PROCESS_EXTENDED_BASIC_INFORMATION - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers

#ifndef _NTPSAPI_H
#if (PHNT_MODE != PHNT_MODE_KERNEL)

/**
 * The PROCESS_EXTENDED_BASIC_INFORMATION structure contains extended basic information about a process.
 */
typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION
{
    _In_ SIZE_T Size; // The size of the structure, in bytes. This member must be set to sizeof(PROCESS_EXTENDED_BASIC_INFORMATION).
    union
    {
        PROCESS_BASIC_INFORMATION BasicInfo;
        struct
        {
            NTSTATUS ExitStatus;    // The exit status of the process. (GetExitCodeProcess)
            PPEB PebBaseAddress;    // A pointer to the process environment block (PEB) of the process.
            KAFFINITY AffinityMask; // The affinity mask of the process. (GetProcessAffinityMask) (deprecated)
            KPRIORITY BasePriority; // The base priority of the process. (GetPriorityClass)
            HANDLE UniqueProcessId; // The unique identifier of the process. (GetProcessId)
            HANDLE InheritedFromUniqueProcessId; // The unique identifier of the parent process.
        };
    };
    union
    {
        ULONG Flags;
        struct
        {
            ULONG IsProtectedProcess : 1;
            ULONG IsWow64Process : 1;
            ULONG IsProcessDeleting : 1;
            ULONG IsCrossSessionCreate : 1;
            ULONG IsFrozen : 1;
            ULONG IsBackground : 1; // WIN://BGKD
            ULONG IsStronglyNamed : 1; // WIN://SYSAPPID
            ULONG IsSecureProcess : 1;
            ULONG IsSubsystemProcess : 1;
            ULONG IsTrustedApp : 1; // since 24H2
            ULONG SpareBits : 22;
        };
    };
} PROCESS_EXTENDED_BASIC_INFORMATION, *PPROCESS_EXTENDED_BASIC_INFORMATION;

#endif
#endif

This structure defines the extension to the basic information about the process.

Members

Size

Specifies the size in bytes of the valid portion of this structure's header.

BasicInfo

The basic information. See PROCESS_BASIC_INFORMATION for more details.

Flags

A bit mask of various flags about the process.

IsProtectedProcess

The process is full- or light-protected.

IsWow64Process

Indicates that the process is 32-bit and runs under the WoW64 emulation.

IsProcessDeleting

The process is terminating and its object is marked for deletion.

IsCrossSessionCreate

The process was created cross-session.

IsFrozen

The threads in the process are suspended and cannot be resumed until the process is unfrozen.

IsBackground

The process belongs to a background job.

IsStronglyNamed

The process has a strong package identity.

IsSecureProcess

The process runs in Isolated User Mode (IUM).

Required OS version

This field was introduced in Windows 10 TH1 (1507).

IsSubsystemProcess

The process is a Pico or a WSL process.

Remarks

This field was previously known as IsPicoProcess.

Required OS version

This field was introduced in Windows 10 RS1 (1607).

Required OS version

This structure was introduced in Windows 8.
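
Example

The following is an added example, not code from NtDoc or the phnt headers: a portable parser that checks the Size member and decodes Flags from a raw copy of the structure, as a triage or forensics tool would. It assumes the x64 layout (Size at offset 0, UniqueProcessId at 40, InheritedFromUniqueProcessId at 48, Flags at 56, 64 bytes total), little-endian data and MSVC's LSB-first bit-field allocation; the `pebi_*` names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Names in the bit order of the Flags union above; assumes MSVC's LSB-first
   bit-field allocation, so IsProtectedProcess is bit 0 and SpareBits is 10..31. */
static const char *const kPebiFlagNames[] = {
    "IsProtectedProcess", "IsWow64Process", "IsProcessDeleting",
    "IsCrossSessionCreate", "IsFrozen", "IsBackground", "IsStronglyNamed",
    "IsSecureProcess", "IsSubsystemProcess", "IsTrustedApp" };
#define PEBI_KNOWN_BITS 10u
#define PEBI_X64_SIZE   64u /* assumed x64 sizeof: 8 + 48 + 4, padded to 64 */
typedef struct { uint64_t pid, parent_pid; uint32_t flags, spare; } pebi_view;
static uint64_t rd_le(const uint8_t *p, size_t n) { /* little-endian, n <= 8 */
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}
/* Parse a raw x64 image; -1 if the buffer is short or Size != expected sizeof. */
int pebi_parse_x64(const uint8_t *buf, size_t len, pebi_view *out) {
    if (len < PEBI_X64_SIZE || rd_le(buf, 8) != PEBI_X64_SIZE) return -1;
    out->pid        = rd_le(buf + 40, 8); /* UniqueProcessId */
    out->parent_pid = rd_le(buf + 48, 8); /* InheritedFromUniqueProcessId */
    out->flags      = (uint32_t)rd_le(buf + 56, 4);
    out->spare      = out->flags >> PEBI_KNOWN_BITS; /* nonzero: bits not named here */
    return 0;
}

/* Write "A|B" for the named flags that are set; returns how many were set. */
int pebi_flag_names(uint32_t flags, char *dst, size_t cap) {
    int n = 0;
    if (cap == 0) return -1;
    dst[0] = '\0';
    for (unsigned i = 0; i < PEBI_KNOWN_BITS; i++) {
        if (!(flags & (1u << i))) continue;
        size_t used = strlen(dst);
        snprintf(dst + used, cap - used, "%s%s", n++ ? "|" : "", kPebiFlagNames[i]);
    }
    return n;
}

int main(void) {
    uint8_t img[64] = {0}; pebi_view v; char names[160]; /* img: constructed sample */
    img[0] = 64; img[40] = 0x34; img[41] = 0x12; img[48] = 4; img[56] = 0x81;
    if (pebi_parse_x64(img, sizeof img, &v) != 0) return 1;
    pebi_flag_names(v.flags, names, sizeof names);
    printf("pid=%llu %s\n", (unsigned long long)v.pid, names);
    return 0;
}
```

A nonzero `spare` value means the source system set bits that this definition still lists as SpareBits, which is worth logging rather than ignoring.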