RTL_USER_PROCESS_PARAMETERS structure

Hi,

What is the meaning of:

“ULONG Flags”, “ULONG DebugFlags”, “ULONG ConsoleFlags”, “ULONG WindowFlags”, “ULONG ShowWindowFlags”, below

typedef struct _RTL_USER_PROCESS_PARAMETERS
{
    ULONG MaximumLength;
    ULONG Length;
    ULONG Flags;
    ULONG DebugFlags;
    PVOID ConsoleHandle;
    ULONG ConsoleFlags;
    PVOID StandardInput;
    PVOID StandardOutput;
    PVOID StandardError;
    CURDIR CurrentDirectory;
    UNICODE_STRING DllPath;
    UNICODE_STRING ImagePathName;
    UNICODE_STRING CommandLine;
    PVOID Environment;
    ULONG StartingX;
    ULONG StartingY;
    ULONG CountX;
    ULONG CountY;
    ULONG CountCharsX;
    ULONG CountCharsY;
    ULONG FillAttribute;
    ULONG WindowFlags;
    ULONG ShowWindowFlags;
    UNICODE_STRING WindowTitle;
    UNICODE_STRING DesktopInfo;
    UNICODE_STRING ShellInfo;
    UNICODE_STRING RuntimeData;
    RTL_DRIVE_LETTER_CURDIR CurrentDirectores[32];
    ULONG EnvironmentSize;
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

If it's not documented, you may find that what it means now will be different in some other release of Windows. Go up from that struct to PEB and up from there to EPROCESS. It's huge. It seems like duplication of info everywhere.

Caveat Emptor

Yes, it's not documented, BUT it's important to understand their meaning on different versions of Windows.

xxxxx@gmail.com wrote:

Yes, it's not documented, BUT it's important to understand their meaning on different versions of Windows.

I doubt it.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Meanings may or may not change across versions, but volatile
undocumented stuff: use with caution.

WindowFlags denotes the combined values of STARTF_XXXXXX that you
provide in the STARTUPINFO struct for CreateProcess.

Likewise, ShowWindowFlags denotes combined values of SW_XXXX values (for

+0x04c StartingX : 0x64 STARTF_USEPOSITION on CW_USEDEFAULT in CreateWindow() call
+0x050 StartingY : 0x64
+0x054 CountX : 0x96 STARTF_USESIZE
+0x058 CountY : 0x96
+0x05c CountCharsX : 0
+0x060 CountCharsY : 0
+0x064 FillAttribute : 0x82 FOREGROUND_GREEN | BACKGROUND_INTENSITY
+0x068 WindowFlags : 0x17 STARTF_USEPOSITION | STARTF_USESHOWWINDOW | STARTF_USESIZE | STARTF_USEFILLATTRIBUTE

+0x06c ShowWindowFlags : 1 from STARTF_USESHOWWIND
si.wShowWindow = SW_SHOWNORMAL;

For other Flags look at k32.BasePushProcessParameters and
ntdll.RtlCreateProcessParameters;
they all get into the picture when you use the MITIGATION params /
Creation Flags / Security Attributes of the CreateProcess call.

Flags has some #defines in ReactOS / Tomasz's undocumented ntinternals
etc. Google is your best friend.

On 9/3/14, xxxxx@gmail.com wrote:
> Hi,
>
> What is the meaning of:
>
> “ULONG Flags”, “ULONG DebugFlags”, “ULONG ConsoleFlags”, “ULONG
> WindowFlags”, “ULONG ShowWindowFlags”, below
>
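As an added example (not code from the thread or from Windows headers), the following models the 32-bit layout of the leading fields whose offsets appear in the dt output above, copies them out of a raw memory block as a forensic tool reading PEB->ProcessParameters from a dump would, and decodes WindowFlags back into the public STARTF_* names. The struct name RUPP32, the helper names and the sample block are assumptions; the STARTF_* bit values are the public winbase.h constants.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 32-bit layout of the leading fields; pointers are modelled as uint32_t
 * so the offsets match the dt output (+0x04c StartingX ... +0x06c ShowWindowFlags)
 * on any host. Names are hypothetical, not the SDK's. */
typedef struct { uint16_t Length, MaximumLength; uint32_t Buffer; } US32; /* UNICODE_STRING */
typedef struct { US32 DosPath; uint32_t Handle; } CURDIR32;               /* CURDIR */
typedef struct {
    uint32_t MaximumLength, Length, Flags, DebugFlags, ConsoleHandle, ConsoleFlags;
    uint32_t StandardInput, StandardOutput, StandardError;
    CURDIR32 CurrentDirectory;
    US32 DllPath, ImagePathName, CommandLine;
    uint32_t Environment;
    uint32_t StartingX, StartingY, CountX, CountY, CountCharsX, CountCharsY;
    uint32_t FillAttribute, WindowFlags, ShowWindowFlags;
} RUPP32;

/* STARTF_* bits from winbase.h that CreateProcess copies into WindowFlags. */
static const struct { uint32_t bit; const char *name; } startf[] = {
    { 0x001, "STARTF_USESHOWWINDOW" },    { 0x002, "STARTF_USESIZE" },
    { 0x004, "STARTF_USEPOSITION" },      { 0x008, "STARTF_USECOUNTCHARS" },
    { 0x010, "STARTF_USEFILLATTRIBUTE" }, { 0x100, "STARTF_USESTDHANDLES" },
};

/* Copy the fixed-size head out of raw process memory (e.g. a dump); too-short
 * input yields an all-zero record rather than an out-of-bounds read. */
RUPP32 parse_rupp32(const uint8_t *mem, size_t len)
{
    RUPP32 p; memset(&p, 0, sizeof p);
    if (len >= sizeof p) memcpy(&p, mem, sizeof p);
    return p;
}

/* Render WindowFlags as "A | B | C"; returns the number of recognised bits. */
int decode_window_flags(uint32_t flags, char *out, size_t cap)
{
    int n = 0; out[0] = '\0';
    for (size_t i = 0; i < sizeof startf / sizeof startf[0]; i++)
        if (flags & startf[i].bit) {
            if (n++) strncat(out, " | ", cap - strlen(out) - 1);
            strncat(out, startf[i].name, cap - strlen(out) - 1);
        }
    return n;
}

/* Constructed sample: a zeroed 0x70-byte block carrying the values from the dump. */
void build_sample(uint8_t *mem)
{
    uint32_t v[] = { 0x64, 0x64, 0x96, 0x96, 0, 0, 0x82, 0x17, 1 }; /* +0x4c .. +0x6c */
    memset(mem, 0, 0x70);
    memcpy(mem + 0x4c, v, sizeof v);
}
```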

Thanks Raj… would it be possible to identify process creation flags too?