Windows Kernel Function Prefixes

When kernel debugging, you will see a lot of windows kernel internal function names with two letter prefixes (assuming you have symbols).  Knowing what the prefixes mean can help you figure out what is going on.  I will give you a quick rundown of some of the basics.

Common Prefixes:

Cc	Cache manager
Cm	Configuration manager
Ex	Executive support routines
FsRtl	File system driver run time lib
Hal	Hardware abstraction layer
Io	IO manager
Ke	Kernel
Lpc	Local procedure call
Lsa	Local security authority
Mm	Memory manager
Nt	System services
Ob	Object manager
Po	Power manager
Pp	PnP manager
Ps	Process support
Rtl	Runtime lib
Se	Security
Wmi	Windows management instrumentation
Zw	Kernel version of Nt functions

Within these prefixes, there are variations to denote internal (second letter changed to an 'i') or private functions (an extra p is tacked on the end of the prefix.  For instance, an internal PnP function would have the Pi prefix instead of Pp.