WIN32_CALLOUTS_OPERATION

The values of the WIN32_CALLOUTS_OPERATION enumeration (formally _WIN32_CALLOUTS_OPERATION) are shared by the kernel and WIN32K.SYS (or, specifically, WIN32KBASE.SYS in Windows 10) in the scheme of callouts through which the kernel subcontracts the user-mode support of the Win32 subsystem.

Before Windows 8, this scheme required the registration of ever more callback routines. At first, these were each an argument of the PsEstablishWin32Callouts function. This could only get more and more clumsy. A reform for Windows XP gathered the routines’ addresses into a structure to pass as the function’s one argument. Windows 8 consolidated this menagerie so that the caller of PsEstablishWin32Callouts supplies just the one routine that fits the EX_CALLBACK_FUNCTION prototype:

NTSTATUS 
CalloutDispatchRoutine (
    PVOID CallbackContext, 
    PVOID Argument1, 
    PVOID Argument2);

Though for general purposes the three arguments for the CalloutDispatchRoutine are pointers to void, what the kernel actually passes for Argument1 is a WIN32_CALLOUTS_OPERATION which in turn tells what is passed as Argument2.

There is, of course, a high correlation between the WIN32_CALLOUT_OPERATION values and the separate routines in earlier versions, and even between each value and the corresponding routine’s index into the earlier structure.

Documentation Status

The WIN32_CALLOUTS_OPERATION enumeration is not formally documented but Microsoft has published a C-language definition. This is in the NTOSP.H which Microsoft published with the Windows Driver Kit (WDK) for the original and 1511 releases of Windows 10. Publication of this header was apparently an oversight. Though it is chock full of previously undisclosed definitions for kernel-mode programming, it is supplied in a subdirectory (named “minwin”) of a directory named “um” as if to suggest user-mode programming. Mistake or not, this disclosure has not been repeated in later kits.

An almost equivalent disclosure is of type information from symbol files, presently only for a driver named NetAdapterCx.sys. Starting with the 1803 release of Windows 10, the symbol files for this driver, as made available by Microsoft at its public symbol server, are private symbol files. They have type information for the WIN32_CALLOUTS_OPERATION from the driver’s inclusion of NTOSP.H.

Values

Microsoft’s names for the enumeration and for some of its defined values are known with certainty only for some versions of Windows 10, as described above.

Value Symbol Versions
0x00000000 Win32ProcessCallout 6.2 and higher
0x00000001 Win32ThreadCallout 6.2 and higher
0x00000002 Win32GlobalAtomTableCallout 6.2 and higher
0x00000003 Win32PowerEventCallout 6.2 and higher
0x00000004 Win32PowerStateCallout 6.2 and higher
0x00000005 Win32PowerInfoCallout 6.2 and higher
0x00000006 Win32JobCallout 6.2 and higher
0x00000007 Win32BatchFlushCallout 6.2 and higher
0x00000008 Win32DesktopOpenCallout 6.2 and higher
0x00000009 Win32DesktopOkToCloseCallout 6.2 and higher
0x0000000A Win32DesktopCloseCallout 6.2 and higher
0x0000000B Win32DesktopDeleteCallout 6.2 and higher
0x0000000C Win32WindowStationOkToCloseCallout 6.2 and higher
0x0000000D Win32WindowStationCloseCallout 6.2 and higher
0x0000000E Win32WindowStationDeleteCallout 6.2 and higher
0x0000000F Win32WindowStationParseCallout 6.2 and higher
0x00000010 Win32WindowStationOpenCallout 6.2 and higher
0x00000011 Win32LicensingCallout 6.2 and higher
0x00000012 Win32CompositionObjectOpenCallout 6.2 and higher
0x00000013 Win32CompositionObjectOkToCloseCallout 6.2 and higher
0x00000014 Win32CompositionObjectCloseCallout 6.2 and higher
0x00000015 Win32CompositionObjectDeleteCallout 6.2 and higher
0x00000016 Win32ProcessFreezeCallout 6.2 and higher
0x00000017 Win32ProcessThawCallout 6.2 and higher
0x00000018 Win32JobGetInterferenceCountsCallout 6.3 and higher
0x00000019 Win32GetCpuStatisticsCallout 6.3 and higher
0x0000001A Win32SubsystemProcessQueryCallout 10.0 and higher
0x0000001B Win32RawInputManagerObjectOpenCallout 10.0 and higher
0x0000001C Win32RawInputManagerObjectOkToCloseCallout 10.0 and higher
0x0000001D Win32RawInputManagerObjectCloseCallout 10.0 and higher
0x0000001E Win32RawInputManagerObjectDeleteCallout 10.0 and higher
0x0000001F Win32WakeRitForShutdownCallout 10.0 and higher
0x00000020 Win32WerStartCallout 1511 and higher
0x00000021 Win32CoreMessagingObjectOpenCallout 1607 and higher
0x00000022 Win32CoreMessagingObjectOkToCloseCallout 1607 and higher
0x00000023 Win32CoreMessagingObjectCloseCallout 1607 and higher
0x00000024 Win32CoreMessagingObjectDeleteCallout 1607 and higher
0x00000025 Win32ActivationObjectOpenCallout 1903 and higher
0x00000026 Win32ActivationObjectOkToCloseCallout 1903 and higher
0x00000027 Win32ActivationObjectCloseCallout 1903 and higher
0x00000028 Win32ActivationObjectDeleteCallout 1903 and higher
0x00000025 (1703 to 1809);
0x00000029
Win32ProcessTimerDelayCallout 1703 and higher
0x00000026 (1703 to 1809);
0x0000002A
Win32GetProcessTimerStatisticsCallout 1703 and higher
0x00000018 (6.2);
0x00000020 (10.0);
0x00000021 (1511);
0x00000027 (1803 to 1809);
0x0000002B 
Win32CalloutsMax 10.0 and higher

