Geoff Chappell - Software Analyst
The public symbol file NTKRPAMP.PDB for the original release of Windows 10 tells that the kernel is built with the ARC.H header at
and draws from it the following type definitions:
The header ARC.H is published in the “minwin” directory of the Windows Driver Kit (WDK) for Windows 10 in the original and Version 1511 editions. This was a significant new disclosure. The header as published defines many more structures, but the public symbol files for the kernel in the same versions do not have type information for these.
Indeed, many types that are defined in ARC.H had never or only rarely appeared in any public symbol files for any version. Starting with the 1803 release of Windows 10, however, the public symbol files for the kernel show very many more types as defined in ARC.H. That these many types that were for so long relatively unknown to programmers outside Microsoft are known to the kernel through this one header is surely worth cataloguing.
In the next table, the line numbers in the left column are for the unseen ARC.H for Windows 10 Version 1803, as known from the public symbol files for the kernel in this version, and the line numbers to the right are from the published header for the original Windows 10 release. Line numbers in parentheses are explained after the table.
(Table: one row per type defined in ARC.H, with the line number in the unseen ARC.H for Version 1803 on the left, the type in the middle, and the line number in the published ARC.H for the original Windows 10 on the right. The type names and the right-hand line numbers did not survive extraction; what remains of the rows is:)
(76) anonymous union in …
(78) anonymous struct in anonymous union in …
(378) anonymous struct in …
(478) anonymous struct in …
536 unnamed union Basic in …
537 unnamed struct Component in unnamed union Basic in …
(697) anonymous struct in …
(920) anonymous union in …
(922) anonymous struct in anonymous union in …
(933) anonymous union in …
(935) anonymous struct in anonymous union in …
(1193) anonymous struct in …
1237 unnamed union u in …
1326 unnamed union u in …
As only to be expected, the header has grown in the years since its (accidental) disclosure and so the unseen ARC.H for Version 1803 has types that are not in the published ARC.H for the original Windows 10. For these, there is no line number to show on the right.
The explanation is a little more complicated for why the two enumerations BOOT_ENTROPY_SOURCE_RESULT_CODE and BOOT_ENTROPY_SOURCE_ID have no line number on the left. Their definitions can be seen in the accidentally published ARC.H for the original Windows 10. A comment there warns Microsoft’s programmers that
//
// Entropy result codes and source IDs
// for Boot entropy sources are defined both in arc.h and
// ntexapi.h. These two copies must be kept identical.
//
The public symbols for the Version 1803 kernel place these enumerations’ definitions in ntexapi.h and thus do not give line numbers of the definitions in ARC.H or even tell anything of whether the definitions remain in ARC.H (though the very nearly matching gap in line numbers suggests a high likelihood that the definitions are still in both headers).
For why some line numbers for Version 1803 are in parentheses, remember that the public symbols for the kernel in the original Windows 10 have only a few of the types that show in the (accidentally) published ARC.H for that version. Although very many more types show in the public symbols for the Version 1803 kernel, they still are not a complete reckoning of types that are defined in the Version 1803 ARC.H. Alert readers will note that the previous sentence is a stronger statement than can be supported just from the public symbols. From these, the strongest deduction is that the public symbols for the Version 1803 kernel do not have all the types that are known from the published ARC.H for two earlier releases of Windows 10. It turns out, however, that there is another source of information about types defined in ARC.H and this not only extends to Version 1803 (indeed, to Version 1903) but is credibly complete.
This other source also is type information such as shows in symbol files. What’s different is that it’s in a statically linked library. That this library, named CLFSMGMT.LIB and distributed in the Software Development Kit (SDK) as if for user-mode programming, credibly has all the types that are defined in the kernel-mode ARC.H is because this library archives an object file that resulted from creating a pre-compiled header. Its type information is therefore not for types that the compiler regarded as used, e.g., in source code for the other object files in the library, but for types that might have got used. A detraction to libraries, in terms of forensic quality, is that even when they are targeted to one version of the operating system they can be correct for their purpose even if built with headers that are not exactly what were used when building the operating system. It happens, however, that this library for Version 1803 was built on the same day as the Version 1803 kernel. For types that are common to the library and the public symbols, the line numbers match. The line numbers from the library are almost certainly correct even for types that are missing from the public symbols. These are the line numbers that are in parentheses.
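As an added illustration, not from the article, the following Python walks the members of a COFF .lib and reports the two things the paragraph leans on for each archived object: its TimeDateStamp (the build day) and whether it carries a .debug$T section of CodeView type records, which is what an object produced from a precompiled header contributes. The library it inspects is constructed inside the script; it is not CLFSMGMT.LIB, and the member names and date are made up.

```python
import struct
from datetime import datetime, timezone

AR_MAGIC = b"!<arch>\n"
COFF_MACHINES = {0x014C, 0x8664, 0x01C4, 0xAA64}   # x86, x64, ARMNT, ARM64

def ar_members(data):
    """Yield (name, body) for each member of a .lib (ar layout: 60-byte headers, 2-byte aligned)."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad member header at offset %d" % pos)
        size = int(hdr[48:58].decode("ascii"))
        yield hdr[:16].decode("ascii").rstrip().rstrip("/"), data[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)

def coff_summary(obj):
    """(build time, section names) of a COFF object; None for '/' linker members, '//' and import stubs."""
    if len(obj) < 20: return None
    machine, nsect, stamp = struct.unpack_from("<HHI", obj, 0)
    if machine not in COFF_MACHINES:
        return None
    names = [struct.unpack_from("<8s", obj, 20 + 40 * i)[0].rstrip(b"\0").decode() for i in range(nsect)]
    return datetime.fromtimestamp(stamp, timezone.utc), names

def survey_lib(data):
    """Per archived object: build day and whether it carries CodeView type records (.debug$T)."""
    rows = []
    for name, body in ar_members(data):
        summary = coff_summary(body)
        if summary is not None:
            built, sections = summary
            rows.append({"member": name, "built": built.strftime("%Y-%m-%d"), "has_types": ".debug$T" in sections})
    return rows

# Constructed sample (not a real CLFSMGMT.LIB): two x64 objects sharing one TimeDateStamp,
# one carrying .debug$T as an object produced from a precompiled header would.
def _coff(stamp, sections):
    hdr = struct.pack("<HHIIIHH", 0x8664, len(sections), stamp, 0, 0, 0, 0)
    return hdr + b"".join(struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), *([0] * 9)) for n in sections)
def _member(name, body):
    hdr = "%-16s%-12s%-6s%-6s%-8s%-10d" % (name, "0", "0", "0", "0", len(body))
    return hdr.encode("ascii") + b"`\n" + body + (b"\n" if len(body) & 1 else b"")
SAMPLE_LIB = (AR_MAGIC
              + _member("pch.obj/", _coff(1522454400, [b".debug$S", b".debug$T"]))
              + _member("util.obj/", _coff(1522454400, [b".text", b".data"])))
```

Run against a real library, the members whose build day matches the kernel's and whose sections include .debug$T are the ones whose type records are worth extracting.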
Some, even many, of these line numbers in parentheses are for anonymous structures and unions which do or don’t get their own records depending on whether the header was compiled as C++ or C. A good handful, however, are thought never to have been revealed in public symbols and might never have been known from freely published materials except for the accidental disclosure of ARC.H for two Windows releases. The last of them, NT_IMAGE_INFO, has been added since and is not known to Google at all today, 9th December 2022.
There is one more complication: the ARC.H that is compiled for the kernel’s public symbol files is not Microsoft’s only ARC.H. It may be a copy or extract for inclusion with a HAL development kit. It is not certainly the same ARC.H, if any, that is compiled when building the kernel itself. Where ARC.H is named in a handful of private symbol files that Microsoft has distributed with otherwise public symbols, a different location is given for it. For instance, in the downloadable package of public symbols for the original release of Windows 10, appxdeploymentclient.pdb names ARC.H in
which is indeed where the kernel gets many of its headers. More study is required.