#ifndef _NTPEBTEB_H
/**
* Process Environment Block (PEB) structure.
*
* Full internal layout of the per-process block. The public winternl.h
* definition names only a handful of these fields and marks the rest
* as Reserved.
*
* NOTE(review): field offsets depend on OS build and bitness (see the
* "since RS3 / RS4 / RS5 / 19H1 / WIN11" markers below). Validate offsets
* against the target build instead of assuming this layout.
*
* NOTE(review): the PEB holds user-mode parameters and is presumably
* writable by code running inside the process. Treat values read from it
* (BeingDebugged, NtGlobalFlag, ProcessParameters, Ldr) as diagnostic
* hints, not as trustworthy security signals - confirm against
* kernel-sourced telemetry.
*
* \sa https://learn.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb
*/
typedef struct _PEB
{
//
// The process was cloned with an inherited address space.
//
BOOLEAN InheritedAddressSpace;
//
// The process has image file execution options (IFEO).
//
BOOLEAN ReadImageFileExecOptions;
//
// The process has a debugger attached.
// Microsoft's reference recommends CheckRemoteDebuggerPresent over reading
// this field directly, because the PEB layout may change.
//
BOOLEAN BeingDebugged;
//
// Image and protection flags; BitField is the raw byte, the anonymous
// struct is its per-bit view.
// NOTE(review): these bits are a user-mode copy. Presumably the kernel's
// process object is what enforces protection - do not base trust
// decisions on them; confirm.
//
union
{
BOOLEAN BitField;
struct
{
BOOLEAN ImageUsesLargePages : 1; // The process uses large image regions (4 MB).
BOOLEAN IsProtectedProcess : 1; // The process is a protected process.
BOOLEAN IsImageDynamicallyRelocated : 1; // The process image base address was relocated.
BOOLEAN SkipPatchingUser32Forwarders : 1; // The process skipped forwarders for User32.dll functions. 1 for 64-bit, 0 for 32-bit.
BOOLEAN IsPackagedProcess : 1; // The process is a packaged store process (APPX/MSIX).
BOOLEAN IsAppContainerProcess : 1; // The process has an AppContainer token.
BOOLEAN IsProtectedProcessLight : 1; // The process is a protected process (light).
BOOLEAN IsLongPathAwareProcess : 1; // The process is long path aware.
};
};
//
// Handle to a mutex for synchronization.
//
HANDLE Mutant;
//
// Pointer to the base address of the process image.
//
PVOID ImageBaseAddress;
//
// Pointer to the process loader data (PEB_LDR_DATA), which holds
// information about the modules loaded in the process.
//
PPEB_LDR_DATA Ldr;
//
// Pointer to the process parameters (RTL_USER_PROCESS_PARAMETERS), which
// per the Win32 reference include the command line.
// NOTE(review): presumably process-writable; corroborate the command line
// with process-creation telemetry before relying on it.
//
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
//
// Reserved.
//
PVOID SubSystemData;
//
// Pointer to the process default heap.
//
PVOID ProcessHeap;
//
// Pointer to a critical section used to synchronize access to the PEB.
//
PRTL_CRITICAL_SECTION FastPebLock;
//
// Pointer to a singly linked list used by ATL.
//
PSLIST_HEADER AtlThunkSListPtr;
//
// Pointer to the Image File Execution Options key.
//
PVOID IFEOKey;
//
// Cross process flags. CrossProcessFlags is the raw value; the anonymous
// struct is its per-bit view (8 named bits plus 24 reserved).
//
union
{
ULONG CrossProcessFlags;
struct
{
ULONG ProcessInJob : 1; // The process is part of a job.
ULONG ProcessInitializing : 1; // The process is initializing.
ULONG ProcessUsingVEH : 1; // The process is using VEH.
ULONG ProcessUsingVCH : 1; // The process is using VCH.
ULONG ProcessUsingFTH : 1; // The process is using FTH.
ULONG ProcessPreviouslyThrottled : 1; // The process was previously throttled.
ULONG ProcessCurrentlyThrottled : 1; // The process is currently throttled.
ULONG ProcessImagesHotPatched : 1; // The process images are hot patched. // RS5
ULONG ReservedBits0 : 24;
};
};
//
// User32 KERNEL_CALLBACK_TABLE (ntuser.h)
// The same slot is also exposed as UserSharedInfoPtr.
