{
	"id": "35a54f48-20d1-4fe2-a260-ac03ff5f74a3",
	"created_at": "2026-04-06T00:06:34.185263Z",
	"updated_at": "2026-04-10T03:20:43.545287Z",
	"deleted_at": null,
	"sha1_hash": "a3ee3fda11dd118f0ba902ec960dd4673830882e",
	"title": "NtQueryInformationProcess function (winternl.h) - Win32 apps",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 70459,
	"plain_text": "NtQueryInformationProcess function (winternl.h) - Win32 apps\r\nBy karl-bridge-microsoft\r\nArchived: 2026-04-05 20:35:50 UTC\r\n[NtQueryInformationProcess may be altered or unavailable in future versions of Windows. Applications should\r\nuse the alternate functions listed in this topic.]\r\nRetrieves information about the specified process.\r\n__kernel_entry NTSTATUS NtQueryInformationProcess(\r\n [in] HANDLE ProcessHandle,\r\n [in] PROCESSINFOCLASS ProcessInformationClass,\r\n [out] PVOID ProcessInformation,\r\n [in] ULONG ProcessInformationLength,\r\n [out, optional] PULONG ReturnLength\r\n);\r\n[in] ProcessHandle\r\nA handle to the process for which information is to be retrieved.\r\n[in] ProcessInformationClass\r\nThe type of process information to be retrieved. This parameter can be one of the following values from the\r\nPROCESSINFOCLASS enumeration.\r\nValue Meaning\r\nProcessBasicInformation\r\n0\r\nRetrieves a pointer to a PEB structure that can be used to determine\r\nwhether the specified process is being debugged, and a unique value\r\nused by the system to identify the specified process.\r\nUse the CheckRemoteDebuggerPresent and GetProcessId functions to\r\nobtain this information.\r\nProcessDebugPort\r\n7\r\nRetrieves a DWORD_PTR value that is the port number of the\r\ndebugger for the process. A nonzero value indicates that the process is\r\nbeing run under the control of a ring 3 debugger.\r\nUse the CheckRemoteDebuggerPresent or IsDebuggerPresent function.\r\nhttps://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess\r\nPage 1 of 4\n\nProcessWow64Information\r\n26\r\nDetermines whether the process is running in the WOW64 environment\r\n(WOW64 is the x86 emulator that allows Win32-based applications to\r\nrun on 64-bit Windows).\r\nUse the IsWow64Process2 function to obtain this information.\r\nProcessImageFileName\r\n27\r\nRetrieves a UNICODE_STRING value containing the name of the\r\nimage file for the process.\r\nUse the QueryFullProcessImageName or GetProcessImageFileName\r\nfunction to obtain this information.\r\nProcessBreakOnTermination\r\n29\r\nRetrieves a ULONG value indicating whether the process is considered\r\ncritical.\r\nNote  This value can be used starting in Windows XP with SP3. Starting\r\nin Windows 8.1, IsProcessCritical should be used instead.\r\nProcessTelemetryIdInformation\r\n64\r\nRetrieves a PROCESS_TELEMETRY_ID_INFORMATION_TYPE\r\nvalue that contains metadata about a process.\r\nProcessSubsystemInformation\r\n75\r\nRetrieves a SUBSYSTEM_INFORMATION_TYPE value indicating\r\nthe subsystem type of the process. The buffer pointed to by the\r\nProcessInformation parameter should be large enough to hold a single\r\nSUBSYSTEM_INFORMATION_TYPE enumeration.\r\n[out] ProcessInformation\r\nA pointer to a buffer supplied by the calling application into which the function writes the requested information.\r\nThe size of the information written varies depending on the data type of the ProcessInformationClass parameter:\r\nWhen the ProcessInformationClass parameter is ProcessBasicInformation, the buffer pointed to by the\r\nProcessInformation parameter should be large enough to hold a single PROCESS_BASIC_INFORMATION\r\nstructure having the following layout:\r\ntypedef struct _PROCESS_BASIC_INFORMATION {\r\n NTSTATUS ExitStatus;\r\n PPEB PebBaseAddress;\r\n ULONG_PTR AffinityMask;\r\n KPRIORITY BasePriority;\r\n ULONG_PTR UniqueProcessId;\r\n ULONG_PTR InheritedFromUniqueProcessId;\r\n} PROCESS_BASIC_INFORMATION;\r\nField Meaning\r\nExitStatus\r\nContains the same value that GetExitCodeProcess returns. However the\r\nuse of GetExitCodeProcess is preferable for clarity and safety.