SYSTEM_EXCEPTION_INFORMATION

The SYSTEM_EXCEPTION_INFORMATION structure is what a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces in its output buffer when given the information class SystemExceptionInformation (0x21).

Documentation Status

The SYSTEM_EXCEPTION_INFORMATION structure is defined in WINTERNL.H from the Software Development Kit (SDK). The definition there has the whole structure as one array of bytes, named Reserved1. Documentation of NtQuerySystemInformation describes the structure as “opaque” and suggests that whatever is produced in it for the SystemExceptionInformation case “can be used to generate an unpredictable seed for a random number generator.”

Microsoft does publish the practical equivalent of a C-language definition as type information in public symbol files, though not for the kernel, where the structure is prepared, nor even for low-level user-mode DLLs that interpret the structure, but for various higher-level user-mode DLLs such as URLMON.DLL and only then starting with version 6.2.

Two earlier disclosures of type information are known, though not in symbol files but in statically linked libraries: GDISRVL.LIB from the Device Driver Kit (DDK) for Windows NT 3.51; and SHELL32.LIB from the DDK for Windows NT 4.0.

Layout

The SYSTEM_EXCEPTION_INFORMATION is 0x10 bytes in both 32-bit and 64-bit Windows, starting with version 4.0, but is only 0x0C bytes originally.

ULONG AlignmentFixupCount;

ULONG ExceptionDispatchCount;

ULONG FloatingEmulationCount;

ULONG ByteWordEmulationCount;

The first two or three counts, and perhaps all four in principle, are aggregated over all processors from the similarly named members of the KPRCB for each processor. (The KPRCB members have a Ke prefix.) Since version 6.0 discontinued floating-point emulation, the FloatingPointEmulationCount is always zero. Whatever may have been intended by the extension for version 4.0 (perhaps for some other processor architecture), the ByteWordEmulationCount is always zero.