OBJECT_TYPE_INFORMATION

The OBJECT_TYPE_INFORMATION structure is what a successful call to ZwQueryObject or NtQueryObject produces at the start of its output buffer when given the information class ObjectTypeInformation (2). The information so obtained is about the type of whatever object is referenced by the Handle argument.

The structure is alternatively a recurring element in the output of a successful query for ObjectTypesInformation (3).

Documentation Status

The OBJECT_TYPE_INFORMATION structure is not documented. This is plainly very much by design. A PUBLIC_OBJECT_TYPE_INFORMATION is defined in WINTERNL.H from the Software Development Kit (SDK) and in NTIFS.H from the Windows Driver Kit (WDK). Even then, this availability doesn’t begin until the kits for Windows 7. This public definition—which does, remember, have a different name—provides only for the TypeName plus an array which is commented as being “reserved for internal use”.

Microsoft does publish the practical equivalent of a C-language definition as type information in public symbol files, though not for the kernel, where the structure is prepared, nor even for low-level user-mode DLLs that interpret the structure, but for various higher-level user-mode DLLs such as URLMON.DLL and only then starting with version 6.2.

Two earlier disclosures of type information are known, though not in symbol files but in statically linked libraries: GDISRVL.LIB from the Device Driver Kit (DDK) for Windows NT 3.51; and SHELL32.LIB from the DDK for Windows NT 4.0.

Layout

The OBJECT_TYPE_INFORMATION is 0x60 or 0x68 bytes in 32-bit and 64-bit Windows, respectively, in version 3.50 and higher. If the structure is defined for version 3.10, it has only the first member and is only eight bytes.

Offset (x86) Offset (x64) Definition Versions
0x00 0x00
UNICODE_STRING TypeName;
all
0x08 0x10
ULONG TotalNumberOfObjects;
3.50 and higher
0x0C 0x14
ULONG TotalNumberOfHandles;
3.50 and higher
0x10 0x18
ULONG TotalPagedPoolUsage;
3.50 and higher
0x14 0x1C
ULONG TotalNonPagedPoolUsage;
3.50 and higher
0x18 0x20
ULONG TotalNamePoolUsage;
3.50 and higher
0x1C 0x24
ULONG TotalHandleTableUsage;
3.50 and higher
0x20 0x28
ULONG HighWaterNumberOfObjects;
3.50 and higher
0x24 0x2C
ULONG HighWaterNumberOfHandles;
3.50 and higher
0x28 0x30
ULONG HighWaterPagedPoolUsage;
3.50 and higher
0x2C 0x34
ULONG HighWaterNonPagedPoolUsage;
3.50 and higher
0x30 0x38
ULONG HighWaterNamePoolUsage;
3.50 and higher
0x34 0x3C
ULONG HighWaterHandleTableUsage;
3.50 and higher
0x38 0x40
ULONG InvalidAttributes;
3.50 and higher
0x3C 0x44
GENERIC_MAPPING GenericMapping;
3.50 and higher
0x4C 0x54
ULONG ValidAccessMask;
3.50 and higher
0x50 0x58
BOOLEAN SecurityRequired;
3.50 and higher
0x51 0x59
BOOLEAN MaintainHandleCount;
3.50 and higher
0x52 0x5A
UCHAR TypeIndex;
6.2 and higher
0x54 0x5C
ULONG PoolType;
3.50 and higher
0x58 0x60
ULONG DefaultPagedPoolCharge;
3.50 and higher
0x5C 0x64
ULONG DefaultNonPagedPoolCharge;
3.50 and higher

The structure is followed by the object type’s name as a null-terminated string of Unicode characters. The size (in bytes, not counting the terminating null) and the address are respectively the Length and Buffer members of the TypeName.

For the ReturnLength argument of ZwQueryObject in version 3.50 and higher, the total size of the structure and name is rounded up for 4 or 8-byte alignment in 32-bit and 64-bit Windows, respectively. This anticipates that the structure and name may be just one description of an object type in a sequence of descriptions of all the object types. The OBJECT_TYPE_INFORMATION in each then has its natural alignment. There is a side-effect, however: the alignment is not allowed for when computing the TypeInfoSize in the OBJECT_BASIC_INFORMATION.