OBJECT_HANDLE_COUNT_ENTRY

An OBJECT_HANDLE_COUNT_DATABASE for an object has one OBJECT_HANDLE_COUNT_ENTRY structure (formally _OBJECT_HANDLE_COUNT_ENTRY) for each process that has any open handle to the object. The entry tells how many handles the process has open. When only one process has any open handle to the object, keeping an OBJECT_HANDLE_COUNT_DATABASE is wasteful and the OBJECT_HANDLE_COUNT_ENTRY can instead be the whole of the OBJECT_HEADER_HANDLE_INFO.

Layout

The OBJECT_HANDLE_COUNT_ENTRY is 0x08 or 0x10 bytes in 32-bit and 64-bit Windows, respectively. Microsoft’s names and types are known from type information in public symbol files for the kernel, starting with Windows 2003 SP1. That these names apply at least as far back as version 4.0 is known with slightly less certainty from the output of the !dso command as implemented by the debugger extension USEREXTS.DLL from the Windows NT 4.0 Device Driver Kit (DDK).

Offset (x86) Offset (x64) Definition Versions
0x00 0x00 
EPROCESS *Process;
 all
0x04 0x08 
ULONG HandleCount;
 3.10 to 5.2 
struct {
    ULONG HandleCount : 24;
    ULONG LockCount : 8;
};
 6.0 and higher

This page was created on 23rd August 2022 from material first published on 30th June 2020. It was last modified on 31st August 2022.

Copyright © 2020-2022. Geoff Chappell. All rights reserved. Conditions apply.