CURRENT WORK ITEM - PREVIEW ONLY

EPROCESS

The EPROCESS structure is the kernel’s representation of a process object. For instance, if the ObReferenceObjectByHandle function successfully resolves a handle though directed to do so only if the object type is PsProcessType, then the pointer that the function produces for the object is a pointer to an EPROCESS.

Many functions that are exported from the kernel, e.g., for use by drivers, provide for referring to a process object through a pointer to an EPROCESS. However, the structure itself is meant to be opaque outside the kernel.

Layout

Since the EPROCESS structure is plainly internal to the kernel, it should not surprise that the layout changes greatly between Windows versions and even between builds. In the following table of sizes, different builds of the same version are distinguished as early and late because they are known to vary the structure even if they don’t change the size. These descriptions, as early and late, are then used throughout the article as a shorthand.

Version Size (x86) Size (x64)
3.51 to 4.0 0x01F8  
5.0 0x0288  
early 5.1 (before Windows XP SP2) 0x0258  
late 5.1 (Windows XP SP2 and higher) 0x0260  
early 5.2 (before Windows Server 2003 SP1);
late 5.2 (Windows Server 2003 SP1 and higher)
0x0278 0x03E0
early 6.0 (before Windows Vista SP1)
late 6.0 (Windows Vista SP1 and higher)
0x0270 0x03E8
6.1 0x02C0 0x04D0
6.2 0x02E8 0x0660
6.3 0x02F8 0x06B8
10.0 0x0380 0x0798

These sizes, and the offsets, types and names in the tables that follow, are from Microsoft’s symbol files for the kernel starting with Windows 2000 SP3. Since symbol files for earlier versions do not contain type information for the EPROCESS, what’s known for them is instead inferred from what use the kernel is seen to make of the EPROCESS. Sizes are straightforward, even without symbol files, since ObCreateObject and PsProcessType are exported. What’s known of Microsoft’s names and types is something of a guess. Where use of a member corresponds closely with that of a version for which Microsoft’s symbols are available, it seems reasonable to suppose continuity. Some use, however, has no correspondence, the code having changed too much. Even where the use hasn’t changed, tracking it down exhaustively would be difficult, if not impossible, even with source code.

Offset (x86) Offset (x64) Definition Versions
0x00 0x00
KPROCESS Pcb;
3.51 and higher
0x68 (3.51 to 4.0);
0x6C (5.0)
 
LONG ExitStatus;
3.51 to 5.0
0x6C (3.51 to 4.0);
0x70 (5.0)
 
KEVENT LockEvent;
3.51 to 5.0
0x7C (3.51 to 4.0);
0x80 (5.0)
 
ULONG LockCount;
3.51 to 5.0
0x6C (5.1 to early 5.2);
0x78 (late 5.2);
0x80 (6.0);
0x98 (6.1);
0xA0 (6.2 to 6.3);
0xA8
0xB8 (late 5.2);
0xC0 (6.0);
0x0160 (6.1);
0x02C8 (6.2 to 6.3);
0x02D8
EX_PUSH_LOCK ProcessLock;
5.1 and higher
0x80 (3.51 to 4.0);
0x88 (5.0);
0x70 (5.1 to early 5.2);
0x80 (late 5.2);
0x88 (6.0);
0xA0 (6.1);
0xA8 (6.2 to 6.3)
0xC0 (late 5.2);
0xC8 (6.0);
0x0168 (6.1);
0x02D0 (6.2 to 6.3)
LARGE_INTEGER CreateTime;
3.51 to 6.3
0x90 (5.0);
0x78 (5.1 to early 5.2);
0x88 (late 5.2);
0x90 (6.0);
0xA8 (6.1)
0xC8 (late 5.2);
0xD0 (6.0);
0x0170 (6.1)
LARGE_INTEGER ExitTime;
5.0 to 6.1
0x90 (3.51 to 4.0);
0x98 (5.0)
 
KTHREAD *LockOwner;
3.51 to 5.0
0x80 (5.1 to early 5.2);
0x90 (late 5.2);
0x98 (6.0);
0xB0 (6.2 to 6.3);
0xAC
0xD0 (late 5.2);
0xD8 (6.0);
0x0178 (6.1);
0x02D8 (6.2 to 6.3);
0x02E0
EX_RUNDOWN_REF RundownProtect;
5.1 and higher
0xB0  
PVOID VdmObjects;
10.0 and higher
0x94 (3.51 to 4.0);
0x9C (5.0);
0x84 (5.1 to early 5.2);
0x94 (late 5.2);
0x9C (6.0);
0xB4
0xD8 (late 5.2);
0xE0 (6.0);
0x0180 (6.1);
0x02E0 (6.2 to 6.3);
0x02E8
PVOID UniqueProcessId;
3.51 to 5.0
0x98 (3.51 to 4.0);
0xA0 (5.0);
0x88 (5.1 to early 5.2);
0x98 (late 5.2);
0xA0 (6.0);
0xB8
0xE0 (late 5.2);
0xE8 (6.0);
0x0188 (6.1);
0x02E8 (6.2 to 6.3);
0x02F0
LIST_ENTRY ActiveProcessLinks;
3.51 and higher

Two sets of bit fields that Windows XP and Windows Vista introduced towards what was then the end of the structure were moved near to the front for Windows 8. Perhaps not coincidentally, Windows 8 is the version that brings all bits into use. Windows 8.1 introduced a third set of flags, again near the end of the structure. For the individual bits and their complicated history, look to the end of this article.

Offset (x86) Offset (x64) Definition Versions
0xC0 0x02F8 (6.2 to 6.3);
0x0300
union {
    ULONG Flags2;
    struct {
        /*  bit fields, follow link  */
    };
};
6.2 and higher
0xC4 0x02FC (6.2 to 6.3);
0x0304
union {
    ULONG Flags;
    struct {
        /*  bit fields, follow link  */
    };
};
6.2 and higher
0xC8 0x0308
LARGE_INTEGER CreateTime;
10.0 and higher

There is a plan to write something here.