// NOTE(review): presumably a table of code pointers - integrity-relevant
// when inspecting a process image in memory forensics; confirm.
//
union
{
PVOID KernelCallbackTable;
PVOID UserSharedInfoPtr;
};
//
// Reserved.
//
ULONG SystemReserved;
//
// Pointer to the Active Template Library (ATL) singly linked list (32-bit)
//
ULONG AtlThunkSListPtr32;
//
// Pointer to the API Set Schema.
//
PAPI_SET_NAMESPACE ApiSetMap;
//
// Counter for TLS expansion.
//
ULONG TlsExpansionCounter;
//
// Pointer to the TLS bitmap.
//
PRTL_BITMAP TlsBitmap;
//
// Bits for the TLS bitmap.
//
ULONG TlsBitmapBits[2];
//
// Reserved for CSRSS.
//
PVOID ReadOnlySharedMemoryBase;
//
// Pointer to the USER_SHARED_DATA for the current SILO.
//
PSILO_USER_SHARED_DATA SharedData;
//
// Reserved for CSRSS.
//
PVOID* ReadOnlyStaticServerData;
//
// Pointer to the ANSI code page data. (PCPTABLEINFO)
//
PVOID AnsiCodePageData;
//
// Pointer to the OEM code page data. (PCPTABLEINFO)
//
PVOID OemCodePageData;
//
// Pointer to the Unicode case table data. (PNLSTABLEINFO)
//
PVOID UnicodeCaseTableData;
//
// The total number of system processors.
//
ULONG NumberOfProcessors;
//
// Global flags for the system. NtGlobalFlag is the raw value; each bit of
// the NtGlobalFlags view is annotated with its FLG_* constant name.
//
union
{
ULONG NtGlobalFlag;
struct
{
ULONG StopOnException : 1; // FLG_STOP_ON_EXCEPTION
ULONG ShowLoaderSnaps : 1; // FLG_SHOW_LDR_SNAPS
ULONG DebugInitialCommand : 1; // FLG_DEBUG_INITIAL_COMMAND
ULONG StopOnHungGUI : 1; // FLG_STOP_ON_HUNG_GUI
ULONG HeapEnableTailCheck : 1; // FLG_HEAP_ENABLE_TAIL_CHECK
ULONG HeapEnableFreeCheck : 1; // FLG_HEAP_ENABLE_FREE_CHECK
ULONG HeapValidateParameters : 1; // FLG_HEAP_VALIDATE_PARAMETERS
ULONG HeapValidateAll : 1; // FLG_HEAP_VALIDATE_ALL
ULONG ApplicationVerifier : 1; // FLG_APPLICATION_VERIFIER
ULONG MonitorSilentProcessExit : 1; // FLG_MONITOR_SILENT_PROCESS_EXIT
ULONG PoolEnableTagging : 1; // FLG_POOL_ENABLE_TAGGING
ULONG HeapEnableTagging : 1; // FLG_HEAP_ENABLE_TAGGING
ULONG UserStackTraceDb : 1; // FLG_USER_STACK_TRACE_DB
ULONG KernelStackTraceDb : 1; // FLG_KERNEL_STACK_TRACE_DB
ULONG MaintainObjectTypeList : 1; // FLG_MAINTAIN_OBJECT_TYPELIST
ULONG HeapEnableTagByDll : 1; // FLG_HEAP_ENABLE_TAG_BY_DLL
ULONG DisableStackExtension : 1; // FLG_DISABLE_STACK_EXTENSION
ULONG EnableCsrDebug : 1; // FLG_ENABLE_CSRDEBUG
ULONG EnableKDebugSymbolLoad : 1; // FLG_ENABLE_KDEBUG_SYMBOL_LOAD
ULONG DisablePageKernelStacks : 1; // FLG_DISABLE_PAGE_KERNEL_STACKS
ULONG EnableSystemCritBreaks : 1; // FLG_ENABLE_SYSTEM_CRIT_BREAKS
ULONG HeapDisableCoalescing : 1; // FLG_HEAP_DISABLE_COALESCING
ULONG EnableCloseExceptions : 1; // FLG_ENABLE_CLOSE_EXCEPTIONS
ULONG EnableExceptionLogging : 1; // FLG_ENABLE_EXCEPTION_LOGGING
ULONG EnableHandleTypeTagging : 1; // FLG_ENABLE_HANDLE_TYPE_TAGGING
ULONG HeapPageAllocs : 1; // FLG_HEAP_PAGE_ALLOCS
ULONG DebugInitialCommandEx : 1; // FLG_DEBUG_INITIAL_COMMAND_EX
ULONG DisableDbgPrint : 1; // FLG_DISABLE_DBGPRINT
ULONG CritSecEventCreation : 1; // FLG_CRITSEC_EVENT_CREATION
ULONG LdrTopDown : 1; // FLG_LDR_TOP_DOWN
ULONG EnableHandleExceptions : 1; // FLG_ENABLE_HANDLE_EXCEPTIONS
ULONG DisableProtDlls : 1; // FLG_DISABLE_PROTDLLS
} NtGlobalFlags;
};
//
// Timeout for critical sections.
