Geoff Chappell, Software Analyst
An array of SYSTEM_INTERRUPT_INFORMATION structures, one per processor, is produced in the output buffer by a successful call to the following functions:
when given the information class SystemInterruptInformation (0x17).
The SYSTEM_INTERRUPT_INFORMATION structure is defined in WINTERNL.H from the Software Development Kit (SDK). The definition there has the whole structure as one array of bytes, named Reserved1. Documentation of NtQuerySystemInformation describes the structure as “opaque” and suggests that whatever is produced in it for the SystemInterruptInformation case “can be used to generate an unpredictable seed for a random number generator.”
Microsoft does publish the practical equivalent of a C-language definition as type information in public symbol files, though not for the kernel, where the structure is prepared, nor even for low-level user-mode DLLs that interpret the structure, but for various higher-level user-mode DLLs such as URLMON.DLL and only then starting with version 6.2.
Two earlier disclosures of type information are known, though not in symbol files but in statically linked libraries: GDISRVL.LIB from the Device Driver Kit (DDK) for Windows NT 3.51; and SHELL32.LIB from the DDK for Windows NT 4.0.
The SYSTEM_INTERRUPT_INFORMATION is 0x18 bytes in both 32-bit and 64-bit Windows.
Offset | Definition |
---|---|
0x00 | ULONG ContextSwitches; |
0x04 | ULONG DpcCount; |
0x08 | ULONG DpcRate; |
0x0C | ULONG TimeIncrement; |
0x10 | ULONG DpcBypassCount; |
0x14 | ULONG ApcBypassCount; |
Most members are loaded directly from similarly named members in the processor’s KPRCB. Version 5.1 discontinues the DpcBypassCount and ApcBypassCount as KPRCB members. Though they remain in the SYSTEM_INTERRUPT_INFORMATION, queries always produce zero.
The TimeIncrement is from an internal variable. It is the number of 100ns units between timer interrupts as currently arranged with the HAL. Note that this current time increment is not necessarily what kernel-mode callers can learn through the KeQueryTimeIncrement function (which is instead the maximum time increment).
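The layout above, applied to an output buffer holding one 0x18-byte record per processor, as an added example that is not code from this page or from Microsoft. It is portable C with no Windows headers; the names INTERRUPT_INFO, SAMPLE, g_out, rd32 and parse_interrupt_info are hypothetical, and the SAMPLE bytes are constructed, not captured from a real query.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout from the table above; ULONG is 32 bits on 32-bit and 64-bit Windows. */
typedef struct {
    uint32_t ContextSwitches;  /* 0x00 */
    uint32_t DpcCount;         /* 0x04 */
    uint32_t DpcRate;          /* 0x08 */
    uint32_t TimeIncrement;    /* 0x0C, in 100ns units */
    uint32_t DpcBypassCount;   /* 0x10, always zero from version 5.1 */
    uint32_t ApcBypassCount;   /* 0x14, always zero from version 5.1 */
} INTERRUPT_INFO;              /* hypothetical name for this example */
_Static_assert(sizeof(INTERRUPT_INFO) == 0x18, "structure is 0x18 bytes");
_Static_assert(offsetof(INTERRUPT_INFO, ApcBypassCount) == 0x14, "last member at 0x14");

/* Constructed sample: the shape of a two-processor result (not captured data). */
static const uint8_t SAMPLE[0x30] = {
    0x45,0x23,0x01,0x00, 0x00,0x02,0x00,0x00, 0x03,0x00,0x00,0x00,
    0x5A,0x62,0x02,0x00, 0,0,0,0, 0,0,0,0,
    0xEF,0xCD,0xAB,0x00, 0x10,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x5A,0x62,0x02,0x00, 0,0,0,0, 0,0,0,0,
};
static INTERRUPT_INFO g_out[2];

/* Read a little-endian ULONG without depending on host byte order or alignment. */
static uint32_t rd32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode len bytes into out[]. Returns the record count (one per processor),
   or -1 if len is zero, not a whole multiple of 0x18, or more than max records. */
static int parse_interrupt_info(const uint8_t *buf, size_t len, INTERRUPT_INFO *out, size_t max) {
    if (len == 0 || len % 0x18 != 0 || len / 0x18 > max) return -1;
    for (size_t i = 0; i < len / 0x18; i++) {
        const uint8_t *p = buf + i * 0x18;
        out[i].ContextSwitches = rd32(p + 0x00); out[i].DpcCount = rd32(p + 0x04);
        out[i].DpcRate = rd32(p + 0x08);         out[i].TimeIncrement = rd32(p + 0x0C);
        out[i].DpcBypassCount = rd32(p + 0x10);  out[i].ApcBypassCount = rd32(p + 0x14);
    }
    return (int)(len / 0x18);
}

int main(void) {
    int n = parse_interrupt_info(SAMPLE, sizeof SAMPLE, g_out, 2);
    for (int i = 0; i < n; i++)  /* TimeIncrement / 10000 converts 100ns units to ms */
        printf("cpu %d: ctxsw=%u dpc=%u rate=%u tick=%.4f ms\n", i, g_out[i].ContextSwitches,
               g_out[i].DpcCount, g_out[i].DpcRate, g_out[i].TimeIncrement / 10000.0);
    return n == 2 ? 0 : 1;
}
```

In the constructed sample the last eight bytes of each record are zero, matching the behaviour described for version 5.1 and later.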