Same-Thread APC Flags in the ETHREAD

Windows XP gave the ETHREAD three sets of bit fields. The set that is overlaid by the SameThreadApcFlags member, which is a ULONG for simultaneous access to all the bits described below, started with just three bits, two of which had been booleans. The set has moved around a little.

| Version | Offset (x86) | Offset (x64) |
|---|---|---|
| 5.1 | 0x0250 | |
| early 5.2 (before Windows Server 2003 SP1) | 0x0258 | |
| late 5.2 (Windows Server 2003 SP1) | 0x0248 | 0x041C |
| very late 5.2 (Windows Server 2003 SP2) | 0x0248 | 0x0404 |
| early 6.0 (before Windows Vista SP1); late 6.0 (Windows Vista SP1 and higher) | 0x0268 | 0x0420 |
| 6.1 | 0x0288 | 0x0450 |
| 6.2 | 0x0270 | 0x0434 |
| 6.3 | 0x03C0 | 0x06BC |
| 10.0 | 0x03D0 | 0x06C4 |

Bit Fields

Though a ULONG is overlaid, the bit fields themselves are defined as UCHAR, and in one case with volatile as well.

Before Windows 10

The whole was so greatly simplified for Windows 10 that separate presentation (at the end) seems better.

First Byte

| Mask | Definition | Versions | History |
|---|---|---|---|
| 0x01 | UCHAR LpcReceivedMsgIdValid : 1; | 5.1 to 5.2 | previously as BOOLEAN |
| 0x01 | UCHAR Spare : 1; | 6.0 to 6.2 | |
| 0x01 | UCHAR HardFaultBehavior : 1; | 6.3 | next as 0x04 (see end) |
| 0x02 | UCHAR LpcExitThreadCalled : 1; | 5.1 to 5.2 | previously as BOOLEAN |
| 0x02 | UCHAR volatile StartAddressInvalid : 1; | 6.0 to 6.3 | next as 0x08 (see end) |
| 0x04 | UCHAR AddressSpaceOwner : 1; | 5.1 to 5.2 | |
| 0x04 | UCHAR EtwPageFaultCalloutActive : 1; | 6.0 to 6.1 | |
| 0x04 | UCHAR EtwCalloutActive : 1; | 6.2 to 6.3 | next as 0x10 (see end) |
| 0x08 | UCHAR OwnsProcessWorkingSetExclusive : 1; | late 5.2 to 6.3 | |
| 0x10 | UCHAR OwnsProcessWorkingSetShared : 1; | late 5.2 to 6.3 | |
| 0x20 | UCHAR OwnsSystemWorkingSetExclusive : 1; | late 5.2 to 6.0 | |
| 0x20 | UCHAR OwnsSystemCacheWorkingSetExclusive : 1; | 6.1 to 6.3 | |
| 0x40 | UCHAR OwnsSystemWorkingSetShared : 1; | late 5.2 to 6.0 | |
| 0x40 | UCHAR OwnsSystemCacheWorkingSetShared : 1; | 6.1 to 6.3 | |
| 0x80 | UCHAR OwnsSessionWorkingSetExclusive : 1; | late 5.2 to 6.3 | |

Second Byte

| Mask | Definition | Versions | History |
|---|---|---|---|
| 0x01 | UCHAR OwnsSessionWorkingSetShared : 1; | late 5.2 to 6.3 | |
| 0x02 | UCHAR ApcNeeded : 1; | late 5.2 to v. late 5.2 | previously in union with CreateTime |
| 0x02 | UCHAR OwnsProcessAddressSpaceExclusive : 1; | 6.0 to 6.3 | next as 0x01 in first byte (see end) |
| 0x04 | UCHAR OwnsProcessAddressSpaceShared : 1; | 6.0 to 6.3 | next as 0x02 in first byte (see end) |
| 0x08 | UCHAR SuppressSymbolLoad : 1; | 6.0 to 6.3 | next as 0x20 in first byte (see end) |
| 0x10 | UCHAR Prefetching : 1; | 6.0 to 6.3 | next as 0x40 in first byte (see end) |
| 0x20 | UCHAR OwnsDynamicMemoryShared : 1; | 6.0 to 6.1 | |
| 0x20 | UCHAR OwnsVadExclusive : 1; | 6.2 to 6.3 | next as 0x80 in first byte (see end) |
| 0x40 | UCHAR OwnsChangeControlAreaExclusive : 1; | 6.0 to 6.3 | |
| 0x80 | UCHAR OwnsChangeControlAreaShared : 1; | 6.0 to 6.3 | |

Third Byte

| Mask | Definition | Versions | History |
|---|---|---|---|
| 0x0F | UCHAR PriorityRegionActive : 4; | early 6.0 only | becomes fourth byte |
| 0x01 | UCHAR OwnsPagedPoolWorkingSetExclusive : 1; | 6.1 to 6.3 | |
| 0x02 | UCHAR OwnsPagedPoolWorkingSetShared : 1; | 6.1 to 6.3 | |
| 0x04 | UCHAR OwnsSystemPtesWorkingSetExclusive : 1; | 6.1 to 6.3 | |
| 0x08 | UCHAR OwnsSystemPtesWorkingSetShared : 1; | 6.1 to 6.3 | |
| 0x30 | UCHAR TrimTrigger : 2; | 6.1 to 6.3 | |
| | UCHAR Spare1 : 8; | late 6.0 only | |
| | UCHAR Spare1 : 2; | 6.1 only | |
| | UCHAR Spare2 : 2; | 6.3 | |

Fourth Byte

In the build of version 6.0 for Windows Vista SP1, i.e., Windows Server 2008, PriorityRegionActive is no longer a bit field but becomes the whole of the fourth byte until it gets reworked for Windows 8.1.

| Mask | Definition | Versions | History |
|---|---|---|---|
| 0xFF | UCHAR PriorityRegionActive; | late 6.0 to 6.2 | previously as 0x0F in third byte |
| 0x01 | UCHAR SystemPagePriorityActive : 1; | 6.3 only | next in second byte (see below) |
| 0x0E | UCHAR SystemPagePriority : 3; | 6.3 only | next in second byte (see below) |
| | UCHAR Spare3 : 4; | 6.3 only | |

Windows 10

Most of the bit fields disappear for Windows 10. Three are retained from the first byte, five from the second, and the two fields that had only just been defined for the fourth byte become the new second byte.

First Byte

| Mask | Definition | Versions | History |
|---|---|---|---|
| 0x01 | UCHAR OwnsProcessAddressSpaceExclusive : 1; | 10.0 and higher | previously 0x02 in second byte |
| 0x02 | UCHAR OwnsProcessAddressSpaceShared : 1; | 10.0 and higher | previously 0x04 in second byte |
| 0x04 | UCHAR HardFaultBehavior : 1; | 10.0 and higher | previously 0x01 in first byte |
| 0x08 | UCHAR volatile StartAddressInvalid : 1; | 10.0 and higher | previously 0x02 in first byte |
| 0x10 | UCHAR EtwCalloutActive : 1; | 10.0 and higher | previously 0x04 in first byte |
| 0x20 | UCHAR SuppressSymbolLoad : 1; | 10.0 and higher | previously 0x08 in second byte |
| 0x40 | UCHAR Prefetching : 1; | 10.0 and higher | previously 0x10 in second byte |
| 0x80 | UCHAR OwnsVadExclusive : 1; | 10.0 and higher | previously 0x20 in second byte |

Second Byte

| Mask | Definition | Versions | History |
|---|---|---|---|
| 0x01 | UCHAR SystemPagePriorityActive : 1; | 10.0 and higher | previously in fourth byte |
| 0x0E | UCHAR SystemPagePriority : 3; | 10.0 and higher | previously in fourth byte |
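
The move from the 6.3 layout to the 10.0 layout tabulated above, as an added example in C (not code from the original page or from Microsoft): it re-expresses a 6.3 SameThreadApcFlags value in the 10.0 layout, as a memory-analysis tool might when normalising thread state across versions. The names field_map, kept, low_bit, get_field and flags63_to_100 are hypothetical, the sample value is constructed, and the code assumes that byte n of the tables occupies bits 8n to 8n+7 of the ULONG.

```c
#include <stdint.h>
#include <stdio.h>

/* A field Windows 10 keeps: its mask in the whole ULONG for 6.3 and 10.0.
 * Assumption: byte n of the tables is bits 8n..8n+7 (little-endian). */
struct field_map { const char *name; uint32_t mask63, mask100; };
static const struct field_map kept[] = {
    { "OwnsProcessAddressSpaceExclusive", 0x00000200u, 0x00000001u },
    { "OwnsProcessAddressSpaceShared",    0x00000400u, 0x00000002u },
    { "HardFaultBehavior",                0x00000001u, 0x00000004u },
    { "StartAddressInvalid",              0x00000002u, 0x00000008u },
    { "EtwCalloutActive",                 0x00000004u, 0x00000010u },
    { "SuppressSymbolLoad",               0x00000800u, 0x00000020u },
    { "Prefetching",                      0x00001000u, 0x00000040u },
    { "OwnsVadExclusive",                 0x00002000u, 0x00000080u },
    { "SystemPagePriorityActive",         0x01000000u, 0x00000100u },
    { "SystemPagePriority",               0x0E000000u, 0x00000E00u },
};
#define NKEPT (sizeof kept / sizeof kept[0])

static unsigned low_bit(uint32_t mask)  /* lowest set bit; mask != 0 */
{
    unsigned n = 0;
    while (((mask >> n) & 1u) == 0) n++;
    return n;
}

/* Value of a (possibly multi-bit) field, shifted down to bit 0. */
static uint32_t get_field(uint32_t flags, uint32_t mask)
{
    return (flags & mask) >> low_bit(mask);
}

/* Re-express a 6.3 value in the 10.0 layout. Bits of fields that 10.0 no
 * longer defines (working-set ownership, TrimTrigger, ...) are dropped. */
static uint32_t flags63_to_100(uint32_t flags63)
{
    uint32_t out = 0;
    for (size_t i = 0; i < NKEPT; i++)
        out |= get_field(flags63, kept[i].mask63) << low_bit(kept[i].mask100);
    return out;
}

int main(void)
{
    uint32_t w10 = flags63_to_100(0x0B002A0Au); /* constructed sample value */
    for (size_t i = 0; i < NKEPT; i++)
        printf("%-34s %u\n", kept[i].name, (unsigned)get_field(w10, kept[i].mask100));
    return 0;
}
```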