SYSTEM_CRASH_STATE_INFORMATION

The SYSTEM_CRASH_STATE_INFORMATION structure is what a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces in its output buffer when given the information class SystemCrashDumpStateInformation (0x22). This information class is valid for queries only in versions 3.50 to 5.0. It is valid for ZwSetSystemInformation and NtSetSystemInformation in version 5.0 and higher, but the expected input is instead a SYSTEM_CRASH_DUMP_STATE_INFORMATION.

Documentation Status

The SYSTEM_CRASH_STATE_INFORMATION structure is not documented.

Its only known disclosure by Microsoft is in type information such as Microsoft nowadays includes with public symbol files. For this old structure, however, the type information is instead in two statically linked libraries: GDISRVL.LIB from the Device Driver Kit (DDK) for Windows NT 3.51 and SHELL32.LIB from the DDK for Windows NT 4.0.

Layout

The SYSTEM_CRASH_STATE_INFORMATION is 4 bytes, originally, but is 8 bytes in version 5.0.

Offset  Definition             Versions     Remarks
0x00    ULONG ValidCrashDump;  3.50 to 5.0  last member in 3.50 to 4.0
0x04    unknown dword          5.0 only

The ValidCrashDump is TRUE or FALSE according to whether the kernel has created a section in anticipation of ever writing a crash dump file.

The new member for version 5.0 is always zero. Its purpose is unknown.
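
The layout above, as an added example that is not from the original page or from Microsoft: a C decoder for a captured output buffer that accepts only the 4-byte and 8-byte forms and flags a non-zero second dword. The member name Unknown, the crash_state type and decode_crash_state are hypothetical, and little-endian byte order is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layouts from the table above. Only ValidCrashDump is named on the page;
   "Unknown" is a hypothetical name for the unnamed 5.0 dword. */
typedef struct { uint32_t ValidCrashDump; } CRASH_STATE_V350;                  /* 3.50 to 4.0 */
typedef struct { uint32_t ValidCrashDump; uint32_t Unknown; } CRASH_STATE_V50; /* 5.0 */

_Static_assert(sizeof(CRASH_STATE_V350) == 4, "3.50 to 4.0 layout is 4 bytes");
_Static_assert(sizeof(CRASH_STATE_V50) == 8, "5.0 layout is 8 bytes");
_Static_assert(offsetof(CRASH_STATE_V50, Unknown) == 4, "new member is at 0x04");
enum decode_status { DECODE_OK = 0, DECODE_BAD_INPUT = -1, DECODE_UNEXPECTED_VALUE = -2 };

typedef struct {
    int has_unknown;      /* 1 when the 8-byte (5.0) layout was seen */
    int valid_crash_dump; /* ValidCrashDump normalised to 0 or 1 */
    uint32_t unknown;     /* dword at 0x04, expected to be zero */
} crash_state;

/* Read a little-endian ULONG (assumption: buffer comes from a little-endian build). */
static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode an output buffer; any length other than 4 or 8 bytes is rejected. */
int decode_crash_state(const unsigned char *buf, size_t len, crash_state *out)
{
    if (buf == NULL || out == NULL) return DECODE_BAD_INPUT;
    if (len != sizeof(CRASH_STATE_V350) && len != sizeof(CRASH_STATE_V50)) return DECODE_BAD_INPUT;
    memset(out, 0, sizeof *out);
    out->valid_crash_dump = read_le32(buf) != 0;
    if (len == sizeof(CRASH_STATE_V50)) {
        out->has_unknown = 1;
        out->unknown = read_le32(buf + 4);
        if (out->unknown != 0) return DECODE_UNEXPECTED_VALUE; /* page: always zero */
    }
    return DECODE_OK;
}

int main(void)
{
    /* Constructed sample: an 8-byte (5.0) buffer with ValidCrashDump = TRUE. */
    const unsigned char sample[8] = { 1, 0, 0, 0, 0, 0, 0, 0 };
    crash_state s;
    return decode_crash_state(sample, sizeof sample, &s);
}
```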