Microsoft Windows library files
This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these template messages)
The Microsoft Windows operating system supports a form of shared libraries known as "dynamic-link libraries", which are code libraries that can be used by multiple processes while only one copy is loaded into memory. This article provides an overview of the core libraries that are included with every modern Windows installation, on top of which most Windows applications are built.
HAL.DLL is a kernel-mode library file and it cannot be used by any user-mode program. NTDLL.DLL is only used by some programs, but it is a dependency of most Win32 libraries used by programs.
The Windows Hardware Abstraction Layer (HAL) is implemented in hal.dll. The HAL implements a number of functions that are implemented in different ways by different hardware platforms, which in this context, refers mostly to the chipset. Other components in the operating system can then call these functions in the same way on all platforms, without regard for the actual implementation.
For example, responding to an interrupt is quite different on a machine with an Advanced Programmable Interrupt Controller (APIC) than on one without. The HAL provides a single function for this purpose that works with all kinds of interrupts by various chipsets, so that other components need not be concerned with the differences.
The HAL is loaded into kernel address space and runs in kernel mode, so routines in the HAL cannot be called directly by applications, and no user mode APIs correspond directly to HAL routines. Instead, the HAL provides services primarily to the Windows executive and kernel and to kernel mode device drivers. Although drivers for most hardware are contained in other files, commonly of file type .sys, a few core drivers are compiled into hal.dll.
Kernel mode device drivers for devices on buses such as PCI and PCI Express directly call routines in the HAL to access I/O ports and registers of their devices. The drivers use HAL routines because different platforms may require different implementations of these operations. The HAL implements the operations appropriately for each platform, so the same driver executable file can be used on all platforms using the same CPU architecture, and the driver source file can be portable across all architectures.
On x86 systems, there are several different HAL files on the installation media. The Windows installation procedure determines which ones are appropriate for the current platform and copies it to the hard drive, renaming it to hal.dll if necessary. Among the criteria for this selection are: the presence of an ACPI-compatible BIOS, the presence of an APIC, and whether or not multiple processors are present and enabled. (The multiple cores of a multi-core CPU, and even the "logical processors" implemented by a hyperthreading CPU, all count as "processors" for this purpose.) On x86-64 and Itanium platforms there is just one possible hal.dll for each CPU architecture.
HAL is merged (or statically linked) into ntoskrnl.exe starting with version 2004 of Windows 10, and the dll only serves as a stub for backwards compatibility.
NTDLL.DLL exports the Windows Native API. The Native API is the interface used by user-mode components of the operating system that must run without support from Win32 or other API subsystems. Most of this API is implemented in NTDLL.DLL and at the upper edge of ntoskrnl.exe (and its variants), and the majority of exported symbols within these libraries are prefixed Nt, for example NtDisplayString. Native APIs are also used to implement many of the "kernel APIs" or "base APIs" exported by KERNEL32.DLL. The large majority of Windows applications do not call NTDLL.DLL directly.
Applications that are linked directly against this library are said to use the native subsystem; the primary reason for their existence is to perform tasks that must run early in the system startup sequence before the Win32 subsystem is available. An obvious but important example is the creation of the Win32 subsystem process, csrss.exe. Before the csrss.exe process exists, no Win32 processes may be created, therefore the process that creates it (Smss.exe, the "session manager") must use the native subsystem. csrss.exe itself is such an application.
Despite having an ".exe" file extension, native applications cannot be executed by the user (or any program in the Win32 or other subsystems). An example is the autochk.exe binary that runs chkdsk during the system initialization "Blue Screen". Other prominent examples are the services that implement the various subsystems, such as csrss.exe.
Unlike Win32 applications, native applications instantiate within the Kernel runtime code (ntoskrnl.exe) and so they must have a different entry point (NtProcessStartup, rather than (w)(Win)MainCRTStartup as is found in a Win32 application), obtain their command-line arguments via a pointer to an in-memory structure, manage their own memory using the Rtl heap API, (which the Win32 heap APIs are just wrappers around—no real difference there) and return execution with a call to NtTerminateProcess (as opposed to ExitProcess). A common library linked with Native applications is nt.lib, which contains startup code for Native applications, similar to how the C runtime provides startup code for Win32 apps.
Though most of the API is undocumented, Native Applications can be built using the Windows Driver Development Kit; many antivirus software and other utility software vendors incorporate Native Applications within their products, usually to perform some boot-time task that cannot be carried out in userspace.
