Object Header Flags

From as long ago as Windows NT 3.50, the OBJECT_HEADER has a byte that’s interpreted as bit flags. From type information in public symbol files for the kernel, it is known that Windows 8.1 formalises these flags as a structure of UCHAR bit fields in union with the Flags byte for conveniently accessing multiple bits together:

Mask Definition Versions
0x01 UCHAR NewObject : 1; 6.3 and higher
0x02 UCHAR KernelObject : 1; 6.3 and higher
0x04 UCHAR KernelOnlyAccess : 1; 6.3 and higher
0x08 UCHAR ExclusiveObject : 1; 6.3 and higher
0x10 UCHAR PermanentObject : 1; 6.3 and higher
0x20 UCHAR DefaultSecurityQuota : 1; 6.3 and higher
0x40 UCHAR SingleHandleEntry : 1; 6.3 and higher
0x80 UCHAR DeletedInline : 1; 6.3 and higher

Before Windows 8.1, the bits look to have been accessed only through macro definitions of the masks. These are known from public disclosure of NTOSP.H in the original and Version 1511 editions of the Windows Driver Kit (WDK) for Windows 10:

Mask Name Versions
0x01 OBJ_FLAG_NEW_OBJECT 3.50 and higher
0x02 OBJ_FLAG_KERNEL_OBJECT 3.50 and higher
0x04 OBJ_FLAG_KERNEL_ONLY_ACCESS 3.51 and higher
0x08 OBJ_FLAG_EXCLUSIVE_OBJECT 3.51 and higher
0x10 OBJ_FLAG_PERMANENT_OBJECT 3.50 and higher
0x40 OBJ_FLAG_SINGLE_HANDLE_ENTRY 3.51 and higher
0x80 OBJ_FLAG_DELETED_INLINE 5.1 and higher

The versions are the first for which the flag is yet known to be used. Identifying first use from inspection of binaries is, perhaps forever, a work in progress.
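When reading a Flags byte out of a memory dump, the two tables above can be combined into a decoder that also reports bits not yet known to be used in the target version. The following is an added example, not code from the page or from Microsoft: OBJ_FLAGS_VIEW, obj_flag_defs, the function names and the major * 100 + minor version encoding are invented here, and the 0x20 entry takes its mask from the bit-field position because the page lists no macro for it.

```c
#include <string.h>

typedef unsigned char UCHAR;

/* Windows 8.1 form: bit fields in union with the Flags byte.
   OBJ_FLAGS_VIEW is a name invented for this example. */
typedef union {
    UCHAR Flags;
    struct {
        UCHAR NewObject : 1, KernelObject : 1, KernelOnlyAccess : 1,
              ExclusiveObject : 1, PermanentObject : 1,
              DefaultSecurityQuota : 1, SingleHandleEntry : 1, DeletedInline : 1;
    };
} OBJ_FLAGS_VIEW;

/* Mask, name, first version known to use the flag (major * 100 + minor). */
static const struct { UCHAR mask; const char *name; int first; } obj_flag_defs[] = {
    {0x01, "OBJ_FLAG_NEW_OBJECT", 350}, {0x02, "OBJ_FLAG_KERNEL_OBJECT", 350},
    {0x04, "OBJ_FLAG_KERNEL_ONLY_ACCESS", 351}, {0x08, "OBJ_FLAG_EXCLUSIVE_OBJECT", 351},
    {0x10, "OBJ_FLAG_PERMANENT_OBJECT", 350},
    {0x20, "DefaultSecurityQuota", 0}, /* macro name, first use: not on the page */
    {0x40, "OBJ_FLAG_SINGLE_HANDLE_ENTRY", 351}, {0x80, "OBJ_FLAG_DELETED_INLINE", 501},
};
#define N_DEFS (sizeof obj_flag_defs / sizeof obj_flag_defs[0])

/* Rebuild the byte from the bit fields. Equals v.Flags when the compiler
   allocates bit fields from the least significant bit, as MSVC does. */
UCHAR obj_flags_from_fields(OBJ_FLAGS_VIEW v)
{
    return (UCHAR)(v.NewObject | (v.KernelObject << 1) | (v.KernelOnlyAccess << 2) |
                   (v.ExclusiveObject << 3) | (v.PermanentObject << 4) |
                   (v.DefaultSecurityQuota << 5) | (v.SingleHandleEntry << 6) |
                   (v.DeletedInline << 7));
}

/* Write names of set flags, '|'-joined, into out (cap >= 1). Returns the mask
   of set bits not known to be used as early as version. */
UCHAR obj_flags_describe(UCHAR flags, int version, char *out, size_t cap)
{
    UCHAR bad = 0;
    out[0] = '\0';
    for (size_t i = 0; i < N_DEFS; i++) {
        if (!(flags & obj_flag_defs[i].mask)) continue;
        if (out[0]) strncat(out, "|", cap - strlen(out) - 1);
        strncat(out, obj_flag_defs[i].name, cap - strlen(out) - 1);
        if (version < obj_flag_defs[i].first) bad |= obj_flag_defs[i].mask;
    }
    return bad;
}
```

A non-zero return means only that the bit is set earlier than its first known use in the table, which may indicate a misparsed header or simply a gap in what is known.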

What makes an object count as new, in the sense of having a set OBJ_FLAG_NEW_OBJECT, is that the OBJECT_CREATE_INFORMATION that temporarily held parameters while creating the object has not yet been freed. Its address remains in the OBJECT_HEADER as the ObjectCreateInfo member.