SYSTEM_PROCESS_INFORMATION_EXTENSION - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers
#ifndef _NTEXAPI_H

/**
 * Extended process information appended to SYSTEM_PROCESS_INFORMATION in full process enumeration queries.
 *
 * \details This structure provides additional process accounting, classification, and energy metrics
 * not present in the base SYSTEM_PROCESS_INFORMATION structure. It is returned when querying
 * SystemFullProcessInformation (information class 148) or SystemExtendedProcessInformation (information class 57)
 * via NtQuerySystemInformation.
 *
 * The structure is appended immediately after the SYSTEM_THREAD_INFORMATION array in
 * SYSTEM_EXTENDED_PROCESS_INFORMATION, and the offsets are relative to the start of this extension structure.
 * NOTE(review): the address of the extension depends on the per-thread entry size of the queried
 * information class. Confirm the thread entry type, and that the class returns this extension at all,
 * against the phnt headers before computing the pointer; neither is visible in this definition.
 *
 * \since Windows 10 Threshold (version 1507, build 10240)
 *
 * \remarks This structure contains variable-length data. The UserSidOffset, PackageFullNameOffset,
 * and AppIdOffset fields point to data stored immediately after this structure in memory.
 * Callers must use these offsets to locate the actual strings and SID data.
 *
 * Parsing guidance for consumers (monitoring agents, forensic tools, parsers of captured buffers):
 * - A zero offset means the item is absent; do not dereference it.
 * - Before reading, check that (extension start + offset) lies inside the buffer returned by the
 *   query, and that the whole item fits: for the strings, the terminating null must be found before
 *   the end of the buffer; for the SID, the length implied by its sub-authority count must fit.
 * - Members carry different \since tags (1507, 1511, 1607). On a build older than a member's tag the
 *   member is presumably not present and the variable-length data starts earlier, so gate access to
 *   later members on the OS build rather than assuming sizeof() of this definition - TODO confirm.
 * - The values are a snapshot taken at query time; the process may have exited, or its identifiers
 *   may no longer describe the same process, by the time they are used.
 */
typedef struct _SYSTEM_PROCESS_INFORMATION_EXTENSION
{
    /**
     * Cumulative disk I/O counters for the process (reads, writes, flushes).
     * Includes total bytes transferred and operation counts for read, write, and flush operations.
     */
    PROCESS_DISK_COUNTERS DiskCounters;

    /**
     * Total number of context switches performed by all threads in the process since creation.
     * Use this to measure scheduling overhead and CPU time-sharing behavior.
     */
    ULONGLONG ContextSwitches;

    /**
     * Process classification flags and security attributes.
     * The bit-fields below alias Flags: 1 + 4 + 1 + 26 bits fill the 32-bit value.
     */
    union
    {
        /**
         * Raw flags value containing all classification bits.
         */
        ULONG Flags;

        struct
        {
            /**
             * If set, the process has a strong identity (e.g., packaged app with cryptographic signing).
             * Strong identities are used for security policy enforcement and resource isolation.
             * NOTE(review): this is reported state, read from a snapshot; treat it as telemetry and
             * not as the sole input to a trust or authorization decision.
             */
            ULONG HasStrongId : 1;

            /**
             * Process classification type (SYSTEM_PROCESS_CLASSIFICATION).
             * Indicates whether this is a normal user process, system process, secure system process,
             * memory compression process, or registry process. Used by the kernel for resource
             * management, security policy, and scheduling decisions.
             * The field is 4 bits wide, so it can carry values the enumeration known to the caller
             * does not define; handle those as "unknown" instead of indexing a table with them.
             */
            ULONG Classification : 4; // SYSTEM_PROCESS_CLASSIFICATION

            /**
             * If set, the process has had background activity moderation applied to it.
             * The system may throttle CPU, I/O, or network resources when the process is not in the foreground.
             * \since Windows 10 Redstone 2 (version 1703)
             */
            ULONG BackgroundActivityModerated : 1;

            /**
             * Reserved for future use.
             * Do not assign meaning to these bits; mask them out when comparing Flags values.
             */
            ULONG Spare : 26;
        } DUMMYSTRUCTNAME;
    } DUMMYUNIONNAME;

    /**
     * Offset, in bytes, from the start of this structure to the user SID (Security Identifier).
     * If zero, no user SID is available. The SID data is stored in standard binary format.
     * Use this offset to locate the process owner's security identifier for access control
     * and auditing purposes.
     * A SID is variable-length: its size follows from the sub-authority count in its header.
     * Check that the fixed header and then the full computed length fit inside the returned
     * buffer before reading or copying the SID.
     */
    ULONG UserSidOffset;

    /**
     * Offset, in bytes, from the start of this structure to a null-terminated WCHAR string
     * containing the full package name (e.g., "Contoso.App_1.0.0.0_x64__8wekyb3d8bbwe").
     * If zero, the process is not packaged (classic Win32 application).
     * Bound the search for the terminating null by the end of the returned buffer.
     * \since Windows 10 Threshold (version 1507)
     */
    ULONG PackageFullNameOffset; // since THRESHOLD

    /**
     * Detailed energy accounting values for the process, including CPU cycles, disk energy,
     * network/MBB tail energy, DWM composition metrics, and activity state durations.
     * Provides per-QoS-bucket breakdowns of energy consumption for foreground/background
     * resource usage analysis.
     * \since Windows 10 Threshold (version 1507)
     */
    PROCESS_ENERGY_VALUES EnergyValues; // since THRESHOLD

    /**
     * Offset, in bytes, from the start of this structure to a null-terminated WCHAR string
     * containing the Application User Model ID (AUMID) for packaged applications.
     * If zero, the process does not have an AppId (either not packaged or not a UWP app).
     * Bound the search for the terminating null by the end of the returned buffer.
     * \since Windows 10 Threshold (version 1507)
     */
    ULONG AppIdOffset; // since THRESHOLD

    /**
     * Number of bytes of committed memory shared between this process and other processes
     * (e.g., memory-mapped sections, shared DLLs, or copy-on-write pages).
     * Use this to measure memory overhead due to sharing and to calculate true private bytes.
     * SharedCommitCharge + PrivatePageCount gives a more accurate picture of process memory usage.
     * NOTE(review): confirm the unit (bytes vs. pages) of both operands before adding them;
     * PrivatePageCount is not declared in this structure.
     * \since Windows 10 Threshold 2 (version 1511)
     */
    SIZE_T SharedCommitCharge; // since THRESHOLD2

    /**
     * Identifier of the job object to which the process belongs, if any.
     * If zero, the process is not assigned to a job object. Job objects are used to group
     * processes and apply resource limits, accounting, and management policies.
     * \since Windows 10 Redstone (version 1607)
     */
    ULONG JobObjectId; // since REDSTONE

    /**
     * Reserved for future use.
     * \since Windows 10 Redstone (version 1607)
     */
    ULONG SpareUlong; // since REDSTONE

    /**
     * Unique monotonically-increasing sequence number assigned when the process was created.
     * Unlike ProcessId (which can be recycled), this value is never reused and provides
     * a stable identifier for correlation across logs and telemetry even after process termination.
     * For detection and incident-response pipelines this makes it a safer join key than ProcessId
     * alone, which can refer to a different process once the original has exited.
     * \since Windows 10 Redstone (version 1607)
     */
    ULONGLONG ProcessSequenceNumber; // since REDSTONE
} SYSTEM_PROCESS_INFORMATION_EXTENSION, *PSYSTEM_PROCESS_INFORMATION_EXTENSION;

#endif
