Geoff Chappell - Software Analyst
The public symbol file NTKRPAMP.PDB for the original release of Windows 10 tells that the kernel is built with the NTMMAPI.H header at
d:\th.public.fre\internal\sdk\inc
and draws from it the type definitions that are tabulated below. The header NTMMAPI.H is not known in any Device Driver Kit (DDK) or Windows Driver Kit (WDK).
| Line Number | Type |
|---|---|
| 305 | struct _SECTION_IMAGE_INFORMATION |
Though public symbols for the kernel show only one type as defined in NTMMAPI.H, many more show in symbol files for other modules. Among these are user-mode DLLs that are very far removed from system programming, e.g., URLMON.DLL from Internet Explorer. Though the symbol files in question are in effect private symbol files, Microsoft has published them freely in downloadable packages of all the public symbol files for all of Windows, starting with Windows 8. If inclusion of these unusually detailed symbol files in these packages was at first an oversight, it has been left to stand for years, though not for all modules. For instance, it ceased for URLMON.DLL after the 1709 edition of Windows 10.
To anyone with a working knowledge of the documented structures and enumerations for user-mode interaction with the kernel, the types defined in this NTMMAPI.H header that Microsoft keeps very much to itself are an obvious treasure trove. This is specially remarkable in the context of Microsoft’s settlement of an anti-trust suit among whose allegations were that Microsoft’s products such as Internet Explorer had access to Microsoft’s operating system, a monopoly product, which Microsoft did not provide to these products’ competitors. For the record, then, here are the very many types that Microsoft’s freely published URLMON.PDB reveals were accessible to the source code for URLMON.DLL from including the unpublished NTMMAPI.H when building for the original release of 32-bit Windows 10:
| Line Number | Type |
|---|---|
| 50 | struct _MEMORY_WORKING_SET_BLOCK |
| 67 | enum _MEMORY_WORKING_SET_EX_LOCATION |
| 74 | struct _MEMORY_WORKING_SET_EX_BLOCK |
| 93 | unnamed struct Invalid in anonymous union in struct _MEMORY_WORKING_SET_EX_BLOCK |
| 119 | struct _MEMORY_WORKING_SET_EX_INFORMATION |
| 121 | unnamed union u1 in struct _MEMORY_WORKING_SET_EX_INFORMATION |
| 127 | struct _MEMORY_WORKING_SET_INFORMATION |
| 132 | struct _MEMORY_SHARED_COMMIT_INFORMATION |
| 138 | struct _MEMORY_REGION_INFORMATION |
| 146 | struct _MEMORY_RANGE_ENTRY |
| 151 | enum _VIRTUAL_MEMORY_INFORMATION_CLASS |
| 158 | struct _MEMORY_IMAGE_INFORMATION |
| 201 | struct _MEMORY_FRAME_INFORMATION |
| 211 | struct _FILEOFFSET_INFORMATION |
| 217 | struct _PAGEDIR_INFORMATION |
| 223 | struct _UNIQUE_PROCESS_INFORMATION |
| 229 | struct _MMPFN_IDENTITY |
| 230 | unnamed union u1 in struct _MMPFN_IDENTITY |
| 237 | unnamed union u2 in struct _MMPFN_IDENTITY |
| 238 | unnamed struct e1 in unnamed union u2 in struct _MMPFN_IDENTITY |
| 242 | unnamed struct e2 in unnamed union u2 in struct _MMPFN_IDENTITY |
| 252 | enum _MM_ETW_WORKING_SET_TYPE |
| 259 | union _MM_ETW_PAGE_EXTRA_INFO |
| 260 | unnamed struct e1 in union _MM_ETW_PAGE_EXTRA_INFO |
| 263 | unnamed struct e2 in union _MM_ETW_PAGE_EXTRA_INFO |
| 272 | struct _MM_ETW_PAGE_INFO |
| 276 | struct _MM_ETW_PAGE_INFO_EX |
| 281 | struct _MM_ETW_WORKING_SET_PFN_RUNDOWN |
| 287 | enum _SECTION_INFORMATION_CLASS |
| 294 | struct _SECTIONBASICINFO |
| 305 | struct _SECTION_IMAGE_INFORMATION |
| 347 | struct _SECTION_IMAGE_INFORMATION32 |
| 388 | struct _SECTION_IMAGE_INFORMATION64 |
| 437 | struct _PHYSICAL_CHANNEL_RUN |
| 445 | struct _SYSTEM_MEMORY_TOPOLOGY_INFORMATION |
| 461 | struct _SYSTEM_MEMORY_CHANNEL_INFORMATION |
| 488 | enum _PROCESS_WORKING_SET_OPERATION |
| 504 | struct _PROCESS_WORKING_SET_CONTROL |
| 526 | struct _MEMORY_PARTITION_TRANSFER_INFORMATION |
| 532 | struct _MEMORY_PARTITION_INITIAL_ADD_INFORMATION |
| 538 | struct _MEMORY_PARTITION_PAGEFILE_INFORMATION |
| 545 | struct _MEMORY_PARTITION_CONFIGURATION_INFORMATION |
| 557 | struct _MEMORY_PARTITION_PAGE_COMBINE_INFORMATION |
| 563 | enum _MEMORY_PARTITION_INFORMATION_CLASS |
This looks to be a complete reckoning of named classes, enumerations, structures and unions that are defined in the unseen NTMMAPI.H. A contemporaneous statically linked library named CLFSMGMT.LIB has its type information from creating a pre-compiled header, such that it almost certainly is complete for its inclusions from NTMMAPI.H, and yet it adds only anonymous structures and unions that are nested within the types listed above.