KTHREAD (6.2 and Higher)

The KTHREAD structure is the Kernel Core’s portion of the ETHREAD structure. The latter is the thread object as exposed through the Object Manager. The KTHREAD is the core of it.

Variability

The KTHREAD structure is plainly internal to the kernel and its layout varies greatly between Windows versions and even between builds. Indeed, it is the most highly variable of all significant kernel-mode structures—so much so that tracking its history looks to be imposisble on one page and is therefore spread over several:

• versions 3.10 to 3.50;
• versions 3.51 to 5.1;
• version 5.2 before SP1;
• versions 5.2 SP1 to 6.1;
• versions 6.2 and higher.

Though the KTHREAD does seem to have settled down since its last large-scale rearrangement for Windows 8, it still varies between versions, especially between successive half-yearly updates of Windows 10. Some sense of this variability can be gained just from the structure’s changing size.

Even with attention narrowed just to recent Windows versions, description of the KTHREAD is unusually complicated. Specially notable is the packing of small members into spare fields in other members. Some such reused fields are explicitly spare, as with several members of the KAPC structure. WDM.H even defines macros to ease the reference to these fields by their offsets. Other reuse is available only because of alignment padding, as with the last byte of the KAPC_STATE for 32-bit Windows. As if this weren’t messy enough by itself, the greater opportunity for this reuse in the 64-bit builds, whose wider pointers tend to create more alignment padding as a side-effect, allows that more than a few members are placed very differently in the 32-bit and 64-bit builds.

Layout

It is well known that the KTHREAD is a kernel object that can be waited on until it gets signalled, as happens when the thread ends its execution. In the DISPATCHER_HEADER at the beginning of a KTHREAD, the Type is ThreadObject (6) in the KOBJECTS enumeration. Ever since version 5.2, some other members of this DISPATCHER_HEADER are specific to the KTHREAD.

DISPATCHER_HEADER Header;

PVOID SListFaultAddress;

ULONGLONG QuantumTarget;

PVOID InitialStack;

PVOID volatile StackLimit;

PVOID StackBase;

KSPIN_LOCK ThreadLock;

ULONGLONG volatile CycleTime;

ULONG volatile HighCycleTime;

PVOID ServiceTable;

ULONG CurrentRunTime;

ULONG ExpectedRunTime;

PVOID KernelStack;

XSAVE_FORMAT *StateSaveArea;

KSCHEDULING_GROUP *SchedulingGroup;

KWAIT_STATUS_REGISTER WaitRegister;

BOOLEAN volatile Running;

BOOLEAN Alerted [2];

union {
    struct {
        /*  bit fields, follow link  */
    };
    LONG MiscFlags;
};

union {
    struct {
        /*  bit fields, follow link  */
    };
    LONG volatile ThreadFlags;
};

UCHAR volatile Tag;

UCHAR SystemHeteroCpuPolicy;

UCHAR UserHeteroCpuPolicy : 7;
UCHAR ExplicitSystemHeteroCpuPolicy : 1;

UCHAR Spare0;

union {
    struct {
        UCHAR RunningNonRetpolineCode : 1;
        UCHAR SpecCtrlSpare : 7;
    };
    UCHAR SpecCtrl;
};

ULONG SystemCallNumber;

ULONG Spare1;

ULONG ReadyTime;

PVOID FirstArgument;

KTRAP_FRAME *TrapFrame;

union {
    KAPC_STATE ApcState;
    /*  overlay, see below  */
};

Overlaying the ApcState is first some padding to get past the defined members of the KAPC_STATE to the space that’s left for alignment:

struct {
    UCHAR ApcStateFill [KAPC_STATE_ACTUAL_LENGTH];
    /*  5 bytes, see below  */
};

With this construction, the 64-bit builds squeeze five bytes into the end of the 0x30-byte ApcState. In 32-bit builds, only the first fits the 0x18-byte ApcState: the remaining four just follow as if they had been declared outside the union. Disregard the construction, and the members that are packed with the ApcState are:

CHAR Priority;

ULONG UserIdealProcessor;

The structures used for larger members of the KTHREAD tend to have more spare space in the 64-bit builds, whose wider pointers have a wider alignment requirement. There follow a few members that the 32-bit builds don’t treat to this packing game. The 64-bit builds pack them with the WaitBlock member (further into the structure).

