Geoff Chappell - Software Analyst
The OBJECT_INFORMATION_CLASS is an enumeration whose values are intended as input to the ZwQueryObject and ZwSetInformationObject functions. Different values select different types of information to query or set.
The user-mode forms of NtQueryObject and ZwQueryObject are original exports from NTDLL and the OBJECT_INFORMATION_CLASS is therefore also original. It, or something exactly like it, is defined in version 3.10 and higher.
Microsoft has kept OBJECT_INFORMATION_CLASS remarkably private. Analogues for information about files, processes, threads, and much else, have all their supported values defined in header files from as far back as the Device Driver Kit (DDK) for Windows NT 3.51. In contrast, Microsoft is not known to have published a C-language definition of the information class for objects until Windows 7: in NTIFS.H from the Windows Driver Kit (WDK) and WINTERNL.H from the Software Development Kit (SDK). Even then, the enumeration is of only two values and the corresponding structures for the information are disclosed only in reduced form.
Microsoft’s names for all the OBJECT_INFORMATION_CLASS values have slipped out, of course. They are knowable from type information in public symbol files for the kernel, though again only starting with Windows 7.
Do not miss, though, that this same type information is in symbol files that Microsoft has published for URLMON.DLL and other user-mode modules, starting from Windows 8. By any reckoning, including Microsoft’s own once upon a time, URLMON.DLL is a component of Internet Explorer. Its versions from Windows 8 up to but not including the 1803 release of Windows 10 plainly were built with a full definition of OBJECT_INFORMATION_CLASS from the same otherwise unpublished header NTOBAPI_X.H as the kernel’s full definition. This sort of privileged access to the Windows source code was the essence of a large part of the anti-trust case against Microsoft whose settlement prompted the development of WINTERNL.H for the SDK in 2002. Yet the access that Internet Explorer’s programmers had to the OBJECT_INFORMATION_CLASS definition was somehow left out of WINTERNL.H until 2009 and even then was disclosed only grudgingly. There’s a lesson here for any government’s contemplation of anti-trust action against software companies: they will run rings around you.
Much further back, it turns out that type information for the OBJECT_INFORMATION_CLASS was disclosed in statically linked libraries that Microsoft distributed with early DDKs: a GDISRVL.LIB in the DDK for Windows NT 3.51; and SHELL32.LIB in the DDK for Windows NT 4.0. That the latter is otherwise just an import library for SHELL32.DLL suggests strongly that these disclosures were one-off oversights. Still, published they were.
Some of the OBJECT_INFORMATION_CLASS values can be used successfully only to query or only to set. The present purpose however is not to show which values are implemented non-trivially in which versions, but which values are defined in which versions, as much as can be known. For Windows 7 and higher, the type information in symbol files is surely definitive. The import libraries for versions 3.51 and 4.0 are here taken as definitive also. What names are defined for other versions is something of a guess based largely on what’s implemented.
| Value | Name | Versions |
| --- | --- | --- |
| 3 | ObjectTypesInformation | 3.50 and higher |
| 4 | ObjectHandleFlagInformation | 3.50 and higher |
| 5 | ObjectSessionInformation | 5.2 and higher |
| 6 | ObjectSessionObjectInformation | 1703 and higher |
| 6 (6.1 to 1607); | | |
Though ObjectTypeInformation is shown above as the original name, all that information class 2 tells of an object in version 3.10 is the name of the object’s type, not the larger information that later versions report of the object’s type. This is not inconsistent with being an early form of what is known for later versions to be the OBJECT_TYPE_INFORMATION produced as output for ObjectTypeInformation, but it’s different enough that the programmers changed the name of the subroutine that does the bulk of the work for querying this information class. Later versions have ObQueryTypeInfo, which would be an obvious name when the information class is ObjectTypeInformation, but version 3.10 has ObQueryTypeNameString (to compare with ObQueryNameString for ObjectNameInformation). That information class 2 in version 3.10 is instead named ObjectTypeNameInformation is at least plausible.
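As an added example (not code from this page, nor Microsoft's), here is the user-mode query pattern that information class 2 is used with. NtQueryObject is called once with a buffer that is too small, fails with STATUS_INFO_LENGTH_MISMATCH and reports the required size in ReturnLength, and is then called again with a buffer of that size. The growth helper is portable; on Windows it is driven by the real NtQueryObject and PUBLIC_OBJECT_TYPE_INFORMATION from WINTERNL.H and prints the type name of the current process handle, while off Windows it is driven by a constructed stand-in that answers with a simplified record whose layout (a 16-bit byte count followed by UTF-16 characters) is an assumption of this example and not the real OBJECT_TYPE_INFORMATION. The OIC_* enumerators mirror the values named on this page plus the two public ones from WINTERNL.H (ObjectBasicInformation = 0, ObjectNameInformation = 1).

```c
/* Added example, not code from this page or from Microsoft.
   Demonstrates NtQueryObject length negotiation for ObjectTypeInformation. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* NTSTATUS values that matter for size negotiation (documented values). */
#define ST_SUCCESS              ((int32_t)0x00000000L)
#define ST_BUFFER_OVERFLOW      ((int32_t)0x80000005L)
#define ST_INVALID_INFO_CLASS   ((int32_t)0xC0000003L)
#define ST_INFO_LENGTH_MISMATCH ((int32_t)0xC0000004L)

/* OBJECT_INFORMATION_CLASS values: 0 and 1 from WINTERNL.H, 2 to 6 as named on this page. */
enum oic {
    OIC_BASIC = 0, OIC_NAME = 1, OIC_TYPE = 2, OIC_TYPES = 3,
    OIC_HANDLE_FLAG = 4, OIC_SESSION = 5, OIC_SESSION_OBJECT = 6
};

/* Shape of NtQueryObject, re-declared locally so the helper can be driven by
   either the real export (Windows) or a constructed stand-in (anywhere). */
typedef int32_t (*query_fn)(void *handle, int cls, void *buf, uint32_t len, uint32_t *ret_len);

/* Call q with a growing buffer until it succeeds or fails for a reason other
   than size. Returns a malloc'd buffer (caller frees) with *out_len set to the
   byte count reported by the final call, or NULL with *out_len = 0. */
void *query_object_grow(query_fn q, void *handle, int cls, uint32_t initial_len, uint32_t *out_len) {
    uint32_t len = initial_len ? initial_len : 64, need = 0;
    void *buf = NULL;
    for (int attempt = 0; attempt < 8; attempt++) {
        void *grown = realloc(buf, len);
        if (!grown) break;
        buf = grown;
        need = 0;
        int32_t st = q(handle, cls, buf, len, &need);
        if (st == ST_SUCCESS) { *out_len = need; return buf; }
        if (st != ST_INFO_LENGTH_MISMATCH && st != ST_BUFFER_OVERFLOW) break;
        /* Classes that report the required size put it in ret_len; if it is unhelpful, double instead. */
        len = (need > len) ? need : len * 2;
    }
    free(buf);
    *out_len = 0;
    return NULL;
}

/* ---- Constructed stand-in for NtQueryObject (assumption of this example). ----
   Answers ObjectTypeInformation with a simplified record: uint16_t byte length
   followed by the UTF-16 characters of "Process". Like the kernel, it first
   reports STATUS_INFO_LENGTH_MISMATCH with the required size in ret_len. */
static int g_fake_calls;
static const uint16_t k_type_name[] = { 'P', 'r', 'o', 'c', 'e', 's', 's' };

static int32_t fake_query(void *handle, int cls, void *buf, uint32_t len, uint32_t *ret_len) {
    (void)handle;
    g_fake_calls++;
    if (cls != OIC_TYPE) return ST_INVALID_INFO_CLASS;
    uint32_t need = (uint32_t)(sizeof(uint16_t) + sizeof k_type_name);
    *ret_len = need;
    if (len < need) return ST_INFO_LENGTH_MISMATCH;
    uint16_t bytes = (uint16_t)sizeof k_type_name;
    memcpy(buf, &bytes, sizeof bytes);
    memcpy((char *)buf + sizeof bytes, k_type_name, sizeof k_type_name);
    return ST_SUCCESS;
}

static char g_last_name[64];

/* Run the whole flow against the stand-in with a deliberately small first buffer.
   Returns how many calls the stand-in saw (2 = one size probe, one fetch); the
   decoded type name is left for last_type_name(). */
int demo_query_type_name(void) {
    uint32_t n = 0;
    g_fake_calls = 0;
    unsigned char *rec = query_object_grow(fake_query, NULL, OIC_TYPE, 4, &n);
    if (!rec) return -1;
    uint16_t bytes;
    memcpy(&bytes, rec, sizeof bytes);
    size_t chars = bytes / 2;
    if (chars >= sizeof g_last_name) chars = sizeof g_last_name - 1;
    for (size_t i = 0; i < chars; i++) {
        uint16_t w;
        memcpy(&w, rec + sizeof bytes + 2 * i, sizeof w);
        g_last_name[i] = (w < 0x80) ? (char)w : '?';
    }
    g_last_name[chars] = '\0';
    free(rec);
    return g_fake_calls;
}

const char *last_type_name(void) { return g_last_name; }

/* A class the stand-in rejects: returns 1 if the helper gave up cleanly. */
int demo_unsupported_class(void) {
    uint32_t n = 99;
    void *rec = query_object_grow(fake_query, NULL, OIC_SESSION, 4, &n);
    return (rec == NULL && n == 0) ? 1 : 0;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#pragma comment(lib, "ntdll.lib")

/* Adapter from the local query_fn shape to the real NtQueryObject export. */
static int32_t real_query(void *handle, int cls, void *buf, uint32_t len, uint32_t *ret_len) {
    return (int32_t)NtQueryObject((HANDLE)handle, (OBJECT_INFORMATION_CLASS)cls, buf, len, (PULONG)ret_len);
}

int main(void) {
    uint32_t n = 0;
    PUBLIC_OBJECT_TYPE_INFORMATION *ti = query_object_grow(real_query, GetCurrentProcess(), OIC_TYPE, 64, &n);
    if (!ti) { puts("NtQueryObject(ObjectTypeInformation) failed"); return 1; }
    printf("type of current process handle: %.*ls\n", (int)(ti->TypeName.Length / sizeof(WCHAR)), ti->TypeName.Buffer);
    free(ti);
    return 0;
}
#endif
```

The helper accepts STATUS_BUFFER_OVERFLOW as well as STATUS_INFO_LENGTH_MISMATCH because the two are used inconsistently across information classes and versions, and it falls back to doubling the buffer for any class that does not report a size, so a caller does not have to know in advance which convention a given class follows.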
That Microsoft did not originally end the enumeration with MaxObjectInfoClass is known from the statically linked libraries. Precisely when it was added in versions 5.0 to 6.0, for which type information is unavailable, may never be known.