Geoff Chappell - Software Analyst
The public symbol file NTKRPAMP.PDB for the original release of Windows 10 tells that the kernel is built with the NTRTL_X.H header at
d:\th.public.fre\internal\minwin\priv_sdk\inc
and draws from it the type definitions that are shown in the table below.
The header NTRTL_X.H is not known in any Device Driver Kit (DDK) or Windows Driver Kit (WDK), but all the types that the kernel is known to pick up from NTRTL_X.H are defined in at least one of the standard headers that are included by the source code for almost all kernel-mode projects (even the HAL).
| Line Number | Type | WDM.H | NTDDK.H | NTIFS.H | NTOSP.H |
|---|---|---|---|---|---|
| 129 | union _SLIST_HEADER | 10527 | 190 | ||
| 1058 | enum _RTL_GENERIC_COMPARE_RESULTS | 1947 | |||
| 1181 | struct _RTL_BALANCED_LINKS | 2070 | |||
| 1198 | struct _RTL_AVL_TABLE | 2087 | |||
| 1611 | struct _RTL_SPLAY_LINKS | 2500 | |||
| 2270 | struct _RTL_DYNAMIC_HASH_TABLE_ENTRY | 3159 | |||
| 2303 | struct _RTL_DYNAMIC_HASH_TABLE_CONTEXT | 3192 | |||
| 2309 | struct _RTL_DYNAMIC_HASH_TABLE_ENUMERATOR | 3198 | |||
| 2318 | struct _RTL_DYNAMIC_HASH_TABLE | 3207 | |||
| 4810 | struct _COMPRESSED_DATA_INFO | 3065 | |||
| 5987 | struct _TIME_FIELDS | 12718 | |||
| 6501 | struct _RTL_BITMAP | 13054 |
Clues have abounded since version 3.10 that these standard headers are constructed from others. If NTRTL_X.H is among these others, then it is the first that is known to contribute to NTOSP.H. As far as can be seen from consistency in line numbering, the lines in NTDDK.H are extracted intact.
For the record, here are the many more types that Microsoft’s freely published URLMON.PDB reveals were accessible to the source code for URLMON.DLL from including this same NTRTL_X.H when building Internet Explorer for the original release of 32-bit Windows 10:
| Line Number | Type |
|---|---|
| 257 | union _RTL_RUN_ONCE_INTERNAL |
| 348 | unnamed struct for DUMMYRESERVEDSTRUCTNAME
in unnamed union in struct _RTL_BARRIER |
| 370 | union _RTL_ELEVATION_FLAGS |
| 1047 | enum _TABLE_SEARCH_RESULT |
| 1058 | enum _RTL_GENERIC_COMPARE_RESULTS |
| 1181 | struct _RTL_BALANCED_LINKS |
| 1198 | struct _RTL_AVL_TABLE |
| 1611 | struct _RTL_SPLAY_LINKS |
| 1985 | struct _RTL_GENERIC_TABLE |
| 2270 | struct _RTL_DYNAMIC_HASH_TABLE_ENTRY |
| 2303 | struct _RTL_DYNAMIC_HASH_TABLE_CONTEXT |
| 2309 | struct _RTL_DYNAMIC_HASH_TABLE_ENUMERATOR |
| 2318 | struct _RTL_DYNAMIC_HASH_TABLE |
| 2660 | struct _RTL_HEAP_PARAMETERS |
| 3067 | struct _RTL_QUERY_REGISTRY_TABLE |
| 3334 | struct _RTL_LFG_RNG_STATE |
| 4542 | struct _GENERATE_NAME_CONTEXT |
| 4633 | struct _PREFIX_TABLE_ENTRY |
| 4642 | struct _PREFIX_TABLE |
| 4703 | struct _UNICODE_PREFIX_TABLE_ENTRY |
| 4713 | struct _UNICODE_PREFIX_TABLE |
| 4810 | struct _COMPRESSED_DATA_INFO |
| 5987 | struct _TIME_FIELDS |
| 6501 | struct _RTL_BITMAP |
| 6689 | struct _RTL_BITMAP_RUN |
| 7793 | struct _OSVERSIONINFOEX2A |
| 7808 | struct _OSVERSIONINFOEX2W |
| 7861 | struct _OSVERSIONINFOEXA |
| 7874 | struct _OSVERSIONINFOEXW |
| 8244 | struct _RTL_UMS_CONTEXT |
| 8324 | struct _RTL_UMS_COMPLETION_LIST |
| 8381 | struct _RTL_UMS_SCHEDULER_STARTUP_INFO |
| 8529 | enum _APPCONTAINER_SID_TYPE |
URLMON knows the _RTL_BARRIER structure from including WINNT.H, but what it gets from this is only a reduced definition. The _RTL_BARRIER in NTRTL_X.H has this same reduced definition nested two levels within as a member named DUMMYRESERVEDSTRUCTNAME. WINNT.H retains nothing of the nesting except for its (otherwise excessive) indentation.
The _RTL_RUN_ONCE_INTERNAL at line 257 is named _RTL_RUN_ONCE in other symbol files. It too has a reduced definition in WINNT.H. URLMON has both definitions, the one in NTRTL_X.H apparently being renamed by macro to avoid confusion. Further study may be worthwhile.