This article provides a listing of the _EPROCESS structure of Microsoft Windows Vista RTM (Release To Manufacturing). All data has been produced with the help of the free Microsoft kernel debugger and ntoskrnl.exe version 6.0.6000.16386.
kd> dt -b -v _EPROCESS
struct _EPROCESS, 125 elements, 0x270 bytes
+0x000 Pcb : struct _KPROCESS, 35 elements, 0x80 bytes
+0x000 Header : struct _DISPATCHER_HEADER, 13 elements, 0x10 bytes
+0x000 Type : UChar
+0x001 Abandoned : UChar
+0x001 Absolute : UChar
+0x001 NpxIrql : UChar
+0x001 Signalling : UChar
+0x002 Size : UChar
+0x002 Hand : UChar
+0x003 Inserted : UChar
+0x003 DebugActive : UChar
+0x003 DpcActive : UChar
+0x000 Lock : Int4B
+0x004 SignalState : Int4B
+0x008 WaitListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x010 ProfileListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x018 DirectoryTableBase : Uint4B
+0x01c Unused0 : Uint4B
+0x020 LdtDescriptor : struct _KGDTENTRY, 3 elements, 0x8 bytes
+0x000 LimitLow : Uint2B
+0x002 BaseLow : Uint2B
+0x004 HighWord : union , 2 elements, 0x4 bytes
+0x000 Bytes : struct , 4 elements, 0x4 bytes
+0x000 BaseMid : UChar
+0x001 Flags1 : UChar
+0x002 Flags2 : UChar
+0x003 BaseHi : UChar
+0x000 Bits : struct , 10 elements, 0x4 bytes
+0x000 BaseMid : Bitfield Pos 0, 8 Bits
+0x000 Type : Bitfield Pos 8, 5 Bits
+0x000 Dpl : Bitfield Pos 13, 2 Bits
+0x000 Pres : Bitfield Pos 15, 1 Bit
+0x000 LimitHi : Bitfield Pos 16, 4 Bits
+0x000 Sys : Bitfield Pos 20, 1 Bit
+0x000 Reserved_0 : Bitfield Pos 21, 1 Bit
+0x000 Default_Big : Bitfield Pos 22, 1 Bit
+0x000 Granularity : Bitfield Pos 23, 1 Bit
+0x000 BaseHi : Bitfield Pos 24, 8 Bits
+0x028 Int21Descriptor : struct _KIDTENTRY, 4 elements, 0x8 bytes
+0x000 Offset : Uint2B
+0x002 Selector : Uint2B
+0x004 Access : Uint2B
+0x006 ExtendedOffset : Uint2B
+0x030 IopmOffset : Uint2B
+0x032 Iopl : UChar
+0x033 Unused : UChar
+0x034 ActiveProcessors : Uint4B
+0x038 KernelTime : Uint4B
+0x03c UserTime : Uint4B
+0x040 ReadyListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x048 SwapListEntry : struct _SINGLE_LIST_ENTRY, 1 elements, 0x4 bytes
+0x000 Next : Ptr32 to
+0x04c VdmTrapcHandler : Ptr32 to
+0x050 ThreadListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x058 ProcessLock : Uint4B
+0x05c Affinity : Uint4B
+0x060 AutoAlignment : Bitfield Pos 0, 1 Bit
+0x060 DisableBoost : Bitfield Pos 1, 1 Bit
+0x060 DisableQuantum : Bitfield Pos 2, 1 Bit
+0x060 ReservedFlags : Bitfield Pos 3, 29 Bits
+0x060 ProcessFlags : Int4B
+0x064 BasePriority : Char
+0x065 QuantumReset : Char
+0x066 State : UChar
+0x067 ThreadSeed : UChar
+0x068 PowerState : UChar
+0x069 IdealNode : UChar
+0x06a Visited : UChar
+0x06b Flags : struct _KEXECUTE_OPTIONS, 7 elements, 0x1 bytes
