OutputFlags in PS_CREATE_INFO

In a PS_CREATE_INFO structure on output from NtCreateUserProcess, the State member may be PsCreateSuccess (6). The remainder of the structure is then interpreted as the SuccessState branch of an unnamed union. Within the SuccessState is a set of flags in union with a ULONG named OutputFlags. The flags themselves are a mixture of UCHAR and USHORT bit fields.

Microsoft’s names and types in the following tabulation of these flags are known from a smattering of private symbol files that Microsoft included in packages of public symbol files starting with Windows 8.

Offset / Mask Definition Versions
0x00 / 0x01 
UCHAR ProtectedProcess : 1;
 6.0 and higher
0x00 / 0x02 
UCHAR AddressSpaceOverride : 1;
 6.0 and higher
0x00 / 0x04 
UCHAR DevOverrideEnabled : 1;
 6.0 and higher
0x00 / 0x08 
UCHAR ManifestDetected : 1;
 6.0 and higher
0x00 / 0x10 
UCHAR ProtectedProcessLight : 1;
 6.3 and higher
  
UCHAR SpareBits1 : 4;
 6.0 to 6.2 
UCHAR SpareBits1 : 3;
 6.3 and higher
  
UCHAR SpareBits2 : 8;
 6.0 and higher
  
USHORT SpareBits3 : 16;
 6.0 and higher

No use of the second byte or high word is known in any version.

This page was created on 3rd August 2022 from material first published on 23rd February 2019.

Copyright © 2019-2022. Geoff Chappell. All rights reserved. Conditions apply.