Geoff Chappell, Software Analyst
The SYSTEM_HYPERVISOR_QUERY_INFORMATION structure is what a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces in its output buffer when given the information class SystemHypervisorInformation (0x5B).
The SYSTEM_HYPERVISOR_QUERY_INFORMATION structure is not documented.
The SYSTEM_HYPERVISOR_QUERY_INFORMATION is 0x10 bytes in 32-bit and 64-bit Windows.
| Offset | Definition |
|---|---|
| 0x00 |
BOOLEAN HypervisorConnected; |
| 0x01 |
BOOLEAN HypervisorDebuggingEnabled; |
| 0x02 |
BOOLEAN HypervisorPresent; |
| 0x03 |
UCHAR Spare0 [5]; |
| 0x08 |
ULONGLONG EnabledEnlightenments; |
Microsoft’s assembly-language names for some of the EnabledEnlightenments are known from the KS386.INC and KSAMD64.INC headers that Microsoft supplies in both the Windows Driver Kit (WDK) and the Software Development Kit (SDK) for various Windows versions.
| Mask | Name |
|---|---|
| 0x00000001 | HV_MMU_USE_HYPERCALL_FOR_ADDRESS_SWITCH |
| 0x00000002 | HV_MMU_USE_HYPERCALL_FOR_LOCAL_FLUSH |
| 0x00000004 | HV_MMU_USE_HYPERCALL_FOR_REMOTE_FLUSH |
| 0x00000010 | HV_APIC_ENLIGHTENED |
| 0x00000040 | HV_KE_USE_HYPERCALL_FOR_LONG_SPIN_WAIT |
| 0x00002000 (6.2 to 6.3); 0x00001000 |
HV_DEPRECATE_AUTO_EOI |
It is not known why the numerical value of HV_DEPRECATE_AUTO_EOI has changed for the Windows 10 kits.
Independently of what names might be learnt from Microsoft, the following quick survey of individual bits is obtained by looking at how the kernel initialises the variable that EnabledEnlightenments is copied from. The kernel from the original Windows 10 is known to set the following from various flags and other data that are learnt from the cpuid instruction.
| Mask | Origin in CPUID Output |
|---|---|
| 0x00000001 | UseHypercallForAddressSpaceSwitch in HV_X64_ENLIGHTENMENT_INFORMATION |
| 0x00000002 | UseHypercallForLocalFlush in HV_X64_ENLIGHTENMENT_INFORMATION |
| 0x00000004 | UseHypercallForRemoveFlush in HV_X64_ENLIGHTENMENT_INFORMATION |
| 0x00000008 | ReservedIdentityBit in HV_X64_HYPERVISOR_CPU_MANAGEMENT_FEATURES |
| 0x00000010 | UseApicMsrs in HV_X64_ENLIGHTENMENT_INFORMATION |
| 0x00000020 | UseRelaxedTiming in HV_X64_ENLIGHTENMENT_INFORMATION |
| 0x00000040 | positive LongSpinWaitCount in HV_X64_ENLIGHTENMENT_INFORMATION |
| 0x00000080 | XmmRegistersForFastHypercallAvailable in HV_X64_HYPERVISOR_FEATURES |
| 0x00000100 | AccessPartitionReferenceCounter and AccessPartitionReferenceTsc in HV_PARTITION_PRIVILEGE_MASK |
| 0x00000200 | GuestIdleAvailable in HV_X64_HYPERVISOR_FEATURES |
| 0x00000400 | ProcessorPowerManagement in HV_X64_HYPERVISOR_CPU_MANAGEMENT_FEATURES |
| 0x00000800 | NumaDistanceQueryAvailable in HV_X64_HYPERVISOR_FEATURES |
| 0x00001000 | UseInterruptRemapping in HV_X64_ENLIGHTENMENT_INFORMATION |
| 0x00002000 | DeprecateAutoEoi in HV_X64_ENLIGHTENMENT_INFORMATION |
| 0x00004000 | GuestCrashRegsAvailable in HV_X64_HYPERVISOR_FEATURES |
| 0x00008000 | UseSyntheticClusterIpi in HV_X64_ENLIGHTENMENT_INFORMATION |
| 0x00010000 | StartVirtualProcessor in HV_PARTITION_PRIVILEGE_MASK |
| 0x00020000 | ReservedIdentityBit in HV_X64_HYPERVISOR_CPU_MANAGEMENT_FEATURES |
| 0x00040000 | MwaitIdleStates in HV_X64_HYPERVISOR_CPU_MANAGEMENT_FEATURES |
| 0x00080000 | LogicalProcessorIdling in HV_X64_HYPERVISOR_CPU_MANAGEMENT_FEATURES |