InitFlags in PS_CREATE_INFO

In a PS_CREATE_INFO structure as input to NtCreateUserProcess, the State member is necessarily PsCreateInitialState (0) and the remainder of the structure is interpreted as the InitState branch of an unnamed union. Within the InitState is a set of flags in union with a ULONG named InitFlags. The flags themselves are a mixture of UCHAR and USHORT bit fields.

Microsoft’s names and types in the following tabulation of these flags are known from a smattering of private symbol files that Microsoft included in packages of public symbol files starting with Windows 8.

Offset / Mask	Definition	Versions
0x00 / 0x01	UCHAR WriteOutputOnExit : 1;	6.0 and higher
0x00 / 0x02	UCHAR DetectManifest : 1;	6.0 and higher
0x00 / 0x04	UCHAR IFEOSkipDebugger : 1;	6.2 and higher
0x00 / 0x08	UCHAR IFEODoNotPropagateKeyState : 1;	6.2 and higher
	UCHAR SpareBits1 : 6;	6.0 to 6.1
	UCHAR SpareBits1 : 4;	6.2 and higher
0x01 / 0x03 (6.0 to 6.1)	UCHAR IFEOKeyState : 2;	6.0 to 6.1
	UCHAR SpareBits2 : 6;	6.0 to 6.1
	UCHAR SpareBits2 : 8;	6.2 and higher
0x02 / 0xFFFF	USHORT ProhibitedImageCharacteristics : 16;	6.0 and higher

For the two-bit IFEOKeyState in the second byte, the value 3 is explicitly invalid. The cases 0, 1 and 2 were later separated into combinations of new bits in the first byte:

0 becomes that neither of IFEOSkipDebugger and IFEODoNotPropagateKeyState is set;
1 becomes that only IFEOSkipDebugger is set;
2 becomes that both are set.

This reworking of the two-bit field for Windows 8 created the oddity that the second byte has all eight bits explicitly spare.