Geoff Chappell - Software Analyst
Reorganisation of the KTHREAD for the build of version 5.2 from Windows Server 2003 SP1, presumably in anticipation of 64-bit Windows, seems to have been very concerned about economy of space. A notable feature of that build is that it moves numerous small KTHREAD members into “spare” space in larger members. Perhaps as part of this exercise, this build also made bit fields of what had been two booleans. Later versions brought more booleans from the KTHREAD, and even a ULONG, and also moved bits to and from another set of flags.
The ThreadFlags member, which is an integral type for simultaneous access to all the bits described below, was first placed within the Timer member, using space that the KTIMER structure left undefined because of its 8-byte alignment in 64-bit builds. A reworking of the KTIMER for version 6.1 removed the saving and the ThreadFlags merely followed the Timer. Version 6.2 moved the ThreadFlags forward in the KTHREAD, and they have remained there since.
| Type | Version | Offset (x86) | Offset (x64) |
|---|---|---|---|
| LONG | late 5.2 and higher | 0xA0 | 0xF4 |
| LONG volatile | 6.0 | 0xB0 | 0xF4 |
| 6.1 | 0xB8 | 0x0100 | |
| 6.2 and higher | 0x5C | 0x78 |
Note that the ThreadFlags, as the integral type, are volatile in version 6.0 and higher. Versions 6.0 and 6.1 have the individual bit fields as volatile too.
| Mask | Definition | Versions | Remarks |
|---|---|---|---|
| 0x00000003 |
ULONG BamQosLevel : 2; |
1709 to 1903 | next as 8 bits in ThreadFlags3
(x86); next as 8 bits in ThreadFlags2 (x64) |
ULONG ThreadFlagsSpare : 2; |
2004 and higher | ||
| 0x00000001 (late 5.2 to 1703); 0x00000004 |
LONG AutoAlignment : 1; |
late 5.2 only | previously BOOLEAN |
ULONG AutoAlignment : 1; |
v. late 5.2 only | ||
ULONG volatile AutoAlignment : 1; |
6.0 to 6.1 | ||
ULONG AutoAlignment : 1; |
6.2 and higher | ||
| 0x00000002 (late 5.2 to 1703); 0x00000008 |
LONG DisableBoost : 1; |
late 5.2 only | previously BOOLEAN |
ULONG DisableBoost : 1; |
v. late 5.2 only | ||
ULONG volatile DisableBoost : 1; |
6.0 to 6.1 | ||
ULONG DisableBoost : 1; |
6.2 and higher | ||
| 0x00000004 (6.0 to 1703) |
ULONG volatile EtwStackTraceApc1Inserted : 1; |
6.0 to 6.1 | widened, see below |
ULONG UserAffinitySet : 1; |
6.2 to 6.3 | ||
ULONG ThreadFlagsSpare0 : 1; |
10.0 to 1607 | ||
ULONG BamEppImportant : 1; |
1703 only | ||
| 0x00000008 (6.0 to 1703); 0x00000010 |
ULONG volatile EtwStackTraceApc2Inserted : 1; |
6.0 to 6.1 | widened, see below |
ULONG AlertedByThreadId : 1; |
6.2 and higher | ||
| 0x00000010 (6.0) |
ULONG volatile CycleChargePending : 1; |
6.0 only | |
| 0x00000020 (6.0); 0x00000010 (6.1 to 1703); 0x00000020 |
ULONG volatile CalloutActive : 1; |
6.0 to 6.1 | previously BOOLEAN; next in MiscFlags |
ULONG QuantumDonation : 1; |
6.2 and higher | ||