Offset (x86) Offset (x64) Definition Versions
0xA8 (5.0)
ULONG QuotaPeakPoolUsage [2];
5.0 only
0xB0 (5.0)  
ULONG QuotaPoolUsage [2];
5.0 only
0xB8 (5.0)  
ULONG PagefileUsage;
5.0 only
0x90 (5.1 to early 5.2);
0xA0 (late 5.2);
0xA8 (6.0)
0xF0 (late 5.2);
0xF8 (6.0)
ULONG_PTR QuotaUsage [3];
5.1 to 6.0
0x9C (5.1 to early 5.2);
0xAC (late 5.2);
0xB4 (6.0)
0x0108 (late 5.2);
0x0110 (6.0) 
ULONG_PTR QuotaPeak [3];
5.1 to 6.0
0xC0 (6.1);
0xC8 (6.2 to 6.3);
0xD0
0x0198 (6.1);
0x0300 (6.2 to 6.3);
0x0310
ULONG_PTR ProcessQuotaUsage [2];
6.1 and higher
0xC8 (6.1);
0xD0 (6.2 to 6.3);
0xD8
0x01A8 (6.1);
0x0310 (6.2 to 6.3);
0x0320
ULONG_PTR ProcessQuotaPeak [2];
6.1 and higher
0xBC (5.0);
0xA8 (5.1 to early 5.2);
0xB8 (late 5.2);
0xC0 (6.0);
0xD0 (6.1)
0x0120 (late 5.2);
0x0128 (6.0);
0x01B8 (6.1)
ULONG_PTR CommitCharge;
5.0 to 5.2
ULONG_PTR volatile CommitCharge;
6.0 to 6.1
0xC0 (5.0)  
ULONG PeakPagefileUsage;
5.0 only
0xD4 (6.1) 0x01C0 (6.1)
EPROCESS_QUOTA_BLOCK *QuotaBlock;
6.1 only
0xD8 (6.1) 0x01C8 (6.1)
PS_CPU_QUOTA_BLOCK *CpuQuotaBlock;
6.1 only
0xC4 (5.0);
0xAC (5.1 to early 5.2);
0xBC (late 5.2);
0xC4 (6.0);
0xDC (6.1);
0xD8 (6.2 to 6.3);
0xE0
0x0128 (late 5.2);
0x0130 (6.0);
0x01D0 (6.1);
0x0320 (6.2 to 6.3);
0x0330
ULONG_PTR PeakVirtualSize;
5.0 and higher
0xC8 (5.0);
0xB0 (5.1 to early 5.2);
0xC0 (late 5.2);
0xC8 (6.0);
0xE0 (6.1);
0xDC (6.2 to 6.3);
0xE4
0x0130 (late 5.2);
0x0138 (6.0);
0x01D8 (6.1);
0x0328 (6.2 to 6.3);
0x0338
ULONG_PTR VirtualSize;
5.0 and higher

There is a plan to write something here.

Offset (x86) Offset (x64) Definition Versions
0xC8 (3.51 to 4.0);
0xD0 (5.0)
 
MMSUPPORT Vm;
3.51 to 5.0
0x0118 (5.0);
0xB4 (5.1 to early 5.2);
0xC4 (late 5.2);
0xCC (6.0);
0xE4 (6.1);
0xE0 (6.2 to 6.3);
0xE8
0x0138 (late 5.2);
0x0140 (6.0);
0x01E0 (6.1);
0x0330 (6.2 to 6.3);
0x0340
LIST_ENTRY SessionProcessLinks;
5.0 and higher
0xFC (3.51 to 4.0);
0x0120 (5.0);
0xBC (5.1 to early 5.2);
0xCC (late 5.2);
0xD4 (6.0);
0xEC (6.1)
0x0148 (late 5.2);
0x0150 (6.0);
0x01F0 (6.1)
PVOID DebugPort;
3.51 to 6.1
0x0100 (3.51 to 4.0);
0x0124 (5.0);
0xC0 (5.1 to early 5.2);
0xD0 (late 5.2);
0xD8 (6.0);
0xF0 (6.1);
0xE8 (6.2 to 6.3);
0xF0
0x0150 (late 5.2);
0x0158 (6.0);
0x01F8 (6.1);
0x0340 (6.2 to 6.3);
0x0350
PVOID ExceptionPort;
3.51 to 5.2
union {
    PVOID ExceptionPortData;
    ULONG_PTR ExceptionPortValue;
    ULONG_PTR ExceptionPortState : 3;
};
6.0 and higher
0x0104 (3.51 to 4.0);
0x0128 (5.0);
0xC4 (5.1 to early 5.2);
0xD4 (late 5.2);
0xDC (6.0);
0xF4 (6.1)
0x0158 (late 5.2);
0x0160 (6.0);
0x0200 (6.1)
HANDLE_TABLE *ObjectTable;
3.51 to 6.1
0x0108 (3.51 to 4.0);
0x012C (5.0);
0xC8 (5.1 to early 5.2);
0xD8 (late 5.2);
0xE0 (6.0);
0xF8 (6.1);
0xEC (6.2 to 6.3);
0xF4
0x0160 (late 5.2);
0x0168 (6.0);
0x0208 (6.1);
0x0348 (6.2 to 6.3);
0x0358
PVOID Token;
3.51 to 5.0
EX_FAST_REF Token;
5.1 and higher
0x010C (3.51 to 4.0);
0x0130 (5.0);
0xCC (5.1)
 
FAST_MUTEX WorkingSetLock;
3.51 to 5.1
0x012C (3.51 to 4.0);
0x0150 (5.0);
0xEC (5.1);
0xCC (early 5.2);
0xDC (late 5.2);
0xE4 (6.0);
0xFC (6.1);
0xF0 (6.2 to 6.3);
0xF8
0x0168 (late 5.2);
0x0170 (6.0);
0x0210 (6.1);
0x0350 (6.2 to 6.3);
0x0360
ULONG_PTR WorkingSetPage;
3.51 and higher

There is a plan to write something here.

Offset (x86) Offset (x64) Definition Versions Remarks
0x0154 (5.0)  
BOOLEAN ProcessOutswapEnabled;
5.0 only  
0x0155 (5.0)  
BOOLEAN ProcessOutswapped;
5.0 only  
0x0156 (5.0)  
BOOLEAN AddressSpaceInitialized;
5.0 only not known earlier
0x0157 (5.0)  
BOOLEAN AddressSpaceDeleted;
5.0 only  

There is a plan to write something here. thing here.

