Geoff Chappell - Software Analyst
The public symbol file NTKRPAMP.PDB for the original release of Windows 10 tells that the kernel is built with the ARC.H header at
d:\th.public.fre\halkit\inc
and draws from it the following type definitions:
| Line Number | Type |
|---|---|
| 105 | enum _TYPE_OF_MEMORY |
| 142 | struct _MEMORY_ALLOCATION_DESCRIPTOR |
The header ARC.H is published in the “minwin” directory of the Windows Driver Kit (WDK) for Windows 10 in the original and Version 1511 editions. This was a significant new disclosure. The header as published defines many more structures, but the public symbol files for the kernel in the same versions do not have type information for these.
Indeed, many types that are defined in ARC.H had never or only rarely appeared in any public symbol files for any version. Starting with the 1803 release of Windows 10, however, the public symbol files for the kernel show very many more types as defined in ARC.H. That these many types that were for so long relatively unknown to programmers outside Microsoft are known to the kernel through this one header is surely worth cataloguing.
In the next table, the line numbers in the left column are for the unseen ARC.H for Windows 10 Version 1803, as known from the public symbol files for the kernel in this version, and the line numbers to the right are from the published header for the original Windows 10 release. Line numbers in parentheses are explained after the table.
| Line Number (Version 1803) |
Type | Line Number (Original Windows 10) |
|---|---|---|
| 58 | enum _CONFIGURATION_CLASS | 58 |
| 69 | struct _CONFIGURATION_COMPONENT | 69 |
| (76) | anonymous union in struct _CONFIGURATION_COMPONENT |
76 |
| (78) | anonymous struct in anonymous union in struct _CONFIGURATION_COMPONENT |
78 |
| 92 | struct _CONFIGURATION_COMPONENT_DATA | 92 |
| 105 | enum _TYPE_OF_MEMORY | 105 |
| 145 | struct _MEMORY_ALLOCATION_DESCRIPTOR | 142 |
| 156 | struct _NLS_DATA_BLOCK | 153 |
| (162) | struct _VHD_DISK_SIGNATURE | 159 |
| (167) | struct _ARC_DISK_SIGNATURE | 164 |
| 180 | struct _ARC_DISK_INFORMATION | 177 |
| 184 | struct _I386_LOADER_BLOCK | 181 |
| 200 | struct _ARM_LOADER_BLOCK | 197 |
| 217 | struct _LOADER_PERFORMANCE_DATA | 214 |
| enum _BOOT_ENTROPY_SOURCE_RESULT_CODE | 229 | |
| enum _BOOT_ENTROPY_SOURCE_ID | 237 | |
| 284 | struct _BOOT_ENTROPY_SOURCE_LDR_RESULT | 280 |
| 302 | struct _OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V2 | 298 |
| (320) | struct _OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V1 | 316 |
| 337 | struct _BOOT_ENTROPY_LDR_RESULT | 333 |
| 349 | struct _LOADER_PARAMETER_HYPERVISOR_EXTENSION | 344 |
| 374 | struct _LOADER_PARAMETER_CI_EXTENSION | 369 |
| (378) | anonymous struct in struct _LOADER_PARAMETER_CI_EXTENSION |
|
| (416) | struct _HAL_EXTENSION_INSTANCE_ENTRY | 383 |
| (432) | struct _HAL_EXTENSION_MODULE_ENTRY | 399 |
| 464 | struct _LOADER_BUGCHECK_PARAMETERS | 431 |
| 477 | struct _LOADER_HIVE_RECOVERY_INFO | |
| (478) | anonymous struct in struct _LOADER_HIVE_RECOVERY_INFO |
|
| 534 | struct _LOADER_RESET_REASON | |
| 536 | unnamed union Basic in struct _LOADER_RESET_REASON |
|
| 537 | unnamed struct Component in unnamed union Basic in struct _LOADER_RESET_REASON |
|
| 632 | struct _LOADER_PARAMETER_EXTENSION | 453 |
| (697) | anonymous struct in struct _LOADER_PARAMETER_EXTENSION |
518 |
| (920) | anonymous union in struct _LOADER_PARAMETER_EXTENSION |
|
| (922) | anonymous struct in anonymous union in struct _LOADER_PARAMETER_EXTENSION |
|
| (933) | anonymous union in struct _LOADER_PARAMETER_EXTENSION |
|
| (935) | anonymous struct in anonymous union in struct _LOADER_PARAMETER_EXTENSION |
|
| 1116 | struct _NETWORK_LOADER_BLOCK | 808 |
| 1130 | struct _VIRTUAL_EFI_RUNTIME_SERVICES | 822 |
| 1153 | struct _EFI_FIRMWARE_INFORMATION | 845 |
| 1187 | struct _PCAT_FIRMWARE_INFORMATION | 879 |
| 1192 | struct _FIRMWARE_INFORMATION_LOADER_BLOCK | 884 |
| (1193) | anonymous struct in struct _FIRMWARE_INFORMATION_LOADER_BLOCK |
885 |
| 1237 | unnamed union u in struct _FIRMWARE_INFORMATION_LOADER_BLOCK |
936 |
| (1256) | struct _BLDR_DATA_TABLE_ENTRY | 955 |
| 1274 | struct _LOADER_PARAMETER_BLOCK | 971 |
| 1326 | unnamed union u in struct _LOADER_PARAMETER_BLOCK |
1023 |
| (1383) | struct _LOADER_HIVE_BLOCK | 1040 |
| (1397) | struct _NT_IMAGE_INFO |
As only to be expected, the header has grown in the years since its (accidental) disclosure and so the unseen ARC.H for Version 1803 has types that are not in the published ARC.H for the original Windows 10. For these, there is no line number to show on the right.