| 0x00000040 (6.0); 0x00000020 (6.1) |
ULONG volatile ApcQueueable : 1; |
6.0 to 6.1 | previously BOOLEAN; next in MiscFlags |
| 0x00000080 (6.0); 0x00000040 (6.1); 0x00000020 (6.2 to 1703); 0x00000040 |
ULONG volatile EnableStackSwap : 1; |
6.0 to 6.1 | previously BOOLEAN |
ULONG EnableStackSwap : 1; |
6.2 and higher | ||
| 0x00000004 (v. late 5.2); 0x00000100 (6.0); 0x00000080 (6.1); 0x00000040 (6.2 to 1703); 0x00000080 |
ULONG GuiThread : 1; |
v. late 5.2 only | |
ULONG volatile GuiThread : 1; |
6.0 to 6.1 | ||
ULONG GuiThread : 1; |
6.2 and higher | ||
| 0x00000100 (6.1) |
ULONG volatile UmsPerformingSyscall : 1; |
6.1 only | next in MiscFlags |
| 0x00000080 (6.2 to 1703); 0x00000100 |
ULONG DisableQuantum : 1; |
6.2 and higher | |
| 0x00000100 (6.2 to 1703); 0x00000200 |
ULONG ChargeOnlyGroup : 1; |
6.2 only | |
ULONG ChargeOnlySchedulingGroup : 1; |
6.3 and higher | ||
| 0x00000200 (6.2 to 1703); 0x00000400 |
ULONG DeferPreemption : 1; |
6.2 and higher | |
| 0x00000400 (6.2 to 1703); 0x00000800 |
ULONG QueueDeferPreemption : 1; |
6.2 and higher | |
| 0x00000800 (6.2 to 1703); 0x00001000 |
ULONG ForceDeferSchedule : 1; |
6.2 and higher | previously in MiscFlags |
| 0x00001000 (6.2 to 1703); 0x00002000 |
ULONG ExplicitIdealProcessor : 1; |
6.2 only | |
ULONG SharedReadyQueueAffinity : 1; |
6.3 and higher | ||
| 0x00002000 (6.2 to 1703); 0x000040000 |
ULONG FreezeCount : 1; |
6.2 and higher | previously ULONG |
| 0x00004000 (6.3 to 1703); 0x00008000 |
ULONG TerminationApcRequest : 1; |
6.3 and higher | |
| 0x00008000 (6.3 to 1703); 0x00010000 |
ULONG AutoBoostEntriesExhausted : 1; |
6.3 and higher | |
| 0x00010000 (10.0 to 1703); 0x00020000 |
ULONG KernelStackResident : 1; |
10.0 and higher | previously in MiscFlags |
| 0x00020000 (10.0 to 1607); 0x00060000 (1703); 0x000C0000 |
ULONG CommitFailTerminateRequest : 1; |
10.0 to 1607 | |
ULONG TerminateRequestReason : 2; |
1703 and higher | ||
| 0x00040000 (10.0 to 1607); 0x00080000 (1703); 0x00100000 |
ULONG ProcessStackCountDecremented : 1; |
10.0 and higher | |
| 0x00080000 (1607); 0x00100000 (1703); 0x00200000 |
ULONG RestrictedGuiThread : 1; |
1607 and higher | |
| 0x00400000 |
ULONG VpBackingThread : 1; |
1709 and higher | |
ULONG ThreadFlagsSpare : 5; |
10.0 to 1511 | ||
ULONG ThreadFlagsSpare : 4; |
1607 only | ||
ULONG ThreadFlagsSpare : 3; |
1703 only | ||
ULONG ThreadFlagsSpare : 1; |
1709 to 1903 | ||
ULONG ThreadFlagsSpare2 : 1; |
2004 and higher | ||
| 0x003FC000 (6.2); 0x00FF0000 (6.3); 0xFF000000 |
ULONG EtwStackTraceApcInserted : 8; |
6.2 and higher | collected from two single bits, see above |
LONG ReservedFlags : 30; |
late 5.2 only | ||
ULONG ReservedFlags : 29; |
v. late 5.2 only | ||
ULONG volatile ReservedFlags : 23; |
6.0 to 6.1 | ||
ULONG ReservedFlags : 10; |
6.2 only | ||
ULONG ReservedFlags : 8; |
6.3 only |