Geoff Chappell, Software Analyst
The OBJECT_INFORMATION_CLASS is an enumeration whose values are intended as input to the ZwQueryObject and ZwSetInformationObject functions. Different values select different types of information to query or set.
The user-mode forms of NtQueryObject and ZwQueryObject are original exports from NTDLL and the OBJECT_INFORMATION_CLASS is therefore also original. It, or something exactly like it, is defined in version 3.10 and higher.
Microsoft has kept OBJECT_INFORMATION_CLASS remarkably private. Analogues for information about files, processes, threads, and much else, have all their supported values defined in header files from as far back as the Device Driver Kit (DDK) for Windows NT 3.51. In contrast, Microsoft is not known to have published a C-language definition of the information class for objects until Windows 7: in NTIFS.H from the Windows Driver Kit (WDK) and WINTERNL.H from the Software Development Kit (SDK). Even then, the enumeration is of only two values and the corresponding structures for the information are disclosed only in reduced form.
Microsoft’s names for all the OBJECT_INFORMATION_CLASS values have slipped out, of course. They are knowable from type information in public symbol files for the kernel, though again only starting with Windows 7.
Much further back, it turns out that type information for the OBJECT_INFORMATION_CLASS was disclosed in statically linked libraries that Microsoft distributed with early DDKs: a GDISRVL.LIB in the DDK for Windows NT 3.51; and SHELL32.LIB in the DDK for Windows NT 4.0. That the latter is otherwise just an import library for SHELL32.DLL suggests strongly that these disclosures were one-off oversights. Still, published they were.
Some of the OBJECT_INFORMATION_CLASS values can be used successfully only to query or only to set. The present purpose however is not to show which values are implemented non-trivially in which versions, but which values are defined in which versions, as much as can be known. For Windows 7 and higher, the type information in symbol files is surely definitive. The import libraries for versions 3.51 and 4.0 are here taken as definitive also. What names are defined for other versions is something of a guess—yes, based largely on what’s implemented.
| Numeric Value | Symbolic Name | Versions |
|---|---|---|
| 3 | ObjectTypesInformation | 3.50 and higher |
| 4 | ObjectHandleFlagInformation | 3.50 and higher |
| 5 | ObjectSessionInformation | 5.2 and higher |
| 6 | ObjectSessionObjectInformation | 1703 and higher |
|6 (6.1 to 1607);
Though ObjectTypeInformation is shown above as the original name, all that information class 2 tells of an object in version 3.10 is the name of the object’s type, not the larger information that later versions report of the object’s type. This is not inconsistent with being an early form of what is known for later versions to be the OBJECT_TYPE_INFORMATION produced as output for ObjectTypeInformation, but it’s different enough that the programmers changed the name of the subroutine that does the bulk of the work for querying this information class. Later versions have ObQueryTypeInfo, which would be the obvious name when the information class is ObjectTypeInformation, but version 3.10 has ObQueryTypeNameString (to compare with ObQueryNameString for ObjectNameInformation). That information class 2 in version 3.10 is instead named ObjectTypeNameInformation is at least plausible.
That Microsoft did not originally end the enumeration with MaxObjectInfoClass is known from the statically linked libraries. Precisely when it was added in the versions for which type information is available may never be known.