Original link: http://www.rohitab.com/discuss/topic/38601-proc-thread-attribute-list-structure-documentation/
Starting with Windows Vista/Windows Server 2008, extended attributes can be specified for process and thread creation.
"To specify these attributes when creating a process, specifyEXTENDED_STARTUPINFO_PRESENTin the dwCreationFlag parameter and aSTARTUPINFOEXstructure in the lpStartupInfo parameter" - MSDN
The API's InitializeProcThreadAttributeList, UpdateProcThreadAttribute and DeleteProcThreadAttributeList are used for this. The attribute list passed to these API's is undocumented. While creating definitions for API Monitor, I searched around to see if any documentation was available for this structure. I found very few, and all of them were incorrect, so I decided to reverse engineer the structure. It was relatively easy since the API's for manipulating the list are documented and API Monitor was available for viewing/verifying the structures. These structures have been verified on Windows Vista 32-bit, Windows 7 32-bit and 64-bit.
Most people will not have a use for this, but I'm posting it here for those that might.
// Flags to indicate if an attribute is present in the list.
// I believe these are used so that Windows doesn't have to scan the complete list to see if an attribute is present.
#define PARENT_PROCESS (1 << ProcThreadAttributeParentProcess)
#define EXTENDED_FLAGS (1 << ProcThreadAttributeExtendedFlags)
#define HANDLE_LIST (1 << ProcThreadAttributeHandleList)
#define GROUP_AFFINITY (1 << ProcThreadAttributeGroupAffinity)
#define PREFERRED_NODE (1 << ProcThreadAttributePreferredNode)
#define IDEAL_PROCESSOR (1 << ProcThreadAttributeIdealProcessor)
#define UMS_THREAD (1 << ProcThreadAttributeUmsThread)
#define MITIGATION_POLICY (1 << ProcThreadAttributeMitigationPolicy)
// This structure stores the value for each attribute
typedef struct _PROC_THREAD_ATTRIBUTE_ENTRY
{
DWORD_PTR Attribute; // PROC_THREAD_ATTRIBUTE_xxx
SIZE_T cbSize;
PVOID lpValue;
} PROC_THREAD_ATTRIBUTE_ENTRY, *LPPROC_THREAD_ATTRIBUTE_ENTRY;
// This structure contains a list of attributes that have been added using UpdateProcThreadAttribute
typedef struct _PROC_THREAD_ATTRIBUTE_LIST
{
DWORD dwFlags;
ULONG Size;
ULONG Count;
ULONG Reserved;
PULONG Unknown;
PROC_THREAD_ATTRIBUTE_ENTRY Entries[ANYSIZE_ARRAY];
} PROC_THREAD_ATTRIBUTE_LIST, *LPPROC_THREAD_ATTRIBUTE_LIST;The attribute list is created using InitializeProcThreadAttributeList. Calling this API with a NULL value for lpAttributeList, returns the size required. The size is calculated as follows
- sizeof(PROC_THREAD_ATTRIBUTE_LIST) - sizeof(PROC_THREAD_ATTRIBUTE_ENTRY) + (dwAttributeCount * sizeof(PROC_THREAD_ATTRIBUTE_ENTRY))
InitializeProcThreadAttributeList initializes the attribute list as follows
- dwFlags = 0
- Size = Value of dwAttributeCount
- Count = 0
- Reserved = Not modified
- Unknown = NULL
UpdateProcThreadAttribute is used to add or modify attributes in the list. It modifies the structure as follows
- dwFlags is updated with a flag (e.g. GROUP_AFFINITY) to indicate that the attribute is present in the list
- Count is incremented if the attribute is being added. If an existing attribute is modified (e.g. PROC_THREAD_ATTRIBUTE_EXTENDED_FLAGS) the Count remains the same
- Unknown is only used for PROC_THREAD_ATTRIBUTE_EXTENDED_FLAGS. Not sure what it is, but it is always a pointer to a ULONG value of 0x00060001
- A new entry is added to the Entries array, or an existing entry is modified (in case of PROC_THREAD_ATTRIBUTE_EXTENDED_FLAGS)
API Monitor v2 Alpha-r9 contains the definitions for the above structures. Here is a screenshot displaying the parameters for UpdateProcThreadAttribute called by the Windows Command Prompt (cmd.exe) when launching Notepad (notepad.exe).
0 comment