NTPSAPI_X.H

The public symbol file NTKRPAMP.PDB for the original release of Windows 10 tells that the kernel is built with the NTPSAPI_X.H header at

d:\th.public.fre\internal\sdk\inc

and draws from it the following type definitions:

Line Number Type Remarks
42 struct _PEB_LDR_DATA  
83 struct _GDI_TEB_BATCH  
114 struct _CLIENT_ID64  
230 struct _CLIENT_ID line 7360 in WDM.H
259 struct _EXCEPTION_REGISTRATION_RECORD line 4274 in NTDDK.H
266 struct _NT_TIB line 4281 in NTDDK.H
287 struct _NT_TIB32 line 4302 in NTDDK.H
306 struct _NT_TIB64 line 4321 in NTDDK.H
855 enum _HARDWARE_COUNTER_TYPE line 4713 in NTDDK.H
1382 enum JOB_OBJECT_NET_RATE_CONTROL_FLAGS  
1605 enum _JOBOBJECTINFOCLASS  

The header NTPSAPI_X.H is not known in any Device Driver Kit (DDK) or Windows Driver Kit (WDK).

Although the focus for these pages is on the headers that are known to be included by source code for the kernel, and for this page on the construction of standard kernel-mode headers such as WDM.H and NTDDK.H from apparently more fundamental headers such as this one, it is perhaps as well to note that this construction extends also to the standard user-mode inclusion, WINNT.H. Several of these definitions from NTPSAPI_X.H find their way into WINNT.H.

See also that the forensic method of studying the kernel’s symbol file to learn of header inclusions tells for any one type only which one header the kernel got the definition from, not which of the kernel’s headers define the type. An example is _CLIENT_ID64, which is also defined in WOW64T.H at line 393. The definition in WOW64T expects that _CLIENT_ID64 may be defined already. As far as concerns whatever sequence of inclusions got recorded in the symbol file, the bet must be that NTPSAPI_X.H got included first.

For the record, here are the types that Microsoft’s freely published URLMON.PDB reveals were accessible to the source code for URLMON.DLL from including NTPSAPI_X.H when building for the original release of 32-bit Windows 10:

Line Number Type
42 struct _PEB_LDR_DATA
83 struct _GDI_TEB_BATCH
94 struct _Wx86ThreadState
114 struct _CLIENT_ID64
230 struct _CLIENT_ID
259 struct _EXCEPTION_REGISTRATION_RECORD
266 struct _NT_TIB
336 enum _PROCESSINFOCLASS
422 enum _THREADINFOCLASS
491 enum _THREAD_UMS_INFORMATION_COMMAND
498 struct _THREAD_UMS_INFORMATION
578 enum _MEMORY_EXTENSION_TYPE
586 struct _MEMORY_EXHAUSTION_INFORMATION
593 struct _PROCESS_JOB_MEMORY_INFO
612 struct _PAGE_PRIORITY_INFORMATION
620 struct _PROCESS_WS_WATCH_INFORMATION
630 struct _PROCESS_BASIC_INFORMATION
639 struct _PROCESS_EXTENDED_BASIC_INFORMATION
673 struct _PROCESS_DEVICEMAP_INFORMATION
675 unnamed struct for Set in _PROCESS_DEVICEMAP_INFORMATION
678 unnamed struct for Query in _PROCESS_DEVICEMAP_INFORMATION
685 struct _PROCESS_DEVICEMAP_INFORMATION_EX
686 unnamed struct for Set in _PROCESS_DEVICEMAP_INFORMATION_EX
690 unnamed struct for Query in _PROCESS_DEVICEMAP_INFORMATION_EX
708 struct _PROCESS_SESSION_INFORMATION
712 struct _PROCESS_HANDLE_TRACING_ENABLE
716 struct _PROCESS_HANDLE_TRACING_ENABLE_EX
728 struct _PROCESS_HANDLE_TRACING_ENTRY
735 struct _PROCESS_HANDLE_TRACING_QUERY
813 struct _VM_COUNTERS
828 struct _VM_COUNTERS_EX
845 struct _VM_COUNTERS_EX2
855 enum _HARDWARE_COUNTER_TYPE
964 struct _PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY
1003 struct _PROCESS_KEEPALIVE_COUNT_INFORMATION
1012 struct _PROCESS_REVOKE_FILE_HANDLES_INFORMATION
1021 struct _POOLED_USAGE_AND_LIMITS
1041 struct _PROCESS_ACCESS_TOKEN
1072 struct _PROCESS_EXCEPTION_PORT
1095 struct _KERNEL_USER_TIMES
1182 struct _JOBOBJECT_EXTENDED_LIMIT_INFORMATION
1197 struct _JOBOBJECT_EXTENDED_LIMIT_INFORMATION_V2
1269 struct _JOBOBJECT_NOTIFICATION_LIMIT_INFORMATION
1313 struct _JOBOBJECT_LIMIT_VIOLATION_INFORMATION
1382 enum JOB_OBJECT_NET_RATE_CONTROL_FLAGS
1419 enum JOB_OBJECT_IO_RATE_CONTROL_FLAGS
1605 enum _JOBOBJECTINFOCLASS

The two structures _NT_TIB32 and _NT_TIB64 and the enumeration _HARDWARE_COUNTER_TYPE will have been accessible too, of course, but the symbol file shows that URLMON.DLL got these unremarkably: from WINNT.H, as might any other user-mode DLL.