Document process information classes

CHANGELOG.md

@@ -2,6 +2,9 @@
 
 All notable documentation content changes are documented in this file.
 <!-- content -->
+## 3 Dec 2023
+**Process information ([#11](https://github.com/m417z/ntdoc/pull/11))**: NtQueryInformationProcess, NtSetInformationProcess, and 100+ PROCESSINFOCLASS values.
+
 ## 13 Oct 2023
 
 **Token operations ([#8](https://github.com/m417z/ntdoc/pull/8))**: Various operations on tokens, capabilities, and AppContainer SIDs. 47 pages, including: NtCreateTokenEx, NtOpenThreadTokenEx, NtQueryInformationToken, NtSetInformationToken, NtDuplicateToken.

descriptions/client_id.md

@@ -3,3 +3,9 @@ This structure defines a pair of process and thread IDs.
 # Members
  - `UniqueProcess` - the process ID value.
  - `UniqueThread` - the thread ID value.
+
+# See also
+ - `NtOpenProcess`
+ - `NtOpenThread`
+ - `NtQueryInformationProcess` with `ProcessBasicInformation` (0)
+ - `NtQueryInformationThread` with `ThreadBasicInformation` (0)

descriptions/kernel_user_times.md

@@ -0,0 +1,19 @@
+This structure describes the timing information for threads.
+
+# Applicable to
+ - `NtQueryInformationThread` with `ThreadTimes` (1)
+ - `NtQueryInformationProcess` with `ProcessTimes` (4)
+
+# Members
+
+## CreateTime
+The number of 100-nanosecond intervals since the 1st of January 1600 to the creation of the thread/process.
+
+## ExitTime
+The number of 100-nanosecond intervals since 1st of January 1600 to the termination of the thread/process.
+
+## KernelTime
+The number of 100-nanosecond intervals spent by the thread(s) executing in kernel mode.
+
+## UserTime
+The number of 100-nanosecond intervals spent by the thread(s) executing in user mode.

descriptions/ntqueryinformationprocess.md

@@ -1,36 +1,38 @@
-This function is [documented in Windows SDK](https://learn.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess).
-
----
-
-### ProcessHandle
-
-Handle to process opened with `PROCESS_QUERY_INFORMATION` access.
-
-### ProcessInformationClass
-
-See `PROCESS_INFORMATION_CLASS`.
-
-### ProcessInformation
-
-Buffer for results.
-
-### ProcessInformationLength
-
-Length of buffer. See `PROCESS_INFORMATION_CLASS` for additional information.
-
-### ReturnLength
-
-Number of bytes needed, if `ProcessInformationLength` was too small.
-
-# Documented by
-
-* ReactOS
-* Sven B. Schreiber
-* Tomasz Nowak
+Queries various information about the specified process. This function is partially [documented in Windows SDK](https://learn.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess).
+
+# Parameters
+ - `ProcessHandle` - a handle to the process or the `NtCurrentProcess` pseudo-handle. For most information classes, the handle must grant either `PROCESS_QUERY_INFORMATION` or `PROCESS_QUERY_LIMITED_INFORMATION` access.
+ - `ProcessInformationClass` - the type of information to retrieve.
+ - `ProcessInformation` - a pointer to a user-allocated buffer that receives the requested information.
+ - `ProcessInformationLength` - the size of the provided buffer in bytes.
+ - `ReturnLength` - an optional pointer to a variable that receives the number of bytes written when the function succeeds or the number of bytes requires when the buffer is too small.
+
+# Information classes
+For the list of supported info classes and required process access, see `PROCESSINFOCLASS`.
+
+# Notable return values
+ - `STATUS_BUFFER_TOO_SMALL` and `STATUS_INFO_LENGTH_MISMATCH` indicate that the requested information does not fit into the provided buffer.
+
+# Related Win32 API
+ - [`GetExitCodeProcess`](https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getexitcodeprocess)
+ - [`GetProcessId`](https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getprocessid)
+ - [`GetProcessInformation`](https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getprocessinformation)
+ - [`GetProcessMitigationPolicy`](https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getprocessmitigationpolicy)
+ - [`IsWow64Process`](https://learn.microsoft.com/en-us/windows/win32/api/wow64apiset/nf-wow64apiset-iswow64process)
+ - [`IsProcessCritical`](https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-isprocesscritical)
+ - [`ProcessIdToSessionId`](https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-processidtosessionid)
+ - [`QueryProcessCycleTime`](https://learn.microsoft.com/en-us/windows/win32/api/realtimeapiset/nf-realtimeapiset-queryprocesscycletime)
+ - [`QueryProcessAffinityUpdateMode`](https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-queryprocessaffinityupdatemode)
+ - [`GetProcessWorkingSetSizeEx`](https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-getprocessworkingsetsizeex)
+ - [`GetProcessTimes`](https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getprocesstimes)
+ - [`GetErrorMode`](https://learn.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-geterrormode)
+ - [`GetProcessHandleCount`](https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getprocesshandlecount)
+ - [`GetProcessPriorityBoost`](https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getprocesspriorityboost)
+ - [`GetProcessVersion`](https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getprocessversion)
+ - [`GetProcessGroupAffinity`](https://learn.microsoft.com/en-us/windows/win32/api/processtopologyapi/nf-processtopologyapi-getprocessgroupaffinity)
+ - [`GetPriorityClass`](https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getpriorityclass)
 
