OBJECT_HEADER_AUDIT_INFO

The OBJECT_HEADER_AUDIT_INFO structure is one of several structures that may precede an OBJECT_HEADER in a memory block that contains an Object Manager object.

That an OBJECT_HEADER_AUDIT_INFO is present for a given object is indicated by a set 0x20 bit in the InfoMask in the OBJECT_HEADER. How far the one precedes the other depends on which other headers are present, which is in turn indicated by other bits in the InfoMask.

Layout

The OBJECT_HEADER_AUDIT_INFO structure is 0x08 or 0x10 bytes in 32-bit and 64-bit Windows, respectively. Microsoft’s names and types are known from type information in public symbol files for the kernel in the applicable versions.

Offset (x86)  Offset (x64)  Definition                 Versions
0x00          0x00          PVOID SecurityDescriptor;  6.2 and higher
0x04          0x08          ULONG_PTR Reserved;        6.2 and higher