Known interpretations for the callout routine’s Argument2 are:

Argument1 Argument2
Win32ProcessCallout pointer to WIN32_PROCESS_CALLOUT_PARAMETERS
Win32ThreadCallout pointer to WIN32_THREAD_CALLOUT_PARAMETERS
Win32GlobalAtomTableCallout pointer to variable to receive address of global atom table
Win32PowerEventCallout pointer to WIN32_POWEREVENT_PARAMETERS
Win32PowerStateCallout pointer to WIN32_POWERSTATE_PARAMETERS
Win32PowerInfoCallout pointer to WIN32_POWERINFO_CALLOUT_PARAMETERS
Win32JobCallout pointer to WIN32_JOBCALLOUT_PARAMETERS
Win32DesktopOpenCallout
Win32WindowStationOpenCallout
Win32CompositionObjectOpenCallout
Win32RawInputManagerObjectOpenCallout
Win32CoreMessagingObjectOpenCallout
Win32ActivationObjectOpenCallout
pointer to WIN32_OPENMETHOD_PARAMETERS
Win32DesktopOkToCloseCallout
Win32WindowStationOkToCloseCallout
Win32CompositionObjectOkToCloseCallout
Win32RawInputManagerObjectOkToCloseCallout
Win32CoreMessagingObjectOkToCloseCallout
Win32ActivationObjectOkToCloseCallout
pointer to WIN32_OKAYTOCLOSEMETHOD_PARAMETERS
Win32DesktopCloseCallout
Win32WindowStationCloseCallout
Win32CompositionObjectCloseCallout
Win32RawInputManagerObjectCloseCallout
Win32CoreMessagingObjectCloseCallout
Win32ActivationObjectCloseCallout
pointer to WIN32_CLOSEMETHOD_PARAMETERS
Win32DesktopDeleteCallout
Win32WindowStationDeleteCallout
Win32CompositionObjectDeleteCallout
Win32RawInputManagerObjectDeleteCallout
Win32CoreMessagingObjectDeleteCallout
Win32ActivationObjectDeleteCallout
pointer to WIN32_DELETEMETHOD_PARAMETERS
Win32WindowStationParseCallout pointer to WIN32_PARSEMETHOD_PARAMETERS
Win32JobGetInterferenceCountsCallout pointer to WIN32_JOBINTERFERENCEINFO_CALLOUT_PARAMETERS
Win32SubsystemProcessQueryCallout pointer to WIN32_SUBSYSTEM_PROCESS_QUERY_CALLOUT_PARAMETERS
Win32ProcessTimerDelayCallout pointer to WIN32_PROCESS_TIMERDELAY_CALLOUT_PARAMETERS
Win32GetProcessTimerStatisticsCallout pointer to WIN32_PROCESS_TIMER_STATISTICS_CALLOUT_PARAMETERS