Geoff Chappell - Software Analyst
From the very beginning of Windows, each process has a one-byte summary of its state. The KPROCESS keeps this as its State member. This is originally a self-standing UCHAR but Windows 7 truncated it to the low 3 bits, now as a UCHAR bit field still named State, of a KSTACK_COUNT named StackCount. However its packaged, it takes its values from the KPROCESS_STATE enumeration.
Microsoft does not document the KPROCESS_STATE but Microsoft’s names and values are known from public symbol files for the kernel, starting with Windows 7.
| Value | Name | Versions |
|---|---|---|
| 0x00 | ProcessInMemory | all |
| 0x01 | ProcessOutOfMemory | all |
| 0x02 | ProcessInTransition | all |
| 0x03 | ProcessOutTransition | 5.1 and higher |
| 0x04 | ProcessInSwap | 5.1 and higher |
| 0x05 | ProcessOutSwap | 5.1 and higher |
| 0x06 | ProcessRetryOutSwap | 10.0 and higher |
| 0x06 (6.1 to 6.3); 0x07 |
ProcessAllSwapStates | 6.1 and higher |