Application Compatibility Flags in the PEB

The PEB got two sets of flags for Application Compatibility in Windows XP, one each apparently for kernel and user issues. The kernel set is named AppCompatFlags and is reliably at offsets 0x01D8 and 0x02C8 in 32-bit and 64-bit Windows, respectively. As a set, these flags are a ULARGE_INTEGER. Individual flags are defined by macros. Microsoft’s names for them therefore do not show in public symbol files and might have been unknown forever except that Microsoft published some in a header named APCOMPAT.H in the Enterprise edition of the Windows Driver Kit (WDK) for the 1511 release of Windows 10.

Mask Name
0x00000001 KACF_OLDGETSHORTPATHNAME
0x00000002 KACF_VERSIONLIE_NOT_USED
0x00000004 not defined
0x00000008 KACF_GETDISKFREESPACE
0x00000010 not defined
0x00000020 KACF_FTMFROMCURRENTAPT
0x00000040 KACF_DISALLOWORBINDINGCHANGES
0x00000080 KACF_OLE32VALIDATEPTRS
0x00000100 KACF_DISABLECICERO
0x00000200 KACF_OLE32ENABLEASYNCDOCFILE
0x00000400 KACF_OLE32ENABLELEGACYEXCEPTIONHANDLING
0x00000800 KACF_RPCDISABLENDRCLIENTHARDENING
0x00001000 KACF_RPCDISABLENDRMAYBENULL_SIZEIS
0x00002000 KACF_DISABLEALLDDEHACK_NOT_USED
0x00004000 KACF_RPCDISABLENDR61_RANGE
0x00008000 KACF_RPC32ENABLELEGACYEXCEPTIONHANDLING
0x00010000 KACF_OLE32DOCFILEUSELEGACYNTFSFLAGS
0x00020000 KACF_RPCDISABLENDRCONSTIIDCHECK
0x00040000 KACF_USERDISABLEFORWARDERPATCH
0x00080000 not defined
0x00100000 KACF_OLE32DISABLENEW_WMPAINT_DISPATCH
0x00200000 KACF_ADDRESTRICTEDSIDINCOINITIALIZESECURITY
0x00400000 KACF_ALLOCDEBUGINFOFORCRITSECTIONS
0x00800000 KACF_OLEAUT32ENABLEUNSAFELOADTYPELIBRELATIVE
0x01000000 KACF_ALLOWMAXIMIZEDWINDOWGAMMA
0x80000000 KACF_DONOTADDTOCACHE

That the AppCompatFlags represent kernel compatibility issues, as distinct from the issues that have the separate AppCompatFlagsUser member, looks to be entirely a user-mode distinction, as originally modelled by the separation of KERNEL32 and USER32. APPHELP loads them from the MASK attribute of a <FLAG> tag whose TYPE is KERNEL.