_EPROCESS Version 5.2.3790.0
This article lists the _EPROCESS structure of Microsoft Windows Server 2003. The data serves as a basis for forensic analysis of main memory. It was obtained with the Windows kernel debugger and ntoskrnl.exe version 5.2.3790.0. The symbol file comes from Microsoft's Symbol Server.
kd> dt -b -v _EPROCESS
struct _EPROCESS, 101 elements, 0x278 bytes
   +0x000 Pcb : struct _KPROCESS, 28 elements, 0x6c bytes
      +0x000 Header : struct _DISPATCHER_HEADER, 8 elements, 0x10 bytes
         +0x000 Type : UChar
         +0x001 Absolute : UChar
         +0x002 Size : UChar
         +0x003 Inserted : UChar
         +0x003 DebugActive : UChar
         +0x000 Lock : Int4B
         +0x004 SignalState : Int4B
         +0x008 WaitListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
            +0x000 Flink : Ptr32 to
            +0x004 Blink : Ptr32 to
      +0x010 ProfileListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
         +0x000 Flink : Ptr32 to
         +0x004 Blink : Ptr32 to
      +0x018 DirectoryTableBase : (2 elements) Uint4B
      +0x020 LdtDescriptor : struct _KGDTENTRY, 3 elements, 0x8 bytes
         +0x000 LimitLow : Uint2B
         +0x002 BaseLow : Uint2B
         +0x004 HighWord : union __unnamed, 2 elements, 0x4 bytes
            +0x000 Bytes : struct __unnamed, 4 elements, 0x4 bytes
               +0x000 BaseMid : UChar
               +0x001 Flags1 : UChar
               +0x002 Flags2 : UChar
               +0x003 BaseHi : UChar
            +0x000 Bits : struct __unnamed, 10 elements, 0x4 bytes
               +0x000 BaseMid : Bitfield Pos 0, 8 Bits
               +0x000 Type : Bitfield Pos 8, 5 Bits
               +0x000 Dpl : Bitfield Pos 13, 2 Bits
               +0x000 Pres : Bitfield Pos 15, 1 Bit
               +0x000 LimitHi : Bitfield Pos 16, 4 Bits
               +0x000 Sys : Bitfield Pos 20, 1 Bit
               +0x000 Reserved_0 : Bitfield Pos 21, 1 Bit
               +0x000 Default_Big : Bitfield Pos 22, 1 Bit
               +0x000 Granularity : Bitfield Pos 23, 1 Bit
               +0x000 BaseHi : Bitfield Pos 24, 8 Bits
      +0x028 Int21Descriptor : struct _KIDTENTRY, 4 elements, 0x8 bytes
         +0x000 Offset : Uint2B
         +0x002 Selector : Uint2B
         +0x004 Access : Uint2B
         +0x006 ExtendedOffset : Uint2B
      +0x030 IopmOffset : Uint2B
      +0x032 Iopl : UChar
      +0x033 Unused : UChar
      +0x034 ActiveProcessors : Uint4B
      +0x038 KernelTime : Uint4B
      +0x03c UserTime : Uint4B
      +0x040 ReadyListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
         +0x000 Flink : Ptr32 to
         +0x004 Blink : Ptr32 to
      +0x048 SwapListEntry : struct _SINGLE_LIST_ENTRY, 1 elements, 0x4 bytes
         +0x000 Next : Ptr32 to
      +0x04c VdmTrapcHandler : Ptr32 to
      +0x050 ThreadListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
         +0x000 Flink : Ptr32 to
         +0x004 Blink : Ptr32 to
      +0x058 ProcessLock : Uint4B
      +0x05c Affinity : Uint4B
      +0x060 StackCount : Uint2B
      +0x062 BasePriority : Char
      +0x063 ThreadQuantum : Char
      +0x064 AutoAlignment : UChar
      +0x065 State : UChar
      +0x066 ThreadSeed : UChar
      +0x067 DisableBoost : UChar
      +0x068 PowerState : UChar
      +0x069 DisableQuantum : UChar
      +0x06a IdealNode : UChar
      +0x06b Spare : UChar
   +0x06c ProcessLock : struct _EX_PUSH_LOCK, 5 elements, 0x4 bytes
      +0x000 Waiting : Bitfield Pos 0, 1 Bit
      +0x000 Exclusive : Bitfield Pos 1, 1 Bit
      +0x000 Shared : Bitfield Pos 2, 30 Bits
      +0x000 Value : Uint4B
      +0x000 Ptr : Ptr32 to
   +0x070 CreateTime : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart : Uint4B
      +0x004 HighPart : Int4B
      +0x000 u : struct __unnamed, 2 elements, 0x8 bytes
         +0x000 LowPart : Uint4B
         +0x004 HighPart : Int4B
      +0x000 QuadPart : Int8B
   +0x078 ExitTime : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart : Uint4B
      +0x004 HighPart : Int4B
      +0x000 u : struct __unnamed, 2 elements, 0x8 bytes
         +0x000 LowPart : Uint4B
         +0x004 HighPart : Int4B
      +0x000 QuadPart : Int8B
   +0x080 RundownProtect : struct _EX_RUNDOWN_REF, 2 elements, 0x4 bytes
      +0x000 Count : Uint4B
      +0x000 Ptr : Ptr32 to
   +0x084 UniqueProcessId : Ptr32 to
   +0x088 ActiveProcessLinks : struct _LIST_ENTRY, 2 elements, 0x8 bytes
      +0x000 Flink : Ptr32 to
      +0x004 Blink : Ptr32 to
   +0x090 QuotaUsage : (3 elements) Uint4B
   +0x09c QuotaPeak : (3 elements) Uint4B
   +0x0a8 CommitCharge : Uint4B
   +0x0ac PeakVirtualSize : Uint4B
   +0x0b0 VirtualSize : Uint4B
   +0x0b4 SessionProcessLinks : struct _LIST_ENTRY, 2 elements, 0x8 bytes
      +0x000 Flink : Ptr32 to
      +0x004 Blink : Ptr32 to
   +0x0bc DebugPort : Ptr32 to
   +0x0c0 ExceptionPort : Ptr32 to
   +0x0c4 ObjectTable : Ptr32 to
   +0x0c8 Token : struct _EX_FAST_REF, 3 elements, 0x4 bytes
      +0x000 Object : Ptr32 to
      +0x000 RefCnt : Bitfield Pos 0, 3 Bits
      +0x000 Value : Uint4B
   +0x0cc WorkingSetPage : Uint4B
   +0x0d0 AddressCreationLock : struct _KGUARDED_MUTEX, 7 elements, 0x20 bytes
      +0x000 Count : Int4B
      +0x004 Owner : Ptr32 to
      +0x008 Contention : Uint4B
      +0x00c Event : struct _KEVENT, 1 elements, 0x10 bytes
         +0x000 Header : struct _DISPATCHER_HEADER, 8 elements, 0x10 bytes
            +0x000 Type : UChar
            +0x001 Absolute : UChar
            +0x002 Size : UChar
            +0x003 Inserted : UChar
            +0x003 DebugActive : UChar
            +0x000 Lock : Int4B
            +0x004 SignalState : Int4B
            +0x008 WaitListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
               +0x000 Flink : Ptr32 to
               +0x004 Blink : Ptr32 to
      +0x01c KernelApcDisable : Int2B
      +0x01e SpecialApcDisable : Int2B
      +0x01c CombinedApcDisable : Uint4B
   +0x0f0 HyperSpaceLock : Uint4B
   +0x0f4 ForkInProgress : Ptr32 to
   +0x0f8 HardwareTrigger : Uint4B
   +0x0fc PhysicalVadRoot : Ptr32 to
   +0x100 CloneRoot : Ptr32 to
   +0x104 NumberOfPrivatePages : Uint4B
   +0x108 NumberOfLockedPages : Uint4B
   +0x10c Win32Process : Ptr32 to
   +0x110 Job : Ptr32 to
   +0x114 SectionObject : Ptr32 to
   +0x118 SectionBaseAddress : Ptr32 to
   +0x11c QuotaBlock : Ptr32 to
   +0x120 WorkingSetWatch : Ptr32 to
   +0x124 Win32WindowStation : Ptr32 to
   +0x128 InheritedFromUniqueProcessId : Ptr32 to
   +0x12c LdtInformation : Ptr32 to
   +0x130 VadFreeHint : Ptr32 to
   +0x134 VdmObjects : Ptr32 to
   +0x138 DeviceMap : Ptr32 to
   +0x13c Spare0 : (3 elements) Ptr32 to
   +0x148 PageDirectoryPte : struct _HARDWARE_PTE, 13 elements, 0x4 bytes
      +0x000 Valid : Bitfield Pos 0, 1 Bit
      +0x000 Write : Bitfield Pos 1, 1 Bit
      +0x000 Owner : Bitfield Pos 2, 1 Bit
      +0x000 WriteThrough : Bitfield Pos 3, 1 Bit
      +0x000 CacheDisable : Bitfield Pos 4, 1 Bit
      +0x000 Accessed : Bitfield Pos 5, 1 Bit
      +0x000 Dirty : Bitfield Pos 6, 1 Bit
      +0x000 LargePage : Bitfield Pos 7, 1 Bit
      +0x000 Global : Bitfield Pos 8, 1 Bit
      +0x000 CopyOnWrite : Bitfield Pos 9, 1 Bit
      +0x000 Prototype : Bitfield Pos 10, 1 Bit
      +0x000 reserved : Bitfield Pos 11, 1 Bit
      +0x000 PageFrameNumber : Bitfield Pos 12, 20 Bits
   +0x148 Filler : Uint8B
   +0x150 Session : Ptr32 to
   +0x154 ImageFileName : (16 elements) UChar
   +0x164 JobLinks : struct _LIST_ENTRY, 2 elements, 0x8 bytes
      +0x000 Flink : Ptr32 to
      +0x004 Blink : Ptr32 to
   +0x16c LockedPagesList : Ptr32 to
   +0x170 ThreadListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
      +0x000 Flink : Ptr32 to
      +0x004 Blink : Ptr32 to
   +0x178 SecurityPort : Ptr32 to
   +0x17c PaeTop : Ptr32 to
   +0x180 ActiveThreads : Uint4B
   +0x184 GrantedAccess : Uint4B
   +0x188 DefaultHardErrorProcessing : Uint4B
   +0x18c LastThreadExitStatus : Int4B
   +0x190 Peb : Ptr32 to
   +0x194 PrefetchTrace : struct _EX_FAST_REF, 3 elements, 0x4 bytes
      +0x000 Object : Ptr32 to
      +0x000 RefCnt : Bitfield Pos 0, 3 Bits
      +0x000 Value : Uint4B
   +0x198 ReadOperationCount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart : Uint4B
      +0x004 HighPart : Int4B
      +0x000 u : struct __unnamed, 2 elements, 0x8 bytes
         +0x000 LowPart : Uint4B
         +0x004 HighPart : Int4B
      +0x000 QuadPart : Int8B
   +0x1a0 WriteOperationCount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart : Uint4B
      +0x004 HighPart : Int4B
      +0x000 u : struct __unnamed, 2 elements, 0x8 bytes
         +0x000 LowPart : Uint4B
         +0x004 HighPart : Int4B
      +0x000 QuadPart : Int8B
   +0x1a8 OtherOperationCount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart : Uint4B
      +0x004 HighPart : Int4B
      +0x000 u : struct __unnamed, 2 elements, 0x8 bytes
         +0x000 LowPart : Uint4B
         +0x004 HighPart : Int4B
      +0x000 QuadPart : Int8B
   +0x1b0 ReadTransferCount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart : Uint4B
      +0x004 HighPart : Int4B
      +0x000 u : struct __unnamed, 2 elements, 0x8 bytes
         +0x000 LowPart : Uint4B
         +0x004 HighPart : Int4B
      +0x000 QuadPart : Int8B
   +0x1b8 WriteTransferCount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart : Uint4B
      +0x004 HighPart : Int4B
      +0x000 u : struct __unnamed, 2 elements, 0x8 bytes
         +0x000 LowPart : Uint4B
         +0x004 HighPart : Int4B
      +0x000 QuadPart : Int8B
   +0x1c0 OtherTransferCount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart : Uint4B
      +0x004 HighPart : Int4B
      +0x000 u : struct __unnamed, 2 elements, 0x8 bytes
         +0x000 LowPart : Uint4B
         +0x004 HighPart : Int4B
      +0x000 QuadPart : Int8B
   +0x1c8 CommitChargeLimit : Uint4B
   +0x1cc CommitChargePeak : Uint4B
   +0x1d0 AweInfo : Ptr32 to
   +0x1d4 SeAuditProcessCreationInfo : struct _SE_AUDIT_PROCESS_CREATION_INFO, 1 elements, 0x4 bytes
      +0x000 ImageFileName : Ptr32 to
   +0x1d8 Vm : struct _MMSUPPORT, 15 elements, 0x60 bytes
      +0x000 WorkingSetExpansionLinks : struct _LIST_ENTRY, 2 elements, 0x8 bytes
         +0x000 Flink : Ptr32 to
         +0x004 Blink : Ptr32 to
      +0x008 LastTrimTime : union _LARGE_INTEGER, 4 elements, 0x8 bytes
         +0x000 LowPart : Uint4B
         +0x004 HighPart : Int4B
         +0x000 u : struct __unnamed, 2 elements, 0x8 bytes
            +0x000 LowPart : Uint4B
            +0x004 HighPart : Int4B
         +0x000 QuadPart : Int8B
      +0x010 Flags : struct _MMSUPPORT_FLAGS, 12 elements, 0x4 bytes
         +0x000 SessionSpace : Bitfield Pos 0, 1 Bit
         +0x000 BeingTrimmed : Bitfield Pos 1, 1 Bit
         +0x000 SessionLeader : Bitfield Pos 2, 1 Bit
         +0x000 TrimHard : Bitfield Pos 3, 1 Bit
         +0x000 MaximumWorkingSetHard : Bitfield Pos 4, 1 Bit
         +0x000 ForceTrim : Bitfield Pos 5, 1 Bit
         +0x000 MinimumWorkingSetHard : Bitfield Pos 6, 1 Bit
         +0x000 Available0 : Bitfield Pos 7, 1 Bit
         +0x001 MemoryPriority : Bitfield Pos 0, 8 Bits
         +0x002 GrowWsleHash : Bitfield Pos 0, 1 Bit
         +0x002 AcquiredUnsafe : Bitfield Pos 1, 1 Bit
         +0x002 Available : Bitfield Pos 2, 14 Bits
      +0x014 PageFaultCount : Uint4B
      +0x018 PeakWorkingSetSize : Uint4B
      +0x01c GrowthSinceLastEstimate : Uint4B
      +0x020 MinimumWorkingSetSize : Uint4B
      +0x024 MaximumWorkingSetSize : Uint4B
      +0x028 VmWorkingSetList : Ptr32 to
      +0x02c Claim : Uint4B
      +0x030 NextEstimationSlot : Uint4B
      +0x034 NextAgingSlot : Uint4B
      +0x038 EstimatedAvailable : Uint4B
      +0x03c WorkingSetSize : Uint4B
      +0x040 WorkingSetMutex : struct _KGUARDED_MUTEX, 7 elements, 0x20 bytes
         +0x000 Count : Int4B
         +0x004 Owner : Ptr32 to
         +0x008 Contention : Uint4B
         +0x00c Event : struct _KEVENT, 1 elements, 0x10 bytes
            +0x000 Header : struct _DISPATCHER_HEADER, 8 elements, 0x10 bytes
               +0x000 Type : UChar
               +0x001 Absolute : UChar
               +0x002 Size : UChar
               +0x003 Inserted : UChar
               +0x003 DebugActive : UChar
               +0x000 Lock : Int4B
               +0x004 SignalState : Int4B
               +0x008 WaitListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
                  +0x000 Flink : Ptr32 to
                  +0x004 Blink : Ptr32 to
         +0x01c KernelApcDisable : Int2B
         +0x01e SpecialApcDisable : Int2B
         +0x01c CombinedApcDisable : Uint4B
   +0x238 MmProcessLinks : struct _LIST_ENTRY, 2 elements, 0x8 bytes
      +0x000 Flink : Ptr32 to
      +0x004 Blink : Ptr32 to
   +0x240 ModifiedPageCount : Uint4B
   +0x244 JobStatus : Uint4B
   +0x248 Flags : Uint4B
   +0x248 CreateReported : Bitfield Pos 0, 1 Bit
   +0x248 NoDebugInherit : Bitfield Pos 1, 1 Bit
   +0x248 ProcessExiting : Bitfield Pos 2, 1 Bit
   +0x248 ProcessDelete : Bitfield Pos 3, 1 Bit
   +0x248 Wow64SplitPages : Bitfield Pos 4, 1 Bit
   +0x248 VmDeleted : Bitfield Pos 5, 1 Bit
   +0x248 OutswapEnabled : Bitfield Pos 6, 1 Bit
   +0x248 Outswapped : Bitfield Pos 7, 1 Bit
   +0x248 ForkFailed : Bitfield Pos 8, 1 Bit
   +0x248 Wow64VaSpace4Gb : Bitfield Pos 9, 1 Bit
   +0x248 AddressSpaceInitialized : Bitfield Pos 10, 2 Bits
   +0x248 SetTimerResolution : Bitfield Pos 12, 1 Bit
   +0x248 BreakOnTermination : Bitfield Pos 13, 1 Bit
   +0x248 SessionCreationUnderway : Bitfield Pos 14, 1 Bit
   +0x248 WriteWatch : Bitfield Pos 15, 1 Bit
   +0x248 ProcessInSession : Bitfield Pos 16, 1 Bit
   +0x248 OverrideAddressSpace : Bitfield Pos 17, 1 Bit
   +0x248 HasAddressSpace : Bitfield Pos 18, 1 Bit
   +0x248 LaunchPrefetched : Bitfield Pos 19, 1 Bit
   +0x248 InjectInpageErrors : Bitfield Pos 20, 1 Bit
   +0x248 VmTopDown : Bitfield Pos 21, 1 Bit
   +0x248 ImageNotifyDone : Bitfield Pos 22, 1 Bit
   +0x248 PdeUpdateNeeded : Bitfield Pos 23, 1 Bit
   +0x248 VdmAllowed : Bitfield Pos 24, 1 Bit
   +0x248 Unused : Bitfield Pos 25, 7 Bits
   +0x24c ExitStatus : Int4B
   +0x250 NextPageColor : Uint2B
   +0x252 SubSystemMinorVersion : UChar
   +0x253 SubSystemMajorVersion : UChar
   +0x252 SubSystemVersion : Uint2B
   +0x254 PriorityClass : UChar
   +0x258 VadRoot : struct _MM_AVL_TABLE, 6 elements, 0x20 bytes
      +0x000 BalancedRoot : struct _MMADDRESS_NODE, 5 elements, 0x14 bytes
         +0x000 u1 : union __unnamed, 2 elements, 0x4 bytes
            +0x000 Balance : Bitfield Pos 0, 2 Bits
            +0x000 Parent : Ptr32 to
         +0x004 LeftChild : Ptr32 to
         +0x008 RightChild : Ptr32 to
         +0x00c StartingVpn : Uint4B
         +0x010 EndingVpn : Uint4B
      +0x014 DepthOfTree : Bitfield Pos 0, 5 Bits
      +0x014 Unused : Bitfield Pos 5, 3 Bits
      +0x014 NumberGenericTableElements : Bitfield Pos 8, 24 Bits
      +0x018 NodeHint : Ptr32 to
      +0x01c NodeFreeHint : Ptr32 to
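As an added example (not part of the original page), the following Python script uses the offsets listed above (UniqueProcessId at 0x084, ActiveProcessLinks at 0x088, InheritedFromUniqueProcessId at 0x128, ImageFileName at 0x154, Flags at 0x248) to parse a constructed 32-bit memory image and walk the ActiveProcessLinks list the way a memory forensics tool enumerates processes. The list head location, the process addresses and the process names are made-up sample values, and the Blink consistency check is an added sanity test, not something the debugger output itself provides.

```python
import struct

# Offsets from the 32-bit _EPROCESS layout for ntoskrnl.exe 5.2.3790.0 listed above.
OFF_PID = 0x084      # UniqueProcessId
OFF_LINKS = 0x088    # ActiveProcessLinks: Flink at +0, Blink at +4
OFF_PPID = 0x128     # InheritedFromUniqueProcessId
OFF_NAME = 0x154     # ImageFileName, 16 ANSI bytes
OFF_FLAGS = 0x248    # Flags; ProcessExiting is bit 2
EPROCESS_SIZE = 0x278
HEAD_VA, A_VA, B_VA = 0x020, 0x100, 0x400   # made-up addresses for the sample image

def parse_eprocess(mem, base):
    blob = bytes(mem[base:base + EPROCESS_SIZE])
    if len(blob) < EPROCESS_SIZE:
        raise ValueError("truncated _EPROCESS at 0x%x" % base)
    flink, blink = struct.unpack_from("<II", blob, OFF_LINKS)
    return {
        "pid": struct.unpack_from("<I", blob, OFF_PID)[0],
        "ppid": struct.unpack_from("<I", blob, OFF_PPID)[0],
        "name": blob[OFF_NAME:OFF_NAME + 16].split(b"\0", 1)[0].decode("ascii", "replace"),
        "exiting": bool(struct.unpack_from("<I", blob, OFF_FLAGS)[0] & (1 << 2)),
        "flink": flink, "blink": blink,
    }

def walk_active_process_list(mem, head_va, limit=4096):
    """Follow Flink from the list head until it wraps back. Each Flink points at the
    _LIST_ENTRY embedded in the next _EPROCESS, so the object base is link - 0x88
    (CONTAINING_RECORD); a Blink that does not point back is reported as blink_ok=False."""
    procs, prev, link = [], head_va, struct.unpack_from("<I", mem, head_va)[0]
    while link != head_va and len(procs) < limit:
        p = parse_eprocess(mem, link - OFF_LINKS)
        p["blink_ok"] = p["blink"] == prev
        procs.append(p)
        prev, link = link, p["flink"]
    return procs

def build_sample_image():
    """Constructed sample: a PsActiveProcessHead at HEAD_VA plus two fake processes."""
    mem = bytearray(0x800)
    a_link, b_link = A_VA + OFF_LINKS, B_VA + OFF_LINKS
    struct.pack_into("<II", mem, HEAD_VA, a_link, b_link)
    for base, pid, ppid, name, flink, blink, flags in (
            (A_VA, 4, 0, b"System", b_link, HEAD_VA, 0),
            (B_VA, 1234, 4, b"smss.exe", HEAD_VA, a_link, 1 << 2)):
        struct.pack_into("<I", mem, base + OFF_PID, pid)
        struct.pack_into("<I", mem, base + OFF_PPID, ppid)
        struct.pack_into("<II", mem, base + OFF_LINKS, flink, blink)
        struct.pack_into("<I", mem, base + OFF_FLAGS, flags)
        mem[base + OFF_NAME:base + OFF_NAME + 16] = name.ljust(16, b"\0")
    return mem
```

Against a real image the same offsets apply after the virtual addresses have been translated through the process's page directory, which this sample skips by using a flat buffer.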