Geoff Chappell - Software Analyst
The public symbol file NTKRPAMP.PDB for the original release of Windows 10 tells that the kernel is built with the NTMMAPI.H header at
and draws from it the type definitions that are tabulated below. The header NTMMAPI.H is not known in any Device Driver Kit (DDK) or Windows Driver Kit (WDK).
Though public symbols for the kernel show only one type as defined in NTMMAPI.H, many more show in symbol files for other modules. Among these are user-mode DLLs that are very far removed from system programming, e.g., URLMON.DLL from Internet Explorer. Though the symbol files in question are in effect private symbol files, Microsoft has published them freely in downloadable packages of all the public symbol files for all of Windows, starting with Windows 8. If inclusion of these unusually detailed symbol files in these packages was at first an oversight, it has been left to stand for years, though not for all modules. For instance, it ceased for URLMON.DLL after the 1709 edition of Windows 10.
To anyone with a working knowledge of the documented structures and enumerations for user-mode interaction with the kernel, the types defined in this NTMMAPI.H header that Microsoft keeps very much to itself are an obvious treasure trove. This is especially remarkable in the context of Microsoft’s settlement of an anti-trust suit among whose allegations was that Microsoft’s products such as Internet Explorer had access to Microsoft’s operating system, a monopoly product, which Microsoft did not provide to these products’ competitors. For the record, then, here are the very many types that Microsoft’s freely published URLMON.PDB reveals were accessible to the source code for URLMON.DLL from including the unpublished NTMMAPI.H when building for the original release of 32-bit Windows 10:
| 93 | unnamed struct Invalid in anonymous union in |
| 121 | unnamed union u1 in |
| 230 | unnamed union u1 in |
| 237 | unnamed union u2 in |
| 238 | unnamed struct e1 in unnamed union u2 in |
| 242 | unnamed struct e2 in unnamed union u2 in |
| 260 | unnamed struct e1 in |
| 263 | unnamed struct e2 in |
This looks to be a complete reckoning of named classes, enumerations, structures and unions that are defined in the unseen NTMMAPI.H. A contemporaneous statically linked library named CLFSMGMT.LIB has its type information from creating a pre-compiled header, such that it almost certainly is complete for its inclusions from NTMMAPI.H, and yet it adds only anonymous structures and unions that are nested within the types listed above.