//
LARGE_INTEGER CriticalSectionTimeout;
//
// Reserved size for heap segments.
//
SIZE_T HeapSegmentReserve;
//
// Committed size for heap segments.
//
SIZE_T HeapSegmentCommit;
//
// Threshold for decommitting total free heap.
//
SIZE_T HeapDeCommitTotalFreeThreshold;
//
// Threshold for decommitting free heap blocks.
//
SIZE_T HeapDeCommitFreeBlockThreshold;
//
// Number of process heaps.
//
ULONG NumberOfHeaps;
//
// Maximum number of process heaps.
//
ULONG MaximumNumberOfHeaps;
//
// Pointer to an array of process heaps. ProcessHeaps is initialized
// to point to the first free byte after the PEB and MaximumNumberOfHeaps
// is computed from the page size used to hold the PEB, less the fixed
// size of this data structure.
//
PVOID* ProcessHeaps;
//
// Pointer to the system GDI shared handle table.
//
PVOID GdiSharedHandleTable;
//
// Pointer to the process starter helper.
//
PVOID ProcessStarterHelper;
//
// The maximum number of GDI function calls during batch operations (GdiSetBatchLimit)
//
ULONG GdiDCAttributeList;
//
// Pointer to the loader lock critical section.
//
PRTL_CRITICAL_SECTION LoaderLock;
//
// Major version of the operating system.
//
ULONG OSMajorVersion;
//
// Minor version of the operating system.
//
ULONG OSMinorVersion;
//
// Build number of the operating system.
//
USHORT OSBuildNumber;
//
// CSD version of the operating system.
//
USHORT OSCSDVersion;
//
// Platform ID of the operating system.
//
ULONG OSPlatformId;
//
// Subsystem of the current process image (PE Headers); its version is
// carried by the two fields that follow.
//
ULONG ImageSubsystem;
//
// Major version of the current process image subsystem (PE Headers).
//
ULONG ImageSubsystemMajorVersion;
//
// Minor version of the current process image subsystem (PE Headers).
//
ULONG ImageSubsystemMinorVersion;
//
// Affinity mask for the current process.
//
KAFFINITY ActiveProcessAffinityMask;
//
// Temporary buffer for GDI handles accumulated in the current batch.
//
GDI_HANDLE_BUFFER GdiHandleBuffer;
//
// Pointer to the post-process initialization routine available for use by the application.
// The Win32 reference lists this member as "Not supported".
//
PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
//
// Pointer to the TLS expansion bitmap.
//
PRTL_BITMAP TlsExpansionBitmap;
//
// Bits for the TLS expansion bitmap. TLS_EXPANSION_SLOTS
//
ULONG TlsExpansionBitmapBits[32];
//
// Session ID of the current process (the Terminal Services session
// identifier, per the Win32 reference).
//
ULONG SessionId;
//
// Application compatibility flags. KACF_*
//
ULARGE_INTEGER AppCompatFlags;
//
// Application compatibility flags. KACF_*
// NOTE(review): same description as AppCompatFlags; presumably the
// user-scoped counterpart - confirm.
//
ULARGE_INTEGER AppCompatFlagsUser;
//
// Pointer to the Application SwitchBack Compatibility Engine.