+0x000 ExecuteDisable : Bitfield Pos 0, 1 Bit
+0x000 ExecuteEnable : Bitfield Pos 1, 1 Bit
+0x000 DisableThunkEmulation : Bitfield Pos 2, 1 Bit
+0x000 Permanent : Bitfield Pos 3, 1 Bit
+0x000 ExecuteDispatchEnable : Bitfield Pos 4, 1 Bit
+0x000 ImageDispatchEnable : Bitfield Pos 5, 1 Bit
+0x000 Spare : Bitfield Pos 6, 2 Bits
+0x06b ExecuteOptions : UChar
+0x06c StackCount : Uint4B
+0x070 ProcessListEntry : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x078 CycleTime : Uint8B
+0x080 ProcessLock : struct _EX_PUSH_LOCK, 7 elements, 0x4 bytes
+0x000 Locked : Bitfield Pos 0, 1 Bit
+0x000 Waiting : Bitfield Pos 1, 1 Bit
+0x000 Waking : Bitfield Pos 2, 1 Bit
+0x000 MultipleShared : Bitfield Pos 3, 1 Bit
+0x000 Shared : Bitfield Pos 4, 28 Bits
+0x000 Value : Uint4B
+0x000 Ptr : Ptr32 to
+0x088 CreateTime : union _LARGE_INTEGER, 4 elements, 0x8 bytes
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : struct , 2 elements, 0x8 bytes
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 QuadPart : Int8B
+0x090 ExitTime : union _LARGE_INTEGER, 4 elements, 0x8 bytes
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : struct , 2 elements, 0x8 bytes
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 QuadPart : Int8B
+0x098 RundownProtect : struct _EX_RUNDOWN_REF, 2 elements, 0x4 bytes
+0x000 Count : Uint4B
+0x000 Ptr : Ptr32 to
+0x09c UniqueProcessId : Ptr32 to
+0x0a0 ActiveProcessLinks : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x0a8 QuotaUsage : (3 elements) Uint4B
+0x0b4 QuotaPeak : (3 elements) Uint4B
+0x0c0 CommitCharge : Uint4B
+0x0c4 PeakVirtualSize : Uint4B
+0x0c8 VirtualSize : Uint4B
+0x0cc SessionProcessLinks : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x0d4 DebugPort : Ptr32 to
+0x0d8 ExceptionPortData : Ptr32 to
+0x0d8 ExceptionPortValue : Uint4B
+0x0d8 ExceptionPortState : Bitfield Pos 0, 3 Bits
+0x0dc ObjectTable : Ptr32 to
+0x0e0 Token : struct _EX_FAST_REF, 3 elements, 0x4 bytes
+0x000 Object : Ptr32 to
+0x000 RefCnt : Bitfield Pos 0, 3 Bits
+0x000 Value : Uint4B
+0x0e4 WorkingSetPage : Uint4B
+0x0e8 AddressCreationLock : struct _EX_PUSH_LOCK, 7 elements, 0x4 bytes
+0x000 Locked : Bitfield Pos 0, 1 Bit
+0x000 Waiting : Bitfield Pos 1, 1 Bit
+0x000 Waking : Bitfield Pos 2, 1 Bit
+0x000 MultipleShared : Bitfield Pos 3, 1 Bit
+0x000 Shared : Bitfield Pos 4, 28 Bits
+0x000 Value : Uint4B
+0x000 Ptr : Ptr32 to
+0x0ec RotateInProgress : Ptr32 to
+0x0f0 ForkInProgress : Ptr32 to
+0x0f4 HardwareTrigger : Uint4B
+0x0f8 PhysicalVadRoot : Ptr32 to
+0x0fc CloneRoot : Ptr32 to
+0x100 NumberOfPrivatePages : Uint4B
+0x104 NumberOfLockedPages : Uint4B
+0x108 Win32Process : Ptr32 to
+0x10c Job : Ptr32 to
