| Min version | 2003/XP64 SP1 | Vista SP1 | 7 | 8 Pre RTM | 8 | 8.1 | 10 TH2 |
|---|---|---|---|---|---|---|---|
| Max version | 2003/XP64 SP2 | Vista SP2 | 7 SP1 | 10 | |||
| x64 offset offset:bitpos | Field Name | ||||||
| 0x0000 | uint8_t InheritedAddressSpace | ||||||
| 0x0001 | uint8_t ReadImageFileExecOptions | ||||||
| 0x0002 | uint8_t BeingDebugged | ||||||
| 0x0003 | uint8_t BitField | ||||||
| 0x0003:0x00 | uint8_t ImageUsesLargePages | ||||||
| 0x0003:0x01 | uint8_t SpareBits | uint8_t IsProtectedProcess | |||||
| 0x0003:0x02 | uint8_t IsLegacyProcess | uint8_t IsImageDynamicallyRelocated | |||||
| 0x0003:0x03 | uint8_t IsImageDynamicallyRelocated | uint8_t SkipPatchingUser32Forwarders | |||||
| 0x0003:0x04 | uint8_t SkipPatchingUser32Forwarders | uint8_t IsPackagedProcess | |||||
| 0x0003:0x05 | uint8_t SpareBits | uint8_t IsPackagedProcess | uint8_t IsAppContainer | ||||
| 0x0003:0x06 | uint8_t IsAppContainer | uint8_t IsProtectedProcessLight | |||||
| 0x0003:0x07 | uint8_t SpareBits | ||||||
| 0x0004 | uint8_t[4] Padding0 | ||||||
| 0x0008 | void * Mutant | ||||||
| 0x0010 | void * ImageBaseAddress | ||||||
| 0x0018 | struct _PEB_LDR_DATA * Ldr | ||||||
| 0x0020 | struct _RTL_USER_PROCESS_PARAMETERS * ProcessParameters | ||||||
| 0x0028 | void * SubSystemData | ||||||
| 0x0030 | void * ProcessHeap | ||||||
| 0x0038 | struct _RTL_CRITICAL_SECTION * FastPebLock | ||||||
| 0x0040 | void * AtlThunkSListPtr | ||||||
| 0x0048 | void * SparePtr2 | void * IFEOKey | |||||
| 0x0050 | unsigned long EnvironmentUpdateCount | unsigned long CrossProcessFlags | |||||
| 0x0050:0x00 | unsigned long ProcessInJob | ||||||
| 0x0050:0x01 | unsigned long ProcessInitializing | ||||||
| 0x0050:0x02 | unsigned long ProcessUsingVEH | ||||||
| 0x0050:0x03 | unsigned long ProcessUsingVCH | ||||||
| 0x0050:0x04 | unsigned long ReservedBits0 | unsigned long ProcessUsingFTH | |||||
| 0x0050:0x05 | unsigned long ReservedBits0 | ||||||
| 0x0054 | uint8_t[4] Padding1 | ||||||
| 0x0058 | void * KernelCallbackTable | void * KernelCallbackTable | |||||
| 0x0058 | void * UserSharedInfoPtr | ||||||
| 0x0060 | unsigned long[1] SystemReserved | ||||||
| 0x0064 | unsigned long SpareUlong | unsigned long AtlThunkSListPtr32 | |||||
| 0x0068 | struct _PEB_FREE_BLOCK * FreeList | uint64_t SparePebPtr0 | void * ApiSetMap | ||||
| 0x0070 | unsigned long TlsExpansionCounter | ||||||
| 0x0074 | uint8_t[4] Padding2 | ||||||
| 0x0078 | void * TlsBitmap | ||||||
| 0x0080 | unsigned long[2] TlsBitmapBits | ||||||
| 0x0088 | void * ReadOnlySharedMemoryBase | ||||||
| 0x0090 | void * ReadOnlySharedMemoryHeap | void * HotpatchInformation | void * SparePvoid0 | ||||
| 0x0098 | void * * ReadOnlyStaticServerData | ||||||
| 0x00A0 | void * AnsiCodePageData | ||||||
| 0x00A8 | void * OemCodePageData | ||||||
| 0x00B0 | void * UnicodeCaseTableData | ||||||
| 0x00B8 | unsigned long NumberOfProcessors | ||||||
| 0x00BC | unsigned long NtGlobalFlag | ||||||
| 0x00C0 | union _LARGE_INTEGER CriticalSectionTimeout | ||||||
| 0x00C8 | uint64_t HeapSegmentReserve | ||||||
