Geoff Chappell - Software Analyst
The HviGetEnlightenmentInformation function obtains the output of a Microsoft-compatible hypervisor’s cpuid leaf 0x40000004.
VOID HviGetEnlightenmentInformation (HV_ENLIGHTENMENT_INFORMATION *);
The one argument provides the address of a structure that is to receive the cpuid output.
The HV_ENLIGHTENMENT_INFORMATION in the declaration is hypothesised as Microsoft’s macro that stands for an appropriate processor-specific structure. For both the x86 (i386) and x64 (amd64) processors, this structure is named HV_X64_ENLIGHTENMENT_INFORMATION. Microsoft is known to define an HV_ARM64_ENLIGHTENMENT_INFORMATION structure when building for other processors, but this lies (far) outside the scope of this website.
The HviGetEnlightenmentInformation function is exported by name from the kernel in version 10.0 and higher.
The version 6.3 kernel has an inline routine that is coded very similarly to the version 10.0 HviGetEnlightenmentInformation, but it looks to be defined rather than used when compiling the source file (ntsym.c) for merging type information into the public symbol file and so its name is not recorded. The symbol file’s unreferenced LF_POINTER (0x1002) record for what was then the HV_ENLIGHTENMENT_INFORMATION structure is here thought to have been generated from the pointer’s use for this inline routine’s argument. That this inline routine in version 6.3 was already named HviGetEnlightenmentInformation and is the origin of the exported function must be very likely.
The HviGetEnlightenmentInformation function is not documented.
If a hypervisor is present and implements Microsoft’s interface—see HviIsHypervisorMicrosoftCompatible—then the function copies to the given address whatever cpuid leaf 0x40000004 produces in the eax, ebx, ecx and edx registers.
Otherwise, the structure at the given address is zeroed. This, in effect, is the function’s indication of failure.
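The copy-or-zero behaviour described above, as an added user-mode sketch that is not Microsoft's code and not from this page. The type and function names are hypothetical. The compatibility test (hypervisor-present bit, maximum leaf, "Hv#1" interface signature) is assumed from Microsoft's published hypervisor specification and stands in for HviIsHypervisorMicrosoftCompatible. cpuid is injected as a callback so that constructed replies can exercise both outcomes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-in for HV_X64_ENLIGHTENMENT_INFORMATION: raw registers only. */
typedef struct { uint32_t eax, ebx, ecx, edx; } enlightenment_regs;
/* cpuid is injected so the logic can be exercised without a hypervisor. */
typedef void (*cpuid_fn)(uint32_t leaf, uint32_t r[4]);
#define HV_INTERFACE_HV1 0x31237648u   /* "Hv#1" in eax of leaf 0x40000001 */

/* Assumed compatibility test (from the hypervisor specification, not the kernel's code). */
static int hv_is_microsoft_compatible(cpuid_fn cpuid)
{
    uint32_t r[4];
    cpuid(1, r);
    if (!(r[2] & (1u << 31))) return 0;          /* ecx bit 31: hypervisor present */
    cpuid(0x40000000u, r);
    if (r[0] < 0x40000004u) return 0;            /* this sketch requires leaf 4 to exist */
    cpuid(0x40000001u, r);
    return r[0] == HV_INTERFACE_HV1;
}

/* Mirrors the documented behaviour: copy leaf 0x40000004, else zero the output. */
static void get_enlightenment_information(cpuid_fn cpuid, enlightenment_regs *out)
{
    uint32_t r[4];
    memset(out, 0, sizeof *out);                 /* all-zero output signals failure */
    if (!hv_is_microsoft_compatible(cpuid)) return;
    cpuid(0x40000004u, r);
    out->eax = r[0]; out->ebx = r[1]; out->ecx = r[2]; out->edx = r[3];
}

/* Constructed cpuid replies for a Microsoft-compatible hypervisor (sample values). */
static void mock_hv_cpuid(uint32_t leaf, uint32_t r[4])
{
    memset(r, 0, 4 * sizeof r[0]);
    if (leaf == 1)           r[2] = 1u << 31;
    if (leaf == 0x40000000u) r[0] = 0x40000006u;
    if (leaf == 0x40000001u) r[0] = HV_INTERFACE_HV1;
    if (leaf == 0x40000004u) { r[0] = 0x2E24u; r[1] = 0xFFFu; }
}
/* Constructed cpuid replies for bare metal: every leaf reads as zero. */
static void mock_bare_cpuid(uint32_t leaf, uint32_t r[4]) { (void)leaf; memset(r, 0, 4 * sizeof r[0]); }

int main(void)
{
    enlightenment_regs hv, bare;
    get_enlightenment_information(mock_hv_cpuid, &hv);
    get_enlightenment_information(mock_bare_cpuid, &bare);
    printf("hv eax=%#x ebx=%#x, bare eax=%#x\n", hv.eax, hv.ebx, bare.eax);
    return 0;
}
```

A caller that needs to tell "no compatible hypervisor" apart from a hypervisor that genuinely reports all zeroes in leaf 0x40000004 has to make the compatibility test itself, since the function's only failure signal is the zeroed structure.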