The Windows kernel has a unique system of constructing the names for its routines. It uses a specific set of abbreviations to define each routine’s location, actions, and versioning. Because the Windows kernel has over 800 routines, it is helpful to understand the basic principles of its naming conventions when you are reading sample driver source code.
Most kernel routines use the following naming structure:
<prefix><verb><noun><suffix>
· The prefix is an abbreviation of the kernel-mode component where the routine is located. All routines can be found in either one of the manager components or one of the library components of the kernel operating system.
· The verb indicates the action that is being taken by the kernel.
· The noun indicates the kernel object being acted upon by the routine.
· The suffix differentiates between versions of a routine.
For example, the kernel routine name KeRevertToUserAffinityThreadEx consists of:
· Prefix – Ke – is an abbreviation of the word “kernel” and indicates that this routine is located in the core Kernel Library component.
· Verb – RevertTo – indicates that the kernel action is “revert to”.
· Noun – UserAffinityThread – indicates that a “user affinity thread” is being acted upon by the routine.
· Suffix – Ex – indicates that this is a new version of KeRevertToUserAffinityThread. “Ex” is an abbreviation for extension. It is a common Windows naming convention for new versions of a routine.
The abbreviated prefixes refer to the individual components of the Windows kernel-mode operating system. Each component represents a specific functionality that the operating system provides. The prefixes are a useful shorthand for quickly recognizing the basic functionality and location of each routine. This is particularly useful for reading source code. For example, if you see a routine that is prefixed “Mm”, you will know that it manages memory. Becoming familiar with the abbreviations of the kernel components will make it easier to identify the general principles of how a routine will work in your driver code.
The prefixes for kernel routines, their component locations, and their functionality are:
Aux – Auxiliary Library
Routines that allow access to system capabilities not available directly from the kernel
Clfs – Common Log File System (CLFS) Library
Routines that allow access to the CLFS library
Cc – Cache Manager
Routines that allow access to the Cache Manager
Cm – Configuration Manager
Routines that allow access to the Configuration Manager
Ex – Executive Library
Routines that allow access to the system Executive library. This library provides general policy decisions not covered by other kernel-mode managers or libraries.
Flt – Filter Manager
Routines that allow access to the filter manager
Hal – Hardware Abstraction Layer (HAL)
Routines that allow access to the low-level Hardware Abstraction Layer
Io – I/O Manager
Routines that allow access to the I/O Manager
Ke – Core Kernel Library
Routines that allow access to the core Kernel Library
Mm – Memory Manager
Routines that allow access to the Memory Manager
Nt – User-mode Native Services
Routines that allow access to user-mode Native Services
Ob – Object Manager
Routines that allow access to the Object Manager
Po – Power Manager
Routines that allow access to the Power Manager
Ps – Process and Thread Library
Routines that allow access to the Process and Thread Library
Rtl – Run-Time Library
Routines that allow access to the kernel-mode Run-time Library, which also includes the Safe String Library
FsRtl – File System Run-time Library
Routines that allow access to the File System Run-time Library
Se – Security Reference Monitor
Routines that allow access to the Security Reference Monitor
Wmi – Windows Management Instrumentation Library
Routines that allow access to the Windows Management Instrumentation Library
Zw – Kernel-mode wrappers for Native Services
Routines that provide kernel-mode access to user-mode Native Services
-- Seth McEvoy [MSFT], WDK Senior Programming Writer