Geoff Chappell - Software Analyst
The values of the WIN32_CALLOUTS_OPERATION enumeration (formally _WIN32_CALLOUTS_OPERATION) are shared by the kernel and WIN32K.SYS (or, specifically, WIN32KBASE.SYS in Windows 10) in the scheme of callouts through which the kernel subcontracts the user-mode support of the Win32 subsystem.
Before Windows 8, this scheme required the registration of ever more callback routines. At first, these were each an argument of the PsEstablishWin32Callouts function. This could only get more and more clumsy. A reform for Windows XP gathered the routines’ addresses into a structure to pass as the function’s one argument. Windows 8 consolidated this menagerie so that the caller of PsEstablishWin32Callouts supplies just the one routine that fits the EX_CALLBACK_FUNCTION prototype:
NTSTATUS
CalloutDispatchRoutine (
PVOID CallbackContext,
PVOID Argument1,
PVOID Argument2);
Though for general purposes the three arguments for the CalloutDispatchRoutine are pointers to void, what the kernel actually passes for Argument1 is a WIN32_CALLOUTS_OPERATION which in turn tells what is passed as Argument2.
There is, of course, a high correlation between the WIN32_CALLOUT_OPERATION values and the separate routines in earlier versions, and even between each value and the corresponding routine’s index into the earlier structure.
The WIN32_CALLOUTS_OPERATION enumeration is not formally documented but Microsoft has published a C-language definition. This is in the NTOSP.H which Microsoft published with the Windows Driver Kit (WDK) for the original and 1511 releases of Windows 10. Publication of this header was apparently an oversight. Though it is chock full of previously undisclosed definitions for kernel-mode programming, it is supplied in a subdirectory (named “minwin”) of a directory named “um” as if to suggest user-mode programming. Mistake or not, this disclosure has not been repeated in later kits.
An almost equivalent disclosure is of type information from symbol files, presently only for a driver named NetAdapterCx.sys. Starting with the 1803 release of Windows 10, the symbol files for this driver, as made available by Microsoft at its public symbol server, are private symbol files. They have type information for the WIN32_CALLOUTS_OPERATION from the driver’s inclusion of NTOSP.H.
Microsoft’s names for the enumeration and for some of its defined values are known with certainty only for some versions of Windows 10, as described above.
| Value | Symbol | Versions |
|---|---|---|
| 0x00000000 | Win32ProcessCallout | 6.2 and higher |
| 0x00000001 | Win32ThreadCallout | 6.2 and higher |
| 0x00000002 | Win32GlobalAtomTableCallout | 6.2 and higher |
| 0x00000003 | Win32PowerEventCallout | 6.2 and higher |
| 0x00000004 | Win32PowerStateCallout | 6.2 and higher |
| 0x00000005 | Win32PowerInfoCallout | 6.2 and higher |
| 0x00000006 | Win32JobCallout | 6.2 and higher |
| 0x00000007 | Win32BatchFlushCallout | 6.2 and higher |
| 0x00000008 | Win32DesktopOpenCallout | 6.2 and higher |
| 0x00000009 | Win32DesktopOkToCloseCallout | 6.2 and higher |
| 0x0000000A | Win32DesktopCloseCallout | 6.2 and higher |
| 0x0000000B | Win32DesktopDeleteCallout | 6.2 and higher |
| 0x0000000C | Win32WindowStationOkToCloseCallout | 6.2 and higher |
| 0x0000000D | Win32WindowStationCloseCallout | 6.2 and higher |
| 0x0000000E | Win32WindowStationDeleteCallout | 6.2 and higher |
| 0x0000000F | Win32WindowStationParseCallout | 6.2 and higher |
| 0x00000010 | Win32WindowStationOpenCallout | 6.2 and higher |
| 0x00000011 | Win32LicensingCallout | 6.2 and higher |
| 0x00000012 | Win32CompositionObjectOpenCallout | 6.2 and higher |
| 0x00000013 | Win32CompositionObjectOkToCloseCallout | 6.2 and higher |
| 0x00000014 | Win32CompositionObjectCloseCallout | 6.2 and higher |
