PrcbPad12a in the KPRCB (amd64)

The 1703 release of Windows 10 rearranged the x64 KPRCB structure’s architecturally defined section. Moving the cache-aligned ProcessorState member from near the start of this section to what was then its end created a gap of 0x30 bytes immediately after this member’s new position, to meet the peculiar alignment requirement of the LockQueue that starts the non-architectural section. This space was at first defined as PrcbPad12 at offset 0x06C0. It started getting used in the 1803 release, at which time some odd things happened—odd enough to make a separate page about it.

Ordinarily, when padding gets brought into actual use, it shifts and shrinks until it’s all used. For this padding, however, the different KPRCB definitions show different use. The necessary background is that the kernel and some few other modules have the full definition from AMD64_X.H, but most other modules for which the public symbol files have any type information for the KPRCB have it for only a reduced definition from NTHAL.H or NTOSP.H. Of these three headers, only NTOSP.H is known to have ever been published, and only then for the original and 1511 releases of Windows 10.

By the 1809 release of Windows 10, eight bytes of what had been PrcbPad12 are carved out for use, but the reduced KPRCB definition shows them only as PrcbPad12a:

KPRCB Offset Definition Versions
0x06D0
ULONG64 PrcbPad12a;
1809 and higher (reduced)
union {
    struct {
        /*  meaningful members, see below  */
    };
    ULONG64 PrcbPad12a;
};
1809 and higher (full)

The full definition has PrcbPad12a in union with meaningful members:

KPRCB Offset Definition Versions
0x06D0
UCHAR BpbRetpolineExitSpecCtrl;
1809 and higher
0x06D1
UCHAR BpbTrappedRetpolineExitSpecCtrl;
1809 and higher
0x06D2
union {
    UCHAR BpbTrappedBpbState;
    struct {
        UCHAR BpbTrappedCpuIdle : 1;               // 0x01
        UCHAR BpbTrappedFlushRsbOnTrap : 1;        // 0x02
        UCHAR BpbTrappedIbpbOnReturn : 1;          // 0x04
        UCHAR BpbTrappedIbpbOnTrap : 1;            // 0x08
        UCHAR BpbTrappedIbpbOnRetpolineExit : 1;   // 0x10
        UCHAR BpbtrappedBpbStateReserved : 3;
    };
};
1809 and higher
0x06D3
union {
    UCHAR BpbRetpolineState;
    struct {
        UCHAR BpbRunningNonRetpolineCode : 1;      // 0x01
        UCHAR BpbIndirectCallsSafe : 1;            // 0x02
        UCHAR BpbRetpolineEnabled : 1;             // 0x04
        UCHAR BpbRetpolineStateReserved : 5;
    };
};
1809 and higher
0x06D4
ULONG PrcbPad12b;
1809 and higher
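As an added illustration (not code from Microsoft’s headers or from this page), the following C models the eight bytes at offset 0x06D0 as the full definition lays them out, so that the single ULONG64 which a reduced-symbol debugger shows as PrcbPad12a can be reinterpreted as the named members; the type name PRCB_PAD12A, the helper functions and the sample value are all assumptions made here, and the model assumes a little-endian x64 build.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The eight bytes at KPRCB offset 0x06D0 (1809 and higher), modelled from the
 * tables above. Offsets are relative to PrcbPad12a, not to the KPRCB. */
typedef union {
    struct {
        uint8_t  BpbRetpolineExitSpecCtrl;          /* +0x00 */
        uint8_t  BpbTrappedRetpolineExitSpecCtrl;   /* +0x01 */
        uint8_t  BpbTrappedBpbState;                /* +0x02, bit flags below */
        uint8_t  BpbRetpolineState;                 /* +0x03, bit flags below */
        uint32_t PrcbPad12b;                        /* +0x04 */
    };
    uint64_t PrcbPad12a;   /* all that the reduced (NTHAL.H / NTOSP.H) definition shows */
} PRCB_PAD12A;

static_assert(sizeof(PRCB_PAD12A) == 8, "union must stay eight bytes");
static_assert(offsetof(PRCB_PAD12A, BpbRetpolineState) == 3, "byte 3");
static_assert(offsetof(PRCB_PAD12A, PrcbPad12b) == 4, "PrcbPad12b at +4");

/* Flag values taken from the bit-field comments in the full definition. */
enum { BpbTrappedCpuIdle = 0x01, BpbTrappedFlushRsbOnTrap = 0x02,
       BpbTrappedIbpbOnReturn = 0x04, BpbTrappedIbpbOnTrap = 0x08,
       BpbTrappedIbpbOnRetpolineExit = 0x10 };
enum { BpbRunningNonRetpolineCode = 0x01, BpbIndirectCallsSafe = 0x02,
       BpbRetpolineEnabled = 0x04 };

/* Reinterpret the ULONG64 a reduced-symbol debugger shows as the full members. */
static PRCB_PAD12A pad12a_from_ulong64(uint64_t raw) {
    PRCB_PAD12A p;
    p.PrcbPad12a = raw;   /* little-endian: byte 0 is the low-order byte */
    return p;
}

static int pad12a_retpoline_enabled(uint64_t raw) {
    return (pad12a_from_ulong64(raw).BpbRetpolineState & BpbRetpolineEnabled) != 0;
}

static int pad12a_trapped_flags(uint64_t raw) {
    return pad12a_from_ulong64(raw).BpbTrappedBpbState & 0x1F;  /* drop reserved bits */
}

int main(void) {
    uint64_t raw = 0x0000000004030201ULL;   /* constructed sample, not from a real machine */
    PRCB_PAD12A p = pad12a_from_ulong64(raw);
    printf("SpecCtrl=%02x TrappedSpecCtrl=%02x TrappedState=%02x RetpolineState=%02x Pad12b=%08x\n",
           p.BpbRetpolineExitSpecCtrl, p.BpbTrappedRetpolineExitSpecCtrl,
           p.BpbTrappedBpbState, p.BpbRetpolineState, p.PrcbPad12b);
    return 0;
}
```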