Geoff Chappell - Software Analyst
The public symbol file NTKRPAMP.PDB for the original release of Windows 10 tells that the kernel is built with the NTKEAPI_X.H header at
d:\th.public.fre\internal\sdk\inc
and draws from it the type definitions that are shown in the table below.
The header NTKEAPI_X.H is not known in any Device Driver Kit (DDK) or Windows Driver Kit (WDK), but all the types that the kernel is known to pick up from NTKEAPI_X.H are defined in the standard header WDM.H. The line numbers on the left are from the unseen NTKEAPI_X.H but are known from the symbol file. Those on the right are from the WDM.H that is readily available in the WDK for Windows 10.
| Line Number | Type | WDM.H |
|---|---|---|
| 47 | struct _KSYSTEM_TIME | 259 |
| 124 | enum _KSPIN_LOCK_QUEUE_NUMBER | 334 |
| 147 | struct _KSPIN_LOCK_QUEUE | 357 |
| 152 | struct _KLOCK_QUEUE_HANDLE | 362 |
| 178 | enum _KPROFILE_SOURCE | 370 |
| 214 | struct _M128A | 404 |
| 223 | struct _XSAVE_FORMAT | 413 |
| 255 | struct _XSAVE_AREA_HEADER | 445 |
| 261 | struct _XSAVE_AREA | 451 |
| 266 | struct _XSTATE_CONTEXT | 456 |
It is not known whether NTKEAPI_X.H is the source of definitions in WDM.H or whether both pick them up from yet another header, but the former inference is the simpler. If it’s true, then NTKEAPI_X.H is the first known input for generating WDM.H.
Whatever the means of construction, WDM.H is a consistent loser of lines. NTKEAPI_X.H, which Microsoft keeps to itself, has a little more of this material than does WDM.H. What the extra is, let alone whether it’s important, is not easily assessed without an NTKEAPI_X.H for inspection.
For the record, Microsoft’s possibly accidental inclusion of private symbol files for URLMON.DLL in downloadable packages of public symbol files shows that two more types were accessible to the source code for URLMON.DLL from including NTKEAPI_X.H when building for the original release of 32-bit Windows 10:
| Line Number | Type |
|---|---|
| 296 | struct _CONTEXT_CHUNK |
| 326 | struct _CONTEXT_EX |
Neither of these types is known from headers that Microsoft publishes for either kernel-mode or user-mode programming by programmers outside Microsoft.