SKETCH OF HOW RESEARCH MIGHT CONTINUE AND RESULTS BE PRESENTED

RTL_USER_PROCESS_INFORMATION

The RTL_USER_PROCESS_INFORMATION structure (formally _RTL_USER_PROCESS_INFORMATION) is known only as output from the RtlCreateUserProcess function.

The RTL_USER_PROCESS_INFORMATION structure is not documented. Neither is a C-language definition known to have been published by Microsoft in any development kit for Windows programming. That said, Microsoft’s name for the structure and even the types and names of its members were disclosed by Microsoft as long ago as the mid-1990s, as type information that somehow survived in the import libraries GDISRVL.LIB and SHELL32.LIB, which Microsoft included with the Device Driver Kit (DDK) for Windows NT 3.51 and 4.0, respectively. Offsets and names (but not types) are also known with very high confidence for Windows 2000 from the output of the !dso command of the USERKDX debugger extension for that version.

The RTL_USER_PROCESS_INFORMATION structure is 0x44 or 0x58 bytes in 32-bit and 64-bit Windows, respectively, in all known Windows versions.

Offset (x86)  Offset (x64)  Definition                                    Versions
0x00          0x00          ULONG Length;                                 all
0x04          0x08          HANDLE Process;                               all
0x08          0x10          HANDLE Thread;                                all
0x0C          0x18          CLIENT_ID ClientId;                           all
0x14          0x28          SECTION_IMAGE_INFORMATION ImageInformation;   all
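The x86 and x64 offsets tabulated above follow from natural alignment of the members. The following C program is an added example, not code from the original page or from Microsoft: it derives each offset for a given pointer size and checks the result against the table. It assumes that HANDLE is pointer-sized, that CLIENT_ID consists of two HANDLEs, and that SECTION_IMAGE_INFORMATION begins with a pointer and is therefore pointer-aligned. Because the page does not define SECTION_IMAGE_INFORMATION, the program computes member offsets only, not the total size of the structure.

```c
#include <stddef.h>
#include <stdio.h>

#define RTL_UPI_MEMBERS 5

/* One member of the structure: its size and required alignment in bytes. */
typedef struct {
    size_t size;
    size_t align;
} member_t;

/* Round v up to the next multiple of a (a is a power of two here). */
static size_t align_up(size_t v, size_t a)
{
    return (v + a - 1) & ~(a - 1);
}

/* Fill offsets[] with the offset of each member of RTL_USER_PROCESS_INFORMATION
   for the given pointer size (4 for x86, 8 for x64), applying natural alignment.
   Assumptions made by this example: HANDLE is pointer-sized; CLIENT_ID is two
   HANDLEs; SECTION_IMAGE_INFORMATION begins with a pointer, so it is pointer
   aligned. Its size is left as 0 because it is the last member and the page
   does not define it, so no offset depends on it. */
void rtl_upi_offsets(size_t ptr, size_t offsets[RTL_UPI_MEMBERS])
{
    const member_t members[RTL_UPI_MEMBERS] = {
        { 4,       4   },  /* ULONG Length */
        { ptr,     ptr },  /* HANDLE Process */
        { ptr,     ptr },  /* HANDLE Thread */
        { 2 * ptr, ptr },  /* CLIENT_ID ClientId */
        { 0,       ptr },  /* SECTION_IMAGE_INFORMATION ImageInformation */
    };
    size_t off = 0;
    for (int i = 0; i < RTL_UPI_MEMBERS; i++) {
        off = align_up(off, members[i].align);  /* pad to the member's alignment */
        offsets[i] = off;
        off += members[i].size;
    }
}

/* Offset of one member (index in declaration order) for the given pointer size. */
size_t rtl_upi_offset(size_t ptr, int index)
{
    size_t offsets[RTL_UPI_MEMBERS];
    rtl_upi_offsets(ptr, offsets);
    return offsets[index];
}

/* Compare the computed layout with the offsets tabulated on the page.
   Returns 1 if every member matches, 0 otherwise. */
int rtl_upi_matches_table(size_t ptr)
{
    static const size_t table_x86[RTL_UPI_MEMBERS] = { 0x00, 0x04, 0x08, 0x0C, 0x14 };
    static const size_t table_x64[RTL_UPI_MEMBERS] = { 0x00, 0x08, 0x10, 0x18, 0x28 };
    const size_t *expected = (ptr == 8) ? table_x64 : table_x86;
    size_t offsets[RTL_UPI_MEMBERS];
    rtl_upi_offsets(ptr, offsets);
    for (int i = 0; i < RTL_UPI_MEMBERS; i++)
        if (offsets[i] != expected[i])
            return 0;
    return 1;
}

int main(void)
{
    const char *names[RTL_UPI_MEMBERS] = {
        "Length", "Process", "Thread", "ClientId", "ImageInformation"
    };
    size_t x86[RTL_UPI_MEMBERS], x64[RTL_UPI_MEMBERS];
    rtl_upi_offsets(4, x86);
    rtl_upi_offsets(8, x64);
    printf("%-18s %-6s %-6s\n", "Member", "x86", "x64");
    for (int i = 0; i < RTL_UPI_MEMBERS; i++)
        printf("%-18s 0x%02zX   0x%02zX\n", names[i], x86[i], x64[i]);
    printf("table match: x86=%d x64=%d\n",
           rtl_upi_matches_table(4), rtl_upi_matches_table(8));
    return 0;
}
```

Running the program prints the same offset table for both pointer sizes and reports that both match the page. The same routine can be extended with further members when a structure's size, rather than only its offsets, is to be checked against a debugger's output.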