+0x110 SectionObject : Ptr32 to
+0x114 SectionBaseAddress : Ptr32 to
+0x118 QuotaBlock : Ptr32 to
+0x11c WorkingSetWatch : Ptr32 to
+0x120 Win32WindowStation : Ptr32 to
+0x124 InheritedFromUniqueProcessId : Ptr32 to
+0x128 LdtInformation : Ptr32 to
+0x12c VadFreeHint : Ptr32 to
+0x130 VdmObjects : Ptr32 to
+0x134 DeviceMap : Ptr32 to
+0x138 EtwDataSource : Ptr32 to
+0x13c FreeTebHint : Ptr32 to
+0x140 PageDirectoryPte : struct _HARDWARE_PTE_X86, 13 elements, 0x4 bytes
+0x000 Valid : Bitfield Pos 0, 1 Bit
+0x000 Write : Bitfield Pos 1, 1 Bit
+0x000 Owner : Bitfield Pos 2, 1 Bit
+0x000 WriteThrough : Bitfield Pos 3, 1 Bit
+0x000 CacheDisable : Bitfield Pos 4, 1 Bit
+0x000 Accessed : Bitfield Pos 5, 1 Bit
+0x000 Dirty : Bitfield Pos 6, 1 Bit
+0x000 LargePage : Bitfield Pos 7, 1 Bit
+0x000 Global : Bitfield Pos 8, 1 Bit
+0x000 CopyOnWrite : Bitfield Pos 9, 1 Bit
+0x000 Prototype : Bitfield Pos 10, 1 Bit
+0x000 reserved : Bitfield Pos 11, 1 Bit
+0x000 PageFrameNumber : Bitfield Pos 12, 20 Bits
+0x140 Filler : Uint8B
+0x148 Session : Ptr32 to
+0x14c ImageFileName : (16 elements) UChar
+0x15c JobLinks : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x164 LockedPagesList : Ptr32 to
+0x168 ThreadListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x170 SecurityPort : Ptr32 to
+0x174 PaeTop : Ptr32 to
+0x178 ActiveThreads : Uint4B
+0x17c ImagePathHash : Uint4B
+0x180 DefaultHardErrorProcessing : Uint4B
+0x184 LastThreadExitStatus : Int4B
+0x188 Peb : Ptr32 to
+0x18c PrefetchTrace : struct _EX_FAST_REF, 3 elements, 0x4 bytes
+0x000 Object : Ptr32 to
+0x000 RefCnt : Bitfield Pos 0, 3 Bits
+0x000 Value : Uint4B
+0x190 ReadOperationCount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : struct , 2 elements, 0x8 bytes
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 QuadPart : Int8B
+0x198 WriteOperationCount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : struct , 2 elements, 0x8 bytes
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 QuadPart : Int8B
+0x1a0 OtherOperationCount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : struct , 2 elements, 0x8 bytes
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 QuadPart : Int8B
+0x1a8 ReadTransferCount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : struct , 2 elements, 0x8 bytes
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 QuadPart : Int8B
+0x1b0 WriteTransferCount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : struct , 2 elements, 0x8 bytes
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 QuadPart : Int8B
+0x1b8 OtherTransferCount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : struct , 2 elements, 0x8 bytes
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 QuadPart : Int8B
