EPROCESS

The EPROCESS structure (formally _EPROCESS) is the kernel’s representation of a process object. For instance, if the ObReferenceObjectByHandle function successfully resolves a handle though directed to do so only if the object type is PsProcessType, then what the function produces as its pointer to the object is a pointer to an EPROCESS.

Many functions that are exported from the kernel, e.g., for use by drivers, provide for referring to a process object through a pointer to an EPROCESS. The structure itself, however, is meant to be opaque outside the kernel, if not to Microsoft-supplied modules such as WIN32K.SYS, then at least to device drivers.

Documentation Status

The EPROCESS is not formally documented, but headers that Microsoft publishes for device driver programming have always declared the EPROCESS as an opaque type. For instance, NTDDK.H from as far back as the Device Driver Kit (DDK) for Windows NT 3.1 has

typedef struct _EPROCESS *PEPROCESS;

a few lines after a comment “Define types that are not exported”. Documentation for later versions makes increasingly clear what this pointer type points to. For instance, the DDK for Windows NT 3.51 has that IoGetCurrentProcess “returns a pointer to the current process” and the Windows Driver Kit (WDK) for Windows Vista has that the input to PsGetProcessId is “a process object structure”. The WDK for Windows Vista is anyway the first to document that PsProcessType directs ObReferenceObjectByHandle to produce a pointer to an EPROCESS, and it warns very clearly that the structure is “opaque, and drivers cannot access the structure members.”

Access

The EPROCESS exists only in kernel-mode memory. User-mode software has only indirect access through handles.

Variability

Since the EPROCESS structure is internal to the kernel, it should not surprise that the layout changes greatly between Windows versions and even between builds. In the following table of sizes, different builds of the same version are distinguished as early and late because they are known to vary the structure even if they don’t change the size. These descriptions, as early and late, are then used throughout the article as a shorthand.

Version	Size (x86)	Size (x64)
3.10	0x0280
3.50 to 4.0	0x01F8
early 5.0 (before SP3); late 5.0	0x0288
early 5.1 (before SP2)	0x0258
late 5.1	0x0260
early 5.2 (before SP1); late 5.2	0x0278	0x03E0
early 6.0 (before SP1); late 6.0	0x0270	0x03E8
6.1	0x02C0	0x04D0
6.2	0x02E8	0x0660
6.3	0x02F8	0x06B8
10.0	0x0380	0x0798
1511	0x0370	0x0788
1607	0x0388	0x07B0
1703	0x03E0	0x0818
1709	0x03E8	0x0838
1803	0x0400	0x0848
1809	0x0408	0x0850
1903	0x0480	0x0880
2004	0x04C0	0x0A40

Layout

These sizes, and the offsets, types and names in the tables that follow, are from Microsoft’s symbol files for the kernel starting with Windows 2000 SP3.

Since symbol files for earlier versions do not contain type information for the EPROCESS, what’s known for these versions is instead inferred from what use the kernel is seen to make of the EPROCESS. Sizes are straightforward, even without symbol files, since ObCreateObject and PsProcessType are exported (and so code that creates an EPROCESS, and thus knows the size, is easily found). Microsoft’s names and types are something of a guess, even with symbol files for later versions. Where use of a member corresponds closely with that of a version for which Microsoft’s symbols are available, it seems reasonable to suppose continuity. Some use, however, has no correspondence, the code having changed too much. Even where the use hasn’t changed, tracking it down exhaustively would be difficult, if not impossible, even with source code.

That said, for some members in some early versions, offsets and names (but not types) are known with more or less confidence from the output of debugger extensions: the !processfields command of the KDEXTX86 debugger extension in version 3.51; and, both more comprehensively and plausibly more definitively, the !dso commands of the USEREXTS and USERKDX extensions for versions 4.0 and 5.0, and the !strct command of the KDEX2X86 extension again for versions 4.0 and 5.0.

Offset (x86)	Offset (x64)	Definition	Versions	Remarks
0x00	0x00	KPROCESS Pcb;	all
0x70 (3.10)		KEVENT LockEvent;	3.10 only	next at 0x6C
0x80 (3.10); 0x68 (3.50 to 4.0); 0x6C (5.0)		NTSTATUS ExitStatus;	3.10 to 5.0	next at 0x024C
0x84 (3.10)		unknown KSEMAPHORE	3.10 only
0x6C (3.50 to 4.0); 0x70 (5.0)		KEVENT LockEvent;	3.50 to 5.0	previously at 0x70
0x7C (3.50 to 4.0); 0x80 (5.0)		ULONG LockCount;	3.50 to 5.0
0x6C (5.1 to early 5.2); 0x78 (late 5.2); 0x80 (6.0); 0x98 (6.1); 0xA0 (6.2 to 6.3); 0xA8 (10.0 to 1607); 0xB0 (1703 to 1903); 0xE0	0xB8 (late 5.2); 0xC0 (6.0); 0x0160 (6.1); 0x02C8 (6.2 to 6.3); 0x02D8 (10.0 to 1809); 0x02E0 (1903); 0x0438	EX_PUSH_LOCK ProcessLock;	5.1 and higher
0x98 (3.10); 0x80 (3.50 to 4.0); 0x88 (5.0); 0x70 (5.1 to early 5.2); 0x80 (late 5.2); 0x88 (6.0); 0xA0 (6.1); 0xA8 (6.2 to 6.3)	0xC0 (late 5.2); 0xC8 (6.0); 0x0168 (6.1); 0x02D0 (6.2 to 6.3)	LARGE_INTEGER CreateTime;	3.10 to 6.3	next at 0xC8 and 0x0308
0xA0 (3.10); 0x88 (3.50 to 4.0); 0x90 (5.0); 0x78 (5.1 to early 5.2); 0x88 (late 5.2); 0x90 (6.0); 0xA8 (6.1)	0xC8 (late 5.2); 0xD0 (6.0); 0x0170 (6.1)	LARGE_INTEGER ExitTime;	3.10 to 6.1	next at 0x02B8 and 0x0610
0xA8 (3.10)		unaccounted eight bytes	3.10 only
0x90 (3.50 to 4.0); 0x98 (5.0)		KTHREAD *LockOwner;	3.50 to 5.0
0x80 (5.1 to early 5.2); 0x90 (late 5.2); 0x98 (6.0); 0xB0 (6.2 to 6.3); 0xAC (10.0 to 1607)	0xD0 (late 5.2); 0xD8 (6.0); 0x0178 (6.1); 0x02D8 (6.2 to 6.3); 0x02E0 (10.0 to 1607)	EX_RUNDOWN_REF RundownProtect;	5.1 to 1607	next at 0xC0 and 0x02F8
0xB0 (10.0 to 1607)		PVOID VdmObjects;	10.0 to 1607	previously at 0x0128; next at 0xC4
0xB0 (3.10); 0x94 (3.50 to 4.0); 0x9C (5.0); 0x84 (5.1 to early 5.2); 0x94 (late 5.2); 0x9C (6.0); 0xB4 (6.1 to 1903); 0xE4	0xD8 (late 5.2); 0xE0 (6.0); 0x0180 (6.1); 0x02E0 (6.2 to 6.3); 0x02E8 (10.0 to 1607); 0x02E0 (1703 to 1809); 0x02E8 (1903); 0x0440	PVOID UniqueProcessId;	all
0xB4 (3.10); 0x98 (3.50 to 4.0); 0xA0 (5.0); 0x88 (5.1 to early 5.2); 0x98 (late 5.2); 0xA0 (6.0); 0xB8 (6.1 to 1903); 0xE8	0xE0 (late 5.2); 0xE8 (6.0); 0x0188 (6.1); 0x02E8 (6.2 to 6.3); 0x02F0 (10.0 to 1607); 0x02E8 (1703 to 1809); 0x02F0 (1903); 0x0448	LIST_ENTRY ActiveProcessLinks;	all
0xC0 (1703 to 1903); 0xF0	0x02F8 (1703 to 1809); 0x0300 (1903); 0x0458	EX_RUNDOWN_REF RundownProtect;	1703 and higher	previously at 0xAC and 0x02E0
0xC4 (1703 to 1903); 0xF4		PVOID VdmObjects;	1703 and higher	previously at 0xB0

