|
1 | 1 | #pragma once |
2 | 2 |
|
| 3 | +#include <ntdef.h> |
3 | 4 | #include <winternl.h> |
4 | 5 | #include <winnt.h> |
5 | 6 | #include <stdint.h> |
@@ -437,6 +438,12 @@ typedef struct _KSYSTEM_TIME |
437 | 438 | LONG High2Time; |
438 | 439 | } KSYSTEM_TIME, *PKSYSTEM_TIME; |
439 | 440 |
|
| 441 | +/** |
| 442 | + * PROCESSOR_FEATURE_MAX defines the maximum number of processor feature flags |
| 443 | + * that may be reported by the system. |
| 444 | + */ |
| 445 | +#define PROCESSOR_FEATURE_MAX 64 |
| 446 | + |
440 | 447 | /** |
441 | 448 | * The KUSER_SHARED_DATA structure contains information shared with user-mode. |
442 | 449 | * |
@@ -489,6 +496,142 @@ typedef struct _KUSER_SHARED_DATA |
489 | 496 |
|
490 | 497 | WCHAR NtSystemRoot[260]; |
491 | 498 |
|
| 499 | + // |
| 500 | + // Maximum stack trace depth if tracing enabled. |
| 501 | + // |
| 502 | + |
| 503 | + ULONG MaxStackTraceDepth; |
| 504 | + |
| 505 | + // |
| 506 | + // Crypto exponent value. |
| 507 | + // |
| 508 | + |
| 509 | + ULONG CryptoExponent; |
| 510 | + |
| 511 | + // |
| 512 | + // Time zone ID. |
| 513 | + // |
| 514 | + |
| 515 | + ULONG TimeZoneId; |
| 516 | + |
| 517 | + // |
| 518 | + // Minimum size of a large page on the system, in bytes. |
| 519 | + // |
| 520 | + // N.B. Returned by GetLargePageMinimum() function. |
| 521 | + // |
| 522 | + |
| 523 | + ULONG LargePageMinimum; |
| 524 | + |
| 525 | + // |
| 526 | + // This value controls the Application Impact Telemetry (AIT) Sampling rate. |
| 527 | + // |
| 528 | + // This value determines how frequently the system records AIT events, |
| 529 | + // which are used by the Application Experience and compatibility |
| 530 | + // subsystems to evaluate application behavior, performance, and |
| 531 | + // potential compatibility issues. |
| 532 | + // |
| 533 | + // Lower values increase sampling frequency, while higher values reduce it. |
| 534 | + // The kernel updates this field as part of its internal telemetry and |
| 535 | + // heuristics logic. |
| 536 | + // |
| 537 | + |
| 538 | + ULONG AitSamplingValue; |
| 539 | + |
| 540 | + // |
| 541 | + // This value controls Application Compatibility (AppCompat) switchback processing. |
| 542 | + // |
| 543 | + |
| 544 | + union |
| 545 | + { |
| 546 | + ULONG AppCompatFlag; |
| 547 | + struct |
| 548 | + { |
| 549 | + ULONG SwitchbackEnabled : 1; // Basic switchback processing |
| 550 | + ULONG ExtendedHeuristics : 1; // Extended switchback heuristics |
| 551 | + ULONG TelemetryFallback : 1; // Telemetry-driven fallback |
| 552 | + ULONG Reserved : 29; |
| 553 | + } AppCompatFlags; |
| 554 | + }; |
| 555 | + |
| 556 | + // |
| 557 | + // Current Kernel Root RNG state seed version |
| 558 | + // |
| 559 | + |
| 560 | + ULONGLONG RNGSeedVersion; |
| 561 | + |
| 562 | + // |
| 563 | + // This value controls assertion failure handling. |
| 564 | + // |
| 565 | + // Historically (prior to Windows 10), this value was also used by |
| 566 | + // Code Integrity (CI), AppLocker, and related security components to |
| 567 | + // determine the minimum validation requirements for executable images, |
| 568 | + // drivers, and privileged operations. |
| 569 | + // |
| 570 | + // In modern Windows versions, this field is used primarily by the kernel's |
| 571 | + // diagnostic and validation infrastructure to decide how assertion failures |
| 572 | + // should be handled (e.g., logging, debugger break-in, or bugcheck). |
| 573 | + |
| 574 | + ULONG GlobalValidationRunlevel; |
| 575 | + |
| 576 | + // |
| 577 | + // Monotonic stamp incremented by the kernel whenever the system's |
| 578 | + // time zone bias value changes. |
| 579 | + // |
| 580 | + // N.B. This field must be accessed via the RtlGetSystemTimeAndBias API for |
| 581 | + // an accurate result. |
| 582 | + // This value is read before and after accessing the bias fields to determine |
| 583 | + // whether the time zone data changed during the read. If the stamp differs, |
| 584 | + // the caller must re-read the bias values to ensure consistency. |
| 585 | + // |
| 586 | + |
| 587 | + volatile LONG TimeZoneBiasStamp; |
| 588 | + |
| 589 | + // |
| 590 | + // The shared collective build number undecorated with C or F. |
| 591 | + // GetVersionEx hides the real number |
| 592 | + // |
| 593 | + |
| 594 | + ULONG NtBuildNumber; |
| 595 | + |
| 596 | + // |
| 597 | + // Product type. |
| 598 | + // |
| 599 | + // N.B. This field must be accessed via the RtlGetNtProductType API for |
| 600 | + // an accurate result. |
| 601 | + // |
| 602 | + |
| 603 | + NT_PRODUCT_TYPE NtProductType; |
| 604 | + BOOLEAN ProductTypeIsValid; |
| 605 | + BOOLEAN Reserved0[1]; |
| 606 | + |
| 607 | + // |
| 608 | + // Native hardware processor architecture of the running system. |
| 609 | + // |
| 610 | + // N.B. User-mode components read this field to determine the true system |
| 611 | + // architecture, especially in WOW64 scenarios where the process architecture |
| 612 | + // differs from the native one. |
| 613 | + // |
| 614 | + |
| 615 | + USHORT NativeProcessorArchitecture; |
| 616 | + |
| 617 | + // |
| 618 | + // The NT Version. |
| 619 | + // |
| 620 | + // N. B. Note that each process sees a version from its PEB, but if the |
| 621 | + // process is running with an altered view of the system version, |
| 622 | + // the following two fields are used to correctly identify the |
| 623 | + // version |
| 624 | + // |
| 625 | + |
| 626 | + ULONG NtMajorVersion; |
| 627 | + ULONG NtMinorVersion; |
| 628 | + |
| 629 | + // |
| 630 | + // Processor features. |
| 631 | + // |
| 632 | + |
| 633 | + BOOLEAN ProcessorFeatures[PROCESSOR_FEATURE_MAX]; |
| 634 | + |
492 | 635 | // ... more fields follow, but we don't need them |
493 | 636 | } KUSER_SHARED_DATA, *PKUSER_SHARED_DATA; |
494 | 637 |
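Review bot: Nothing in the added fields pins their offsets, yet this structure is only correct if it overlays the kernel-mapped shared page byte for byte. One mis-sized member (for example `NT_PRODUCT_TYPE`, an enum whose width can change with compiler flags) would shift every later field, so reads of `NtBuildNumber`, `NtMajorVersion` or `ProcessorFeatures` would silently return the wrong bytes. I would add compile-time checks after the typedef, such as `_Static_assert(offsetof(KUSER_SHARED_DATA, NtMajorVersion) == 0x26C, "KUSER_SHARED_DATA layout");` and the same for `ProcessorFeatures` at `0x274`; these are the offsets in the publicly documented layout, and `offsetof` needs `<stddef.h>`. The members before `NtSystemRoot` are outside the visible hunks, so such a check would also cover declarations I cannot see here. Separately, `#define PROCESSOR_FEATURE_MAX 64` is unconditional and may collide with a definition pulled in by the newly included `<ntdef.h>` or another SDK header, so an `#ifndef PROCESSOR_FEATURE_MAX` guard would be safer.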
|
|