OBJECT_HEADER_HANDLE_INFO

The OBJECT_HEADER_HANDLE_INFO structure is one of several structures that may precede an OBJECT_HEADER in a memory block that contains an Object Manager object.

Layout

The OBJECT_HEADER_HANDLE_INFO structure is 0x08 or 0x10 bytes in 32-bit and 64-bit Windows, respectively. Microsoft’s names and types are known from type information in public symbol files for the kernel, starting with Windows 2003 SP1. Names are known with slightly less certainty for version 4.0 from the output of the !dso command as implemented by the debugger extension USEREXTS.DLL from the Windows NT 4.0 Device Driver Kit (DDK).

Though the OBJECT_HEADER_HANDLE_INFO is formally a structure, its one member is an unnamed union. Strip away the scaffolding:

| Offset (x86) | Offset (x64) | Definition | Versions |
|---|---|---|---|
| 0x00 | 0x00 | OBJECT_HANDLE_COUNT_DATABASE *HandleCountDataBase; | 3.50 and higher |
| 0x00 | 0x00 | OBJECT_HANDLE_COUNT_ENTRY SingleEntry; | 3.50 and higher |

The database tells which processes have opened how many handles to the object. In general, there is one OBJECT_HANDLE_COUNT_ENTRY for each process that opens the object. The database is then a separate memory allocation of a count of processes and an array of entries, one per process.

A frequent special case, not least because it is certain to be the initial case, is that the object is opened by just one process. The database then has just the one entry and might never need another. This is accommodated efficiently by having the whole OBJECT_HEADER_HANDLE_INFO be the SingleEntry. This state is indicated by a set OBJ_FLAG_SINGLE_HANDLE_ENTRY (0x40) in the Flags in the OBJECT_HEADER.

Database

The OBJECT_HANDLE_COUNT_DATABASE is 0x0C or 0x18 bytes in 32-bit and 64-bit Windows, respectively.

| Offset (x86) | Offset (x64) | Definition | Versions |
|---|---|---|---|
| 0x00 | 0x00 | ULONG CountEntries; | 3.50 and higher |
| 0x04 | 0x08 | OBJECT_HANDLE_COUNT_ENTRY HandleCountEntries [ANYSIZE_ARRAY]; | 3.50 and higher |

Entry

The OBJECT_HANDLE_COUNT_ENTRY is 0x08 or 0x10 bytes in 32-bit and 64-bit Windows, respectively.

| Offset (x86) | Offset (x64) | Definition | Versions |
|---|---|---|---|
| 0x00 | 0x00 | EPROCESS *Process; | 3.50 and higher |
| 0x04 | 0x08 | ULONG HandleCount; | 3.50 to 5.2 |
| 0x04 | 0x08 | struct { ULONG HandleCount : 24; ULONG LockCount : 8; }; | 6.0 and higher |
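
The layouts above, applied in an added example (not code from the original page or from Microsoft): a Python decoder, of the kind a memory-forensics tool might use, that turns an OBJECT_HEADER_HANDLE_INFO into per-process handle counts for either the single-entry or the database case. The read callable, the MAX_ENTRIES bound and all sample addresses are assumptions constructed for illustration; placing HandleCount in the low 24 bits relies on the Microsoft compiler allocating bit fields from the low bit upward.

```python
import struct

OBJ_FLAG_SINGLE_HANDLE_ENTRY = 0x40   # OBJECT_HEADER Flags bit, per the text
MAX_ENTRIES = 4096                    # assumed sanity bound for corrupt memory

def parse_entry(buf, off, x64, v6):
    """Decode one OBJECT_HANDLE_COUNT_ENTRY found at buf[off:]."""
    # Process pointer at 0x00; count at 0x04 (x86) or 0x08 (x64).
    process, raw = struct.unpack_from("<QI" if x64 else "<II", buf, off)
    if v6:  # 6.0 and higher: HandleCount is the low 24 bits, LockCount the high 8
        return {"process": process, "handles": raw & 0xFFFFFF, "locks": raw >> 24}
    return {"process": process, "handles": raw, "locks": None}

def handle_counts(info, flags, read, x64=True, v6=True):
    """Return per-process handle counts for one object.

    info  -- raw bytes of the OBJECT_HEADER_HANDLE_INFO (0x08 or 0x10 bytes)
    flags -- Flags value from the object's OBJECT_HEADER
    read  -- hypothetical callable read(addr, size) -> bytes of kernel memory
    """
    ptr = 8 if x64 else 4
    entry_size = 2 * ptr
    if len(info) < entry_size:
        raise ValueError("truncated OBJECT_HEADER_HANDLE_INFO")
    if flags & OBJ_FLAG_SINGLE_HANDLE_ENTRY:
        return [parse_entry(info, 0, x64, v6)]   # union holds SingleEntry
    db = int.from_bytes(info[:ptr], "little")    # union holds HandleCountDataBase
    if db == 0:
        return []                                # no database to follow
    (count,) = struct.unpack("<I", read(db, 4))  # CountEntries at 0x00
    if count > MAX_ENTRIES:
        raise ValueError("implausible CountEntries %d" % count)
    raw = read(db + ptr, count * entry_size)     # HandleCountEntries at 0x04/0x08
    return [parse_entry(raw, i * entry_size, x64, v6) for i in range(count)]

def make_reader(regions):
    """Constructed stand-in for a memory image: {base address: bytes}."""
    def read(addr, size):
        for base, data in regions.items():
            if base <= addr and addr + size <= base + len(data):
                return data[addr - base:addr - base + size]
        raise ValueError("unmapped read at %#x" % addr)
    return read

# Constructed sample: x64, version 6.0+, database with two processes.
DB_ADDR, P1, P2 = 0xFFFFA00000001000, 0xFFFFA00000100080, 0xFFFFA00000200080
SAMPLE_DB = struct.pack("<I4x", 2) + struct.pack("<QI4x", P1, 3 | (1 << 24)) \
          + struct.pack("<QI4x", P2, 5)
SAMPLE_INFO = struct.pack("<Q8x", DB_ADDR)
```

The bound on CountEntries and the unmapped-read error matter when the input is a crash dump or a possibly tampered image, where the pointer or count may be garbage.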