//
PVOID pShimData;
//
// Pointer to the Application Compatibility Engine.
//
PAPPCOMPAT_EXE_DATA AppCompatInfo;
//
// CSD version string of the operating system.
//
UNICODE_STRING CSDVersion;
//
// Pointer to the process activation context.
//
PACTIVATION_CONTEXT_DATA ActivationContextData;
//
// Pointer to the process assembly storage map.
//
PASSEMBLY_STORAGE_MAP ProcessAssemblyStorageMap;
//
// Pointer to the system default activation context.
//
PACTIVATION_CONTEXT_DATA SystemDefaultActivationContextData;
//
// Pointer to the system assembly storage map.
//
PASSEMBLY_STORAGE_MAP SystemAssemblyStorageMap;
//
// Minimum stack commit size.
//
SIZE_T MinimumStackCommit;
//
// since 19H1 (previously FlsCallback to FlsHighIndex)
//
PVOID SparePointers[2];
//
// Pointer to the patch loader data.
//
PVOID PatchLoaderData;
//
// Pointer to the CHPE V2 process information. CHPEV2_PROCESS_INFO
//
PVOID ChpeV2ProcessInfo;
//
// Packaged process feature state.
//
ULONG AppModelFeatureState;
//
// SpareUlongs
//
ULONG SpareUlongs[2];
//
// Active code page.
//
USHORT ActiveCodePage;
//
// OEM code page.
//
USHORT OemCodePage;
//
// Code page case mapping.
//
USHORT UseCaseMapping;
//
// Unused NLS field.
//
USHORT UnusedNlsField;
//
// Pointer to the application WER registration data.
//
PWER_PEB_HEADER_BLOCK WerRegistrationData;
//
// Pointer to the application WER assert pointer.
//
PVOID WerShipAssertPtr;
//
// One slot with two version-dependent meanings: switchback context data on
// Windows 7 and below, EC bitmap on ARM64 on Windows 11 and above.
//
union
{
PVOID pContextData; // Pointer to the switchback compatibility engine (Windows 7 and below)
PVOID EcCodeBitMap; // Pointer to the EC bitmap on ARM64 (Windows 11 and above) // since WIN11
};
//
// Reserved.
//
PVOID pImageHeaderHash;
//
// ETW tracing flags. TracingFlags is the raw value; the anonymous struct
// is its per-bit view (3 named bits plus 29 spare).
//
union
{
ULONG TracingFlags;
struct
{
ULONG HeapTracingEnabled : 1; // ETW heap tracing enabled.
ULONG CritSecTracingEnabled : 1; // ETW lock tracing enabled.
ULONG LibLoaderTracingEnabled : 1; // ETW loader tracing enabled.
ULONG SpareTracingBits : 29;
};
};
//
// Reserved for CSRSS.
//
ULONGLONG CsrServerReadOnlySharedMemoryBase;
//
// Pointer to the thread pool worker list lock.
//
PRTL_CRITICAL_SECTION TppWorkerpListLock;
//
// Head of the thread pool worker list. This is an embedded LIST_ENTRY,
// not a pointer to one.
//
LIST_ENTRY TppWorkerpList;
//
// Wait on address hash table. (RtlWaitOnAddress)
//
PVOID WaitOnAddressHashTable[128];
//
// Pointer to the telemetry coverage header. // since RS3
//
PTELEMETRY_COVERAGE_HEADER TelemetryCoverageHeader;
//
// Cloud file flags. (ProjFs and Cloud Files) // since RS4
//
ULONG CloudFileFlags;
//
// Cloud file diagnostic flags.
//
ULONG CloudFileDiagFlags;
//
// Placeholder compatibility mode. (ProjFs and Cloud Files)
//
CHAR PlaceholderCompatibilityMode;
//
// Reserved for placeholder compatibility mode.
//
CHAR PlaceholderCompatibilityModeReserved[7];
//
// Pointer to leap second data. // since RS5
//
PLEAP_SECOND_DATA LeapSecondData;
//
// Leap second flags. LeapSecondFlags is the raw value; only bit 0 is named.
//
union
{
ULONG LeapSecondFlags;
struct
{
ULONG SixtySecondEnabled : 1; // Leap seconds enabled.
