Geoff Chappell - Software Analyst
The KPRCBFLAG union (formally _KPRCBFLAG) is thought to be used only as the PrcbFlags member of a KPRCB. For all practical effect, this member is a set of bit fields that were introduced for the 1803 edition of Windows 10. Typical practice for structures other than the KPRCB might have left them as an unnamed structure of bit fields in an unnamed union with PrcbFlags as an integer for accessing all the bits together. The KPRCB does have examples of this, but the KPRCB has the complication of being so specific to the processor architecture that Microsoft keeps separate definitions of the x86 KPRCB and x64 KPRCB in separate headers (known from symbol files to be i386_x.h and amd64_x.h). Typical practice, then, would require two definitions of the bit fields. Whether someone actually did think that the bit fields are to be the same for all architectures and might better be defined in just one place (ntosdef.h) is not known, but it would be reason enough to package the bit fields into a named union:
typedef union _KPRCBFLAG {
LONG volatile PrcbFlags;
struct {
/* changing members, see below */
};
} KPRCBFLAG;
Though much of the point to naming the union would go away if the bit fields differ in the x86 and x64 builds, it’s not strictly necessary that they be defined identically, but so far they are:
| Mask | Definition | Versions |
|---|---|---|
| 0x00000003 (1803 to 1903); 0x000000FF |
ULONG BamQosLevel : 2; |
1803 to 1903 |
ULONG BamQosLevel : 8; |
2004 and higher | |
| 0x0000000C (1803 to 1903); 0x00000300 |
ULONG PendingQosUpdate : 2; |
1803 and higher |
| 0x00000010 (1803 to 1903); 0x00000400 |
ULONG CacheIsolationEnabled : 1; |
1803 and higher |
| 0x00000800 |
ULONG TracepointActive : 1; |
2004 and higher |
ULONG PrcbFlagsReserved : 27; |
1803 to 1903 | |
ULONG PrcbFlagsReserved : 20; |
2004 and higher |
The BamQosLevel and PendingQosUpdate have earlier history in the x64 KPRCB as bit fields in union with a member named BamFlags.