Geoff Chappell - Software Analyst
The HV_X64_HYPERVISOR_CPU_MANAGEMENT_FEATURES (formally _HV_X64_HYPERVISOR_CPU_MANAGEMENT_FEATURES) collects the flags that a Microsoft-compatible hypervisor’s cpuid leaf 0x40000007 produces in the eax, ebx, ecx and edx registers.
The HV_X64_HYPERVISOR_CPU_MANAGEMENT_FEATURES is new for Windows 10. Though its name suggests a specialisation to the x64 processor, the structure is defined identically for both 32-bit and 64-bit Windows.
The kernel is not known to expose this structure or any reading of cpuid leaf 0x40000007 through any interface, documented or not, even in kernel mode.
For its own use, the kernel ignores cpuid leaf 0x40000007 unless the CpuManagement flag is set in the HV_PARTITION_PRIVILEGE_MASK obtained by reading cpuid leaf 0x40000003. Even then, some of the kernel’s use—indeed, all known use before Version 1803—depends on reading and writing the Model-Specific Register (MSR) 0x40000004.
The HV_X64_HYPERVISOR_CPU_MANAGEMENT_FEATURES is not documented. The hypervisor’s cpuid implementation is documented in the Hypervisor Top-Level Functional Specification (TLFS). What’s offered today, 12th November 2016, as the specification’s most recent version is a PDF that is three years old (version 4.0b, dated August 2013). it extends only to leaf 0x40000006. Revelation of cpuid leaf 0x40000007 apparently had to wait for version 5.0a, dated February 2017. Better late than never, perhaps, but the reality behind the superficially fine words of the Microsoft Open Specification Promise is that the Hyper-V implementation, and presumably Microsoft’s use of it to Microsoft’s advantage for Microsoft’s purposes, runs ahead of the documentation that Microsoft opens for general use.
As for the HV_X64_HYPERVISOR_CPU_MANAGEMENT_FEATURES as Microsoft’s particular expression of the output from cpuid leaf 0x40000007, disclosure by Microsoft is conspicuously thin. The practical equivalent of a C-language definition is published as type information in symbol files, but in the downloadable packages of public symbols for 32-bit and 64-bit Windows 10, type information for HV_X64_HYPERVISOR_CPU_MANAGEMENT_FEATURES appears only in the symbol files for URLMON.DLL. This is a user-mode DLL that originated as a component of Internet Explorer (and still follows Internet Explorer’s version numbering). Well might you wonder what this DLL has to do with the hypervisor such that its symbol files have type information for this structure but the kernel’s don’t! Symbol files for URLMON.DLL starting with Windows 8, both in packages of Windows symbols and when downloaded from Microsoft’s public symbol server, happen to be private symbols. This surely was an oversight, but however this disclosure came about, Microsoft stopped it for Version 1803. That URLMON.DLL knows of the HV_X64_HYPERVISOR_CPU_MANAGEMENT_FEATURES is because some URLMON.DLL source code has a #include for a header named hvgdk_mini.h. Microsoft is known to use his header for its own programming of the Windows kernel but is not known to have ever made it available for use by programmers in general (let alone by the programmers of competing web browsers).
Type information for the HV_X64_HYPERVISOR_CPU_MANAGEMENT_FEATURES turns out to have been also disclosed in the relatively plain sight of two statically linked libraries. I say relatively plain because even experts tend to overlook that libraries can hold type information. Beware anyway that type information in statically linked libraries does not always match the operating system that the library is supposedly intended for. One of the libraries, named CLFSMGMT.LIB, is among the many that are supplied with the Software Development Kit (SDK) for user-mode programming. Type information for the HV_X64_HYPERVISOR_CPU_MANAGEMENT_FEATURES drops out of this library in Version 2004. The other is more obviously related to hypervisors. It is named KDHV.LIB. Microsoft distributes it among the programming samples in the Debugging Tools for Windows. It has type information for the HV_X64_HYPERVISOR_CPU_MANAGEMENT_FEATURES for all versions of Windows 10 at least to the 2004 release.
The HV_X64_HYPERVISOR_CPU_MANAGEMENT_FEATURES is 0x10 bytes in both 32-bit and 64-bit Windows. Offsets and definitions below are from type information in symbol files for URLMON.DLL before Version 1803 and then in KDHV.LIB.
| Offset | Definition | Versions |
|---|---|---|
| 0x00 |
/* changing bit fields, see below */ |
10.0 and higher |
| 0x04 |
/* bit fields, see below */ |
10.0 and higher |
| 0x08 |
UINT32 ReservedEcx; |
10.0 to 1709 |
/* bit fields, see below */ |
1803 and higher | |
| 0x0C |
UINT32 ReservedEdx; |
10.0 and higher |
| Mask | Definition | Versions |
|---|---|---|
| 0x00000001 |
UINT32 StartLogicalProcessor : 1; |
10.0 and higher |
| 0x00000002 |
UINT32 CreateRootVirtualProcessor : 1; |
10.0 and higher |
| 0x00000004 |
UINT32 PerformanceCounterSync : 1; |
1703 and higher |
UINT32 Reserved0 : 29; |
10.0 and higher | |
UINT32 Reserved0 : 28; |
1703 and higher | |
| 0x80000000 |
UINT32 ReservedIdentityBit : 1; |
10.0 and higher |
Though PerformanceCounterSync is defined for the first half-yearly release in 2017, according to the symbol files, it gets no mention in the TLFS version 5.0c dated July 2018. It is listed, however, in version 6.0b dated February 2020.
| Mask | Definition |
|---|---|
| 0x00000001 |
UINT32 ProcessorPowerManagement : 1; |
| 0x00000002 |
UINT32 MwaitIdleStates : 1; |
| 0x00000004 |
UINT32 LogicalProcessorIdling : 1; |
UINT32 Reserved1 : 29; |
| Mask | Definition | Versions |
|---|---|---|
| 0x00000001 |
UINT32 RemapGuestUncached : 1; |
1803 and higher |
UINT32 ReservedZ2 : 31; |
1803 and higher |
The RemapGuestUncached flag is not only defined in symbol files for the March 2018 release but is used by this version’s kernel. This might be thought early enough to get a mention in the TLFS version 5.0c dated July 2018. It is listed, however, in version 6.0b dated February 2020.