RtlCompressBuffer - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers 
#ifndef _NTRTL_H

NTSYSAPI
NTSTATUS
NTAPI
RtlCompressBuffer(
    _In_ USHORT CompressionFormatAndEngine,
    _In_reads_bytes_(UncompressedBufferSize) PUCHAR UncompressedBuffer,
    _In_ ULONG UncompressedBufferSize,
    _Out_writes_bytes_to_(CompressedBufferSize, *FinalCompressedSize) PUCHAR CompressedBuffer,
    _In_ ULONG CompressedBufferSize,
    _In_ ULONG UncompressedChunkSize,
    _Out_ PULONG FinalCompressedSize,
    _In_ PVOID WorkSpace
    );

#endif

View code on GitHub
// ntifs.h

NT_RTL_COMPRESS_API NTSTATUS RtlCompressBuffer(
  [in]  USHORT CompressionFormatAndEngine,
  [in]  PUCHAR UncompressedBuffer,
  [in]  ULONG  UncompressedBufferSize,
  [out] PUCHAR CompressedBuffer,
  [in]  ULONG  CompressedBufferSize,
  [in]  ULONG  UncompressedChunkSize,
  [out] PULONG FinalCompressedSize,
  [in]  PVOID  WorkSpace
);
View the official Windows Driver Kit DDI reference

NtDoc

No description available.

Edit description on GitHub

Windows Driver Kit DDI reference (nf-ntifs-rtlcompressbuffer)

RtlCompressBuffer function

Description

The RtlCompressBuffer function compresses a buffer and can be used by a file system driver to facilitate the implementation of file compression.

Parameters

CompressionFormatAndEngine [in]

A bitmask that specifies the compression format and engine type. This parameter must be set to a valid bitwise OR combination of one format type and one engine type. For example, COMPRESSION_FORMAT_LZNT1 | COMPRESSION_ENGINE_STANDARD.

The meanings of these, and other related values, are as follows.

Value Meaning
COMPRESSION_FORMAT_NONE Not supported by this function.
COMPRESSION_FORMAT_DEFAULT Not supported by this function.
COMPRESSION_FORMAT_LZNT1 The function will perform LZ compression.
COMPRESSION_FORMAT_XPRESS The function will perform Xpress compression.
COMPRESSION_FORMAT_XPRESS_HUFF The function will perform Xpress Huffman compression.
COMPRESSION_ENGINE_STANDARD The UncompressedBuffer buffer is compressed using an algorithm that provides a balance between data compression and performance. This value cannot be used with COMPRESSION_ENGINE_MAXIMUM.
COMPRESSION_ENGINE_MAXIMUM The UncompressedBuffer buffer is compressed using an algorithm that provides maximum data compression but with relatively slower performance. This value cannot be used with COMPRESSION_ENGINE_STANDARD.
COMPRESSION_ENGINE_HIBER Not supported by this function.

UncompressedBuffer [in]

A pointer to a caller-allocated buffer (allocated from paged or non-paged pool) that contains the data to be compressed. This parameter is required and cannot be NULL.

UncompressedBufferSize [in]

The size, in bytes, of the UncompressedBuffer buffer.

CompressedBuffer [out]

A pointer to a caller-allocated buffer (allocated from paged or non-paged pool) that receives the compressed data. This parameter is required and cannot be NULL.

CompressedBufferSize [in]

The size, in bytes, of the CompressedBuffer buffer.

UncompressedChunkSize [in]

The chunk size to use when compressing the UncompressedBuffer buffer. This parameter must be one of the following values: 512, 1024, 2048, or 4096. The operating system uses 4096, and the recommended value for this parameter is also 4096.

FinalCompressedSize [out]

A pointer to a caller-allocated variable that receives the size, in bytes, of the compressed data stored in CompressedBuffer. This parameter is required and cannot be NULL.

WorkSpace [in]

A pointer to a caller-allocated work space buffer used by the RtlCompressBuffer function during compression. Use the RtlGetCompressionWorkSpaceSize function to determine the correct work space buffer size.

