What does the "Zw" prefix mean?


If you spend time in kernel mode, you're accustomed to seeing functions with two-letter (or occasionally, three-letter) prefixes that indicate which component they belong to.

Prefix Component Example
Ex Executive ExAllocatePool
Hal Hardware abstraction layer HalGetBusData
Io I/O manager IoAllocateIrp
Ke Kernel KeBugCheck
Ks Kernel streaming KsAcquireControl
Mm Memory manager MmGetPhysicalAddress
Ob Object manager ObReferenceObjectByHandle
Po Power management PoSetSystemState
Se Security SeAccessCheck
Tdi Transport driver interface TdiProviderReady
Zw ???? ZwCancelTimer

What does the "Zw" mean?

Answer: Nothing.

The people who chose the letters wanted to pick something that was unlikely to collide with anything. Perhaps they had a prior bad experience with having chosen a prefix, only to find that somebody ahead of them claimed it already?

Comments (26)
  1. Andre says:

    What does the prefix "tag" mean as in "struct tagX" ?

  2. Zero Wing!

    ZwAYBABTU

    <snip>Extra goo to get past the spam filter.  All work and no play makes Jack a dull boy.  All work and no play makes Jack a dull boy.  All work and no play makes Jack a dull boy.</snip>

  3. Andre says:

    Thanks for the links Anon. Must have missed the posts last year. His book is on my wish list for my birthday :)

  4. Whenever I see a ZwXXX function, it always makes me think of Jamie Zawinski (jwz).

  5. Mark says:

    ZW is also MZ upside-down, which is probably why it was chosen over, say, ZX.

    Shame really, I wish Zimbanza Woobie was real.

  6. Yuhong Bao says:

    BTW, if you are wondering about the "Nt" prefix, the difference between Zw and Nt in kernel mode is that the Zw prefix functions set the previous mode to kernel mode, while the Nt prefix functions leave it unchanged. The previous mode is used in parameter validation to determine if the function is called from user mode or kernel mode.

  7. keithmo says:

    Once upon a time (back when the entire NT dev team could fit into a single conference room), I heard a story about the "Zw" prefix.

    Allegedly, the "z" is from Mark Zbikowski, and the "w" is from Bryan Willman (sp?).

    Then again, there’s a tendency to assume that any MS acronym containing "z" is somehow associated with MarkZ. Of course, given his lengthy tenure at MS and the broad scope of his work, many such acronyms ARE associated with him.

  8. xcud says:

    I worked in the NT build lab from 96-98. I was also under the impression that ZW is directly related to MZ.

    The ‘reflective text theory’ has poetic merit.

  9. A says:

    What about yyy and zzz in Win32k?

  10. KeithMo: Zibo never worked on NT 3.1, so it’s unlikely that the name had anything to do with him (he moved from OS/2 2.0 straight to Win9x and only joined NT after Win2K).

  11. Miral says:

    Could be a homage though, even if he never worked on it…

  12. Jolyon Smith says:

    Maybe it’s an urban myth or a faulty memory, but I though that bits of NT came from OS/2…  I seem to recall something from a LOOOONG time ago about much mirth and hilarity arising from NT throwing up an error message in which the OS seemed to be under the impression that it was OS/2, not NT.

  13. Mark says:

    Larry: I get the impression that MZ is a bit like xyzzy.  Also, ZW is NE rotated 90° – can I blame the Illuminati?

  14. Worf says:

    Well, I guess that explains all the wierd API names I see when writi g drivers on Windows CE. Especially pre-CE6, where drivers ran under a separate process in user space.

    No one I knows really thinks about it… MmMapIoSpace, HalAllocateCommonBuffer, etc. Mixed in with stuff like LockPages, InterruptDone and the like. Just a wild assortment of APIs that I never really gave much thought to, other than their wierd names.

  15. I’ve been curious why so many internal functions are duplicated as both ZwSomething and NtSomething.  E.g., ZwCreateFile and NtCreateFile.

  16. strik says:

    @Aaron Margosis:

    Have a look at the article here: http://www.osronline.com/article.cfm?article=257 which explains why there are NtXXX and ZwXXX functions.

    If you are not registered, the following alternative URL might work: http://www.osronline.com/custom.cfm?name=articlePrint.cfm&id=257

  17. Medinoc says:

    And the "Ki" prefix ?

    Does it mean something like "Kernel Interrupts" ?

  18. Mike Dimmick says:

    If the second letter of the prefix is changed to ‘i’ it means ‘internal’. Some prefixes gain a ‘p’ suffix e.g. XxpDoThing to indicate ‘private’.

    The kernel mode prefix scheme is explained in ‘Inside Windows 2000’ and its successors (now named Windows Internals).

  19. Morten says:

    @Medinoc: no, those are high-powered black-belt only functions. Chuck Norris functions, if you will.

    </joke>

  20. ulric says:

    @strik   thanks for the link strik, that’s a good one.

  21. ERock says:

    ASCII Zw is 0011101001110111 in binary. A particularly beautiful binary string in my opinion with ample use of 111, alternating 00/0, and a lone 1 to glue it all together.

  22. Kamendae says:

    I had heard that it stood for Zero Weight, i.e. less overhead because you get a lot less parameter checking due to the "previous mode == kernel" setting that Yuhong Bao mentions above.  That could also be a backronym, though.

  23. scott says:

    @Mark

    I hope there aren’t any people named Zimbanza Woobie out there, when I wrote the article I tried *really* hard to come up with a name that I didn’t think would exist.

    And my apologies to any past, present, or future Zimbanza Woobies :)

  24. Gabe says:

    Larry, I’m pretty sure MarkZ was working on Cairo well before Win2k. He worked on the search/index features of OFS and OLEDB (called Nile back then).

    He had some MIPS machines in his office with the whole NT source tree indexed. It was quite handy!

Comments are closed.