Geoff Chappell - Software Analyst
The public symbol file NTKRPAMP.PDB for the original release of Windows 10 tells that the kernel is built with the NTRTL_X.H header at
and draws from it the type definitions that are shown in the table below.
The header NTRTL_X.H is not known in any Device Driver Kit (DDK) or Windows Driver Kit (WDK), but all the types that the kernel is known to pick up from NTRTL_X.H are defined in at least one of the standard headers that are included by the source code for almost all kernel-mode projects (even the HAL).
Clues have abounded since version 3.10 that these standard headers are constructed from others. If NTRTL_X.H is among these others, then it is the first that is known to contribute to NTOSP.H. As far as can be seen from consistency in line numbering, the lines in NTDDK.H are extracted intact.
For the record, here are the many more types that Microsoft’s freely published URLMON.PDB reveals were accessible to the source code for URLMON.DLL from including this same NTRTL_X.H when building Internet Explorer for the original release of 32-bit Windows 10:
| 348 | unnamed struct for DUMMYRESERVEDSTRUCTNAME in unnamed union in struct _RTL_BARRIER |
URLMON knows the _RTL_BARRIER structure from including WINNT.H, but what it gets from this is only a reduced definition. The _RTL_BARRIER in NTRTL_X.H has this same reduced definition nested two levels within as a member named DUMMYRESERVEDSTRUCTNAME. WINNT.H retains nothing of the nesting except for its (otherwise excessive) indentation.
The _RTL_RUN_ONCE_INTERNAL at line 257 is named _RTL_RUN_ONCE in other symbol files. It too has a reduced definition in WINNT.H. URLMON has both definitions, the one in NTRTL_X.H apparently being renamed by macro to avoid confusion. Further study may be worthwhile.