SYSTEM_PROCESS_INFORMATION_EXTENSION

The SYSTEM_PROCESS_INFORMATION_EXTENSION structure is an irregularly recurring element in what a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces in its output buffer when given the information class SystemProcessInformation (0x05), SystemExtendedProcessInformation (0x39) or SystemFullProcessInformation (0x94).

The output for these information classes is a sequence of variable-size sets of items, one set per process. Each set comprises:

a SYSTEM_PROCESS_INFORMATION;
an array of SYSTEM_THREAD_INFORMATION or SYSTEM_EXTENDED_THREAD_INFORMATION structures, one per thread;
a SYSTEM_PROCESS_INFORMATION_EXTENSION.

In each set, the NextEntryOffset member at the beginning of the SYSTEM_PROCESS_INFORMATION tells how many bytes to advance from that SYSTEM_PROCESS_INFORMATION to the next, or is zero in the last. The array that follows the SYSTEM_PROCESS_INFORMATION is of SYSTEM_THREAD_INFORMATION structures if the information class is SystemProcessInformation, else of SYSTEM_EXTENDED_THREAD_INFORMATION structures. Either way, the NumberOfThreads member tells how many elements are in the array, and thus indirectly locates the SYSTEM_PROCESS_INFORMATION_EXTENSION: it begins immediately after the last element of the array.

The SYSTEM_PROCESS_INFORMATION_EXTENSION is a relatively recent elaboration of the information returned for each process. Windows versions before 6.2 certainly do not support it, and a reader of the buffer that may run on such versions should check that the set, as bounded by NextEntryOffset (or by the end of the buffer for the last set), is large enough to hold the extension before reading it. In Windows 10, which is the only version yet studied for this note, the structure is present for all three information classes, but some members, notably the ones that locate variable-size data, are non-trivial only for SystemFullProcessInformation.

Documentation Status

The SYSTEM_PROCESS_INFORMATION_EXTENSION structure is not documented.

Layout

The SYSTEM_PROCESS_INFORMATION_EXTENSION is 0xD8 or 0xE0 bytes in 32-bit and 64-bit Windows 10, respectively. Other versions are not yet studied methodically for this note, but it is known that the structure was originally only 0x38 bytes.

Offset (x86)   Offset (x64)   Definition
0x00           0x00           PROCESS_DISK_COUNTERS DiskCounters;
0x28           0x28           ULONGLONG ContextSwitches;
0x30           0x30           union {
                                  ULONG Flags;
                                  struct {
                                      ULONG HasStrongId : 1;
                                      ULONG Spare : 31;
                                  };
                              };
0x34           0x34           ULONG UserSidOffset;
0x38           0x38           ULONG PackageFullNameOffset;
0x40           0x40           PROCESS_ENERGY_VALUES EnergyValues;
0xD0           0xD0           ULONG AppIdOffset;
0xD4           0xD8           ULONG_PTR SharedCommitCharge;

Each of the three members UserSidOffset, PackageFullNameOffset and AppIdOffset holds an offset in bytes from the start of the SYSTEM_PROCESS_INFORMATION_EXTENSION (not of the SYSTEM_PROCESS_INFORMATION) to the corresponding variable-size item, or is zero to indicate that the data is not provided. The items are respectively a SID and two null-terminated Unicode strings.
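The following C is an added illustration, not part of this note and not code from Windows, of reading such a buffer in the way described above: advance by NextEntryOffset, skip NumberOfThreads thread structures to reach the extension, then resolve UserSidOffset, PackageFullNameOffset and AppIdOffset relative to the extension. It assumes NumberOfThreads is at offset 0x04 of the SYSTEM_PROCESS_INFORMATION, takes the sizes of the SYSTEM_PROCESS_INFORMATION and of the thread structure as parameters (they depend on the Windows version and information class and are not given on this page), treats PROCESS_DISK_COUNTERS and PROCESS_ENERGY_VALUES as opaque bytes sized from the table, and assumes the variable-size items lie within the same set, before the next SYSTEM_PROCESS_INFORMATION. The function names, the stand-in sizes and the sample buffer with its made-up SID and strings are the example's own; it does not call the API, so it builds and runs anywhere with a C compiler.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t  ULONG;
typedef uint64_t  ULONGLONG;
typedef uintptr_t ULONG_PTR;
typedef uint16_t  WCHAR;

/* SYSTEM_PROCESS_INFORMATION: only the two members the walk needs. The note places
 * NextEntryOffset first; NumberOfThreads at 0x04 is an assumption (its usual place). */
#define SPI_NEXT_ENTRY_OFFSET 0x00
#define SPI_NUMBER_OF_THREADS 0x04

/* SYSTEM_PROCESS_INFORMATION_EXTENSION per the table above; the two embedded
 * structures are opaque here, sized from the offsets of the members after them. */
typedef struct {
    uint8_t   DiskCounters[0x28];                 /* PROCESS_DISK_COUNTERS */
    ULONGLONG ContextSwitches;
    union { ULONG Flags; struct { ULONG HasStrongId : 1; ULONG Spare : 31; } s; } u;
    ULONG     UserSidOffset;
    ULONG     PackageFullNameOffset;
    ULONG     Reserved_0x3C;                      /* alignment gap before EnergyValues */
    uint8_t   EnergyValues[0x90];                 /* PROCESS_ENERGY_VALUES */
    ULONG     AppIdOffset;
    ULONG_PTR SharedCommitCharge;
} SYSTEM_PROCESS_INFORMATION_EXTENSION;
_Static_assert(offsetof(SYSTEM_PROCESS_INFORMATION_EXTENSION, AppIdOffset) == 0xD0, "layout");
_Static_assert(sizeof(SYSTEM_PROCESS_INFORMATION_EXTENSION) == (sizeof(void *) == 8 ? 0xE0 : 0xD8), "size");

typedef struct {
    ULONG number_of_threads;
    int   have_ext;                               /* 0 when no extension fits in the set */
    SYSTEM_PROCESS_INFORMATION_EXTENSION ext;     /* copied out: no alignment assumed */
    const uint8_t *user_sid;                      /* NULL when offset is zero or out of range */
    const WCHAR   *package_full_name;
    const WCHAR   *app_id;
} PROCESS_ENTRY;

static ULONG get_ulong(const uint8_t *p) { ULONG v; memcpy(&v, p, sizeof v); return v; }
static void  put_ulong(uint8_t *p, ULONG v) { memcpy(p, &v, sizeof v); }

/* A null-terminated UTF-16 string at p must have its terminator before end. */
static const WCHAR *checked_wstr(const uint8_t *p, const uint8_t *end) {
    for (const uint8_t *q = p; end - q >= (ptrdiff_t)sizeof(WCHAR); q += sizeof(WCHAR)) {
        WCHAR c; memcpy(&c, q, sizeof c);
        if (c == 0) return (const WCHAR *)p;
    }
    return NULL;
}
/* A SID is an 8-byte header plus 4 bytes per sub-authority (count in byte 1). */
static const uint8_t *checked_sid(const uint8_t *p, const uint8_t *end) {
    if (end - p < 8 || p[0] != 1) return NULL;    /* SID_REVISION is 1 */
    return (end - p >= 8 + 4 * (ptrdiff_t)p[1]) ? p : NULL;
}

/* Decode the set at buf+off. Returns the offset of the next set, 0 after the last,
 * SIZE_MAX if the buffer is malformed (never reads past buf+len). */
static size_t next_process_entry(const uint8_t *buf, size_t len, size_t off,
                                 size_t spi_size, size_t thread_size, PROCESS_ENTRY *out)
{
    memset(out, 0, sizeof *out);
    if (spi_size < 8 || thread_size == 0 || off >= len || len - off < spi_size) return SIZE_MAX;
    const uint8_t *entry = buf + off;
    ULONG next = get_ulong(entry + SPI_NEXT_ENTRY_OFFSET);
    out->number_of_threads = get_ulong(entry + SPI_NUMBER_OF_THREADS);
    if (next != 0 && (next < spi_size || next > len - off)) return SIZE_MAX;
    const uint8_t *end = next ? entry + next : buf + len;   /* extent of this set */

    /* The extension follows the thread array; a set too short to hold one has none. */
    if (out->number_of_threads > (SIZE_MAX - spi_size) / thread_size) return SIZE_MAX;
    size_t ext_off = spi_size + (size_t)out->number_of_threads * thread_size;
    size_t extent = (size_t)(end - entry);
    if (ext_off > extent || extent - ext_off < sizeof out->ext) return next ? off + next : 0;
    const uint8_t *eb = entry + ext_off;          /* the three offsets are relative to this */
    memcpy(&out->ext, eb, sizeof out->ext);
    out->have_ext = 1;
    size_t avail = (size_t)(end - eb);
    if (out->ext.UserSidOffset && out->ext.UserSidOffset < avail)
        out->user_sid = checked_sid(eb + out->ext.UserSidOffset, end);
    if (out->ext.PackageFullNameOffset && out->ext.PackageFullNameOffset < avail)
        out->package_full_name = checked_wstr(eb + out->ext.PackageFullNameOffset, end);
    if (out->ext.AppIdOffset && out->ext.AppIdOffset < avail)
        out->app_id = checked_wstr(eb + out->ext.AppIdOffset, end);
    return next ? off + next : 0;
}

/* Constructed sample, not a real capture. Stand-in fixed sizes: real values depend on
 * the Windows version and information class and are not given on this page. */
#define SAMPLE_SPI_SIZE    0x10
#define SAMPLE_THREAD_SIZE 0x08
static const uint8_t SAMPLE_SID[]   = {1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};   /* S-1-5-18 */
static const WCHAR   SAMPLE_PKG[]   = {'C','o','n','t','o','s','o','.','A','p','p','_','1','.','0',0};
static const WCHAR   SAMPLE_APPID[] = {'C','o','n','t','o','s','o','.','A','p','p','!','A','p','p',0};

/* Two sets: a packaged app with a strong identity and two threads, then a classic
 * process with one thread, all three offsets zero, and NextEntryOffset zero (last). */
static size_t build_sample(uint8_t *buf, size_t cap)
{
    SYSTEM_PROCESS_INFORMATION_EXTENSION ext = {0};
    size_t ext_off = SAMPLE_SPI_SIZE + 2 * SAMPLE_THREAD_SIZE, var = sizeof ext;
    ext.u.s.HasStrongId = 1;
    ext.UserSidOffset = (ULONG)var;          var += sizeof SAMPLE_SID;
    ext.PackageFullNameOffset = (ULONG)var;  var += sizeof SAMPLE_PKG;
    ext.AppIdOffset = (ULONG)var;            var += sizeof SAMPLE_APPID;
    size_t e0 = (ext_off + var + 7) & ~(size_t)7;            /* next set 8-byte aligned */
    size_t e1 = SAMPLE_SPI_SIZE + SAMPLE_THREAD_SIZE + sizeof ext;
    if (cap < e0 + e1) return 0;
    memset(buf, 0, e0 + e1);                                 /* zero-fills set 1's extension */
    put_ulong(buf + SPI_NEXT_ENTRY_OFFSET, (ULONG)e0);
    put_ulong(buf + SPI_NUMBER_OF_THREADS, 2);
    memcpy(buf + ext_off, &ext, sizeof ext);
    memcpy(buf + ext_off + ext.UserSidOffset, SAMPLE_SID, sizeof SAMPLE_SID);
    memcpy(buf + ext_off + ext.PackageFullNameOffset, SAMPLE_PKG, sizeof SAMPLE_PKG);
    memcpy(buf + ext_off + ext.AppIdOffset, SAMPLE_APPID, sizeof SAMPLE_APPID);
    put_ulong(buf + e0 + SPI_NUMBER_OF_THREADS, 1);
    return e0 + e1;
}

/* Walk every set; returns the count, or -1 if the buffer is malformed. */
static int count_entries(const uint8_t *buf, size_t len, int *strong_ids)
{
    PROCESS_ENTRY pe; int n = 0; size_t off = 0;
    *strong_ids = 0;
    do {
        off = next_process_entry(buf, len, off, SAMPLE_SPI_SIZE, SAMPLE_THREAD_SIZE, &pe);
        if (off == SIZE_MAX) return -1;
        n++;
        if (pe.have_ext && pe.ext.u.s.HasStrongId && pe.app_id) (*strong_ids)++;
    } while (off != 0);
    return n;
}

static int sample_entry_count(void)     { uint8_t b[1024]; int s; return count_entries(b, build_sample(b, sizeof b), &s); }
static int sample_strong_id_count(void) { uint8_t b[1024]; int s; count_entries(b, build_sample(b, sizeof b), &s); return s; }
static int sample_truncated(void)       { uint8_t b[1024]; int s; build_sample(b, sizeof b); return count_entries(b, 100, &s); }
static int sample_first_entry_rid(void) {     /* last sub-authority of set 0's SID, or -1 */
    uint8_t b[1024]; PROCESS_ENTRY pe;
    next_process_entry(b, build_sample(b, sizeof b), 0, SAMPLE_SPI_SIZE, SAMPLE_THREAD_SIZE, &pe);
    return (pe.user_sid && pe.package_full_name && pe.app_id) ? (int)get_ulong(pe.user_sid + 8) : -1;
}

int main(void) {
    uint8_t b[1024]; int strong = 0;
    int n = count_entries(b, build_sample(b, sizeof b), &strong);
    printf("%d sets, %d with a strong package identity\n", n, strong);
    return (n == 2 && strong == 1) ? 0 : 1;
}
```

On real output the caller passes the fixed sizes that apply to the information class and Windows version in use. The bounds checks are the point worth keeping: a short or hand-crafted buffer (a truncated capture, or output a less trusted component hands over) must not cause the reader to follow NextEntryOffset, NumberOfThreads or the three offsets past the end of the set.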