SharedDataFlags in KUSER_SHARED_DATA

The KUSER_SHARED_DATA structure defines the layout of a data area that the kernel places at a pre-set address for sharing with user-mode software. Windows Vista introduced a set of ULONG bit fields in union with a SharedDataFlags member at offset 0x02F0. Not only have most subsequent versions added bits but Windows 8 redefined two of them.

ULONG DbgErrorPortPresent : 1;

ULONG DbgElevationEnabled : 1;

ULONG DbgVirtEnabled : 1;

ULONG DbgInstallerDetectEnabled : 1;

ULONG DbgSystemDllRelocated : 1;

ULONG DbgLkgEnabled : 1;

ULONG DbgDynProcessorEnabled : 1;

ULONG DbgSEHValidationEnabled : 1;

ULONG DbgConsoleBrokerEnabled : 1;

ULONG DbgSecureBootEnabled : 1;

ULONG DbgMultiSessionSku : 1;

ULONG DbgMultiUsersInSessionSku : 1;

ULONG DbgStateSeparationEnabled : 1;

ULONG SpareBits : 27;

ULONG SpareBits : 25;

ULONG SpareBits : 24;

ULONG SpareBits : 23;

ULONG SpareBits : 22;

ULONG SpareBits : 21;

A comment in the C-language definition of KUSER_SHARED_DATA from NTDDK.H says that these “are for the debugger only” and directs programmers to “Use the bit definitions instead.” These evaluate as:

• 0x00000001 as SHARED_GLOBAL_FLAGS_ERROR_PORT;
• 0x00000002 as SHARED_GLOBAL_FLAGS_ELEVATION_ENABLED;
• 0x00000004 as SHARED_GLOBAL_FLAGS_VIRT_ENABLED;
• 0x00000008 as SHARED_GLOBAL_FLAGS_INSTALLER_DETECT_ENABLED;
• 0x00000010 as SHARED_GLOBAL_FLAGS_SPARE (Windows 7 WDK);
• 0x00000010 as SHARED_GLOBAL_FLAGS_LKG_ENABLED;
• 0x00000020 as SHARED_GLOBAL_FLAGS_DYNAMIC_PROC_ENABLED;
• 0x00000040 as SHARED_GLOBAL_FLAGS_SEH_VALIDATION_ENABLED (Windows 7 WDK);
• 0x00000040 as SHARED_GLOBAL_FLAGS_CONSOLE_BROKER_ENABLED;
• 0x00000080 as SHARED_GLOBAL_FLAGS_SECURE_BOOT_ENABLED;
• 0x00000100 as SHARED_GLOBAL_FLAGS_MULTI_SESSION_SKU;
• 0x00000200 as SHARED_GLOBAL_FLAGS_MULTIUSERS_IN_SESSION_SKU;
• 0x00000400 as SHARED_GLOBAL_FLAGS_STATE_SEPARATION_ENABLED.

In the Windows Driver Kit (WDK) for Windows Vista, DbgSystemDllRelocated is defined as a bit field but with no corresponding macro.