+0x000 Pcb : _KPROCESS
+0x000 Header : _DISPATCHER_HEADER
+0x010 ProfileListHead : _LIST_ENTRY [ 0xffbcc030 - 0xffbcc030 ]
+0x018 DirectoryTableBase : [2] 0x2807000
+0x020 LdtDescriptor : _KGDTENTRY
+0x028 Int21Descriptor : _KIDTENTRY
+0x030 IopmOffset : 0x20ac
+0x032 Iopl : 0 ''
+0x033 Unused : 0 ''
+0x034 ActiveProcessors : 0
+0x038 KernelTime : 0xf
+0x03c UserTime : 1
+0x040 ReadyListHead : _LIST_ENTRY [ 0xffbcc060 - 0xffbcc060 ]
+0x048 SwapListEntry : _SINGLE_LIST_ENTRY
+0x04c VdmTrapcHandler : (null)
+0x050 ThreadListHead : _LIST_ENTRY [ 0x80d946b8 - 0x80ee61d0 ]
+0x058 ProcessLock : 0
+0x05c Affinity : 1
+0x060 StackCount : 2
+0x062 BasePriority : 8 ''
+0x063 ThreadQuantum : 6 ''
+0x064 AutoAlignment : 0 ''
+0x065 State : 0 ''
+0x066 ThreadSeed : 0 ''
+0x067 DisableBoost : 0 ''
+0x068 PowerState : 0 ''
+0x069 DisableQuantum : 0 ''
+0x06a IdealNode : 0 ''
+0x06b Flags : _KEXECUTE_OPTIONS
+0x06b ExecuteOptions : 0x32 '2'
+0x06c ProcessLock : _EX_PUSH_LOCK
+0x000 Waiting : 0y0
+0x000 Exclusive : 0y0
+0x000 Shared : 0y000000000000000000000000000000 (0)
+0x000 Value : 0
+0x000 Ptr : (null)
+0x070 CreateTime : _LARGE_INTEGER 0x1c8afe7`be99a666
+0x000 LowPart : 0xbe99a666
+0x004 HighPart : 29929447
+0x000 u : __unnamed
+0x000 QuadPart : 128545999250105958
+0x078 ExitTime : _LARGE_INTEGER 0x0
+0x000 LowPart : 0
+0x004 HighPart : 0
+0x000 u : __unnamed
+0x000 QuadPart : 0
+0x080 RundownProtect : _EX_RUNDOWN_REF
+0x000 Count : 0
+0x000 Ptr : (null)
+0x084 UniqueProcessId : 0x000007ac
+0x088 ActiveProcessLinks : _LIST_ENTRY [ 0x805616d8 - 0x80ee6840 ]
+0x000 Flink : 0x805616d8 _LIST_ENTRY [ 0x80ede0a8 - 0xffbcc0a8 ]
+0x004 Blink : 0x80ee6840 _LIST_ENTRY [ 0xffbcc0a8 - 0x80d7bcb8 ]
+0x090 QuotaUsage : [3] 0xb18
+0x09c QuotaPeak : [3] 0xbb8
+0x0a8 CommitCharge : 0x1a8
+0x0ac PeakVirtualSize : 0x203e000
+0x0b0 VirtualSize : 0x1e71000
+0x0b4 SessionProcessLinks : _LIST_ENTRY [ 0xfb087014 - 0x80ee686c ]
+0x000 Flink : 0xfb087014 _LIST_ENTRY [ 0x80eade54 - 0xffbcc0d4 ]
+0x004 Blink : 0x80ee686c _LIST_ENTRY [ 0xffbcc0d4 - 0x80d7bce4 ]
+0x0bc DebugPort : (null)
+0x0c0 ExceptionPort : 0xe13c96b8
+0x0c4 ObjectTable : 0xe1cd4958 _HANDLE_TABLE
+0x000 TableCode : 0xe1060000
+0x004 QuotaProcess : 0xffbcc020 _EPROCESS
+0x008 UniqueProcessId : 0x000007ac
+0x00c HandleTableLock : [4] _EX_PUSH_LOCK
+0x01c HandleTableList : _LIST_ENTRY [ 0x805629c8 - 0xe1640594 ]
+0x024 HandleContentionEvent : _EX_PUSH_LOCK
+0x028 DebugInfo : (null)
+0x02c ExtraInfoPages : 0
+0x030 FirstFree : 0x11c
+0x034 LastFree : 0
+0x038 NextHandleNeedingPool : 0x800
+0x03c HandleCount : 70
+0x040 Flags : 0
+0x040 StrictFIFO : 0y0
+0x0c8 Token : _EX_FAST_REF
+0x000 Object : 0xe10772a3
+0x000 RefCnt : 0y011
+0x000 Value : 0xe10772a3
+0x0cc WorkingSetLock : _FAST_MUTEX
+0x000 Count : 1
+0x004 Owner : 0xfacfa608 _KTHREAD
+0x008 Contention : 0
+0x00c Event : _KEVENT
+0x01c OldIrql : 0
+0x0ec WorkingSetPage : 0x1e0a
+0x0f0 AddressCreationLock : _FAST_MUTEX
+0x000 Count : 1
+0x004 Owner : 0xfacfacf4 _KTHREAD
+0x008 Contention : 0
+0x00c Event : _KEVENT
+0x01c OldIrql : 0
+0x110 HyperSpaceLock : 0
+0x114 ForkInProgress : (null)
+0x118 HardwareTrigger : 0
+0x11c VadRoot : 0x80e2d1f0
+0x120 VadHint : 0xffb6f870
+0x124 CloneRoot : (null)
+0x128 NumberOfPrivatePages : 0xd8
+0x12c NumberOfLockedPages : 0
+0x130 Win32Process : 0xe1062680
+0x134 Job : (null)
+0x138 SectionObject : 0xe1cfe480
+0x13c SectionBaseAddress : 0x00400000
+0x140 QuotaBlock : 0xffbcc498 _EPROCESS_QUOTA_BLOCK
+0x000 QuotaEntry : [3] _EPROCESS_QUOTA_ENTRY
+0x030 QuotaList : _LIST_ENTRY [ 0xffb46518 - 0x80d4fda8 ]
+0x038 ReferenceCount : 0x25a
+0x03c ProcessCount : 6
+0x144 WorkingSetWatch : (null)
+0x148 Win32WindowStation : 0x00000034
+0x14c InheritedFromUniqueProcessId : 0x00000670
+0x150 LdtInformation : (null)
+0x154 VadFreeHint : (null)
+0x158 VdmObjects : (null)
+0x15c DeviceMap : 0xe18ed570
+0x160 PhysicalVadList : _LIST_ENTRY [ 0xffb66348 - 0xffb66348 ]
+0x000 Flink : 0xffb66348 _LIST_ENTRY [ 0xffbcc180 - 0xffbcc180 ]
+0x004 Blink : 0xffb66348 _LIST_ENTRY [ 0xffbcc180 - 0xffbcc180 ]
+0x168 PageDirectoryPte : _HARDWARE_PTE
+0x000 Valid : 0y0
+0x000 Write : 0y0
+0x000 Owner : 0y0
+0x000 WriteThrough : 0y0
+0x000 CacheDisable : 0y0
+0x000 Accessed : 0y0
+0x000 Dirty : 0y0
+0x000 LargePage : 0y0
+0x000 Global : 0y0
+0x000 CopyOnWrite : 0y0
+0x000 Prototype : 0y0
+0x000 reserved : 0y0
+0x000 PageFrameNumber : 0y00000000000000000000 (0)
+0x168 Filler : 0
+0x170 Session : 0xfb087000
+0x174 ImageFileName : [16] "Dbgview.exe"
+0x184 JobLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x000 Flink : (null)
+0x004 Blink : (null)
+0x18c LockedPagesList : (null)
+0x190 ThreadListHead : _LIST_ENTRY [ 0x80d94734 - 0x80ee624c ]
+0x000 Flink : 0x80d94734 _LIST_ENTRY [ 0x80ee624c - 0xffbcc1b0 ]
+0x004 Blink : 0x80ee624c _LIST_ENTRY [ 0xffbcc1b0 - 0x80d94734 ]
+0x198 SecurityPort : (null)
+0x19c PaeTop : (null)
+0x1a0 ActiveThreads : 2
+0x1a4 GrantedAccess : 0x1f0fff
+0x1a8 DefaultHardErrorProcessing : 1
+0x1ac LastThreadExitStatus : 0
+0x1b0 Peb : 0x7ffde000 _PEB
+0x000 InheritedAddressSpace : 0xdc ''
+0x001 ReadImageFileExecOptions : 0xff ''
+0x002 BeingDebugged : 0xa8 ''
+0x003 SpareBool : 0 ''
+0x004 Mutant : 0x00a90000
+0x008 ImageBaseAddress : 0x00a8e000
+0x00c Ldr : (null)
+0x010 ProcessParameters : 0x00001e00 _RTL_USER_PROCESS_PARAMETERS
+0x014 SubSystemData : (null)
+0x018 ProcessHeap : 0x7ffde000
+0x01c FastPebLock : (null)
+0x020 FastPebLockRoutine : 0x0000073c
+0x024 FastPebUnlockRoutine : 0x00000760
+0x028 EnvironmentUpdateCount : 0
+0x02c KernelCallbackTable : (null)
+0x030 SystemReserved : [1] 0x7ffdd000
+0x034 AtlThunkSListPtr32 : 0
+0x038 FreeList : (null)
+0x03c TlsExpansionCounter : 0
+0x040 TlsBitmap : 0xe11a1008
+0x044 TlsBitmapBits : [2] 0
+0x04c ReadOnlySharedMemoryBase : (null)
+0x050 ReadOnlySharedMemoryHeap : (null)
+0x054 ReadOnlyStaticServerData : (null)
+0x058 AnsiCodePageData : (null)
+0x05c OemCodePageData : (null)
+0x060 UnicodeCaseTableData : (null)
+0x064 NumberOfProcessors : 0
+0x068 NtGlobalFlag : 0
+0x070 CriticalSectionTimeout : _LARGE_INTEGER 0x0
+0x078 HeapSegmentReserve : 0
+0x07c HeapSegmentCommit : 0
+0x080 HeapDeCommitTotalFreeThreshold : 0
+0x084 HeapDeCommitFreeBlockThreshold : 0
+0x088 NumberOfHeaps : 0
+0x08c MaximumNumberOfHeaps : 0
+0x090 ProcessHeaps : (null)
+0x094 GdiSharedHandleTable : (null)
+0x098 ProcessStarterHelper : (null)
+0x09c GdiDCAttributeList : 0
+0x0a0 LoaderLock : (null)
+0x0a4 OSMajorVersion : 0
+0x0a8 OSMinorVersion : 0
+0x0ac OSBuildNumber : 0
+0x0ae OSCSDVersion : 0
+0x0b0 OSPlatformId : 0
+0x0b4 ImageSubsystem : 0
+0x0b8 ImageSubsystemMajorVersion : 0
+0x0bc ImageSubsystemMinorVersion : 0
+0x0c0 ImageProcessAffinityMask : 0
+0x0c4 GdiHandleBuffer : [34] 0x804
+0x14c PostProcessInitRoutine : (null)
+0x150 TlsExpansionBitmap : (null)
+0x154 TlsExpansionBitmapBits : [32] 0
+0x1d4 SessionId : 0
+0x1d8 AppCompatFlags : _ULARGE_INTEGER 0x0
+0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER 0x0
+0x1e8 pShimData : (null)
+0x1ec AppCompatInfo : (null)
+0x1f0 CSDVersion : _UNICODE_STRING ""
+0x1f8 ActivationContextData : (null)
+0x1fc ProcessAssemblyStorageMap : (null)
+0x200 SystemDefaultActivationContextData : (null)
+0x204 SystemAssemblyStorageMap : (null)
+0x208 MinimumStackCommit : 0
+0x1b4 PrefetchTrace : _EX_FAST_REF
+0x000 Object : (null)
+0x000 RefCnt : 0y000
+0x000 Value : 0
+0x1b8 ReadOperationCount : _LARGE_INTEGER 0x4
+0x000 LowPart : 4
+0x004 HighPart : 0
+0x000 u : __unnamed
+0x000 QuadPart : 4
+0x1c0 WriteOperationCount : _LARGE_INTEGER 0x5
+0x000 LowPart : 5
+0x004 HighPart : 0
+0x000 u : __unnamed
+0x000 QuadPart : 5
+0x1c8 OtherOperationCount : _LARGE_INTEGER 0x1a0
+0x000 LowPart : 0x1a0
+0x004 HighPart : 0
+0x000 u : __unnamed
+0x000 QuadPart : 416
+0x1d0 ReadTransferCount : _LARGE_INTEGER 0x4f12
+0x000 LowPart : 0x4f12
+0x004 HighPart : 0
+0x000 u : __unnamed
+0x000 QuadPart : 20242
+0x1d8 WriteTransferCount : _LARGE_INTEGER 0x34d8
+0x000 LowPart : 0x34d8
+0x004 HighPart : 0
+0x000 u : __unnamed
+0x000 QuadPart : 13528
+0x1e0 OtherTransferCount : _LARGE_INTEGER 0x18420
+0x000 LowPart : 0x18420
+0x004 HighPart : 0
+0x000 u : __unnamed
+0x000 QuadPart : 99360
+0x1e8 CommitChargeLimit : 0
+0x1ec CommitChargePeak : 0x1a8
+0x1f0 AweInfo : (null)
+0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x000 ImageFileName : 0x80d4b810 _OBJECT_NAME_INFORMATION
+0x1f8 Vm : _MMSUPPORT
+0x000 LastTrimTime : _LARGE_INTEGER 0x1c8afe7`be97440c
+0x008 Flags : _MMSUPPORT_FLAGS
+0x00c PageFaultCount : 0x435
+0x010 PeakWorkingSetSize : 0x3fb
+0x014 WorkingSetSize : 0x3fb
+0x018 MinimumWorkingSetSize : 0x32
+0x01c MaximumWorkingSetSize : 0x159
+0x020 VmWorkingSetList : 0xc0503000 _MMWSL
+0x024 WorkingSetExpansionLinks : _LIST_ENTRY [ 0x8055fc50 - 0x80ee69d4 ]
+0x02c Claim : 8
+0x030 NextEstimationSlot : 0x169
+0x034 NextAgingSlot : 0x14
+0x038 EstimatedAvailable : 8
+0x03c GrowthSinceLastEstimate : 0
+0x238 LastFaultCount : 0
+0x23c ModifiedPageCount : 7
+0x240 NumberOfVads : 0x45
+0x244 JobStatus : 0
+0x248 Flags : 0xd0a00
+0x248 CreateReported : 0y0
+0x248 NoDebugInherit : 0y0
+0x248 ProcessExiting : 0y0
+0x248 ProcessDelete : 0y0
+0x248 Wow64SplitPages : 0y0
+0x248 VmDeleted : 0y0
+0x248 OutswapEnabled : 0y0
+0x248 Outswapped : 0y0
+0x248 ForkFailed : 0y0
+0x248 HasPhysicalVad : 0y1
+0x248 AddressSpaceInitialized : 0y10
+0x248 SetTimerResolution : 0y0
+0x248 BreakOnTermination : 0y0
+0x248 SessionCreationUnderway : 0y0
+0x248 WriteWatch : 0y0
+0x248 ProcessInSession : 0y1
+0x248 OverrideAddressSpace : 0y0
+0x248 HasAddressSpace : 0y1
+0x248 LaunchPrefetched : 0y1
+0x248 InjectInpageErrors : 0y0
+0x248 VmTopDown : 0y0
+0x248 Unused3 : 0y0
+0x248 Unused4 : 0y0
+0x248 VdmAllowed : 0y0
+0x248 Unused : 0y00000 (0)
+0x248 Unused1 : 0y0
+0x248 Unused2 : 0y0
+0x24c ExitStatus : 259
+0x250 NextPageColor : 0x79e0
+0x252 SubSystemMinorVersion : 0 ''
+0x253 SubSystemMajorVersion : 0x4 ''
+0x252 SubSystemVersion : 0x400
+0x254 PriorityClass : 0x2 ''
+0x255 WorkingSetAcquiredUnsafe : 0 ''
+0x258 Cookie : 0xbf681b82
nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x06c ExitStatus : 259
+0x070 LockEvent : _KEVENT
+0x080 LockCount : 1
+0x088 CreateTime : _LARGE_INTEGER 0x1c87e74`e265cc4c
+0x090 ExitTime : _LARGE_INTEGER 0x0
+0x098 LockOwner : (null)
+0x09c UniqueProcessId : 0x000001c8
+0x0a0 ActiveProcessLinks : _LIST_ENTRY [ 0x8046dcb0 - 0x81672a60 ]
+0x0a8 QuotaPeakPoolUsage : [2] 0x824
+0x0b0 QuotaPoolUsage : [2] 0x684
+0x0b8 PagefileUsage : 0x39
+0x0bc CommitCharge : 0x39
+0x0c0 PeakPagefileUsage : 0x39
+0x0c4 PeakVirtualSize : 0x8f0000
+0x0c8 VirtualSize : 0x8f0000
+0x0d0 Vm : _MMSUPPORT
+0x118 SessionProcessLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x120 DebugPort : (null)
+0x124 ExceptionPort : 0xe19c2b20
+0x128 ObjectTable : 0x8166ef48 _HANDLE_TABLE
+0x12c Token : 0xe1b61250
+0x130 WorkingSetLock : _FAST_MUTEX
+0x150 WorkingSetPage : 0x4886
+0x154 ProcessOutswapEnabled : 0 ''
+0x155 ProcessOutswapped : 0 ''
+0x156 AddressSpaceInitialized : 0x2 ''
+0x157 AddressSpaceDeleted : 0 ''
+0x158 AddressCreationLock : _FAST_MUTEX
+0x178 HyperSpaceLock : 0
+0x17c ForkInProgress : (null)
+0x180 VmOperation : 0
+0x182 ForkWasSuccessful : 0 ''
+0x183 MmAgressiveWsTrimMask : 0 ''
+0x184 VmOperationEvent : (null)
+0x188 PaeTop : (null)
+0x18c LastFaultCount : 0
+0x190 ModifiedPageCount : 0
+0x194 VadRoot : 0x8166f928
+0x198 VadHint : 0x8166c788
+0x19c CloneRoot : (null)
+0x1a0 NumberOfPrivatePages : 0x31
+0x1a4 NumberOfLockedPages : 0
+0x1a8 NextPageColor : 0x20c4
+0x1aa ExitProcessCalled : 0 ''
+0x1ab CreateProcessReported : 0 ''
+0x1ac SectionHandle : 0x00000004
+0x1b0 Peb : 0x7ffdf000 _PEB
+0x1b4 SectionBaseAddress : 0x01000000
+0x1b8 QuotaBlock : 0x8046dd00 _EPROCESS_QUOTA_BLOCK
+0x1bc LastThreadExitStatus : 0
+0x1c0 WorkingSetWatch : (null)
+0x1c4 Win32WindowStation : 0x00000040
+0x1c8 InheritedFromUniqueProcessId : 0x000000d4
+0x1cc GrantedAccess : 0x1f0fff
+0x1d0 DefaultHardErrorProcessing : 0
+0x1d4 LdtInformation : (null)
+0x1d8 VadFreeHint : 0x8166c768
+0x1dc VdmObjects : (null)
+0x1e0 DeviceMap : 0x8187dee8
+0x1e4 SessionId : 0
+0x1e8 PhysicalVadList : _LIST_ENTRY [ 0x8167db08 - 0x8167db08 ]
+0x1f0 PageDirectoryPte : _HARDWARE_PTE_X86
+0x1f0 Filler : 0
+0x1f8 PaePageDirectoryPage : 0
+0x1fc ImageFileName : [16] "svchost.exe"
+0x20c VmTrimFaultValue : 0
+0x210 SetTimerResolution : 0 ''
+0x211 PriorityClass : 0x2 ''
+0x212 SubSystemMinorVersion : 0 ''
+0x213 SubSystemMajorVersion : 0x4 ''
+0x212 SubSystemVersion : 0x400
+0x214 Win32Process : 0xe1b64508
+0x218 Job : (null)
+0x21c JobStatus : 0
+0x220 JobLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x228 LockedPagesList : (null)
+0x22c SecurityPort : (null)
+0x230 Wow64Process : (null)
+0x238 ReadOperationCount : _LARGE_INTEGER 0x2
+0x240 WriteOperationCount : _LARGE_INTEGER 0x2
+0x248 OtherOperationCount : _LARGE_INTEGER 0x39
+0x250 ReadTransferCount : _LARGE_INTEGER 0x30
+0x258 WriteTransferCount : _LARGE_INTEGER 0xc
+0x260 OtherTransferCount : _LARGE_INTEGER 0x920
+0x268 CommitChargeLimit : 0
+0x26c CommitChargePeak : 0x39
+0x270 ThreadListHead : _LIST_ENTRY [ 0x8166dfe0 - 0x8166be80 ]
+0x278 VadPhysicalPagesBitMap : (null)
+0x27c VadPhysicalPages : 0
+0x280 AweLock : 0
+0x284 pImageFileName : 0x8167c818 _UNICODE_STRING "\WINNT\system32\svchost.exe"
kd> dt nt!_KPROCESS 8167d920
+0x000 Header : _DISPATCHER_HEADER
+0x010 ProfileListHead : _LIST_ENTRY [ 0x8167d930 - 0x8167d930 ]
+0x018 DirectoryTableBase : [2] 0x47c4000
+0x020 LdtDescriptor : _KGDTENTRY
+0x028 Int21Descriptor : _KIDTENTRY
+0x030 IopmOffset : 0x20ac
+0x032 Iopl : 0 ''
+0x033 VdmFlag : 0 ''
+0x034 ActiveProcessors : 0
+0x038 KernelTime : 0
+0x03c UserTime : 1
+0x040 ReadyListHead : _LIST_ENTRY [ 0x8167d960 - 0x8167d960 ]
+0x048 SwapListEntry : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x050 ThreadListHead : _LIST_ENTRY [ 0x8166df44 - 0x8166bde4 ]
+0x058 ProcessLock : 0
+0x05c Affinity : 1
+0x060 StackCount : 2
+0x062 BasePriority : 8 ''
+0x063 ThreadQuantum : 6 ''
+0x064 AutoAlignment : 0 ''
+0x065 State : 0 ''
+0x066 ThreadSeed : 0x62 'b'
+0x067 DisableBoost : 0 ''
+0x068 PowerState : 0 ''
+0x069 DisableQuantum : 0 ''
+0x06a Spare : [2] ""
}
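可以通过_EPROCESS结构中的Peb指针(指向_PEB结构)来得到ProcessParameters的地址。ProcessParameters保存着进程的完整路径,而_EPROCESS中的ImageFileName只保存被截断的短映像名。注意:_PEB和ProcessParameters位于用户态地址空间,只有在目标进程的地址空间上下文中读取才有意义;上面Dbgview.exe的输出中_PEB各字段(Ldr为空、OS版本号为0等)明显不合理,很可能就是在错误的进程上下文中读取的结果。另外,这部分内存可以被进程自身改写,因此从这里取得的路径不应作为可信依据,做取证或检测时应与内核维护的SeAuditProcessCreationInfo.ImageFileName相互核对。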
0:001> dt _eprocess
ntdll!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x098 ProcessLock : _EX_PUSH_LOCK
+0x0a0 CreateTime : _LARGE_INTEGER
+0x0a8 ExitTime : _LARGE_INTEGER
+0x0b0 RundownProtect : _EX_RUNDOWN_REF
+0x0b4 UniqueProcessId : Ptr32 Void
+0x0b8 ActiveProcessLinks : _LIST_ENTRY
+0x0c0 ProcessQuotaUsage : [2] Uint4B
+0x0c8 ProcessQuotaPeak : [2] Uint4B
+0x0d0 CommitCharge : Uint4B
+0x0d4 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK
+0x0d8 CpuQuotaBlock : Ptr32 _PS_CPU_QUOTA_BLOCK
+0x0dc PeakVirtualSize : Uint4B
+0x0e0 VirtualSize : Uint4B
+0x0e4 SessionProcessLinks : _LIST_ENTRY
+0x0ec DebugPort : Ptr32 Void
+0x0f0 ExceptionPortData : Ptr32 Void
+0x0f0 ExceptionPortValue : Uint4B
+0x0f0 ExceptionPortState : Pos 0, 3 Bits
+0x0f4 ObjectTable : Ptr32 _HANDLE_TABLE
+0x0f8 Token : _EX_FAST_REF
+0x0fc WorkingSetPage : Uint4B
+0x100 AddressCreationLock : _EX_PUSH_LOCK
+0x104 RotateInProgress : Ptr32 _ETHREAD
+0x108 ForkInProgress : Ptr32 _ETHREAD
+0x10c HardwareTrigger : Uint4B
+0x110 PhysicalVadRoot : Ptr32 _MM_AVL_TABLE
+0x114 CloneRoot : Ptr32 Void
+0x118 NumberOfPrivatePages : Uint4B
+0x11c NumberOfLockedPages : Uint4B
+0x120 Win32Process : Ptr32 Void
+0x124 Job : Ptr32 _EJOB
+0x128 SectionObject : Ptr32 Void
+0x12c SectionBaseAddress : Ptr32 Void
+0x130 Cookie : Uint4B
+0x134 Spare8 : Uint4B
+0x138 WorkingSetWatch : Ptr32 _PAGEFAULT_HISTORY
+0x13c Win32WindowStation : Ptr32 Void
+0x140 InheritedFromUniqueProcessId : Ptr32 Void
+0x144 LdtInformation : Ptr32 Void
+0x148 VdmObjects : Ptr32 Void
+0x14c ConsoleHostProcess : Uint4B
+0x150 DeviceMap : Ptr32 Void
+0x154 EtwDataSource : Ptr32 Void
+0x158 FreeTebHint : Ptr32 Void
+0x160 PageDirectoryPte : _HARDWARE_PTE_X86
+0x160 Filler : Uint8B
+0x168 Session : Ptr32 Void
+0x16c ImageFileName : [15] UChar
+0x17b PriorityClass : UChar
+0x17c JobLinks : _LIST_ENTRY
+0x184 LockedPagesList : Ptr32 Void
+0x188 ThreadListHead : _LIST_ENTRY
+0x190 SecurityPort : Ptr32 Void
+0x194 PaeTop : Ptr32 Void
+0x198 ActiveThreads : Uint4B
+0x19c ImagePathHash : Uint4B
+0x1a0 DefaultHardErrorProcessing : Uint4B
+0x1a4 LastThreadExitStatus : Int4B
+0x1a8 Peb : Ptr32 _PEB
+0x1ac PrefetchTrace : _EX_FAST_REF
+0x1b0 ReadOperationCount : _LARGE_INTEGER
+0x1b8 WriteOperationCount : _LARGE_INTEGER
+0x1c0 OtherOperationCount : _LARGE_INTEGER
+0x1c8 ReadTransferCount : _LARGE_INTEGER
+0x1d0 WriteTransferCount : _LARGE_INTEGER
+0x1d8 OtherTransferCount : _LARGE_INTEGER
+0x1e0 CommitChargeLimit : Uint4B
+0x1e4 CommitChargePeak : Uint4B
+0x1e8 AweInfo : Ptr32 Void
+0x1ec SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1f0 Vm : _MMSUPPORT
+0x25c MmProcessLinks : _LIST_ENTRY
+0x264 HighestUserAddress : Ptr32 Void
+0x268 ModifiedPageCount : Uint4B
+0x26c Flags2 : Uint4B
+0x26c JobNotReallyActive : Pos 0, 1 Bit
+0x26c AccountingFolded : Pos 1, 1 Bit
+0x26c NewProcessReported : Pos 2, 1 Bit
+0x26c ExitProcessReported : Pos 3, 1 Bit
+0x26c ReportCommitChanges : Pos 4, 1 Bit
+0x26c LastReportMemory : Pos 5, 1 Bit
+0x26c ReportPhysicalPageChanges : Pos 6, 1 Bit
+0x26c HandleTableRundown : Pos 7, 1 Bit
+0x26c NeedsHandleRundown : Pos 8, 1 Bit
+0x26c RefTraceEnabled : Pos 9, 1 Bit
+0x26c NumaAware : Pos 10, 1 Bit
+0x26c ProtectedProcess : Pos 11, 1 Bit
+0x26c DefaultPagePriority : Pos 12, 3 Bits
+0x26c PrimaryTokenFrozen : Pos 15, 1 Bit
+0x26c ProcessVerifierTarget : Pos 16, 1 Bit
+0x26c StackRandomizationDisabled : Pos 17, 1 Bit
+0x26c AffinityPermanent : Pos 18, 1 Bit
+0x26c AffinityUpdateEnable : Pos 19, 1 Bit
+0x26c PropagateNode : Pos 20, 1 Bit
+0x26c ExplicitAffinity : Pos 21, 1 Bit
+0x270 Flags : Uint4B
+0x270 CreateReported : Pos 0, 1 Bit
+0x270 NoDebugInherit : Pos 1, 1 Bit
+0x270 ProcessExiting : Pos 2, 1 Bit
+0x270 ProcessDelete : Pos 3, 1 Bit
+0x270 Wow64SplitPages : Pos 4, 1 Bit
+0x270 VmDeleted : Pos 5, 1 Bit
+0x270 OutswapEnabled : Pos 6, 1 Bit
+0x270 Outswapped : Pos 7, 1 Bit
+0x270 ForkFailed : Pos 8, 1 Bit
+0x270 Wow64VaSpace4Gb : Pos 9, 1 Bit
+0x270 AddressSpaceInitialized : Pos 10, 2 Bits
+0x270 SetTimerResolution : Pos 12, 1 Bit
+0x270 BreakOnTermination : Pos 13, 1 Bit
+0x270 DeprioritizeViews : Pos 14, 1 Bit
+0x270 WriteWatch : Pos 15, 1 Bit
+0x270 ProcessInSession : Pos 16, 1 Bit
+0x270 OverrideAddressSpace : Pos 17, 1 Bit
+0x270 HasAddressSpace : Pos 18, 1 Bit
+0x270 LaunchPrefetched : Pos 19, 1 Bit
+0x270 InjectInpageErrors : Pos 20, 1 Bit
+0x270 VmTopDown : Pos 21, 1 Bit
+0x270 ImageNotifyDone : Pos 22, 1 Bit
+0x270 PdeUpdateNeeded : Pos 23, 1 Bit
+0x270 VdmAllowed : Pos 24, 1 Bit
+0x270 CrossSessionCreate : Pos 25, 1 Bit
+0x270 ProcessInserted : Pos 26, 1 Bit
+0x270 DefaultIoPriority : Pos 27, 3 Bits
+0x270 ProcessSelfDelete : Pos 30, 1 Bit
+0x270 SetTimerResolutionLink : Pos 31, 1 Bit
+0x274 ExitStatus : Int4B
+0x278 VadRoot : _MM_AVL_TABLE
+0x298 AlpcContext : _ALPC_PROCESS_CONTEXT
+0x2a8 TimerResolutionLink : _LIST_ENTRY
+0x2b0 RequestedTimerResolution : Uint4B
+0x2b4 ActiveThreadsHighWatermark : Uint4B
+0x2b8 SmallestTimerResolution : Uint4B
+0x2bc TimerResolutionStackRecord : Ptr32 _PO_DIAG_STACK_RECORD
+0x000 Pcb : _KPROCESS
+0x000 Header : _DISPATCHER_HEADER
+0x010 ProfileListHead : _LIST_ENTRY [ 0x8163cc00 - 0x8163cc00 ]
+0x018 DirectoryTableBase : [2] 0x249b000
+0x020 LdtDescriptor : _KGDTENTRY
+0x028 Int21Descriptor : _KIDTENTRY
+0x030 IopmOffset : 0x20ac
+0x032 Iopl : 0 ''
+0x033 Unused : 0 ''
+0x034 ActiveProcessors : 0
+0x038 KernelTime : 0
+0x03c UserTime : 0
+0x040 ReadyListHead : _LIST_ENTRY [ 0x8163cc30 - 0x8163cc30 ]
+0x048 SwapListEntry : _SINGLE_LIST_ENTRY
+0x04c VdmTrapcHandler : (null)
+0x050 ThreadListHead : _LIST_ENTRY [ 0x81204c00 - 0x811fed98 ]
+0x058 ProcessLock : 0
+0x05c Affinity : 1
+0x060 AutoAlignment : 0y0
+0x060 DisableBoost : 0y0
+0x060 DisableQuantum : 0y0
+0x060 ReservedFlags : 0y00000000000000000000000000000 (0)
+0x060 ProcessFlags : 0
+0x064 BasePriority : 13 ''
+0x065 QuantumReset : 36 '$'
+0x066 State : 0 ''
+0x067 ThreadSeed : 0 ''
+0x068 PowerState : 0 ''
+0x069 IdealNode : 0 ''
+0x06a Visited : 0 ''
+0x06b Flags : _KEXECUTE_OPTIONS
+0x06b ExecuteOptions : 0 ''
+0x06c StackCount : 4
+0x070 ProcessListEntry : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x078 ProcessLock : _EX_PUSH_LOCK
+0x000 Locked : 0y0
+0x000 Waiting : 0y0
+0x000 Waking : 0y0
+0x000 MultipleShared : 0y0
+0x000 Shared : 0y0000000000000000000000000000 (0)
+0x000 Value : 0
+0x000 Ptr : (null)
+0x080 CreateTime : _LARGE_INTEGER 0x1c8aff2`273b0893
+0x000 LowPart : 0x273b0893
+0x004 HighPart : 29929458
+0x000 u : __unnamed
+0x000 QuadPart : 128546043955185811
+0x088 ExitTime : _LARGE_INTEGER 0x0
+0x000 LowPart : 0
+0x004 HighPart : 0
+0x000 u : __unnamed
+0x000 QuadPart : 0
+0x090 RundownProtect : _EX_RUNDOWN_REF
+0x000 Count : 0
+0x000 Ptr : (null)
+0x094 UniqueProcessId : 0x000007d4
+0x098 ActiveProcessLinks : _LIST_ENTRY [ 0x808af068 - 0x81297958 ]
+0x000 Flink : 0x808af068 _LIST_ENTRY [ 0x8179d878 - 0x8163cc88 ]
+0x004 Blink : 0x81297958 _LIST_ENTRY [ 0x8163cc88 - 0x8120cad8 ]
+0x0a0 QuotaUsage : [3] 0xd20
+0x0ac QuotaPeak : [3] 0xde8
+0x0b8 CommitCharge : 0x182
+0x0bc PeakVirtualSize : 0x20ea000
+0x0c0 VirtualSize : 0x206a000
+0x0c4 SessionProcessLinks : _LIST_ENTRY [ 0xfa119010 - 0x81297984 ]
+0x000 Flink : 0xfa119010 _LIST_ENTRY [ 0x815afc34 - 0x8163ccb4 ]
+0x004 Blink : 0x81297984 _LIST_ENTRY [ 0x8163ccb4 - 0x8120cb04 ]
+0x0cc DebugPort : (null)
+0x0d0 ExceptionPort : 0xe13e14d8
+0x0d4 ObjectTable : 0xe156c9d8 _HANDLE_TABLE
+0x000 TableCode : 0xe1103000
+0x004 QuotaProcess : 0x8163cbf0 _EPROCESS
+0x008 UniqueProcessId : 0x000007d4
+0x00c HandleTableLock : [4] _EX_PUSH_LOCK
+0x01c HandleTableList : _LIST_ENTRY [ 0x808b0928 - 0xe19f3e94 ]
+0x024 HandleContentionEvent : _EX_PUSH_LOCK
+0x028 DebugInfo : (null)
+0x02c ExtraInfoPages : 0
+0x030 FirstFree : 0x17c
+0x034 LastFree : 0
+0x038 NextHandleNeedingPool : 0x800
+0x03c HandleCount : 93
+0x040 Flags : 0
+0x040 StrictFIFO : 0y0
+0x0d8 Token : _EX_FAST_REF
+0x000 Object : 0xe10eb705
+0x000 RefCnt : 0y101
+0x000 Value : 0xe10eb705
+0x0dc WorkingSetPage : 0x279e
+0x0e0 AddressCreationLock : _KGUARDED_MUTEX
+0x000 Count : 1
+0x004 Owner : (null)
+0x008 Contention : 0
+0x00c Gate : _KGATE
+0x01c KernelApcDisable : 0
+0x01e SpecialApcDisable : 0
+0x01c CombinedApcDisable : 0
+0x100 HyperSpaceLock : 0
+0x104 ForkInProgress : (null)
+0x108 HardwareTrigger : 0
+0x10c PhysicalVadRoot : (null)
+0x110 CloneRoot : (null)
+0x114 NumberOfPrivatePages : 0xec
+0x118 NumberOfLockedPages : 0
+0x11c Win32Process : 0xe10fe898
+0x120 Job : (null)
+0x124 SectionObject : 0xe18996c0
+0x128 SectionBaseAddress : 0x01000000
+0x12c QuotaBlock : 0x812c3828 _EPROCESS_QUOTA_BLOCK
+0x000 QuotaEntry : [3] _EPROCESS_QUOTA_ENTRY
+0x030 QuotaList : _LIST_ENTRY [ 0x808af228 - 0x8124fbe0 ]
+0x038 ReferenceCount : 0x30c
+0x03c ProcessCount : 6
+0x130 WorkingSetWatch : (null)
+0x134 Win32WindowStation : 0x00000050
+0x138 InheritedFromUniqueProcessId : 0x000006e4
+0x13c LdtInformation : (null)
+0x140 VadFreeHint : (null)
+0x144 VdmObjects : (null)
+0x148 DeviceMap : 0xe16ef388
+0x14c Spare0 : [3] (null)
+0x158 PageDirectoryPte : _HARDWARE_PTE
+0x000 Valid : 0y0
+0x000 Write : 0y0
+0x000 Owner : 0y0
+0x000 WriteThrough : 0y0
+0x000 CacheDisable : 0y0
+0x000 Accessed : 0y0
+0x000 Dirty : 0y0
+0x000 LargePage : 0y0
+0x000 Global : 0y0
+0x000 CopyOnWrite : 0y0
+0x000 Prototype : 0y0
+0x000 reserved : 0y0
+0x000 PageFrameNumber : 0y00000000000000000000 (0)
+0x158 Filler : 0
+0x160 Session : 0xfa119000
+0x164 ImageFileName : [16] "taskmgr.exe"
+0x174 JobLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x000 Flink : (null)
+0x004 Blink : (null)
+0x17c LockedPagesList : (null)
+0x180 ThreadListHead : _LIST_ENTRY [ 0x81204c7c - 0x811fee14 ]
+0x000 Flink : 0x81204c7c _LIST_ENTRY [ 0x81202fd4 - 0x8163cd70 ]
+0x004 Blink : 0x811fee14 _LIST_ENTRY [ 0x8163cd70 - 0x8120477c ]
+0x188 SecurityPort : (null)
+0x18c PaeTop : (null)
+0x190 ActiveThreads : 4
+0x194 GrantedAccess : 0x1f0fff
+0x198 DefaultHardErrorProcessing : 0
+0x19c LastThreadExitStatus : 0
+0x1a0 Peb : 0x7ffd9000 _PEB
+0x000 InheritedAddressSpace : 0 ''
+0x001 ReadImageFileExecOptions : 0 ''
+0x002 BeingDebugged : 0 ''
+0x003 BitField : 0 ''
+0x003 ImageUsesLargePages : 0y0
+0x003 SpareBits : 0y0000000 (0)
+0x004 Mutant : 0xffffffff
+0x008 ImageBaseAddress : 0x01000000
+0x00c Ldr : 0x7c9b77e0 _PEB_LDR_DATA
+0x010 ProcessParameters : 0x00020000 _RTL_USER_PROCESS_PARAMETERS
+0x014 SubSystemData : (null)
+0x018 ProcessHeap : 0x000a0000
+0x01c FastPebLock : 0x7c9b7740 _RTL_CRITICAL_SECTION
+0x020 AtlThunkSListPtr : (null)
+0x024 SparePtr2 : (null)
+0x028 EnvironmentUpdateCount : 1
+0x02c KernelCallbackTable : 0x77e129b0
+0x030 SystemReserved : [1] 0
+0x034 SpareUlong : 0
+0x038 FreeList : (null)
+0x03c TlsExpansionCounter : 0
+0x040 TlsBitmap : 0x7c9b8fd8
+0x044 TlsBitmapBits : [2] 0xffff
+0x04c ReadOnlySharedMemoryBase : 0x7f6f0000
+0x050 ReadOnlySharedMemoryHeap : 0x7f6f0000
+0x054 ReadOnlyStaticServerData : 0x7f6f0688 -> (null)
+0x058 AnsiCodePageData : 0x7ffa0000
+0x05c OemCodePageData : 0x7ffa0000
+0x060 UnicodeCaseTableData : 0x7ffd1000
+0x064 NumberOfProcessors : 1
+0x068 NtGlobalFlag : 0
+0x070 CriticalSectionTimeout : _LARGE_INTEGER 0xffffe86d`079b8000
+0x078 HeapSegmentReserve : 0x100000
+0x07c HeapSegmentCommit : 0x2000
+0x080 HeapDeCommitTotalFreeThreshold : 0x10000
+0x084 HeapDeCommitFreeBlockThreshold : 0x1000
+0x088 NumberOfHeaps : 0xa
+0x08c MaximumNumberOfHeaps : 0x10
+0x090 ProcessHeaps : 0x7c9b8a20 -> 0x000a0000
+0x094 GdiSharedHandleTable : 0x00430000
+0x098 ProcessStarterHelper : (null)
+0x09c GdiDCAttributeList : 0x14
+0x0a0 LoaderLock : 0x7c9b77a0 _RTL_CRITICAL_SECTION
+0x0a4 OSMajorVersion : 5
+0x0a8 OSMinorVersion : 2
+0x0ac OSBuildNumber : 0xece
+0x0ae OSCSDVersion : 0x200
+0x0b0 OSPlatformId : 2
+0x0b4 ImageSubsystem : 2
+0x0b8 ImageSubsystemMajorVersion : 4
+0x0bc ImageSubsystemMinorVersion : 0
+0x0c0 ImageProcessAffinityMask : 0
+0x0c4 GdiHandleBuffer : [34] 0
+0x14c PostProcessInitRoutine : (null)
+0x150 TlsExpansionBitmap : 0x7c9b8fd0
+0x154 TlsExpansionBitmapBits : [32] 1
+0x1d4 SessionId : 0
+0x1d8 AppCompatFlags : _ULARGE_INTEGER 0x0
+0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER 0x0
+0x1e8 pShimData : (null)
+0x1ec AppCompatInfo : (null)
+0x1f0 CSDVersion : _UNICODE_STRING "Service Pack 2"
+0x1f8 ActivationContextData : 0x00090000 _ACTIVATION_CONTEXT_DATA
+0x1fc ProcessAssemblyStorageMap : 0x000a3740 _ASSEMBLY_STORAGE_MAP
+0x200 SystemDefaultActivationContextData : 0x00080000 _ACTIVATION_CONTEXT_DATA
+0x204 SystemAssemblyStorageMap : (null)
+0x208 MinimumStackCommit : 0
+0x20c FlsCallback : 0x000a5408 -> (null)
+0x210 FlsListHead : _LIST_ENTRY [ 0xa1f60 - 0xb3c48 ]
+0x218 FlsBitmap : 0x7c9b8fc0
+0x21c FlsBitmapBits : [4] 0xf
+0x22c FlsHighIndex : 3
+0x1a4 PrefetchTrace : _EX_FAST_REF
+0x000 Object : (null)
+0x000 RefCnt : 0y000
+0x000 Value : 0
+0x1a8 ReadOperationCount : _LARGE_INTEGER 0x33
+0x000 LowPart : 0x33
+0x004 HighPart : 0
+0x000 u : __unnamed
+0x000 QuadPart : 51
+0x1b0 WriteOperationCount : _LARGE_INTEGER 0x33
+0x000 LowPart : 0x33
+0x004 HighPart : 0
+0x000 u : __unnamed
+0x000 QuadPart : 51
+0x1b8 OtherOperationCount : _LARGE_INTEGER 0x290
+0x000 LowPart : 0x290
+0x004 HighPart : 0
+0x000 u : __unnamed
+0x000 QuadPart : 656
+0x1c0 ReadTransferCount : _LARGE_INTEGER 0x1254
+0x000 LowPart : 0x1254
+0x004 HighPart : 0
+0x000 u : __unnamed
+0x000 QuadPart : 4692
+0x1c8 WriteTransferCount : _LARGE_INTEGER 0x171c
+0x000 LowPart : 0x171c
+0x004 HighPart : 0
+0x000 u : __unnamed
+0x000 QuadPart : 5916
+0x1d0 OtherTransferCount : _LARGE_INTEGER 0x5385
+0x000 LowPart : 0x5385
+0x004 HighPart : 0
+0x000 u : __unnamed
+0x000 QuadPart : 21381
+0x1d8 CommitChargeLimit : 0
+0x1dc CommitChargePeak : 0x182
+0x1e0 AweInfo : (null)
+0x1e4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x000 ImageFileName : 0x811f1b58 _OBJECT_NAME_INFORMATION
+0x1e8 Vm : _MMSUPPORT
+0x000 WorkingSetExpansionLinks : _LIST_ENTRY [ 0x808ad410 - 0x81297aa8 ]
+0x008 LastTrimTime : _LARGE_INTEGER 0x1c8aff2`273b0893
+0x010 Flags : _MMSUPPORT_FLAGS
+0x014 PageFaultCount : 0x584
+0x018 PeakWorkingSetSize : 0x481
+0x01c GrowthSinceLastEstimate : 0x584
+0x020 MinimumWorkingSetSize : 0x32
+0x024 MaximumWorkingSetSize : 0x159
+0x028 VmWorkingSetList : 0xc0502000 _MMWSL
+0x02c Claim : 0
+0x030 NextEstimationSlot : 0
+0x034 NextAgingSlot : 0
+0x038 EstimatedAvailable : 0
+0x03c WorkingSetSize : 0x481
+0x040 WorkingSetMutex : _EX_PUSH_LOCK
+0x230 MmProcessLinks : _LIST_ENTRY [ 0x808a8e08 - 0x81297af0 ]
+0x000 Flink : 0x808a8e08 _LIST_ENTRY [ 0x808a0230 - 0x8163ce20 ]
+0x004 Blink : 0x81297af0 _LIST_ENTRY [ 0x8163ce20 - 0x8120cc70 ]
+0x238 ModifiedPageCount : 0x764
+0x23c JobStatus : 0
+0x240 Flags : 0x450801
+0x240 CreateReported : 0y1
+0x240 NoDebugInherit : 0y0
+0x240 ProcessExiting : 0y0
+0x240 ProcessDelete : 0y0
+0x240 Wow64SplitPages : 0y0
+0x240 VmDeleted : 0y0
+0x240 OutswapEnabled : 0y0
+0x240 Outswapped : 0y0
+0x240 ForkFailed : 0y0
+0x240 Wow64VaSpace4Gb : 0y0
+0x240 AddressSpaceInitialized : 0y10
+0x240 SetTimerResolution : 0y0
+0x240 BreakOnTermination : 0y0
+0x240 SessionCreationUnderway : 0y0
+0x240 WriteWatch : 0y0
+0x240 ProcessInSession : 0y1
+0x240 OverrideAddressSpace : 0y0
+0x240 HasAddressSpace : 0y1
+0x240 LaunchPrefetched : 0y0
+0x240 InjectInpageErrors : 0y0
+0x240 VmTopDown : 0y0
+0x240 ImageNotifyDone : 0y1
+0x240 PdeUpdateNeeded : 0y0
+0x240 VdmAllowed : 0y0
+0x240 SmapAllowed : 0y0
+0x240 CreateFailed : 0y0
+0x240 DefaultIoPriority : 0y000
+0x240 Spare1 : 0y0
+0x240 Spare2 : 0y0
+0x244 ExitStatus : 259
+0x248 NextPageColor : 0xe4d2
+0x24a SubSystemMinorVersion : 0 ''
+0x24b SubSystemMajorVersion : 0x4 ''
+0x24a SubSystemVersion : 0x400
+0x24c PriorityClass : 0x3 ''
+0x250 VadRoot : _MM_AVL_TABLE
+0x000 BalancedRoot : _MMADDRESS_NODE
+0x014 DepthOfTree : 0y00111 (0x7)
+0x014 Unused : 0y000
+0x014 NumberGenericTableElements : 0y000000000000000001010100 (0x54)
+0x018 NodeHint : 0x811b2b80
+0x01c NodeFreeHint : (null)
+0x270 Cookie : 0x26f245ab
nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x080 ProcessLock : _EX_PUSH_LOCK
+0x088 CreateTime : _LARGE_INTEGER 0x1c87ec2`f35608ed
+0x090 ExitTime : _LARGE_INTEGER 0x0
+0x098 RundownProtect : _EX_RUNDOWN_REF
+0x09c UniqueProcessId : 0x00000768
+0x0a0 ActiveProcessLinks : _LIST_ENTRY [ 0x8532d260 - 0x8533d0c0 ]
+0x0a8 QuotaUsage : [3] 0x4c88
+0x0b4 QuotaPeak : [3] 0x50e8
+0x0c0 CommitCharge : 0xd13
+0x0c4 PeakVirtualSize : 0xa09d000
+0x0c8 VirtualSize : 0x9445000
+0x0cc SessionProcessLinks : _LIST_ENTRY [ 0x85311b64 - 0x8533d0ec ]
+0x0d4 DebugPort : (null)
+0x0d8 ExceptionPortData : 0x851a5030
+0x0d8 ExceptionPortValue : 0x851a5030
+0x0d8 ExceptionPortState : 0y000
+0x0dc ObjectTable : 0x92ef1260 _HANDLE_TABLE
+0x0e0 Token : _EX_FAST_REF
+0x0e4 WorkingSetPage : 0x84c1
+0x0e8 AddressCreationLock : _EX_PUSH_LOCK
+0x0ec RotateInProgress : (null)
+0x0f0 ForkInProgress : (null)
+0x0f4 HardwareTrigger : 0
+0x0f8 PhysicalVadRoot : (null)
+0x0fc CloneRoot : (null)
+0x100 NumberOfPrivatePages : 0x76e
+0x104 NumberOfLockedPages : 0
+0x108 Win32Process : 0xfe6847c0
+0x10c Job : (null)
+0x110 SectionObject : 0x92ef1030
+0x114 SectionBaseAddress : 0x006d0000
+0x118 QuotaBlock : 0x84fd6370 _EPROCESS_QUOTA_BLOCK
+0x11c WorkingSetWatch : (null)
+0x120 Win32WindowStation : 0x00000034
+0x124 InheritedFromUniqueProcessId : 0x00000728
+0x128 LdtInformation : (null)
+0x12c Spare : (null)
+0x130 VdmObjects : (null)
+0x134 DeviceMap : 0x8f5d9990
+0x138 EtwDataSource : (null)
+0x13c FreeTebHint : 0x7ffde000
+0x140 PageDirectoryPte : _HARDWARE_PTE
+0x140 Filler : 0
+0x148 Session : 0x8970c000
+0x14c ImageFileName : [16] "explorer.exe"
+0x15c JobLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x164 LockedPagesList : (null)
+0x168 ThreadListHead : _LIST_ENTRY [ 0x85308278 - 0x852f0950 ]
+0x170 SecurityPort : (null)
+0x174 PaeTop : 0x84b5b340
+0x178 ActiveThreads : 0x19
+0x17c ImagePathHash : 0x7a3328da
+0x180 DefaultHardErrorProcessing : 0
+0x184 LastThreadExitStatus : 0
+0x188 Peb : 0x7ffd8000 _PEB
+0x18c PrefetchTrace : _EX_FAST_REF
+0x190 ReadOperationCount : _LARGE_INTEGER 0x2b0
+0x198 WriteOperationCount : _LARGE_INTEGER 0xa
+0x1a0 OtherOperationCount : _LARGE_INTEGER 0x2f54
+0x1a8 ReadTransferCount : _LARGE_INTEGER 0x63ef8
+0x1b0 WriteTransferCount : _LARGE_INTEGER 0x420
+0x1b8 OtherTransferCount : _LARGE_INTEGER 0xaafc45
+0x1c0 CommitChargeLimit : 0
+0x1c4 CommitChargePeak : 0xd99
+0x1c8 AweInfo : (null)
+0x1cc SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1d0 Vm : _MMSUPPORT
+0x218 MmProcessLinks : _LIST_ENTRY [ 0x8532d3d8 - 0x8533d238 ]
+0x220 ModifiedPageCount : 0x5a7
+0x224 Flags2 : 0xd000
+0x224 JobNotReallyActive : 0y0
+0x224 AccountingFolded : 0y0
+0x224 NewProcessReported : 0y0
+0x224 ExitProcessReported : 0y0
+0x224 ReportCommitChanges : 0y0
+0x224 LastReportMemory : 0y0
+0x224 ReportPhysicalPageChanges : 0y0
+0x224 HandleTableRundown : 0y0
+0x224 NeedsHandleRundown : 0y0
+0x224 RefTraceEnabled : 0y0
+0x224 NumaAware : 0y0
+0x224 ProtectedProcess : 0y0
+0x224 DefaultPagePriority : 0y101
+0x224 PrimaryTokenFrozen : 0y1
+0x224 ProcessVerifierTarget : 0y0
+0x224 StackRandomizationDisabled : 0y0
+0x224 AffinityPermanent : 0y0
+0x224 AffinityUpdateEnable : 0y0
+0x224 CrossSessionCreate : 0y0
+0x228 Flags : 0x144d0801
+0x228 CreateReported : 0y1
+0x228 NoDebugInherit : 0y0
+0x228 ProcessExiting : 0y0
+0x228 ProcessDelete : 0y0
+0x228 Wow64SplitPages : 0y0
+0x228 VmDeleted : 0y0
+0x228 OutswapEnabled : 0y0
+0x228 Outswapped : 0y0
+0x228 ForkFailed : 0y0
+0x228 Wow64VaSpace4Gb : 0y0
+0x228 AddressSpaceInitialized : 0y10
+0x228 SetTimerResolution : 0y0
+0x228 BreakOnTermination : 0y0
+0x228 DeprioritizeViews : 0y0
+0x228 WriteWatch : 0y0
+0x228 ProcessInSession : 0y1
+0x228 OverrideAddressSpace : 0y0
+0x228 HasAddressSpace : 0y1
+0x228 LaunchPrefetched : 0y1
+0x228 InjectInpageErrors : 0y0
+0x228 VmTopDown : 0y0
+0x228 ImageNotifyDone : 0y1
+0x228 PdeUpdateNeeded : 0y0
+0x228 VdmAllowed : 0y0
+0x228 SmapAllowed : 0y0
+0x228 ProcessInserted : 0y1
+0x228 DefaultIoPriority : 0y010
+0x228 ProcessSelfDelete : 0y0
+0x228 SpareProcessFlags : 0y0
+0x22c ExitStatus : 259
+0x230 Spare7 : 0
+0x232 SubSystemMinorVersion : 0 ''
+0x233 SubSystemMajorVersion : 0x6 ''
+0x232 SubSystemVersion : 0x600
+0x234 PriorityClass : 0x2 ''
+0x238 VadRoot : _MM_AVL_TABLE
+0x258 Cookie : 0x72607a1f
+0x25c AlpcContext : _ALPC_PROCESS_CONTEXT
kd> dt nt!_KPROCESS 8535f020
+0x000 Header : _DISPATCHER_HEADER
+0x010 ProfileListHead : _LIST_ENTRY [ 0x8535f030 - 0x8535f030 ]
+0x018 DirectoryTableBase : 0x1f75b340
+0x01c Unused0 : 0
+0x020 LdtDescriptor : _KGDTENTRY
+0x028 Int21Descriptor : _KIDTENTRY
+0x030 IopmOffset : 0x20ac
+0x032 Unused1 : 0 ''
+0x033 Unused2 : 0 ''
+0x034 ActiveProcessors : 0
+0x038 KernelTime : 0x7e
+0x03c UserTime : 0x22
+0x040 ReadyListHead : _LIST_ENTRY [ 0x8535f060 - 0x8535f060 ]
+0x048 SwapListEntry : _SINGLE_LIST_ENTRY
+0x04c VdmTrapcHandler : (null)
+0x050 ThreadListHead : _LIST_ENTRY [ 0x853081f4 - 0x852f08cc ]
+0x058 ProcessLock : 0
+0x05c Affinity : 1
+0x060 AutoAlignment : 0y0
+0x060 DisableBoost : 0y0
+0x060 DisableQuantum : 0y0
+0x060 ReservedFlags : 0y00000000000000000000000000000 (0)
+0x060 ProcessFlags : 0
+0x064 BasePriority : 8 ''
+0x065 QuantumReset : 6 ''
+0x066 State : 0 ''
+0x067 ThreadSeed : 0 ''
+0x068 PowerState : 0 ''
+0x069 IdealNode : 0 ''
+0x06a Visited : 0 ''
+0x06b Flags : _KEXECUTE_OPTIONS
+0x06b ExecuteOptions : 0x72 'r'
+0x06c StackCount : 0x19
+0x070 ProcessListEntry : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x078 CycleTime : 0x1`236c8e36