Subject
windows-sys 0.48.0 is Microsoft's official machine-generated raw FFI binding crate for the Windows API, published under the windows-rs project. It exposes approximately 16,800 extern "system" function declarations, ~2,559 function-pointer type aliases, and large numbers of constants and structs covering Win32, WDK, and WinRT surface areas. The crate is #![no_std] and ships no runtime logic beyond a small core module containing string-literal macros (s!, w!) and their compile-time UTF-8/UTF-16 helpers. Linking is delegated entirely to the companion crate windows-targets via the windows_targets::link! macro.
Methodology
The workspace was initialized by openvet and the VCS repository checked out at commit 406944152ef28d3273236edc958c2bfbf825775d, which matches the SHA1 recorded in contents/.cargo_vcs_info.json. All source files were compared between contents/ and vcs/ using diff -rq. The contents/src/ tree (281 .rs files) was surveyed with ripgrep for unsafe blocks, FFI declarations, network/filesystem/process/environment API usage, and test scaffolding. The following modules were read in full: src/lib.rs, src/core/mod.rs, src/core/literals.rs, src/Windows/mod.rs. The following modules were sampled (first 30-50 lines): Win32/Foundation, Win32/System/Threading, Win32/Security/Cryptography, Win32/Networking/WinSock, Wdk/System. No build.rs is present. No test files were found in the published package.
This is a scoped audit. Due to the volume of extern "system" declarations (16,800+) and function-pointer type aliases that carry unsafe extern "system" in their type signatures, the following claims were not evaluated and are left unasserted; they must not be read as either satisfied or violated: unsafe-safe, unsafe-documented, unsafe-minimal, unsafe-tested. The crate body itself contains no unsafe { } blocks; all unsafe tokens appear in the type signatures of function-pointer aliases, which the crate does not call. The uses-unsafe claim is therefore false for this crate's own code. Full evaluation of every individual extern declaration's ABI correctness against the Windows SDK headers is infeasible at this scale and is out of scope.
Results
The diff -rq comparison shows that contents/src/ and contents/license-* are byte-identical to the VCS checkout at the pinned commit. The only differences between contents/ and vcs/ are: Cargo.toml (cargo normalization, as expected) and readme.md (present only in the published package, absent from the crate subdirectory in the repo, where the readme path points to a shared docs location). No source divergence was found.
No binary files are present, justifying has-binaries. No build.rs exists, so cargo executes no build script, justifying has-build-exec. There is no install hook, justifying has-install-exec. No test files (#[test], tests/, fuzz/) were found in the published package, justifying has-unit-tests, has-integration-tests, has-fuzz-tests, and has-property-tests; tests live in the upstream workspace and are not published with this crate.
The crate body executes no code at compile time beyond the windows_targets::link! macro expansion, which produces extern "system" declarations. No calls to std::net, std::fs, std::process, or std::env appear anywhere, justifying uses-network, uses-filesystem, uses-exec, and uses-environment. Ripgrep found zero unsafe { } blocks; the 2,559 unsafe hits are all in function-pointer type aliases, not in crate-owned unsafe code, justifying uses-unsafe. No thread::spawn, Mutex, Arc, or async runtime usage exists, justifying uses-concurrency. No cryptographic library is imported or called by this crate's own code, justifying uses-crypto.
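The distinction the audit relies on, unsafe { } blocks versus unsafe tokens that only appear in function-pointer type signatures, can be checked mechanically. The following is an added example, not part of the audit tooling or of windows-sys; it uses Python's re module in place of ripgrep, and the sample declarations and their names (PFN_EXAMPLE, PFN_EXAMPLE_CB, helper) are constructed.

```python
import re
from collections import Counter
from pathlib import Path

# Collapse string literals to "S" and comments to a space so text inside either
# is never counted. Raw strings, char literals and nested block comments are
# not handled: this is audit triage, not a Rust parser.
_MASK = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.DOTALL)
_ABI = r'(?:extern\s+(?:"S"\s+)?)?'  # optional `extern "abi"` after masking

# Tried in order against the text that follows each `unsafe` keyword.
_KINDS = [
    ("block", re.compile(r'\s*\{')),                               # unsafe { ... }
    ("fn_pointer_type", re.compile(r'\s+' + _ABI + r'fn\s*\(')),   # unnamed: a type
    ("fn_item", re.compile(r'\s+' + _ABI + r'fn\s+\w')),           # named: a function
    ("impl_or_trait", re.compile(r'\s+(?:impl|trait)\b')),
]

def classify_unsafe(source: str) -> Counter:
    """Count `unsafe` keywords in Rust source text by syntactic role."""
    masked = _MASK.sub(lambda m: '"S"' if m.group().startswith('"') else ' ', source)
    counts = Counter()
    for hit in re.finditer(r'\bunsafe\b', masked):
        kind = next((k for k, pat in _KINDS if pat.match(masked, hit.end())), "other")
        counts[kind] += 1
    return counts

def audit_tree(root) -> Counter:
    """Sum classify_unsafe over every .rs file below root."""
    total = Counter()
    for path in sorted(Path(root).rglob("*.rs")):
        total += classify_unsafe(path.read_text(encoding="utf-8", errors="replace"))
    return total

# Constructed sample with hypothetical names; not copied from the crate.
SAMPLE = r'''
pub type PFN_EXAMPLE = Option<unsafe extern "system" fn() -> isize>;
pub type PFN_EXAMPLE_CB = Option<unsafe extern "system" fn(ctx: *mut u8) -> u32>;
// unsafe { inside a comment: must not count }
pub const NOTE: &str = "unsafe { inside a string: must not count }";
pub unsafe fn helper(p: *const u8) -> u8 { unsafe { *p } }
'''

if __name__ == "__main__":
    print(SAMPLE.count("unsafe"), "raw hits ->", dict(classify_unsafe(SAMPLE)))
```

For a crate consistent with the audit's statement, audit_tree("contents/src") would report only fn_pointer_type entries; any block, fn_item or other count is what a reviewer would then read by hand.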
The crate declares no algorithms, data structures, parsers, protocols, interpreters, JIT compilers, or cryptographic implementations of its own, justifying impl-crypto, impl-parser, impl-interpreter, impl-jit, impl-protocol, impl-datastructure, impl-algorithm, and impl-concurrency.
No obfuscated code, base64 payloads, suspicious network endpoints, or timing-dependent behavior was found. The crate matches its stated purpose as a thin, machine-generated API surface, justifying is-benign.
Conclusion
windows-sys 0.48.0 is a large, purely declarative crate. The published source is byte-identical to the VCS at the pinned commit. The crate body contains no unsafe blocks, no I/O, no build-time execution, and no tests in the published artifact. Its sole dependency is windows-targets, which ships the import libraries needed to link Windows DLLs. No findings were raised.