3 Copyright (c) Alex Ionescu. All rights reserved.
11 Type definitions for the Process Manager
15 Alex Ionescu (alexi@tinykrnl.org) - Updated - 27-Feb-2006
30 #ifndef NTOS_MODE_USER
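//
// KUSER_SHARED_DATA location in User Mode.
// The address is a compile-time constant, so it is identical in every
// process built against this header.
//
#define USER_SHARED_DATA                        (0x7FFE0000)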
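//
// Global flag bits (FLG_*). Each flag is a single bit; flags are combined
// with bitwise OR into one 32-bit mask.
// FLG_VALID_BITS is the union of every bit defined here, so a mask can be
// validated with (Flags & ~FLG_VALID_BITS) == 0 before it is acted on.
//
#define FLG_STOP_ON_EXCEPTION                   0x00000001
#define FLG_SHOW_LDR_SNAPS                      0x00000002
#define FLG_DEBUG_INITIAL_COMMAND               0x00000004
#define FLG_STOP_ON_HUNG_GUI                    0x00000008
#define FLG_HEAP_ENABLE_TAIL_CHECK              0x00000010
#define FLG_HEAP_ENABLE_FREE_CHECK              0x00000020
#define FLG_HEAP_VALIDATE_PARAMETERS            0x00000040
#define FLG_HEAP_VALIDATE_ALL                   0x00000080
#define FLG_POOL_ENABLE_TAIL_CHECK              0x00000100
#define FLG_POOL_ENABLE_FREE_CHECK              0x00000200
#define FLG_POOL_ENABLE_TAGGING                 0x00000400
#define FLG_HEAP_ENABLE_TAGGING                 0x00000800
#define FLG_USER_STACK_TRACE_DB                 0x00001000
#define FLG_KERNEL_STACK_TRACE_DB               0x00002000
#define FLG_MAINTAIN_OBJECT_TYPELIST            0x00004000
#define FLG_HEAP_ENABLE_TAG_BY_DLL              0x00008000
#define FLG_IGNORE_DEBUG_PRIV                   0x00010000
#define FLG_ENABLE_CSRDEBUG                     0x00020000
#define FLG_ENABLE_KDEBUG_SYMBOL_LOAD           0x00040000
#define FLG_DISABLE_PAGE_KERNEL_STACKS          0x00080000
// Bit 0x00100000 carries a different name depending on the targeted
// NTDDI_VERSION; only one of the two names is defined in any given build.
#if (NTDDI_VERSION < NTDDI_WINXP)
#define FLG_HEAP_ENABLE_CALL_TRACING            0x00100000
#else
#define FLG_ENABLE_SYSTEM_CRIT_BREAKS           0x00100000
#endif
#define FLG_HEAP_DISABLE_COALESCING             0x00200000
#define FLG_ENABLE_CLOSE_EXCEPTIONS             0x00400000
#define FLG_ENABLE_EXCEPTION_LOGGING            0x00800000
#define FLG_ENABLE_HANDLE_TYPE_TAGGING          0x01000000
#define FLG_HEAP_PAGE_ALLOCS                    0x02000000
#define FLG_DEBUG_INITIAL_COMMAND_EX            0x04000000
#define FLG_VALID_BITS                          0x07FFFFFF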
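//
// Process priority classes.
// These are identifiers, not an ordered scale: BELOW_NORMAL and ABOVE_NORMAL
// carry the values 5 and 6, so classes must not be ranked with < or >.
// PROCESS_PRIORITY_CLASS_INVALID (0) marks "no valid class".
//
#define PROCESS_PRIORITY_CLASS_INVALID          0
#define PROCESS_PRIORITY_CLASS_IDLE             1
#define PROCESS_PRIORITY_CLASS_NORMAL           2
#define PROCESS_PRIORITY_CLASS_HIGH             3
#define PROCESS_PRIORITY_CLASS_REALTIME         4
#define PROCESS_PRIORITY_CLASS_BELOW_NORMAL     5
#define PROCESS_PRIORITY_CLASS_ABOVE_NORMAL     6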
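//
// NtCreateProcessEx flags.
// Each flag is a distinct bit, so the values may be combined with bitwise OR.
//
#define PS_REQUEST_BREAKAWAY                    1
#define PS_NO_DEBUG_INHERIT                     2
#define PS_INHERIT_HANDLES                      4
#define PS_LARGE_PAGES                          8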
94 #define PS_ALL_FLAGS (PS_REQUEST_BREAKAWAY | \
95 PS_NO_DEBUG_INHERIT | \
96 PS_INHERIT_HANDLES | \
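//
// Process base priorities (numeric priority levels, unlike the
// PROCESS_PRIORITY_CLASS_* identifiers).
//
#define PROCESS_PRIORITY_IDLE                   3
#define PROCESS_PRIORITY_NORMAL                 8
#define PROCESS_PRIORITY_NORMAL_FOREGROUND      9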
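//
// Process memory priorities.
//
#define MEMORY_PRIORITY_BACKGROUND              0
#define MEMORY_PRIORITY_UNKNOWN                 1
#define MEMORY_PRIORITY_FOREGROUND              2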
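//
// Process Priority Separation Values (OR).
// The two values are separate bits and are meant to be OR-ed into the
// priority separation setting.
//
#define PSP_VARIABLE_QUANTUMS                   4
#define PSP_LONG_QUANTUMS                       16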
119 #ifndef NTOS_MODE_USER
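//
// Thread Access Types.
// Only the rights from 0x0040 upward are defined in this block.
// Three of the four govern the thread's token and impersonation, so they
// should be requested and granted only where that capability is needed.
//
#define THREAD_QUERY_INFORMATION                0x0040
#define THREAD_SET_THREAD_TOKEN                 0x0080
#define THREAD_IMPERSONATE                      0x0100
#define THREAD_DIRECT_IMPERSONATION             0x0200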
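//
// Process Access Types (individual rights requested on a process handle).
// Bit 0x0040 has no name in this list.
// PROCESS_VM_OPERATION, PROCESS_VM_WRITE and PROCESS_CREATE_THREAD together
// permit changing and running code inside the target process: grant them
// only where required and audit handle opens that request them.
// PROCESS_QUERY_LIMITED_INFORMATION is the narrower alternative to
// PROCESS_QUERY_INFORMATION when only basic queries are needed.
//
#define PROCESS_TERMINATE                       0x0001
#define PROCESS_CREATE_THREAD                   0x0002
#define PROCESS_SET_SESSIONID                   0x0004
#define PROCESS_VM_OPERATION                    0x0008
#define PROCESS_VM_READ                         0x0010
#define PROCESS_VM_WRITE                        0x0020
#define PROCESS_CREATE_PROCESS                  0x0080
#define PROCESS_SET_QUOTA                       0x0100
#define PROCESS_SET_INFORMATION                 0x0200
#define PROCESS_QUERY_INFORMATION               0x0400
#define PROCESS_SUSPEND_RESUME                  0x0800
#define PROCESS_QUERY_LIMITED_INFORMATION       0x1000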
144 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
145 #define PROCESS_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \
149 #define PROCESS_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \
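//
// Thread Base Priorities.
// The negative values are parenthesised so that the macros expand safely
// inside larger expressions.
//
#define THREAD_BASE_PRIORITY_LOWRT              15
#define THREAD_BASE_PRIORITY_MAX                2
#define THREAD_BASE_PRIORITY_MIN                (-2)
#define THREAD_BASE_PRIORITY_IDLE               (-15)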
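// Minimum number of TLS slots available (per the macro name).
#define TLS_MINIMUM_AVAILABLE                   64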
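//
// Job object access rights: one bit per right, combinable with bitwise OR.
// JOB_OBJECT_SET_SECURITY_ATTRIBUTES and JOB_OBJECT_SET_ATTRIBUTES allow a
// holder to change what the job enforces, so they deserve the same care as
// write access to a policy object.
//
#define JOB_OBJECT_ASSIGN_PROCESS               0x1
#define JOB_OBJECT_SET_ATTRIBUTES               0x2
#define JOB_OBJECT_QUERY                        0x4
#define JOB_OBJECT_TERMINATE                    0x8
#define JOB_OBJECT_SET_SECURITY_ATTRIBUTES      0x10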
175 #define JOB_OBJECT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \
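//
// Job object limit flags: one bit per limit, combinable with bitwise OR.
// NOTE(review): the two *_BREAKAWAY_OK flags presumably let processes leave
// the job; where a job is used as a containment boundary, confirm that
// neither is set unintentionally.
//
#define JOB_OBJECT_LIMIT_WORKINGSET             0x1
#define JOB_OBJECT_LIMIT_PROCESS_TIME           0x2
#define JOB_OBJECT_LIMIT_JOB_TIME               0x4
#define JOB_OBJECT_LIMIT_ACTIVE_PROCESS         0x8
#define JOB_OBJECT_LIMIT_AFFINITY               0x10
#define JOB_OBJECT_LIMIT_PRIORITY_CLASS         0x20
#define JOB_OBJECT_LIMIT_PRESERVE_JOB_TIME      0x40
#define JOB_OBJECT_LIMIT_SCHEDULING_CLASS       0x80
#define JOB_OBJECT_LIMIT_PROCESS_MEMORY         0x100
#define JOB_OBJECT_LIMIT_JOB_MEMORY             0x200
#define JOB_OBJECT_LIMIT_DIE_ON_UNHANDLED_EXCEPTION 0x400
#define JOB_OBJECT_LIMIT_BREAKAWAY_OK           0x800
#define JOB_OBJECT_LIMIT_SILENT_BREAKAWAY_OK    0x1000
#define JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE      0x2000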
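//
// Cross Thread Flags.
// Bit masks that presumably address the CrossThreadFlags word of ETHREAD,
// whose one-bit members (HideFromDebugger, SystemThread, ...) are declared
// later in this file.
//
#define CT_TERMINATED_BIT                       0x1
#define CT_DEAD_THREAD_BIT                      0x2
#define CT_HIDE_FROM_DEBUGGER_BIT               0x4
#define CT_ACTIVE_IMPERSONATION_INFO_BIT        0x8
#define CT_SYSTEM_THREAD_BIT                    0x10
#define CT_HARD_ERRORS_ARE_DISABLED_BIT         0x20
#define CT_BREAK_ON_TERMINATION_BIT             0x40
#define CT_SKIP_CREATION_MSG_BIT                0x80
#define CT_SKIP_TERMINATION_MSG_BIT             0x100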
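//
// Same Thread Passive Flags (bit masks, one bit each).
//
#define STP_ACTIVE_EX_WORKER_BIT                0x1
#define STP_EX_WORKER_CAN_WAIT_USER_BIT         0x2
#define STP_MEMORY_MAKER_BIT                    0x4
#define STP_KEYED_EVENT_IN_USE_BIT              0x8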
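//
// Same Thread APC Flags.
// The first three are single bits; STA_OWNS_WORKING_SET_BITS is a
// multi-bit mask (0x1F8 covers bits 3 through 8).
//
#define STA_LPC_RECEIVED_MSG_ID_VALID_BIT       0x1
#define STA_LPC_EXIT_THREAD_CALLED_BIT          0x2
#define STA_ADDRESS_SPACE_OWNER_BIT             0x4
#define STA_OWNS_WORKING_SET_BITS               0x1F8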
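// Number of TLS expansion slots (per the macro name).
#define TLS_EXPANSION_SLOTS                     1024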
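//
// Process flag bit masks (PSF_*), one bit each.
// Value 0x800 has no name in this list; the AddressSpaceInitialized member
// of EPROCESS (declared later in this file) is two bits wide, which likely
// accounts for the gap after PSF_ADDRESS_SPACE_INITIALIZED_BIT.
//
#define PSF_CREATE_REPORTED_BIT                 0x1
#define PSF_NO_DEBUG_INHERIT_BIT                0x2
#define PSF_PROCESS_EXITING_BIT                 0x4
#define PSF_PROCESS_DELETE_BIT                  0x8
#define PSF_WOW64_SPLIT_PAGES_BIT               0x10
#define PSF_VM_DELETED_BIT                      0x20
#define PSF_OUTSWAP_ENABLED_BIT                 0x40
#define PSF_OUTSWAPPED_BIT                      0x80
#define PSF_FORK_FAILED_BIT                     0x100
#define PSF_WOW64_VA_SPACE_4GB_BIT              0x200
#define PSF_ADDRESS_SPACE_INITIALIZED_BIT       0x400
#define PSF_SET_TIMER_RESOLUTION_BIT            0x1000
#define PSF_BREAK_ON_TERMINATION_BIT            0x2000
#define PSF_SESSION_CREATION_UNDERWAY_BIT       0x4000
#define PSF_WRITE_WATCH_BIT                     0x8000
#define PSF_PROCESS_IN_SESSION_BIT              0x10000
#define PSF_OVERRIDE_ADDRESS_SPACE_BIT          0x20000
#define PSF_HAS_ADDRESS_SPACE_BIT               0x40000
#define PSF_LAUNCH_PREFETCHED_BIT               0x80000
#define PSF_INJECT_INPAGE_ERRORS_BIT            0x100000
#define PSF_VM_TOP_DOWN_BIT                     0x200000
#define PSF_IMAGE_NOTIFY_DONE_BIT               0x400000
#define PSF_PDE_UPDATE_NEEDED_BIT               0x800000
#define PSF_VDM_ALLOWED_BIT                     0x1000000
#define PSF_SWAP_ALLOWED_BIT                    0x2000000
#define PSF_CREATE_FAILED_BIT                   0x4000000
#define PSF_DEFAULT_IO_PRIORITY_BIT             0x8000000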
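//
// Vista Process Flags.
// NOTE(review): presumably the mask for the ProtectedProcess bit declared in
// EPROCESS later in this file; confirm against that bitfield's layout.
//
#define PSF2_PROTECTED_BIT                      0x800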
265 #ifdef NTOS_MODE_USER
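//
// Current Process/Thread built-in 'special' handles.
// These are fixed pseudo-handle values (-1 and -2 cast to HANDLE), not
// handles obtained from an open call; the Zw* names are plain aliases of
// the Nt* macros.
//
#define NtCurrentProcess()                      ((HANDLE)(LONG_PTR)-1)
#define ZwCurrentProcess()                      NtCurrentProcess()
#define NtCurrentThread()                       ((HANDLE)(LONG_PTR)-2)
#define ZwCurrentThread()                       NtCurrentThread()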
275 // Process/Thread/Job Information Classes for NtQueryInformationProcess/Thread/Job
// Process information classes (see the heading comment above this enum).
// NOTE(review): enumerator values are positional, and this listing skips
// source lines (the embedded line numbers jump, e.g. 279 -> 285), so the
// numeric value of a class cannot be obtained by counting the entries shown.
277 typedef enum _PROCESSINFOCLASS
279 ProcessBasicInformation
,
285 ProcessRaisePriority
,
287 ProcessExceptionPort
,
289 ProcessLdtInformation
,
291 ProcessDefaultHardErrorMode
,
292 ProcessIoPortHandlers
,
293 ProcessPooledUsageAndLimits
,
294 ProcessWorkingSetWatch
,
296 ProcessEnableAlignmentFaultFixup
,
297 ProcessPriorityClass
,
298 ProcessWx86Information
,
301 ProcessPriorityBoost
,
303 ProcessSessionInformation
,
304 ProcessForegroundInformation
,
305 ProcessWow64Information
,
306 ProcessImageFileName
,
307 ProcessLUIDDeviceMapsEnabled
,
// NOTE(review): the next two classes are debugging/termination related
// (compare PSF_BREAK_ON_TERMINATION_BIT above); their exact semantics are not
// shown in this file, so confirm them before relying on either in a check.
308 ProcessBreakOnTermination
,
309 ProcessDebugObjectHandle
,
311 ProcessHandleTracing
,
314 ProcessTlsInformation
,
316 ProcessImageInformation
,
319 ProcessInstrumentationCallback
,
320 ProcessThreadStackAllocation
,
321 ProcessWorkingSetWatchEx
,
322 ProcessImageFileNameWin32
,
323 ProcessImageFileMapping
,
324 ProcessAffinityUpdateMode
,
325 ProcessMemoryAllocationMode
,
// Thread information classes.
// NOTE(review): enumerator values are positional, and this listing skips
// source lines (the embedded line numbers jump, e.g. 331 -> 336), so the
// numeric value of a class cannot be obtained by counting the entries shown.
329 typedef enum _THREADINFOCLASS
331 ThreadBasicInformation
,
// NOTE(review): token-related class; see THREAD_SET_THREAD_TOKEN and
// THREAD_IMPERSONATE above for the matching access rights (presumably the
// ones checked for it; confirm at the implementation).
336 ThreadImpersonationToken
,
337 ThreadDescriptorTableEntry
,
338 ThreadEnableAlignmentFaultFixup
,
339 ThreadEventPair_Reusable
,
340 ThreadQuerySetWin32StartAddress
,
342 ThreadPerformanceCount
,
344 ThreadIdealProcessor
,
346 ThreadSetTlsArrayAddress
,
// NOTE(review): presumably tied to CT_HIDE_FROM_DEBUGGER_BIT and the
// HideFromDebugger member of ETHREAD declared elsewhere in this file; a
// thread with that bit set is worth flagging during debugging or triage.
348 ThreadHideFromDebugger
,
349 ThreadBreakOnTermination
,
350 ThreadSwitchLegacyState
,
352 ThreadLastSystemCall
,
356 ThreadActualBasePriority
,
357 ThreadTebInformation
,
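//
// Process priority modes. The enumerators are implicitly numbered from 0.
//
typedef enum _PSPROCESSPRIORITYMODE
{
    PsProcessPriorityForeground,
    PsProcessPriorityBackground,
    PsProcessPrioritySpinning
} PSPROCESSPRIORITYMODE;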
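//
// Job object information classes.
// Numbering starts at 1, so 0 is not a valid class; MaxJobObjectInfoClass is
// one past the last valid class and can serve as the upper bound when a
// caller-supplied class value is range-checked.
//
typedef enum _JOBOBJECTINFOCLASS
{
    JobObjectBasicAccountingInformation = 1,
    JobObjectBasicLimitInformation,
    JobObjectBasicProcessIdList,
    JobObjectBasicUIRestrictions,
    JobObjectSecurityLimitInformation,
    JobObjectEndOfJobTimeInformation,
    JobObjectAssociateCompletionPortInformation,
    JobObjectBasicAndIoAccountingInformation,
    JobObjectExtendedLimitInformation,
    JobObjectJobSetInformation,
    MaxJobObjectInfoClass
} JOBOBJECTINFOCLASS;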
387 // Power Event Events for Win32K Power Event Callback
389 typedef enum _PSPOWEREVENTTYPE
393 PsW32PowerPolicyChanged
= 2,
394 PsW32SystemPowerState
= 3,
396 PsW32DisplayState
= 5,
397 PsW32CapabilitiesChanged
= 6,
398 PsW32SetStateFailed
= 7,
401 PsW32GdiPrepareResumeUI
= 10,
402 PsW32GdiOffRequest
= 11,
403 PsW32MonitorOff
= 12,
407 // Power State Tasks for Win32K Power State Callback
409 typedef enum _POWERSTATETASK
411 PowerState_BlockSessionSwitch
= 0,
413 PowerState_QueryApps
= 2,
414 PowerState_QueryServices
= 3,
415 PowerState_QueryAppsFailed
= 4,
416 PowerState_QueryServicesFailed
= 5,
417 PowerState_SuspendApps
= 6,
418 PowerState_SuspendServices
= 7,
419 PowerState_ShowUI
= 8,
420 PowerState_NotifyWL
= 9,
421 PowerState_ResumeApps
= 10,
422 PowerState_ResumeServices
= 11,
423 PowerState_UnBlockSessionSwitch
= 12,
425 PowerState_BlockInput
= 14,
426 PowerState_UnblockInput
= 15,
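//
// Win32K Job Callback Types.
// The value is carried in the CalloutType member of
// WIN32_JOBCALLOUT_PARAMETERS, declared later in this file.
//
typedef enum _PSW32JOBCALLOUTTYPE
{
    PsW32JobCalloutSetInformation = 0,
    PsW32JobCalloutAddProcess = 1,
    PsW32JobCalloutTerminate = 2,
} PSW32JOBCALLOUTTYPE;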
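//
// Win32K Thread Callback Types.
// Passed as the Type argument of PKWIN32_THREAD_CALLOUT; the enumerators are
// implicitly numbered from 0.
//
typedef enum _PSW32THREADCALLOUTTYPE
{
    PsW32ThreadCalloutInitialize,
    PsW32ThreadCalloutExit,
} PSW32THREADCALLOUTTYPE;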
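//
// Declare empty structure definitions so that they may be referenced by
// routines before they are defined.
// These are incomplete types at this point: only pointers to them may be
// used until the full definitions appear.
//
struct _WIN32_POWEREVENT_PARAMETERS;
struct _WIN32_POWERSTATE_PARAMETERS;
struct _WIN32_JOBCALLOUT_PARAMETERS;
struct _WIN32_OPENMETHOD_PARAMETERS;
struct _WIN32_OKAYTOCLOSEMETHOD_PARAMETERS;
struct _WIN32_CLOSEMETHOD_PARAMETERS;
struct _WIN32_DELETEMETHOD_PARAMETERS;
struct _WIN32_PARSEMETHOD_PARAMETERS;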
465 // Win32K Process and Thread Callbacks
469 (NTAPI
*PKWIN32_PROCESS_CALLOUT
)(
470 struct _EPROCESS
*Process
,
476 (NTAPI
*PKWIN32_THREAD_CALLOUT
)(
477 struct _ETHREAD
*Thread
,
478 PSW32THREADCALLOUTTYPE Type
483 (NTAPI
*PKWIN32_GLOBALATOMTABLE_CALLOUT
)(
489 (NTAPI
*PKWIN32_POWEREVENT_CALLOUT
)(
490 struct _WIN32_POWEREVENT_PARAMETERS
*Parameters
495 (NTAPI
*PKWIN32_POWERSTATE_CALLOUT
)(
496 struct _WIN32_POWERSTATE_PARAMETERS
*Parameters
501 (NTAPI
*PKWIN32_JOB_CALLOUT
)(
502 struct _WIN32_JOBCALLOUT_PARAMETERS
*Parameters
507 (NTAPI
*PGDI_BATCHFLUSH_ROUTINE
)(
513 (NTAPI
*PKWIN32_OPENMETHOD_CALLOUT
)(
514 struct _WIN32_OPENMETHOD_PARAMETERS
*Parameters
519 (NTAPI
*PKWIN32_OKTOCLOSEMETHOD_CALLOUT
)(
520 struct _WIN32_OKAYTOCLOSEMETHOD_PARAMETERS
*Parameters
525 (NTAPI
*PKWIN32_CLOSEMETHOD_CALLOUT
)(
526 struct _WIN32_CLOSEMETHOD_PARAMETERS
*Parameters
531 (NTAPI
*PKWIN32_DELETEMETHOD_CALLOUT
)(
532 struct _WIN32_DELETEMETHOD_PARAMETERS
*Parameters
537 (NTAPI
*PKWIN32_PARSEMETHOD_CALLOUT
)(
538 struct _WIN32_PARSEMETHOD_PARAMETERS
*Parameters
543 (NTAPI
*PKWIN32_WIN32DATACOLLECTION_CALLOUT
)(
544 struct _EPROCESS
*Process
,
554 (NTAPI
*PLEGO_NOTIFY_ROUTINE
)(
561 (NTAPI
*PPOST_PROCESS_INIT_ROUTINE
)(
566 // Descriptor Table Entry Definition
569 #define _DESCRIPTOR_TABLE_ENTRY_DEFINED
570 typedef struct _DESCRIPTOR_TABLE_ENTRY
573 LDT_ENTRY Descriptor
;
574 } DESCRIPTOR_TABLE_ENTRY
, *PDESCRIPTOR_TABLE_ENTRY
;
581 (NTAPI
*PPEBLOCKROUTINE
)(
586 // PEB Free Block Descriptor
588 typedef struct _PEB_FREE_BLOCK
590 struct _PEB_FREE_BLOCK
* Next
;
592 } PEB_FREE_BLOCK
, *PPEB_FREE_BLOCK
;
// Leading fields of the PEB (per the structure name).
// NOTE(review): this listing skips source lines (the embedded line numbers
// jump, e.g. 601 -> 605 and 611 -> 622), so the member list and the closing
// #endif directives shown here are incomplete.
597 typedef struct _INITIAL_PEB
599 BOOLEAN InheritedAddressSpace
;
600 BOOLEAN ReadImageFileExecOptions
;
// NOTE(review): if this mirrors the user-mode PEB, the process can rewrite
// this byte itself; do not use it as the sole input to a security decision.
// Confirm against kernel-side state.
601 BOOLEAN BeingDebugged
;
605 #if (NTDDI_VERSION >= NTDDI_WS03)
// One-bit members: these exist only for the NTDDI_VERSION ranges tested by
// the surrounding #if lines.
608 BOOLEAN ImageUsesLargePages
:1;
609 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
// NOTE(review): the same caveat as for BeingDebugged presumably applies to
// IsProtectedProcess; compare the ProtectedProcess bit in EPROCESS.
610 BOOLEAN IsProtectedProcess
:1;
611 BOOLEAN IsLegacyProcess
:1;
622 } INITIAL_PEB
, *PINITIAL_PEB
;
627 typedef struct _INITIAL_TEB
629 PVOID PreviousStackBase
;
630 PVOID PreviousStackLimit
;
633 PVOID AllocatedStackBase
;
634 } INITIAL_TEB
, *PINITIAL_TEB
;
637 // TEB Active Frame Structures
639 typedef struct _TEB_ACTIVE_FRAME_CONTEXT
643 } TEB_ACTIVE_FRAME_CONTEXT
, *PTEB_ACTIVE_FRAME_CONTEXT
;
645 typedef struct _TEB_ACTIVE_FRAME
648 struct _TEB_ACTIVE_FRAME
*Previous
;
649 PTEB_ACTIVE_FRAME_CONTEXT Context
;
650 } TEB_ACTIVE_FRAME
, *PTEB_ACTIVE_FRAME
;
652 typedef struct _CLIENT_ID32
656 } CLIENT_ID32
, *PCLIENT_ID32
;
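//
// Client ID with explicit 64-bit fields: the process and thread identifiers
// are stored as ULONG64 regardless of the native pointer size.
//
typedef struct _CLIENT_ID64
{
    ULONG64 UniqueProcess;
    ULONG64 UniqueThread;
} CLIENT_ID64, *PCLIENT_ID64;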
664 #if (NTDDI_VERSION < NTDDI_WS03)
665 typedef struct _Wx86ThreadState
668 PVOID DeallocationCpu
;
669 BOOLEAN UseKnownWx86Dll
;
671 } Wx86ThreadState
, *PWx86ThreadState
;
676 // Process Environment Block (PEB)
677 // Thread Environment Block (TEB)
683 // Explicit 32 bit PEB/TEB
685 #define EXPLICIT_32BIT
687 #undef EXPLICIT_32BIT
690 // Explicit 64 bit PEB/TEB
692 #define EXPLICIT_64BIT
694 #undef EXPLICIT_64BIT
697 #ifdef NTOS_MODE_USER
// Process Information Structures for NtQueryInformationProcess
702 typedef struct _PROCESS_BASIC_INFORMATION
706 ULONG_PTR AffinityMask
;
707 KPRIORITY BasePriority
;
708 ULONG_PTR UniqueProcessId
;
709 ULONG_PTR InheritedFromUniqueProcessId
;
710 } PROCESS_BASIC_INFORMATION
, *PPROCESS_BASIC_INFORMATION
;
712 typedef struct _PROCESS_ACCESS_TOKEN
716 } PROCESS_ACCESS_TOKEN
, *PPROCESS_ACCESS_TOKEN
;
718 typedef struct _PROCESS_DEVICEMAP_INFORMATION
724 HANDLE DirectoryHandle
;
732 } PROCESS_DEVICEMAP_INFORMATION
, *PPROCESS_DEVICEMAP_INFORMATION
;
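//
// Creation/exit timestamps and accumulated kernel/user time, each held in a
// LARGE_INTEGER.
//
typedef struct _KERNEL_USER_TIMES
{
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER ExitTime;
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
} KERNEL_USER_TIMES, *PKERNEL_USER_TIMES;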
742 typedef struct _PROCESS_SESSION_INFORMATION
745 } PROCESS_SESSION_INFORMATION
, *PPROCESS_SESSION_INFORMATION
;
749 typedef struct _PROCESS_PRIORITY_CLASS
753 } PROCESS_PRIORITY_CLASS
, *PPROCESS_PRIORITY_CLASS
;
// Thread Information Structures for NtQueryInformationThread
758 typedef struct _THREAD_BASIC_INFORMATION
761 PVOID TebBaseAddress
;
763 KAFFINITY AffinityMask
;
765 KPRIORITY BasePriority
;
766 } THREAD_BASIC_INFORMATION
, *PTHREAD_BASIC_INFORMATION
;
768 #ifndef NTOS_MODE_USER
773 typedef struct _JOB_SET_ARRAY
778 } JOB_SET_ARRAY
, *PJOB_SET_ARRAY
;
781 // EPROCESS Quota Structures
783 typedef struct _EPROCESS_QUOTA_ENTRY
789 } EPROCESS_QUOTA_ENTRY
, *PEPROCESS_QUOTA_ENTRY
;
791 typedef struct _EPROCESS_QUOTA_BLOCK
793 EPROCESS_QUOTA_ENTRY QuotaEntry
[3];
794 LIST_ENTRY QuotaList
;
795 ULONG ReferenceCount
;
797 } EPROCESS_QUOTA_BLOCK
, *PEPROCESS_QUOTA_BLOCK
;
800 // Process Pagefault History
802 typedef struct _PAGEFAULT_HISTORY
808 PROCESS_WS_WATCH_INFORMATION WatchInfo
[1];
809 } PAGEFAULT_HISTORY
, *PPAGEFAULT_HISTORY
;
812 // Process Impersonation Information
814 typedef struct _PS_IMPERSONATION_INFORMATION
818 BOOLEAN EffectiveOnly
;
819 SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
;
820 } PS_IMPERSONATION_INFORMATION
, *PPS_IMPERSONATION_INFORMATION
;
823 // Process Termination Port
825 typedef struct _TERMINATION_PORT
827 struct _TERMINATION_PORT
*Next
;
829 } TERMINATION_PORT
, *PTERMINATION_PORT
;
832 // Per-Process APC Rate Limiting
834 typedef struct _PSP_RATE_APC
838 SINGLE_LIST_ENTRY NextApc
;
839 ULONGLONG ExcessCycles
;
841 ULONGLONG TargetGEneration
;
843 } PSP_RATE_APC
, *PPSP_RATE_APC
;
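// Executive Thread (ETHREAD). Members guarded by NTDDI_VERSION checks exist only for some Windows versions, so the layout is version-specific and member offsets must not be hard-coded.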
848 typedef struct _ETHREAD
851 LARGE_INTEGER CreateTime
;
854 LARGE_INTEGER ExitTime
;
855 LIST_ENTRY LpcReplyChain
;
856 LIST_ENTRY KeyedWaitChain
;
863 LIST_ENTRY PostBlockList
;
866 struct _TERMINATION_PORT
*TerminationPort
;
867 struct _ETHREAD
*ReaperLink
;
868 PVOID KeyedWaitValue
;
869 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
870 PVOID Win32StartParameter
;
873 KSPIN_LOCK ActiveTimerListLock
;
874 LIST_ENTRY ActiveTimerListHead
;
876 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
877 KSEMAPHORE KeyedWaitSemaphore
;
881 KSEMAPHORE LpcReplySemaphore
;
882 KSEMAPHORE KeyedReplySemaphore
;
886 PVOID LpcReplyMessage
;
887 PVOID LpcWaitingOnPort
;
890 PPS_IMPERSONATION_INFORMATION ImpersonationInfo
;
892 ULONG_PTR TopLevelIrp
;
893 PDEVICE_OBJECT DeviceToVerify
;
894 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
895 PPSP_RATE_APC RateControlApc
;
897 struct _EPROCESS
*ThreadsProcess
;
899 PVOID Win32StartAddress
;
902 PKSTART_ROUTINE StartAddress
;
903 ULONG LpcReceivedMessageId
;
905 LIST_ENTRY ThreadListEntry
;
906 EX_RUNDOWN_REF RundownProtect
;
907 EX_PUSH_LOCK ThreadLock
;
908 #if (NTDDI_VERSION < NTDDI_LONGHORN)
909 ULONG LpcReplyMessageId
;
911 ULONG ReadClusterSize
;
912 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
915 ACCESS_MASK GrantedAccess
;
922 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
923 ULONG ThreadInserted
:1;
927 ULONG HideFromDebugger
:1;
928 ULONG ActiveImpersonationInfo
:1;
929 ULONG SystemThread
:1;
930 ULONG HardErrorsAreDisabled
:1;
931 ULONG BreakOnTermination
:1;
932 ULONG SkipCreationMsg
:1;
933 ULONG SkipTerminationMsg
:1;
934 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
935 ULONG CreateMsgSent
:1;
936 ULONG ThreadIoPriority
:3;
937 ULONG ThreadPagePriority
:3;
938 ULONG PendingRatecontrol
:1;
941 ULONG CrossThreadFlags
;
947 ULONG ActiveExWorker
:1;
948 ULONG ExWorkerCanWaitUser
:1;
950 ULONG KeyedEventInUse
:1;
951 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
952 ULONG RateApcState
:2;
955 ULONG SameThreadPassiveFlags
;
961 ULONG LpcReceivedMsgIdValid
:1;
962 ULONG LpcExitThreadCalled
:1;
963 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
966 ULONG AddressSpaceOwner
:1;
968 ULONG OwnsProcessWorkingSetExclusive
:1;
969 ULONG OwnsProcessWorkingSetShared
:1;
970 ULONG OwnsSystemWorkingSetExclusive
:1;
971 ULONG OwnsSystemWorkingSetShared
:1;
972 ULONG OwnsSessionWorkingSetExclusive
:1;
973 ULONG OwnsSessionWorkingSetShared
:1;
974 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
975 ULONG SupressSymbolLoad
:1;
977 ULONG PriorityRegionActive
:4;
982 ULONG SameThreadApcFlags
;
984 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
985 UCHAR CacheManagerActive
;
987 UCHAR ForwardClusterOnly
;
989 UCHAR DisablePageFaultClustering
;
990 UCHAR ActiveFaultCount
;
991 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
996 ULONG AlpcReceiveAttributeSet
;
998 LIST_ENTRY AlpcWaitListEntry
;
999 KSEMAPHORE AlpcWaitSemaphore
;
1000 ULONG CacheManagerCount
;
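// Executive Process (EPROCESS). Members guarded by NTDDI_VERSION checks exist only for some Windows versions, so the layout is version-specific and member offsets must not be hard-coded.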
1007 typedef struct _EPROCESS
1010 EX_PUSH_LOCK ProcessLock
;
1011 LARGE_INTEGER CreateTime
;
1012 LARGE_INTEGER ExitTime
;
1013 EX_RUNDOWN_REF RundownProtect
;
1014 HANDLE UniqueProcessId
;
1015 LIST_ENTRY ActiveProcessLinks
;
1016 ULONG QuotaUsage
[3]; /* 0=PagedPool, 1=NonPagedPool, 2=Pagefile */
1017 ULONG QuotaPeak
[3]; /* ditto */
1019 ULONG PeakVirtualSize
;
1021 LIST_ENTRY SessionProcessLinks
;
1023 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
1026 PVOID ExceptionPortData
;
1027 ULONG ExceptionPortValue
;
1028 UCHAR ExceptionPortState
:3;
1031 PVOID ExceptionPort
;
1033 PHANDLE_TABLE ObjectTable
;
1035 ULONG WorkingSetPage
;
1036 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
1037 EX_PUSH_LOCK AddressCreationLock
;
1038 PETHREAD RotateInProgress
;
1040 KGUARDED_MUTEX AddressCreationLock
;
1041 KSPIN_LOCK HyperSpaceLock
;
1043 PETHREAD ForkInProgress
;
1044 ULONG HardwareTrigger
;
1045 PMM_AVL_TABLE PhysicalVadRoot
;
1047 ULONG NumberOfPrivatePages
;
1048 ULONG NumberOfLockedPages
;
1049 PVOID
*Win32Process
;
1051 PVOID SectionObject
;
1052 PVOID SectionBaseAddress
;
1053 PEPROCESS_QUOTA_BLOCK QuotaBlock
;
1054 PPAGEFAULT_HISTORY WorkingSetWatch
;
1055 PVOID Win32WindowStation
;
1056 HANDLE InheritedFromUniqueProcessId
;
1057 PVOID LdtInformation
;
1061 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
1062 PVOID EtwDataSource
;
1069 HARDWARE_PTE PageDirectoryPte
;
1073 CHAR ImageFileName
[16];
1074 LIST_ENTRY JobLinks
;
1075 PVOID LockedPagesList
;
1076 LIST_ENTRY ThreadListHead
;
1079 ULONG ActiveThreads
;
1080 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
1081 ULONG ImagePathHash
;
1083 ACCESS_MASK GrantedAccess
;
1085 ULONG DefaultHardErrorProcessing
;
1086 NTSTATUS LastThreadExitStatus
;
1088 EX_FAST_REF PrefetchTrace
;
1089 LARGE_INTEGER ReadOperationCount
;
1090 LARGE_INTEGER WriteOperationCount
;
1091 LARGE_INTEGER OtherOperationCount
;
1092 LARGE_INTEGER ReadTransferCount
;
1093 LARGE_INTEGER WriteTransferCount
;
1094 LARGE_INTEGER OtherTransferCount
;
1095 ULONG CommitChargeLimit
;
1096 ULONG CommitChargePeak
;
1098 SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo
;
1100 LIST_ENTRY MmProcessLinks
;
1101 ULONG ModifiedPageCount
;
1102 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
1107 ULONG JobNotReallyActive
:1;
1108 ULONG AccountingFolded
:1;
1109 ULONG NewProcessReported
:1;
1110 ULONG ExitProcessReported
:1;
1111 ULONG ReportCommitChanges
:1;
1112 ULONG LastReportMemory
:1;
1113 ULONG ReportPhysicalPageChanges
:1;
1114 ULONG HandleTableRundown
:1;
1115 ULONG NeedsHandleRundown
:1;
1116 ULONG RefTraceEnabled
:1;
1118 ULONG ProtectedProcess
:1;
1119 ULONG DefaultPagePriority
:3;
1120 ULONG ProcessDeleteSelf
:1;
1121 ULONG ProcessVerifierTarget
:1;
1132 ULONG CreateReported
:1;
1133 ULONG NoDebugInherit
:1;
1134 ULONG ProcessExiting
:1;
1135 ULONG ProcessDelete
:1;
1136 ULONG Wow64SplitPages
:1;
1138 ULONG OutswapEnabled
:1;
1141 ULONG Wow64VaSpace4Gb
:1;
1142 ULONG AddressSpaceInitialized
:2;
1143 ULONG SetTimerResolution
:1;
1144 ULONG BreakOnTermination
:1;
1145 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
1146 ULONG DeprioritizeViews
:1;
1148 ULONG SessionCreationUnderway
:1;
1151 ULONG ProcessInSession
:1;
1152 ULONG OverrideAddressSpace
:1;
1153 ULONG HasAddressSpace
:1;
1154 ULONG LaunchPrefetched
:1;
1155 ULONG InjectInpageErrors
:1;
1157 ULONG ImageNotifyDone
:1;
1158 ULONG PdeUpdateNeeded
:1;
1160 ULONG SmapAllowed
:1;
1161 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
1162 ULONG ProcessInserted
:1;
1164 ULONG CreateFailed
:1;
1166 ULONG DefaultIoPriority
:3;
1167 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
1168 ULONG SparePsFlags1
:2;
1176 NTSTATUS ExitStatus
;
1177 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
1180 USHORT NextPageColor
;
1186 UCHAR SubSystemMinorVersion
;
1187 UCHAR SubSystemMajorVersion
;
1189 USHORT SubSystemVersion
;
1191 UCHAR PriorityClass
;
1192 MM_AVL_TABLE VadRoot
;
1197 // Job Token Filter Data
1199 #include <pshpack1.h>
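//
// Job token filter: three captured arrays (SIDs, groups and privileges),
// each described by an element count, a pointer and a length.
// NOTE(review): the count and the length are stored independently of the
// pointer, so code that walks one of these arrays should first check that
// the count is consistent with the recorded length (presumably in bytes);
// confirm at the users of this structure.
// The definition sits between the <pshpack1.h> and <poppack.h> includes in
// this file, i.e. it is byte-packed; on 64-bit builds the pointer members
// are therefore not naturally aligned.
//
typedef struct _PS_JOB_TOKEN_FILTER
{
    ULONG CapturedSidCount;
    PSID_AND_ATTRIBUTES CapturedSids;
    ULONG CapturedSidsLength;
    ULONG CapturedGroupCount;
    PSID_AND_ATTRIBUTES CapturedGroups;
    ULONG CapturedGroupsLength;
    ULONG CapturedPrivilegeCount;
    PLUID_AND_ATTRIBUTES CapturedPrivileges;
    ULONG CapturedPrivilegesLength;
} PS_JOB_TOKEN_FILTER, *PPS_JOB_TOKEN_FILTER;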
1214 // Executive Job (EJOB)
1216 typedef struct _EJOB
1219 LIST_ENTRY JobLinks
;
1220 LIST_ENTRY ProcessListHead
;
1222 LARGE_INTEGER TotalUserTime
;
1223 LARGE_INTEGER TotalKernelTime
;
1224 LARGE_INTEGER ThisPeriodTotalUserTime
;
1225 LARGE_INTEGER ThisPeriodTotalKernelTime
;
1226 ULONG TotalPageFaultCount
;
1227 ULONG TotalProcesses
;
1228 ULONG ActiveProcesses
;
1229 ULONG TotalTerminatedProcesses
;
1230 LARGE_INTEGER PerProcessUserTimeLimit
;
1231 LARGE_INTEGER PerJobUserTimeLimit
;
1233 ULONG MinimumWorkingSetSize
;
1234 ULONG MaximumWorkingSetSize
;
1235 ULONG ActiveProcessLimit
;
1237 UCHAR PriorityClass
;
1238 ULONG UIRestrictionsClass
;
1239 ULONG SecurityLimitFlags
;
1241 PPS_JOB_TOKEN_FILTER Filter
;
1242 ULONG EndOfJobTimeAction
;
1243 PVOID CompletionPort
;
1244 PVOID CompletionKey
;
1246 ULONG SchedulingClass
;
1247 ULONGLONG ReadOperationCount
;
1248 ULONGLONG WriteOperationCount
;
1249 ULONGLONG OtherOperationCount
;
1250 ULONGLONG ReadTransferCount
;
1251 ULONGLONG WriteTransferCount
;
1252 ULONGLONG OtherTransferCount
;
1254 ULONG ProcessMemoryLimit
;
1255 ULONG JobMemoryLimit
;
1256 ULONG PeakProcessMemoryUsed
;
1257 ULONG PeakJobMemoryUsed
;
1258 ULONG CurrentJobMemoryUsed
;
1259 #if (NTDDI_VERSION >= NTDDI_WINXP) && (NTDDI_VERSION < NTDDI_WS03)
1260 FAST_MUTEX MemoryLimitsLock
;
1261 #elif (NTDDI_VERSION >= NTDDI_WS03) && (NTDDI_VERSION < NTDDI_LONGHORN)
1262 KGUARDED_MUTEX MemoryLimitsLock
;
1263 #elif (NTDDI_VERSION >= NTDDI_LONGHORN)
1264 EX_PUSH_LOCK MemoryLimitsLock
;
1266 LIST_ENTRY JobSetLinks
;
1270 #include <poppack.h>
1273 // Win32K Callback Registration Data
1275 typedef struct _WIN32_POWEREVENT_PARAMETERS
1277 PSPOWEREVENTTYPE EventNumber
;
1279 } WIN32_POWEREVENT_PARAMETERS
, *PWIN32_POWEREVENT_PARAMETERS
;
1281 typedef struct _WIN32_POWERSTATE_PARAMETERS
1284 POWER_ACTION SystemAction
;
1285 SYSTEM_POWER_STATE MinSystemState
;
1287 POWERSTATETASK PowerStateTask
;
1288 } WIN32_POWERSTATE_PARAMETERS
, *PWIN32_POWERSTATE_PARAMETERS
;
1290 typedef struct _WIN32_JOBCALLOUT_PARAMETERS
1293 PSW32JOBCALLOUTTYPE CalloutType
;
1295 } WIN32_JOBCALLOUT_PARAMETERS
, *PWIN32_JOBCALLOUT_PARAMETERS
;
1297 typedef struct _WIN32_OPENMETHOD_PARAMETERS
1299 OB_OPEN_REASON OpenReason
;
1302 ULONG GrantedAccess
;
1304 } WIN32_OPENMETHOD_PARAMETERS
, *PWIN32_OPENMETHOD_PARAMETERS
;
1306 typedef struct _WIN32_OKAYTOCLOSEMETHOD_PARAMETERS
1311 KPROCESSOR_MODE PreviousMode
;
1312 } WIN32_OKAYTOCLOSEMETHOD_PARAMETERS
, *PWIN32_OKAYTOCLOSEMETHOD_PARAMETERS
;
1314 typedef struct _WIN32_CLOSEMETHOD_PARAMETERS
1318 ACCESS_MASK AccessMask
;
1319 ULONG ProcessHandleCount
;
1320 ULONG SystemHandleCount
;
1321 } WIN32_CLOSEMETHOD_PARAMETERS
, *PWIN32_CLOSEMETHOD_PARAMETERS
;
1323 typedef struct _WIN32_DELETEMETHOD_PARAMETERS
1326 } WIN32_DELETEMETHOD_PARAMETERS
, *PWIN32_DELETEMETHOD_PARAMETERS
;
1328 typedef struct _WIN32_PARSEMETHOD_PARAMETERS
1332 PACCESS_STATE AccessState
;
1333 KPROCESSOR_MODE AccessMode
;
1335 OUT PUNICODE_STRING CompleteName
;
1336 PUNICODE_STRING RemainingName
;
1338 PSECURITY_QUALITY_OF_SERVICE SecurityQos
;
1340 } WIN32_PARSEMETHOD_PARAMETERS
, *PWIN32_PARSEMETHOD_PARAMETERS
;
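//
// Table of Win32K callout function pointers, one member per callback type
// declared earlier in this file. The desktop and window-station members
// reuse the same open/ok-to-close/close/delete/parse pointer types.
// NOTE(review): every member is a code pointer that the receiving side will
// presumably call; whatever routine accepts this table should restrict who
// may register it and keep its stored copy unmodifiable afterwards. That
// routine is not shown here, so confirm there.
//
typedef struct _WIN32_CALLOUTS_FPNS
{
    PKWIN32_PROCESS_CALLOUT ProcessCallout;
    PKWIN32_THREAD_CALLOUT ThreadCallout;
    PKWIN32_GLOBALATOMTABLE_CALLOUT GlobalAtomTableCallout;
    PKWIN32_POWEREVENT_CALLOUT PowerEventCallout;
    PKWIN32_POWERSTATE_CALLOUT PowerStateCallout;
    PKWIN32_JOB_CALLOUT JobCallout;
    PGDI_BATCHFLUSH_ROUTINE BatchFlushRoutine;
    PKWIN32_OPENMETHOD_CALLOUT DesktopOpenProcedure;
    PKWIN32_OKTOCLOSEMETHOD_CALLOUT DesktopOkToCloseProcedure;
    PKWIN32_CLOSEMETHOD_CALLOUT DesktopCloseProcedure;
    PKWIN32_DELETEMETHOD_CALLOUT DesktopDeleteProcedure;
    PKWIN32_OKTOCLOSEMETHOD_CALLOUT WindowStationOkToCloseProcedure;
    PKWIN32_CLOSEMETHOD_CALLOUT WindowStationCloseProcedure;
    PKWIN32_DELETEMETHOD_CALLOUT WindowStationDeleteProcedure;
    PKWIN32_PARSEMETHOD_CALLOUT WindowStationParseProcedure;
    PKWIN32_OPENMETHOD_CALLOUT WindowStationOpenProcedure;
    PKWIN32_WIN32DATACOLLECTION_CALLOUT Win32DataCollectionProcedure;
} WIN32_CALLOUTS_FPNS, *PWIN32_CALLOUTS_FPNS;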
1363 #endif // !NTOS_MODE_USER
1365 #endif // _PSTYPES_H