by caf 3660 days ago
Since NT syscalls follow the x64 calling convention, the kernel does not need to save off volatile registers since that was handled by the compiler emitting instructions before the syscall to save off any volatile registers that needed to be preserved.

Say what? The NT kernel doesn't restore caller-saved registers at syscall exit? This seems extraordinary, because unless it either restores them or zaps them then it will be in danger of leaking internal kernel values to userspace - and if it zaps them then it might as well save and restore them, so userspace won't need to.

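To make the "restore or zap" point above concrete, here is an added C model of the two syscall-exit strategies being contrasted. It is not code from this thread and not NT code: the volatile/non-volatile register split follows the Windows x64 calling convention, while the trap frame, the values the simulated "kernel" leaves in registers, and the kernel-half address test used by the leak check are constructed assumptions for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* General-purpose x64 registers, indexed for the model below. */
enum reg { RAX, RCX, RDX, RBX, RSP, RBP, RSI, RDI,
           R8, R9, R10, R11, R12, R13, R14, R15, NREGS };

static const char *reg_name[NREGS] = {
    "rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
    "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15" };

/* Volatile (caller-saved) under the Windows x64 calling convention:
 * rax, rcx, rdx, r8, r9, r10, r11. Everything else is callee-saved. */
static bool is_volatile(enum reg r)
{
    return r == RAX || r == RCX || r == RDX ||
           r == R8 || r == R9 || r == R10 || r == R11;
}

typedef struct { uint64_t r[NREGS]; } regs_t;

/* Constructed rule for this model: a value in the kernel half of the
 * canonical address space counts as "kernel-internal" for the leak check. */
#define KERNEL_HALF 0xFFFF800000000000ULL

static bool looks_like_kernel_value(uint64_t v)
{
    return (v & KERNEL_HALF) == KERNEL_HALF;
}

/* Simulated syscall body: the kernel may use every register except rsp while
 * it runs, so leave a distinct hypothetical kernel pointer in each one and put
 * the status code in rax. */
static regs_t run_syscall(const regs_t *trap_frame, uint64_t status)
{
    regs_t k = *trap_frame;
    for (int i = 0; i < NREGS; i++)
        if (i != RSP)
            k.r[i] = KERNEL_HALF | (0x1000ULL * (uint64_t)(i + 1));
    k.r[RAX] = status;
    return k;
}

/* Strategy A: restore only the non-volatile registers from the trap frame and
 * rely on the caller having saved any volatile register it cared about. The
 * caller is fine, but whatever the kernel left in the volatile registers is
 * now visible to user mode. */
static regs_t exit_restore_nonvolatile_only(const regs_t *trap_frame,
                                            const regs_t *kernel_state)
{
    regs_t u = *kernel_state;
    for (int i = 0; i < NREGS; i++)
        if (!is_volatile((enum reg)i))
            u.r[i] = trap_frame->r[i];
    return u;
}

/* Strategy B: as A, but also zero every volatile register except rax (the
 * return value), so no kernel-internal value can escape. */
static regs_t exit_zap_volatile(const regs_t *trap_frame, const regs_t *kernel_state)
{
    regs_t u = exit_restore_nonvolatile_only(trap_frame, kernel_state);
    for (int i = 0; i < NREGS; i++)
        if (is_volatile((enum reg)i) && i != RAX)
            u.r[i] = 0;
    return u;
}

/* Leak check: how many registers carry a kernel-looking value back to user
 * mode. Each offender is printed so the output reads as a report. */
static int count_leaked_registers(const regs_t *user_visible)
{
    int leaked = 0;
    for (int i = 0; i < NREGS; i++) {
        if (looks_like_kernel_value(user_visible->r[i])) {
            printf("  %-4s = 0x%016llx  <- kernel value reaches user mode\n",
                   reg_name[i], (unsigned long long)user_visible->r[i]);
            leaked++;
        }
    }
    return leaked;
}

/* Constructed user-mode register state at the syscall instruction. */
static regs_t sample_user_frame(void)
{
    regs_t f;
    for (int i = 0; i < NREGS; i++)
        f.r[i] = 0x10ULL * (uint64_t)(i + 1);   /* small, clearly user-looking values */
    f.r[RSP] = 0x7FFF0000ULL;
    return f;
}

int main(void)
{
    regs_t frame = sample_user_frame();
    regs_t kstate = run_syscall(&frame, 0);      /* 0 stands in for STATUS_SUCCESS */

    puts("strategy A (restore non-volatile only):");
    regs_t a = exit_restore_nonvolatile_only(&frame, &kstate);
    printf("  leaked registers: %d\n", count_leaked_registers(&a));

    puts("strategy B (restore non-volatile, zero volatile):");
    regs_t b = exit_zap_volatile(&frame, &kstate);
    printf("  leaked registers: %d\n", count_leaked_registers(&b));
    return 0;
}
```

Strategy A reports six leaking registers (rcx, rdx, r8, r9, r10, r11; rax holds the status), strategy B reports none, and both leave the callee-saved registers equal to what the user frame held. The model also makes the comment's second observation visible: once the kernel zeroes the volatile registers anyway, the cost of restoring them instead is the same handful of stores, which is why "zap" and "save and restore" end up equivalent from the kernel's side.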

I think that's referring to the prolog/epilog convention and "homing" of parameter registers, e.g.

    Frame struct
        ReturnAddress dq ?
        HomeRcx dq ?
        HomeRdx dq ?
        HomeR8 dq ?
        HomeR9 dq ?
    Frame ends

    NESTED_ENTRY Foo, _TEXT$00

    mov Frame.HomeRcx[rsp], rcx
    mov Frame.HomeRdx[rsp], rdx
    mov Frame.HomeR8[rsp], r8
    mov Frame.HomeR9[rsp], r9

    alloc_stack 64

    END_PROLOG
    
    ; *do stuff*

    BEGIN_EPILOG

    add rsp, 64

    NESTED_END Foo, _TEXT$00
https://msdn.microsoft.com/en-us/library/tawsa7cb.aspx