You're not kidding, the Windows API has functions that almost seem designed for malicious use, such as SetWindowsHook, which by default is capable of injecting a new callback procedure into every single process running on the system. However, this is probably just my perception; this function has legitimate uses.
Microsoft are their own worst enemy, I think.
One thing that a younger generation may not remember or even know about is that Microsoft was forced to hand over their entire API, along with source code, because they were called on it. Initially they kept those API calls secret, but eventually the anti-virus companies (who use API hooks for proactive reasons) took them to court and it was forced to be made public. Er, well, someone took them to court and then the APIs went public. Either way, you can read it for yourself:
Court order disclosure of API