Geoff Chappell - Software Analyst
DRAFT: Take more than your usual care.
Executing the cpuid instruction with 1 in eax produces a second set of feature flags in ecx, which are here treated as elaborating the feature flags in edx from cpuid leaf 1.
Intel’s Application Note 485, which seems to be no longer available online from Intel, dates Intel’s documentation of these ecx flags, if not their introduction to the processor, to November 2002. The Windows kernel doesn’t care about any of them until roughly four years later, for Windows Vista. Of the three ecx flags that Microsoft started with, one had only very short-lived support and seems never to have been documented by either Microsoft or Intel.
Mask | Symbolic Name | Versions |
---|---|---|
0x00000001 | SSE3 | 6.0 and higher |
0x00000002 | PCLMULQDQ | 6.3 and higher |
0x00000004 | DTES64 | 6.2 and higher (x86 only) |
0x00000020 | VMX | 6.2 and higher |
0x00000200 | SSSE3 | 6.3 and higher |
0x00002000 | CMPXCHG16B | 6.0 and higher (x64 only) |
0x00010000 | Reserved | 6.0 only |
0x02000000 | AESNI | 6.3 and higher |
0x04000000 | XSAVE | 6.1 and higher |
0x08000000 | OSXSAVE | 10.0 and higher |
0x10000000 | AVX | 10.0 and higher |
0x40000000 | RDRAND | 6.3 and higher |
0x80000000 | Reserved | 6.0 and higher |
The Windows kernel is not known to use this feature flag.
AMD’s documentation has this bit as reserved. The Windows kernel is not known to use this feature flag.
AMD’s documentation has this bit as reserved. The Windows kernel is not known to use this feature flag.
AMD’s documentation has this bit as reserved. The Windows kernel is not known to use this feature flag.
Early Intel documentation named this EST.
AMD’s documentation has this bit as reserved. The Windows kernel is not known to use this feature flag.
AMD’s documentation has this bit as reserved. The Windows kernel is not known to use this feature flag.
AMD’s documentation has this bit as reserved. The Windows kernel is not known to use this feature flag.
The Windows kernel is not known to use this feature flag.
Early Intel documentation named this CX16. It signifies the availability of the cmpxchg16b instruction. The 32-bit kernel does not even look for this. The 64-bit kernel has come to regard it as essential. Without it, versions 6.3 and higher of the x64 kernel stop Windows with the bug check UNSUPPORTED_PROCESSOR (0x5D).
AMD’s documentation has this bit as reserved. Current Intel documentation gives “xTPR Update Control” as this bit’s mnemonic. The simpler xTPR is from early documentation. Whatever the name, the Windows kernel is not known to use this feature flag.
AMD’s documentation has this bit as reserved. The Windows kernel is not known to use this feature flag.
This bit is known to the 32-bit and 64-bit kernels for Windows Vista even though Intel and AMD both have it as reserved. Provided that the vendor is GenuineIntel, the bit translates to 0x00100000 (bit 20) or 0x00200000 (bit 21) in the FeatureFlags member of the KPRCB for 32-bit and 64-bit Windows respectively. If it is set for all processors, it passes into the internal variable KeFeatureFlags and to the PF_CHANNELS_ENABLED member of the ProcessorFeatures array in the KUSER_SHARED_DATA. It there becomes documented by Microsoft as telling that the “processor channels are enabled.”
For both the 32-bit and 64-bit kernels the essential reaction to this reserved cpuid feature flag is to set what is nowadays documented as the UMIP bit (11) in cr4. According to Intel, this now prevents the sgdt, sidt, sldt, smsw and str instructions from executing in user mode. Intel’s documentation from 2006, however, had this cr4 bit as reserved. The mechanism for the 32-bit kernel sets this bit in cr4 from a callback routine to execute on each processor. Symbol files name the routine as Ki386EnableChannels, surely confirming that whatever was in Intel’s public documentation at the time, or has been since, the 0x00010000 bit in ecx from cpuid leaf 1 was at least thought by Microsoft to tell of processor channels.
AMD’s documentation has this bit as reserved. The Windows kernel is not known to use this feature flag.
AMD’s documentation has this bit as reserved. The Windows kernel is not known to use this feature flag.
The Windows kernel is not known to use this feature flag.
The Windows kernel is not known to use this feature flag.
AMD’s documentation has this bit as reserved. The Windows kernel is not known to use this feature flag.
AMD’s documentation has this bit as reserved. The Windows kernel is not known to use this feature flag.
The Windows kernel is not known to use this feature flag.
AMD’s documentation has this bit as reserved. The Windows kernel is not known to use this feature flag.
The Windows kernel is not known to use this feature flag.
Intel’s documentation has this bit as reserved but with the unusually specific note that it “Always returns 0.” To AMD, it is “Reserved for use by hypervisor to indicate guest status.” Reserved or not, named or not—the name RAZ is AMD’s—both the 32-bit and 64-bit kernels rely on it for discovering whether Windows is running under a hypervisor. The exported (but undocumented) function HviIsAnyHypervisorPresent is nothing but a test for this reserved bit. Given that this bit is set, executing cpuid with eax in a range starting at 0x40000000 may then identify the hypervisor and discover its capabilities, and thus influence how (or even whether) the kernel wants to execute under it.
Microsoft has documented this feature flag’s importance to hypervisors. The HV_CPUID_RESULT structure, which Microsoft documents in the Windows Driver Kit (WDK) for Windows 7, marks out bit 31 of these ecx feature flags as VersionAndFeatures.HypervisorPresent.
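The checks described above for bits 13, 16 and 31 can be modelled in user-mode C. This is an added example, not code from the page or from Windows: the function names are hypothetical, `<cpuid.h>` is the GCC/Clang header, and the layout of the leaf 0x40000000 signature (12 bytes in ebx, ecx, edx) is an assumption the page does not spell out.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__i386__) || defined(__x86_64__)
#include <cpuid.h>
#endif

#define ECX_CMPXCHG16B 0x00002000u /* page: required by x64 kernels 6.3 and higher */
#define ECX_CHANNELS   0x00010000u /* page: reserved bit known to version 6.0 only */
#define ECX_HYPERVISOR 0x80000000u /* page: bit 31, VersionAndFeatures.HypervisorPresent */

/* The bit-31 test that the page says HviIsAnyHypervisorPresent amounts to. */
int hypervisor_present(uint32_t leaf1_ecx) { return (leaf1_ecx & ECX_HYPERVISOR) != 0; }

/* Without CMPXCHG16B the page has x64 kernels 6.3+ stop with bug check 0x5D. */
int x64_requirement_met(uint32_t leaf1_ecx) { return (leaf1_ecx & ECX_CMPXCHG16B) != 0; }

/* Vista's translation of bit 16 into KPRCB FeatureFlags, as the page describes:
   GenuineIntel only, bit 20 for 32-bit Windows and bit 21 for 64-bit. */
uint32_t channels_feature_flag(uint32_t leaf1_ecx, int genuine_intel, int is_x64) {
    if (!genuine_intel || !(leaf1_ecx & ECX_CHANNELS)) return 0;
    return is_x64 ? 0x00200000u : 0x00100000u;
}

/* Leaf 0x40000000 returns a 12-byte vendor signature in ebx, ecx, edx
   (low byte first). Unpack it into a NUL-terminated string. */
void hv_signature(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    uint32_t regs[3] = { ebx, ecx, edx };
    for (int i = 0; i < 12; i++)
        out[i] = (char)((regs[i / 4] >> (8 * (i % 4))) & 0xFF);
    out[12] = '\0';
}

int main(void) {
#if defined(__i386__) || defined(__x86_64__)
    unsigned a, b, c, d;
    char sig[13];
    if (!__get_cpuid(1, &a, &b, &c, &d)) return 1;
    printf("leaf 1 ecx = 0x%08X, CMPXCHG16B %s\n", c,
           x64_requirement_met(c) ? "present" : "absent");
    if (hypervisor_present(c)) {
        __cpuid(0x40000000, a, b, c, d); /* raw macro: not a basic leaf */
        hv_signature(b, c, d, sig);
        printf("hypervisor present, signature \"%s\", max leaf 0x%08X\n", sig, a);
    } else {
        puts("bit 31 clear: no hypervisor reported");
    }
#endif
    return 0;
}
```

On non-x86 targets `main` compiles to a no-op, but the decoding functions still work on ecx values captured elsewhere.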