Return value

RtlCompressBuffer returns an appropriate error status value, such as one of the following.

Return code Description
STATUS_SUCCESS The UncompressedBuffer buffer was successfully compressed.
STATUS_BUFFER_ALL_ZEROS The UncompressedBuffer buffer was successfully compressed, but this buffer contains only zeros.
STATUS_INVALID_PARAMETER An invalid compression format was specified through the CompressionFormat parameter. If CompressionFormat is either COMPRESSION_FORMAT_NONE or COMPRESSION_FORMAT_DEFAULT (but not both), this value is returned.
STATUS_UNSUPPORTED_COMPRESSION An invalid compression format was specified through the CompressionFormat parameter. If CompressionFormat is not one of the following, STATUS_UNSUPPORTED_COMPRESSION is returned: COMPRESSION_FORMAT_LZNT1, COMPRESSION_FORMAT_XPRESS, COMPRESSION_FORMAT_XPRESS_HUFF
STATUS_NOT_SUPPORTED An invalid compression engine was specified through the CompressionFormatAndEngine parameter. If CompressionFormatAndEngine is not COMPRESSION_ENGINE_STANDARD or COMPRESSION_ENGINE_MAXIMUM (but not both), this value is returned.
STATUS_BUFFER_TOO_SMALL The compressed buffer is too small to hold the compressed data. That is, FinalCompressedSize is greater than CompressedBufferSize.

Remarks

The RtlCompressBuffer function takes as input an uncompressed buffer and produces its compressed equivalent provided that the compressed data fits within the specified destination buffer.

To determine the correct buffer size for the WorkSpace parameter, use the RtlGetCompressionWorkSpaceSize function.

To decompress a compressed buffer, use the RtlDecompressBuffer function.

To extract an uncompressed fragment from a compressed buffer, use the RtlDecompressFragment function.

See also

FILE_COMPRESSION_INFORMATION

RtlDecompressBuffer

RtlDecompressFragment

RtlGetCompressionWorkSpaceSize

View the official Windows Driver Kit DDI reference

Edit description on GitHub

NTinternals.net (undocumented.ntinternals.net)

This function is documented in Windows Driver Kit.

CompressionFormat

Only lower 2 bytes are supported. Higher byte means Compression Engine. Lower byte means Compressing Format.

Compression format (0-15). Bits 4-7 are unused.

In NT 4.0 sp6 only LZNT1 is supported.

#define COMPRESSION_FORMAT_NONE     (0x0000)        // [result:STATUS_INVALID_PARAMETER]
#define COMPRESSION_FORMAT_DEFAULT  (0x0001)        // [result:STATUS_INVALID_PARAMETER]
#define COMPRESSION_FORMAT_LZNT1    (0x0002)
#define COMPRESSION_FORMAT_NS3      (0x0003)        // STATUS_NOT_SUPPORTED
#define ...                                         // STATUS_NOT_SUPPORTED
#define COMPRESSION_FORMAT_NS15     (0x000F)        // STATUS_NOT_SUPPORTED

#define COMPRESSION_FORMAT_SPARSE   (0x4000)        // ??? [result:STATUS_INVALID_PARAMETER]

Compression engine.

It's level of compression. Higher level means better results, but longer time used for compression process.
In NT 4.0 sp6 engines works only with compression (specified in RtlDecompressBuffer are ignored).

#define COMPRESSION_ENGINE_STANDARD (0x0000)        // Standard compression
#define COMPRESSION_ENGINE_MAXIMUM  (0x0100)        // Maximum (slowest but better)
#define COMPRESSION_ENGINE_HIBER    (0x0200)        // STATUS_NOT_SUPPORTED

Unknown

Put 0x1000 here. Probably means page size.

pDestinationSize

Size of data after compression.

WorkspaceBuffer

See RtlGetCompressionWorkSpaceSize for more information.

See also

Edit description on GitHub