Geoff Chappell - Software Analyst
The public symbol files NTKRPAMP.PDB and NTKRNLMP.PDB for the original release of Windows 10 tell that the kernel is built with the NTKEAPI_X.H header at
and draws from it the type definitions that are tabulated below.
No header named NTKEAPI_X.H is known in any Device Driver Kit (DDK) or Windows Driver Kit (WDK), but all ten types that the kernel is known to pick up from NTKEAPI_X.H are also defined in WDM.H, i.e., the standard header for kernel-mode programming. Five are also defined in WINNT.H, which is the standard header for user-mode programming.
Line numbers in the left column are from the unseen NTKEAPI_X.H for the original Windows 10. They are known from the kernel’s public symbols, except that two in parentheses are from other symbol files in the downloadable package of public symbols. Line numbers on the right are from the indicated headers which are readily available in the WDK and Software Development Kit (SDK), again for the original Windows 10.
It is not known whether NTKEAPI_X.H is the source of definitions in WDM.H and WINNT.H or whether all pick them up from some other input, but the former inference is the simpler. Whatever the means of construction, WDM.H occasionally loses lines:
What’s lost, let alone whether it matters, is not easily assessed without an NTKEAPI_X.H to inspect. Still, of perhaps fewer than four hundred lines in the unseen NTKEAPI_X.H, more than two hundred are published in the other headers. For the two structures that do not show in these headers, usable C-language definitions can be built from the type information in symbol files, but better still, old definitions by Microsoft (with surprisingly extensive commenting) were published in the WDM.H and WINNT.H from the WDK for Windows 7, and plausibly have not changed since. From these old headers it might also be inferred that most of what’s missing between KLOCK_QUEUE_HANDLE and KPROFILE_SOURCE is a type definition of KINTERRUPT_ROUTINE. A workable reconstruction of NTKEAPI_X.H from public inputs could be made with good confidence.
The table above is thought to be complete as a list of the classes, enumerations and structures that are defined in the unseen NTKEAPI_X.H. The supporting evidence is not from public symbols but from a statically linked library named CLFSMGMT.LIB which Microsoft publishes with the Software Development Kit (SDK) for Windows 10. Among its archived object files is a by-product of creating a pre-compiled header. Its type information is therefore not confined to the types that counted as used when a source file was compiled for merging type information into public symbols, nor even to the types that counted as used for private symbols when compiling the source files that contribute to a binary. The point of a pre-compiled header is to cover all the types that might get used in any number of compilations yet to be done. The library shows all the types that are tabulated above and no others.
For the record, one of the symbol files that have type information for the two structures that do not show in any published header is URLMON.PDB. Starting with Windows 8, the URLMON.PDB in the downloadable packages of public symbols is a private symbol file. The corresponding binary is URLMON.DLL from Internet Explorer: it was first presented as a component of Internet Explorer and its version numbering still follows that of Internet Explorer. The disclosure may have been an oversight (it was corrected for the 1803 release of Windows 10), but among its side-effects is proof that, if only during this period after Microsoft’s settlement of an anti-trust suit, source code for this component of Internet Explorer had the use of this header, NTKEAPI_X.H, which Microsoft does not publish even for kernel-mode programming outside Microsoft, let alone for the programming of a competing web browser.