Two sets of bit fields, in union with Flags and Flags2, that Windows XP and Windows Vista introduced towards what was then the end of the structure were moved near to the front for Windows 8. Perhaps not coincidentally, Windows 8 is the version that brings all 64 bits into use. More flags were added soon, as Flags3, but again near the end of the structure.

Offset (x86)	Offset (x64)	Definition	Versions	Remarks
0xC0 (6.2 to 1607); 0xC8 (1703 to 1903); 0xF8	0x02F8 (6.2 to 6.3); 0x0300 (10.0 to 1809); 0x0308 (1903); 0x0460	union { ULONG Flags2; struct { /* bit fields, follow link */ }; };	6.2 and higher	previously at 0x026C and 0x043C
0xC4 (6.2 to 1607); 0xCC (1703 to 1903); 0xFC	0x02FC (6.2 to 6.3); 0x0304 (10.0 to 1809); 0x030C (1903); 0x0464	union { ULONG Flags; struct { /* bit fields, follow link */ }; };	6.2 and higher	previously at 0x0270 and 0x0440
0xC8 (10.0 to 1607); 0xD0 (1703 to 1903); 0x0100	0x0308 (10.0 to 1809); 0x0310 (1903); 0x0468	LARGE_INTEGER CreateTime;	10.0 and higher	previously 0xA8 and 0x02D0

There now comes a set of members that track the process’s use of memory from the pools and the paging file. These resources are subject to quotas, but the limits apply to all processes that share a quota block. An EPROCESS_QUOTA_BLOCK has the limits and tracks the use, both current and peak, by all the applicable processes. The corresponding members here in the EPROCESS track the current and peak use by just the one process. For no reason yet known, the process’s pointer to its quota block, i.e., the QuotaBlock member, is in almost all versions placed further into the structure.

Each quota block has a spin lock, named QuotaLock, that guards both the quota block’s members and these members here in the EPROCESS. All versions except 3.10 have a default quota block in the kernel’s data. Its spin lock also guards the process’s QuotaBlock pointer. Version 3.10 instead provides its own spin lock in the EPROCESS. Microsoft’s name for it is not known, but the sharing of names such as QuotaPoolUsage between the EPROCESS and the EPROCESS_QUOTA_BLOCK speaks strongly for QuotaLock.

Offset (x86)	Offset (x64)	Definition	Versions	Remarks
0xBC (3.10)		KSPIN_LOCK QuotaLock;	3.10 only
0xC0 (3.10)		unknown KSPIN_LOCK	3.10 only
0xC4 (3.10); 0xA0 (3.50 to 4.0); 0xA8 (5.0)		ULONG QuotaPeakPoolUsage [2];	3.10 to 5.0	next as QuotaPeak
0xCC (3.10); 0xA8 (3.50 to 4.0); 0xB0 (5.0) 0x90 (5.1 to early 5.2); 0xA0 (late 5.2); 0xA8 (6.0); 0xC0 (6.1); 0xC8 (6.2 to 6.3); 0xD0 (10.0 to 1607); 0xD8 (1703 to 1903); 0x0108		ULONG QuotaPoolUsage [2];	3.10 to 5.0
	0xF0 (late 5.2); 0xF8 (6.0); 0x0198 (6.1); 0x0300 (6.2 to 6.3); 0x0310 (10.0 to 1809); 0x0318 (1903); 0x0470	ULONG_PTR QuotaUsage [3];	5.1 to 6.0
		ULONG_PTR ProcessQuotaUsage [2];	6.1 and higher
0x9C (5.1 to early 5.2); 0xAC (late 5.2); 0xB4 (6.0); 0xC8 (6.1); 0xD0 (6.2 to 6.3); 0xD8 (10.0 to 1607); 0xE0 (1703 to 1903); 0x0110	0x0108 (late 5.2); 0x0110 (6.0); 0x01A8 (6.1); 0x0310 (6.2 to 6.3); 0x0320 (10.0 to 1809); 0x0328 (1903); 0x0480	ULONG_PTR QuotaPeak [3];	5.1 to 6.0	previously QuotaPeakPoolUsage
		ULONG_PTR ProcessQuotaPeak [2];	6.1 and higher
0xD4 (3.10); 0xB0 (3.50 to 4.0); 0xB8 (5.0)		ULONG PagefileUsage;	3.10 to 5.0	next in QuotaPeak
0xD8 (3.10); 0xB4 (3.50 to 4.0); 0xBC (5.0); 0xA8 (5.1 to early 5.2); 0xB8 (late 5.2); 0xC0 (6.0); 0xD0 (6.1)	0x0120 (late 5.2); 0x0128 (6.0); 0x01B8 (6.1)	ULONG_PTR CommitCharge;	3.10 to 5.2
	0x0120 (late 5.2); 0x0128 (6.0); 0x01B8 (6.1)	ULONG_PTR volatile CommitCharge;	6.0 to 6.1	next at 0x01EC and 0x04D8
0xDC (3.10); 0xB8 (3.50 to 4.0); 0xC0 (5.0)		ULONG PeakPagefileUsage;	3.10 to 5.0	next in QuotaUsage
0xD4 (6.1)	0x01C0 (6.1)	EPROCESS_QUOTA_BLOCK *QuotaBlock;	6.1 only	previously at 0x0118 and 0x01D8; next at 0x014C and 0x0400
0xD8 (6.1)	0x01C8 (6.1)	PS_CPU_QUOTA_BLOCK *CpuQuotaBlock;	6.1 only

