Geoff Chappell, Software Analyst
The SYSTEM_CALL_COUNT_INFORMATION structure is a fixed-size header for the variable amount of data that a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces in its output buffer when given the information class SystemCallCountInformation (0x06).
Starting with version 10.0, SystemCallCountInformation is not implemented and SYSTEM_CALL_COUNT_INFORMATION has no known use.
The SYSTEM_CALL_COUNT_INFORMATION structure is not documented.
Microsoft does publish the practical equivalent of a C-language definition as type information in public symbol files, though not for the kernel, where the structure is prepared, nor even for low-level user-mode DLLs that interpret the structure, but for various higher-level user-mode DLLs such as URLMON.DLL and only then starting with version 6.2.
Two earlier disclosures of type information are known, though not in symbol files but in statically linked libraries: GDISRVL.LIB from the Device Driver Kit (DDK) for Windows NT 3.51; and SHELL32.LIB from the DDK for Windows NT 4.0.
The SYSTEM_CALL_COUNT_INFORMATION structure is 0x08 bytes in both 32-bit and 64-bit Windows in all versions starting from 3.51 but is only 0x04 bytes in version 3.50.
Offset | Definition | Versions | Remarks |
---|---|---|---|
0x00 | ULONG Length; | 3.50 and higher | last member in 3.50 |
0x04 | ULONG NumberOfTables; | 3.51 and higher | |
The fixed-size header introduces entry counts of system calls. The Length is the total size in bytes, i.e., of both the fixed-size header and the variable-size data that follows it. In version 3.50, the variable-size data is simply a dword that tells how many 32-bit counts follow.
Version 3.51 brought the KeAddSystemServiceTable function and its notion of separate sets of system calls. Each set has its own table of entry counts. The variable-size data is first an array of dwords, one per table, and then the tables. Each of the dwords is in turn the number of 32-bit counts in the corresponding table.
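The layout described above for version 3.51 and higher, as an added C example that is not from the original page: it checks an output buffer against its own Length and per-table sizes before summing the counts of one table. The helper names sum_table_counts and dword_at and the sample buffer are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Header as tabulated above (layout for 3.51 and higher). */
typedef struct {
    uint32_t Length;         /* total bytes: header plus variable-size data */
    uint32_t NumberOfTables; /* number of per-table size dwords that follow */
} SYSTEM_CALL_COUNT_INFORMATION;

/* Constructed sample, host byte order: 2 tables holding 3 and 2 counts. */
const uint32_t sample_buffer[] = { 36, 2,  3, 2,  10, 20, 30,  5, 7 };

/* Hypothetical helper: reads the index-th dword after base. */
static uint32_t dword_at(const uint8_t *base, size_t index)
{
    uint32_t v;
    memcpy(&v, base + 4 * index, sizeof v); /* avoids alignment assumptions */
    return v;
}

/* Hypothetical helper: validates the whole buffer against its own sizes and
   sums the entry counts of one table. Returns 0 on success, -1 otherwise. */
int sum_table_counts(const void *buf, size_t buf_size, uint32_t table,
                     uint64_t *sum)
{
    SYSTEM_CALL_COUNT_INFORMATION hdr;
    if (buf_size < sizeof hdr) return -1;
    memcpy(&hdr, buf, sizeof hdr);
    if (hdr.Length < sizeof hdr || hdr.Length > buf_size || hdr.Length % 4)
        return -1; /* Length must cover the header and fit the buffer */

    const uint8_t *data = (const uint8_t *)buf + sizeof hdr;
    size_t avail = (hdr.Length - sizeof hdr) / 4; /* dwords after the header */
    if (hdr.NumberOfTables > avail || table >= hdr.NumberOfTables) return -1;

    size_t used = hdr.NumberOfTables; /* the array of table sizes comes first */
    size_t start = 0, count = 0;
    for (uint32_t i = 0; i < hdr.NumberOfTables; i++) {
        uint32_t n = dword_at(data, i);
        if (n > avail - used) return -1; /* table would run past Length */
        if (i == table) { start = used; count = n; }
        used += n;
    }
    *sum = 0;
    for (size_t j = 0; j < count; j++)
        *sum += dword_at(data, start + j);
    return 0;
}
```

Every size is checked against what Length leaves available, so a buffer whose per-table sizes disagree with Length is rejected before any count is read.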
It happens that for any one version, the NumberOfTables is pre-set: