Geoff Chappell - Software Analyst
The public symbol file NTKRPAMP.PDB for the original release of Windows 10 tells that the kernel is built with the NTURTL.H header at
d:\th.public.fre\internal\sdk\inc
and draws from it the following type definitions:
| Line Number | Type |
|---|---|
| 60 | struct _RTL_CRITICAL_SECTION_DEBUG |
| 90 | struct _RTL_CRITICAL_SECTION |
| 432 | struct _RTL_SRWLOCK |
| 3258 | struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME |
The header NTURTL.H is not known in any Device Driver Kit (DDK) or Windows Driver Kit (WDK), but most of the (few) types that the kernel is known to pick up from this header are defined in WINNT.H. This, of course, is the standard header for user-mode Windows programming. That types from NTURTL.H as learnt from symbol files for the kernel are also defined in WINNT.H is because NTURTL.H exists for user-mode programming—this being, presumably, the point to the U in the name.
The _RTL_CRITICAL_SECTION and _RTL_SRWLOCK, for instance, provide user-mode software with synchronisation that hopes to gain by only rarely passing the waiting and waking to a kernel-mode synchronisation object. The kernel, however, knows nothing of these user-mode structures. For instance, it has no code for entering or leaving a critical section as represented by an _RTL_CRITICAL_SECTION. That _RTL_CRITICAL_SECTION is in the kernel’s symbol files is only because it is used, as the compiler sees it, in defining structures that are shared with user mode, not because the kernel ever does use it.
Though the kernel’s source code includes NTURTL.H, which is enough for coverage in this website’s Kernel study, information about this header is better sought elsewhere than public symbols for the kernel.
Symbol files other than the kernel’s tell of very many more types that are defined in NTURTL.H. Especially helpful is that Microsoft’s downloadable packages of public symbols have since Windows 8 contained private symbol files for a small selection of user-mode DLLs. Several of these, among them some from surprisingly high-level Windows features, were built with access to NTURTL.H for at least one source file. Private symbols for these then tell of types that the compiler regarded as used by a real-world source file rather than the sort of dummy source file that tends to be used for merging type information into public symbol files.
Very little of this much larger view of Run-Time Library (RTL) functionality is exposed through WINNT.H or any other header that Microsoft has published for programmers in general. Even for user-mode programming, NTURTL.H is evidently intended by Microsoft for Microsoft’s programming only. Hardly anything that is defined in NTURTL.H is documented, nor even has a C-language definition republished in WINNT.H or any other header that Microsoft makes available for the general purpose of writing user-mode software to run on Windows, including to in competition with Microsoft’s user-mode software in a supposedly competitive market.
How then does it happen that URLMON.DLL, introduced long ago as a component of Internet Explorer, still with version numbering that follows that of Internet Explorer, is built with access to definitions in this header that Microsoft does not publish for the writers of competing web browsers?
