SYSTEM_HANDLE_TABLE_ENTRY_INFO

The SYSTEM_HANDLE_TABLE_ENTRY_INFO structure is a recurring element in the SYSTEM_HANDLE_INFORMATION that a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces in its output buffer when given the information class SystemHandleInformation (0x10).

Documentation Status

The SYSTEM_HANDLE_TABLE_ENTRY_INFO structure is not documented.

Microsoft does publish the practical equivalent of a C-language definition as type information in public symbol files, though not for the kernel, where the structure is prepared, nor even for low-level user-mode DLLs that interpret the structure, but for various higher-level user-mode DLLs such as URLMON.DLL and only then starting with version 6.2.

Two earlier disclosures of type information are known, though not in symbol files but in statically linked libraries: GDISRVL.LIB from the Device Driver Kit (DDK) for Windows NT 3.51; and SHELL32.LIB from the DDK for Windows NT 4.0.

Layout

The SYSTEM_HANDLE_TABLE_ENTRY_INFO structure is 0x10 or 0x18 bytes in 32-bit and 64-bit Windows, respectively.

Offset (x86)  Offset (x64)  Definition
0x00          0x00          USHORT UniqueProcessId;
0x02          0x02          USHORT CreatorBackTraceIndex;
0x04          0x04          UCHAR ObjectTypeIndex;
0x05          0x05          UCHAR HandleAttributes;
0x06          0x06          USHORT HandleValue;
0x08          0x08          PVOID Object;
0x0C          0x10          ULONG GrantedAccess;
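
As an added example (not code from this page or from Microsoft), the following portable C decodes entries of either width from a raw byte buffer using the offsets and sizes in the layout above, which is what a forensic or monitoring tool has to do when it reads a 32-bit capture on a 64-bit host or the reverse. The names handle_entry, rd_le, decode_entry and the sample buffers are hypothetical, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Width-independent view of one entry; field names follow the layout table. */
typedef struct {
    uint16_t UniqueProcessId, CreatorBackTraceIndex;
    uint8_t  ObjectTypeIndex, HandleAttributes;
    uint16_t HandleValue;
    uint64_t Object;            /* PVOID, widened to 64 bits */
    uint32_t GrantedAccess;
} handle_entry;

/* Read an n-byte little-endian value (n <= 8) regardless of host byte order. */
static uint64_t rd_le(const uint8_t *p, size_t n)
{
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Decode entry idx from buf; returns -1 if it would run past len bytes. */
int decode_entry(const uint8_t *buf, size_t len, int is64, size_t idx, handle_entry *e)
{
    size_t sz = is64 ? 0x18 : 0x10;             /* entry size per the page */
    if (idx >= len / sz) return -1;
    const uint8_t *p = buf + idx * sz;
    e->UniqueProcessId       = (uint16_t)rd_le(p + 0x00, 2);
    e->CreatorBackTraceIndex = (uint16_t)rd_le(p + 0x02, 2);
    e->ObjectTypeIndex       = p[0x04];
    e->HandleAttributes      = p[0x05];
    e->HandleValue           = (uint16_t)rd_le(p + 0x06, 2);
    e->Object                = rd_le(p + 0x08, is64 ? 8 : 4);
    e->GrantedAccess         = (uint32_t)rd_le(p + (is64 ? 0x10 : 0x0C), 4);
    return 0;
}

/* Constructed sample entries (not captured from a real system). */
const uint8_t sample_x86[0x10] = { 0x04,0x00, 0x00,0x00, 0x05, 0x00, 0x10,0x00,
    0x60,0x45,0x23,0x81, 0x00,0x00,0x10,0x00 };
const uint8_t sample_x64[0x18] = { 0x34,0x12, 0x00,0x00, 0x07, 0x02, 0xA4,0x01,
    0x78,0x56,0x34,0x12,0x00,0x8A,0xFF,0xFF, 0x03,0x00,0x1F,0x00, 0,0,0,0 };

int main(void)
{
    handle_entry e;
    if (decode_entry(sample_x64, sizeof sample_x64, 1, 0, &e) == 0)
        printf("pid=0x%X handle=0x%X object=0x%llX access=0x%X\n", e.UniqueProcessId,
               e.HandleValue, (unsigned long long)e.Object, (unsigned)e.GrantedAccess);
    return 0;
}
```

The last four bytes of the 64-bit entry are not assigned to any member in the table and are ignored by the decoder.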