Geoff Chappell, Software Analyst
The public symbol file NTKRPAMP.PDB for the original release of Windows 10 tells that the kernel is built with the EVNTPROV.H header at
d:\th.public.fre\internal\minwin\priv_sdk\inc
and draws from it the following type definitions:
| Line Number | Type |
|---|---|
| 105 | struct _EVENT_DATA_DESCRIPTOR |
| 128 | struct _EVENT_DESCRIPTOR |
| 147 | struct _EVENT_FILTER_DESCRIPTOR |
| 156 | struct _EVENT_FILTER_HEADER |
| 180 | enum _EVENT_INFO_CLASS |
A header named EVNTPROV.H is among the headers in the publicly available Windows Driver Kit (WDK) for Windows 10. It is there in the “shared” subdirectory with many other headers that are intended for use in both kernel-mode and user-mode programming.