ULONG ContextSwitches;

UCHAR volatile State;

CHAR NpxState;

CHAR Spare12;

KIRQL WaitIrql;

KPROCESSOR_MODE WaitMode;

LONG_PTR volatile WaitStatus;

KWAIT_BLOCK *WaitBlockList;

union {
    LIST_ENTRY WaitListEntry;
    SINGLE_LIST_ENTRY SwapListEntry;
};

KQUEUE * volatile Queue;

DISPATCHER_HEADER * volatile Queue;

Version 6.3 introduced a new type of queue object, and so Queue can point to either a KQUEUE (as for earlier versions) or to a KPRIQUEUE. Both can be waited on and therefore both begin with a DISPATCHER_HEADER.

PVOID Teb;

ULONGLONG RelativeTimerBias;

KTIMER Timer;

union {
    KWAIT_BLOCK WaitBlock [4];
    /*  overlay, see below  */
};

Overlaying the long-standing WaitBlock array are a succession of structures that each pad from the start of the array to spare or resuable members:

#ifdef _AMD64_                      // SpareLong exists only for x64
struct {
    UCHAR WaitBlockFill4 [FIELD_OFFSET (KWAIT_BLOCK, SpareLong)];
    /*  reclaimed 4 bytes, see below  */
};
struct {
    UCHAR WaitBlockFill5 [sizeof (KWAIT_BLOCK) + FIELD_OFFSET (KWAIT_BLOCK, SpareLong)];
    /*  reclaimed 4 bytes, see below  */
};
struct {
    UCHAR WaitBlockFill6 [2 * sizeof (KWAIT_BLOCK) + FIELD_OFFSET (KWAIT_BLOCK, SpareLong)];
    /*  reclaimed 4 bytes, see below  */
};
struct {
    UCHAR WaitBlockFill7 [3 * sizeof (KWAIT_BLOCK) + FIELD_OFFSET (KWAIT_BLOCK, SpareLong)];
    /*  reclaimed 4 bytes, see below  */
};
#endif
struct {
    UCHAR WaitBlockFill8 [FIELD_OFFSET (KWAIT_BLOCK, SparePtr)];
    /*  reclaimed 4 or 8 bytes, see below  */
};
struct {
    UCHAR WaitBlockFill9 [sizeof (KWAIT_BLOCK) + FIELD_OFFSET (KWAIT_BLOCK, SparePtr)];
    /*  reclaimed 4 or 8 bytes, see below  */
};
struct {
    UCHAR WaitBlockFill10 [2 * sizeof (KWAIT_BLOCK) + FIELD_OFFSET (KWAIT_BLOCK, SparePtr)];
    /*  reclaimed 4 or 8 bytes, see below  */
};
struct {
    UCHAR WaitBlockFill11 [3 * sizeof (KWAIT_BLOCK) + FIELD_OFFSET (KWAIT_BLOCK, Object)];
    /*  reclaimed 8 or 16 bytes, see below  */
;

The KWAIT_BLOCK structure changed for version 6.2. The x86 builds had an explicitly spare byte and the x64 builds had both this and an explicitly spare long. In version 6.2 and higher, both have an explicitly spare pointer and the x64 builds still have the spare long too. With the KTHREAD having four of these structures, packing members into these spares is certainly worthwhile, even if it’s beyond messy. Moroever, for the particular use that the KTHREAD makes of the last KWAIT_BLOCK in the array, the Object member is known to be irrelevant and is therefore also available for reuse.

