KEXECUTE_OPTIONS

The KEXECUTE_OPTIONS structure (formally _KEXECUTE_OPTIONS, and actually a union in most versions) was introduced simultaneously for version 5.1 in Windows XP SP2 and version 5.2 in Windows Server 2003 SP1. It is here thought to have no purpose outside the KPROCESS. Indeed, it started as nothing but a simple structure of UCHAR bit fields: 

typedef struct _KEXECUTE_OPTIONS {      // late 5.2 to 6.0
    /*  bit fields, see below  */
} KEXECUTE_OPTIONS;

Within the KPROCESS, the KEXECUTE_OPTIONS were originally a member named Flags in union with a UCHAR named ExecuteOptions. Then Windows 7 wrapped the structure of bit fields and its integral overlay (now made volatile) into a union, and Windows 8 added another integral overlay (but without volatile): 

typedef union _KEXECUTE_OPTIONS {       // 6.1 and higher
    struct {
        /*  bit fields, see below  */
    };
    UCHAR volatile ExecuteOptions;
    UCHAR ExceptionOptionsNV;           // 6.2 and higher
} KEXECUTE_OPTIONS;

Either way, the bit fields themselves remain the same except that one was added for Windows Vista SP1:

Mask Definition Versions
0x01 
UCHAR ExecuteDisable : 1;
 late 5.1;
late 5.2 and higher
0x02 
UCHAR ExecuteEnable : 1;
 late 5.1;
late 5.2 and higher
0x04 
UCHAR DisableThunkEmulation : 1;
 late 5.1;
late 5.2 and higher
0x08 
UCHAR Permanent : 1;
 late 5.1;
late 5.2 and higher
0x10 
UCHAR ExecuteDispatchEnable : 1;
 late 5.1;
late 5.2 and higher
0x20 
UCHAR ImageDispatchEnable : 1;
 late 5.1;
late 5.2 and higher
0x40 
UCHAR DisableExceptionChainValidation : 1;
 late 6.0 and higher
  
UCHAR Spare : 2;
 late 5.1;
late 5.2 to early 6.0 
UCHAR Spare : 1;
 late 6.0 and higher

This page was created on 8th October 2017 from material that was first published on 15th June 2016. It was last modified on 30th September 2022.

Copyright © 2016-2022. Geoff Chappell. All rights reserved. Conditions apply.