The PagefileUsage, CommitCharge and PeakPagefileUsage members count pages. The others count bytes.

The precise arrangement of the various members for current and peak use of the non-paged and pages pools and of the pagefile has varied with the EPROCESS_QUOTA_BLOCK implementation. Version 5.1 brought the pools and pagefile together into a PS_QUOTA_TYPE enumeration that indexes the QuotaUsage and QuotaPeak arrays, which thus absorb what had been PagefileUsage and PeakPagefileUsage.

All the statistical members in the preceding set are retrievable through either or both of two native API functions in all versions: as members of VM_COUNTERS, as filled by the ProcessVmCounters (0x03) case of the NtQueryInformationProcess function; and as members of SYSTEM_PROCESS_INFORMATION, as filled by the SystemProcessInformation (0x05) case of the NtQuerySystemInformation function. For the latter, what is here called the CommitCharge is there called the PrivatePageCount—and in the VM_COUNTERS_EX, which is supported in version 5.1 and higher, it is named PrivateUsage.

This area of statistical members also has the original counters of I/O operations and the bytes that these transferred. Presumably, this is because they were also retrievable in the SYSTEM_PROCESS_INFORMATION.

Offset (x86)	Definition	Versions	Remarks
0xE0 (3.10)	LARGE_INTEGER ReadTransferCount;	3.10 only	next at 0x0250 (5.0)
0xE8 (3.10)	LARGE_INTEGER WriteTransferCount;	3.10 only	next at 0x0258 (5.0)
0xF0 (3.10)	LARGE_INTEGER OtherTransferCount;	3.10 only	next at 0x0260 (5.0)
0xF8 (3.10)	ULONG ReadOperationCount;	3.10 only	next as LARGE_INTEGER at 0x0238 (5.0)
0xFC (3.10)	ULONG WriteOperationCount;	3.10 only	next as LARGE_INTEGER at 0x0240 (5.0)
0x0100 (3.10)	ULONG OtherOperationCount;	3.10 only	next as LARGE_INTEGER at 0x0248 (5.0)

The original implementation’s allowance of only 32 bits for counting the operations soon became problematic. Indeed, these counters disappear from the EPROCESS until version 5.0 brings them back, all 64 bits wide, but near to what was then the end of the structure.

In version 3.10, these I/O counters are retrievable through either or both of two native API functions: as members of IO_COUNTERS, as filled by the ProcessIoCounters (0x02) case of the NtQueryInformationProcess function; and as members of SYSTEM_PROCESS_INFORMATION. They are in version 5.0 and higher, too. In the intervening versions, the corresponding members of the SYSTEM_PROCESS_INFORMATION are unused or repurposed, and the ProcessIoCounters case is failed immediately as being not implemented. The NTDDK.H from the DDK for both Windows NT 3.51 and 4.0 presents a C-language definition of the original IO_COUNTERS structure, with 32-bit operation counts, as output from ProcessIoCounters, though trying to get that output can only have been a waste of time.

Offset (x86)	Offset (x64)	Definition	Versions
0x0104 (3.10); 0xBC (3.50 to 4.0); 0xC4 (5.0); 0xAC (5.1 to early 5.2); 0xBC (late 5.2); 0xC4 (6.0); 0xDC (6.1); 0xD8 (6.2 to 6.3); 0xE0 (10.0 to 1607); 0xE8 (1703 to 1903); 0x0118	0x0128 (late 5.2); 0x0130 (6.0); 0x01D0 (6.1); 0x0320 (6.2 to 6.3); 0x0330 (10.0 to 1809); 0x0338 (1903); 0x0490	ULONG_PTR PeakVirtualSize;	all
0x0108 (3.10); 0xC0 (3.50 to 4.0); 0xC8 (5.0); 0xB0 (5.1 to early 5.2); 0xC0 (late 5.2); 0xC8 (6.0); 0xE0 (6.1); 0xDC (6.2 to 6.3); 0xE4 (10.0 to 1607); 0xEC (1703 to 1903); 0x011C	0x0130 (late 5.2); 0x0138 (6.0); 0x01D8 (6.1); 0x0328 (6.2 to 6.3); 0x0338 (10.0 to 1809); 0x0340 (1903); 0x0498	ULONG_PTR VirtualSize;	all

The PeakVirtualSize and VirtualSize count pages. In all versions, conversions to bytes are retrievable as identically named members of the VM_COUNTERS structure that is filled by the ProcessVmCounters (0x03) case of the NtQueryInformationProcess function.

All versions 3.10 to 5.0 have four bytes of unused alignment space before the next member (which has 8-byte alignment before version 6.0).

