SYSTEM_THREAD_INFORMATION

The SYSTEM_THREAD_INFORMATION structure is an irregularly recurring element in what a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces in its output buffer when given the information class SystemProcessInformation (0x05).

This information class produces descriptions not just of the running processes but also of those processes’ threads. A quick summary is that the information for each process is a fixed-size SYSTEM_PROCESS_INFORMATION structure and the following variable-size data:

• an array of SYSTEM_THREAD_INFORMATION structures, one per thread;
• and a null-terminated Unicode string for the process’s name.

The totality of the output for all processes is a sequence of these sets, one per process. In each set, the NextEntryOffset member at the beginning of the SYSTEM_PROCESS_INFORMATION tells how many bytes to advance from that SYSTEM_PROCESS_INFORMATION to the next, or is zero in the last. The NumberOfThreads member in a SYSTEM_PROCESS_INFORMATION tells how many SYSTEM_THREAD_INFORMATION structures are in the array that immediately follows the SYSTEM_PROCESS_INFORMATION.

Documentation Status

The SYSTEM_THREAD_INFORMATION structure was for many years undocumented. It is nowadays documented online as part of the Terminal Services Terminal Server (MS-TSTS) Runtime Interface Protocol. It is not known when Microsoft first published this documentation, which includes a complete C-language definition. The copyright notice for the particular page is for 2016 but the MS-TSTS documentation in general seems to have been published first in 2013.

Layout

The size of a SYSTEM_THREAD_INFORMATION is 0x40 or 0x50 bytes in 32-bit and 64-bit Windows, respectively.

LARGE_INTEGER KernelTime;

LARGE_INTEGER UserTime;

LARGE_INTEGER CreateTime;

ULONG WaitTime;

PVOID StartAddress;

CLIENT_ID ClientId;

LONG Priority;

LONG BasePriority;

ULONG ContextSwitches;

ULONG ThreadState;

ULONG WaitReason;