Geoff Chappell - Software Analyst
The public symbol file NTKRPAMP.PDB for the original release of Windows 10 tells that the kernel is built with the EVNTCONS.H header at
d:\th.public.fre\internal\minwin\priv_sdk\inc
and draws from it the following type definitions:
| Line Number | Type |
|---|---|
| 64 | struct _EVENT_HEADER_EXTENDED_DATA_ITEM |
| 140 | struct _EVENT_HEADER |
| 166 | struct _EVENT_RECORD |
A header named EVNTCONS.H is among the headers in the publicly available Windows Driver Kit (WDK) for Windows 10. It is there in the “um” subdirectory with many other headers for user-mode programming.
For completeness, note that the kernel uses other types that are defined in this header but which do not show in the public symbol files—and the header defines types that are not used by the kernel:
| Line Number | Type |
|---|---|
| 64 | struct _EVENT_HEADER_EXTENDED_DATA_ITEM |
| 83 | struct _EVENT_EXTENDED_ITEM_INSTANCE |
| 89 | struct _EVENT_EXTENDED_ITEM_RELATED_ACTIVITYID |
| 93 | struct _EVENT_EXTENDED_ITEM_TS_ID |
| 97 | struct _EVENT_EXTENDED_ITEM_STACK_TRACE32 |
| 102 | struct _EVENT_EXTENDED_ITEM_STACK_TRACE64 |
| 107 | struct _EVENT_EXTENDED_ITEM_PEBS_INDEX |
| 111 | struct _EVENT_EXTENDED_ITEM_PMC_COUNTERS |
| 115 | struct _EVENT_EXTENDED_ITEM_PROCESS_START_KEY |
| 119 | struct _EVENT_EXTENDED_ITEM_EVENT_KEY |
| 140 | struct _EVENT_HEADER |
| 166 | struct _EVENT_RECORD |
| 219 | enum ETW_PROVIDER_TRAIT_TYPE |
| 295 | enum EVENTSECURITYOPERATION |