As we learned recently, Microsoft has stripped type information from symbols in some versions of ntdll.

Imagine I have the source code of a library and I would like to publish public symbols, but remove some type definitions from that PDB, how would I technically achieve this, especially without breaking the PDB identity information (timestamp and checksum)?

I could not find a compiler switch in the online documentation that would allow me to pass a list of types to be excluded.

Note that I don't want to switch from private symbols to public symbols but reduce public symbols.

WinDbg comes with a tool named PDBCopy. The -f command line switch allows filtering public symbols:

C:\Program Files\Windows Kits\10\Debuggers\x64>pdbcopy /?

PDBCopy v12.00.30523
usage: PDBCopy <source_pdb> <destination_pdb> [-p] [-s] [-f] [-F] [-a] [-A] [-?]
        [-p]                remove private debug information
        [-s]                create new signature
        [-f:{@file|symbol}] filter specific public symbols out of stripped pdb
        [-F:{@file|symbol}] leave only specific public symbols in stripped pdb
        [-a]                leave all annotation symbols in stripped pdb
        [-a:{@file|symbol}] filter specific annotation symbols out of stripped pdb
        [-A:{@file|symbol}] leave only specific annotation symbols in stripped pdb
        [-?]                display this message

This exists at least since WinDbg 6.8. The -a switches have been added in WinDbg 6.12.