Geoff Chappell - Software Analyst
The public symbol file NTKRPAMP.PDB for the original release of Windows 10 tells that the kernel is built with the PROCPOWR.H header at
and draws from it the type definitions that are tabulated below. The PROCPOWR.H header is not known in any Device Driver Kit (DDK) or Windows Driver Kit (WDK).
A few of these types that the kernel’s public symbol file picks up from PROCPOWR.H are defined in the NTOSP.H which Microsoft looks to have published by oversight with the original and Version 1511 editions of the Windows 10 WDK. Microsoft’s disclosure of NTOSP.H adds greatly to the types that can be deduced with high confidence as having their definitions in PROCPOWR.H. In the assembling of NTOSP.H from other headers, extraction of lines that are shared with PROCPOWR.H looks to begin at line 52248 (or perhaps 52249) and to end at line 53170.
This range of lines in NTOSP.H is conspicuously neat in its formatting. Extraction of other material from other headers to NTOSP.H and to the standard headers such as WDM.H and NTDDK.H frequently leaves disturbances in otherwise regular use of white space, but the only irregularity here is one instance of two consecutive blank lines (52304 and 52305). Even if this suggests that something of PROCPOWR.H is missing between NTOSP.H lines 52304 and 52305, the known line numbers are consistent with PROCPOWR.H having been copied intact: lines 87 to 952 of PROCPOWR.H can be reconstructed with very high confidence from lines 52305 to 53170 of NTOSP.H.
Still, although contiguity of duplication into NTOSP.H tells of more types in PROCPOWR.H than show in the kernel’s public symbols, the line numbers that are known from the symbols show that the published NTOSP.H reproduces no more than half of the unseen PROCPOWR.H. It would be a fair bet, if not a certainty, that the remainder of PROCPOWR.H also defines at least some types that don’t show in the kernel’s public symbols. There turn out to be only three more—well, that I have yet found—but you can’t know until you look.
In the downloadable package of public symbols for the original Windows 10, the kernel’s are not the only ones that have type information from having included PROCPOWR.H, but the others are few and add little. Far and away the greatest disclosure is not in any symbol file but in a statically linked library—and not one that Microsoft supplies with the WDK. It is instead a curious library named CLFSMGMT.LIB some of whose archived objects do contain kernel-mode code but which Microsoft publishes with the Software Development Kit (SDK) in a subdirectory named “um” as if to suggest it’s intended for user-mode programming.
For the next table, the numbers on the left are from the unseen PROCPOWR.H, having been deduced from the CLFSMGMT.LIB for the original Windows 10 (and checked against the more forensically meaningful line numbers from symbol files), and those on the right are from the published NTOSP.H for the original Windows 10.
| Line (PROCPOWR.H) | Line (NTOSP.H) | Type |
|---|---|---|
| 72 | | anonymous union in |
| 957 | | anonymous struct in |
| 1089 | | anonymous union in |
| 1090 | | anonymous struct in |
| | | anonymous union in |
| 1094 | | anonymous struct in |
| | | anonymous union in |
| 1353 | | anonymous struct in |
| 1381 | | anonymous union in |
| 1782 | | anonymous union in |