OutputFlags in PS_CREATE_INFO

In a PS_CREATE_INFO structure on output from NtCreateUserProcess, the State member may be PsCreateSuccess (6). The remainder of the structure is then interpreted as the SuccessState branch of an unnamed union. Within the SuccessState is a set of flags in union with a ULONG named OutputFlags. The flags themselves are a mixture of UCHAR and USHORT bit fields.

Microsoft’s names and types in the following tabulation of these flags are known from a smattering of private symbol files that Microsoft included in packages of public symbol files starting with Windows 8.

Offset / Mask Definition Versions
0x00 / 0x01
UCHAR ProtectedProcess : 1;
6.0 and higher
0x00 / 0x02
UCHAR AddressSpaceOverride : 1;
6.0 and higher
0x00 / 0x04
UCHAR DevOverrideEnabled : 1;
6.0 and higher
0x00 / 0x08
UCHAR ManifestDetected : 1;
6.0 and higher
0x00 / 0x10
UCHAR ProtectedProcessLight : 1;
6.3 and higher
UCHAR SpareBits1 : 4;
6.0 to 6.2
UCHAR SpareBits1 : 3;
6.3 and higher
UCHAR SpareBits2 : 8;
6.0 and higher
USHORT SpareBits3 : 16;
6.0 and higher

No use of the second byte or high word is known in any version.