Offset (x86) Offset (x64) Definition Versions
0x0134 (3.51 to 4.0);
0x0158 (5.0);
0xF0 (5.1);
0xD0 (early 5.2);
0xE0 (late 5.2);
0xE8 (6.0);
0x0100 (6.1);
0xF4 (6.2 to 6.3);
0xFC
 
FAST_MUTEX AddressCreationLock;
3.51 to 5.1
0x0170 (late 5.2);
0x0178 (6.0);
0x0218 (6.1);
0x0358 (6.2 to 6.3);
0x0368
KGUARDED_MUTEX AddressCreationLock;
5.2 only
EX_PUSH_LOCK AddressCreationLock;
6.0 and higher
0x0154 (3.51 to 4.0);
0x0178 (5.0);
0x0110 (5.1);
0xF0 (early 5.2);
0x0100 (late 5.2)
0x01A8 (late 5.2)
KSPIN_LOCK HyperSpaceLock;
3.51 to 5.2
0xF8 (6.3);
0x0100
0x0360 (6.2 to 6.3);
0x0370
EX_PUSH_LOCK PageTableCommitmentLock;
6.3 and higher
0xEC (6.0);
0x0104 (6.1);
0xF8 (6.2);
0xFC (6.3);
0x0104
0x0180 (6.0);
0x0220 (6.1);
0x0360 (6.2);
0x0368 (6.2 to 6.3);
0x0378
ETHREAD *RotateInProgress;
6.0 and higher
0x017C (5.0);
0x0114 (5.1);
0xF4 (early 5.2);
0x0104 (late 5.2);
0xF0 (6.0);
0x0108 (6.1);
0xFC (6.2);
0x0100 (6.3);
0x0108
0x01B0 (late 5.2);
0x0188 (6.0);
0x0228 (6.1);
0x0368 (6.2);
0x0370 (6.2 to 6.3);
0x0380
ETHREAD *ForkInProgress;
5.0 and higher

There is a plan to write something here.

Offset (x86) Offset (x64) Definition Versions
0x0180 (5.0)  
USHORT VmOperation;
5.0 only
0x0182 (5.0)  
BOOLEAN ForkWasSuccessful;
5.0 only
0x0183 (5.0)  
UCHAR MmAgressiveWsTrimMask;
5.0 only
0x0184 (5.0)  
KEVENT *VmOperationEvent;
5.0 only
0x0188 (5.0)  
PVOID PaeTop;
5.0 only
0x018C (5.0)  
ULONG LastFaultCount;
5.0 only
0x0190 (5.0)  
ULONG ModifiedPageCount;
5.0 only

There is a plan to write something here.

Offset (x86) Offset (x64) Definition Versions
0x0118 (5.1);
0xF8 (early 5.2);
0x0108 (late 5.2);
0xF4 (6.0);
0x010C (6.1);
0x0100 (6.2)
0x01B8 (late 5.2);
0x0190 (6.0);
0x0230 (6.1);
0x0370 (6.2)
ULONG_PTR HardwareTrigger;
5.1 to 6.2
0x0194 (5.0);
0x011C (5.1)
 
PVOID VadRoot;
5.0 to 5.1
0x0198 (5.0);
0x0120 (5.1)
 
PVOID VadHint;
5.0 to 5.1
0xFC (early 5.2);
0x010C (late 5.2);
0xF8 (6.0);
0x0110 (6.1)
0x01C0 (late 5.2);
0x0198 (6.0);
0x0238 (6.1)
MM_AVL_TABLE *PhysicalVadRoot;
5.2 to 6.1
0x0104 (6.2 to 6.3);
0x010C
0x0378 (6.2 to 6.3);
0x0388
EJOB *CommitChargeJob;
6.2 and higher
0x019C (5.0);
0x0124 (5.1);
0x0100 (early 5.2);
0x0110 (late 5.2);
0xFC (6.0);
0x0114 (6.1);
0x0108 (6.2 to 6.3);
0x0110
0x01C8 (late 5.2);
0x01A0 (6.0);
0x0240 (6.1);
0x0380 (6.2 to 6.3);
0x0390
PVOID CloneRoot;
5.0 to 6.2
RTL_AVL_TREE CloneRoot;
6.3 and higher
0x01A0 (5.0);
0x0128 (5.1);
0x0104 (early 5.2);
0x0114 (late 5.2);
0x0100 (6.0);
0x0118 (6.1);
0x010C (6.2 to 6.3);
0x0114
0x01D0 (late 5.2);
0x01A8 (6.0);
0x0248 (6.1);
0x0388 (6.2 to 6.3);
0x0398
ULONG_PTR NumberOfPrivatePages;
5.0 to 5.2
ULONG_PTR volatile NumberOfPrivatePages;
6.0 and higher
0x01A4 (5.0);
0x012C (5.1);
0x0108 (early 5.2);
0x0118 (late 5.2);
0x0104 (6.0);
0x011C (6.1);
0x0110 (6.2 to 6.3);
0x0118
0x01D8 (late 5.2);
0x01B0 (6.0);
0x0250 (6.1);
0x0390 (6.2 to 6.3);
0x03A0
ULONG_PTR NumberOfLockedPages;
5.0 to 5.2
ULONG_PTR volatile NumberOfLockedPages;
6.0 and higher
0x0184 (3.51 to 4.0);
0x01A8 (5.0)
 
USHORT NextPageColor;
3.51 to 5.0
0x01AA (5.0)  
BOOLEAN ExitProcessCalled;
5.0 only
0x0187 (3.51 to 4.0);
0x01AB (5.0)
 
BOOLEAN CreateProcessReported;
3.51 to 5.0
0x0130 (5.1);
0x010C (early 5.2);
0x011C (late 5.2);
0x0108 (6.0);
0x0120 (6.1);
0x0114 (6.2 to 6.3);
0x011C
0x01E0 (late 5.2);
0x01B8 (6.0);
0x0258 (6.1);
0x0398 (6.2 to 6.3);
0x03A8
PVOID Win32Process;
5.1 and higher
0x0134 (5.1);
0x0110 (early 5.2);
0x0120 (late 5.2);
0x010C (6.0);
0x0124 (6.1);
0x0118 (6.2 to 6.3);
0x0120
0x01E8 (late 5.2);
0x01C0 (6.0);
0x0260 (6.1);
0x03A0 (6.2 to 6.3);
0x03B0
EJOB *Job;
5.1 and higher
0x0188 (3.51 to 4.0);
0x01AC (5.0);
0x0138 (5.1);
0x0114 (early 5.2);
0x0124 (late 5.2);
0x0110 (6.0);
0x0128 (6.1);
0x011C (6.2 to 6.3);
0x0124
0x01F0 (late 5.2);
0x01C8 (6.0);
0x0268 (6.1);
0x03A8 (6.2 to 6.3);
0x03B8
HANDLE SectionHandle;
3.51 to 5.0
PVOID SectionObject;
5.1 and higher
0x018C (3.51 to 4.0);
0x01B0 (5.0)
 
PEB *Peb;
3.51 to 5.0
0x0190 (3.51 to 4.0);
0x01B4 (5.0);
0x013C (5.1);
0x0118 (early 5.2);
0x0128 (late 5.2);
0x0114 (6.0);
0x012C (6.1);
0x0120 (6.2 to 6.3);
0x0128
0x01F8 (late 5.2);
0x01D0 (6.0);
0x0270 (6.1);
0x03B0 (6.2 to 6.3);
0x03C0
PVOID SectionBaseAddress;
3.51 and higher
0x0194 (3.51 to 4.0);
0x01B8 (5.0);
0x0140 (5.1);
0x011C (early 5.2);
0x012C (late 5.2);
0x0118 (6.0)
0x0200 (late 5.2);
0x01D8 (6.0)
EPROCESS_QUOTA_BLOCK *QuotaBlock;
3.51 to 6.0
0x0130 (6.1);
0x0124 (6.2 to 6.3);
0x012C
0x0278 (6.1);
0x03B8 (6.2 to 6.3);
0x03C8
ULONG Cookie;
6.1 and higher
0x0134 (6.1) 0x027C (6.1)
ULONG Spare8;
6.1 only (x86)
ULONG UmsScheduledThreads;
6.1 only (x64)
0x0128 (6.2 to 6.3)  
PVOID VdmObjects;
6.2 to 6.3
0x01BC (5.0)  
LONG LastThreadExitStatus;
5.0 only

There is a plan to write something here.

Offset (x86) Offset (x64) Definition Versions
0x01C0 (5.0);
0x0144 (5.1);
0x0120 (early 5.2);
0x0130 (late 5.2);
0x011C (6.0);
0x0138 (6.1);
0x012C (6.2 to 6.3);
0x0130
0x0208 (late 5.2);
0x01E0 (6.0);
0x0280 (6.1);
0x03C0 (6.2 to 6.3);
0x03D0
PAGEFAULT_HISTORY *WorkingSetWatch;
5.0 and higher
0x01C4 (5.0);
0x0148 (5.1);
0x0124 (early 5.2);
0x0134 (late 5.2);
0x0120 (6.0);
0x013C (6.1);
0x0130 (6.2 to 6.3);
0x0134
0x0210 (late 5.2);
0x01E8 (6.0);
0x0288 (6.1);
0x03C8 (6.2 to 6.3);
0x03D8
PVOID Win32WindowStation;
5.0 and higher
0x01A4 (3.51 to 4.0);
0x01C8 (5.0);
0x014C (5.1);
0x0128 (early 5.2);
0x0138 (late 5.2);
0x0124 (6.0);
0x0140 (6.1);
0x0134 (6.2 to 6.3);
0x0138
0x0218 (late 5.2);
0x01F0 (6.0);
0x0290 (6.1);
0x03D0 (6.2 to 6.3);
0x03E0
PVOID InheritedFromUniqueProcessId;
3.51 and higher
0x01A8 (3.51 to 4.0);
0x01CC (5.0)
 
ULONG GrantedAccess;
3.51 to 5.0
0x01AC (3.51 to 4.0);
0x01D0 (5.0)
 
ULONG DefaultHardErrorProcessing;
3.51 to 5.0
0x01D4 (5.0);
0x0150 (5.1);
0x012C (early 5.2);
0x013C (late 5.2);
0x0128 (6.0);
0x0144 (6.1);
0x0138 (6.2 to 6.3);
0x013C
0x0220 (late 5.2);
0x01F8 (6.0);
0x0298 (6.1);
0x03D8 (6.2 to 6.3);
0x03E8
PVOID LdtInformation;
5.0 and higher
0x01D8 (5.0);
0x0154 (5.1);
0x0130 (early 5.2);
0x0140 (late 5.2);
0x012C (6.0)
0x0228 (late 5.2);
0x0200 (6.0)
PVOID VadFreeHint;
5.0 to early 6.0
PVOID Spare;
late 6.0 only
0x01DC (5.0);
0x0158 (5.1);
0x0x134 (early 5.2);
0x0144 (late 5.2);
0x0130 (6.0);
0x0148 (6.1)
0x0230 (late 5.2);
0x0208 (6.0);
0x02A0 (6.1)
PVOID VdmObjects;
5.0 to 6.1 (x86);
5.0 to 6.0 (x64)
PVOID Spare;
6.1 only (x64)
0x014C (6.1);
0x013C (6.2 to 6.3);
0x0140
0x02A8 (6.1);
0x03E0 (6.2 to 6.3);
0x03F0
ULONG_PTR ConsoleHostProcess;
6.1 only
union {
    EPROCESS *CreatorProcess;
    ULONG_PTR ConsoleHostProcess;
};
6.2 only
ULONG_PTR volatile OwnerProcessId;
6.3 and higher
0x0140 (6.2 to 6.3);
0x0144
0x03E8 (6.2 to 6.3);
0x03F8
PEB *Peb;
6.2 and higher
0x0144 (6.2 to 6.3);
0x0148
0x03F0 (6.2 to 6.3);
0x0400
PVOID Session;
6.2 and higher
0x0148 (6.2 to 6.3);
0x014C
0x03F8 (6.2 to 6.3);
0x0400
PVOID AweInfo;
6.2 and higher
0x014C (6.2 to 6.3);
0x0150
0x0400 (6.2 to 6.3);
0x0410
EPROCESS_QUOTA_BLOCK *QuotaBlock;
6.2 and higher
0x0150 (6.2 to 6.3);
0x0154
0x0408 (6.2 to 6.3);
0x0418
HANDLE_TABLE *ObjectTable;
6.2 and higher
0x0154 (6.2 to 6.3);
0x0158
0x0410 (6.2 to 6.3);
0x0420
PVOID DebugPort;
6.2 and higher
0x0158 (6.2 to 6.3);
0x015C
 
PVOID PaeTop;
6.2 and higher
  0x0418 (6.2 to 6.3);
0x0428
PVOID Wow64Process;
6.2 and higher
0x01E0 (5.0);
0x015C (5.1);
0x0138 (early 5.2);
0x0148 (late 5.2);
0x0134 (6.0);
0x0150 (6.1);
0x015C (6.2 to 6.3);
0x0160
0x0238 (late 5.2);
0x0210 (6.0);
0x02B0 (6.1);
0x0420 (6.2 to 6.3);
0x0430
PVOID DeviceMap;
5.0 and higher
0x01E4 (5.0)  
ULONG SessionId;
5.0 only
0x01E8 (5.0);
0x0160 (5.1);
0x013C (early 5.2);
0x014C (late 5.2)
 
