Flags3 in the EPROCESS

With the EPROCESS having all its Flags and Flags2 bits fully in use, Windows 8.1 started a third set:

Mask Definition Versions Remarks
0x00000001 
ULONG Minimal : 1;
 6.3 and higher  
0x00000002 
ULONG ReplacingPageRoot : 1;
 10.0 and higher  
0x00000004 (10.0 to 1703) 
ULONG DisableNonSystemFonts : 1;
 10.0 to 1703 next in MitigationFlags
0x00000008 (10.0 to 1703) 
ULONG AuditNonSystemFontLoading : 1;
 10.0 to 1703 next in MitigationFlags
0x00000010 (10.0 to 1703);
0x00000004 
ULONG Crashed : 1;
 10.0 and higher  
0x00000020 (10.0 to 1703);
0x00000008 
ULONG JobVadsAreTracked : 1;
 10.0 and higher  
0x00000040 (10.0 to 1703);
0x00000010 
ULONG VadTrackingDisabled : 1;
 10.0 and higher  
0x00000080 (10.0 to 1703);
0x00000020 
ULONG AuxiliaryProcess : 1;
 10.0 and higher  
0x00000100 (10.0 to 1703);
0x00000040 
ULONG SubsystemProcess : 1;
 10.0 and higher  
0x00000200 (10.0 to 1703);
0x00000080 
ULONG IndirectCpuSets : 1;
 10.0 and higher  
0x00000400 (10.0 to 1703) 
ULONG InPrivate : 1;
 10.0 to 1703 next in Flags2
0x00000800 (1511 to 1703) 
ULONG ProhibitRemoteImageMap : 1;
 1511 to 1703 next in MitigationFlags
0x00001000 (1511 to 1703) 
ULONG ProhibitLowILImageMap : 1;
 1511 to 1703 next in MitigationFlags
0x00002000 (1511 to 1703) 
ULONG SignatureMitigationOptIn : 1;
 1511 to 1703 next in MitigationFlags
0x00004000 (1607 to 1703) 
ULONG DisableDynamicCodeAllowOptOut : 1;
 1607 to 1703 next in MitigationFlags
0x00008000 (1607 to 1703) 
ULONG EnableFilteredWin32kAPIs : 1;
 1607 to 1703 next in MitigationFlags
0x00010000 (1607 to 1703) 
ULONG AuditFilteredWin32kAPIs : 1;
 1607 to 1703 next in MitigationFlags
0x00020000 (1607 to 1703) 
ULONG PreferSystem32Images : 1;
 1607 to 1703 next in MitigationFlags
0x00040000 (1607 to 1703);
0x00000100 
ULONG RelinquishedCommit : 1;
 1607 and higher  
0x00080000 (1607 to 1703) 
ULONG AutomaticallyOverrideChildProcessPolicy : 1;
 1607 to 1703  
0x00100000 (1607 to 1703);
0x00000200 
ULONG HighGraphicsPriority : 1;
 1607 and higher  
0x00200000 (1607 to 1703);
0x00000400 
ULONG CommitFailLogged : 1;
 1607 and higher  
0x00400000 (1607 to 1703);
0x00000800 
ULONG ReserveFailLogged : 1;
 1607 and higher  
0x00800000 (1703) 
ULONG DisableDynamicCodeAllowRemoteDowngrade : 1;
 1703 only next in MitigationFlags
0x01000000 (1703) 
ULONG LoaderIntegrityContinuityEnabled : 1;
 1703 only next in MitigationFlags
0x02000000 (1703) 
ULONG LoaderIntegrityContinuityAudit : 1;
 1703 only next in MitigationFlags
0x04000000 (1703) 
ULONG ControlFlowGuardExportSuppressionEnabled : 1;
 1703 only next in MitigationFlags
0x08000000 (1703) 
ULONG FatalAccessTerminationRequested : 1;
 1703 only  
0x10000000 (1703) 
ULONG DisableSystemAllowedCpuSet : 1;
 1703 only next in Flags2
0x20000000 (1703) 
ULONG ControlFlowGuardStrict : 1;
 1703 only next in MitigationFlags
0x00001000 
ULONG SystemProcess : 1;
 1709 and higher  
0x00002000 
ULONG HideImageBaseAddresses : 1;
 1709 and higher  
0x00004000 
ULONG AddressPolicyFrozen : 1;
 1803 and higher  
0x00008000 
ULONG ProcessFirstResume : 1;
 1803 and higher  
0x00010000 
ULONG ForegroundExternal : 1;
 1803 and higher  
0x00020000 
ULONG ForegroundSystem : 1;
 1803 and higher  
0x00040000 
ULONG HighMemoryPriority : 1;
 1803 and higher  
0x00080000 
ULONG EnableProcessSuspendResumeLogging : 1;
 1809 and higher  
0x00100000 
ULONG EnableThreadSuspendResumeLogging : 1;
 1809 and higher  
0x00200000 
ULONG SecurityDomainChanged : 1;
 1809 and higher  
0x00400000 
ULONG SecurityFreezeComplete : 1;
 1809 and higher  
0x00800000 
ULONG VmProcessorHost : 1;
 1809 and higher  
0x01000000 
ULONG VmProcessorHostTransition : 1;
 2004 and higher  
0x02000000 
ULONG AltSyscall : 1;
 2004 and higher  
0x04000000 
ULONG TimerResolutionIgnore : 1;
 2004 and higher  

This page was created on 15th June 2016 and was last modified on 23rd October 2020.

Copyright © 2016-2020. Geoff Chappell. All rights reserved. Conditions apply.