Geoff Chappell, Software Analyst
Symbol files that Microsoft has published for Windows 8 and higher tell of user-mode code that is compiled with the NTREGAPI.H header at
d:\th.public.fre\internal\sdk\inc\minwin
The header NTREGAPI.H is not known to have been published by Microsoft. None of the types that it is known to define appear in any published header. NTREGAPI.H thus looks to be Microsoft’s private header for parts of the kernel’s Registry API that Microsoft regards as being for the use of its own user-mode binaries but of nobody else’s. The public parts are defined in the unpublished NTREGAPI_X.H and are shared with published headers such as WDM.H and WINNT.H.
The table below is of types that are defined in NTREGAPI.H as known from LF_UDT_MOD_SRC_LINE (0x1607) records in symbol files for the original release of Windows 10.
Line Number | Type |
---|---|
82 | struct _KEY_FLAGS_INFORMATION |
90 | struct _KEY_HANDLE_TAGS_INFORMATION |
98 | enum _REG_ACTION |
104 | struct _REG_NOTIFY_INFORMATION |
111 | struct KEY_PID_ARRAY |
116 | struct _KEY_OPEN_SUBKEYS_INFORMATION |
150 | enum _JOURNAL_CHANGE_INFORMATION_CLASS |
165 | struct _JOURNAL_CREATE_DELETE_KEY_INFORMATION |
177 | struct _JOURNAL_RENAME_KEY_INFORMATION |
185 | struct _JOURNAL_SET_DELETE_VALUE_INFORMATION |
199 | struct _JOURNAL_SET_KEY_SECURITY_INFORMATION |
210 | struct _JOURNAL_SET_KEY_USER_FLAGS_INFORMATION |
219 | struct _JOURNAL_SET_KEY_LAST_WRITE_TIME_INFORMATION |
228 | struct _JOURNAL_TRANSACTION_BOUNDARY_INFORMATION |
244 | enum _JOURNAL_INFORMATION_CLASS |
250 | struct _JOURNAL_ABSOLUTE_INFORMATION |
257 | struct _JOURNAL_CLIENT_INFORMATION |
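
As an added example (not code from this page or from Microsoft), the following Python walks a run of length-prefixed CodeView records, picks out the LF_UDT_MOD_SRC_LINE (0x1607) records and rebuilds a line-number table for one header. The field layout follows `lfUdtModSrcLine` in Microsoft's published cvinfo.h. The sample bytes, type indices, name offsets, module numbers and the full path to ntregapi.h are constructed, and the `names` and `types` dictionaries stand in for lookups that a real tool would make in the PDB's name table and type stream.

```python
import struct

LF_UDT_MOD_SRC_LINE = 0x1607  # leaf kind named on this page

def udt_mod_src_lines(stream: bytes):
    """Yield (type_index, src, line, module) for each 0x1607 record."""
    pos = 0
    while pos + 4 <= len(stream):
        length, leaf = struct.unpack_from("<HH", stream, pos)
        end = pos + 2 + length  # the length field does not count itself
        if length < 2 or end > len(stream):
            raise ValueError(f"malformed record at offset {pos:#x}")
        if leaf == LF_UDT_MOD_SRC_LINE:
            if length < 16:  # leaf + type + src + line + imod
                raise ValueError(f"short 0x1607 record at offset {pos:#x}")
            yield struct.unpack_from("<IIIH", stream, pos + 4)
        pos = end  # skips trailing pad bytes and every other leaf kind

def header_table(stream, names, types, header):
    """Sorted (line, type name) rows for types defined in `header`."""
    suffix = "\\" + header.lower()
    return sorted(
        (line, types.get(ti, f"<type {ti:#x}>"))
        for ti, src, line, _mod in udt_mod_src_lines(stream)
        if names.get(src, "").lower().endswith(suffix)
    )

def _rec(leaf, body):
    """Build one constructed record, padded to a 4-byte boundary."""
    data = struct.pack("<H", leaf) + body
    pad = -(len(data) + 2) % 4
    data += bytes(0xF0 + n for n in range(pad, 0, -1))  # LF_PAD bytes
    return struct.pack("<H", len(data)) + data

# Constructed sample: name offsets, type indices and module numbers are made up.
NAMES = {0x10: r"d:\th.public.fre\internal\sdk\inc\minwin\ntregapi.h",
         0x50: r"d:\constructed\other.h"}
TYPES = {0x1001: "struct _KEY_FLAGS_INFORMATION",
         0x1002: "enum _REG_ACTION",
         0x1003: "struct _CONSTRUCTED_OTHER"}
SAMPLE = (
    _rec(0x1605, struct.pack("<I", 0) + b"x\0")  # LF_STRING_ID, ignored
    + _rec(0x1607, struct.pack("<IIIH", 0x1002, 0x10, 98, 3))
    + _rec(0x1607, struct.pack("<IIIH", 0x1003, 0x50, 12, 3))
    + _rec(0x1607, struct.pack("<IIIH", 0x1001, 0x10, 82, 1))
)

if __name__ == "__main__":
    for line, name in header_table(SAMPLE, NAMES, TYPES, "ntregapi.h"):
        print(f"{line} | {name} |")
```
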
Do not miss that one of the symbol files that show access to these private definitions for the Registry API is URLMON.PDB. The corresponding binary is URLMON.DLL, which was introduced for Internet Explorer as long ago as 1996 and still has its version numbers in step with those of Internet Explorer. In 2002, Microsoft settled an anti-trust suit which had as one element that something called Microsoft middleware—Internet Explorer being specified as an example—should have no more access to any Windows interface than is available to competing software.
Clearly, the source code for Internet Explorer as built for Windows 8, and since, uses an essentially secret header for the user-mode interface that the kernel exposes for registry access. This source-code access contravenes any plain reading of the settlement. If it is new for Windows 8, then the settlement evidently did not constrain Microsoft for long. If Internet Explorer had this access at the time of the settlement, then Microsoft didn’t disclose it or the courts and regulators either missed it or excused it.