 # See also
-
-* `NtCreateProcess`
-* `NtOpenProcess`
-* `NtSetInformationProcess`
-* `PROCESS_INFORMATION_CLASS`
+ - `NtSetInformationProcess`
+ - `NtOpenProcess`
+ - `NtOpenProcessToken`

descriptions/ntsetinformationprocess.md

@@ -1,20 +1,29 @@
-### ProcessHandle
+Sets various information about the specified process.
 
-Handle to process opened with `PROCESS_SET_INFORMATION` access.
+# Parameters
+ - `ProcessHandle` - a handle to the process or the `NtCurrentProcess` pseudo-handle. For most information classes, the handle must grant either `PROCESS_SET_INFORMATION` or `PROCESS_SET_LIMITED_INFORMATION` access.
+ - `ProcessInformationClass` - the type of information to set.
+ - `ProcessInformation` - a pointer to the buffer with the data specific to the request.
+ - `ProcessInformationLength` - the size of the provided buffer in bytes.
 
-### ProcessInformationClass
+# Information classes
+For the list of supported info classes and required process access, see `PROCESSINFOCLASS`.
 
-See `PROCESS_INFORMATION_CLASS` for more information.
-
-# Documented by
-
-* ReactOS
-* Sven B. Schreiber
-* Tomasz Nowak
+# Related Win32 API
+ - [`SetProcessInformation`](https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-setprocessinformation)
+ - [`SetProcessMitigationPolicy`](https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-setprocessmitigationpolicy)
+ - [`SetProcessWorkingSetSizeEx`](https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-setprocessworkingsetsizeex)
+ - [`SetErrorMode`](https://learn.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-seterrormode)
+ - [`SetPriorityClass`](https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-setpriorityclass)
+ - [`SetProcessAffinityMask`](https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-setprocessaffinitymask)
+ - [`SetProcessAffinityUpdateMode`](https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-setprocessaffinityupdatemode)
+ - [`SetProcessPriorityBoost`](https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-setprocesspriorityboost)
+ - [`SetProcessDefaultCpuSetMasks`](https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-setprocessdefaultcpusetmasks)
+ - [`SetProcessDefaultCpuSets`](https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-setprocessdefaultcpusets)
+ - [`SetProcessDynamicEHContinuationTargets`](https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-setprocessdynamicehcontinuationtargets)
+ - [`SetProcessDynamicEnforcedCetCompatibleRanges`](https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-setprocessdynamicenforcedcetcompatibleranges)
+ - [`EnableProcessOptionalXStateFeatures`](https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-enableprocessoptionalxstatefeatures)
 
 # See also
-
-* `NtCreateProcess`
-* `NtOpenProcess`
-* `NtQueryInformationProcess`
-* `PROCESS_INFORMATION_CLASS`
+ - `NtOpenProcess`
+ - `NtQueryInformationProcess`

descriptions/obj_ignore_impersonated_devicemap.md

@@ -1,4 +1,4 @@
-This `OBJECT_ATTRIBUTES` flag indicates that the open/create operation should ignore the device map from the logon session of the impersonated token.
+This `OBJECT_ATTRIBUTES` flag indicates that the open/create operation should ignore the DOS Devices map from the logon session of the impersonated token.
 