+0x1c0 CommitChargeLimit : Uint4B
+0x1c4 CommitChargePeak : Uint4B
+0x1c8 AweInfo : Ptr32 to
+0x1cc SeAuditProcessCreationInfo : struct _SE_AUDIT_PROCESS_CREATION_INFO, 1 elements, 0x4 bytes
+0x000 ImageFileName : Ptr32 to
+0x1d0 Vm : struct _MMSUPPORT, 18 elements, 0x48 bytes
+0x000 WorkingSetExpansionLinks : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x008 LastTrimStamp : Uint2B
+0x00a NextPageColor : Uint2B
+0x00c Flags : struct _MMSUPPORT_FLAGS, 14 elements, 0x4 bytes
+0x000 SessionSpace : Bitfield Pos 0, 1 Bit
+0x000 ModwriterAttached : Bitfield Pos 1, 1 Bit
+0x000 TrimHard : Bitfield Pos 2, 1 Bit
+0x000 MaximumWorkingSetHard : Bitfield Pos 3, 1 Bit
+0x000 ForceTrim : Bitfield Pos 4, 1 Bit
+0x000 MinimumWorkingSetHard : Bitfield Pos 5, 1 Bit
+0x000 SessionMaster : Bitfield Pos 6, 1 Bit
+0x000 TrimmerAttached : Bitfield Pos 7, 1 Bit
+0x001 TrimmerDetaching : Bitfield Pos 0, 1 Bit
+0x001 Reserved : Bitfield Pos 1, 7 Bits
+0x002 MemoryPriority : Bitfield Pos 0, 8 Bits
+0x003 WsleDeleted : Bitfield Pos 0, 1 Bit
+0x003 VmExiting : Bitfield Pos 1, 1 Bit
+0x003 Available : Bitfield Pos 2, 6 Bits
+0x010 PageFaultCount : Uint4B
+0x014 PeakWorkingSetSize : Uint4B
+0x018 Spare0 : Uint4B
+0x01c MinimumWorkingSetSize : Uint4B
+0x020 MaximumWorkingSetSize : Uint4B
+0x024 VmWorkingSetList : Ptr32 to
+0x028 Claim : Uint4B
+0x02c Spare : (1 elements) Uint4B
+0x030 WorkingSetPrivateSize : Uint4B
+0x034 WorkingSetSizeOverhead : Uint4B
+0x038 WorkingSetSize : Uint4B
+0x03c ExitEvent : Ptr32 to
+0x040 WorkingSetMutex : struct _EX_PUSH_LOCK, 7 elements, 0x4 bytes
+0x000 Locked : Bitfield Pos 0, 1 Bit
+0x000 Waiting : Bitfield Pos 1, 1 Bit
+0x000 Waking : Bitfield Pos 2, 1 Bit
+0x000 MultipleShared : Bitfield Pos 3, 1 Bit
+0x000 Shared : Bitfield Pos 4, 28 Bits
+0x000 Value : Uint4B
+0x000 Ptr : Ptr32 to
+0x044 AccessLog : Ptr32 to
+0x218 MmProcessLinks : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x220 ModifiedPageCount : Uint4B
+0x224 Flags2 : Uint4B
+0x224 JobNotReallyActive : Bitfield Pos 0, 1 Bit
+0x224 AccountingFolded : Bitfield Pos 1, 1 Bit
+0x224 NewProcessReported : Bitfield Pos 2, 1 Bit
+0x224 ExitProcessReported : Bitfield Pos 3, 1 Bit
+0x224 ReportCommitChanges : Bitfield Pos 4, 1 Bit
+0x224 LastReportMemory : Bitfield Pos 5, 1 Bit
+0x224 ReportPhysicalPageChanges : Bitfield Pos 6, 1 Bit
+0x224 HandleTableRundown : Bitfield Pos 7, 1 Bit
+0x224 NeedsHandleRundown : Bitfield Pos 8, 1 Bit
+0x224 RefTraceEnabled : Bitfield Pos 9, 1 Bit
+0x224 NumaAware : Bitfield Pos 10, 1 Bit
+0x224 ProtectedProcess : Bitfield Pos 11, 1 Bit
+0x224 DefaultPagePriority : Bitfield Pos 12, 3 Bits
+0x224 PrimaryTokenFrozen : Bitfield Pos 15, 1 Bit
