First, let's look at the process and its EPROCESS structure. This massive structure exists to hold as much information about the process as possible.

We won't try to memorize every detail up front. Instead, we analyze the important points so that the overall flow is understood, and look up the rest as it comes up.

The amount of information that can be obtained through EPROCESS is considerable. When the operating system creates a process, it allocates space for this structure in advance. This is necessary so that the operating system can properly distribute what each process needs, and the process environment is configured through the settings it contains. Now let's find out what information EPROCESS holds.


KPROCESS (Kernel process) block:

The common dispatcher object header, the pointer to the process page directory, the quantum, the base priority and similar information. (The KPROCESS structure is covered in detail after EPROCESS.)

Process identification:

The unique process ID, the parent process ID and related information.

Quota block:

Non-paged pool and paged pool limits, plus quotas such as the interactive session quota set by Winlogon.

VAD information:

Virtual memory (Virtual Address Descriptor) data structure information.

Working set information:

Pointers to the working set list, and the minimum and maximum working set sizes.

Virtual memory information:

The current size of the virtual memory the process can use, the process page directory entry, and other virtual memory information.

LPC exception port:

The channel used when an exception occurs.

LPC debug port:

The channel used for debugging.

Access token:

The security profile of the process.

Handle table:

The process's handle table (each process has its own handle table).

Device map:

The address of the object directory used to resolve device names.

PEB (Process environment block):

Image information, process heap information, and other information that must be accessible in user mode.

Win32 subsystem process block:

Process information required by the kernel-mode component of the Win32 subsystem.


Let's look at the entire EPROCESS structure on Windows 7 64-bit.


kd> dt _EPROCESS
+0x000 Pcb : _KPROCESS // PCB, i.e. the KPROCESS; covered right after this listing
+0x160 ProcessLock : _EX_PUSH_LOCK
+0x168 CreateTime : _LARGE_INTEGER // process creation time
+0x170 ExitTime : _LARGE_INTEGER // process exit time
+0x178 RundownProtect : _EX_RUNDOWN_REF
+0x180 UniqueProcessId : Ptr64 Void // process ID
+0x188 ActiveProcessLinks : _LIST_ENTRY // LIST_ENTRY used to manage all processes
+0x198 ProcessQuotaUsage : [2] Uint8B
+0x1a8 ProcessQuotaPeak : [2] Uint8B
+0x1b8 CommitCharge : Uint8B // physical memory space in use by the process; see the working-set section of the memory chapter
+0x1c0 QuotaBlock : Ptr64 _EPROCESS_QUOTA_BLOCK
+0x1c8 CpuQuotaBlock : Ptr64 _PS_CPU_QUOTA_BLOCK
+0x1d0 PeakVirtualSize : Uint8B // peak amount of virtual memory the process has used; see chapter three on memory
+0x1d8 VirtualSize : Uint8B // amount of virtual memory the process is using; see chapter three on memory
+0x1e0 SessionProcessLinks : _LIST_ENTRY // LIST_ENTRY used to manage the processes within a session
+0x1f0 DebugPort : Ptr64 Void // LPC port used for debugging and exception handling; see the exception-handling chapter
+0x1f8 ExceptionPortData : Ptr64 Void
+0x1f8 ExceptionPortValue : Uint8B
+0x1f8 ExceptionPortState : Pos 0, 3 Bits
+0x200 ObjectTable : Ptr64 _HANDLE_TABLE // pointer to the process handle table
+0x208 Token : _EX_FAST_REF // process token information; covered in Part 1
+0x210 WorkingSetPage : Uint8B // number of pages in the working set
+0x218 AddressCreationLock : _EX_PUSH_LOCK
+0x220 RotateInProgress : Ptr64 _ETHREAD
+0x228 ForkInProgress : Ptr64 _ETHREAD
+0x230 HardwareTrigger : Uint8B
+0x238 PhysicalVadRoot : Ptr64 _MM_AVL_TABLE
+0x240 CloneRoot : Ptr64 Void
+0x248 NumberOfPrivatePages : Uint8B
+0x250 NumberOfLockedPages : Uint8B
+0x258 Win32Process : Ptr64 Void
+0x260 Job : Ptr64 _EJOB
+0x268 SectionObject : Ptr64 Void
+0x270 SectionBaseAddress : Ptr64 Void // section base address
+0x278 Cookie : Uint4B // unique value generated from the current time through an operation
+0x27c Spare8 : Uint4B
+0x280 WorkingSetWatch : Ptr64 _PAGEFAULT_HISTORY
+0x288 Win32WindowStation : Ptr64 Void // window station ID; see the chapter on the desktop heap
+0x290 InheritedFromUniqueProcessId : Ptr64 Void
+0x298 LdtInformation : Ptr64 Void
+0x2a0 Spare : Ptr64 Void
+0x2a8 ConsoleHostProcess : Uint8B
+0x2b0 DeviceMap : Ptr64 Void
+0x2b8 EtwDataSource : Ptr64 Void
+0x2c0 FreeTebHint : Ptr64 Void
+0x2c8 PageDirectoryPte : _HARDWARE_PTE
+0x2c8 Filler : Uint8B
+0x2d0 Session : Ptr64 Void // session; used as the terminal-connection session ID
+0x2d8 ImageFileName : [15] UChar // process name
+0x2e7 PriorityClass : UChar // priority class of this process
+0x2e8 JobLinks : _LIST_ENTRY
+0x2f8 LockedPagesList : Ptr64 Void
+0x300 ThreadListHead : _LIST_ENTRY
+0x310 SecurityPort : Ptr64 Void
+0x318 Wow64Process : Ptr64 Void
+0x320 ActiveThreads : Uint4B
+0x324 ImagePathHash : Uint4B
+0x328 DefaultHardErrorProcessing : Uint4B
+0x32c LastThreadExitStatus : Int4B
+0x330 Peb : Ptr64 _PEB // pointer to the Process Environment Block
+0x338 PrefetchTrace : _EX_FAST_REF
+0x340 ReadOperationCount : _LARGE_INTEGER // count of I/O read operations; the ReadCount value dealt with in Xperf
+0x348 WriteOperationCount : _LARGE_INTEGER // count of I/O write operations (WriteCount)
+0x350 OtherOperationCount : _LARGE_INTEGER
+0x358 ReadTransferCount : _LARGE_INTEGER
+0x360 WriteTransferCount : _LARGE_INTEGER
+0x368 OtherTransferCount : _LARGE_INTEGER
+0x370 CommitChargeLimit : Uint8B // maximum available memory
+0x378 CommitChargePeak : Uint8B // peak amount of memory used
+0x380 AweInfo : Ptr64 Void
+0x388 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INF
+0x390 Vm : _MMSUPPORT
+0x418 MmProcessLinks : _LIST_ENTRY
+0x428 HighestUserAddress : Ptr64 Void
+0x430 ModifiedPageCount : Uint4B
+0x434 Flags2 : Uint4B
+0x434 JobNotReallyActive : Pos 0, 1 Bit
+0x434 AccountingFolded : Pos 1, 1 Bit
+0x434 NewProcessReported : Pos 2, 1 Bit
+0x434 ExitProcessReported : Pos 3, 1 Bit
+0x434 ReportCommitChanges : Pos 4, 1 Bit
+0x434 LastReportMemory : Pos 5, 1 Bit
+0x434 ReportPhysicalPageChanges : Pos 6, 1 Bit
+0x434 HandleTableRundown : Pos 7, 1 Bit
+0x434 NeedsHandleRundown : Pos 8, 1 Bit
+0x434 RefTraceEnabled : Pos 9, 1 Bit
+0x434 NumaAware : Pos 10, 1 Bit
+0x434 ProtectedProcess : Pos 11, 1 Bit
+0x434 DefaultPagePriority : Pos 12, 3 Bits
+0x434 PrimaryTokenFrozen : Pos 15, 1 Bit
+0x434 ProcessVerifierTarget : Pos 16, 1 Bit
+0x434 StackRandomizationDisabled : Pos 17, 1 Bit
+0x434 AffinityPermanent : Pos 18, 1 Bit
+0x434 AffinityUpdateEnable : Pos 19, 1 Bit
+0x434 PropagateNode : Pos 20, 1 Bit
+0x434 ExplicitAffinity : Pos 21, 1 Bit
+0x438 Flags : Uint4B
+0x438 CreateReported : Pos 0, 1 Bit
+0x438 NoDebugInherit : Pos 1, 1 Bit
+0x438 ProcessExiting : Pos 2, 1 Bit
+0x438 ProcessDelete : Pos 3, 1 Bit
+0x438 Wow64SplitPages : Pos 4, 1 Bit
+0x438 VmDeleted : Pos 5, 1 Bit
+0x438 OutswapEnabled : Pos 6, 1 Bit
+0x438 Outswapped : Pos 7, 1 Bit
+0x438 ForkFailed : Pos 8, 1 Bit
+0x438 Wow64VaSpace4Gb : Pos 9, 1 Bit
+0x438 AddressSpaceInitialized : Pos 10, 2 Bits
+0x438 SetTimerResolution : Pos 12, 1 Bit
+0x438 BreakOnTermination : Pos 13, 1 Bit
+0x438 DeprioritizeViews : Pos 14, 1 Bit
+0x438 WriteWatch : Pos 15, 1 Bit
+0x438 ProcessInSession : Pos 16, 1 Bit
+0x438 OverrideAddressSpace : Pos 17, 1 Bit
+0x438 HasAddressSpace : Pos 18, 1 Bit
+0x438 LaunchPrefetched : Pos 19, 1 Bit
+0x438 InjectInpageErrors : Pos 20, 1 Bit
+0x438 VmTopDown : Pos 21, 1 Bit
+0x438 ImageNotifyDone : Pos 22, 1 Bit
+0x438 PdeUpdateNeeded : Pos 23, 1 Bit
+0x438 VdmAllowed : Pos 24, 1 Bit
+0x438 CrossSessionCreate : Pos 25, 1 Bit
+0x438 ProcessInserted : Pos 26, 1 Bit
+0x438 DefaultIoPriority : Pos 27, 3 Bits // default I/O priority class
+0x438 ProcessSelfDelete : Pos 30, 1 Bit
+0x438 SetTimerResolutionLink : Pos 31, 1 Bit
+0x43c ExitStatus : Int4B
+0x440 VadRoot : _MM_AVL_TABLE // root of the tree of all user-mode memory areas allocated in this process
+0x480 AlpcContext : _ALPC_PROCESS_CONTEXT
+0x4a0 TimerResolutionLink : _LIST_ENTRY
+0x4b0 RequestedTimerResolution : Uint4B
+0x4b4 ActiveThreadsHighWatermark : Uint4B
+0x4b8 SmallestTimerResolution : Uint4B
+0x4c0 TimerResolutionStackRecord : Ptr64 _PO_DIAG_STACK_RECORD

[The content] Windbg EPROCESS structure
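As an added example (not the post's code), here is a C walker for the ActiveProcessLinks list that uses the Windows 7 x64 offsets from the listing above (UniqueProcessId at 0x180, ActiveProcessLinks at 0x188, ImageFileName at 0x2d8) over a constructed in-memory image of three EPROCESS blocks. It is the same CONTAINING_RECORD walk a memory-forensics tool performs over a dump, and a list that is truncated or points outside the image returns -1 instead of being followed; the process names, PIDs and addresses are constructed sample values.

```c
/* Added example (not the post's code): walk ActiveProcessLinks in a constructed
   Win7 x64 memory image using the EPROCESS offsets listed above; no real kernel memory. */
#include <stdint.h>
#include <string.h>

#define EPROC_SIZE          0x4c8  /* bytes per _EPROCESS (from the dt listing) */
#define OFF_UNIQUE_PID      0x180  /* UniqueProcessId */
#define OFF_ACTIVE_LINKS    0x188  /* ActiveProcessLinks: _LIST_ENTRY {Flink, Blink} */
#define OFF_IMAGE_FILE_NAME 0x2d8  /* ImageFileName: UChar[15] */
#define MAX_PROCS           16
typedef struct { uint64_t pid; char name[16]; } proc_info;
static uint8_t image[3 * EPROC_SIZE];   /* "virtual address" == offset into image */
static proc_info found[MAX_PROCS];      /* filled by walk_active_process_links */

static void put_process(uint64_t base, uint64_t pid, const char *name,
                        uint64_t flink, uint64_t blink) {
    uint8_t *p = image + base;
    memcpy(p + OFF_UNIQUE_PID, &pid, 8);
    memcpy(p + OFF_ACTIVE_LINKS, &flink, 8);
    memcpy(p + OFF_ACTIVE_LINKS + 8, &blink, 8);
    strncpy((char *)(p + OFF_IMAGE_FILE_NAME), name, 15);
}
/* Constructed sample: System(4) -> smss.exe(268) -> csrss.exe(356), circular;
   as in the kernel, Flink/Blink hold the address of the neighbour's _LIST_ENTRY. */
static int build_sample_image(void) {
    uint64_t a = 0, b = EPROC_SIZE, c = 2 * EPROC_SIZE;
    memset(image, 0, sizeof image);
    put_process(a, 4,   "System",    b + OFF_ACTIVE_LINKS, c + OFF_ACTIVE_LINKS);
    put_process(b, 268, "smss.exe",  c + OFF_ACTIVE_LINKS, a + OFF_ACTIVE_LINKS);
    put_process(c, 356, "csrss.exe", a + OFF_ACTIVE_LINKS, b + OFF_ACTIVE_LINKS);
    return 3;
}
/* Follow Flink from the EPROCESS at `head` until the list wraps. Flink points at the
   LIST_ENTRY inside the next EPROCESS, so subtract OFF_ACTIVE_LINKS to reach the
   containing block (CONTAINING_RECORD). Returns the count, or -1 on a broken list. */
static int walk_active_process_links(uint64_t head) {
    uint64_t cur = head, flink;
    int n = 0;
    do {
        if (cur > sizeof image - EPROC_SIZE || n >= MAX_PROCS) return -1;
        const uint8_t *p = image + cur;
        memcpy(&found[n].pid, p + OFF_UNIQUE_PID, 8);
        memcpy(found[n].name, p + OFF_IMAGE_FILE_NAME, 15);
        found[n].name[15] = '\0';
        n++;
        memcpy(&flink, p + OFF_ACTIVE_LINKS, 8);
        cur = flink - OFF_ACTIVE_LINKS;   /* back from the LIST_ENTRY to its EPROCESS */
    } while (cur != head);
    return n;
}
```

Starting the walk from any block in the ring yields the same three entries; zeroing a Flink in the image makes the walk bail out with -1, which is the case a real dump with a damaged or unlinked entry produces.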


KPROCESS, i.e. the PCB (Kernel process block), holds the information the kernel needs for thread scheduling. The KPROCESS structure as a whole looks like the following.


kd> dt _KPROCESS
+0x000 Header : _DISPATCHER_HEADER // header carried by every dispatcher object; used for synchronization, priority handling and the wait state
+0x018 ProfileListHead : _LIST_ENTRY
+0x028 DirectoryTableBase : Uint8B // value stored in the CR3 register, used to manage the process's virtual memory; see the PTE chapter
+0x030 ThreadListHead : _LIST_ENTRY // points to the list of threads the process has
+0x040 ProcessLock : Uint8B // used to synchronize access to the EPROCESS object
+0x048 Affinity : _KAFFINITY_EX // the processors this process may run on; used to decide the preferred processor
+0x070 ReadyListHead : _LIST_ENTRY // list of threads currently in the ready state
+0x080 SwapListEntry : _SINGLE_LIST_ENTRY // list of threads currently being swapped
+0x088 ActiveProcessors : _KAFFINITY_EX // the processors that are currently active
+0x0b0 AutoAlignment : Pos 0, 1 Bit
+0x0b0 DisableBoost : Pos 1, 1 Bit
+0x0b0 DisableQuantum : Pos 2, 1 Bit
+0x0b0 ActiveGroupsMask : Pos 3, 4 Bits
+0x0b0 ReservedFlags : Pos 7, 25 Bits
+0x0b0 ProcessFlags : Int4B
+0x0b4 BasePriority : Char // base priority; see the thread-scheduling chapter
+0x0b5 QuantumReset : Char // base quantum value; see the quantum chapter
+0x0b6 Visited : UChar
+0x0b7 Unused3 : UChar
+0x0b8 ThreadSeed : [4] Uint4B
+0x0c8 IdealNode : [4] Uint2B
+0x0d0 IdealGlobalNode : Uint2B
+0x0d2 Flags : _KEXECUTE_OPTIONS
+0x0d3 Unused1 : UChar
+0x0d4 Unused2 : Uint4B
+0x0d8 Unused4 : Uint4B
+0x0dc StackCount : _KSTACK_COUNT
+0x0e0 ProcessListEntry : _LIST_ENTRY
+0x0f0 CycleTime : Uint8B
+0x0f8 KernelTime : Uint4B // time the process has spent at kernel level
+0x0fc UserTime : Uint4B // time the process has spent at user level
+0x100 InstrumentationCallback : Ptr64 Void
+0x108 LdtSystemDescriptor : _KGDTENTRY64
+0x118 LdtBaseAddress : Ptr64 Void
+0x120 LdtProcessLock : _KGUARDED_MUTEX
+0x158 LdtFreeSelectorHint : Uint2B
+0x15a LdtTableLength : Uint2B

[The content] Windbg KPROCESS structure




Specifying processor affinity

Earlier, in KPROCESS, we saw that the preferred processor is determined through the Affinity field. So how do we specify the preferred processor?

This can easily be done from Task Manager.

As shown below, run Task Manager, select the process whose affinity you want to set, and then you can enter the affinity settings.

If you specify a preferred processor as shown (↓), the process is run on that processor.

[Figure] specify a preferred processor


