Geoff Chappell - Software Analyst
An ISRDPCSTATS structure (formally _ISRDPCSTATS ) is nested within the KINTERRUPT structure as the latter’s IsrDpcStats member, starting with version 6.3. It is also what the KPRCB structure’s IsrDpcStats member, defined formally as pointing to void, actually points to.
The only use that is yet known to be made of the statistics that accumulate in an ISRDPCSTATS structure is for the (undocumented) -t switch of the debugger extension command !idt.
The ISRDPCSTATS structure is identical in both 32-bit and 64-bit Windows. It is 0x40 bytes originally, but grows to 0x60 bytes in the 2004 release of Windows 10. Offsets, types and Microsoft’s names are known from type information in public symbol files for the kernel:
| Offset | Definition | Versions |
|---|---|---|
| 0x00 |
ULONGLONG IsrTime; |
6.3 and higher |
| 0x08 |
ULONGLONG IsrTimeStart; |
6.3 and higher |
| 0x10 |
ULONGLONG IsrCount; |
6.3 and higher |
| 0x18 |
ULONGLONG DpcTime; |
6.3 and higher |
| 0x20 |
ULONGLONG DpcTimeStart; |
6.3 and higher |
| 0x28 |
ULONGLONG DpcCount; |
6.3 and higher |
| 0x30 |
BOOLEAN IsrActive; |
6.3 and higher |
| 0x31 |
UCHAR Reserved [15]; |
6.3 to 1903 |
UCHAR Reserved [7]; |
2004 and higher | |
| 0x38 |
ISRDPCSTATS_SEQUENCE DpcWatchdog; |
2004 and higher |
When the !idt command reports on an Interrupt Service Routine because the selected IDT entry has at least one KINTERRUPT, it presents four statistics for each KINTERRUPT but unhelpfully gives no heading to say what these statistics represent. The four are in the order: IsrCount, IsrTime, DpcCount and DpcTime.