Geoff Chappell - Software Analyst
The public symbol file NTKRPAMP.PDB for the original release of Windows 10 tells that the kernel is built with the PROCPOWR.H header at
d:\th\minkernel\ntos\inc
and draws from it the type definitions that are tabulated below. The PROCPOWR.H header is not known in any Device Driver Kit (DDK) or Windows Driver Kit (WDK).
| Line Number | Type |
|---|---|
| 277 | struct _PROCESSOR_IDLE_CONSTRAINTS |
| 292 | struct _PROCESSOR_IDLE_DEPENDENCY |
| 299 | struct _PROCESSOR_IDLE_PREPARE_INFO |
| 310 | struct _PROCESSOR_PLATFORM_STATE_RESIDENCY |
| 315 | struct _PROCESSOR_PLATFORM_STATE_RESIDENCIES |
| 955 | union _PPM_IDLE_SYNCHRONIZATION_STATE |
| 971 | struct _PPM_VETO_ENTRY |
| 977 | struct _PPM_VETO_ACCOUNTING |
| 985 | struct _PPM_IDLE_STATE |
| 1005 | struct _PPM_SELECTION_MENU_ENTRY |
| 1014 | struct _PPM_SELECTION_MENU |
| 1019 | struct _PPM_SELECTION_DEPENDENCY |
| 1024 | struct _PPM_COORDINATED_SELECTION |
| 1031 | struct _PPM_IDLE_STATES |
| 1072 | struct _PROC_IDLE_POLICY |
| 1080 | struct _PPM_FFH_THROTTLE_STATE_INFO |
| 1088 | struct _PROC_FEEDBACK_COUNTER |
| 1108 | struct _PROC_PERF_CONSTAINT |
| 1159 | struct _PROC_PERF_DOMAIN |
| 1230 | struct _PROC_PERF_LOAD |
| 1235 | struct _PPM_SELECTION_STATISTICS |
| 1287 | enum PPM_IDLE_BUCKET_TIME_TYPE |
| 1293 | struct _PROC_IDLE_STATE_BUCKET |
| 1300 | struct _PROC_IDLE_STATE_ACCOUNTING |
| 1312 | struct _PROC_IDLE_ACCOUNTING |
| 1327 | struct _PLATFORM_IDLE_STATE_ACCOUNTING |
| 1339 | struct _PLATFORM_IDLE_ACCOUNTING |
| 1351 | union _PPM_COORDINATED_SYNCHRONIZATION |
| 1369 | struct _PPM_PLATFORM_STATE |
| 1388 | struct _PPM_PLATFORM_STATES |
| 1430 | struct _PROC_IDLE_SNAP |
| 1435 | struct _PROC_PERF_CHECK_SNAP |
| 1447 | struct _PROC_PERF_CHECK |
| 1485 | struct _PROC_FEEDBACK |
| 1594 | struct _PROC_PERF_HISTORY_ENTRY |
| 1601 | struct _PROC_PERF_HISTORY |
| 1611 | struct _PPM_CONCURRENCY_ACCOUNTING |
| 1630 | enum _PROC_HYPERVISOR_STATE |
| 1637 | struct _PROCESSOR_POWER_STATE |
A few of these types that the kernel’s public symbol file picks up from PROCPOWR.H are defined in the NTOSP.H which Microsoft looks to have published by oversight with the original and Version 1511 editions of the Windows 10 WDK. Microsoft’s disclosure of NTOSP.H adds greatly to the types that can be deduced with high confidence as having their definitions in PROCPOWR.H. In the assembling of NTOSP.H from other headers, extraction of lines that are shared with PROCPOWR.H looks to begin at line 52248 (or perhaps 52249) and to end at line 53170.
This range of lines in NTOSP.H is conspicuously neat in its formatting. Extraction of other material from other headers to NTOSP.H and to the standard headers such as WDM.H and NTDDK.H frequently leaves disturbances in otherwise regular use of white space, but the only irregularity here is one instance of two consecutive blank lines (52304 and 52305). Even if this suggests that something of PROCPOWR.H is missing between NTOSP.H lines 52304 and 52305, the known line numbers are consistent with PROCPOWR.H having been copied intact: lines 87 to 952 of PROCPOWR.H can be reconstructed with very high confidence from lines 52305 to 53170 of NTOSP.H.
Still, although contiguity of duplication into NTOSP.H tells of more types in PROCPOWR.H than show in the kernel’s public symbols, the line numbers that are known from the symbols show that the published NTOSP.H reproduces no more than half of the unseen PROCPOWR.H. It would be a fair bet, if not a certainty, that the remainder of PROCPOWR.H also defines at least some types that don’t show in the kernel’s public symbols. There turn out to be only three more—well, that I have yet found—but you can’t know until you look.
In the downloadable package of public symbols for the original Windows 10, the kernel’s are not the only ones that have type information from having included PROCPOWR.H, but the others are few and add little. Far and away the greatest disclosure is not in any symbol file but in a statically linked library—and not one that Microsoft supplies with the WDK. It is instead a curious library named CLFSMGMT.LIB some of whose archived objects do contain kernel-mode code but which Microsoft publishes with the Software Development Kit (SDK) in a subdirectory named “um” as if to suggest it’s intended for user-mode programming.
