# pragma once
# include <windows.h>
# include <psapi.h>
# include <iostream>
# include <string>
# include <atomic>
# include <vector>
# include <thread>
# include "Config.h"
# include "MemDefine.h"
// NOTE(review): a using-directive at header scope is imported into every
// translation unit that includes this file and can silently change overload
// resolution there; left in place because dependents may rely on it.
using namespace std ;
// Information classes for NtQuerySystemInformation / NtQuerySystemInformationEx
// (the "q:" / "s:" annotations give the query / set buffer type). Values are
// positional (0-based, no explicit initializers), so an enumerator must never be
// inserted, removed or reordered; the "// 10", "// 20", ... markers are
// checkpoints for that invariant. Entries marked "requires Se*Privilege" or
// "(requires admin)" will fail with access denied for an unprivileged caller.
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation , // q: SYSTEM_BASIC_INFORMATION
SystemProcessorInformation , // q: SYSTEM_PROCESSOR_INFORMATION
SystemPerformanceInformation , // q: SYSTEM_PERFORMANCE_INFORMATION
SystemTimeOfDayInformation , // q: SYSTEM_TIMEOFDAY_INFORMATION
SystemPathInformation , // not implemented
SystemProcessInformation , // q: SYSTEM_PROCESS_INFORMATION
SystemCallCountInformation , // q: SYSTEM_CALL_COUNT_INFORMATION
SystemDeviceInformation , // q: SYSTEM_DEVICE_INFORMATION
SystemProcessorPerformanceInformation , // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION (EX in: USHORT ProcessorGroup)
SystemFlagsInformation , // q: SYSTEM_FLAGS_INFORMATION
SystemCallTimeInformation , // not implemented // SYSTEM_CALL_TIME_INFORMATION // 10
SystemModuleInformation , // q: RTL_PROCESS_MODULES
SystemLocksInformation , // q: RTL_PROCESS_LOCKS
SystemStackTraceInformation , // q: RTL_PROCESS_BACKTRACES
SystemPagedPoolInformation , // not implemented
SystemNonPagedPoolInformation , // not implemented
SystemHandleInformation , // q: SYSTEM_HANDLE_INFORMATION
SystemObjectInformation , // q: SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION
SystemPageFileInformation , // q: SYSTEM_PAGEFILE_INFORMATION
SystemVdmInstemulInformation , // q: SYSTEM_VDM_INSTEMUL_INFO
SystemVdmBopInformation , // not implemented // 20
SystemFileCacheInformation , // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache)
SystemPoolTagInformation , // q: SYSTEM_POOLTAG_INFORMATION
SystemInterruptInformation , // q: SYSTEM_INTERRUPT_INFORMATION (EX in: USHORT ProcessorGroup)
SystemDpcBehaviorInformation , // q: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege)
SystemFullMemoryInformation , // not implemented // SYSTEM_MEMORY_USAGE_INFORMATION
SystemLoadGdiDriverInformation , // s (kernel-mode only)
SystemUnloadGdiDriverInformation , // s (kernel-mode only)
SystemTimeAdjustmentInformation , // q: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege)
SystemSummaryMemoryInformation , // not implemented // SYSTEM_MEMORY_USAGE_INFORMATION
SystemMirrorMemoryInformation , // s (requires license value "Kernel-MemoryMirroringSupported") (requires SeShutdownPrivilege) // 30
SystemPerformanceTraceInformation , // q; s: (type depends on EVENT_TRACE_INFORMATION_CLASS)
SystemObsolete0 , // not implemented
SystemExceptionInformation , // q: SYSTEM_EXCEPTION_INFORMATION
SystemCrashDumpStateInformation , // s: SYSTEM_CRASH_DUMP_STATE_INFORMATION (requires SeDebugPrivilege)
SystemKernelDebuggerInformation , // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION
SystemContextSwitchInformation , // q: SYSTEM_CONTEXT_SWITCH_INFORMATION
SystemRegistryQuotaInformation , // q: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires SeIncreaseQuotaPrivilege)
SystemExtendServiceTableInformation , // s (requires SeLoadDriverPrivilege) // loads win32k only
SystemPrioritySeparation , // s (requires SeTcbPrivilege)
SystemVerifierAddDriverInformation , // s: UNICODE_STRING (requires SeDebugPrivilege) // 40
SystemVerifierRemoveDriverInformation , // s: UNICODE_STRING (requires SeDebugPrivilege)
SystemProcessorIdleInformation , // q: SYSTEM_PROCESSOR_IDLE_INFORMATION (EX in: USHORT ProcessorGroup)
SystemLegacyDriverInformation , // q: SYSTEM_LEGACY_DRIVER_INFORMATION
SystemCurrentTimeZoneInformation , // q; s: RTL_TIME_ZONE_INFORMATION
SystemLookasideInformation , // q: SYSTEM_LOOKASIDE_INFORMATION
SystemTimeSlipNotification , // s: HANDLE (NtCreateEvent) (requires SeSystemtimePrivilege)
SystemSessionCreate , // not implemented
SystemSessionDetach , // not implemented
SystemSessionInformation , // not implemented (SYSTEM_SESSION_INFORMATION)
SystemRangeStartInformation , // q: SYSTEM_RANGE_START_INFORMATION // 50
SystemVerifierInformation , // q: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege)
SystemVerifierThunkExtend , // s (kernel-mode only)
SystemSessionProcessInformation , // q: SYSTEM_SESSION_PROCESS_INFORMATION
SystemLoadGdiDriverInSystemSpace , // s: SYSTEM_GDI_DRIVER_INFORMATION (kernel-mode only) (same as SystemLoadGdiDriverInformation)
SystemNumaProcessorMap , // q: SYSTEM_NUMA_INFORMATION
SystemPrefetcherInformation , // q; s: PREFETCHER_INFORMATION // PfSnQueryPrefetcherInformation
SystemExtendedProcessInformation , // q: SYSTEM_EXTENDED_PROCESS_INFORMATION
SystemRecommendedSharedDataAlignment , // q: ULONG // KeGetRecommendedSharedDataAlignment
SystemComPlusPackage , // q; s: ULONG
SystemNumaAvailableMemory , // q: SYSTEM_NUMA_INFORMATION // 60
SystemProcessorPowerInformation , // q: SYSTEM_PROCESSOR_POWER_INFORMATION (EX in: USHORT ProcessorGroup)
SystemEmulationBasicInformation , // q: SYSTEM_BASIC_INFORMATION
SystemEmulationProcessorInformation , // q: SYSTEM_PROCESSOR_INFORMATION
SystemExtendedHandleInformation , // q: SYSTEM_HANDLE_INFORMATION_EX
SystemLostDelayedWriteInformation , // q: ULONG
SystemBigPoolInformation , // q: SYSTEM_BIGPOOL_INFORMATION
SystemSessionPoolTagInformation , // q: SYSTEM_SESSION_POOLTAG_INFORMATION
SystemSessionMappedViewInformation , // q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION
SystemHotpatchInformation , // q; s: SYSTEM_HOTPATCH_CODE_INFORMATION
SystemObjectSecurityMode , // q: ULONG // 70
SystemWatchdogTimerHandler , // s: SYSTEM_WATCHDOG_HANDLER_INFORMATION // (kernel-mode only)
SystemWatchdogTimerInformation , // q: SYSTEM_WATCHDOG_TIMER_INFORMATION // NtQuerySystemInformationEx // (kernel-mode only)
SystemLogicalProcessorInformation , // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION (EX in: USHORT ProcessorGroup) // NtQuerySystemInformationEx
SystemWow64SharedInformationObsolete , // not implemented
SystemRegisterFirmwareTableInformationHandler , // s: SYSTEM_FIRMWARE_TABLE_HANDLER // (kernel-mode only)
SystemFirmwareTableInformation , // SYSTEM_FIRMWARE_TABLE_INFORMATION
SystemModuleInformationEx , // q: RTL_PROCESS_MODULE_INFORMATION_EX // since VISTA
SystemVerifierTriageInformation , // not implemented
SystemSuperfetchInformation , // q; s: SUPERFETCH_INFORMATION // PfQuerySuperfetchInformation
SystemMemoryListInformation , // q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege) // 80
SystemFileCacheInformationEx , // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation)
SystemThreadPriorityClientIdInformation , // s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege) // NtQuerySystemInformationEx
SystemProcessorIdleCycleTimeInformation , // q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[] (EX in: USHORT ProcessorGroup) // NtQuerySystemInformationEx
SystemVerifierCancellationInformation , // SYSTEM_VERIFIER_CANCELLATION_INFORMATION // name:wow64:whNT32QuerySystemVerifierCancellationInformation
SystemProcessorPowerInformationEx , // not implemented
SystemRefTraceInformation , // q; s: SYSTEM_REF_TRACE_INFORMATION // ObQueryRefTraceInformation
SystemSpecialPoolInformation , // q; s: SYSTEM_SPECIAL_POOL_INFORMATION (requires SeDebugPrivilege) // MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0
SystemProcessIdInformation , // q: SYSTEM_PROCESS_ID_INFORMATION
SystemErrorPortInformation , // s (requires SeTcbPrivilege)
SystemBootEnvironmentInformation , // q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION // 90
SystemHypervisorInformation , // q: SYSTEM_HYPERVISOR_QUERY_INFORMATION
SystemVerifierInformationEx , // q; s: SYSTEM_VERIFIER_INFORMATION_EX
SystemTimeZoneInformation , // q; s: RTL_TIME_ZONE_INFORMATION (requires SeTimeZonePrivilege)
SystemImageFileExecutionOptionsInformation , // s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege)
SystemCoverageInformation , // q: COVERAGE_MODULES s: COVERAGE_MODULE_REQUEST // ExpCovQueryInformation (requires SeDebugPrivilege)
SystemPrefetchPatchInformation , // SYSTEM_PREFETCH_PATCH_INFORMATION
SystemVerifierFaultsInformation , // s: SYSTEM_VERIFIER_FAULTS_INFORMATION (requires SeDebugPrivilege)
SystemSystemPartitionInformation , // q: SYSTEM_SYSTEM_PARTITION_INFORMATION
SystemSystemDiskInformation , // q: SYSTEM_SYSTEM_DISK_INFORMATION
SystemProcessorPerformanceDistribution , // q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION (EX in: USHORT ProcessorGroup) // NtQuerySystemInformationEx // 100
SystemNumaProximityNodeInformation , // q; s: SYSTEM_NUMA_PROXIMITY_MAP
SystemDynamicTimeZoneInformation , // q; s: RTL_DYNAMIC_TIME_ZONE_INFORMATION (requires SeTimeZonePrivilege)
SystemCodeIntegrityInformation , // q: SYSTEM_CODEINTEGRITY_INFORMATION // SeCodeIntegrityQueryInformation
SystemProcessorMicrocodeUpdateInformation , // s: SYSTEM_PROCESSOR_MICROCODE_UPDATE_INFORMATION
SystemProcessorBrandString , // q: CHAR[] // HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23
SystemVirtualAddressInformation , // q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege) // MmQuerySystemVaInformation
SystemLogicalProcessorAndGroupInformation , // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX (EX in: LOGICAL_PROCESSOR_RELATIONSHIP RelationshipType) // since WIN7 // NtQuerySystemInformationEx // KeQueryLogicalProcessorRelationship
SystemProcessorCycleTimeInformation , // q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[] (EX in: USHORT ProcessorGroup) // NtQuerySystemInformationEx
SystemStoreInformation , // q; s: SYSTEM_STORE_INFORMATION (requires SeProfileSingleProcessPrivilege) // SmQueryStoreInformation
SystemRegistryAppendString , // s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS // 110
SystemAitSamplingValue , // s: ULONG (requires SeProfileSingleProcessPrivilege)
SystemVhdBootInformation , // q: SYSTEM_VHD_BOOT_INFORMATION
SystemCpuQuotaInformation , // q; s: PS_CPU_QUOTA_QUERY_INFORMATION
SystemNativeBasicInformation , // q: SYSTEM_BASIC_INFORMATION
SystemErrorPortTimeouts , // SYSTEM_ERROR_PORT_TIMEOUTS
SystemLowPriorityIoInformation , // q: SYSTEM_LOW_PRIORITY_IO_INFORMATION
SystemTpmBootEntropyInformation , // q: BOOT_ENTROPY_NT_RESULT // ExQueryBootEntropyInformation
SystemVerifierCountersInformation , // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION
SystemPagedPoolInformationEx , // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool)
SystemSystemPtesInformationEx , // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes) // 120
SystemNodeDistanceInformation , // q: USHORT[4*NumaNodes] // (EX in: USHORT NodeNumber) // NtQuerySystemInformationEx
SystemAcpiAuditInformation , // q: SYSTEM_ACPI_AUDIT_INFORMATION // HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26
SystemBasicPerformanceInformation , // q: SYSTEM_BASIC_PERFORMANCE_INFORMATION // name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation
SystemQueryPerformanceCounterInformation , // q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // since WIN7 SP1
SystemSessionBigPoolInformation , // q: SYSTEM_SESSION_POOLTAG_INFORMATION // since WIN8
SystemBootGraphicsInformation , // q; s: SYSTEM_BOOT_GRAPHICS_INFORMATION (kernel-mode only)
SystemScrubPhysicalMemoryInformation , // q; s: MEMORY_SCRUB_INFORMATION
SystemBadPageInformation , // SYSTEM_BAD_PAGE_INFORMATION
SystemProcessorProfileControlArea , // q; s: SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA
SystemCombinePhysicalMemoryInformation , // s: MEMORY_COMBINE_INFORMATION, MEMORY_COMBINE_INFORMATION_EX, MEMORY_COMBINE_INFORMATION_EX2 // 130
SystemEntropyInterruptTimingInformation , // q; s: SYSTEM_ENTROPY_TIMING_INFORMATION
SystemConsoleInformation , // q; s: SYSTEM_CONSOLE_INFORMATION
SystemPlatformBinaryInformation , // q: SYSTEM_PLATFORM_BINARY_INFORMATION (requires SeTcbPrivilege)
SystemPolicyInformation , // q: SYSTEM_POLICY_INFORMATION (Warbird/Encrypt/Decrypt/Execute)
SystemHypervisorProcessorCountInformation , // q: SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION
SystemDeviceDataInformation , // q: SYSTEM_DEVICE_DATA_INFORMATION
SystemDeviceDataEnumerationInformation , // q: SYSTEM_DEVICE_DATA_INFORMATION
SystemMemoryTopologyInformation , // q: SYSTEM_MEMORY_TOPOLOGY_INFORMATION
SystemMemoryChannelInformation , // q: SYSTEM_MEMORY_CHANNEL_INFORMATION
SystemBootLogoInformation , // q: SYSTEM_BOOT_LOGO_INFORMATION // 140
SystemProcessorPerformanceInformationEx , // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX // (EX in: USHORT ProcessorGroup) // NtQuerySystemInformationEx // since WINBLUE
SystemCriticalProcessErrorLogInformation , // CRITICAL_PROCESS_EXCEPTION_DATA
SystemSecureBootPolicyInformation , // q: SYSTEM_SECUREBOOT_POLICY_INFORMATION
SystemPageFileInformationEx , // q: SYSTEM_PAGEFILE_INFORMATION_EX
SystemSecureBootInformation , // q: SYSTEM_SECUREBOOT_INFORMATION
SystemEntropyInterruptTimingRawInformation , // q; s: SYSTEM_ENTROPY_TIMING_INFORMATION
SystemPortableWorkspaceEfiLauncherInformation , // q: SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION
SystemFullProcessInformation , // q: SYSTEM_EXTENDED_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin)
SystemKernelDebuggerInformationEx , // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX
SystemBootMetadataInformation , // 150 // (requires SeTcbPrivilege)
SystemSoftRebootInformation , // q: ULONG
SystemElamCertificateInformation , // s: SYSTEM_ELAM_CERTIFICATE_INFORMATION
SystemOfflineDumpConfigInformation , // q: OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V2
SystemProcessorFeaturesInformation , // q: SYSTEM_PROCESSOR_FEATURES_INFORMATION
SystemRegistryReconciliationInformation , // s: NULL (requires admin) (flushes registry hives)
SystemEdidInformation , // q: SYSTEM_EDID_INFORMATION
SystemManufacturingInformation , // q: SYSTEM_MANUFACTURING_INFORMATION // since THRESHOLD
SystemEnergyEstimationConfigInformation , // q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION
SystemHypervisorDetailInformation , // q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION
SystemProcessorCycleStatsInformation , // q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION (EX in: USHORT ProcessorGroup) // NtQuerySystemInformationEx // 160
SystemVmGenerationCountInformation ,
SystemTrustedPlatformModuleInformation , // q: SYSTEM_TPM_INFORMATION
SystemKernelDebuggerFlags , // SYSTEM_KERNEL_DEBUGGER_FLAGS
SystemCodeIntegrityPolicyInformation , // q; s: SYSTEM_CODEINTEGRITYPOLICY_INFORMATION
SystemIsolatedUserModeInformation , // q: SYSTEM_ISOLATED_USER_MODE_INFORMATION
SystemHardwareSecurityTestInterfaceResultsInformation ,
SystemSingleModuleInformation , // q: SYSTEM_SINGLE_MODULE_INFORMATION
SystemAllowedCpuSetsInformation , // s: SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION
SystemVsmProtectionInformation , // q: SYSTEM_VSM_PROTECTION_INFORMATION (previously SystemDmaProtectionInformation)
SystemInterruptCpuSetsInformation , // q: SYSTEM_INTERRUPT_CPU_SET_INFORMATION // 170
SystemSecureBootPolicyFullInformation , // q: SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION
SystemCodeIntegrityPolicyFullInformation ,
SystemAffinitizedInterruptProcessorInformation , // q: KAFFINITY_EX // (requires SeIncreaseBasePriorityPrivilege)
SystemRootSiloInformation , // q: SYSTEM_ROOT_SILO_INFORMATION
SystemCpuSetInformation , // q: SYSTEM_CPU_SET_INFORMATION // since THRESHOLD2
SystemCpuSetTagInformation , // q: SYSTEM_CPU_SET_TAG_INFORMATION
SystemWin32WerStartCallout ,
SystemSecureKernelProfileInformation , // q: SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION
SystemCodeIntegrityPlatformManifestInformation , // q: SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION // NtQuerySystemInformationEx // since REDSTONE
SystemInterruptSteeringInformation , // q: in: SYSTEM_INTERRUPT_STEERING_INFORMATION_INPUT, out: SYSTEM_INTERRUPT_STEERING_INFORMATION_OUTPUT // NtQuerySystemInformationEx // 180
SystemSupportedProcessorArchitectures , // p: in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] // NtQuerySystemInformationEx
SystemMemoryUsageInformation , // q: SYSTEM_MEMORY_USAGE_INFORMATION
SystemCodeIntegrityCertificateInformation , // q: SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION
SystemPhysicalMemoryInformation , // q: SYSTEM_PHYSICAL_MEMORY_INFORMATION // since REDSTONE2
SystemControlFlowTransition , // (Warbird/Encrypt/Decrypt/Execute)
SystemKernelDebuggingAllowed , // s: ULONG
SystemActivityModerationExeState , // s: SYSTEM_ACTIVITY_MODERATION_EXE_STATE
SystemActivityModerationUserSettings , // q: SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS
SystemCodeIntegrityPoliciesFullInformation , // NtQuerySystemInformationEx
SystemCodeIntegrityUnlockInformation , // SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION // 190
SystemIntegrityQuotaInformation ,
SystemFlushInformation , // q: SYSTEM_FLUSH_INFORMATION
SystemProcessorIdleMaskInformation , // q: ULONG_PTR[ActiveGroupCount] // since REDSTONE3
SystemSecureDumpEncryptionInformation , // NtQuerySystemInformationEx
SystemWriteConstraintInformation , // SYSTEM_WRITE_CONSTRAINT_INFORMATION
SystemKernelVaShadowInformation , // SYSTEM_KERNEL_VA_SHADOW_INFORMATION
SystemHypervisorSharedPageInformation , // SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION // since REDSTONE4
SystemFirmwareBootPerformanceInformation ,
SystemCodeIntegrityVerificationInformation , // SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION
SystemFirmwarePartitionInformation , // SYSTEM_FIRMWARE_PARTITION_INFORMATION // 200
SystemSpeculationControlInformation , // SYSTEM_SPECULATION_CONTROL_INFORMATION // (CVE-2017-5715) REDSTONE3 and above.
SystemDmaGuardPolicyInformation , // SYSTEM_DMA_GUARD_POLICY_INFORMATION
SystemEnclaveLaunchControlInformation , // SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION
SystemWorkloadAllowedCpuSetsInformation , // SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION // since REDSTONE5
SystemCodeIntegrityUnlockModeInformation , // SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION
SystemLeapSecondInformation , // SYSTEM_LEAP_SECOND_INFORMATION
SystemFlags2Information , // q: SYSTEM_FLAGS_INFORMATION
SystemSecurityModelInformation , // SYSTEM_SECURITY_MODEL_INFORMATION // since 19H1
SystemCodeIntegritySyntheticCacheInformation , // NtQuerySystemInformationEx
SystemFeatureConfigurationInformation , // q: in: SYSTEM_FEATURE_CONFIGURATION_QUERY, out: SYSTEM_FEATURE_CONFIGURATION_INFORMATION; s: SYSTEM_FEATURE_CONFIGURATION_UPDATE // NtQuerySystemInformationEx // since 20H1 // 210
SystemFeatureConfigurationSectionInformation , // q: in: SYSTEM_FEATURE_CONFIGURATION_SECTIONS_REQUEST, out: SYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION // NtQuerySystemInformationEx
SystemFeatureUsageSubscriptionInformation , // q: SYSTEM_FEATURE_USAGE_SUBSCRIPTION_DETAILS; s: SYSTEM_FEATURE_USAGE_SUBSCRIPTION_UPDATE
SystemSecureSpeculationControlInformation , // SECURE_SPECULATION_CONTROL_INFORMATION
SystemSpacesBootInformation , // since 20H2
SystemFwRamdiskInformation , // SYSTEM_FIRMWARE_RAMDISK_INFORMATION
SystemWheaIpmiHardwareInformation ,
SystemDifSetRuleClassInformation , // s: SYSTEM_DIF_VOLATILE_INFORMATION (requires SeDebugPrivilege)
SystemDifClearRuleClassInformation , // s: NULL (requires SeDebugPrivilege)
SystemDifApplyPluginVerificationOnDriver , // SYSTEM_DIF_PLUGIN_DRIVER_INFORMATION (requires SeDebugPrivilege)
SystemDifRemovePluginVerificationOnDriver , // SYSTEM_DIF_PLUGIN_DRIVER_INFORMATION (requires SeDebugPrivilege) // 220
SystemShadowStackInformation , // SYSTEM_SHADOW_STACK_INFORMATION
SystemBuildVersionInformation , // q: in: ULONG (LayerNumber), out: SYSTEM_BUILD_VERSION_INFORMATION // NtQuerySystemInformationEx // 222
SystemPoolLimitInformation , // SYSTEM_POOL_LIMIT_INFORMATION (requires SeIncreaseQuotaPrivilege) // NtQuerySystemInformationEx
SystemCodeIntegrityAddDynamicStore , // CodeIntegrity-AllowConfigurablePolicy-CustomKernelSigners
SystemCodeIntegrityClearDynamicStores , // CodeIntegrity-AllowConfigurablePolicy-CustomKernelSigners
SystemDifPoolTrackingInformation ,
SystemPoolZeroingInformation , // q: SYSTEM_POOL_ZEROING_INFORMATION
SystemDpcWatchdogInformation , // q; s: SYSTEM_DPC_WATCHDOG_CONFIGURATION_INFORMATION
SystemDpcWatchdogInformation2 , // q; s: SYSTEM_DPC_WATCHDOG_CONFIGURATION_INFORMATION_V2
SystemSupportedProcessorArchitectures2 , // q: in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] // NtQuerySystemInformationEx // 230
SystemSingleProcessorRelationshipInformation , // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX // (EX in: PROCESSOR_NUMBER Processor) // NtQuerySystemInformationEx
SystemXfgCheckFailureInformation , // q: SYSTEM_XFG_FAILURE_INFORMATION
SystemIommuStateInformation , // SYSTEM_IOMMU_STATE_INFORMATION // since 22H1
SystemHypervisorMinrootInformation , // SYSTEM_HYPERVISOR_MINROOT_INFORMATION
SystemHypervisorBootPagesInformation , // SYSTEM_HYPERVISOR_BOOT_PAGES_INFORMATION
SystemPointerAuthInformation , // SYSTEM_POINTER_AUTH_INFORMATION
SystemSecureKernelDebuggerInformation , // NtQuerySystemInformationEx
SystemOriginalImageFeatureInformation , // q: in: SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_INPUT, out: SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_OUTPUT // NtQuerySystemInformationEx
SystemMemoryNumaInformation , // SYSTEM_MEMORY_NUMA_INFORMATION_INPUT, SYSTEM_MEMORY_NUMA_INFORMATION_OUTPUT // NtQuerySystemInformationEx
SystemMemoryNumaPerformanceInformation , // SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUT, SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_OUTPUT // since 24H2 // 240
SystemCodeIntegritySignedPoliciesFullInformation ,
SystemSecureCoreInformation , // SystemSecureSecretsInformation
SystemTrustedAppsRuntimeInformation , // SYSTEM_TRUSTEDAPPS_RUNTIME_INFORMATION
SystemBadPageInformationEx , // SYSTEM_BAD_PAGE_INFORMATION
SystemResourceDeadlockTimeout , // ULONG
SystemBreakOnContextUnwindFailureInformation , // ULONG (requires SeDebugPrivilege)
SystemOslRamdiskInformation , // SYSTEM_OSL_RAMDISK_INFORMATION
SystemCodeIntegrityPolicyManagementInformation , // since 25H2
SystemMemoryNumaCacheInformation ,
SystemProcessorFeaturesBitMapInformation ,
MaxSystemInfoClass // one past the last valid class on the newest build listed above; not itself a valid query
} SYSTEM_INFORMATION_CLASS ;
// Process/thread identifier pair as the kernel reports it. Both ids are carried
// as HANDLE-sized integers, not object handles: nothing is opened and nothing
// must be closed. Truncate with HandleToULong() when a Win32 DWORD id is needed.
typedef struct _CLIENT_ID
{
HANDLE UniqueProcess ; // process id
HANDLE UniqueThread ; // thread id
} CLIENT_ID , * PCLIENT_ID ;
// Kernel scheduling priority as a signed 32-bit value; used by the Priority /
// BasePriority members of the thread and process records below.
typedef LONG KPRIORITY , * PKPRIORITY ;
// Scheduler state of a thread, as reported in SYSTEM_THREAD_INFORMATION::ThreadState.
// Values are positional (0-based) and must stay in this order. A thread in
// Waiting (5) has its reason in the companion KWAIT_REASON member.
typedef enum _KTHREAD_STATE
{
Initialized ,
Ready ,
Running ,
Standby ,
Terminated ,
Waiting ,
Transition ,
DeferredReady ,
GateWaitObsolete ,
WaitingForProcessInSwap ,
MaximumThreadState // count sentinel, not a real state
} KTHREAD_STATE , * PKTHREAD_STATE ;
// Why a thread is in the Waiting state (SYSTEM_THREAD_INFORMATION::WaitReason).
// Values are positional (0-based) and must stay in this order. The Wr* entries
// mirror the first group and are the variants actually observed on current
// builds; newer reasons are appended at the end before MaximumWaitReason.
typedef enum _KWAIT_REASON
{
Executive , // Waiting for an executive event.
FreePage , // Waiting for a free page.
PageIn , // Waiting for a page to be read in.
PoolAllocation , // Waiting for a pool allocation.
DelayExecution , // Waiting due to a delay execution. // NtDelayExecution
Suspended , // Waiting because the thread is suspended. // NtSuspendThread
UserRequest , // Waiting due to a user request. // NtWaitForSingleObject
WrExecutive , // Waiting for an executive event.
WrFreePage , // Waiting for a free page.
WrPageIn , // Waiting for a page to be read in.
WrPoolAllocation , // Waiting for a pool allocation.
WrDelayExecution , // Waiting due to a delay execution.
WrSuspended , // Waiting because the thread is suspended.
WrUserRequest , // Waiting due to a user request.
WrEventPair , // Waiting for an event pair. // NtCreateEventPair
WrQueue , // Waiting for a queue. // NtRemoveIoCompletion
WrLpcReceive , // Waiting for an LPC receive. // NtReplyWaitReceivePort
WrLpcReply , // Waiting for an LPC reply. // NtRequestWaitReplyPort
WrVirtualMemory , // Waiting for virtual memory.
WrPageOut , // Waiting for a page to be written out. // NtFlushVirtualMemory
WrRendezvous , // Waiting for a rendezvous.
WrKeyedEvent , // Waiting for a keyed event. // NtCreateKeyedEvent
WrTerminated , // Waiting for thread termination.
WrProcessInSwap , // Waiting for a process to be swapped in.
WrCpuRateControl , // Waiting for CPU rate control.
WrCalloutStack , // Waiting for a callout stack.
WrKernel , // Waiting for a kernel event.
WrResource , // Waiting for a resource.
WrPushLock , // Waiting for a push lock.
WrMutex , // Waiting for a mutex.
WrQuantumEnd , // Waiting for the end of a quantum.
WrDispatchInt , // Waiting for a dispatch interrupt.
WrPreempted , // Waiting because the thread was preempted.
WrYieldExecution , // Waiting to yield execution.
WrFastMutex , // Waiting for a fast mutex.
WrGuardedMutex , // Waiting for a guarded mutex.
WrRundown , // Waiting for a rundown.
WrAlertByThreadId , // Waiting for an alert by thread ID.
WrDeferredPreempt , // Waiting for a deferred preemption.
WrPhysicalFault , // Waiting for a physical fault.
WrIoRing , // Waiting for an I/O ring.
WrMdlCache , // Waiting for an MDL cache.
WrRcu , // Waiting for read-copy-update (RCU) synchronization.
MaximumWaitReason // count sentinel, not a real reason
} KWAIT_REASON , * PKWAIT_REASON ;
// One per-thread record; SYSTEM_PROCESS_INFORMATION::Threads holds NumberOfThreads
// of these back to back. Field order and widths are the kernel's ABI and must not
// be changed. StartAddress and ClientId are raw values copied from the kernel;
// treat them as untrusted input when used for lookups or logging.
typedef struct _SYSTEM_THREAD_INFORMATION
{
LARGE_INTEGER KernelTime ; // Number of 100-nanosecond intervals spent executing kernel code.
LARGE_INTEGER UserTime ; // Number of 100-nanosecond intervals spent executing user code.
LARGE_INTEGER CreateTime ; // The date and time when the thread was created.
ULONG WaitTime ; // The current time spent in ready queue or waiting (depending on the thread state).
PVOID StartAddress ; // The initial start address of the thread.
CLIENT_ID ClientId ; // The identifier of the thread and the process owning the thread.
KPRIORITY Priority ; // The dynamic priority of the thread.
KPRIORITY BasePriority ; // The starting priority of the thread.
ULONG ContextSwitches ; // The total number of context switches performed.
KTHREAD_STATE ThreadState ; // The current state of the thread.
KWAIT_REASON WaitReason ; // The current reason the thread is waiting.
} SYSTEM_THREAD_INFORMATION , * PSYSTEM_THREAD_INFORMATION ;
// Counted UTF-16 string as used by the native API. Length and MaximumLength are
// in BYTES (see the SAL annotation), not characters, and Buffer is not
// guaranteed to be NUL-terminated - copy Length / sizeof(WCHAR) characters
// instead of handing Buffer to a NUL-terminated string function. Buffer may be
// NULL when Length is 0.
typedef struct _UNICODE_STRING
{
USHORT Length ; // bytes in use, excluding any terminator
USHORT MaximumLength ; // bytes allocated at Buffer
_Field_size_bytes_part_opt_ ( MaximumLength , Length ) PWCH Buffer ;
} UNICODE_STRING , * PUNICODE_STRING ;
// Variable-length per-process record returned for SystemProcessInformation (and
// its Extended/Full variants). Records are chained by NextEntryOffset; the
// Threads[] tail carries NumberOfThreads entries, so the true record size is
// larger than sizeof(SYSTEM_PROCESS_INFORMATION). Consumers should validate
// NextEntryOffset and NumberOfThreads against the byte count the kernel actually
// returned before dereferencing, and treat ImageName per the UNICODE_STRING rules
// above (byte lengths, no guaranteed terminator). Layout is the kernel ABI: the
// SIZE_T / HANDLE / pointer members make the 32- and 64-bit sizes differ.
typedef struct _SYSTEM_PROCESS_INFORMATION
{
ULONG NextEntryOffset ; // The address of the previous item plus the value in the NextEntryOffset member. For the last item in the array, NextEntryOffset is 0.
ULONG NumberOfThreads ; // The NumberOfThreads member contains the number of threads in the process.
ULONGLONG WorkingSetPrivateSize ; // The total private memory that a process currently has allocated and is physically resident in memory. // since VISTA
ULONG HardFaultCount ; // The total number of hard faults for data from disk rather than from in-memory pages. // since WIN7
ULONG NumberOfThreadsHighWatermark ; // The peak number of threads that were running at any given point in time, indicative of potential performance bottlenecks related to thread management.
ULONGLONG CycleTime ; // The sum of the cycle time of all threads in the process.
LARGE_INTEGER CreateTime ; // Number of 100-nanosecond intervals since the creation time of the process. Not updated during system timezone changes.
LARGE_INTEGER UserTime ; // Number of 100-nanosecond intervals the process has executed in user mode.
LARGE_INTEGER KernelTime ; // Number of 100-nanosecond intervals the process has executed in kernel mode.
UNICODE_STRING ImageName ; // The file name of the executable image.
KPRIORITY BasePriority ; // The starting priority of the process.
HANDLE UniqueProcessId ; // The identifier of the process.
HANDLE InheritedFromUniqueProcessId ; // The identifier of the process that created this process. Not updated and incorrectly refers to processes with recycled identifiers.
ULONG HandleCount ; // The current number of open handles used by the process.
ULONG SessionId ; // The identifier of the Remote Desktop Services session under which the specified process is running.
ULONG_PTR UniqueProcessKey ; // since VISTA (requires SystemExtendedProcessInformation)
SIZE_T PeakVirtualSize ; // The peak size, in bytes, of the virtual memory used by the process.
SIZE_T VirtualSize ; // The current size, in bytes, of virtual memory used by the process.
ULONG PageFaultCount ; // The total number of page faults for data that is not currently in memory. The value wraps around to zero on average 24 hours.
SIZE_T PeakWorkingSetSize ; // The peak size, in kilobytes, of the working set of the process.
SIZE_T WorkingSetSize ; // The number of pages visible to the process in physical memory. These pages are resident and available for use without triggering a page fault.
SIZE_T QuotaPeakPagedPoolUsage ; // The peak quota charged to the process for pool usage, in bytes.
SIZE_T QuotaPagedPoolUsage ; // The quota charged to the process for paged pool usage, in bytes.
SIZE_T QuotaPeakNonPagedPoolUsage ; // The peak quota charged to the process for nonpaged pool usage, in bytes.
SIZE_T QuotaNonPagedPoolUsage ; // The current quota charged to the process for nonpaged pool usage.
SIZE_T PagefileUsage ; // The total number of bytes of page file storage in use by the process.
SIZE_T PeakPagefileUsage ; // The maximum number of bytes of page-file storage used by the process.
SIZE_T PrivatePageCount ; // The number of memory pages allocated for the use by the process.
LARGE_INTEGER ReadOperationCount ; // The total number of read operations performed.
LARGE_INTEGER WriteOperationCount ; // The total number of write operations performed.
LARGE_INTEGER OtherOperationCount ; // The total number of I/O operations performed other than read and write operations.
LARGE_INTEGER ReadTransferCount ; // The total number of bytes read during a read operation.
LARGE_INTEGER WriteTransferCount ; // The total number of bytes written during a write operation.
LARGE_INTEGER OtherTransferCount ; // The total number of bytes transferred during operations other than read and write operations.
SYSTEM_THREAD_INFORMATION Threads [ 1 ] ; // This type is not defined in the structure but was added for convenience. Actually NumberOfThreads entries long; index only after checking against the returned buffer size.
} SYSTEM_PROCESS_INFORMATION , * PSYSTEM_PROCESS_INFORMATION ;
// Cumulative disk I/O counters for a process; embedded as the first member of
// SYSTEM_PROCESS_INFORMATION_EXTENSION. All five members are 64-bit, so the
// struct has no padding and the same size on 32- and 64-bit.
typedef struct _PROCESS_DISK_COUNTERS
{
ULONGLONG BytesRead ;
ULONGLONG BytesWritten ;
ULONGLONG ReadOperationCount ;
ULONGLONG WriteOperationCount ;
ULONGLONG FlushOperationCount ;
} PROCESS_DISK_COUNTERS , * PPROCESS_DISK_COUNTERS ;
// 64-bit packed energy-state duration: either read as one ULONGLONG (Value) or
// split into a 32-bit LastChangeTime plus a 31-bit Duration and a 1-bit
// IsInState flag. Bit-field packing order is compiler-defined; this layout is
// only correct for the MSVC ABI the kernel uses.
typedef union _ENERGY_STATE_DURATION
{
ULONGLONG Value ;
struct
{
ULONG LastChangeTime ;
ULONG Duration : 31 ;
ULONG IsInState : 1 ;
} DUMMYSTRUCTNAME ;
} ENERGY_STATE_DURATION , * PENERGY_STATE_DURATION ;
// Per-process energy accounting block embedded in
// SYSTEM_PROCESS_INFORMATION_EXTENSION::EnergyValues (since THRESHOLD). The
// Durations[3] array aliases the three named ENERGY_STATE_DURATION members.
// Units and the meaning of the [4][2] cycle indices are not defined here -
// TODO confirm against the consumer before interpreting them.
typedef struct _PROCESS_ENERGY_VALUES
{
ULONGLONG Cycles [ 4 ] [ 2 ] ;
ULONGLONG DiskEnergy ;
ULONGLONG NetworkTailEnergy ;
ULONGLONG MBBTailEnergy ;
ULONGLONG NetworkTxRxBytes ;
ULONGLONG MBBTxRxBytes ;
union
{
ENERGY_STATE_DURATION Durations [ 3 ] ;
struct
{
ENERGY_STATE_DURATION ForegroundDuration ;
ENERGY_STATE_DURATION DesktopVisibleDuration ;
ENERGY_STATE_DURATION PSMForegroundDuration ;
} DUMMYSTRUCTNAME ;
} DUMMYUNIONNAME ;
ULONG CompositionRendered ;
ULONG CompositionDirtyGenerated ;
ULONG CompositionDirtyPropagated ;
ULONG Reserved1 ;
ULONGLONG AttributedCycles [ 4 ] [ 2 ] ;
ULONGLONG WorkOnBehalfCycles [ 4 ] [ 2 ] ;
} PROCESS_ENERGY_VALUES , * PPROCESS_ENERGY_VALUES ;
// Extra per-process data returned only for SystemFullProcessInformation (which
// requires admin, see the enum above), following the process record's thread
// array. The *Offset members are byte offsets to variable-length data (user SID,
// package full name, AppId) - NOTE(review): presumably relative to the start of
// this extension; confirm against the consumer and bounds-check them against the
// returned buffer before use. Several trailing members exist only on newer
// builds ("since ..."), so check the returned length before reading them.
typedef struct _SYSTEM_PROCESS_INFORMATION_EXTENSION
{
PROCESS_DISK_COUNTERS DiskCounters ;
ULONGLONG ContextSwitches ;
union
{
ULONG Flags ;
struct
{
ULONG HasStrongId : 1 ;
ULONG Classification : 4 ; // SYSTEM_PROCESS_CLASSIFICATION
ULONG BackgroundActivityModerated : 1 ;
ULONG Spare : 26 ;
} DUMMYSTRUCTNAME ;
} DUMMYUNIONNAME ;
ULONG UserSidOffset ;
ULONG PackageFullNameOffset ; // since THRESHOLD
PROCESS_ENERGY_VALUES EnergyValues ; // since THRESHOLD
ULONG AppIdOffset ; // since THRESHOLD
SIZE_T SharedCommitCharge ; // since THRESHOLD2
ULONG JobObjectId ; // since REDSTONE
ULONG SpareUlong ; // since REDSTONE
ULONGLONG ProcessSequenceNumber ;
} SYSTEM_PROCESS_INFORMATION_EXTENSION , * PSYSTEM_PROCESS_INFORMATION_EXTENSION ;
/// OS version record in the RTL_OSVERSIONINFOEXW layout (wide CSDVersion).
/// NOTE(review): the native version query expects OSVersionInfoSize to be
/// set to sizeof(RTL_OSVERSIONINFOEX) by the caller before the call --
/// confirm InitializeWindowsInformation() does this.
struct _RTL_OSVERSIONINFOEX
{
    ULONG  OSVersionInfoSize;
    ULONG  MajorVersion;
    ULONG  MinorVersion;
    ULONG  BuildNumber;
    ULONG  PlatformId;
    WCHAR  CSDVersion[128];
    USHORT ServicePackMajor;
    USHORT ServicePackMinor;
    USHORT SuiteMask;
    UCHAR  ProductType;
    UCHAR  Reserved;
};
using RTL_OSVERSIONINFOEX  = _RTL_OSVERSIONINFOEX;
using PRTL_OSVERSIONINFOEX = _RTL_OSVERSIONINFOEX*;
// Ordinal Windows-release identifiers (the numbering follows the phnt PH_WINDOWS_*
// scheme: 5.x/6.x releases are major*10+minor, Windows 10/11 feature updates count
// up from 100). They are ordered, so "version >= WINDOWS_10_RS3"-style comparisons
// are meaningful; MemoryCheck::m_WindowsVersion presumably holds one of these.
// WINDOWS_NEW (ULONG_MAX) marks a build newer than anything listed here.
# define WINDOWS_ANCIENT 0
# define WINDOWS_XP 51 // August, 2001
# define WINDOWS_SERVER_2003 52 // April, 2003
# define WINDOWS_VISTA 60 // November, 2006
# define WINDOWS_7 61 // July, 2009
# define WINDOWS_8 62 // August, 2012
# define WINDOWS_8_1 63 // August, 2013
# define WINDOWS_10 100 // July, 2015 // Version 1507, Build 10240
# define WINDOWS_10_TH2 101 // November, 2015 // Version 1511, Build 10586
# define WINDOWS_10_RS1 102 // August, 2016 // Version 1607, Build 14393
# define WINDOWS_10_RS2 103 // April, 2017 // Version 1703, Build 15063
# define WINDOWS_10_RS3 104 // October, 2017 // Version 1709, Build 16299
# define WINDOWS_10_RS4 105 // April, 2018 // Version 1803, Build 17134
# define WINDOWS_10_RS5 106 // November, 2018 // Version 1809, Build 17763
# define WINDOWS_10_19H1 107 // May, 2019 // Version 1903, Build 18362
# define WINDOWS_10_19H2 108 // November, 2019 // Version 1909, Build 18363
# define WINDOWS_10_20H1 109 // May, 2020 // Version 2004, Build 19041
# define WINDOWS_10_20H2 110 // October, 2020 // Build 19042
# define WINDOWS_10_21H1 111 // May, 2021 // Build 19043
# define WINDOWS_10_21H2 112 // November, 2021 // Build 19044
# define WINDOWS_10_22H2 113 // October, 2022 // Build 19045
# define WINDOWS_11 114 // October, 2021 // Build 22000
# define WINDOWS_11_22H2 115 // September, 2022 // Build 22621
# define WINDOWS_11_23H2 116 // October, 2023 // Build 22631
# define WINDOWS_11_24H2 117 // October, 2024 // Build 26100
# define WINDOWS_MAX WINDOWS_11_24H2
# define WINDOWS_NEW ULONG_MAX
// Pseudo-handle for the calling process (the documented value GetCurrentProcess() returns);
// it needs no CloseHandle().
# define NtCurrentProcess() ((HANDLE)(LONG_PTR)-1)
// Information classes for NtQueryInformationProcess (phnt layout).
// The enumerators have NO explicit values: each one's numeric value is its
// position, and that position is what the kernel interprets. Never insert,
// remove or reorder an entry -- append only, and keep the "// N" markers
// (every tenth entry) as a checkpoint when syncing with upstream.
// Comment legend: "q:" = queryable, "s:" = settable, followed by the buffer type;
// "since X" = first OS release that recognises the class (older kernels reject it).
typedef enum _PROCESSINFOCLASS
{
ProcessBasicInformation , // q: PROCESS_BASIC_INFORMATION, PROCESS_EXTENDED_BASIC_INFORMATION
ProcessQuotaLimits , // qs: QUOTA_LIMITS, QUOTA_LIMITS_EX
ProcessIoCounters , // q: IO_COUNTERS
ProcessVmCounters , // q: VM_COUNTERS, VM_COUNTERS_EX, VM_COUNTERS_EX2
ProcessTimes , // q: KERNEL_USER_TIMES
ProcessBasePriority , // s: KPRIORITY
ProcessRaisePriority , // s: ULONG
ProcessDebugPort , // q: HANDLE
ProcessExceptionPort , // s: PROCESS_EXCEPTION_PORT (requires SeTcbPrivilege)
ProcessAccessToken , // s: PROCESS_ACCESS_TOKEN
ProcessLdtInformation , // qs: PROCESS_LDT_INFORMATION // 10
ProcessLdtSize , // s: PROCESS_LDT_SIZE
ProcessDefaultHardErrorMode , // qs: ULONG
ProcessIoPortHandlers , // s: PROCESS_IO_PORT_HANDLER_INFORMATION // (kernel-mode only)
ProcessPooledUsageAndLimits , // q: POOLED_USAGE_AND_LIMITS
ProcessWorkingSetWatch , // q: PROCESS_WS_WATCH_INFORMATION[]; s: void
ProcessUserModeIOPL , // qs: ULONG (requires SeTcbPrivilege)
ProcessEnableAlignmentFaultFixup , // s: BOOLEAN
ProcessPriorityClass , // qs: PROCESS_PRIORITY_CLASS
ProcessWx86Information , // qs: ULONG (requires SeTcbPrivilege) (VdmAllowed)
ProcessHandleCount , // q: ULONG, PROCESS_HANDLE_INFORMATION // 20
ProcessAffinityMask , // (q >WIN7)s: KAFFINITY, qs: GROUP_AFFINITY
ProcessPriorityBoost , // qs: ULONG
ProcessDeviceMap , // qs: PROCESS_DEVICEMAP_INFORMATION, PROCESS_DEVICEMAP_INFORMATION_EX
ProcessSessionInformation , // q: PROCESS_SESSION_INFORMATION
ProcessForegroundInformation , // s: PROCESS_FOREGROUND_BACKGROUND
ProcessWow64Information , // q: ULONG_PTR
ProcessImageFileName , // q: UNICODE_STRING
ProcessLUIDDeviceMapsEnabled , // q: ULONG
ProcessBreakOnTermination , // qs: ULONG
ProcessDebugObjectHandle , // q: HANDLE // 30
ProcessDebugFlags , // qs: ULONG
ProcessHandleTracing , // q: PROCESS_HANDLE_TRACING_QUERY; s: PROCESS_HANDLE_TRACING_ENABLE[_EX] or void to disable
ProcessIoPriority , // qs: IO_PRIORITY_HINT
ProcessExecuteFlags , // qs: ULONG (MEM_EXECUTE_OPTION_*)
ProcessTlsInformation , // PROCESS_TLS_INFORMATION // ProcessResourceManagement
ProcessCookie , // q: ULONG
ProcessImageInformation , // q: SECTION_IMAGE_INFORMATION
ProcessCycleTime , // q: PROCESS_CYCLE_TIME_INFORMATION // since VISTA
ProcessPagePriority , // qs: PAGE_PRIORITY_INFORMATION
ProcessInstrumentationCallback , // s: PVOID or PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION // 40
ProcessThreadStackAllocation , // s: PROCESS_STACK_ALLOCATION_INFORMATION, PROCESS_STACK_ALLOCATION_INFORMATION_EX
ProcessWorkingSetWatchEx , // q: PROCESS_WS_WATCH_INFORMATION_EX[]; s: void
ProcessImageFileNameWin32 , // q: UNICODE_STRING
ProcessImageFileMapping , // q: HANDLE (input)
ProcessAffinityUpdateMode , // qs: PROCESS_AFFINITY_UPDATE_MODE
ProcessMemoryAllocationMode , // qs: PROCESS_MEMORY_ALLOCATION_MODE
ProcessGroupInformation , // q: USHORT[]
ProcessTokenVirtualizationEnabled , // s: ULONG
ProcessConsoleHostProcess , // qs: ULONG_PTR // ProcessOwnerInformation
ProcessWindowInformation , // q: PROCESS_WINDOW_INFORMATION // 50
ProcessHandleInformation , // q: PROCESS_HANDLE_SNAPSHOT_INFORMATION // since WIN8
ProcessMitigationPolicy , // s: PROCESS_MITIGATION_POLICY_INFORMATION
ProcessDynamicFunctionTableInformation , // s: PROCESS_DYNAMIC_FUNCTION_TABLE_INFORMATION
ProcessHandleCheckingMode , // qs: ULONG; s: 0 disables, otherwise enables
ProcessKeepAliveCount , // q: PROCESS_KEEPALIVE_COUNT_INFORMATION
ProcessRevokeFileHandles , // s: PROCESS_REVOKE_FILE_HANDLES_INFORMATION
ProcessWorkingSetControl , // s: PROCESS_WORKING_SET_CONTROL
ProcessHandleTable , // q: ULONG[] // since WINBLUE
ProcessCheckStackExtentsMode , // qs: ULONG // KPROCESS->CheckStackExtents (CFG)
ProcessCommandLineInformation , // q: UNICODE_STRING // 60
ProcessProtectionInformation , // q: PS_PROTECTION
ProcessMemoryExhaustion , // s: PROCESS_MEMORY_EXHAUSTION_INFO // since THRESHOLD
ProcessFaultInformation , // s: PROCESS_FAULT_INFORMATION
ProcessTelemetryIdInformation , // q: PROCESS_TELEMETRY_ID_INFORMATION
ProcessCommitReleaseInformation , // qs: PROCESS_COMMIT_RELEASE_INFORMATION
ProcessDefaultCpuSetsInformation , // qs: SYSTEM_CPU_SET_INFORMATION[5]
ProcessAllowedCpuSetsInformation , // qs: SYSTEM_CPU_SET_INFORMATION[5]
ProcessSubsystemProcess , // s: void // EPROCESS->SubsystemProcess
ProcessJobMemoryInformation , // q: PROCESS_JOB_MEMORY_INFO
ProcessInPrivate , // q: BOOLEAN; s: void // ETW // since THRESHOLD2 // 70
ProcessRaiseUMExceptionOnInvalidHandleClose , // qs: ULONG; s: 0 disables, otherwise enables
ProcessIumChallengeResponse ,
ProcessChildProcessInformation , // q: PROCESS_CHILD_PROCESS_INFORMATION
ProcessHighGraphicsPriorityInformation , // qs: BOOLEAN (requires SeTcbPrivilege)
ProcessSubsystemInformation , // q: SUBSYSTEM_INFORMATION_TYPE // since REDSTONE2
ProcessEnergyValues , // q: PROCESS_ENERGY_VALUES, PROCESS_EXTENDED_ENERGY_VALUES
ProcessPowerThrottlingState , // qs: POWER_THROTTLING_PROCESS_STATE
ProcessReserved3Information , // ProcessActivityThrottlePolicy // PROCESS_ACTIVITY_THROTTLE_POLICY
ProcessWin32kSyscallFilterInformation , // q: WIN32K_SYSCALL_FILTER
ProcessDisableSystemAllowedCpuSets , // s: BOOLEAN // 80
ProcessWakeInformation , // q: PROCESS_WAKE_INFORMATION
ProcessEnergyTrackingState , // qs: PROCESS_ENERGY_TRACKING_STATE
ProcessManageWritesToExecutableMemory , // MANAGE_WRITES_TO_EXECUTABLE_MEMORY // since REDSTONE3
ProcessCaptureTrustletLiveDump , // q: ULONG
ProcessTelemetryCoverage , // q: TELEMETRY_COVERAGE_HEADER; s: TELEMETRY_COVERAGE_POINT
ProcessEnclaveInformation ,
ProcessEnableReadWriteVmLogging , // qs: PROCESS_READWRITEVM_LOGGING_INFORMATION
ProcessUptimeInformation , // q: PROCESS_UPTIME_INFORMATION
ProcessImageSection , // q: HANDLE
ProcessDebugAuthInformation , // s: CiTool.exe --device-id // PplDebugAuthorization // since RS4 // 90
ProcessSystemResourceManagement , // s: PROCESS_SYSTEM_RESOURCE_MANAGEMENT
ProcessSequenceNumber , // q: ULONGLONG
ProcessLoaderDetour , // since RS5
ProcessSecurityDomainInformation , // q: PROCESS_SECURITY_DOMAIN_INFORMATION
ProcessCombineSecurityDomainsInformation , // s: PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION
ProcessEnableLogging , // qs: PROCESS_LOGGING_INFORMATION
ProcessLeapSecondInformation , // qs: PROCESS_LEAP_SECOND_INFORMATION
ProcessFiberShadowStackAllocation , // s: PROCESS_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION // since 19H1
ProcessFreeFiberShadowStackAllocation , // s: PROCESS_FREE_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION
ProcessAltSystemCallInformation , // s: PROCESS_SYSCALL_PROVIDER_INFORMATION // since 20H1 // 100
ProcessDynamicEHContinuationTargets , // s: PROCESS_DYNAMIC_EH_CONTINUATION_TARGETS_INFORMATION
ProcessDynamicEnforcedCetCompatibleRanges , // s: PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE_INFORMATION // since 20H2
ProcessCreateStateChange , // since WIN11
ProcessApplyStateChange ,
ProcessEnableOptionalXStateFeatures , // s: ULONG64 // optional XState feature bitmask
ProcessAltPrefetchParam , // qs: OVERRIDE_PREFETCH_PARAMETER // App Launch Prefetch (ALPF) // since 22H1
ProcessAssignCpuPartitions , // HANDLE
ProcessPriorityClassEx , // s: PROCESS_PRIORITY_CLASS_EX
ProcessMembershipInformation , // q: PROCESS_MEMBERSHIP_INFORMATION
ProcessEffectiveIoPriority , // q: IO_PRIORITY_HINT // 110
ProcessEffectivePagePriority , // q: ULONG
ProcessSchedulerSharedData , // SCHEDULER_SHARED_DATA_SLOT_INFORMATION // since 24H2
ProcessSlistRollbackInformation ,
ProcessNetworkIoCounters , // q: PROCESS_NETWORK_COUNTERS
ProcessFindFirstThreadByTebValue , // PROCESS_TEB_VALUE_INFORMATION
ProcessEnclaveAddressSpaceRestriction , // since 25H2
ProcessAvailableCpus , // PROCESS_AVAILABLE_CPUS_INFORMATION
MaxProcessInfoClass // sentinel: one past the last valid class
} PROCESSINFOCLASS ;
/// NTSTATUS and the helpers used to walk a SystemProcessInformation buffer.
/// Failure codes are negative, so NT_SUCCESS() is a sign test, as in ntdef.h.
typedef _Return_type_success_(return >= 0) LONG NTSTATUS;
using PNTSTATUS = NTSTATUS*;
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)

/// First SYSTEM_PROCESS_INFORMATION record at the start of the buffer.
#define PH_FIRST_PROCESS(Processes) ((PSYSTEM_PROCESS_INFORMATION)(Processes))

/// Byte-granular pointer arithmetic via ULONG_PTR (no element-size scaling).
#define PTR_ADD_OFFSET(Pointer, Offset) ((PVOID)((ULONG_PTR)(Pointer) + (ULONG_PTR)(Offset)))

/// Next record, or NULL once NextEntryOffset is 0 (the list terminator).
/// NOTE(review): NextEntryOffset is used as read from the buffer -- nothing here
/// checks that the resulting pointer stays within the buffer that was returned.
/// Code that walks a buffer of known length should validate the offset against
/// that length before dereferencing the next record.
#define PH_NEXT_PROCESS(Process) ( \
    ((PSYSTEM_PROCESS_INFORMATION)(Process))->NextEntryOffset ? \
        (PSYSTEM_PROCESS_INFORMATION)PTR_ADD_OFFSET((Process), \
            ((PSYSTEM_PROCESS_INFORMATION)(Process))->NextEntryOffset) : \
        NULL \
    )

#define STATUS_BUFFER_TOO_SMALL ((NTSTATUS)0xC0000023L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
//#define STATUS_NO_MEMORY ((NTSTATUS)0xC0000017L)

/// Extension block that follows the variable-length Threads[] array of a record:
/// offsetof(Threads) + NumberOfThreads * sizeof(SYSTEM_THREAD_INFORMATION).
/// NOTE(review): same caveat as PH_NEXT_PROCESS -- NumberOfThreads scales the
/// offset with no check against the buffer length.
#define PH_PROCESS_EXTENSION(Process) \
    ((PSYSTEM_PROCESS_INFORMATION_EXTENSION)PTR_ADD_OFFSET((Process), \
        UFIELD_OFFSET(SYSTEM_PROCESS_INFORMATION, Threads) + \
        sizeof(SYSTEM_THREAD_INFORMATION) * \
        ((PSYSTEM_PROCESS_INFORMATION)(Process))->NumberOfThreads))

/// NtQuerySystemInformation signature; MemoryCheck stores a pointer of this type
/// that starts out nullptr, so it is resolved at run time rather than linked.
using PNTQUERYSYSTEMINFORMATION = NTSTATUS(NTAPI*)(
    _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
    _Out_writes_bytes_opt_(SystemInformationLength) PVOID SystemInformation,
    _In_ ULONG SystemInformationLength,
    _Out_opt_ PULONG ReturnLength);

/// NtQueryInformationProcess signature (same run-time resolution as above).
using pNtQueryInformationProcess = NTSTATUS(NTAPI*)(
    _In_ HANDLE ProcessHandle,
    _In_ PROCESSINFOCLASS ProcessInformationClass,
    _Out_writes_bytes_(ProcessInformationLength) PVOID ProcessInformation,
    _In_ ULONG ProcessInformationLength,
    _Out_opt_ PULONG ReturnLength);
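/// Process-memory monitor exposed as a process-wide singleton (GetInstance()).
/// Copy construction and assignment are deleted. Everything except GetInstance()
/// and the constructor is defined out of line.
///
/// Fix versus the previous revision: m_HNtDll had no initializer in the
/// constructor's member list, so a nullptr test on it before the module was
/// loaded read an indeterminate value. Every data member now has an in-class
/// initializer and the constructor is defaulted.
class MemoryCheck
{
public:
    /// Returns the single instance. A function-local static gives thread-safe
    /// first-use initialization; the instance lives until process exit.
    static MemoryCheck& GetInstance()
    {
        static MemoryCheck instance;
        return instance;
    }

    void Init();
    void Start();
    void Stop();
    //void GetSystemMemoryUsage(MEMORYSTATUSEX& memStatus); // returns a 0..100 percentage

    /// @param topN  number of entries to return; default 5.
    std::vector<MemoryCheckLog> GetTopProcesses(int topN = 5);
    /// Alternate implementation with the same contract as GetTopProcesses();
    /// which native path each one uses is decided in the .cpp.
    std::vector<MemoryCheckLog> GetTopProcesses2(int topN = 5);

    MemoryCheck(const MemoryCheck&) = delete;
    MemoryCheck& operator=(const MemoryCheck&) = delete;

private:
    // Private: construction only through GetInstance(). All state comes from the
    // in-class initializers below, so no member is left indeterminate.
    MemoryCheck() = default;
    ~MemoryCheck();

    void MonitorProc();
    void CheckAndAlert();
    MemoryCheckLog GetWinProcessInfo(DWORD pid);
    /// Parses str as a double; "Safe" presumably means it does not throw on bad input -- verify in the .cpp.
    double SafeToDouble(const std::string& str);
    /// Fills *Processes with a SystemProcessInformation buffer; see PH_FIRST_PROCESS /
    /// PH_NEXT_PROCESS for walking it. Ownership of the buffer is decided in the .cpp.
    NTSTATUS HbEnumProcesses(PVOID* Processes);
    void InitializeWindowsInformation();
    BOOLEAN PhIsExecutingInWow64(VOID);
    FORCEINLINE NTSTATUS PhGetProcessIsWow64(_In_ HANDLE ProcessHandle, _Out_ PBOOLEAN IsWow64Process);

    void TestRestartProcess();
    BOOL StartInteractiveProcess();

private:
    std::atomic<bool> m_Running{false};              // set/cleared by Start()/Stop() (presumably); read by the monitor loop
    //std::thread m_MonitorThread;
    //AlarmCfgWrapper* m_AlarmCfgWrapper;
    ULONG m_WindowsVersion{0xffffffffUL};            // WINDOWS_* ordinal; 0xffffffff = not yet determined
    bool m_UseSysApi{false};
    bool m_EnableProcessExtension{false};            // gates reads of SYSTEM_PROCESS_INFORMATION_EXTENSION fields (presumably by m_WindowsVersion)
    HMODULE m_HNtDll{nullptr};                       // ntdll module handle; nullptr until loaded
    // Native entry points, nullptr until resolved. Callers must check for nullptr
    // before invoking -- these are not linked statically.
    PNTQUERYSYSTEMINFORMATION NtQuerySystemInformation = nullptr;
    pNtQueryInformationProcess NtQueryInformationProcess = nullptr;
    Config* m_Config{nullptr};                       // non-owning; set by Init() (presumably)
};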