PROCESSINFOCLASS - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers
#ifndef _NTPSAPI_H
#if (PHNT_MODE != PHNT_MODE_KERNEL)

typedef enum _PROCESSINFOCLASS
{
    ProcessBasicInformation, // q: PROCESS_BASIC_INFORMATION, PROCESS_EXTENDED_BASIC_INFORMATION
    ProcessQuotaLimits, // qs: QUOTA_LIMITS, QUOTA_LIMITS_EX
    ProcessIoCounters, // q: IO_COUNTERS
    ProcessVmCounters, // q: VM_COUNTERS, VM_COUNTERS_EX, VM_COUNTERS_EX2
    ProcessTimes, // q: KERNEL_USER_TIMES
    ProcessBasePriority, // s: KPRIORITY
    ProcessRaisePriority, // s: ULONG
    ProcessDebugPort, // q: HANDLE
    ProcessExceptionPort, // s: PROCESS_EXCEPTION_PORT (requires SeTcbPrivilege)
    ProcessAccessToken, // s: PROCESS_ACCESS_TOKEN
    ProcessLdtInformation, // qs: PROCESS_LDT_INFORMATION // 10
    ProcessLdtSize, // s: PROCESS_LDT_SIZE
    ProcessDefaultHardErrorMode, // qs: ULONG
    ProcessIoPortHandlers, // (kernel-mode only) // s: PROCESS_IO_PORT_HANDLER_INFORMATION
    ProcessPooledUsageAndLimits, // q: POOLED_USAGE_AND_LIMITS
    ProcessWorkingSetWatch, // q: PROCESS_WS_WATCH_INFORMATION[]; s: void
    ProcessUserModeIOPL, // qs: ULONG (requires SeTcbPrivilege)
    ProcessEnableAlignmentFaultFixup, // s: BOOLEAN
    ProcessPriorityClass, // qs: PROCESS_PRIORITY_CLASS
    ProcessWx86Information, // qs: ULONG (requires SeTcbPrivilege) (VdmAllowed)
    ProcessHandleCount, // q: ULONG, PROCESS_HANDLE_INFORMATION // 20
    ProcessAffinityMask, // (q >WIN7)s: KAFFINITY, qs: GROUP_AFFINITY
    ProcessPriorityBoost, // qs: ULONG
    ProcessDeviceMap, // qs: PROCESS_DEVICEMAP_INFORMATION, PROCESS_DEVICEMAP_INFORMATION_EX
    ProcessSessionInformation, // q: PROCESS_SESSION_INFORMATION
    ProcessForegroundInformation, // s: PROCESS_FOREGROUND_BACKGROUND
    ProcessWow64Information, // q: ULONG_PTR
    ProcessImageFileName, // q: UNICODE_STRING
    ProcessLUIDDeviceMapsEnabled, // q: ULONG
    ProcessBreakOnTermination, // qs: ULONG
    ProcessDebugObjectHandle, // q: HANDLE // 30
    ProcessDebugFlags, // qs: ULONG
    ProcessHandleTracing, // q: PROCESS_HANDLE_TRACING_QUERY; s: PROCESS_HANDLE_TRACING_ENABLE[_EX] or void to disable
    ProcessIoPriority, // qs: IO_PRIORITY_HINT
    ProcessExecuteFlags, // qs: ULONG (MEM_EXECUTE_OPTION_*)
    ProcessTlsInformation, // PROCESS_TLS_INFORMATION // ProcessResourceManagement
    ProcessCookie, // q: ULONG
    ProcessImageInformation, // q: SECTION_IMAGE_INFORMATION
    ProcessCycleTime, // q: PROCESS_CYCLE_TIME_INFORMATION // since VISTA
    ProcessPagePriority, // qs: PAGE_PRIORITY_INFORMATION
    ProcessInstrumentationCallback, // s: PVOID or PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION // 40
    ProcessThreadStackAllocation, // s: PROCESS_STACK_ALLOCATION_INFORMATION, PROCESS_STACK_ALLOCATION_INFORMATION_EX
    ProcessWorkingSetWatchEx, // q: PROCESS_WS_WATCH_INFORMATION_EX[]; s: void
    ProcessImageFileNameWin32, // q: UNICODE_STRING
    ProcessImageFileMapping, // q: HANDLE (input)
    ProcessAffinityUpdateMode, // qs: PROCESS_AFFINITY_UPDATE_MODE
    ProcessMemoryAllocationMode, // qs: PROCESS_MEMORY_ALLOCATION_MODE
    ProcessGroupInformation, // q: USHORT[]
    ProcessTokenVirtualizationEnabled, // s: ULONG
    ProcessConsoleHostProcess, // qs: ULONG_PTR // ProcessOwnerInformation
    ProcessWindowInformation, // q: PROCESS_WINDOW_INFORMATION // 50
    ProcessHandleInformation, // q: PROCESS_HANDLE_SNAPSHOT_INFORMATION // since WIN8
    ProcessMitigationPolicy, // s: PROCESS_MITIGATION_POLICY_INFORMATION
    ProcessDynamicFunctionTableInformation, // s: PROCESS_DYNAMIC_FUNCTION_TABLE_INFORMATION
    ProcessHandleCheckingMode, // qs: ULONG; s: 0 disables, otherwise enables
    ProcessKeepAliveCount, // q: PROCESS_KEEPALIVE_COUNT_INFORMATION
    ProcessRevokeFileHandles, // s: PROCESS_REVOKE_FILE_HANDLES_INFORMATION
    ProcessWorkingSetControl, // s: PROCESS_WORKING_SET_CONTROL (requires SeDebugPrivilege)
    ProcessHandleTable, // q: ULONG[] // since WINBLUE
    ProcessCheckStackExtentsMode, // qs: ULONG // KPROCESS->CheckStackExtents (CFG)
    ProcessCommandLineInformation, // q: UNICODE_STRING // 60
    ProcessProtectionInformation, // q: PS_PROTECTION
    ProcessMemoryExhaustion, // s: PROCESS_MEMORY_EXHAUSTION_INFO // since THRESHOLD
    ProcessFaultInformation, // s: PROCESS_FAULT_INFORMATION
    ProcessTelemetryIdInformation, // q: PROCESS_TELEMETRY_ID_INFORMATION
    ProcessCommitReleaseInformation, // qs: PROCESS_COMMIT_RELEASE_INFORMATION
    ProcessDefaultCpuSetsInformation, // qs: SYSTEM_CPU_SET_INFORMATION[5]
    ProcessAllowedCpuSetsInformation, // qs: SYSTEM_CPU_SET_INFORMATION[5]
    ProcessSubsystemProcess,
    ProcessJobMemoryInformation, // q: PROCESS_JOB_MEMORY_INFO
    ProcessInPrivate, // q: BOOLEAN; s: void // ETW // since THRESHOLD2 // 70
    ProcessRaiseUMExceptionOnInvalidHandleClose, // qs: ULONG; s: 0 disables, otherwise enables
    ProcessIumChallengeResponse,
    ProcessChildProcessInformation, // q: PROCESS_CHILD_PROCESS_INFORMATION
    ProcessHighGraphicsPriorityInformation, // qs: BOOLEAN (requires SeTcbPrivilege)
    ProcessSubsystemInformation, // q: SUBSYSTEM_INFORMATION_TYPE // since REDSTONE2
    ProcessEnergyValues, // q: PROCESS_ENERGY_VALUES, PROCESS_EXTENDED_ENERGY_VALUES
    ProcessPowerThrottlingState, // qs: POWER_THROTTLING_PROCESS_STATE
    ProcessReserved3Information, // ProcessActivityThrottlePolicy // PROCESS_ACTIVITY_THROTTLE_POLICY
    ProcessWin32kSyscallFilterInformation, // q: WIN32K_SYSCALL_FILTER
    ProcessDisableSystemAllowedCpuSets, // s: BOOLEAN // 80
    ProcessWakeInformation, // q: PROCESS_WAKE_INFORMATION
    ProcessEnergyTrackingState, // qs: PROCESS_ENERGY_TRACKING_STATE
    ProcessManageWritesToExecutableMemory, // MANAGE_WRITES_TO_EXECUTABLE_MEMORY // since REDSTONE3
    ProcessCaptureTrustletLiveDump,
    ProcessTelemetryCoverage, // q: TELEMETRY_COVERAGE_HEADER; s: TELEMETRY_COVERAGE_POINT
    ProcessEnclaveInformation,
    ProcessEnableReadWriteVmLogging, // qs: PROCESS_READWRITEVM_LOGGING_INFORMATION
    ProcessUptimeInformation, // q: PROCESS_UPTIME_INFORMATION
    ProcessImageSection, // q: HANDLE
    ProcessDebugAuthInformation, // since REDSTONE4 // 90
    ProcessSystemResourceManagement, // s: PROCESS_SYSTEM_RESOURCE_MANAGEMENT
    ProcessSequenceNumber, // q: ULONGLONG
    ProcessLoaderDetour, // since REDSTONE5
    ProcessSecurityDomainInformation, // q: PROCESS_SECURITY_DOMAIN_INFORMATION
    ProcessCombineSecurityDomainsInformation, // s: PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION
    ProcessEnableLogging, // qs: PROCESS_LOGGING_INFORMATION
    ProcessLeapSecondInformation, // qs: PROCESS_LEAP_SECOND_INFORMATION
    ProcessFiberShadowStackAllocation, // s: PROCESS_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION // since 19H1
    ProcessFreeFiberShadowStackAllocation, // s: PROCESS_FREE_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION
    ProcessAltSystemCallInformation, // s: PROCESS_SYSCALL_PROVIDER_INFORMATION // since 20H1 // 100
    ProcessDynamicEHContinuationTargets, // s: PROCESS_DYNAMIC_EH_CONTINUATION_TARGETS_INFORMATION
    ProcessDynamicEnforcedCetCompatibleRanges, // s: PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE_INFORMATION // since 20H2
    ProcessCreateStateChange, // since WIN11
    ProcessApplyStateChange,
    ProcessEnableOptionalXStateFeatures, // s: ULONG64 // optional XState feature bitmask
    ProcessAltPrefetchParam, // qs: OVERRIDE_PREFETCH_PARAMETER // App Launch Prefetch (ALPF) // since 22H1
    ProcessAssignCpuPartitions, // HANDLE
    ProcessPriorityClassEx, // s: PROCESS_PRIORITY_CLASS_EX
    ProcessMembershipInformation, // q: PROCESS_MEMBERSHIP_INFORMATION
    ProcessEffectiveIoPriority, // q: IO_PRIORITY_HINT // 110
    ProcessEffectivePagePriority, // q: ULONG
    ProcessSchedulerSharedData, // SCHEDULER_SHARED_DATA_SLOT_INFORMATION // since 24H2
    ProcessSlistRollbackInformation,
    ProcessNetworkIoCounters, // q: PROCESS_NETWORK_COUNTERS
    ProcessFindFirstThreadByTebValue, // PROCESS_TEB_VALUE_INFORMATION
    MaxProcessInfoClass
} PROCESSINFOCLASS;

#endif
#endif

This enumeration defines types of information that can be queried or set for processes.

Members

ProcessBasicInformation (0)

Retrieves various information about the process, such as its ID, its parent ID, exit status, and PEB address.

Query Set
Type PROCESS_BASIC_INFORMATION or PROCESS_EXTENDED_BASIC_INFORMATION N/A
Required access PROCESS_QUERY_LIMITED_INFORMATION N/A

Remarks

The extended structure was introduced in Windows 8.

ProcessQuotaLimits (1)

Retrieves or adjusts quota limits for the process.

Query Set
Type QUOTA_LIMITS or QUOTA_LIMITS_EX QUOTA_LIMITS or QUOTA_LIMITS_EX
Required access PROCESS_QUERY_LIMITED_INFORMATION PROCESS_SET_QUOTA
Required privilege None SeIncreaseBasePriorityPrivilege or SeIncreaseWorkingSetPrivilege

ProcessIoCounters (2)

Retrieves I/O operation statistics for the process.

Query Set
Type IO_COUNTERS N/A
Required access PROCESS_QUERY_LIMITED_INFORMATION N/A

ProcessVmCounters (3)

Retrieves virtual memory statistics for the process.

Query Set
Type VM_COUNTERS, VM_COUNTERS_EX, or VM_COUNTERS_EX2 N/A
Required access PROCESS_QUERY_LIMITED_INFORMATION N/A

ProcessTimes (4)

Retrieves combined timing information for all threads in the process.

Query Set
Type KERNEL_USER_TIMES N/A
Required access PROCESS_QUERY_LIMITED_INFORMATION N/A

ProcessBasePriority (5)

Sets the base priority for all threads in the process.

Query Set
Type N/A KPRIORITY
Required access N/A PROCESS_SET_INFORMATION
Required privilege N/A SeIncreaseBasePriorityPrivilege

Remarks

The highest order bit specifies the memory priority; the rest specify the scheduling priority.

ProcessRaisePriority (6)

Increases the base priority for all threads in the process by the specified amount, up to the maximum non-realtime priority.

Query Set
Type N/A ULONG
Required access N/A PROCESS_SET_INFORMATION

ProcessDebugPort (7)

Determines if the process is being debugged.

Query Set
Type LONG_PTR N/A
Required access PROCESS_QUERY_INFORMATION N/A

Remarks

The query returns -1 if the process has an associated debug object and 0 otherwise.

ProcessExceptionPort (8)

Query Set
Type N/A PROCESS_EXCEPTION_PORT
Required access N/A PROCESS_SUSPEND_RESUME + no specific access on the port handle
Required privilege N/A SeTcbPrivilege

ProcessAccessToken (9)

Replaces the primary token of the process.

Query Set
Type N/A PROCESS_ACCESS_TOKEN
Required access N/A PROCESS_SET_INFORMATION + TOKEN_ASSIGN_PRIMARY on the token
Required privilege N/A SeAssignPrimaryTokenPrivilege

Remarks

The privilege is required when the specified token is not a child or a sibling of the caller's token or has a higher integrity level.

ProcessLdtInformation (10)

Retrieves or modifies Local Descriptor Table information for the process. This information class has no effect on modern versions of Windows.

Query Set
Type PROCESS_LDT_INFORMATION PROCESS_LDT_INFORMATION
Required access PROCESS_QUERY_INFORMATION | PROCESS_VM_READ PROCESS_SET_INFORMATION | PROCESS_VM_WRITE

ProcessLdtSize (11)

Adjusts the size of the Local Descriptor Table for the process. This information class has no effect on modern versions of Windows.

Query Set
Type N/A PROCESS_LDT_SIZE
Required access N/A PROCESS_SET_INFORMATION | PROCESS_VM_WRITE

ProcessDefaultHardErrorMode (12)

Retrieves or sets the default mode for handling hard errors.

Query Set
Type ULONG ULONG
Required access PROCESS_QUERY_LIMITED_INFORMATION PROCESS_SET_INFORMATION

ProcessIoPortHandlers (13)

Allows drivers to install a handler that traps I/O of a 16-bit process. This information class is not implemented on modern versions of Windows.

Query Set
Type N/A PROCESS_IO_PORT_HANDLER_INFORMATION
Required access N/A PROCESS_SET_INFORMATION
Required mode N/A Kernel mode

ProcessPooledUsageAndLimits (14)

Determines pool memory usage and limits for the process.

Query Set
Type POOLED_USAGE_AND_LIMITS N/A
Required access PROCESS_QUERY_LIMITED_INFORMATION N/A

ProcessWorkingSetWatch (15)

Enables working set watch that allows monitoring page faults that occur in the specified process.

Query Set
Type PROCESS_WS_WATCH_INFORMATION[] void (zero-size)
Required access PROCESS_QUERY_INFORMATION PROCESS_SET_INFORMATION
Required integrity Medium None

Remarks

Once enabled, WS watch cannot be disabled.

When the Restrict-Kernel-Address-Leaks feature is enabled and the caller doesn't have SeDebugPrivilege, the system removes kernel addresses from the returned data.

ProcessUserModeIOPL (16)

Sets user-mode I/O privilege level for the process. This information class is not implemented on modern versions of Windows.

Query Set
Type N/A ULONG
Required access N/A PROCESS_SET_INFORMATION
Required privilege N/A SeTcbPrivilege

ProcessEnableAlignmentFaultFixup (17)

Enables or disables automatic memory alignment fixup on certain processor architectures for the process.

Query Set
Type N/A BOOLEAN
Required access N/A PROCESS_SET_INFORMATION

Remarks

Using this information class is equivalent to setting or clearing the SEM_NOALIGNMENTFAULTEXCEPT flag via the ProcessDefaultHardErrorMode (12) info class.

ProcessPriorityClass (18)

Retrieves or adjusts the priority class for the process.

Query Set
Type PROCESS_PRIORITY_CLASS PROCESS_PRIORITY_CLASS
Required access PROCESS_QUERY_LIMITED_INFORMATION PROCESS_SET_INFORMATION
Required privilege None SeIncreaseBasePriorityPrivilege

Remarks

The privilege is required only when setting the priority class to realtime.

The system ignores the request if the process's job object specifies a conflicting value via JOB_OBJECT_LIMIT_PRIORITY_CLASS.

ProcessWx86Information (19)

This information class accesses the EPROCESS->VdmAllowed flag for the process.

Query Set
Type ULONG or BOOL ULONG or BOOL
Required access PROCESS_QUERY_INFORMATION PROCESS_SET_INFORMATION
Required privilege None SeTcbPrivilege

ProcessHandleCount (20)

Determines the current and historical highest number of handles for the process.

Query Set
Type ULONG or PROCESS_HANDLE_INFORMATION N/A
Required access PROCESS_QUERY_LIMITED_INFORMATION N/A

Remarks

To retrieve handle values, use the ProcessHandleInformation (51) info class.

ProcessAffinityMask (21)

Enumerates or limits the processors on which the threads of the specified process are allowed to run.

Query Set
Type KAFFINITY or GROUP_AFFINITY KAFFINITY or GROUP_AFFINITY
Required access PROCESS_QUERY_LIMITED_INFORMATION PROCESS_SET_INFORMATION

ProcessPriorityBoost (22)

Enables or disables priority boosting for the process.

Query Set
Type ULONG or BOOL ULONG or BOOL
Required access PROCESS_QUERY_LIMITED_INFORMATION PROCESS_SET_INFORMATION

ProcessDeviceMap (23)

Enumerates defined drives in the DOS Devices directory and allows replacing the device map directory for the process.

Query Set
Type PROCESS_DEVICEMAP_INFORMATION or PROCESS_DEVICEMAP_INFORMATION_EX PROCESS_DEVICEMAP_INFORMATION or PROCESS_DEVICEMAP_INFORMATION_EX
Required access PROCESS_QUERY_INFORMATION PROCESS_SET_INFORMATION + DIRECTORY_TRAVERSE on the directory handle
Required integrity None Medium

Remarks

By default, processes use per-logon session DOS Devices directories \Sessions\0\DosDevices\{xxxxxxxx-xxxxxxxx} with names derived from the token's logon session LUID.

When using PROCESS_DEVICEMAP_INFORMATION_EX to query information, the caller must initialize the Flags field first. See the documentation of the structure for more details.

ProcessSessionInformation (24)

Retrieves the session ID of the process. Changing the value is not supported on modern versions of Windows.

Query Set
Type PROCESS_SESSION_INFORMATION PROCESS_SESSION_INFORMATION
Required access PROCESS_QUERY_LIMITED_INFORMATION PROCESS_SET_INFORMATION | PROCESS_SET_SESSIONID
Required privilege None SeTcbPrivilege

ProcessForegroundInformation (25)

Switches the process's priority class between foreground and background.

Query Set
Type N/A PROCESS_FOREGROUND_BACKGROUND
Required access N/A PROCESS_SET_LIMITED_INFORMATION

ProcessWow64Information (26)

Retrieves the address of the WoW64 PEB (PEB32) for the process.

Query Set
Type ULONG_PTR or PPEB32 N/A
Required access PROCESS_QUERY_LIMITED_INFORMATION N/A

Remarks

The system returns NULL if the target process is not running under WoW64.

ProcessImageFileName (27)

Retrieves the image filename associated with the process in the native format.

Query Set
Type UNICODE_STRING N/A
Required access PROCESS_QUERY_LIMITED_INFORMATION N/A

Remarks

The system populates this string by looking up the name from the file object during process creation and doesn't track subsequent renames. The field holds a NULL pointer if the system failed to retrieve the value.

ProcessLUIDDeviceMapsEnabled (28)

Determines if the LUID device maps are enabled for the process. This info class always returns TRUE on modern versions of Windows.

Query Set
Type ULONG or BOOL N/A
Required access None N/A

ProcessBreakOnTermination (29)

Retrieves or sets the critical status for the process. Termination of a critical process causes a BSOD.

Query Set
Type ULONG or BOOL ULONG or BOOL
Required access PROCESS_QUERY_LIMITED_INFORMATION PROCESS_SET_INFORMATION
Required privilege None SeDebugPrivilege

ProcessDebugObjectHandle (30)

Opens a handle to the process's debug port object.

Query Set
Type HANDLE N/A
Required access PROCESS_QUERY_INFORMATION N/A

Remarks

Opening the debug object requires passing an access check on its security descriptor and will return MAXIMUM_ALLOWED access on the handle or fail with STATUS_ACCESS_DENIED.

ProcessDebugFlags (31)

Retrieves or sets a bit mask of debugging-related flags for the process.

Query Set
Type ULONG ULONG
Required access PROCESS_QUERY_INFORMATION PROCESS_SET_INFORMATION

ProcessHandleTracing (32)

Allows collecting handle tracing information for the process. The trace records open, close, and bad reference operations on handles.

Query Set
Type PROCESS_HANDLE_TRACING_QUERY PROCESS_HANDLE_TRACING_ENABLE or PROCESS_HANDLE_TRACING_ENABLE_EX or void (zero-sized buffer) to disable
Required access PROCESS_QUERY_INFORMATION PROCESS_SET_INFORMATION
Required integrity Medium None

Remarks

The system rounds the specified number of slots up to the closest power of two between 0x80 and 0x20000. Specifying a zero value (do not confuse with providing a zero-sized buffer) defaults it to 0x1000.

When querying, the caller can specify a non-NULL value in the Handle field to filter the output.

When the Restrict-Kernel-Address-Leaks feature is enabled, querying handle tracing information requires SeDebugPrivilege.

ProcessIoPriority (33)

Retrieves or sets the priority for I/O operations issued by the process.

Query Set
Type IO_PRIORITY_HINT IO_PRIORITY_HINT
Required access PROCESS_QUERY_LIMITED_INFORMATION PROCESS_SET_INFORMATION
Required privilege None SeIncreaseBasePriorityPrivilege

ProcessExecuteFlags (34)

Retrieves or modifies the bit mask of Data Execution Prevention (DEP) options for the process.

Query Set
Type ULONG ULONG
Required access PROCESS_QUERY_INFORMATION N/A (NtCurrentProcess only)

Remarks

Trying to modify the options when the permanent bit is already set fails the request with STATUS_ACCESS_DENIED.

ProcessTlsInformation (35)

This information class is not implemented on modern versions of Windows.

ProcessCookie (36)

Retrieves the cookie value for the process.

Query Set
Type ULONG N/A
Required access PROCESS_VM_WRITE N/A

Remarks

If the value hasn't been queried before, it will be initialized.

ProcessImageInformation (37)

Retrieves information about the executable image section used to create the process.

Query Set
Type SECTION_IMAGE_INFORMATION N/A
Required access PROCESS_QUERY_LIMITED_INFORMATION N/A

ProcessCycleTime (38)

Retrieves the number of cycles spent by all threads of the process.

Query Set
Type PROCESS_CYCLE_TIME_INFORMATION N/A
Required access PROCESS_QUERY_LIMITED_INFORMATION N/A

ProcessPagePriority (39)

Retrieves or adjusts paging priority for the process.

Query Set
Type PAGE_PRIORITY_INFORMATION PAGE_PRIORITY_INFORMATION
Required access PROCESS_QUERY_LIMITED_INFORMATION PROCESS_SET_INFORMATION

ProcessInstrumentationCallback (40)

Sets the instrumentation callback for the process.

Query Set
Type N/A PVOID or PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION
Required access N/A PROCESS_SET_INFORMATION
Required privilege N/A SeDebugPrivilege

Remarks

The instrumentation callback executes on every transition from kernel to user mode, such as on syscall returns. Instead of returning to the intended location, the thread jumps to the callback which receives the original target in the r10 register. You can read more about using instrumentation callbacks in this blog.

Installing the callback for the current process does not require any privileges.

ProcessThreadStackAllocation (41)

Reserves memory for an additional thread stack in the current process.

Query Set
Type N/A PROCESS_STACK_ALLOCATION_INFORMATION or PROCESS_STACK_ALLOCATION_INFORMATION_EX
Required access N/A N/A (NtCurrentProcess only)

ProcessWorkingSetWatchEx (42)

Enables working set watch that allows monitoring page faults that occur in the specified process.

Query Set
Type PROCESS_WS_WATCH_INFORMATION_EX[] void (zero-size)
Required access PROCESS_QUERY_INFORMATION PROCESS_SET_INFORMATION
Required integrity Medium None

Remarks

Once enabled, WS watch cannot be disabled.

When the Restrict-Kernel-Address-Leaks feature is enabled and the caller doesn't have SeDebugPrivilege, the system removes kernel addresses from the returned data.

ProcessImageFileNameWin32 (43)

Retrieves the image filename associated with the process in the Win32 format.

Query Set
Type UNICODE_STRING N/A
Required access PROCESS_QUERY_LIMITED_INFORMATION N/A

Remarks

The system dynamically retrieves this string from the file object associated with the process. Therefore, it tracks rename operations. The query results in an error if the file doesn’t have a valid Win32 name or has been deleted.
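
Because ProcessImageFileName (27) is fixed at process creation while ProcessImageFileNameWin32 (43) follows the file object, comparing the two flags an image that was renamed or deleted after launch. This is an added example, not code from NtDoc or phnt; `classify_image_names`, `query_name`, the verdict names, the sample paths, and the use of `QueryDosDeviceW` to map the drive letter are assumptions of the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>
#include <wctype.h>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
typedef NTSTATUS (NTAPI *NtQip_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);
#endif

typedef enum {
    IMG_MATCH,             /* both names refer to the same path */
    IMG_RENAMED,           /* names differ: renamed or moved after creation */
    IMG_WIN32_UNAVAILABLE, /* class 43 failed: deleted or no Win32 name */
    IMG_NATIVE_MISSING,    /* class 27 returned a NULL or empty string */
    IMG_UNCOMPARABLE       /* no drive letter to map (e.g. UNC path) */
} img_verdict;

const char *verdict_name(img_verdict v)
{
    static const char *names[] = { "match", "renamed-or-moved",
        "win32-name-unavailable", "native-name-missing", "uncomparable" };
    return names[v];
}

/* Case-insensitive compare of at most n characters (towlower only
 * approximates the file system's own case folding); 0 when equal. */
static int wcs_nicmp(const wchar_t *a, const wchar_t *b, size_t n)
{
    for (; n; a++, b++, n--) {
        wint_t ca = towlower((wint_t)*a), cb = towlower((wint_t)*b);
        if (ca != cb) return ca < cb ? -1 : 1;
        if (ca == 0) break;
    }
    return 0;
}

/* native: class 27 result; win32: class 43 result (NULL if the query failed);
 * drive_device: NT device that the Win32 drive letter maps to. */
img_verdict classify_image_names(const wchar_t *native, const wchar_t *win32,
                                 const wchar_t *drive_device)
{
    size_t dlen, rlen;
    if (native == NULL || native[0] == L'\0') return IMG_NATIVE_MISSING;
    if (win32 == NULL) return IMG_WIN32_UNAVAILABLE;
    if (drive_device == NULL || win32[0] == L'\0' || win32[1] != L':')
        return IMG_UNCOMPARABLE;
    dlen = wcslen(drive_device); rlen = wcslen(win32 + 2);
    /* Expect native == drive_device + Win32 path without its "X:" prefix. */
    if (wcslen(native) != dlen + rlen ||
        wcs_nicmp(native, drive_device, dlen) != 0 ||
        wcs_nicmp(native + dlen, win32 + 2, rlen) != 0)
        return IMG_RENAMED;
    return IMG_MATCH;
}

#ifdef _WIN32
/* Runs a UNICODE_STRING query (class 27 or 43) into buf and NUL-terminates
 * the result. Returns NULL on failure or when the kernel left Buffer NULL. */
static const wchar_t *query_name(NtQip_t q, HANDLE proc, ULONG info_class,
                                 void *buf, size_t size)
{
    UNICODE_STRING *us = (UNICODE_STRING *)buf;
    if (q(proc, info_class, buf, (ULONG)(size - sizeof(WCHAR)), NULL) < 0 ||
        us->Buffer == NULL)
        return NULL;
    us->Buffer[us->Length / sizeof(WCHAR)] = L'\0';
    return us->Buffer;
}
#endif

int main(int argc, char **argv)
{
    const wchar_t *native, *win32, *device = NULL;
#ifdef _WIN32
    static ULONGLONG nbuf[8200], wbuf[8200]; /* fits any UNICODE_STRING */
    WCHAR drive[3] = { 0 }, dev[512];
    DWORD pid = argc > 1 ? strtoul(argv[1], NULL, 10) : GetCurrentProcessId();
    NtQip_t q = (NtQip_t)GetProcAddress(GetModuleHandleW(L"ntdll.dll"),
                                        "NtQueryInformationProcess");
    HANDLE proc = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
    if (!q || !proc) { fprintf(stderr, "cannot open process %lu\n", pid); return 1; }
    native = query_name(q, proc, 27, nbuf, sizeof nbuf); /* ProcessImageFileName */
    win32 = query_name(q, proc, 43, wbuf, sizeof wbuf);  /* ...FileNameWin32 */
    if (win32 && win32[0] && win32[1] == L':') {
        drive[0] = win32[0]; drive[1] = L':';
        if (QueryDosDeviceW(drive, dev, 512)) device = dev;
    }
    CloseHandle(proc);
#else
    (void)argc; (void)argv;
    /* Constructed sample: image started as tool.exe, later renamed on disk. */
    native = L"\\Device\\HarddiskVolume3\\Users\\a\\tool.exe";
    win32 = L"C:\\Users\\a\\svchost.exe";
    device = L"\\Device\\HarddiskVolume3";
#endif
    printf("native: %ls\nwin32:  %ls\nverdict: %s\n", native ? native : L"(null)",
           win32 ? win32 : L"(query failed)",
           verdict_name(classify_image_names(native, win32, device)));
    return 0;
}
```

On Windows the program takes an optional PID argument and queries the live process; elsewhere it runs the classifier on the constructed sample.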

ProcessImageFileMapping (44)

Checks if the file used to create the process is the same as the specified file.

Query Set
Type HANDLE to a file N/A
Required access PROCESS_QUERY_INFORMATION + FILE_EXECUTE | SYNCHRONIZE on the file N/A

Remarks

Despite being used with NtQueryInformationProcess, this information class reads the provided buffer and does not write anything back.

The files are considered the same if they share SectionObjectPointer.

ProcessAffinityUpdateMode (45)

Retrieves or sets the affinity update mode for the process.

Query Set
Type PROCESS_AFFINITY_UPDATE_MODE PROCESS_AFFINITY_UPDATE_MODE
Required access PROCESS_QUERY_LIMITED_INFORMATION N/A (NtCurrentProcess only)

ProcessMemoryAllocationMode (46)

Retrieves or sets the memory allocation mode for the process.

Query Set
Type PROCESS_MEMORY_ALLOCATION_MODE PROCESS_MEMORY_ALLOCATION_MODE
Required access PROCESS_QUERY_LIMITED_INFORMATION PROCESS_SET_INFORMATION

ProcessGroupInformation (47)

Retrieves thread affinity to processors and processor groups.

Query Set
Type USHORT[] N/A
Required access PROCESS_QUERY_LIMITED_INFORMATION N/A

ProcessTokenVirtualizationEnabled (48)

Enables or disables UAC filesystem and registry virtualization on the process's primary token.

Query Set
Type N/A ULONG or BOOL
Required access N/A PROCESS_SET_INFORMATION

Remarks

This information class does not require the caller to pass additional access checks on the token.

ProcessConsoleHostProcess (49)

Retrieves or sets the PID of the associated console host for the process.

Query Set
Type ULONG_PTR ULONG_PTR
Required access PROCESS_QUERY_LIMITED_INFORMATION N/A (NtCurrentProcess only)

Remarks

The system uses the two lower bits of the PID as flags. The lowest bit must be set for the request to succeed.

This information class was previously known as ProcessOwnerInformation.

ProcessWindowInformation (50)

Reads window flags and title information from the process parameters (RTL_USER_PROCESS_PARAMETERS) in the PEB of the specified process.

Query Set
Type PROCESS_WINDOW_INFORMATION N/A
Required access PROCESS_QUERY_LIMITED_INFORMATION N/A

Remarks

Note that this information class fails to parse denormalized process parameters (the ones that don't have the RTL_USER_PROC_PARAMS_NORMALIZED flag set).

ProcessHandleInformation (51)

Enumerates the handle table of the process.

Query Set
Type PROCESS_HANDLE_SNAPSHOT_INFORMATION N/A
Required access PROCESS_QUERY_INFORMATION N/A
Minimal version Windows 8 N/A

ProcessMitigationPolicy (52)

Retrieves or adjusts various mitigation policies for the process.

Query Set
Type PROCESS_MITIGATION_POLICY_INFORMATION PROCESS_MITIGATION_POLICY_INFORMATION
Required access PROCESS_QUERY_LIMITED_INFORMATION PROCESS_SET_INFORMATION for ProcessDynamicCodePolicy and NtCurrentProcess-only otherwise
Minimal version Windows 8 Windows 8

Remarks

See Exploit Protection Reference for more details on mitigation policies.

ProcessDynamicFunctionTableInformation (53)

Adds or removes dynamic function table entries for the current process.

Query Set
Type N/A PROCESS_DYNAMIC_FUNCTION_TABLE_INFORMATION
Required access N/A N/A (NtCurrentProcess only)
Minimal version N/A Windows 8

ProcessHandleCheckingMode (54)

Retrieves or sets whether the system should generate exceptions on invalid handle operations for the process.

Query Set
Type ULONG or BOOL ULONG or BOOL
Required access PROCESS_QUERY_INFORMATION PROCESS_SET_INFORMATION
Minimal version Windows 8 Windows 8

ProcessKeepAliveCount (55)

Retrieves the wake (keep-alive) counter for the process.

Query Set
Type PROCESS_KEEPALIVE_COUNT_INFORMATION N/A
Required access PROCESS_QUERY_INFORMATION N/A
Minimal version Windows 8 N/A

ProcessRevokeFileHandles (56)

Revokes file handles on the specified device from an AppContainer process.

Query Set
Type N/A PROCESS_REVOKE_FILE_HANDLES_INFORMATION
Required access N/A PROCESS_SET_LIMITED_INFORMATION
Minimal version N/A Windows 8

Remarks

Trying to perform file operations on a revoked handle fails with STATUS_FILE_HANDLE_REVOKED.

Handle revocation has no effect on non-AppContainer processes.

ProcessWorkingSetControl (57)

Performs an operation on the working set of the process.

Query Set
Type N/A PROCESS_WORKING_SET_CONTROL
Required access N/A PROCESS_SET_LIMITED_INFORMATION
Required privilege N/A SeDebugPrivilege
Minimal version N/A Windows 8

ProcessHandleTable (58)

Enumerates handle values present in the handle table of the process.

Query Set
Type ULONG[] N/A
Required access PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE N/A
Minimal version Windows 8.1 N/A

ProcessCheckStackExtentsMode (59)

Retrieves or sets whether the system should verify that the stack pointer belongs to the stack on context changes for the process. This info class accesses the KPROCESS->CheckStackExtents field.

Query Set
Type ULONG or BOOL ULONG or BOOL
Required access PROCESS_QUERY_INFORMATION PROCESS_SET_INFORMATION
Required privilege None SeDebugPrivilege
Minimal version Windows 8.1 Windows 8.1

ProcessCommandLineInformation (60)

Reads the command line string from the process parameters (RTL_USER_PROCESS_PARAMETERS) in the PEB of the specified process.

Query Set
Type UNICODE_STRING N/A
Required access PROCESS_QUERY_LIMITED_INFORMATION N/A
Minimal version Windows 8.1 N/A

Remarks

Note that this information class fails to parse denormalized process parameters (the ones that don't have the RTL_USER_PROC_PARAMS_NORMALIZED flag set).

ProcessProtectionInformation (61)

Retrieves the protection level for the process.

Query Set
Type PS_PROTECTION N/A
Required access PROCESS_QUERY_LIMITED_INFORMATION N/A
Minimal version Windows 8.1 N/A

ProcessMemoryExhaustion (62)

Sets whether the system should terminate the process if it fails to commit memory.

Query Set
Type N/A PROCESS_MEMORY_EXHAUSTION_INFO
Required access N/A PROCESS_SET_INFORMATION
Minimal version N/A Windows 10 TH1 (1507)

ProcessFaultInformation (63)

Reports the process crash.

Query Set
Type N/A PROCESS_FAULT_INFORMATION
Required access N/A PROCESS_SET_INFORMATION
Minimal version N/A Windows 10 TH1 (1507)

ProcessTelemetryIdInformation (64)

Retrieves various properties of the process for telemetry collection.

Query Set
Type PROCESS_TELEMETRY_ID_INFORMATION N/A
Required access PROCESS_QUERY_LIMITED_INFORMATION N/A
Minimal version Windows 10 TH1 (1507) N/A

ProcessCommitReleaseInformation (65)

Retrieves or sets whether the process is eligible for automatic commit memory releasing.

Query Set
Type PROCESS_COMMIT_RELEASE_INFORMATION PROCESS_COMMIT_RELEASE_INFORMATION
Required access PROCESS_QUERY_LIMITED_INFORMATION PROCESS_SET_LIMITED_INFORMATION | PROCESS_TERMINATE
Minimal version Windows 10 TH1 (1507) Windows 10 TH1 (1507)

ProcessDefaultCpuSetsInformation (66)

Retrieves or sets the default CPU Sets assignment for threads in the process.

Query Set
Type SYSTEM_CPU_SET_INFORMATION[5] SYSTEM_CPU_SET_INFORMATION[5]
Required access PROCESS_QUERY_LIMITED_INFORMATION PROCESS_SET_LIMITED_INFORMATION
Minimal version Windows 10 TH1 (1507) Windows 10 TH1 (1507)

ProcessAllowedCpuSetsInformation (67)

Retrieves or sets the allowed CPU Sets assignment for threads in the process.

Query Set
Type SYSTEM_CPU_SET_INFORMATION[5] SYSTEM_CPU_SET_INFORMATION[5]
Required access PROCESS_QUERY_LIMITED_INFORMATION PROCESS_SET_LIMITED_INFORMATION
Required privilege N/A SeIncreaseBasePriorityPrivilege
Minimal version Windows 10 TH1 (1507) Windows 10 TH1 (1507)

Remarks

The system doesn't require the caller to have the privilege if it can pass an access check against ExpCpuSetSecurityDescriptor, which grants access to NT AUTHORITY\SYSTEM and NT SERVICE\Audiosrv.

ProcessSubsystemProcess (68)

Marks the process as the Subsystem Process. This info class sets the EPROCESS->SubsystemProcess flag.

Query Set
Type N/A void (zero-size)
Required access N/A PROCESS_SET_INFORMATION
Minimal version N/A Windows 10 TH1 (1507)

Remarks

The caller must be the session master. Otherwise, the operation fails with STATUS_PRIVILEGE_NOT_HELD.

ProcessJobMemoryInformation (69)

Retrieves memory statistics and limits from the process's job object.

Query Set
Type PROCESS_JOB_MEMORY_INFO N/A
Required access PROCESS_QUERY_LIMITED_INFORMATION N/A
Minimal version Windows 10 TH1 (1507) N/A

ProcessInPrivate (70)

Retrieves or sets whether trace sessions with the EVENT_ENABLE_PROPERTY_EXCLUDE_INPRIVATE flag should drop all events from the process.

Query Set
Type BOOLEAN void (zero-size)
Required access PROCESS_QUERY_LIMITED_INFORMATION PROCESS_SET_INFORMATION
Minimal version Windows 10 TH2 (1511) Windows 10 TH2 (1511)

ProcessRaiseUMExceptionOnInvalidHandleClose (71)

Retrieves or sets whether the system should raise user-mode exceptions when the process attempts to close invalid handles.

Query Set
Type ULONG or BOOL ULONG or BOOL
Required access PROCESS_QUERY_LIMITED_INFORMATION PROCESS_SET_INFORMATION
Minimal version Windows 10 TH2 (1511) Windows 10 TH2 (1511)

ProcessIumChallengeResponse (72)

ProcessChildProcessInformation (73)

Retrieves the child process creation restriction from the process's primary token.

Query Set
Type PROCESS_CHILD_PROCESS_INFORMATION N/A
Required access PROCESS_QUERY_INFORMATION N/A
Minimal version Windows 10 TH2 (1511) N/A

ProcessHighGraphicsPriorityInformation (74)

Retrieves, enables, or disables high graphics priority for the process.

| | Query | Set |
|---|---|---|
| Type | BOOLEAN | BOOLEAN |
| Required access | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_SET_LIMITED_INFORMATION |
| Required privilege | None | SeTcbPrivilege |
| Minimal version | Windows 10 TH2 (1511) | Windows 10 TH2 (1511) |

ProcessSubsystemInformation (75)

Retrieves the subsystem type used by the process.

| | Query | Set |
|---|---|---|
| Type | SUBSYSTEM_INFORMATION_TYPE | N/A |
| Required access | PROCESS_QUERY_LIMITED_INFORMATION | N/A |
| Minimal version | Windows 10 RS2 (1703) | N/A |

ProcessEnergyValues (76)

Retrieves energy-related statistics for the process.

| | Query | Set |
|---|---|---|
| Type | PROCESS_ENERGY_VALUES or PROCESS_EXTENDED_ENERGY_VALUES | N/A |
| Required access | PROCESS_QUERY_LIMITED_INFORMATION | N/A |
| Minimal version | Windows 10 RS2 (1703) | N/A |

ProcessPowerThrottlingState (77)

Retrieves or adjusts power throttling settings for the process.

| | Query | Set |
|---|---|---|
| Type | POWER_THROTTLING_PROCESS_STATE | POWER_THROTTLING_PROCESS_STATE |
| Required access | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_SET_LIMITED_INFORMATION |
| Minimal version | Windows 10 RS2 (1703) | Windows 10 RS2 (1703) |

ProcessReserved3Information (78)

ProcessWin32kSyscallFilterInformation (79)

Retrieves the win32k syscall filter for the process.

| | Query | Set |
|---|---|---|
| Type | WIN32K_SYSCALL_FILTER | N/A |
| Required access | PROCESS_QUERY_INFORMATION | N/A |
| Minimal version | Windows 10 RS2 (1703) | N/A |

See also

ProcessDisableSystemAllowedCpuSets (80)

| | Query | Set |
|---|---|---|
| Type | N/A | BOOLEAN |
| Required access | N/A | PROCESS_SET_LIMITED_INFORMATION |
| Required privilege | N/A | SeIncreaseBasePriorityPrivilege |
| Minimal version | N/A | Windows 10 RS2 (1703) |

Remarks

The system doesn't require the caller to have the privilege if it can pass an access check against ExpCpuSetSecurityDescriptor, which grants access to NT AUTHORITY\SYSTEM and NT SERVICE\Audiosrv.

ProcessWakeInformation (81)

Allocates a wake notification channel for the process.

| | Query | Set |
|---|---|---|
| Type | PROCESS_WAKE_INFORMATION | N/A |
| Required access | PROCESS_QUERY_LIMITED_INFORMATION | N/A |
| Minimal version | Windows 10 RS2 (1703) | N/A |

ProcessEnergyTrackingState (82)

Retrieves or sets energy tracking for the process.

| | Query | Set |
|---|---|---|
| Type | PROCESS_ENERGY_TRACKING_STATE | PROCESS_ENERGY_TRACKING_STATE |
| Required access | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_SET_INFORMATION |
| Minimal version | Windows 10 RS2 (1703) | Windows 10 RS2 (1703) |

ProcessManageWritesToExecutableMemory (83)

ProcessCaptureTrustletLiveDump (84)

| | Query | Set |
|---|---|---|
| Type | ULONG | N/A |
| Required access | PROCESS_QUERY_INFORMATION \| PROCESS_VM_OPERATION \| PROCESS_VM_READ | N/A |
| Minimal version | Windows 10 RS3 (1709) | N/A |

ProcessTelemetryCoverage (85)

Retrieves or adjusts ETW telemetry coverage for the process.

| | Query | Set |
|---|---|---|
| Type | TELEMETRY_COVERAGE_HEADER | TELEMETRY_COVERAGE_POINT |
| Required access | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_SET_INFORMATION \| PROCESS_VM_WRITE |
| Required membership | BUILTIN\Administrators | None |
| Minimal version | Windows 10 RS3 (1709) | Windows 10 RS3 (1709) |

See also

ProcessEnclaveInformation (86)

ProcessEnableReadWriteVmLogging (87)

Retrieves, enables, or disables whether EtwTi should log virtual memory read/write operations for the process.

| | Query | Set |
|---|---|---|
| Type | PROCESS_READWRITEVM_LOGGING_INFORMATION | PROCESS_READWRITEVM_LOGGING_INFORMATION |
| Required access | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_SET_LIMITED_INFORMATION |
| Required privilege | None | SeDebugPrivilege or SeTcbPrivilege |
| Required protection | None | PPL Antimalware (Windows 11 only) |
| Minimal version | Windows 10 RS3 (1709) | Windows 10 RS3 (1709) |

See also

ProcessUptimeInformation (88)

Retrieves the uptime statistics for the process.

| | Query | Set |
|---|---|---|
| Type | PROCESS_UPTIME_INFORMATION | N/A |
| Required access | PROCESS_QUERY_LIMITED_INFORMATION | N/A |
| Minimal version | Windows 10 RS3 (1709) | N/A |

See also

ProcessImageSection (89)

Opens a handle to the image section associated with the process.

| | Query | Set |
|---|---|---|
| Type | HANDLE | N/A |
| Required access | N/A (NtCurrentProcess only) | N/A |
| Minimal version | Windows 10 RS3 (1709) | N/A |

Remarks

The system requires the caller to pass an access check for SECTION_QUERY | SECTION_MAP_READ on the section object and returns a handle with these rights.

ProcessDebugAuthInformation (90)

ProcessSystemResourceManagement (91)

Switches the process between foreground and background resource management.

| | Query | Set |
|---|---|---|
| Type | N/A | PROCESS_SYSTEM_RESOURCE_MANAGEMENT |
| Required access | N/A | PROCESS_SET_LIMITED_INFORMATION |
| Required privilege | N/A | SeTcbPrivilege |
| Minimal version | N/A | Windows 10 RS4 (1803) |

ProcessSequenceNumber (92)

Retrieves the unique sequence number of the process.

| | Query | Set |
|---|---|---|
| Type | ULONGLONG | N/A |
| Required access | PROCESS_QUERY_LIMITED_INFORMATION | N/A |
| Minimal version | Windows 10 RS4 (1803) | N/A |

ProcessLoaderDetour (93)

ProcessSecurityDomainInformation (94)

Retrieves the ID of the security domain for the process. Processes in different security domains are isolated from each other's side-channel attacks.

| | Query | Set |
|---|---|---|
| Type | PROCESS_SECURITY_DOMAIN_INFORMATION | N/A |
| Required access | PROCESS_QUERY_LIMITED_INFORMATION | N/A |
| Minimal version | Windows 10 RS5 (1809) | N/A |

Notable return values

See also

ProcessCombineSecurityDomainsInformation (95)

Combines security domains of two processes. Processes in different security domains are isolated from each other's side-channel attacks. This operation changes the security domain of the process passed in the ProcessHandle parameter to the security domain of the process passed in the ProcessInformation parameter.

| | Query | Set |
|---|---|---|
| Type | N/A | PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION |
| Required access | N/A | PROCESS_SET_LIMITED_INFORMATION + PROCESS_QUERY_LIMITED_INFORMATION on the other. |
| Minimal version | N/A | Windows 10 RS5 (1809) |

Notable return values

See also

ProcessEnableLogging (96)

Retrieves, enables, or disables EtwTi logging for various operations for the process.

| | Query | Set |
|---|---|---|
| Type | PROCESS_LOGGING_INFORMATION | PROCESS_LOGGING_INFORMATION |
| Required access | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_SET_LIMITED_INFORMATION |
| Required privilege | None | SeDebugPrivilege or SeTcbPrivilege |
| Required protection | None | PPL Antimalware (Windows 11 only) |
| Minimal version | Windows 10 RS5 (1809) | Windows 10 RS5 (1809) |
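
The following is an added example, not code from NtDoc or the phnt project: a defender-side check that queries ProcessEnableLogging (96) and reports which EtwTi logging features are off for a process. The function names are hypothetical, and the bit order of PROCESS_LOGGING_INFORMATION is an assumption taken from the phnt headers, since this page does not list it.

```c
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
typedef LONG (NTAPI *NtQip_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);
#endif

/* Assumption: bit order of PROCESS_LOGGING_INFORMATION.Flags as declared in
   the phnt headers; the page does not list it. Higher bits are not decoded. */
static const char *const kLogBits[] = {
    "ReadVm", "WriteVm", "ProcessSuspendResume",
    "ThreadSuspendResume", "LocalExecProtectVm", "RemoteExecProtectVm",
};
#define LOG_BIT_COUNT (sizeof kLogBits / sizeof kLogBits[0])

/* Stores the names of the logging features that are off in `flags` into
   `off` (room for LOG_BIT_COUNT entries) and returns how many are off. */
size_t etwti_logging_gaps(uint32_t flags, const char **off)
{
    size_t n = 0;
    for (size_t i = 0; i < LOG_BIT_COUNT; i++)
        if (!(flags & (1u << i))) off[n++] = kLogBits[i];
    return n;
}

/* Returns 0 and fills *flags. On Windows this queries info class 96 for the
   current process; elsewhere it returns a constructed sample value. */
int query_etwti_logging(uint32_t *flags)
{
#ifdef _WIN32
    NtQip_t qip = (NtQip_t)GetProcAddress(GetModuleHandleW(L"ntdll.dll"),
                                          "NtQueryInformationProcess");
    ULONG raw = 0;
    if (!qip || qip(GetCurrentProcess(), 96, &raw, sizeof raw, NULL) < 0)
        return -1;
    *flags = raw;
#else
    *flags = 0x03; /* constructed: only read/write VM logging enabled */
#endif
    return 0;
}

int main(void)
{
    uint32_t flags;
    const char *off[LOG_BIT_COUNT];
    if (query_etwti_logging(&flags) != 0) return 1;
    size_t n = etwti_logging_gaps(flags, off);
    for (size_t i = 0; i < n; i++) printf("EtwTi logging off: %s\n", off[i]);
    return 0;
}
```

To audit another process, replace the pseudo-handle with one opened for PROCESS_QUERY_LIMITED_INFORMATION, the query access listed in the table above.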

See also

ProcessLeapSecondInformation (97)

Retrieves or adjusts the leap second handling mode for the current process.

| | Query | Set |
|---|---|---|
| Type | PROCESS_LEAP_SECOND_INFORMATION | PROCESS_LEAP_SECOND_INFORMATION |
| Required access | N/A (NtCurrentProcess only) | N/A (NtCurrentProcess only) |
| Minimal version | Windows 10 RS5 (1809) | Windows 10 RS5 (1809) |

See also

ProcessFiberShadowStackAllocation (98)

Allocates a shadow stack for a fiber in the current process.

| | Query | Set |
|---|---|---|
| Type | N/A | PROCESS_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION |
| Required access | N/A | N/A (NtCurrentProcess only) |
| Minimal version | N/A | Windows 10 19H1 (1903) |

Notable return values

ProcessFreeFiberShadowStackAllocation (99)

Frees a shadow stack for a fiber in the current process.

| | Query | Set |
|---|---|---|
| Type | N/A | PROCESS_FREE_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION |
| Required access | N/A | N/A (NtCurrentProcess only) |
| Minimal version | N/A | Windows 10 19H1 (1903) |

Notable return values

ProcessAltSystemCallInformation (100)

Changes the syscall provider for the process.

| | Query | Set |
|---|---|---|
| Type | N/A | PROCESS_SYSCALL_PROVIDER_INFORMATION |
| Required access | N/A | PROCESS_VM_WRITE |
| Minimal version | N/A | Windows 10 20H1 (2004) |

ProcessDynamicEHContinuationTargets (101)

Sets dynamic exception handling continuation targets for the process.

| | Query | Set |
|---|---|---|
| Type | N/A | PROCESS_DYNAMIC_EH_CONTINUATION_TARGETS_INFORMATION |
| Required access | N/A | PROCESS_SET_INFORMATION |
| Minimal version | N/A | Windows 10 20H1 (2004) |

Notable return values

ProcessDynamicEnforcedCetCompatibleRanges (102)

Sets CET-compatible ranges where shadow stack violations are fatal for the process.

| | Query | Set |
|---|---|---|
| Type | N/A | PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE_INFORMATION |
| Required access | N/A | PROCESS_SET_INFORMATION |
| Minimal version | N/A | Windows 10 20H2 (2009) |

Notable return values

ProcessCreateStateChange (103)

This information class has been superseded by NtCreateProcessStateChange.

ProcessApplyStateChange (104)

This information class has been superseded by NtChangeProcessState.

ProcessEnableOptionalXStateFeatures (105)

Enables optional XState features for the process.

| | Query | Set |
|---|---|---|
| Type | N/A | ULONG64 |
| Required access | N/A | PROCESS_SET_INFORMATION |
| Minimal version | N/A | Windows 11 |

ProcessAltPrefetchParam (106)

ProcessAssignCpuPartitions (107)

ProcessPriorityClassEx (108)

Adjusts the priority class for the process.

| | Query | Set |
|---|---|---|
| Type | N/A | PROCESS_PRIORITY_CLASS_EX |
| Required access | N/A | PROCESS_SET_INFORMATION |
| Required privilege | N/A | SeIncreaseBasePriorityPrivilege |
| Minimal version | N/A | Windows 11 22H2 |

Known values

Remarks

Only setting the priority class to realtime requires the privilege.

The system ignores the request if the process's job object specifies a conflicting value via JOB_OBJECT_LIMIT_PRIORITY_CLASS.

See also

ProcessMembershipInformation (109)

Retrieves the effective server silo ID for the process.

| | Query | Set |
|---|---|---|
| Type | PROCESS_MEMBERSHIP_INFORMATION | N/A |
| Required access | PROCESS_QUERY_LIMITED_INFORMATION | N/A |
| Minimal version | Windows 11 22H2 | N/A |

Remarks

This info class lies and returns zero if the calling thread is in a server silo.

ProcessEffectiveIoPriority (110)

Determines the effective priority for I/O operations issued by the process (taking its job object into account).

| | Query | Set |
|---|---|---|
| Type | IO_PRIORITY_HINT | N/A |
| Required access | PROCESS_QUERY_LIMITED_INFORMATION | N/A |
| Minimal version | Windows 11 22H2 | N/A |

See also

ProcessEffectivePagePriority (111)

Determines the effective paging priority for the process (taking its job object into account).

| | Query | Set |
|---|---|---|
| Type | PAGE_PRIORITY_INFORMATION | N/A |
| Required access | PROCESS_QUERY_LIMITED_INFORMATION | N/A |
| Minimal version | Windows 11 22H2 | N/A |

See also