PROCESS_EXTENDED_BASIC_INFORMATION - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers
#ifndef _NTPSAPI_H
// Process information structures
#if (PHNT_MODE != PHNT_MODE_KERNEL)

typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION
{
    SIZE_T Size; // set to sizeof structure on input
    union
    {
        PROCESS_BASIC_INFORMATION BasicInfo;
        struct
        {
            NTSTATUS ExitStatus;
            PPEB PebBaseAddress;
            KAFFINITY AffinityMask;
            KPRIORITY BasePriority;
            HANDLE UniqueProcessId;
            HANDLE InheritedFromUniqueProcessId;
        };
    };
    union
    {
        ULONG Flags;
        struct
        {
            ULONG IsProtectedProcess : 1;
            ULONG IsWow64Process : 1;
            ULONG IsProcessDeleting : 1;
            ULONG IsCrossSessionCreate : 1;
            ULONG IsFrozen : 1;
            ULONG IsBackground : 1; // WIN://BGKD
            ULONG IsStronglyNamed : 1; // WIN://SYSAPPID
            ULONG IsSecureProcess : 1;
            ULONG IsSubsystemProcess : 1;
            ULONG IsTrustedApp : 1; // since 24H2
            ULONG SpareBits : 22;
        };
    };
} PROCESS_EXTENDED_BASIC_INFORMATION, *PPROCESS_EXTENDED_BASIC_INFORMATION;

#endif
#endif

View code on GitHub

This structure defines the extension to the basic information about the process.

Applicable to

Members

Size

Specifies the size in bytes of the valid portion of this structure's header.

BasicInfo

The basic information. See PROCESS_BASIC_INFORMATION for more details.

Flags

A bit mask of various flags about the process.

IsProtectedProcess

The process is full- or light-protected.

See also

IsWow64Process

Indicates that the process is 32-bit and runs under the WoW64 emulation.

See also

IsProcessDeleting

The process is terminating and its object is marked for deletion.

See also

IsCrossSessionCreate

The process was created cross-session.

IsFrozen

The threads in the process are suspended and cannot be resumed until the process is unfrozen.

IsBackground

The process belongs to a background job.

IsStronglyNamed

The process has a strong package identity.

See also

IsSecureProcess

The process runs in Isolated User Mode (IUM).

Required OS version

This field was introduced in Windows 10 TH1 (1507).

IsSubsystemProcess

The process is a Pico or a WSL process.

Remarks

This field was previously known as IsPicoProcess.

Required OS version

This field was introduced in Windows 10 RS1 (1607).

See also

Required OS version

This structure was introduced in Windows 8.