To search memory images for processes and threads I rely on a structure named _DISPATCHER_HEADER. This article provides a summary of the relevant information.
The Windows NT kernel provides several mechanisms to synchronize concurrent access to resources. All objects that can be waited for start with a structure named _DISPATCHER_HEADER. This structure mainly describes an object's type, size and state. In addition, it contains a list of threads waiting for the object. The structure is declared in the files Ntddk.h or wdm.h of the DDK. For in-depth information about synchronization objects I recommend reading the Microsoft Developer Network and chapter 3 of Windows Internals by Mark Russinovich and David Solomon.
   +0x000 Header           : struct _DISPATCHER_HEADER, 6 elements, 0x10 bytes
      +0x000 Type          : UChar
      +0x001 Absolute      : UChar
      +0x002 Size          : UChar
      +0x003 Inserted      : UChar
      +0x004 SignalState   : Int4B
      +0x008 WaitListHead  : struct _LIST_ENTRY, 2 elements, 0x8 bytes
         +0x000 Flink      : Ptr32 to
         +0x004 Blink      : Ptr32 to
Conversely, a thread's control structure contains a list of _KWAIT_BLOCK structures, which point to all objects the thread is waiting for.
Sven B. Schreiber (Undocumented Windows 2000 Secrets, Addison Wesley, 2001) documents the following codes for the Type member:
As I found out, the type codes do not differ between Windows versions ranging from Windows 2000 up to Vista/Longhorn. The same does not hold for the Size member, though. This field states the size of the _DISPATCHER_HEADER and the accompanying object-specific data, expressed in DWORDs (32 bits).
| Windows version | Process: Type | Absolute | Size | Inserted | Thread: Type | Absolute | Size | Inserted |
|---|---|---|---|---|---|---|---|---|
| Windows 2000, SP 4 | 0x03 | 0x00 | 0x1b | 0x00 | 0x06 | 0x00 | 0x6c | 0x00 |
| Windows XP, SP 2 | 0x03 | 0x00 | 0x1b | 0x00 | 0x06 | 0x00 | 0x70 | 0x00 |
| Windows Server 2003 | 0x03 | 0x00 | 0x1b | 0x00 | 0x06 | 0x00 | 0x72 | 0x00 |
| Vista/Longhorn Build 5270 | 0x03 | 0x00 | 0x20 | 0x00 | 0x06 | 0x00 | 0x74 | 0x00 |
While looking at the control structures of active and terminated processes and threads, I have never found any value other than zero for Absolute and Inserted. Unfortunately I wasn't able to obtain authoritative documentation for the function of either field. Therefore I will refrain from using these two fields in search patterns for processes and threads.
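The following is an added example, not code from the article, that turns the structure layout and the version table above into a small scanner: it walks a raw 32-bit memory image, matches only the Type and Size bytes of a _DISPATCHER_HEADER (Absolute and Inserted are ignored, as discussed), and parses SignalState and the wait list pointers for each hit. The (Type, Size) pairs are taken from the table; the 8-byte scan alignment (pool allocation granularity) and the rule that WaitListHead pointers should fall into the 2 GB kernel half of the address space are assumptions of this example, and the sample image is constructed, not a real dump.

```python
import struct
from typing import Iterator, List, NamedTuple

# _DISPATCHER_HEADER layout from the dt output above (32-bit Windows):
#   +0x000 Type, +0x001 Absolute, +0x002 Size, +0x003 Inserted (all UChar)
#   +0x004 SignalState (Int4B)
#   +0x008 WaitListHead.Flink, +0x00c WaitListHead.Blink (Ptr32)
DISPATCHER_HEADER = struct.Struct("<BBBBiII")
HEADER_SIZE = DISPATCHER_HEADER.size  # 0x10 bytes


class DispatcherHeader(NamedTuple):
    offset: int        # byte offset of the header inside the image
    kind: str          # "process" or "thread"
    obj_type: int
    absolute: int
    size: int          # in DWORDs, see object_size_bytes()
    inserted: int
    signal_state: int
    flink: int
    blink: int


# (Type, Size) pairs per Windows version, taken from the table in the article.
SIGNATURES = {
    "Windows 2000 SP4":    {"process": (0x03, 0x1B), "thread": (0x06, 0x6C)},
    "Windows XP SP2":      {"process": (0x03, 0x1B), "thread": (0x06, 0x70)},
    "Windows Server 2003": {"process": (0x03, 0x1B), "thread": (0x06, 0x72)},
    "Vista Build 5270":    {"process": (0x03, 0x20), "thread": (0x06, 0x74)},
}

# Assumption: default 2 GB / 2 GB split, so kernel pointers start at 0x80000000.
KERNEL_SPACE_START = 0x80000000


def parse_header(image: bytes, offset: int, kind: str) -> DispatcherHeader:
    """Decode one _DISPATCHER_HEADER at the given image offset."""
    return DispatcherHeader(offset, kind, *DISPATCHER_HEADER.unpack_from(image, offset))


def object_size_bytes(header: DispatcherHeader) -> int:
    """Size is expressed in DWORDs, so the object occupies Size * 4 bytes."""
    return header.size * 4


def scan(image: bytes, version: str, alignment: int = 8) -> Iterator[DispatcherHeader]:
    """Yield every header whose Type and Size match the given Windows version.

    Only bytes 0 (Type) and 2 (Size) are compared; Absolute and Inserted are
    deliberately not part of the pattern. Assumption: kernel objects live in
    pool memory, so only 8-byte aligned offsets are examined.
    """
    sigs = SIGNATURES[version]
    for off in range(0, len(image) - HEADER_SIZE + 1, alignment):
        for kind, (obj_type, obj_size) in sigs.items():
            if image[off] == obj_type and image[off + 2] == obj_size:
                yield parse_header(image, off, kind)


def looks_plausible(header: DispatcherHeader) -> bool:
    """Cheap sanity check: both wait list pointers must be kernel addresses."""
    return header.flink >= KERNEL_SPACE_START and header.blink >= KERNEL_SPACE_START


def find_objects(image: bytes, version: str) -> List[DispatcherHeader]:
    """Scan for headers and keep only the plausible ones, in image order."""
    return [h for h in scan(image, version) if looks_plausible(h)]


def build_sample_image() -> bytes:
    """Constructed sample image (not a real dump) with two genuine XP SP2
    headers and two decoys that a naive pattern would also accept."""
    img = bytearray(0x100)
    # Process header: Type 3, Size 0x1b, not signalled, empty-looking wait list.
    DISPATCHER_HEADER.pack_into(img, 0x20, 0x03, 0, 0x1B, 0, 0, 0x81234568, 0x81234568)
    # Thread header: Type 6, Size 0x70 (XP), signalled (i.e. terminated thread).
    DISPATCHER_HEADER.pack_into(img, 0x60, 0x06, 0, 0x70, 0, 1, 0x8145A008, 0x8145A008)
    # Decoy: thread Type but the Windows 2000 Size value.
    DISPATCHER_HEADER.pack_into(img, 0xA0, 0x06, 0, 0x6C, 0, 0, 0x8145A008, 0x8145A008)
    # Decoy: correct process Type/Size but user-mode wait list pointers.
    DISPATCHER_HEADER.pack_into(img, 0xC0, 0x03, 0, 0x1B, 0, 0, 0x00401000, 0x00401000)
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    for hit in find_objects(image, "Windows XP SP2"):
        print(f"{hit.kind:7s} at 0x{hit.offset:04x}: {object_size_bytes(hit)} bytes, "
              f"SignalState={hit.signal_state}, Flink=0x{hit.flink:08x}")
```

Running the scanner against the same image with "Windows 2000 SP4" selected picks up the decoy at 0xA0 instead of the thread at 0x60, which is exactly the version dependence of the Size member the table documents.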