New and Updated in September 2022

My semi-random walk through kernel-mode structures, continued from July and August, brings both tidying up and new writing. The one is necessary and sometimes pleasurable. The other is curiously exciting even for the slightest types. I hope to keep doing both with as much energy as I can sustain.

Concurrently, I don’t completely neglect the catalogues of exported functions and their histories, but we all know my heart’s just not in it. From the server logs I see that there plainly is a wide need to have these things, and not just for the kernel or NTDLL or even the user-mode KERNEL32 and KERNELBASE, but to have them all done well. I do recognise that I have not achieved this! The essence of the work is not at all hard. Much of the basic listing is easily automated, certainly for any one version, and even for tracking the changes through all versions. The difficulties, of course, come from matching what’s exported with what Microsoft documents. Multiple passes over the years always leave me dissatisfied with my selection of what to present and of how to format it. With the lists for kernel exports and their histories I am getting near to something I can be happy with, but it is strikingly hard work to stick at and this year, especially, is full of interruptions.

Kernel-Mode Windows

Kernel
- Versions
  - Exports History
    - Named Exports
      - 3.10
- User-Defined Types
  - Kernel-Mode
    - ke.h
      - KEXECUTE_OPTIONS
      - KOBJECTS
      - KPROCESS_STATE (new)
      - KSTACK_COUNT
      - KTHREAD_STATE (new)
    - ntosdef.h
      - PP_LOOKASIDE_LIST (new)
    - pop.h
      - POP_CURRENT_BROADCAST (new)
      - POP_POWER_ACTION (new)
      - POP_SLEEP_CHECKPOINT (new)
    - ps.h
      - POWERSTATETASK (new)
      - WIN32_CALLOUTS_OPERATION (new)
      - WIN32_POWERSTATE_PARAMETERS (new)
- Events
  - Kernel-Power

Win32

NTDLL
- Versions
- Exported Functions and Variables
  - The Native API