Geoff Chappell - Software Analyst
The EJOB structure (formally _EJOB) is the kernel’s representation of a job object. For instance, if the ObReferenceObjectByHandle function successfully resolves a handle though directed to do so only if the object type is PsJobObject, then what the function produces as its pointer to the object is a pointer to an EJOB structure.
A job is a collection of processes that act with some common purpose. There is no particular definition of the purpose or even of how the processes act together, just that there be enough commonality that the processes are usefully managed collectively.
Jobs were arguably a little obscure until some of the features that had been developed for managing them as a collection of processes came to attention as being useful for security. Various restrictions that might be desired for a process but which cannot be applied directly to a process can instead be applied indirectly by putting the process into a suitably configured job, even if the job only ever has the one process.
Windows 10 brought new use to the job to support containers of the sort that Microsoft calls silos. It does not seem to have got much attention at first, but the original Windows 10 has a separate ESILO structure for a silo object. The connection with jobs is that the only way to create a silo object is through the JobObjectCreateSilo information class of the NtSetInformationJobObject function. This sets the created silo into the given job as the latter’s Container. That containers and silos were tightly integrated with jobs was therefore plain enough from the start (if only to those who look beyond what Microsoft documents). A heavy reworking of both the implementation and its interface (even of exported functions) as soon as Version 1511 kept something very like the ESILO but no longer as an object and now renamed as a SILO_CONTEXT. In this version, a silo object is already a job object but specifically one that has a SILO_CONTEXT. Further reworking for Version 1607 merged the SILO_CONTEXT into the EJOB. Ever since, a silo is a special type of job, distinguished by a set Silo bit in the JobFlags. The JobObjectCreateSilo information class now turns the given job into a silo. Call a function such as PsGetProcessSilo and what you get back nowadays is a pointer to an EJOB. It’s not fanciful that many security researchers are most familiar with the EJOB not directly from looking at processes in jobs but from their studies of breaking out of silos.
The EJOB is not documented. Before Windows 10, no header from a Device Driver Kit (DDK) or Windows Driver Kit (WDK) even declares the EJOB as an opaque type. This had to wait for NTOSP.H in the “minwin” subdirectory of headers in early editions of the WDK for Windows 10, specifically for the original release and for Version 1511. Since this subdirectory is in turn in a subdirectory named “um”, as if for user-mode programming, this header’s publication was presumably an oversight (which is not known to have been repeated). The reworking of silos as jobs for Version 1607 brought with it that NTDDK.H now defines both PEJOB and PESILO as pointers to an opaque _EJOB.
The EJOB exists only in kernel-mode memory. User-mode software has only indirect access through handles. Kernel-mode software has direct access through several undocumented kernel exports. For instance, PsGetProcessJob returns a pointer to the EJOB, if any, for the given EPROCESS. It seems a fair bet that even this kernel-mode software is supposed to treat the structure as opaque.
Inasmuch as the EJOB is internal to the kernel, it is free to vary widely between versions and even between builds. That said, its development over two decades has been relatively orderly. There have been insertions and deletions, and even a few rearrangements, but not nearly as many as for other Process Structure structures that are similarly internal and similarly sized. New members tend to be appended.
Versions | Size (x86) | Size (x64) |
---|---|---|
5.0 | 0x0170 | |
5.1 to 5.2 | 0x0180 | 0x0220 |
6.0 | 0x0128 | 0x01B0 |
6.1 | 0x0138 | 0x01C8 |
6.2 | 0x02B8 | 0x04A8 |
6.3 | 0x02C0 | 0x04B0 |
10.0 to 1511 | 0x02F8 | 0x0528 |
1607 | 0x0358 | 0x05C8 |
1703 | 0x0398 | 0x0610 |
1709 to 1903 | 0x03A0 | 0x0620 |
2004 | 0x03C0 | 0x0640 |
These sizes, and the offsets, types and names in the table below, are from Microsoft’s public symbol files for the kernel starting with Windows 2000 SP3. The structure is not known to differ between the original Windows 2000 and the later service packs that have type information in the public symbol files. See anyway that the !strct and !dso commands of debugger extensions from the Windows 2000 DDK both list the EJOB with something like the certainty of the missing type information.
Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
---|---|---|---|---|
0x00 | 0x00 | KEVENT Event; | 5.0 and higher | |
0x10 | 0x18 | LIST_ENTRY JobLinks; | 5.0 and higher | |
0x18 | 0x28 | LIST_ENTRY ProcessListHead; | 5.0 and higher | |
0x20 | 0x38 | ERESOURCE JobLock; | 5.0 and higher | |
0x58 | 0xA0 | LARGE_INTEGER TotalUserTime; | 5.0 and higher | |
0x60 | 0xA8 | LARGE_INTEGER TotalKernelTime; | 5.0 and higher | |
0x68 | 0xB0 | LARGE_INTEGER TotalCycleTime; | 6.2 and higher | |
0x68 (5.0 to 6.1); 0x70 | 0xB0 (5.0 to 6.1); 0xB8 | LARGE_INTEGER ThisPeriodTotalUserTime; | 5.0 and higher | |
0x70 (5.0 to 6.1); 0x78 | 0xB8 (5.0 to 6.1); 0xC0 | LARGE_INTEGER ThisPeriodTotalKernelTime; | 5.0 and higher | |
0x80 | 0xC8 | ULONGLONG TotalContextSwitch; | 6.2 and higher | |
0x78 (5.0 to 6.1); 0x88 | 0xC0 (5.0 to 6.1); 0xD0 | ULONG TotalPageFaultCount; | 5.0 and higher | |
0x7C (5.0 to 6.1); 0x8C | 0xC4 (5.0 to 6.1); 0xD4 | ULONG TotalProcesses; | 5.0 and higher | |
0x80 (5.0 to 6.1); 0x90 | 0xC8 (5.0 to 6.1); 0xD8 | ULONG ActiveProcesses; | 5.0 and higher | |
0x84 (5.0 to 6.1); 0x94 | 0xCC (5.0 to 6.1); 0xDC | ULONG TotalTerminatedProcesses; | 5.0 and higher | |
0x88 (5.0 to 6.1); 0x98 | 0xD0 (5.0 to 6.1); 0xE0 | LARGE_INTEGER PerProcessUserTimeLimit; | 5.0 and higher | |
0x90 (5.0 to 6.1); 0xA0 | 0xD8 (5.0 to 6.1); 0xE8 | LARGE_INTEGER PerJobUserTimeLimit; | 5.0 and higher | |
0x98 (5.0 to 6.0) | 0xE0 (late 5.2 to 6.0) | ULONG LimitFlags; | 5.0 to 6.0 | next at 0xA0 and 0xF0 |
0x9C (5.0 to 6.0); 0x98 (6.1); 0xA8 | 0xE8 (late 5.2 to 6.0); 0xE0 (6.1); 0xF0 | SIZE_T MinimumWorkingSetSize; | 5.0 and higher | |
0xA0 (5.0 to 6.0); 0x9C (6.1); 0xAC | 0xF0 (late 5.2 to 6.0); 0xE8 (6.1); 0xF8 | SIZE_T MaximumWorkingSetSize; | 5.0 and higher | |
0xA0 (6.1); 0xB0 | 0xF0 (6.1); 0x0100 | ULONG LimitFlags; | 6.1 and higher | previously at 0x98 and 0xE0 |
0xA4 (5.0 to 6.1); 0xB4 | 0xF8 (late 5.2 to 6.0); 0xF4 (6.1); 0x0104 | ULONG ActiveProcessLimit; | 5.0 and higher | |
0xA8 (5.0 to 6.1); 0xB8 | 0x0100 (late 5.2 to 6.0); 0xF8 (6.1); 0x0108 | KAFFINITY Affinity; | 5.0 to 6.0 | |
 | | KAFFINITY_EX Affinity; | 6.1 and higher | |
0xAC (5.0 to 6.0); 0xB4 (6.1) | 0x0108 (late 5.2 to 6.0); 0x0120 | UCHAR PriorityClass; | 5.0 to 6.1 | next at 0x019D and 0x0351 |
0xB0 (5.0 to 6.0); 0xB8 (6.1); 0xC4 | 0x0110 (6.0); 0x0128 (6.1); 0x01B0 | JOB_ACCESS_STATE *AccessState; | 6.0 and higher | |
0xC8 | 0x01B8 | PVOID AccessStateQuotaReference; | 6.2 and higher | |
0xB0 (5.0 to 5.2); 0xB4 (6.0); 0xBC (6.1); 0xCC | 0x010C (late 5.2); 0x0118 (6.0); 0x0130 (6.1); 0x01C0 | ULONG UIRestrictionsClass; | 5.0 and higher | |
0xB4 (5.0 to 5.2) | 0x0110 (late 5.2) | ULONG SecurityLimitFlags; | 5.0 to 5.2 | |
0xB8 (5.0 to 5.2) | 0x0118 (late 5.2) | PVOID Token; | 5.0 to 5.2 | |
0xBC (5.0 to 5.2) | 0x0120 (late 5.2) | PS_JOB_TOKEN_FILTER *Filter; | 5.0 to 5.2 | |
0xC0 (5.0 to 5.2); 0xB8 (6.0); 0xC0 (6.1); 0xD0 | 0x0128 (late 5.2); 0x011C (6.0); 0x0134 (6.1); 0x01C4 | ULONG EndOfJobTimeAction; | 5.0 and higher | |
0xC4 (5.0 to 5.2); 0xBC (6.0); 0xC4 (6.1); 0xD4 | 0x0130 (late 5.2); 0x0120 (6.0); 0x0138 (6.1); 0x01C8 | PVOID CompletionPort; | 5.0 and higher | |
0xC8 (5.0 to 5.2); 0xC0 (6.0); 0xC8 (6.1); 0xD8 | 0x0138 (late 5.2); 0x0128 (6.0); 0x0140 (6.1); 0x01D0 | PVOID CompletionKey; | 5.0 and higher | |
0xE0 | 0x01D8 | ULONGLONG CompletionCount; | 6.2 and higher | |
0xCC (5.0 to 5.2); 0xC4 (6.0); 0xCC (6.1); 0xE8 | 0x0140 (late 5.2); 0x0130 (6.0); 0x0148 (6.1); 0x01E0 | ULONG SessionId; | 5.0 and higher | |
0xD0 (5.0 to 5.2); 0xC8 (6.0); 0xD0 (6.1); 0xEC | 0x0144 (late 5.2); 0x0134 (6.0); 0x014C (6.1); 0x01E4 | ULONG SchedulingClass; | 5.0 and higher | |
0xD8 (5.0 to 5.2); 0xD0 (6.0); 0xD8 (6.1); 0xF0 | 0x0148 (late 5.2); 0x0138 (6.0); 0x0150 (6.1); 0x01E8 | ULONGLONG ReadOperationCount; | 5.0 and higher | |
0xE0 (5.0 to 5.2); 0xD8 (6.0); 0xE0 (6.1); 0xF8 | 0x0150 (late 5.2); 0x0140 (6.0); 0x0158 (6.1); 0x01F0 | ULONGLONG WriteOperationCount; | 5.0 and higher | |
0xE8 (5.0 to 5.2); 0xE0 (6.0); 0xE8 (6.1); 0x0100 | 0x0158 (late 5.2); 0x0148 (6.0); 0x0160 (6.1); 0x01F8 | ULONGLONG OtherOperationCount; | 5.0 and higher | |
0xF0 (5.0 to 5.2); 0xE8 (6.0); 0xF0 (6.1); 0x0108 | 0x0160 (late 5.2); 0x0150 (6.0); 0x0168 (6.1); 0x0200 | ULONGLONG ReadTransferCount; | 5.0 and higher | |
0xF8 (5.0 to 5.2); 0xF0 (6.0); 0xF8 (6.1); 0x0110 | 0x0168 (late 5.2); 0x0158 (6.0); 0x0170 (6.1); 0x0208 | ULONGLONG WriteTransferCount; | 5.0 and higher | |
0x0100 (5.0 to 5.2); 0xF8 (6.0); 0x0100 (6.1); 0x0118 | 0x0170 (late 5.2); 0x0160 (6.0); 0x0178 (6.1); 0x0210 | ULONGLONG OtherTransferCount; | 5.0 and higher | |
0x0108 (5.0 to 5.2) | 0x0178 (late 5.2) | IO_COUNTERS IoInfo; | 5.0 to 5.2 | |
0x0120 | 0x0218 | PROCESS_DISK_COUNTERS *DiskIoInfo; | 6.2 and higher | |
0x0138 (5.0 to 5.2); 0x0100 (6.0); 0x0108 (6.1); 0x0148 | 0x01A8 (late 5.2); 0x0168 (6.0); 0x0180 (6.1); 0x0240 | SIZE_T ProcessMemoryLimit; | 5.0 and higher | |
0x013C (5.0 to 5.2); 0x0104 (6.0); 0x010C (6.1); 0x014C | 0x01B0 (late 5.2); 0x0170 (6.0); 0x0188 (6.1); 0x0248 | SIZE_T JobMemoryLimit; | 5.0 and higher | |
0x0150 | 0x0250 | SIZE_T JobTotalMemoryLimit; | 10.0 and higher | |
0x0140 (5.0 to 5.2); 0x0108 (6.0); 0x0110 (6.1); 0x0150 (6.2 to 6.3); 0x0154 | 0x01B8 (late 5.2); 0x0178 (6.0); 0x0190 (6.1); 0x0250 (6.2 to 6.3); 0x0258 | SIZE_T PeakProcessMemoryUsed; | 5.0 and higher | |
0x0144 (5.0 to 5.2); 0x010C (6.0); 0x0114 (6.1); 0x0154 (6.2 to 6.3); 0x0158 | 0x01C0 (late 5.2); 0x0180 (6.0); 0x0198 (6.1); 0x0258 (6.2 to 6.3); 0x0260 | SIZE_T PeakJobMemoryUsed; | 5.0 and higher | |
0x0158 (6.2 to 6.3); 0x015C | 0x0260 (6.2 to 6.3); 0x0268 | KAFFINITY_EX EffectiveAffinity; | 6.2 and higher | |
0x0168 | 0x0308 (6.2 to 6.3); 0x0310 | LARGE_INTEGER EffectivePerProcessUserTimeLimit; | 6.2 and higher | |
0x0170 | 0x0310 (6.2 to 6.3); 0x0318 | SIZE_T EffectiveMinimumWorkingSetSize; | 6.2 and higher | |
0x0174 | 0x0318 (6.2 to 6.3); 0x0320 | SIZE_T EffectiveMaximumWorkingSetSize; | 6.2 and higher | |
0x0178 | 0x0320 (6.2 to 6.3); 0x0328 | SIZE_T EffectiveProcessMemoryLimit; | 6.2 and higher | |
0x017C | 0x0328 (6.2 to 6.3); 0x0330 | EJOB *EffectiveProcessMemoryLimitJob; | 6.2 and higher | |
0x0180 | 0x0330 (6.2 to 6.3); 0x0338 | EJOB *EffectivePerProcessUserTimeLimitJob; | 6.2 and higher | |
0x0184 (10.0 to 1511) | 0x0340 (10.0 to 1511) | EJOB *EffectiveDiskIoRateLimitJob; | 10.0 to 1511 | |
0x0188 (10.0 to 1511); 0x0184 | 0x0348 (10.0 to 1511); 0x0340 | EJOB *EffectiveNetIoRateLimitJob; | 10.0 and higher | |
0x018C (10.0 to 1511); 0x0188 | 0x0350 (10.0 to 1511); 0x0348 | EJOB *EffectiveHeapAttributionJob; | 10.0 and higher | |
0x0184 (6.2 to 6.3); 0x0190 (10.0 to 1511); 0x018C | 0x0338 (6.2 to 6.3); 0x0358 (10.0 to 1511); 0x0350 | ULONG EffectiveLimitFlags; | 6.2 and higher | |
0x0188 (6.2 to 6.3); 0x0194 (10.0 to 1511); 0x0190 | 0x033C (6.2 to 6.3); 0x035C (10.0 to 1511); 0x0354 | ULONG EffectiveSchedulingClass; | 6.2 and higher | |
0x018C (6.2 to 6.3); 0x0198 (10.0 to 1511); 0x0194 | 0x0340 (6.2 to 6.3); 0x0360 (10.0 to 1511); 0x0358 | ULONG EffectiveFreezeCount; | 6.2 and higher | |
0x0190 (6.2 to 6.3); 0x019C (10.0 to 1511); 0x0198 | 0x0344 (6.2 to 6.3); 0x0364 (10.0 to 1511); 0x035C | ULONG EffectiveBackgroundCount; | 6.2 and higher | |
0x0194 (6.2 to 6.3); 0x01A0 (10.0 to 1511); 0x019C | 0x0348 (6.2 to 6.3); 0x0368 (10.0 to 1511); 0x0360 | ULONG EffectiveSwapCount; | 6.2 and higher | |
0x0198 (6.2 to 6.3); 0x01A4 (10.0 to 1511); 0x01A0 | 0x034C (6.2 to 6.3); 0x036C (10.0 to 1511); 0x0364 | ULONG EffectiveNotificationLimitCount; | 6.2 and higher | |
0x019C (6.2 to 6.3); 0x01A8 (10.0 to 1511); 0x01A4 | 0x0350 (6.2 to 6.3); 0x0370 (10.0 to 1511); 0x0368 | UCHAR EffectivePriorityClass; | 6.2 and higher | |
0x019D (6.2 to 6.3); 0x01A9 (10.0 to 1511); 0x01A5 | 0x0351 (6.2 to 6.3); 0x0371 (10.0 to 1511); 0x0369 | UCHAR PriorityClass; | 6.2 and higher | previously at 0xB4 and 0x0120 |
0x01AA (10.0 to 1511); 0x01A6 | 0x0372 (10.0 to 1511); 0x036A | UCHAR NestingDepth; | 10.0 and higher | |
0x019E (6.2 to 6.3); 0x01AB (10.0 to 1511); 0x01A7 | 0x0352 (6.2 to 6.3); 0x0373 (10.0 to 1511); 0x036B | UCHAR Reserved1 [2]; | 6.2 to 6.3 | |
 | | UCHAR Reserved1 [1]; | 10.0 and higher | |
0x01A0 (6.2 to 6.3); 0x01AC (10.0 to 1511); 0x01A8 | 0x0354 (6.2 to 6.3); 0x0374 (10.0 to 1511); 0x036C | ULONG CompletionFilter; | 6.2 and higher | |
0x01A8 (6.2 to 6.3); 0x01B0 | 0x0358 (6.2 to 6.3); 0x0378 (10.0 to 1511); 0x0370 | union { WNF_STATE_NAME WakeChannel; PS_WAKE_INFORMATION WakeInfo; }; | 6.2 and higher | |
0x01F0 (6.2); 0x01E0 (6.3); 0x01E8 (10.0 to 1607); 0x01F8 | 0x03A0 (6.2); 0x0390 (6.3); 0x03B0 (10.0 to 1511); 0x03A8 (1607); 0x03B8 | JOBOBJECT_WAKE_FILTER WakeFilter; | 6.2 and higher | |
0x01F8 (6.2); 0x01E8 (6.3); 0x01F0 (10.0 to 1607); 0x0200 | 0x03A8 (6.2); 0x0398 (6.3); 0x03B8 (10.0 to 1511); 0x03B0 (1607); 0x03C0 | ULONG LowEdgeLatchFilter; | 6.2 and higher | |
0x01FC (6.2); 0x01EC (6.3); 0x01F4 (10.0 to 1607) | 0x03AC (6.2); 0x039C (6.3); 0x03BC (10.0 to 1511); 0x03B4 (1607) | ULONG OwnedHighEdgeFilters; | 6.2 to 1607 | |
0x0200 (6.2); 0x01F0 (6.3); 0x01F8 (10.0 to 1607); 0x0204 | 0x03B0 (6.2); 0x03A0 (6.3); 0x03C0 (10.0 to 1511); 0x03B8 (1607); 0x03C8 | EJOB *NotificationLink; | 6.2 and higher | |
0x0148 (5.0 to 5.2); 0x0110 (6.0); 0x0118 (6.1); 0x0208 (6.2); 0x01F8 (6.3); 0x0200 (10.0 to 1607); 0x0208 | 0x01C8 (late 5.2); 0x0188 (6.0); 0x01A0 (6.1); 0x03B8 (6.2); 0x03A8 (6.3); 0x03C8 (10.0 to 1511); 0x03C0 (1607); 0x03D0 | SIZE_T CurrentJobMemoryUsed; | 5.0 to 6.0 | |
 | | ULONGLONG CurrentJobMemoryUsed; | 6.1 and higher | |
0x0210 (6.2); 0x0200 (6.3); 0x0208 (10.0 to 1607); 0x0210 | 0x03C0 (6.2); 0x03B0 (6.3); 0x03D0 (10.0 to 1511); 0x03C8 (1607); 0x03D8 | JOB_NOTIFICATION_INFO *NotificationInfo; | 6.2 and higher | |
0x0214 (6.2); 0x0204 (6.3); 0x020C (10.0 to 1607); 0x0214 | 0x03C8 (6.2); 0x03B8 (6.3); 0x03D8 (10.0 to 1511); 0x03D0 (1607); 0x03E0 | PVOID NotificationInfoQuotaReference; | 6.2 and higher | |
0x0218 (6.2); 0x0208 (6.3); 0x0210 (10.0 to 1607); 0x0218 | 0x03D0 (6.2); 0x03C0 (6.3); 0x03E0 (10.0 to 1511); 0x03D8 (1607); 0x03E8 | IO_MINI_COMPLETION_PACKET_USER *NotificationPacket; | 6.2 and higher | |
0x021C (6.2); 0x020C (6.3); 0x0214 (10.0 to 1607); 0x021C | 0x03D8 (6.2); 0x03C8 (6.3); 0x03E8 (10.0 to 1511); 0x03E0 (1607); 0x03F0 | JOB_CPU_RATE_CONTROL *CpuRateControl; | 6.2 and higher | |
0x0220 (6.2); 0x0210 (6.3); 0x0218 (10.0 to 1607); 0x0220 | 0x03E0 (6.2); 0x03D0 (6.3); 0x03F0 (10.0 to 1511); 0x03E8 (1607); 0x03F8 | PVOID EffectiveSchedulingGroup; | 6.2 and higher | |
0x0218 (6.3); 0x0220 (10.0 to 1607); 0x0228 | 0x03D8 (6.3); 0x03F8 (10.0 to 1511); 0x03F0 (1607); 0x0400 | ULONGLONG ReadyTime; | 6.3 and higher | |
0x014C (5.0 to 5.2); 0x0114 (6.0); 0x0120 (6.1); 0x0224 (6.2); 0x0220 (6.3); 0x0228 (10.0 to 1607); 0x0230 | 0x01D0 (late 5.2); 0x0190 (6.0); 0x01A8 (6.1); 0x03E8 (6.2); 0x03E0 (6.3); 0x0400 (10.0 to 1511); 0x03F8 (1607); 0x0408 | FAST_MUTEX MemoryLimitsLock; | 5.0 to 5.2 | last member in 5.0 |
 | | EX_PUSH_LOCK MemoryLimitsLock; | 6.0 and higher | |
0x016C (5.1 to 5.2); 0x0118 (6.0); 0x0124 (6.1) | 0x0208 (late 5.2); 0x0198 (6.0); 0x01B0 (6.1) | LIST_ENTRY JobSetLinks; | 5.1 to 6.1 | |
0x0174 (5.1 to 5.2); 0x0120 (6.0); 0x012C (6.1) | 0x0218 (late 5.2); 0x01A8 (6.0); 0x01C0 (6.1) | ULONG MemberLevel; | 5.1 to 6.1 | |
0x0228 (6.2); 0x0224 (6.3); 0x022C (10.0 to 1607); 0x0234 | 0x03F0 (6.2); 0x03E8 (6.3); 0x0408 (10.0 to 1511); 0x0400 (1607); 0x0410 | LIST_ENTRY SiblingJobLinks; | 6.2 and higher | |
0x0230 (6.2); 0x022C (6.3); 0x0234 (10.0 to 1607); 0x023C | 0x0400 (6.2); 0x03F8 (6.3); 0x0418 (10.0 to 1511); 0x0410 (1607); 0x0420 | LIST_ENTRY ChildJobListHead; | 6.2 and higher | |
0x0238 (6.2); 0x0234 (6.3); 0x023C (10.0 to 1607); 0x0244 | 0x0410 (6.2); 0x0408 (6.3); 0x0428 (10.0 to 1511); 0x0420 (1607); 0x0430 | EJOB *ParentJob; | 6.2 and higher | |
0x0240 (1607) | 0x0428 (1607) | EJOB *ParentSilo; | 1607 only | previously in SILO_CONTEXT |
0x023C (6.2); 0x0238 (6.3); 0x0240 (10.0 to 1511); 0x0244 (1607); 0x0248 | 0x0418 (6.2); 0x0410 (6.3); 0x0430 (10.0 to 1607); 0x0438 | EJOB * volatile RootJob; | 6.2 and higher | |
0x0240 (6.2); 0x023C (6.3); 0x0244 (10.0 to 1511); 0x0248 (1607); 0x024C | 0x0420 (6.2); 0x0418 (6.3); 0x0438 (10.0 to 1607); 0x0440 | LIST_ENTRY IteratorListHead; | 6.2 and higher | |
0x0244 (6.3); 0x024C (10.0 to 1511); 0x0250 (1607); 0x0254 | 0x0428 (6.3); 0x0448 (10.0 to 1607); 0x0450 | ULONG_PTR AncestorCount; | 6.3 and higher | |
0x0248 (6.3); 0x0250 (10.0 to 1511); 0x0254 (1607); 0x0258 | 0x0430 (6.3); 0x0450 (10.0 to 1607); 0x0458 | EJOB **Ancestors; | 6.3 only | |
 | | union { EJOB *Ancestors; PVOID SessionObject; }; | 10.0 and higher | |
0x0258 (1607) | 0x0458 (1607) | ULONG_PTR TimerListLock; | 1607 only | previously at 0x02B4 and 0x04B8 |
0x025C (1607) | 0x0460 (1607) | LIST_ENTRY TimerListHead; | 1607 only | previously at 0x02B8 and 0x04C0 |
0x0248 (6.2); 0x0250 (6.3); 0x0258 (10.0 to 1511); 0x0268 (1607); 0x0260 | 0x0430 (6.2); 0x0438 (6.3); 0x0458 (10.0 to 1511); 0x0470 (1607); 0x0460 | EPROCESS_VALUES Accounting; | 6.2 and higher | |
0x0298 (6.2); 0x02A0 (6.3); 0x02A8 (10.0 to 1511); 0x02C0 (1607); 0x02B8 (1703 to 1903); 0x02C8 | 0x0480 (6.2); 0x0488 (6.3); 0x04A8 (10.0 to 1511); 0x04C8 (1607); 0x04B8 (1703 to 1903); 0x04C8 | ULONG ShadowActiveProcessCount; | 6.2 and higher | |
0x02AC (10.0 to 1511); 0x02C4 (1607); 0x02BC (1703 to 1903); 0x02CC | 0x04AC (10.0 to 1511); 0x04CC (1607); 0x04BC (1703 to 1903); 0x04CC | ULONG ActiveAuxiliaryProcessCount; | 10.0 and higher | |
0x029C (6.2); 0x02A4 (6.3); 0x02B0 (10.0 to 1511); 0x02C8 (1607); 0x02C0 (1703 to 1903); 0x02D0 | 0x0484 (6.2); 0x048C (6.3); 0x04B0 (10.0 to 1511); 0x04D0 (1607); 0x04C0 (1703 to 1903); 0x04D0 | ULONG SequenceNumber; | 6.2 and higher | |
0x02A0 (6.2); 0x02A8 (6.3); 0x02B4 (10.0 to 1511) | 0x0488 (6.2); 0x0490 (6.3); 0x04B8 (10.0 to 1511) | ULONG_PTR TimerListLock; | 6.2 to 1511 | next at 0x0258 and 0x0458 |
0x02A4 (6.2); 0x02AC (6.3); 0x02B8 (10.0 to 1511) | 0x0490 (6.2); 0x0498 (6.3); 0x04C0 (10.0 to 1511) | LIST_ENTRY TimerListHead; | 6.2 to 1511 | next at 0x025C and 0x0460 |
0x02CC (1607); 0x02C4 (1703 to 1903); 0x02D4 | 0x04D4 (1607); 0x04C4 (1703 to 1903); 0x04D4 | ULONG JobId; | 1607 and higher | |
0x02C0 (10.0 to 1511); 0x02D0 (1607); 0x02C8 (1703 to 1903); 0x02D8 | 0x04D0 (10.0 to 1511); 0x04D8 (1607); 0x04C8 (1703 to 1903); 0x04D8 | GUID ContainerId; | 10.0 and higher | |
0x02D8 (1703 to 1903); 0x02E8 | 0x04D8 (1703 to 1903); 0x04E8 | GUID ContainerTelemetryId; | 1703 and higher | |
0x02D0 (10.0 to 1511); 0x02E0 (1607); 0x02E8 (1703 to 1903); 0x02F8 | 0x04E0 (10.0 to 1511); 0x04E8 (1607 to 1903); 0x04F8 | ESILO *Container; | 10.0 only | |
 | | SILO_CONTEXT *Container; | 1511 only | |
 | | ESERVERSILO_GLOBALS *ServerSiloGlobals; | 1607 and higher | previously in SILO_CONTEXT |
0x02D4 (10.0 to 1511); 0x02E4 (1607); 0x02EC (1703 to 1903); 0x02FC | 0x04E8 (10.0 to 1511); 0x04F0 (1607 to 1903); 0x0500 | PS_PROPERTY_SET PropertySet; | 10.0 and higher | |
0x02F0 (1607); 0x02F8 (1703 to 1903); 0x0308 | 0x0508 (1607 to 1903); 0x0518 | PSP_STORAGE *Storage; | 1607 and higher | |
0x02E0 (10.0 to 1511); 0x02F4 (1607); 0x02FC (1703 to 1903); 0x030C | 0x0500 (10.0 to 1511); 0x0510 (1607 to 1903); 0x0520 | JOB_NET_RATE_CONTROL *NetRateControl; | 10.0 and higher | |
0x02E4 (10.0 to 1511) | 0x0508 (10.0 to 1511) | JOB_IO_RATE_CONTROL *IoRateControl; | 10.0 to 1511 | |
0x0178 (5.1 to 5.2); 0x0124 (6.0); 0x0130 (6.1); 0x02AC (6.2); 0x02B4 (6.3); 0x02E8 (10.0 to 1511); 0x02F8 (1607); 0x0300 (1703 to 1903); 0x0310 | 0x021C (late 5.2); 0x01AC (6.0); 0x01C4 (6.1); 0x04A0 (6.2); 0x04A8 (6.3); 0x0510 (10.0 to 1511); 0x0518 (1607 to 1903); 0x0528 | ULONG JobFlags; | 5.1 to 6.1 | last member in 5.1 to 6.1 |
 | | union { ULONG JobFlags; struct { /* changing bit fields, follow link */ }; }; | 6.2 and higher | |
0x0304 (1703 to 1903); 0x0314 | 0x051C (1703 to 1903); 0x052C | union { ULONG JobFlags2; struct { /* changing bit fields, follow link */ }; }; | 1703 and higher | |
0x02B0 (6.2); 0x02B8 (6.3); 0x02EC (10.0 to 1511); 0x02FC (1607) | 0x04A4 (6.2); 0x04AC (6.3); 0x0514 (10.0 to 1511); 0x051C (1607) | ULONG EffectiveHighEdgeFilters; | 6.2 to 1607 | last member in 6.2 to 6.3 |
0x02F0 (10.0 to 1511); 0x0300 (1607); 0x0308 (1703 to 1903); 0x0318 | 0x0518 (10.0 to 1511); 0x0520 (1607 to 1903); 0x0530 | PROCESS_ENERGY_VALUES *EnergyValues; | 10.0 and higher | |
0x02F4 (10.0 to 1511); 0x0304 (1607); 0x030C (1703 to 1903); 0x031C | 0x0520 (10.0 to 1511); 0x0528 (1607 to 1903); 0x0538 | ULONG_PTR volatile SharedCommitCharge; | 10.0 and higher | last member in 10.0 |
0x0308 (1607) | 0x0530 (1607) | EJOB * volatile WakeRoot; | 1607 only | |
0x030C (1607); 0x0310 (1703 to 1903); 0x0320 | 0x0538 (1607); 0x0530 (1703 to 1903); 0x0540 | ULONG DiskIoAttributionUserRefCount; | 1607 and higher | |
0x0310 (1607); 0x0314 (1703 to 1903); 0x0324 | 0x053C (1607); 0x0534 (1703 to 1903); 0x0544 | ULONG DiskIoAttributionRefCount; | 1607 and higher | |
0x0314 (1607); 0x0318 (1703 to 1903); 0x0328 | 0x0540 (1607); 0x0538 (1703 to 1903); 0x0548 | union { PVOID DiskIoAttributionContext; EJOB *DiskIoAttributionOwnerJob; }; | 1607 and higher | |
0x031C (1703 to 1903); 0x032C | 0x0540 (1703 to 1903); 0x0550 | JOB_RATE_CONTROL_HEADER IoRateControlHeader; | 1703 and higher | |
0x0318 (1607); 0x0330 (1703 to 1903); 0x0340 | 0x0548 (1607); 0x0568 (1703 to 1903); 0x0578 | PS_IO_CONTROL_ENTRY GlobalIoControl; | 1607 and higher | |
0x0334 (1607); 0x034C (1703 to 1903); 0x035C | 0x0580 (1607); 0x05A0 (1703 to 1903); 0x05B0 | LONG volatile VolumeIoControlLock; | 1607 only | |
 | | LONG volatile IoControlStateLock; | 1703 and higher | |
0x0338 (1607); 0x0350 (1703 to 1903); 0x0360 | 0x0588 (1607); 0x05A8 (1703 to 1903); 0x05B8 | RTL_RB_TREE VolumeIoControlTree; | 1607 and higher | |
0x0358 (1703 to 1903); 0x0368 | 0x05B8 (1703 to 1903); 0x05C8 | ULONGLONG IoRateOverQuotaHistory; | 1703 and higher | |
0x0360 (1703 to 1903); 0x0370 | 0x05C0 (1703 to 1903); 0x05D0 | ULONG IoRateCurrentGeneration; | 1703 and higher | |
0x0364 (1703 to 1903); 0x0374 | 0x05C4 (1703 to 1903); 0x05D4 | ULONG IoRateLastQueryGeneration; | 1703 and higher | |
0x0368 (1703 to 1903); 0x0378 | 0x05C8 (1703 to 1903); 0x05D8 | ULONG IoRateGenerationLength; | 1703 and higher | |
0x036C (1703 to 1903); 0x037C | 0x05CC (1703 to 1903); 0x05DC | ULONG IoRateOverQuotaNotifySequenceId; | 1703 and higher | |
0x0370 (1703 to 1903); 0x0380 | 0x05D0 (1709 to 1903); 0x05E0 | ULONGLONG LastThrottledIoTime; | 1709 and higher | |
0x0340 (1607); 0x0370 (1703); 0x0378 (1709 to 1903); 0x0388 | 0x0598 (1607); 0x05D0 (1703); 0x05D8 (1709 to 1903); 0x05E8 | EX_PUSH_LOCK IoControlLock; | 1607 and higher | |
0x0344 (1607); 0x0374 (1703); 0x037C (1709 to 1903); 0x038C | 0x05A0 (1607); 0x05D8 (1703); 0x05E0 (1709 to 1903); 0x05F0 | ULONG SiloHardReferenceCount; | 1607 and higher | |
0x0348 (1607); 0x0378 (1703); 0x0380 (1709 to 1903); 0x0390 | 0x05A8 (1607); 0x05E0 (1703); 0x05E8 (1709 to 1903); 0x05F8 | WORK_QUEUE_ITEM RundownWorkItem; | 1607 and higher | last member in 1607 |
0x0388 (1703); 0x0390 (1709 to 1903); 0x03A0 | 0x0600 (1703); 0x0608 (1709 to 1903); 0x0618 | PVOID MemoryPartitionObject; | 1703 only | |
 | | PVOID PartitionObject; | 1709 and higher | |
0x0394 (1709 to 1903); 0x03A4 | 0x0610 (1709 to 1903); 0x0620 | EJOB *PartitionOwnerJob; | 1709 and higher | |
0x0390 (1703); 0x0398 (1709 to 1903); 0x03A8 | 0x0608 (1703); 0x0618 (1709 to 1903); 0x0628 | JOBOBJECT_ENERGY_TRACKING_STATE EnergyTrackingState; | 1703 and higher | last member in 1703 to 1803 |
0x03B0 | 0x0630 | ULONGLONG KernelWaitTime; | 2004 and higher | |
0x03B8 | 0x0638 | ULONGLONG UserWaitTime; | 2004 and higher | last member in 2004 |
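
The offset cells above use a compact notation: each offset is qualified by the versions it holds for, and an unqualified last offset covers the later versions. As an added example (not part of the original page), the Python below resolves a member's offset for one version, so that tooling which reads EJOB fields from a memory image gets no offset at all for a version the table does not place the member in. The function names, the treatment of "late 5.2" as 5.2 and the inclusion of 1809 in the version order are assumptions of the example.

```python
import re

# Version order used by the page's tables, oldest first. 1809 is not named on
# the page; it is included because it falls inside the "1709 to 1903" ranges.
VERSIONS = ["5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0", "1511",
            "1607", "1703", "1709", "1803", "1809", "1903", "2004"]
RANK = {name: i for i, name in enumerate(VERSIONS)}


def _rank(name):
    # Assumption: "late 5.2" (where the x64 column starts) is ordered as 5.2.
    return RANK[name.strip().replace("late ", "")]


def parse_span(text):
    """Turn '6.2 to 1607', '1607 only', '6.2 and higher' or '6.1' into an
    inclusive (low, high) pair of ranks."""
    text = text.strip()
    if text.endswith(" and higher"):
        return _rank(text[:-len(" and higher")]), len(VERSIONS) - 1
    if text.endswith(" only"):
        only = _rank(text[:-len(" only")])
        return only, only
    if " to " in text:
        low, high = text.split(" to ")
        return _rank(low), _rank(high)
    return _rank(text), _rank(text)


def resolve_offset(cell, member_versions, version):
    """Offset of a member in `version`, or None when the table does not place
    the member in that version. An unknown version raises KeyError rather
    than falling through to a guessed offset.

    cell is one offset cell, e.g. '0x68 (5.0 to 6.1); 0x70'. The unqualified
    entry applies only to versions later than every qualified range.
    """
    v = RANK[version]
    low, high = parse_span(member_versions)
    if not low <= v <= high:
        return None
    default, last_qualified = None, -1
    for entry in cell.split(";"):
        m = re.fullmatch(r"\s*(0x[0-9A-Fa-f]+)\s*(?:\((.+)\))?\s*", entry)
        if m is None:
            raise ValueError("unrecognised offset entry: %r" % entry)
        offset = int(m.group(1), 16)
        if m.group(2) is None:
            default = offset
            continue
        e_low, e_high = parse_span(m.group(2))
        if e_low <= v <= e_high:
            return offset
        last_qualified = max(last_qualified, e_high)
    return default if v > last_qualified else None


# Cells copied from the table above: (offset cell, versions cell).
JOB_ID_X86 = ("0x02CC (1607); 0x02C4 (1703 to 1903); 0x02D4", "1607 and higher")
MIN_WS_X64 = ("0xE8 (late 5.2 to 6.0); 0xE0 (6.1); 0xF0", "5.0 and higher")
OWNED_HEF_X86 = ("0x01FC (6.2); 0x01EC (6.3); 0x01F4 (10.0 to 1607)", "6.2 to 1607")

if __name__ == "__main__":
    for ver in ("1511", "1607", "1809", "2004"):
        off = resolve_offset(*JOB_ID_X86, ver)
        print(ver, "JobId (x86):", "absent" if off is None else hex(off))
```
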