Reading Notebook: 04-January-10
Comments in italics are mine and express my own views, thoughts and opinions
Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:
Diagnostic Policy Service, DPS (pp. 330 - 331)
SMART (p. 332) - Don’t confuse with the recursive acronym Smart Memory Analysis in Real Time (coined by me)
Windows system responsiveness performance diagnostics (p. 332)
Program Compatibility Assistant, PCA (p. 333)
_EPROCESS and _KPROCESS (pp. 337 - 339) - x64 equivalents from W2K8:
lkd> dt _EPROCESS
ntdll!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x0c0 ProcessLock : _EX_PUSH_LOCK
+0x0c8 CreateTime : _LARGE_INTEGER
+0x0d0 ExitTime : _LARGE_INTEGER
+0x0d8 RundownProtect : _EX_RUNDOWN_REF
+0x0e0 UniqueProcessId : Ptr64 Void
+0x0e8 ActiveProcessLinks : _LIST_ENTRY
+0x0f8 QuotaUsage : [3] Uint8B
+0x110 QuotaPeak : [3] Uint8B
+0x128 CommitCharge : Uint8B
+0x130 PeakVirtualSize : Uint8B
+0x138 VirtualSize : Uint8B
+0x140 SessionProcessLinks : _LIST_ENTRY
+0x150 DebugPort : Ptr64 Void
+0x158 ExceptionPortData : Ptr64 Void
+0x158 ExceptionPortValue : Uint8B
+0x158 ExceptionPortState : Pos 0, 3 Bits
+0x160 ObjectTable : Ptr64 _HANDLE_TABLE
+0x168 Token : _EX_FAST_REF
+0x170 WorkingSetPage : Uint8B
+0x178 AddressCreationLock : _EX_PUSH_LOCK
+0x180 RotateInProgress : Ptr64 _ETHREAD
+0x188 ForkInProgress : Ptr64 _ETHREAD
+0x190 HardwareTrigger : Uint8B
+0x198 PhysicalVadRoot : Ptr64 _MM_AVL_TABLE
+0x1a0 CloneRoot : Ptr64 Void
+0x1a8 NumberOfPrivatePages : Uint8B
+0x1b0 NumberOfLockedPages : Uint8B
+0x1b8 Win32Process : Ptr64 Void
+0x1c0 Job : Ptr64 _EJOB
+0x1c8 SectionObject : Ptr64 Void
+0x1d0 SectionBaseAddress : Ptr64 Void
+0x1d8 QuotaBlock : Ptr64 _EPROCESS_QUOTA_BLOCK
+0x1e0 WorkingSetWatch : Ptr64 _PAGEFAULT_HISTORY
+0x1e8 Win32WindowStation : Ptr64 Void
+0x1f0 InheritedFromUniqueProcessId : Ptr64 Void
+0x1f8 LdtInformation : Ptr64 Void
+0x200 Spare : Ptr64 Void
+0x208 VdmObjects : Ptr64 Void
+0x210 DeviceMap : Ptr64 Void
+0x218 EtwDataSource : Ptr64 Void
+0x220 FreeTebHint : Ptr64 Void
+0x228 PageDirectoryPte : _HARDWARE_PTE
+0x228 Filler : Uint8B
+0x230 Session : Ptr64 Void
+0x238 ImageFileName : [16] UChar
+0x248 JobLinks : _LIST_ENTRY
+0x258 LockedPagesList : Ptr64 Void
+0x260 ThreadListHead : _LIST_ENTRY
+0x270 SecurityPort : Ptr64 Void
+0x278 Wow64Process : Ptr64 Void
+0x280 ActiveThreads : Uint4B
+0x284 ImagePathHash : Uint4B
+0x288 DefaultHardErrorProcessing : Uint4B
+0x28c LastThreadExitStatus : Int4B
+0x290 Peb : Ptr64 _PEB
+0x298 PrefetchTrace : _EX_FAST_REF
+0x2a0 ReadOperationCount : _LARGE_INTEGER
+0x2a8 WriteOperationCount : _LARGE_INTEGER
+0x2b0 OtherOperationCount : _LARGE_INTEGER
+0x2b8 ReadTransferCount : _LARGE_INTEGER
+0x2c0 WriteTransferCount : _LARGE_INTEGER
+0x2c8 OtherTransferCount : _LARGE_INTEGER
+0x2d0 CommitChargeLimit : Uint8B
+0x2d8 CommitChargePeak : Uint8B
+0x2e0 AweInfo : Ptr64 Void
+0x2e8 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x2f0 Vm : _MMSUPPORT
+0x358 MmProcessLinks : _LIST_ENTRY
+0x368 ModifiedPageCount : Uint4B
+0x36c Flags2 : Uint4B
+0x36c JobNotReallyActive : Pos 0, 1 Bit
+0x36c AccountingFolded : Pos 1, 1 Bit
+0x36c NewProcessReported : Pos 2, 1 Bit
+0x36c ExitProcessReported : Pos 3, 1 Bit
+0x36c ReportCommitChanges : Pos 4, 1 Bit
+0x36c LastReportMemory : Pos 5, 1 Bit
+0x36c ReportPhysicalPageChanges : Pos 6, 1 Bit
+0x36c HandleTableRundown : Pos 7, 1 Bit
+0x36c NeedsHandleRundown : Pos 8, 1 Bit
+0x36c RefTraceEnabled : Pos 9, 1 Bit
+0x36c NumaAware : Pos 10, 1 Bit
+0x36c ProtectedProcess : Pos 11, 1 Bit
+0x36c DefaultPagePriority : Pos 12, 3 Bits
+0x36c PrimaryTokenFrozen : Pos 15, 1 Bit
+0x36c ProcessVerifierTarget : Pos 16, 1 Bit
+0x36c StackRandomizationDisabled : Pos 17, 1 Bit
+0x36c AffinityPermanent : Pos 18, 1 Bit
+0x36c AffinityUpdateEnable : Pos 19, 1 Bit
+0x36c CrossSessionCreate : Pos 20, 1 Bit
+0x370 Flags : Uint4B
+0x370 CreateReported : Pos 0, 1 Bit
+0x370 NoDebugInherit : Pos 1, 1 Bit
+0x370 ProcessExiting : Pos 2, 1 Bit
+0x370 ProcessDelete : Pos 3, 1 Bit
+0x370 Wow64SplitPages : Pos 4, 1 Bit
+0x370 VmDeleted : Pos 5, 1 Bit
+0x370 OutswapEnabled : Pos 6, 1 Bit
+0x370 Outswapped : Pos 7, 1 Bit
+0x370 ForkFailed : Pos 8, 1 Bit
+0x370 Wow64VaSpace4Gb : Pos 9, 1 Bit
+0x370 AddressSpaceInitialized : Pos 10, 2 Bits
+0x370 SetTimerResolution : Pos 12, 1 Bit
+0x370 BreakOnTermination : Pos 13, 1 Bit
+0x370 DeprioritizeViews : Pos 14, 1 Bit
+0x370 WriteWatch : Pos 15, 1 Bit
+0x370 ProcessInSession : Pos 16, 1 Bit
+0x370 OverrideAddressSpace : Pos 17, 1 Bit
+0x370 HasAddressSpace : Pos 18, 1 Bit
+0x370 LaunchPrefetched : Pos 19, 1 Bit
+0x370 InjectInpageErrors : Pos 20, 1 Bit
+0x370 VmTopDown : Pos 21, 1 Bit
+0x370 ImageNotifyDone : Pos 22, 1 Bit
+0x370 PdeUpdateNeeded : Pos 23, 1 Bit
+0x370 VdmAllowed : Pos 24, 1 Bit
+0x370 SmapAllowed : Pos 25, 1 Bit
+0x370 ProcessInserted : Pos 26, 1 Bit
+0x370 DefaultIoPriority : Pos 27, 3 Bits
+0x370 ProcessSelfDelete : Pos 30, 1 Bit
+0x370 SpareProcessFlags : Pos 31, 1 Bit
+0x374 ExitStatus : Int4B
+0x378 Spare7 : Uint2B
+0x37a SubSystemMinorVersion : UChar
+0x37b SubSystemMajorVersion : UChar
+0x37a SubSystemVersion : Uint2B
+0x37c PriorityClass : UChar
+0x380 VadRoot : _MM_AVL_TABLE
+0x3c0 Cookie : Uint4B
+0x3c8 AlpcContext : _ALPC_PROCESS_CONTEXT
lkd> dt _KPROCESS
ntdll!_KPROCESS
+0x000 Header : _DISPATCHER_HEADER
+0x018 ProfileListHead : _LIST_ENTRY
+0x028 DirectoryTableBase : Uint8B
+0x030 Unused0 : Uint8B
+0x038 IopmOffset : Uint2B
+0x040 ActiveProcessors : Uint8B
+0x048 KernelTime : Uint4B
+0x04c UserTime : Uint4B
+0x050 ReadyListHead : _LIST_ENTRY
+0x060 SwapListEntry : _SINGLE_LIST_ENTRY
+0x068 InstrumentationCallback : Ptr64 Void
+0x070 ThreadListHead : _LIST_ENTRY
+0x080 ProcessLock : Uint8B
+0x088 Affinity : Uint8B
+0x090 AutoAlignment : Pos 0, 1 Bit
+0x090 DisableBoost : Pos 1, 1 Bit
+0x090 DisableQuantum : Pos 2, 1 Bit
+0x090 ReservedFlags : Pos 3, 29 Bits
+0x090 ProcessFlags : Int4B
+0x094 BasePriority : Char
+0x095 QuantumReset : Char
+0x096 State : UChar
+0x097 ThreadSeed : UChar
+0x098 PowerState : UChar
+0x099 IdealNode : UChar
+0x09a Visited : UChar
+0x09b Flags : _KEXECUTE_OPTIONS
+0x09b ExecuteOptions : UChar
+0x0a0 StackCount : Uint8B
+0x0a8 ProcessListEntry : _LIST_ENTRY
+0x0b8 CycleTime : Uint8B
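Both dumps above give the two offsets a memory-forensics tool needs to enumerate processes without the kernel's help: _EPROCESS.ActiveProcessLinks at +0x0e8 (the list rooted at nt!PsActiveProcessHead that !process walks) and _KPROCESS.ProcessListEntry at +0x0a8 (the scheduler's own list, and since Pcb sits at +0x000 this is also +0x0a8 from the _EPROCESS base). Each Flink points at the _LIST_ENTRY field, not at the object, so the object base is Flink minus the field offset. The following C program is an added example, not from the book or from this notebook: it builds a constructed image of three fake _EPROCESS blocks at made-up kernel addresses, walks both lists with the offsets above, and reports any process that is on the scheduler list but missing from the active list, which is what a DKOM-unlinked process looks like. The structure size, the buffer base address, the list-head addresses, the process names and PIDs are all assumptions chosen for the demo; only the field offsets come from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets from the W2K8 x64 dt listings above (_EPROCESS, and _KPROCESS at Pcb +0x000). */
#define EP_UniqueProcessId     0x0e0
#define EP_ActiveProcessLinks  0x0e8
#define EP_ImageFileName       0x238
#define KP_ProcessListEntry    0x0a8   /* _KPROCESS.ProcessListEntry, same offset from _EPROCESS */
#define EP_SIZE                0x400   /* assumed: rounded up from the last field (AlpcContext at 0x3c8) */

/* Constructed image: a flat buffer standing in for a slice of non-paged pool that we
 * pretend is mapped at kernel VA KBASE.  Every address below is a demo choice. */
#define KBASE             0xfffffa8003000000ULL
#define IMAGE_SIZE        0x2000
#define ADDR_ACTIVE_HEAD  (KBASE + 0x010)   /* stands in for nt!PsActiveProcessHead */
#define ADDR_KPROC_HEAD   (KBASE + 0x020)   /* stands in for nt!KiProcessListHead */
#define ADDR_PROC(i)      (KBASE + 0x400 + (uint64_t)(i) * EP_SIZE)
static uint8_t image[IMAGE_SIZE];

static int in_image(uint64_t va, uint64_t len) {
    return va >= KBASE && len <= IMAGE_SIZE && va - KBASE <= IMAGE_SIZE - len;
}
static uint64_t rd64(uint64_t va) { uint64_t v; memcpy(&v, image + (va - KBASE), 8); return v; }
static void wr64(uint64_t va, uint64_t v) { memcpy(image + (va - KBASE), &v, 8); }

/* Append the _LIST_ENTRY at 'link' to the circular doubly linked list rooted at 'head'. */
static void list_append(uint64_t head, uint64_t link) {
    uint64_t last = rd64(head + 8);          /* head.Blink */
    wr64(link, head); wr64(link + 8, last);  /* link.Flink = head, link.Blink = last */
    wr64(last, link); wr64(head + 8, link);  /* last.Flink = link, head.Blink = link */
}

/* Lay out n fake processes.  Every one goes on the KiProcessList; the one at hide_idx is
 * left off PsActiveProcessHead (self-linked), which is how a DKOM-unlinked process looks. */
void build_image(int n, int hide_idx, const char **names, const uint64_t *pids) {
    memset(image, 0, sizeof image);
    wr64(ADDR_ACTIVE_HEAD, ADDR_ACTIVE_HEAD); wr64(ADDR_ACTIVE_HEAD + 8, ADDR_ACTIVE_HEAD);
    wr64(ADDR_KPROC_HEAD, ADDR_KPROC_HEAD);   wr64(ADDR_KPROC_HEAD + 8, ADDR_KPROC_HEAD);
    for (int i = 0; i < n; i++) {
        uint64_t ep = ADDR_PROC(i), alink = ep + EP_ActiveProcessLinks;
        wr64(ep + EP_UniqueProcessId, pids[i]);
        strncpy((char *)image + (ep - KBASE) + EP_ImageFileName, names[i], 15);
        list_append(ADDR_KPROC_HEAD, ep + KP_ProcessListEntry);
        if (i == hide_idx) { wr64(alink, alink); wr64(alink + 8, alink); }
        else list_append(ADDR_ACTIVE_HEAD, alink);
    }
}

typedef struct { uint64_t eprocess, pid; char name[16]; } proc_info;

/* Walk a circular _LIST_ENTRY list whose entries live at 'link_off' inside _EPROCESS,
 * recovering the object base as Flink - link_off (CONTAINING_RECORD).  Returns the count,
 * or -1 if a link leaves the image, a Blink does not point back, or the list never ends. */
int walk_process_list(uint64_t head, uint64_t link_off, proc_info *out, int max) {
    int n = 0;
    for (uint64_t prev = head, cur = rd64(head); cur != head; prev = cur, cur = rd64(cur)) {
        uint64_t ep = cur - link_off;
        if (n >= max || cur < link_off || !in_image(ep, EP_SIZE)) return -1;
        if (rd64(cur + 8) != prev) return -1;           /* Flink/Blink disagree: list is torn */
        out[n].eprocess = ep;
        out[n].pid = rd64(ep + EP_UniqueProcessId);
        memcpy(out[n].name, image + (ep - KBASE) + EP_ImageFileName, 16);
        out[n].name[15] = '\0';                         /* ImageFileName[16] is not NUL-terminated */
        n++;
    }
    return n;
}

/* Cross-view check: a process on KiProcessList but absent from PsActiveProcessHead is suspect.
 * Returns how many such processes exist; the first one found is copied to *hidden. */
int find_unlisted(proc_info *hidden) {
    proc_info active[32], kproc[32];
    int na = walk_process_list(ADDR_ACTIVE_HEAD, EP_ActiveProcessLinks, active, 32);
    int nk = walk_process_list(ADDR_KPROC_HEAD, KP_ProcessListEntry, kproc, 32);
    if (na < 0 || nk < 0) return -1;
    int missing = 0;
    for (int i = 0; i < nk; i++) {
        int seen = 0;
        for (int j = 0; j < na; j++) if (active[j].eprocess == kproc[i].eprocess) seen = 1;
        if (!seen && missing++ == 0 && hidden) *hidden = kproc[i];
    }
    return missing;
}

int main(void) {
    const char *names[] = { "System", "rootkit.exe", "lsass.exe" };   /* constructed sample */
    const uint64_t pids[] = { 4, 1337, 612 };
    build_image(3, 1, names, pids);
    proc_info h;
    int missing = find_unlisted(&h);
    printf("processes on KiProcessList but not on PsActiveProcessHead: %d\n", missing);
    if (missing > 0)
        printf("hidden: %s pid %llu at 0x%llx\n", h.name,
               (unsigned long long)h.pid, (unsigned long long)h.eprocess);
    return 0;
}
```

The Blink cross-check matters in practice: a rootkit that only patches Flink leaves the Blink of the next entry pointing at the unlinked object, and a walker that refuses torn lists is harder to steer off into attacker-controlled memory than one that trusts every Flink.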
Working set list, MMWSL (p. 340) - I guessed the structure name right:
lkd> dt _MMWSL
nt!_MMWSL
+0x000 FirstFree : Uint4B
+0x004 FirstDynamic : Uint4B
+0x008 LastEntry : Uint4B
+0x00c NextSlot : Uint4B
+0x010 Wsle : Ptr64 _MMWSLE
+0x018 LowestPagableAddress : Ptr64 Void
+0x020 LastInitializedWsle : Uint4B
+0x024 NextEstimationSlot : Uint4B
+0x028 NextAgingSlot : Uint4B
+0x02c EstimatedAvailable : Uint4B
+0x030 GrowthSinceLastEstimate : Uint4B
+0x034 NumberOfCommittedPageTables : Uint4B
+0x038 VadBitMapHint : Uint4B
+0x03c NonDirectCount : Uint4B
+0x040 LastVadBit : Uint4B
+0x044 MaximumLastVadBit : Uint4B
+0x048 LastAllocationSizeHint : Uint4B
+0x04c LastAllocationSize : Uint4B
+0x050 NonDirectHash : Ptr64 _MMWSLE_NONDIRECT_HASH
+0x058 HashTableStart : Ptr64 _MMWSLE_HASH
+0x060 HighestPermittedHashAddress : Ptr64 _MMWSLE_HASH
+0x068 HighestUserAddress : Ptr64 Void
+0x070 MaximumUserPageTablePages : Uint4B
+0x074 MaximumUserPageDirectoryPages : Uint4B
+0x078 CommittedPageTables : Ptr64 Uint4B
+0x080 NumberOfCommittedPageDirectories : Uint4B
+0x088 CommittedPageDirectories : [128] Uint8B
+0x488 NumberOfCommittedPageDirectoryParents : Uint4B
+0x490 CommittedPageDirectoryParents : [1] Uint8B
PEB (pp. 341 - 342) - here’s the x64 PEB structure from W2K8:
lkd> dt _PEB
ntdll!_PEB
+0x000 InheritedAddressSpace : UChar
+0x001 ReadImageFileExecOptions : UChar
+0x002 BeingDebugged : UChar
+0x003 BitField : UChar
+0x003 ImageUsesLargePages : Pos 0, 1 Bit
+0x003 IsProtectedProcess : Pos 1, 1 Bit
+0x003 IsLegacyProcess : Pos 2, 1 Bit
+0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit
+0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit
+0x003 SpareBits : Pos 5, 3 Bits
+0x008 Mutant : Ptr64 Void
+0x010 ImageBaseAddress : Ptr64 Void
+0x018 Ldr : Ptr64 _PEB_LDR_DATA
+0x020 ProcessParameters : Ptr64 _RTL_USER_PROCESS_PARAMETERS
+0x028 SubSystemData : Ptr64 Void
+0x030 ProcessHeap : Ptr64 Void
+0x038 FastPebLock : Ptr64 _RTL_CRITICAL_SECTION
+0x040 AtlThunkSListPtr : Ptr64 Void
+0x048 IFEOKey : Ptr64 Void
+0x050 CrossProcessFlags : Uint4B
+0x050 ProcessInJob : Pos 0, 1 Bit
+0x050 ProcessInitializing : Pos 1, 1 Bit
+0x050 ProcessUsingVEH : Pos 2, 1 Bit
+0x050 ProcessUsingVCH : Pos 3, 1 Bit
+0x050 ReservedBits0 : Pos 4, 28 Bits
+0x058 KernelCallbackTable : Ptr64 Void
+0x058 UserSharedInfoPtr : Ptr64 Void
+0x060 SystemReserved : [1] Uint4B
+0x064 SpareUlong : Uint4B
+0x068 SparePebPtr0 : Uint8B
+0x070 TlsExpansionCounter : Uint4B
+0x078 TlsBitmap : Ptr64 Void
+0x080 TlsBitmapBits : [2] Uint4B
+0x088 ReadOnlySharedMemoryBase : Ptr64 Void
+0x090 HotpatchInformation : Ptr64 Void
+0x098 ReadOnlyStaticServerData : Ptr64 Ptr64 Void
+0x0a0 AnsiCodePageData : Ptr64 Void
+0x0a8 OemCodePageData : Ptr64 Void
+0x0b0 UnicodeCaseTableData : Ptr64 Void
+0x0b8 NumberOfProcessors : Uint4B
+0x0bc NtGlobalFlag : Uint4B
+0x0c0 CriticalSectionTimeout : _LARGE_INTEGER
+0x0c8 HeapSegmentReserve : Uint8B
+0x0d0 HeapSegmentCommit : Uint8B
+0x0d8 HeapDeCommitTotalFreeThreshold : Uint8B
+0x0e0 HeapDeCommitFreeBlockThreshold : Uint8B
+0x0e8 NumberOfHeaps : Uint4B
+0x0ec MaximumNumberOfHeaps : Uint4B
+0x0f0 ProcessHeaps : Ptr64 Ptr64 Void
+0x0f8 GdiSharedHandleTable : Ptr64 Void
+0x100 ProcessStarterHelper : Ptr64 Void
+0x108 GdiDCAttributeList : Uint4B
+0x110 LoaderLock : Ptr64 _RTL_CRITICAL_SECTION
+0x118 OSMajorVersion : Uint4B
+0x11c OSMinorVersion : Uint4B
+0x120 OSBuildNumber : Uint2B
+0x122 OSCSDVersion : Uint2B
+0x124 OSPlatformId : Uint4B
+0x128 ImageSubsystem : Uint4B
+0x12c ImageSubsystemMajorVersion : Uint4B
+0x130 ImageSubsystemMinorVersion : Uint4B
+0x138 ActiveProcessAffinityMask : Uint8B
+0x140 GdiHandleBuffer : [60] Uint4B
+0x230 PostProcessInitRoutine : Ptr64 void
+0x238 TlsExpansionBitmap : Ptr64 Void
+0x240 TlsExpansionBitmapBits : [32] Uint4B
+0x2c0 SessionId : Uint4B
+0x2c8 AppCompatFlags : _ULARGE_INTEGER
+0x2d0 AppCompatFlagsUser : _ULARGE_INTEGER
+0x2d8 pShimData : Ptr64 Void
+0x2e0 AppCompatInfo : Ptr64 Void
+0x2e8 CSDVersion : _UNICODE_STRING
+0x2f8 ActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA
+0x300 ProcessAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP
+0x308 SystemDefaultActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA
+0x310 SystemAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP
+0x318 MinimumStackCommit : Uint8B
+0x320 FlsCallback : Ptr64 _FLS_CALLBACK_INFO
+0x328 FlsListHead : _LIST_ENTRY
+0x338 FlsBitmap : Ptr64 Void
+0x340 FlsBitmapBits : [4] Uint4B
+0x350 FlsHighIndex : Uint4B
+0x358 WerRegistrationData : Ptr64 Void
+0x360 WerShipAssertPtr : Ptr64 Void
PEB and pointers to process heap (p. 340) - couldn’t find them after the PEB on x86 and x64. Needs more clarification:
7: kd> !peb
PEB at 7ffdb000
[...]
7: kd> dt _PEB
ntdll!_PEB
[...]
+0x22c FlsHighIndex : Uint4B
7: kd> dd 7ffdb000 +0x22c +4
7ffdb230 00000000 00000000 00000000 00000000
7ffdb240 00000000 00000000 00000000 00000000
7ffdb250 00000000 00000000 00000000 00000000
7ffdb260 00000000 00000000 00000000 00000000
7ffdb270 00000000 00000000 00000000 00000000
7ffdb280 00000000 00000000 00000000 00000000
7ffdb290 00000000 00000000 00000000 00000000
7ffdb2a0 00000000 00000000 00000000 00000000
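The x64 PEB dump above carries the fields that matter for both debugging and anti-debugging work: BeingDebugged at +0x002, NtGlobalFlag at +0x0bc (a process started under a debugger gets the heap-checking gflags set there), IsProtectedProcess in BitField at +0x003, and the heap bookkeeping ProcessHeap at +0x030, NumberOfHeaps at +0x0e8 and ProcessHeaps at +0x0f0. ProcessHeaps has type Ptr64 Ptr64 Void, so the array of heap pointers is not inside the PEB at all; it lives wherever that pointer says, and a dump has to be followed there. The C program below is an added example, not the book's or this notebook's: it parses a raw 64-bit PEB using these offsets, resolves the heap array against the dump's own base address, and refuses to follow the pointer when it leaves the dump. The sample dump, its base VA, the heap array position, the image base and the heap addresses are constructed for the example; the offsets and flag values are the ones on the page or the documented gflags bits.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets from the W2K8 x64 dt _PEB listing above. */
#define PEB_BeingDebugged         0x002
#define PEB_BitField              0x003
#define PEB_ImageBaseAddress      0x010
#define PEB_ProcessHeap           0x030
#define PEB_NtGlobalFlag          0x0bc
#define PEB_NumberOfHeaps         0x0e8
#define PEB_MaximumNumberOfHeaps  0x0ec
#define PEB_ProcessHeaps          0x0f0
#define PEB_SessionId             0x2c0
#define PEB_SIZE                  0x368   /* WerShipAssertPtr at 0x360 plus its 8 bytes */

/* gflags bits the loader turns on in NtGlobalFlag when the process starts under a debugger. */
#define FLG_HEAP_ENABLE_TAIL_CHECK    0x10
#define FLG_HEAP_ENABLE_FREE_CHECK    0x20
#define FLG_HEAP_VALIDATE_PARAMETERS  0x40
#define FLG_DEBUG_HEAP_MASK (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)

#define MAX_HEAPS 16
typedef struct {
    uint64_t image_base, process_heap, session_id;
    uint32_t nt_global_flag, number_of_heaps;
    int being_debugged, is_protected, debug_heap_flags;
    uint64_t heaps[MAX_HEAPS];   /* ProcessHeaps[] entries resolved from the dump */
} peb_summary;

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void wr64(uint8_t *p, uint64_t v) { memcpy(p, &v, 8); }

/* mem/len is a dump whose first byte was at VA 'base' and whose first PEB_SIZE bytes are the PEB.
 * Returns the number of heap pointers resolved, or -1 if the dump is too short or the
 * ProcessHeaps array points outside it (never follow an unchecked pointer from a dump). */
int summarize_peb(const uint8_t *mem, size_t len, uint64_t base, peb_summary *s) {
    if (len < PEB_SIZE) return -1;
    memset(s, 0, sizeof *s);
    s->being_debugged   = mem[PEB_BeingDebugged] != 0;
    s->is_protected     = (mem[PEB_BitField] >> 1) & 1;          /* IsProtectedProcess : Pos 1 */
    s->image_base       = rd64(mem + PEB_ImageBaseAddress);
    s->process_heap     = rd64(mem + PEB_ProcessHeap);
    s->nt_global_flag   = rd32(mem + PEB_NtGlobalFlag);
    s->debug_heap_flags = (s->nt_global_flag & FLG_DEBUG_HEAP_MASK) == FLG_DEBUG_HEAP_MASK;
    s->number_of_heaps  = rd32(mem + PEB_NumberOfHeaps);
    s->session_id       = rd32(mem + PEB_SessionId);
    uint64_t arr = rd64(mem + PEB_ProcessHeaps);
    uint32_t n = s->number_of_heaps < MAX_HEAPS ? s->number_of_heaps : MAX_HEAPS;
    if (arr < base || arr - base > len || (uint64_t)n * 8 > len - (arr - base)) return -1;
    for (uint32_t i = 0; i < n; i++) s->heaps[i] = rd64(mem + (arr - base) + 8 * i);
    return (int)n;
}

/* Classic debugger-presence heuristic: either flag alone is enough to say "debugged". */
int looks_debugged(const peb_summary *s) { return s->being_debugged || s->debug_heap_flags; }

/* Constructed sample: a PEB at DUMP_BASE with its two-entry ProcessHeaps array placed at +0x380. */
#define DUMP_BASE 0x000007fffffdb000ULL
size_t make_sample_dump(uint8_t *buf, size_t cap) {
    if (cap < 0x400) return 0;
    memset(buf, 0, 0x400);
    buf[PEB_BeingDebugged] = 1;
    wr64(buf + PEB_ImageBaseAddress, 0x140000000ULL);
    wr64(buf + PEB_ProcessHeap, 0x3a0000ULL);
    wr32(buf + PEB_NtGlobalFlag, 0x70);                  /* the three debug-heap bits */
    wr32(buf + PEB_NumberOfHeaps, 2);
    wr32(buf + PEB_MaximumNumberOfHeaps, 16);
    wr64(buf + PEB_ProcessHeaps, DUMP_BASE + 0x380);
    wr32(buf + PEB_SessionId, 1);
    wr64(buf + 0x380, 0x3a0000ULL);                      /* ProcessHeaps[0] == ProcessHeap */
    wr64(buf + 0x388, 0x560000ULL);
    return 0x400;
}

int main(void) {
    uint8_t buf[0x400]; peb_summary s;
    size_t len = make_sample_dump(buf, sizeof buf);
    int n = summarize_peb(buf, len, DUMP_BASE, &s);
    printf("BeingDebugged=%d NtGlobalFlag=0x%x debugged=%d heaps=%d\n",
           s.being_debugged, s.nt_global_flag, looks_debugged(&s), n);
    for (int i = 0; i < n; i++) printf("  heap[%d] = 0x%llx\n", i, (unsigned long long)s.heaps[i]);
    return 0;
}
```

On a live x86 system the same walk is `dd poi(peb+0x90)` after reading ProcessHeaps from the 32-bit PEB; the point of resolving the pointer against the dump base rather than dereferencing it is that a hostile or simply stale process can leave ProcessHeaps pointing anywhere.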