_EPROCESS version 5.0.2195.7045

This article provides a listing of the _EPROCESS structure of Microsoft Windows 2000, Service Pack 4. All data was produced with the free Microsoft kernel debugger (the `dt -a -b -v _EPROCESS` command shown below) against ntoskrnl.exe version 5.0.2195.7045; the offsets of nested members are relative to their enclosing structure, not to the start of _EPROCESS. Knowledge of this structure, and of the build-specific offsets in it, can be helpful when analysing a memory dump.

kd> dt -a -b -v _EPROCESS
struct _EPROCESS, 94 elements, 0x290 bytes
   +0x000 Pcb              : struct _KPROCESS, 26 elements, 0x6c bytes
      +0x000 Header           : struct _DISPATCHER_HEADER, 6 elements, 0x10 bytes
         +0x000 Type             : UChar
         +0x001 Absolute         : UChar
         +0x002 Size             : UChar
         +0x003 Inserted         : UChar
         +0x004 SignalState      : Int4B
         +0x008 WaitListHead     : struct _LIST_ENTRY, 2 elements, 0x8 bytes
            +0x000 Flink            : Ptr32 to 
            +0x004 Blink            : Ptr32 to 
      +0x010 ProfileListHead  : struct _LIST_ENTRY, 2 elements, 0x8 bytes
         +0x000 Flink            : Ptr32 to 
         +0x004 Blink            : Ptr32 to 
      +0x018 DirectoryTableBase : (2 elements)  Uint4B
      +0x020 LdtDescriptor    : struct _KGDTENTRY, 3 elements, 0x8 bytes
         +0x000 LimitLow         : Uint2B
         +0x002 BaseLow          : Uint2B
         +0x004 HighWord         : union __unnamed, 2 elements, 0x4 bytes
            +0x000 Bytes            : struct __unnamed, 4 elements, 0x4 bytes
               +0x000 BaseMid          : UChar
               +0x001 Flags1           : UChar
               +0x002 Flags2           : UChar
               +0x003 BaseHi           : UChar
            +0x000 Bits             : struct __unnamed, 10 elements, 0x4 bytes
               +0x000 BaseMid          : Bitfield Pos 0, 8 Bits
               +0x000 Type             : Bitfield Pos 8, 5 Bits
               +0x000 Dpl              : Bitfield Pos 13, 2 Bits
               +0x000 Pres             : Bitfield Pos 15, 1 Bit
               +0x000 LimitHi          : Bitfield Pos 16, 4 Bits
               +0x000 Sys              : Bitfield Pos 20, 1 Bit
               +0x000 Reserved_0       : Bitfield Pos 21, 1 Bit
               +0x000 Default_Big      : Bitfield Pos 22, 1 Bit
               +0x000 Granularity      : Bitfield Pos 23, 1 Bit
               +0x000 BaseHi           : Bitfield Pos 24, 8 Bits
      +0x028 Int21Descriptor  : struct _KIDTENTRY, 4 elements, 0x8 bytes
         +0x000 Offset           : Uint2B
         +0x002 Selector         : Uint2B
         +0x004 Access           : Uint2B
         +0x006 ExtendedOffset   : Uint2B
      +0x030 IopmOffset       : Uint2B
      +0x032 Iopl             : UChar
      +0x033 VdmFlag          : UChar
      +0x034 ActiveProcessors : Uint4B
      +0x038 KernelTime       : Uint4B
      +0x03c UserTime         : Uint4B
      +0x040 ReadyListHead    : struct _LIST_ENTRY, 2 elements, 0x8 bytes
         +0x000 Flink            : Ptr32 to 
         +0x004 Blink            : Ptr32 to 
      +0x048 SwapListEntry    : struct _LIST_ENTRY, 2 elements, 0x8 bytes
         +0x000 Flink            : Ptr32 to 
         +0x004 Blink            : Ptr32 to 
      +0x050 ThreadListHead   : struct _LIST_ENTRY, 2 elements, 0x8 bytes
         +0x000 Flink            : Ptr32 to 
         +0x004 Blink            : Ptr32 to 
      +0x058 ProcessLock      : Uint4B
      +0x05c Affinity         : Uint4B
      +0x060 StackCount       : Uint2B
      +0x062 BasePriority     : Char
      +0x063 ThreadQuantum    : Char
      +0x064 AutoAlignment    : UChar
