Dieser Artikel listet die Struktur _ETHREAD von Windows 2000. Die Daten wurden mit dem Windows-Kerneldebugger aus ntoskrnl.exe Version 5.0.2195.7045 gewonnen. Sie dienen als Grundlage für die forensische Analyse des Arbeitsspeichers. Die angegebenen Offsets und Größen gelten nur für diese 32-Bit-Kernelversion (Ptr32); bei anderen Builds können Offsets, Feldnamen und Strukturgrößen abweichen und müssen gegen die jeweiligen Symbole geprüft werden.
kd> dt -a -b -v _ETHREAD
struct _ETHREAD, 39 elements, 0x248 bytes
+0x000 Tcb : struct _KTHREAD, 69 elements, 0x1b0 bytes
+0x000 Header : struct _DISPATCHER_HEADER, 6 elements, 0x10 bytes
+0x000 Type : UChar
+0x001 Absolute : UChar
+0x002 Size : UChar
+0x003 Inserted : UChar
+0x004 SignalState : Int4B
+0x008 WaitListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x010 MutantListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x018 InitialStack : Ptr32 to
+0x01c StackLimit : Ptr32 to
+0x020 Teb : Ptr32 to
+0x024 TlsArray : Ptr32 to
+0x028 KernelStack : Ptr32 to
+0x02c DebugActive : UChar
+0x02d State : UChar
+0x02e Alerted : (2 elements) UChar
+0x030 Iopl : UChar
+0x031 NpxState : UChar
+0x032 Saturation : Char
+0x033 Priority : Char
+0x034 ApcState : struct _KAPC_STATE, 5 elements, 0x18 bytes
+0x000 ApcListHead : (2 elements) struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x010 Process : Ptr32 to
+0x014 KernelApcInProgress : UChar
+0x015 KernelApcPending : UChar
+0x016 UserApcPending : UChar
+0x04c ContextSwitches : Uint4B
+0x050 WaitStatus : Int4B
+0x054 WaitIrql : UChar
+0x055 WaitMode : Char
+0x056 WaitNext : UChar
+0x057 WaitReason : UChar
+0x058 WaitBlockList : Ptr32 to
+0x05c WaitListEntry : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x064 WaitTime : Uint4B
+0x068 BasePriority : Char
+0x069 DecrementCount : UChar
+0x06a PriorityDecrement : Char
+0x06b Quantum : Char
+0x06c WaitBlock : (4 elements) struct _KWAIT_BLOCK, 6 elements, 0x18 bytes
+0x000 WaitListEntry : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x008 Thread : Ptr32 to
+0x00c Object : Ptr32 to
+0x010 NextWaitBlock : Ptr32 to
+0x014 WaitKey : Uint2B
+0x016 WaitType : Uint2B
+0x0cc LegoData : Ptr32 to
+0x0d0 KernelApcDisable : Uint4B
+0x0d4 UserAffinity : Uint4B
+0x0d8 SystemAffinityActive : UChar
+0x0d9 PowerState : UChar
+0x0da NpxIrql : UChar
+0x0db Pad : (1 elements) UChar
+0x0dc ServiceTable : Ptr32 to
+0x0e0 Queue : Ptr32 to
+0x0e4 ApcQueueLock : Uint4B
+0x0e8 Timer : struct _KTIMER, 5 elements, 0x28 bytes
+0x000 Header : struct _DISPATCHER_HEADER, 6 elements, 0x10 bytes
+0x000 Type : UChar
+0x001 Absolute : UChar
+0x002 Size : UChar
+0x003 Inserted : UChar
+0x004 SignalState : Int4B
+0x008 WaitListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x010 DueTime : union _ULARGE_INTEGER, 4 elements, 0x8 bytes
+0x000 LowPart : Uint4B
+0x004 HighPart : Uint4B
+0x000 u : struct __unnamed, 2 elements, 0x8 bytes
+0x000 LowPart : Uint4B
+0x004 HighPart : Uint4B
+0x000 QuadPart : Uint8B
+0x018 TimerListEntry : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x020 Dpc : Ptr32 to
+0x024 Period : Int4B
+0x110 QueueListEntry : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x118 Affinity : Uint4B
+0x11c Preempted : UChar
+0x11d ProcessReadyQueue : UChar
+0x11e KernelStackResident : UChar
+0x11f NextProcessor : UChar
+0x120 CallbackStack : Ptr32 to
+0x124 Win32Thread : Ptr32 to
+0x128 TrapFrame : Ptr32 to
+0x12c ApcStatePointer : (2 elements) Ptr32 to
+0x134 PreviousMode : Char
+0x135 EnableStackSwap : UChar
+0x136 LargeStack : UChar
+0x137 ResourceIndex : UChar
+0x138 KernelTime : Uint4B
+0x13c UserTime : Uint4B
+0x140 SavedApcState : struct _KAPC_STATE, 5 elements, 0x18 bytes