 # Related flags
  - `OBJ_PROTECT_CLOSE`
@@ -17,4 +17,5 @@ This `OBJECT_ATTRIBUTES` flag indicates that the open/create operation should ig
 # See also
  - `OBJECT_ATTRIBUTES`
  - `NtOpenThreadToken`
- - `NtSetInformationThread` with `ThreadImpersonationToken`
+ - `NtSetInformationThread` with `THREADINFOCLASS` value of `ThreadImpersonationToken` (5)
+ - `NtSetInformationProcess` with `PROCESSINFOCLASS` value of `ProcessDeviceMap` (23)

descriptions/pooled_usage_and_limits.md

@@ -1,28 +1,38 @@
-### PeakPagedPoolUsage
+This structure describes the kernel pool memory usage and limits for the process.
 
-### PagedPoolUsage
+# Applicable to
+ - `NtQueryInformationProcess` with `ProcessPooledUsageAndLimits` (14)
 
-### PagedPoolLimit
+# Members
 
-### PeakNonPagedPoolUsage
+## PeakPagedPoolUsage
+The historical highest size of the paged pool charge in bytes.
 
-### NonPagedPoolUsage
+## PagedPoolUsage
+The current size of the paged pool charge in bytes.
 
-### NonPagedPoolLimit
+## PagedPoolLimit
+The paged pool quota size in bytes.
 
-### PeakPagefileUsage
+## PeakNonPagedPoolUsage
+The historical highest size of the non-paged pool charge in bytes.
 
-### PagefileUsage
+## NonPagedPoolUsage
+The current size of the non-paged pool charge in bytes.
 
-### PagefileLimit
+## NonPagedPoolLimit
+The non-paged pool quota size in bytes.
 
-# Documented by
+## PeakPagefileUsage
+The historical highest usage in bytes of the pagefiles.
 
-* Tomasz Nowak
+## PagefileUsage
+The current usage in bytes of the pagefiles.
 
-# See also
+## PagefileLimit
+The pagefile quota size in bytes.
 
-* `NtCreateProcess`
-* `NtOpenProcess`
-* `NtQueryInformationProcess`
-* `PROCESS_INFORMATION_CLASS`
+# See also
+ - `VM_COUNTERS`
+ - `VM_COUNTERS_EX`
+ 

descriptions/process_access_token.md

@@ -1,14 +1,12 @@
-### Token
+This structure defines a request to change the primary token of the process.
 
-### Thread
+# Applicable to
+ - `NtSetInformationProcess` with `ProcessAccessToken` (9)
 
-# Documented by
+# Members
 
-* Tomasz Nowak
+## Token
+A handle to a primary token to use. The handle must grant `TOKEN_ASSIGN_PRIMARY` access.
 
-# See also
-
-* `NtCreateProcess`
-* `NtOpenProcess`
-* `NtSetInformationProcess`
-* `PROCESS_INFORMATION_CLASS`
+## Thread
+This field is currently unused.

descriptions/process_basic_information.md

@@ -0,0 +1,43 @@
+This structure defines basic information about the process.
+
+# Applicable to
+ - `NtQueryInformationProcess` with `ProcessBasicInformation` (0)
+
+# Members
+
+## ExitStatus
+The exit code of the process. If the process has not exited, this field contains `STATUS_PENDING`.
+
+### See also
+ - `RtlExitUserProcess`
+ - `NtTerminateProcess`
+
+## PebBaseAddress
+The address of the Process Environment Block. See `PEB` for more details. To query the address of the 32-bit `PEB32`, use `ProcessWow64Information` (26).
+
+## AffinityMask
+The bit mask indicating on which processors the threads from the process are allowed to run.
+
+### See also
+ - `PROCESSINFOCLASS` value of `ProcessAffinityMask` (21)
+
+## BasePriority
+The base priority for the threads in the process.
+
+### See also
+ - `PROCESSINFOCLASS` value of `ProcessBasePriority` (5)
+
+## UniqueProcessId
+The PID of the process.
+
+### See also
+ - `CLIENT_ID`
+
+## InheritedFromUniqueProcessId
+The PID of the process's parent from which it inherits various attributes.
+
+### See also
+ - `PS_ATTRIBUTE_PARENT_PROCESS`
+
+# See also
+ - `PROCESS_EXTENDED_BASIC_INFORMATION`

