Geoff Chappell, Software Analyst
The public symbol file NTKRPAMP.PDB for the original release of Windows 10 tells that the kernel is built with the CPER.H header at
and draws from it the type definitions that are tabulated below.
Nowadays, CPER.H is among the headers in the Software Development Kit (SDK) for Windows 10. It is there in the “um” subdirectory with many other headers that are intended only for user-mode programming. It dates from Windows 7, again in the SDK. CPER.H seems never to have been supplied with a Windows Driver Kit (WDK) except in bundles with the SDK. All its significant content is anyway duplicated in NTDDK.H and in NTOSP.H, but no sign is known of how this happens. NTDDK.H is, of course, a standard header for kernel-mode programming, but the kernel’s own source code does not include it. The kernel apparently includes CPER.H by including WHEADEF.H.
In the table, the line numbers on the left are from CPER.H, both as known from the symbol file and from the header as supplied with the SDK for the original release of Windows 10. The line numbers on the right are from the NTDDK.H and NTOSP.H in the contemporaneous WDK.
For the record, lines 41 to 1384 inclusive of the 1391-line WHEADEF.H are duplicated as lines 14595 to 15938 of NTDDK.H and 49512 to 50855 of NTOSP.H. In both these standard headers, the definitions they share with CPER.H immediately follow those from WHEADEF.H. The difference apparently doesn’t matter, but when building the kernel the CPER.H definitions come first.