      +0x065 State            : UChar
      +0x066 ThreadSeed       : UChar
      +0x067 DisableBoost     : UChar
      +0x068 PowerState       : UChar
      +0x069 DisableQuantum   : UChar
      +0x06a Spare            : (2 elements)  UChar
   +0x06c ExitStatus       : Int4B
   +0x070 LockEvent        : struct _KEVENT, 1 elements, 0x10 bytes
      +0x000 Header           : struct _DISPATCHER_HEADER, 6 elements, 0x10 bytes
         +0x000 Type             : UChar
         +0x001 Absolute         : UChar
         +0x002 Size             : UChar
         +0x003 Inserted         : UChar
         +0x004 SignalState      : Int4B
         +0x008 WaitListHead     : struct _LIST_ENTRY, 2 elements, 0x8 bytes
            +0x000 Flink            : Ptr32 to 
            +0x004 Blink            : Ptr32 to 
   +0x080 LockCount        : Uint4B
   +0x088 CreateTime       : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart          : Uint4B
      +0x004 HighPart         : Int4B
      +0x000 u                : struct __unnamed, 2 elements, 0x8 bytes
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
      +0x000 QuadPart         : Int8B
   +0x090 ExitTime         : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart          : Uint4B
      +0x004 HighPart         : Int4B
      +0x000 u                : struct __unnamed, 2 elements, 0x8 bytes
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
      +0x000 QuadPart         : Int8B
   +0x098 LockOwner        : Ptr32 to 
   +0x09c UniqueProcessId  : Ptr32 to 
   +0x0a0 ActiveProcessLinks : struct _LIST_ENTRY, 2 elements, 0x8 bytes
      +0x000 Flink            : Ptr32 to 
      +0x004 Blink            : Ptr32 to 
   +0x0a8 QuotaPeakPoolUsage : (2 elements)  Uint4B
   +0x0b0 QuotaPoolUsage   : (2 elements)  Uint4B
   +0x0b8 PagefileUsage    : Uint4B
   +0x0bc CommitCharge     : Uint4B
   +0x0c0 PeakPagefileUsage : Uint4B
   +0x0c4 PeakVirtualSize  : Uint4B
   +0x0c8 VirtualSize      : Uint4B
   +0x0d0 Vm               : struct _MMSUPPORT, 19 elements, 0x48 bytes
      +0x000 LastTrimTime     : union _LARGE_INTEGER, 4 elements, 0x8 bytes
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
         +0x000 u                : struct __unnamed, 2 elements, 0x8 bytes
            +0x000 LowPart          : Uint4B
            +0x004 HighPart         : Int4B
         +0x000 QuadPart         : Int8B
      +0x008 LastTrimFaultCount : Uint4B
      +0x00c PageFaultCount   : Uint4B
      +0x010 PeakWorkingSetSize : Uint4B
      +0x014 WorkingSetSize   : Uint4B
      +0x018 MinimumWorkingSetSize : Uint4B
      +0x01c MaximumWorkingSetSize : Uint4B
      +0x020 VmWorkingSetList : Ptr32 to 
      +0x024 WorkingSetExpansionLinks : struct _LIST_ENTRY, 2 elements, 0x8 bytes
         +0x000 Flink            : Ptr32 to 
         +0x004 Blink            : Ptr32 to 
      +0x02c AllowWorkingSetAdjustment : UChar
      +0x02d AddressSpaceBeingDeleted : UChar
      +0x02e ForegroundSwitchCount : UChar
      +0x02f MemoryPriority   : UChar
      +0x030 u                : union __unnamed, 2 elements, 0x4 bytes
         +0x000 LongFlags        : Uint4B
         +0x000 Flags            : struct _MMSUPPORT_FLAGS, 8 elements, 0x4 bytes
            +0x000 SessionSpace     : Bitfield Pos 0, 1 Bit
            +0x000 BeingTrimmed     : Bitfield Pos 1, 1 Bit
            +0x000 ProcessInSession : Bitfield Pos 2, 1 Bit
            +0x000 SessionLeader    : Bitfield Pos 3, 1 Bit
            +0x000 TrimHard         : Bitfield Pos 4, 1 Bit
            +0x000 WorkingSetHard   : Bitfield Pos 5, 1 Bit
            +0x000 WriteWatch       : Bitfield Pos 6, 1 Bit
            +0x000 Filler           : Bitfield Pos 7, 25 Bits
      +0x034 Claim            : Uint4B
