Hi,

For 32-bit Windows, the following declaration of the _SYSTEM_PROCESSES structure (System Information Class 5) with ZwQuerySystemInformation works fine for my purpose of constructing a process tree.

#include <windows.h>
#include <winternl.h>   /* UNICODE_STRING */

typedef struct _SYSTEM_PROCESSES
{ // System Information Class 5 (SystemProcessInformation)
    ULONG           NextEntryDelta;          // byte offset to the next entry; 0 marks the last one
    ULONG           ThreadCount;
    ULONG           Reserved1[6];
    LARGE_INTEGER   CreateTime;
    LARGE_INTEGER   UserTime;
    LARGE_INTEGER   KernelTime;
    UNICODE_STRING  ProcessName;
    ULONG           BasePriority;
    ULONG           ProcessId;
    ULONG           InheritedFromProcessId;  // parent PID, used to build the tree
    ULONG           HandleCount;
    ULONG           Reserved2[2];
} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;

On the other hand, it doesn't function well on 64-bit Windows. If I declare ProcessId as ULONG64, then the data for ProcessId comes out right. Are the data types defined for the above structure right for 64-bit Windows?

A: 

For some weird reason, process and thread IDs are 64-bit in the kernel and 32-bit in the documented Windows API on x64.

If you look at SYSTEM_PROCESS_INFORMATION at ntinternals, you see that they have declared the PIDs as HANDLE (pointer sized).

Anders

Thanks Anders. That was helpful.

Kartlee
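As an added example that is not code from the thread or from ntinternals: the layout from the question with the two PID fields declared as HANDLE, as the answer describes, plus a bounds-checked walker that turns a buffer of entries into parent lookups for a process tree. The Windows SDK types are stubbed so it builds on any platform, and the buffer contents are constructed rather than obtained from ZwQuerySystemInformation; whether the field order from the question is right for a given Windows version is assumed, not verified here.

```c
/* Added example, not from the thread. SDK types are stubbed below; on Windows
 * include <windows.h> and <winternl.h> instead. HANDLE follows the pointer
 * size, so every field after ProcessId shifts between x86 and x64, which is
 * why a ULONG declaration reads the wrong bytes on 64-bit Windows. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t ULONG;
typedef uint16_t USHORT;
typedef void    *HANDLE;
typedef int64_t  LARGE_INTEGER;                 /* the SDK uses a union of the same size */
typedef struct { USHORT Length; USHORT MaximumLength; wchar_t *Buffer; } UNICODE_STRING;

typedef struct _SYSTEM_PROCESSES {              /* field order as in the question (assumed) */
    ULONG          NextEntryDelta;              /* byte offset to the next entry, 0 = last */
    ULONG          ThreadCount;
    ULONG          Reserved1[6];
    LARGE_INTEGER  CreateTime;
    LARGE_INTEGER  UserTime;
    LARGE_INTEGER  KernelTime;
    UNICODE_STRING ProcessName;
    ULONG          BasePriority;
    HANDLE         ProcessId;                   /* pointer-sized, not ULONG */
    HANDLE         InheritedFromProcessId;      /* parent PID, pointer-sized */
    ULONG          HandleCount;
    ULONG          Reserved2[2];
} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;

size_t pid_field_size(void) { return sizeof(((SYSTEM_PROCESSES *)0)->ProcessId); }

/* Copy the entry at `off` out of the buffer. memcpy avoids alignment traps and
 * the length check refuses an entry that would run past the buffer end. */
static int read_entry(const unsigned char *buf, size_t len, size_t off, SYSTEM_PROCESSES *out)
{
    if (off > len || len - off < sizeof *out) return 0;
    memcpy(out, buf + off, sizeof *out);
    return 1;
}

/* Number of entries in the chain, or 0 if a delta is truncated or would
 * overlap the current entry (either way the buffer is not trustworthy). */
size_t count_entries(const unsigned char *buf, size_t len)
{
    SYSTEM_PROCESSES e;
    size_t off = 0, n = 0;
    for (;;) {
        if (!read_entry(buf, len, off, &e)) return 0;
        n++;
        if (e.NextEntryDelta == 0) return n;
        if (e.NextEntryDelta < sizeof e) return 0;
        off += e.NextEntryDelta;
    }
}

/* Parent PID of `pid`, or (uintptr_t)-1 if no entry carries that PID. */
uintptr_t parent_of(const unsigned char *buf, size_t len, uintptr_t pid)
{
    SYSTEM_PROCESSES e;
    size_t off = 0;
    for (;;) {
        if (!read_entry(buf, len, off, &e)) return (uintptr_t)-1;
        if ((uintptr_t)e.ProcessId == pid) return (uintptr_t)e.InheritedFromProcessId;
        if (e.NextEntryDelta == 0 || e.NextEntryDelta < sizeof e) return (uintptr_t)-1;
        off += e.NextEntryDelta;
    }
}

/* Constructed sample data: append one entry plus `extra` zero bytes standing
 * in for the per-thread records that make real entries variable-sized. */
static size_t append_entry(unsigned char *buf, size_t off, uintptr_t pid,
                           uintptr_t ppid, ULONG threads, size_t extra, int last)
{
    SYSTEM_PROCESSES e;
    memset(&e, 0, sizeof e);
    e.ThreadCount = threads;
    e.ProcessId = (HANDLE)pid;
    e.InheritedFromProcessId = (HANDLE)ppid;
    e.NextEntryDelta = last ? 0 : (ULONG)(sizeof e + extra);
    memcpy(buf + off, &e, sizeof e);
    memset(buf + off + sizeof e, 0, extra);
    return off + sizeof e + extra;
}

#define SAMPLE_CAP 1024
static unsigned char g_sample[SAMPLE_CAP];
static size_t g_sample_len;

/* Four constructed processes: 0 (idle) <- 4 (system) <- 600 <- 1200. */
static void ensure_sample(void)
{
    size_t off = 0;
    if (g_sample_len) return;
    off = append_entry(g_sample, off, 0,    0,   4,  0, 0);
    off = append_entry(g_sample, off, 4,    0, 100, 64, 0);
    off = append_entry(g_sample, off, 600,  4,  12, 32, 0);
    off = append_entry(g_sample, off, 1200, 600, 3,  0, 1);
    g_sample_len = off;
}

size_t    sample_entry_count(void)        { ensure_sample(); return count_entries(g_sample, g_sample_len); }
size_t    sample_truncated_count(void)    { ensure_sample(); return count_entries(g_sample, g_sample_len - 1); }
uintptr_t sample_parent_of(uintptr_t pid) { ensure_sample(); return parent_of(g_sample, g_sample_len, pid); }

int main(void)
{
    SYSTEM_PROCESSES e;
    size_t off = 0;
    ensure_sample();
    printf("ProcessId is %zu bytes at offset %zu\n", pid_field_size(), offsetof(SYSTEM_PROCESSES, ProcessId));
    while (read_entry(g_sample, g_sample_len, off, &e)) {
        printf("pid %lu  parent %lu  threads %u\n", (unsigned long)(uintptr_t)e.ProcessId,
               (unsigned long)(uintptr_t)e.InheritedFromProcessId, (unsigned)e.ThreadCount);
        if (e.NextEntryDelta == 0) break;
        off += e.NextEntryDelta;
    }
    return 0;
}
```

Two design points carry over to a real buffer: read each entry with memcpy through the struct rather than indexing raw offsets, so the pointer-sized fields land correctly on both architectures from one source file, and treat NextEntryDelta as untrusted (truncated or overlapping deltas end the walk) since the returned length, not the entry chain, bounds the buffer.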