Offset (x86)	Offset (x64)	Definition	Versions	Remarks
0x0110 (3.10); 0xC8 (3.50 to 4.0); 0xD0 (5.0)		MMSUPPORT Vm;	3.10 to 5.0	next at 0x01F8
0x0140 (3.10); 0xF8 (3.50 to 4.0)		PVOID LastProtoPteFault;	3.10 to 4.0
0x0118 (5.0); 0xB4 (5.1 to early 5.2); 0xC4 (late 5.2); 0xCC (6.0); 0xE4 (6.1); 0xE0 (6.2 to 6.3); 0xE8 (10.0 to 1607); 0xF0 (1703 to 1903); 0x0120	0x0138 (late 5.2); 0x0140 (6.0); 0x01E0 (6.1); 0x0330 (6.2 to 6.3); 0x0340 (10.0 to 1809); 0x0348 (1903); 0x04A0	LIST_ENTRY SessionProcessLinks;	5.0 and higher
0x0144 (3.10); 0xFC (3.50 to 4.0); 0x0120 (5.0); 0xBC (5.1 to early 5.2); 0xCC (late 5.2); 0xD4 (6.0); 0xEC (6.1)	0x0148 (late 5.2); 0x0150 (6.0); 0x01F0 (6.1)	PVOID DebugPort;	3.10 to 6.1	next at 0x0154 and 0x0410
0x0148 (3.10); 0x0100 (3.50 to 4.0); 0x0124 (5.0); 0xC0 (5.1 to early 5.2); 0xD0 (late 5.2); 0xD8 (6.0); 0xF0 (6.1); 0xE8 (6.2 to 6.3); 0xF0 (10.0 to 1607); 0xF8 (1703 to 1903); 0x0128	0x0150 (late 5.2); 0x0158 (6.0); 0x01F8 (6.1); 0x0340 (6.2 to 6.3); 0x0350 (10.0 to 1809); 0x0358 (1903); 0x04B0	PVOID ExceptionPort;	3.10 to 5.2
		union { PVOID ExceptionPortData; ULONG_PTR ExceptionPortValue; ULONG_PTR ExceptionPortState : 3; };	6.0 and higher
0x014C (3.10); 0x0104 (3.50 to 4.0); 0x0128 (5.0); 0xC4 (5.1 to early 5.2); 0xD4 (late 5.2); 0xDC (6.0); 0xF4 (6.1)	0x0158 (late 5.2); 0x0160 (6.0); 0x0200 (6.1)	HANDLE_TABLE *ObjectTable;	3.10 to 6.1	next at 0x0150 and 0x0408
0x0150 (3.10); 0x0108 (3.50 to 4.0); 0x012C (5.0); 0xC8 (5.1 to early 5.2); 0xD8 (late 5.2); 0xE0 (6.0); 0xF8 (6.1); 0xEC (6.2 to 6.3); 0xF4 (10.0 to 1607); 0xFC (1703 to 1903); 0x012C	0x0160 (late 5.2); 0x0168 (6.0); 0x0208 (6.1); 0x0348 (6.2 to 6.3); 0x0358 (10.0 to 1809); 0x0360 (1903); 0x04B8	PVOID Token;	3.10 to 5.0
		EX_FAST_REF Token;	5.1 and higher
0x0154 (3.10); 0x010C (3.50 to 4.0); 0x0130 (5.0); 0xCC (5.1)		KMUTANT WorkingSetLock;	3.10 only
		FAST_MUTEX WorkingSetLock;	3.50 to 5.1
0x0174 (3.10); 0x012C (3.50 to 4.0); 0x0150 (5.0); 0xEC (5.1); 0xCC (early 5.2); 0xDC (late 5.2); 0xE4 (6.0); 0xFC (6.1); 0xF0 (6.2 to 6.3); 0xF8 (10.0 to 1607); 0x0100 (1703 to 1903); 0x0130	0x0168 (late 5.2); 0x0170 (6.0); 0x0210 (6.1); 0x0350 (6.2 to 6.3); 0x0360 (10.0 to 1809); 0x0368 (1903); 0x04C0	ULONG_PTR WorkingSetPage;	3.10 to 1607
		ULONG MmReserved;	1703 and higher
0x0178 (3.10); 0x0130 (3.50 to 4.0); 0x0154 (5.0)		BOOLEAN ProcessOutswapEnabled;	3.10 to 5.0	next as OutswapEnabled in Flags
0x0179 (3.10); 0x0131 (3.50 to 4.0); 0x0155 (5.0)		BOOLEAN ProcessOutswapped;	3.10 to 5.0	next as Outswapped in Flags
0x017A (3.10); 0x0132 (3.50 to 4.0); 0x0156 (5.0)		BOOLEAN AddressSpaceInitialized;	3.10 to 5.0
0x017B (3.10); 0x0133 (3.50 to 4.0); 0x0157 (5.0)		BOOLEAN AddressSpaceDeleted;	3.10 to 5.0
0x017C (3.10); 0x0134 (3.50 to 4.0); 0x0158 (5.0); 0xF0 (5.1); 0xD0 (early 5.2); 0xE0 (late 5.2); 0xE8 (6.0); 0x0100 (6.1); 0xF4 (6.2 to 6.3); 0xFC (10.0 to 1607); 0x0104 (1703 to 1903); 0x0134		KEVENT AddressCreationLock;	3.10 only
		FAST_MUTEX AddressCreationLock;	3.50 to 5.1
	0x0170 (late 5.2); 0x0178 (6.0); 0x0218 (6.1); 0x0358 (6.2 to 6.3); 0x0368 (10.0 to 1809); 0x0370 (1903); 0x04C8	KGUARDED_MUTEX AddressCreationLock;	5.2 only
		EX_PUSH_LOCK AddressCreationLock;	6.0 and higher
0x0154 (3.50 to 4.0); 0x0178 (5.0); 0x0110 (5.1); 0xF0 (early 5.2); 0x0100 (late 5.2)	0x01A8 (late 5.2)	KSPIN_LOCK HyperSpaceLock;	3.50 to 5.2

HyperSpace is a per-process region of kernel-mode address space. In these versions that have a HyperSpaceLock, the x86, PAE and x64 builds have hyperspace at the pre-set addresses 0xC0400000, 0xC0800000 and 0xFFFFF700`00000000, respectively. The HyperSpaceLock is for a particular use of a relatively small part of hyperspace that provides temporary linear addresses for the kernel’s own preparation of physical memory that is otherwise not (yet) accessible. Speed is of the essence. Version 3.10 simply rotates through a pool of 0x80 pages of linear address space and risks that threads in the process don’t map into hyperspace in such a rush that one gets an address that another is still using. Version 3.50 continues the rotating allocation but protects with a spin lock: only one thread can have a hyperspace mapping at any one time; releasing the lock releases the mapping. Though this surely meant that one page of linear address space could serve all threads, version 3.51 increases the pool to 0x0100 pages. For the PAE builds, starting in version 5.0, the pool is 0x7F pages. Version 6.0 speeds the mapping into hyperspace by mapping to a per-processor region instead. Since threads on different processors map from different regions, the only “lock” that is now needed for mapping to “hyperspace” is to raise the IRQL: the HyperSpaceLock is needed no more.

