_ETHREAD version 5.0.2195.7045

This article lists the _ETHREAD structure of Microsoft Windows 2000. The listing was produced with the free Microsoft kernel debugger (kd) against ntoskrnl.exe version 5.0.2195.7045; all offsets and sizes are those of the 32-bit kernel. Knowledge of this structure, in particular the offsets of Cid (+0x1e0), ThreadsProcess (+0x22c), StartAddress (+0x230) and the two ThreadListEntry links (+0x1a4 inside the KTHREAD, +0x240 in the ETHREAD), is helpful when analysing a memory dump. Note that several offsets appear twice: CreateTime shares +0x1b0 with the NestedFaultCount/ApcNeeded bitfields, ExitTime shares +0x1b8 with LpcReplyChain, ExitStatus shares +0x1c0 with OfsChain, LpcReplyMessage shares +0x1fc with LpcWaitingOnPort, and Win32StartAddress shares +0x234 with LpcReceivedMessageId. These are unions, so the meaning of the bytes at such an offset depends on the state of the thread (for example, ExitTime is only meaningful once HasTerminated is set).

kd> dt -a -b -v _ETHREAD
struct _ETHREAD, 39 elements, 0x248 bytes
   +0x000 Tcb              : struct _KTHREAD, 69 elements, 0x1b0 bytes
      +0x000 Header           : struct _DISPATCHER_HEADER, 6 elements, 0x10 bytes
         +0x000 Type             : UChar
         +0x001 Absolute         : UChar
         +0x002 Size             : UChar
         +0x003 Inserted         : UChar
         +0x004 SignalState      : Int4B
         +0x008 WaitListHead     : struct _LIST_ENTRY, 2 elements, 0x8 bytes
            +0x000 Flink            : Ptr32 to 
            +0x004 Blink            : Ptr32 to 
      +0x010 MutantListHead   : struct _LIST_ENTRY, 2 elements, 0x8 bytes
         +0x000 Flink            : Ptr32 to 
         +0x004 Blink            : Ptr32 to 
      +0x018 InitialStack     : Ptr32 to 
      +0x01c StackLimit       : Ptr32 to 
      +0x020 Teb              : Ptr32 to 
      +0x024 TlsArray         : Ptr32 to 
      +0x028 KernelStack      : Ptr32 to 
      +0x02c DebugActive      : UChar
      +0x02d State            : UChar
      +0x02e Alerted          : (2 elements)  UChar
      +0x030 Iopl             : UChar
      +0x031 NpxState         : UChar
      +0x032 Saturation       : Char
      +0x033 Priority         : Char
      +0x034 ApcState         : struct _KAPC_STATE, 5 elements, 0x18 bytes
         +0x000 ApcListHead      : (2 elements)  struct _LIST_ENTRY, 2 elements, 0x8 bytes
            +0x000 Flink            : Ptr32 to 
            +0x004 Blink            : Ptr32 to 
         +0x010 Process          : Ptr32 to 
         +0x014 KernelApcInProgress : UChar
         +0x015 KernelApcPending : UChar
         +0x016 UserApcPending   : UChar
      +0x04c ContextSwitches  : Uint4B
      +0x050 WaitStatus       : Int4B
      +0x054 WaitIrql         : UChar
      +0x055 WaitMode         : Char
      +0x056 WaitNext         : UChar
      +0x057 WaitReason       : UChar
      +0x058 WaitBlockList    : Ptr32 to 
      +0x05c WaitListEntry    : struct _LIST_ENTRY, 2 elements, 0x8 bytes
         +0x000 Flink            : Ptr32 to 
         +0x004 Blink            : Ptr32 to 
      +0x064 WaitTime         : Uint4B
      +0x068 BasePriority     : Char
      +0x069 DecrementCount   : UChar
      +0x06a PriorityDecrement : Char
      +0x06b Quantum          : Char
      +0x06c WaitBlock        : (4 elements)  struct _KWAIT_BLOCK, 6 elements, 0x18 bytes
         +0x000 WaitListEntry    : struct _LIST_ENTRY, 2 elements, 0x8 bytes
            +0x000 Flink            : Ptr32 to 
            +0x004 Blink            : Ptr32 to 
         +0x008 Thread           : Ptr32 to 
         +0x00c Object           : Ptr32 to 
         +0x010 NextWaitBlock    : Ptr32 to 
         +0x014 WaitKey          : Uint2B
         +0x016 WaitType         : Uint2B
      +0x0cc LegoData         : Ptr32 to 
      +0x0d0 KernelApcDisable : Uint4B
      +0x0d4 UserAffinity     : Uint4B
      +0x0d8 SystemAffinityActive : UChar
      +0x0d9 PowerState       : UChar
      +0x0da NpxIrql          : UChar
      +0x0db Pad              : (1 elements)  UChar
      +0x0dc ServiceTable     : Ptr32 to 
      +0x0e0 Queue            : Ptr32 to 
      +0x0e4 ApcQueueLock     : Uint4B
      +0x0e8 Timer            : struct _KTIMER, 5 elements, 0x28 bytes
         +0x000 Header           : struct _DISPATCHER_HEADER, 6 elements, 0x10 bytes
            +0x000 Type             : UChar
            +0x001 Absolute         : UChar
            +0x002 Size             : UChar
            +0x003 Inserted         : UChar
            +0x004 SignalState      : Int4B
            +0x008 WaitListHead     : struct _LIST_ENTRY, 2 elements, 0x8 bytes
               +0x000 Flink            : Ptr32 to 
               +0x004 Blink            : Ptr32 to 
         +0x010 DueTime          : union _ULARGE_INTEGER, 4 elements, 0x8 bytes
            +0x000 LowPart          : Uint4B
            +0x004 HighPart         : Uint4B
            +0x000 u                : struct __unnamed, 2 elements, 0x8 bytes
               +0x000 LowPart          : Uint4B
               +0x004 HighPart         : Uint4B
            +0x000 QuadPart         : Uint8B
         +0x018 TimerListEntry   : struct _LIST_ENTRY, 2 elements, 0x8 bytes
            +0x000 Flink            : Ptr32 to 
            +0x004 Blink            : Ptr32 to 
         +0x020 Dpc              : Ptr32 to 
         +0x024 Period           : Int4B
      +0x110 QueueListEntry   : struct _LIST_ENTRY, 2 elements, 0x8 bytes
         +0x000 Flink            : Ptr32 to 
         +0x004 Blink            : Ptr32 to 
      +0x118 Affinity         : Uint4B
      +0x11c Preempted        : UChar
      +0x11d ProcessReadyQueue : UChar
      +0x11e KernelStackResident : UChar
      +0x11f NextProcessor    : UChar
      +0x120 CallbackStack    : Ptr32 to 
      +0x124 Win32Thread      : Ptr32 to 
      +0x128 TrapFrame        : Ptr32 to 
      +0x12c ApcStatePointer  : (2 elements)  Ptr32 to 
      +0x134 PreviousMode     : Char
      +0x135 EnableStackSwap  : UChar
      +0x136 LargeStack       : UChar
      +0x137 ResourceIndex    : UChar
      +0x138 KernelTime       : Uint4B
      +0x13c UserTime         : Uint4B
      +0x140 SavedApcState    : struct _KAPC_STATE, 5 elements, 0x18 bytes
         +0x000 ApcListHead      : (2 elements)  struct _LIST_ENTRY, 2 elements, 0x8 bytes
            +0x000 Flink            : Ptr32 to 
            +0x004 Blink            : Ptr32 to 
         +0x010 Process          : Ptr32 to 
         +0x014 KernelApcInProgress : UChar
         +0x015 KernelApcPending : UChar
         +0x016 UserApcPending   : UChar
      +0x158 Alertable        : UChar
      +0x159 ApcStateIndex    : UChar
      +0x15a ApcQueueable     : UChar
      +0x15b AutoAlignment    : UChar
      +0x15c StackBase        : Ptr32 to 
      +0x160 SuspendApc       : struct _KAPC, 14 elements, 0x30 bytes
         +0x000 Type             : Int2B
         +0x002 Size             : Int2B
         +0x004 Spare0           : Uint4B
         +0x008 Thread           : Ptr32 to 
         +0x00c ApcListEntry     : struct _LIST_ENTRY, 2 elements, 0x8 bytes
            +0x000 Flink            : Ptr32 to 
            +0x004 Blink            : Ptr32 to 
         +0x014 KernelRoutine    : Ptr32 to 
         +0x018 RundownRoutine   : Ptr32 to 
         +0x01c NormalRoutine    : Ptr32 to 
         +0x020 NormalContext    : Ptr32 to 
         +0x024 SystemArgument1  : Ptr32 to 
         +0x028 SystemArgument2  : Ptr32 to 
         +0x02c ApcStateIndex    : Char
         +0x02d ApcMode          : Char
         +0x02e Inserted         : UChar
      +0x190 SuspendSemaphore : struct _KSEMAPHORE, 2 elements, 0x14 bytes
         +0x000 Header           : struct _DISPATCHER_HEADER, 6 elements, 0x10 bytes
            +0x000 Type             : UChar
            +0x001 Absolute         : UChar
            +0x002 Size             : UChar
            +0x003 Inserted         : UChar
            +0x004 SignalState      : Int4B
            +0x008 WaitListHead     : struct _LIST_ENTRY, 2 elements, 0x8 bytes
               +0x000 Flink            : Ptr32 to 
               +0x004 Blink            : Ptr32 to 
         +0x010 Limit            : Int4B
      +0x1a4 ThreadListEntry  : struct _LIST_ENTRY, 2 elements, 0x8 bytes
         +0x000 Flink            : Ptr32 to 
         +0x004 Blink            : Ptr32 to 
      +0x1ac FreezeCount      : Char
      +0x1ad SuspendCount     : Char
      +0x1ae IdealProcessor   : UChar
      +0x1af DisableBoost     : UChar
   +0x1b0 CreateTime       : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart          : Uint4B
      +0x004 HighPart         : Int4B
      +0x000 u                : struct __unnamed, 2 elements, 0x8 bytes
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
      +0x000 QuadPart         : Int8B
   +0x1b0 NestedFaultCount : Bitfield Pos 0, 2 Bits
   +0x1b0 ApcNeeded        : Bitfield Pos 2, 1 Bit
   +0x1b8 ExitTime         : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart          : Uint4B
      +0x004 HighPart         : Int4B
      +0x000 u                : struct __unnamed, 2 elements, 0x8 bytes
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
      +0x000 QuadPart         : Int8B
   +0x1b8 LpcReplyChain    : struct _LIST_ENTRY, 2 elements, 0x8 bytes
      +0x000 Flink            : Ptr32 to 
      +0x004 Blink            : Ptr32 to 
   +0x1c0 ExitStatus       : Int4B
   +0x1c0 OfsChain         : Ptr32 to 
   +0x1c4 PostBlockList    : struct _LIST_ENTRY, 2 elements, 0x8 bytes
      +0x000 Flink            : Ptr32 to 
      +0x004 Blink            : Ptr32 to 
   +0x1cc TerminationPortList : struct _LIST_ENTRY, 2 elements, 0x8 bytes
      +0x000 Flink            : Ptr32 to 
      +0x004 Blink            : Ptr32 to 
   +0x1d4 ActiveTimerListLock : Uint4B
   +0x1d8 ActiveTimerListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
      +0x000 Flink            : Ptr32 to 
      +0x004 Blink            : Ptr32 to 
   +0x1e0 Cid              : struct _CLIENT_ID, 2 elements, 0x8 bytes
      +0x000 UniqueProcess    : Ptr32 to 
      +0x004 UniqueThread     : Ptr32 to 
   +0x1e8 LpcReplySemaphore : struct _KSEMAPHORE, 2 elements, 0x14 bytes
      +0x000 Header           : struct _DISPATCHER_HEADER, 6 elements, 0x10 bytes
         +0x000 Type             : UChar
         +0x001 Absolute         : UChar
         +0x002 Size             : UChar
         +0x003 Inserted         : UChar
         +0x004 SignalState      : Int4B
         +0x008 WaitListHead     : struct _LIST_ENTRY, 2 elements, 0x8 bytes
            +0x000 Flink            : Ptr32 to 
            +0x004 Blink            : Ptr32 to 
      +0x010 Limit            : Int4B
   +0x1fc LpcReplyMessage  : Ptr32 to 
   +0x1fc LpcWaitingOnPort : Ptr32 to 
   +0x200 LpcReplyMessageId : Uint4B
   +0x204 PerformanceCountLow : Uint4B
   +0x208 ImpersonationInfo : Ptr32 to 
   +0x20c IrpList          : struct _LIST_ENTRY, 2 elements, 0x8 bytes
      +0x000 Flink            : Ptr32 to 
      +0x004 Blink            : Ptr32 to 
   +0x214 TopLevelIrp      : Uint4B
   +0x218 DeviceToVerify   : Ptr32 to 
   +0x21c ReadClusterSize  : Uint4B
   +0x220 ForwardClusterOnly : UChar
   +0x221 DisablePageFaultClustering : UChar
   +0x222 DeadThread       : UChar
   +0x223 HideFromDebugger : UChar
   +0x224 HasTerminated    : Uint4B
   +0x228 GrantedAccess    : Uint4B
   +0x22c ThreadsProcess   : Ptr32 to 
   +0x230 StartAddress     : Ptr32 to 
   +0x234 Win32StartAddress : Ptr32 to 
   +0x234 LpcReceivedMessageId : Uint4B
   +0x238 LpcExitThreadCalled : UChar
   +0x239 HardErrorsAreDisabled : UChar
   +0x23a LpcReceivedMsgIdValid : UChar
   +0x23b ActiveImpersonationInfo : UChar
   +0x23c PerformanceCountHigh : Int4B
   +0x240 ThreadListEntry  : struct _LIST_ENTRY, 2 elements, 0x8 bytes
      +0x000 Flink            : Ptr32 to 
      +0x004 Blink            : Ptr32 to 
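As an added example (not part of the original post), the following Python script turns the offsets of this listing into a small carver for a raw Windows 2000 memory image. It recognises thread objects by their dispatcher header (Type 6 and Size 0x1b0/4 = 0x6c; the Type value is an assumption taken from the kernel's object type numbering, the listing itself only gives the size), decodes the fields an analyst normally wants, reads the union members (ExitTime/LpcReplyChain, ExitStatus/OfsChain, Win32StartAddress/LpcReceivedMessageId) only when the accompanying flags say they are valid, and walks a process's thread list through ThreadListEntry at +0x240. The image, the base address 0x81000000, the position of the stand-in EPROCESS list head and every value in it are constructed for the demo, not taken from a real dump.

```python
"""Carve and decode Windows 2000 _ETHREAD objects from a raw memory image.
Added example, not code from the original post; offsets are those of the kd
listing above (32-bit, ntoskrnl 5.0.2195.7045). The sample image is constructed."""
import struct
from datetime import datetime, timedelta, timezone

ETHREAD_SIZE = 0x248                 # sizeof(_ETHREAD) per the listing
KTHREAD_SIZE = 0x1b0                 # sizeof(_KTHREAD), the embedded Tcb
THREAD_OBJECT = 6                    # DISPATCHER_HEADER.Type of a thread (assumed KOBJECTS value)
THREAD_HDR_SIZE = KTHREAD_SIZE // 4  # Header.Size counts 32-bit words: 0x6c
THREAD_LIST_OFF = 0x240              # _ETHREAD.ThreadListEntry
BASE_VA = 0x81000000                 # hypothetical VA of image offset 0 (flat mapping)

def u8(b, o):  return b[o]
def u32(b, o): return struct.unpack_from("<I", b, o)[0]
def u64(b, o): return struct.unpack_from("<Q", b, o)[0]

def filetime(ft):
    """100-ns ticks since 1601-01-01 UTC -> aware datetime, None if unset."""
    return None if ft == 0 else datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def looks_like_ethread(img, off):
    """Plausibility test for an _ETHREAD at image offset `off`."""
    if off < 0 or off + ETHREAD_SIZE > len(img):
        return False
    if u8(img, off) != THREAD_OBJECT or u8(img, off + 2) != THREAD_HDR_SIZE:
        return False
    if u32(img, off + 0x22c) < 0x80000000:      # ThreadsProcess must be a kernel VA
        return False
    return u32(img, off + 0x1e4) != 0            # Cid.UniqueThread is never 0

def parse_ethread(img, off):
    """Decode the fields an analyst usually wants; union members are read only when valid."""
    terminated = u32(img, off + 0x224) != 0     # HasTerminated
    return {
        "pid": u32(img, off + 0x1e0),            # Cid.UniqueProcess
        "tid": u32(img, off + 0x1e4),            # Cid.UniqueThread
        "process": u32(img, off + 0x22c),        # ThreadsProcess (EPROCESS VA)
        "teb": u32(img, off + 0x020),            # Tcb.Teb
        "state": u8(img, off + 0x02d),           # Tcb.State
        # CreateTime shares its low 3 bits with NestedFaultCount/ApcNeeded: mask them off.
        "create_time": filetime(u64(img, off + 0x1b0) & ~0x7),
        # +0x1b8 is ExitTime only after termination; before that it is LpcReplyChain.
        "exit_time": filetime(u64(img, off + 0x1b8)) if terminated else None,
        "exit_status": u32(img, off + 0x1c0) if terminated else None,   # otherwise OfsChain
        "start": u32(img, off + 0x230),          # StartAddress
        # +0x234 is Win32StartAddress unless LpcReceivedMsgIdValid says an LPC message id sits there.
        "win32_start": None if u8(img, off + 0x23a) else u32(img, off + 0x234),
        "hidden": bool(u8(img, off + 0x223)),    # HideFromDebugger
    }

def scan_image(img, step=8):
    """Carve candidate _ETHREADs; x86 pool allocations are 8-byte aligned, so step by 8."""
    return [off for off in range(0, len(img) - ETHREAD_SIZE + 1, step) if looks_like_ethread(img, off)]

def walk_thread_list(img, start_off, limit=4096):
    """Follow ThreadListEntry.Flink around the owning process's thread list; CONTAINING_RECORD is
    flink - 0x240. EPROCESS.ThreadListHead is not an ETHREAD and fails the test, so it is skipped."""
    seen, found = set(), []
    entry_va = BASE_VA + start_off + THREAD_LIST_OFF
    while entry_va not in seen and len(seen) < limit:
        seen.add(entry_va)
        cand = entry_va - THREAD_LIST_OFF - BASE_VA   # CONTAINING_RECORD(entry, _ETHREAD, ThreadListEntry)
        if looks_like_ethread(img, cand):
            found.append(cand)
        entry_off = entry_va - BASE_VA
        if not 0 <= entry_off <= len(img) - 8:
            break
        entry_va = u32(img, entry_off)                 # Flink
    return found

def build_sample_image():
    """Constructed 4 KiB image: a stand-in EPROCESS at 0x000 whose ThreadListHead (put at +0x300,
    an arbitrary choice) links two threads of PID 1234 at 0x400 and 0x800."""
    img = bytearray(0x1000)
    head, threads = 0x300, [0x400, 0x800]
    entries = [head] + [t + THREAD_LIST_OFF for t in threads]
    for i, e in enumerate(entries):                    # circular doubly linked list
        struct.pack_into("<II", img, e, BASE_VA + entries[(i + 1) % 3], BASE_VA + entries[i - 1])
    create = 127_490_112_000_000_000                   # FILETIME of 2005-01-01 00:00:00 UTC
    for i, t in enumerate(threads):
        img[t], img[t + 2] = THREAD_OBJECT, THREAD_HDR_SIZE
        struct.pack_into("<II", img, t + 0x1e0, 1234, 1300 + i)            # Cid
        struct.pack_into("<I", img, t + 0x22c, BASE_VA)                    # ThreadsProcess
        struct.pack_into("<I", img, t + 0x020, 0x7ffde000 - i * 0x1000)    # Teb
        struct.pack_into("<Q", img, t + 0x1b0, create + 5)                 # low bits = bitfields set
        struct.pack_into("<II", img, t + 0x230, 0x80466a2c, 0x77e7a8ad)    # StartAddress, Win32StartAddress
    t = threads[1]                                     # second thread: terminated and hidden from debuggers
    struct.pack_into("<Q", img, t + 0x1b8, create + 36_000_000_000)        # ExitTime, one hour later
    struct.pack_into("<I", img, t + 0x1c0, 0xC000013A)                     # ExitStatus
    struct.pack_into("<I", img, t + 0x224, 1)                              # HasTerminated
    img[t + 0x223] = 1                                                     # HideFromDebugger
    return bytes(img)

if __name__ == "__main__":
    image = build_sample_image()
    for off in scan_image(image):
        print(f"_ETHREAD @ {BASE_VA + off:#010x}: {parse_ethread(image, off)}")
    print("thread list:", [hex(BASE_VA + o) for o in walk_thread_list(image, 0x400)])
```

On a real image the flat mapping in BASE_VA has to be replaced by a page-table walk, since the Flink pointers are virtual addresses; the header check and the list walk are otherwise unchanged. Threads that never appear in any process's thread list but are found by the scanner (or that carry HideFromDebugger) are the ones worth a closer look.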

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.