SYSTEM_HANDLE_TABLE_ENTRY_INFO

The SYSTEM_HANDLE_TABLE_ENTRY_INFO structure is a recurring element in the SYSTEM_HANDLE_INFORMATION that a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces in its output buffer when given the information class SystemHandleInformation (0x10).

Documentation Status

The SYSTEM_HANDLE_TABLE_ENTRY_INFO structure is not documented.

Microsoft does publish the practical equivalent of a C-language definition as type information in public symbol files, though not for the kernel, where the structure is prepared, nor even for low-level user-mode DLLs that interpret the structure, but for various higher-level user-mode DLLs such as URLMON.DLL and only then starting with version 6.2.

Two earlier disclosures of type information are known, though not in symbol files but in statically linked libraries: GDISRVL.LIB from the Device Driver Kit (DDK) for Windows NT 3.51; and SHELL32.LIB from the DDK for Windows NT 4.0.

Layout

The SYSTEM_HANDLE_TABLE_ENTRY_INFO structure is 0x10 or 0x18 bytes in 32-bit and 64-bit Windows, respectively, in version 3.50 and higher. It is 0x18 bytes in version 3.10.

Offset (x86) Offset (x64) Definition Versions
0x00 0x00 
ULONG UniqueProcessId;
 3.10 to 3.50 
USHORT UniqueProcessId;
 3.51 and higher
0x04 (3.10)   unknown dword 3.10 only
0x08 (3.10);
0x02 		0x02 
ULONG CreatorBackTraceIndex;
 3.10 only
not present 3.50 only 
USHORT CreatorBackTraceIndex;
 3.51 and higher
0x0C (3.10);
0x04 		0x04 
UCHAR ObjectTypeIndex;
 all
0x0D (3.10);
0x05 		0x05 
UCHAR HandleAttributes;
 all
0x0E (3.10);
0x06 		0x06 
USHORT HandleValue;
 all
0x10 (3.10);
0x08 		0x08 
PVOID Object;
 all
0x14 (3.10);
0x0C 		0x10 
ULONG GrantedAccess;
 all

This page was created on 9th July 2016 but was not published until 25th October 2016. It was last modified on 30th June 2020.

Copyright © 2016-2020. Geoff Chappell. All rights reserved. Conditions apply.