CURRENT WORK ITEM - PREVIEW ONLY

EPROCESS

The EPROCESS structure is the kernel’s representation of a process object. For instance, if the ObReferenceObjectByHandle function successfully resolves a handle when directed to do so only if the object type is PsProcessType, then the pointer that the function produces for the object is a pointer to an EPROCESS.

Many functions that are exported from the kernel, e.g., for use by drivers, provide for referring to a process object through a pointer to an EPROCESS. However, the structure itself is meant to be opaque outside the kernel.

Variability

Since the EPROCESS structure is plainly internal to the kernel, it should not surprise that the layout changes greatly between Windows versions and even between builds. In the following table of sizes, different builds of the same version are distinguished as early and late because they are known to vary the structure even if they don’t change the size. These descriptions, as early and late, are then used throughout the article as a shorthand.

| Version | Size (x86) | Size (x64) |
|---|---|---|
| 3.10 | 0x0280 | |
| 3.50 to 4.0 | 0x01F8 | |
| 5.0 | 0x0288 | |
| early 5.1 (before Windows XP SP2) | 0x0258 | |
| late 5.1 (Windows XP SP2 and higher) | 0x0260 | |
| early 5.2 (before Windows Server 2003 SP1); late 5.2 (Windows Server 2003 SP1 and higher) | 0x0278 | 0x03E0 |
| early 6.0 (before Windows Vista SP1); late 6.0 (Windows Vista SP1 and higher) | 0x0270 | 0x03E8 |
| 6.1 | 0x02C0 | 0x04D0 |
| 6.2 | 0x02E8 | 0x0660 |
| 6.3 | 0x02F8 | 0x06B8 |
| 10.0 | 0x0380 | 0x0798 |
| 1511 | 0x0370 | 0x0788 |
| 1607 | 0x0388 | 0x07B0 |
| 1703 | 0x03E0 | 0x0818 |
| 1709 | 0x03E8 | 0x0838 |
| 1803 | 0x0400 | 0x0848 |

Layout

These sizes, and the offsets, types and names in the tables that follow, are from Microsoft’s symbol files for the kernel starting with Windows 2000 SP3. Since symbol files for earlier versions do not contain type information for the EPROCESS, what’s known for them is instead inferred from what use the kernel is seen to make of the EPROCESS. Sizes are straightforward, even without symbol files, since ObCreateObject and PsProcessType are exported. What’s known of Microsoft’s names and types is something of a guess. Where use of a member corresponds closely with that of a version for which Microsoft’s symbols are available, it seems reasonable to suppose continuity. Some use, however, has no correspondence, the code having changed too much. Even where the use hasn’t changed, tracking it down exhaustively would be difficult, if not impossible, even with source code.

| Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
|---|---|---|---|---|
| 0x00 | 0x00 | KPROCESS Pcb; | all | |
| 0x70 (3.10) | | KEVENT LockEvent; | 3.10 only | next at 0x6C |
| 0x80 (3.10); 0x68 (3.50 to 4.0); 0x6C (5.0) | | LONG ExitStatus; | 3.10 to 5.0 | next at 0x024C |
| 0x84 (3.10) | | unknown KSEMAPHORE | 3.10 only | |
| 0x6C (3.50 to 4.0); 0x70 (5.0) | | KEVENT LockEvent; | 3.50 to 5.0 | previously at 0x70 |
| 0x7C (3.50 to 4.0); 0x80 (5.0) | | ULONG LockCount; | 3.50 to 5.0 | |
| 0x6C (5.1 to early 5.2); 0x78 (late 5.2); 0x80 (6.0); 0x98 (6.1); 0xA0 (6.2 to 6.3); 0xA8 | 0xB8 (late 5.2); 0xC0 (6.0); 0x0160 (6.1); 0x02C8 (6.2 to 6.3); 0x02D8 | EX_PUSH_LOCK ProcessLock; | 5.1 and higher | |
| 0x98 (3.10); 0x80 (3.50 to 4.0); 0x88 (5.0); 0x70 (5.1 to early 5.2); 0x80 (late 5.2); 0x88 (6.0); 0xA0 (6.1); 0xA8 (6.2 to 6.3) | 0xC0 (late 5.2); 0xC8 (6.0); 0x0168 (6.1); 0x02D0 (6.2 to 6.3) | LARGE_INTEGER CreateTime; | 3.10 to 6.3 | next at 0xC8 and 0x0308 |
| 0xA0 (3.10); 0x88 (3.50 to 4.0); 0x90 (5.0); 0x78 (5.1 to early 5.2); 0x88 (late 5.2); 0x90 (6.0); 0xA8 (6.1) | 0xC8 (late 5.2); 0xD0 (6.0); 0x0170 (6.1) | LARGE_INTEGER ExitTime; | 3.10 to 6.1 | next at 0x02B8 and 0x0610 |
| 0xA8 (3.10) | | unaccounted eight bytes | 3.10 only | |
| 0x90 (3.50 to 4.0); 0x98 (5.0) | | KTHREAD *LockOwner; | 3.50 to 5.0 | |
| 0x80 (5.1 to early 5.2); 0x90 (late 5.2); 0x98 (6.0); 0xB0 (6.2 to 6.3); 0xAC (10.0 to 1607) | 0xD0 (late 5.2); 0xD8 (6.0); 0x0178 (6.1); 0x02D8 (6.2 to 6.3); 0x02E0 (10.0 to 1607) | EX_RUNDOWN_REF RundownProtect; | 5.1 to 1607 | next at 0xC0 and 0x02F8 |
| 0xB0 (10.0 to 1607) | | PVOID VdmObjects; | 10.0 to 1607 | previously at 0x0128; next at 0xC4 |
| 0xB0 (3.10); 0x94 (3.50 to 4.0); 0x9C (5.0); 0x84 (5.1 to early 5.2); 0x94 (late 5.2); 0x9C (6.0); 0xB4 | 0xD8 (late 5.2); 0xE0 (6.0); 0x0180 (6.1); 0x02E0 (6.2 to 6.3); 0x02E8 (10.0 to 1607); 0x02E0 | PVOID UniqueProcessId; | all | |
| 0xB4 (3.10); 0x98 (3.50 to 4.0); 0xA0 (5.0); 0x88 (5.1 to early 5.2); 0x98 (late 5.2); 0xA0 (6.0); 0xB8 | 0xE0 (late 5.2); 0xE8 (6.0); 0x0188 (6.1); 0x02E8 (6.2 to 6.3); 0x02F0 (10.0 to 1607); 0x02E8 | LIST_ENTRY ActiveProcessLinks; | all | |
| 0xC0 | 0x02F8 | EX_RUNDOWN_REF RundownProtect; | 1703 and higher | previously at 0xAC and 0x02E0 |
| 0xC4 | | PVOID VdmObjects; | 1703 and higher | previously at 0xB0 |
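
The build-to-build variability matters whenever a tool reads EPROCESS fields out of a memory image by offset. The following is an added example, not code from the original page: it walks ActiveProcessLinks in a constructed image using the x64 offsets this page gives for 1607 and for 1703 (ImageFileName is from a later table), and shows that the wrong build's offsets yield plausible-looking but wrong names. The image, `BASE`, `HEAD`, the process list and the "first entry is PID 4 named System" check are assumptions made for the illustration.

```python
import struct

# x64 sizes and offsets copied from the tables on this page.
LAYOUTS = {
    "1607": {"size": 0x07B0, "UniqueProcessId": 0x02E8,
             "ActiveProcessLinks": 0x02F0, "ImageFileName": 0x0450},
    "1703": {"size": 0x0818, "UniqueProcessId": 0x02E0,
             "ActiveProcessLinks": 0x02E8, "ImageFileName": 0x0450},
}
NAME_LEN = 0x0F              # UCHAR ImageFileName [0x0F] in 6.1 and higher
BASE = 0xFFFFA00000000000    # constructed base address of the sample image
HEAD = BASE                  # constructed list head: a bare LIST_ENTRY, not an EPROCESS
PROCS = [(4, "System"), (612, "lsass.exe"), (1048, "svchost.exe")]  # constructed


def build_image(layout, procs):
    """Build a constructed image: list head plus one EPROCESS-sized record per process."""
    first, size = 0x100, layout["size"]
    img = bytearray(first + size * len(procs))
    # Addresses of every LIST_ENTRY on the circular list, head first.
    links = [HEAD] + [BASE + first + i * size + layout["ActiveProcessLinks"]
                      for i in range(len(procs))]
    for i, va in enumerate(links):
        flink, blink = links[(i + 1) % len(links)], links[i - 1]
        struct.pack_into("<QQ", img, va - BASE, flink, blink)
    for i, (pid, name) in enumerate(procs):
        rec = first + i * size
        struct.pack_into("<Q", img, rec + layout["UniqueProcessId"], pid)
        raw = name.encode("ascii")[:NAME_LEN]
        start = rec + layout["ImageFileName"]
        img[start:start + len(raw)] = raw
    return bytes(img)


def read(img, va, n):
    """Bounds-checked read of n bytes at virtual address va."""
    off = va - BASE
    if off < 0 or off + n > len(img):
        raise ValueError(f"address {va:#x} is outside the image")
    return img[off:off + n]


def walk(img, layout, limit=4096):
    """Follow Flink from the head; return (pid, name) for each EPROCESS."""
    out = []
    prev, entry = HEAD, struct.unpack("<Q", read(img, HEAD, 8))[0]
    while entry != HEAD:
        if len(out) >= limit:
            raise ValueError("list does not terminate")
        flink, blink = struct.unpack("<QQ", read(img, entry, 16))
        if blink != prev:                       # corrupt or tampered list
            raise ValueError(f"Blink mismatch at {entry:#x}")
        eprocess = entry - layout["ActiveProcessLinks"]   # CONTAINING_RECORD
        pid = struct.unpack(
            "<Q", read(img, eprocess + layout["UniqueProcessId"], 8))[0]
        name = read(img, eprocess + layout["ImageFileName"], NAME_LEN)
        out.append((pid, name.split(b"\0")[0].decode("ascii", "replace")))
        prev, entry = entry, flink
    return out


def pick_layout(img):
    """Names of layouts under which the first entry reads as PID 4 'System'."""
    ok = []
    for build, layout in LAYOUTS.items():
        try:
            procs = walk(img, layout)
        except ValueError:
            continue
        if procs and procs[0] == (4, "System"):
            ok.append(build)
    return ok


if __name__ == "__main__":
    image = build_image(LAYOUTS["1607"], PROCS)
    print("1607 offsets:", walk(image, LAYOUTS["1607"]))
    print("1703 offsets:", walk(image, LAYOUTS["1703"]))
    print("layouts that pass the System check:", pick_layout(image))
```

Because UniqueProcessId sits immediately before ActiveProcessLinks in both builds, the wrong layout still returns the right process IDs; only the names are off, which is why a sanity check on a known process is worth doing before trusting the output.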

Two sets of bit fields, in union with Flags and Flags2, that Windows XP and Windows Vista introduced towards what was then the end of the structure were moved near to the front for Windows 8. Perhaps not coincidentally, Windows 8 is the version that brings all 64 bits into use. More flags were added soon, as Flags3, but again near the end of the structure.

| Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
|---|---|---|---|---|
| 0xC0 (6.2 to 1607); 0xC8 | 0x02F8 (6.2 to 6.3); 0x0300 | union { ULONG Flags2; struct { /* bit fields, follow link */ }; }; | 6.2 and higher | previously at 0x026C and 0x043C |
| 0xC4 (6.2 to 1607); 0xCC | 0x02FC (6.2 to 6.3); 0x0304 | union { ULONG Flags; struct { /* bit fields, follow link */ }; }; | 6.2 and higher | previously at 0x0270 and 0x0440 |
| 0xC8 (10.0 to 1607); 0xD0 | 0x0308 | LARGE_INTEGER CreateTime; | 10.0 and higher | previously 0xA8 and 0x02D0 |

There now comes a set of members that track the process’s use of memory from the pools and the paging file. These resources are subject to quotas, but the limits apply to all processes that share a quota block. An EPROCESS_QUOTA_BLOCK has the limits and tracks the use, both current and peak, by all the applicable processes. The corresponding members here in the EPROCESS track just the current and peak use by just the one process. For no reason yet known, the process’s pointer to its quota block, i.e., the QuotaBlock member, is in almost all versions placed further into the structure.

Each quota block has a spin lock, named QuotaLock, that guards both the quota block’s members and these members here in the EPROCESS. All versions except 3.10 have a default quota block in the kernel’s data. Its spin lock also guards the process’s QuotaBlock pointer. Version 3.10 instead provides its own spin lock in the EPROCESS. Microsoft’s name for it is not known, but the sharing of names such as QuotaPoolUsage between the EPROCESS and the EPROCESS_QUOTA_BLOCK speaks strongly for QuotaLock.

| Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
|---|---|---|---|---|
| 0xBC (3.10) | | KSPIN_LOCK QuotaLock; | 3.10 only | |
| 0xC0 (3.10) | | unknown KSPIN_LOCK | 3.10 only | |
| 0xC4 (3.10); 0xA0 (3.50 to 4.0); 0xA8 (5.0) | | ULONG QuotaPeakPoolUsage [2]; | 3.10 to 5.0 | next as QuotaPeak |
| 0xCC (3.10); 0xA8 (3.50 to 4.0); 0xB0 (5.0) | | ULONG QuotaPoolUsage [2]; | 3.10 to 5.0 | |
| 0x90 (5.1 to early 5.2); 0xA0 (late 5.2); 0xA8 (6.0); 0xC0 (6.1); 0xC8 (6.2 to 6.3); 0xD0 (10.0 to 1607); 0xD8 | 0xF0 (late 5.2); 0xF8 (6.0); 0x0198 (6.1); 0x0300 (6.2 to 6.3); 0x0310 | ULONG_PTR QuotaUsage [3]; | 5.1 to 6.0 | |
| | | ULONG_PTR ProcessQuotaUsage [2]; | 6.1 and higher | |
| 0x9C (5.1 to early 5.2); 0xAC (late 5.2); 0xB4 (6.0); 0xC8 (6.1); 0xD0 (6.2 to 6.3); 0xD8 (10.0 to 1607); 0xE0 | 0x0108 (late 5.2); 0x0110 (6.0); 0x01A8 (6.1); 0x0310 (6.2 to 6.3); 0x0320 | ULONG_PTR QuotaPeak [3]; | 5.1 to 6.0 | previously QuotaPeakPoolUsage |
| | | ULONG_PTR ProcessQuotaPeak [2]; | 6.1 and higher | |
| 0xD4 (3.10); 0xB0 (3.50 to 4.0); 0xB8 (5.0) | | ULONG PagefileUsage; | 3.10 to 5.0 | next in QuotaPeak |
| 0xD8 (3.10); 0xB4 (3.50 to 4.0); 0xBC (5.0); 0xA8 (5.1 to early 5.2); 0xB8 (late 5.2); 0xC0 (6.0); 0xD0 (6.1) | 0x0120 (late 5.2); 0x0128 (6.0); 0x01B8 (6.1) | ULONG_PTR CommitCharge; | 3.10 to 5.2 | |
| | | ULONG_PTR volatile CommitCharge; | 6.0 to 6.1 | next at 0x01EC and 0x04D8 |
| 0xDC (3.10); 0xB8 (3.50 to 4.0); 0xC0 (5.0) | | ULONG PeakPagefileUsage; | 3.10 to 5.0 | next in QuotaUsage |
| 0xD4 (6.1) | 0x01C0 (6.1) | EPROCESS_QUOTA_BLOCK *QuotaBlock; | 6.1 only | previously at 0x0118 and 0x01D8; next at 0x014C and 0x0400 |
| 0xD8 (6.1) | 0x01C8 (6.1) | PS_CPU_QUOTA_BLOCK *CpuQuotaBlock; | 6.1 only | |

The PagefileUsage, CommitCharge and PeakPagefileUsage members count pages. The others count bytes.

The precise arrangement of the various members for current and peak use of the non-paged and paged pools and of the pagefile has varied with the EPROCESS_QUOTA_BLOCK implementation. Version 5.1 brought the pools and pagefile together into a PS_QUOTA_TYPE enumeration that indexes the QuotaUsage and QuotaPeak arrays, which thus absorb what had been PagefileUsage and PeakPagefileUsage.

All the statistical members in the preceding set are retrievable through either or both of two native API functions in all versions: as members of VM_COUNTERS, as filled by the ProcessVmCounters (0x03) case of the NtQueryInformationProcess function; as members of SYSTEM_PROCESS_INFORMATION, as filled by the SystemProcessInformation (0x05) case of the NtQuerySystemInformation function. For the latter, what is here called the CommitCharge is there called the PrivatePageCount—and in the VM_COUNTERS_EX, which is supported in version 5.1 and higher, it is named PrivateUsage.

| Offset (x86) | Definition | Versions | Remarks |
|---|---|---|---|
| 0xE0 (3.10) | LARGE_INTEGER ReadTransferCount; | 3.10 only | next at 0x0250 (5.0) |
| 0xE8 (3.10) | LARGE_INTEGER WriteTransferCount; | 3.10 only | next at 0x0258 (5.0) |
| 0xF0 (3.10) | LARGE_INTEGER OtherTransferCount; | 3.10 only | next at 0x0260 (5.0) |
| 0xF8 (3.10) | ULONG ReadOperationCount; | 3.10 only | next as LARGE_INTEGER at 0x0238 (5.0) |
| 0xFC (3.10) | ULONG WriteOperationCount; | 3.10 only | next as LARGE_INTEGER at 0x0240 (5.0) |
| 0x0100 (3.10) | ULONG OtherOperationCount; | 3.10 only | next as LARGE_INTEGER at 0x0248 (5.0) |

Perhaps because they are also retrievable in the SYSTEM_PROCESS_INFORMATION, this area of statistical members also has the original counters of I/O operations and the bytes these transferred. The original implementation’s allowance of only 32 bits for counting the operations soon became problematic. Indeed, these counters disappear from the EPROCESS until version 5.0 brings them back, all 64 bits wide.

In version 3.10, these I/O counters are retrievable through either or both of two native API functions: as members of IO_COUNTERS, as filled by the ProcessIoCounters (0x02) case of the NtQueryInformationProcess function; and as members of SYSTEM_PROCESS_INFORMATION. They are in version 5.0 and higher, too. In the intervening versions, the corresponding members of the SYSTEM_PROCESS_INFORMATION are unused or repurposed, and the ProcessIoCounters case is failed immediately as being not implemented. The NTDDK.H from the DDK for both Windows NT 3.51 and 4.0 presents a C-language definition of the original IO_COUNTERS structure, with 32-bit operation counts, as output from ProcessIoCounters, though trying to get that output can only have been a waste of time.

| Offset (x86) | Offset (x64) | Definition | Versions |
|---|---|---|---|
| 0x0104 (3.10); 0xBC (3.50 to 4.0); 0xC4 (5.0); 0xAC (5.1 to early 5.2); 0xBC (late 5.2); 0xC4 (6.0); 0xDC (6.1); 0xD8 (6.2 to 6.3); 0xE0 (10.0 to 1607); 0xE8 | 0x0128 (late 5.2); 0x0130 (6.0); 0x01D0 (6.1); 0x0320 (6.2 to 6.3); 0x0330 | ULONG_PTR PeakVirtualSize; | all |
| 0x0108 (3.10); 0xC0 (3.50 to 4.0); 0xC8 (5.0); 0xB0 (5.1 to early 5.2); 0xC0 (late 5.2); 0xC8 (6.0); 0xE0 (6.1); 0xDC (6.2 to 6.3); 0xE4 (10.0 to 1607); 0xEC | 0x0130 (late 5.2); 0x0138 (6.0); 0x01D8 (6.1); 0x0328 (6.2 to 6.3); 0x0338 | ULONG_PTR VirtualSize; | all |

The PeakVirtualSize and VirtualSize count pages. In all versions, conversions to bytes are retrievable as identically named members of the VM_COUNTERS structure that is filled by the ProcessVmCounters (0x03) case of the NtQueryInformationProcess function.

All versions 3.10 to 5.0 have four bytes of unused alignment space before the next member, which has 8-byte alignment before version 6.0.

| Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
|---|---|---|---|---|
| 0x0110 (3.10); 0xC8 (3.50 to 4.0); 0xD0 (5.0) | | MMSUPPORT Vm; | 3.10 to 5.0 | next at 0x01F8 |
| 0x0140 (3.10); 0xF8 (3.50 to 4.0) | | <unknown-type> LastProtoPteFault; | 3.10 to 4.0 | |
| 0x0118 (5.0); 0xB4 (5.1 to early 5.2); 0xC4 (late 5.2); 0xCC (6.0); 0xE4 (6.1); 0xE0 (6.2 to 6.3); 0xE8 (10.0 to 1607); 0xF0 | 0x0138 (late 5.2); 0x0140 (6.0); 0x01E0 (6.1); 0x0330 (6.2 to 6.3); 0x0340 | LIST_ENTRY SessionProcessLinks; | 5.0 and higher | |
| 0x0144 (3.10); 0xFC (3.50 to 4.0); 0x0120 (5.0); 0xBC (5.1 to early 5.2); 0xCC (late 5.2); 0xD4 (6.0); 0xEC (6.1) | 0x0148 (late 5.2); 0x0150 (6.0); 0x01F0 (6.1) | PVOID DebugPort; | 3.10 to 6.1 | next at 0x0154 and 0x0410 |
| 0x0148 (3.10); 0x0100 (3.50 to 4.0); 0x0124 (5.0); 0xC0 (5.1 to early 5.2); 0xD0 (late 5.2); 0xD8 (6.0); 0xF0 (6.1); 0xE8 (6.2 to 6.3); 0xF0 (10.0 to 1607); 0xF8 | 0x0150 (late 5.2); 0x0158 (6.0); 0x01F8 (6.1); 0x0340 (6.2 to 6.3); 0x0350 | PVOID ExceptionPort; | 3.10 to 5.2 | |
| | | union { PVOID ExceptionPortData; ULONG_PTR ExceptionPortValue; ULONG_PTR ExceptionPortState : 3; }; | 6.0 and higher | |
| 0x014C (3.10); 0x0104 (3.50 to 4.0); 0x0128 (5.0); 0xC4 (5.1 to early 5.2); 0xD4 (late 5.2); 0xDC (6.0); 0xF4 (6.1) | 0x0158 (late 5.2); 0x0160 (6.0); 0x0200 (6.1) | HANDLE_TABLE *ObjectTable; | 3.10 to 6.1 | next at 0x0150 and 0x0408 |
| 0x0150 (3.10); 0x0108 (3.50 to 4.0); 0x012C (5.0); 0xC8 (5.1 to early 5.2); 0xD8 (late 5.2); 0xE0 (6.0); 0xF8 (6.1); 0xEC (6.2 to 6.3); 0xF4 (10.0 to 1607); 0xFC | 0x0160 (late 5.2); 0x0168 (6.0); 0x0208 (6.1); 0x0348 (6.2 to 6.3); 0x0358 | PVOID Token; | 3.10 to 5.0 | |
| | | EX_FAST_REF Token; | 5.1 and higher | |
| 0x0154 (3.10); 0x010C (3.50 to 4.0); 0x0130 (5.0); 0xCC (5.1) | | KMUTANT WorkingSetLock; | 3.10 only | |
| | | FAST_MUTEX WorkingSetLock; | 3.50 to 5.1 | |
| 0x0174 (3.10); 0x012C (3.50 to 4.0); 0x0150 (5.0); 0xEC (5.1); 0xCC (early 5.2); 0xDC (late 5.2); 0xE4 (6.0); 0xFC (6.1); 0xF0 (6.2 to 6.3); 0xF8 (10.0 to 1607); 0x0100 | 0x0168 (late 5.2); 0x0170 (6.0); 0x0210 (6.1); 0x0350 (6.2 to 6.3); 0x0360 | ULONG_PTR WorkingSetPage; | 3.10 to 1607 | |
| | | ULONG MmReserved; | 1703 and higher | |

There is a plan to write something here.

| Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
|---|---|---|---|---|
| 0x0178 (3.10); 0x0130 (3.50 to 4.0); 0x0154 (5.0) | | BOOLEAN ProcessOutswapEnabled; | 3.10 to 5.0 | next as OutswapEnabled in Flags |
| 0x0179 (3.10); 0x0131 (3.50 to 4.0); 0x0155 (5.0) | | BOOLEAN ProcessOutswapped; | 3.10 to 5.0 | next as Outswapped in Flags |
| 0x017A (3.10); 0x0132 (3.50 to 4.0); 0x0156 (5.0) | | BOOLEAN AddressSpaceInitialized; | 3.10 to 5.0 | |
| 0x017B (3.10); 0x0133 (3.50 to 4.0); 0x0157 (5.0) | | BOOLEAN AddressSpaceDeleted; | 3.10 to 5.0 | |
| 0x017C (3.10); 0x0134 (3.50 to 4.0); 0x0158 (5.0); 0xF0 (5.1); 0xD0 (early 5.2); 0xE0 (late 5.2); 0xE8 (6.0); 0x0100 (6.1); 0xF4 (6.2 to 6.3); 0xFC (10.0 to 1607); 0x0104 | | KEVENT AddressCreationLock; | 3.10 only | |
| | | FAST_MUTEX AddressCreationLock; | 3.50 to 5.1 | |
| | 0x0170 (late 5.2); 0x0178 (6.0); 0x0218 (6.1); 0x0358 (6.2 to 6.3); 0x0368 | KGUARDED_MUTEX AddressCreationLock; | 5.2 only | |
| | | EX_PUSH_LOCK AddressCreationLock; | 6.0 and higher | |
| 0x0154 (3.51 to 4.0); 0x0178 (5.0); 0x0110 (5.1); 0xF0 (early 5.2); 0x0100 (late 5.2) | 0x01A8 (late 5.2) | KSPIN_LOCK HyperSpaceLock; | 3.51 to 5.2 | |
| 0xF8 (6.3); 0x0100 (10.0 to 1607); 0x0108 | 0x0360 (6.2 to 6.3); 0x0370 | EX_PUSH_LOCK PageTableCommitmentLock; | 6.3 and higher | |
| 0xEC (6.0); 0x0104 (6.1); 0xF8 (6.2); 0xFC (6.3); 0x0104 (10.0 to 1607); 0x010C | 0x0180 (6.0); 0x0220 (6.1); 0x0360 (6.2); 0x0368 (6.2 to 6.3); 0x0378 | ETHREAD *RotateInProgress; | 6.0 and higher | |
| 0x018C (3.10); 0x0158 (4.0); 0x017C (5.0); 0x0114 (5.1); 0xF4 (early 5.2); 0x0104 (late 5.2); 0xF0 (6.0); 0x0108 (6.1); 0xFC (6.2); 0x0100 (6.3); 0x0108 (10.0 to 1607); 0x0110 | 0x01B0 (late 5.2); 0x0188 (6.0); 0x0228 (6.1); 0x0368 (6.2); 0x0370 (6.2 to 6.3); 0x0380 | ETHREAD *ForkInProgress; | all | |

There is a plan to write something here.

| Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
|---|---|---|---|---|
| 0x015C (4.0); 0x0180 (5.0) | | USHORT VmOperation; | 4.0 to 5.0 | |
| 0x015E (4.0); 0x0182 (5.0) | | BOOLEAN ForkWasSuccessful; | 4.0 to 5.0 | |
| 0x015F (4.0); 0x0183 (5.0) | | UCHAR MmAgressiveWsTrimMask; | 4.0 to 5.0 | |
| 0x0160 (4.0); 0x0184 (5.0) | | KEVENT *VmOperationEvent; | 4.0 to 5.0 | |
| 0x0198 (3.10); 0x0164 (3.50 to 4.0) | | PVOID PageDirectoryPte; | 3.10 to 4.0 | next as multiple types at 0x01F0 |
| 0x0188 (5.0) | | PVOID PaeTop; | 5.0 only | next at 0x019C |
| 0x0168 (4.0); 0x018C (5.0) | | ULONG LastFaultCount; | 4.0 to 5.0 | next at 0x0238 |
| 0x01A0 (3.10); 0x016C (4.0); 0x0190 (5.0) | | ULONG ModifiedPageCount; | 3.10 to 5.0 | next at 0x023C |

There is a plan to write something here.

| Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
|---|---|---|---|---|
| 0x0118 (5.1); 0xF8 (early 5.2); 0x0108 (late 5.2); 0xF4 (6.0); 0x010C (6.1); 0x0100 (6.2) | 0x01B8 (late 5.2); 0x0190 (6.0); 0x0230 (6.1); 0x0370 (6.2) | ULONG_PTR HardwareTrigger; | 5.1 to 6.2 | |
| 0x01A4 (3.10); 0x0170 (3.50 to 4.0); 0x0194 (5.0); 0x011C (5.1) | | PVOID VadRoot; | 3.10 to 5.1 | next at 0x0258 |
| 0x0174 (4.0); 0x0198 (5.0); 0x0120 (5.1) | | PVOID VadHint; | 4.0 to 5.1 | |
| 0xFC (early 5.2); 0x010C (late 5.2); 0xF8 (6.0); 0x0110 (6.1) | 0x01C0 (late 5.2); 0x0198 (6.0); 0x0238 (6.1) | MM_AVL_TABLE *PhysicalVadRoot; | 5.2 to 6.1 | |
| 0x0104 (6.2 to 6.3); 0x010C (10.0 to 1607); 0x0114 | 0x0378 (6.2 to 6.3); 0x0388 | EJOB *CommitChargeJob; | 6.2 and higher | |
| 0x0178 (4.0); 0x019C (5.0); 0x0124 (5.1); 0x0100 (early 5.2); 0x0110 (late 5.2); 0xFC (6.0); 0x0114 (6.1); 0x0108 (6.2 to 6.3); 0x0110 (10.0 to 1607); 0x0118 | 0x01C8 (late 5.2); 0x01A0 (6.0); 0x0240 (6.1); 0x0380 (6.2 to 6.3); 0x0390 | PVOID CloneRoot; | 4.0 to 6.2 | |
| | | RTL_AVL_TREE CloneRoot; | 6.3 and higher | |
| 0x01B0 (3.10); 0x017C (4.0); 0x01A0 (5.0); 0x0128 (5.1); 0x0104 (early 5.2); 0x0114 (late 5.2); 0x0100 (6.0); 0x0118 (6.1); 0x010C (6.2 to 6.3); 0x0114 (10.0 to 1607); 0x011C | 0x01D0 (late 5.2); 0x01A8 (6.0); 0x0248 (6.1); 0x0388 (6.2 to 6.3); 0x0398 | ULONG_PTR NumberOfPrivatePages; | 3.10 to 5.2 | |
| | | ULONG_PTR volatile NumberOfPrivatePages; | 6.0 and higher | |
| 0x0180 (4.0); 0x01A4 (5.0); 0x012C (5.1); 0x0108 (early 5.2); 0x0118 (late 5.2); 0x0104 (6.0); 0x011C (6.1); 0x0110 (6.2 to 6.3); 0x0118 (10.0 to 1607); 0x0120 | 0x01D8 (late 5.2); 0x01B0 (6.0); 0x0250 (6.1); 0x0390 (6.2 to 6.3); 0x03A0 | ULONG_PTR NumberOfLockedPages; | 4.0 to 5.2 | |
| | | ULONG_PTR volatile NumberOfLockedPages; | 6.0 and higher | |
| 0x0185 (3.50); 0x0184 (3.51 to 4.0); 0x01A8 (5.0) | | UCHAR NextPageColor; | 3.50 only | |
| | | USHORT NextPageColor; | 3.51 to 5.0 | next at 0x0250 |
| 0x0186 (4.0); 0x01AA (5.0) | | BOOLEAN ExitProcessCalled; | 4.0 to 5.0 | |
| 0x01BB (3.10); 0x0187 (3.50 to 4.0); 0x01AB (5.0) | | BOOLEAN CreateProcessReported; | 3.10 to 5.0 | next as CreateReported in Flags |
| 0x0130 (5.1); 0x010C (early 5.2); 0x011C (late 5.2); 0x0108 (6.0); 0x0120 (6.1); 0x0114 (6.2 to 6.3); 0x011C (10.0 to 1607); 0x0124 | 0x01E0 (late 5.2); 0x01B8 (6.0); 0x0258 (6.1); 0x0398 (6.2 to 6.3); 0x03A8 | PVOID Win32Process; | 5.1 and higher | previously at 0x0214 |
| 0x0134 (5.1); 0x0110 (early 5.2); 0x0120 (late 5.2); 0x010C (6.0); 0x0124 (6.1); 0x0118 (6.2 to 6.3); 0x0120 (10.0 to 1607); 0x0128 | 0x01E8 (late 5.2); 0x01C0 (6.0); 0x0260 (6.1); 0x03A0 (6.2 to 6.3); 0x03B0 | EJOB *Job; | 5.1 and higher | previously at 0x0218 |
| 0x01BC (3.10); 0x0188 (3.50 to 4.0); 0x01AC (5.0); 0x0138 (5.1); 0x0114 (early 5.2); 0x0124 (late 5.2); 0x0110 (6.0); 0x0128 (6.1); 0x011C (6.2 to 6.3); 0x0124 (10.0 to 1607); 0x012C | 0x01F0 (late 5.2); 0x01C8 (6.0); 0x0268 (6.1); 0x03A8 (6.2 to 6.3); 0x03B8 | HANDLE SectionHandle; | 3.10 to 5.0 | |
| | | PVOID SectionObject; | 5.1 and higher | |
| 0x01C0 (3.10); 0x018C (3.50 to 4.0); 0x01B0 (5.0) | | PEB *Peb; | 3.10 to 5.0 | next at 0x01B0 |
| 0x01C4 (3.10); 0x0190 (3.50 to 4.0); 0x01B4 (5.0); 0x013C (5.1); 0x0118 (early 5.2); 0x0128 (late 5.2); 0x0114 (6.0); 0x012C (6.1); 0x0120 (6.2 to 6.3); 0x0128 (10.0 to 1607); 0x0130 | 0x01F8 (late 5.2); 0x01D0 (6.0); 0x0270 (6.1); 0x03B0 (6.2 to 6.3); 0x03C0 | PVOID SectionBaseAddress; | 3.10 and higher | |
| 0x01E0 (3.10); 0x0194 (3.50 to 4.0); 0x01B8 (5.0); 0x0140 (5.1); 0x011C (early 5.2); 0x012C (late 5.2); 0x0118 (6.0) | 0x0200 (late 5.2); 0x01D8 (6.0) | EPROCESS_QUOTA_BLOCK *QuotaBlock; | 3.10 to 6.0 | next at 0xD4 and 0x01C0 |
| 0x0130 (6.1); 0x0124 (6.2 to 6.3); 0x012C (10.0 to 1607); 0x0134 | 0x0278 (6.1); 0x03B8 (6.2 to 6.3); 0x03C8 | ULONG Cookie; | 6.1 and higher | previously at 0x0258 and 0x03C0 |
| 0x0134 (6.1) | 0x027C (6.1) | ULONG Spare8; | 6.1 only (x86) | |
| | | ULONG UmsScheduledThreads; | 6.1 only (x64) | |
| 0x0128 (6.2 to 6.3) | | PVOID VdmObjects; | 6.2 to 6.3 | previously at 0x0148; next at 0xB0 |
| 0x0198 (4.0); 0x01BC (5.0) | | LONG LastThreadExitStatus; | 4.0 to 5.0 | next at 0x01AC |

There is a plan to write something here.

| Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
|---|---|---|---|---|
| 0x01E8 (3.10); 0x019C (3.50 to 4.0); 0x01C0 (5.0); 0x0144 (5.1); 0x0120 (early 5.2); 0x0130 (late 5.2); 0x011C (6.0); 0x0138 (6.1); 0x012C (6.2 to 6.3); 0x0130 (10.0 to 1607); 0x0138 | 0x0208 (late 5.2); 0x01E0 (6.0); 0x0280 (6.1); 0x03C0 (6.2 to 6.3); 0x03D0 | PAGEFAULT_HISTORY *WorkingSetWatch; | all | |
| 0x01A0 (4.0); 0x01C4 (5.0); 0x0148 (5.1); 0x0124 (early 5.2); 0x0134 (late 5.2); 0x0120 (6.0); 0x013C (6.1); 0x0130 (6.2 to 6.3); 0x0134 (10.0 to 1607); 0x013C | 0x0210 (late 5.2); 0x01E8 (6.0); 0x0288 (6.1); 0x03C8 (6.2 to 6.3); 0x03D8 | PVOID Win32WindowStation; | 4.0 and higher | |
| 0x01F0 (3.10); 0x01A4 (3.50 to 4.0); 0x01C8 (5.0); 0x014C (5.1); 0x0128 (early 5.2); 0x0138 (late 5.2); 0x0124 (6.0); 0x0140 (6.1); 0x0134 (6.2 to 6.3); 0x0138 (10.0 to 1607); 0x0140 | 0x0218 (late 5.2); 0x01F0 (6.0); 0x0290 (6.1); 0x03D0 (6.2 to 6.3); 0x03E0 | PVOID InheritedFromUniqueProcessId; | all | |
| 0x01F4 (3.10); 0x01A8 (3.51 to 4.0); 0x01CC (5.0) | | ULONG GrantedAccess; | 3.10 to 5.0 | next at 0x01A4 |
| 0x01F8 (3.10); 0x01AC (3.50 to 4.0); 0x01D0 (5.0) | | ULONG DefaultHardErrorProcessing; | 3.10 to 5.0 | next at 0x01A8 |
| 0x01FC (3.10); 0x01B0 (3.50 to 4.0); 0x01D4 (5.0); 0x0150 (5.1); 0x012C (early 5.2); 0x013C (late 5.2); 0x0128 (6.0); 0x0144 (6.1); 0x0138 (6.2 to 6.3); 0x013C (10.0 to 1607); 0x0144 | 0x0220 (late 5.2); 0x01F8 (6.0); 0x0298 (6.1); 0x03D8 (6.2 to 6.3); 0x03E8 | PVOID LdtInformation; | all | |
| 0x01B4 (4.0); 0x01D8 (5.0); 0x0154 (5.1); 0x0130 (early 5.2); 0x0140 (late 5.2); 0x012C (6.0) | 0x0228 (late 5.2); 0x0200 (6.0) | PVOID VadFreeHint; | 4.0 to early 6.0 | |
| | | PVOID Spare; | late 6.0 only | |
| 0x0204 (3.10); 0x01B8 (3.50 to 4.0); 0x01DC (5.0); 0x0158 (5.1); 0x0134 (early 5.2); 0x0144 (late 5.2); 0x0130 (6.0); 0x0148 (6.1) | 0x0230 (late 5.2); 0x0208 (6.0); 0x02A0 (6.1) | PVOID VdmObjects; | 3.10 to 6.1 (x86); 5.2 to 6.0 (x64) | next at 0x0128 |
| | | PVOID Spare; | 6.1 only (x64) | |
| 0x0208 (3.10); 0x01BC (3.50 to 4.0) | | KMUTANT ProcessMutant; | 3.10 to 4.0 | |
| 0x014C (6.1); 0x013C (6.2 to 6.3); 0x0140 (10.0 to 1607); 0x0148 | 0x02A8 (6.1); 0x03E0 (6.2 to 6.3); 0x03F0 | ULONG_PTR ConsoleHostProcess; | 6.1 only | |
| | | union { EPROCESS *CreatorProcess; ULONG_PTR ConsoleHostProcess; }; | 6.2 only | |
| | | ULONG_PTR volatile OwnerProcessId; | 6.3 and higher | |
| 0x0140 (6.2 to 6.3); 0x0144 (10.0 to 1607); 0x014C | 0x03E8 (6.2 to 6.3); 0x03F8 | PEB *Peb; | 6.2 and higher | previously at 0x01A8 and 0x0338 |
| 0x0144 (6.2 to 6.3); 0x0148 (10.0 to 1607); 0x0150 | 0x03F0 (6.2 to 6.3); 0x0400 | PVOID Session; | 6.2 and higher | previously at 0x0168 and 0x02D8 |
| 0x0148 (6.2 to 6.3); 0x014C (10.0 to 1607); 0x0154 | 0x03F8 (6.2 to 6.3); 0x0400 | PVOID AweInfo; | 6.2 and higher | previously at 0x01E8 and 0x0388 |
| 0x014C (6.2 to 6.3); 0x0150 (10.0 to 1607); 0x0158 | 0x0400 (6.2 to 6.3); 0x0410 | EPROCESS_QUOTA_BLOCK *QuotaBlock; | 6.2 and higher | previously at 0xD4 and 0x01C0 |
| 0x0150 (6.2 to 6.3); 0x0154 (10.0 to 1607); 0x015C | 0x0408 (6.2 to 6.3); 0x0418 | HANDLE_TABLE *ObjectTable; | 6.2 and higher | previously at 0x0F4 and 0x0200 |
| 0x0154 (6.2 to 6.3); 0x0158 (10.0 to 1607); 0x0160 | 0x0410 (6.2 to 6.3); 0x0420 | PVOID DebugPort; | 6.2 and higher | previously at 0xEC and 0x01F0 |
| 0x0158 (6.2 to 6.3); 0x015C (10.0 to 1607); 0x0164 | | PVOID PaeTop; | 6.2 and higher | previously at 0x0194 |
| | 0x0418 (6.2 to 6.3); 0x0428 | PVOID Wow64Process; | 6.2 and higher | previously as WOW64_PROCESS * at 0x0320 |
| 0x01E0 (5.0); 0x015C (5.1); 0x0138 (early 5.2); 0x0148 (late 5.2); 0x0134 (6.0); 0x0150 (6.1); 0x015C (6.2 to 6.3); 0x0160 (10.0 to 1607); 0x0168 | 0x0238 (late 5.2); 0x0210 (6.0); 0x02B0 (6.1); 0x0420 (6.2 to 6.3); 0x0430 | PVOID DeviceMap; | 5.0 and higher | |
| 0x01E4 (5.0) | | ULONG SessionId; | 5.0 only | |
| 0x01E8 (5.0); 0x0160 (5.1); 0x013C (early 5.2); 0x014C (late 5.2) | | LIST_ENTRY PhysicalVadList; | 5.0 to 5.1 | |
| | 0x0240 (late 5.2) | PVOID Spare0 [3]; | 5.2 only | |
| 0x0138 (6.0); 0x0154 (6.1); 0x0160 (6.2 to 6.3); 0x0164 (10.0 to 1607); 0x016C | 0x0218 (6.0); 0x02B8 (6.1); 0x0428 (6.2 to 6.3); 0x0438 | PVOID EtwDataSource; | 6.0 and higher | |
| 0x013C (6.0); 0x0158 (6.1) | 0x0220 (6.0); 0x02C0 (6.1) | PVOID FreeTebHint; | 6.0 to 6.1 | |
| | 0x02C8 (6.1) | PVOID FreeUmsTebHint; | 6.1 only | |
| 0x01F0 (5.0); 0x0168 (5.1); 0x0148 (early 5.2); 0x0158 (late 5.2); 0x0140 (6.0); 0x0160 (6.1); 0x0168 (10.0 to 1607); 0x0170 | 0x0258 (late 5.2); 0x0228 (6.0); 0x02D0 (6.1); 0x0430 (6.2 to 6.3); 0x0440 | union { #ifdef _WIN64 HARDWARE_PTE PageDirectoryPte; #else HARDWARE_PTE_X86PAE PageDirectoryPte; #endif ULONGLONG Filler; }; | 5.0 to 6.1 | previously as PVOID at 0x0164 |
| | | ULONGLONG PageDirectoryPte; | 6.2 and higher | |
| 0x01F8 (5.0) | | ULONG PaePageDirectoryPage; | 5.0 only | |
| 0x0170 (5.1); 0x0150 (early 5.2); 0x0160 (late 5.2); 0x0148 (6.0); 0x0168 (6.1) | 0x0260 (late 5.2); 0x0230 (6.0); 0x02D8 (6.1) | PVOID Session; | 5.1 to 6.1 | next at 0x0144 and 0x03F0 |
| 0x0170 (1511 to 1607); 0x0178 | 0x0448 | FILE_OBJECT *ImageFilePointer; | 1511 and higher | |
| 0x0228 (3.10); 0x01DC (3.50 to 4.0); 0x01FC (5.0); 0x0174 (5.1); 0x0154 (early 5.2); 0x0164 (late 5.2); 0x014C (6.0); 0x016C (6.1); 0x0170 (6.2 to 10.0); 0x0174 (1511 to 1607); 0x017C | 0x0268 (late 5.2); 0x0238 (6.0); 0x02E0 (6.1); 0x0438 (6.2 to 6.3); 0x0448 (10.0); 0x0450 | UCHAR ImageFileName [0x20]; | 3.10 only | |
| | | UCHAR ImageFileName [0x10]; | 3.50 to 6.0 | |
| | | UCHAR ImageFileName [0x0F]; | 6.1 and higher | |
| 0x017B (6.1); 0x017F (6.2 to 10.0); 0x0183 (1511 to 1607); 0x018B | 0x02EF (6.1); 0x0447 (6.2 to 6.3); 0x0457 (10.0); 0x045F | UCHAR PriorityClass; | 6.1 and higher | previously at 0x0234 and 0x037C |

There is a plan to write something here.

| Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
|---|---|---|---|---|
| 0x0248 (3.10); 0x01EC (3.50 to 4.0); 0x020C (5.0) | | ULONG VmTrimFaultValue; | 3.10 to 5.0 | |
| 0x01F0 (4.0); 0x0210 (5.0) | | BOOLEAN SetTimerResolution; | 4.0 to 5.0 | |
| 0x01F1 (4.0); 0x0211 (5.0) | | UCHAR PriorityClass; | 4.0 to 5.0 | next at 0x0254 |
| 0x01F2 (3.51 to 4.0); 0x0212 (5.0) | | union { struct { UCHAR SubSystemMinorVersion; UCHAR SubSystemMajorVersion; }; USHORT SubSystemVersion; }; | 3.51 to 5.0 | next at 0x0252 |
| 0x01F4 (3.51 to 4.0); 0x0214 (5.0) | | PVOID Win32Process; | 3.51 to 5.0 | next at 0x0130; last member in 3.51 to 4.0 |
| 0x0218 (5.0) | | EJOB *Job; | 5.0 only | next at 0x0134 |
| 0x021C (5.0) | | ULONG JobStatus; | 5.0 only | next at 0x0244 |

There is a plan to write something here.

| Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
|---|---|---|---|---|
| 0x0180 (6.2 to 10.0); 0x0184 (1511 to 1607); 0x018C | 0x0448 (6.2 to 6.3); 0x0458 (10.0); 0x0460 | PVOID SecurityPort; | 6.2 and higher | previously at 0x0190 and 0x0318 |
| 0x0184 (6.2 to 10.0); 0x0188 (1511 to 1607); 0x0190 | 0x0450 (6.2 to 6.3); 0x0460 (10.0); 0x0468 | SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo; | 6.2 and higher | previously at 0x01EC and 0x0390 |
| 0x0220 (5.0); 0x0184 (5.1); 0x0164 (early 5.2); 0x0174 (late 5.2); 0x015C (6.0); 0x017C (6.1); 0x0188 (6.2 to 10.0); 0x018C (1511 to 1607); 0x0194 | 0x0278 (late 5.2); 0x0248 (6.0); 0x02F0 (6.1); 0x0458 (6.2 to 6.3); 0x0468 (10.0); 0x0470 | LIST_ENTRY JobLinks; | 5.0 and higher | |
| 0x0228 (5.0); 0x018C (5.1); 0x016C (early 5.2); 0x017C (late 5.2); 0x0164 (6.0); 0x0184 (6.1) | 0x0288 (late 5.2); 0x0258 (6.0); 0x0300 (6.1) | PVOID LockedPagesList; | 5.0 to 6.1 | next as MM_AVL_TABLE * at 0x01B0 and 0x0498 |
| 0x0190 (6.2 to 10.0); 0x0194 (1511 to 1607); 0x019C | 0x0468 (6.2 to 6.3); 0x0478 (10.0); 0x0480 | PVOID HighestUserAddress; | 6.2 and higher | previously at 0x0264 and 0x0430 |
| 0x0190 (5.1); 0x0170 (early 5.2); 0x0180 (late 5.2); 0x0168 (6.0); 0x0188 (6.1); 0x0194 (6.2 to 10.0); 0x0198 (1511 to 1607); 0x01A0 | 0x0290 (late 5.2); 0x0260 (6.0); 0x0308 (6.1); 0x0470 (6.2 to 6.3); 0x0480 (10.0); 0x0488 | LIST_ENTRY ThreadListHead; | 5.1 and higher | previously at 0x0270 |

There is a plan to write something here.

| Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
|---|---|---|---|---|
| 0x022C (5.0); 0x0198 (5.1); 0x0178 (early 5.2); 0x0188 (late 5.2); 0x0170 (6.0); 0x0190 (6.1) | 0x02A0 (late 5.2); 0x0270 (6.0); 0x0318 (6.1) | PVOID SecurityPort; | 5.0 to 6.1 | next at 0x0180 and 0x0448 |
| 0x0230 (5.0) | 0x02A8 (late 5.2); 0x0278 (6.0); 0x0320 (6.1) | WOW64_PROCESS *Wow64Process; | 5.0 only (x86); late 5.2 to 6.1 (x64) | next as PVOID at 0x0418 |
| 0x019C (5.1); 0x017C (early 5.2); 0x018C (late 5.2); 0x0174 (6.0); 0x0194 (6.1) | | PVOID PaeTop; | 5.1 to 6.1 | previously at 0x0188; next at 0x0158 |

There is a plan to write something here.

| Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
|---|---|---|---|---|
| 0x01A0 (5.1); 0x0180 (early 5.2); 0x0190 (late 5.2); 0x0178 (6.0); 0x0198 (6.1); 0x019C (6.2 to 10.0); 0x01A0 (1511 to 1607); 0x01A8 | 0x02B0 (late 5.2); 0x0280 (6.0); 0x0328 (6.1); 0x0480 (6.2 to 6.3); 0x0490 (10.0); 0x0498 | ULONG ActiveThreads; | 5.1 to 5.2 | |
| | | ULONG volatile ActiveThreads; | 6.0 and higher | |
| 0x017C (6.0); 0x019C (6.1); 0x01A0 (6.2 to 10.0); 0x01A4 (1511 to 1607); 0x01AC | 0x0284 (6.0); 0x032C (6.1); 0x0484 (6.2 to 6.3); 0x0494 (10.0); 0x049C | ULONG ImagePathHash; | 6.0 and higher | |
| 0x01A4 (5.1); 0x0184 (early 5.2); 0x0194 (late 5.2) | 0x02B0 (late 5.2) | ULONG GrantedAccess; | 5.1 to 5.2 | previously at 0x01CC |
| 0x01A8 (5.1); 0x0188 (early 5.2); 0x0198 (late 5.2); 0x0180 (6.0); 0x01A0 (6.1); 0x01A4 (6.2 to 10.0); 0x01A8 (1511 to 1607); 0x01B0 | 0x02B8 (late 5.2); 0x0288 (6.0); 0x0330 (6.1); 0x0488 (6.2 to 6.3); 0x0498 (10.0); 0x04A0 | ULONG DefaultHardErrorProcessing; | 5.1 and higher | previously at 0x01D0 |
| 0x01AC (5.1); 0x018C (early 5.2); 0x019C (late 5.2); 0x0184 (6.0); 0x01A4 (6.1); 0x01A8 (6.2 to 10.0); 0x01AC (1511 to 1607); 0x01B4 | 0x02BC (late 5.2); 0x028C (6.0); 0x0334 (6.1); 0x048C (6.2 to 6.3); 0x049C (10.0); 0x04A4 | LONG LastThreadExitStatus; | 5.1 and higher | previously at 0x01BC |
| 0x01B0 (5.1); 0x0190 (early 5.2); 0x01A0 (late 5.2); 0x0188 (6.0); 0x01A8 (6.1) | 0x02C0 (late 5.2); 0x0290 (6.0); 0x0338 (6.1) | PEB *Peb; | 5.1 to 6.1 | previously at 0x01B0; next at 0x0140 and 0x03E8 |
| 0x01B4 (5.1); 0x0194 (early 5.2); 0x01A4 (late 5.2); 0x018C (6.0); 0x01AC (6.1 to 10.0); 0x01B0 (1511 to 1607); 0x01B8 | 0x02C8 (late 5.2); 0x0298 (6.0); 0x0340 (6.1); 0x0490 (6.2 to 6.3); 0x04A0 (10.0); 0x04A8 | EX_FAST_REF PrefetchTrace; | 5.1 and higher | |
| 0x01B0 (6.2 to 10.0); 0x01B4 (1511 to 1607); 0x01BC | 0x0498 (6.2 to 6.3); 0x04A8 (10.0); 0x04B0 | MM_AVL_TABLE *LockedPagesList; | 6.2 only | previously as PVOID at 0x0184 and 0x0300 |
| | | PVOID LockedPagesList; | 6.3 and higher | |

There is a plan to write something here.

Offset (x86) Offset (x64) Definition Versions Remarks
0x0238 (5.0);
0x01B8 (5.1);
0x0198 (early 5.2);
0x01A8 (late 5.2);
0x0190 (6.0);
0x01B0 (6.1);
0x01B8 (6.2 to 1607);
0x01C0
0x02D0 (late 5.2);
0x02A0 (6.0);
0x0348 (6.1);
0x04A0 (6.2 to 6.3);
0x04B0 (10.0);
0x04B8
LARGE_INTEGER ReadOperationCount;
5.0 and higher previously ULONG at 0xF8 (3.10)
0x0240 (5.0);
0x01C0 (5.1);
0x01A0 (early 5.2);
0x01B0 (late 5.2);
0x0198 (6.0);
0x01B8 (6.1);
0x01C0 (6.2 to 1607);
0x01C8
0x02D8 (late 5.2);
0x02A8 (6.0);
0x0350 (6.1);
0x04A8 (6.2 to 6.3);
0x04B8 (10.0);
0x04C0
LARGE_INTEGER WriteOperationCount;
5.0 and higher previously ULONG at 0xFC (3.10)
0x0248 (5.0);
0x01C8 (5.1);
0x01A8 (early 5.2);
0x01B8 (late 5.2);
0x01A0 (6.0);
0x01C0 (6.1);
0x01C8 (6.2 to 1607);
0x01D0
0x02E0 (late 5.2);
0x02B0 (6.0);
0x0358 (6.1);
0x04B0 (6.2 to 6.3);
0x04C0 (10.0);
0x04C8
LARGE_INTEGER OtherOperationCount;
5.0 and higher previously ULONG at 0x0100 (3.10)
0x0250 (5.0);
0x01D0 (5.1);
0x01B0 (early 5.2);
0x01C0 (late 5.2);
0x01A8 (6.0);
0x01C8 (6.1);
0x01D0 (6.2 to 1607);
0x01D8
0x02E8 (late 5.2);
0x02B8 (6.0);
0x0360 (6.1);
0x04B8 (6.2 to 6.3);
0x04C8 (10.0);
0x04D0
LARGE_INTEGER ReadTransferCount;
5.0 and higher previously 0xE0 (3.10)
0x0258 (5.0);
0x01D8 (5.1);
0x01B8 (early 5.2);
0x01C8 (late 5.2);
0x01B0 (6.0);
0x01D0 (6.1);
0x01D8 (6.2 to 1607);
0x01E0
0x02F0 (late 5.2);
0x02C0 (6.0);
0x0368 (6.1);
0x04C0 (6.2 to 6.3);
0x04D0 (10.0);
0x04D8
LARGE_INTEGER WriteTransferCount;
5.0 and higher previously at 0xE8 (3.10)
0x0260 (5.0);
0x01E0 (5.1);
0x01C0 (early 5.2);
0x01D0 (late 5.2);
0x01B8 (6.0);
0x01D8 (6.1);
0x01E0 (6.2 to 1607);
0x01E8
0x02F8 (late 5.2);
0x02C8 (6.0);
0x0370 (6.1);
0x04C8 (6.2 to 6.3);
0x04D8 (10.0);
0x04E0
LARGE_INTEGER OtherTransferCount;
5.0 and higher previously at 0xF0 (3.10)
0x0268 (5.0);
0x01E8 (5.1);
0x01C8 (early 5.2);
0x01D8 (late 5.2);
0x01C0 (6.0);
0x01E0 (6.1);
0x01E8 (6.2 to 1607);
0x01F0
0x0300 (late 5.2);
0x02D0 (6.0);
0x0378 (6.1);
0x04D0 (6.2 to 6.3);
0x04E0 (10.0);
0x04E8
ULONG_PTR CommitChargeLimit;
5.0 and higher  
0x01EC (6.2 to 1607);
0x01F4
0x04D8 (6.2 to 6.3);
0x04E8 (10.0);
0x04F0
ULONG_PTR volatile CommitCharge;
6.2 and higher previously at 0xD0 and 0x01B8
0x026C (5.0);
0x01EC (5.1);
0x01CC (early 5.2);
0x01DC (late 5.2);
0x01C4 (6.0);
0x01E4 (6.1);
0x01F0 (6.2 to 1607);
0x01F8
0x0308 (late 5.2);
0x02D8 (6.0);
0x0380 (6.1);
0x04E0 (6.2 to 6.3);
0x04F0 (10.0);
0x04F8
ULONG_PTR CommitChargePeak;
5.0 to 5.2  
ULONG_PTR volatile CommitChargePeak;
6.0 and higher  

There is a plan to write something here.

Offset (x86) Offset (x64) Definition Versions Remarks
0x0270 (5.0)  
LIST_ENTRY ThreadListHead;
5.0 only
next at 0x0190
0x0278 (5.0)  
RTL_BITMAP *VadPhysicalPagesBitMap;
5.0 only  
0x027C (5.0)  
ULONG VadPhysicalPages;
5.0 only  
0x0280 (5.0)  
ULONG AweLock;
5.0 only  
0x0284 (5.0)  
UNICODE_STRING *pImageFileName;
5.0 only last member in 5.0

Appended for Windows XP and Windows Server 2003

Offset (x86) Offset (x64) Definition Versions Remarks
0x01F0 (5.1);
0x01D0 (early 5.2);
0x01E0 (late 5.2);
0x01C8 (6.0);
0x01E8 (6.1)
0x0310 (late 5.2);
0x02E0 (6.0);
0x0388 (6.1)
PVOID AweInfo;
5.1 to 6.1 next at 0x0148 and 0x03F8
0x01F4 (5.1);
0x01D4 (early 5.2);
0x01E4 (late 5.2);
0x01CC (6.0);
0x01EC (6.1)
0x0318 (late 5.2);
0x02E8 (6.0);
0x0390 (6.1)
SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;
5.1 to 6.1 next at 0x0184 and 0x0450
0x01F8 (5.1);
0x01D8 (early 5.2);
0x01E8 (late 5.2);
0x01D0 (6.0);
0x01F0 (6.1);
0x01F4 (6.2 to 1607);
0x01FC
0x0320 (late 5.2);
0x02F0 (6.0);
0x0398 (6.1);
0x04E8 (6.2 to 6.3);
0x04F8 (10.0);
0x0500
MMSUPPORT Vm;
5.1 and higher
previously at 0xD0
0x0238 (early 5.2);
0x0230 (late 5.2);
0x0218 (6.0);
0x025C (6.1);
0x0264 (6.2 to 6.3);
0x0274 (10.0 to 1511);
0x027C (1607);
0x0288 (1703 to 1709);
0x028C
0x0358 (6.0);
0x0420 (6.1);
0x0578 (6.2);
0x05C0 (6.3);
0x05F0 (10.0);
0x05F8 (1511);
0x0608 (1607);
0x0610
LIST_ENTRY MmProcessLinks;
5.2 and higher (x86);
6.0 and higher (x64)
 
  0x0378 (late 5.2)
ULONG Spares [2];
late 5.2 only  
0x0264 (6.1) 0x0430 (6.1)
PVOID HighestUserAddress;
6.1 only next at 0x0190 and 0x0468
0x0238 (5.1)  
ULONG LastFaultCount;
5.1 only
previously at 0x018C
0x023C (5.1);
0x0240 (early 5.2);
0x0238 (late 5.2);
0x0220 (6.0);
0x0268 (6.1);
0x026C (6.2 to 6.3);
0x027C (10.0 to 1511);
0x0284 (1607);
0x0290 (1703 to 1709);
0x0294
0x0380 (late 5.2);
0x0368 (6.0);
0x0438 (6.1);
0x0588 (6.2);
0x05D0 (6.3);
0x0600 (10.0);
0x0608 (1511);
0x0618 (1607);
0x0620
ULONG ModifiedPageCount;
5.1 and higher
previously at 0x0190
0x0240 (5.1)  
ULONG NumberOfVads;
5.1 only  
0x0244 (5.1 to early 5.2);
0x023C (late 5.2)
0x0384 (late 5.2)
ULONG JobStatus;
5.1 to 5.2 previously at 0x021C
0x0224 (6.0);
0x026C (6.1)
0x036C (6.0);
0x043C (6.1)
union {
    ULONG Flags2;
    struct {
        /*  bit fields, follow link  */
    };
};
6.0 to 6.1 next at 0xC0 and 0x02F8
0x0248 (5.1 to early 5.2);
0x0240 (late 5.2);
0x0228 (6.0);
0x0270 (6.1)
0x0388 (late 5.2);
0x0370 (6.0);
0x0440 (6.1)
union {
    ULONG Flags;
    struct {
        /*  bit fields, follow link  */
    };
};
5.1 to 6.1 next at 0xC4 and 0x02FC
0x024C (5.1 to early 5.2);
0x0244 (late 5.2);
0x022C (6.0);
0x0274 (6.1);
0x0270 (6.2 to 6.3);
0x0280 (10.0 to 1511);
0x0288 (1607);
0x0294 (1703 to 1709);
0x0298
0x038C (late 5.2);
0x0374 (6.0);
0x0444 (6.1);
0x058C (6.2);
0x05D4 (6.3);
0x0604 (10.0);
0x060C (1511);
0x061C (1607);
0x0624
LONG ExitStatus;
5.1 and higher previously at 0x6C
0x0250 (5.1 to early 5.2);
0x0248 (late 5.2);
0x0230 (6.0)
0x0390 (late 5.2);
0x0378 (6.0)
USHORT NextPageColor;
5.1 to 5.2 previously at 0x01A8
USHORT Spare7;
6.0 only  
0x0252 (5.1 to early 5.2);
0x024A (late 5.2);
0x0232 (6.0)
0x0392 (late 5.2);
0x037A (6.0)
union {
    struct {
        UCHAR SubSystemMinorVersion;
        UCHAR SubSystemMajorVersion;
    };
    USHORT SubSystemVersion;
};
5.1 to 6.0 previously at 0x0212
0x0254 (5.1 to early 5.2);
0x024C (late 5.2);
0x0234 (6.0)
0x0394 (late 5.2);
0x037C (6.0)
UCHAR PriorityClass;
5.1 to 6.0 previously at 0x0211;
next at 0x017B and 0x02EF
0x0255 (5.1)  
BOOLEAN WorkingSetAcquiredUnsafe;
5.1 only last member in early 5.1
0x0258 (early 5.2);
0x0250 (late 5.2);
0x0238 (6.0);
0x0278 (6.1);
0x0274 (6.2 to 6.3);
0x0284 (10.0 to 1511);
0x028C (1607);
0x0298 (1703 to 1709);
0x029C
0x0398 (late 5.2);
0x0380 (6.0);
0x0448 (6.1);
0x0590 (6.2);
0x05D8 (6.3);
0x0608 (10.0);
0x0610 (1511);
0x0620 (1607);
0x0628
MM_AVL_TABLE VadRoot;
5.2 to 6.2
previously at 0x011C;
last member in early 5.2
RTL_AVL_TREE VadRoot;
6.3 and higher  
0x0278 (6.3);
0x0288 (10.0 to 1511);
0x0290 (1607);
0x029C (1703 to 1709);
0x02A0
0x05E0 (6.3);
0x0610 (10.0);
0x0618 (1511);
0x0628 (1607);
0x0630
PVOID VadHint;
6.3 and higher  
0x027C (6.3);
0x028C (10.0 to 1511);
0x0294 (1607);
0x02A0 (1703 to 1709);
0x02A4
0x05E8 (6.3);
0x0618 (10.0);
0x0620 (1511);
0x0630 (1607);
0x0638
ULONG_PTR VadCount;
6.3 and higher  
0x028C (6.2);
0x0280 (6.3);
0x0290 (10.0 to 1511);
0x0298 (1607);
0x02A4 (1703 to 1709);
0x02A8
0x05C0 (6.2);
0x05F0 (6.3);
0x0620 (10.0);
0x0628 (1511);
0x0638 (1607);
0x0640
ULONG_PTR volatile VadPhysicalPages;
6.2 and higher  
0x0290 (6.2);
0x0284 (6.3);
0x0294 (10.0 to 1511);
0x029C (1607);
0x02A8 (1703 to 1709);
0x02AC
0x05C8 (6.2);
0x05F8 (6.3);
0x0628 (10.0);
0x0630 (1511);
0x0640 (1607);
0x0648
ULONG_PTR VadPhysicalPagesLimit;
6.2 and higher  
0x0258 (late 5.1)  
ULONG Cookie;
late 5.1 only last member in late 5.1
0x0270 (late 5.2);
0x0258 (6.0)
0x03D8 (late 5.2);
0x03C0 (6.0)
ULONG Cookie;
late 5.2 to 6.0 next at 0x0130 and 0x0278;
last member in late 5.2

Appended for Windows Vista

Offset (x86) Offset (x64) Definition Versions Remarks
0x025C (6.0);
0x0298 (6.1);
0x0294 (6.2);
0x0288 (6.3);
0x0298 (10.0 to 1511);
0x02A0 (1607);
0x02AC (1703 to 1709);
0x02B0
0x03C8 (6.0);
0x0488 (6.1);
0x05D0 (6.2);
0x0600 (6.3);
0x0630 (10.0);
0x0638 (1511);
0x0648 (1607);
0x0650
ALPC_PROCESS_CONTEXT AlpcContext;
6.0 and higher last member in 6.0

Appended for Windows 7

Offset (x86) Offset (x64) Definition Versions Remarks
0x02A8 (6.1);
0x02A4 (6.2);
0x0298 (6.3);
0x02A8 (10.0 to 1511);
0x02B0 (1607);
0x02BC (1703 to 1709);
0x02C0
0x04A8 (6.1);
0x05F0 (6.2);
0x0620 (6.3);
0x0650 (10.0);
0x0658 (1511);
0x0668 (1607);
0x0670
LIST_ENTRY TimerResolutionLink;
6.1 and higher  
0x02B0 (6.1) 0x04B8 (6.1)
ULONG RequestedTimerResolution;
6.1 only next at 0x02B0 and 0x0608
0x02B4 (6.1) 0x04BC (6.1)
ULONG ActiveThreadsHighWatermark;
6.1 only next at 0x02C0 and 0x0628
0x02B8 (6.1) 0x04C0 (6.1)
ULONG SmallestTimerResolution;
6.1 only next at 0x02B4 and 0x060C
0x02BC (6.1);
0x02AC (6.2);
0x02A0 (6.3);
0x02B0 (10.0 to 1511);
0x02B8 (1607);
0x02C4 (1703 to 1709);
0x02C8
0x04C8 (6.1);
0x0600 (6.2);
0x0630 (6.3);
0x0660 (10.0);
0x0668 (1511);
0x0678 (1607);
0x0680
PO_DIAG_STACK_RECORD *TimerResolutionStackRecord;
6.1 and higher last member in 6.1

Appended for Windows 8

Offset (x86) Offset (x64) Definition Versions Remarks
0x02B0 (6.2);
0x02A4 (6.3);
0x02B4 (10.0 to 1511);
0x02BC (1607);
0x02C8 (1703 to 1709);
0x02CC
0x0608 (6.2);
0x0638 (6.3);
0x0668 (10.0);
0x0670 (1511);
0x0680 (1607);
0x0688
ULONG RequestedTimerResolution;
6.2 and higher previously at 0x02B0 and 0x04B8
0x02B4 (6.2);
0x02A8 (6.3);
0x02B8 (10.0 to 1511);
0x02C0 (1607);
0x02CC (1703 to 1709);
0x02D0
0x060C (6.2);
0x063C (6.3);
0x066C (10.0);
0x0674 (1511);
0x0684 (1607);
0x068C
ULONG SmallestTimerResolution;
6.2 and higher previously at 0x02B8 and 0x04C0
0x02B8 (6.2);
0x02B0 (6.3);
0x02C0 (10.0 to 1511);
0x02C8 (1607);
0x02D0 (1703 to 1709);
0x02D8
0x0610 (6.2);
0x0640 (6.3);
0x0670 (10.0);
0x0678 (1511);
0x0688 (1607);
0x0690
LARGE_INTEGER ExitTime;
6.2 and higher previously at 0xA8 and 0x0170
  0x0618 (6.2);
0x0648 (6.3);
0x0678 (10.0);
0x0680 (1511);
0x0690 (1607);
0x0698
INVERTED_FUNCTION_TABLE *InvertedFunctionTable;
6.2 and higher  
  0x0620 (6.2);
0x0650 (6.3);
0x0680 (10.0);
0x0688 (1511);
0x0698 (1607);
0x06A0
EX_PUSH_LOCK InvertedFunctionTableLock;
6.2 and higher  
0x02C0 (6.2);
0x02B8 (6.3);
0x02C8 (10.0 to 1511);
0x02D0 (1607);
0x02D8 (1703 to 1709);
0x02E0
0x0628 (6.2);
0x0658 (6.3);
0x0688 (10.0);
0x0690 (1511);
0x06A0 (1607);
0x06A8
ULONG ActiveThreadsHighWatermark;
6.2 and higher previously at 0x02B4 and 0x04BC
0x02C4 (6.2);
0x02BC (6.3);
0x02CC (10.0 to 1511);
0x02D4 (1607);
0x02DC (1703 to 1709);
0x02E4
0x062C (6.2);
0x065C (6.3);
0x068C (10.0);
0x0694 (1511);
0x06A4 (1607);
0x06AC
ULONG LargePrivateVadCount;
6.2 and higher  
0x02C8 (6.2);
0x02C0 (6.3);
0x02D0 (10.0 to 1511);
0x02D8 (1607);
0x02E0 (1703 to 1709);
0x02E8
0x0630 (6.2);
0x0660 (6.3);
0x0690 (10.0);
0x0698 (1511);
0x06A8 (1607);
0x06B0
EX_PUSH_LOCK ThreadListLock;
6.2 and higher  
0x02CC (6.2);
0x02C4 (6.3);
0x02D4 (10.0 to 1511);
0x02DC (1607);
0x02E4 (1703 to 1709);
0x02EC
0x0638 (6.2);
0x0668 (6.3);
0x0698 (10.0);
0x06A0 (1511);
0x06B0 (1607);
0x06B8
PVOID WnfContext;
6.2 and higher  
0x02D0 (6.2);
0x02C8 (6.3);
0x02D8 (10.0 to 1511);
0x02E0 (1607);
0x02E8 (1703 to 1709);
0x02F0
0x0640 (6.2);
0x0670 (6.3);
0x06A0 (10.0);
0x06A8 (1511);
0x06B8 (1607);
0x06C0
ULONG_PTR SectionMappingSize;
6.2 only  
ULONG_PTR Spare0;
6.3 to 1607  
EJOB *ServerSilo;
1703 and higher  
0x02D4 (6.2);
0x02CC (6.3);
0x02DC (10.0 to 1511);
0x02E4 (1607);
0x02EC (1703 to 1709);
0x02F4
0x0648 (6.2);
0x0678 (6.3);
0x06A8 (10.0);
0x06B0 (1511);
0x06C0 (1607);
0x06C8
UCHAR SignatureLevel;
6.2 and higher  
0x02D5 (6.2);
0x02CD (6.3);
0x02DD (10.0 to 1511);
0x02E5 (1607);
0x02ED (1703 to 1709);
0x02F5
0x0649 (6.2);
0x0679 (6.3);
0x06A9 (10.0);
0x06B1 (1511);
0x06C1 (1607);
0x06C9
UCHAR SectionSignatureLevel;
6.2 and higher  
0x02CE (6.3);
0x02DE (10.0 to 1511);
0x02E6 (1607);
0x02EE (1703 to 1709);
0x02F6
0x067A (6.3);
0x06AA (10.0);
0x06B2 (1511);
0x06C2 (1607);
0x06CA
PS_PROTECTION Protection;
6.3 and higher  
0x02DF (10.0 to 1511);
0x02E7 (1607);
0x02EF (1703 to 1709);
0x02F7
0x06AB (10.0);
0x06B3 (1511);
0x06C3 (1607);
0x06CB
UCHAR HangCount;
10.0 to 1703  
UCHAR HangCount : 4;
UCHAR GhostCount : 4;
1709 and higher  
0x02D6 (6.2);
0x02CF (6.3)
0x064A (6.2);
0x067B (6.3)
UCHAR SpareByte20 [2];
6.2 only  
UCHAR SpareByte20 [1];
6.3 only  
0x02D0 (6.3);
0x02E0 (10.0 to 1511);
0x02E8 (1607);
0x02F0 (1703 to 1709);
0x02F8
0x067C (6.3);
0x06AC (10.0);
0x06B4 (1511);
0x06C4 (1607);
0x06CC
union {
    ULONG Flags3;
    struct {
        /*  bit fields, follow link  */
    };
};
6.3 and higher  
0x02E4 (10.0 to 1511);
0x02EC (1607);
0x02F4 (1703 to 1709);
0x02FC
0x06B0 (10.0);
0x06B8 (1511);
0x06C8 (1607);
0x06D0
LONG DeviceAsid;
10.0 and higher  
0x02D4 (6.3) 0x0680 (6.3)
LONG SvmReserved;
6.3 only  
0x02D8 (6.3);
0x02E8 (10.0 to 1511);
0x02F0 (1607);
0x02F8 (1703 to 1709);
0x0300
0x0688 (6.3);
0x06B8 (10.0);
0x06C0 (1511);
0x06D0 (1607);
0x06D8
PVOID SvmReserved1;
6.3 and higher  
PVOID SvmData;
10.0 and higher  
0x02DC (6.3);
0x02EC (10.0 to 1511);
0x02F4 (1607);
0x02FC (1703 to 1709);
0x0304
0x0690 (6.3);
0x06C0 (10.0);
0x06C8 (1511);
0x06D8 (1607);
0x06E0
ULONG_PTR SvmReserved2;
6.3 only  
EX_PUSH_LOCK SvmProcessLock;
10.0 and higher  
0x02F0 (10.0 to 1511);
0x02F8 (1607);
0x0300 (1703 to 1709);
0x0308
0x06C8 (10.0);
0x06D0 (1511);
0x06E0 (1607);
0x06E8
ULONG_PTR SvmLock;
10.0 and higher  
0x02F4 (10.0 to 1511);
0x02FC (1607);
0x0304 (1703 to 1709);
0x030C
0x06D0 (10.0);
0x06D8 (1511);
0x06E8 (1607);
0x06F0
LIST_ENTRY SvmProcessDeviceListHead;
10.0 and higher  
0x02D8 (6.2) 0x064C (6.2)
ULONG KeepAliveCounter;
6.2 and higher next at 0x02EC and 0x06B0
0x02DC (6.2) 0x0650 (6.2)
PROCESS_DISK_COUNTERS *DiskCounters;
6.2 only next at 0x02E8 and 0x06A0
0x02E0 (6.2 to 6.3);
0x0300 (10.0 to 1511);
0x0308 (1607);
0x0310 (1703 to 1709);
0x0318
0x0658 (6.2);
0x0698 (6.3);
0x06E0 (10.0);
0x06E8 (1511);
0x06F8 (1607);
0x0700
ULONGLONG LastFreezeInterruptTime;
6.2 and higher last member in 6.2

Appended for Windows 8.1

Offset (x86) Offset (x64) Definition Versions Remarks
0x02E8 (6.3);
0x0308 (10.0 to 1511);
0x0310 (1607);
0x0318 (1703 to 1709);
0x0320
0x06A0 (6.3);
0x06E8 (10.0);
0x06F0 (1511);
0x0700 (1607);
0x0708
PROCESS_DISK_COUNTERS *DiskCounters;
6.3 and higher previously at 0x02DC and 0x0650
0x030C (10.0 to 1511);
0x0314 (1607);
0x031C (1703 to 1709);
0x0324
0x06A8 (6.3);
0x06F0 (10.0);
0x06F8 (1511);
0x0708 (1607);
0x0710
PVOID PicoContext;
6.3 and higher (x64);
10.0 and higher (x86)
 
  0x06F8 (10.0);
0x0700 (1511);
0x0710 (1607);
0x0718
ULONGLONG TrustletIdentity;
10.0 and higher  
  0x0720
PVOID EnclaveTable;
1709 and higher  
  0x0728
ULONGLONG EnclaveNumber;
1709 and higher  
  0x0730
EX_PUSH_LOCK EnclaveLock;
1709 and higher  
0x02EC (6.3);
0x0310 (10.0 to 1511);
0x0318 (1607)
0x06B0 (6.3);
0x0700 (10.0);
0x0708 (1511);
0x0718 (1607)
ULONG KeepAliveCounter;
6.3 to 1607 previously at 0x02D8 and 0x064C
0x02F0 (6.3);
0x0314 (10.0 to 1511);
0x031C (1607)
0x06B4 (6.3);
0x0704 (10.0);
0x070C (1511);
0x071C (1607)
ULONG NoWakeKeepAliveCounter;
6.3 to 1607 last member in 6.3

Appended for Windows 10

Offset (x86) Offset (x64) Definition Versions Remarks
0x0318 (10.0 to 1511);
0x0320 (1607 to 1709);
0x0328
0x0708 (10.0);
0x0710 (1511);
0x0720 (1607 to 1703);
0x0738
ULONG HighPriorityFaultsAllowed;
10.0 and higher  
0x031C (10.0 to 1511);
0x0324 (1607 to 1709);
0x032C
 
PVOID InstrumentationCallback;
10.0 and higher  
0x0320 (10.0 to 1511);
0x0328 (1607 to 1709);
0x0330
0x0710 (10.0);
0x0718 (1511);
0x0728 (1607 to 1703);
0x0740
PROCESS_ENERGY_VALUES *EnergyValues;
10.0 to 1607  
PO_PROCESS_ENERGY_CONTEXT *EnergyContext;
1703 and higher  
0x0324 (10.0 to 1511);
0x032C (1607 to 1709);
0x0334
0x0718 (10.0);
0x0720 (1511);
0x0730 (1607 to 1703);
0x0748
PVOID VmContext;
10.0 and higher  
0x0328 (10.0) 0x0720 (10.0)
ESILO *Silo;
10.0 only  
0x032C (10.0) 0x0728 (10.0)
LIST_ENTRY SiloEntry;
10.0 only  
0x0338 (10.0);
0x0328 (1511);
0x0330 (1607 to 1709);
0x0338
0x0738 (10.0);
0x0728 (1511);
0x0738 (1607 to 1703);
0x0750
ULONGLONG SequenceNumber;
10.0 and higher  
0x0340 (10.0);
0x0330 (1511);
0x0338 (1607 to 1709);
0x0340
0x0740 (10.0);
0x0730 (1511);
0x0740 (1607 to 1703);
0x0758
ULONGLONG CreateInterruptTime;
10.0 and higher  
0x0348 (10.0);
0x0338 (1511);
0x0340 (1607 to 1709);
0x0348
0x0748 (10.0);
0x0738 (1511);
0x0748 (1607 to 1703);
0x0760
ULONGLONG CreateUnbiasedInterruptTime;
10.0 and higher  
0x0350 (10.0);
0x0340 (1511);
0x0348 (1607 to 1709);
0x0350
0x0750 (10.0);
0x0740 (1511);
0x0750 (1607 to 1703);
0x0768
ULONGLONG TotalUnbiasedFrozenTime;
10.0 and higher  
0x0358 (10.0);
0x0348 (1511);
0x0350 (1607 to 1709);
0x0358
0x0758 (10.0);
0x0748 (1511);
0x0758 (1607 to 1703);
0x0770
ULONGLONG LastAppStateUpdateTime;
10.0 and higher  
0x0360 (10.0);
0x0350 (1511);
0x0358 (1607 to 1709);
0x0360
0x0760 (10.0);
0x0750 (1511);
0x0760 (1607 to 1703);
0x0778
ULONGLONG LastAppStateUptime : 61;
ULONGLONG LastAppState : 3;
10.0 and higher  
0x0368 (10.0);
0x0358 (1511);
0x0360 (1607 to 1709);
0x0368
0x0768 (10.0);
0x0758 (1511);
0x0768 (1607 to 1703);
0x0780
ULONG_PTR volatile SharedCommitCharge;
10.0 and higher  
0x036C (10.0);
0x035C (1511);
0x0364 (1607 to 1709);
0x036C
0x0770 (10.0);
0x0760 (1511);
0x0770 (1607 to 1703);
0x0788
EX_PUSH_LOCK SharedCommitLock;
10.0 and higher  
0x0370 (10.0);
0x0360 (1511);
0x0368 (1607 to 1709);
0x0370
0x0778 (10.0);
0x0768 (1511);
0x0778 (1607 to 1703);
0x0790
LIST_ENTRY SharedCommitLinks;
10.0 and higher  
0x0378 (10.0);
0x0368 (1511);
0x0370 (1607 to 1709);
0x0378
0x0788 (10.0);
0x0778 (1511);
0x0788 (1607 to 1703);
0x07A0
union {
    struct {
        ULONG_PTR AllowedCpuSets;
        ULONG_PTR DefaultCpuSets;
    };
    struct {
        ULONG_PTR *AllowedCpuSetsIndirect;
        ULONG_PTR *DefaultCpuSetsIndirect;
    };
};
10.0 and higher last member in 10.0 to 1511
0x0378 (1607 to 1709);
0x0380
0x0798 (1607 to 1703);
0x07B0
PVOID DiskIoAttribution;
1607 and higher  
0x037C (1607) 0x07A0 (1607)
ULONG ReadyTime;
1607 only  
0x0380 (1607);
0x037C (1703 to 1709);
0x0384
0x07A8 (1607);
0x07A0 (1607 to 1703);
0x07B8
PVOID DxgProcess;
1607 and higher last member in 1607
0x0380 (1703 to 1709);
0x0388
0x07A8 (1607 to 1703);
0x07C0
ULONG Win32KFilterSet;
1703 and higher  
0x0388 (1703 to 1709);
0x0390
0x07B0 (1607 to 1703);
0x07C8
PS_INTERLOCKED_TIMER_DELAY_VALUES volatile ProcessTimerDelay;
1703 and higher  
0x0390 (1703 to 1709);
0x0398
0x07B8 (1607 to 1703);
0x07D0
ULONG volatile KTimerSets;
1703 and higher  
0x0394 (1703 to 1709);
0x039C
0x07BC (1607 to 1703);
0x07D4
ULONG volatile KTimer2Sets;
1703 and higher  
0x0398 (1703 to 1709);
0x03A0
0x07C0 (1607 to 1703);
0x07D8
ULONG volatile ThreadTimerSets;
1703 and higher  
0x039C (1703 to 1709);
0x03A4
0x07C8 (1607 to 1703);
0x07E0
ULONG_PTR VirtualTimerListLock;
1703 and higher  
0x03A0 (1703 to 1709);
0x03A8
0x07D0 (1607 to 1703);
0x07E8
LIST_ENTRY VirtualTimerListHead;
1703 and higher  
0x03A8 (1703 to 1709);
0x03B0
0x07E0 (1607 to 1703);
0x07F8
union {
    WNF_STATE_NAME WakeChannel;
    PS_PROCESS_WAKE_INFORMATION WakeInfo;
};
1703 and higher  
0x03D8 (1703) 0x0810 (1703)
union {
    ULONG Flags4;
    struct {
        ULONG PicoCreated : 1;
        ULONG RestrictSetThreadContext : 1;
    };
};
1703 only next in Flags2;
last member in 1703
0x03D8 (1709);
0x03E0
0x0828
union {
    ULONG MitigationFlags;
    struct {
        /*  bit fields, follow link  */
    } MitigationFlagsValues;
};
1709 and higher  
0x03DC (1709);
0x03E4
0x082C
union {
    ULONG MitigationFlags2;
    struct {
        /*  bit flags, follow link  */
    } MitigationFlags2Values;
};
1709 and higher  
0x03E0 (1709);
0x03E8
0x0830
PVOID PartitionObject;
1709 and higher last member in 1709
0x03F0 0x0838
ULONGLONG SecurityDomain;
1803 and higher  
0x03F8 0x0840
PVOID CoverageSamplerContext;
1803 and higher last member in 1803