The libraries in this section each implement various subsets of the Win32 API.
KERNEL32.DLL exposes to applications most of the Win32 base APIs, such as memory management, input/output (I/O) operations, process and thread creation, and synchronization functions. Many of these are implemented within KERNEL32.DLL by calling corresponding functions in the native API, exposed by NTDLL.DLL.[failed verification]
GDI32.DLL exports Graphics Device Interface (GDI) functions that perform primitive drawing functions for output to video displays and printers. It is used, for example, in the XP version of Paint. Applications call GDI functions directly to perform low-level drawing (line, rectangle, ellipse), text output, font management, and similar functions.
Initially, GDI supported 16 and 256 color EGA/VGA display cards and monochrome printers. The functionality has expanded over the years, and now includes support for things like TrueType fonts, alpha channels, and multiple monitors.
USER32.DLL implements the Windows USER component that creates and manipulates the standard elements of the Windows user interface, such as the desktop, windows, and menus. It thus enables programs to implement a graphical user interface (GUI) that matches the Windows look and feel. Programs call functions from Windows USER to perform operations such as creating and managing windows, receiving window messages (which are mostly user input such as mouse and keyboard events, but also notifications from the operating system), displaying text in a window, and displaying message boxes.
Many of the functions in USER32.DLL call upon GDI functions exported by GDI32.DLL to do the actual rendering of the various elements of the user interface. Some types of programs will also call GDI functions directly to perform lower-level drawing operations within a window previously created via USER32 functions.
COMCTL32.DLL implements a wide variety of standard Windows controls, such as File Open, Save, and Save As dialogs, progress bars, and list views. It calls functions from both USER32.DLL and GDI32.DLL to create and manage the windows for these UI elements, place various graphic elements within them, and collect user input.
COMDLG32.DLL, the Common Dialog Box Library, implements a wide variety of Windows dialog boxes intended to perform what Microsoft deems 'common application tasks'. Starting with the release of Windows Vista, Microsoft considers the "Open" and "Save as" dialog boxes provided by this library as deprecated and replaced by the 'Common Item Dialog API'.
WS2_32.DLL implements the Winsock API, which provides TCP/IP networking functions and provides partial, broken compatibility with other network APIs. wsock.dll and wsock32.dll are older versions for Win3.11 and Win95 compatibility.
ADVAPI32.DLL provides security calls and functions for manipulating the Windows Registry.
NETAPI32.DLL provides functions for querying and managing network interfaces.
SHSCRAP.DLL is part of the Object Linking and Embedding (OLE) mechanism. It implements support for shell scrap files, which are automatically created when you drag selected content from an OLE-capable application into an Explorer window or desktop, but you can also use the Object Packager to create them. They can then be dragged into another OLE-capable application.
This functionality was removed from Windows Vista (and therefore later versions) to improve security and rid the operating system of generally unused functionality. Scrap (.shs) files have been used by viruses because they can contain a wide variety of files (including executable code), and the file extension is not shown even when "Hide file extensions from known file types" is disabled. The functionality can be restored by copying registry entries and the DLL from a Windows XP system.
WINMM.DLL provides access to the original WinMM audio API.
IMM32 is responsible for invoking and interacting with the Input Method Editor.
MSVCRT.DLL, MSVCP*.DLL and CRTDLL.DLL
MSVCRT.DLL is the C standard library for the Visual C++ (MSVC) compiler from version 4.2 to 6.0. It provides programs compiled by these versions of MSVC with most of the standard C library functions. These include string manipulation, memory allocation, C-style input/output calls, and others. MSVCP*.DLL is the corresponding C++ library.
It has shipped with Windows versions since Windows 95 OSR2.5 for use by other Windows components; earlier versions shipped with the CRTDLL.DLL library instead. In older versions of Windows, programs which linked against MSVCRT.DLL were expected to install a compatible copy in the System32 folder, but this contributed to DLL Hell because many installers failed to check the library version against the installed version before replacing it.
Versions of MSVC before 4.0 and from 7.0 to 13.0 used differently named DLLs for each version (MSVCR20.DLL, MSVCR70.DLL, MSVCR71.DLL, MSVCP110.DLL, etc.). Applications are required to install the appropriate version, and Microsoft offers Visual C++ Redistributable packages for this purpose, though Windows typically comes with one version already installed.