ULONG Reserved : 31;
};
};
//
// Global flags for the process.
//
ULONG NtGlobalFlag2;
//
// Extended feature disable mask (AVX). // since WIN11
//
ULONGLONG ExtendedFeatureDisableMask;
} PEB, *PPEB;
// winternl.h
// Public SDK view of the PEB. Only the named members are documented; the
// Reserved* members are described as reserved for internal use by the
// operating system, and the reference warns that the structure may be
// altered in future versions of Windows.
typedef struct _PEB {
BYTE Reserved1[2];
// Indicates whether the process is currently being debugged. The reference
// recommends CheckRemoteDebuggerPresent instead of reading this field.
BYTE BeingDebugged;
BYTE Reserved2[1];
PVOID Reserved3[2];
// Pointer to a PEB_LDR_DATA structure with information about the modules
// loaded for the process.
PPEB_LDR_DATA Ldr;
// Pointer to an RTL_USER_PROCESS_PARAMETERS structure with process
// parameter information such as the command line.
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
PVOID Reserved4[3];
PVOID AtlThunkSListPtr;
PVOID Reserved5;
ULONG Reserved6;
PVOID Reserved7;
ULONG Reserved8;
ULONG AtlThunkSListPtr32;
PVOID Reserved9[45];
BYTE Reserved10[96];
// Listed as "Not supported" in the reference.
PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
BYTE Reserved11[128];
PVOID Reserved12[1];
// Terminal Services session identifier associated with the current process.
ULONG SessionId;
} PEB, *PPEB;
[This structure may be altered in future versions of Windows.]
Contains process information.
Reserved1
Reserved for internal use by the operating system.
BeingDebugged
Indicates whether the specified process is currently being debugged. The PEB structure, however, is an internal operating-system structure whose layout may change in the future. It is best to use the CheckRemoteDebuggerPresent function instead.
Reserved2
Reserved for internal use by the operating system.
Reserved3
Reserved for internal use by the operating system.
Ldr
A pointer to a PEB_LDR_DATA structure that contains information about the loaded modules for the process.
ProcessParameters
A pointer to an RTL_USER_PROCESS_PARAMETERS structure that contains process parameter information such as the command line.
Reserved4
Reserved for internal use by the operating system.
AtlThunkSListPtr
Reserved5
Reserved for internal use by the operating system.
Reserved6
Reserved for internal use by the operating system.
Reserved7
Reserved for internal use by the operating system.
Reserved8
AtlThunkSListPtr32
Reserved9
Reserved10
PostProcessInitRoutine
Not supported.
Reserved11
Reserved12
SessionId
The Terminal Services session identifier associated with the current process.
The syntax for this structure on 64-bit Windows is as follows:
// 64-bit syntax as given by the reference. The Reserved* arrays here are
// byte counts rather than pointer-sized slots, and the loader pointer is
// named LoaderData, whereas the winternl.h listing names it Ldr.
typedef struct _PEB {
BYTE Reserved1[2];
// Indicates whether the process is currently being debugged.
BYTE BeingDebugged;
BYTE Reserved2[21];
// Pointer to the PEB_LDR_DATA loader information.
PPEB_LDR_DATA LoaderData;
// Pointer to the process parameters (e.g. the command line).
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
BYTE Reserved3[520];
// Listed as "Not supported" in the reference.
PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
BYTE Reserved4[136];
// Terminal Services session identifier of the process.
ULONG SessionId;
} PEB;
This structure is documented in Windows SDK.
The PEB (Process Environment Block) structure contains all user-mode parameters that the system associates with the current process.
Address of executable image in process' memory.
Pointer to a PEB_LDR_DATA structure, which contains information filled in by the loader.
Pointer to an RTL_USER_PROCESS_PARAMETERS structure.
Address of process' first heap allocated by Loader.
Parameter for PEBLOCKROUTINE (see below).
Address of the fast-locking routine for the PEB. The routine is defined as:
// Function-pointer type for the PEB fast-lock routine; the surrounding text
// uses the same definition for the fast-unlock routine. PebLock is the lock
// parameter that the text says is stored in the PEB. Returns nothing.
typedef void (*PPEBLOCKROUTINE)(
PVOID PebLock
);
Address of the PEB fast-unlock routine.
Counter of process environment updates.