SYSTEM_OBJECT_INFORMATION

The SYSTEM_OBJECT_INFORMATION structure is an irregularly recurring element in what a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces in its output buffer when given the information class SystemObjectInformation (0x11). The output begins with a SYSTEM_OBJECTTYPE_INFORMATION. There can be, and typically are, more of these throughout the buffer, but irregularly because each can be followed by any number of SYSTEM_OBJECT_INFORMATION structures. These too are irregularly spaced because although each is fixed in size, each has a pointer to a variable-size name.

Documentation Status

The SYSTEM_OBJECT_INFORMATION structure is not documented.

Layout

The SYSTEM_OBJECT_INFORMATION is 0x30 or 0x50 bytes in 32-bit and 64-bit Windows, respectively.

Offset (x86) Offset (x64) Definition
0x00 0x00
ULONG NextEntryOffset;
0x04 0x08
PVOID Object;
0x08 0x10
PVOID CreatorUniqueProcess;
0x0C 0x18
USHORT CreatorBackTraceIndex;
0x0E 0x1A
USHORT Flags;
0x10 0x1C
LONG PointerCount;
0x14 0x20
LONG HandleCount;
0x18 0x24
ULONG PagedPoolCharge;
0x1C 0x28
ULONG NonPagedPoolCharge;
0x20 0x30
PVOID ExclusiveProcessId;
0x24 0x38
PVOID SecurityDescriptor;
0x28 0x40
OBJECT_NAME_INFORMATION NameInfo;