RTL_USER_PROCESS_PARAMETERS - NtDoc
Native API online documentation, based on the System Informer
(formerly Process Hacker) phnt
headers
#ifndef _NTRTL_H
typedef struct _RTL_USER_PROCESS_PARAMETERS
{
ULONG MaximumLength;
ULONG Length;
ULONG Flags;
ULONG DebugFlags;
HANDLE ConsoleHandle;
ULONG ConsoleFlags;
HANDLE StandardInput;
HANDLE StandardOutput;
HANDLE StandardError;
CURDIR CurrentDirectory;
UNICODE_STRING DllPath;
UNICODE_STRING ImagePathName;
UNICODE_STRING CommandLine;
PVOID Environment;
ULONG StartingX;
ULONG StartingY;
ULONG CountX;
ULONG CountY;
ULONG CountCharsX;
ULONG CountCharsY;
ULONG FillAttribute;
ULONG WindowFlags;
ULONG ShowWindowFlags;
UNICODE_STRING WindowTitle;
UNICODE_STRING DesktopInfo;
UNICODE_STRING ShellInfo;
UNICODE_STRING RuntimeData;
RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS];
ULONG_PTR EnvironmentSize;
ULONG_PTR EnvironmentVersion;
PVOID PackageDependencyData;
ULONG ProcessGroupId;
ULONG LoaderThreads;
UNICODE_STRING RedirectionDllName; // REDSTONE4
UNICODE_STRING HeapPartitionName; // 19H1
PULONGLONG DefaultThreadpoolCpuSetMasks;
ULONG DefaultThreadpoolCpuSetMaskCount;
ULONG DefaultThreadpoolThreadMaximum;
ULONG HeapMemoryTypeMask; // WIN11
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
View code on GitHubThis structure is documented in Windows SDK.
Should be set before call RtlCreateProcessParameters.
Length of valid structure.
Currently these flags are known:
// Means that the structure is normalized by RtlNormalizeProcessParams.
#define RTL_USER_PROCESS_PARAMETERS_NORMALIZED 0x01
// Source:
// https://github.com/arizvisa/ndk/blob/6851da4ab49ca07ddae29b6d4d255726ad04ef86/ndk/rtltypes.h#L39
#define RTL_USER_PROCESS_PARAMETERS_PROFILE_USER 0x02
#define RTL_USER_PROCESS_PARAMETERS_PROFILE_KERNEL 0x04
#define RTL_USER_PROCESS_PARAMETERS_PROFILE_SERVER 0x08
#define RTL_USER_PROCESS_PARAMETERS_UNKNOWN 0x10
#define RTL_USER_PROCESS_PARAMETERS_RESERVE_1MB 0x20
#define RTL_USER_PROCESS_PARAMETERS_RESERVE_16MB 0x40
#define RTL_USER_PROCESS_PARAMETERS_CASE_SENSITIVE 0x80
#define RTL_USER_PROCESS_PARAMETERS_DISABLE_HEAP_CHECKS 0x100
#define RTL_USER_PROCESS_PARAMETERS_PROCESS_OR_1 0x200
#define RTL_USER_PROCESS_PARAMETERS_PROCESS_OR_2 0x400
#define RTL_USER_PROCESS_PARAMETERS_PRIVATE_DLL_PATH 0x1000
#define RTL_USER_PROCESS_PARAMETERS_LOCAL_DLL_PATH 0x2000
#define RTL_USER_PROCESS_PARAMETERS_IMAGE_KEY_MISSING 0x4000
// Documented by sixtyvividtails, source:
// https://x.com/sixtyvividtails/status/1719785195086266581
// This flag is needed on certain codepath for DotLocal to work. Set in
// PspSetupUserProcessAddressSpace from PspGlobalFlags.DevOverrideEnabled
// (bit0). And that comes off system-global (not per image) IFEO
// "DevOverrideEnable" (def absent). Old flag, but was mostly ignored.
#define RTL_USER_PROCESS_PARAMETERS_DEVOVERRIDE_ENABLED 0x8000
#define RTL_USER_PROCESS_PARAMETERS_NX 0x20000
HWND to console window associated with process (if any).
Specified in DOS-like symbolic link path, ex: "C:\WinNT\SYSTEM32"
Handle to FILE object.
DOS-like paths separated by ';' where system should search for DLL files.
Full path in DOS-like format to process'es file image.
Command line.
Pointer to environment block (see RtlCreateEnvironment).
Name of WindowStation and Desktop objects, where process is assigned.
???
RTL_USER_PROCESS_PARAMETERS is located at address 0x20000 (for all processes created by call WIN32 API CreateProcess).