Geoff Chappell, Software Analyst
The KSPECIAL_REGISTERS (formally _KSPECIAL_REGISTERS) is a structure for recording processor state that is not ordinarily needed in a CONTEXT structure. It is necessarily highly specific to the processor architecture. Public symbols for the kernel starting with Windows 8 confirm that Microsoft defines the structure separately (in different headers) for different processors. This page concerns itself only with the KSPECIAL_REGISTERS in 32-bit Windows for the processor architecture that’s variously named i386 or x86. The x64 KSPECIAL_REGISTERS is presented separately.
The KSPECIAL_REGISTERS is 0x54 bytes in all known versions. Note that the structure contains a ULONG64 that does not have 8-byte alignment.
| Offset | Definition | Versions |
|---|---|---|
| 0x00 |
ULONG Cr0; |
all |
| 0x04 |
ULONG Cr2; |
all |
| 0x08 |
ULONG Cr3; |
all |
| 0x0C |
ULONG Cr4; |
all |
| 0x10 |
ULONG KernelDr0; |
all |
| 0x14 |
ULONG KernelDr1; |
all |
| 0x18 |
ULONG KernelDr2; |
all |
| 0x1C |
ULONG KernelDr3; |
all |
| 0x20 |
ULONG KernelDr6; |
all |
| 0x24 |
ULONG KernelDr7; |
all |
| 0x28 |
KDESCRIPTOR Gdtr; |
all |
| 0x30 |
KDESCRIPTOR Idtr; |
all |
| 0x38 |
USHORT Tr; |
all |
| 0x3A |
USHORT Ldtr; |
all |
| 0x3C |
ULONG64 Xcr0; |
all |
| 0x44 |
ULONG ExceptionList; |
all |
| 0x48 |
ULONG Reserved [3]; |
all |