Geoff Chappell - Software Analyst
Version 5.1 of the EPROCESS collected various one-byte booleans into ULONG bit fields that can be accessed together as the Flags. Later versions not only add but reassign:
| Mask | Definition | Versions | Remarks |
|---|---|---|---|
| Mask | Definition | Versions | Remarks |
| 0x00000001 |
ULONG CreateReported : 1; |
5.1 and higher | previously CreateProcessReported as BOOLEAN |
| 0x00000002 |
ULONG NoDebugInherit : 1; |
5.1 and higher | |
| 0x00000004 |
ULONG ProcessExiting : 1; |
5.1 and higher | |
| 0x00000008 |
ULONG ProcessDelete : 1; |
5.1 and higher | |
| 0x00000010 |
ULONG Wow64SplitPages : 1; |
5.1 to 6.2 | |
ULONG ControlFlowGuardEnabled : 1; |
6.3 to 1703 | next in MitigationFlags | |
ULONG ManageExecutableMemoryWrites : 1; |
1709 and higher | ||
| 0x00000020 |
ULONG VmDeleted : 1; |
5.1 and higher | |
| 0x00000040 |
ULONG OutswapEnabled : 1; |
5.1 and higher | previously ProcessOutswapEnabled as BOOLEAN |
| 0x00000080 |
ULONG Outswapped : 1; |
5.1 and higher | previously ProcessOutswapped as BOOLEAN |
| 0x00000100 |
ULONG ForkFailed : 1; |
5.1 to 6.3 | |
ULONG FailFastOnCommitFail : 1; |
10.0 and higher | ||
| 0x00000200 |
ULONG HasPhysicalVad : 1; |
5.1 only | |
ULONG Wow64VaSpace4Gb : 1; |
5.2 and higher | ||
| 0x00000C00 |
ULONG AddressSpaceInitialized : 2; |
5.1 and higher | |
| 0x00001000 |
ULONG SetTimerResolution : 1; |
5.1 and higher | previously BOOLEAN |
| 0x00002000 |
ULONG BreakOnTermination : 1; |
5.1 and higher | |
| 0x00004000 |
ULONG SessionCreationUnderway : 1; |
5.1 to 5.2 | |
ULONG DeprioritizeViews : 1; |
6.0 and higher | ||
| 0x00008000 |
ULONG WriteWatch : 1; |
5.1 and higher | |
| 0x00010000 |
ULONG ProcessInSession : 1; |
5.1 and higher | |
| 0x00020000 |
ULONG OverrideAddressSpace : 1; |
5.1 and higher | |
| 0x00040000 |
ULONG HasAddressSpace : 1; |
5.1 and higher | |
| 0x00080000 |
ULONG LaunchPrefetched : 1; |
5.1 and higher | |
| 0x00100000 |
ULONG InjectInpageErrors : 1; |
5.1 to 6.1 | |
ULONG Background : 1; |
6.2 and higher | ||
| 0x00200000 |
ULONG VmTopDown : 1; |
late 5.1 and higher | |
| 0x00400000 |
ULONG Unused3 : 1; |
late 5.1 only | |
ULONG ImageNotifyDone : 1; |
5.2 and higher | ||
| 0x00800000 |
ULONG Unused4 : 1; |
late 5.1 and higher | |
ULONG PdeUpdateNeeded : 1; |
5.2 and higher | ||
| 0x01000000 |
ULONG VdmAllowed : 1; |
late 5.1 and higher | |
| 0x02000000 |
ULONG SmapAllowed : 1; |
late 5.2 to 6.0 | |
ULONG CrossSessionCreate : 1; |
6.1 to 6.2 | ||
ULONG ProcessRundown : 1; |
6.3 and higher | ||
| 0x04000000 |
ULONG CreateFailed : 1; |
late 5.2 only | |
ULONG ProcessInserted : 1; |
6.0 and higher | ||
| 0x38000000 |
ULONG DefaultIoPriority : 3; |
late 5.2 and higher | |
| 0x40000000 |
ULONG ProcessSelfDelete : 1; |
late 6.0 and higher | |
| 0x80000000 |
ULONG SetTimerResolutionLink : 1; |
6.1 and higher | |
ULONG Spare : 11; |
early 5.1 only | ||
ULONG Unused : 5; ULONG Unused1 : 1; ULONG Unused2 : 1; |
late 5.1 only | ||
ULONG Unused : 7; |
early 5.2 only | ||
ULONG Spare1 : 1; ULONG Spare2 : 1; |
late 5.2 only | ||
ULONG SparePsFlags1 : 2; |
early 6.0 only | ||
ULONG SpareProcessFlags : 1; |
late 6.0 only |