Geoff Chappell - Software Analyst
From the very beginning of Windows, each process has a one-byte summary of its state. The KPROCESS keeps this as its State member. This is originally a self-standing UCHAR, but Windows 7 truncated it to the low 3 bits, now as a UCHAR bit field still named State, of a KSTACK_COUNT named StackCount. However it is packaged, it takes its values from the KPROCESS_STATE enumeration.
Microsoft does not document the KPROCESS_STATE enumeration, but Microsoft's names and values are known from public symbol files for the kernel, starting with Windows 7.
| Value | Name | Versions |
|---|---|---|
| 0x03 | ProcessOutTransition | 5.1 and higher |
| 0x04 | ProcessInSwap | 5.1 and higher |
| 0x05 | ProcessOutSwap | 5.1 and higher |
| 0x06 | ProcessRetryOutSwap | 10.0 and higher |
| 0x06 (6.1 to 6.3); | ProcessAllSwapStates | 6.1 and higher |
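As an added example of the packing the text describes (this is illustration written for this page, not Geoff Chappell's code and not a Microsoft header), the block below declares the KSTACK_COUNT shape with State in the low 3 bits, extracts State and the stack count from a raw 32-bit value, and maps a state value to its name while honouring the version dependence of 0x06 in the table above. The 29-bit width of the StackCount member, the 32-bit Value member, the helper names, and the sample raw value are assumptions; values 0x00 to 0x02 are not listed in the table above and are reported as unlisted.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Assumed layout, mirroring the text: from Windows 7 the State is the low 3
   bits of a 32-bit KSTACK_COUNT and the remaining 29 bits are the stack
   count. Bit-field allocation order is compiler-specific; on GCC/Clang for
   x86 the first member takes the low bits, which is what this example relies
   on. The mask-based helpers below do not depend on that. */
typedef union _KSTACK_COUNT {
    int32_t Value;
    struct {
        uint32_t State : 3;
        uint32_t StackCount : 29;
    };
} KSTACK_COUNT;

#define KPROCESS_STATE_MASK  0x7u   /* low 3 bits hold the KPROCESS_STATE */
#define KPROCESS_STATE_BITS  3

/* Only the values listed on this page; 0x06 means different things
   depending on the kernel version, so the name lookup takes the version. */
typedef enum _KPROCESS_STATE {
    ProcessOutTransition = 0x03,
    ProcessInSwap        = 0x04,
    ProcessOutSwap       = 0x05,
    ProcessRetryOutSwap  = 0x06  /* 10.0 and higher; 6.1 to 6.3 use 0x06 for ProcessAllSwapStates */
} KPROCESS_STATE;

/* Extract the State from a raw StackCount value using only the mask. */
unsigned kstack_state(int32_t raw_value)
{
    return (uint32_t)raw_value & KPROCESS_STATE_MASK;
}

/* Extract the stack count (the 29 bits above State). */
unsigned kstack_count(int32_t raw_value)
{
    return (uint32_t)raw_value >> KPROCESS_STATE_BITS;
}

/* Cross-check: does the bit-field view agree with the mask view? Returns 1
   if the compiler laid out the union as the text describes. */
int kstack_layout_matches(int32_t raw_value)
{
    KSTACK_COUNT k;
    k.Value = raw_value;
    return k.State == kstack_state(raw_value) &&
           k.StackCount == kstack_count(raw_value);
}

/* Map a state value to its symbol name for a given kernel version
   (major.minor as in the table's "6.1", "10.0"). */
const char *kprocess_state_name(unsigned state, unsigned major, unsigned minor)
{
    int win10_or_later = major >= 10;
    int win7_to_81     = major == 6 && minor >= 1 && minor <= 3;

    switch (state) {
    case ProcessOutTransition: return "ProcessOutTransition";
    case ProcessInSwap:        return "ProcessInSwap";
    case ProcessOutSwap:       return "ProcessOutSwap";
    case 0x06:
        if (win10_or_later) return "ProcessRetryOutSwap";
        if (win7_to_81)     return "ProcessAllSwapStates";
        return "(0x06 not defined for this version)";
    default:
        return "(unlisted)";
    }
}

int main(void)
{
    /* Constructed sample: 0x2C = 0b101100, so State = 4 (ProcessInSwap)
       and StackCount = 5. */
    int32_t raw = 0x2C;
    printf("raw=0x%x state=%u (%s on 10.0) stackcount=%u layout_ok=%d\n",
           raw, kstack_state(raw),
           kprocess_state_name(kstack_state(raw), 10, 0),
           kstack_count(raw), kstack_layout_matches(raw));
    return 0;
}
```

Reading the same 3-bit field with the mask rather than the bit field is the safer habit in tooling that parses kernel memory from a dump, since the dump's layout is fixed by the Windows build while the bit-field layout is fixed by whatever compiler built the tool.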