Geoff Chappell - Software Analyst
The KTHREAD has a set of bit flags in union with an integer type named ThreadFlags since Windows Server 2003 SP1. Some time in the progression from the 1703 to the 1709 edition of Windows 10, push came to shove and ThreadFlags2 was born.
This new set of flags is initially at the end of the KTHREAD, but whatever is going on is still in flux. The only new meaningful bit field in ThreadFlags2, presumably the one that didn’t fit, moves to a ThreadFlags3 as soon as the 2004 edition and ThreadFlags2 then disappears from the x86 KTHREAD. Meanwhile, ThreadFlags2 is retained for the x64 and picks up a bit field that is now too wide for ThreadFlags but which the x86 also moves to ThreadFlags3. The x64 ThreadFlags2 also shifts within the KTHREAD to use some of the space that had previously been a spare pointer. A few more Windows 10 editions may be needed for a clear picture to emerge.
The ThreadFlags2 itself is a LONG volatile in union with an anonymous structure of ULONG bit fields:
| Definition | Versions | Remarks |
|---|---|---|
| ULONG PpmPolicy : 2; | 1709 to 1903 | next in ThreadFlags3 |
| ULONG BamQosOffset : 8; | 2004 and higher (x64) | previously 2 bits in ThreadFlags; x86 in ThreadFlags3 |
| ULONG ThreadFlags2Reserved : 30; | 1709 to 1903 | |
| ULONG ThreadFlags2Reserved : 24; | 2004 and higher (x64) | |
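Because the same 32 bits carry a 2-bit PpmPolicy in one range of editions and an 8-bit BamQosOffset in another, anything that reads ThreadFlags2 from a memory image (a debugger extension, a forensic parser) has to choose the layout by edition and architecture before interpreting the value. The following C models the two layouts exactly as the table above gives them and decodes a constructed sample value under each. This is an added example, not code from Geoff Chappell's page or from Windows: the names decode_thread_flags2, tf2_layout_for, TF2_LAYOUT and TF2_DECODED are invented for the illustration, the union keeps the value unsigned where the page says LONG volatile, bit-field ordering is assumed to follow the MSVC/GCC convention (first-declared field in the low-order bits), and treating editions numerically above 1903 as the 2004 layout is an assumption since the page names only 1903 and 2004 as the boundary.

```c
/* Added example (not Geoff Chappell's code): the two documented layouts of
 * KTHREAD.ThreadFlags2 and a decoder that selects one by edition and
 * architecture. Assumes the MSVC/GCC rule that the first-declared bit field
 * occupies the low-order bits, so PpmPolicy and BamQosOffset both start at bit 0. */
#include <stdint.h>
#include <stdio.h>

typedef unsigned int ULONG;   /* 32-bit, as ULONG is on Windows */

/* 1709 to 1903: a 2-bit PpmPolicy that later moves to ThreadFlags3 */
typedef union {
    uint32_t Raw;             /* the page's LONG volatile, kept unsigned here */
    struct {
        ULONG PpmPolicy : 2;
        ULONG ThreadFlags2Reserved : 30;
    };
} THREAD_FLAGS2_1709;

/* 2004 and higher, x64 only: the 8-bit BamQosOffset that outgrew ThreadFlags */
typedef union {
    uint32_t Raw;
    struct {
        ULONG BamQosOffset : 8;
        ULONG ThreadFlags2Reserved : 24;
    };
} THREAD_FLAGS2_2004;

_Static_assert(sizeof(THREAD_FLAGS2_1709) == 4, "bit fields must pack into 32 bits");
_Static_assert(sizeof(THREAD_FLAGS2_2004) == 4, "bit fields must pack into 32 bits");

typedef enum {
    TF2_LAYOUT_ABSENT = 0,    /* before 1709, or x86 at 2004 and higher */
    TF2_LAYOUT_1709,
    TF2_LAYOUT_2004_X64
} TF2_LAYOUT;

/* Editions are the four-digit names the page uses (1709, 1809, 1903, 2004).
 * Assumption: anything numerically above 1903 follows the 2004 layout. */
TF2_LAYOUT tf2_layout_for(unsigned edition, int is_x64)
{
    if (edition < 1709) return TF2_LAYOUT_ABSENT;      /* no ThreadFlags2 yet */
    if (edition <= 1903) return TF2_LAYOUT_1709;
    return is_x64 ? TF2_LAYOUT_2004_X64 : TF2_LAYOUT_ABSENT; /* x86 drops it */
}

typedef struct {
    TF2_LAYOUT Layout;
    unsigned PpmPolicy;       /* meaningful only for TF2_LAYOUT_1709 */
    unsigned BamQosOffset;    /* meaningful only for TF2_LAYOUT_2004_X64 */
    unsigned Reserved;        /* ThreadFlags2Reserved of whichever layout applied */
} TF2_DECODED;

/* Decode a raw ThreadFlags2 dword with the layout for the given edition. */
TF2_DECODED decode_thread_flags2(uint32_t raw, unsigned edition, int is_x64)
{
    TF2_DECODED out = {0};
    out.Layout = tf2_layout_for(edition, is_x64);
    if (out.Layout == TF2_LAYOUT_1709) {
        THREAD_FLAGS2_1709 u;
        u.Raw = raw;
        out.PpmPolicy = u.PpmPolicy;
        out.Reserved = u.ThreadFlags2Reserved;
    } else if (out.Layout == TF2_LAYOUT_2004_X64) {
        THREAD_FLAGS2_2004 u;
        u.Raw = raw;
        out.BamQosOffset = u.BamQosOffset;
        out.Reserved = u.ThreadFlags2Reserved;
    }
    return out;
}

int main(void)
{
    uint32_t sample = 0x000000A5u;   /* constructed value, not from a real KTHREAD */
    TF2_DECODED old = decode_thread_flags2(sample, 1903, 1);
    TF2_DECODED cur = decode_thread_flags2(sample, 2004, 1);
    printf("1903 layout:     PpmPolicy=%u Reserved=0x%X\n", old.PpmPolicy, old.Reserved);
    printf("2004 x64 layout: BamQosOffset=0x%X Reserved=0x%X\n", cur.BamQosOffset, cur.Reserved);
    printf("2004 x86:        layout=%d (ThreadFlags2 absent)\n",
           decode_thread_flags2(sample, 2004, 0).Layout);
    return 0;
}
```

The same sample dword reads as PpmPolicy 1 with 0x29 of reserved bits under the 1903 layout but as BamQosOffset 0xA5 with no reserved bits under the 2004 x64 layout, which is the practical consequence of the field widths changing between editions.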