+0x000 ApcListHead : (2 elements) struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x010 Process : Ptr32 to
+0x014 KernelApcInProgress : UChar
+0x015 KernelApcPending : UChar
+0x016 UserApcPending : UChar
+0x158 Alertable : UChar
+0x159 ApcStateIndex : UChar
+0x15a ApcQueueable : UChar
+0x15b AutoAlignment : UChar
+0x15c StackBase : Ptr32 to
+0x160 SuspendApc : struct _KAPC, 14 elements, 0x30 bytes
+0x000 Type : Int2B
+0x002 Size : Int2B
+0x004 Spare0 : Uint4B
+0x008 Thread : Ptr32 to
+0x00c ApcListEntry : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x014 KernelRoutine : Ptr32 to
+0x018 RundownRoutine : Ptr32 to
+0x01c NormalRoutine : Ptr32 to
+0x020 NormalContext : Ptr32 to
+0x024 SystemArgument1 : Ptr32 to
+0x028 SystemArgument2 : Ptr32 to
+0x02c ApcStateIndex : Char
+0x02d ApcMode : Char
+0x02e Inserted : UChar
+0x190 SuspendSemaphore : struct _KSEMAPHORE, 2 elements, 0x14 bytes
+0x000 Header : struct _DISPATCHER_HEADER, 6 elements, 0x10 bytes
+0x000 Type : UChar
+0x001 Absolute : UChar
+0x002 Size : UChar
+0x003 Inserted : UChar
+0x004 SignalState : Int4B
+0x008 WaitListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x010 Limit : Int4B
+0x1a4 ThreadListEntry : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x1ac FreezeCount : Char
+0x1ad SuspendCount : Char
+0x1ae IdealProcessor : UChar
+0x1af DisableBoost : UChar
+0x1b0 CreateTime : union _LARGE_INTEGER, 4 elements, 0x8 bytes
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : struct __unnamed, 2 elements, 0x8 bytes
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 QuadPart : Int8B
+0x1b0 NestedFaultCount : Bitfield Pos 0, 2 Bits
+0x1b0 ApcNeeded : Bitfield Pos 2, 1 Bit
+0x1b8 ExitTime : union _LARGE_INTEGER, 4 elements, 0x8 bytes
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : struct __unnamed, 2 elements, 0x8 bytes
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 QuadPart : Int8B
+0x1b8 LpcReplyChain : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x1c0 ExitStatus : Int4B
+0x1c0 OfsChain : Ptr32 to
+0x1c4 PostBlockList : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x1cc TerminationPortList : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x1d4 ActiveTimerListLock : Uint4B
+0x1d8 ActiveTimerListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x1e0 Cid : struct _CLIENT_ID, 2 elements, 0x8 bytes
+0x000 UniqueProcess : Ptr32 to
+0x004 UniqueThread : Ptr32 to
+0x1e8 LpcReplySemaphore : struct _KSEMAPHORE, 2 elements, 0x14 bytes
+0x000 Header : struct _DISPATCHER_HEADER, 6 elements, 0x10 bytes
+0x000 Type : UChar
+0x001 Absolute : UChar
+0x002 Size : UChar
+0x003 Inserted : UChar
+0x004 SignalState : Int4B
+0x008 WaitListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x010 Limit : Int4B
+0x1fc LpcReplyMessage : Ptr32 to
+0x1fc LpcWaitingOnPort : Ptr32 to
+0x200 LpcReplyMessageId : Uint4B
+0x204 PerformanceCountLow : Uint4B
+0x208 ImpersonationInfo : Ptr32 to
+0x20c IrpList : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x214 TopLevelIrp : Uint4B
+0x218 DeviceToVerify : Ptr32 to
+0x21c ReadClusterSize : Uint4B
+0x220 ForwardClusterOnly : UChar
+0x221 DisablePageFaultClustering : UChar
+0x222 DeadThread : UChar
+0x223 HideFromDebugger : UChar
+0x224 HasTerminated : Uint4B
+0x228 GrantedAccess : Uint4B
+0x22c ThreadsProcess : Ptr32 to
+0x230 StartAddress : Ptr32 to
+0x234 Win32StartAddress : Ptr32 to
+0x234 LpcReceivedMessageId : Uint4B
+0x238 LpcExitThreadCalled : UChar
+0x239 HardErrorsAreDisabled : UChar
+0x23a LpcReceivedMsgIdValid : UChar
+0x23b ActiveImpersonationInfo : UChar
+0x23c PerformanceCountHigh : Int4B
+0x240 ThreadListEntry : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