LIST_ENTRY PhysicalVadList;
5.0 to 5.1
0x0240 (late 5.2)
PVOID Spare0 [3];
5.2 only
0x0138 (6.0);
0x0154 (6.1);
0x0160 (6.2 to 6.3);
0x0164
0x0218 (6.0);
0x02B8 (6.1);
0x0428 (6.2 to 6.3);
0x0438
PVOID EtwDataSource;
6.0 and higher
0x013C (6.0);
0x0158 (6.1)
0x0220 (6.0);
0x02C0 (6.1)
PVOID FreeTebHint;
6.0 to 6.1
  0x02C8 (6.1)
PVOID FreeUmsTebHint;
6.1 only
0x01F0 (5.0);
0x0168 (5.1);
0x0148 (early 5.2);
0x0158 (late 5.2);
0x0140 (6.0);
0x0160 (6.1);
0x0168
0x0258 (late 5.2);
0x0228 (6.0);
0x02D0 (6.1);
0x0430 (6.2 to 6.3);
0x0440
union {
    #ifdef _WIN64
    HARDWARE_PTE PageDirectoryPte;
    #else
    HARDWARE_PTE_X86PAE PageDirectoryPte;
    #endif
    ULONGLONG Filler;
};
5.0 to 6.1
ULONGLONG PageDirectoryPte;
6.2 and higher
0x01F8 (5.0)  
ULONG PaePageDirectoryPage;
5.0 only
0x0170 (5.1);
0x0150 (early 5.2);
0x0160 (late 5.2);
0x0148 (6.0);
0x0168 (6.1)
0x0260 (late 5.2);
0x0230 (6.0);
0x02D8 (6.1)
PVOID Session;
5.1 to 6.1
0x01FC (5.0);
0x0174 (5.1);
0x0154 (early 5.2);
0x0164 (late 5.2);
0x014C (6.0);
0x016C (6.1);
0x0170
0x0268 (late 5.2);
0x0238 (6.0);
0x02E0 (6.1);
0x0438 (6.2 to 6.3);
0x0448
UCHAR ImageFileName [0x10];
5.0 to 6.0
UCHAR ImageFileName [0x0F];
6.1 and higher
0x017B (6.1);
0x017F
0x02EF (6.1);
0x0447 (6.2 to 6.3);
0x0457
UCHAR PriorityClass;
6.1 and higher

There is a plan to write something here.

Offset (x86) Offset (x64) Definition Versions
0x020C (5.0)  
ULONG VmTrimFaultValue;
5.0 only
0x0210 (5.0)  
BOOLEAN SetTimerResolution;
5.0 only
0x0211 (5.0)  
UCHAR PriorityClass;
5.0 only
0x0212 (5.0)  
union {
    struct {
        UCHAR SubSystemMinorVersion;
        UCHAR SubSystemMajorVersion;
    };
    USHORT SubSystemVersion;
};
5.0 only
0x0214 (5.0)  
PVOID Win32Process;
5.0 only
0x0218 (5.0)  
EJOB *Job;
5.0 only
0x021C (5.0)  
ULONG JobStatus;
5.0 only

There is a plan to write something here.

Offset (x86) Offset (x64) Definition Versions
0x0180 0x0448 (6.2 to 6.3);
0x0458
PVOID SecurityPort;
6.2 and higher
0x0184 0x0450 (6.2 to 6.3);
0x0460
SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;
6.2 and higher
0x0220 (5.0);
0x0184 (5.1);
0x0164 (early 5.2);
0x0174 (late 5.2);
0x015C (6.0);
0x017C (6.1);
0x0188
0x0278 (late 5.2);
0x0248 (6.0);
0x02F0 (6.1);
0x0458 (6.2 to 6.3);
0x0468
LIST_ENTRY JobLinks;
5.0 and higher
0x0228 (5.0);
0x018C (5.1);
0x016C (early 5.2);
0x017C (late 5.2);
0x0164 (6.0);
0x0184 (6.1)
0x0288 (late 5.2);
0x0258 (6.0);
0x0300 (6.1)
PVOID LockedPagesList;
5.0 to 6.1
0x0190 0x0468 (6.2 to 6.3);
0x0478
PVOID HighestUserAddress;
6.2 and higher
0x0190 (5.1);
0x0170 (early 5.2);
0x0180 (late 5.2);
0x0168 (6.0);
0x0188 (6.1);
0x0194
0x0290 (late 5.2);
0x0260 (6.0);
0x0308 (6.1);
0x0470 (6.2 to 6.3);
0x0480
LIST_ENTRY ThreadListHead;
5.1 and higher

There is a plan to write something here.

Offset (x86) Offset (x64) Definition Versions
0x022C (5.0);
0x0198 (5.1);
0x0178 (early 5.2);
0x0188 (late 5.2);
0x0170 (6.0);
0x0190 (6.1)
0x02A0 (late 5.2);
0x0270 (6.0);
0x0318 (6.1)
PVOID SecurityPort;
5.0 to 6.1
0x0230 (5.0) 0x02A8 (late 5.2);
0x0278 (6.0);
0x0320 (6.1)
WOW64_PROCESS *Wow64Process;
5.0 only (x86);
late 5.2 to 6.1 (x64)
0x019C (5.1);
0x017C (early 5.2);
0x018C (late 5.2);
0x0174 (6.0);
0x0194 (6.1)
 
PVOID PaeTop;
5.1 to 6.1

There is a plan to write something here.

Offset (x86) Offset (x64) Definition Versions
0x01A0 (5.1);
0x0180 (early 5.2);
0x0190 (late 5.2);
0x0178 (6.0);
0x0198 (6.1);
0x019C
0x02B0 (late 5.2);
0x0280 (6.0);
0x0328 (6.1);
0x0480 (6.2 to 6.3);
0x0490
ULONG ActiveThreads;
5.1 to 5.2
ULONG volatile ActiveThreads;
6.0 and higher
0x01A4 (5.1);
0x0184 (early 5.2);
0x0194 (late 5.2)
0x02B0 (late 5.2)
ULONG GrantedAccess;
5.1 to 5.2
0x017C (6.0);
0x019C (6.1);
0x01A0
0x0284 (6.0);
0x032C (6.1);
0x0484 (6.2 to 6.3);
0x0494
ULONG ImagePathHash;
6.0 and higher
0x01A8 (5.1);
0x0188 (early 5.2);
0x0198 (late 5.2);
0x0180 (6.0);
0x01A0 (6.1);
0x01A4
0x02B8 (late 5.2);
0x0288 (6.0);
0x0330 (6.1);
0x0488 (6.2 to 6.3);
0x0498
ULONG DefaultHardErrorProcessing;
5.1 and higher
0x01AC (5.1);
0x018C (early 5.2);
0x019C (late 5.2);
0x0184 (6.0);
0x01A4 (6.1);
0x01A8
0x02BC (late 5.2);
0x028C (6.0);
0x0334 (6.1);
0x048C (6.2 to 6.3);
0x049C
LONG LastThreadExitStatus;
5.1 and higher
0x01B0 (5.1);
0x0190 (early 5.2);
0x01A0 (late 5.2);
0x0188 (6.0);
0x01A8 (6.1)
0x02C0 (late 5.2);
0x0290 (6.0);
0x0338 (6.1)
PEB *Peb;
5.1 to 6.1
0x01B4 (5.1);
0x0194 (early 5.2);
0x01A4 (late 5.2);
0x018C (6.0);
0x01AC
0x02C8 (late 5.2);
0x0298 (6.0);
0x0340 (6.1);
0x0490 (6.2 to 6.3);
0x04A0
EX_FAST_REF PrefetchTrace;
5.1 and higher
0x01B0 0x0498 (6.2 to 6.3);
0x04A8
MM_AVL_TABLE *LockedPagesList;
6.2 only
PVOID LockedPagesList;
6.3 and higher

