SYSTEM_OBJECTTYPE_INFORMATION

The SYSTEM_OBJECTTYPE_INFORMATION structure is what a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces at the start of its output buffer when given the information class SystemObjectInformation (0x11). The output can, and typically does, continue with multiple structures but at irregular positions since each can be followed by any number of SYSTEM_OBJECT_INFORMATION structures.

Documentation Status

The SYSTEM_OBJECTTYPE_INFORMATION structure is not documented.

Microsoft does publish the practical equivalent of a C-language definition as type information in public symbol files, though not for the kernel, where the structure is prepared, nor even for low-level user-mode DLLs that interpret the structure, but for various higher-level user-mode DLLs such as URLMON.DLL and only then starting with version 6.2.

Two earlier disclosures of type information are known, though not in symbol files but in statically linked libraries: GDISRVL.LIB from the Device Driver Kit (DDK) for Windows NT 3.51; and SHELL32.LIB from the DDK for Windows NT 4.0.

Layout

The SYSTEM_OBJECTTYPE_INFORMATION is 0x38 or 0x40 bytes in 32-bit and 64-bit Windows, respectively, except that it is only 0x34 bytes in version 3.10.

Offset Definition Versions
0x00
ULONG NextEntryOffset;
all
0x04
ULONG NumberOfObjects;
all
0x08
ULONG NumberOfHandles;
3.50 and higher
0x08 (3.10);
0x0C
ULONG TypeIndex;
all
0x0C (3.10);
0x10
ULONG InvalidAttributes;
all
0x10 (3.10);
0x14
GENERIC_MAPPING GenericMapping;
all
0x20 (3.10);
0x24
ULONG ValidAccessMask;
all
0x24 (3.10);
0x28
ULONG PoolType;
all
0x28 (3.10);
0x2C
BOOLEAN SecurityRequired;
all
0x29 (3.10);
0x2D
BOOLEAN WaitableObject;
all
0x2C (3.10);
0x30
UNICODE_STRING TypeName;
all

Though WaitableObject is known to be defined at least as far back as version 4.0, it is not known to be set except in version 3.10.