Disregard all this scaffolding and here are the members that get squeezed in with the WaitBlock array:

ULONG ContextSwitches;

KTHREAD_COUNTERS *ThreadCounters;

UCHAR volatile State;

CHAR NpxState;

CHAR Spare13;

KIRQL WaitIrql;

KPROCESSOR_MODE WaitMode;

XSTATE_SAVE *XStateSave;

ULONG WaitTime;

PVOID volatile Win32Thread;

union {
    struct {
        SHORT KernelApcDisable;
        SHORT SpecialApcDisable;
    };
    ULONG CombinedApcDisable;
};

ULONG WaitTime;

UMS_CONTROL_BLOCK *Ucb;

KUMS_CONTEXT_HEADER *Uch;

Note that WaitTime is listed twice above. Because it is packed with the spare Object in 32-bit builds but the SpareLong in 64-bit builds, it is ordered differently with respect to Win32Thread. The union of members that count the depth of requests to disable APC delivery is another example that is packed into spare space in the x64 builds (above) but not in the x86 builds (immediately below):

union {
    struct {
        SHORT KernelApcDisable;
        SHORT SpecialApcDisable;
    };
    ULONG CombinedApcDisable;
};

union {
    LONG volatile ThreadFlags2;
    struct {
        /*  bit fields, follow link  */
    };
};

PVOID TebMappedLowVa;

PVOID Spare21;

ULONG Spare21;

LIST_ENTRY QueueListEntry;

ULONG volatile NextProcessor;

union {
    ULONG volatile NextProcessor;
    struct {
        ULONG NextProcessorNumber : 31;
        ULONG SharedReadyQueue : 1;
    };
};

ULONG volatile DeferredProcessor;

LONG QueuePriority;

KPROCESS *Process;

union {
    GROUP_AFFINITY volatile UserAffinity;
    /*  overlay, see below  */
};

Version 6.1, with its support for potentially many more processors, changed UserAffinity and Affinity from KAFFINITY to GROUP_AFFINITY. The latter has six bytes explicitly labelled as Reserved. Version 6.1 doesn’t pack anything into them, but version 6.2 goes all the way. Overlaying UserAffinity is:

struct {
    UCHAR UserAffinityFill [FIELD_OFFSET (GROUP_AFFINITY, Reserved)];
    /*  reclaimed 6 bytes, see below  */
};

Reclaimed from UserAffinity:

KPROCESSOR_MODE PreviousMode;

CHAR BasePriority;

union {
    CHAR PriorityDecrement;
    struct {
        UCHAR ForegroundBoost : 4;
        UCHAR UnusualBoost : 4;
    };
};

BOOLEAN Preempted;

UCHAR AdjustReason;

CHAR AdjustIncrement;

Insertion of the AffinityVersion for Windows 10 produces the first change of offset for any KTHREAD member since Windows 8.

ULONG_PTR AffinityVersion;

union {
    GROUP_AFFINITY volatile Affinity;
    /*  overlay, see below  */
};

Overlaying Affinity:

struct {
    UCHAR AffinityFill [FIELD_OFFSET (GROUP_AFFINITY, Reserved)];
    /*  reclaimed 6 bytes, see below  */
};

Reclaimed from Affinity:

UCHAR ApcStateIndex;

UCHAR WaitBlockCount;

ULONG IdealProcessor;

The KTHREAD keeps two KAPC_STATE structures, the second to support the KeStackAttachProcess function. From as far back as version 3.51, the KTHREAD has initialised its ApcStatePointer array with the addresses of these two structures and then left them there, unchanging, with the (8-bit) ApcStateIndex to select which pointer to use. This always was an extravagance for an implementation that’s supposedly so concerned about space that it fits small members into otherwise unused space in larger members. Windows 10 does away with it.

KAPC_STATE *ApcStatePointer [2];

ULONGLONG NpxState;

ULONG Spare15 [1];

See that Windows 10 inserts members with the effect, if not the intention, of restoring continuity of offsets for the second KAPC_STATE structure and beyond.

union {
    KAPC_STATE SavedApcState;
    /*  overlay, see below  */
};

Overlaying the SavedApcState:

struct {
    UCHAR SavedApcStateFill [KAPC_STATE_ACTUAL_LENGTH];
    /*  reclaimed, see below  */
};

Reclaimed from the SavedApcState:

UCHAR WaitReason;

CHAR SuspendCount;

CHAR Saturation;

USHORT SListFaultCount;

What had been the SuspendApc (previously at offsets 0x0194 and 0x0280) is renamed to SchedulerApc.

union {
    KAPC SchedulerApc;
    /*  overlay, see below  */
};

