Geoff Chappell, Software Analyst
The SYSTEM_PROCESS_ID_INFORMATION structure provides input to and receives output from the ZwQuerySystemInformation or NtQuerySystemInformation functions when given the information class SystemProcessIdInformation (0x58).
The SYSTEM_PROCESS_ID_INFORMATION structure is not documented.
The SYSTEM_PROCESS_ID_INFORMATION structure is 0x0C or 0x18 bytes in 32-bit and 64-bit Windows, respectively.
Offset (x86) | Offset (x64) | Definition | Remarks |
---|---|---|---|
0x00 | 0x00 | `PVOID ProcessId;` | input only |
0x04 | 0x08 | `UNICODE_STRING ImageName;` | input and output |
The structure exists so that the function can produce the name of the process that is represented by a process ID. The ProcessId exists solely to provide the process ID as input.
The ImageName is input in the sense of describing a buffer that is to receive output. As usual for a UNICODE_STRING, Buffer is the address of memory that may hold a Unicode string that is not necessarily null-terminated, MaximumLength is the number of bytes available, including for any null terminator, and Length is the number of bytes actually held, not counting any null terminator.
On input, Length must be zero, MaximumLength must be a multiple of two, and Buffer may be required to have 2-byte alignment and to lie wholly in user-mode address space.
On success, Length and MaximumLength describe the name that has been copied to Buffer, which is itself unchanged. The exception is a process that has no name to copy: then MaximumLength is cleared to 0 and Buffer to NULL.
The ImageName is also meaningful as output in one specific failure: the function returns STATUS_INFO_LENGTH_MISMATCH having set the return length to what was given as SystemInformationLength. The interpretation is that SystemInformationLength was correct but the input MaximumLength was too small for the name. The output MaximumLength is a size that would have sufficed.
It is permitted that MaximumLength be zero on input, in which case Buffer is irrelevant. This allows a caller to defer obtaining memory for the name until learning how much (or that the process has no name).
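As an added example, not part of this page and not Geoff Chappell's code: a C program showing the caller's side of SystemProcessIdInformation, including the deferred-allocation pattern described above (MaximumLength zero on the first call, allocate the reported size, call again), run against a small user-mode stand-in for the kernel so that it compiles and runs without windows.h. The structure and UNICODE_STRING definitions follow the layout in the table; the process table, PIDs and names are constructed sample data, and the status codes the stand-in returns for rejected input (STATUS_INVALID_PARAMETER), an unknown PID (STATUS_INVALID_CID) and allocation failure (STATUS_NO_MEMORY) are assumptions, not behaviour the page describes.

```c
/* Added example: caller-side handling of SystemProcessIdInformation against a
 * user-mode stand-in for the kernel. Not the page's or Microsoft's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int32_t  NTSTATUS;
typedef uint16_t USHORT;
typedef uint32_t ULONG;
typedef void    *PVOID;
typedef uint16_t WCHAR;           /* 2-byte code units, as on Windows */
typedef WCHAR   *PWSTR;

#define STATUS_SUCCESS              ((NTSTATUS)0x00000000)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004)
#define STATUS_INVALID_CID          ((NTSTATUS)0xC000000B)
#define STATUS_INVALID_PARAMETER    ((NTSTATUS)0xC000000D)
#define STATUS_NO_MEMORY            ((NTSTATUS)0xC0000017)
#define SystemProcessIdInformation  0x58

typedef struct _UNICODE_STRING {
    USHORT Length;          /* bytes held, excluding any null terminator */
    USHORT MaximumLength;   /* bytes available, including any terminator */
    PWSTR  Buffer;
} UNICODE_STRING;

typedef struct _SYSTEM_PROCESS_ID_INFORMATION {
    PVOID          ProcessId;   /* input only */
    UNICODE_STRING ImageName;   /* input and output */
} SYSTEM_PROCESS_ID_INFORMATION;

size_t LayoutSize(void)      { return sizeof(SYSTEM_PROCESS_ID_INFORMATION); }
size_t ImageNameOffset(void) { return offsetof(SYSTEM_PROCESS_ID_INFORMATION, ImageName); }

/* Constructed process table standing in for the kernel's view; a NULL name
 * models a process that has no image name to copy. */
static const WCHAR kNotepad[] = { 'n','o','t','e','p','a','d','.','e','x','e', 0 };
static const struct { uint32_t pid; const WCHAR *name; } kProcs[] = {
    { 4, NULL }, { 1234, kNotepad },
};

static size_t NameBytes(const WCHAR *s) { size_t n = 0; while (s[n]) n++; return n * sizeof(WCHAR); }

/* Stand-in for NtQuerySystemInformation restricted to this class. It applies
 * the input/output rules from the text; the status codes for rejected input
 * and for an unknown PID are assumptions (the page does not name them). */
NTSTATUS SimQuerySystemInformation(ULONG Class, PVOID Info, ULONG InfoLength, ULONG *ReturnLength)
{
    SYSTEM_PROCESS_ID_INFORMATION *p = (SYSTEM_PROCESS_ID_INFORMATION *)Info;
    if (Class != SystemProcessIdInformation || InfoLength != sizeof(*p))
        return STATUS_INFO_LENGTH_MISMATCH;
    if (p->ImageName.Length != 0 || (p->ImageName.MaximumLength & 1))
        return STATUS_INVALID_PARAMETER;        /* Length must be 0, MaximumLength even */
    const WCHAR *name = NULL; int found = 0;
    for (size_t i = 0; i < sizeof kProcs / sizeof kProcs[0]; i++)
        if (kProcs[i].pid == (uint32_t)(uintptr_t)p->ProcessId) { name = kProcs[i].name; found = 1; }
    if (!found) return STATUS_INVALID_CID;
    if (name == NULL) {                         /* no name: clear the descriptor */
        p->ImageName.MaximumLength = 0; p->ImageName.Buffer = NULL;
        return STATUS_SUCCESS;
    }
    size_t bytes = NameBytes(name);
    if (bytes + sizeof(WCHAR) > p->ImageName.MaximumLength) {
        /* Too small: report a sufficient size and echo InfoLength so the caller
         * can tell this apart from a wrong structure size. */
        p->ImageName.MaximumLength = (USHORT)(bytes + sizeof(WCHAR));
        *ReturnLength = InfoLength;
        return STATUS_INFO_LENGTH_MISMATCH;
    }
    memcpy(p->ImageName.Buffer, name, bytes + sizeof(WCHAR));
    p->ImageName.Length = (USHORT)bytes;
    return STATUS_SUCCESS;
}

/* Caller side: two-call pattern. On STATUS_SUCCESS, *out is a malloc'd
 * null-terminated UTF-16 name (caller frees) or NULL if the process has none. */
NTSTATUS QueryImageName(uint32_t pid, WCHAR **out)
{
    SYSTEM_PROCESS_ID_INFORMATION info;
    ULONG ret = 0;
    *out = NULL;
    info.ProcessId = (PVOID)(uintptr_t)pid;
    info.ImageName.Length = 0;
    info.ImageName.MaximumLength = 0;           /* defer allocation: ask for the size */
    info.ImageName.Buffer = NULL;
    NTSTATUS st = SimQuerySystemInformation(SystemProcessIdInformation, &info, sizeof info, &ret);
    if (st != STATUS_INFO_LENGTH_MISMATCH || ret != sizeof info)
        return st;                              /* success here means: no name */
    info.ImageName.Buffer = malloc(info.ImageName.MaximumLength);
    if (info.ImageName.Buffer == NULL) return STATUS_NO_MEMORY;
    info.ImageName.Length = 0;                  /* must again be zero on input */
    st = SimQuerySystemInformation(SystemProcessIdInformation, &info, sizeof info, &ret);
    if (st != STATUS_SUCCESS) { free(info.ImageName.Buffer); return st; }
    *out = info.ImageName.Buffer;
    return STATUS_SUCCESS;
}

/* Narrow a UTF-16 name to ASCII for display (non-ASCII becomes '?'). */
void NarrowName(const WCHAR *w, char *out, size_t cap)
{
    size_t i = 0;
    for (; w[i] && i + 1 < cap; i++) out[i] = w[i] < 0x80 ? (char)w[i] : '?';
    out[i] = 0;
}

int main(void)
{
    WCHAR *name = NULL; char ascii[64];
    NTSTATUS st = QueryImageName(1234, &name);
    if (st == STATUS_SUCCESS && name) { NarrowName(name, ascii, sizeof ascii); printf("1234: %s\n", ascii); free(name); }
    else printf("1234: status 0x%08X, no name\n", (unsigned)st);
    return 0;
}
```

The discriminator the caller relies on is the pair (STATUS_INFO_LENGTH_MISMATCH, ReturnLength == sizeof info): only then does ImageName.MaximumLength carry the size hint, so a tool that resolves PIDs to image names should check both before trusting that field.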