For the next table, the numbers on the left are from the unseen PROCPOWR.H, having been deduced from the CLFSMGMT.LIB for the original Windows 10 (and checked against the more forensically meaningful line numbers from symbol files), and those on the right are from the published NTOSP.H for the original Windows 10.
| Line Number | Type | NTOSP.H |
|---|---|---|
| 71 | struct _PROCESSOR_FEEDBACK_COUNTER | 52289 |
| 72 | anonymous union in struct _PROCESSOR_FEEDBACK_COUNTER |
52290 |
| 277 | struct _PROCESSOR_IDLE_CONSTRAINTS | 52495 |
| 292 | struct _PROCESSOR_IDLE_DEPENDENCY | 52510 |
| 299 | struct _PROCESSOR_IDLE_PREPARE_INFO | 52517 |
| 310 | struct _PROCESSOR_PLATFORM_STATE_RESIDENCY | 52528 |
| 315 | struct _PROCESSOR_PLATFORM_STATE_RESIDENCIES | 52533 |
| 450 | struct _PROCESSOR_IDLE_STATE_EX | 52668 |
| 466 | struct _PROCESSOR_IDLE_STATES_EX | 52684 |
| 506 | struct _PLATFORM_IDLE_STATE | 52724 |
| 517 | struct _PLATFORM_IDLE_STATES | 52735 |
| 529 | struct _COORDINATED_IDLE_DEPENDENCY | 52747 |
| 535 | struct _COORDINATED_IDLE_STATE | 52753 |
| 548 | struct _COORDINATED_IDLE_STATES | 52766 |
| 558 | struct PROCESSOR_IDLE_STATES_HV | 52776 |
| 564 | struct _PROCESSOR_PERF_STATES_HV | 52782 |
| 572 | struct _PROCESSOR_PERF_CAP_HV | 52790 |
| 580 | struct _PROCESSOR_IDLE_DOMAIN | 52798 |
| 584 | struct _PROCESSOR_IDLE_DOMAINS | 52802 |
| 591 | struct _PPM_FORCE_IDLE | 52809 |
| 596 | struct _PROCESSOR_PERF_INFO | 52814 |
| 604 | struct _PROCESSOR_PERF_STATES | 52822 |
| 647 | struct _PROCESSOR_PERF_STATES_COUNTERS_HV | 52865 |
| 658 | struct _PROCESSOR_CAP | 52876 |
| 666 | struct _PROCESSOR_IDLE_VETO | 52884 |
| 674 | struct _PLATFORM_IDLE_VETO | 52892 |
| 681 | struct _PREREGISTERED_VETO_LIST | 52899 |
| 686 | struct _PROCESSOR_LOAD | 52904 |
| 692 | struct _PEP_IDLE_VETO_REQUEST | 52910 |
| 706 | struct _PEP_IDLE_UPDATE_REQUEST | 52924 |
| 927 | struct _PPM_DRIVER_DISPATCH_TABLE | 53145 |
| 955 | union _PPM_IDLE_SYNCHRONIZATION_STATE | |
| 957 | anonymous struct in union _PPM_IDLE_SYNCHRONIZATION_STATE |
|
| 971 | struct _PPM_VETO_ENTRY | |
| 977 | struct _PPM_VETO_ACCOUNTING | |
| 985 | struct _PPM_IDLE_STATE | |
| 1005 | struct _PPM_SELECTION_MENU_ENTRY | |
| 1014 | struct _PPM_SELECTION_MENU | |
| 1019 | struct _PPM_SELECTION_DEPENDENCY | |
| 1024 | struct _PPM_COORDINATED_SELECTION | |
| 1031 | struct _PPM_IDLE_STATES | |
| 1072 | struct _PROC_IDLE_POLICY | |
| 1080 | struct _PPM_FFH_THROTTLE_STATE_INFO | |
| 1088 | struct _PROC_FEEDBACK_COUNTER | |
| 1089 | anonymous union in struct _PROC_FEEDBACK_COUNTER |
|
| 1090 | anonymous struct in anonymous union in struct _PROC_FEEDBACK_COUNTER |
|
| 1094 | anonymous struct in anonymous union in struct _PROC_FEEDBACK_COUNTER |
|
| 1108 | struct _PROC_PERF_CONSTRAINT | |
| 1159 | struct _PROC_PERF_DOMAIN | |
| 1230 | struct _PROC_PERF_LOAD | |
| 1235 | struct _PPM_SELECTION_STATISTICS | |
| 1281 | struct _PPM_IDLE_STATE_BUCKET_INTERVAL | |
| 1287 | enum PPM_IDLE_BUCKET_TIME_TYPE | |
| 1293 | struct _PROC_IDLE_STATE_BUCKET | |
| 1300 | struct _PROC_IDLE_STATE_ACCOUNTING | |
| 1312 | struct _PROC_IDLE_ACCOUNTING | |
| 1327 | struct _PLATFORM_IDLE_STATE_ACCOUNTING | |
| 1339 | struct _PLATFORM_IDLE_ACCOUNTING | |
| 1351 | union _PPM_COORDINATED_SYNCHRONIZATION | |
| 1353 | anonymous struct in union _PPM_COORDINATED_SYNCHRONIZATION |
|
| 1369 | struct _PPM_PLATFORM_STATE | |
| 1381 | anonymous union in struct _PPM_PLATFORM_STATE |
|
| 1388 | struct _PPM_PLATFORM_STATES | |
| 1409 | struct _PLATFORM_IDLE_STATE_ACCOUNTING_EX | |
| 1421 | struct _PLATFORM_IDLE_ACCOUNTING_EX | |
| 1430 | struct _PROC_IDLE_SNAP | |
| 1435 | struct _PROC_PERF_CHECK_SNAP | |
| 1447 | struct _PROC_PERF_CHECK | |
| 1485 | struct _PROC_FEEDBACK | |
| 1594 | struct _PROC_PERF_HISTORY_ENTRY | |
| 1601 | struct _PROC_PERF_HISTORY | |
| 1611 | struct _PPM_CONCURRENCY_ACCOUNTING | |
| 1630 | enum _PROC_HYPERVISOR_STATE | |
| 1637 | struct _PROCESSOR_POWER_STATE | |
| 1782 | anonymous union in struct _PROCESSOR_POWER_STATE |