The explanation is a little more complicated for why the two enumerations BOOT_ENTROPY_SOURCE_RESULT_CODE and BOOT_ENTROPY_SOURCE_ID have no line number on the left. Their definitions can be seen in the accidentally published ARC.H for the original Windows 10. A comment there warns Microsoft’s programmers that
// // Entropy result codes and source IDs // for Boot entropy sources are defined both in arc.h and // ntexapi.h. These two copies must be kept identical. //
The public symbols for the Version 1803 kernel place these enumerations’ definitions in ntexapi.h and thus do not give line numbers of the definitions in ARC.H or even tell anything of whether the definitions remain in ARC.H (though the very nearly matching gap in line numbers suggests a high likelihood that the definitions are still in both headers).
For why some line numbers for Version 1803 are in parentheses, remember that the public symbols for the kernel in the original Windows 10 have only a few of the types that show in the (accidentally) published ARC.H for that version. Although very many more types show in the public symbols for the Version 1803 kernel, they still are not a complete reckoning of types that are defined in the Version 1803 ARC.H. Alert readers will note that the previous sentence is a stronger statement than can be supported just from the public symbols. From these, the strongest deduction is that the public symbols for the Version 1803 kernel do not have all the types that are known from the published ARC.H for two earlier releases of Windows 10. It turns out, however, that there is another source of information about types defined in ARC.H and this not only extends to Version 1803 (indeed, to Version 1903) but is credibly complete.
This other source also is type information such as shows in symbol files. What’s different is that it’s in a statically linked library. That this library, named CLFSMGMT.LIB and distributed in the Software Development Kit (SDK) as if for user-mode programming, credibly has all the types that are defined in the kernel-mode ARC.H is because this library archives an object file that resulted from creating a pre-compiled header. Its type information is therefore not for types that the compiler regarded as used, e.g., in source code for the other object files in the library, but for types that might have got used. A detraction to libraries, in terms of forensic quality, is that even when they are targeted to one version of the operating system they can be correct for their purpose even if built with headers that are not exactly what were used when building the operating system. It happens, however, that this library for Version 1803 was built on the same day as the Version 1803 kernel. For types that are common to the library and the public symbols, the line numbers match. The line numbers from the library are almost certainly correct even for types that are missing from the public symbols. These are the line numbers that are in parentheses.
Some, even many, of these line numbers in parentheses are for anonymous structures and unions which do or don’t get their own records depending on whether the header was compiled as C++ or C. A good handful, however, are thought never to have been revealed in public symbols and might never have been known from freely published materials except for the accidental disclosure of ARC.H for two Windows releases. The last of them, NT_IMAGE_INFO, has been added since and is not known to Google at all today, 9th December 2022.
There is one more complication: the ARC.H that is compiled for the kernel’s public symbol files is not Microsoft’s only ARC.H. It may be a copy or extract for inclusion with a HAL development kit. It is not certainly the same ARC.H, if any, that is compiled when building the kernel itself. Where ARC.H is named in a handful of private symbol files that Microsoft has distributed with otherwise public symbols, a different location is given for it. For instance, in the downloadable package of public symbols for the original release of Windows 10, appxdeploymentclient.pdb names ARC.H in
d:\th.public.fre\internal\sdk\inc\minwin
which is indeed where the kernel gets many of its headers. More study is required.