). Windows graphics programming: Win32 GDI and DirectDraw . Prentice Hall Professional. p.  71. ISBN   978-0-13-086985-2.
  11. "Common Dialog Box Library (Windows)". msdn.microsoft.com. Retrieved 2017-10-25.
  12. Microsoft (8 October 2009). "How RPC Works: Remote Procedure Call (RPC) | Microsoft Learn" . Retrieved 11 September 2023.
  13. "WD: What is a Scrap (.shs) file?". Microsoft Knowledge Base.
  14. Raymond Chen. "Windows Confidential: Scrapping the Scraps" . Retrieved 2011-12-14.
  15. "VBS.Stages.A". Symantec . Archived from the original on November 10, 2006.
  16. "How to open SHS files" . Retrieved 2011-12-14.
  17. "C Run-Time Libraries". Archived from the original on 2011-12-07. Retrieved 2011-12-14.
  18. "C++ binary compatibility 2015-2022". 11 March 2024.
  19. "Source Code for the C Run-Time Functions". 15 September 2006.
  20. "What does the "ms" in "mscorlib" stand for - hint: It's not "Microsoft"". 31 January 2004.