For the record, here are the many more types that Microsoft’s freely published URLMON.PDB reveals were accessible to the source code for URLMON.DLL from including this same NTURTL.H when building Internet Explorer for the original release of 32-bit Windows 10:
| Line Number | Type | WINNT.H |
|---|---|---|
| 60 | struct _RTL_CRITICAL_SECTION_DEBUG | 18731 |
| 90 | struct _RTL_CRITICAL_SECTION | 18761 |
| 113 | struct _RTL_CRITICAL_SECTION_DEBUG32 | |
| 123 | struct _RTL_CRITICAL_SECTION_DEBUG64 | |
| 133 | struct _RTL_CRITICAL_SECTION32 | |
| 142 | struct _RTL_CRITICAL_SECTION64 | |
| 160 | struct _RTL_RESOURCE | |
| 432 | struct _RTL_SRWLOCK_INTERNAL (see note after table) | 18778 |
| (449) | anonymous union in struct _RTL_SRWLOCK |
|
| (451) | anonymous struct in anonymous union in struct _RTL_SRWLOCK |
|
| 559 | struct _RTL_CONDITION_VARIABLE_INTERNAL (see note after table) | 18782 |
| (566) | anonymous union in struct _RTL_CONDITION_VARIABLE |
|
| (568) | anonymous struct in anonymous union in struct _RTL_CONDITION_VARIABLE |
|
| 637 | struct _RTL_UNLOAD_EVENT_TRACE | |
| 647 | struct _RTL_UNLOAD_EVENT_TRACE64 | |
| 657 | struct _RTL_UNLOAD_EVENT_TRACE32 | |
| 710 | enum _RTL_RXACT_OPERATION | |
| 718 | struct _RTL_RXACT_LOG | |
| 736 | struct _RTL_RXACT_CONTEXT | |
| 962 | struct _RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION | |
| 969 | struct _RTLP_PROCESS_REFLECTION_CONTEXT | |
| 1087 | struct _RTL_RELATIVE_NAME | |
| 1093 | enum _RTL_PATH_TYPE | |
| 1348 | struct RTL_ACE_DATA | |
| 1523 | struct _RTL_PERTHREAD_CURDIR | |
| 1605 | struct _RTL_HEAP_TAG_INFO | |
| 1699 | struct _RTL_HEAP_WALK_ENTRY | |
| (1705) | anonymous union in struct _RTL_HEAP_WALK_ENTRY |
|
| 1706 | unnamed struct Block in anonymous union in struct _RTL_HEAP_WALK_ENTRY |
|
| 1712 | unnamed struct Segment in anonymous union in struct _RTL_HEAP_WALK_ENTRY |
|
| 1729 | struct _RTL_HEAP_ENTRY | |
| 1733 | unnamed union u in struct _RTL_HEAP_ENTRY |
|
| 1734 | unnamed struct s1 in unnamed union u in struct _RTL_HEAP_ENTRY |
|
| 1738 | unnamed struct s2 in unnamed union u in struct _RTL_HEAP_ENTRY |
|
| 1764 | struct _RTL_HEAP_TAG | |
| 1773 | struct _RTL_HEAP_INFORMATION | |
| 1789 | struct _RTL_PROCESS_HEAPS | |
| 1800 | enum _HEAP_INFORMATION_CLASS | 18796 |
| (1941) | struct _HEAP_OPTIMIZE_RESOURCES_INFORMATION | 18818 |
| 1859 | struct _RTLP_VIRTUALIZED_HEAP | |
| 1865 | struct _RTLP_VIRTUALIZED_HEAPS_INFO | |
| 1894 | struct _PROCESS_HEAP_INFORMATION | |
| 1907 | struct _HEAP_INFORMATION | |
| 1918 | struct _HEAP_REGION_INFORMATION | |
| 1931 | struct _HEAP_RANGE_INFORMATION | |
| 1959 | struct _HEAP_BLOCK_EXTRA_INFORMATION | |
| 1969 | struct _HEAP_BLOCK_INFORMATION | |
| 1981 | struct _HEAP_BLOCK_SETTABLE_INFORMATION | |
| 1989 | struct _SEGMENT_HEAP_PERFORMANCE_COUNTER_INFORMATION | |
| 2001 | struct _HEAP_PERFORMANCE_COUNTERS_INFORMATION | |
| 2030 | struct _HEAP_INFORMATION_ITEM | |
