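Windows 2000 操作系统
(注:以下均为 32 位 x86 内核上 WinDbg `dt` 命令的输出。各版本的字段偏移量互不相同,例如 UniqueProcessId 在 2000 为 +0x09c、XP 与 2003 SP0 为 +0x084、2003 SP1/SP2 为 +0x094、Vista 为 +0x09c;使用时应按目标系统的符号文件确认偏移量,不要硬编码。)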
nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x06c ExitStatus : 259
+0x070 LockEvent : _KEVENT
+0x080 LockCount : 1
+0x088 CreateTime : _LARGE_INTEGER 0x1c87e74`e265cc4c
+0x090 ExitTime : _LARGE_INTEGER 0x0
+0x098 LockOwner : (null)
+0x09c UniqueProcessId : 0x000001c8
+0x0a0 ActiveProcessLinks : _LIST_ENTRY [ 0x8046dcb0 - 0x81672a60 ]
+0x0a8 QuotaPeakPoolUsage : [2] 0x824
+0x0b0 QuotaPoolUsage : [2] 0x684
+0x0b8 PagefileUsage : 0x39
+0x0bc CommitCharge : 0x39
+0x0c0 PeakPagefileUsage : 0x39
+0x0c4 PeakVirtualSize : 0x8f0000
+0x0c8 VirtualSize : 0x8f0000
+0x0d0 Vm : _MMSUPPORT
+0x118 SessionProcessLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x120 DebugPort : (null)
+0x124 ExceptionPort : 0xe19c2b20
+0x128 ObjectTable : 0x8166ef48 _HANDLE_TABLE
+0x12c Token : 0xe1b61250
+0x130 WorkingSetLock : _FAST_MUTEX
+0x150 WorkingSetPage : 0x4886
+0x154 ProcessOutswapEnabled : 0 ''
+0x155 ProcessOutswapped : 0 ''
+0x156 AddressSpaceInitialized : 0x2 ''
+0x157 AddressSpaceDeleted : 0 ''
+0x158 AddressCreationLock : _FAST_MUTEX
+0x178 HyperSpaceLock : 0
+0x17c ForkInProgress : (null)
+0x180 VmOperation : 0
+0x182 ForkWasSuccessful : 0 ''
+0x183 MmAgressiveWsTrimMask : 0 ''
+0x184 VmOperationEvent : (null)
+0x188 PaeTop : (null)
+0x18c LastFaultCount : 0
+0x190 ModifiedPageCount : 0
+0x194 VadRoot : 0x8166f928
+0x198 VadHint : 0x8166c788
+0x19c CloneRoot : (null)
+0x1a0 NumberOfPrivatePages : 0x31
+0x1a4 NumberOfLockedPages : 0
+0x1a8 NextPageColor : 0x20c4
+0x1aa ExitProcessCalled : 0 ''
+0x1ab CreateProcessReported : 0 ''
+0x1ac SectionHandle : 0x00000004
+0x1b0 Peb : 0x7ffdf000 _PEB
+0x1b4 SectionBaseAddress : 0x01000000
+0x1b8 QuotaBlock : 0x8046dd00 _EPROCESS_QUOTA_BLOCK
+0x1bc LastThreadExitStatus : 0
+0x1c0 WorkingSetWatch : (null)
+0x1c4 Win32WindowStation : 0x00000040
+0x1c8 InheritedFromUniqueProcessId : 0x000000d4
+0x1cc GrantedAccess : 0x1f0fff
+0x1d0 DefaultHardErrorProcessing : 0
+0x1d4 LdtInformation : (null)
+0x1d8 VadFreeHint : 0x8166c768
+0x1dc VdmObjects : (null)
+0x1e0 DeviceMap : 0x8187dee8
+0x1e4 SessionId : 0
+0x1e8 PhysicalVadList : _LIST_ENTRY [ 0x8167db08 - 0x8167db08 ]
+0x1f0 PageDirectoryPte : _HARDWARE_PTE_X86
+0x1f0 Filler : 0
+0x1f8 PaePageDirectoryPage : 0
+0x1fc ImageFileName : [16] "svchost.exe"
+0x20c VmTrimFaultValue : 0
+0x210 SetTimerResolution : 0 ''
+0x211 PriorityClass : 0x2 ''
+0x212 SubSystemMinorVersion : 0 ''
+0x213 SubSystemMajorVersion : 0x4 ''
+0x212 SubSystemVersion : 0x400
+0x214 Win32Process : 0xe1b64508
+0x218 Job : (null)
+0x21c JobStatus : 0
+0x220 JobLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x228 LockedPagesList : (null)
+0x22c SecurityPort : (null)
+0x230 Wow64Process : (null)
+0x238 ReadOperationCount : _LARGE_INTEGER 0x2
+0x240 WriteOperationCount : _LARGE_INTEGER 0x2
+0x248 OtherOperationCount : _LARGE_INTEGER 0x39
+0x250 ReadTransferCount : _LARGE_INTEGER 0x30
+0x258 WriteTransferCount : _LARGE_INTEGER 0xc
+0x260 OtherTransferCount : _LARGE_INTEGER 0x920
+0x268 CommitChargeLimit : 0
+0x26c CommitChargePeak : 0x39
+0x270 ThreadListHead : _LIST_ENTRY [ 0x8166dfe0 - 0x8166be80 ]
+0x278 VadPhysicalPagesBitMap : (null)
+0x27c VadPhysicalPages : 0
+0x280 AweLock : 0
+0x284 pImageFileName : 0x8167c818 _UNICODE_STRING "\WINNT\system32\svchost.exe"
kd> dt nt!_KPROCESS 8167d920
+0x000 Header : _DISPATCHER_HEADER
+0x010 ProfileListHead : _LIST_ENTRY [ 0x8167d930 - 0x8167d930 ]
+0x018 DirectoryTableBase : [2] 0x47c4000
+0x020 LdtDescriptor : _KGDTENTRY
+0x028 Int21Descriptor : _KIDTENTRY
+0x030 IopmOffset : 0x20ac
+0x032 Iopl : 0 ''
+0x033 VdmFlag : 0 ''
+0x034 ActiveProcessors : 0
+0x038 KernelTime : 0
+0x03c UserTime : 1
+0x040 ReadyListHead : _LIST_ENTRY [ 0x8167d960 - 0x8167d960 ]
+0x048 SwapListEntry : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x050 ThreadListHead : _LIST_ENTRY [ 0x8166df44 - 0x8166bde4 ]
+0x058 ProcessLock : 0
+0x05c Affinity : 1
+0x060 StackCount : 2
+0x062 BasePriority : 8 ''
+0x063 ThreadQuantum : 6 ''
+0x064 AutoAlignment : 0 ''
+0x065 State : 0 ''
+0x066 ThreadSeed : 0x62 'b'
+0x067 DisableBoost : 0 ''
+0x068 PowerState : 0 ''
+0x069 DisableQuantum : 0 ''
+0x06a Spare : [2] ""
Windows XP 操作系统
nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x06c ProcessLock : _EX_PUSH_LOCK
+0x070 CreateTime : _LARGE_INTEGER 0x1c87e9b`afdd9828
+0x078 ExitTime : _LARGE_INTEGER 0x0
+0x080 RundownProtect : _EX_RUNDOWN_REF
+0x084 UniqueProcessId : 0x000005bc
+0x088 ActiveProcessLinks : _LIST_ENTRY [ 0x8149c6f8 - 0x814a86c0 ]
+0x090 QuotaUsage : [3] 0x1e28
+0x09c QuotaPeak : [3] 0x1ef0
+0x0a8 CommitCharge : 0x793
+0x0ac PeakVirtualSize : 0x3b37000
+0x0b0 VirtualSize : 0x3a37000
+0x0b4 SessionProcessLinks : _LIST_ENTRY [ 0x8149c724 - 0x814a86ec ]
+0x0bc DebugPort : (null)
+0x0c0 ExceptionPort : 0xe13c5bb8
+0x0c4 ObjectTable : 0xe1708f10 _HANDLE_TABLE
+0x0c8 Token : _EX_FAST_REF
+0x0cc WorkingSetLock : _FAST_MUTEX
+0x0ec WorkingSetPage : 0x9ceb
+0x0f0 AddressCreationLock : _FAST_MUTEX
+0x110 HyperSpaceLock : 0
+0x114 ForkInProgress : (null)
+0x118 HardwareTrigger : 0
+0x11c VadRoot : 0x81595c90
+0x120 VadHint : 0x814968a0
+0x124 CloneRoot : (null)
+0x128 NumberOfPrivatePages : 0x53c
+0x12c NumberOfLockedPages : 0
+0x130 Win32Process : 0xe1844e68
+0x134 Job : (null)
+0x138 SectionObject : 0xe18947e0
+0x13c SectionBaseAddress : 0x01000000
+0x140 QuotaBlock : 0x814b0b90 _EPROCESS_QUOTA_BLOCK
+0x144 WorkingSetWatch : (null)
+0x148 Win32WindowStation : 0x00000030
+0x14c InheritedFromUniqueProcessId : 0x000005ac
+0x150 LdtInformation : (null)
+0x154 VadFreeHint : (null)
+0x158 VdmObjects : (null)
+0x15c DeviceMap : 0xe18de910
+0x160 PhysicalVadList : _LIST_ENTRY [ 0x815a3f00 - 0x815a3f00 ]
+0x168 PageDirectoryPte : _HARDWARE_PTE
+0x168 Filler : 0
+0x170 Session : 0xf9eb8000
+0x174 ImageFileName : [16] "explorer.exe"
+0x184 JobLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x18c LockedPagesList : (null)
+0x190 ThreadListHead : _LIST_ENTRY [ 0x815a2fd4 - 0x815ad58c ]
+0x198 SecurityPort : (null)
+0x19c PaeTop : 0xf9fc91a0
+0x1a0 ActiveThreads : 0xc
+0x1a4 GrantedAccess : 0x1f0fff
+0x1a8 DefaultHardErrorProcessing : 0
+0x1ac LastThreadExitStatus : 0
+0x1b0 Peb : 0x7ffdb000 _PEB
+0x1b4 PrefetchTrace : _EX_FAST_REF
+0x1b8 ReadOperationCount : _LARGE_INTEGER 0xd0
+0x1c0 WriteOperationCount : _LARGE_INTEGER 0x5
+0x1c8 OtherOperationCount : _LARGE_INTEGER 0x6d1
+0x1d0 ReadTransferCount : _LARGE_INTEGER 0x31b8bb
+0x1d8 WriteTransferCount : _LARGE_INTEGER 0x184
+0x1e0 OtherTransferCount : _LARGE_INTEGER 0x7757
+0x1e8 CommitChargeLimit : 0
+0x1ec CommitChargePeak : 0x7b7
+0x1f0 AweInfo : (null)
+0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1f8 Vm : _MMSUPPORT
+0x238 LastFaultCount : 0
+0x23c ModifiedPageCount : 0x26
+0x240 NumberOfVads : 0xa5
+0x244 JobStatus : 0
+0x248 Flags : 0xd0800
+0x248 CreateReported : 0y0
+0x248 NoDebugInherit : 0y0
+0x248 ProcessExiting : 0y0
+0x248 ProcessDelete : 0y0
+0x248 Wow64SplitPages : 0y0
+0x248 VmDeleted : 0y0
+0x248 OutswapEnabled : 0y0
+0x248 Outswapped : 0y0
+0x248 ForkFailed : 0y0
+0x248 HasPhysicalVad : 0y0
+0x248 AddressSpaceInitialized : 0y10
+0x248 SetTimerResolution : 0y0
+0x248 BreakOnTermination : 0y0
+0x248 SessionCreationUnderway : 0y0
+0x248 WriteWatch : 0y0
+0x248 ProcessInSession : 0y1
+0x248 OverrideAddressSpace : 0y0
+0x248 HasAddressSpace : 0y1
+0x248 LaunchPrefetched : 0y1
+0x248 InjectInpageErrors : 0y0
+0x248 VmTopDown : 0y0
+0x248 Unused3 : 0y0
+0x248 Unused4 : 0y0
+0x248 VdmAllowed : 0y0
+0x248 Unused : 0y00000 (0)
+0x248 Unused1 : 0y0
+0x248 Unused2 : 0y0
+0x24c ExitStatus : 259
+0x250 NextPageColor : 0x3eca
+0x252 SubSystemMinorVersion : 0xa ''
+0x253 SubSystemMajorVersion : 0x4 ''
+0x252 SubSystemVersion : 0x40a
+0x254 PriorityClass : 0x2 ''
+0x255 WorkingSetAcquiredUnsafe : 0 ''
+0x258 Cookie : 0xae152c49
kd> dt nt!_KPROCESS 815a3da0
+0x000 Header : _DISPATCHER_HEADER
+0x010 ProfileListHead : _LIST_ENTRY [ 0x815a3db0 - 0x815a3db0 ]
+0x018 DirectoryTableBase : [2] 0x62001a0
+0x020 LdtDescriptor : _KGDTENTRY
+0x028 Int21Descriptor : _KIDTENTRY
+0x030 IopmOffset : 0x20ac
+0x032 Iopl : 0 ''
+0x033 Unused : 0 ''
+0x034 ActiveProcessors : 0
+0x038 KernelTime : 0x2e
+0x03c UserTime : 3
+0x040 ReadyListHead : _LIST_ENTRY [ 0x815a3de0 - 0x815a3de0 ]
+0x048 SwapListEntry : _SINGLE_LIST_ENTRY
+0x04c VdmTrapcHandler : (null)
+0x050 ThreadListHead : _LIST_ENTRY [ 0x815a2f58 - 0x815ad510 ]
+0x058 ProcessLock : 0
+0x05c Affinity : 1
+0x060 StackCount : 0xc
+0x062 BasePriority : 8 ''
+0x063 ThreadQuantum : 18 ''
+0x064 AutoAlignment : 0 ''
+0x065 State : 0 ''
+0x066 ThreadSeed : 0 ''
+0x067 DisableBoost : 0 ''
+0x068 PowerState : 0 ''
+0x069 DisableQuantum : 0 ''
+0x06a IdealNode : 0 ''
+0x06b Flags : _KEXECUTE_OPTIONS
+0x06b ExecuteOptions : 0 ''
Windows Server 2003 SP0
nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x06c ProcessLock : _EX_PUSH_LOCK
+0x070 CreateTime : _LARGE_INTEGER 0x1c87ebc`04c7e13e
+0x078 ExitTime : _LARGE_INTEGER 0x0
+0x080 RundownProtect : _EX_RUNDOWN_REF
+0x084 UniqueProcessId : 0x00000100
+0x088 ActiveProcessLinks : _LIST_ENTRY [ 0x80570de8 - 0x82094e10 ]
+0x090 QuotaUsage : [3] 0xef0
+0x09c QuotaPeak : [3] 0xfb8
+0x0a8 CommitCharge : 0x19f
+0x0ac PeakVirtualSize : 0x1836000
+0x0b0 VirtualSize : 0x17ae000
+0x0b4 SessionProcessLinks : _LIST_ENTRY [ 0xf799b010 - 0x82094e3c ]
+0x0bc DebugPort : (null)
+0x0c0 ExceptionPort : 0xe1342030
+0x0c4 ObjectTable : 0xe19275e0 _HANDLE_TABLE
+0x0c8 Token : _EX_FAST_REF
+0x0cc WorkingSetPage : 0x2b89
+0x0d0 AddressCreationLock : _KGUARDED_MUTEX
+0x0f0 HyperSpaceLock : 0
+0x0f4 ForkInProgress : (null)
+0x0f8 HardwareTrigger : 0
+0x0fc PhysicalVadRoot : (null)
+0x100 CloneRoot : (null)
+0x104 NumberOfPrivatePages : 0x120
+0x108 NumberOfLockedPages : 0
+0x10c Win32Process : 0xe1937008
+0x110 Job : 0x82328030 _EJOB
+0x114 SectionObject : 0xe170d030
+0x118 SectionBaseAddress : 0x01000000
+0x11c QuotaBlock : 0x80570ea0 _EPROCESS_QUOTA_BLOCK
+0x120 WorkingSetWatch : (null)
+0x124 Win32WindowStation : 0x0000002c
+0x128 InheritedFromUniqueProcessId : 0x00000298
+0x12c LdtInformation : (null)
+0x130 VadFreeHint : (null)
+0x134 VdmObjects : (null)
+0x138 DeviceMap : 0xe1001138
+0x13c Spare0 : [3] (null)
+0x148 PageDirectoryPte : _HARDWARE_PTE
+0x148 Filler : 0
+0x150 Session : 0xf799b000
+0x154 ImageFileName : [16] "wmiprvse.exe"
+0x164 JobLinks : _LIST_ENTRY [ 0x82328048 - 0x82328048 ]
+0x16c LockedPagesList : (null)
+0x170 ThreadListHead : _LIST_ENTRY [ 0x823edae4 - 0x8246cfd4 ]
+0x178 SecurityPort : (null)
+0x17c PaeTop : (null)
+0x180 ActiveThreads : 7
+0x184 GrantedAccess : 0x1f0fff
+0x188 DefaultHardErrorProcessing : 0
+0x18c LastThreadExitStatus : 0
+0x190 Peb : 0x7ffdf000 _PEB
+0x194 PrefetchTrace : _EX_FAST_REF
+0x198 ReadOperationCount : _LARGE_INTEGER 0x14d
+0x1a0 WriteOperationCount : _LARGE_INTEGER 0x14e
+0x1a8 OtherOperationCount : _LARGE_INTEGER 0x1da
+0x1b0 ReadTransferCount : _LARGE_INTEGER 0x7230
+0x1b8 WriteTransferCount : _LARGE_INTEGER 0x5a9f
+0x1c0 OtherTransferCount : _LARGE_INTEGER 0x3e54
+0x1c8 CommitChargeLimit : 0x8000
+0x1cc CommitChargePeak : 0x220
+0x1d0 AweInfo : (null)
+0x1d4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1d8 Vm : _MMSUPPORT
+0x238 MmProcessLinks : _LIST_ENTRY [ 0x8056abc8 - 0x82094fc0 ]
+0x240 ModifiedPageCount : 0
+0x244 JobStatus : 0x10
+0x248 Flags : 0x450801
+0x248 CreateReported : 0y1
+0x248 NoDebugInherit : 0y0
+0x248 ProcessExiting : 0y0
+0x248 ProcessDelete : 0y0
+0x248 Wow64SplitPages : 0y0
+0x248 VmDeleted : 0y0
+0x248 OutswapEnabled : 0y0
+0x248 Outswapped : 0y0
+0x248 ForkFailed : 0y0
+0x248 Wow64VaSpace4Gb : 0y0
+0x248 AddressSpaceInitialized : 0y10
+0x248 SetTimerResolution : 0y0
+0x248 BreakOnTermination : 0y0
+0x248 SessionCreationUnderway : 0y0
+0x248 WriteWatch : 0y0
+0x248 ProcessInSession : 0y1
+0x248 OverrideAddressSpace : 0y0
+0x248 HasAddressSpace : 0y1
+0x248 LaunchPrefetched : 0y0
+0x248 InjectInpageErrors : 0y0
+0x248 VmTopDown : 0y0
+0x248 ImageNotifyDone : 0y1
+0x248 PdeUpdateNeeded : 0y0
+0x248 VdmAllowed : 0y0
+0x248 Unused : 0y0000000 (0)
+0x24c ExitStatus : 259
+0x250 NextPageColor : 0xfc2a
+0x252 SubSystemMinorVersion : 0 ''
+0x253 SubSystemMajorVersion : 0x4 ''
+0x252 SubSystemVersion : 0x400
+0x254 PriorityClass : 0x2 ''
+0x258 VadRoot : _MM_AVL_TABLE
kd> dt nt!_KPROCESS 824da270
+0x000 Header : _DISPATCHER_HEADER
+0x010 ProfileListHead : _LIST_ENTRY [ 0x824da280 - 0x824da280 ]
+0x018 DirectoryTableBase : [2] 0x46000
+0x020 LdtDescriptor : _KGDTENTRY
+0x028 Int21Descriptor : _KIDTENTRY
+0x030 IopmOffset : 0x20ac
+0x032 Iopl : 0 ''
+0x033 Unused : 0 ''
+0x034 ActiveProcessors : 0
+0x038 KernelTime : 0x10
+0x03c UserTime : 0
+0x040 ReadyListHead : _LIST_ENTRY [ 0x824da2b0 - 0x824da2b0 ]
+0x048 SwapListEntry : _SINGLE_LIST_ENTRY
+0x04c VdmTrapcHandler : (null)
+0x050 ThreadListHead : _LIST_ENTRY [ 0x823eda5c - 0x8246cf4c ]
+0x058 ProcessLock : 0
+0x05c Affinity : 1
+0x060 StackCount : 7
+0x062 BasePriority : 8 ''
+0x063 ThreadQuantum : 36 '$'
+0x064 AutoAlignment : 0 ''
+0x065 State : 0 ''
+0x066 ThreadSeed : 0 ''
+0x067 DisableBoost : 0 ''
+0x068 PowerState : 0 ''
+0x069 DisableQuantum : 0 ''
+0x06a IdealNode : 0 ''
+0x06b Spare : 0 ''
Windows Server 2003 SP1
nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x078 ProcessLock : _EX_PUSH_LOCK
+0x080 CreateTime : _LARGE_INTEGER 0x1c87ebe`2c3522e8
+0x088 ExitTime : _LARGE_INTEGER 0x0
+0x090 RundownProtect : _EX_RUNDOWN_REF
+0x094 UniqueProcessId : 0x000001cc
+0x098 ActiveProcessLinks : _LIST_ENTRY [ 0x82370e20 - 0x81f6fde0 ]
+0x0a0 QuotaUsage : [3] 0x1ca0
+0x0ac QuotaPeak : [3] 0x1e30
+0x0b8 CommitCharge : 0x684
+0x0bc PeakVirtualSize : 0x3ce8000
+0x0c0 VirtualSize : 0x3ca0000
+0x0c4 SessionProcessLinks : _LIST_ENTRY [ 0x82370e4c - 0x81f6fe0c ]
+0x0cc DebugPort : (null)
+0x0d0 ExceptionPort : 0xe1439470
+0x0d4 ObjectTable : 0xe1529d38 _HANDLE_TABLE
+0x0d8 Token : _EX_FAST_REF
+0x0dc WorkingSetPage : 0x3877
+0x0e0 AddressCreationLock : _KGUARDED_MUTEX
+0x100 HyperSpaceLock : 0
+0x104 ForkInProgress : (null)
+0x108 HardwareTrigger : 0
+0x10c PhysicalVadRoot : (null)
+0x110 CloneRoot : (null)
+0x114 NumberOfPrivatePages : 0x466
+0x118 NumberOfLockedPages : 0
+0x11c Win32Process : 0xe18dbcc8
+0x120 Job : (null)
+0x124 SectionObject : 0xe1720ba0
+0x128 SectionBaseAddress : 0x01000000
+0x12c QuotaBlock : 0x82438cc8 _EPROCESS_QUOTA_BLOCK
+0x130 WorkingSetWatch : (null)
+0x134 Win32WindowStation : 0x00000034
+0x138 InheritedFromUniqueProcessId : 0x000001b0
+0x13c LdtInformation : (null)
+0x140 VadFreeHint : (null)
+0x144 VdmObjects : (null)
+0x148 DeviceMap : 0xe1766a58
+0x14c Spare0 : [3] (null)
+0x158 PageDirectoryPte : _HARDWARE_PTE
+0x158 Filler : 0
+0x160 Session : 0xf79bd000
+0x164 ImageFileName : [16] "explorer.exe"
+0x174 JobLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x17c LockedPagesList : (null)
+0x180 ThreadListHead : _LIST_ENTRY [ 0x81f44fd4 - 0x81f1952c ]
+0x188 SecurityPort : (null)
+0x18c PaeTop : 0xf7aa1240
+0x190 ActiveThreads : 0xa
+0x194 GrantedAccess : 0x1f0fff
+0x198 DefaultHardErrorProcessing : 0
+0x19c LastThreadExitStatus : 0
+0x1a0 Peb : 0x7ffdc000 _PEB
+0x1a4 PrefetchTrace : _EX_FAST_REF
+0x1a8 ReadOperationCount : _LARGE_INTEGER 0xc7
+0x1b0 WriteOperationCount : _LARGE_INTEGER 0x8
+0x1b8 OtherOperationCount : _LARGE_INTEGER 0x8f2
+0x1c0 ReadTransferCount : _LARGE_INTEGER 0x29dc8a
+0x1c8 WriteTransferCount : _LARGE_INTEGER 0x338
+0x1d0 OtherTransferCount : _LARGE_INTEGER 0x12011
+0x1d8 CommitChargeLimit : 0
+0x1dc CommitChargePeak : 0x695
+0x1e0 AweInfo : (null)
+0x1e4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1e8 Vm : _MMSUPPORT
+0x230 MmProcessLinks : _LIST_ENTRY [ 0x82370fb8 - 0x81f6ff78 ]
+0x238 ModifiedPageCount : 0x58
+0x23c JobStatus : 0
+0x240 Flags : 0x450801
+0x240 CreateReported : 0y1
+0x240 NoDebugInherit : 0y0
+0x240 ProcessExiting : 0y0
+0x240 ProcessDelete : 0y0
+0x240 Wow64SplitPages : 0y0
+0x240 VmDeleted : 0y0
+0x240 OutswapEnabled : 0y0
+0x240 Outswapped : 0y0
+0x240 ForkFailed : 0y0
+0x240 Wow64VaSpace4Gb : 0y0
+0x240 AddressSpaceInitialized : 0y10
+0x240 SetTimerResolution : 0y0
+0x240 BreakOnTermination : 0y0
+0x240 SessionCreationUnderway : 0y0
+0x240 WriteWatch : 0y0
+0x240 ProcessInSession : 0y1
+0x240 OverrideAddressSpace : 0y0
+0x240 HasAddressSpace : 0y1
+0x240 LaunchPrefetched : 0y0
+0x240 InjectInpageErrors : 0y0
+0x240 VmTopDown : 0y0
+0x240 ImageNotifyDone : 0y1
+0x240 PdeUpdateNeeded : 0y0
+0x240 VdmAllowed : 0y0
+0x240 SmapAllowed : 0y0
+0x240 CreateFailed : 0y0
+0x240 DefaultIoPriority : 0y000
+0x240 Spare1 : 0y0
+0x240 Spare2 : 0y0
+0x244 ExitStatus : 259
+0x248 NextPageColor : 0x57a1
+0x24a SubSystemMinorVersion : 0xa ''
+0x24b SubSystemMajorVersion : 0x4 ''
+0x24a SubSystemVersion : 0x40a
+0x24c PriorityClass : 0x2 ''
+0x250 VadRoot : _MM_AVL_TABLE
+0x270 Cookie : 0x2dfee548
kd> dt nt!_KPROCESS 81f43d88
+0x000 Header : _DISPATCHER_HEADER
+0x010 ProfileListHead : _LIST_ENTRY [ 0x81f43d98 - 0x81f43d98 ]
+0x018 DirectoryTableBase : [2] 0x14b04240
+0x020 LdtDescriptor : _KGDTENTRY
+0x028 Int21Descriptor : _KIDTENTRY
+0x030 IopmOffset : 0x20ac
+0x032 Iopl : 0 ''
+0x033 Unused : 0 ''
+0x034 ActiveProcessors : 0
+0x038 KernelTime : 7
+0x03c UserTime : 0
+0x040 ReadyListHead : _LIST_ENTRY [ 0x81f43dc8 - 0x81f43dc8 ]
+0x048 SwapListEntry : _SINGLE_LIST_ENTRY
+0x04c VdmTrapcHandler : (null)
+0x050 ThreadListHead : _LIST_ENTRY [ 0x81f44f58 - 0x81f194b0 ]
+0x058 ProcessLock : 0
+0x05c Affinity : 1
+0x060 AutoAlignment : 0y0
+0x060 DisableBoost : 0y0
+0x060 DisableQuantum : 0y0
+0x060 ReservedFlags : 0y00000000000000000000000000000 (0)
+0x060 ProcessFlags : 0
+0x064 BasePriority : 8 ''
+0x065 QuantumReset : 36 '$'
+0x066 State : 0 ''
+0x067 ThreadSeed : 0 ''
+0x068 PowerState : 0 ''
+0x069 IdealNode : 0 ''
+0x06a Visited : 0 ''
+0x06b Flags : _KEXECUTE_OPTIONS
+0x06b ExecuteOptions : 0 ''
+0x06c StackCount : 0xa
+0x070 ProcessListEntry : _LIST_ENTRY [ 0x0 - 0x0 ]
Windows Server 2003 SP2
nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x078 ProcessLock : _EX_PUSH_LOCK
+0x080 CreateTime : _LARGE_INTEGER 0x1c87ebf`670a897a
+0x088 ExitTime : _LARGE_INTEGER 0x0
+0x090 RundownProtect : _EX_RUNDOWN_REF
+0x094 UniqueProcessId : 0x00000618
+0x098 ActiveProcessLinks : _LIST_ENTRY [ 0x8256f680 - 0x824a16d8 ]
+0x0a0 QuotaUsage : [3] 0x1ca0
+0x0ac QuotaPeak : [3] 0x1e68
+0x0b8 CommitCharge : 0x69d
+0x0bc PeakVirtualSize : 0x3cd8000
+0x0c0 VirtualSize : 0x3c91000
+0x0c4 SessionProcessLinks : _LIST_ENTRY [ 0x8256f6ac - 0x824a1704 ]
+0x0cc DebugPort : (null)
+0x0d0 ExceptionPort : 0xe14544a8
+0x0d4 ObjectTable : 0xe1898bf8 _HANDLE_TABLE
+0x0d8 Token : _EX_FAST_REF
+0x0dc WorkingSetPage : 0x5df
+0x0e0 AddressCreationLock : _KGUARDED_MUTEX
+0x100 HyperSpaceLock : 0
+0x104 ForkInProgress : (null)
+0x108 HardwareTrigger : 0
+0x10c PhysicalVadRoot : (null)
+0x110 CloneRoot : (null)
+0x114 NumberOfPrivatePages : 0x472
+0x118 NumberOfLockedPages : 0
+0x11c Win32Process : 0xe18aa2d8
+0x120 Job : (null)
+0x124 SectionObject : 0xe188d6e8
+0x128 SectionBaseAddress : 0x01000000
+0x12c QuotaBlock : 0x827eece8 _EPROCESS_QUOTA_BLOCK
+0x130 WorkingSetWatch : (null)
+0x134 Win32WindowStation : 0x0000004c
+0x138 InheritedFromUniqueProcessId : 0x00000608
+0x13c LdtInformation : (null)
+0x140 VadFreeHint : (null)
+0x144 VdmObjects : (null)
+0x148 DeviceMap : 0xe151d140
+0x14c Spare0 : [3] (null)
+0x158 PageDirectoryPte : _HARDWARE_PTE
+0x158 Filler : 0
+0x160 Session : 0xf79a5000
+0x164 ImageFileName : [16] "explorer.exe"
+0x174 JobLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x17c LockedPagesList : (null)
+0x180 ThreadListHead : _LIST_ENTRY [ 0x824524f4 - 0x8262cfd4 ]
+0x188 SecurityPort : (null)
+0x18c PaeTop : 0xf7aae240
+0x190 ActiveThreads : 0xb
+0x194 GrantedAccess : 0x1f0fff
+0x198 DefaultHardErrorProcessing : 0
+0x19c LastThreadExitStatus : 0
+0x1a0 Peb : 0x7ffdf000 _PEB
+0x1a4 PrefetchTrace : _EX_FAST_REF
+0x1a8 ReadOperationCount : _LARGE_INTEGER 0x10c
+0x1b0 WriteOperationCount : _LARGE_INTEGER 0x7
+0x1b8 OtherOperationCount : _LARGE_INTEGER 0x96a
+0x1c0 ReadTransferCount : _LARGE_INTEGER 0x2afac0
+0x1c8 WriteTransferCount : _LARGE_INTEGER 0x2c4
+0x1d0 OtherTransferCount : _LARGE_INTEGER 0xcc41
+0x1d8 CommitChargeLimit : 0
+0x1dc CommitChargePeak : 0x6ad
+0x1e0 AweInfo : (null)
+0x1e4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1e8 Vm : _MMSUPPORT
+0x230 MmProcessLinks : _LIST_ENTRY [ 0x8256f818 - 0x824a1870 ]
+0x238 ModifiedPageCount : 0x3a
+0x23c JobStatus : 0
+0x240 Flags : 0x450801
+0x240 CreateReported : 0y1
+0x240 NoDebugInherit : 0y0
+0x240 ProcessExiting : 0y0
+0x240 ProcessDelete : 0y0
+0x240 Wow64SplitPages : 0y0
+0x240 VmDeleted : 0y0
+0x240 OutswapEnabled : 0y0
+0x240 Outswapped : 0y0
+0x240 ForkFailed : 0y0
+0x240 Wow64VaSpace4Gb : 0y0
+0x240 AddressSpaceInitialized : 0y10
+0x240 SetTimerResolution : 0y0
+0x240 BreakOnTermination : 0y0
+0x240 SessionCreationUnderway : 0y0
+0x240 WriteWatch : 0y0
+0x240 ProcessInSession : 0y1
+0x240 OverrideAddressSpace : 0y0
+0x240 HasAddressSpace : 0y1
+0x240 LaunchPrefetched : 0y0
+0x240 InjectInpageErrors : 0y0
+0x240 VmTopDown : 0y0
+0x240 ImageNotifyDone : 0y1
+0x240 PdeUpdateNeeded : 0y0
+0x240 VdmAllowed : 0y0
+0x240 SmapAllowed : 0y0
+0x240 CreateFailed : 0y0
+0x240 DefaultIoPriority : 0y000
+0x240 Spare1 : 0y0
+0x240 Spare2 : 0y0
+0x244 ExitStatus : 259
+0x248 NextPageColor : 0xf1e2
+0x24a SubSystemMinorVersion : 0xa ''
+0x24b SubSystemMajorVersion : 0x4 ''
+0x24a SubSystemVersion : 0x40a
+0x24c PriorityClass : 0x2 ''
+0x250 VadRoot : _MM_AVL_TABLE
+0x270 Cookie : 0x66c14914
kd> dt nt!_KPROCESS 82479a78
+0x000 Header : _DISPATCHER_HEADER
+0x010 ProfileListHead : _LIST_ENTRY [ 0x82479a88 - 0x82479a88 ]
+0x018 DirectoryTableBase : [2] 0xfe96240
+0x020 LdtDescriptor : _KGDTENTRY
+0x028 Int21Descriptor : _KIDTENTRY
+0x030 IopmOffset : 0x20ac
+0x032 Iopl : 0 ''
+0x033 Unused : 0 ''
+0x034 ActiveProcessors : 0
+0x038 KernelTime : 4
+0x03c UserTime : 0
+0x040 ReadyListHead : _LIST_ENTRY [ 0x82479ab8 - 0x82479ab8 ]
+0x048 SwapListEntry : _SINGLE_LIST_ENTRY
+0x04c VdmTrapcHandler : (null)
+0x050 ThreadListHead : _LIST_ENTRY [ 0x82452478 - 0x8262cf58 ]
+0x058 ProcessLock : 0
+0x05c Affinity : 1
+0x060 AutoAlignment : 0y0
+0x060 DisableBoost : 0y0
+0x060 DisableQuantum : 0y0
+0x060 ReservedFlags : 0y00000000000000000000000000000 (0)
+0x060 ProcessFlags : 0
+0x064 BasePriority : 8 ''
+0x065 QuantumReset : 36 '$'
+0x066 State : 0 ''
+0x067 ThreadSeed : 0 ''
+0x068 PowerState : 0 ''
+0x069 IdealNode : 0 ''
+0x06a Visited : 0 ''
+0x06b Flags : _KEXECUTE_OPTIONS
+0x06b ExecuteOptions : 0 ''
+0x06c StackCount : 0xb
+0x070 ProcessListEntry : _LIST_ENTRY [ 0x0 - 0x0 ]
Windows Vista SP0
nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x080 ProcessLock : _EX_PUSH_LOCK
+0x088 CreateTime : _LARGE_INTEGER 0x1c87ec7`5cb74e5b
+0x090 ExitTime : _LARGE_INTEGER 0x0
+0x098 RundownProtect : _EX_RUNDOWN_REF
+0x09c UniqueProcessId : 0x00000660
+0x0a0 ActiveProcessLinks : _LIST_ENTRY [ 0x8b441e30 - 0x843c9e30 ]
+0x0a8 QuotaUsage : [3] 0x4b80
+0x0b4 QuotaPeak : [3] 0x59a0
+0x0c0 CommitCharge : 0x10e1
+0x0c4 PeakVirtualSize : 0xb2cf000
+0x0c8 VirtualSize : 0x9d6c000
+0x0cc SessionProcessLinks : _LIST_ENTRY [ 0x8489faf4 - 0x8b438b7c ]
+0x0d4 DebugPort : (null)
+0x0d8 ExceptionPortData : 0x847e86d8
+0x0d8 ExceptionPortValue : 0x847e86d8
+0x0d8 ExceptionPortState : 0y000
+0x0dc ObjectTable : 0x8fe393f0 _HANDLE_TABLE
+0x0e0 Token : _EX_FAST_REF
+0x0e4 WorkingSetPage : 0xd5eb
+0x0e8 AddressCreationLock : _EX_PUSH_LOCK
+0x0ec RotateInProgress : (null)
+0x0f0 ForkInProgress : (null)
+0x0f4 HardwareTrigger : 0
+0x0f8 PhysicalVadRoot : (null)
+0x0fc CloneRoot : (null)
+0x100 NumberOfPrivatePages : 0xa93
+0x104 NumberOfLockedPages : 0
+0x108 Win32Process : 0xffbfc908
+0x10c Job : (null)
+0x110 SectionObject : 0x8fe39ac0
+0x114 SectionBaseAddress : 0x00760000
+0x118 QuotaBlock : 0x8b48f828 _EPROCESS_QUOTA_BLOCK
+0x11c WorkingSetWatch : (null)
+0x120 Win32WindowStation : 0x00000034
+0x124 InheritedFromUniqueProcessId : 0x00000610
+0x128 LdtInformation : (null)
+0x12c VadFreeHint : 0x849b53c8
+0x130 VdmObjects : (null)
+0x134 DeviceMap : 0x8cb48870
+0x138 EtwDataSource : 0x848982a0
+0x13c FreeTebHint : 0x7ffd9000
+0x140 PageDirectoryPte : _HARDWARE_PTE
+0x140 Filler : 0
+0x148 Session : 0x84aec000
+0x14c ImageFileName : [16] "explorer.exe"
+0x15c JobLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x164 LockedPagesList : (null)
+0x168 ThreadListHead : _LIST_ENTRY [ 0x8b5a04c0 - 0x848ec278 ]
+0x170 SecurityPort : (null)
+0x174 PaeTop : 0x822ad300
+0x178 ActiveThreads : 0x1a
+0x17c ImagePathHash : 0x7a3328da
+0x180 DefaultHardErrorProcessing : 0
+0x184 LastThreadExitStatus : 0
+0x188 Peb : 0x7ffdd000 _PEB
+0x18c PrefetchTrace : _EX_FAST_REF
+0x190 ReadOperationCount : _LARGE_INTEGER 0x36e
+0x198 WriteOperationCount : _LARGE_INTEGER 0xe
+0x1a0 OtherOperationCount : _LARGE_INTEGER 0x3693
+0x1a8 ReadTransferCount : _LARGE_INTEGER 0x193e99
+0x1b0 WriteTransferCount : _LARGE_INTEGER 0x8718
+0x1b8 OtherTransferCount : _LARGE_INTEGER 0xaa92cf
+0x1c0 CommitChargeLimit : 0
+0x1c4 CommitChargePeak : 0x1357
+0x1c8 AweInfo : (null)
+0x1cc SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1d0 Vm : _MMSUPPORT
+0x218 MmProcessLinks : _LIST_ENTRY [ 0x8b441fa8 - 0x843c9fa8 ]
+0x220 ModifiedPageCount : 0x5f8
+0x224 Flags2 : 0xd000
+0x224 JobNotReallyActive : 0y0
+0x224 AccountingFolded : 0y0
+0x224 NewProcessReported : 0y0
+0x224 ExitProcessReported : 0y0
+0x224 ReportCommitChanges : 0y0
+0x224 LastReportMemory : 0y0
+0x224 ReportPhysicalPageChanges : 0y0
+0x224 HandleTableRundown : 0y0
+0x224 NeedsHandleRundown : 0y0
+0x224 RefTraceEnabled : 0y0
+0x224 NumaAware : 0y0
+0x224 ProtectedProcess : 0y0
+0x224 DefaultPagePriority : 0y101
+0x224 PrimaryTokenFrozen : 0y1
+0x224 ProcessVerifierTarget : 0y0
+0x224 StackRandomizationDisabled : 0y0
+0x228 Flags : 0x144d0801
+0x228 CreateReported : 0y1
+0x228 NoDebugInherit : 0y0
+0x228 ProcessExiting : 0y0
+0x228 ProcessDelete : 0y0
+0x228 Wow64SplitPages : 0y0
+0x228 VmDeleted : 0y0
+0x228 OutswapEnabled : 0y0
+0x228 Outswapped : 0y0
+0x228 ForkFailed : 0y0
+0x228 Wow64VaSpace4Gb : 0y0
+0x228 AddressSpaceInitialized : 0y10
+0x228 SetTimerResolution : 0y0
+0x228 BreakOnTermination : 0y0
+0x228 DeprioritizeViews : 0y0
+0x228 WriteWatch : 0y0
+0x228 ProcessInSession : 0y1
+0x228 OverrideAddressSpace : 0y0
+0x228 HasAddressSpace : 0y1
+0x228 LaunchPrefetched : 0y1
+0x228 InjectInpageErrors : 0y0
+0x228 VmTopDown : 0y0
+0x228 ImageNotifyDone : 0y1
+0x228 PdeUpdateNeeded : 0y0
+0x228 VdmAllowed : 0y0
+0x228 SmapAllowed : 0y0
+0x228 ProcessInserted : 0y1
+0x228 DefaultIoPriority : 0y010
+0x228 SparePsFlags1 : 0y00
+0x22c ExitStatus : 259
+0x230 Spare7 : 0
+0x232 SubSystemMinorVersion : 0 ''
+0x233 SubSystemMajorVersion : 0x6 ''
+0x232 SubSystemVersion : 0x600
+0x234 PriorityClass : 0x2 ''
+0x238 VadRoot : _MM_AVL_TABLE
+0x258 Cookie : 0xf71da56b
+0x25c AlpcContext : _ALPC_PROCESS_CONTEXT
kd> dt nt!_KPROCESS 8473d020
+0x000 Header : _DISPATCHER_HEADER
+0x010 ProfileListHead : _LIST_ENTRY [ 0x8473d030 - 0x8473d030 ]
+0x018 DirectoryTableBase : 0x1d35b300
+0x01c Unused0 : 0
+0x020 LdtDescriptor : _KGDTENTRY
+0x028 Int21Descriptor : _KIDTENTRY
+0x030 IopmOffset : 0x20ac
+0x032 Iopl : 0 ''
+0x033 Unused : 0 ''
+0x034 ActiveProcessors : 0
+0x038 KernelTime : 0x124
+0x03c UserTime : 0x50
+0x040 ReadyListHead : _LIST_ENTRY [ 0x8473d060 - 0x8473d060 ]
+0x048 SwapListEntry : _SINGLE_LIST_ENTRY
+0x04c VdmTrapcHandler : (null)
+0x050 ThreadListHead : _LIST_ENTRY [ 0x8b5a043c - 0x848ec1f4 ]
+0x058 ProcessLock : 0
+0x05c Affinity : 1
+0x060 AutoAlignment : 0y0
+0x060 DisableBoost : 0y0
+0x060 DisableQuantum : 0y0
+0x060 ReservedFlags : 0y00000000000000000000000000000 (0)
+0x060 ProcessFlags : 0
+0x064 BasePriority : 8 ''
+0x065 QuantumReset : 6 ''
+0x066 State : 0 ''
+0x067 ThreadSeed : 0 ''
+0x068 PowerState : 0 ''
+0x069 IdealNode : 0 ''
+0x06a Visited : 0 ''
+0x06b Flags : _KEXECUTE_OPTIONS
+0x06b ExecuteOptions : 0x32 '2'
+0x06c StackCount : 0x1a
+0x070 ProcessListEntry : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x078 CycleTime : 0x2`539d00ea
Windows Vista SP1
nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x080 ProcessLock : _EX_PUSH_LOCK
+0x088 CreateTime : _LARGE_INTEGER 0x1c87ec2`f35608ed
+0x090 ExitTime : _LARGE_INTEGER 0x0
+0x098 RundownProtect : _EX_RUNDOWN_REF
+0x09c UniqueProcessId : 0x00000768
+0x0a0 ActiveProcessLinks : _LIST_ENTRY [ 0x8532d260 - 0x8533d0c0 ]
+0x0a8 QuotaUsage : [3] 0x4c88
+0x0b4 QuotaPeak : [3] 0x50e8
+0x0c0 CommitCharge : 0xd13
+0x0c4 PeakVirtualSize : 0xa09d000
+0x0c8 VirtualSize : 0x9445000
+0x0cc SessionProcessLinks : _LIST_ENTRY [ 0x85311b64 - 0x8533d0ec ]
+0x0d4 DebugPort : (null)
+0x0d8 ExceptionPortData : 0x851a5030
+0x0d8 ExceptionPortValue : 0x851a5030
+0x0d8 ExceptionPortState : 0y000
+0x0dc ObjectTable : 0x92ef1260 _HANDLE_TABLE
+0x0e0 Token : _EX_FAST_REF
+0x0e4 WorkingSetPage : 0x84c1
+0x0e8 AddressCreationLock : _EX_PUSH_LOCK
+0x0ec RotateInProgress : (null)
+0x0f0 ForkInProgress : (null)
+0x0f4 HardwareTrigger : 0
+0x0f8 PhysicalVadRoot : (null)
+0x0fc CloneRoot : (null)
+0x100 NumberOfPrivatePages : 0x76e
+0x104 NumberOfLockedPages : 0
+0x108 Win32Process : 0xfe6847c0
+0x10c Job : (null)
+0x110 SectionObject : 0x92ef1030
+0x114 SectionBaseAddress : 0x006d0000
+0x118 QuotaBlock : 0x84fd6370 _EPROCESS_QUOTA_BLOCK
+0x11c WorkingSetWatch : (null)
+0x120 Win32WindowStation : 0x00000034
+0x124 InheritedFromUniqueProcessId : 0x00000728
+0x128 LdtInformation : (null)
+0x12c Spare