Bit Field in the PEB

The build of version 5.2 for Windows Server 2003 SP1 defined bit fields in what had been a SpareBool at offset 0x03 in the PEB. A single byte, named BitField, overlays the bits.

Mask Definition Versions
0x01 
UCHAR ImageUsedLargePages : 1;
 late 5.2 and higher
0x02 
UCHAR IsProtectedProcess : 1;
 6.0 and higher
0x04 (6.0 to 6.2) 
UCHAR IsLegacyProcess : 1;
 6.0 to 6.2
0x08 (6.0 to 6.2);
0x04 
UCHAR IsImageDynamicallyRelocated : 1;
 6.0 and higher
0x10 (late 6.0 to 6.2);
0x08 
UCHAR SkipPatchingUser32Forwarders : 1;
 late 6.0 and higher
0x20 (6.2);
0x10 
UCHAR IsPackagedProcess : 1;
 6.2 and higher
0x40 (6.2);
0x20 
UCHAR IsAppContainer: 1;
 6.2 and higher
0x40 
UCHAR IsProtectedProcessLight : 1;
 6.3 and higher
0x80 
UCHAR IsLongPathAwareProcess : 1;
 1607 and higher
  
UCHAR SpareBits : 7;
 late 5.2 only 
UCHAR SpareBits : 4;
 early 6.0 only 
UCHAR SpareBits : 3;
 late 6.0 to 6.1 
UCHAR SpareBits : 1;
 6.2 to 1511

This page was created on 15th December 2016 from material first published on 29th April 2016. It was last modified on 5th September 2018.

Copyright © 2016-2018. Geoff Chappell. All rights reserved. Conditions apply.