Geoff Chappell - Software Analyst
The public symbol files NTKRPAMP.PDB and NTKRNLMP.PDB for the original release of Windows 10 tell that the kernel is built with the WHEADEF.H header at
d:\th.public.fre\sdk\inc
and draws from it the type definitions that are tabulated below.
Nowadays, WHEADEF.H is among the headers in the Software Development Kit (SDK) for Windows 10. It is there in the “um” subdirectory with many other headers that are intended only for user-mode programming. It dates from Windows 7, again in the SDK. WHEADEF.H seems never to have been supplied with a Windows Driver Kit (WDK) except in bundles with the SDK. All its significant content is anyway duplicated in NTDDK.H and in NTOSP.H, but no sign is known of how this happens.
NTDDK.H is, of course, a standard header for kernel-mode programming, and NTOSP.H is similar but for Microsoft’s private use (notwithstanding its disclosure in two early editions of the WDK for Windows 10). The kernel’s own source code does not #include either NTDDK.H or NTOSP.H. The definitions that these headers share with WHEADEF.H are in the kernel from including WHEADEF.H. Whether the kernel includes WHEADEF.H directly or through some other header is not known.
In the table, the line numbers on the left are from WHEADEF.H, both as known from the symbol file and from the header as supplied with the SDK for the original release of Windows 10. The line numbers on the right are from the NTDDK.H and NTOSP.H in the contemporaneous WDK.
| Line Number | Type | NTDDK.H | NTOSP.H |
|---|---|---|---|
| 36 | enum _WHEA_ERROR_SOURCE_TYPE | 14160 | 49077 |
| 57 | enum _WHEA_ERROR_SOURCE_STATE | 14181 | 49098 |
| 96 | union _WHEA_NOTIFICATION_FLAGS | 14220 | 49137 |
| 108 | union _XPF_MC_BANK_FLAGS | 14232 | 49149 |
| 117 | union _XPF_MCE_FLAGS | 14241 | 49158 |
| 126 | union _AER_ROOTPORT_DESCRIPTOR_FLAGS | 14250 | 49167 |
| 138 | union _AER_ENDPOINT_DESCRIPTOR_FLAGS | 14262 | 49179 |
| 149 | union _AER_BRIDGE_DESCRIPTOR_FLAGS | 14273 | 49190 |
| 168 | struct _WHEA_NOTIFICATION_DESCRIPTOR | 14292 | 49209 |
| 173 | unnamed union u in struct _WHEA_NOTIFICATION_DESCRIPTOR |
14297 | 49214 |
| 174 | unnamed struct Polled in unnamed union u in struct _WHEA_NOTIFICATION_DESCRIPTOR |
14298 | 49215 |
| 178 | unnamed struct Interrupt in unnamed union u in struct _WHEA_NOTIFICATION_DESCRIPTOR |
14302 | 49219 |
| 187 | unnamed struct LocalInterrupt in unnamed union u in struct _WHEA_NOTIFICATION_DESCRIPTOR |
14311 | 49228 |
| 196 | unnamed struct Sci in unnamed union u in struct _WHEA_NOTIFICATION_DESCRIPTOR |
14320 | 49237 |
| 205 | unnamed struct Nmi in unnamed union u in struct _WHEA_NOTIFICATION_DESCRIPTOR |
14329 | 49246 |
| 223 | struct _WHEA_XPF_MC_BANK_DESCRIPTOR | 14347 | 49264 |
| 241 | struct _WHEA_XPF_MCE_DESCRIPTOR | 14365 | 49282 |
| 257 | struct _WHEA_XPF_CMC_DESCRIPTOR | 14381 | 49298 |
| 266 | struct _WHEA_PCI_SLOT_NUMBER | 14390 | 49307 |
| 267 | unnamed union u in struct _WHEA_PCI_SLOT_NUMBER |
14391 | 49308 |
| 268 | unnamed struct bits in unnamed union u in struct _WHEA_PCI_SLOT_NUMBER |
14392 | 49309 |
| 283 | struct _WHEA_XPF_NMI_DESCRIPTOR | 14407 | 49324 |
| 294 | struct _WHEA_AER_ROOTPORT_DESCRIPTOR | 14418 | 49335 |
| 315 | struct _WHEA_AER_ENDPOINT_DESCRIPTOR | 14439 | 49356 |
| 335 | struct _WHEA_AER_BRIDGE_DESCRIPTOR | 14459 | 49376 |
| 358 | struct _WHEA_GENERIC_ERROR_DESCRIPTOR | 14482 | 49399 |
| 412 | struct _WHEA_IPF_MCA_DESCRIPTOR | 14536 | 49453 |
| 418 | struct _WHEA_IPF_CMC_DESCRIPTOR | 14542 | 49459 |
| 424 | struct _WHEA_IPF_CPE_DESCRIPTOR | 14548 | 49465 |
| 430 | struct _WHEA_ERROR_SOURCE_DESCRIPTOR | 14554 | 49471 |
| 442 | unnamed union Info in struct _WHEA_ERROR_SOURCE_DESCRIPTOR |
14566 | 49483 |
For the record, lines 26 to 470 inclusive of the 475-line WHEADEF.H are duplicated as lines 14150 to 14594 of NTDDK.H and 49067 to 49511 of NTOSP.H. All that’s omitted in this duplication is the copyyright notice and abstract, all as one comment, and the usual few lines at each end for guarding against repeated inclusion, and a few more to include two other headers. Everything that is particular to WHEADEF.H is duplicated in NTDDK.H and NTOSP.H. All the types that are defined in WHEADEF.H (rather than in a header that it includes, notably cper.h) show in the kernel’s public symbols. There are no secrets here. Yet some small observations may be useful.
One is a possibly inconsequential difference of order: NTDDK.H and NTOSP.H both reproduce first from WHEADEF.H and then from CPER.H; a #include of WHEADEF.H picks up the CPER.H definitions first.
Of more practical consequence when debugging the Windows Hardware Error Architecture is what brings all the user-defined types from WHEADEF.H into the kernel’s public symbol files. Because _WHEA_ERROR_SOURCE_DESCRIPTOR has all the others nested within, whatever brought it into the public symbols will have brought in the rest of them. But because the header itself makes no use of _WHEA_ERROR_SOURCE_DESCRIPTOR, a #include of WHEADEF.H does not suffice. It might be used explicitly in the ntsym.c source file that’s compiled for merging type definitions into the public symbols, but the layout of records in the public symbols suggests that the use that brings _WHEA_ERROR_SOURCE_DESCRIPTOR into the public symbols is instead its nesting as the Descriptor member of the _WHEAP_ERROR_SOURCE that’s defined in wheai.h. Inclusion of this header apparently does suffice, which is just as well, else the !whea command as implemented by the KDEXTS.DLL debugger extension would join the many others that do not work well when only public symbols are available.