Geoff Chappell - Software Analyst
The public symbol file NTKRPAMP.PDB for the original release of Windows 10 tells that the kernel is built with the NTEXAPI.H header at
d:\th.public.fre\internal\sdk\inc
and draws from it the type definitions that are tabulated below. The header NTEXAPI.H is not known in any Device Driver Kit (DDK) or Windows Driver Kit (WDK).
| Line Number | Type |
|---|---|
| 2846 | struct _PEBS_DS_SAVE_AREA |
| 2861 | struct _PROCESSOR_PROFILE_CONTROL_AREA |
| 4049 | struct _WNF_STATE_NAME |
Though only three of the types that are defined in NTEXAPI.H show in the public symbol files for the kernel, hundreds show in symbol files for other modules. Some of these others are kernel-mode drivers, especially for processor power management. Some are user-mode DLLs. Among these are some that are very far removed from system programming, e.g., URLMON.DLL from Internet Explorer. Though the symbol files in question are in effect private symbol files, Microsoft has published them freely in downloadable packages of all the public symbol files for all of Windows, starting with Windows 8. If inclusion of these unusually detailed symbol files in these packages was at first an oversight, it has been left to stand for years, though not for all modules. For instance, it ceased for URLMON.DLL after the 1709 edition of Windows 10.
To anyone with a working knowledge of the documented structures and enumerations for user-mode interaction with the kernel, the types defined in this NTEXAPI.H header that Microsoft keeps very much to itself are an obvious treasure trove. For the record, then, here are the very many types that Microsoft’s freely published URLMON.PDB reveals were accessible to the source code for URLMON.DLL from including NTEXAPI.H when building for the original release of 32-bit Windows 10:
| Line Number | Type |
|---|---|
| 113 | struct _FILE_PATH |
| 131 | struct _WINDOWS_OS_OPTIONS |
| 144 | struct _BOOT_ENTRY |
| 169 | struct _BOOT_OPTIONS |
| 218 | struct _BOOT_ENTRY_LIST |
| 278 | struct _EFI_DRIVER_ENTRY |
| 288 | struct _EFI_DRIVER_ENTRY_LIST |
| 351 | enum _EVENT_INFORMATION_CLASS |
| 359 | struct _EVENT_BASIC_INFORMATION |
| 528 | enum _MUTANT_INFORMATION_CLASS |
| 537 | struct _MUTANT_BASIC_INFORMATION |
| 543 | struct _MUTANT_OWNER_INFORMATION |
| 597 | enum _SEMAPHORE_INFORMATION_CLASS |
| 605 | struct _SEMAPHORE_BASIC_INFORMATION |
| 662 | enum _TIMER_INFORMATION_CLASS |
| 670 | struct _TIMER_BASIC_INFORMATION |
| 679 | struct _T2_SET_PARAMETERS_V0 |
| 1152 | enum _SYSTEM_INFORMATION_CLASS |
| 1337 | struct _SYSTEM_VDM_INSTEMUL_INFO |
| 1374 | struct _SYSTEM_TIMEOFDAY_INFORMATION |
| 1394 | struct _SYSTEM_BASIC_INFORMATION |
| 1410 | struct _SYSTEM_BASIC_INFORMATION64 |
| 1426 | struct _SYSTEM_PROCESSOR_INFORMATION |
| 1434 | struct _SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION |
| 1443 | struct _SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX |
| 1478 | struct _SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT |
| 1483 | struct _SYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION |
| 1489 | struct _SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION |
| 1494 | struct _SYSTEM_PROCESSOR_IDLE_INFORMATION |
