PROCESS_EXTENDED_BASIC_INFORMATION - NtDoc
Native API online documentation, based on the System Informer
(formerly Process Hacker) phnt
headers
#ifndef _NTPSAPI_H
// Process information structures
#if (PHNT_MODE != PHNT_MODE_KERNEL)
typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION
{
SIZE_T Size; // set to sizeof structure on input
PROCESS_BASIC_INFORMATION BasicInfo;
union
{
ULONG Flags;
struct
{
ULONG IsProtectedProcess : 1;
ULONG IsWow64Process : 1;
ULONG IsProcessDeleting : 1;
ULONG IsCrossSessionCreate : 1;
ULONG IsFrozen : 1;
ULONG IsBackground : 1; // WIN://BGKD
ULONG IsStronglyNamed : 1; // WIN://SYSAPPID
ULONG IsSecureProcess : 1;
ULONG IsSubsystemProcess : 1;
ULONG IsTrustedApp : 1; // since 24H2
ULONG SpareBits : 22;
};
};
} PROCESS_EXTENDED_BASIC_INFORMATION, *PPROCESS_EXTENDED_BASIC_INFORMATION;
View code on GitHubThis structure defines the extension to the basic information about the process.
NtQueryInformationProcess with ProcessBasicInformation (0)Specifies the size in bytes of the valid portion of this structure's header.
The basic information. See PROCESS_BASIC_INFORMATION for more details.
A bit mask of various flags about the process.
The process is full- or light-protected.
PROCESSINFOCLASS value of ProcessProtectionInformation (61)PS_PROTECTIONIndicates that the process is 32-bit and runs under the WoW64 emulation.
PROCESSINFOCLASS value of ProcessWow64Information (26)The process is terminating and its object is marked for deletion.
The process was created cross-session.
The threads in the process are suspended and cannot be resumed until the process is unfrozen.
The process belongs to a background job.
The process has a strong package identity.
The process runs in Isolated User Mode (IUM).
This field was introduced in Windows 10 TH1 (1507).
The process is a Pico or a WSL process.
This field was previously known as IsPicoProcess.
This field was introduced in Windows 10 RS1 (1607).
PROCESSINFOCLASS value of ProcessSubsystemInformation (75)This structure was introduced in Windows 8.