      +0x038 NextEstimationSlot : Uint4B
      +0x03c NextAgingSlot    : Uint4B
      +0x040 EstimatedAvailable : Uint4B
      +0x044 GrowthSinceLastEstimate : Uint4B
   +0x118 SessionProcessLinks : struct _LIST_ENTRY, 2 elements, 0x8 bytes
      +0x000 Flink            : Ptr32 to 
      +0x004 Blink            : Ptr32 to 
   +0x120 DebugPort        : Ptr32 to 
   +0x124 ExceptionPort    : Ptr32 to 
   +0x128 ObjectTable      : Ptr32 to 
   +0x12c Token            : Ptr32 to 
   +0x130 WorkingSetLock   : struct _FAST_MUTEX, 5 elements, 0x20 bytes
      +0x000 Count            : Int4B
      +0x004 Owner            : Ptr32 to 
      +0x008 Contention       : Uint4B
      +0x00c Event            : struct _KEVENT, 1 elements, 0x10 bytes
         +0x000 Header           : struct _DISPATCHER_HEADER, 6 elements, 0x10 bytes
            +0x000 Type             : UChar
            +0x001 Absolute         : UChar
            +0x002 Size             : UChar
            +0x003 Inserted         : UChar
            +0x004 SignalState      : Int4B
            +0x008 WaitListHead     : struct _LIST_ENTRY, 2 elements, 0x8 bytes
               +0x000 Flink            : Ptr32 to 
               +0x004 Blink            : Ptr32 to 
      +0x01c OldIrql          : Uint4B
   +0x150 WorkingSetPage   : Uint4B
   +0x154 ProcessOutswapEnabled : UChar
   +0x155 ProcessOutswapped : UChar
   +0x156 AddressSpaceInitialized : UChar
   +0x157 AddressSpaceDeleted : UChar
   +0x158 AddressCreationLock : struct _FAST_MUTEX, 5 elements, 0x20 bytes
      +0x000 Count            : Int4B
      +0x004 Owner            : Ptr32 to 
      +0x008 Contention       : Uint4B
      +0x00c Event            : struct _KEVENT, 1 elements, 0x10 bytes
         +0x000 Header           : struct _DISPATCHER_HEADER, 6 elements, 0x10 bytes
            +0x000 Type             : UChar
            +0x001 Absolute         : UChar
            +0x002 Size             : UChar
            +0x003 Inserted         : UChar
            +0x004 SignalState      : Int4B
            +0x008 WaitListHead     : struct _LIST_ENTRY, 2 elements, 0x8 bytes
               +0x000 Flink            : Ptr32 to 
               +0x004 Blink            : Ptr32 to 
      +0x01c OldIrql          : Uint4B
   +0x178 HyperSpaceLock   : Uint4B
   +0x17c ForkInProgress   : Ptr32 to 
   +0x180 VmOperation      : Uint2B
   +0x182 ForkWasSuccessful : UChar
   +0x183 MmAgressiveWsTrimMask : UChar
   +0x184 VmOperationEvent : Ptr32 to 
   +0x188 PaeTop           : Ptr32 to 
   +0x18c LastFaultCount   : Uint4B
   +0x190 ModifiedPageCount : Uint4B
   +0x194 VadRoot          : Ptr32 to 
   +0x198 VadHint          : Ptr32 to 
   +0x19c CloneRoot        : Ptr32 to 
   +0x1a0 NumberOfPrivatePages : Uint4B
   +0x1a4 NumberOfLockedPages : Uint4B
   +0x1a8 NextPageColor    : Uint2B
   +0x1aa ExitProcessCalled : UChar
   +0x1ab CreateProcessReported : UChar
   +0x1ac SectionHandle    : Ptr32 to 
   +0x1b0 Peb              : Ptr32 to 
   +0x1b4 SectionBaseAddress : Ptr32 to 
   +0x1b8 QuotaBlock       : Ptr32 to 
   +0x1bc LastThreadExitStatus : Int4B
   +0x1c0 WorkingSetWatch  : Ptr32 to 
   +0x1c4 Win32WindowStation : Ptr32 to 
   +0x1c8 InheritedFromUniqueProcessId : Ptr32 to 
   +0x1cc GrantedAccess    : Uint4B
   +0x1d0 DefaultHardErrorProcessing : Uint4B
   +0x1d4 LdtInformation   : Ptr32 to 
   +0x1d8 VadFreeHint      : Ptr32 to 
   +0x1dc VdmObjects       : Ptr32 to 
   +0x1e0 DeviceMap        : Ptr32 to 
   +0x1e4 SessionId        : Uint4B
   +0x1e8 PhysicalVadList  : struct _LIST_ENTRY, 2 elements, 0x8 bytes
      +0x000 Flink            : Ptr32 to 
      +0x004 Blink            : Ptr32 to 
   +0x1f0 PageDirectoryPte : struct _HARDWARE_PTE_X86, 13 elements, 0x4 bytes