+0x224 ProcessVerifierTarget : Bitfield Pos 16, 1 Bit
+0x224 StackRandomizationDisabled : Bitfield Pos 17, 1 Bit
+0x228 Flags : Uint4B
+0x228 CreateReported : Bitfield Pos 0, 1 Bit
+0x228 NoDebugInherit : Bitfield Pos 1, 1 Bit
+0x228 ProcessExiting : Bitfield Pos 2, 1 Bit
+0x228 ProcessDelete : Bitfield Pos 3, 1 Bit
+0x228 Wow64SplitPages : Bitfield Pos 4, 1 Bit
+0x228 VmDeleted : Bitfield Pos 5, 1 Bit
+0x228 OutswapEnabled : Bitfield Pos 6, 1 Bit
+0x228 Outswapped : Bitfield Pos 7, 1 Bit
+0x228 ForkFailed : Bitfield Pos 8, 1 Bit
+0x228 Wow64VaSpace4Gb : Bitfield Pos 9, 1 Bit
+0x228 AddressSpaceInitialized : Bitfield Pos 10, 2 Bits
+0x228 SetTimerResolution : Bitfield Pos 12, 1 Bit
+0x228 BreakOnTermination : Bitfield Pos 13, 1 Bit
+0x228 DeprioritizeViews : Bitfield Pos 14, 1 Bit
+0x228 WriteWatch : Bitfield Pos 15, 1 Bit
+0x228 ProcessInSession : Bitfield Pos 16, 1 Bit
+0x228 OverrideAddressSpace : Bitfield Pos 17, 1 Bit
+0x228 HasAddressSpace : Bitfield Pos 18, 1 Bit
+0x228 LaunchPrefetched : Bitfield Pos 19, 1 Bit
+0x228 InjectInpageErrors : Bitfield Pos 20, 1 Bit
+0x228 VmTopDown : Bitfield Pos 21, 1 Bit
+0x228 ImageNotifyDone : Bitfield Pos 22, 1 Bit
+0x228 PdeUpdateNeeded : Bitfield Pos 23, 1 Bit
+0x228 VdmAllowed : Bitfield Pos 24, 1 Bit
+0x228 SmapAllowed : Bitfield Pos 25, 1 Bit
+0x228 ProcessInserted : Bitfield Pos 26, 1 Bit
+0x228 DefaultIoPriority : Bitfield Pos 27, 3 Bits
+0x228 SparePsFlags1 : Bitfield Pos 30, 2 Bits
+0x22c ExitStatus : Int4B
+0x230 Spare7 : Uint2B
+0x232 SubSystemMinorVersion : UChar
+0x233 SubSystemMajorVersion : UChar
+0x232 SubSystemVersion : Uint2B
+0x234 PriorityClass : UChar
+0x238 VadRoot : struct _MM_AVL_TABLE, 6 elements, 0x20 bytes
+0x000 BalancedRoot : struct _MMADDRESS_NODE, 5 elements, 0x14 bytes
+0x000 u1 : union , 2 elements, 0x4 bytes
+0x000 Balance : Bitfield Pos 0, 2 Bits
+0x000 Parent : Ptr32 to
+0x004 LeftChild : Ptr32 to
+0x008 RightChild : Ptr32 to
+0x00c StartingVpn : Uint4B
+0x010 EndingVpn : Uint4B
+0x014 DepthOfTree : Bitfield Pos 0, 5 Bits
+0x014 Unused : Bitfield Pos 5, 3 Bits
+0x014 NumberGenericTableElements : Bitfield Pos 8, 24 Bits
+0x018 NodeHint : Ptr32 to
+0x01c NodeFreeHint : Ptr32 to
+0x258 Cookie : Uint4B
+0x25c AlpcContext : struct _ALPC_PROCESS_CONTEXT, 3 elements, 0x10 bytes
+0x000 Lock : struct _EX_PUSH_LOCK, 7 elements, 0x4 bytes
+0x000 Locked : Bitfield Pos 0, 1 Bit
+0x000 Waiting : Bitfield Pos 1, 1 Bit
+0x000 Waking : Bitfield Pos 2, 1 Bit
+0x000 MultipleShared : Bitfield Pos 3, 1 Bit
+0x000 Shared : Bitfield Pos 4, 28 Bits
+0x000 Value : Uint4B
+0x000 Ptr : Ptr32 to
+0x004 ViewListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x00c PagedPoolQuotaCache : Uint4B
