Dieser Artikel listet die Struktur _ETHREAD von Microsoft Windows Server 2003 auf. Die Daten dienen als Grundlage für die forensische Analyse des Arbeitsspeichers. Sie wurden mit dem Windows-Kerneldebugger aus ntoskrnl.exe Version 5.2.3790.0 gewonnen. Die Symboldatei stammt von Microsofts Symbol Server.
kd> dt -b -v _ETHREAD
struct _ETHREAD, 55 elements, 0x260 bytes
+0x000 Tcb : struct _KTHREAD, 80 elements, 0x1c8 bytes
+0x000 Header : struct _DISPATCHER_HEADER, 8 elements, 0x10 bytes
+0x000 Type : UChar
+0x001 Absolute : UChar
+0x002 Size : UChar
+0x003 Inserted : UChar
+0x003 DebugActive : UChar
+0x000 Lock : Int4B
+0x004 SignalState : Int4B
+0x008 WaitListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x010 MutantListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x018 InitialStack : Ptr32 to
+0x01c StackLimit : Ptr32 to
+0x020 KernelStack : Ptr32 to
+0x024 ThreadLock : Uint4B
+0x028 ContextSwitches : Uint4B
+0x02c State : UChar
+0x02d NpxState : UChar
+0x02e WaitIrql : UChar
+0x02f WaitMode : Char
+0x030 Teb : Ptr32 to
+0x034 ApcState : struct _KAPC_STATE, 5 elements, 0x18 bytes
+0x000 ApcListHead : (2 elements) struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x010 Process : Ptr32 to
+0x014 KernelApcInProgress : UChar
+0x015 KernelApcPending : UChar
+0x016 UserApcPending : UChar
+0x04c ApcQueueLock : Uint4B
+0x050 WaitStatus : Int4B
+0x054 WaitBlockList : Ptr32 to
+0x058 Alertable : UChar
+0x059 WaitNext : UChar
+0x05a WaitReason : UChar
+0x05b Priority : Char
+0x05c EnableStackSwap : UChar
+0x05d SwapBusy : UChar
+0x05e Alerted : (2 elements) UChar
+0x060 WaitListEntry : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x060 SwapListEntry : struct _SINGLE_LIST_ENTRY, 1 elements, 0x4 bytes
+0x000 Next : Ptr32 to
+0x068 Queue : Ptr32 to
+0x06c WaitTime : Uint4B
+0x070 KernelApcDisable : Int2B
+0x072 SpecialApcDisable : Int2B
+0x070 CombinedApcDisable : Uint4B
+0x078 Timer : struct _KTIMER, 5 elements, 0x28 bytes
+0x000 Header : struct _DISPATCHER_HEADER, 8 elements, 0x10 bytes
+0x000 Type : UChar
+0x001 Absolute : UChar
+0x002 Size : UChar
+0x003 Inserted : UChar
+0x003 DebugActive : UChar
+0x000 Lock : Int4B
+0x004 SignalState : Int4B
+0x008 WaitListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x010 DueTime : union _ULARGE_INTEGER, 4 elements, 0x8 bytes
+0x000 LowPart : Uint4B
+0x004 HighPart : Uint4B
+0x000 u : struct __unnamed, 2 elements, 0x8 bytes
+0x000 LowPart : Uint4B
+0x004 HighPart : Uint4B
+0x000 QuadPart : Uint8B
+0x018 TimerListEntry : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x020 Dpc : Ptr32 to
+0x024 Period : Int4B
+0x0a0 WaitBlock : (4 elements) struct _KWAIT_BLOCK, 6 elements, 0x18 bytes
+0x000 WaitListEntry : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x008 Thread : Ptr32 to
+0x00c Object : Ptr32 to
+0x010 NextWaitBlock : Ptr32 to
+0x014 WaitKey : Uint2B
+0x016 WaitType : Uint2B
+0x100 QueueListEntry : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x108 ApcStateIndex : UChar
+0x109 ApcQueueable : UChar
+0x10a Preempted : UChar
