DebugActive

For Thread objects, a boolean DebugActive is defined at offset 0x03 in the DISPATCHER_HEADER from as far back as Windows Server 2003, having previously been deeper into the KTHREAD. Windows 7 made bit fields of it, though later versions have kept them only for the x64 builds:

Mask Definition Versions (x86) Versions (x64)
0x01 
BOOLEAN ActiveDR7 : 1;
 6.1 only 6.1 and higher
0x02 
BOOLEAN Instrumented : 1;
 6.1 only 6.1 and higher
0x04 
BOOLEAN Minimal : 1;
   6.3 and higher
0x08 
BOOLEAN AltSysCall : 1;
   2004 and higher
  
BOOLEAN Reserved2 : 4;
 6.1 only 6.1 to 6.2 
BOOLEAN Reserved : 3;
   6.3 only 
BOOLEAN Reserved4 : 3;
   10.0 to 1903 
BOOLEAN Reserved4 : 2;
   2004 and higher
0x40 
BOOLEAN UmsScheduled : 1;
 6.1 only
6.1 and higher
0x80 
BOOLEAN UmsPrimary : 1;
 6.1 only
6.1 and higher

This page was created on 7th October 2017 from material that was first published on 20th June 2016. It was last modified on 9th October 2022.

Copyright © 2016-2022. Geoff Chappell. All rights reserved. Conditions apply.