Geoff Chappell, Software Analyst
The SYSTEM_BASIC_INFORMATION structure is what a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces in its output buffer when given the information classes SystemBasicInformation (0x00), SystemEmulationBasicInformation (0x3E) or SystemNativeBasicInformation (0x72).
The primary use of the SystemBasicInformation case of NtQuerySystemInformation is to support the KERNEL32 function GetSystemInfo, specifically to obtain values for the following members of that function’s SYSTEM_INFO structure:
If these are all that is wanted, then use GetSystemInfo instead.
The SYSTEM_BASIC_INFORMATION structure is defined in WINTERNL.H from the Software Development Kit (SDK). The definition there provides only for NumberOfProcessors, with padding to put it at the right offset. Documentation of NtQuerySystemInformation describes the SystemBasicInformation case as returning the number of processors in the system, and directs that GetSystemInfo be used instead.
Microsoft does publish the practical equivalent of a C-language definition as type information in public symbol files, though not for the kernel, where the structure is prepared, nor even for low-level user-mode DLLs that interpret the structure, but for various higher-level user-mode DLLs such as URLMON.DLL and only then starting with version 6.2.
Two earlier disclosures of type information are known, though not in symbol files but in statically linked libraries: GDISRVL.LIB from the Device Driver Kit (DDK) for Windows NT 3.51; and SHELL32.LIB from the DDK for Windows NT 4.0.
The SYSTEM_BASIC_INFORMATION structure is 0x2C or 0x40 bytes in 32-bit and 64-bit Windows, respectively.
| Offset (x86) | Offset (x64) | Definition |
In 32-bit Windows, the structure is filled exactly the same for all three information classes. The x64 builds treat SystemEmulationBasicInformation differently. This allows WOW64.DLL, executing 64-bit code in a 32-bit process, to get basic information that’s suited to the 32-bit caller.
The Reserved member is not so much reserved as obsolete. It was originally the source of the dwOemId member of the user-mode SYSTEM_INFO. That said, the kernel sets it to zero even in version 3.10.
The MaximumUserModeAddress is ordinarily from the exported variable MmHighestUserAddress. For the 64-bit SystemEmulationBasicInformation, however, it is one byte less than the HighestUserAddress in the current process’s EPROCESS.
The ActiveProcessorsAffinityMask covers only the active processors in the current processor group, and NumberOfProcessors counts only those active processors. The precise intention behind the different handling for the 64-bit SystemEmulationBasicInformation is not presently clear.
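The following C code is an added example, not from the original page or from Microsoft's headers. It decodes a captured output buffer by its size (0x2C or 0x40) and checks the two invariants described above: Reserved is zero, and the bit count of ActiveProcessorsAffinityMask equals NumberOfProcessors. The member offsets are assumptions taken from the commonly published layout rather than from this page, the names `sbi_view`, `rd_le`, `sbi_parse` and `sbi_consistent` are hypothetical, and the sample buffer is constructed.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int      is64;          /* 1 for the 0x40-byte layout, 0 for 0x2C */
    uint32_t reserved;      /* Reserved: the page says the kernel zeroes it */
    uint64_t max_user_addr; /* MaximumUserModeAddress */
    uint64_t active_mask;   /* ActiveProcessorsAffinityMask */
    unsigned nprocs;        /* NumberOfProcessors */
} sbi_view;

/* Read an n-byte little-endian integer. */
static uint64_t rd_le(const uint8_t *p, size_t n) {
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Decode by buffer size. Offsets are assumed from the commonly published
   layout (pointer-sized members start at 0x1C on x86, 0x20 on x64). */
int sbi_parse(const uint8_t *buf, size_t len, sbi_view *out) {
    size_t ptr, base;
    if (len == 0x2C)      { ptr = 4; base = 0x1C; }
    else if (len == 0x40) { ptr = 8; base = 0x20; }
    else return -1;       /* neither size the page gives */
    out->is64          = (ptr == 8);
    out->reserved      = (uint32_t)rd_le(buf, 4);
    out->max_user_addr = rd_le(buf + base + ptr, ptr);
    out->active_mask   = rd_le(buf + base + 2 * ptr, ptr);
    out->nprocs        = buf[base + 3 * ptr];
    return 0;
}

/* 1 if Reserved is zero and the mask's bit count equals NumberOfProcessors. */
int sbi_consistent(const sbi_view *v) {
    unsigned bits = 0;
    for (uint64_t m = v->active_mask; m; m &= m - 1) bits++;
    return v->reserved == 0 && bits == v->nprocs;
}

int main(void) {
    uint8_t buf[0x2C] = {0};   /* constructed 32-bit sample, not captured */
    buf[0x20] = 0xFF; buf[0x21] = 0xFF; buf[0x22] = 0xFE; buf[0x23] = 0x7F;
    buf[0x24] = 0x03; buf[0x28] = 2;  /* two active processors */
    sbi_view v;
    if (sbi_parse(buf, sizeof buf, &v)) return 1;
    printf("max=0x%llx procs=%u ok=%d\n", (unsigned long long)v.max_user_addr,
           v.nprocs, sbi_consistent(&v));
    return 0;
}
```

Because the page notes that the 64-bit SystemEmulationBasicInformation case is handled differently, treat a failed consistency check on a buffer from that class as something to inspect rather than as proof of tampering.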