There is a plan to write something here.

Offset (x86) Offset (x64) Definition Versions
0x0238 (5.0);
0x01B8 (5.1);
0x0198 (early 5.2);
0x01A8 (late 5.2);
0x0190 (6.0);
0x01B0 (6.1);
0x01B8
0x02D0 (late 5.2);
0x02A0 (6.0);
0x0348 (6.1);
0x04A0 (6.2 to 6.3);
0x04B0
LARGE_INTEGER ReadOperationCount;
5.0 and higher
0x0240 (5.0);
0x01C0 (5.1);
0x01A0 (early 5.2);
0x01B0 (late 5.2);
0x0198 (6.0);
0x01B8 (6.1);
0x01C0
0x02D8 (late 5.2);
0x02A8 (6.0);
0x0350 (6.1);
0x04A8 (6.2 to 6.3);
0x04B8
LARGE_INTEGER WriteOperationCount;
5.0 and higher
0x0248 (5.0);
0x01C8 (5.1);
0x01A8 (early 5.2);
0x01B8 (late 5.2);
0x01A0 (6.0);
0x01C0 (6.1);
0x01C8
0x02E0 (late 5.2);
0x02B0 (6.0);
0x0358 (6.1);
0x04B0 (6.2 to 6.3);
0x04C0
LARGE_INTEGER OtherOperationCount;
5.0 and higher
0x0250 (5.0);
0x01D0 (5.1);
0x01B0 (early 5.2);
0x01C0 (late 5.2);
0x01A8 (6.0);
0x01C8 (6.1);
0x01D0
0x02E8 (late 5.2);
0x02B8 (6.0);
0x0360 (6.1);
0x04B8 (6.2 to 6.3);
0x04C8
LARGE_INTEGER ReadTransferCount;
5.0 and higher
0x0258 (5.0);
0x01D8 (5.1);
0x01B8 (early 5.2);
0x01C8 (late 5.2);
0x01B0 (6.0);
0x01D0 (6.1);
0x01D8
0x02F0 (late 5.2);
0x02C0 (6.0);
0x0368 (6.1);
0x04C0 (6.2 to 6.3);
0x04D0
LARGE_INTEGER WriteTransferCount;
5.0 and higher
0x0260 (5.0);
0x01E0 (5.1);
0x01C0 (early 5.2);
0x01D0 (late 5.2);
0x01B8 (6.0);
0x01D8 (6.1);
0x01E0
0x02F8 (late 5.2);
0x02C8 (6.0);
0x0370 (6.1);
0x04C8 (6.2 to 6.3);
0x04D8
LARGE_INTEGER OtherTransferCount;
5.0 and higher
0x0268 (5.0);
0x01E8 (5.1);
0x01C8 (early 5.2);
0x01D8 (late 5.2);
0x01C0 (6.0);
0x01E0 (6.1);
0x01E8
0x0300 (late 5.2);
0x02D0 (6.0);
0x0378 (6.1);
0x04D0 (6.2 to 6.3);
0x04E0
ULONG_PTR CommitChargeLimit;
5.0 and higher
0x01EC 0x04D8 (6.2 to 6.3);
0x04E8
ULONG_PTR volatile CommitCharge;
6.2 and higher
0x026C (5.0);
0x01EC (5.1);
0x01CC (early 5.2);
0x01DC (late 5.2);
0x01C4 (6.0);
0x01E4 (6.1);
0x01F0
0x0308 (late 5.2);
0x02D8 (6.0);
0x0380 (6.1);
0x04E0 (6.2 to 6.3);
0x04F0
ULONG_PTR CommitChargePeak;
5.0 to 5.2
ULONG_PTR volatile CommitChargePeak;
6.0 and higher

There is a plan to write something here.

Offset (x86) Offset (x64) Definition Versions Remarks
0x0270 (5.0)  
LIST_ENTRY ThreadListHead;
5.0 only
 
0x0278 (5.0)  
RTL_BITMAP *VadPhysicalPagesBitMap;
5.0 only  
0x027C (5.0)  
ULONG VadPhysicalPages;
5.0 only  
0x0280 (5.0)  
ULONG AweLock;
5.0 only  
0x0284 (5.0)  
UNICODE_STRING *pImageFileName;
5.0 only last member in 5.0

Appended for Windows XP

Offset (x86) Offset (x64) Definition Versions Remarks
0x01F0 (5.1);
0x01D0 (early 5.2);
0x01E0 (late 5.2);
0x01C8 (6.0);
0x01E8 (6.1)
0x0310 (late 5.2);
0x02E0 (6.0);
0x0388 (6.1)
PVOID AweInfo;
5.1 to 6.1  
0x01F4 (5.1);
0x01D4 (early 5.2);
0x01E4 (late 5.2);
0x01CC (6.0);
0x01EC (6.1)
0x0318 (late 5.2);
0x02E8 (6.0);
0x0390 (6.1)
SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;
5.1 to 6.1  
0x01F8 (5.1);
0x01D8 (early 5.2);
0x01E8 (late 5.2);
0x01D0 (6.0);
0x01F0 (6.1);
0x01F4
0x0320 (late 5.2);
0x02F0 (6.0);
0x0398 (6.1);
0x04E8 (6.2 to 6.3);
0x04F8
MMSUPPORT Vm;
5.1 and higher
 
