The Windows API uses the following naming convention: <Prefix><Operation><Object>.
Internal functions use a variation of the prefix - either the first letter of the prefix followed by an i (for internal) or the full prefix followed by a p (for private). For example, Ki represents internal kernel functions, and Psp refers to internal process support functions.
Listed below are some of the most common prefixes. Use this table when debugging or looking through a Windows binary's import table to quickly understand what a binary is doing.
| Prefix | Description |
|---|---|
| Alpc | Advanced Local Procedure Calls |
| Cc | Common Cache |
| Cm | Configuration manager |
| Dbg | Kernel debug support |
| Dbgk | Debugging Framework for user mode |
| Em | Errata manager |
| Etw | Event Tracing for Windows |
| Ex | Executive support routines |
| FsRtl | File System Runtime Library |
| Hv | Hive library |
| Hvl | Hypervisor library |
| Io | I/O manager |
| Kd | Kernel debugger |
| Ke | Kernel |
| Kse | Kernel Shim Engine |
| Lsa | Local Security Authority |
| Mm | Memory manager |
| Nt | NT system services (accessible from user mode through system calls) |
| Ob | Object manager |
| Pf | Prefetcher |
| Po | Power manager |
| PoFx | Power framework |
| Pp | PnP manager |
| Ppm | Processor power manager |
| Ps | Process support |
| Rtl | Run time library |
| Se | Security Reference Monitor |
| Sm | Store Manager |
| Tm | Transaction manager |
| Ttm | Terminal timeout manager |
| Vf | Driver Verifier |
| Vsl | Virtual Secure Mode library |
| Wdi | Windows Diagnostic Infrastructure |
| Wfp | Windows FingerPrint |
| Whea | Windows Hardware Error Architecture |
| Wmi | Windows Management Instrumentation |
| Zw | Mirror entry point for system services (beginning with Nt) that sets previous access mode to kernel, which eliminates parameter validation, because Nt system services validate parameters only if previous access mode is user. |
References
- Yosifovich, P., Ionescu, A., Russinovich, M. E., & Solomon, D. A. (2017). Chapter 2: System architecture. In Windows internals. Redmond, WA: Microsoft Press.