What does the “Zw” prefix mean?
If you spend time in kernel mode, you’re accustomed to seeing functions with two-letter (or occasionally, three-letter) prefixes that indicate which component they belong to.
| Prefix | Component | Example |
|---|---|---|
Ex |
Executive | ExAllocatePool |
Hal |
Hardware abstraction layer | HalGetBusData |
Io |
I/O manager | IoAllocateIrp |
Ke |
Kernel | KeBugCheck |
Ks |
Kernel streaming | KsAcquireControl |
Mm |
Memory manager | MmGetPhysicalAddress |
Ob |
Object manager | ObReferenceObjectByHandle |
Po |
Power management | PoSetSystemState |
Se |
Security | SeAccessCheck |
Tdi |
Transport driver interface | TdiProviderReady |
Zw |
???? | ZwCancelTimer |
What does the “Zw” mean?
Answer: Nothing.
The people who chose the letters wanted to pick something that was unlikely to collide with anything. Perhaps they had a prior bad experience with having chosen a prefix, only to find that somebody ahead of them claimed it already?
Light
Dark
0 comments