
EPROCESS

The EPROCESS structure is the kernel’s representation of a process object. For instance, when the ObReferenceObjectByHandle function is directed to resolve a handle only if the object is of the PsProcessType type, and succeeds, the object pointer that it produces is a pointer to an EPROCESS.

Many functions that are exported from the kernel, e.g., for use by drivers, take or return a process object as a pointer to an EPROCESS. However, the structure itself is meant to be opaque outside the kernel: Microsoft publishes no definition of it, and any code that reads into it is tied to the layout of whichever build it runs against.

Variability

Since the EPROCESS structure is plainly internal to the kernel, it should not surprise that its layout changes greatly between Windows versions and even between builds of the same version. In the following table of sizes, different builds of the same version are distinguished as early and late because they are known to vary the structure even where they don’t change its size. These descriptions, as early and late, are then used throughout the article as a shorthand.

Version                                         Size (x86)  Size (x64)
3.10                                            0x0280
3.50 to 4.0                                     0x01F8
5.0                                             0x0288
early 5.1 (before Windows XP SP2)               0x0258
late 5.1 (Windows XP SP2 and higher)            0x0260
early 5.2 (before Windows Server 2003 SP1)      0x0278
late 5.2 (Windows Server 2003 SP1 and higher)   0x0278      0x03E0
early 6.0 (before Windows Vista SP1)            0x0270      0x03E8
late 6.0 (Windows Vista SP1 and higher)         0x0270      0x03E8
6.1                                             0x02C0      0x04D0
6.2                                             0x02E8      0x0660
6.3                                             0x02F8      0x06B8
10.0                                            0x0380      0x0798

Layout

These sizes, and the offsets, types and names in the tables that follow, are from Microsoft’s symbol files for the kernel, starting with Windows 2000 SP3. Symbol files for earlier versions do not contain type information for the EPROCESS, so what’s known for them is instead inferred from the use that the kernel is seen to make of the structure. Sizes are straightforward even without symbol files, since ObCreateObject and PsProcessType are exported and the kernel’s call to create a process object passes the size. What’s known of Microsoft’s names and types is something of a guess: where use of a member corresponds closely with that in a version for which Microsoft’s symbols are available, it seems reasonable to suppose continuity. Some use, however, has no correspondence, the code having changed too much. Even where the use hasn’t changed, tracking it down exhaustively would be difficult, if not impossible, even with source code.

Offset (x86) | Offset (x64) | Definition | Versions | Remarks
0x00 | 0x00 | KPROCESS Pcb; | all |
0x70 (3.10) | | KEVENT LockEvent; | 3.10 only | next at 0x6C
0x80 (3.10); 0x68 (3.50 to 4.0); 0x6C (5.0) | | LONG ExitStatus; | 3.10 to 5.0 | next at 0x024C
0x84 (3.10) | | unknown KSEMAPHORE | 3.10 only |
0x6C (3.50 to 4.0); 0x70 (5.0) | | KEVENT LockEvent; | 3.50 to 5.0 | previously at 0x70
0x7C (3.50 to 4.0); 0x80 (5.0) | | ULONG LockCount; | 3.50 to 5.0 |
0x6C (5.1 to early 5.2); 0x78 (late 5.2); 0x80 (6.0); 0x98 (6.1); 0xA0 (6.2 to 6.3); 0xA8 | 0xB8 (late 5.2); 0xC0 (6.0); 0x0160 (6.1); 0x02C8 (6.2 to 6.3); 0x02D8 | EX_PUSH_LOCK ProcessLock; | 5.1 and higher |
0x98 (3.10); 0x80 (3.50 to 4.0); 0x88 (5.0); 0x70 (5.1 to early 5.2); 0x80 (late 5.2); 0x88 (6.0); 0xA0 (6.1); 0xA8 (6.2 to 6.3) | 0xC0 (late 5.2); 0xC8 (6.0); 0x0168 (6.1); 0x02D0 (6.2 to 6.3) | LARGE_INTEGER CreateTime; | 3.10 to 6.3 | next at 0xC8 and 0x0308
0xA0 (3.10); 0x88 (3.50 to 4.0); 0x90 (5.0); 0x78 (5.1 to early 5.2); 0x88 (late 5.2); 0x90 (6.0); 0xA8 (6.1) | 0xC8 (late 5.2); 0xD0 (6.0); 0x0170 (6.1) | LARGE_INTEGER ExitTime; | 3.10 to 6.1 | next at 0x02B8 and 0x0610
0xA8 (3.10) | | unaccounted eight bytes | 3.10 only |
0x90 (3.50 to 4.0); 0x98 (5.0) | | KTHREAD *LockOwner; | 3.50 to 5.0 |
0x80 (5.1 to early 5.2); 0x90 (late 5.2); 0x98 (6.0); 0xB0 (6.1 to 6.3); 0xAC | 0xD0 (late 5.2); 0xD8 (6.0); 0x0178 (6.1); 0x02D8 (6.2 to 6.3); 0x02E0 | EX_RUNDOWN_REF RundownProtect; | 5.1 and higher |
0xB0 | | PVOID VdmObjects; | 10.0 and higher |
0xB0 (3.10); 0x94 (3.50 to 4.0); 0x9C (5.0); 0x84 (5.1 to early 5.2); 0x94 (late 5.2); 0x9C (6.0); 0xB4 | 0xD8 (late 5.2); 0xE0 (6.0); 0x0180 (6.1); 0x02E0 (6.2 to 6.3); 0x02E8 | PVOID UniqueProcessId; | all |
0xB4 (3.10); 0x98 (3.50 to 4.0); 0xA0 (5.0); 0x88 (5.1 to early 5.2); 0x98 (late 5.2); 0xA0 (6.0); 0xB8 | 0xE0 (late 5.2); 0xE8 (6.0); 0x0188 (6.1); 0x02E8 (6.2 to 6.3); 0x02F0 | LIST_ENTRY ActiveProcessLinks; | all |
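Because these offsets shift from build to build, any code that reads an EPROCESS from outside the kernel (a driver, a debugger extension, a memory-forensics tool) has to select its offsets for the build in front of it and treat every pointer it follows as untrusted. The following C program is an added example written for this page, not code from the page or from Windows. It keeps the x64 offsets of UniqueProcessId and ActiveProcessLinks from the table above, and of ImageFileName from the table further down (an array of 0x10 bytes through version 6.0 and of 0x0F from 6.1), in a per-version table; builds a small constructed memory image in which three made-up processes are linked through ActiveProcessLinks to a PsActiveProcessHead; and walks the list with bounds-checked reads. The kernel address, the PIDs and the process names are invented, the host is assumed little-endian, and the sample image assumes the kernel always leaves a terminating NUL in ImageFileName (the walker copies only the array regardless).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* x64 offsets from the tables on this page. A reader of EPROCESS must pick the
 * row for the build it is looking at: a row from any other build reads garbage. */
struct eprocess_layout {
    const char *version;          /* version label as used on this page */
    size_t size;                  /* sizeof(EPROCESS) */
    size_t unique_process_id;     /* PVOID UniqueProcessId */
    size_t active_process_links;  /* LIST_ENTRY ActiveProcessLinks */
    size_t image_file_name;       /* UCHAR ImageFileName [n] */
    size_t image_file_name_size;  /* n: 0x10 through 6.0, 0x0F from 6.1 */
};
static const struct eprocess_layout layouts_x64[] = {
    { "late 5.2", 0x03E0, 0x00D8, 0x00E0, 0x0268, 0x10 },
    { "6.0",      0x03E8, 0x00E0, 0x00E8, 0x0238, 0x10 },
    { "6.1",      0x04D0, 0x0180, 0x0188, 0x02E0, 0x0F },
    { "6.2",      0x0660, 0x02E0, 0x02E8, 0x0438, 0x0F },
    { "6.3",      0x06B8, 0x02E0, 0x02E8, 0x0438, 0x0F },
    { "10.0",     0x0798, 0x02E8, 0x02F0, 0x0448, 0x0F },
};

const struct eprocess_layout *find_layout_x64(const char *version)
{
    for (size_t i = 0; i < sizeof layouts_x64 / sizeof layouts_x64[0]; i++)
        if (strcmp(layouts_x64[i].version, version) == 0)
            return &layouts_x64[i];
    return NULL;                  /* unknown build: refuse rather than guess */
}

/* A captured memory image: the bytes and the virtual address they came from. */
struct image { const uint8_t *mem; size_t len; uint64_t base; };

/* Bounds-checked reads: pointers found in an image are untrusted input, so a
 * corrupted or unlinked list must fail the walk rather than crash the tool. */
static int read_bytes(const struct image *img, uint64_t va, void *dst, size_t n)
{
    if (va < img->base || va - img->base > img->len || n > img->len - (va - img->base))
        return -1;
    memcpy(dst, img->mem + (va - img->base), n);
    return 0;
}
static int read_u64(const struct image *img, uint64_t va, uint64_t *out)
{
    return read_bytes(img, va, out, sizeof *out);   /* little-endian host assumed */
}

struct proc_info { uint64_t pid; char name[17]; };

/* Follow PsActiveProcessHead through each ActiveProcessLinks.Flink back to the head.
 * Flink points at the LIST_ENTRY inside the EPROCESS, so the EPROCESS itself is Flink
 * minus the member's offset (CONTAINING_RECORD in kernel terms). Returns the number
 * of processes, or -1 on a pointer outside the image or a list that never returns. */
int walk_active_processes(const struct image *img, const struct eprocess_layout *L,
                          uint64_t head_va, struct proc_info *out, size_t max)
{
    uint64_t link;
    size_t n = 0;
    if (read_u64(img, head_va, &link)) return -1;
    while (link != head_va) {
        if (n == max) return -1;
        uint64_t ep = link - L->active_process_links;
        if (read_u64(img, ep + L->unique_process_id, &out[n].pid)) return -1;
        memset(out[n].name, 0, sizeof out[n].name);   /* the array need not be NUL-terminated */
        if (read_bytes(img, ep + L->image_file_name, out[n].name, L->image_file_name_size)) return -1;
        out[n].name[L->image_file_name_size] = '\0';
        n++;
        if (read_u64(img, link, &link)) return -1;    /* Flink is the first field of LIST_ENTRY */
    }
    return (int)n;
}

static void put_u64(uint8_t *p, uint64_t v) { memcpy(p, &v, sizeof v); }

/* Constructed sample (kernel address, PIDs and names are made up): three EPROCESS
 * blocks and a list head laid out per the chosen version, then walked. */
int demo_walk(const char *version, struct proc_info *out, size_t max)
{
    static const struct { uint64_t pid; const char *name; } sample[3] = {
        { 4, "System" }, { 340, "smss.exe" }, { 2100, "SearchIndexer.exe" },
    };
    const struct eprocess_layout *L = find_layout_x64(version);
    if (!L) return -1;
    const uint64_t base = 0xFFFFFA8001000000ULL;
    size_t len = 3 * L->size + 16;                 /* + LIST_ENTRY PsActiveProcessHead */
    uint8_t *mem = calloc(len, 1);
    if (!mem) return -1;
    uint64_t head_va = base + 3 * L->size;
    for (size_t i = 0; i < 3; i++) {
        uint8_t *ep = mem + i * L->size;
        uint64_t prev = i == 0 ? head_va : base + (i - 1) * L->size + L->active_process_links;
        uint64_t next = i == 2 ? head_va : base + (i + 1) * L->size + L->active_process_links;
        put_u64(ep + L->unique_process_id, sample[i].pid);
        /* assumes the kernel always leaves a terminating NUL in ImageFileName */
        size_t k = strlen(sample[i].name), cap = L->image_file_name_size - 1;
        memcpy((char *)ep + L->image_file_name, sample[i].name, k < cap ? k : cap);
        put_u64(ep + L->active_process_links, next);      /* Flink */
        put_u64(ep + L->active_process_links + 8, prev);  /* Blink */
    }
    put_u64(mem + 3 * L->size, base + L->active_process_links);                   /* head.Flink */
    put_u64(mem + 3 * L->size + 8, base + 2 * L->size + L->active_process_links); /* head.Blink */
    struct image img = { mem, len, base };
    int n = walk_active_processes(&img, L, head_va, out, max);
    free(mem);
    return n;
}

int main(void)
{
    struct proc_info p[8];
    int n = demo_walk("6.1", p, 8);
    for (int i = 0; i < n; i++) printf("pid %5llu  %s\n", (unsigned long long)p[i].pid, p[i].name);
    return n < 0;
}
```

Walking the 6.1 layout yields the third name as SearchIndexer. rather than SearchIndexer.exe: from 6.1 the array holds 15 bytes, so anything keyed on ImageFileName sees truncated names. Asking for a version that has no x64 row, or giving the walker fewer slots than the list has entries, fails the walk instead of reading past the image, which is the behaviour a tool needs when a list has been tampered with.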

Two sets of bit fields that Windows XP and Windows Vista introduced towards what was then the end of the structure were moved near to the front for Windows 8. Perhaps not coincidentally, Windows 8 is the version that brings all 64 bits of the two sets into use. More flags were added soon after, but again near the end of the structure.

Offset (x86) Offset (x64) Definition Versions Remarks
0xC0 0x02F8 (6.2 to 6.3);
0x0300
union {
    ULONG Flags2;
    struct {
        /*  bit fields, follow link  */
    };
};
6.2 and higher previously at 0x026C and 0x043C
0xC4 0x02FC (6.2 to 6.3);
0x0304
union {
    ULONG Flags;
    struct {
        /*  bit fields, follow link  */
    };
};
6.2 and higher previously at 0x0270 and 0x0440
0xC8 0x0308
LARGE_INTEGER CreateTime;
10.0 and higher previously 0xA8 and 0x02D0

There now comes a set of members that track the process’s use of memory from the pools and the paging file. These resources are subject to quotas, but the limits apply to all processes that share a quota block. An EPROCESS_QUOTA_BLOCK has the limits and tracks the use, both current and peak, by all the applicable processes. The corresponding members here in the EPROCESS track just the current and peak use by just the one process. For no reason yet known, the process’s pointer to its quota block, i.e., the QuotaBlock member, is in almost all versions placed further into the structure.

Each quota block has a spin lock, named QuotaLock, that guards both the quota block’s members and these members here in the EPROCESS. All versions except 3.10 have a default quota block in the kernel’s data. Its spin lock also guards the process’s QuotaBlock pointer. Version 3.10 instead provides its own spin lock in the EPROCESS. Microsoft’s name for it is not known, but the sharing of names such as QuotaPoolUsage between the EPROCESS and the EPROCESS_QUOTA_BLOCK speaks strongly for QuotaLock.

Offset (x86) Offset (x64) Definition Versions Remarks
0xBC (3.10)  
KSPIN_LOCK QuotaLock;
3.10 only  
0xC0 (3.10)   unknown KSPIN_LOCK 3.10 only  
0xC4 (3.10);
0xA0 (3.50 to 4.0);
0xA8 (5.0)
ULONG QuotaPeakPoolUsage [2];
3.10 to 5.0 next as QuotaPeak at 0x9C
0xCC (3.10);
0xA8 (3.50 to 4.0);
0xB0 (5.0)
0x90 (5.1 to early 5.2);
0xA0 (late 5.2);
0xA8 (6.0);
0xC0 (6.1);
0xC8 (6.2 to 6.3);
0xD0
 
ULONG QuotaPoolUsage [2];
3.10 to 5.0  
0xF0 (late 5.2);
0xF8 (6.0);
0x0198 (6.1);
0x0300 (6.2 to 6.3);
0x0310
ULONG_PTR QuotaUsage [3];
5.1 to 6.0  
ULONG_PTR ProcessQuotaUsage [2];
6.1 and higher  
0x9C (5.1 to early 5.2);
0xAC (late 5.2);
0xB4 (6.0);
0xC8 (6.1);
0xD0 (6.2 to 6.3);
0xD8
0x0108 (late 5.2);
0x0110 (6.0); 
0x01A8 (6.1);
0x0310 (6.2 to 6.3);
0x0320
ULONG_PTR QuotaPeak [3];
5.1 to 6.0 previously QuotaPeakPoolUsage at 0xA8
ULONG_PTR ProcessQuotaPeak [2];
6.1 and higher  
0xD4 (3.10);
0xB0 (3.50 to 4.0);
0xB8 (5.0)
 
ULONG PagefileUsage;
3.10 to 5.0 next in QuotaPeak at 0x9C
0xD8 (3.10);
0xB4 (3.50 to 4.0);
0xBC (5.0);
0xA8 (5.1 to early 5.2);
0xB8 (late 5.2);
0xC0 (6.0);
0xD0 (6.1)
0x0120 (late 5.2);
0x0128 (6.0);
0x01B8 (6.1)
ULONG_PTR CommitCharge;
3.10 to 5.2  
ULONG_PTR volatile CommitCharge;
6.0 to 6.1  
0xDC (3.10);
0xB8 (3.50 to 4.0);
0xC0 (5.0)
 
ULONG PeakPagefileUsage;
3.10 to 5.0 next in QuotaUsage at 0x90
0xD4 (6.1) 0x01C0 (6.1)
EPROCESS_QUOTA_BLOCK *QuotaBlock;
6.1 only  
0xD8 (6.1) 0x01C8 (6.1)
PS_CPU_QUOTA_BLOCK *CpuQuotaBlock;
6.1 only  

The PagefileUsage, CommitCharge and PeakPagefileUsage members count pages. The others count bytes.

The precise arrangement of the various members for current and peak use of the non-paged and paged pools and of the pagefile has varied with the EPROCESS_QUOTA_BLOCK implementation. Version 5.1 brought the pools and the pagefile together under a PS_QUOTA_TYPE enumeration that indexes the QuotaUsage and QuotaPeak arrays, which thus absorb what had been PagefileUsage and PeakPagefileUsage.

All the statistical members in the preceding set are retrievable through either or both of two native API functions in all versions: as members of VM_COUNTERS, as filled by the ProcessVmCounters (0x03) case of the NtQueryInformationProcess function; as members of SYSTEM_PROCESS_INFORMATION, as filled by the SystemProcessInformation (0x05) case of the NtQuerySystemInformation function. For the latter, what is here called the CommitCharge is there called the PrivatePageCount—and in the VM_COUNTERS_EX, which is supported in version 5.1 and higher, it is named PrivateUsage.

Offset (x86) | Definition | Versions | Remarks
0xE0 (3.10) | LARGE_INTEGER ReadTransferCount; | 3.10 only | next at 0x0250 (5.0)
0xE8 (3.10) | LARGE_INTEGER WriteTransferCount; | 3.10 only | next at 0x0258 (5.0)
0xF0 (3.10) | LARGE_INTEGER OtherTransferCount; | 3.10 only | next at 0x0260 (5.0)
0xF8 (3.10) | ULONG ReadOperationCount; | 3.10 only | next as LARGE_INTEGER at 0x0238 (5.0)
0xFC (3.10) | ULONG WriteOperationCount; | 3.10 only | next as LARGE_INTEGER at 0x0240 (5.0)
0x0100 (3.10) | ULONG OtherOperationCount; | 3.10 only | next as LARGE_INTEGER at 0x0248 (5.0)

Perhaps because they are also retrievable in the SYSTEM_PROCESS_INFORMATION, this area of statistical members also has the original counters of I/O operations and the bytes these transferred. The original implementation’s allowance of only 32 bits for counting the operations soon became problematic. Indeed, these counters disappear from the EPROCESS until version 5.0 brings them back, all 64 bits wide.

In version 3.10, these I/O counters are retrievable through either or both of two native API functions: as members of IO_COUNTERS, as filled by the ProcessIoCounters (0x02) case of the NtQueryInformationProcess function; and as members of SYSTEM_PROCESS_INFORMATION. They are in version 5.0 and higher, too. In the intervening versions, the corresponding members of the SYSTEM_PROCESS_INFORMATION are unused or repurposed, and the ProcessIoCounters case is failed immediately as being not implemented. The NTDDK.H from the DDK for both Windows NT 3.51 and 4.0 presents a C-language definition of the original IO_COUNTERS structure, with 32-bit operation counts, as output from ProcessIoCounters, though trying to get that output can only have been a waste of time.

Offset (x86) | Offset (x64) | Definition | Versions
0x0104 (3.10); 0xBC (3.50 to 4.0); 0xC4 (5.0); 0xAC (5.1 to early 5.2); 0xBC (late 5.2); 0xC4 (6.0); 0xDC (6.1); 0xD8 (6.2 to 6.3); 0xE0 | 0x0128 (late 5.2); 0x0130 (6.0); 0x01D0 (6.1); 0x0320 (6.2 to 6.3); 0x0330 | ULONG_PTR PeakVirtualSize; | all
0x0108 (3.10); 0xC0 (3.50 to 4.0); 0xC8 (5.0); 0xB0 (5.1 to early 5.2); 0xC0 (late 5.2); 0xC8 (6.0); 0xE0 (6.1); 0xDC (6.2 to 6.3); 0xE4 | 0x0130 (late 5.2); 0x0138 (6.0); 0x01D8 (6.1); 0x0328 (6.2 to 6.3); 0x0338 | ULONG_PTR VirtualSize; | all

The PeakVirtualSize and VirtualSize count pages. In all versions, conversions to bytes are retrievable as identically named members of the VM_COUNTERS structure that is filled by the ProcessVmCounters (0x03) case of the NtQueryInformationProcess function.

All versions 3.10 to 5.0 have four bytes of unused alignment space before the next member, which has 8-byte alignment before version 6.0.

Offset (x86) Offset (x64) Definition Versions Remarks
0x0110 (3.10);
0xC8 (3.50 to 4.0);
0xD0 (5.0)
 
MMSUPPORT Vm;
3.10 to 5.0 next at 0x01F8
0x0140 (3.10);
0xF8 (3.50 to 4.0)
 
<unknown-type> LastProtoPteFault;
3.10 to 4.0  
0x0118 (5.0);
0xB4 (5.1 to early 5.2);
0xC4 (late 5.2);
0xCC (6.0);
0xE4 (6.1);
0xE0 (6.2 to 6.3);
0xE8
0x0138 (late 5.2);
0x0140 (6.0);
0x01E0 (6.1);
0x0330 (6.2 to 6.3);
0x0340
LIST_ENTRY SessionProcessLinks;
5.0 and higher  
0x0144 (3.10);
0xFC (3.50 to 4.0);
0x0120 (5.0);
0xBC (5.1 to early 5.2);
0xCC (late 5.2);
0xD4 (6.0);
0xEC (6.1)
0x0148 (late 5.2);
0x0150 (6.0);
0x01F0 (6.1)
PVOID DebugPort;
3.10 to 6.1  
0x0148 (3.10);
0x0100 (3.50 to 4.0);
0x0124 (5.0);
0xC0 (5.1 to early 5.2);
0xD0 (late 5.2);
0xD8 (6.0);
0xF0 (6.1);
0xE8 (6.2 to 6.3);
0xF0
0x0150 (late 5.2);
0x0158 (6.0);
0x01F8 (6.1);
0x0340 (6.2 to 6.3);
0x0350
PVOID ExceptionPort;
3.10 to 5.2  
union {
    PVOID ExceptionPortData;
    ULONG_PTR ExceptionPortValue;
    ULONG_PTR ExceptionPortState : 3;
};
6.0 and higher  
0x014C (3.10);
0x0104 (3.50 to 4.0);
0x0128 (5.0);
0xC4 (5.1 to early 5.2);
0xD4 (late 5.2);
0xDC (6.0);
0xF4 (6.1)
0x0158 (late 5.2);
0x0160 (6.0);
0x0200 (6.1)
HANDLE_TABLE *ObjectTable;
3.10 to 6.1  
0x0150 (3.10);
0x0108 (3.50 to 4.0);
0x012C (5.0);
0xC8 (5.1 to early 5.2);
0xD8 (late 5.2);
0xE0 (6.0);
0xF8 (6.1);
0xEC (6.2 to 6.3);
0xF4
0x0160 (late 5.2);
0x0168 (6.0);
0x0208 (6.1);
0x0348 (6.2 to 6.3);
0x0358
PVOID Token;
3.10 to 5.0  
EX_FAST_REF Token;
5.1 and higher  
0x0154 (3.10);
0x010C (3.50 to 4.0);
0x0130 (5.0);
0xCC (5.1)
 
KMUTANT WorkingSetLock;
3.10 only  
FAST_MUTEX WorkingSetLock;
3.50 to 5.1  
0x0174 (3.10);
0x012C (3.50 to 4.0);
0x0150 (5.0);
0xEC (5.1);
0xCC (early 5.2);
0xDC (late 5.2);
0xE4 (6.0);
0xFC (6.1);
0xF0 (6.2 to 6.3);
0xF8
0x0168 (late 5.2);
0x0170 (6.0);
0x0210 (6.1);
0x0350 (6.2 to 6.3);
0x0360
ULONG_PTR WorkingSetPage;
3.10 and higher  

There is a plan to write something here.
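From version 5.1 the Token member is an EX_FAST_REF rather than a plain pointer, as is PrefetchTrace further on. The point for anyone reading these members, whether from a driver or from a memory image, is that the value is not the TOKEN pointer: its low bits carry a count of cached references and must be masked off before the pointer is used or compared. The following C code is an added example written for this page, not kernel code and not from the page. It assumes, as this page does not state, that the count occupies the 3 low bits on x86 and the 4 low bits on x64, and its model of taking and returning a fast reference is my reading of the kernel’s protocol, reduced to a single thread where the kernel uses an interlocked compare-exchange. The raw values are made up.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Count bits below the object pointer: assumed 3 on x86, 4 on x64. */
static uint64_t count_mask(int pointer_bits) { return pointer_bits == 64 ? 0xF : 0x7; }

/* The object pointer held in a raw EX_FAST_REF value (e.g. EPROCESS.Token). */
uint64_t ex_fast_ref_object(uint64_t raw, int pointer_bits)
{
    return raw & ~count_mask(pointer_bits);
}

/* The cached reference count held in the low bits. */
unsigned ex_fast_ref_count(uint64_t raw, int pointer_bits)
{
    return (unsigned)(raw & count_mask(pointer_bits));
}

/* Two raw values name the same object iff they agree after masking; comparing
 * them raw gives false negatives whenever the cached counts happen to differ. */
bool ex_fast_ref_same_object(uint64_t a, uint64_t b, int pointer_bits)
{
    return ex_fast_ref_object(a, pointer_bits) == ex_fast_ref_object(b, pointer_bits);
}

/* Model of taking a fast reference: consume one cached count and hand out the
 * object. With no cached count left (or an empty slot) the caller must take the
 * slow path and reference the object itself. */
bool ex_fast_reference(uint64_t *slot, int pointer_bits, uint64_t *object_out)
{
    *object_out = ex_fast_ref_object(*slot, pointer_bits);
    if (*object_out == 0 || ex_fast_ref_count(*slot, pointer_bits) == 0)
        return false;
    *slot -= 1;                     /* count > 0, so the pointer bits are untouched */
    return true;
}

/* Model of returning a fast reference: give the count back, unless the slot now
 * holds a different object or the count bits are already all set. */
bool ex_fast_dereference(uint64_t *slot, int pointer_bits, uint64_t object)
{
    if (ex_fast_ref_object(*slot, pointer_bits) != object)
        return false;               /* slot was replaced: dereference the object directly */
    if (ex_fast_ref_count(*slot, pointer_bits) == count_mask(pointer_bits))
        return false;               /* no room to cache: dereference the object directly */
    *slot += 1;
    return true;
}

int main(void)
{
    uint64_t token = 0xFFFFF8A0001230E7ULL;   /* made-up raw Token value from an x64 image */
    printf("object %#llx, cached references %u\n",
           (unsigned long long)ex_fast_ref_object(token, 64), ex_fast_ref_count(token, 64));
    return 0;
}
```

The masking is the part that matters when reading the member: a raw Token value compared against another raw value, or handed to anything expecting an object pointer, is wrong by up to 15 bytes on x64.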

Offset (x86) Offset (x64) Definition Versions
0x0178 (3.10);
0x0130 (3.50 to 4.0);
0x0154 (5.0)
 
BOOLEAN ProcessOutswapEnabled;
3.10 to 5.0
0x0179 (3.10);
0x0131 (3.50 to 4.0);
0x0155 (5.0)
 
BOOLEAN ProcessOutswapped;
3.10 to 5.0
0x017A (3.10);
0x0132 (3.50 to 4.0);
0x0156 (5.0)
 
BOOLEAN AddressSpaceInitialized;
3.10 to 5.0
0x017B (3.10);
0x0133 (3.50 to 4.0);
0x0157 (5.0)
 
BOOLEAN AddressSpaceDeleted;
3.10 to 5.0
0x017C (3.10);
0x0134 (3.50 to 4.0);
0x0158 (5.0);
0xF0 (5.1);
0xD0 (early 5.2);
0xE0 (late 5.2);
0xE8 (6.0);
0x0100 (6.1);
0xF4 (6.2 to 6.3);
0xFC
 
KEVENT AddressCreationLock;
3.10 only
 
FAST_MUTEX AddressCreationLock;
3.50 to 5.1
0x0170 (late 5.2);
0x0178 (6.0);
0x0218 (6.1);
0x0358 (6.2 to 6.3);
0x0368
KGUARDED_MUTEX AddressCreationLock;
5.2 only
EX_PUSH_LOCK AddressCreationLock;
6.0 and higher
0x0154 (3.51 to 4.0);
0x0178 (5.0);
0x0110 (5.1);
0xF0 (early 5.2);
0x0100 (late 5.2)
0x01A8 (late 5.2)
KSPIN_LOCK HyperSpaceLock;
3.51 to 5.2
0xF8 (6.3);
0x0100
0x0360 (6.2 to 6.3);
0x0370
EX_PUSH_LOCK PageTableCommitmentLock;
6.3 and higher
0xEC (6.0);
0x0104 (6.1);
0xF8 (6.2);
0xFC (6.3);
0x0104
0x0180 (6.0);
0x0220 (6.1);
0x0360 (6.2);
0x0368 (6.2 to 6.3);
0x0378
ETHREAD *RotateInProgress;
6.0 and higher
0x018C (3.10);
0x0158 (4.0);
0x017C (5.0);
0x0114 (5.1);
0xF4 (early 5.2);
0x0104 (late 5.2);
0xF0 (6.0);
0x0108 (6.1);
0xFC (6.2);
0x0100 (6.3);
0x0108
0x01B0 (late 5.2);
0x0188 (6.0);
0x0228 (6.1);
0x0368 (6.2);
0x0370 (6.2 to 6.3);
0x0380
ETHREAD *ForkInProgress;
all

There is a plan to write something here.

Offset (x86) | Definition | Versions | Remarks
0x015C (4.0); 0x0180 (5.0) | USHORT VmOperation; | 4.0 to 5.0 |
0x015E (4.0); 0x0182 (5.0) | BOOLEAN ForkWasSuccessful; | 4.0 to 5.0 |
0x015F (4.0); 0x0183 (5.0) | UCHAR MmAgressiveWsTrimMask; | 4.0 to 5.0 |
0x0160 (4.0); 0x0184 (5.0) | KEVENT *VmOperationEvent; | 4.0 to 5.0 |
0x0198 (3.10); 0x0164 (3.50 to 4.0) | PVOID PageDirectoryPte; | 3.10 to 4.0 | next at 0x01F0
0x0188 (5.0) | PVOID PaeTop; | 5.0 only |
0x0168 (4.0); 0x018C (5.0) | ULONG LastFaultCount; | 4.0 to 5.0 |
0x01A0 (3.10); 0x016C (4.0); 0x0190 (5.0) | ULONG ModifiedPageCount; | 3.10 to 5.0 |

There is a plan to write something here.

Offset (x86) Offset (x64) Definition Versions
0x0118 (5.1);
0xF8 (early 5.2);
0x0108 (late 5.2);
0xF4 (6.0);
0x010C (6.1);
0x0100 (6.2)
0x01B8 (late 5.2);
0x0190 (6.0);
0x0230 (6.1);
0x0370 (6.2)
ULONG_PTR HardwareTrigger;
5.1 to 6.2
0x01A4 (3.10);
0x0170 (3.50 to 4.0);
0x0194 (5.0);
0x011C (5.1)
 
PVOID VadRoot;
3.10 to 5.1
0x0174 (4.0);
0x0198 (5.0);
0x0120 (5.1)
 
PVOID VadHint;
4.0 to 5.1
0xFC (early 5.2);
0x010C (late 5.2);
0xF8 (6.0);
0x0110 (6.1)
0x01C0 (late 5.2);
0x0198 (6.0);
0x0238 (6.1)
MM_AVL_TABLE *PhysicalVadRoot;
5.2 to 6.1
0x0104 (6.2 to 6.3);
0x010C
0x0378 (6.2 to 6.3);
0x0388
EJOB *CommitChargeJob;
6.2 and higher
0x0178 (4.0);
0x019C (5.0);
0x0124 (5.1);
0x0100 (early 5.2);
0x0110 (late 5.2);
0xFC (6.0);
0x0114 (6.1);
0x0108 (6.2 to 6.3);
0x0110
0x01C8 (late 5.2);
0x01A0 (6.0);
0x0240 (6.1);
0x0380 (6.2 to 6.3);
0x0390
PVOID CloneRoot;
4.0 to 6.2
RTL_AVL_TREE CloneRoot;
6.3 and higher
0x01B0 (3.10);
0x017C (4.0);
0x01A0 (5.0);
0x0128 (5.1);
0x0104 (early 5.2);
0x0114 (late 5.2);
0x0100 (6.0);
0x0118 (6.1);
0x010C (6.2 to 6.3);
0x0114
0x01D0 (late 5.2);
0x01A8 (6.0);
0x0248 (6.1);
0x0388 (6.2 to 6.3);
0x0398
ULONG_PTR NumberOfPrivatePages;
3.10 to 5.2
ULONG_PTR volatile NumberOfPrivatePages;
6.0 and higher
0x0180 (4.0);
0x01A4 (5.0);
0x012C (5.1);
0x0108 (early 5.2);
0x0118 (late 5.2);
0x0104 (6.0);
0x011C (6.1);
0x0110 (6.2 to 6.3);
0x0118
0x01D8 (late 5.2);
0x01B0 (6.0);
0x0250 (6.1);
0x0390 (6.2 to 6.3);
0x03A0
ULONG_PTR NumberOfLockedPages;
4.0 to 5.2
ULONG_PTR volatile NumberOfLockedPages;
6.0 and higher
0x0184 (3.51 to 4.0);
0x01A8 (5.0)
 
USHORT NextPageColor;
3.51 to 5.0
0x0185 (3.50)  
UCHAR NextPageColor;
3.50 only
0x0186 (4.0);
0x01AA (5.0)
 
BOOLEAN ExitProcessCalled;
4.0 to 5.0
0x01BB (3.10);
0x0187 (3.50 to 4.0);
0x01AB (5.0)
 
BOOLEAN CreateProcessReported;
3.10 to 5.0
0x0130 (5.1);
0x010C (early 5.2);
0x011C (late 5.2);
0x0108 (6.0);
0x0120 (6.1);
0x0114 (6.2 to 6.3);
0x011C
0x01E0 (late 5.2);
0x01B8 (6.0);
0x0258 (6.1);
0x0398 (6.2 to 6.3);
0x03A8
PVOID Win32Process;
5.1 and higher
0x0134 (5.1);
0x0110 (early 5.2);
0x0120 (late 5.2);
0x010C (6.0);
0x0124 (6.1);
0x0118 (6.2 to 6.3);
0x0120
0x01E8 (late 5.2);
0x01C0 (6.0);
0x0260 (6.1);
0x03A0 (6.2 to 6.3);
0x03B0
EJOB *Job;
5.1 and higher
0x01BC (3.10);
0x0188 (3.50 to 4.0);
0x01AC (5.0);
0x0138 (5.1);
0x0114 (early 5.2);
0x0124 (late 5.2);
0x0110 (6.0);
0x0128 (6.1);
0x011C (6.2 to 6.3);
0x0124
0x01F0 (late 5.2);
0x01C8 (6.0);
0x0268 (6.1);
0x03A8 (6.2 to 6.3);
0x03B8
HANDLE SectionHandle;
3.10 to 5.0
PVOID SectionObject;
5.1 and higher
0x01C0 (3.10);
0x018C (3.50 to 4.0);
0x01B0 (5.0)
 
PEB *Peb;
3.10 to 5.0
0x01C4 (3.10);
0x0190 (3.50 to 4.0);
0x01B4 (5.0);
0x013C (5.1);
0x0118 (early 5.2);
0x0128 (late 5.2);
0x0114 (6.0);
0x012C (6.1);
0x0120 (6.2 to 6.3);
0x0128
0x01F8 (late 5.2);
0x01D0 (6.0);
0x0270 (6.1);
0x03B0 (6.2 to 6.3);
0x03C0
PVOID SectionBaseAddress;
3.10 and higher
0x01E0 (3.10);
0x0194 (3.50 to 4.0);
0x01B8 (5.0);
0x0140 (5.1);
0x011C (early 5.2);
0x012C (late 5.2);
0x0118 (6.0)
0x0200 (late 5.2);
0x01D8 (6.0)
EPROCESS_QUOTA_BLOCK *QuotaBlock;
3.10 to 6.0
0x0130 (6.1);
0x0124 (6.2 to 6.3);
0x012C
0x0278 (6.1);
0x03B8 (6.2 to 6.3);
0x03C8
ULONG Cookie;
6.1 and higher
0x0134 (6.1) 0x027C (6.1)
ULONG Spare8;
6.1 only (x86)
ULONG UmsScheduledThreads;
6.1 only (x64)
0x0128 (6.2 to 6.3)  
PVOID VdmObjects;
6.2 to 6.3
0x0198 (4.0);
0x01BC (5.0)
 
LONG LastThreadExitStatus;
4.0 to 5.0

There is a plan to write something here.

Offset (x86) Offset (x64) Definition Versions Remarks
0x01E8 (3.10);
0x019C (3.50 to 4.0);
0x01C0 (5.0);
0x0144 (5.1);
0x0120 (early 5.2);
0x0130 (late 5.2);
0x011C (6.0);
0x0138 (6.1);
0x012C (6.2 to 6.3);
0x0130
0x0208 (late 5.2);
0x01E0 (6.0);
0x0280 (6.1);
0x03C0 (6.2 to 6.3);
0x03D0
PAGEFAULT_HISTORY *WorkingSetWatch;
3.10 and higher  
0x01A0 (4.0);
0x01C4 (5.0);
0x0148 (5.1);
0x0124 (early 5.2);
0x0134 (late 5.2);
0x0120 (6.0);
0x013C (6.1);
0x0130 (6.2 to 6.3);
0x0134
0x0210 (late 5.2);
0x01E8 (6.0);
0x0288 (6.1);
0x03C8 (6.2 to 6.3);
0x03D8
PVOID Win32WindowStation;
4.0 and higher  
0x01F0 (3.10);
0x01A4 (3.50 to 4.0);
0x01C8 (5.0);
0x014C (5.1);
0x0128 (early 5.2);
0x0138 (late 5.2);
0x0124 (6.0);
0x0140 (6.1);
0x0134 (6.2 to 6.3);
0x0138
0x0218 (late 5.2);
0x01F0 (6.0);
0x0290 (6.1);
0x03D0 (6.2 to 6.3);
0x03E0
PVOID InheritedFromUniqueProcessId;
all  
0x01F4 (3.10);
0x01A8 (3.51 to 4.0);
0x01CC (5.0)
 
ULONG GrantedAccess;
3.10 to 5.0  
0x01F8 (3.10);
0x01AC (3.50 to 4.0);
0x01D0 (5.0)
 
ULONG DefaultHardErrorProcessing;
3.10 to 5.0  
0x01FC (3.10);
0x01B0 (3.50 to 4.0);
0x01D4 (5.0);
0x0150 (5.1);
0x012C (early 5.2);
0x013C (late 5.2);
0x0128 (6.0);
0x0144 (6.1);
0x0138 (6.2 to 6.3);
0x013C
0x0220 (late 5.2);
0x01F8 (6.0);
0x0298 (6.1);
0x03D8 (6.2 to 6.3);
0x03E8
PVOID LdtInformation;
all  
0x01B4 (4.0);
0x01D8 (5.0);
0x0154 (5.1);
0x0130 (early 5.2);
0x0140 (late 5.2);
0x012C (6.0)
0x0228 (late 5.2);
0x0200 (6.0)
PVOID VadFreeHint;
4.0 to early 6.0  
PVOID Spare;
late 6.0 only  
0x0204 (3.10);
0x01B8 (3.50 to 4.0);
0x01DC (5.0);
0x0158 (5.1);
0x0134 (early 5.2);
0x0144 (late 5.2);
0x0130 (6.0);
0x0148 (6.1)
0x0230 (late 5.2);
0x0208 (6.0);
0x02A0 (6.1)
PVOID VdmObjects;
3.10 to 6.1 (x86);
5.2 to 6.0 (x64)
 
PVOID Spare;
6.1 only (x64)  
0x0208 (3.10);
0x01BC (3.50 to 4.0)
 
KMUTANT ProcessMutant;
3.10 to 4.0  
0x014C (6.1);
0x013C (6.2 to 6.3);
0x0140
0x02A8 (6.1);
0x03E0 (6.2 to 6.3);
0x03F0
ULONG_PTR ConsoleHostProcess;
6.1 only  
union {
    EPROCESS *CreatorProcess;
    ULONG_PTR ConsoleHostProcess;
};
6.2 only  
ULONG_PTR volatile OwnerProcessId;
6.3 and higher  
0x0140 (6.2 to 6.3);
0x0144
0x03E8 (6.2 to 6.3);
0x03F8
PEB *Peb;
6.2 and higher  
0x0144 (6.2 to 6.3);
0x0148
0x03F0 (6.2 to 6.3);
0x0400
PVOID Session;
6.2 and higher  
0x0148 (6.2 to 6.3);
0x014C
0x03F8 (6.2 to 6.3);
0x0408
PVOID AweInfo;
6.2 and higher  
0x014C (6.2 to 6.3);
0x0150
0x0400 (6.2 to 6.3);
0x0410
EPROCESS_QUOTA_BLOCK *QuotaBlock;
6.2 and higher  
0x0150 (6.2 to 6.3);
0x0154
0x0408 (6.2 to 6.3);
0x0418
HANDLE_TABLE *ObjectTable;
6.2 and higher  
0x0154 (6.2 to 6.3);
0x0158
0x0410 (6.2 to 6.3);
0x0420
PVOID DebugPort;
6.2 and higher  
0x0158 (6.2 to 6.3);
0x015C
 
PVOID PaeTop;
6.2 and higher  
  0x0418 (6.2 to 6.3);
0x0428
PVOID Wow64Process;
6.2 and higher  
0x01E0 (5.0);
0x015C (5.1);
0x0138 (early 5.2);
0x0148 (late 5.2);
0x0134 (6.0);
0x0150 (6.1);
0x015C (6.2 to 6.3);
0x0160
0x0238 (late 5.2);
0x0210 (6.0);
0x02B0 (6.1);
0x0420 (6.2 to 6.3);
0x0430
PVOID DeviceMap;
5.0 and higher  
0x01E4 (5.0)  
ULONG SessionId;
5.0 only  
0x01E8 (5.0);
0x0160 (5.1);
0x013C (early 5.2);
0x014C (late 5.2)
 
LIST_ENTRY PhysicalVadList;
5.0 to 5.1  
0x0240 (late 5.2)
PVOID Spare0 [3];
5.2 only  
0x0138 (6.0);
0x0154 (6.1);
0x0160 (6.2 to 6.3);
0x0164
0x0218 (6.0);
0x02B8 (6.1);
0x0428 (6.2 to 6.3);
0x0438
PVOID EtwDataSource;
6.0 and higher  
0x013C (6.0);
0x0158 (6.1)
0x0220 (6.0);
0x02C0 (6.1)
PVOID FreeTebHint;
6.0 to 6.1  
  0x02C8 (6.1)
PVOID FreeUmsTebHint;
6.1 only  
0x01F0 (5.0);
0x0168 (5.1);
0x0148 (early 5.2);
0x0158 (late 5.2);
0x0140 (6.0);
0x0160 (6.1);
0x0168
0x0258 (late 5.2);
0x0228 (6.0);
0x02D0 (6.1);
0x0430 (6.2 to 6.3);
0x0440
union {
    #ifdef _WIN64
    HARDWARE_PTE PageDirectoryPte;
    #else
    HARDWARE_PTE_X86PAE PageDirectoryPte;
    #endif
    ULONGLONG Filler;
};
5.0 to 6.1 previously 0x0164
ULONGLONG PageDirectoryPte;
6.2 and higher  
0x01F8 (5.0)  
ULONG PaePageDirectoryPage;
5.0 only  
0x0170 (5.1);
0x0150 (early 5.2);
0x0160 (late 5.2);
0x0148 (6.0);
0x0168 (6.1)
0x0260 (late 5.2);
0x0230 (6.0);
0x02D8 (6.1)
PVOID Session;
5.1 to 6.1  
0x0228 (3.10);
0x01DC (3.50 to 4.0);
0x01FC (5.0);
0x0174 (5.1);
0x0154 (early 5.2);
0x0164 (late 5.2);
0x014C (6.0);
0x016C (6.1);
0x0170
0x0268 (late 5.2);
0x0238 (6.0);
0x02E0 (6.1);
0x0438 (6.2 to 6.3);
0x0448
UCHAR ImageFileName [0x20];
3.10 only  
UCHAR ImageFileName [0x10];
3.50 to 6.0  
UCHAR ImageFileName [0x0F];
6.1 and higher  
0x017B (6.1);
0x017F
0x02EF (6.1);
0x0447 (6.2 to 6.3);
0x0457
UCHAR PriorityClass;
6.1 and higher  

There is a plan to write something here.

Offset (x86) | Definition | Versions | Remarks
0x0248 (3.10); 0x01EC (3.50 to 4.0); 0x020C (5.0) | ULONG VmTrimFaultValue; | 3.10 to 5.0 |
0x01F0 (4.0); 0x0210 (5.0) | BOOLEAN SetTimerResolution; | 4.0 to 5.0 |
0x01F1 (4.0); 0x0211 (5.0) | UCHAR PriorityClass; | 4.0 to 5.0 |
0x01F2 (3.51 to 4.0); 0x0212 (5.0) | union { struct { UCHAR SubSystemMinorVersion; UCHAR SubSystemMajorVersion; }; USHORT SubSystemVersion; }; | 3.51 to 5.0 |
0x01F4 (3.51 to 4.0); 0x0214 (5.0) | PVOID Win32Process; | 3.51 to 5.0 | last member in 3.51 to 4.0
0x0218 (5.0) | EJOB *Job; | 5.0 only |
0x021C (5.0) | ULONG JobStatus; | 5.0 only |

There is a plan to write something here.

Offset (x86) | Offset (x64) | Definition | Versions
0x0180 | 0x0448 (6.2 to 6.3); 0x0458 | PVOID SecurityPort; | 6.2 and higher
0x0184 | 0x0450 (6.2 to 6.3); 0x0460 | SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo; | 6.2 and higher
0x0220 (5.0); 0x0184 (5.1); 0x0164 (early 5.2); 0x0174 (late 5.2); 0x015C (6.0); 0x017C (6.1); 0x0188 | 0x0278 (late 5.2); 0x0248 (6.0); 0x02F0 (6.1); 0x0458 (6.2 to 6.3); 0x0468 | LIST_ENTRY JobLinks; | 5.0 and higher
0x0228 (5.0); 0x018C (5.1); 0x016C (early 5.2); 0x017C (late 5.2); 0x0164 (6.0); 0x0184 (6.1) | 0x0288 (late 5.2); 0x0258 (6.0); 0x0300 (6.1) | PVOID LockedPagesList; | 5.0 to 6.1
0x0190 | 0x0468 (6.2 to 6.3); 0x0478 | PVOID HighestUserAddress; | 6.2 and higher
0x0190 (5.1); 0x0170 (early 5.2); 0x0180 (late 5.2); 0x0168 (6.0); 0x0188 (6.1); 0x0194 | 0x0290 (late 5.2); 0x0260 (6.0); 0x0308 (6.1); 0x0470 (6.2 to 6.3); 0x0480 | LIST_ENTRY ThreadListHead; | 5.1 and higher

There is a plan to write something here.

Offset (x86) | Offset (x64) | Definition | Versions
0x022C (5.0); 0x0198 (5.1); 0x0178 (early 5.2); 0x0188 (late 5.2); 0x0170 (6.0); 0x0190 (6.1) | 0x02A0 (late 5.2); 0x0270 (6.0); 0x0318 (6.1) | PVOID SecurityPort; | 5.0 to 6.1
0x0230 (5.0) | 0x02A8 (late 5.2); 0x0278 (6.0); 0x0320 (6.1) | WOW64_PROCESS *Wow64Process; | 5.0 only (x86); late 5.2 to 6.1 (x64)
0x019C (5.1); 0x017C (early 5.2); 0x018C (late 5.2); 0x0174 (6.0); 0x0194 (6.1) | | PVOID PaeTop; | 5.1 to 6.1

There is a plan to write something here.

Offset (x86) Offset (x64) Definition Versions
0x01A0 (5.1);
0x0180 (early 5.2);
0x0190 (late 5.2);
0x0178 (6.0);
0x0198 (6.1);
0x019C
0x02B0 (late 5.2);
0x0280 (6.0);
0x0328 (6.1);
0x0480 (6.2 to 6.3);
0x0490
ULONG ActiveThreads;
5.1 to 5.2
ULONG volatile ActiveThreads;
6.0 and higher
0x01A4 (5.1);
0x0184 (early 5.2);
0x0194 (late 5.2)
0x02B4 (late 5.2)
ULONG GrantedAccess;
5.1 to 5.2
0x017C (6.0);
0x019C (6.1);
0x01A0
0x0284 (6.0);
0x032C (6.1);
0x0484 (6.2 to 6.3);
0x0494
ULONG ImagePathHash;
6.0 and higher
0x01A8 (5.1);
0x0188 (early 5.2);
0x0198 (late 5.2);
0x0180 (6.0);
0x01A0 (6.1);
0x01A4
0x02B8 (late 5.2);
0x0288 (6.0);
0x0330 (6.1);
0x0488 (6.2 to 6.3);
0x0498
ULONG DefaultHardErrorProcessing;
5.1 and higher
0x01AC (5.1);
0x018C (early 5.2);
0x019C (late 5.2);
0x0184 (6.0);
0x01A4 (6.1);
0x01A8
0x02BC (late 5.2);
0x028C (6.0);
0x0334 (6.1);
0x048C (6.2 to 6.3);
0x049C
LONG LastThreadExitStatus;
5.1 and higher
0x01B0 (5.1);
0x0190 (early 5.2);
0x01A0 (late 5.2);
0x0188 (6.0);
0x01A8 (6.1)
0x02C0 (late 5.2);
0x0290 (6.0);
0x0338 (6.1)
PEB *Peb;
5.1 to 6.1
0x01B4 (5.1);
0x0194 (early 5.2);
0x01A4 (late 5.2);
0x018C (6.0);
0x01AC
0x02C8 (late 5.2);
0x0298 (6.0);
0x0340 (6.1);
0x0490 (6.2 to 6.3);
0x04A0
EX_FAST_REF PrefetchTrace;
5.1 and higher
0x01B0 0x0498 (6.2 to 6.3);
0x04A8
MM_AVL_TABLE *LockedPagesList;
6.2 only
PVOID LockedPagesList;
6.3 and higher

There is a plan to write something here.

Offset (x86) Offset (x64) Definition Versions Remarks
0x0238 (5.0);
0x01B8 (5.1);
0x0198 (early 5.2);
0x01A8 (late 5.2);
0x0190 (6.0);
0x01B0 (6.1);
0x01B8
0x02D0 (late 5.2);
0x02A0 (6.0);
0x0348 (6.1);
0x04A0 (6.2 to 6.3);
0x04B0
LARGE_INTEGER ReadOperationCount;
5.0 and higher previously ULONG at 0xF8 (3.10)
0x0240 (5.0);
0x01C0 (5.1);
0x01A0 (early 5.2);
0x01B0 (late 5.2);
0x0198 (6.0);
0x01B8 (6.1);
0x01C0
0x02D8 (late 5.2);
0x02A8 (6.0);
0x0350 (6.1);
0x04A8 (6.2 to 6.3);
0x04B8
LARGE_INTEGER WriteOperationCount;
5.0 and higher previously ULONG at 0xFC (3.10)
0x0248 (5.0);
0x01C8 (5.1);
0x01A8 (early 5.2);
0x01B8 (late 5.2);
0x01A0 (6.0);
0x01C0 (6.1);
0x01C8
0x02E0 (late 5.2);
0x02B0 (6.0);
0x0358 (6.1);
0x04B0 (6.2 to 6.3);
0x04C0
LARGE_INTEGER OtherOperationCount;
5.0 and higher previously ULONG at 0x0100 (3.10)
0x0250 (5.0);
0x01D0 (5.1);
0x01B0 (early 5.2);
0x01C0 (late 5.2);
0x01A8 (6.0);
0x01C8 (6.1);
0x01D0
0x02E8 (late 5.2);
0x02B8 (6.0);
0x0360 (6.1);
0x04B8 (6.2 to 6.3);
0x04C8
LARGE_INTEGER ReadTransferCount;
5.0 and higher previously 0xE0 (3.10)
0x0258 (5.0);
0x01D8 (5.1);
0x01B8 (early 5.2);
0x01C8 (late 5.2);
0x01B0 (6.0);
0x01D0 (6.1);
0x01D8
0x02F0 (late 5.2);
0x02C0 (6.0);
0x0368 (6.1);
0x04C0 (6.2 to 6.3);
0x04D0
LARGE_INTEGER WriteTransferCount;
5.0 and higher previously 0xE8 (3.10)
0x0260 (5.0);
0x01E0 (5.1);
0x01C0 (early 5.2);
0x01D0 (late 5.2);
0x01B8 (6.0);
0x01D8 (6.1);
0x01E0
0x02F8 (late 5.2);
0x02C8 (6.0);
0x0370 (6.1);
0x04C8 (6.2 to 6.3);
0x04D8
LARGE_INTEGER OtherTransferCount;
5.0 and higher previously 0xF0 (3.10)
0x0268 (5.0);
0x01E8 (5.1);
0x01C8 (early 5.2);
0x01D8 (late 5.2);
0x01C0 (6.0);
0x01E0 (6.1);
0x01E8
0x0300 (late 5.2);
0x02D0 (6.0);
0x0378 (6.1);
0x04D0 (6.2 to 6.3);
0x04E0
ULONG_PTR CommitChargeLimit;
5.0 and higher  
0x01EC 0x04D8 (6.2 to 6.3);
0x04E8
ULONG_PTR volatile CommitCharge;
6.2 and higher  
0x026C (5.0);
0x01EC (5.1);
0x01CC (early 5.2);
0x01DC (late 5.2);
0x01C4 (6.0);
0x01E4 (6.1);
0x01F0
0x0308 (late 5.2);
0x02D8 (6.0);
0x0380 (6.1);
0x04E0 (6.2 to 6.3);
0x04F0
ULONG_PTR CommitChargePeak;
5.0 to 5.2  
ULONG_PTR volatile CommitChargePeak;
6.0 and higher  

There is a plan to write something here.

Offset (x86) | Definition | Versions | Remarks
0x0270 (5.0) | LIST_ENTRY ThreadListHead; | 5.0 only |
0x0278 (5.0) | RTL_BITMAP *VadPhysicalPagesBitMap; | 5.0 only |
0x027C (5.0) | ULONG VadPhysicalPages; | 5.0 only |
0x0280 (5.0) | ULONG AweLock; | 5.0 only |
0x0284 (5.0) | UNICODE_STRING *pImageFileName; | 5.0 only | last member in 5.0

Appended for Windows XP

Offset (x86) Offset (x64) Definition Versions Remarks
0x01F0 (5.1);
0x01D0 (early 5.2);
0x01E0 (late 5.2);
0x01C8 (6.0);
0x01E8 (6.1)
0x0310 (late 5.2);
0x02E0 (6.0);
0x0388 (6.1)
PVOID AweInfo;
5.1 to 6.1  
0x01F4 (5.1);
0x01D4 (early 5.2);
0x01E4 (late 5.2);
0x01CC (6.0);
0x01EC (6.1)
0x0318 (late 5.2);
0x02E8 (6.0);
0x0390 (6.1)
SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;
5.1 to 6.1  
| Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
|---|---|---|---|---|
| 0x01F8 (5.1); 0x01D8 (early 5.2); 0x01E8 (late 5.2); 0x01D0 (6.0); 0x01F0 (6.1); 0x01F4 | 0x0320 (late 5.2); 0x02F0 (6.0); 0x0398 (6.1); 0x04E8 (6.2 to 6.3); 0x04F8 | `MMSUPPORT Vm;` | 5.1 and higher | previously at 0xD0 |
| 0x0238 (5.1) | | `ULONG LastFaultCount;` | 5.1 only | |
| | 0x0378 (late 5.2) | `ULONG Spares [2];` | late 5.2 only | |
| 0x0238 (early 5.2); 0x0230 (late 5.2); 0x0218 (6.0); 0x025C (6.1); 0x0264 (6.2 to 6.3); 0x0274 | 0x0358 (6.0); 0x0420 (6.1); 0x0578 (6.2); 0x05C0 (6.3); 0x05F0 | `LIST_ENTRY MmProcessLinks;` | 5.2 and higher (x86); 6.0 and higher (x64) | |
| 0x0264 (6.1) | 0x0430 (6.1) | `PVOID HighestUserAddress;` | 6.1 only | |
| 0x023C (5.1); 0x0240 (early 5.2); 0x0238 (late 5.2); 0x0220 (6.0); 0x0268 (6.1); 0x026C (6.2 to 6.3); 0x027C | 0x0380 (late 5.2); 0x0368 (6.0); 0x0438 (6.1); 0x0588 (6.2); 0x05D0 (6.3); 0x0600 | `ULONG ModifiedPageCount;` | 5.1 and higher | |
| 0x0240 (5.1) | | `ULONG NumberOfVads;` | 5.1 only | |
| 0x0244 (5.1 to early 5.2); 0x023C (late 5.2) | 0x0384 (late 5.2) | `ULONG JobStatus;` | 5.1 to 5.2 | |
| 0x0224 (6.0); 0x026C (6.1) | 0x036C (6.0); 0x043C (6.1) | `union { ULONG Flags2; struct { /* bit fields, follow link */ }; };` | 6.0 to 6.1 | next at 0xC0 and 0x02F8 |
| 0x0248 (5.1 to early 5.2); 0x0240 (late 5.2); 0x0228 (6.0); 0x0270 (6.1) | 0x0388 (late 5.2); 0x0370 (6.0); 0x0440 (6.1) | `union { ULONG Flags; struct { /* bit fields, follow link */ }; };` | 5.1 to 6.1 | next at 0xC4 and 0x02FC |
| 0x024C (5.1 to early 5.2); 0x0244 (late 5.2); 0x022C (6.0); 0x0274 (6.1); 0x0270 (6.2 to 6.3); 0x0280 | 0x038C (late 5.2); 0x0374 (6.0); 0x0444 (6.1); 0x058C (6.2); 0x05D4 (6.3); 0x0604 | `LONG ExitStatus;` | 5.1 and higher | previously at 0x6C |
| 0x0250 (5.1 to early 5.2); 0x0248 (late 5.2); 0x0230 (6.0) | 0x0390 (late 5.2); 0x0378 (6.0) | `USHORT NextPageColor;` | 5.1 to 5.2 | |
| 0x0250 (5.1 to early 5.2); 0x0248 (late 5.2); 0x0230 (6.0) | 0x0390 (late 5.2); 0x0378 (6.0) | `USHORT Spare7;` | 6.0 only | |
| 0x0252 (5.1 to early 5.2); 0x024A (late 5.2); 0x0232 (6.0) | 0x0392 (late 5.2); 0x037A (6.0) | `union { struct { UCHAR SubSystemMinorVersion; UCHAR SubSystemMajorVersion; }; USHORT SubSystemVersion; };` | 5.1 to 6.0 | |
| 0x0254 (5.1 to early 5.2); 0x024C (late 5.2); 0x0234 (6.0) | 0x0394 (late 5.2); 0x037C (6.0) | `UCHAR PriorityClass;` | 5.1 to 6.0 | |
| 0x0255 (5.1) | | `BOOLEAN WorkingSetAcquiredUnsafe;` | 5.1 only | last member in early 5.1 |
| 0x0258 (late 5.1) | | `ULONG Cookie;` | late 5.1 only | last member in late 5.1 |

Appended for Windows Server 2003

| Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
|---|---|---|---|---|
| 0x0258 (early 5.2); 0x0250 (late 5.2); 0x0238 (6.0); 0x0278 (6.1); 0x0274 (6.2 to 6.3); 0x0284 | 0x0398 (late 5.2); 0x0380 (6.0); 0x0448 (6.1); 0x0590 (6.2); 0x05D8 (6.3); 0x0608 | `MM_AVL_TABLE VadRoot;` | 5.2 to 6.2 | last member in early 5.2 |
| 0x0258 (early 5.2); 0x0250 (late 5.2); 0x0238 (6.0); 0x0278 (6.1); 0x0274 (6.2 to 6.3); 0x0284 | 0x0398 (late 5.2); 0x0380 (6.0); 0x0448 (6.1); 0x0590 (6.2); 0x05D8 (6.3); 0x0608 | `RTL_AVL_TREE VadRoot;` | 6.3 and higher | |
| 0x0278 (6.3); 0x0288 | 0x05E0 (6.3); 0x0610 | `PVOID VadHint;` | 6.3 and higher | |
| 0x027C (6.3); 0x028C | 0x05E8 (6.3); 0x0618 | `ULONG_PTR VadCount;` | 6.3 and higher | |
| 0x028C (6.2); 0x0280 (6.3); 0x0290 | 0x05C0 (6.2); 0x05F0 (6.3); 0x0620 | `ULONG_PTR volatile VadPhysicalPages;` | 6.2 and higher | |
| 0x0290 (6.2); 0x0284 (6.3); 0x0294 | 0x05C8 (6.2); 0x05F8 (6.3); 0x0628 | `ULONG_PTR VadPhysicalPagesLimit;` | 6.2 and higher | |
| 0x0270 (late 5.2); 0x0258 (6.0) | 0x03D8 (late 5.2); 0x03C0 (6.0) | `ULONG Cookie;` | late 5.2 to 6.0 | last member in late 5.2 |

Appended for Windows Vista

| Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
|---|---|---|---|---|
| 0x025C (6.0); 0x0298 (6.1); 0x0294 (6.2); 0x0288 (6.3); 0x0298 | 0x03C8 (6.0); 0x0488 (6.1); 0x05D0 (6.2); 0x0600 (6.3); 0x0630 | `ALPC_PROCESS_CONTEXT AlpcContext;` | 6.0 and higher | last member in 6.0 |

Appended for Windows 7

| Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
|---|---|---|---|---|
| 0x02A8 (6.1); 0x02A4 (6.2); 0x0298 (6.3); 0x02A8 | 0x04A8 (6.1); 0x05F0 (6.2); 0x0620 (6.3); 0x0650 | `LIST_ENTRY TimerResolutionLink;` | 6.1 and higher | |
| 0x02B0 (6.1) | 0x04B8 (6.1) | `ULONG RequestedTimerResolution;` | 6.1 only | |
| 0x02B4 (6.1) | 0x04BC (6.1) | `ULONG ActiveThreadsHighWatermark;` | 6.1 only | |
| 0x02B8 (6.1) | 0x04C0 (6.1) | `ULONG SmallestTimerResolution;` | 6.1 only | |
| 0x02BC (6.1); 0x02AC (6.2); 0x02A0 (6.3); 0x02B0 | 0x04C8 (6.1); 0x0600 (6.2); 0x0630 (6.3); 0x0660 | `PO_DIAG_STACK_RECORD *TimerResolutionStackRecord;` | 6.1 and higher | last member in 6.1 |

Appended for Windows 8

| Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
|---|---|---|---|---|
| 0x02B0 (6.2); 0x02A4 (6.3); 0x02B4 | 0x0608 (6.2); 0x0638 (6.3); 0x0668 | `ULONG RequestedTimerResolution;` | 6.2 and higher | |
| 0x02B4 (6.2); 0x02A8 (6.3); 0x02B8 | 0x060C (6.2); 0x063C (6.3); 0x066C | `ULONG SmallestTimerResolution;` | 6.2 and higher | |
| 0x02B8 (6.2); 0x02B0 (6.3); 0x02C0 | 0x0610 (6.2); 0x0640 (6.3); 0x0670 | `LARGE_INTEGER ExitTime;` | 6.2 and higher | previously 0xA8 and 0x0170 |
| | 0x0618 (6.2); 0x0648 (6.3); 0x0678 | `INVERTED_FUNCTION_TABLE *InvertedFunctionTable;` | 6.2 and higher | |
| | 0x0620 (6.2); 0x0650 (6.3); 0x0680 | `EX_PUSH_LOCK InvertedFunctionTableLock;` | 6.2 and higher | |
| 0x02C0 (6.2); 0x02B8 (6.3); 0x02C8 | 0x0628 (6.2); 0x0658 (6.3); 0x0688 | `ULONG ActiveThreadsHighWatermark;` | 6.2 and higher | |
| 0x02C4 (6.2); 0x02BC (6.3); 0x02CC | 0x062C (6.2); 0x065C (6.3); 0x068C | `ULONG LargePrivateVadCount;` | 6.2 and higher | |
| 0x02C8 (6.2); 0x02C0 (6.3); 0x02D0 | 0x0630 (6.2); 0x0660 (6.3); 0x0690 | `EX_PUSH_LOCK ThreadListLock;` | 6.2 and higher | |
| 0x02CC (6.2); 0x02C4 (6.3); 0x02D4 | 0x0638 (6.2); 0x0668 (6.3); 0x0698 | `PVOID WnfContext;` | 6.2 and higher | |
| 0x02D0 (6.2); 0x02C8 (6.3); 0x02D8 | 0x0640 (6.2); 0x0670 (6.3); 0x06A0 | `ULONG_PTR SectionMappingSize;` | 6.2 only | |
| 0x02D0 (6.2); 0x02C8 (6.3); 0x02D8 | 0x0640 (6.2); 0x0670 (6.3); 0x06A0 | `ULONG_PTR Spare0;` | 6.3 and higher | |
| 0x02D4 (6.2); 0x02CC (6.3); 0x02DC | 0x0648 (6.2); 0x0678 (6.3); 0x06A8 | `UCHAR SignatureLevel;` | 6.2 and higher | |
| 0x02D5 (6.2); 0x02CD (6.3); 0x02DD | 0x0649 (6.2); 0x0679 (6.3); 0x06A9 | `UCHAR SectionSignatureLevel;` | 6.2 and higher | |
| 0x02D6 (6.2); 0x02CE (6.3); 0x02DE | 0x064A (6.2); 0x067A (6.3); 0x06AA | `UCHAR SpareByte20 [2];` | 6.2 only | |
| 0x02D6 (6.2); 0x02CE (6.3); 0x02DE | 0x064A (6.2); 0x067A (6.3); 0x06AA | `PS_PROTECTION Protection;` | 6.3 and higher | |
| 0x02CF (6.3); 0x02DF | 0x067B (6.3); 0x06AB | `UCHAR SpareByte20 [1];` | 6.3 only | |
| 0x02CF (6.3); 0x02DF | 0x067B (6.3); 0x06AB | `UCHAR HangCount;` | 10.0 and higher | |
| 0x02D0 (6.3); 0x02E0 | 0x067C (6.3); 0x06AC | `union { ULONG Flags3; struct { /* bit fields, follow link */ }; };` | 6.3 and higher | |
| 0x02E4 | 0x06B0 | `LONG DeviceAsid;` | 10.0 and higher | |
| 0x02D4 (6.3) | 0x0680 (6.3) | `LONG SvmReserved;` | 6.3 only | |
| 0x02D8 (6.3); 0x02E8 | 0x0688 (6.3); 0x06B8 | `PVOID SvmReserved1;` | 6.3 and higher | |
| 0x02D8 (6.3); 0x02E8 | 0x0688 (6.3); 0x06B8 | `PVOID SvmData;` | 10.0 and higher | |
| 0x02DC (6.3); 0x02EC | 0x0690 (6.3); 0x06C0 | `ULONG_PTR SvmReserved2;` | 6.3 only | |
| 0x02DC (6.3); 0x02EC | 0x0690 (6.3); 0x06C0 | `EX_PUSH_LOCK SvmProcessLock;` | 10.0 and higher | |
| 0x02F0 | 0x06C8 | `ULONG_PTR SvmLock;` | 10.0 and higher | |
| 0x02F4 | 0x06D0 | `LIST_ENTRY SvmProcessDeviceListHead;` | 10.0 and higher | |
| 0x02D8 (6.2) | 0x064C (6.2) | `ULONG KeepAliveCounter;` | 6.2 and higher | |
| 0x02DC (6.2) | 0x0650 (6.2) | `PROCESS_DISK_COUNTERS *DiskCounters;` | 6.2 only | |
| 0x02E0 (6.2 to 6.3); 0x0300 | 0x0658 (6.2); 0x0698 (6.3); 0x06E0 | `ULONGLONG LastFreezeInterruptTime;` | 6.2 and higher | last member in 6.2 |
| 0x02E8 (6.3); 0x0308 | 0x06A0 (6.3); 0x06E8 | `PROCESS_DISK_COUNTERS *DiskCounters;` | 6.3 and higher | |
| 0x030C | 0x06A8 (6.3); 0x06F0 | `PVOID PicoContext;` | 6.3 and higher (x64); 10.0 and higher (x86) | |
| | 0x06F8 | `ULONGLONG TrustletIdentity;` | 10.0 and higher | |
| 0x02EC (6.3); 0x0310 | 0x06B0 (6.3); 0x0700 | `ULONG KeepAliveCounter;` | 6.3 and higher | |
| 0x02F0 (6.3); 0x0314 | 0x06B4 (6.3); 0x0704 | `ULONG NoWakeKeepAliveCounter;` | 6.3 and higher | last member in 6.3 |

Appended for Windows 10

| Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
|---|---|---|---|---|
| 0x0318 | 0x0708 | `ULONG HighPriorityFaultsAllowed;` | 10.0 and higher | |
| 0x031C | | `PVOID InstrumentationCallback;` | 10.0 and higher | |
| 0x0320 | 0x0710 | `PROCESS_ENERGY_VALUES *EnergyValues;` | 10.0 and higher | |
| 0x0324 | 0x0718 | `PVOID VmContext;` | 10.0 and higher | |
| 0x0328 | 0x0720 | `ESILO *Silo;` | 10.0 and higher | |
| 0x032C | 0x0728 | `LIST_ENTRY SiloEntry;` | 10.0 and higher | |
| 0x0338 | 0x0738 | `ULONGLONG SequenceNumber;` | 10.0 and higher | |
| 0x0340 | 0x0740 | `ULONGLONG CreateInterruptTime;` | 10.0 and higher | |
| 0x0348 | 0x0748 | `ULONGLONG CreateUnbiasedInterruptTime;` | 10.0 and higher | |
| 0x0350 | 0x0750 | `ULONGLONG TotalUnbiasedFrozenTime;` | 10.0 and higher | |
| 0x0358 | 0x0758 | `ULONGLONG LastAppStateUpdateTime;` | 10.0 and higher | |
| 0x0360 | 0x0760 | `ULONGLONG LastAppStateUptime : 61; ULONGLONG LastAppState : 3;` | 10.0 and higher | |
| 0x0368 | 0x0768 | `ULONG_PTR volatile SharedCommitCharge;` | 10.0 and higher | |
| 0x036C | 0x0770 | `EX_PUSH_LOCK SharedCommitLock;` | 10.0 and higher | |
| 0x0370 | 0x0778 | `LIST_ENTRY SharedCommitLinks;` | 10.0 and higher | |
| 0x0378 | 0x0788 | `union { struct { ULONG_PTR AllowedCpuSets; ULONG_PTR DefaultCpuSets; }; struct { ULONG_PTR *AllowedCpuSetsIndirect; ULONG_PTR *DefaultCpuSetsIndirect; }; };` | 10.0 and higher | last member in 10.0 |