| 1519 | struct _SYSTEM_NUMA_PROXIMITY_MAP |
| 1524 | struct _SYSTEM_NUMA_INFORMATION |
| 1534 | struct _SYSTEM_PROCESSOR_POWER_INFORMATION |
| 1557 | struct _SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION |
| 1561 | struct _SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION |
| 1565 | struct _SYSTEM_QUERY_TIME_ADJUST_INFORMATION |
| 1571 | struct _SYSTEM_SET_TIME_ADJUST_INFORMATION |
| 1576 | struct _SYSTEM_BASIC_PERFORMANCE_INFORMATION |
| 1583 | struct _SYSTEM_PERFORMANCE_INFORMATION |
| 1674 | struct _SYSTEM_PROCESS_INFORMATION |
| 1711 | struct _SYSTEM_PROCESS_INFORMATION_EXTENSION |
| 1728 | struct _SYSTEM_SESSION_PROCESS_INFORMATION |
| 1734 | struct _SYSTEM_THREAD_INFORMATION |
| 1748 | struct _SYSTEM_EXTENDED_THREAD_INFORMATION |
| 1759 | struct _SYSTEM_PROCESS_ID_INFORMATION |
| 1764 | struct _SYSTEM_CALL_COUNT_INFORMATION |
| 1771 | struct _SYSTEM_DEVICE_DATA_INFORMATION |
| 1779 | struct _SYSTEM_DEVICE_INFORMATION |
| 1788 | struct _SYSTEM_EXCEPTION_INFORMATION |
| 1795 | struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION |
| 1800 | struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX |
| 1806 | struct _SYSTEM_KERNEL_DEBUGGER_FLAGS |
| 1810 | struct _SYSTEM_REGISTRY_QUOTA_INFORMATION |
| 1816 | struct _SYSTEM_GDI_DRIVER_INFORMATION |
| 1825 | struct _SYSTEM_REF_TRACE_INFORMATION |
| 1832 | struct _SYSTEM_MEMORY_LIST_INFORMATION |
| 1843 | struct _SYSTEM_MEMORY_INFORMATION |
| 1854 | struct _SYSTEM_WORKINGSET_ENTRY |
| 1868 | enum _SYSTEM_MEMORY_LIST_COMMAND |
| 1878 | struct _SYSTEM_PREFETCH_OPTIONS |
| 1889 | struct _SYSTEM_PREFETCH_STATS |
| 1902 | struct _SYSTEM_FLAGS_INFORMATION |
| 1906 | struct _SYSTEM_CALL_TIME_INFORMATION |
| 1912 | struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO |
| 1922 | struct _SYSTEM_HANDLE_INFORMATION |
| 1927 | struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX |
| 1938 | struct _SYSTEM_HANDLE_INFORMATION_EX |
| 1944 | struct _SYSTEM_OBJECTTYPE_INFORMATION |
| 1958 | struct _SYSTEM_OBJECT_INFORMATION |
| 1973 | struct _SYSTEM_PAGEFILE_INFORMATION |
| 1981 | struct _SYSTEM_PAGEFILE_INFORMATION_EX |
| 1987 | struct _SYSTEM_VERIFIER_INFORMATION |
| 2015 | struct _SYSTEM_VERIFIER_COUNTERS_INFORMATION |
| 2045 | enum _VERIFIER_MODE |
| 2065 | struct _SYSTEM_VERIFIER_INFORMATION_EX |
| 2084 | struct _SYSTEM_VERIFIER_TRIAGE_INFORMATION |
| 2092 | struct _SYSTEM_VERIFIER_ISSUE |
| 2100 | struct _SYSTEM_VERIFIER_CANCELLATION_INFORMATION |
| 2109 | struct _SYSTEM_VERIFIER_FAULTS_INFORMATION |
| 2116 | struct _MEMORY_SCRUB_INFORMATION |
| 2121 | struct _MEMORY_COMBINE_INFORMATION |
| 2126 | struct _SYSTEM_ROOT_SILO_INFORMATION |
| 2135 | struct _SYSTEM_ENTROPY_TIMING_INFORMATION |
| 2146 | struct _SYSTEM_FILECACHE_INFORMATION |
| 2158 | struct _SYSTEM_THREAD_CID_PRIORITY_INFORMATION |
| 2163 | struct _SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION |
| 2169 | struct _SYSTEM_SPECIAL_POOL_INFORMATION |
| 2176 | struct _SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION |
| 2185 | enum _WATCHDOG_HANDLER_ACTION |
| 2199 | enum _WATCHDOG_INFORMATION_CLASS |
| 2210 | struct _SYSTEM_WATCHDOG_TIMER_INFORMATION |
| 2215 | struct _SYSTEM_POLICY_INFORMATION |
| 2228 | struct _SYSTEM_POOL_ENTRY |
