Windows Internals
intermediate

Ntdll & the user/kernel boundary

How user-mode code reaches native system services through ntdll and syscalls.

Related labs

Hands-on exercises for this area — in the browser or on a Windows machine.

Process tree explorer

Walk a sample parent/child tree from System to Explorer and a user app.

Open lab
View all labs

Official Microsoft docs

Closest official references related to this topic on Microsoft Learn.

Microsoft Learn

PEB structure

learn.microsoft.com

Microsoft Learn

Using NT and Zw versions of the native system services

learn.microsoft.com

Why it matters

Most Win32 APIs bottom out in ntdll native APIs. Forensics and debugging often start at Nt* calls, not kernel32 exports.

Mental model

Ntdll is the thinnest user-mode layer before the kernel. It marshals parameters and executes the syscall transition.

Windows building blocks

Names and paths you can look for in Task Manager, Explorer, or documentation.

  • Filentdll.dll

    %SystemRoot%\System32

    Native API stubs and user-mode runtime

Go one level deeper

Extra detail for readers who want more precision before opening a child topic.

  • Syscall stubs live in ntdll; the service number selects the kernel dispatcher routine.
  • Wow64 processes use a thunk layer when calling native syscalls from 32-bit code.

How it works

  1. 1Higher subsystems call ntdll Nt* or Zw* entry points.
  2. 2Syscalls switch to kernel mode with a service number and argument block.
  3. 3The kernel dispatches to the appropriate executive routine and returns status.

Key terms

Native API
Undocumented-but-stable Nt* family implemented by ntdll.
Syscall
Controlled transition from user mode to kernel mode.

CreateFileW under the hood

Kernel32's CreateFile eventually reaches NtCreateFile in ntdll, which enters the kernel I/O path.

Common misconception

Ntdll is not a subsystem like Win32. It is the user-mode stub layer for native system services.

You should read next

Ranked from your current topic, related links, branch depth, and any active guided path.

intermediate

DLL loader, PEB, and module lists

How Windows loads shared libraries and tracks runtime module state.

Related topic

intermediate

Kernel objects

Handles, object manager, names, and reference counting basics.

Related topic

intermediate

I/O Manager

The kernel component that builds, routes, and completes I/O requests.

Related topic

Related topics

I/O Manager

The kernel component that builds, routes, and completes I/O requests.

Kernel objects

Handles, object manager, names, and reference counting basics.

DLL loader, PEB, and module lists

How Windows loads shared libraries and tracks runtime module state.

Previous

Job objects

Grouping processes with shared limits, UI restrictions, and teardown rules.

Next

Memory management

Virtual address spaces, paging, working sets, and how Windows tracks memory.