0x0238 (5.1)  
ULONG LastFaultCount;
5.1 only
 
  0x0378 (late 5.2)
ULONG Spares [2];
late 5.2 only  
0x0238 (early 5.2);
0x0230 (late 5.2);
0x0218 (6.0);
0x025C (6.1);
0x0264 (6.2 to 6.3);
0x0274
0x0358 (6.0);
0x0420 (6.1);
0x0578 (6.2);
0x05C0 (6.3);
0x05F0
LIST_ENTRY MmProcessLinks;
5.2 and higher (x86);
6.0 and higher (x64)
 
0x0264 (6.1) 0x0430 (6.1)
PVOID HighestUserAddress;
6.1 only  
0x023C (5.1);
0x0240 (early 5.2);
0x0238 (late 5.2);
0x0220 (6.0);
0x0268 (6.1);
0x026C (6.2 to 6.3);
0x027C
0x0380 (late 5.2);
0x0368 (6.0);
0x0438 (6.1);
0x0588 (6.2);
0x05D0 (6.3);
0x0600
ULONG ModifiedPageCount;
5.1 and higher
 
0x0240 (5.1)  
ULONG NumberOfVads;
5.1 only  
0x0244 (5.1 to early 5.2);
0x023C (late 5.2)
0x0384 (late 5.2)
ULONG JobStatus;
5.1 to 5.2  
0x0224 (6.0);
0x026C (6.1)
0x036C (6.0);
0x043C (6.1)
union {
    ULONG Flags2;
    struct {
        /*  bit fields, follow link  */
    };
};
6.0 to 6.1  
0x0248 (5.1 to early 5.2);
0x0240 (late 5.2);
0x0228 (6.0);
0x0270 (6.1)
0x0388 (late 5.2);
0x0370 (6.0);
0x0440 (6.1)
union {
    ULONG Flags;
    struct {
        /*  bit fields, follow link  */
    };
};
5.1 to 6.1  
0x024C (5.1 to early 5.2);
0x0244 (late 5.2);
0x022C (6.0);
0x0274 (6.1);
0x0270 (6.2 to 6.3);
0x0280
0x038C (late 5.2);
0x0374 (6.0);
0x0444 (6.1);
0x058C (6.2);
0x05D4 (6.3);
0x0604
LONG ExitStatus;
5.1 and higher  
0x0250 (5.1 to early 5.2);
0x0248 (late 5.2);
0x0230 (6.0)
0x0390 (late 5.2);
0x0378 (6.0)
USHORT NextPageColor;
5.1 to 5.2  
USHORT Spare7;
6.0 only  
0x0252 (5.1 to early 5.2);
0x024A (late 5.2);
0x0232 (6.0)
0x0392 (late 5.2);
0x037A (6.0)
union {
    struct {
        UCHAR SubSystemMinorVersion;
        UCHAR SubSystemMajorVersion;
    };
    USHORT SubSystemVersion;
};
5.1 to 6.0  
0x0254 (5.1 to early 5.2);
0x024C (late 5.2);
0x0234 (6.0)
0x0394 (late 5.2);
0x037C (6.0)
UCHAR PriorityClass;
5.1 to 6.0  
0x0255 (5.1)  
BOOLEAN WorkingSetAcquiredUnsafe;
5.1 only last member in early 5.1
0x0258 (late 5.1)  
ULONG Cookie;
late 5.1 only last member in late 5.1

Appended for Windows Server 2003

Offset (x86) Offset (x64) Definition Versions Remarks
0x0258 (early 5.2);
0x0250 (late 5.2);
0x0238 (6.0);
0x0278 (6.1);
0x0274 (6.2 to 6.3);
0x0284
0x0398 (late 5.2);
0x0380 (6.0);
0x0448 (6.1);
0x0590 (6.2);
0x05D8 (6.3);
0x0608
MM_AVL_TABLE VadRoot;
5.2 to 6.2
last member in early 5.2
RTL_AVL_TREE VadRoot;
6.3 and higher  
0x0278 (6.3);
0x0288
0x05E0 (6.3);
0x0610
PVOID VadHint;
6.3 and higher  
0x027C (6.3);
0x028C
0x05E8 (6.3);
0x0618
ULONG_PTR VadCount;
6.3 and higher  
0x028C (6.2);
0x0280 (6.3);
0x0290
0x05C0 (6.2);
0x05F0 (6.3);
0x0620
ULONG_PTR volatile VadPhysicalPages;
6.2 and higher  
0x0290 (6.2);
0x0284 (6.3);
0x0294
0x05C8 (6.2);
0x05F8 (6.3);
0x0628
UULONG_PTR VadPhysicalPagesLimit;
6.2 and higher  
0x0270 (late 5.2);
0x0258 (6.0)
0x03D8 (late 5.2);
0x03C0 (6.0)
ULONG Cookie;
late 5.2 to 6.0 last member in late 5.2

Appended for Windows Vista

Offset (x86) Offset (x64) Definition Versions Remarks
0x025C (6.0);
0x0298 (6.1);
0x0294 (6.2);
0x0288 (6.3);
0x0298
0x03C8 (6.0);
0x0488 (6.1);
0x05D0 (6.2);
0x0600 (6.3);
0x0630
ALPC_PROCESS_CONTEXT AlpcContext;
6.0 and higher last member in 6.0

Appended for Windows 7

Offset (x86) Offset (x64) Definition Versions Remarks
0x02A8 (6.1);
0x02A4 (6.2);
0x0298 (6.3);
0x02A8
0x04A8 (6.1);
0x05F0 (6.2);
0x0620 (6.3);
0x0650
LIST_ENTRY TimerResolutionLink;
6.1 and higher  
0x02B0 (6.1) 0x04B8 (6.1)
ULONG RequestedTimerResolution;
6.1 only  
0x02B4 (6.1) 0x04BC (6.1)
ULONG ActiveThreadsHighWatermark;
6.1 only  
0x02B8 (6.1) 0x04C0 (6.1)
ULONG SmallestTimerResolution;
6.1 only  
0x02BC (6.1);
0x02AC (6.2);
0x02A0 (6.3);
0x02B0
0x04C8 (6.1);
0x0600 (6.2);
0x0630 (6.3);
0x0660
PO_DIAG_STACK_RECORD *TimerResolutionStackRecord;
6.1 and higher last member in 6.1

