Geoff Chappell - Software Analyst
Windows Vista started a new series of bit fields in the KTHREAD, presumably to complement the slightly older Thread Flags. Several had been BOOLEAN members of the KTHREAD. Curiously, some of the bit fields that started as Miscellaneous Flags have moved to the Thread Flags, and vice versa.
The MiscFlags member, which is a LONG for simultaneous access to all the bits described below, has moved around a little within the KTHREAD:
| Version | Offset (x86) | Offset (x64) |
|---|---|---|
| early 6.0 (before SP1); late 6.0 (SP1 and higher) |
0x68 | 0x90 |
| 6.1 | 0x3C | 0x4C |
| 6.2 and higher | 0x58 | 0x74 |
Early and late builds of version 6.0 are distinguished above because even though the MiscFlags don’t move between the builds, one new bit gets defined.
| Mask | Definition | Versions | Remarks |
|---|---|---|---|
| 0x00000001 |
ULONG KernelStackResident : 1; |
6.0 to 6.3 | previously as BOOLEAN; next in ThreadFlags |
ULONG AutoBoostActive : 1; |
10.0 and higher | ||
| 0x00000002 |
ULONG ReadyTransition : 1; |
6.0 and higher | |
| 0x00000004 |
ULONG ProcessReadyQueue : 1; |
6.0 to 6.3 | previously as BOOLEAN |
| 0x00000008 (6.0 to 6.3); 0x00000004 |
ULONG WaitNext : 1; |
6.0 and higher | previously as BOOLEAN |
| 0x00000010 (6.0 to 6.3); 0x00000008 |
ULONG SystemAffinityActive : 1; |
6.0 and higher | previously as BOOLEAN |
| 0x00000020 (6.0 to 6.3); 0x00000010 |
ULONG Alertable : 1; |
6.0 and higher | previously as BOOLEAN |
| 0x00000040 |
ULONG GdiFlushActive : 1; |
6.0 to 6.1 | |
ULONG CodePatchInProgress : 1; |
6.2 only | previously as BOOLEAN | |
| 0x00000080 (late 6.0 to 6.2); 0x00000040 (6.3); 0x00000020 |
ULONG UserStackWalkActive : 1; |
late 6.0 and higher | |
| 0x00000100 (6.1 to 6.2); 0x00000080 (6.3); 0x00000040 |
ULONG ApcInterruptRequest : 1; |
6.1 and higher | |
| 0x00000200 (6.1) |
ULONG ForceDeferSchedule : 1; |
6.1 only | next in ThreadFlags |
| 0x00000400 (6.1); 0x00000200 (6.2); 0x00000100 (6.3); 0x00000080 |
ULONG QuantumEndMigrate : 1; |
6.1 and higher | |
| 0x00000800 (6.1); 0x00000400 (6.2); 0x00000200 (6.3); 0x00000100 |
ULONG UmsDirectedSwitchEnable : 1; |
6.1 and higher | |
| 0x00001000 (6.1); 0x00000800 (6.2); 0x00000400 (6.3); 0x00000200 |
ULONG TimerActive : 1; |
6.1 and higher | |
| 0x00001000 (6.2); 0x00000800 (6.3); 0x00000400 |
ULONG SystemThread : 1; |
6.2 and higher | |
| 0x00002000 (6.2); 0x00001000 (6.3); 0x00000800 |
ULONG ProcessDetachActive : 1; |
6.2 and higher | |
| 0x00004000 (6.2); 0x00002000 (6.3); 0x00001000 |
ULONG CalloutActive : 1; |
6.2 and higher | previously in ThreadFlags |
| 0x00008000 (6.2); 0x00004000 (6.3); 0x00002000 |
ULONG ScbReadyQueue : 1; |
6.2 and higher | |
| 0x00010000 (6.2); 0x00008000 (6.3); 0x00004000 |
ULONG ApcQueueable : 1; |
6.2 and higher | previously in ThreadFlags |
| 0x00020000 (6.2); 0x00010000 (6.3); 0x00008000 |
ULONG ReservedStackInUse : 1; |
6.2 and higher | |
| 0x00040000 (6.2); 0x00020000 (6.3); 0x00010000 |
ULONG UmsPerformingSyscall : 1; |
6.2 and higher | previously in ThreadFlags |
| 0x00040000 (6.3); 0x00020000 |
ULONG ApcPendingReload : 1; |
6.3 only | |
ULONG TimerSuspended : 1; |
10.0 and higher | ||
| 0x00040000 |
ULONG SuspendedWaitMode : 1; |
10.0 and higher | |
| 0x00080000 |
ULONG SuspendApcSchedulerWait : 1; |
10.0 and higher | |
| 0x00100000 |
ULONG CetShadowStack : 1; |
1809 only | |
ULONG CetUserShadowStack : 1; |
1903 and higher | ||
| 0x00200000 |
ULONG BypassProcessFreeze : 1; |
1903 and higher | |
ULONG Reserved : 25; |
early 6.0 only | ||
ULONG Reserved : 24; |
late 6.0 only | ||
ULONG Reserved : 19; |
6.1 only | ||
ULONG Reserved : 13; |
6.2 to 6.3 | ||
ULONG Reserved : 12; |
10.0 to 1803 | ||
ULONG Reserved : 11; |
1809 only | ||
ULONG Reserved : 10; |
1903 and higher |