PEB (Process Environment Block)
Header adapted from https://ntdoc.m417z.com/peb. The PEB is an undocumented, user-mode structure whose layout differs between Windows builds and between 32-bit and 64-bit processes; verify field offsets against the target build before relying on them.
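#include <Windows.h>

/*
 * Support definitions for the PEB layout below.
 *
 * Windows.h on its own does not declare NTSTATUS (it comes from winternl.h,
 * ntdef.h or bcrypt.h), and winternl.h cannot be included here because it
 * declares its own PEB, PEB_LDR_DATA, RTL_USER_PROCESS_PARAMETERS and
 * UNICODE_STRING that would clash with the definitions in this file. The
 * typedef below is identical to the SDK one (the SAL annotation expands to
 * nothing), so a duplicate typedef is legal in C11 and accepted by MSVC if one
 * of those headers is also pulled in; strict C89/C99 builds would need to
 * drop it.
 */
typedef LONG NTSTATUS;

#define RTL_MAX_DRIVE_LETTERS 32 // slots in RTL_USER_PROCESS_PARAMETERS::CurrentDirectories
#define MAXIMUM_LEADBYTES 12     // bytes in CPTABLEINFO::LeadByte

/* Signature shared by every slot of KERNEL_CALLBACK_TABLE. */
typedef _Function_class_(FN_DISPATCH) NTSTATUS NTAPI FN_DISPATCH( _In_opt_ PVOID Context);
typedef FN_DISPATCH* PFN_DISPATCH;

/*
 * PEB::GdiHandleBuffer holds 34 ULONGs in a 32-bit process but 60 in a 64-bit
 * one. The original definition used the 32-bit count unconditionally, which
 * shifts every PEB field after GdiHandleBuffer (PostProcessInitRoutine,
 * TlsExpansionBitmap, SessionId, AppCompatFlags, WerRegistrationData, ...) by
 * (60 - 34) * 4 = 104 bytes on x64 and silently corrupts any read or write of
 * those fields. Select the count from the target architecture instead.
 */
#define GDI_HANDLE_BUFFER_SIZE32 34
#define GDI_HANDLE_BUFFER_SIZE64 60
#ifdef _WIN64
#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64
#else
#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32
#endif
typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE];

/* Signature of PEB::PostProcessInitRoutine. */
typedef _Function_class_(PS_POST_PROCESS_INIT_ROUTINE)VOID NTAPI PS_POST_PROCESS_INIT_ROUTINE(VOID);
typedef PS_POST_PROCESS_INIT_ROUTINE* PPS_POST_PROCESS_INIT_ROUTINE;

/* Opaque here: only a pointer to it is stored in PEB::LeapSecondData. */
typedef struct _LEAP_SECOND_DATA* PLEAP_SECOND_DATA;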
/*
 * Counted UTF-16 string used by the native API. The tag is _LSA_UNICODE_STRING
 * (same layout as the ntsecapi.h type) so it does not collide with the
 * _UNICODE_STRING tag in winternl.h; the typedef name UNICODE_STRING will
 * still clash if winternl.h is included alongside this header.
 * NOTE(review): per the documented UNICODE_STRING contract, Length and
 * MaximumLength are byte counts, not character counts, and Buffer need not be
 * NUL-terminated. Bound every read by Length instead of scanning for a
 * terminator -- doubly so when the string was read out of another process.
 */
typedef struct _LSA_UNICODE_STRING {
USHORT Length;        // bytes in use at Buffer
USHORT MaximumLength; // bytes available at Buffer
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
/*
 * Object-manager descriptor passed to the NtOpen*/NtCreate* family. Not
 * referenced by the PEB itself; kept so callers pairing this header with
 * native calls do not need winternl.h. Per the documented contract Length is
 * sizeof(OBJECT_ATTRIBUTES) and ObjectName is resolved relative to
 * RootDirectory when that handle is non-NULL.
 * NOTE(review): SecurityQualityOfService is PVOID here; in the SDK it points
 * at a SECURITY_QUALITY_OF_SERVICE -- confirm before dereferencing.
 */
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;            // OBJ_* flags
PVOID SecurityDescriptor;    // PSECURITY_DESCRIPTOR or NULL
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
/*
 * One loaded-module record on the three PEB_LDR_DATA lists (the older name for
 * what winternl.h calls LDR_DATA_TABLE_ENTRY).
 * NOTE(review): only the leading fields are declared; on current builds the
 * real entry continues past TimeDateStamp, so never allocate or copy one with
 * sizeof(LDR_MODULE).
 *
 * Each LIST_ENTRY links entries of the same-named list, and the record base
 * is recovered with CONTAINING_RECORD(link, LDR_MODULE, <list field>). A link
 * taken from PEB_LDR_DATA::InMemoryOrderModuleList points at the SECOND
 * LIST_ENTRY here, one sizeof(LIST_ENTRY) (0x10 on x64, 0x08 on x86) past the
 * record start -- forgetting that adjustment is the classic bug in hand-rolled
 * module walkers.
 */
typedef struct _LDR_MODULE {
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID BaseAddress;          // image base (DllBase in newer headers)
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName; // counted, not NUL-terminated (see UNICODE_STRING)
UNICODE_STRING BaseDllName; // file name only, counted
ULONG Flags;                // LDRP_* flags
SHORT LoadCount;            // NOTE(review): newer headers declare this USHORT (ObsoleteLoadCount)
SHORT TlsIndex;
LIST_ENTRY HashTableEntry;  // HashLinks in newer headers
ULONG TimeDateStamp;
} LDR_MODULE, * PLDR_MODULE;
/*
 * Loader bookkeeping reached through PEB::LoaderData. The three list heads
 * link LDR_MODULE records through the LIST_ENTRY of the same name; see
 * LDR_MODULE for the CONTAINING_RECORD adjustment each list needs.
 * NOTE(review): this is the leading part of the structure only; newer builds
 * append fields after InInitializationOrderModuleList, so do not size buffers
 * with sizeof(PEB_LDR_DATA). Import-free API resolution (shellcode, packers)
 * walks these lists to find ntdll/kernel32 -- which entry comes first is a
 * property of the loader, not of this layout, so confirm it on the target.
 */
typedef struct _PEB_LDR_DATA {
ULONG Length;          // size the loader filled in
ULONG Initialized;     // BOOLEAN in newer headers; same layout after padding
PVOID SsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, * PPEB_LDR_DATA;
/*
 * Current directory of the process as recorded in
 * RTL_USER_PROCESS_PARAMETERS::CurrentDirectory: the DOS path plus the handle
 * the loader keeps open on it (HANDLE in newer headers; same width).
 */
typedef struct _CURDIR {
UNICODE_STRING DosPath;
PVOID Handle;
}CURDIR, * PCURDIR;
/*
 * Counted 8-bit string (tag _STRING, the native STRING/ANSI_STRING type).
 * As with UNICODE_STRING, Length and MaximumLength are byte counts and Buffer
 * is not guaranteed to be NUL-terminated; bound reads by Length.
 */
typedef struct _STRING {
USHORT Length;        // bytes in use
USHORT MaximumLength; // bytes available
PCHAR Buffer;
} ANSI_STRING, * PANSI_STRING;
/*
 * Per-drive-letter current directory slot; RTL_USER_PROCESS_PARAMETERS keeps
 * RTL_MAX_DRIVE_LETTERS (32) of these. Newer headers spell the first two
 * fields USHORT and the path STRING; the layout is identical.
 */
typedef struct _RTL_DRIVE_LETTER_CURDIR {
WORD Flags;
WORD Length;
ULONG TimeStamp;
ANSI_STRING DosPath;
} RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR;
/*
 * Process start-up parameters reached through PEB::ProcessParameters: the
 * standard handles, current directory, DLL search path, image path, command
 * line, environment block and console/window settings the process was created
 * with.
 * NOTE(review): this block sits in the process's own user-mode memory and is
 * fully writable by it. Values read out of ANOTHER process's PEB
 * (ImagePathName, CommandLine, CurrentDirectory, Environment, WindowTitle...)
 * are therefore under that process's control -- fine for display, never for a
 * trust decision ("command-line spoofing" rewrites CommandLine after start).
 * Readers must also bound every UNICODE_STRING by its Length and validate that
 * Buffer lies inside the mapping they copied.
 */
typedef struct _RTL_USER_PROCESS_PARAMETERS{
ULONG MaximumLength;  // bytes allocated for the block
ULONG Length;         // bytes in use
ULONG Flags;          // RTL_USER_PROC_* (normalized pointers etc.)
ULONG DebugFlags;
HANDLE ConsoleHandle;
ULONG ConsoleFlags;
HANDLE StandardInput;
HANDLE StandardOutput;
HANDLE StandardError;
CURDIR CurrentDirectory;
UNICODE_STRING DllPath;       // loader search path for this process
UNICODE_STRING ImagePathName; // main image path (process-writable, see above)
UNICODE_STRING CommandLine;   // as passed at creation (process-writable, see above)
PVOID Environment;            // environment block; EnvironmentSize below gives its extent
ULONG StartingX;
ULONG StartingY;
ULONG CountX;
ULONG CountY;
ULONG CountCharsX;
ULONG CountCharsY;
ULONG FillAttribute;
ULONG WindowFlags;
ULONG ShowWindowFlags;
UNICODE_STRING WindowTitle;
UNICODE_STRING DesktopInfo;   // window station\desktop
UNICODE_STRING ShellInfo;
UNICODE_STRING RuntimeData;
RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS];
ULONG_PTR EnvironmentSize;    // bytes at Environment
ULONG_PTR EnvironmentVersion;
PVOID PackageDependencyData;
ULONG ProcessGroupId;
ULONG LoaderThreads;
UNICODE_STRING RedirectionDllName;
UNICODE_STRING HeapPartitionName;
PULONGLONG DefaultThreadpoolCpuSetMasks;
ULONG DefaultThreadpoolCpuSetMaskCount;
ULONG DefaultThreadpoolThreadMaximum;
ULONG HeapMemoryTypeMask;
} RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;
/*
 * Table of user-mode callbacks reached through PEB::KernelCallbackTable. Each
 * slot is a PFN_DISPATCH; the kernel-side window manager dispatches into the
 * process by slot index, so the slot count and order must match the target
 * build exactly -- a mismatched index simply calls the wrong function.
 * NOTE(review): this is a table of code pointers in writable user-mode memory
 * reachable from a fixed PEB offset. Overwriting a slot (classically
 * __fnCOPYDATA, triggered by sending WM_COPYDATA to one of the process's
 * windows) is a documented process-injection technique; detection can key on
 * writes to this table or on PEB::KernelCallbackTable not pointing into
 * user32.dll. Treat the pointer and the table as untrusted when inspecting a
 * process.
 */
typedef struct _KERNEL_CALLBACK_TABLE{
PFN_DISPATCH __fnCOPYDATA; // common hijack target, see header note
PFN_DISPATCH __fnCOPYGLOBALDATA;
PFN_DISPATCH __fnEMPTY1;
PFN_DISPATCH __fnNCDESTROY;
PFN_DISPATCH __fnDWORDOPTINLPMSG;
PFN_DISPATCH __fnINOUTDRAG;
PFN_DISPATCH __fnGETTEXTLENGTHS1;
PFN_DISPATCH __fnINCNTOUTSTRING;
PFN_DISPATCH __fnINCNTOUTSTRINGNULL;
PFN_DISPATCH __fnINLPCOMPAREITEMSTRUCT;
PFN_DISPATCH __fnINLPCREATESTRUCT;
PFN_DISPATCH __fnINLPDELETEITEMSTRUCT;
PFN_DISPATCH __fnINLPDRAWITEMSTRUCT;
PFN_DISPATCH __fnPOPTINLPUINT1;
PFN_DISPATCH __fnPOPTINLPUINT2;
PFN_DISPATCH __fnINLPMDICREATESTRUCT;
PFN_DISPATCH __fnINOUTLPMEASUREITEMSTRUCT;
PFN_DISPATCH __fnINLPWINDOWPOS;
PFN_DISPATCH __fnINOUTLPPOINT51;
PFN_DISPATCH __fnINOUTLPSCROLLINFO;
PFN_DISPATCH __fnINOUTLPRECT;
PFN_DISPATCH __fnINOUTNCCALCSIZE;
PFN_DISPATCH __fnINOUTLPPOINT52;
PFN_DISPATCH __fnINPAINTCLIPBRD;
PFN_DISPATCH __fnINSIZECLIPBRD;
PFN_DISPATCH __fnINDESTROYCLIPBRD;
PFN_DISPATCH __fnINSTRINGNULL1;
PFN_DISPATCH __fnINSTRINGNULL2;
PFN_DISPATCH __fnINDEVICECHANGE;
PFN_DISPATCH __fnPOWERBROADCAST;
PFN_DISPATCH __fnINLPUAHDRAWMENU1;
PFN_DISPATCH __fnOPTOUTLPDWORDOPTOUTLPDWORD1;
PFN_DISPATCH __fnOPTOUTLPDWORDOPTOUTLPDWORD2;
PFN_DISPATCH __fnOUTDWORDINDWORD;
PFN_DISPATCH __fnOUTLPRECT;
PFN_DISPATCH __fnOUTSTRING;
PFN_DISPATCH __fnPOPTINLPUINT3;
PFN_DISPATCH __fnPOUTLPINT;
PFN_DISPATCH __fnSENTDDEMSG;
PFN_DISPATCH __fnINOUTSTYLECHANGE1;
PFN_DISPATCH __fnHkINDWORD;
PFN_DISPATCH __fnHkINLPCBTACTIVATESTRUCT;
PFN_DISPATCH __fnHkINLPCBTCREATESTRUCT;
PFN_DISPATCH __fnHkINLPDEBUGHOOKSTRUCT;
PFN_DISPATCH __fnHkINLPMOUSEHOOKSTRUCTEX1;
PFN_DISPATCH __fnHkINLPKBDLLHOOKSTRUCT;
PFN_DISPATCH __fnHkINLPMSLLHOOKSTRUCT;
PFN_DISPATCH __fnHkINLPMSG;
PFN_DISPATCH __fnHkINLPRECT;
PFN_DISPATCH __fnHkOPTINLPEVENTMSG;
PFN_DISPATCH __xxxClientCallDelegateThread;
PFN_DISPATCH __ClientCallDummyCallback1;
PFN_DISPATCH __ClientCallDummyCallback2;
PFN_DISPATCH __fnSHELLWINDOWMANAGEMENTCALLOUT;
PFN_DISPATCH __fnSHELLWINDOWMANAGEMENTNOTIFY;
PFN_DISPATCH __ClientCallDummyCallback3;
PFN_DISPATCH __xxxClientCallDitThread;
PFN_DISPATCH __xxxClientEnableMMCSS;
PFN_DISPATCH __xxxClientUpdateDpi;
PFN_DISPATCH __xxxClientExpandStringW;
PFN_DISPATCH __ClientCopyDDEIn1;
PFN_DISPATCH __ClientCopyDDEIn2;
PFN_DISPATCH __ClientCopyDDEOut1;
PFN_DISPATCH __ClientCopyDDEOut2;
PFN_DISPATCH __ClientCopyImage;
PFN_DISPATCH __ClientEventCallback;
PFN_DISPATCH __ClientFindMnemChar;
PFN_DISPATCH __ClientFreeDDEHandle;
PFN_DISPATCH __ClientFreeLibrary;
PFN_DISPATCH __ClientGetCharsetInfo;
PFN_DISPATCH __ClientGetDDEFlags;
PFN_DISPATCH __ClientGetDDEHookData;
PFN_DISPATCH __ClientGetListboxString;
PFN_DISPATCH __ClientGetMessageMPH;
PFN_DISPATCH __ClientLoadImage;
PFN_DISPATCH __ClientLoadLibrary; // NOTE(review): a slot that loads a DLL on request -- worth watching alongside __fnCOPYDATA
PFN_DISPATCH __ClientLoadMenu;
PFN_DISPATCH __ClientLoadLocalT1Fonts;
PFN_DISPATCH __ClientPSMTextOut;
PFN_DISPATCH __ClientLpkDrawTextEx;
PFN_DISPATCH __ClientExtTextOutW;
PFN_DISPATCH __ClientGetTextExtentPointW;
PFN_DISPATCH __ClientCharToWchar;
PFN_DISPATCH __ClientAddFontResourceW;
PFN_DISPATCH __ClientThreadSetup;
PFN_DISPATCH __ClientDeliverUserApc;
PFN_DISPATCH __ClientNoMemoryPopup;
PFN_DISPATCH __ClientMonitorEnumProc;
PFN_DISPATCH __ClientCallWinEventProc;
PFN_DISPATCH __ClientWaitMessageExMPH;
PFN_DISPATCH __ClientCallDummyCallback4;
PFN_DISPATCH __ClientCallDummyCallback5;
PFN_DISPATCH __ClientImmLoadLayout;
PFN_DISPATCH __ClientImmProcessKey;
PFN_DISPATCH __fnIMECONTROL;
PFN_DISPATCH __fnINWPARAMDBCSCHAR;
PFN_DISPATCH __fnGETTEXTLENGTHS2;
PFN_DISPATCH __ClientCallDummyCallback6;
PFN_DISPATCH __ClientLoadStringW;
PFN_DISPATCH __ClientLoadOLE;
PFN_DISPATCH __ClientRegisterDragDrop;
PFN_DISPATCH __ClientRevokeDragDrop;
PFN_DISPATCH __fnINOUTMENUGETOBJECT;
PFN_DISPATCH __ClientPrinterThunk;
PFN_DISPATCH __fnOUTLPCOMBOBOXINFO;
PFN_DISPATCH __fnOUTLPSCROLLBARINFO;
PFN_DISPATCH __fnINLPUAHDRAWMENU2;
PFN_DISPATCH __fnINLPUAHDRAWMENUITEM;
PFN_DISPATCH __fnINLPUAHDRAWMENU3;
PFN_DISPATCH __fnINOUTLPUAHMEASUREMENUITEM;
PFN_DISPATCH __fnINLPUAHDRAWMENU4;
PFN_DISPATCH __fnOUTLPTITLEBARINFOEX;
PFN_DISPATCH __fnTOUCH;
PFN_DISPATCH __fnGESTURE;
PFN_DISPATCH __fnPOPTINLPUINT4;
PFN_DISPATCH __fnPOPTINLPUINT5;
PFN_DISPATCH __xxxClientCallDefaultInputHandler;
PFN_DISPATCH __fnEMPTY2;
PFN_DISPATCH __ClientRimDevCallback;
PFN_DISPATCH __xxxClientCallMinTouchHitTestingCallback;
PFN_DISPATCH __ClientCallLocalMouseHooks;
PFN_DISPATCH __xxxClientBroadcastThemeChange;
PFN_DISPATCH __xxxClientCallDevCallbackSimple;
PFN_DISPATCH __xxxClientAllocWindowClassExtraBytes;
PFN_DISPATCH __xxxClientFreeWindowClassExtraBytes;
PFN_DISPATCH __fnGETWINDOWDATA;
PFN_DISPATCH __fnINOUTSTYLECHANGE2;
PFN_DISPATCH __fnHkINLPMOUSEHOOKSTRUCTEX2;
PFN_DISPATCH __xxxClientCallDefWindowProc;
PFN_DISPATCH __fnSHELLSYNCDISPLAYCHANGED;
PFN_DISPATCH __fnHkINLPCHARHOOKSTRUCT;
PFN_DISPATCH __fnINTERCEPTEDWINDOWACTION;
PFN_DISPATCH __xxxTooltipCallback;
PFN_DISPATCH __xxxClientInitPSBInfo;
PFN_DISPATCH __xxxClientDoScrollMenu;
PFN_DISPATCH __xxxClientEndScroll;
PFN_DISPATCH __xxxClientDrawSize;
PFN_DISPATCH __xxxClientDrawScrollBar;
PFN_DISPATCH __xxxClientHitTestScrollBar;
PFN_DISPATCH __xxxClientTrackInit;
} KERNEL_CALLBACK_TABLE, * PKERNEL_CALLBACK_TABLE;
/*
 * Header of the API-set schema (api-ms-win-* -> host DLL mapping) mapped into
 * every process and reached through PEB::ApiSetMap. EntryOffset and
 * HashOffset are byte offsets from the start of this header; Size is the
 * total size of the mapped schema.
 * NOTE(review): a parser should validate Count, EntryOffset and HashOffset
 * (and every offset found in the entries) against Size before following them;
 * the schema format is versioned by Version and differs between builds.
 */
typedef struct _API_SET_NAMESPACE{
ULONG Version;
ULONG Size;        // total bytes of the schema
ULONG Flags;
ULONG Count;       // number of namespace entries
ULONG EntryOffset; // byte offset of the entry array
ULONG HashOffset;  // byte offset of the hash table
ULONG HashFactor;
} API_SET_NAMESPACE, * PAPI_SET_NAMESPACE;
/*
 * Run-time bitmap as used by PEB::TlsBitmap / TlsExpansionBitmap. Per the
 * documented RtlInitializeBitMap contract SizeOfBitMap is a count of BITS and
 * Buffer points at (SizeOfBitMap + 31) / 32 ULONGs.
 */
typedef struct _RTL_BITMAP{
ULONG SizeOfBitMap; // number of bits
PULONG Buffer;      // the bit words
} RTL_BITMAP, * PRTL_BITMAP;
/*
 * Product type reported in SILO_USER_SHARED_DATA::NtProductType (same values
 * as the DDK enum: 1 = workstation, 2 = domain controller, 3 = server).
 */
typedef enum _NT_PRODUCT_TYPE
{
NtProductWinNt = 1,
NtProductLanManNt,
NtProductServer
} NT_PRODUCT_TYPE, * PNT_PRODUCT_TYPE;
/*
 * 64-bit time value split into a low word and a duplicated high word.
 * NOTE(review): the duplicate exists for lock-free reads -- a reader takes
 * High1Time, LowPart, then High2Time and retries if the two high words differ
 * (the protocol used for KUSER_SHARED_DATA); confirm callers follow it.
 */
typedef struct _KSYSTEM_TIME
{
ULONG LowPart;
LONG High1Time;
LONG High2Time;
} KSYSTEM_TIME, * PKSYSTEM_TIME;
/*
 * Per-silo (server silo / container) copy of system-wide data, reached through
 * PEB::SharedData. NtSystemRoot is a fixed 260-WCHAR (MAX_PATH) buffer; treat
 * it as possibly unterminated when copying.
 */
typedef struct _SILO_USER_SHARED_DATA
{
ULONG ServiceSessionId;
ULONG ActiveConsoleId;
LONGLONG ConsoleSessionForegroundProcessId;
NT_PRODUCT_TYPE NtProductType;
ULONG SuiteMask;
ULONG SharedUserSessionId;
BOOLEAN IsMultiSessionSku;
BOOLEAN IsStateSeparationEnabled;
WCHAR NtSystemRoot[260];          // MAX_PATH characters
USHORT UserModeGlobalLogger[16];
ULONG TimeZoneId;
LONG TimeZoneBiasStamp;
KSYSTEM_TIME TimeZoneBias;
LARGE_INTEGER TimeZoneBiasEffectiveStart;
LARGE_INTEGER TimeZoneBiasEffectiveEnd;
} SILO_USER_SHARED_DATA, * PSILO_USER_SHARED_DATA;
/*
 * Code-page translation table header, reached through PEB::AnsiCodePageData
 * and PEB::OemCodePageData. The table pointers are into the NLS section the
 * loader mapped; LeadByte holds MAXIMUM_LEADBYTES (12) bytes of lead-byte
 * range data for DBCS code pages.
 */
typedef struct _CPTABLEINFO
{
USHORT CodePage; // Specifies the code page number.
USHORT MaximumCharacterSize; // Specifies the maximum length in bytes of a character.
USHORT DefaultChar; // Specifies the default character (MB).
USHORT UniDefaultChar; // Specifies the default character (Unicode).
USHORT TransDefaultChar; // Specifies the translation of the default character (Unicode).
USHORT TransUniDefaultChar; // Specifies the translation of the Unicode default character (MB).
USHORT DBCSCodePage; // Specifies non-zero for DBCS code pages.
UCHAR LeadByte[MAXIMUM_LEADBYTES]; // Specifies the lead byte ranges.
PUSHORT MultiByteTable; // Specifies a pointer to a MB translation table.
PVOID WideCharTable; // Specifies a pointer to a WC translation table.
PUSHORT DBCSRanges; // Specifies a pointer to DBCS ranges.
PUSHORT DBCSOffsets; // Specifies a pointer to DBCS offsets.
} CPTABLEINFO, * PCPTABLEINFO;
/*
 * NLS tables reached through PEB::UnicodeCaseTableData: the OEM and ANSI
 * code-page tables plus the Unicode case-mapping tables used by the Rtl
 * upcase/downcase routines.
 */
typedef struct _NLSTABLEINFO
{
CPTABLEINFO OemTableInfo; // Specifies OEM table.
CPTABLEINFO AnsiTableInfo; // Specifies an ANSI table.
PUSHORT UpperCaseTable; // Specifies an 844 format uppercase table.
PUSHORT LowerCaseTable; // Specifies an 844 format lowercase table.
} NLSTABLEINFO, * PNLSTABLEINFO;
/*
 * Result of the application-compatibility (shim database) lookup for the
 * executable, embedded in APPCOMPAT_EXE_DATA. Exes/ExeFlags and Layers are
 * fixed-size arrays; ExeCount and LayerCount say how many slots are valid and
 * must be checked against the array sizes (16 and 8) before indexing.
 */
typedef struct tagSDBQUERYRESULT
{
ULONG Exes[16];
ULONG ExeFlags[16];
ULONG Layers[8];
ULONG LayerFlags;
ULONG AppHelp;
ULONG ExeCount;   // valid entries in Exes/ExeFlags (<= 16)
ULONG LayerCount; // valid entries in Layers (<= 8)
GUID ID;
ULONG ExtraFlags;
ULONG CustomSDBMap;
GUID DB[16];
} SDBQUERYRESULT, * PSDBQUERYRESULT;
/*
 * Bookkeeping half of the SwitchBack compatibility context (SWITCH_CONTEXT):
 * an update counter, whether the context may still change, and ETW tracing
 * state for it.
 */
typedef struct tagSWITCH_CONTEXT_ATTRIBUTE
{
ULONG_PTR ContextUpdateCounter;
BOOL AllowContextUpdate;
BOOL EnableTrace;
HANDLE EtwHandle;
} SWITCH_CONTEXT_ATTRIBUTE, * PSWITCH_CONTEXT_ATTRIBUTE;
/*
 * Data half of the SwitchBack compatibility context: which OS version the
 * application was tested against and the set of compatibility GUIDs in
 * effect. Elements is a fixed 48-slot array; ElementCount gives the number in
 * use and should be checked against 48 before iterating.
 */
typedef struct tagSWITCH_CONTEXT_DATA
{
ULONGLONG OsMaxVersionTested;
ULONG TargetPlatform;
ULONGLONG ContextMinimum;
GUID Platform;
GUID MinPlatform;
ULONG ContextSource;
ULONG ElementCount; // valid entries in Elements (<= 48)
GUID Elements[48];
} SWITCH_CONTEXT_DATA, * PSWITCH_CONTEXT_DATA;
/* SwitchBack compatibility context embedded in APPCOMPAT_EXE_DATA. */
typedef struct tagSWITCH_CONTEXT
{
SWITCH_CONTEXT_ATTRIBUTE Attribute;
SWITCH_CONTEXT_DATA Data;
} SWITCH_CONTEXT, * PSWITCH_CONTEXT;
/*
 * Per-process flags from the shim database for the "Cobalt" emulation layer
 * (NOTE(review): presumably the x86/x64-on-ARM64 emulator, judging by the
 * CPUID override, atomics and unaligned-access fields -- confirm). The
 * bit-fields are packed into consecutive UCHARs; do not reorder them.
 */
typedef struct _SDB_CSTRUCT_COBALT_PROCFLAG
{
KAFFINITY AffinityMask;
ULONG CPUIDEcxOverride;
ULONG CPUIDEdxOverride;
USHORT ProcessorGroup;
USHORT FastSelfModThreshold;
USHORT Reserved1;
UCHAR Reserved2;
UCHAR BackgroundWork : 5;
UCHAR CPUIDBrand : 4;
UCHAR Reserved3 : 4;
UCHAR RdtscScaling : 3;
UCHAR Reserved4 : 2;
UCHAR UnalignedAtomicApproach : 2;
UCHAR Win11Atomics : 2;
UCHAR RunOnSingleCore : 1;
UCHAR X64CPUID : 1;
UCHAR PatchUnaligned : 1;
UCHAR InterpreterOrJitter : 1;
UCHAR ForceSegmentHeap : 1;
UCHAR Reserved5 : 1;
UCHAR Reserved6 : 1;
union
{
ULONGLONG Group1AsUINT64;
struct _SDB_CSTRUCT_COBALT_PROCFLAG* Specified;
};
} SDB_CSTRUCT_COBALT_PROCFLAG, * PSDB_CSTRUCT_COBALT_PROCFLAG;
/*
 * Application-compatibility data for the executable, reached through
 * PEB::AppCompatInfo. Size and Magic should be validated before the rest is
 * trusted. The three *CompatLayers fields are fixed WCHAR buffers (256) and
 * ParentImageName is 260 (MAX_PATH) WCHARs; none is guaranteed terminated.
 * NOTE(review): LoadShimEngine / the SdbQueryResult decide whether apphelp
 * shims are applied to this process. Shim injection is a well-known
 * persistence and code-injection avenue, so this block is worth capturing
 * when triaging a process -- with the usual caveat that it is process-writable.
 */
typedef struct _APPCOMPAT_EXE_DATA
{
ULONG_PTR Reserved[65];
ULONG Size;             // size of this block
ULONG Magic;            // signature; check before use
BOOL LoadShimEngine;    // whether the shim engine is loaded for this process
USHORT ExeType;
SDBQUERYRESULT SdbQueryResult;
ULONG_PTR DbgLogChannels[128];
SWITCH_CONTEXT SwitchContext;
ULONG ParentProcessId;
WCHAR ParentImageName[260];     // MAX_PATH WCHARs, may be unterminated
WCHAR ParentCompatLayers[256];
WCHAR ActiveCompatLayers[256];
ULONG ImageFileSize;
ULONG ImageCheckSum;
BOOL LatestOs;
BOOL PackageId;
BOOL SwitchBackManifest;
BOOL UacManifest;
BOOL LegacyInstaller;
ULONG RunLevel;                 // requested UAC run level from the manifest
ULONG_PTR WinRTFlags;
PVOID HookCOM;
PVOID ComponentOnDemandEvent;
PVOID Quirks;
ULONG QuirksSize;
SDB_CSTRUCT_COBALT_PROCFLAG CobaltProcFlags;
ULONG FullMatchDbSizeCb;
ULONG FullMatchDbOffset;
} APPCOMPAT_EXE_DATA, *PAPPCOMPAT_EXE_DATA;
/*
 * One entry of the GDI shared handle table reached through
 * PEB::GdiSharedHandleTable. Owner records the owning process and a lock bit
 * plus reference count; Object/NextFree overlay because a free entry reuses
 * the object slot for its free-list link.
 * NOTE(review): the table is shared read-only user-mode memory maintained by
 * the kernel; indexing by a handle's low bits is the conventional lookup but
 * is not established here -- confirm on the target build.
 */
typedef struct _GDI_HANDLE_ENTRY
{
union
{
PVOID Object;   // kernel object pointer when allocated
PVOID NextFree; // free-list link when free
};
union
{
struct
{
USHORT ProcessId;  // owning process
USHORT Lock : 1;
USHORT Count : 15;
};
ULONG Value;
} Owner;
USHORT Unique; // uniqueness stamp, part of the handle value
UCHAR Type;    // GDI object type
UCHAR Flags;
PVOID UserPointer;
} GDI_HANDLE_ENTRY, * PGDI_HANDLE_ENTRY;
/*
 * Side-by-side assembly storage location: the DOS path of an assembly's
 * directory and a handle the loader keeps on it. Entries are addressed through
 * ASSEMBLY_STORAGE_MAP::AssemblyArray.
 */
typedef struct _ASSEMBLY_STORAGE_MAP_ENTRY
{
ULONG Flags;
UNICODE_STRING DosPath; // counted, not NUL-terminated
HANDLE Handle;
} ASSEMBLY_STORAGE_MAP_ENTRY, * PASSEMBLY_STORAGE_MAP_ENTRY;
/*
 * Header of a serialized activation context (SxS manifest data), reached
 * through PEB::ActivationContextData and SystemDefaultActivationContextData.
 * The *Offset fields are byte offsets from the start of this header and
 * TotalSize is the size of the whole blob.
 * NOTE(review): these blobs come from manifests, i.e. untrusted input. Any
 * parser should check Magic/FormatVersion and bound every offset (here and in
 * the TOC/roster structures they lead to) against TotalSize.
 */
typedef struct _ACTIVATION_CONTEXT_DATA
{
ULONG Magic;
ULONG HeaderSize;
ULONG FormatVersion;
ULONG TotalSize;            // bytes in the whole blob; bound offsets by this
ULONG DefaultTocOffset; // to ACTIVATION_CONTEXT_DATA_TOC_HEADER
ULONG ExtendedTocOffset; // to ACTIVATION_CONTEXT_DATA_EXTENDED_TOC_HEADER
ULONG AssemblyRosterOffset; // to ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_HEADER
ULONG Flags; // ACTIVATION_CONTEXT_FLAG_*
} ACTIVATION_CONTEXT_DATA, * PACTIVATION_CONTEXT_DATA;
/*
 * Map from assembly roster index to storage location, reached through
 * PEB::ProcessAssemblyStorageMap / SystemAssemblyStorageMap. AssemblyArray
 * holds AssemblyCount pointers, any of which may be NULL for an assembly whose
 * location has not been resolved yet -- check before dereferencing.
 */
typedef struct _ASSEMBLY_STORAGE_MAP
{
ULONG Flags;
ULONG AssemblyCount;                       // entries in AssemblyArray
PASSEMBLY_STORAGE_MAP_ENTRY* AssemblyArray; // entries may be NULL
} ASSEMBLY_STORAGE_MAP, * PASSEMBLY_STORAGE_MAP;
/*
 * Application-recovery registration (RegisterApplicationRecoveryCallback)
 * stored in WER_PEB_HEADER_BLOCK.
 * NOTE(review): Callback is a function pointer stored as PVOID in writable
 * process memory and is invoked by the recovery machinery when the process
 * fails -- another code pointer an in-process attacker can redirect, and one
 * to treat as untrusted when reading a remote PEB.
 */
typedef struct _WER_RECOVERY_INFO
{
ULONG Length;
PVOID Callback;  // APPLICATION_RECOVERY_CALLBACK, stored untyped
PVOID Parameter; // context passed to Callback
HANDLE Started;
HANDLE Finished;
HANDLE InProgress;
LONG LastError;
BOOL Successful;
ULONG PingInterval;
ULONG Flags;
} WER_RECOVERY_INFO, * PWER_RECOVERY_INFO;
/*
 * File registered for inclusion in an error report (WerRegisterFile). Path is
 * a fixed MAX_PATH WCHAR buffer; do not assume NUL termination when copying.
 */
typedef struct _WER_FILE
{
USHORT Flags;
WCHAR Path[MAX_PATH];
} WER_FILE, * PWER_FILE;
/*
 * Memory range registered for inclusion in an error report
 * (WerRegisterMemoryBlock). Size is in bytes.
 */
typedef struct _WER_MEMORY
{
PVOID Address;
ULONG Size; // bytes
} WER_MEMORY, * PWER_MEMORY;
/*
 * Singly-linked node on the WER_PEB_HEADER_BLOCK::Gather list. Flags decides
 * which union member (File or Memory) is live; Next is an untyped link to the
 * next WER_GATHER.
 */
typedef struct _WER_GATHER
{
PVOID Next;   // next WER_GATHER or NULL
USHORT Flags; // selects the union member
union
{
WER_FILE File;
WER_MEMORY Memory;
} v;
} WER_GATHER, * PWER_GATHER;
/*
 * Key/value pair attached to an error report (WerRegisterCustomMetadata);
 * a singly-linked node on WER_PEB_HEADER_BLOCK::MetaData. Both buffers are
 * fixed-size WCHAR arrays and may be unterminated.
 */
typedef struct _WER_METADATA
{
PVOID Next; // next WER_METADATA or NULL
WCHAR Key[64];
WCHAR Value[128];
} WER_METADATA, * PWER_METADATA;
/*
 * Runtime exception module registration (WerRegisterRuntimeExceptionModule);
 * a singly-linked node on WER_PEB_HEADER_BLOCK::RuntimeDll.
 * NOTE(review): CallbackDllPath names a DLL that the error-reporting
 * machinery loads when this process crashes. Like the rest of the PEB it is
 * writable by the process, so a path found here during triage should be
 * inspected, not trusted; the buffer is MAX_PATH WCHARs and may be
 * unterminated.
 */
typedef struct _WER_RUNTIME_DLL
{
PVOID Next; // next WER_RUNTIME_DLL or NULL
ULONG Length;
PVOID Context;
WCHAR CallbackDllPath[MAX_PATH];
} WER_RUNTIME_DLL, * PWER_RUNTIME_DLL;
/*
 * Additional process/thread to dump with this process's error report; a
 * singly-linked node on WER_PEB_HEADER_BLOCK::DumpCollection.
 */
typedef struct _WER_DUMP_COLLECTION
{
PVOID Next; // next WER_DUMP_COLLECTION or NULL
ULONG ProcessId;
ULONG ThreadId;
} WER_DUMP_COLLECTION, * PWER_DUMP_COLLECTION;
/*
 * Header of the private heap WER keeps for the registration records above:
 * a signature, a list link, the mutex guarding it and a free list.
 */
typedef struct _WER_HEAP_MAIN_HEADER
{
WCHAR Signature[16];
LIST_ENTRY Links;
HANDLE Mutex;
PVOID FreeHeap;
ULONG FreeCount;
} WER_HEAP_MAIN_HEADER, * PWER_HEAP_MAIN_HEADER;
/*
 * Windows Error Reporting registration block reached through
 * PEB::WerRegistrationData: restart command line (RegisterApplicationRestart),
 * recovery callback, and the lists of files, memory blocks, metadata, runtime
 * exception DLLs and extra dumps registered for the report. The list heads
 * are PVOID-linked singly-linked lists; the *Count fields give their lengths.
 * NOTE(review): everything here is process-writable, and RestartCommandLine
 * (RESTART_MAX_CMD_LINE WCHARs, from winbase.h) is re-executed on restart --
 * treat it as untrusted input when inspecting a process.
 */
typedef struct _WER_PEB_HEADER_BLOCK
{
LONG Length;
WCHAR Signature[16];
WCHAR AppDataRelativePath[64];
WCHAR RestartCommandLine[RESTART_MAX_CMD_LINE]; // may be unterminated
WER_RECOVERY_INFO RecoveryInfo;
PWER_GATHER Gather;               // list, GatherCount entries
PWER_METADATA MetaData;           // list, MetaDataCount entries
PWER_RUNTIME_DLL RuntimeDll;      // list
PWER_DUMP_COLLECTION DumpCollection; // list, DumpCount entries
LONG GatherCount;
LONG MetaDataCount;
LONG DumpCount;
LONG Flags;
WER_HEAP_MAIN_HEADER MainHeader;
PVOID Reserved;
} WER_PEB_HEADER_BLOCK, * PWER_PEB_HEADER_BLOCK;
/*
 * Header of the telemetry coverage hash table reached through
 * PEB::TelemetryCoverageHeader. HashTable is a trailing variable-length array
 * (ANYSIZE_ARRAY is 1, so sizeof() counts a single entry); the real extent is
 * HashTableEntries / TableSizeInBytes and must be bounded by those, not by
 * sizeof. TracingEnabled is the only defined bit of the anonymous USHORT.
 */
typedef struct _TELEMETRY_COVERAGE_HEADER
{
UCHAR MajorVersion;
UCHAR MinorVersion;
struct
{
USHORT TracingEnabled : 1;
USHORT Reserved1 : 15;
};
ULONG HashTableEntries; // entries in HashTable
ULONG HashIndexMask;
ULONG TableUpdateVersion;
ULONG TableSizeInBytes; // bytes of the whole table including this header
ULONG LastResetTick;
ULONG ResetRound;
ULONG Reserved2;
ULONG RecordedCount;
ULONG Reserved3[4];
ULONG HashTable[ANYSIZE_ARRAY]; // variable length, see header comment
} TELEMETRY_COVERAGE_HEADER, * PTELEMETRY_COVERAGE_HEADER;
/*
 * Process Environment Block: the per-process, user-mode control block the
 * kernel creates and ntdll/the loader maintain. It is found through the TEB
 * (per the public TEB layout: gs:[0x60] on x64, fs:[0x30] on x86) and lives in
 * the process's own address space, so every byte of it is writable by the
 * process. Two consequences for security work:
 *   - Anti-analysis code reads BeingDebugged, NtGlobalFlag and the default
 *     heap's flags from here, and import-free malware walks LoaderData to
 *     resolve APIs.
 *   - A tool reading ANOTHER process's PEB must treat every value (command
 *     line, image path, protected-process bits, session id, callback tables)
 *     as attacker-controlled: use NtQueryInformationProcess / token queries
 *     for trust decisions and bound every UNICODE_STRING read by its Length.
 * Offsets follow from field order, widths and natural alignment, so one wrong
 * width (e.g. GDI_HANDLE_BUFFER_SIZE for the target bitness) shifts every
 * later field. Cross-check against the target build, e.g.
 * C_ASSERT(FIELD_OFFSET(PEB, NtGlobalFlag) == 0xBC) on x64 / 0x68 on x86,
 * which is what the layout below yields and matches the public layout.
 */
typedef struct _PEB {
BOOLEAN InheritedAddressSpace;
BOOLEAN ReadImageFileExecOptions;
BOOLEAN BeingDebugged; // Set while a debugger is attached; the byte IsDebuggerPresent() reads, so the first anti-debug probe to expect (and to patch when instrumenting).
union
{
BOOLEAN BitField;
struct
{
BOOLEAN ImageUsesLargePages : 1; // The process uses large image regions (4 MB).
BOOLEAN IsProtectedProcess : 1; // The process is a protected process. NOTE(review): advisory copy only; the authoritative state is in the kernel.
BOOLEAN IsImageDynamicallyRelocated : 1; // The process image base address was relocated.
BOOLEAN SkipPatchingUser32Forwarders : 1; // The process skipped forwarders for User32.dll functions. 1 for 64-bit, 0 for 32-bit.
BOOLEAN IsPackagedProcess : 1; // The process is a packaged store process (APPX/MSIX).
BOOLEAN IsAppContainerProcess : 1; // The process has an AppContainer token. NOTE(review): verify via the token, not this bit.
BOOLEAN IsProtectedProcessLight : 1; // The process is a protected process (light). NOTE(review): advisory copy only, see above.
BOOLEAN IsLongPathAwareProcess : 1; // The process is long path aware.
};
};
HANDLE Mutant;
PVOID ImageBase; // Base of the main executable image.
PPEB_LDR_DATA LoaderData; // Loader lists (named Ldr in winternl.h); walked to enumerate modules and resolve exports.
PRTL_USER_PROCESS_PARAMETERS ProcessParameters; // Command line, image path, cwd, environment -- process-writable, see that struct.
PVOID SubSystemData;
PVOID ProcessHeap; // Default heap handle. NOTE(review): its Flags/ForceFlags are a further debugger tell used by anti-debug code.
PRTL_CRITICAL_SECTION FastPebLock;
PSLIST_HEADER AtlThunkSListPtr;
HANDLE IFEOKey; // Image File Execution Options key for this image, if one was opened.
union
{
ULONG CrossProcessFlags;
struct
{
ULONG ProcessInJob : 1; // The process is part of a job.
ULONG ProcessInitializing : 1; // The process is initializing.
ULONG ProcessUsingVEH : 1; // The process is using VEH.
ULONG ProcessUsingVCH : 1; // The process is using VCH.
ULONG ProcessUsingFTH : 1; // The process is using FTH.
ULONG ProcessPreviouslyThrottled : 1; // The process was previously throttled.
ULONG ProcessCurrentlyThrottled : 1; // The process is currently throttled.
ULONG ProcessImagesHotPatched : 1; // The process images are hot patched. // RS5
ULONG ReservedBits0 : 24;
};
};
union
{
PKERNEL_CALLBACK_TABLE KernelCallbackTable; // user32 callback table: code pointers in writable memory, a known injection target (see KERNEL_CALLBACK_TABLE).
PVOID UserSharedInfoPtr;
};
ULONG SystemReserved;
ULONG AtlThunkSListPtr32;
PAPI_SET_NAMESPACE ApiSetMap; // API-set schema used to redirect api-ms-win-* imports.
ULONG TlsExpansionCounter;
PRTL_BITMAP TlsBitmap;        // TLS slot allocation bitmap; Buffer points at TlsBitmapBits.
ULONG TlsBitmapBits[2];       // 64 TLS slots.
PVOID ReadOnlySharedMemoryBase;
PSILO_USER_SHARED_DATA SharedData;
PVOID* ReadOnlyStaticServerData;
PCPTABLEINFO AnsiCodePageData;
PCPTABLEINFO OemCodePageData;
PNLSTABLEINFO UnicodeCaseTableData;
ULONG NumberOfProcessors;
union
{
ULONG NtGlobalFlag; // FLG_* bits. NOTE(review): when a process is created under a debugger the loader sets the three heap-check bits (0x70 = TailCheck | FreeCheck | ValidateParameters) unless IFEO overrides them; checking for 0x70 here is the second most common anti-debug probe.
struct
{
ULONG StopOnException : 1; // FLG_STOP_ON_EXCEPTION
ULONG ShowLoaderSnaps : 1; // FLG_SHOW_LDR_SNAPS
ULONG DebugInitialCommand : 1; // FLG_DEBUG_INITIAL_COMMAND
ULONG StopOnHungGUI : 1; // FLG_STOP_ON_HUNG_GUI
ULONG HeapEnableTailCheck : 1; // FLG_HEAP_ENABLE_TAIL_CHECK (0x10)
ULONG HeapEnableFreeCheck : 1; // FLG_HEAP_ENABLE_FREE_CHECK (0x20)
ULONG HeapValidateParameters : 1; // FLG_HEAP_VALIDATE_PARAMETERS (0x40)
ULONG HeapValidateAll : 1; // FLG_HEAP_VALIDATE_ALL
ULONG ApplicationVerifier : 1; // FLG_APPLICATION_VERIFIER
ULONG MonitorSilentProcessExit : 1; // FLG_MONITOR_SILENT_PROCESS_EXIT
ULONG PoolEnableTagging : 1; // FLG_POOL_ENABLE_TAGGING
ULONG HeapEnableTagging : 1; // FLG_HEAP_ENABLE_TAGGING
ULONG UserStackTraceDb : 1; // FLG_USER_STACK_TRACE_DB
ULONG KernelStackTraceDb : 1; // FLG_KERNEL_STACK_TRACE_DB
ULONG MaintainObjectTypeList : 1; // FLG_MAINTAIN_OBJECT_TYPELIST
ULONG HeapEnableTagByDll : 1; // FLG_HEAP_ENABLE_TAG_BY_DLL
ULONG DisableStackExtension : 1; // FLG_DISABLE_STACK_EXTENSION
ULONG EnableCsrDebug : 1; // FLG_ENABLE_CSRDEBUG
ULONG EnableKDebugSymbolLoad : 1; // FLG_ENABLE_KDEBUG_SYMBOL_LOAD
ULONG DisablePageKernelStacks : 1; // FLG_DISABLE_PAGE_KERNEL_STACKS
ULONG EnableSystemCritBreaks : 1; // FLG_ENABLE_SYSTEM_CRIT_BREAKS
ULONG HeapDisableCoalescing : 1; // FLG_HEAP_DISABLE_COALESCING
ULONG EnableCloseExceptions : 1; // FLG_ENABLE_CLOSE_EXCEPTIONS
ULONG EnableExceptionLogging : 1; // FLG_ENABLE_EXCEPTION_LOGGING
ULONG EnableHandleTypeTagging : 1; // FLG_ENABLE_HANDLE_TYPE_TAGGING
ULONG HeapPageAllocs : 1; // FLG_HEAP_PAGE_ALLOCS
ULONG DebugInitialCommandEx : 1; // FLG_DEBUG_INITIAL_COMMAND_EX
ULONG DisableDbgPrint : 1; // FLG_DISABLE_DBGPRINT
ULONG CritSecEventCreation : 1; // FLG_CRITSEC_EVENT_CREATION
ULONG LdrTopDown : 1; // FLG_LDR_TOP_DOWN
ULONG EnableHandleExceptions : 1; // FLG_ENABLE_HANDLE_EXCEPTIONS
ULONG DisableProtDlls : 1; // FLG_DISABLE_PROTDLLS
} NtGlobalFlags;
};
LARGE_INTEGER CriticalSectionTimeout;
SIZE_T HeapSegmentReserve;
SIZE_T HeapSegmentCommit;
SIZE_T HeapDeCommitTotalFreeThreshold;
SIZE_T HeapDeCommitFreeBlockThreshold;
ULONG NumberOfHeaps;        // valid entries in ProcessHeaps
ULONG MaximumNumberOfHeaps; // capacity of ProcessHeaps
PVOID* ProcessHeaps;        // array of heap handles; ProcessHeaps[0] is ProcessHeap
PGDI_HANDLE_ENTRY GdiSharedHandleTable;
PVOID ProcessStarterHelper;
ULONG GdiDCAttributeList;
PRTL_CRITICAL_SECTION LoaderLock; // Held by the loader during DllMain; the lock in-process hooks must not take.
ULONG OSMajorVersion;
ULONG OSMinorVersion;
USHORT OSBuildNumber;
USHORT OSCSDVersion;
ULONG OSPlatformId;
ULONG ImageSubsystem;
ULONG ImageSubsystemMajorVersion;
ULONG ImageSubsystemMinorVersion;
KAFFINITY ActiveProcessAffinityMask;
GDI_HANDLE_BUFFER GdiHandleBuffer; // 34 ULONGs on x86, 60 on x64: every field after this depends on GDI_HANDLE_BUFFER_SIZE matching the target bitness.
PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine; // Function pointer in writable memory; another slot to watch.
PRTL_BITMAP TlsExpansionBitmap;
ULONG TlsExpansionBitmapBits[32]; // 1024 expansion TLS slots.
ULONG SessionId; // Terminal-services session. NOTE(review): not authoritative when read from another process.
ULARGE_INTEGER AppCompatFlags;
ULARGE_INTEGER AppCompatFlagsUser;
PVOID pShimData;
PAPPCOMPAT_EXE_DATA AppCompatInfo; // Shim-database result for this image, see APPCOMPAT_EXE_DATA.
UNICODE_STRING CSDVersion;
PACTIVATION_CONTEXT_DATA ActivationContextData; // Process manifest (SxS) data; untrusted blob, see ACTIVATION_CONTEXT_DATA.
PASSEMBLY_STORAGE_MAP ProcessAssemblyStorageMap;
PACTIVATION_CONTEXT_DATA SystemDefaultActivationContextData;
PASSEMBLY_STORAGE_MAP SystemAssemblyStorageMap;
SIZE_T MinimumStackCommit;
PVOID SparePointers[2];
PVOID PatchLoaderData;
PVOID ChpeV2ProcessInfo;
ULONG AppModelFeatureState;
ULONG SpareUlongs[2];
USHORT ActiveCodePage;
USHORT OemCodePage;
USHORT UseCaseMapping;
USHORT UnusedNlsField;
PWER_PEB_HEADER_BLOCK WerRegistrationData; // WER registrations incl. restart command line and runtime exception DLLs, see WER_PEB_HEADER_BLOCK.
PVOID WerShipAssertPtr;
union
{
PVOID pContextData; // Pointer to the switchback compatibility engine (Windows 7 and below)
PVOID EcCodeBitMap; // Pointer to the EC bitmap on ARM64 (Windows 11 and above) // since WIN11
};
PVOID ImageHeaderHash;
union
{
ULONG TracingFlags;
struct
{
ULONG HeapTracingEnabled : 1; // ETW heap tracing enabled.
ULONG CritSecTracingEnabled : 1; // ETW lock tracing enabled.
ULONG LibLoaderTracingEnabled : 1; // ETW loader tracing enabled.
ULONG SpareTracingBits : 29;
};
};
ULONGLONG CsrServerReadOnlySharedMemoryBase;
PRTL_CRITICAL_SECTION TppWorkerpListLock;
LIST_ENTRY TppWorkerpList;
PVOID WaitOnAddressHashTable[128];
PTELEMETRY_COVERAGE_HEADER TelemetryCoverageHeader;
ULONG CloudFileFlags;
ULONG CloudFileDiagFlags;
CHAR PlaceholderCompatibilityMode;
CHAR PlaceholderCompatibilityModeReserved[7];
PLEAP_SECOND_DATA LeapSecondData;
union
{
ULONG LeapSecondFlags;
struct
{
ULONG SixtySecondEnabled : 1; // Leap seconds enabled.
ULONG Reserved : 31;
};
};
ULONG NtGlobalFlag2;
ULONGLONG ExtendedFeatureDisableMask;
} PEB, * PPEB;