KE.H

The public symbol file NTKRPAMP.PDB for the original release of Windows 10 tells that the kernel is built with the KE.H header at

d:\th\minkernel\ntos\inc

and draws from it the following type definitions:

Line Number Type
214 enum _KOBJECTS
311 struct _KTHREAD_COUNTERS
283 enum _KPROCESS_STATE
298 enum _KTHREAD_STATE
641 struct _KSCB
692 struct _KSCHEDULING_GROUP_POLICY
713 struct _KSCHEDULING_GROUP
751 struct _KHETERO_PROCESSOR_SET
764 struct _KNODE
814 struct _flags
852 union _KEXECUTE_OPTIONS
871 union _KSTACK_COUNT
884 struct _KPROCESS
1134 enum _KWAIT_BLOCK_STATE
1145 enum _KWAIT_STATE
1160 union _KWAIT_STATUS_REGISTER
1270 struct _KLOCK_ENTRY_LOCK_STATE
1295 struct _KLOCK_ENTRY
1630 struct _KTHREAD
3432 enum _KERNEL_STACK_LIMITS

The _flags structure is the type of the _KNODE member named Flags. That _KNODE is defined first implies that _flags is defined within _KNODE. That _flags is not scoped to _KNODE is indirect evidence of compilation as C, not C++, in versions (such as 6.1) for which the public symbol files do not give the direct evidence of recording compilation with the -TC option. Either way, of course, the evidence is only of whatever source file was compiled to produce the public symbol files. The source files that contribute to the kernel’s code can have been compiled differently: study without source code does have limits to its definiteness.

The header KE.H is not known in any Device Driver Kit (DDK) or Windows Driver Kit (WDK).

Reconstruction

More types are known from CLFSMGMT.LIB. Indeed, there is good expectation that the type information in this library is a complete reckoning of types defined in KE.H. This is because type information is in the library from the latter’s archiving of an object file that’s a by-product of creating a pre-compiled header. What’s recorded then is not the types that are used but the types that might be used. Moreover, the record of nested types is more detailed due to compilation as C++.

