CURRENT WORK ITEM - PREVIEW ONLY

ZwSetSystemInformation

This function sets a wide range of system properties and behaviour.

Declaration

NTSTATUS 
ZwSetSystemInformation (
    SYSTEM_INFORMATION_CLASS SystemInformationClass, 
    PVOID SystemInformation, 
    ULONG SystemInformationLength);

Parameters

The SystemInformationClass argument tells what sort of information to set. There are very many supported values.

The SystemInformation and SystemInformationLength arguments are respectively the address and size (in bytes) of a buffer that provides the information. The SystemInformationLength can be zero to indicate that no information is provided. Interpretation of whatever information is provided depends on the information class. The function treats the buffer as read-only for most information classes but not all.

Return Value

The function returns STATUS_SUCCESS if successful, else a negative error code or, unusually, a positive status or warning.

Availability

The ZwSetSystemInformation and NtSetSystemInformation functions are exported by name from NTDLL in version 3.50 and higher. In user mode, the functions are aliases for a stub that transfers execution to the NtSetSystemInformation implementation in kernel mode such that the execution is recognised as originating in user mode.

The ZwSetSystemInformation function is equally ancient as an export from the kernel. It too is a stub that transfers execution to NtSetSystemInformation but such that the execution is recognised as originating in kernel mode. In all versions, the kernel-mode NtSetSystemInformation is just an internal routine.

Documentation Status

Under any name, this function is not documented. As ZwSetSystemInformation only, it is declared in the ZWAPI.H that Microsoft published, possibly by oversight, in the Enterprise edition of the Windows Driver Kit (WDK) for Windows 10 Version 1511.

The SYSTEM_INFORMATION_CLASS enumeration has a C-language definition in WINTERNL.H from the Software Development Kit (SDK), for use with the NtQuerySystemInformation function (which is documented as an NTDLL export). The definition given there is plainly not what Microsoft itself uses but is instead a contrivance for the relative handful of cases that Microsoft discloses. One of those cases, however, is acceptable to NtSetSystemInformation.

Behaviour

The following implementation notes are primarily from inspection of the kernel from the original release of Windows 10. They may some day be treated to systematic revision to account for earlier versions. Meanwhile, where anything is added about earlier versions, take it as a bonus from my being unable to resist at least a quick look into the history, not as an attempt at comprehensiveness. Really, for a function such as this with so many cases, these notes can’t ever be anything but a work in progress.

User-Mode Defences

If executing for a user-mode request, the function has some general defensiveness about addresses passed as arguments. Failure at any of these defences is failure for the function, which typically returns STATUS_DATATYPE_MISALIGNMENT or STATUS_ACCESS_VIOLATION (showing in kernel mode as a raised but handled exception).

If an information buffer is given, meaning here that SystemInformationLength is non-zero, then its address SystemInformation must be dword-aligned ordinarily but word-aligned for information class SystemErrorPortInformation (0x59), and the whole of it must be in user-mode address space.
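
The checks just described can be modelled in portable C. This is an added example, not code from the kernel or from the author of these notes. It assumes that misalignment maps to STATUS_DATATYPE_MISALIGNMENT and an out-of-range buffer to STATUS_ACCESS_VIOLATION, that alignment is tested first, and that the user-mode limit is the constructed value MODEL_USER_LIMIT.

```c
#include <stdint.h>
#include <stdio.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS               ((NTSTATUS)0x00000000)
#define STATUS_DATATYPE_MISALIGNMENT ((NTSTATUS)0x80000002)
#define STATUS_ACCESS_VIOLATION      ((NTSTATUS)0xC0000005)

#define SystemFlagsInformation     0x09u
#define SystemErrorPortInformation 0x59u

/* Constructed for the model: the first address that is NOT user-mode. */
#define MODEL_USER_LIMIT 0x7FFF0000ull

/* Model of the general defences applied to a user-mode request.
   The order of the checks and the status chosen for each are assumptions. */
NTSTATUS model_probe(uint32_t info_class, uint64_t address,
                     uint32_t length, uint64_t user_limit)
{
    /* A zero length means no buffer is given, so nothing is probed. */
    if (length == 0)
        return STATUS_SUCCESS;

    /* Dword alignment ordinarily, word alignment for class 0x59 only. */
    uint64_t alignment = (info_class == SystemErrorPortInformation) ? 2u : 4u;
    if ((address & (alignment - 1)) != 0)
        return STATUS_DATATYPE_MISALIGNMENT;

    /* The whole buffer must lie below the limit; reject wrap-around too. */
    uint64_t end = address + length;
    if (end < address || end > user_limit)
        return STATUS_ACCESS_VIOLATION;

    return STATUS_SUCCESS;
}

int main(void)
{
    /* Constructed sample inputs. */
    struct { const char *what; uint32_t cls; uint64_t addr; uint32_t len; } cases[] = {
        { "word-aligned, class 0x09",  SystemFlagsInformation,     0x1002, 4 },
        { "word-aligned, class 0x59",  SystemErrorPortInformation, 0x1002, 4 },
        { "odd address, class 0x59",   SystemErrorPortInformation, 0x1001, 4 },
        { "ends exactly at the limit", SystemFlagsInformation, MODEL_USER_LIMIT - 4, 4 },
        { "straddles the limit",       SystemFlagsInformation, MODEL_USER_LIMIT - 4, 8 },
        { "zero length, high address", SystemFlagsInformation, 0xFFFF800000000001ull, 0 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-28s -> 0x%08X\n", cases[i].what,
               (unsigned)model_probe(cases[i].cls, cases[i].addr,
                                     cases[i].len, MODEL_USER_LIMIT));
    return 0;
}
```

A zero length passes these general defences whatever the address; any later rejection is the business of the individual information class.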

Exception Handling

Except if noted explicitly below, the function never accesses the SystemInformation without preparing for exceptions. If executing for a user-mode request, the occurrence of an exception during such access is fatal for the function, which returns the exception code as its own result. If executing for a kernel-mode request, exceptions are handled only to continue as if unhandled, which will typically be fatal to Windows.

Valid Information Classes

The large table below lists the information classes that ZwSetSystemInformation does not dismiss as invalid (after the preceding defences). For all others, the function fails, returning STATUS_INVALID_INFO_CLASS.

Names of the information classes and of the related structures and of their members are from type information in public symbol files for various high-level user-mode modules such as URLMON.DLL starting with Windows 8 and in statically linked libraries from early editions of the Device Driver Kit (DDK). No symbol files for the kernel or NTDLL have relevant type information in any known Windows release.

Note that the versions that are shown below for each information class are those for which the function does not fail trivially as invalid. More than a few fail just as trivially, but return some other error code such as STATUS_NOT_IMPLEMENTED or STATUS_NOT_SUPPORTED. The following shorthands are used for changes within versions:

Numeric Value Symbolic Name Versions
0x09 SystemFlagsInformation 3.51 and higher
0x15 SystemFileCacheInformation 4.0 and higher
0x18 SystemDpcBehaviorInformation 3.51 and higher
0x1A SystemLoadGdiDriverInformation 3.51 and higher
0x1B SystemUnloadGdiDriverInformation 3.51 and higher
0x1C SystemTimeAdjustmentInformation 3.50 and higher
0x1E SystemMirrorMemoryInformation 5.1 and higher
0x1F SystemPerformanceTraceInformation 6.0 and higher
0x22 SystemCrashDumpStateInformation 5.0 and higher
0x25 SystemRegistryQuotaInformation 3.51 and higher
0x26 SystemExtendServiceTableInformation 3.51 and higher
0x27 SystemPrioritySeparation 3.51 and higher
0x28 SystemVerifierAddDriverInformation 5.1 and higher
0x29 SystemVerifierRemoveDriverInformation 5.1 and higher
0x2E SystemTimeSlipNotification 5.0 and higher
0x2F SystemSessionCreate 5.0 and higher
0x30 SystemSessionDetach 5.0 and higher
0x33 SystemVerifierInformation 5.0 and higher
0x34 SystemVerifierThunkExtend 5.0 and higher
0x36 SystemLoadGdiDriverInSystemSpace 5.1 and higher
0x38 SystemPrefetcherInformation 5.1 and higher
0x3B SystemComPlusPackage 5.1 and higher
0x45 SystemHotpatchInformation late 5.1 and higher
0x47 SystemWatchdogTimerHandler 5.2 and higher
0x48 SystemWatchdogTimerInformation 5.2 and higher
0x4A SystemWow64SharedInformationObsolete late 5.2 and higher
0x4B SystemRegisterFirmwareTableInformationHandler late 5.2 and higher
0x4F SystemSuperfetchInformation 6.0 and higher
0x50 SystemMemoryListInformation 6.0 and higher
0x51 SystemFileCacheInformationEx late 5.2 and higher
0x52 SystemThreadPriorityClientIdInformation 6.0 and higher
0x54 SystemVerifierCancellationInformation 6.0 only
0x56 SystemRefTraceInformation 6.0 and higher
0x57 SystemSpecialPoolInformation 6.0 and higher
0x59 SystemErrorPortInformation 6.0 and higher
0x5B SystemHypervisorInformation 6.0 and higher
0x5C SystemVerifierInformationEx 6.0 and higher
0x5D SystemTimeZoneInformation 6.0 and higher
0x5E SystemImageFileExecutionOptionsInformation 6.0 and higher
0x5F SystemCoverageInformation 6.0 and higher
0x61 SystemVerifierFaultsInformation 6.0 and higher
0x66 SystemDynamicTimeZoneInformation 6.0 and higher
0x68 SystemProcessorMicrocodeUpdateInformation 6.0 and higher
0x6A SystemVirtualAddressInformation late 6.0 and higher
0x6D SystemStoreInformation 6.1 and higher
0x6E SystemRegistryAppendString 6.1 and higher
0x6F SystemAitSamplingValue 6.1 and higher
0x71 SystemCpuQuotaInformation 6.1 and higher
0x7F SystemScrubPhysicalMemoryInformation 6.2 and higher
0x81 SystemProcessorProfileControlArea 6.2 and higher
0x82 SystemCombinePhysicalMemoryInformation 6.2 and higher
0x83 SystemEntropyInterruptTimingInformation 6.2 and higher
0x84 SystemConsoleInformation 6.2 and higher
0x86 SystemThrottleNotificationInformation 6.2 only
0x86 SystemPolicyInformation 6.3 and higher
0x8E SystemCriticalProcessErrorLogInformation 1607 and higher
0x96 SystemBootMetadataInformation 6.3 and higher
0x97 SystemSoftRebootInformation 6.3 and higher
0x98 SystemElamCertificateInformation 6.3 and higher
0x9B SystemRegistryReconciliationInformation 6.3 and higher
0x9F SystemHypervisorDetailInformation 10.0 and higher
0xA1 SystemVmGenerationCountInformation 10.0 and higher
0xA4 SystemCodeIntegrityPolicyInformation 1709 and higher
0xA8 SystemAllowedCpuSetsInformation 10.0 and higher
0xAA SystemInterruptCpuSetsInformation 10.0 and higher
0xB0 SystemCpuSetTagInformation 10.0 and higher
0xB1 SystemWin32WerStartCallout 1511 and higher
0xBB SystemActivityModerationExeState 1703 and higher
0xBE SystemCodeIntegrityUnlockInformation 1703 and higher
0xBF SystemIntegrityQuotaInformation 1703 and higher
0xC2 SystemSecureDumpEncryptionInformation 1709 and higher
0xC7 SystemCodeIntegrityVerificationInformation 1803 and higher

All remaining behaviour varies with the information class.

SystemFlagsInformation (0x09)

The information buffer must provide exactly a SYSTEM_FLAGS_INFORMATION structure. There is just the one member, a ULONG named Flags. It updates the kernel’s NtGlobalFlag variable. Since this variable is exported from all known kernel versions (and is declared in NTDDK.H, originally), SystemFlagsInformation has little or no reason to exist except to help user-mode callers.

If executing for a user-mode request, the caller must have SeDebugPrivilege. Without it, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

Not all bits in the given Flags get updated in NtGlobalFlag. The handling, not just the interpretation, varies greatly between versions. For details, follow the link.

SystemFileCacheInformation (0x15)

The information buffer must provide at least a SYSTEM_FILECACHE_INFORMATION structure.

If executing for a user-mode request, the caller must have SeIncreaseQuotaPrivilege. Without it, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

SystemDpcBehaviorInformation (0x18)

The information buffer must provide exactly a SYSTEM_DPC_BEHAVIOR_INFORMATION structure.

If executing for a user-mode request, the caller must have SeLoadDriverPrivilege. Without it, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

SystemLoadGdiDriverInformation (0x1A)

The information buffer must provide exactly a SYSTEM_GDI_DRIVER_INFORMATION structure.

This information class is for kernel-mode use only. If executing for a user-mode request, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

The DriverName member provides the only input, specifically to name the driver that the function is to load. If the function cannot load this driver as a per-session system image, it fails. Otherwise, it fills in the other members of the structure with a description of the loaded driver.

SystemUnloadGdiDriverInformation (0x1B)

The information buffer must provide exactly one pointer. This is to be the address of the driver that the function is to unload. The caller presumably knows it from what was put in the ImageAddress member when SystemLoadGdiDriverInformation was used to load the driver.

This information class is for kernel-mode use only. If executing for a user-mode request, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

SystemTimeAdjustmentInformation (0x1C)

The information buffer must provide exactly a SYSTEM_SET_TIME_ADJUST_INFORMATION structure.

If executing for a user-mode request, the caller must have SeSystemtimePrivilege. Without it, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

If Enable is FALSE, the TimeAdjustment must be between 0 and 10,000,000 (representing 1 second). Otherwise, the function fails, returning STATUS_INVALID_PARAMETER.

SystemMirrorMemoryInformation (0x1E)

The information buffer is ignored.

Memory mirroring is a high-end feature that Microsoft enables only in high-end server editions of Windows. If the license value Kernel-MemoryMirroringSupported does not evaluate to TRUE, the function fails, returning STATUS_LICENSE_VIOLATION. If executing for a user-mode request, the caller must have SeShutdownPrivilege, else the function fails, returning STATUS_PRIVILEGE_NOT_HELD. The function fails, returning STATUS_NOT_SUPPORTED, unless mirroring is enabled in the registry.

SystemPerformanceTraceInformation (0x1F)

TO BE DONE

SystemCrashDumpStateInformation (0x22)

If executing for a user-mode request, the caller must have SeDebugPrivilege. Without it, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

Ideally, the information buffer provides exactly a SYSTEM_CRASH_DUMP_STATE_INFORMATION structure whose one member tells what configuration is wanted:

The structure is not required, however. If SystemInformationLength is incorrect, the function defaults to SystemCrashDumpReconfigure. If the structure is given but with an invalid configuration, the function fails, returning STATUS_INVALID_PARAMETER.

SystemRegistryQuotaInformation (0x25)

The information buffer must provide exactly a SYSTEM_REGISTRY_QUOTA_INFORMATION structure.

If executing for a user-mode request, the caller must have SeIncreaseQuotaPrivilege. Without it, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

SystemExtendServiceTableInformation (0x26)

The information buffer must provide exactly a UNICODE_STRING structure. This is to name a driver to load as a per-session system image and to initialise as the session driver.

If executing for a user-mode request, the permitted circumstances and the freedom to name the driver are greatly restricted. Failure on any count causes the function to return STATUS_PRIVILEGE_NOT_HELD. First, the current process must be the session master. Second, the caller must have SeLoadDriverPrivilege. Third, the name can only be \SystemRoot\System32\win32k.sys, as 0x3E bytes in this particular mixture of case. With these requirements all met, the function reissues itself as a kernel-mode ZwSetSystemInformation.

SystemPrioritySeparation (0x27)

The information buffer must provide exactly a dword.

If executing for a user-mode request, the caller must have SeTcbPrivilege. Without it, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

SystemVerifierAddDriverInformation (0x28)

The information buffer must provide exactly a UNICODE_STRING structure. This is to name a driver whose operations are to be verified.

If executing for a user-mode request, the caller must have SeDebugPrivilege. Without it, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

SystemVerifierRemoveDriverInformation (0x29)

The information buffer must provide exactly a UNICODE_STRING structure. This is to name a driver whose operations are being verified but which need not be.

If executing for a user-mode request, the caller must have SeDebugPrivilege. Without it, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

SystemTimeSlipNotification (0x2E)

The information buffer must provide exactly a HANDLE. The intention is that the handle refer to an event that the kernel is to signal when resuming execution after kernel-mode debugging. The handle can be NULL to direct that no signal is wanted.

If executing for a user-mode request, the caller must have SeSystemtimePrivilege. Without it, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

Unless the given handle is NULL, it must be specifically a handle to an event object and have the EVENT_MODIFY_ACCESS permission. If the function cannot reference the event object for modification, it fails.

SystemSessionCreate (0x2F)

This information class is only trivially valid. The function returns STATUS_NOT_IMPLEMENTED.

SystemSessionDetach (0x30)

This information class is only trivially valid. The function returns STATUS_NOT_IMPLEMENTED.

SystemVerifierInformation (0x33)

If executing for a user-mode request, the caller must have SeDebugPrivilege. Without it, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

The information buffer must provide at least a dword of bit flags to adopt as Verifier options.

SystemVerifierThunkExtend (0x34)

This information class is for kernel-mode use only. If executing for a user-mode request, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

SystemLoadGdiDriverInSystemSpace (0x36)

The information buffer must provide exactly a SYSTEM_GDI_DRIVER_INFORMATION structure.

This information class is for kernel-mode use only. If executing for a user-mode request, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

The DriverName member provides the only input, specifically to name the driver that the function is to load. If the function cannot load this driver as a system image, it fails. Otherwise, it fills in the other members of the structure with a description of the loaded driver.

SystemPrefetcherInformation (0x38)

The information buffer must provide exactly a SUPERFETCH_INFORMATION structure as input. It is not certain that this is Microsoft’s name for the structure as expected for this information class. It is, however, Microsoft’s name for a structure that has the same layout and which is known to be correct for the information class SystemSuperfetchInformation.

The first dword must be 0x01 and the second 0x6B756843, else the function fails, returning STATUS_INVALID_PARAMETER. If the third dword is not a valid Prefetcher information class, the function fails, returning STATUS_INVALID_INFO_CLASS. The four valid cases are beyond the present scope of this review.

SystemComPlusPackage (0x3B)

The information buffer is to provide exactly a ULONG that is to be set into the registry, specifically in the Enable64Bit value in HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework, and become the ComPlusPackage in the KUSER_SHARED_DATA.

SystemHotpatchInformation (0x45)

This information class is only trivially valid. The function returns STATUS_NOT_SUPPORTED.

SystemWatchdogTimerHandler (0x47)

This information class is only trivially valid. The function returns STATUS_NOT_SUPPORTED.

SystemWatchdogTimerInformation (0x48)

This information class is for kernel-mode use only. If executing for a user-mode request, the function fails, returning STATUS_INVALID_PARAMETER.

The information buffer must provide exactly a SYSTEM_WATCHDOG_TIMER_INFORMATION structure. Otherwise, the function fails, returning STATUS_INVALID_PARAMETER. The function also returns STATUS_INVALID_PARAMETER if the WdInfoClass in the structure is invalid. Of the defined Watchdog information classes, WdInfoState (5) is invalid, and WdInfoTimeoutValue (0) and WdInfoTriggerAction (4) are valid but unsupported, i.e., they cause the function to return STATUS_NOT_SUPPORTED.

The supported Watchdog information classes are handled by routines in the HalPrivateDispatchTable. This jump table is exported, such that its routines can be diverted by anyone who knows the HAL_PRIVATE_DISPATCH type.

SystemWow64SharedInformationObsolete (0x4A)

This information class is only trivially valid. The function returns STATUS_NOT_IMPLEMENTED.

SystemRegisterFirmwareTableInformationHandler (0x4B)

This information class, which would register a callback routine to execute, is for kernel-mode use only. If executing for a user-mode request, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

The information buffer must provide at least a SYSTEM_FIRMWARE_TABLE_HANDLER. (This structure is defined in NTDDK.H, though one might wonder why, given that the only way to register a firmware table handler is through this information class of this undocumented function.)

The kernel keeps a linked list of registered firmware table handlers. These are distinguished by the ProviderSignature. If a handler is already registered for the same provider, then the function interprets FALSE for Registered as a request to unregister the handler whose address is given in FirmwareTableHandler. If this is not the registered handler for that provider, the function fails, returning STATUS_INVALID_PARAMETER. A registered handler can only be changed by un-registering and re-registering. If Registered is non-zero, then whatever is given in FirmwareTableHandler is ignored, and the function returns the warning STATUS_OBJECT_NAME_EXISTS.

If no handler is already registered for the same provider but Registered is FALSE, there is nothing to unregister, and the function fails, returning STATUS_INVALID_PARAMETER. Otherwise, the function adds the provider and its handler to the list. If only in theory, this can fail for lack of memory, shown by returning STATUS_INSUFFICIENT_RESOURCES.
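
The registration rules in the two preceding paragraphs, modelled as a small state machine in portable C. This is an added example, not the kernel's code or the author's. The MODEL_ types, the handler prototype and the provider signature are hypothetical stand-ins, and the member names follow the text above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef int32_t NTSTATUS;
#define NT_SUCCESS(s)                 ((NTSTATUS)(s) >= 0)
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_OBJECT_NAME_EXISTS     ((NTSTATUS)0x40000000) /* warning: NT_SUCCESS is true */
#define STATUS_INVALID_PARAMETER      ((NTSTATUS)0xC000000D)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009A)

/* Hypothetical stand-in for the handler's real prototype. */
typedef int (*MODEL_HANDLER)(void);

/* Model of the request, with members named as in the text above. */
typedef struct {
    uint32_t      ProviderSignature;
    uint8_t       Registered;
    MODEL_HANDLER FirmwareTableHandler;
} MODEL_REQUEST;

/* One entry in the model of the kernel's list of registered handlers. */
typedef struct MODEL_ENTRY {
    struct MODEL_ENTRY *Next;
    uint32_t            ProviderSignature;
    MODEL_HANDLER       Handler;
} MODEL_ENTRY;

static MODEL_ENTRY *g_list;

/* Returns the handler currently registered for a provider, or NULL. */
MODEL_HANDLER model_lookup(uint32_t signature)
{
    for (MODEL_ENTRY *e = g_list; e != NULL; e = e->Next)
        if (e->ProviderSignature == signature)
            return e->Handler;
    return NULL;
}

/* Applies one register or unregister request to the list. */
NTSTATUS model_set_handler(const MODEL_REQUEST *req)
{
    MODEL_ENTRY **link = &g_list;
    while (*link != NULL && (*link)->ProviderSignature != req->ProviderSignature)
        link = &(*link)->Next;

    if (*link != NULL) {                        /* provider already registered */
        MODEL_ENTRY *found = *link;
        if (req->Registered)
            return STATUS_OBJECT_NAME_EXISTS;   /* new handler address is ignored */
        if (found->Handler != req->FirmwareTableHandler)
            return STATUS_INVALID_PARAMETER;    /* not the registered handler */
        *link = found->Next;                    /* unregister */
        free(found);
        return STATUS_SUCCESS;
    }

    if (!req->Registered)
        return STATUS_INVALID_PARAMETER;        /* nothing to unregister */

    MODEL_ENTRY *e = malloc(sizeof *e);
    if (e == NULL)
        return STATUS_INSUFFICIENT_RESOURCES;
    e->ProviderSignature = req->ProviderSignature;
    e->Handler = req->FirmwareTableHandler;
    e->Next = g_list;
    g_list = e;
    return STATUS_SUCCESS;
}

static int handler_a(void) { return 1; }
static int handler_b(void) { return 2; }

int main(void)
{
    MODEL_REQUEST r = { 0x54534554u /* constructed signature */, 1, handler_a };
    printf("register A        0x%08X\n", (unsigned)model_set_handler(&r));

    r.FirmwareTableHandler = handler_b;         /* second registrant, same provider */
    NTSTATUS s = model_set_handler(&r);
    printf("register B        0x%08X NT_SUCCESS=%d handler still A=%d\n",
           (unsigned)s, NT_SUCCESS(s), model_lookup(r.ProviderSignature) == handler_a);

    r.Registered = 0;                           /* unregister with the wrong address */
    printf("unregister as B   0x%08X\n", (unsigned)model_set_handler(&r));
    r.FirmwareTableHandler = handler_a;
    printf("unregister as A   0x%08X\n", (unsigned)model_set_handler(&r));
    printf("unregister again  0x%08X\n", (unsigned)model_set_handler(&r));
    return 0;
}
```

Because STATUS_OBJECT_NAME_EXISTS satisfies NT_SUCCESS, a caller has to compare the result against STATUS_SUCCESS explicitly to know that its own handler is the one registered.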

SystemSuperfetchInformation (0x4F)

If executing for a user-mode request, the caller must have SeProfileSingleProcessPrivilege. Without it, the function fails, returning STATUS_ACCESS_DENIED.

The information buffer must provide exactly a SUPERFETCH_INFORMATION structure.

The first dword must be 0x2D and the second 0x6B756843, else the function fails, returning STATUS_INVALID_PARAMETER. If the third dword is not a valid Superfetch information class, the function fails, returning STATUS_INVALID_INFO_CLASS. There are many cases, presently all beyond the scope of this review.

SystemMemoryListInformation (0x50)

The information buffer must provide at least a SYSTEM_MEMORY_LIST_COMMAND. The following are valid:

Given anything else, the function fails, returning STATUS_INVALID_PARAMETER. If executing for a user-mode request, commands other than MemoryFlushModifiedList require SeProfileSingleProcessPrivilege, else the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

SystemFileCacheInformationEx (0x51)

The information buffer must provide at least a SYSTEM_FILECACHE_INFORMATION structure.

If executing for a user-mode request, the caller must have SeIncreaseQuotaPrivilege. Without it, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

SystemThreadPriorityClientIdInformation (0x52)

The information buffer must provide at least a SYSTEM_THREAD_CID_PRIORITY_INFORMATION structure.

If executing for a user-mode request, the caller must have SeIncreaseBasePriorityPrivilege. Without it, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

The wanted Priority must be greater than LOW_PRIORITY (0) and no greater than HIGH_PRIORITY (31). Otherwise, the function fails, returning STATUS_INVALID_PARAMETER. If the ClientId does not correspond to any combination of process and thread, the function fails, returning STATUS_INVALID_CID. If the identified thread is signalled, the function fails, returning STATUS_THREAD_IS_TERMINATING.

After setting the given thread’s base priority, the function returns STATUS_PENDING.

SystemRefTraceInformation (0x56)

If executing for a user-mode request, the caller must have SeDebugPrivilege. Without it, the function fails, returning STATUS_ACCESS_DENIED.

The information buffer must provide at least a SYSTEM_REF_TRACE_INFORMATION structure, else the function returns STATUS_INVALID_PARAMETER.

SystemSpecialPoolInformation (0x57)

If executing for a user-mode request, the caller must have SeDebugPrivilege. Without it, the function fails, returning STATUS_ACCESS_DENIED.

The information buffer must provide exactly a SYSTEM_SPECIAL_POOL_INFORMATION structure.

SystemErrorPortInformation (0x59)

This information class exists only for user-mode callers. If executing for a kernel-mode request, the function fails, returning STATUS_NOT_SUPPORTED. The user-mode caller must have SeTcbPrivilege. Without it, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

SystemHypervisorInformation (0x5B)

This information class is for kernel-mode use only. If executing for a user-mode request, the function fails, returning STATUS_ACCESS_DENIED.

The information buffer is not wanted. If SystemInformationLength is not zero, the function fails, returning STATUS_INVALID_PARAMETER_2. In fact, for this information class, the function sets nothing. The kernel simply returns STATUS_SUCCESS or STATUS_HV_NOT_PRESENT according to whether it knows a hypervisor is or is not present.

SystemVerifierInformationEx (0x5C)

If executing for a user-mode request, the caller must have SeDebugPrivilege. Without it, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

The information buffer must provide exactly a SYSTEM_VERIFIER_INFORMATION_EX structure.

SystemTimeZoneInformation (0x5D)

The information buffer must provide exactly an RTL_TIME_ZONE_INFORMATION structure.

If executing for a user-mode request, the caller must have SeTimeZonePrivilege. Without it, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

SystemImageFileExecutionOptionsInformation (0x5E)

If executing for a user-mode request, the caller must have SeTcbPrivilege. Without it, the function fails, returning STATUS_ACCESS_DENIED.

The information buffer must provide exactly a SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION structure. There are just the two members. The FlagsToEnable are bits to set in the ImageFileExecutionOptions in the KUSER_SHARED_DATA, and then the FlagsToDisable are bits to clear.

SystemCoverageInformation (0x5F)

This information class exists only for user-mode callers. If executing for a kernel-mode request, the function fails, returning STATUS_ACCESS_DENIED. The user-mode caller must have SeDebugPrivilege. Without it, the function fails, returning STATUS_ACCESS_DENIED.

The information buffer must provide at least a COVERAGE_MODULE_REQUEST.

SystemVerifierFaultsInformation (0x61)

The information buffer must provide exactly a SYSTEM_VERIFIER_FAULTS_INFORMATION structure.

If executing for a user-mode request, the caller must have SeDebugPrivilege. Without it, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

SystemDynamicTimeZoneInformation (0x66)

The information buffer must provide exactly an RTL_DYNAMIC_TIME_ZONE_INFORMATION structure.

If executing for a user-mode request, the caller must have SeTimeZonePrivilege. Without it, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

SystemProcessorMicrocodeUpdateInformation (0x68)

The information buffer must provide at least a SYSTEM_PROCESSOR_MICROCODE_UPDATE_INFORMATION structure. There is just the one member, Operation, which can be 1 to load or 2 to unload. Anything else is rejected, as STATUS_INVALID_PARAMETER.

SystemVirtualAddressInformation (0x6A)

If executing for a user-mode request, the caller must have SeIncreaseQuotaPrivilege. Without it, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

The information buffer must provide at least six SYSTEM_VA_LIST_INFORMATION structures as an array, one for each valid SYSTEM_VA_TYPE.

This information class is incompatible with Safe Boot. If Windows started with the SAFEBOOT boot option, then this function returns STATUS_TOO_LATE.

SystemStoreInformation (0x6D)

The information buffer must provide exactly a structure whose name in Microsoft’s source code is not known. It is 0x10 or 0x18 bytes in 32-bit and 64-bit Windows, respectively. The first dword must be 1, else the function fails, returning STATUS_INVALID_PARAMETER.

If executing for a user-mode request, the caller must have SeProfileSingleProcessPrivilege. Without it, the function fails, returning STATUS_ACCESS_DENIED.

If the second dword in the structure is not a valid Store information class, the function fails, returning STATUS_INVALID_INFO_CLASS. There are many cases, presently all beyond the scope of this review. Remaining members provide the address and size of additional information.

SystemRegistryAppendString (0x6E)

This information class is only trivially valid. The function returns STATUS_NOT_IMPLEMENTED.

SystemAitSamplingValue (0x6F)

The information buffer must provide exactly one ULONG that is to become the AitSamplingValue in the KUSER_SHARED_DATA.

If executing for a user-mode request, the caller must have SeProfileSingleProcessPrivilege. Without it, the function fails, returning STATUS_ACCESS_DENIED.

SystemCpuQuotaInformation (0x71)

This information class depends on DFSS to be enabled by a registry configuration. If it is not, the function fails, returning STATUS_UNSUCCESSFUL.

The information buffer must provide a non-empty array of PS_CPU_QUOTA_SET_INFORMATION structures.

If executing for a user-mode request, the caller must have SeIncreaseQuotaPrivilege. Without it, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

SystemScrubPhysicalMemoryInformation (0x7F)

The information buffer must provide exactly a MEMORY_SCRUB_INFORMATION structure for both input and output.

If executing for a user-mode request, the caller must have SeProfileSingleProcessPrivilege. Without it, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

SystemProcessorProfileControlArea (0x81)

This information class is for kernel-mode use only. If executing for a user-mode request, the function fails, returning STATUS_ACCESS_DENIED.

The information buffer must provide exactly a SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA structure.

SystemCombinePhysicalMemoryInformation (0x82)

The information buffer must provide exactly a MEMORY_COMBINE_INFORMATION structure for both input and output.

If executing for a user-mode request, the caller must have SeProfileSingleProcessPrivilege. Without it, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

SystemEntropyInterruptTimingInformation (0x83)

This information class, which would register a callback routine to execute, is for kernel-mode use only. If executing for a user-mode request, the function fails, returning STATUS_ACCESS_DENIED.

The information buffer must provide exactly a SYSTEM_ENTROPY_TIMING_INFORMATION structure.

SystemConsoleInformation (0x84)

The information buffer must provide exactly a SYSTEM_CONSOLE_INFORMATION structure whose one meaningful member, a single bit named DriverLoaded, tells whether the function is to load or unload the console driver, meaning very specifically the driver whose registry key under \Registry\Machine\System\CurrentControlSet\Services is condrv.

If executing for a user-mode request, the caller must have SeLoadDriverPrivilege to unload the driver. Without it, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

SystemPolicyInformation (0x86)

The information buffer must provide exactly a SYSTEM_POLICY_INFORMATION structure.

Note that type information from symbol files for Windows 8 would have it that this information class is named SystemThrottleNotificationInformation in version 6.2. Who’s to know what purpose this name may have had during development (or even after release), but the implementation as released for version 6.2 is already consistent with SystemPolicyInformation as known for later versions.

SystemBootMetadataInformation (0x96)

If executing for a user-mode request, the caller must have SeTcbPrivilege. Without it, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

The information buffer is not wanted. If SystemInformationLength is not zero, the function fails, returning STATUS_INFO_LENGTH_MISMATCH.

SystemSoftRebootInformation (0x97)

If executing for a user-mode request, the caller must have SeProfileSingleProcessPrivilege. Without it, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

The information buffer must provide exactly one byte.

If the one byte of input is non-zero and the function is executing for a user-mode request, the caller must have SeTcbPrivilege, else the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

SystemElamCertificateInformation (0x98)

The information buffer must provide exactly a SYSTEM_ELAM_CERTIFICATE_INFORMATION structure.

This information class exists only for user-mode callers. If executing for a kernel-mode request, the function fails, returning STATUS_INVALID_PARAMETER.

SystemRegistryReconciliationInformation (0x9B)

The information buffer is ignored.

SystemHypervisorDetailInformation (0x9F)

This information class is only trivially valid. The function returns STATUS_NOT_SUPPORTED.

SystemVmGenerationCountInformation (0xA1)

This information class is for kernel-mode use only. If executing for a user-mode request, the function fails, returning STATUS_ACCESS_DENIED.

The information buffer must provide exactly 8 bytes of input.

SystemAllowedCpuSetsInformation (0xA8)

The information buffer must provide exactly a ULONGLONG for each CPU set that is to be allowed, up to the maximum that the platform supports, i.e., 1 or 20 for 32-bit and 64-bit Windows 10, respectively.

SystemInterruptCpuSetsInformation (0xAA)

The information buffer must provide exactly a SYSTEM_INTERRUPT_CPU_SET_INFORMATION structure.

If executing for a user-mode request, the caller must have SeIncreaseBasePriorityPrivilege. Without it, the function fails, returning STATUS_PRIVILEGE_NOT_HELD.

SystemCpuSetTagInformation (0xB0)

The information buffer must provide for a SYSTEM_CPU_SET_TAG_INFORMATION structure whose unsized CpuSets array has exactly a ULONGLONG for each CPU set that is to be allowed, up to the maximum that the platform supports, i.e., 1 or 20 for 32-bit and 64-bit Windows 10, respectively.