| 2240 | struct _SYSTEM_POOL_INFORMATION |
| 2250 | struct _SYSTEM_POOLTAG |
| 2263 | struct _SYSTEM_BIGPOOL_ENTRY |
| 2281 | struct _SYSTEM_POOLTAG_INFORMATION |
| 2286 | struct _SYSTEM_SESSION_POOLTAG_INFORMATION |
| 2293 | struct _SYSTEM_BIGPOOL_INFORMATION |
| 2298 | struct _SYSTEM_SESSION_BIGPOOL_INFORMATION |
| 2305 | struct _SYSTEM_SESSION_MAPPED_VIEW_INFORMATION |
| 2313 | struct _SYSTEM_VA_LIST_INFORMATION |
| 2320 | enum _SYSTEM_VA_TYPE |
| 2330 | struct _SYSTEM_CONTEXT_SWITCH_INFORMATION |
| 2345 | struct _SYSTEM_INTERRUPT_INFORMATION |
| 2354 | struct _SYSTEM_DPC_BEHAVIOR_INFORMATION |
| 2364 | struct _SYSTEM_LOOKASIDE_INFORMATION |
| 2376 | struct _SYSTEM_LEGACY_DRIVER_INFORMATION |
| 2386 | struct _SYSTEM_BOOT_ENVIRONMENT_INFORMATION_V1 |
| 2391 | struct _SYSTEM_BOOT_ENVIRONMENT_INFORMATION |
| 2407 | enum _SYSTEM_CRASH_DUMP_CONFIGURATION_CLASS |
| 2413 | struct _SYSTEM_CRASH_DUMP_STATE_INFORMATION |
| 2417 | struct _SYSTEM_HYPERVISOR_QUERY_INFORMATION |
| 2425 | struct _HV_DETAILS |
| 2429 | struct _SYSTEM_HYPERVISOR_DETAIL_INFORMATION |
| 2439 | struct _SYSTEM_DMA_PROTECTION_INFORMATION |
| 2444 | struct _SYSTEM_ISOLATED_USER_MODE_INFORMATION |
| 2456 | struct _SYSTEM_SINGLE_MODULE_INFORMATION |
| 2463 | struct _SYSTEM_PROCESSOR_POLICY_INFORMATION |
| 2471 | struct _COVERAGE_UNLOADED_MODULE_ENTRY |
| 2479 | struct _COVERAGE_MODULE_INFO |
| 2491 | enum _COVERAGE_REQUEST_CODES |
| 2497 | struct _COVERAGE_MODULE_REQUEST |
| 2499 | unnamed union for SearchInfo in _COVERAGE_MODULE_REQUEST |
| 2512 | struct _COVERAGE_MODULES |
| 2519 | struct _SYSTEM_PREFETCH_PATCH_INFORMATION |
| 2527 | struct _SYSTEM_SYSTEM_PARTITION_INFORMATION |
| 2531 | struct _SYSTEM_SYSTEM_DISK_INFORMATION |
| 2555 | struct _SYSTEM_CODEINTEGRITY_INFORMATION |
| 2567 | struct _SYSTEM_PROCESSOR_MICROCODE_UPDATE_INFORMATION |
| 2576 | struct _SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS |
| 2593 | struct _SYSTEM_VHD_BOOT_INFORMATION |
| 2603 | struct _SYSTEM_LOW_PRIORITY_IO_INFORMATION |
| 2620 | struct _SYSTEM_PLATFORM_BINARY_INFORMATION |
| 2632 | struct _SYSTEM_ACPI_AUDIT_INFORMATION |
| 2647 | struct _QUERY_PERFORMANCE_COUNTER_FLAGS |
| 2658 | struct _SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION |
| 2664 | struct _SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION |
| 2678 | enum _BOOT_ENTROPY_SOURCE_RESULT_CODE |
| 2686 | enum _BOOT_ENTROPY_SOURCE_ID |
| 2729 | struct _BOOT_ENTROPY_SOURCE_NT_RESULT |
| 2739 | struct _BOOT_ENTROPY_NT_RESULT |
| 2746 | enum _SYSTEM_PIXEL_FORMAT |
| 2762 | struct _SYSTEM_BOOT_GRAPHICS_INFORMATION |
| 2777 | struct _SYSTEM_BOOT_LOGO_INFORMATION |
| 2787 | struct _SYSTEM_SECUREBOOT_POLICY_INFORMATION |
| 2793 | struct _SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION |
| 2803 | struct _SYSTEM_SECUREBOOT_INFORMATION |
| 2825 | struct _SYSTEM_TPM_INFORMATION |
| 2833 | struct _SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION |
| 2846 | struct _PEBS_DS_SAVE_AREA |
| 2861 | struct _PROCESSOR_PROFILE_CONTROL_AREA |
| 2871 | struct _SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA |
| 2880 | struct _SYSTEM_CONSOLE_INFORMATION |
| 2891 | struct _SYSTEM_ERROR_PORT_TIMEOUTS |
| 2905 | struct _SYSTEM_ELAM_CERTIFICATE_INFORMATION |
