Geoff Chappell - Software Analyst
The SILOOBJECT_BASIC_INFORMATION structure is what a successful call to ZwQueryInformationJobObject or NtQueryInformationJobObject produces in its output buffer when given the information class JobObjectSiloBasicInformation (0x24).
The SILOOBJECT_BASIC_INFORMATION is not documented but Microsoft publishes a C-language definition in the WINNT.H for each edition of Windows 10. Beware that these published definitions for each version do not hint that the structure was ever defined differently for earlier versions.
Though the SILOOBJECT_BASIC_INFORMATION is used for output through an API to both kernel-mode and user-mode callers, it varied while Microsoft’s implementation of silos was yet to settle:
| Version | Size (x86) | Size (x64) |
|---|---|---|
| 10.0 | 0x14 | 0x20 |
| 1511 | 0x2C | 0x2C |
| 1607 to 2004 | 0x10 | 0x10 |
Except for the original Windows 10, the structure is not just the same size in 32-bit and 64-bit Windows but is identical internally.
These sizes, and the offsets, types and names in the tables that follow, are from Microsoft’s C-language definitions in WINNT.H.
| Offset (x86) | Offset (x64) | Definition | Versions |
|---|---|---|---|
| 0x00 | 0x00 |
HANDLE SiloIdNumber; |
10.0 only |
GUID SiloIdNumber; |
1511 only | ||
DWORD SiloId; |
1607 and higher | ||
| 0x04 (10.0); 0x10 (1511); 0x04 |
0x08 (10.0); 0x10 (1511); 0x04 |
HANDLE SiloParentIdNumber; |
10.0 only |
GUID SiloParentIdNumber; |
1511 only | ||
DWORD SiloParentId; |
1607 and higher | ||
| 0x08 (10.0); 0x20 (1511); 0x08 |
0x10 (10.0); 0x20 (1511); 0x08 |
DWORD NumberOfProcesses; |
10.0 and higher |
| 0x0C (10.0); 0x24 (1511) |
0x14 (10.0); 0x24 (1511) |
DWORD NumberOfChildSilos; |
10.0 to 1511 |
| 0x10 (10.0); 0x28 (1511); 0x0C |
0x18 (10.0); 0x28 (1511); 0x0C |
BOOLEAN IsInServerSilo; |
10.0 and higher |
| 0x0D | 0x0D |
BYTE Reserved [3]; |
1607 and higher |
The nature of the silo identifier changed through the early versions while the silo implementation was still in flux. Originally, the identifier is allocated from a handle table and is retrieved from the ESILO. Version 1511 instead retrieves the ContainerId from the EJOB. What Microsoft settled on for Version 1607 is the 32-bit JobId.