Trace Flags in the OBJECT_HEADER

Windows XP brought some significant new debugging support to the problem of resource leakage for objects. Refinement for Windows Vista introduced two bit flags into the OBJECT_HEADER. At first, these were squeezed in to the QuotaInfoOffset (whose low bits must otherwise be clear). Windows 7 turned them into a second byte of flags. That these are named TraceFlags in Windows 7 is known from type information in public symbol files for that version’s kernel. Symbol files for the next version show that Windows 8 formalises the flags as a structure of UCHAR bit fields in union with the TraceFlags byte, which is retained for conveniently accessing multiple bits together:

Mask Definition Versions
0x01
UCHAR DbgRefTrace : 1;
6.2 and higher
0x02
UCHAR DbgTracePermanent : 1;
6.2 and higher

For Windows Vista and Windows 7, then, Microsoft’s programmers will have accessed the bits through macro definitions. These are known from public disclosure of NTOSP.H in the Enterprise edition of the Windows Driver Kit (WDK) for Windows 10 Version 1511:

Mask Symbol Versions
0x01 OB_OBJECT_REF_TRACE 6.0 and higher
0x02 OB_OBJECT_TRACE_PERMANENT 6.0 and higher