Geoff Chappell - Software Analyst
The public symbol file NTKRPAMP.PDB for the original release of Windows 10 tells that the kernel is built with the I386_X.H header at
d:\th\minkernel\ntos\inc
and draws from it the type definitions that are tabulated below. The header I386_X.H is not known in any Device Driver Kit (DDK) or Windows Driver Kit (WDK).
| Line Number | Type |
|---|---|
| 580 | struct _HARDWARE_PTE |
| 609 | struct _KGDTENTRY |
| 612 | unnamed union HighWord in struct _KGDTENTRY |
| 613 | unnamed struct Bytes in unnamed union HighWord in struct _KGDTENTRY |
| 619 | unnamed struct Bits in unnamed union HighWord in struct _KGDTENTRY |
| 658 | struct _KIDTENTRY |
| 702 | struct _KiIoAccessMap |
| 708 | struct _KTSS |
| 780 | struct _DESCRIPTOR |
| 788 | struct _KSPECIAL_REGISTERS |
| 816 | struct _KPROCESSOR_STATE |
| 844 | enum CPU_VENDORS |
| 858 | struct _KPRCB |
| 1512 | struct _KPCR |
| 1642 | struct _KTRAP_FRAME |
| 2593 | union _CPU_INFO |
Of these types that the kernel is known to pick up from I386_X.H, all but one are defined in the NTOSP.H which is in the “minwin” subdirectory of the Windows 10 WDK for the original release and for Version 1511. One is also defined in the standard header NTDDK.H.
The line numbers on the left are from the unseen I386_X.H from the original Windows 10. They are deduced from public symbols and statically linked libraries, notably CLFSMGMT.LIB which MIcrosoft publishes with the Software Development Kit (SDK) for Windows 10. Those on the right are from readily available headers, also for the original Windows 10.
| Line Number | Type | WDM.H | NTDDK.H | NTOSP.H |
|---|---|---|---|---|
| 580 | struct _HARDWARE_PTE | 2222 | ||
| 581 | anonymous union in struct _HARDWARE_PTE |
2223 | ||
| 582 | anonymous struct in anonymous union in struct _HARDWARE_PTE |
2224 | ||
| 598 | anonymous struct in anonymous union in struct _HARDWARE_PTE |
2240 | ||
| 609 | struct _KGDTENTRY | 2251 | ||
| 612 | unnamed union HighWord in struct _KGDTENTRY |
2254 | ||
| 613 | unnamed struct Bytes in unnamed union HighWord in struct _KGDTENTRY |
2255 | ||
| 619 | unnamed struct Bits in unnamed union HighWord in struct _KGDTENTRY |
2261 | ||
| 658 | struct _KIDTENTRY | 2300 | ||
| 702 | struct _KiIoAccessMap | 2344 | ||
| 708 | struct _KTSS | 2350 | ||
| 780 | struct _DESCRIPTOR | 2422 | ||
| 788 | struct _KSPECIAL_REGISTERS | 2430 | ||
| 816 | struct _KPROCESSOR_STATE | 2458 | ||
| 844 | enum CPU_VENDORS | 2486 | ||
| 858 | struct _KPRCB | 2500 | ||
| 879 | anonymous union in struct _KPRCB |
2521 | ||
| 881 | anonymous struct in anonymous union in struct _KPRCB |
2523 | ||
| 921 | anonymous union in struct _KPRCB |
2563 | ||
| 924 | anonymous struct in anonymous union in struct _KPRCB |
2566 | ||
| 1127 | anonymous union in struct _KPRCB |
|||
| 1130 | anonymous struct in anonymous union in struct _KPRCB |
|||
| 1135 | anonymous struct in anonymous union in struct _KPRCB |
|||
| 1512 | struct _KPCR | 5023 | 2594 | |
| 1526 | anonymous union in struct _KPCR |
5037 | 2608 | |
| 1528 | anonymous struct in anonymous union in struct _KPCR |
5039 | 2610 | |
| 1642 | struct _KTRAP_FRAME | 2702 | ||
| 1769 | struct _KXMM_FRAME | 2829 | ||
| 1780 | struct _KFLOATING_SAVE | 16265 | 2838 | |
| 1795 | union _AMD_L1_CACHE_INFO | 16280 | 2853 | |
| 1797 | anonymous struct in union _AMD_L1_CACHE_INFO |
16282 | 2855 | |
| 1805 | union _AMD_L2_CACHE_INFO | 16290 | 2863 | |
| 1807 | anonymous struct in union _AMD_L2_CACHE_INFO |
16292 | 2865 | |
| 1815 | union _AMD_L3_CACHE_INFO | 16300 | 2873 | |
| 1817 | anonymous struct in union _AMD_L3_CACHE_INFO |
16302 | 2875 | |
| 1831 | enum _INTEL_CACHE_TYPE | 16316 | 2889 | |
| 1840 | union INTEL_CACHE_INFO_EAX | 16325 | 2898 | |
| 1842 | anonymous struct in union INTEL_CACHE_INFO_EAX |
16327 | 2900 | |
| 1853 | union INTEL_CACHE_INFO_EBX | 16338 | 2911 | |
| 1855 | anonymous struct in union INTEL_CACHE_INFO_EBX |
16340 | 2913 | |
| 2046 | enum _INTERLOCKED_RESULT | 5155 | 3089 | |
| 2150 | struct _FAR_JMP_16 | 3172 | ||
| 2160 | struct _PROCESSOR_START_BLOCK | 3182 | ||
| 2410 | struct _UCALLOUT_FRAME | |||
| 2545 | union _PAT_ATTRIBUTES | |||
| 2546 | unnamed struct hw in union _PAT_ATTRIBUTES |
|||
| 2593 | union _CPU_INFO | |||
| 2595 | anonymous struct in union _CPU_INFO |
To go by the line numbers, the several hundred lines from _HARDWARE_PTE to _KPRCB look to be copied exactly from I386_X.H to NTOSP.H. There, however, the duplication becomes selective. The _KPRCB definition in NTOSP.H is not the full definition. It ends after what a comment describes as the “architecturally defined section of the PRCB.” Presumably, the comment is in I386_X.H too, but is there followed by an “end_ntosp” comment that ends the extraction to NTOSP.H, and then by something like five hundred lines of non-architectural _KPRCB members and a “begin_ntosp” comment to resume the extraction ahead of closing the reduced definition.
The smaller _KPCR structure is similarly affected, though without an explanatory comment. Some of the roughly twenty lines, mostly if not entirely for _KPCR members, that are not extracted to NTOSP.H turn up in NTDDK.H. This is a rare case in which the public NTDDK.H has more of a definition than does the private NTOSP.H. Neither of these headers, however, has the full definition from I386_X.H which is knowable from type information in public symbol files for the kernel.