apimon.exe -g ktpass.exe: why api time and time callees is Negative?

apimon.exe -g whoami.exe:whoami.exe only load one module:ntdll.dll,but cmd /ntsd whoami.exe:there are 6 modules:ModLoad: 01000000 0100b000 whoami.exeModLoad: 7c920000 7c9b6000 ntdll.dllModLoad: 7c800000 7c91e000 C:\WINDOWS\system32\kernel32.dllModLoad: 77da0000 77e49000 C:\WINDOWS\system32\ADVAPI32.dllModLoad: 77e50000 77ee2000 C:\WINDOWS\system32\RPCRT4.dllModLoad: 77fc0000 77fd1000 C:\WINDOWS\system32\Secur32.dll

Hi there,whoami.exe calls ntdll.dll and uses the functions exposed by ntdll.dll probably dll hooking , it is difficult to interpret the internal implementation of the applicaitons.

thank you very much!hook is very hard obiects....