| 0x00000015 | Win32CompositionObjectDeleteCallout | 6.2 and higher |
| 0x00000016 | Win32ProcessFreezeCallout | 6.2 and higher |
| 0x00000017 | Win32ProcessThawCallout | 6.2 and higher |
| 0x00000018 | Win32JobGetInterferenceCountsCallout | 6.3 and higher |
| 0x00000019 | Win32GetCpuStatisticsCallout | 6.3 and higher |
| 0x0000001A | Win32SubsystemProcessQueryCallout | 10.0 and higher |
| 0x0000001B | Win32RawInputManagerObjectOpenCallout | 10.0 and higher |
| 0x0000001C | Win32RawInputManagerObjectOkToCloseCallout | 10.0 and higher |
| 0x0000001D | Win32RawInputManagerObjectCloseCallout | 10.0 and higher |
| 0x0000001E | Win32RawInputManagerObjectDeleteCallout | 10.0 and higher |
| 0x0000001F | Win32WakeRitForShutdownCallout | 10.0 and higher |
| 0x00000020 | Win32WerStartCallout | 1511 and higher |
| 0x00000021 | Win32CoreMessagingObjectOpenCallout | 1607 and higher |
| 0x00000022 | Win32CoreMessagingObjectOkToCloseCallout | 1607 and higher |
| 0x00000023 | Win32CoreMessagingObjectCloseCallout | 1607 and higher |
| 0x00000024 | Win32CoreMessagingObjectDeleteCallout | 1607 and higher |
| 0x00000025 | Win32ActivationObjectOpenCallout | 1903 and higher |
| 0x00000026 | Win32ActivationObjectOkToCloseCallout | 1903 and higher |
| 0x00000027 | Win32ActivationObjectCloseCallout | 1903 and higher |
| 0x00000028 | Win32ActivationObjectDeleteCallout | 1903 and higher |
| 0x00000025 (1703 to 1809); 0x00000029 |
Win32ProcessTimerDelayCallout | 1703 and higher |
| 0x00000026 (1703 to 1809); 0x0000002A |
Win32GetProcessTimerStatisticsCallout | 1703 and higher |
| 0x00000018 (6.2); 0x00000020 (10.0); 0x00000021 (1511); 0x00000027 (1803 to 1809); 0x0000002B |
Win32CalloutsMax | 10.0 and higher |
Known interpretations for the callout routine’s Argument2 are:
| Argument1 | Argument2 |
|---|---|
| Win32ProcessCallout | pointer to WIN32_PROCESS_CALLOUT_PARAMETERS |
| Win32ThreadCallout | pointer to WIN32_THREAD_CALLOUT_PARAMETERS |
| Win32GlobalAtomTableCallout | pointer to variable to receive address of global atom table |
| Win32PowerEventCallout | pointer to WIN32_POWEREVENT_PARAMETERS |
| Win32PowerStateCallout | pointer to WIN32_POWERSTATE_PARAMETERS |
| Win32PowerInfoCallout | pointer to WIN32_POWERINFO_CALLOUT_PARAMETERS |
| Win32JobCallout | pointer to WIN32_JOBCALLOUT_PARAMETERS |
| Win32DesktopOpenCallout Win32WindowStationOpenCallout Win32CompositionObjectOpenCallout Win32RawInputManagerObjectOpenCallout Win32CoreMessagingObjectOpenCallout Win32ActivationObjectOpenCallout |
pointer to WIN32_OPENMETHOD_PARAMETERS |
| Win32DesktopOkToCloseCallout Win32WindowStationOkToCloseCallout Win32CompositionObjectOkToCloseCallout Win32RawInputManagerObjectOkToCloseCallout Win32CoreMessagingObjectOkToCloseCallout Win32ActivationObjectOkToCloseCallout |
pointer to WIN32_OKAYTOCLOSEMETHOD_PARAMETERS |
| Win32DesktopCloseCallout Win32WindowStationCloseCallout Win32CompositionObjectCloseCallout Win32RawInputManagerObjectCloseCallout Win32CoreMessagingObjectCloseCallout Win32ActivationObjectCloseCallout |
pointer to WIN32_CLOSEMETHOD_PARAMETERS |
| Win32DesktopDeleteCallout Win32WindowStationDeleteCallout Win32CompositionObjectDeleteCallout Win32RawInputManagerObjectDeleteCallout Win32CoreMessagingObjectDeleteCallout Win32ActivationObjectDeleteCallout |
pointer to WIN32_DELETEMETHOD_PARAMETERS |
| Win32WindowStationParseCallout | pointer to WIN32_PARSEMETHOD_PARAMETERS |
| Win32JobGetInterferenceCountsCallout | pointer to WIN32_JOBINTERFERENCEINFO_CALLOUT_PARAMETERS |
| Win32SubsystemProcessQueryCallout | pointer to WIN32_SUBSYSTEM_PROCESS_QUERY_CALLOUT_PARAMETERS |
| Win32ProcessTimerDelayCallout | pointer to WIN32_PROCESS_TIMERDELAY_CALLOUT_PARAMETERS |
| Win32GetProcessTimerStatisticsCallout | pointer to WIN32_PROCESS_TIMER_STATISTICS_CALLOUT_PARAMETERS |