Nt vs Zw exports

[TSlivede]

I am currently using the ZwQueryKey function via CsWin32 which is AFAIK using the wdkmetadata of this project.

As the documentation states 'If the call to this function occurs in user mode, you should use the name "NtQueryKey" instead of "ZwQueryKey".', I would like to use the name NtQueryKey. However, that name does not seem to be included in the wdkmetadata.

Just to be sure, I checked that NtQueryKey isn't just a macro or something. dumpbin /exports C:\windows\System32\ntdll.dll lists NtQueryKey as an exported function. However in a quick search I couldn't actually find if/where/how the wdk headers declare NtQueryKey.

Apart from NtQueryKey specifically, it seems to be a general trend, that no Nt* metadata exists for quite a few Zw* functions. If I didn't make too many mistakes in my ad hoc regex search through the via ilspy decompiled version of the winmd file, there are 121 Zw* declarations but only 104 Nt* declarations in Windows.Wdk.winmd. And it's not only Zw without Nt counterpart, but also Nt without Zw counterpart.

Based on "With a few exceptions, each native system services routine has two slightly different versions that have similar names but different prefixes.", I would assume that there should be much less functions without counterpart. (Counting the exports of ntdll seems to support this (478 times Nt*, 473 times Zw*) - are most of these undocumented, or why are only so few in the metadata?)

Note: I am aware, that this is basically nitpicking, because of this: "For system calls from user mode, the Nt and Zw versions of a routine behave identically.". I still think, that if both variants exist, both should be available via the metadata (if alone for better discoverability).

[mikebattista]

Discussing this over at https://github.com/microsoft/win32metadata/issues/1722.

[mikebattista]

Reopening to capture additional gaps per https://github.com/microsoft/win32metadata/issues/1722#issuecomment-2171684604.