Appended for Windows 8

Offset (x86) Offset (x64) Definition Versions Remarks
0x02B0 (6.2);
0x02A4 (6.3);
0x02B4
0x0608 (6.2);
0x0638 (6.3);
0x0668
ULONG RequestedTimerResolution;
6.2 and higher  
0x02B4 (6.2);
0x02A8 (6.3);
0x02B8
0x060C (6.2);
0x063C (6.3);
0x066C
ULONG SmallestTimerResolution;
6.2 and higher  
0x02B8 (6.2);
0x02B0 (6.3);
0x02C0
0x0610 (6.2);
0x0640 (6.3);
0x0670
LARGE_INTEGER ExitTime;
6.2 and higher  
  0x0618 (6.2);
0x0648 (6.3);
0x0678
INVERTED_FUNCTION_TABLE *InvertedFunctionTable;
6.2 and higher  
  0x0620 (6.2);
0x0650 (6.3);
0x0680
EX_PUSH_LOCK InvertedFunctionTableLock;
6.2 and higher  
0x02C0 (6.2);
0x02B8 (6.3);
0x02C8
0x0628 (6.2);
0x0658 (6.3);
0x0688
ULONG ActiveThreadsHighWatermark;
6.2 and higher  
0x02C4 (6.2);
0x02BC (6.3);
0x02CC
0x062C (6.2);
0x065C (6.3);
0x068C
ULONG LargePrivateVadCount;
6.2 and higher  
0x02C8 (6.2);
0x02C0 (6.3);
0x02D0
0x0630 (6.2);
0x0660 (6.3);
0x0690
EX_PUSH_LOCK ThreadListLock;
6.2 and higher  
0x02CC (6.2);
0x02C4 (6.3);
0x02D4
0x0638 (6.2);
0x0668 (6.3);
0x0698
PVOID WnfContext;
6.2 and higher  
0x02D0 (6.2);
0x02C8 (6.3);
0x02D8
0x0640 (6.2);
0x0670 (6.3);
0x06A0
ULONG_PTR SectionMappingSize;
6.2 only  
ULONG_PTR Spare0;
6.3 and higher  
0x02D4 (6.2);
0x02CC (6.3);
0x02DC
0x0648 (6.2);
0x0678 (6.3);
0x06A8
UCHAR SignatureLevel;
6.2 and higher  
0x02D5 (6.2);
0x02CD (6.3);
0x02DD
0x0649 (6.2);
0x0679 (6.3);
0x06A9
UCHAR SectionSignatureLevel;
6.2 and higher  
0x02D6 (6.2);
0x02CE (6.3);
0x02DE
0x064A (6.2);
0x067A (6.3);
0x06AA
UCHAR SpareByte20 [2];
6.2 only  
PS_PROTECTION Protection;
6.3 and higher  
0x02CF (6.3);
0x02DF
0x067B (6.3);
0x06AB
UCHAR SpareByte20 [1];
6.3 only  
UCHAR HangCount;
10.0 and higher  
0x02D0 (6.3);
0x02E0
0x067C (6.3);
0x06AC
union {
    ULONG Flags3;
    struct {
        /*  bit fields, follow link  */
    };
};
6.3 and higher  
0x02E4 0x06B0
LONG DeviceAsid;
10.0 and higher  
0x02D4 (6.3) 0x0680 (6.3)
LONG SvmReserved;
6.3 only  
0x02D8 (6.3);
0x02E8
0x0688 (6.3);
0x06B8
PVOID SvmReserved1;
6.3 and higher  
PVOID SvmData;
10.0 and higher  
0x02DC (6.3);
0x02EC
0x0690 (6.3);
0x06C0
ULONG_PTR SvmReserved2;
6.3 only  
EX_PUSH_LOCK SvmProcessLock;
10.0 and higher  
0x02F0 0x06C8
ULONG_PTR SvmLock;
10.0 and higher  
0x02F4 0x06D0
LIST_ENTRY SvmProcessDeviceListHead;
10.0 and higher  
0x02D8 (6.2) 0x064C (6.2)
ULONG KeepAliveCounter;
6.2 and higher  
0x02DC (6.2) 0x0650 (6.2)
PROCESS_DISK_COUNTERS *DiskCounters;
6.2 only  
0x02E0 (6.2 to 6.3);
0x0300
0x0658 (6.2);
0x0698 (6.3);
0x06E0
ULONGLONG LastFreezeInterruptTime;
6.2 and higher last member in 6.2
0x02E8 (6.3);
0x0308
0x06A0 (6.3);
0x06E8
PROCESS_DISK_COUNTERS *DiskCounters;
6.3 and higher  
0x030C 0x06A8 (6.3);
0x06F0
PVOID PicoContext;
6.3 and higher (x64);
10.0 and higher (x86)
 
  0x06F8
ULONGLONG TrustletIdentity;
10.0 and higher  
0x02EC (6.3);
0x0310
0x06B0 (6.3);
0x0700
ULONG KeepAliveCounter;
6.3 and higher  
0x02F0 (6.3);
0x0314
0x06B4 (6.3);
0x0704
ULONG NoWakeKeepAliveCounter;
6.3 and higher last member in 6.3

Appended for Windows 10

Offset (x86) Offset (x64) Definition Versions Remarks
0x0318 0x0708
ULONG HighPriorityFaultsAllowed;
10.0 and higher  
0x031C  
PVOID InstrumentationCallback;
10.0 and higher  
0x0320 0x0710
PROCESS_ENERGY_VALUES *EnergyValues;
10.0 and higher  
0x0324 0x0718
PVOID VmContext;
10.0 and higher  
0x0328 0x0720
ESILO *Silo;
10.0 and higher  
0x032C 0x0728
LIST_ENTRY SiloEntry;
10.0 and higher  
0x0338 0x0738
ULONGLONG SequenceNumber;
10.0 and higher  
0x0340 0x0740
ULONGLONG CreateInterruptTime;
10.0 and higher  
0x0348 0x0748
ULONGLONG CreateUnbiasedInterruptTime;
10.0 and higher  
0x0350 0x0750
ULONGLONG TotalUnbiasedFrozenTime;
10.0 and higher  
0x0358 0x0758
ULONGLONG LastAppStateUpdateTime;
10.0 and higher  
0x0360 0x0760
ULONGLONG LastAppStateUptime : 61;
ULONGLONG LastAppState : 3;
10.0 and higher  
0x0368 0x0768
ULONG_PTR volatile SharedCommitCharge;
10.0 and higher  
0x036C 0x0770
EX_PUSH_LOCK SharedCommitLock;
10.0 and higher  
0x0370 0x0778
LIST_ENTRY SharedCommitLinks;
10.0 and higher  
0x0378 0x0788
union {
    struct {
        ULONG_PTR AllowedCpuSets;
        ULONG_PTR DefaultCpuSets;
    };
    struct {
        ULONG_PTR *AllowedCpuSetsIndirect;
        ULONG_PTR *DefaultCpuSetsIndirect;
    };
};
10.0 and higher last member in 10.0