Geoff Chappell, Software Analyst
Each user object begins with the members of the HEAD structure. Only for very few such objects is the first member formally a named HEAD. Most instead have a larger header whose first members reproduce those of the HEAD (presumably by having the HEAD as an unnamed member) but whose next members vary according to the nature of how the object can be owned, e.g., by a process or thread.
Header | Known Objects
---|---
HEAD | DEVICEINFO, HID_POINTER_DEVICE_INFO, KBDFILE, KL, MONITOR
PROCDESKHEAD | CALLPROCDATA, MENU
PROCMARKHEAD | CURSOR
PROCOBJHEAD | ACCELTABLE, TIMER
THRDESKHEAD | HOOK, IMC, WND
THROBJHEAD | DDECONV, EVENTHOOK, GESTUREINFO, HIDDATA, SMWP, SVR_INSTANCE_INFO, TOUCHINPUTINFO, XSTATE
The HEAD is not documented, but type information for the structure is disclosed in the public symbol files for Windows 7—though not before and not since.
The HEAD is 0x08 or 0x10 bytes in 32-bit and 64-bit Windows, respectively, except that it is 0x0C bytes before version 4.0.
Offset (x86) | Offset (x64) | Definition | Versions | Remarks
---|---|---|---|---
0x00 | 0x00 | HANDLE h; | all |
0x04 | 0x08 | USHORT cLockObj; | 3.10 only |
0x04 | 0x08 | ULONG cLockObj; | 3.51 and higher |
0x06 | | USHORT cLockObjT; | 3.10 only |
0x08 | | ULONG cLockObjT; | 3.51 only |
0x08 | | PVOID pOwner; | 3.10 only | next in HANDLEENTRY
Since version 4.0, the HEAD has just the HANDLE through which the object is accessed by user-mode (or client-side) code and a lock count. The early versions have separate counts: one for locks on the object itself and one for locks of the object to a thread. No symbol files exist for those versions; the name cLockObjT is known from the output of the !dhe command in the USEREXTS.DLL debugger extension.
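As an added example (not part of this page, and not Microsoft's code), here are C declarations that model the HEAD in each layout tabulated above, with compile-time checks of the stated offsets and sizes, plus a small decoder that reads the fields out of raw little-endian memory (a pool dump, say) for a chosen layout. The type names HEAD_310 and HEAD_351, the head_layout enumeration, head_fields and head_decode are names chosen here for illustration; the sample bytes in main are constructed, not captured from a real system.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* HEAD as it has been since version 4.0 (and as typed in the Windows 7
 * public symbols): a pointer-sized HANDLE followed by a 32-bit lock count.
 * sizeof is 0x08 on x86 and 0x10 on x64 (tail padding after cLockObj). */
typedef struct _HEAD {
    void     *h;          /* HANDLE by which user mode reaches the object */
    uint32_t  cLockObj;   /* lock count */
} HEAD;

_Static_assert(offsetof(HEAD, cLockObj) == sizeof(void *), "cLockObj follows h");
_Static_assert(sizeof(HEAD) == 2 * sizeof(void *), "0x08 on x86, 0x10 on x64");

/* Pre-4.0 layouts (32-bit Windows only), both 0x0C bytes. Fixed-width fields
 * are used so the checks hold whatever the host's pointer size is.
 * HEAD_310 / HEAD_351 are illustrative names, not Microsoft's. */
typedef struct _HEAD_310 {          /* version 3.10 */
    uint32_t h;
    uint16_t cLockObj;
    uint16_t cLockObjT;
    uint32_t pOwner;                /* next in HANDLEENTRY */
} HEAD_310;

typedef struct _HEAD_351 {          /* version 3.51 */
    uint32_t h;
    uint32_t cLockObj;
    uint32_t cLockObjT;
} HEAD_351;

_Static_assert(offsetof(HEAD_310, cLockObjT) == 0x06, "3.10: USHORT cLockObjT at 0x06");
_Static_assert(offsetof(HEAD_310, pOwner)    == 0x08, "3.10: pOwner at 0x08");
_Static_assert(offsetof(HEAD_351, cLockObjT) == 0x08, "3.51: ULONG cLockObjT at 0x08");
_Static_assert(sizeof(HEAD_310) == 0x0C && sizeof(HEAD_351) == 0x0C, "pre-4.0 HEAD is 0x0C");

/* Version-neutral view of a decoded HEAD (hypothetical helper types). */
enum head_layout { HEAD_V310, HEAD_V351, HEAD_V4_X86, HEAD_V4_X64 };

typedef struct head_fields {
    uint64_t h;
    uint32_t cLockObj;
    uint32_t cLockObjT;   /* meaningful only for HEAD_V310 / HEAD_V351 */
    uint32_t pOwner;      /* meaningful only for HEAD_V310 */
    size_t   size;        /* bytes the HEAD occupies in this layout */
} head_fields;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }

/* Decode the HEAD at the start of buf (raw little-endian memory) for the
 * given layout. Returns 0 on success, -1 if buf is too short or the layout
 * is unknown. Reads go through explicit offsets rather than a host struct,
 * so a 64-bit dump decodes correctly from a 32-bit build and vice versa. */
int head_decode(enum head_layout layout, const uint8_t *buf, size_t len, head_fields *out)
{
    head_fields f = {0};
    switch (layout) {
    case HEAD_V310:
        f.size = 0x0C; if (len < f.size) return -1;
        f.h = rd32(buf); f.cLockObj = rd16(buf + 4);
        f.cLockObjT = rd16(buf + 6); f.pOwner = rd32(buf + 8);
        break;
    case HEAD_V351:
        f.size = 0x0C; if (len < f.size) return -1;
        f.h = rd32(buf); f.cLockObj = rd32(buf + 4); f.cLockObjT = rd32(buf + 8);
        break;
    case HEAD_V4_X86:
        f.size = 0x08; if (len < f.size) return -1;
        f.h = rd32(buf); f.cLockObj = rd32(buf + 4);
        break;
    case HEAD_V4_X64:
        f.size = 0x10; if (len < f.size) return -1;
        f.h = rd64(buf); f.cLockObj = rd32(buf + 8);   /* 0x0C..0x0F is padding */
        break;
    default:
        return -1;
    }
    *out = f;
    return 0;
}

int main(void)
{
    /* Constructed sample: a 64-bit 4.0+ HEAD, handle 0x00010047, lock count 2. */
    static const uint8_t sample[0x10] = { 0x47,0x00,0x01,0x00,0,0,0,0, 0x02,0,0,0, 0,0,0,0 };
    head_fields f;
    if (head_decode(HEAD_V4_X64, sample, sizeof sample, &f) == 0)
        printf("h=%#llx cLockObj=%u size=%#zx\n", (unsigned long long)f.h, f.cLockObj, f.size);
    return 0;
}
```

The static assertions are the useful part for anyone transcribing these offsets into a tool: a slip such as giving cLockObjT a 32-bit width in the 3.10 layout fails the build rather than silently misreading pOwner. The decoder's bounds check matters too, since a HEAD read from the tail of a truncated dump would otherwise yield a plausible-looking but meaningless lock count.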