Overlaying the SchedulerApc:

 struct {
    UCHAR SchedulerApcFill0 [KAPC_OFFSET_TO_SPARE_BYTE0];
    /*  reclaimed byte, see below  */
};
struct {
    UCHAR SchedulerApcFill1 [KAPC_OFFSET_TO_SPARE_BYTE1];
    /*  reclaimed byte, see below  */
};
struct {
    UCHAR SchedulerApcFill2 [KAPC_OFFSET_TO_SPARE_LONG];
    /*  reclaimed four bytes, see below  */
};
struct {
    UCHAR SchedulerApcFill3 [KAPC_OFFSET_TO_SYSTEMARGUMENT1];
    /*  reclaimed 4 or 8 bytes, see below  */
};
struct {
    UCHAR SchedulerApcFill4 [KAPC_OFFSET_TO_SYSTEMARGUMENT2];
    /*  reclaimed 4 or 8 bytes, see below  */
};
struct {
    UCHAR SchedulerApcFill5 [KAPC_ACTUAL_LENGTH];
    /*  reclaimed 1 or 5 bytes, see below)  */
};

Whatever its name, its sprinkling of other members in spare space barely changes:

UCHAR ResourceIndex;

UCHAR QuantumReset;

ULONG KernelTime;

KPRCB * volatile WaitPrcb;

PVOID LegoData;

UCHAR CallbackNestingLevel;

ULONG UserTime;

That’s the end of the contrivances over packing members into space that’s left unused in other members.

KEVENT SuspendEvent;

LIST_ENTRY ThreadListEntry;

LIST_ENTRY MutantListHead;

SINGLE_LIST_ENTRY LockEntriesFreeList;

UCHAR AbEntrySummary;

UCHAR AbWaitEntryCount;

UCHAR AbAllocationRegionCount;

USHORT Spare20;

UCHAR Spare20;

CHAR SystemPriority;

ULONG SecureThreadCookie;

KLOCK_ENTRY LockEntries [6];

KLOCK_ENTRY *LockEntries;

SINGLE_LIST_ENTRY PropagateBoostsEntry;

SINGLE_LIST_ENTRY IoSelfBoostsEntry;

UCHAR PriorityFloorCounts [0x10];

UCHAR PriorityFloorCountsReserved [0x10];

ULONG PriorityFloorSummary;

LONG volatile AbCompletedIoBoostCount;

LONG volatile AbCompletedIoQosBoostCount;

SHORT volatile AbReferenceCount;

SHORT volatile KeReferenceCount;

UCHAR AbFreeEntryCount;

UCHAR AbOrphanedEntrySummary;

UCHAR AbWaitEntryCount;

UCHAR AbOwnedEntryCount;

ULONG ForegroundLossTime;

union {
    LIST_ENTRY GlobalForegroundListEntry;
    struct {
        SINGLE_LIST_ENTRY ForegroundDpcStackListEntry;
        ULONG InGlobalForegroundList;
    };
};

LONGLONG ReadOperationCount;

LONGLONG WriteOperationCount;

LONGLONG OtherOperationCount;

LONGLONG ReadTransferCount;

LONGLONG WriteTransferCount;

LONGLONG OtherTransferCount;

Appended for Windows 10

KSCB *QueuedScb;

ULONGLONG NpxState;

ULONG volatile ThreadTimerDelay;

LONG Spare22;

union {
    LONG volatile ThreadFlags2;
    struct {
        /*  bit fields, follow link  */
    };
};

union {
    LONG volatile ThreadFlags3;
    struct {
        /*  bit fields, follow link  */
    };
};

ULONGLONG TracingPrivate [1];

PVOID SchedulerAssist;

PVOID volatile AbWaitObject;

ULONG ReservedPreviouslyReadyTimeValue;

ULONGLONG KernelWaitTime;

ULONGLONG UserWaitTime;

union {
    LIST_ENTRY GlobalUpdateVpThreadPriorityListEntry;
    struct {
        SINGLE_LIST_ENTRY UpdateVpThreadPriorityDpcStackListEntry;
        ULONGLONG InGlobalUpdateVpThreadPriorityList;
    };
};

LONG SchedulerAssistPriorityFloor;

ULONG Spare28;

ULONG Spare29 [3];

ULONG_PTR EndPadding [5];