\r\nPebBaseAddress Points to a PEB structure.\r\nAffinityMask\r\nCan be cast to a DWORD and contains the same value that\r\nGetProcessAffinityMask returns for the lpProcessAffinityMask\r\nparameter.\r\nBasePriority Contains the process priority as described in Scheduling Priorities.\r\nUniqueProcessId\r\nCan be cast to a DWORD and contains a unique identifier for this\r\nprocess. We recommend using the GetProcessId function to retrieve this\r\ninformation.\r\nInheritedFromUniqueProcessId\r\nCan be cast to a DWORD and contains a unique identifier for the parent\r\nprocess.\r\nWhen the ProcessInformationClass parameter is ProcessWow64Information, the buffer pointed to by the\r\nProcessInformation parameter should be large enough to hold a ULONG_PTR. If this value is nonzero, the\r\nprocess is running in a WOW64 environment. Otherwise, the process is not running in a WOW64 environment.\r\nUse the IsWow64Process2 function to determine whether a process is running in the WOW64 environment.\r\nWhen the ProcessInformationClass parameter is ProcessImageFileName, the buffer pointed to by the\r\nProcessInformation parameter should be large enough to hold a UNICODE_STRING structure as well as the\r\nstring itself. The string stored in the Buffer member is the name of the image file.\r\nIf the buffer is too small, the function fails with the STATUS_INFO_LENGTH_MISMATCH error code and the\r\nReturnLength parameter is set to the required buffer size.\r\n[in] ProcessInformationLength\r\nThe size of the buffer pointed to by the ProcessInformation parameter, in bytes.\r\n[out, optional] ReturnLength\r\nA pointer to a variable in which the function returns the size of the requested information. If the function was\r\nsuccessful, this is the size of the information written to the buffer pointed to by the ProcessInformation parameter\r\n(if the buffer was too small, this is the minimum size of buffer needed to receive the information successfully).\r\nThe function returns an NTSTATUS success or error code.\r\nThe forms and significance of NTSTATUS error codes are listed in the Ntstatus.h header file available in the\r\nDDK. See Logging Errors for more details.\r\nThe NtQueryInformationProcess function and the structures that it returns are internal to the operating system\r\nand subject to change from one release of Windows to another. To maintain the compatibility of your application,\r\nit is better to use public functions mentioned in the description of the ProcessInformationClass parameter instead.\r\nIf you do use NtQueryInformationProcess, access the function through run-time dynamic linking. This gives\r\nyour code an opportunity to respond gracefully if the function has been changed or removed from the operating\r\nsystem. Signature changes, however, may not be detectable.\r\nThis function has no associated import library. You must use the LoadLibrary and GetProcAddress functions to\r\ndynamically link to Ntdll.dll.\r\nRequirement Value\r\nTarget Platform Windows\r\nHeader winternl.h\r\nLibrary ntdll.lib\r\nDLL ntdll.dll\r\nCheckRemoteDebuggerPresent\r\nGetProcessId\r\nIsDebuggerPresent\r\nIsWow64Process\r\nIsWow64Process2\r\nSource: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess"
	],
	"report_names": [
		"nf-winternl-ntqueryinformationprocess"
	],
	"threat_actors": [],
	"ts_created_at": 1775433994,
	"ts_updated_at": 1775791243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a3ee3fda11dd118f0ba902ec960dd4673830882e.pdf",
		"text": "https://archive.orkl.eu/a3ee3fda11dd118f0ba902ec960dd4673830882e.txt",
		"img": "https://archive.orkl.eu/a3ee3fda11dd118f0ba902ec960dd4673830882e.jpg"
	}
}