PrcbPad11 in the KPRCB (amd64)

The 1703 release of Windows 10 rearranged the x64 KPRCB structure’s architecturally defined section. Moving the cache-aligned ProcessorState member from near to the start of this section to what was then its end created 0x10 bytes of otherwise unused alignment space immediately before this member’s new position. This was at first defined just as PrcbPad11. The reason to make a separate page of this is that although this padding is still defined just as PrcbPad11 in the KPRCB definitions in NTHAL.H and NTOSP.H, such as they are known from public symbols, it has been put to some moderately elaborate use in the full definition which those public symbols place in AMD64_X.H.

KPRCB Offset Definition Versions
0xF0 
ULONG64 PrcbPad11 [2];
 1703 to 1709;
1803 and higher (reduced) 
union {
    struct {
        /*  changing members, see below  */
    };
    ULONG64 PrcbPad11 [2];
};
 1803 and higher (full)

To be clear, all KPRCB definitions place PrcbPad11 at offset 0xF0 but the full definition in version 1803 and higher has this in union with a structure whose members have actual use:

KPRCB Offset Definition Versions
0xF0 
ULONG64 TrappedSecurityDomain;
 1803 and higher
0xF8 
union {
    USHORT BpbState;
    struct {
        USHORT BpbIbrsPresent : 1;              // 0x0001
        USHORT BpbStibpPresent : 1;             // 0x0002
        USHORT BpbSmepPresent : 1;              // 0x0004
        USHORT BpbSimulateSpecCtrl : 1;         // 0x0008
        USHORT BpbSimulateIbpb : 1;             // 0x0010
        USHORT BpbIbpbPresent : 1;              // 0x0020
        USHORT BpbCpuIdle : 1;                  // 0x0040
        USHORT BpbClearSpecCtrlOnIdle : 1;      // 0x0080
        USHORT BpbHTDisabled : 1;               // 0x0100
        USHORT BpbUserToUserOnly : 1;           // 0x0200
        USHORT BpbReserved : 6;
    };
};
 1803 only 
union {
    UCHAR BpbState;
    struct {
        UCHAR BpbCpuIdle : 1;                  // 0x01
        UCHAR BpbFlushRsbOnTrap : 1;           // 0x02
        UCHAR BpbIbpbOnReturn : 1;             // 0x04
        UCHAR BpbIbpbOnTrap : 1;               // 0x08
        UCHAR BpbIbpbOnRetpolineExit : 1;      // 0x10
        UCHAR BpbStateReserved : 3;
    };
};
 1809 and higher
0xF9 
union {
    UCHAR BpbFeatures;
    struct {
        UCHAR BpbClearOnIdle : 1;              // 0x01
        UCHAR BpbEnabled : 1;                  // 0x02
        UCHAR BpbSmep : 1;                     // 0x04
        UCHAR BpbFeaturesReserved : 5;
    };
};
 1809 and higher
0xFA 
UCHAR BpbSpecCtrlValue;
 1803 only 
UCHAR BpbCurrentSpecCtrl;
 1809 and higher
0xFB 
UCHAR BpbCtxSwapSetValue;
 1803 only 
UCHAR BpbKernelSpecCtrl;
 1809 and higher
0xFC 
UCHAR BpbPad [4];
 1803 only 
UCHAR BpbNmiSpecCtrl;
 1809 and higher
0xFD 
UCHAR BpbUserSpecCtrl;
 1809 and higher
0xFE 
SHORT volatile PairRegister;
 1809 and higher

This page was created on 2nd January 2021 from previously published material.

Copyright © 2018-2021. Geoff Chappell. All rights reserved. Conditions apply.