descriptions/process_devicemap_information.md

@@ -0,0 +1,37 @@
+This structure defines information about the process's DOS devices map.
+
+# Applicable to
+ - `NtQueryInformationProcess` with `ProcessDeviceMap` (23)
+ - `NtSetInformationProcess` with `ProcessDeviceMap` (23)
+
+# Members
+
+## Set
+
+### DirectoryHandle
+A handle to a directory object to set as the new device map for the process. The handle must grant `DIRECTORY_TRAVERSE` access.
+
+#### See also
+ - `NtOpenDirectoryObject`
+ - `NtCreateDirectoryObject`
+
+## Query
+
+### DriveMap
+A bit mask defining which drive letters are currently in use in the process's device map. Bit 0 corresponds to `A:`, bit 1 to `B:`, and so on.
+
+### DriveType
+An array where each element defines the type of the drive associated with the specified letter. The value is meaningful only when the corresponding bit set in the `DriveMap` field.
+
+#### Known values
+The possible values are defined in SDK in `WinBase.h`:
+ - `DRIVE_UNKNOWN` (0) - the type of the drive is unknown.
+ - `DRIVE_NO_ROOT_DIR` (1) - the letter points to a directory on another drive.
+ - `DRIVE_REMOVABLE` (2) - the drive is a removable media.
+ - `DRIVE_FIXED` (3) - the drive is a fixed disk.
+ - `DRIVE_REMOTE` (4) - the drive is a remote device.
+ - `DRIVE_CDROM` (5) - the drive is a CD-ROM.
+ - `DRIVE_RAMDISK` (6) - the drive is a RAM disk.
+
+# See also
+ - `PROCESS_DEVICEMAP_INFORMATION_EX`

descriptions/process_devicemap_information_ex.md

@@ -0,0 +1,43 @@
+This structure defines information about the process's DOS Devices map.
+
+# Applicable to
+ - `NtQueryInformationProcess` with `ProcessDeviceMap` (23)
+ - `NtSetInformationProcess` with `ProcessDeviceMap` (23)
+
+# Members
+
+## Set
+
+### DirectoryHandle
+A handle to a directory object to set as the new device map for the process. The handle must grant `DIRECTORY_TRAVERSE` access.
+
+#### See also
+ - `NtOpenDirectoryObject`
+ - `NtCreateDirectoryObject`
+
+## Query
+
+### DriveMap
+A bit mask defining which drive letters are currently in use in the process's device map. Bit 0 corresponds to `A:`, bit 1 to `B:`, and so on.
+
+### DriveType
+An array where each element defines the type of the drive associated with the specified letter. The value is meaningful only when the corresponding bit is set in the `DriveMap` field.
+
+#### Known values
+The possible values are defined in SDK in `WinBase.h`:
+ - `DRIVE_UNKNOWN` (0) - the type of the drive is unknown.
+ - `DRIVE_NO_ROOT_DIR` (1) - the letter points to a directory on another drive.
+ - `DRIVE_REMOVABLE` (2) - the drive is a removable media.
+ - `DRIVE_FIXED` (3) - the drive is a fixed disk.
+ - `DRIVE_REMOTE` (4) - the drive is a remote device.
+ - `DRIVE_CDROM` (5) - the drive is a CD-ROM.
+ - `DRIVE_RAMDISK` (6) - the drive is a RAM disk.
+
+## Flags
+A bit mask of flags that control the operation.
+
+### Known flags
+ - `PROCESS_LUID_DOSDEVICES_ONLY` - perform a query only for devices defined for the current process or logon session, ignoring entries from the global DOS Devices directory.
+
+# See also
+ - `PROCESS_DEVICEMAP_INFORMATION`