If you have ever written debugging software for Windows NT, you know it doesn't take long before you get stuck. Things as simple as enumerating processes or querying system performance are difficult due to the lack of detailed documentation. In an interesting Microsoft Systems Journal (MSJ) article series, Matt Pietrek presented two methods for getting at some internal system data. The first one involves querying the so-called Performance Counters stored in the registry (see "Under The Hood," MSJ, March/April, 1996). The other method uses a special-purpose system module named psapi.dll ("Under The Hood," MSJ, August 1996). Both methods work well, but give just a tiny glimpse of the wealth of data used internally by Windows NT.
NtQuerySystemInformation()
While trying to figure out how the kill.exe utility (from the NT Resource Kit) works, I discovered that it uses the mysterious NtQuerySystemInformation() function exported by ntdll.dll to get a list of the processes currently running. With this list, kill.exe is able to force termination of a process by name, simply by looking up the name in the process list and retrieving the associated process ID, which is stored in this list, too. This looked interesting enough to warrant a closer look. To my surprise, NtQuerySystemInformation() is apparently the general front door from user-mode code into internal kernel-mode data structures.
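As an added example (not code from the article or from kill.exe), here is the lookup just described, written the way a defender's inventory tool would do it: fetch the SystemProcessInformation list from NtQuerySystemInformation and walk it by NextEntryOffset to resolve an image name to a PID. The prototype, the SYSTEM_PROCESS_INFORMATION layout and the STATUS_INFO_LENGTH_MISMATCH retry come from the Windows SDK's winternl.h (link with ntdll.lib), not from the article; the mock layout used off Windows and the two-entry sample list are constructed purely for offline testing.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32                 /* real SDK declarations; link with ntdll.lib (exports NtQuerySystemInformation) */
#include <windows.h>
#include <winternl.h>
typedef SYSTEM_PROCESS_INFORMATION SPI; typedef WCHAR U16;
#else                         /* mock layout so the walker can run offline; NOT the real structure */
typedef uint16_t U16; typedef struct { uint16_t Length, MaximumLength; U16 *Buffer; } UNICODE_STRING;
typedef struct { uint32_t NextEntryOffset, NumberOfThreads; UNICODE_STRING ImageName; void *UniqueProcessId; } SPI;
#endif
/* ASCII case-insensitive compare of a UTF-16 ImageName (Length is in BYTES, no terminator) with an ASCII name. */
static int image_name_is(const UNICODE_STRING *u, const char *ascii) {
    size_t n = u->Length / 2, i; if (n != strlen(ascii)) return 0;
    for (i = 0; i < n; i++)                      /* a non-ASCII unit can never match an ASCII name */
        if (u->Buffer[i] > 127 || tolower((int)u->Buffer[i]) != tolower((unsigned char)ascii[i])) return 0;
    return 1;
}
/* Walk the NextEntryOffset chain and return the first matching PID (0 if none); every offset is checked against len, so a short or corrupt list is never read past or looped over forever. */
static uintptr_t find_pid_by_image(const unsigned char *buf, size_t len, const char *name) {
    for (size_t off = 0; off + sizeof(SPI) <= len; ) {
        const SPI *p = (const SPI *)(buf + off);
        if (image_name_is(&p->ImageName, name)) return (uintptr_t)p->UniqueProcessId;
        if (p->NextEntryOffset < sizeof(SPI)) break;    /* 0 marks the last entry; less is garbage */
        off += p->NextEntryOffset;
    }
    return 0;
}
/* Constructed two-entry sample (System = PID 4, kill.exe = PID 1234); returns its byte length. */
static size_t build_sample_list(SPI out[2]) {
    static U16 sys[] = {'S','y','s','t','e','m'}, kl[] = {'k','i','l','l','.','e','x','e'};
    memset(out, 0, 2 * sizeof(SPI));             /* out[1].NextEntryOffset stays 0: last entry */
    out[0].NextEntryOffset = sizeof(SPI); out[0].ImageName.Length = sizeof sys;
    out[0].ImageName.Buffer = sys;        out[0].UniqueProcessId = (void *)(uintptr_t)4;
    out[1].ImageName.Length = sizeof kl;  out[1].ImageName.Buffer = kl;
    out[1].UniqueProcessId = (void *)(uintptr_t)1234; return 2 * sizeof(SPI);
}
#ifdef _WIN32  /* live query; the list can grow between two calls, so retry with a bigger buffer on STATUS_INFO_LENGTH_MISMATCH (0xC0000004). Caller frees. */
static unsigned char *query_process_list(size_t *out_len) {
    ULONG size = 0, need = 0x10000; NTSTATUS st; unsigned char *buf = NULL;
    do {
        free(buf); size = need > size ? need + 0x1000 : size * 2;
        if ((buf = malloc(size)) == NULL) return NULL;
        st = NtQuerySystemInformation(SystemProcessInformation, buf, size, &need);
    } while (st == (NTSTATUS)0xC0000004L);
    if (st < 0) { free(buf); return NULL; }
    *out_len = need ? need : size; return buf;
}
#endif
```

On Windows, pass the buffer returned by query_process_list() to find_pid_by_image(); the walker never trusts a NextEntryOffset that would step outside the buffer.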
One of the things that puzzled me most was the complete lack of documentation on this function. Even the NT Device Driver Kit (DDK) header files ntddk.h and ntdef.h, which usually provide answers to many questions about NT internals, are amazingly ignorant of every aspect of NtQuerySystemInformation(). No API prototype, no info class definitions, just a single mention of the name in the comments to the definition of the structure CONFIGURATION_INFORMATION. Searching for "NtQuerySystemInformation" in the DDK help yields no hits at all. That's about as undocumented as a system API ever could be! In this article, I'll reveal what kind of data this API gives you access to, and provide a DLL and demo program that let you display most of that data on the screen (both available electronically; see "Resource Center," page 5).
It's simple to find out what parameters have to be passed to this function: you simply check how the NT core modules...