Meaning of flags in PROCESS_EXTENDED_BASIC_INFORMATION struct?


Question


Can someone explain what all those bits stand for in PROCESS_EXTENDED_BASIC_INFORMATION?

typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION {
    SIZE_T Size;    // Ignored as input, written with structure size on output
    PROCESS_BASIC_INFORMATION BasicInfo;
    union {
        ULONG Flags;
        struct {
            ULONG IsProtectedProcess : 1;
            ULONG IsWow64Process : 1;
            ULONG IsProcessDeleting : 1;
            ULONG IsCrossSessionCreate : 1;
            ULONG IsFrozen : 1;
            ULONG IsBackground : 1;
            ULONG IsStronglyNamed : 1;
            ULONG IsSecureProcess : 1;
            ULONG IsSubsystemProcess : 1;
            ULONG SpareBits : 23;
        } DUMMYSTRUCTNAME;
    } DUMMYUNIONNAME;
} PROCESS_EXTENDED_BASIC_INFORMATION, *PPROCESS_EXTENDED_BASIC_INFORMATION;


Microsoft showed this struct in this article but gave no explanation for what those flags stand for.

Answer

The following is highly undocumented stuff that Microsoft probably doesn't want you to use. Do so at your own risk.

PS. But you actually have an interesting question. So, purely for general education:

  • IsProtectedProcess (0x001) System protected process: other processes can't read/write its VM or inject a remote thread into it. (Old style. If I'm not mistaken, it was available since XP SP3.)

  • IsWow64Process (0x002) WOW64 process, or a 32-bit process running on 64-bit Windows.

  • IsProcessDeleting (0x004) Process was terminated, but there are still open handles to it -- a very transient stage. (That should be of interest to you only if you're a kernel driver.)

  • IsCrossSessionCreate (0x008) Process was created across terminal sessions. Ex: read CreateProcessAsUser for details.

  • IsFrozen (0x010) Immersive process is suspended (applies only to UWP processes). For example, an immersive process can be suspended if a user moves it to the background or minimizes it. Used mostly for power saving. More info.

  • IsBackground (0x020) Immersive process is in the "Background task" mode. A UWP process may temporarily switch into performing a background task. Used mostly for power saving.

  • IsStronglyNamed (0x040) UWP strongly named process. The UWP package is digitally signed. Any modifications to files inside the package can be tracked. This usually means that if the package signature is broken, the UWP app will not start.

  • IsSecureProcess (0x080) Isolated User Mode process -- a new security mode in Windows 10, with more stringent restrictions on what can "tap" into this process.

  • IsSubsystemProcess (0x100) Set when the type of the process subsystem is other than Win32 (like *NIX, such as Ubuntu). Yes, you read it right, you can run Linux natively on Windows 10. (Ref1, Ref2.)

PS2. I'm open to corrections, if any...
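The following is an added example and is not part of the question or the answer above. It shows how a practitioner would actually obtain and read these bits: on Windows it calls NtQueryInformationProcess with the ProcessBasicInformation class but passes the larger extended buffer (the Size field is ignored on input, and the ReturnLength tells you whether the kernel really filled the extended part), then decodes the Flags word with the bit names from the struct in the question. The decoder is plain C and compiles anywhere; only the query path needs Windows. The struct is re-declared under the hypothetical name PROC_EXT_BASIC_INFO (same layout, with a plain ULONG in place of the union) so it cannot collide with a header definition, and NtQueryInformationProcess is resolved from ntdll.dll at run time so no ntdll import library is needed. The assumption that a ReturnLength shorter than the extended size means the flags are not valid is the editor's, not the page's.

```c
/* Added example, not from the original question or answer.
 * Decodes PROCESS_EXTENDED_BASIC_INFORMATION.Flags into the bit names
 * listed in the answer; on Windows also queries the structure for a process. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#endif

/* Bit layout from the struct in the question: bit 0 .. bit 8. Bits 9..31 are SpareBits. */
static const char *const kFlagNames[] = {
    "IsProtectedProcess",   /* 0x001 */
    "IsWow64Process",       /* 0x002 */
    "IsProcessDeleting",    /* 0x004 */
    "IsCrossSessionCreate", /* 0x008 */
    "IsFrozen",             /* 0x010 */
    "IsBackground",         /* 0x020 */
    "IsStronglyNamed",      /* 0x040 */
    "IsSecureProcess",      /* 0x080 */
    "IsSubsystemProcess",   /* 0x100 */
};
#define KNOWN_FLAG_MASK 0x1FFu

/* Writes "Name1|Name2|..." for each set known bit into out (NUL-terminated),
 * appends "+spare(0x...)" if any SpareBits are set, writes "none" if nothing is set,
 * and returns the number of known bits set, or -1 if out is too small. */
int describe_process_flags(uint32_t flags, char *out, size_t cap)
{
    size_t used = 0;
    int count = 0;
    if (cap == 0) return -1;
    out[0] = '\0';
    for (unsigned bit = 0; bit < 9; bit++) {
        if (!(flags & (1u << bit))) continue;
        int n = snprintf(out + used, cap - used, "%s%s", count ? "|" : "", kFlagNames[bit]);
        if (n < 0 || (size_t)n >= cap - used) return -1;
        used += (size_t)n;
        count++;
    }
    uint32_t spare = flags & ~KNOWN_FLAG_MASK;
    if (spare) {
        int n = snprintf(out + used, cap - used, "%s+spare(0x%x)", count ? "|" : "", spare);
        if (n < 0 || (size_t)n >= cap - used) return -1;
        used += (size_t)n;
    }
    if (used == 0) {
        if (cap < 5) return -1;
        strcpy(out, "none");
    }
    return count;
}

#ifdef _WIN32
/* Hypothetical name; same layout as the struct in the question (union replaced by a plain ULONG). */
typedef struct _PROC_EXT_BASIC_INFO {
    SIZE_T Size;                        /* ignored as input, written with the struct size on output */
    PROCESS_BASIC_INFORMATION BasicInfo;
    ULONG Flags;
} PROC_EXT_BASIC_INFO;

typedef NTSTATUS (NTAPI *NtQueryInformationProcess_t)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);

/* Queries ProcessBasicInformation with the extended buffer size. Returns 1 on success.
 * Kernels that do not support the extended size reject the call; if fewer bytes than the
 * extended size come back (assumption: then Flags is not valid) we also return 0. */
int query_extended_basic_info(HANDLE process, PROC_EXT_BASIC_INFO *info)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    if (!ntdll) return 0;
    NtQueryInformationProcess_t fn =
        (NtQueryInformationProcess_t)GetProcAddress(ntdll, "NtQueryInformationProcess");
    if (!fn) return 0;
    ULONG ret = 0;
    memset(info, 0, sizeof *info);
    NTSTATUS st = fn(process, ProcessBasicInformation, info, (ULONG)sizeof *info, &ret);
    if (st < 0 || ret < sizeof *info) return 0;
    return 1;
}
#endif

int main(void)
{
    char buf[256];
#ifdef _WIN32
    PROC_EXT_BASIC_INFO info;
    if (!query_extended_basic_info(GetCurrentProcess(), &info)) {
        fprintf(stderr, "query failed (extended info unsupported or access denied)\n");
        return 1;
    }
    describe_process_flags(info.Flags, buf, sizeof buf);
    printf("PID %lu Flags=0x%lx: %s\n",
           (unsigned long)info.BasicInfo.UniqueProcessId, (unsigned long)info.Flags, buf);
#else
    /* Constructed sample value: IsWow64Process | IsSecureProcess plus one spare bit. */
    describe_process_flags(0x082u | 0x400u, buf, sizeof buf);
    printf("Flags=0x482: %s\n", buf);
#endif
    return 0;
}
```

Open a target with PROCESS_QUERY_LIMITED_INFORMATION rather than PROCESS_QUERY_INFORMATION when you only need these bits: a protected or secure process (IsProtectedProcess, IsSecureProcess) will refuse the broader right, and the flags are exactly what tells you in advance that reading its memory or injecting a thread is not going to work.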
