KSTACK_COUNT

The KSTACK_COUNT union (formally _KSTACK_COUNT) was introduced for Windows 7. It has no known purpose outside the KPROCESS, which has one as its StackCount member. Earlier versions of the KPROCESS also have a StackCount, but as a USHORT starting with version 3.50 and then as a ULONG_PTR starting with version 5.2 SP1. The whole point to defining the KSTACK_COUNT was to rework the integral StackCount into bit fields: 

typedef union _KSTACK_COUNT {           // 6.1 only
    LONG volatile Value;
    struct {
        /*  bit fields, see below  */
    };
} KSTACK_COUNT;

Windows 8 shifts the volatility outside to StackCount as a KPROCESS member: 

typedef union _KSTACK_COUNT {           // 6.2 and higher
    LONG Value;
    struct {
        /*  bit fields, see below  */
    };
} KSTACK_COUNT;

Whatever these slight details of the packaging, the bit fields have been very nearly stable:

Mask Definition Versions Remarks
0x00000007 
ULONG volatile State : 3;
 6.1 only previously UCHAR at 0x66 and 0x96 
ULONG State : 3;
 6.2 and higher  
0xFFFFFFF8 
ULONG StackCount : 29;
 6.1 and higher previously ULONG_PTR at 0x6C and 0xA0

The State also has earlier history—as a UCHAR all the way back to version 3.10. For all practical effect, the KSTACK_COUNT does nothing but save one byte by narrowing the earlier one-byte State and four-byte StackCount members so that they fit into four bytes as bit fields. Anyway, the State takes its values from the KPROCESS_STATE enumeration.

This page was created on 8th October 2017 from material that was first published on 15th June 2016. It was last modified on 30th September 2022.

Copyright © 2016-2022. Geoff Chappell. All rights reserved. Conditions apply.