SYSTEM_CALL_TIME_INFORMATION

The SYSTEM_CALL_TIME_INFORMATION structure may be what a successful call to ZwQuerySystemInformation or NtQuerySystemInformation would produce in its output buffer when given the information class SystemCallTimeInformation (0x0A). Instead, all versions yet inspected that don’t reject this information class as invalid instead reject it as not implemented. Perhaps it is implemented in some debug build.

Documentation Status

The SYSTEM_CALL_TIME_INFORMATION structure is not documented.

Microsoft does publish the practical equivalent of a C-language definition as type information in public symbol files, though not for the kernel, where the structure is prepared, nor even for low-level user-mode DLLs that interpret the structure, but for various higher-level user-mode DLLs such as URLMON.DLL and only then starting with version 6.2.

Two earlier disclosures of type information are known, though not in symbol files but in statically linked libraries: GDISRVL.LIB from the Device Driver Kit (DDK) for Windows NT 3.51; and SHELL32.LIB from the DDK for Windows NT 4.0.

Layout

The SYSTEM_CALL_TIME_INFORMATION is 0x10 bytes in both 32-bit and 64-bit Windows.

Offset Definition
0x00 
ULONG Length;
0x04 
ULONG TotalCalls;
0x08 
LARGE_INTEGER TimeOfCalls [ANYSIZE_ARRAY];

This page was created on 9th July 2016 but was not published until 25th October 2016. It was last modified on 27th June 2019.

Copyright © 2016-2019. Geoff Chappell. All rights reserved. Conditions apply.