| 2913 | struct _SYSTEM_PROCESSOR_FEATURES_INFORMATION |
| 2924 | struct _SYSTEM_MANUFACTURING_INFORMATION |
| 2944 | struct _SYSTEM_CODEINTEGRITYPOLICY_INFORMATION |
| 2957 | struct _SYSTEM_INTERRUPT_CPU_SET_INFORMATION |
| 2967 | struct _SYSTEM_CPU_SET_TAG_INFORMATION |
| 3011 | enum _SYSDBG_COMMAND |
| 3052 | struct _SYSDBG_VIRTUAL |
| 3058 | struct _SYSDBG_PHYSICAL |
| 3064 | struct _SYSDBG_CONTROL_SPACE |
| 3071 | struct _SYSDBG_IO_SPACE |
| 3080 | struct _SYSDBG_MSR |
| 3084 | struct _SYSDBG_BUS_DATA |
| 3101 | struct _SYSDBG_TRIAGE_DUMP |
| 3119 | union _SYSDBG_LIVEDUMP_CONTROL_FLAGS |
| 3159 | union _SYSDBG_LIVEDUMP_CONTROL_ADDPAGES |
| 3177 | struct _SYSDBG_LIVEDUMP_CONTROL |
| 3218 | enum _HARDERROR_RESPONSE_OPTION |
| 3230 | enum _HARDERROR_RESPONSE |
| 3251 | struct _HARDERROR_MSG |
| 3613 | enum _SHUTDOWN_ACTION |
| 3783 | enum _ATOM_INFORMATION_CLASS |
| 3788 | struct _ATOM_BASIC_INFORMATION |
| 3795 | struct _ATOM_TABLE_INFORMATION |
| 3878 | struct _SL_KMEM_CACHE_VALUE_DESCRIPTOR |
| 3890 | struct _SL_KMEM_CACHE |
| 3903 | struct _SL_APPX_CACHE_VALUE_DESCRIPTOR |
| 3911 | struct _SL_APPC_CACHE |
| 3959 | struct _SL_HWID_DEVICE_INFO |
| 4049 | struct _WNF_STATE_NAME |
| 4069 | enum _WNF_STATE_NAME_LIFETIME |
| 4122 | enum _WNF_DATA_SCOPE |
| 4177 | struct _WNF_TYPE_ID |
| 4253 | enum _WNF_STATE_NAME_INFORMATION |
| 4294 | struct _WNF_DELIVERY_DESCRIPTOR |
If you think that a new, open and responsible Microsoft was reined in by a bruising experience of defending anti-trust suits, then consider first that among the suit’s claims was that Internet Explorer, supposedly in open competition with other web browsers, had extraordinary access to undocumented system-level detail about Windows, for which Microsoft had monopoly power. Then take in the table above as showing very plainly that Internet Explorer was built with the extraordinary access of including the kernel’s NTEXAPI.H header with its definitions of hundreds of undocumented structures.
True, the table shows this extraordinary access only for URLMON.DLL in the original release of Windows 10. A similar table can be prepared from public evidence only starting with Windows 8. For URLMON.DLL in particular, the evidence is gone from Windows 10 in the 1803 release. But if you think this means the access has stopped, look at the symbol file for MSXML6.DLL even as recently as the 2004 release. Why, getting on to two decades after Microsoft’s supposed chastening about using undocumented system interfaces to support middleware anti-competitively, is a user-mode DLL for parsing XML files built with this undocumented access to the kernel?
It’s possible, of course, that this particular favouring of Internet Explorer with undocumented functionality was new for Windows 8, as if years after Microsoft’s settlement was done and dusted, Microsoft thought to start a new form of the same practice that had got it into supposedly so much trouble. Much more credible is that the practice never stopped and that the evidence in Windows 8 and higher is of exactly the advantage that Internet Explorer had all the while that the allegations of anti-competitive practices were litigated and the settlement was supposedly enforced.