Geoff Chappell, Software Analyst
The RTL_PROCESS_BACKTRACE_INFORMATION structure is a recurring element in the RTL_PROCESS_BACKTRACES structure that a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces at the start of its output buffer when given the information class SystemStackTraceInformation (0x0D).
The RTL_PROCESS_BACKTRACE_INFORMATION structure is not documented.
Microsoft does publish the practical equivalent of a C-language definition as type information in public symbol files, though not for the kernel, where the structure is prepared, nor even for low-level user-mode DLLs that interpret the structure, but for various higher-level user-mode DLLs such as URLMON.DLL and only then starting with version 6.2.
Two earlier disclosures of type information are known, though not in symbol files but in statically linked libraries: GDISRVL.LIB from the Device Driver Kit (DDK) for Windows NT 3.51; and SHELL32.LIB from the DDK for Windows NT 4.0.
The RTL_PROCESS_BACKTRACE_INFORMATION structure is 0x8C or 0x0110 bytes in 32-bit and 64-bit Windows 10, respectively.

| Offset (x86) | Offset (x64) | Definition | Versions |
| --- | --- | --- | --- |
| 0x0C | 0x10 | PVOID BackTrace [0x10]; | from GDISRVL.LIB in 3.51; from SHELL32.LIB in 4.0 |
| 0x0C | 0x10 | PVOID BackTrace [0x20]; | |
This is the structure for Windows 10. Earlier versions are known that allow for fewer entries in the BackTrace array.
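As an added example that is not part of this page, the following C checks the sizes given above against a definition of the structure and reads one entry's frames without trusting its Depth. The leading members (SymbolicBackTrace, TraceCount, Index, Depth) are not on this page; they are taken from the public symbol files mentioned above and are an assumption here, as is the sample entry, which is constructed rather than real kernel output.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BACKTRACE_CAPACITY 0x20   /* array size in the Windows 10 definition */

/* Assumed layout; only BackTrace is given on this page. The leading members
   come from public symbol type information and are not documented. */
typedef struct _RTL_PROCESS_BACKTRACE_INFORMATION {
    char     *SymbolicBackTrace;          /* offset 0x00 (x86) / 0x00 (x64) */
    uint32_t  TraceCount;                 /* offset 0x04 / 0x08 */
    uint16_t  Index;                      /* offset 0x08 / 0x0C */
    uint16_t  Depth;                      /* offset 0x0A / 0x0E: frames in use */
    void     *BackTrace[BACKTRACE_CAPACITY]; /* offset 0x0C / 0x10 */
} RTL_PROCESS_BACKTRACE_INFORMATION;

/* Whole-structure size: the page states 0x8C with 4-byte pointers and 0x110 with 8-byte pointers. */
size_t backtrace_info_size(void)
{
    return sizeof(RTL_PROCESS_BACKTRACE_INFORMATION);
}

/* Offset of the return-address array: 0x0C on x86, 0x10 on x64. */
size_t backtrace_array_offset(void)
{
    return offsetof(RTL_PROCESS_BACKTRACE_INFORMATION, BackTrace);
}

/* Copy one entry's frames into out[], clamping Depth to the array capacity so a
   corrupt or unexpected Depth can never index past BackTrace. Returns the count copied. */
size_t backtrace_frames(const RTL_PROCESS_BACKTRACE_INFORMATION *bt, void **out, size_t out_cap)
{
    size_t n = bt->Depth;
    if (n > BACKTRACE_CAPACITY) n = BACKTRACE_CAPACITY;
    if (n > out_cap) n = out_cap;
    memcpy(out, bt->BackTrace, n * sizeof(void *));
    return n;
}

/* Constructed demonstration entry (not real output): Depth as given, frames filled
   with synthetic addresses 0x1000, 0x2000, ... Returns how many frames were read. */
size_t demo_frames(uint16_t depth)
{
    RTL_PROCESS_BACKTRACE_INFORMATION e;
    void *out[BACKTRACE_CAPACITY];
    memset(&e, 0, sizeof e);
    e.Depth = depth;
    for (size_t i = 0; i < BACKTRACE_CAPACITY; i++)
        e.BackTrace[i] = (void *)(uintptr_t)((i + 1) * 0x1000);
    return backtrace_frames(&e, out, BACKTRACE_CAPACITY);
}
```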