Offset (x86)	Offset (x64)	Definition	Versions	Remarks
0xF8 (6.3); 0x0100 (10.0 to 1607); 0x0108 (1703 to 1903); 0x0138	0x0360 (6.2 to 6.3); 0x0370 (10.0 to 1809); 0x0378 (1903); 0x04D0	EX_PUSH_LOCK PageTableCommitmentLock;	6.3 and higher
0xEC (6.0); 0x0104 (6.1); 0xF8 (6.2); 0xFC (6.3); 0x0104 (10.0 to 1607); 0x010C (1703 to 1903); 0x013C	0x0180 (6.0); 0x0220 (6.1); 0x0360 (6.2); 0x0368 (6.2 to 6.3); 0x0378 (10.0 to 1809); 0x0380 (1903); 0x04D8	ETHREAD *RotateInProgress;	6.0 and higher
0x018C (3.10); 0x0158 (3.50 to 4.0); 0x017C (5.0); 0x0114 (5.1); 0xF4 (early 5.2); 0x0104 (late 5.2); 0xF0 (6.0); 0x0108 (6.1); 0xFC (6.2); 0x0100 (6.3); 0x0108 (10.0 to 1607); 0x0110 (1703 to 1903); 0x0140	0x01B0 (late 5.2); 0x0188 (6.0); 0x0228 (6.1); 0x0368 (6.2); 0x0370 (6.2 to 6.3); 0x0380 (10.0 to 1809); 0x0388 (1903); 0x04E0	ETHREAD *ForkInProgress;	all
0x0190 (3.10); 0x015C (3.50 to 4.0); 0x0180 (5.0)		ULONG VmOperation;	3.10 to 3.50
0x0190 (3.10); 0x015C (3.50 to 4.0); 0x0180 (5.0)		USHORT VmOperation;	3.51 to 5.0
0x015E (3.51 to 4.0); 0x0182 (5.0)		BOOLEAN ForkWasSuccessful;	3.51 to 5.0	previously at 0x0184
0x015F (4.0); 0x0183 (5.0)		UCHAR MmAgressiveWsTrimMask;	4.0 to 5.0
0x0194 (3.10); 0x0160 (3.50 to 4.0); 0x0184 (5.0)		KEVENT *VmOperationEvent;	3.10 to 5.0
0x0198 (3.10); 0x0164 (3.50 to 4.0)		HARDWARE_PTE PageDirectoryPte;	3.10 to 4.0	next at 0x01F0
0x0188 (5.0)		PVOID PaeTop;	5.0 only	next at 0x019C
0x019C (3.10); 0x0168 (3.50 to 4.0); 0x018C (5.0)		ULONG LastFaultCount;	3.10 to 5.0	next at 0x0238
0x01A0 (3.10); 0x016C (3.50 to 4.0); 0x0190 (5.0)		ULONG ModifiedPageCount;	3.10 to 5.0	next at 0x023C

That the LastFaultCount has earlier history than is known from type information in symbol files for version 5.0 is confirmed by debugger extensions. It is here assumed to have been defined all along, but beware that no use is yet known in any of these early versions.

