SYSTEM_OBJECT_INFORMATION

The SYSTEM_OBJECT_INFORMATION structure (formally _SYSTEM_OBJECT_INFORMATION) is an irregularly recurring element in what a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces in its output buffer when given the information class SystemObjectInformation (0x11). The output begins with a SYSTEM_OBJECTTYPE_INFORMATION. There can be, and typically are, more of these throughout the buffer, but irregularly because each can be followed by any number of SYSTEM_OBJECT_INFORMATION structures. These too are irregularly spaced because although each is fixed in size, each is followed in turn by a variable-size Unicode string.

Documentation Status

The SYSTEM_OBJECT_INFORMATION structure is not documented.

Microsoft does publish the practical equivalent of a C-language definition as type information in a handful of private symbol files that Microsoft has included in packages of public symbol files, starting with Windows 8, and continues to make them available through Microsoft’s public symbol server. These private symbol files are not for the kernel, where the structure is prepared, nor even for low-level user-mode DLLs that interpret the structure. They are instead for various higher-level user-mode DLLs such as URLMON.DLL. URLMON.DLL is singled out here because of its origins in Internet Explorer and thence for the strong suggestion that Microsoft’s programmers of Internet Explorer had access to more details of low-level Windows programming than Microsoft publishes for wider use.

Type information for the structure has also seeped out at the other end of the Windows timeline, though not in symbol files but in statically linked libraries: GDISRVL.LIB from the Device Driver Kit (DDK) for Windows NT 3.51; and SHELL32.LIB from the DDK for Windows NT 4.0.

Layout

The SYSTEM_OBJECT_INFORMATION is 0x30 or 0x50 bytes in 32-bit and 64-bit Windows, respectively.

Offset (x86)        Offset (x64)   Definition                          Versions
0x00                0x00           ULONG NextEntryOffset;              all
0x04                0x08           PVOID Object;                       all
0x08                0x10           PVOID CreatorUniqueProcess;         all
0x0C                0x18           USHORT CreatorBackTraceIndex;       3.50 and higher
0x0C (3.10); 0x0E   0x1A           ULONG Flags;                        3.10 only
                                   USHORT Flags;                       3.50 and higher
0x10                0x1C           LONG PointerCount;                  all
0x14                0x20           LONG HandleCount;                   all
0x18                0x24           ULONG PagedPoolCharge;              all
0x1C                0x28           ULONG NonPagedPoolCharge;           all
0x20                0x30           PVOID ExclusiveProcessId;           all
0x24                0x38           unknown dword                       3.10 only
                                   PVOID SecurityDescriptor;           3.50 and higher
0x28                0x40           OBJECT_NAME_INFORMATION NameInfo;   all
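
An added example, not part of the original page and not Microsoft's code: a bounds-checked decoder for a single SYSTEM_OBJECT_INFORMATION entry, driven by the x86 and x64 offsets in the layout table above (versions 3.50 and higher). The names soi_layout, soi_entry, soi_parse and soi_sample_x64 are hypothetical and the sample bytes are constructed. It assumes that NameInfo begins with a UNICODE_STRING whose first USHORT is the name length in bytes and that the name starts immediately after the fixed-size part.

```c
#include <stdint.h>
#include <string.h>

/* Field offsets from the layout table above (versions 3.50 and higher). */
typedef struct { size_t object, creator, flags, pointers, handles, name, size; } soi_layout;
const soi_layout SOI_X86 = { 0x04, 0x08, 0x0E, 0x10, 0x14, 0x28, 0x30 };
const soi_layout SOI_X64 = { 0x08, 0x10, 0x1A, 0x1C, 0x20, 0x40, 0x50 };

typedef struct {
    uint32_t next_entry_offset;       /* reported as-is, not followed */
    uint64_t object, creator_process;
    uint16_t flags, name_bytes;
    int32_t  pointer_count, handle_count;
    size_t   name_offset;             /* start of the trailing UTF-16 name in buf */
} soi_entry;

static uint64_t rd(const uint8_t *p, size_t n)   /* little-endian read of n bytes */
{ uint64_t v = 0; while (n--) v = (v << 8) | p[n]; return v; }

/* Decode the entry at buf+off. Returns 0, or -1 if the fixed part or the
   name it announces would run past the end of the buffer. */
int soi_parse(const uint8_t *buf, size_t len, size_t off, const soi_layout *l, soi_entry *e)
{
    size_t ptr = (l->size == 0x50) ? 8 : 4;      /* PVOID width */
    if (off > len || len - off < l->size) return -1;
    const uint8_t *p = buf + off;
    e->next_entry_offset = (uint32_t)rd(p, 4);
    e->object          = rd(p + l->object, ptr);
    e->creator_process = rd(p + l->creator, ptr);
    e->flags           = (uint16_t)rd(p + l->flags, 2);
    e->pointer_count   = (int32_t)rd(p + l->pointers, 4);
    e->handle_count    = (int32_t)rd(p + l->handles, 4);
    e->name_bytes      = (uint16_t)rd(p + l->name, 2);  /* NameInfo.Name.Length */
    e->name_offset     = off + l->size;  /* assumption: name starts right after */
    if (e->name_bytes % 2 || len - e->name_offset < e->name_bytes) return -1;
    return 0;
}

/* Constructed x64 sample (not captured from a system): one entry named "\Foo".
   buf must hold at least 0x58 bytes; returns the number of bytes written. */
size_t soi_sample_x64(uint8_t *buf)
{
    static const uint8_t name[] = { '\\', 0, 'F', 0, 'o', 0, 'o', 0 };
    memset(buf, 0, 0x50);
    buf[0x1A] = 0x10; buf[0x1C] = 3; buf[0x20] = 1;  /* Flags, PointerCount, HandleCount */
    buf[0x40] = (uint8_t)sizeof name;                 /* NameInfo.Name.Length in bytes */
    memcpy(buf + 0x50, name, sizeof name);
    return 0x50 + sizeof name;
}
```

The decoder reads every field through byte offsets rather than a C struct, so the same code handles either pointer width regardless of the host it is compiled on.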