Geoff Chappell - Software Analyst
The PEB got two sets of flags for Application Compatibility in Windows XP, one each apparently for kernel and user issues. The kernel set is named AppCompatFlags and is reliably at offsets 0x01D8 and 0x02C8 in 32-bit and 64-bit Windows, respectively. As a set, these flags are a ULARGE_INTEGER. Individual flags are defined by macros. Microsoft’s names for them therefore do not show in public symbol files and might have been unknown forever except that Microsoft published some in a header named APCOMPAT.H in the Enterprise edition of the Windows Driver Kit (WDK) for the original and 1511 releases of Windows 10.
| Mask | Name |
|---|---|
| 0x00000001 | KACF_OLDGETSHORTPATHNAME |
| 0x00000002 | KACF_VERSIONLIE_NOT_USED |
| 0x00000004 | not defined |
| 0x00000008 | KACF_GETDISKFREESPACE |
| 0x00000010 | not defined |
| 0x00000020 | KACF_FTMFROMCURRENTAPT |
| 0x00000040 | KACF_DISALLOWORBINDINGCHANGES |
| 0x00000080 | KACF_OLE32VALIDATEPTRS |
| 0x00000100 | KACF_DISABLECICERO |
| 0x00000200 | KACF_OLE32ENABLEASYNCDOCFILE |
| 0x00000400 | KACF_OLE32ENABLELEGACYEXCEPTIONHANDLING |
| 0x00000800 | KACF_RPCDISABLENDRCLIENTHARDENING |
| 0x00001000 | KACF_RPCDISABLENDRMAYBENULL_SIZEIS |
| 0x00002000 | KACF_DISABLEALLDDEHACK_NOT_USED |
| 0x00004000 | KACF_RPCDISABLENDR61_RANGE |
| 0x00008000 | KACF_RPC32ENABLELEGACYEXCEPTIONHANDLING |
| 0x00010000 | KACF_OLE32DOCFILEUSELEGACYNTFSFLAGS |
| 0x00020000 | KACF_RPCDISABLENDRCONSTIIDCHECK |
| 0x00040000 | KACF_USERDISABLEFORWARDERPATCH |
| 0x00080000 | not defined |
| 0x00100000 | KACF_OLE32DISABLENEW_WMPAINT_DISPATCH |
| 0x00200000 | KACF_ADDRESTRICTEDSIDINCOINITIALIZESECURITY |
| 0x00400000 | KACF_ALLOCDEBUGINFOFORCRITSECTIONS |
| 0x00800000 | KACF_OLEAUT32ENABLEUNSAFELOADTYPELIBRELATIVE |
| 0x01000000 | KACF_ALLOWMAXIMIZEDWINDOWGAMMA |
| 0x80000000 | KACF_DONOTADDTOCACHE |
That the AppCompatFlags represent kernel compatibility issues, as distinct from the issues that have the separate AppCompatFlagsUser member, looks to be entirely a user-mode distinction, as originally modelled by the separation of KERNEL32 and USER32. APPHELP loads them from the MASK attribute of a <FLAG> tag whose TYPE is KERNEL.