Offset (x86)	Offset (x64)	Definition	Versions	Remarks
0x0118 (5.1); 0xF8 (early 5.2); 0x0108 (late 5.2); 0xF4 (6.0); 0x010C (6.1); 0x0100 (6.2)	0x01B8 (late 5.2); 0x0190 (6.0); 0x0230 (6.1); 0x0370 (6.2)	ULONG_PTR HardwareTrigger;	5.1 to 6.2
0x01A4 (3.10); 0x0170 (3.50 to 4.0); 0x0194 (5.0); 0x011C (5.1)		PVOID VadRoot;	3.10 to 5.1	next at 0x0258
0x01A8 (3.10); 0x0174 (3.50 to 4.0); 0x0198 (5.0); 0x0120 (5.1)		PVOID VadHint;	3.10 to 5.1
0xFC (early 5.2); 0x010C (late 5.2); 0xF8 (6.0); 0x0110 (6.1)	0x01C0 (late 5.2); 0x0198 (6.0); 0x0238 (6.1)	MM_AVL_TABLE *PhysicalVadRoot;	5.2 to 6.1
0x0104 (6.2 to 6.3); 0x010C (10.0 to 1607); 0x0114 (1703 to 1903); 0x0144	0x0378 (6.2 to 6.3); 0x0388 (10.0 to 1809); 0x0390 (1903); 0x04E8	EJOB *CommitChargeJob;	6.2 and higher
0x01AC (3.10); 0x0178 (3.50 to 4.0); 0x019C (5.0); 0x0124 (5.1); 0x0100 (early 5.2); 0x0110 (late 5.2); 0xFC (6.0); 0x0114 (6.1); 0x0108 (6.2 to 6.3); 0x0110 (10.0 to 1607); 0x0118 (1703 to 1903); 0x0148	0x01C8 (late 5.2); 0x01A0 (6.0); 0x0240 (6.1); 0x0380 (6.2 to 6.3); 0x0390 (10.0 to 1809); 0x0398 (1903); 0x04F0	PVOID CloneRoot;	3.10 to 6.2
		RTL_AVL_TREE CloneRoot;	6.3 and higher
0x01B0 (3.10); 0x017C (3.50 to 4.0); 0x01A0 (5.0); 0x0128 (5.1); 0x0104 (early 5.2); 0x0114 (late 5.2); 0x0100 (6.0); 0x0118 (6.1); 0x010C (6.2 to 6.3); 0x0114 (10.0 to 1607); 0x011C (1703 to 1903); 0x014C	0x01D0 (late 5.2); 0x01A8 (6.0); 0x0248 (6.1); 0x0388 (6.2 to 6.3); 0x0398 (10.0 to 1809); 0x03A0 (1903); 0x04F8	ULONG_PTR NumberOfPrivatePages;	3.10 to 5.2
		ULONG_PTR volatile NumberOfPrivatePages;	6.0 and higher
0x01B4 (3.10); 0x0180 (3.50 to 4.0); 0x01A4 (5.0); 0x012C (5.1); 0x0108 (early 5.2); 0x0118 (late 5.2); 0x0104 (6.0); 0x011C (6.1); 0x0110 (6.2 to 6.3); 0x0118 (10.0 to 1607); 0x0120 (1703 to 1903); 0x0150	0x01D8 (late 5.2); 0x01B0 (6.0); 0x0250 (6.1); 0x0390 (6.2 to 6.3); 0x03A0 (10.0 to 1809); 0x03A8 (1903); 0x0500	ULONG_PTR NumberOfLockedPages;	3.10 to 5.2
		ULONG_PTR volatile NumberOfLockedPages;	6.0 and higher
0x01B8 (3.10); 0x0184 (3.50)		BOOLEAN ForkWasSuccessful;	3.10 to 3.50	next at 0x015E
0x01B9 (3.10)		unaccounted two bytes	3.10 only
0x0185 (3.50); 0x0184 (3.51 to 4.0); 0x01A8 (5.0)		UCHAR NextPageColor;	3.50 only
0x0185 (3.50); 0x0184 (3.51 to 4.0); 0x01A8 (5.0)		USHORT NextPageColor;	3.51 to 5.0	next at 0x0250
0x0186 (3.50 to 4.0); 0x01AA (5.0)		BOOLEAN ExitProcessCalled;	3.50 to 5.0
0x01BB (3.10); 0x0187 (3.50 to 4.0); 0x01AB (5.0)		BOOLEAN CreateProcessReported;	3.10 to 5.0	next as CreateReported in Flags
0x0130 (5.1); 0x010C (early 5.2); 0x011C (late 5.2); 0x0108 (6.0); 0x0120 (6.1); 0x0114 (6.2 to 6.3); 0x011C (10.0 to 1607); 0x0124 (1703 to 1903); 0x0154	0x01E0 (late 5.2); 0x01B8 (6.0); 0x0258 (6.1); 0x0398 (6.2 to 6.3); 0x03A8 (10.0 to 1809); 0x03B0 (1903); 0x0508	PVOID Win32Process;	5.1 and higher	previously at 0x0214
0x0134 (5.1); 0x0110 (early 5.2); 0x0120 (late 5.2); 0x010C (6.0); 0x0124 (6.1); 0x0118 (6.2 to 6.3); 0x0120 (10.0 to 1607); 0x0128 (1703 to 1903); 0x0158	0x01E8 (late 5.2); 0x01C0 (6.0); 0x0260 (6.1); 0x03A0 (6.2 to 6.3); 0x03B0 (10.0 to 1809); 0x03B8 (1903); 0x0510	EJOB *Job;	5.1 and higher	previously at 0x0218
0x01BC (3.10); 0x0188 (3.50 to 4.0); 0x01AC (5.0); 0x0138 (5.1); 0x0114 (early 5.2); 0x0124 (late 5.2); 0x0110 (6.0); 0x0128 (6.1); 0x011C (6.2 to 6.3); 0x0124 (10.0 to 1607); 0x012C (1703 to 1903); 0x015C	0x01F0 (late 5.2); 0x01C8 (6.0); 0x0268 (6.1); 0x03A8 (6.2 to 6.3); 0x03B8 (10.0 to 1809); 0x03C0 (1903); 0x0518	HANDLE SectionHandle;	3.10 to 5.0
		PVOID SectionObject;	5.1 and higher
0x01C0 (3.10); 0x018C (3.50 to 4.0); 0x01B0 (5.0)		PEB *Peb;	3.10 to 5.0	next at 0x01B0
0x01C4 (3.10); 0x0190 (3.50 to 4.0); 0x01B4 (5.0); 0x013C (5.1); 0x0118 (early 5.2); 0x0128 (late 5.2); 0x0114 (6.0); 0x012C (6.1); 0x0120 (6.2 to 6.3); 0x0128 (10.0 to 1607); 0x0130 (1703 to 1903); 0x0160	0x01F8 (late 5.2); 0x01D0 (6.0); 0x0270 (6.1); 0x03B0 (6.2 to 6.3); 0x03C0 (10.0 to 1809); 0x03C8 (1903); 0x0520	PVOID SectionBaseAddress;	all
0x01C8		unaccounted 0x18 bytes	3.10 only
0x01E0 (3.10); 0x0194 (3.50 to 4.0); 0x01B8 (5.0); 0x0140 (5.1); 0x011C (early 5.2); 0x012C (late 5.2); 0x0118 (6.0)	0x0200 (late 5.2); 0x01D8 (6.0)	EPROCESS_QUOTA_BLOCK *QuotaBlock;	3.10 to 6.0	next at 0xD4 and 0x01C0
0x0130 (6.1); 0x0124 (6.2 to 6.3); 0x012C (10.0 to 1607); 0x0134 (1703 to 1903); 0x0164	0x0278 (6.1); 0x03B8 (6.2 to 6.3); 0x03C8 (10.0 to 1809); 0x03D0 (1903); 0x0528	ULONG Cookie;	6.1 and higher	previously at 0x0258 and 0x03C0
0x0134 (6.1)	0x027C (6.1)	ULONG Spare8;	6.1 only (x86)
0x0134 (6.1)	0x027C (6.1)	ULONG UmsScheduledThreads;	6.1 only (x64)
0x0128 (6.2 to 6.3)		PVOID VdmObjects;	6.2 to 6.3	previously at 0x0148; next at 0xB0
0x01E4 (3.10); 0x0198 (3.50 to 4.0); 0x01BC (5.0)		LONG LastThreadExitStatus;	3.10 to 5.0	next at 0x01AC
0x01E8 (3.10); 0x019C (3.50 to 4.0); 0x01C0 (5.0); 0x0144 (5.1); 0x0120 (early 5.2); 0x0130 (late 5.2); 0x011C (6.0); 0x0138 (6.1); 0x012C (6.2 to 6.3); 0x0130 (10.0 to 1607); 0x0138 (1703 to 1903); 0x0168	0x0208 (late 5.2); 0x01E0 (6.0); 0x0280 (6.1); 0x03C0 (6.2 to 6.3); 0x03D0 (10.0 to 1809); 0x03D8 (1903); 0x0530	PAGEFAULT_HISTORY *WorkingSetWatch;	all
0x01EC (3.10); 0x01A0 (3.50 to 4.0); 0x01C4 (5.0); 0x0148 (5.1); 0x0124 (early 5.2); 0x0134 (late 5.2); 0x0120 (6.0); 0x013C (6.1); 0x0130 (6.2 to 6.3); 0x0134 (10.0 to 1607); 0x013C (1703 to 1903); 0x016C	0x0210 (late 5.2); 0x01E8 (6.0); 0x0288 (6.1); 0x03C8 (6.2 to 6.3); 0x03D8 (10.0 to 1809); 0x03E0 (1903); 0x0538	PVOID LpcPort;	3.10 to 3.51
		PVOID Win32WindowStation;	4.0 and higher

