Techwiki:Ntoskrnl/KPROCESS
/* * NAME: KPROCESS * DESCRIPTION: Internal Kernel Process Structure. * PORTABILITY: Architecture Dependent. * KERNEL VERSION: 5.2 */
DISPATCHER_HEADER Header /* 000 */ LIST_ENTRY ProfileListHead; /* 010 */ PHYSICAL_ADDRESS DirectoryTableBase; /* 018 */ KGDTENTRY LdtDescriptor; /* 020 */ KIDTENTRY Int21Descriptor; /* 028 */ USHORT IopmOffset; /* 030 */ UCHAR Iopl; /* 032 */ UCHAR Unused; /* 033 */ ULONG ActiveProcessors; /* 034 */ ULONG KernelTime; /* 038 */ ULONG UserTime; /* 03C */ LIST_ENTRY ReadyListHead; /* 040 */ SINGLE_LIST_ENTRY SwapListEntry; /* 048 */ PVOID VdmTrapcHandler /* 04C */ LIST_ENTRY ThreadListHead; /* 050 */ KSPIN_LOCK ProcessLock; /* 058 */ KAFFINITY Affinity; /* 05C */ union { struct { ULONG AutoAlignment:1; /* 060.0 */ ULONG DisableBoost:1; /* 060.1 */ ULONG DisableQuantum:1; /* 060.2 */ ULONG ReservedFlags:29; /* 060.3 */ }; ULONG ProcessFlags; /* 060 */ }; CHAR BasePriority; /* 064 */ CHAR QuantumReset; /* 065 */ UCHAR State; /* 066 */ UCHAR ThreadSeed; /* 067 */ UCHAR PowerState; /* 068 */ UCHAR IdealNode; /* 069 */ UCHAR Visited; /* 06A */ KEXECUTE_OPTIONS Flags; /* 06B */ ULONG StackCount; /* 06C */ LIST_ENTRY ProcessListEntry; /* 070 */
Descriptions
Header
Contains the common header that every Dispatcher Object must have. Allows the Process to be waited on.
ProfileListHead
Contains a list of the currently associated Profile Objects with this Process' Address Space.
DirectoryTableBase
Contains the Physical Address of the Page Table Directory for the Process' Address Space.
LdtDescriptor
Contains the GDT (Global Descriptor Table) Entry for the LDT (Local Descriptor Table) of this process. Used for 16-bit emulation.
Int21Descriptor
Contains the IDT (Interrupt Descriptor Table) Entry for Interrupt 21 emulation, used by 16-bit emulation.
IopmOffset
Contains the offset to the IOPM (Input/Output Privilege Map) used to determine which Interrupts are available for which mode (CPL0, 1, 2 or 3).
Iopl
Contains the current IOPL (Input/Output Privilege Level), basically termining if the Process currently has access to Interrupts. Usually the same as the CPL.
Unused
Contained the VDM Flag in Kernel <= 5.0. Deprecated.
To replace this functionality, check if EPROCESS->VdmObjects == NULL.
ActiveProcessors
Contains a bitmask of the Processors that are currently running this Process.
KernelTime
Time that the Process has spent in CPL 0 (Kernel-Mode).
UserTime
Time that the Process has spent in CPL 3 (User-Mode).
ReadyListHead
Threads which are in the Process's Ready List and have not yet been inserted into the Dispatcher Ready List. Used when In or Out Swapping Processes from Memory.
SwapListEntry
Links the Process with the Kernel In/Out Swap List. Used during In or Out Swapping.
VdmTrapcHandler
Contains a pointer to the function handling the CTRL+C interrupt. Used during 16-bit emulation.
ThreadListHead
Contains the list of current Kernel Threads associated with this Process.
ProcessLock
Contains a Spinlock used when Locking the Process. Very seldomly used by the Kernel.
Affinity
Contains the Affinity Mask for this Process, which is to say on which CPUs is it allowed to run.
AutoAlignment
On non-x86 platforms, determines if Memory I/O inside this Process' Address Space will be automatically aligned to the right boundary for this platform.
DisableBoost
DisableQuantum
Determines if the Threads which are children to this Process will not have Quantums; that is to say, they will never automatically engage in a context switch if they have been running for too long.
ReservedFlags
Reserved space for future flag expansion.
ProcessFlags
Global value to be used when quickly masking certain Process Flags.
BasePriority
Determines the Base Priority which every Thread that is a child to this Process will have.
QuantumReset
Determines to which value the Quantum of a Thread will be Reset when it has expired. This value is set into the corresponding Thread's QuantumReset during KeInitializeThread, and never read again. Known as ThreadsQuantum in Kernel <= 5.1.
State
Determines the current memory state of the Process. Can be InTransition, InMemory or other Swap States.
ThreadSeed
Used by KeSetIdealProcessorThread to calculate the Ideal Processor for a Thread. Incremented by one each time the Ideal Processor is set.
PowerState
IdealNode
In a clustered environment, determines on which Node of the Cluster this Process should ideally run on.
Visited
Flags
Contains the flags for the NX bit setting for this Process' Address Space.
StackCount
The number of Resident Stacks currently associated to this Process. Biased by one if a Thread is attached. The Process is usually outswapped if this reaches zero.
ProcessListEntry
Links this Process into the global Kernel Process List.