With Version 14.0, most of the C/C++ runtime was moved into a new DLL, UCRTBASE.DLL. However, C/C++ programs using UCRTBASE.DLL are forced to link against another new DLL, the VCRuntime. At Version 14.0, this was VCRUNTIME140.DLL. The name has the potential to change at future versions, but has not done so as far as Version 17.0.
Source code for runtime libraries is included in Visual C++ for reference and debugging (e.g. in
C:\Program Files\Microsoft Visual Studio 11.0\VC\crt\src).
This runtime library is used by programs written in Visual C++ and a few other compilers (e.g. MinGW). Some compilers have their own runtime libraries.
Other runtime libraries
- ATL*.DLL – Active Template Library
- MFC*.DLL – Microsoft Foundation Classes
- MSVBVM60.DLL – Visual Basic 6.0 Virtual Machine (Visual Basic.NET programs require .NET Framework instead)
- VCOMP*.DLL – Microsoft OpenMP runtime
- VCRUNTIME*.DLL – Microsoft VCRuntime, for MSVC 14.0+
- MSVCIRT.DLL – Microsoft C++ Library, contains the deprecated C++ classes from <iostream.h> (note the file extension) for MS C 9 and 10 (MSVC 2.x, 4.x) (Back then, the draft C++ Standard Library was integrated within MSVCRT.DLL. It was split up with the release of Visual C++ 5.0)
.NET Framework libraries
Programs written in C#, Visual Basic.NET, C++/CLI and other .NET languages require the .NET Framework. It has many libraries (one of them is mscorlib.dll – Multilanguage Standard Common Object Runtime Library, formerly Microsoft Common Object Runtime Library) and so-called assemblies (e.g. System.Windows.Forms.dll).
- Architecture of Windows NT
- Windows NT startup process
- List of Microsoft Windows components
- Windows API
- Dynamic link library
- Blunden, Bill (2009). The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System. Jones & Bartlett Learning. p. 101. ISBN 978-1-59822-061-2.
- @PetrBenes (25 July 2019). "Did I miss something? Routines..." (Tweet) – via Twitter.
- Eilam, Eldad (2011). Reversing: Secrets of Reverse Engineering. John Wiley & Sons. pp. 68–69. ISBN 978-1-118-07976-8.
- "Inside Native Windows Applications". Microsoft. Archived from the original on 2010-09-12. Retrieved 2011-12-14.
- Russinovich, Mark A. & Solomon, David A. (2009). Windows® Internals. O'Reilly Media. p. 136. ISBN 978-0-7356-3796-2.
- Marceau, Carla & Stillerman, Matt (2006). "Modular behavior profiles in systems with shared libraries". In Neng, Peng; et al. (eds.). Information and Communications Security: 8th International Conference, ICICS 2006 – Raleigh, NC, USA, December 4–7, 2006 – proceedings. Springer. p. 371. ISBN 978-3-540-49496-6.
- "Inside Native Applications". Archived from the original on 2010-10-23. Retrieved 2017-08-26.
- Visual Studio Developer Center: Identifying Functions in DLLs
- See also, the documentation for the Wine implementation of GDI32.DLL: Wine API: gdi32.dll
- Yuan, Feng (2001). Windows graphics programming: Win32 GDI and DirectDraw. Prentice Hall Professional. p. 71. ISBN 978-0-13-086985-2.
- "Common Dialog Box Library (Windows)". msdn.microsoft.com. Retrieved 2017-10-25.
- "WD: What is a Scrap (.shs) file?". Microsoft Knowledge Base.
- Raymond Chen. "Windows Confidential: Scrapping the Scraps". Retrieved 2011-12-14.
- "VBS.Stages.A". symantec.com.
- "How to open SHS files". Retrieved 2011-12-14.
- "C Run-Time Libraries". Archived from the original on 2011-12-07. Retrieved 2011-12-14.
- "C++ binary compatibility 2015-2022".
- "Source Code for the C Run-Time Functions".
- "What does the "ms" in "mscorlib" stand for - hint: It's not "Microsoft"".
- API calls list (USER32.DLL) Archived 2015-11-21 at the Wayback Machine – Tips for using the User API Client Library with Visual Basic
- API calls list (KERNEL32.DLL) Archived 2015-11-21 at the Wayback Machine – Tips for using the Kernel API Client Library with Visual Basic
- Native API reference
- Unofficial website that documents most of the Native API methods
- Retrieving the KERNEL32.DLL base address