Geoff Chappell - Software Analyst
The MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION structure (formally _MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION) is both input and output for the NtManagePartition function when given the information class SystemMemoryPartitionGetMemoryEvents (5).
The MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION structure was introduced for the 1703 release of Windows 10. It is 0x14 or 0x28 bytes in 32-bit and 64-bit Windows, respectively, at least to the 2004 edition of Windows 10.
Offset (x86) | Offset (x64) | Definition | Remarks |
---|---|---|---|
0x00 | 0x00 | union { struct { ULONG CommitEvents : 1; ULONG Spare : 31; }; ULONG AllFlags; } Flags; | input |
0x04 | 0x04 | ULONG HandleAttributes; | input |
0x08 | 0x08 | ULONG DesiredAccess; | input |
0x0C | 0x10 | HANDLE LowCommitCondition; | output |
0x10 | 0x18 | HANDLE HighCommitCondition; | output |
0x14 | 0x20 | HANDLE MaximumCommitCondition; | output |
The Flags on input must be exactly 1, i.e., with CommitEvents set and the Spare bits all clear. This apparently indicates that the caller seeks handles for the (three) commit events.
The valid bits for the HandleAttributes on input are 0x00011FF2 and 0x00001DF2 for kernel-mode and user-mode callers, respectively. Put another way, OBJ_KERNEL_HANDLE is not permitted for user-mode callers and the undocumented 0x00010000 bit is allowed only for kernel-mode callers.
The DesiredAccess on input is an access mask of the generic, standard and specific rights wanted for the opened events.
The LowCommitCondition, HighCommitCondition and MaximumCommitCondition receive handles to a selection of MemoryEvents from the target partition’s MI_PARTITION_CORE, specifically the three that are indexed by LowCommitEvent (6), HighCommitEvent (7) and MaximumCommitEvent (8).
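As an added illustration (not from the original page and not Microsoft's code), this C sketch restates the x64 column of the table and the documented input rules for Flags and HandleAttributes. The stand-in typedefs, the `MPMEI` alias, the result codes and the functions `check_input`, `kernel_only_bits` and `layout_matches_x64` are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Stand-ins for the Windows types so the sketch builds without the SDK. */
typedef uint32_t ULONG;
typedef void *HANDLE;

typedef struct _MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION {
    union {
        struct { ULONG CommitEvents : 1; ULONG Spare : 31; };
        ULONG AllFlags;
    } Flags;
    ULONG HandleAttributes;
    ULONG DesiredAccess;
    HANDLE LowCommitCondition;
    HANDLE HighCommitCondition;
    HANDLE MaximumCommitCondition;
} MPMEI; /* short alias, an assumption of this example */

/* Valid HandleAttributes bits as given on the page. */
#define ATTR_VALID_KERNEL 0x00011FF2u
#define ATTR_VALID_USER   0x00001DF2u

enum { INPUT_OK = 0, BAD_FLAGS = 1, BAD_ATTRIBUTES = 2 }; /* hypothetical result codes */

/* Apply the documented input rules; kernel_mode selects the caller's mask. */
int check_input(const MPMEI *info, int kernel_mode) {
    ULONG valid = kernel_mode ? ATTR_VALID_KERNEL : ATTR_VALID_USER;
    if (info->Flags.AllFlags != 1) return BAD_FLAGS;   /* CommitEvents set, Spare clear */
    if (info->HandleAttributes & ~valid) return BAD_ATTRIBUTES;
    return INPUT_OK;
}

/* Bits a kernel-mode caller may set that a user-mode caller may not. */
ULONG kernel_only_bits(void) { return ATTR_VALID_KERNEL & ~ATTR_VALID_USER; }

/* x64 column of the table: 1 if this build matches, 0 if not, -1 if pointers are not 8 bytes. */
int layout_matches_x64(void) {
    if (sizeof(void *) != 8) return -1;
    return offsetof(MPMEI, HandleAttributes) == 0x04 && offsetof(MPMEI, DesiredAccess) == 0x08
        && offsetof(MPMEI, LowCommitCondition) == 0x10 && offsetof(MPMEI, HighCommitCondition) == 0x18
        && offsetof(MPMEI, MaximumCommitCondition) == 0x20 && sizeof(MPMEI) == 0x28;
}

int main(void) {
    MPMEI info = { .Flags.AllFlags = 1, .HandleAttributes = 0x00000200 /* OBJ_KERNEL_HANDLE */ };
    printf("user=%d kernel=%d\n", check_input(&info, 0), check_input(&info, 1));
    return 0;
}
```

The difference between the two masks is exactly OBJ_KERNEL_HANDLE (0x00000200) plus the undocumented 0x00010000 bit, which is what `kernel_only_bits` returns.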