InitFlags in PS_CREATE_INFO

In a PS_CREATE_INFO structure as input to NtCreateUserProcess, the State member is necessarily PsCreateInitialState (0) and the remainder of the structure is interpreted as the InitState branch of an unnamed union. Within the InitState is a set of flags in union with a ULONG named InitFlags. The flags themselves are a mixture of UCHAR and USHORT bit fields.

Microsoft’s names and types in the following tabulation of these flags are known from a smattering of private symbol files that Microsoft included in packages of public symbol files starting with Windows 8.

Offset / Mask              Definition                                   Versions
0x00 / 0x01                UCHAR WriteOutputOnExit : 1;                 6.0 and higher
0x00 / 0x02                UCHAR DetectManifest : 1;                    6.0 and higher
0x00 / 0x04                UCHAR IFEOSkipDebugger : 1;                  6.2 and higher
0x00 / 0x08                UCHAR IFEODoNotPropagateKeyState : 1;        6.2 and higher
                           UCHAR SpareBits1 : 6;                        6.0 to 6.1
                           UCHAR SpareBits1 : 4;                        6.2 and higher
0x01 / 0x03 (6.0 to 6.1)   unknown two-bit member (see below)           6.0 to 6.1
                           UCHAR SpareBits2 : 6;                        6.0 to 6.1
                           UCHAR SpareBits2 : 8;                        6.2 and higher
0x02 / 0xFFFF              USHORT ProhibitedImageCharacteristics : 16;  6.0 and higher

Microsoft’s name for the second byte’s 2-bit field in the original layout is not known. The value 3 is explicitly invalid. The cases 0, 1 and 2 were later separated into combinations of new bits in the first byte:

This reworking of the two-bit field for Windows 8 created the oddity that the second byte has all eight bits explicitly spare.
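As an added example (written for this page, not Microsoft's code), a decoder that applies the tabulation above and the note on the two-bit member to an InitFlags value under either layout. The IF_ macros, INIT_FLAGS_DECODED, UnknownTwoBit and DecodeInitFlags are names chosen here, and the typedefs stand in for the SDK's.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Windows-style typedefs so this compiles without the SDK. */
typedef unsigned char UCHAR;
typedef unsigned short USHORT;
typedef uint32_t ULONG;

/* The table's offset/mask rows, expressed as masks on the whole ULONG. */
#define IF_WRITE_OUTPUT_ON_EXIT       0x00000001u /* byte 0 / 0x01, 6.0 and higher */
#define IF_DETECT_MANIFEST            0x00000002u /* byte 0 / 0x02, 6.0 and higher */
#define IF_IFEO_SKIP_DEBUGGER         0x00000004u /* byte 0 / 0x04, 6.2 and higher */
#define IF_IFEO_DO_NOT_PROPAGATE_KEY  0x00000008u /* byte 0 / 0x08, 6.2 and higher */
#define IF_UNKNOWN_TWO_BIT            0x00000300u /* byte 1 / 0x03, 6.0 to 6.1 */
#define IF_PROHIBITED_CHARACTERISTICS 0xFFFF0000u /* byte 2 / 0xFFFF, 6.0 and higher */

typedef struct {
    bool WriteOutputOnExit, DetectManifest;
    bool IFEOSkipDebugger, IFEODoNotPropagateKeyState; /* 6.2 and higher only */
    UCHAR UnknownTwoBit;                               /* 6.0 to 6.1 only */
    USHORT ProhibitedImageCharacteristics;
    ULONG UnrecognizedBits; /* set bits that the chosen layout leaves spare */
} INIT_FLAGS_DECODED;

/* Decodes InitFlags under the layout for kernel version major.minor. Returns
 * false only for the case the text calls explicitly invalid: the 6.0-6.1
 * two-bit member holding 3. Spare bits that are set are reported, not rejected. */
bool DecodeInitFlags(ULONG flags, unsigned major, unsigned minor, INIT_FLAGS_DECODED *out)
{
    bool v62 = major > 6 || (major == 6 && minor >= 2);
    ULONG known = IF_WRITE_OUTPUT_ON_EXIT | IF_DETECT_MANIFEST | IF_PROHIBITED_CHARACTERISTICS;
    memset(out, 0, sizeof *out);
    out->WriteOutputOnExit = (flags & IF_WRITE_OUTPUT_ON_EXIT) != 0;
    out->DetectManifest = (flags & IF_DETECT_MANIFEST) != 0;
    out->ProhibitedImageCharacteristics = (USHORT)(flags >> 16);
    if (v62) {
        known |= IF_IFEO_SKIP_DEBUGGER | IF_IFEO_DO_NOT_PROPAGATE_KEY;
        out->IFEOSkipDebugger = (flags & IF_IFEO_SKIP_DEBUGGER) != 0;
        out->IFEODoNotPropagateKeyState = (flags & IF_IFEO_DO_NOT_PROPAGATE_KEY) != 0;
    } else {
        known |= IF_UNKNOWN_TWO_BIT;
        out->UnknownTwoBit = (UCHAR)((flags >> 8) & 0x03);
        if (out->UnknownTwoBit == 3) return false; /* explicitly invalid */
    }
    out->UnrecognizedBits = flags & ~known;
    return true;
}
```

On 6.2 and higher the same bit that was the 6.0-6.1 two-bit member lands in the all-spare second byte, so it surfaces in UnrecognizedBits rather than as a named flag.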