+0x10b ProcessReadyQueue : UChar
+0x10c KernelStackResident : UChar
+0x10d Saturation : Char
+0x10e IdealProcessor : UChar
+0x10f NextProcessor : UChar
+0x110 BasePriority : Char
+0x111 Spare4 : UChar
+0x112 PriorityDecrement : Char
+0x113 Quantum : Char
+0x114 SystemAffinityActive : UChar
+0x115 PreviousMode : Char
+0x116 ResourceIndex : UChar
+0x117 DisableBoost : UChar
+0x118 UserAffinity : Uint4B
+0x11c Process : Ptr32 to
+0x120 Affinity : Uint4B
+0x124 ServiceTable : Ptr32 to
+0x128 ApcStatePointer : (2 elements) Ptr32 to
+0x130 SavedApcState : struct _KAPC_STATE, 5 elements, 0x18 bytes
+0x000 ApcListHead : (2 elements) struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x010 Process : Ptr32 to
+0x014 KernelApcInProgress : UChar
+0x015 KernelApcPending : UChar
+0x016 UserApcPending : UChar
+0x148 CallbackStack : Ptr32 to
+0x14c Win32Thread : Ptr32 to
+0x150 TrapFrame : Ptr32 to
+0x154 KernelTime : Uint4B
+0x158 UserTime : Uint4B
+0x15c StackBase : Ptr32 to
+0x160 SuspendApc : struct _KAPC, 14 elements, 0x30 bytes
+0x000 Type : Int2B
+0x002 Size : Int2B
+0x004 Spare0 : Uint4B
+0x008 Thread : Ptr32 to
+0x00c ApcListEntry : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x014 KernelRoutine : Ptr32 to
+0x018 RundownRoutine : Ptr32 to
+0x01c NormalRoutine : Ptr32 to
+0x020 NormalContext : Ptr32 to
+0x024 SystemArgument1 : Ptr32 to
+0x028 SystemArgument2 : Ptr32 to
+0x02c ApcStateIndex : Char
+0x02d ApcMode : Char
+0x02e Inserted : UChar
+0x190 SuspendSemaphore : struct _KSEMAPHORE, 2 elements, 0x14 bytes
+0x000 Header : struct _DISPATCHER_HEADER, 8 elements, 0x10 bytes
+0x000 Type : UChar
+0x001 Absolute : UChar
+0x002 Size : UChar
+0x003 Inserted : UChar
+0x003 DebugActive : UChar
+0x000 Lock : Int4B
+0x004 SignalState : Int4B
+0x008 WaitListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x010 Limit : Int4B
+0x1a4 TlsArray : Ptr32 to
+0x1a8 LegoData : Ptr32 to
+0x1ac ThreadListEntry : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x1b4 LargeStack : UChar
+0x1b5 PowerState : UChar
+0x1b6 NpxIrql : UChar
+0x1b7 Spare5 : UChar
+0x1b8 AutoAlignment : UChar
+0x1b9 Iopl : UChar
+0x1ba FreezeCount : Char
+0x1bb SuspendCount : Char
+0x1bc Spare0 : (1 elements) UChar
+0x1bd UserIdealProcessor : UChar
+0x1be DeferredProcessor : UChar
+0x1bf AdjustReason : UChar
+0x1c0 AdjustIncrement : Char
+0x1c1 Spare2 : (3 elements) UChar
+0x1c8 CreateTime : union _LARGE_INTEGER, 4 elements, 0x8 bytes
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : struct __unnamed, 2 elements, 0x8 bytes
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 QuadPart : Int8B
+0x1c8 NestedFaultCount : Bitfield Pos 0, 2 Bits
+0x1c8 ApcNeeded : Bitfield Pos 2, 1 Bit
+0x1d0 ExitTime : union _LARGE_INTEGER, 4 elements, 0x8 bytes
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : struct __unnamed, 2 elements, 0x8 bytes
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 QuadPart : Int8B
+0x1d0 LpcReplyChain : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x1d0 KeyedWaitChain : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x1d8 ExitStatus : Int4B
