Refreshed Windows System Call Table (NT/2000/XP/2003/Vista/2008/7/8) released

Long time no see, huh? :-)

TL;DR: I created and released a complete Windows NT-family syscall table. See the bottom of the post for a link.

For the last couple of years, the Metasploit project (gritz skape!) has been hosting a table of the core Windows kernel services, also known as system calls (originally available at In its final version, the table included information regarding Windows NT (all recent service packs), 2000 (all service packs), XP (up to SP2), 2003 (up to SP1) and Vista (up to SP0). As years passed, new operating system editions were being released by Microsoft, while existing ones had new Service Packs made available for them. Consequently, due to lack of active maintainance, the project has became partially outdated, and eventually disappeared from the metasploit domain around four weeks ago.

Today, I would like to present a table based on the same concept (well, even the layout doesn’t differ too much), but supplemented with information about the originally missing Windows versions, including Windows 8 Developer Preview available since less than two months. The table contains a list of every Windows kernel service found at any point in the history of Windows NT-family, together with the syscall id for all OS editions it was present on. Unfortunately, it lacks the corresponding syscall handlers’ definitions; that’s simply because most of the NTAPI interface is not publicly documented by Microsoft. As such, the project has a primarily informative purpose – you can observe how the Windows native api has evolved through all these years, what kind of functionality might have been introduced in new system versions and which parts were removed, and so on. I believe you can also use it to pick an interesting Windows internals research subject, if you feel like performing one :-)

The most recent version of the table can be found here:

As the table width has grown up to quite a large size (it didn’t fit into my laptop’s monitor), I had to narrow it. In its current form, you can expand and hide information about individual Windows editions, or simply show all of the items (check the Show all and Hide all buttons). As a remainder, I have been also hosting the Windows Graphical System Call list for both 32- and 64-bit system versions (blog post). I will do my best to fill the rest of the empty cells in a few days.

Comments? Suggestions? Feel free to drop a line.

Oh by the way, in case you haven’t noticed yet: Michal Zalewski’s (aka lcamtuf) new book called “The Tangled Web” went public just two days ago. Suffice to say it’s a very solid book, focused on all the small details and quirks the modern client-side web security is all about. For more information, see or

Update (22.11.2011): I have just uploaded the requested 64-bit version of the table, find it here.

Leave a Comment