In user mode, the Nt and Zw API groups are identical. In kernel mode, they are different. The Nt API contains the actual implementation. The Zw API uses the system call mechanism and ensures that it is called in kernel mode, and there is no need to check the parameters if they contain user mode addresses. Otherwise, you could use the user mode API with kernel parameters, which would not be good. So this is just a security mechanism.
Chris
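The difference described in the answer above, as an added user-space model in C (not part of the original post and not Windows source). The `model_*` and `driver_*` functions, the address limit and the sample addresses are assumptions made for the illustration; the model reduces the kernel's per-thread "previous mode" to one variable.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model: every name below is hypothetical, values are constructed. */
typedef enum { KernelMode, UserMode } MODE;
typedef uint32_t STATUS;
#define STATUS_SUCCESS          0u
#define STATUS_ACCESS_VIOLATION 0xC0000005u
#define MODEL_USER_LIMIT   0x0000800000000000ULL /* at or above: kernel space */
#define SAMPLE_USER_ADDR   0x000000007FFE0000ULL /* constructed sample */
#define SAMPLE_KERNEL_ADDR 0xFFFFF80000001000ULL /* constructed sample */

static MODE previous_mode = UserMode; /* per-thread state in a real kernel */

/* Nt*: the actual implementation. It validates pointer parameters only
 * when the caller is recorded as user mode. */
STATUS model_NtService(uint64_t buffer_addr)
{
    if (previous_mode == UserMode && buffer_addr >= MODEL_USER_LIMIT)
        return STATUS_ACCESS_VIOLATION; /* user caller passed a kernel address */
    return STATUS_SUCCESS;              /* the real work would happen here */
}

/* Zw*: enters through the system call path, which records the caller as
 * kernel mode, then reaches the same Nt* code with the checks skipped. */
STATUS model_ZwService(uint64_t buffer_addr)
{
    MODE saved = previous_mode;
    previous_mode = KernelMode;
    STATUS status = model_NtService(buffer_addr);
    previous_mode = saved;
    return status;
}

/* A driver running in the context of a thread that came from user mode. */
STATUS driver_calls_nt(uint64_t addr) { previous_mode = UserMode; return model_NtService(addr); }
STATUS driver_calls_zw(uint64_t addr) { previous_mode = UserMode; return model_ZwService(addr); }

int main(void)
{
    printf("Nt, kernel buffer: %08x\n", (unsigned)driver_calls_nt(SAMPLE_KERNEL_ADDR));
    printf("Zw, kernel buffer: %08x\n", (unsigned)driver_calls_zw(SAMPLE_KERNEL_ADDR));
    printf("Nt, user buffer:   %08x\n", (unsigned)driver_calls_nt(SAMPLE_USER_ADDR));
    return 0;
}
```

Because the Zw path skips the parameter checks, a driver that forwards a pointer received from user mode to a Zw routine has to validate that pointer itself first.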