RTL_USER_PROCESS_PARAMETERS - NtDoc
Native API online documentation, based on the System Informer
(formerly Process Hacker) phnt
headers
#ifndef _NTRTL_H
typedef struct _RTL_USER_PROCESS_PARAMETERS
{
ULONG MaximumLength;
ULONG Length;
ULONG Flags;
ULONG DebugFlags;
HANDLE ConsoleHandle;
ULONG ConsoleFlags;
HANDLE StandardInput;
HANDLE StandardOutput;
HANDLE StandardError;
CURDIR CurrentDirectory;
UNICODE_STRING DllPath;
UNICODE_STRING ImagePathName;
UNICODE_STRING CommandLine;
PVOID Environment;
ULONG StartingX;
ULONG StartingY;
ULONG CountX;
ULONG CountY;
ULONG CountCharsX;
ULONG CountCharsY;
ULONG FillAttribute;
ULONG WindowFlags;
ULONG ShowWindowFlags;
UNICODE_STRING WindowTitle;
UNICODE_STRING DesktopInfo;
UNICODE_STRING ShellInfo;
UNICODE_STRING RuntimeData;
RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS];
ULONG_PTR EnvironmentSize;
ULONG_PTR EnvironmentVersion;
PVOID PackageDependencyData;
ULONG ProcessGroupId;
ULONG LoaderThreads;
UNICODE_STRING RedirectionDllName; // REDSTONE4
UNICODE_STRING HeapPartitionName; // 19H1
PULONGLONG DefaultThreadpoolCpuSetMasks;
ULONG DefaultThreadpoolCpuSetMaskCount;
ULONG DefaultThreadpoolThreadMaximum;
ULONG HeapMemoryTypeMask; // WIN11
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
View code on GitHub// winternl.h
typedef struct _RTL_USER_PROCESS_PARAMETERS {
BYTE Reserved1[16];
PVOID Reserved2[10];
UNICODE_STRING ImagePathName;
UNICODE_STRING CommandLine;
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
View the official Win32 API referenceNo description available.
[This structure may be altered in future versions of Windows.]
Contains process parameter information.
Reserved1Reserved for internal use by the operating system.
Reserved2Reserved for internal use by the operating system.
ImagePathNameThe path of the image file for the process.
CommandLineThe command-line string passed to the process.
This structure is documented in Windows SDK.
Should be set before call RtlCreateProcessParameters.
Length of valid structure.
Currently these flags are known:
// Means that the structure is normalized by RtlNormalizeProcessParams.
#define RTL_USER_PROCESS_PARAMETERS_NORMALIZED 0x01
// Source:
// https://github.com/arizvisa/ndk/blob/6851da4ab49ca07ddae29b6d4d255726ad04ef86/ndk/rtltypes.h#L39
#define RTL_USER_PROCESS_PARAMETERS_PROFILE_USER 0x02
#define RTL_USER_PROCESS_PARAMETERS_PROFILE_KERNEL 0x04
#define RTL_USER_PROCESS_PARAMETERS_PROFILE_SERVER 0x08
#define RTL_USER_PROCESS_PARAMETERS_UNKNOWN 0x10
#define RTL_USER_PROCESS_PARAMETERS_RESERVE_1MB 0x20
#define RTL_USER_PROCESS_PARAMETERS_RESERVE_16MB 0x40
#define RTL_USER_PROCESS_PARAMETERS_CASE_SENSITIVE 0x80
#define RTL_USER_PROCESS_PARAMETERS_DISABLE_HEAP_CHECKS 0x100
#define RTL_USER_PROCESS_PARAMETERS_PROCESS_OR_1 0x200
#define RTL_USER_PROCESS_PARAMETERS_PROCESS_OR_2 0x400
#define RTL_USER_PROCESS_PARAMETERS_PRIVATE_DLL_PATH 0x1000
#define RTL_USER_PROCESS_PARAMETERS_LOCAL_DLL_PATH 0x2000
#define RTL_USER_PROCESS_PARAMETERS_IMAGE_KEY_MISSING 0x4000
// Documented by sixtyvividtails, source:
// https://x.com/sixtyvividtails/status/1719785195086266581
// This flag is needed on certain codepath for DotLocal to work. Set in
// PspSetupUserProcessAddressSpace from PspGlobalFlags.DevOverrideEnabled
// (bit0). And that comes off system-global (not per image) IFEO
// "DevOverrideEnable" (def absent). Old flag, but was mostly ignored.
#define RTL_USER_PROCESS_PARAMETERS_DEVOVERRIDE_ENABLED 0x8000
#define RTL_USER_PROCESS_PARAMETERS_NX 0x20000
HWND to console window associated with process (if any).
Specified in DOS-like symbolic link path, ex: "C:\WinNT\SYSTEM32"
Handle to FILE object.
DOS-like paths separated by ';' where system should search for DLL files.
Full path in DOS-like format to process'es file image.
Command line.
Pointer to environment block (see RtlCreateEnvironment).
Name of WindowStation and Desktop objects, where process is assigned.
???
RTL_USER_PROCESS_PARAMETERS is located at address 0x20000 (for all processes created by call WIN32 API CreateProcess).