SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION

The SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION structure provides input to and receives output from the ZwQuerySystemInformation or NtQuerySystemInformation functions when given the information class SystemQueryPerformanceCounterInformation (0x7C).

Documentation Status

The SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION structure used not to be documented. It still has no C-language definition in any header, including WINTERNL.H, from any known development kit. It is however documented with NtQuerySystemInformation as found online today, 28th October 2016. When it was added may be anyone’s guess.

Layout

The SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION is 0x0C bytes in both 32-bit and 64-bit Windows.

Offset Definition Remarks
0x00 
ULONG Version;
 input, must be 1
0x04 
QUERY_PERFORMANCE_COUNTER_FLAGS Flags;
 output
0x08 
QUERY_PERFORMANCE_COUNTER_FLAGS ValidFlags;
 output

The QUERY_PERFORMANCE_COUNTER_FLAGS structure is just a packaging of ULONG bit fields. While it seems not to be used elsewhere, it may as well be presented here: 

union {
    struct {
        ULONG KernelTransition : 1;
        ULONG Reserved : 31;
    };
    ULONG ul;
};

The function sets KernelTransition in the ValidFlags, and sets it or clears it in the Flags according to whether QpcBypassEnabled in the KUSER_SHARED_DATA is zero.

This page was created on 9th July 2016 but was not published until 28th October 2016.

Copyright © 2016. Geoff Chappell. All rights reserved. Conditions apply.