SYSTEM_LEGACY_DRIVER_INFORMATION

The SYSTEM_LEGACY_DRIVER_INFORMATION structure is what a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces in its output buffer when given the information class SystemLegacyDriverInformation (0x2B).

Documentation Status

The SYSTEM_LEGACY_DRIVER_INFORMATION structure is not documented.

Microsoft does publish the practical equivalent of a C-language definition as type information in public symbol files, though not for the kernel, where the structure is prepared, nor even for low-level user-mode DLLs that interpret the structure, but for various higher-level user-mode DLLs such as URLMON.DLL and only then starting with version 6.2.

Layout

The SYSTEM_LEGACY_DRIVER_INFORMATION is 0x0C or 0x18 bytes in 32-bit and 64-bit Windows, respectively.

Offset (x86) Offset (x64) Definition
0x00 0x00 
ULONG VetoType;
0x04 0x08 
UNICODE_STRING VetoList;

The string that VetoList describes by size and address immediately follows this fixed-size structure.

This page was created on 9th July 2016 but was not published until 25th October 2016. It was last modified on 27th June 2019.

Copyright © 2016-2019. Geoff Chappell. All rights reserved. Conditions apply.