OBJECT_HEADER_PROCESS_INFO

The OBJECT_HEADER_PROCESS_INFO structure is one of several structures that may precede an OBJECT_HEADER in a memory block that contains an Object Manager object. Its one purpose is to tell which process, if any, has the exclusive use of the object. If the object is not created for exclusive access, then the OBJECT_HEADER_PROCESS_INFO is not needed and is not present.

To get exclusive use of an object, a process specifies the OBJ_EXCLUSIVE attribute among the Attributes in the OBJECT_ATTRIBUTES when creating the object. This has ancient support, but only in version 6.1 and higher is it recorded in the OBJECT_HEADER_PROCESS_INFO specifically. Versions 3.50 to 6.0 keep the information as a member of the OBJECT_HEADER_QUOTA_INFO. Version 3.10 has it in the OBJECT_CREATE_INFORMATION.

That an OBJECT_HEADER_PROCESS_INFO is present for a given object is indicated by a set 0x10 bit in the InfoMask in the OBJECT_HEADER. How far the one precedes the other depends on which other headers are present, which is in turn indicated by other bits in the InfoMask.

Layout

The OBJECT_PROCESS_CREATOR_INFO structure is 0x08 or 0x10 bytes in 32-bit and 64-bit Windows, respectively. Microsoft’s names and types are known from type information in public symbol files for the kernel in the applicable versions.

Offset (x86) Offset (x64) Definition Versions
0x00 0x00 
EPROCESS *ExclusiveProcess;
 6.1 and higher
0x04 0x08 
ULONG_PTR Reserved;
 6.1 and higher

This page was created on 17th June 2020 but was not published until 30th June 2020.

Copyright © 2020. Geoff Chappell. All rights reserved. Conditions apply.