The Win32WindowStation is an example of an EPROCESS member that is known outside the kernel, specifically to WIN32K.SYS in versions 4.0 and 5.0. Indeed, the kernel itself is not known to use this member until version 5.1 introduces the exported functions PsGetProcessWin32WindowStation. and PsSetProcessWindowStation. The KDEXTX86 debugger extension for version 3.51 reports the corresponding offset as holding the LpcPort. Continuity is here assumed from the beginning, but no use is yet known in any version before 4.0.

Offset (x86)	Offset (x64)	Definition	Versions	Remarks
0x01F0 (3.10); 0x01A4 (3.50 to 4.0); 0x01C8 (5.0); 0x014C (5.1); 0x0128 (early 5.2); 0x0138 (late 5.2); 0x0124 (6.0); 0x0140 (6.1); 0x0134 (6.2 to 6.3); 0x0138 (10.0 to 1607); 0x0140 (1703 to 1903); 0x0170	0x0218 (late 5.2); 0x01F0 (6.0); 0x0290 (6.1); 0x03D0 (6.2 to 6.3); 0x03E0 (10.0 to 1809); 0x03E8 (1903); 0x0540	PVOID InheritedFromUniqueProcessId;	all
0x01F4 (3.10); 0x01A8 (3.51 to 4.0); 0x01CC (5.0)		ACCESS_MASK GrantedAccess;	3.10 to 5.0	next at 0x01A4
0x01F8 (3.10); 0x01AC (3.50 to 4.0); 0x01D0 (5.0)		ULONG DefaultHardErrorProcessing;	3.10 to 5.0	next at 0x01A8
0x01FC (3.10); 0x01B0 (3.50 to 4.0); 0x01D4 (5.0); 0x0150 (5.1); 0x012C (early 5.2); 0x013C (late 5.2); 0x0128 (6.0); 0x0144 (6.1); 0x0138 (6.2 to 6.3); 0x013C (10.0 to 1607); 0x0144 (1703 to 1903); 0x0174	0x0220 (late 5.2); 0x01F8 (6.0); 0x0298 (6.1); 0x03D8 (6.2 to 6.3); 0x03E8 (10.0 to 1809)	PVOID LdtInformation;	all (x86); 5.2 to 1803 (x64)
		PVOID Spare0;	1809 only (x64)
0x0200 (3.10); 0x01B4 (3.50 to 4.0); 0x01D8 (5.0); 0x0154 (5.1); 0x0130 (early 5.2); 0x0140 (late 5.2); 0x012C (6.0)	0x0228 (late 5.2); 0x0200 (6.0)	PVOID VadFreeHint;	3.10 to early 6.0
	0x0228 (late 5.2); 0x0200 (6.0)	PVOID Spare;	late 6.0 only
0x0204 (3.10); 0x01B8 (3.50 to 4.0); 0x01DC (5.0); 0x0158 (5.1); 0x0x134 (early 5.2); 0x0144 (late 5.2); 0x0130 (6.0); 0x0148 (6.1)	0x0230 (late 5.2); 0x0208 (6.0); 0x02A0 (6.1)	PVOID VdmObjects;	3.10 to 6.1 (x86); 5.2 to 6.0 (x64)	next at 0x0128
	0x0230 (late 5.2); 0x0208 (6.0); 0x02A0 (6.1)	PVOID Spare;	6.1 only (x64)
0x0208 (3.10); 0x01BC (3.50 to 4.0)		KMUTANT ProcessMutant;	3.10 to 4.0
0x014C (6.1); 0x013C (6.2 to 6.3); 0x0140 (10.0 to 1607); 0x0148 (1703 to 1903); 0x0178	0x02A8 (6.1); 0x03E0 (6.2 to 6.3); 0x03F0 (10.0 to 1903); 0x0548	ULONG_PTR ConsoleHostProcess;	6.1 only
		union { EPROCESS *CreatorProcess; ULONG_PTR ConsoleHostProcess; };	6.2 only
		ULONG_PTR volatile OwnerProcessId;	6.3 and higher
0x0140 (6.2 to 6.3); 0x0144 (10.0 to 1607); 0x014C (1703 to 1903); 0x017C	0x03E8 (6.2 to 6.3); 0x03F8 (10.0 to 1903); 0x0550	PEB *Peb;	6.2 and higher	previously at 0x01A8 and 0x0338
0x0144 (6.2 to 6.3); 0x0148 (10.0 to 1607); 0x0150 (1703 to 1903); 0x0180	0x03F0 (6.2 to 6.3); 0x0400 (10.0 to 1903); 0x0558	PVOID Session;	6.2 and higher	previously at 0x0168 and 0x02D8
0x0148 (6.2 to 6.3); 0x014C (10.0 to 1607); 0x0154 (1703 to 1903); 0x0184	0x03F8 (6.2 to 6.3); 0x0408 (10.0 to 1903); 0x0560	PVOID AweInfo;	6.2 to 1803	previously at 0x01E8 and 0x0388
	0x03F8 (6.2 to 6.3); 0x0408 (10.0 to 1903); 0x0560	PVOID Spare1;	1809 and higher
0x014C (6.2 to 6.3); 0x0150 (10.0 to 1607); 0x0158 (1703 to 1903); 0x0188	0x0400 (6.2 to 6.3); 0x0410 (10.0 to 1903); 0x0568	EPROCESS_QUOTA_BLOCK *QuotaBlock;	6.2 and higher	previously at 0xD4 and 0x01C0
0x0150 (6.2 to 6.3); 0x0154 (10.0 to 1607); 0x015C (1703 to 1903); 0x018C	0x0408 (6.2 to 6.3); 0x0418 (10.0 to 1903); 0x0570	HANDLE_TABLE *ObjectTable;	6.2 and higher	previously at 0x0F4 and 0x0200
0x0154 (6.2 to 6.3); 0x0158 (10.0 to 1607); 0x0160 (1703 to 1903); 0x0190	0x0410 (6.2 to 6.3); 0x0420 (10.0 to 1903); 0x0578	PVOID DebugPort;	6.2 and higher	previously at 0xEC and 0x01F0
0x0158 (6.2 to 6.3); 0x015C (10.0 to 1607); 0x0164 (1703 to 1903); 0x0194		PVOID PaeTop;	6.2 and higher	previously at 0x0194
	0x0418 (6.2 to 6.3); 0x0428 (10.0 to 1903); 0x0580	PVOID Wow64Process;	6.2 to 10.0	previously at 0x0320
	0x0418 (6.2 to 6.3); 0x0428 (10.0 to 1903); 0x0580	EWOW64PROCESS *Wow64Process;	1511 and higher
0x01E0 (5.0); 0x015C (5.1); 0x0138 (early 5.2); 0x0148 (late 5.2); 0x0134 (6.0); 0x0150 (6.1); 0x015C (6.2 to 6.3); 0x0160 (10.0 to 1607); 0x0168 (1703 to 1903); 0x0198	0x0238 (late 5.2); 0x0210 (6.0); 0x02B0 (6.1); 0x0420 (6.2 to 6.3); 0x0430 (10.0 to 1903); 0x0588	PVOID DeviceMap;	5.0 and higher
0x01E4 (5.0)		ULONG SessionId;	5.0 only
0x01E8 (5.0); 0x0160 (5.1); 0x013C (early 5.2); 0x014C (late 5.2)		LIST_ENTRY PhysicalVadList;	5.0 to 5.1
	0x0240 (late 5.2)	PVOID Spare0 [3];	5.2 only
0x0138 (6.0); 0x0154 (6.1); 0x0160 (6.2 to 6.3); 0x0164 (10.0 to 1607); 0x016C (1703 to 1903); 0x019C	0x0218 (6.0); 0x02B8 (6.1); 0x0428 (6.2 to 6.3); 0x0438 (10.0 to 1903); 0x0590	PVOID EtwDataSource;	6.0 and higher
0x013C (6.0); 0x0158 (6.1)	0x0220 (6.0); 0x02C0 (6.1)	PVOID FreeTebHint;	6.0 to 6.1
	0x02C8 (6.1)	PVOID FreeUmsTebHint;	6.1 only

