Geoff Chappell, Software Analyst
The CSR_API_CONNECTINFO structure is the connection information that a client process of the CSRSS.EXE server supplies to the NtConnectPort function when hoping to connect to the server. CSRSRV.DLL in the CSRSS.EXE process receives this data as the ConnectionRequest in a CSR_API_MSG whose PORT_MESSAGE header has LPC_CONNECTION_REQUEST (0x000A) as its Type.
The CSR_API_CONNECTINFO structure is not documented. Neither is Microsoft known to have disclosed a C-language definition in any header from any publicly available kit for any sort of software development. Type information for the CSR_API_CONNECTINFO is in public symbol files for CSRSS.EXE in Windows Vista only. Earlier type information is known in a statically linked library, named GDISRVL.LIB, which Microsoft published with the Device Driver Kit (DDK) for Windows NT 3.51.
The following changes of size are known:
Version | Size (x86) | Size (x64) |
---|---|---|
3.10 to 5.0 | 0x28 | |
5.1 | 0x2C | |
5.2 | 0x24 | 0x38 |
6.0 to 6.1 | 0x20 | 0x30 |
6.2 to 10.0 | 0x1C | 0x30 |
These sizes and the names and types in the table that follows are from type information in public symbol files (or such as would ordinarily be in public symbol files) for versions 3.51 and 6.0. What’s known of Microsoft’s names and types for other versions is something of a guess, being inferred from what use CSRSRV is seen to make of the structure. Where use of a member corresponds closely with that of a version for which Microsoft’s symbols are available, it seems reasonable to suppose continuity. Some use, however, has no correspondence, the code having changed too much. Even where the use hasn’t changed, tracking it down exhaustively would be difficult, if not impossible, even with source code.
Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
---|---|---|---|---|
0x00 (3.10 to 5.1) | | ULONG ExpectedVersion; | 3.10 to 5.1 | input |
0x04 (3.10 to 5.1) | | ULONG CurrentVersion; | 3.10 to 5.1 | |
0x08 (3.10 to 5.1); 0x00 (5.2 to 6.1) | 0x00 (before 6.2) | HANDLE ObjectDirectory; | 3.10 to 6.1 | output |
0x0C (3.10 to 5.1); 0x04 (5.2 to 6.1); 0x00 | 0x08 (before 6.2); 0x00 | PVOID SharedSectionBase; | all | output |
0x10 (3.10 to 5.1); 0x08 (5.2 to 6.1); 0x04 | 0x10 (before 6.2); 0x08 | PVOID SharedStaticServerData; | all | output |
0x14 (3.10 to 5.1); 0x0C (5.2) | 0x18 (late 5.2) | PVOID SharedSectionHeap; | 3.10 to 5.2 | output |
0x18 (3.10 to 5.1); 0x10 (5.2); 0x0C (6.0 to 6.1) | 0x20 (late 5.2); 0x18 (6.0 to 6.1) | ULONG DebugFlags; | 3.10 to 6.1 | |
0x1C (3.10 to 5.1); 0x14 (5.2); 0x10 (6.0 to 6.1) | 0x24 (late 5.2); 0x1C (6.0 to 6.1) | ULONG SizeOfPebData; | 3.10 to 6.1 | |
0x20 (3.10 to 5.1); 0x18 (5.2); 0x14 (6.0 to 6.1) | 0x28 (late 5.2); 0x20 (6.0 to 6.1) | ULONG SizeOfTebData; | 3.10 to 6.1 | |
0x24 (3.10 to 5.1); 0x1C (5.2); 0x18 (6.0 to 6.1) | 0x2C (late 5.2); 0x24 (6.0 to 6.1) | ULONG NumberOfServerDllNames; | 3.10 to 6.1 | |
0x28 (5.1); 0x20 (5.2); 0x1C (6.0 to 6.1); 0x08 | 0x30 (late 5.2); 0x28 (6.0 to 6.1); 0x10 | PVOID ServerProcessId; | 5.1 and higher | output |
0x0C | 0x18 | unaccounted 4 or 8 bytes | 6.2 and higher | |
0x10 | 0x20 | unknown dword | 6.2 and higher | input |
0x14 | 0x24 | unknown dword | 6.2 and higher | input output |
0x18 | 0x28 | unknown 4 or 8 bytes | 6.2 and higher | input |
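
The offsets and sizes tabulated above all follow from the member order under natural alignment, which the following added example checks and then uses to decode a raw structure image, as might be lifted from a memory dump. It is not code from this page or from Microsoft: the names `LAYOUTS`, `offsets`, `parse` and `SAMPLE` are hypothetical, little-endian natural alignment is assumed, and the 6.2 and higher layout is left out because most of its members are unnamed.

```python
import struct

# "P" = pointer-sized (HANDLE, PVOID); "L" = ULONG. Member order is from the table.
_VERS = [("ExpectedVersion", "L"), ("CurrentVersion", "L")]
_SHARED = [("ObjectDirectory", "P"), ("SharedSectionBase", "P"),
           ("SharedStaticServerData", "P")]
_HEAP = [("SharedSectionHeap", "P")]
_COUNTS = [("DebugFlags", "L"), ("SizeOfPebData", "L"),
           ("SizeOfTebData", "L"), ("NumberOfServerDllNames", "L")]
_PID = [("ServerProcessId", "P")]

LAYOUTS = {
    "3.10-5.0": _VERS + _SHARED + _HEAP + _COUNTS,
    "5.1":      _VERS + _SHARED + _HEAP + _COUNTS + _PID,
    "5.2":      _SHARED + _HEAP + _COUNTS + _PID,
    "6.0-6.1":  _SHARED + _COUNTS + _PID,
}

def offsets(version, x64):
    """Return ({member: offset}, structure size) for one version range."""
    ptr = 8 if x64 else 4
    off, out = 0, {}
    for name, kind in LAYOUTS[version]:
        size = ptr if kind == "P" else 4
        off = (off + size - 1) & ~(size - 1)    # align member to its own size
        out[name] = off
        off += size
    return out, (off + ptr - 1) & ~(ptr - 1)    # pad to pointer alignment

def parse(buf, version, x64):
    """Decode a CSR_API_CONNECTINFO image into {member: value}."""
    offs, size = offsets(version, x64)
    if len(buf) != size:                        # wrong version or bitness guess
        raise ValueError(f"{version}: expected {size:#x} bytes, got {len(buf):#x}")
    fmt = {"L": "<I", "P": "<Q" if x64 else "<I"}
    return {name: struct.unpack_from(fmt[kind], buf, offs[name])[0]
            for name, kind in LAYOUTS[version]}

# Constructed sample (not captured data): a 6.0 to 6.1 x64 image, 0x30 bytes.
SAMPLE = struct.pack("<QQQIIIIQ", 0x40, 0x7FFE0000, 0x7FFE0800, 0, 0, 0, 4, 0x1F4)

if __name__ == "__main__":
    for version in LAYOUTS:
        print(version, hex(offsets(version, False)[1]))
    print(parse(SAMPLE, "6.0-6.1", True))
```

The size check in `parse` is a cheap way to catch a wrong guess at version or bitness, since every version range in the size table has a distinct size for a given architecture.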