Line Number Type
115 struct _KTHREAD_SWITCH_COUNTERS
214 enum _KOBJECTS
270 enum _KAPC_ENVIRONMENT
298 enum _KTHREAD_STATE
283 enum _KPROCESS_STATE
298 enum _KTHREAD_STATE
311 struct _KTHREAD_COUNTERS
325 enum _KDUE_TIME_TYPE
337 enum _KEXPECTED_WAKE_REASON
435 struct _KSERVICE_TABLE_DESCRIPTOR
493 enum KCONTINUE_STATUS
641 struct _KSCB
653 anonymous struct in
struct _KSCB
687 enum _KSCHEDULING_GROUP_TYPE
692 struct _KSCHEDULING_GROUP_POLICY
693 anonymous union in
struct _KSCHEDULING_GROUP_POLICY
696 anonymous struct in
anonymous union in
struct _KSCHEDULING_GROUP_POLICY
702 anonymous union in
struct _KSCHEDULING_GROUP_POLICY
704 anonymous struct in
anonymous union in
struct _KSCHEDULING_GROUP_POLICY
713 struct _KSCHEDULING_GROUP
727 anonymous union in
struct _KSCHEDULING_GROUP
751 struct _KHETERO_PROCESSOR_SET
764 struct _KNODE
770 anonymous struct in
struct _KNODE
796 anonymous union in
anonymous struct in
struct _KNODE
798 anonymous struct in
anonymous union in
anonymous struct in
struct _KNODE
800 anonymous struct in
struct _KNODE
814 struct _flags in
anonymous tag in
struct _KNODE
852 union _KEXECUTE_OPTIONS
853 anonymous struct in
union _KEXECUTE_OPTIONS
871 union _KSTACK_COUNT
873 anonymous struct in
union _KSTACK_COUNT
884 struct _KPROCESS
961 anonymous union in
struct _KPROCESS
962 anonymous struct in
anonymous union in
struct _KPROCESS
1128 enum _ADJUST_REASON
1134 enum _KWAIT_BLOCK_STATE
1145 enum _KWAIT_STATE
1160 union _KWAIT_STATUS_REGISTER
1162 anonymous struct in
union _KWAIT_STATUS_REGISTER
1270 struct _KLOCK_ENTRY_LOCK_STATE
1271 anonymous union in
struct _KLOCK_ENTRY_LOCK_STATE
1272 anonymous struct in
anonymous union in
struct _KLOCK_ENTRY_LOCK_STATE
1281 anonymous union in
struct _KLOCK_ENTRY_LOCK_STATE
1295 struct _KLOCK_ENTRY
1297 anonymous union in
struct _KLOCK_ENTRY
1387 anonymous union in
struct _KLOCK_ENTRY
1389 anonymous struct in
anonymous union in
struct _KLOCK_ENTRY
1391 anonymous union in
anonymous struct in
anonymous union in
struct _KLOCK_ENTRY
1393 anonymous struct in
anonymous union in
anonymous struct in
anonymous union in
struct _KLOCK_ENTRY
1398 anonymous union in
anonymous struct in
anonymous union in
struct _KLOCK_ENTRY
1400 anonymous struct in
anonymous union in
anonymous struct in
anonymous union in
struct _KLOCK_ENTRY
1404 anonymous union in
anonymous struct in
anonymous union in
struct _KLOCK_ENTRY
1406 anonymous struct in
anonymous union in
anonymous struct in
anonymous union in
struct _KLOCK_ENTRY
1413 anonymous struct in
anonymous union in
struct _KLOCK_ENTRY
1495 anonymous union in
struct _KLOCK_ENTRY
1498 anonymous struct in
anonymous union in
struct _KLOCK_ENTRY
1499 anonymous union in
anonymous struct in
anonymous union in
struct _KLOCK_ENTRY
1501 anonymous struct in
anonymous union in
anonymous struct in
anonymous union in
struct _KLOCK_ENTRY
1508 anonymous union in
anonymous struct in
anonymous union in
struct _KLOCK_ENTRY
1522 anonymous union in
struct _KLOCK_ENTRY
1557 anonymous struct in
anonymous union in
struct _KLOCK_ENTRY
1569 anonymous struct in
anonymous union in
struct _KLOCK_ENTRY
1589 anonymous union in
struct _KLOCK_ENTRY
1591 anonymous struct in
anonymous union in
struct _KLOCK_ENTRY
1630 struct _KTHREAD
1712 anonymous union in
struct _KTHREAD
1713 anonymous struct in
anonymous union in
struct _KTHREAD
1772 anonymous union in
struct _KTHREAD
1772 anonymous struct in
anonymous union in
struct _KTHREAD
1805 anonymous struct in
struct _KTHREAD
1828 anonymous union in
struct _KTHREAD
1830 anonymous struct in
anonymous union in
struct _KTHREAD
1859 anonymous union in
struct _KTHREAD
1868 anonymous union in
struct _KTHREAD
1905 anonymous struct in
anonymous union in
struct _KTHREAD
1910 anonymous struct in
anonymous union in
struct _KTHREAD
1915 anonymous struct in
anonymous union in
struct _KTHREAD
1920 anonymous struct in
anonymous union in
struct _KTHREAD
1932 anonymous union in
anonymous struct in
anonymous union in
struct _KTHREAD
1933 anonymous struct in
anonymous union in
anonymous struct in
anonymous union in
struct _KTHREAD
1970 anonymous union in
struct _KTHREAD
1972 anonymous struct in
anonymous union in
struct _KTHREAD
1980 anonymous union in
struct _KTHREAD
1982 anonymous struct in
anonymous union in
struct _KTHREAD
1986 anonymous union in
anonymous struct in
anonymous union in
struct _KTHREAD
1988 anonymous struct in
anonymous union in
anonymous struct in
anonymous union in
struct _KTHREAD
2001 anonymous union in
struct _KTHREAD
2003 anonymous struct in
anonymous union in
struct _KTHREAD
2025 anonymous union in
struct _KTHREAD
2027 anonymous struct in
anonymous union in
struct _KTHREAD
2036 anonymous union in
struct _KTHREAD
2038 anonymous struct in
anonymous union in
struct _KTHREAD
2043 anonymous struct in
anonymous union in
struct _KTHREAD
2048 anonymous struct in
anonymous union in
struct _KTHREAD
2053 anonymous struct in
anonymous union in
struct _KTHREAD
2058 anonymous struct in
anonymous union in
struct _KTHREAD
2063 anonymous struct in
anonymous union in
struct _KTHREAD
2203 anonymous union in
struct _KTHREAD
2205 anonymous struct in
anonymous union in
struct _KTHREAD
2362 struct _KPROFILE
2367 anonymous union in
struct _KPROFILE
2368 anonymous struct in
anonymous union in
struct _KPROFILE
2375 anonymous struct in
anonymous union in
struct _KPROFILE
3432 enum _KERNEL_STACK_LIMITS
3711 struct _KTHREAD_VALUES
4190 struct _CLOCK_INTERVAL_REQUEST
4869 enum _KTBFLUSH_TYPE
4876 enum _KTBFLUSH_TARGET
5563 struct _KE_PRIVILEGED_PAGE_IDENTITY
5576 anonymous struct in
struct _KE_PRIVILEGED_PAGE_IDENTITY
6696 struct _KSHA256_PARALLEL
6699 anonymous union in
struct _KSHA256_PARALLEL
6731 struct _KWAIT_CHAIN_ENTRY

This page was created on 23rd July 2020 but was not published until 28th October 2020. It was last modified on 19th December 2022.

Copyright © 2020-2022. Geoff Chappell. All rights reserved. Conditions apply.