Geoff Chappell, Software Analyst
The KSPECIAL_REGISTERS (formally _KSPECIAL_REGISTERS) is a structure for recording processor state that is not ordinarily needed in a CONTEXT structure. It is necessarily highly specific to the processor architecture. Public symbols for the kernel starting with Windows 8 confirm that Microsoft defines the structure separately (in different headers) for different processors. This page concerns itself only with the KSPECIAL_REGISTERS in 64-bit Windows for the processor architecture that’s variously named amd64 or x64. The x86 KSPECIAL_REGISTERS is presented separately.
The KSPECIAL_REGISTERS is 0xD8 bytes before version 6.2 and is then 0xE0 bytes.
| Offset | Definition | Versions |
|---|---|---|
| 0x00 |
ULONG64 Cr0; |
all |
| 0x08 |
ULONG64 Cr2; |
all |
| 0x10 |
ULONG64 Cr3; |
all |
| 0x18 |
ULONG64 Cr4; |
all |
| 0x20 |
ULONG64 KernelDr0; |
all |
| 0x28 |
ULONG64 KernelDr1; |
all |
| 0x30 |
ULONG64 KernelDr2; |
all |
| 0x38 |
ULONG64 KernelDr3; |
all |
| 0x40 |
ULONG64 KernelDr6; |
all |
| 0x48 |
ULONG64 KernelDr7; |
all |
| 0x50 |
KDESCRIPTOR Gdtr; |
all |
| 0x60 |
KDESCRIPTOR Idtr; |
all |
| 0x70 |
USHORT Tr; |
all |
| 0x72 |
USHORT Ldtr; |
all |
| 0x74 |
ULONG MxCsr; |
all |
| 0x78 |
ULONG64 DebugControl; |
all |
| 0x80 |
ULONG64 LastBranchToRip; |
all |
| 0x88 |
ULONG64 LastBranchFromRip; |
all |
| 0x90 |
ULONG64 LastExceptionToRip; |
all |
| 0x98 |
ULONG64 LastExceptionFromRip; |
all |
| 0xA0 |
ULONG64 Cr8; |
all |
| 0xA8 |
ULONG64 MsrGsBase; |
all |
| 0xB0 |
ULONG64 MsrGsSwap; |
all |
| 0xB8 |
ULONG64 MsrStar; |
all |
| 0xC0 |
ULONG64 MsrLStar; |
all |
| 0xC8 |
ULONG64 MsrCStar; |
all |
| 0xD0 |
ULONG64 MsrSyscallMask; |
all |
| 0xD8 |
ULONG64 Xcr0; |
6.2 and higher |