Windows System Call Tables

The repository contains system call tables collected from all modern and most older releases of Windows, starting with Windows NT.

Both 32-bit and 64-bit builds were analyzed, and the tables were extracted from both the core kernel image (ntoskrnl.exe) and the graphical subsystem (win32k.sys).

Formats

The data is formatted in the CSV and JSON formats for programmatic use, and as an HTML table for manual inspection.

The HTML files are also hosted on my blog under the following links:

• ntoskrnl.exe, x86: http://j00ru.vexillium.org/syscalls/nt/32/
• ntoskrnl.exe, x64: http://j00ru.vexillium.org/syscalls/nt/64/
• win32k.sys, x86: http://j00ru.vexillium.org/syscalls/win32k/32/
• win32k.sys, x64: http://j00ru.vexillium.org/syscalls/win32k/64/

Operating systems

The following major versions of Windows are included in the tables:

Windows Server 2016 and later are not included, as their syscall tables are equivalent to that of Windows 10:

Historical system call counts

Below is a line chart showing the progression of Windows system call development over time. It covers all major desktop versions of Windows starting with Windows NT 4.0 released in August 1996, up to the most recent versions of Windows 10. Server editions are not included as their kernels are equivalent to their desktop counterparts. The analysis was performed on x86 builds for consistency, as this is the only CPU architecture which covers all available systems. There might be very small differences on x64 builds of the kernel or the less popular editions (e.g. Windows NT 4.0 Terminal Server), but they are insignificant for the purpose of this overview chart.

Thanks

We would like to thank the following contributors to the project: Woodmann, Deus, Gynvael Coldwind, MeMek, Alex, Omega Red, Wandering Glitch.

Contact

Mateusz 'j00ru' Jurczyk ([email protected])