Hi All,
Does anyone have the definitions of EPROCESS and KPEB structures.
Thanks,
Kedar.
At the beginning of the EPROCESS structure,
there is complete KPROCESS structure
(not pointer, but the whole structure).
And AFAIK, EPROCESS definition varies in different
versions of Windows.
Unless you absolutely have to, don’t work with it,
because your software might not run on every new
service pack.
L.
For which version of Windows? Which service pack?
For current versions and service packs use the WinDBG command
“dt nt!_EPROCESS” for the EPROCESS. I’m not sure what the KPEB means
(does it mean KPROCESS or does it mean TEB?) For the KPROCESS use
“dt nt!_KPROCESS” and for the TEB use “dt nt!_TEB”. Generally, when I need
information like this I use WinDBG in local kernel debug mode to get the
information about my current system.
Of course the fields and sizes of these structures do change, so the
results you find are going to depend upon the system that you are using.
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Kedar
Sent: Tuesday, March 23, 2004 10:56 PM
To: ntfsd redirect
Subject: [ntfsd] EPROCESS and KPEB structures
Hi All,
Does anyone have the definitions of EPROCESS and KPEB structures.
Thanks,
Kedar.
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
You are currently subscribed to ntfsd as: xxxxx@osr.com To unsubscribe
send a blank email to xxxxx@lists.osr.com
In WinDbg, say
dt _EPROCESS
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: “Kedar”
Newsgroups: ntfsd
To: “Windows File Systems Devs Interest List”
Sent: Wednesday, March 24, 2004 6:56 AM
Subject: [ntfsd] EPROCESS and KPEB structures
> Hi All,
>
> Does anyone have the definitions of EPROCESS and KPEB structures.
>
> Thanks,
> Kedar.
> And AFAIK, EPROCESS definition varies in different
> versions of Windows.
Even across at least some service packs.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
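The replies above recommend dumping the layout with WinDbg's dt command and warn that it changes between Windows versions and service packs. The following is an added example, not part of the thread: it parses pasted dt output from two systems and reports which field offsets moved, which is a quick way to check whether code that depends on the layout would break. The two sample dumps are constructed; their offsets are illustrative and are not copied from a real build.

```python
import re

# One field line of WinDbg `dt` output, e.g. "   +0x084 ActiveProcessLinks : _LIST_ENTRY"
DT_LINE = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.+?)\s*$")

def parse_dt(text):
    """Return {field: (offset, type)} from pasted `dt nt!_EPROCESS` output."""
    fields = {}
    for line in text.splitlines():
        m = DT_LINE.match(line)
        if m:  # prompts, command echo and blank lines do not match
            fields[m.group(2)] = (int(m.group(1), 16), m.group(3))
    return fields

def diff_layouts(old, new):
    """List (field, old_offset, new_offset); None means absent on that side."""
    changes = []
    for name in sorted(set(old) | set(new)):
        o = old.get(name, (None,))[0]
        n = new.get(name, (None,))[0]
        if o != n:
            changes.append((name, o, n))
    return changes

def fmt(offset):
    return "absent" if offset is None else f"+0x{offset:03x}"

# Constructed sample dumps (illustrative offsets, not from a real build).
BUILD_A = """\
lkd> dt nt!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x090 UniqueProcessId  : Ptr32 Void
   +0x094 ActiveProcessLinks : _LIST_ENTRY
   +0x1e0 ImageFileName    : [16] UChar
"""
BUILD_B = """\
lkd> dt nt!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x070 ProcessLock      : _EX_PUSH_LOCK
   +0x080 UniqueProcessId  : Ptr32 Void
   +0x084 ActiveProcessLinks : _LIST_ENTRY
   +0x170 ImageFileName    : [16] UChar
"""

if __name__ == "__main__":
    for name, o, n in diff_layouts(parse_dt(BUILD_A), parse_dt(BUILD_B)):
        print(f"{name:20} {fmt(o):>8} -> {fmt(n):>8}")
```

In both samples Pcb stays at offset 0, matching the remark that the KPROCESS is embedded at the start of EPROCESS, while every field after it shifts.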