SYSTEM_EXTENDED_THREAD_INFORMATION

The SYSTEM_EXTENDED_THREAD_INFORMATION structure is an irregularly recurring element in what a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces in its output buffer when given the information class SystemExtendedProcessInformation (0x39) or SystemFullProcessInformation (0x94).

These information classes produce descriptions not just of the running processes but also of those processes’ threads. A quick summary is that the information for each process is a fixed-size SYSTEM_PROCESS_INFORMATION structure and the following variable-size data:

The totality of the output for all processes is a sequence of these sets, one per process. In each set, the NextEntryOffset member at the beginning of the SYSTEM_PROCESS_INFORMATION tells how many bytes to advance from that SYSTEM_PROCESS_INFORMATION to the next, or is zero in the last. The NumberOfThreads member in a SYSTEM_PROCESS_INFORMATION tells how many SYSTEM_EXTENDED_THREAD_INFORMATION structures are in the array that immediately follows the SYSTEM_PROCESS_INFORMATION.

Documentation Status

The SYSTEM_EXTENDED_THREAD_INFORMATION structure is not documented.

Layout

The SYSTEM_EXTENDED_THREAD_INFORMATION is 0x60 or 0x88 bytes in 32-bit and 64-bit Windows, respectively.

Offset (x86)   Offset (x64)   Definition
0x00           0x00           SYSTEM_THREAD_INFORMATION ThreadInfo;
0x40           0x50           PVOID StackBase;
0x44           0x58           PVOID StackLimit;
0x48           0x60           PVOID Win32StartAddress;
0x4C           0x68           PVOID TebBase;
0x50           0x70           ULONG_PTR Reserved2;
0x54           0x78           ULONG_PTR Reserved3;
0x58           0x80           ULONG_PTR Reserved4;
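
The walk by NextEntryOffset and NumberOfThreads described above, with the x64 offsets from the Layout table, as an added example that is not part of the original page: a bounds-checked parser that collects each thread's Win32StartAddress from an already captured output buffer. The function names are hypothetical and the sample buffer is constructed. The 0x100-byte size of the x64 SYSTEM_PROCESS_INFORMATION and the position of NumberOfThreads at offset 0x04 are assumptions not stated on this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* x64 layout. SETI_* values come from the Layout table. SPI_SIZE and the two
   SPI_* offsets are assumptions about SYSTEM_PROCESS_INFORMATION. */
enum { SPI_SIZE = 0x100, SPI_NEXT = 0x00, SPI_NTHREADS = 0x04,
       SETI_SIZE = 0x88, SETI_WIN32START = 0x60 };

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }

/* Stores up to max Win32StartAddress values in out. Returns the total thread
   count, or -1 if an offset or thread count would run past the buffer. */
long walk_threads(const uint8_t *buf, size_t len, uint64_t *out, size_t max)
{
    size_t pos = 0;
    long total = 0;
    for (;;) {
        if (len - pos < SPI_SIZE) return -1;          /* pos <= len always holds */
        uint32_t next = rd32(buf + pos + SPI_NEXT);
        uint32_t n = rd32(buf + pos + SPI_NTHREADS);
        size_t avail = next ? next : len - pos;       /* bytes owned by this set */
        if (avail > len - pos || avail < SPI_SIZE) return -1;
        if (n > (avail - SPI_SIZE) / SETI_SIZE) return -1;
        for (uint32_t i = 0; i < n; i++, total++) {
            const uint8_t *t = buf + pos + SPI_SIZE + (size_t)i * SETI_SIZE;
            if ((size_t)total < max) out[total] = rd64(t + SETI_WIN32START);
        }
        if (next == 0) return total;                  /* last process */
        pos += next;
    }
}

/* Constructed sample: two process sets holding 2 and 1 threads. */
size_t build_sample(uint8_t *buf, size_t cap)
{
    uint32_t next = SPI_SIZE + 2 * SETI_SIZE + 0x10, n0 = 2, n1 = 1;
    uint64_t s[3] = { 0x7ff600001000ULL, 0x7ff600002000ULL, 0x7ff700003000ULL };
    size_t len = (size_t)next + SPI_SIZE + SETI_SIZE;
    if (cap < len) return 0;
    memset(buf, 0, len);                              /* second NextEntryOffset stays 0 */
    memcpy(buf + SPI_NEXT, &next, 4);
    memcpy(buf + SPI_NTHREADS, &n0, 4);
    memcpy(buf + next + SPI_NTHREADS, &n1, 4);
    memcpy(buf + SPI_SIZE + SETI_WIN32START, &s[0], 8);
    memcpy(buf + SPI_SIZE + SETI_SIZE + SETI_WIN32START, &s[1], 8);
    memcpy(buf + next + SPI_SIZE + SETI_WIN32START, &s[2], 8);
    return len;
}
```

For a buffer from 32-bit Windows the x86 column applies instead: each thread entry is 0x60 bytes and Win32StartAddress is a 4-byte value at offset 0x48.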