Geoff Chappell, Software Analyst
The public symbol file NTKRPAMP.PDB for the original release of Windows 10 tells that the kernel is built with the NTSEAPI_X.H header at
d:\th.public.fre\internal\sdk\inc
and draws from it the type definitions that are shown in the table below.
The header NTSEAPI_X.H is not known in any Device Driver Kit (DDK) or Windows Driver Kit (WDK), but all the types that the kernel is known to pick up from NTSEAPI_X.H are defined in one or another of the standard headers that are included by the source code for almost all kernel-mode projects (even the HAL). The line numbers on the left are from the unseen NTSEAPI_X.H but are known from the symbol file. Those on the right are from the WDM.H and NTIFS.H that are readily available in the WDK for Windows 10.
| Line Number | Type | WDM.H | NTIFS.H | Remarks |
|---|---|---|---|---|
| 192 | struct _GENERIC_MAPPING | 5155 | ||
| 215 | struct _LUID_AND_ATTRIBUTES | 5176 | WDM.H loses 2 | |
| 259 | struct _SID_IDENTIFIER_AUTHORITY | 115 | ||
| 267 | struct _SID | 123 | ||
| 317 | struct _SID_AND_ATTRIBUTES | 173 | ||
| 332 | struct _SID_AND_ATTRIBUTES_HASH | 188 | ||
| 942 | struct _ACL | 5200 | ||
| 1445 | struct _SECURITY_DESCRIPTOR_RELATIVE | 897 | ||
| 1455 | struct _SECURITY_DESCRIPTOR | 907 | ||
| 1598 | struct _PRIVILEGE_SET | 5246 | ||
| 1675 | struct _ACCESS_REASONS | 1042 | ||
| 1912 | enum _SECURITY_IMPERSONATION_LEVEL | 5303 | ||
| 1996 | enum _TOKEN_TYPE | 1207 | ||
| 2019 | enum _TOKEN_INFORMATION_CLASS | 1230 | ||
| 2102 | struct _TOKEN_PRIVILEGES | 1313 | ||
| 2169 | struct _TOKEN_MANDATORY_POLICY | 1380 | ||
| 2175 | struct _TOKEN_ACCESS_INFORMATION | 1386 | ||
| 2197 | struct _TOKEN_AUDIT_POLICY | 1408 | ||
| 2203 | struct _TOKEN_SOURCE | 1414 | ||
| 2224 | struct _TOKEN_CONTROL | 1435 | ||
| 2532 | struct _SECURITY_QUALITY_OF_SERVICE | 5330 |
It is not known whether NTSEAPI_X.H is the source of definitions in WDM.H and NTIFS.H or whether all pick them up from yet another header, but the former inference is the simpler. If it’s true, then NTSEAPI_X.H is the first known input for generating NTIFS.H.