PROCESS_TELEMETRY_ID_INFORMATION - NtDoc
Native API online documentation, based on the System Informer
(formerly Process Hacker) phnt
headers
#ifndef _NTPSAPI_H
#if (PHNT_MODE != PHNT_MODE_KERNEL)
// begin_private
typedef struct _PROCESS_TELEMETRY_ID_INFORMATION
{
ULONG HeaderSize;
ULONG ProcessId;
ULONGLONG ProcessStartKey;
ULONGLONG CreateTime;
ULONGLONG CreateInterruptTime;
ULONGLONG CreateUnbiasedInterruptTime;
ULONGLONG ProcessSequenceNumber;
ULONGLONG SessionCreateTime;
ULONG SessionId;
ULONG BootId;
ULONG ImageChecksum;
ULONG ImageTimeDateStamp;
ULONG UserSidOffset;
ULONG ImagePathOffset;
ULONG PackageNameOffset;
ULONG RelativeAppNameOffset;
ULONG CommandLineOffset;
} PROCESS_TELEMETRY_ID_INFORMATION, *PPROCESS_TELEMETRY_ID_INFORMATION;
View code on GitHubContains various telemetry-related information about the process. This structure is documented in Windows SDK.
NtQueryInformationProcess with ProcessTelemetryIdInformation (64)The size of the header of this structure in bytes. Fields beyond this size are not populated and will contain invalid data.
The PID of the process.
The unique value identifying the process across reboots. In the current implementation contains ProcessSequenceNumber | (BootId << 48).
The number of 100-nanosecond intervals since the 1st of January 1600 to the creation of the process.
PROCESSINFOCLASS value of ProcessTimes (4)The number of 100-nanosecond intervals passed since boot to the creation of the process.
PROCESSINFOCLASS value of ProcessUptimeInformation (88)The number of 100-nanosecond intervals the system was active since boot to the creation of the process.
A unique sequence number of the process.
PROCESSINFOCLASS value of ProcessSequenceNumber (92)The number of 100-nanosecond intervals passed since boot to the creation of the process's session.
The ID of the process's session.
PROCESSINFOCLASS value of ProcessSessionInformation (24)NtQueryInformationToken with TOKEN_INFORMATION_CLASS value of TokenSessionId (12)The sequence number of the current OS boot.
The checksum value from the process's PE file header.
The timestamp value from the process's PE file header.
An offset from the start of this structure to the user SID from the process's primary token.
NtOpenProcessTokenNtQueryInformationToken with TOKEN_INFORMATION_CLASS value of TokenUser (1)An offset from the start of this structure to the native filename of the process's image.
PROCESSINFOCLASS values of ProcessImageFileName (27) and ProcessImageFileNameWin32 (43)An offset from the start of this structure to the full package name for processes with package identity.
An offset from the start of this structure to the relative application user model ID for processes with package identity.
An offset from the start of this structure to the command line string for the process.
PROCESSINFOCLASS value of ProcessCommandLineInformation (60)This structure was introduced in Windows 10 TH1 (1507).