Geoff Chappell, Software Analyst
The public symbol file NTKRPAMP.PDB for the original release of Windows 10 tells that the kernel is built with the NTTPAPI.H header at
d:\th.public.fre\internal\sdk\inc
and draws from it the type definitions that are tabulated below.
The header NTTPAPI.H is not known ever to have been published by Microsoft, but all the types that are picked up from it for the kernel’s public symbol files are defined in WINNT.H, i.e., the standard header for user-mode programming. The line numbers on the left are from the unseen NTTPAPI.H. They are known from the symbol file for the original release of Windows 10. The line numbers on the right are from WINNT.H as published in the Software Development Kit (SDK) for the original release of Windows 10.
| Line Number | Type | WINNT.H |
|---|---|---|
| 74 | enum _TP_CALLBACK_PRIORITY | 20214 |
| 270 | struct _TP_CALLBACK_ENVIRON_V3 | 20241 |
| 278 | unnamed union for u in _TP_CALLBACK_ENVIRON_V3 | 20249 |
| 280 | unnamed struct for s in u in _TP_CALLBACK_ENVIRON_V3 | 20251 |
The definitions in WINNT.H for user-mode programming will have been extracted from NTTPAPI.H, or both are extracted from yet another file that has the master definitions. Some tiny selection of lines from NTTAPI.H can thus be inferred from WINNT.H lines 20203 to 20462.
The wonder is that the public symbol files for the kernel should have these types at all. The user-mode caller of functions in the Thread Pool API provides memory for a _TP_CALLBACK_ENVIRON_V3 (ordinarily referred to by TP_CALLBACK_ENVIRON as a typedef), gets it minimally prepared by passing it to one inline routine and then uses it for various API functions and other inline routines.
The type definition for _TP_CALLBACK_PRIORITY will have been picked up from that of _TP_CALLBACK_ENVIRON_V3, given that the header defines the enumeration ahead of the structure. Several structures that are pointed to from _TP_CALLBACK_ENVIRON_V3 members, namely _ACTIVATION_CONTEXT, _TP_CALLBACK_INSTANCE, _TP_CLEANUP_GROUP and _TP_POOL, are named but without type information. They evidently are not defined in any header that’s included when building the kernel’s public symbol files.
That even _TP_CALLBACK_ENVIRON_V3 has type information in the public symbol files for the kernel may be unintended. The type information for this structure is not referenced within these symbol files except to associate it with the header. To go from what survives in WINNT.H, just including NTTPAPI.H will get type information for _TP_CALLBACK_ENVIRON_V3 into the public symbol files because the structure is used in the inline routine TpInitializeCallbackEnviron.
For the record, here are the many more types that Microsoft’s freely published URLMON.PDB reveals were accessible to the source code for URLMON.DLL from including this same NTRTL_X.H when building Internet Explorer for the original release of 32-bit Windows 10:
| Line Number | Type |
|---|---|
| 74 | enum _TP_CALLBACK_PRIORITY |
| 270 | struct _TP_CALLBACK_ENVIRON_V3 |
| 960 | struct _TP_TASK_CALLBACKS |
| 965 | struct _TP_TASK |
| 1022 | struct _TP_DIRECT |
| 1068 | enum _TP_DEBUG_CLASS |
| 1074 | struct _TP_DEBUG_FREE_INFO |
| 1078 | enum _TP_LOG_LEVEL |
| 1165 | enum _WORKERFACTORYINFOCLASS |
| 1186 | struct _WORKER_FACTORY_BASIC_INFORMATION |
| 1213 | enum _WORKER_FACTORY_CALLBACK_CLASS |
| 1243 | struct _WORKER_FACTORY_DEFERRED_WORK |
| 1374 | enum _TP_TRACE_TYPE |