The EtwDataSource, when it is not NULL, is historically the address of an ETW_DATA_SOURCE structure which supports inter-process communication by Event Tracing for Windows (ETW). Starting with version 6.3, it is different things at different times. A process that intends to receive notifications but has not yet sent any can supply an event that the kernel is to signal whenever notifications are ready for receipt. The EtwDataSource then holds the address of the event object but with the low bit set. If the process then sends any notifications, the EtwDataSource is changed to be the address of the supporting structure, and the event object’s address is transferred to this structure.

Offset (x86)	Offset (x64)	Definition	Versions	Remarks
0x01F0 (5.0); 0x0168 (5.1); 0x0148 (early 5.2); 0x0158 (late 5.2); 0x0140 (6.0); 0x0160 (6.1); 0x0168 (10.0 to 1607); 0x0170 (1703 to 1903); 0x01A0	0x0258 (late 5.2); 0x0228 (6.0); 0x02D0 (6.1); 0x0430 (6.2 to 6.3); 0x0440 (10.0 to 1903); 0x0598	union { HARDWARE_PTE PageDirectoryPte; ULONGLONG Filler; };	5.0 to 6.1	previously at 0x0164
		ULONGLONG PageDirectoryPte;	6.2 and higher
0x01F8 (5.0)		ULONG PaePageDirectoryPage;	5.0 only

Versions 5.0 to 6.1 of the 32-bit kernel exist in two forms. One has the processor translate 32-bit linear addresses to 32-bit physical addresses. The other uses Physical Address Extension (PAE) to support a larger physical address space. For the former, each Page Table Entry (PTE) is four bytes. With PAE, each PTE is eight bytes. Not shown above is that Microsoft at first separated the original HARDWARE_PTE into separately named structures, HARDWARE_PTE_X86 and HARDWARE_PTE_X86PAE. The version 5.1 from Windows XP SP1 returned to the simplicity of having the one HARDWARE_PTE, now defined differently according to whether the kernel does or does not use PAE (or is for 64-bit Windows). Version 6.2 discontinued the 32-bit kernel that does not use PAE, and so the Filler lost its reason for existence.

Offset (x86)	Offset (x64)	Definition	Versions	Remarks
0x0170 (5.1); 0x0150 (early 5.2); 0x0160 (late 5.2); 0x0148 (6.0); 0x0168 (6.1)	0x0260 (late 5.2); 0x0230 (6.0); 0x02D8 (6.1)	PVOID Session;	5.1 to 6.1	next at 0x0144 and 0x03F0
0x0170 (1511 to 1607); 0x0178 (1703 to 1903); 0x01A8	0x0448 (1511 to 1903); 0x05A0	FILE_OBJECT *ImageFilePointer;	1511 and higher
0x0228 (3.10); 0x01DC (3.50 to 4.0); 0x01FC (5.0); 0x0174 (5.1); 0x0154 (early 5.2); 0x0164 (late 5.2); 0x014C (6.0); 0x016C (6.1); 0x0170 (6.2 to 10.0); 0x0174 (1511 to 1607); 0x017C (1703 to 1903); 0x01AC	0x0268 (late 5.2); 0x0238 (6.0); 0x02E0 (6.1); 0x0438 (6.2 to 6.3); 0x0448 (10.0); 0x0450 (1511 to 1903); 0x05A8	UCHAR ImageFileName [0x20];	3.10 only
		UCHAR ImageFileName [0x10];	3.50 to 6.0
		UCHAR ImageFileName [0x0F];	6.1 and higher
0x017B (6.1); 0x017F (6.2 to 10.0); 0x0183 (1511 to 1607); 0x018B (1703 to 1903); 0x01BB	0x02EF (6.1); 0x0447 (6.2 to 6.3); 0x0457 (10.0); 0x045F (1511 to 1903); 0x05B7	UCHAR PriorityClass;	6.1 and higher	previously at 0x0234 and 0x037C