Cross-Process Flags in the PEB

Windows Vista added a new set of bit fields to the PEB, reliably at offsets 0x28 and 0x50 in 32-bit and 64-bit Windows respectively. A single ULONG, named CrossProcessFlags, overlays the bits.

Mask Definition Versions
0x00000001 
ULONG ProcessInJob : 1;
 6.0 and higher
0x00000002 
ULONG ProcessInitializing : 1;
 6.0 and higher
0x00000004 
ULONG ProcessUsingVEH : 1;
 6.1 and higher
0x00000008 
ULONG ProcessUsingVCH : 1;
 6.1 and higher
0x00000010 
ULONG ProcessUsingFTH : 1;
 6.1 and higher
0x00000020 
ULONG ProcessPreviouslyThrottled : 1;
 1703 and higher
0x00000040 
ULONG ProcessCurrentlyThrottled : 1;
 1703 and higher
0x00000080 
ULONG ProcessImagesHotPatched : 1;
 1809 and higher
  
ULONG ReservedBits0 : 30;
 6.0 only 
ULONG ReservedBits0 : 27;
 6.1 to 1607 
ULONG ReservedBits0 : 25;
 1703 to 1803 
ULONG ReservedBits0 : 24;
 1809 and higher

This page was created on 15th December 2016 from material first published on 29th April 2016. It was last modified on 23rd October 2020.

Copyright © 2016-2020. Geoff Chappell. All rights reserved. Conditions apply.