Document RTL_USER_PROCESS_PARAMETERS #31
Sources include:

- https://github.com/je5442804/CreateProcessInternalW-Full for some of the flags
- ntinternals.net
- ReactOS
- The mentioned sources for specific flags and fields
### Length

Total allocated size of the process parameter block, including the fixed structure and variable-length string data (such as `DllPath`, `ImagePathName`, `CommandLine`, `WindowTitle`, `DesktopInfo`, `ShellInfo`, `RuntimeData`) stored contiguously after the structure.
It might be worth explicitly pointing out that it does not include the size of the environment block, despite covering other variable-sized fields
### ConsoleHandle

Handle identifying the console session associated with the process. Inherited from the parent process by default, or set to a special value during process creation:
For running console processes, this field usually stores the console connection handle (\Device\ConDrv\Connect)
| Value | Description |
|-------|-------------|
| `0x01` | Set when process is created with `CREATE_NEW_PROCESS_GROUP` without `CREATE_NEW_CONSOLE`. |
This 0x01 stands for CONSOLE_IGNORE_CTRL_C (documented in Windows Terminal sources). It allows the process to temporarily block Ctrl+C requests. You can set/remove this flag via SetConsoleCtrlHandler(NULL, TRUE/FALSE).
### StandardInput

Handle to the standard input stream. Corresponds to `STARTUPINFO.hStdInput`.
For console processes, this field usually stores a \Device\ConDrv\Input handle.
### StandardOutput

Handle to the standard output stream. Corresponds to `STARTUPINFO.hStdOutput`.
For console processes, this field usually stores a \Device\ConDrv\Output handle.
### Environment

Pointer to the environment block. See `RtlCreateEnvironment` for creating environment blocks.
Note that this field always stores an absolute pointer (to outside of the structure), regardless of the normalization flag.
Hmm, it might also be useful to add notes to all other variable-sized fields that the caller should always check the normalization flag before attempting to use pointers as-is
Interestingly, HeapPartitionName isn't handled in RtlNormalizeProcessParams either (checking in 26100.7171). Seems like normalization is limited to:

- CurrentDirectory.DosPath
- DllPath
- ImagePathName
- CommandLine
- WindowTitle
- DesktopInfo
- ShellInfo
- RuntimeData
- RedirectionDllName
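An added example, not part of this PR or the documentation under review, showing why a reader of the block must check the normalization flag before dereferencing the string fields while `Environment` is always an absolute pointer, plus the double-NUL scan discussed under EnvironmentSize. The `MOCK_*` types, the `resolve_buffer`, `normalize` and `env_block_size` helpers and the sample strings are constructed stand-ins, not ntdll's real layout or API.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-ins for UNICODE_STRING and the few fields used; the real struct has many more. */
typedef struct { uint16_t Length, MaximumLength; uint16_t *Buffer; } MOCK_UNICODE_STRING;
#define MOCK_NORMALIZED 0x00000001u   /* RTL_USER_PROC_PARAMS_NORMALIZED */
typedef struct {
    uint32_t Flags; MOCK_UNICODE_STRING CommandLine;
    uint16_t *Environment;            /* always absolute, even when the flag is clear */
    uint16_t Data[16];                /* constructed: string data stored after the fixed part */
} MOCK_PROCESS_PARAMETERS;
static const uint16_t CMD[] = { 'c','m','d','.','e','x','e', 0 };       /* constructed */
static const uint16_t ENV[] = { 'A','=','1',0, 'B','=','2',0, 0 };      /* constructed */

/* Resolve Buffer: absolute when normalized, otherwise an offset from the structure base. */
static uint16_t *resolve_buffer(MOCK_PROCESS_PARAMETERS *pp, const MOCK_UNICODE_STRING *s) {
    if (s->Buffer == NULL) return NULL;
    if (pp->Flags & MOCK_NORMALIZED) return s->Buffer;
    return (uint16_t *)((uint8_t *)pp + (uintptr_t)s->Buffer);
}

/* Mimic what RtlNormalizeProcessParams does for string fields: rebase once, then set the flag. */
static void normalize(MOCK_PROCESS_PARAMETERS *pp) {
    if (pp->Flags & MOCK_NORMALIZED) return;
    pp->CommandLine.Buffer = resolve_buffer(pp, &pp->CommandLine);
    pp->Flags |= MOCK_NORMALIZED;
}

/* Bytes in a double-NUL-terminated UTF-16 environment block, terminator included. */
static size_t env_block_size(const uint16_t *env) {
    size_t i = 0;
    while (env[i] != 0 || env[i + 1] != 0) i++;
    return (i + 2) * sizeof(uint16_t);
}

/* Walk-through on a constructed denormalized block; returns 1 when every read is correct. */
static int run_checks(void) {
    static MOCK_PROCESS_PARAMETERS pp;
    memset(&pp, 0, sizeof pp);
    memcpy(pp.Data, CMD, sizeof CMD);
    pp.CommandLine.Length = sizeof CMD - sizeof(uint16_t);
    pp.CommandLine.Buffer = (uint16_t *)(uintptr_t)offsetof(MOCK_PROCESS_PARAMETERS, Data);
    pp.Environment = (uint16_t *)ENV;   /* absolute pointer although Flags == 0 */
    if (memcmp(resolve_buffer(&pp, &pp.CommandLine), CMD, sizeof CMD) != 0) return 0;
    normalize(&pp);
    if (pp.CommandLine.Buffer != pp.Data) return 0;           /* now absolute */
    if (memcmp(resolve_buffer(&pp, &pp.CommandLine), CMD, sizeof CMD) != 0) return 0;
    return env_block_size(pp.Environment) == sizeof ENV;
}
```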
### EnvironmentSize

Added in Windows Vista.
While it's possible to determine the size of the environment block by scanning it until a double-zero terminator, this field caches the size.
According to RtlCreateProcessParametersInternal, if I got it right, it's the amount of allocated bytes (which is aligned to 8 bytes and may be larger than the double-zero calculation).
Yeah, true, and RtlSetCurrentEnvironment uses RtlSizeHeap(NtCurrentPeb()->ProcessHeap, 0, Environment), which is more of a maximum size rather than the exact size.
### EnvironmentVersion

Added in Windows 7.
The number of times the environment block has changed. Incremented every time by RtlSetEnvironmentStrings and RtlSetEnvironmentVar.
### ProcessGroupId

Added in Windows 8.
The console group identifier to narrow down control signal delivery.
| Flag | Value | Description |
|------|-------|-------------|
| `RTL_USER_PROC_PARAMS_NORMALIZED` | `0x00000001` | Structure is normalized by `RtlNormalizeProcessParams`. Pointers are absolute addresses rather than offsets. |
Except for the environment block, which is always an absolute address
| `RTL_USER_PROC_APPX_LOADER_ALTERNATE_FORWARDER` | `0x04000000` | |
| `RTL_USER_PROC_APPX_GLOBAL_OVERRIDE` | `0x08000000` | |
| `RTL_USER_PROC_LOADER_FORWARDER` | `0x20000000` | |
| `RTL_USER_PROC_EXIT_PROCESS_NORMAL` | `0x40000000` | |
Allows processes with AppModelPolicy_ProcessEnd_TerminateProcess to opt back in to the normal ExitProcess path that detaches from DLLs on exit.
| `RTL_USER_PROC_PROCESS_OR_1` | `0x00000200` | |
| `RTL_USER_PROC_PROCESS_OR_2` | `0x00000400` | |
| `RTL_USER_PROC_DLL_REDIRECTION_LOCAL` | `0x00001000` | |
| `RTL_USER_PROC_APP_MANIFEST_PRESENT` | `0x00002000` | |
The system has detected an application manifest upon process creation,
| `RTL_USER_PROC_IMAGE_KEY_MISSING` | `0x00004000` | |
The corresponding Image File Execution Options (IFEO) key was not found at process creation.
| `RTL_USER_PROC_RESERVE_1MB` | `0x00000020` | |
| `RTL_USER_PROC_RESERVE_16MB` | `0x00000040` | |
The system should reserve a region at the lower addresses (the NULL page) at process creation. See also PS_MEMORY_RESERVE and PS_ATTRIBUTE_MEMORY_RESERVE.
Mostly based on feedback from @diversenok.

Pushed an update. Let me know if I missed anything.
diversenok
left a comment
Yes, that looks good 👍
@diversenok are you familiar with this struct? Would you like to take a look and review it?
Also, if you have any info about the undocumented fields (e.g. DebugFlags), that'd be great.