SYSTEM_BASIC_INFORMATION

The SYSTEM_BASIC_INFORMATION structure is what a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces in its output buffer when given the information classes SystemBasicInformation (0x00), SystemEmulationBasicInformation (0x3E) or SystemNativeBasicInformation (0x72).

Usage

The primary use of the SystemBasicInformation case of NtQuerySystemInformation is to support the KERNEL32 function GetSystemInfo, specifically to obtain values for the following members of that function’s SYSTEM_INFO structure:

If these are all that is wanted, then use GetSystemInfo instead.

Documentation Status

The SYSTEM_BASIC_INFORMATION structure is defined in WINTERNL.H from the Software Development Kit (SDK). The definition there provides only for NumberOfProcessors, with padding to put it at the right offset. Documentation of NtQuerySystemInformation describes the SystemBasicInformation case as returning the number of processors in the system, and directs that GetSystemInfo be used instead.

Layout

The SYSTEM_BASIC_INFORMATION is 0x2C or 0x40 bytes in 32-bit and 64-bit Windows, respectively.

Offset (x86)  Offset (x64)  Definition
0x00          0x00          ULONG Reserved;
0x04          0x04          ULONG TimerResolution;
0x08          0x08          ULONG PageSize;
0x0C          0x0C          ULONG NumberOfPhysicalPages;
0x10          0x10          ULONG LowestPhysicalPageNumber;
0x14          0x14          ULONG HighestPhysicalPageNumber;
0x18          0x18          ULONG AllocationGranularity;
0x1C          0x20          ULONG_PTR MinimumUserModeAddress;
0x20          0x28          ULONG_PTR MaximumUserModeAddress;
0x24          0x30          KAFFINITY ActiveProcessorsAffinityMask;
0x28          0x38          CHAR NumberOfProcessors;

In 32-bit Windows, the structure is filled exactly the same for all three information classes. The x64 builds treat SystemEmulationBasicInformation differently. This allows WOW64.DLL, executing 64-bit code in a 32-bit process, to get basic information that’s suited to the 32-bit caller.

The MaximumUserModeAddress is ordinarily from the exported variable MmHighestUserAddress. For the 64-bit SystemEmulationBasicInformation, however, it is one byte less than the HighestUserAddress in the current process’s EPROCESS.

The ActiveProcessorsAffinityMask covers only the active processors in the current processor group, and NumberOfProcessors counts only those active processors. The precise intention behind the different handling for the 64-bit SystemEmulationBasicInformation is not presently clear.
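
The layout can be checked against a raw output buffer, for instance one recorded by an API monitor. The following C decoder is an added example, not code from the original page or from Microsoft: it picks the x86 or x64 layout from the buffer length and tests the stated relation between the affinity mask and NumberOfProcessors. The names sbi_decoded, sbi_decode, sbi_mask_matches_count and SBI_SAMPLE64 are hypothetical, and the sample bytes are constructed.

```c
/* Added example; sbi_* and SBI_SAMPLE64 are hypothetical names, not an API. */
#include <stddef.h>
#include <stdint.h>

typedef struct {              /* decoded view, wide enough for both layouts */
    uint32_t TimerResolution, PageSize, NumberOfPhysicalPages;
    uint32_t LowestPhysicalPageNumber, HighestPhysicalPageNumber;
    uint32_t AllocationGranularity;
    uint64_t MinimumUserModeAddress, MaximumUserModeAddress, ActiveProcessorsAffinityMask;
} sbi_fields_unused_guard, *sbi_fields_unused_guard_p; /* placeholder removed below */
```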