      +0x000 Valid            : Bitfield Pos 0, 1 Bit
      +0x000 Write            : Bitfield Pos 1, 1 Bit
      +0x000 Owner            : Bitfield Pos 2, 1 Bit
      +0x000 WriteThrough     : Bitfield Pos 3, 1 Bit
      +0x000 CacheDisable     : Bitfield Pos 4, 1 Bit
      +0x000 Accessed         : Bitfield Pos 5, 1 Bit
      +0x000 Dirty            : Bitfield Pos 6, 1 Bit
      +0x000 LargePage        : Bitfield Pos 7, 1 Bit
      +0x000 Global           : Bitfield Pos 8, 1 Bit
      +0x000 CopyOnWrite      : Bitfield Pos 9, 1 Bit
      +0x000 Prototype        : Bitfield Pos 10, 1 Bit
      +0x000 reserved         : Bitfield Pos 11, 1 Bit
      +0x000 PageFrameNumber  : Bitfield Pos 12, 20 Bits
   +0x1f0 Filler           : Uint8B
   +0x1f8 PaePageDirectoryPage : Uint4B
   +0x1fc ImageFileName    : (16 elements)  UChar
   +0x20c VmTrimFaultValue : Uint4B
   +0x210 SetTimerResolution : UChar
   +0x211 PriorityClass    : UChar
   +0x212 SubSystemMinorVersion : UChar
   +0x213 SubSystemMajorVersion : UChar
   +0x212 SubSystemVersion : Uint2B
   +0x214 Win32Process     : Ptr32 to 
   +0x218 Job              : Ptr32 to 
   +0x21c JobStatus        : Uint4B
   +0x220 JobLinks         : struct _LIST_ENTRY, 2 elements, 0x8 bytes
      +0x000 Flink            : Ptr32 to 
      +0x004 Blink            : Ptr32 to 
   +0x228 LockedPagesList  : Ptr32 to 
   +0x22c SecurityPort     : Ptr32 to 
   +0x230 Wow64Process     : Ptr32 to 
   +0x238 ReadOperationCount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart          : Uint4B
      +0x004 HighPart         : Int4B
      +0x000 u                : struct __unnamed, 2 elements, 0x8 bytes
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
      +0x000 QuadPart         : Int8B
   +0x240 WriteOperationCount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart          : Uint4B
      +0x004 HighPart         : Int4B
      +0x000 u                : struct __unnamed, 2 elements, 0x8 bytes
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
      +0x000 QuadPart         : Int8B
   +0x248 OtherOperationCount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart          : Uint4B
      +0x004 HighPart         : Int4B
      +0x000 u                : struct __unnamed, 2 elements, 0x8 bytes
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
      +0x000 QuadPart         : Int8B
   +0x250 ReadTransferCount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart          : Uint4B
      +0x004 HighPart         : Int4B
      +0x000 u                : struct __unnamed, 2 elements, 0x8 bytes
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
      +0x000 QuadPart         : Int8B
   +0x258 WriteTransferCount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart          : Uint4B
      +0x004 HighPart         : Int4B
      +0x000 u                : struct __unnamed, 2 elements, 0x8 bytes
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
      +0x000 QuadPart         : Int8B
   +0x260 OtherTransferCount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart          : Uint4B
      +0x004 HighPart         : Int4B
      +0x000 u                : struct __unnamed, 2 elements, 0x8 bytes
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
      +0x000 QuadPart         : Int8B
   +0x268 CommitChargeLimit : Uint4B
   +0x26c CommitChargePeak : Uint4B
   +0x270 ThreadListHead   : struct _LIST_ENTRY, 2 elements, 0x8 bytes
      +0x000 Flink            : Ptr32 to 
      +0x004 Blink            : Ptr32 to 
   +0x278 VadPhysicalPagesBitMap : Ptr32 to 
   +0x27c VadPhysicalPages : Uint4B
   +0x280 AweLock          : Uint4B
   +0x284 pImageFileName   : Ptr32 to 
   +0x288 Session          : Ptr32 to 
   +0x28c Flags            : Uint4B