| 0x00D0 | uint64_t HeapSegmentCommit | ||||||
| 0x00D8 | uint64_t HeapDeCommitTotalFreeThreshold | ||||||
| 0x00E0 | uint64_t HeapDeCommitFreeBlockThreshold | ||||||
| 0x00E8 | unsigned long NumberOfHeaps | ||||||
| 0x00EC | unsigned long MaximumNumberOfHeaps | ||||||
| 0x00F0 | void * * ProcessHeaps | ||||||
| 0x00F8 | void * GdiSharedHandleTable | ||||||
| 0x0100 | void * ProcessStarterHelper | ||||||
| 0x0108 | unsigned long GdiDCAttributeList | ||||||
| 0x010C | uint8_t[4] Padding3 | ||||||
| 0x0110 | struct _RTL_CRITICAL_SECTION * LoaderLock | ||||||
| 0x0118 | unsigned long OSMajorVersion | ||||||
| 0x011C | unsigned long OSMinorVersion | ||||||
| 0x0120 | uint16_t OSBuildNumber | ||||||
| 0x0122 | uint16_t OSCSDVersion | ||||||
| 0x0124 | unsigned long OSPlatformId | ||||||
| 0x0128 | unsigned long ImageSubsystem | ||||||
| 0x012C | unsigned long ImageSubsystemMajorVersion | ||||||
| 0x0130 | unsigned long ImageSubsystemMinorVersion | ||||||
| 0x0134 | uint8_t[4] Padding4 | ||||||
| 0x0138 | uint64_t ImageProcessAffinityMask | uint64_t ActiveProcessAffinityMask | |||||
| 0x0140 | unsigned long[60] GdiHandleBuffer | ||||||
| 0x0230 | function * PostProcessInitRoutine | ||||||
| 0x0238 | void * TlsExpansionBitmap | ||||||
| 0x0240 | unsigned long[32] TlsExpansionBitmapBits | ||||||
| 0x02C0 | unsigned long SessionId | ||||||
| 0x02C4 | uint8_t[4] Padding5 | ||||||
| 0x02C8 | union _ULARGE_INTEGER AppCompatFlags | ||||||
| 0x02D0 | union _ULARGE_INTEGER AppCompatFlagsUser | ||||||
| 0x02D8 | void * pShimData | ||||||
| 0x02E0 | void * AppCompatInfo | ||||||
| 0x02E8 | struct _UNICODE_STRING CSDVersion | ||||||
| 0x02F8 | const struct _ACTIVATION_CONTEXT_DATA * ActivationContextData | ||||||
| 0x0300 | struct _ASSEMBLY_STORAGE_MAP * ProcessAssemblyStorageMap | ||||||
| 0x0308 | const struct _ACTIVATION_CONTEXT_DATA * SystemDefaultActivationContextData | ||||||
| 0x0310 | struct _ASSEMBLY_STORAGE_MAP * SystemAssemblyStorageMap | ||||||
| 0x0318 | uint64_t MinimumStackCommit | ||||||
| 0x0320 | void * * FlsCallback | struct _FLS_CALLBACK_INFO * FlsCallback | |||||
| 0x0328 | struct _LIST_ENTRY FlsListHead | ||||||
| 0x0338 | void * FlsBitmap | ||||||
| 0x0340 | unsigned long[4] FlsBitmapBits | ||||||
| 0x0350 | unsigned long FlsHighIndex | ||||||
| 0x0358 | void * WerRegistrationData | ||||||
| 0x0360 | void * WerShipAssertPtr | ||||||
| 0x0368 | void * pContextData | void * pUnused | |||||
| 0x0370 | void * pImageHeaderHash | ||||||
| 0x0378 | unsigned long TracingFlags | ||||||
| 0x0378:0x00 | unsigned long HeapTracingEnabled | ||||||
| 0x0378:0x01 | unsigned long CritSecTracingEnabled | ||||||
| 0x0378:0x02 | unsigned long SpareTracingBits | unsigned long LibLoaderTracingEnabled | |||||
| 0x0378:0x03 | unsigned long SpareTracingBits | ||||||
| 0x037C | uint8_t[4] Padding6 | ||||||
| 0x0380 | uint64_t CsrServerReadOnlySharedMemoryBase | ||||||
| 0x0388 | uint64_t TppWorkerpListLock | ||||||
| 0x0390 | struct _LIST_ENTRY TppWorkerpList | ||||||
| 0x03A0 | void *[128] WaitOnAddressHashTable | ||||||