Geoff Chappell, Software Analyst
The KPROCESSOR_STATE (formally _KPROCESSOR_STATE) is a relatively simple aggregate of processor state that the kernel saves and restores before and after freezing a processor’s execution. Each of its components is necessarily highly specific to the processor architecture. Public symbols for the kernel starting with Windows 8 confirm that Microsoft defines the structure separately (in different headers) for different processors. This page concerns itself only with the KPROCESSOR_STATE in 64-bit Windows for the processor architecture that’s variously named amd64 or x64. The x86 KPROCESSOR_STATE is presented separately.
The KPROCESSOR_STATE is 0x05B0 bytes up to and including the 1607 release of Windows 10, but is 0x05C0 bytes in later versions because of cache-line alignment to 0x40 bytes.
| Offset | Definition | Versions |
|---|---|---|
| 0x00 |
KSPECIAL_REGISTERS SpecialRegisters; |
all |
| 0xE0 |
CONTEXT ContextFrame; |
all |
Versions before 6.2 have eight bytes of unused alignment space between the two members, the KSPECIAL_REGISTERS being only 0xD8 bytes, the (x64) CONTEXT having 16-byte alignment.