| (2035) | anonymous union in struct _HEAP_INFORMATION_ITEM |
|
| 2057 | struct _HEAP_EXTENDED_INFORMATION | |
| (2065) | anonymous union in struct _HEAP_EXTENDED_INFORMATION |
|
| 2126 | struct _RTL_DEBUG_INFORMATION | |
| (2139) | anonymous union in struct _RTL_DEBUG_INFORMATION |
|
| 2155 | struct _RTL_DEBUG_INFORMATION32 | |
| (2168) | anonymous union in struct _RTL_DEBUG_INFORMATION32 |
|
| 2184 | struct _RTL_QUERY_DEBUG_INFORMATION_INFO | |
| 2208 | struct _RTL_QUERY_DEBUG_VIRTUAL_PROCESS | |
| 2326 | struct _RTL_HANDLE_TABLE_ENTRY | |
| (2327) | anonymous union in struct _RTL_HANDLE_TABLE_ENTRY |
|
| 2335 | struct _RTL_HANDLE_TABLE | |
| 2561 | struct _FLS_DATA | |
| (2715) | enum _ACTIVATION_CONTEXT_INFO_CLASS | 18857 |
| (2744) | struct _ACTIVATION_CONTEXT_QUERY_INDEX | 18877 |
| (2796) | struct _ACTIVATION_CONTEXT_BASIC_INFORMATION | |
| (2797) | anonymous union in struct _ACTIVATION_CONTEXT_BASIC_INFORMATION |
|
| (2801) | anonymous union in struct _ACTIVATION_CONTEXT_BASIC_INFORMATION |
|
| (2821) | struct _ASSEMBLY_FILE_DETAILED_INFORMATION | 18890 |
| (2840) | struct _ACTIVATION_CONTEXT_ASSEMBLY_DETAILED_INFORMATION | 18909 |
| (2868) | enum ACTCTX_REQUESTED_RUN_LEVEL | 19937 |
| (2876) | struct _ACTIVATION_CONTEXT_RUN_LEVEL_INFORMATION | 18945 |
| (2885) | enum ACTCTX_COMPATIBILITY_ELEMENT_TYPE | 18954 |
| (2891) | struct _COMPATIBILITY_CONTEXT_ELEMENT | 18960 |
| (2905) | struct _ACTIVATION_CONTEXT_COMPATIBILITY_INFORMATION | 18974 |
| (2918) | struct _SUPPORTED_OS_INFO | 18987 |
| (2923) | struct _ACTIVATION_CONTEXT_DETAILED_INFORMATION | 18992 |
| 2942 | struct _FINDFIRSTACTIVATIONCONTEXTSECTION | |
| 3013 | struct _ASSEMBLY_STORAGE_MAP_RESOLUTION_CALLBACK_DATA_RESOLUTION_BEGINNING | |
| 3032 | struct _ASSEMBLY_STORAGE_MAP_RESOLUTION_CALLBACK_DATA_GET_ROOT | |
| 3040 | struct _ASSEMBLY_STORAGE_MAP_RESOLUTION_CALLBACK_DATA_RESOLUTION_SUCCESSFUL | |
| 3045 | struct _ASSEMBLY_STORAGE_MAP_RESOLUTION_CALLBACK_DATA_RESOLUTION_ENDING | |
| 3049 | union _ASSEMBLY_STORAGE_MAP_RESOLUTION_CALLBACK_DATA | |
| 3097 | struct _ACTIVATION_CONTEXT_SECTION_KEYED_DATA_2600 | |
| 3112 | struct _ACTIVATION_CONTEXT_SECTION_KEYED_DATA_ASSEMBLY_METADATA | |
| 3121 | struct _ACTIVATION_CONTEXT_SECTION_KEYED_DATA | |
| 3170 | struct _ACTIVATION_CONTEXT_ASSEMBLY_DATA | |
| 3258 | struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME | |
| 3268 | struct _RTL_CALLER_ALLOCATED_ACTIVATION_CONTEXT_STACK_FRAME_BASIC | |
| 3274 | struct _RTL_CALLER_ALLOCATED_ACTIVATION_CONTEXT_STACK_FRAME_EXTENDED | |
| 3403 | enum _WOW64_FUNCTION_CODE64 | |
| (4358) | struct _HARDWARE_COUNTER_DATA | 19012 |
| (4366) | struct _PERFORMANCE_DATA | 19020 |
The names _RTL_SRWLOCK_INTERNAL and _RTL_CONDITION_VARIALE_INTERNAL look to be created by macros so that URLMON.DLL has both the full definitions of _RTL_SRWLOCK and _RTL_CONDITION_VARIABLE from NTURTL.H and the reduced definitions from WINNT.H.