OBJECT_TYPE_INFORMATION

The OBJECT_TYPE_INFORMATION structure (formally _OBJECT_TYPE_INFORMATION) is what a successful call to ZwQueryObject or NtQueryObject produces at the start of its output buffer when given the information class ObjectTypeInformation (2). The information so obtained is about the type of whatever object is referenced by the Handle argument.

The structure is alternatively a recurring element in the output of a successful query for ObjectTypesInformation (3).

Documentation Status

The OBJECT_TYPE_INFORMATION structure is not documented. This is plainly very much by design. A PUBLIC_OBJECT_TYPE_INFORMATION is defined in WINTERNL.H from the Software Development Kit (SDK) and in NTIFS.H from the Windows Driver Kit (WDK). Even then, this availability doesn’t begin until the kits for Windows 7. This public definition—which does, remember, have a different name—provides only for the TypeName plus an array which is commented as being “reserved for internal use”.

Microsoft does publish the practical equivalent of a C-language definition as type information in a handful of private symbol files that Microsoft has included in packages of public symbol files, starting with Windows 8, and continues to make available through Microsoft’s public symbol server. These private symbol files are not for the kernel, where the structure is prepared, nor even for low-level user-mode DLLs that interpret the structure. They are instead for various higher-level user-mode DLLs such as URLMON.DLL. The latter is here singled out because of its origins in Internet Explorer and thence for the strong suggestion that Microsoft’s programmers of Internet Explorer had access to more details of low-level Windows programming than Microsoft publishes for wider use.

Type information for the structure has also seeped out at the other end of the Windows timeline, though not in symbol files but in statically linked libraries: GDISRVL.LIB from the Device Driver Kit (DDK) for Windows NT 3.51; and SHELL32.LIB from the DDK for Windows NT 4.0.

Layout

The OBJECT_TYPE_INFORMATION is 0x60 or 0x68 bytes in 32-bit and 64-bit Windows, respectively, in version 3.50 and higher. If the structure is defined for version 3.10, it has only the first member and is only eight bytes.

UNICODE_STRING TypeName;

ULONG TotalNumberOfObjects;

ULONG TotalNumberOfHandles;

ULONG TotalPagedPoolUsage;

ULONG TotalNonPagedPoolUsage;

ULONG TotalNamePoolUsage;

ULONG TotalHandleTableUsage;

ULONG HighWaterNumberOfObjects;

ULONG HighWaterNumberOfHandles;

ULONG HighWaterPagedPoolUsage;

ULONG HighWaterNonPagedPoolUsage;

ULONG HighWaterNamePoolUsage;

ULONG HighWaterHandleTableUsage;

ULONG InvalidAttributes;

GENERIC_MAPPING GenericMapping;

ULONG ValidAccessMask;

BOOLEAN SecurityRequired;

BOOLEAN MaintainHandleCount;

UCHAR TypeIndex;

ULONG PoolType;

ULONG DefaultPagedPoolCharge;

ULONG DefaultNonPagedPoolCharge;

The structure is followed by the object type’s name as a null-terminated string of Unicode characters. The size (in bytes, not counting the terminating null) and the address are respectively the Length and Buffer members of the TypeName.

For the ReturnLength argument of ZwQueryObject in version 3.50 and higher, the total size of the structure and name is rounded up for 4 or 8-byte alignment in 32-bit and 64-bit Windows, respectively. This anticipates that the structure and name may be just one description of an object type in a sequence of descriptions of all the object types. The OBJECT_TYPE_INFORMATION in each then has its natural alignment. There is a side-effect, however: the alignment is not allowed for when computing the TypeInfoSize in the OBJECT_BASIC_INFORMATION.