+0x1d8 OfsChain : Ptr32 to
+0x1dc PostBlockList : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x1e4 TerminationPort : Ptr32 to
+0x1e4 ReaperLink : Ptr32 to
+0x1e4 KeyedWaitValue : Ptr32 to
+0x1e8 ActiveTimerListLock : Uint4B
+0x1ec ActiveTimerListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x1f4 Cid : struct _CLIENT_ID, 2 elements, 0x8 bytes
+0x000 UniqueProcess : Ptr32 to
+0x004 UniqueThread : Ptr32 to
+0x1fc LpcReplySemaphore : struct _KSEMAPHORE, 2 elements, 0x14 bytes
+0x000 Header : struct _DISPATCHER_HEADER, 8 elements, 0x10 bytes
+0x000 Type : UChar
+0x001 Absolute : UChar
+0x002 Size : UChar
+0x003 Inserted : UChar
+0x003 DebugActive : UChar
+0x000 Lock : Int4B
+0x004 SignalState : Int4B
+0x008 WaitListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x010 Limit : Int4B
+0x1fc KeyedWaitSemaphore : struct _KSEMAPHORE, 2 elements, 0x14 bytes
+0x000 Header : struct _DISPATCHER_HEADER, 8 elements, 0x10 bytes
+0x000 Type : UChar
+0x001 Absolute : UChar
+0x002 Size : UChar
+0x003 Inserted : UChar
+0x003 DebugActive : UChar
+0x000 Lock : Int4B
+0x004 SignalState : Int4B
+0x008 WaitListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x010 Limit : Int4B
+0x210 LpcReplyMessage : Ptr32 to
+0x210 LpcWaitingOnPort : Ptr32 to
+0x214 ImpersonationInfo : Ptr32 to
+0x218 IrpList : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x220 TopLevelIrp : Uint4B
+0x224 DeviceToVerify : Ptr32 to
+0x228 ThreadsProcess : Ptr32 to
+0x22c StartAddress : Ptr32 to
+0x230 Win32StartAddress : Ptr32 to
+0x230 LpcReceivedMessageId : Uint4B
+0x234 ThreadListEntry : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x23c RundownProtect : struct _EX_RUNDOWN_REF, 2 elements, 0x4 bytes
+0x000 Count : Uint4B
+0x000 Ptr : Ptr32 to
+0x240 ThreadLock : struct _EX_PUSH_LOCK, 5 elements, 0x4 bytes
+0x000 Waiting : Bitfield Pos 0, 1 Bit
+0x000 Exclusive : Bitfield Pos 1, 1 Bit
+0x000 Shared : Bitfield Pos 2, 30 Bits
+0x000 Value : Uint4B
+0x000 Ptr : Ptr32 to
+0x244 LpcReplyMessageId : Uint4B
+0x248 ReadClusterSize : Uint4B
+0x24c GrantedAccess : Uint4B
+0x250 CrossThreadFlags : Uint4B
+0x250 Terminated : Bitfield Pos 0, 1 Bit
+0x250 DeadThread : Bitfield Pos 1, 1 Bit
+0x250 HideFromDebugger : Bitfield Pos 2, 1 Bit
+0x250 ActiveImpersonationInfo : Bitfield Pos 3, 1 Bit
+0x250 SystemThread : Bitfield Pos 4, 1 Bit
+0x250 HardErrorsAreDisabled : Bitfield Pos 5, 1 Bit
+0x250 BreakOnTermination : Bitfield Pos 6, 1 Bit
+0x250 SkipCreationMsg : Bitfield Pos 7, 1 Bit
+0x250 SkipTerminationMsg : Bitfield Pos 8, 1 Bit
+0x254 SameThreadPassiveFlags : Uint4B
+0x254 ActiveExWorker : Bitfield Pos 0, 1 Bit
+0x254 ExWorkerCanWaitUser : Bitfield Pos 1, 1 Bit
+0x254 MemoryMaker : Bitfield Pos 2, 1 Bit
+0x254 KeyedEventInUse : Bitfield Pos 3, 1 Bit
+0x258 SameThreadApcFlags : Uint4B
+0x258 LpcReceivedMsgIdValid : Bitfield Pos 0, 1 Bit
+0x258 LpcExitThreadCalled : Bitfield Pos 1, 1 Bit
+0x258 AddressSpaceOwner : Bitfield Pos 2, 1 Bit
+0x25c ForwardClusterOnly : UChar
+0x25d DisablePageFaultClustering : UChar
