Geoff Chappell - Software Analyst
Windows XP brought some significant new debugging support to the problem of resource leakage for objects. Refinement for Windows Vista introduced two bit flags into the OBJECT_HEADER. At first, these were squeezed in to the QuotaInfoOffset (whose low bits must otherwise be clear). Windows 7 turned them into a second byte of flags. That these are named TraceFlags in Windows 7 is known from type information in public symbol files for that version’s kernel. Symbol files for the next version show that Windows 8 formalises the flags as a structure of UCHAR bit fields in union with the TraceFlags byte, which is retained for conveniently accessing multiple bits together:
| Mask | Definition | Versions |
|---|---|---|
| 0x01 |
UCHAR DbgRefTrace : 1; |
6.2 and higher |
| 0x02 |
UCHAR DbgTracePermanent : 1; |
6.2 and higher |
For Windows Vista and Windows 7, then, Microsoft’s programmers will have accessed the bits through macro definitions. These are known from public disclosure of NTOSP.H in the original and Version 1511 editions of the Windows Driver Kit (WDK) for Windows 10:
| Mask | Name | Versions |
|---|---|---|
| 0x01 | OB_OBJECT_REF_TRACE | 6.0 and higher |
| 0x02 | OB_OBJECT_TRACE_PERMANENT | 6.0 and higher |