Geoff Chappell, Software Analyst
The public symbol file NTKRPAMP.PDB for the original release of Windows 10 tells that the kernel is built with the NTDBG.H header at
d:\th.public.fre\halkit\inc
and draws from it the following type definitions:
| Line Number | Type |
|---|---|
| 119 | struct _DBGKM_EXCEPTION32 |
| 124 | struct _DBGKM_EXCEPTION64 |
| 3469 | struct _X86_DBGKD_CONTROL_SET |
| 3482 | struct _IA64_DBGKD_CONTROL_SET |
| 3488 | struct _AMD64_DBGKD_CONTROL_SET |
| 3495 | struct _ARM_DBGKD_CONTROL_SET |
| 3501 | struct _ARM64_DBGKD_CONTROL_SET |
| 3508 | struct _ARMCE_DBGKD_CONTROL_SET |
| 3514 | struct _PPC_DBGKD_CONTROL_SET |
| 3521 | struct _DBGKD_ANY_CONTROL_SET |
| 3631 | struct _X86_KTRAP_FRAME |
| 3739 | struct _X86_KTRAP_FRAME_BLUE |
| 5237 | struct _DBGKD_LOAD_SYMBOLS32 |
| 5246 | struct _DBGKD_LOAD_SYMBOLS64 |
| 5455 | struct _DBGKD_READ_MEMORY32 |
| 5461 | struct _DBGKD_READ_MEMORY64 |
| 5499 | struct _DBGKD_WRITE_MEMORY32 |
| 5505 | struct _DBGKD_WRITE_MEMORY64 |
| 5543 | struct _DBGKD_GET_CONTEXT |
| 5551 | struct _DBGKD_SET_CONTEXT |
| 5555 | struct _DBGKD_CONTEXT_EX |
| 5563 | struct _DBGKD_WRITE_BREAKPOINT32 |
| 5568 | struct _DBGKD_WRITE_BREAKPOINT64 |
| 5573 | struct _DBGKD_WRITE_CUSTOM_BREAKPOINT |
| 5607 | struct _DBGKD_RESTORE_BREAKPOINT |
| 5611 | struct _DBGKD_BREAKPOINTEX |
| 5616 | struct _DBGKD_CONTINUE |
| 5625 | struct _DBGKD_CONTINUE2 |
| 5638 | struct _DBGKD_READ_WRITE_IO32 |
| 5644 | struct _DBGKD_READ_WRITE_IO64 |
| 5678 | struct _DBGKD_READ_WRITE_IO_EXTENDED32 |
| 5687 | struct _DBGKD_READ_WRITE_IO_EXTENDED64 |
| 5730 | struct _DBGKD_READ_WRITE_MSR |
| 5737 | struct _DBGKD_QUERY_SPECIAL_CALLS |
| 5742 | struct _DBGKD_SET_SPECIAL_CALL32 |
| 5746 | struct _DBGKD_SET_SPECIAL_CALL64 |
| 5766 | struct _DBGKD_SET_INTERNAL_BREAKPOINT32 |
| 5781 | struct _DBGKD_SET_INTERNAL_BREAKPOINT64 |
| 5791 | struct _DBGKD_GET_INTERNAL_BREAKPOINT32 |
| 5801 | struct _DBGKD_GET_INTERNAL_BREAKPOINT64 |
| 5868 | struct _DBGKD_SEARCH_MEMORY |
| 5878 | struct _DBGKD_GET_SET_BUS_DATA |
| 5890 | struct _DBGKD_FILL_MEMORY |
| 5912 | struct _DBGKD_QUERY_MEMORY |
| 5923 | struct _DBGKD_SWITCH_PARTITION |
| 5930 | struct _DBGKD_MANIPULATE_STATE32 |
| 5935 | unnamed union u in _DBGKD_MANIPULATE_STATE32 |
| 5964 | struct _DBGKD_MANIPULATE_STATE64 |
| 5969 | unnamed union u in _DBGKD_MANIPULATE_STATE64 |
The header NTDBG.H is not known in any Device Driver Kit (DDK) or Windows Driver Kit (WDK). That said, many of the structures are well known from a different header, named WINDBGKD.H, that Microsoft supplied among the directories of sample code up to and including the DDK for Windows NT 4.0 and in the ordinary INC directory in the DDK for Windows 2000. Then, it appears to have been withdrawn from publication. This was concurrent with an extensive reworking of all levels of debugger support in Windows XP, notably the unification of debuggers as interface layers above a Debugger Engine (DBGENG.DLL) and the explicit provision for kernel-mode debugging over transports other than a serial port. All this presumably had as a (welcome) consequence that the details of the kernel’s interaction with the debugger no longer should be any benefit to third-party programmers who sought to add to the built-in debugger support.