Geoff Chappell, Software Analyst
The public symbol file NTKRPAMP.PDB for the original release of Windows 10 tells that the kernel is built with the NTPSAPI_X.H header at
and draws from it the following type definitions:
| Line Number | Type | Notes |
|---|---|---|
| 230 | struct _CLIENT_ID | line 7360 in WDM.H |
| 259 | struct _EXCEPTION_REGISTRATION_RECORD | line 4274 in NTDDK.H |
| 266 | struct _NT_TIB | line 4281 in NTDDK.H |
| 287 | struct _NT_TIB32 | line 4302 in NTDDK.H |
| 306 | struct _NT_TIB64 | line 4321 in NTDDK.H |
| 855 | enum _HARDWARE_COUNTER_TYPE | line 4713 in NTDDK.H |
The header NTPSAPI_X.H is not known in any Device Driver Kit (DDK) or Windows Driver Kit (WDK).
Although the focus for these pages is on the headers that are known to be included by source code for the kernel, and for this page on the construction of standard kernel-mode headers such as WDM.H and NTDDK.H from apparently more fundamental headers such as this one, it is perhaps as well to note that this construction extends also to the standard user-mode inclusion, WINNT.H. Several of these definitions from NTPSAPI_X.H find their way into WINNT.H.
See also that the forensic method of studying the kernel’s symbol file to learn of header inclusions tells for any one type only which one header the kernel got the definition from, not which of the kernel’s headers define the type. An example is _CLIENT_ID64, which is also defined in WOW64T.H at line 393. The definition in WOW64T.H expects that _CLIENT_ID64 may be defined already. As far as concerns whatever sequence of inclusions got recorded in the symbol file, the bet must be that NTPSAPI_X.H got included first.
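The line numbers in the first table above can be checked against the idea that NTDDK.H is constructed from NTPSAPI_X.H. The following is an added example, not code from the original page: it assumes the table's first column is each definition's line in NTPSAPI_X.H, and it reads a constant line offset across consecutive types as text carried over line for line.

```python
import re
from itertools import groupby

# Rows copied from the first table on this page:
# line in NTPSAPI_X.H (assumed meaning of column 1) | type | published location
ROWS = """\
230|struct _CLIENT_ID|line 7360 in WDM.H
259|struct _EXCEPTION_REGISTRATION_RECORD|line 4274 in NTDDK.H
266|struct _NT_TIB|line 4281 in NTDDK.H
287|struct _NT_TIB32|line 4302 in NTDDK.H
306|struct _NT_TIB64|line 4321 in NTDDK.H
855|enum _HARDWARE_COUNTER_TYPE|line 4713 in NTDDK.H
"""

ROW_RE = re.compile(r"^(\d+)\|(.+?)\|line (\d+) in (\S+)$")


def parse_rows(text):
    """Return (private_line, type_name, public_line, public_header) tuples."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), int(m.group(3)), m.group(4)))
    return rows


def contiguous_blocks(rows):
    """Group rows into runs sharing a published header and a constant offset.

    offset = published line - NTPSAPI_X.H line. While the offset stays the
    same from one type to the next, nothing was added or dropped between them.
    """
    rows = sorted(rows)  # order by line in NTPSAPI_X.H
    key = lambda r: (r[3], r[2] - r[0])
    return [
        {"header": hdr, "offset": off, "types": [r[1] for r in grp]}
        for (hdr, off), grp in groupby(rows, key=key)
    ]


if __name__ == "__main__":
    for block in contiguous_blocks(parse_rows(ROWS)):
        print(block["header"], block["offset"], block["types"])
```

The four types from _EXCEPTION_REGISTRATION_RECORD to _NT_TIB64 share one offset into NTDDK.H, while _HARDWARE_COUNTER_TYPE has a smaller one, which on this reading means some lines of NTPSAPI_X.H between lines 306 and 855 do not reach NTDDK.H.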
For the record, here are the types that Microsoft’s freely published URLMON.PDB reveals were accessible to the source code for URLMON.DLL from including NTPSAPI_X.H when building for the original release of 32-bit Windows 10:
| Line Number | Type |
|---|---|
| 675 | unnamed struct for Set in _PROCESS_DEVICEMAP_INFORMATION |
| 678 | unnamed struct for Query in _PROCESS_DEVICEMAP_INFORMATION |
| 686 | unnamed struct for Set in _PROCESS_DEVICEMAP_INFORMATION_EX |
| 690 | unnamed struct for Query in _PROCESS_DEVICEMAP_INFORMATION_EX |
The two structures _NT_TIB32 and _NT_TIB64 and the enumeration _HARDWARE_COUNTER_TYPE will have been accessible too, of course, but the symbol file shows that URLMON.DLL got these unremarkably: from WINNT.H, as might any other user-mode DLL.