Geoff Chappell, Software Analyst
The RTL_PROCESS_BACKTRACE_INFORMATION structure is a recurring element in the RTL_PROCESS_BACKTRACES structure that a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces at the start of its output buffer when given the information class SystemStackTraceInformation (0x0D).
The RTL_PROCESS_BACKTRACE_INFORMATION structure is not documented.
Microsoft does publish the practical equivalent of a C-language definition as type information in public symbol files, though not for the kernel, where the structure is prepared, nor even for low-level user-mode DLLs that interpret the structure, but for various higher-level user-mode DLLs such as URLMON.DLL and only then starting with version 6.2.
Two earlier disclosures of type information are known, though not in symbol files but in statically linked libraries: GDISRVL.LIB from the Device Driver Kit (DDK) for Windows NT 3.51; and SHELL32.LIB from the DDK for Windows NT 4.0.
The RTL_PROCESS_BACKTRACE_INFORMATION is 0x8C or 0x0110 bytes in 32-bit and 64-bit Windows 10, respectively, in version 5.0 and higher. It is 0x4C bytes in earlier versions.
| Offset (x86) | Offset (x64) | Definition | Versions |
|---|---|---|---|
| 0x00 | 0x00 |
PSTR SymbolicBackTrace; |
all |
| 0x04 | 0x08 |
ULONG TraceCount; |
all |
| 0x08 | 0x0C |
USHORT Index; |
all |
| 0x0A | 0x0E |
USHORT Depth; |
all |
| 0x0C | 0x10 |
PVOID BackTrace [0x10]; |
3.10 to 4.0 |
PVOID BackTrace [0x20]; |
5.0 and higher |
The stack trace is the array of Depth return addresses that is captured as the BackTrace. It will have been captured at the allocation, creation or initialisation of some sort of resource. What is recorded with the resource is the Index of an RTL_STACK_TRACE_ENTRY within the Stack Trace Database See that even though this index as generated for the RTL_STACK_TRACE_ENTRY can be 32 bits in version 6.0 and higher, what shows of it in this RTL_PROCESS_BACKTRACE_INFORMATION is just the low 16 bits.