Process Environment Block

Last updated February 03, 2021

In computing the Process Environment Block (abbreviated PEB) is a data structure in the Windows NT operating system family. It is an opaque data structure that is used by the operating system internally, most of whose fields are not intended for use by anything other than the operating system.^[1] Microsoft notes, in its MSDN Library documentation — which documents only a few of the fields — that the structure "may be altered in future versions of Windows".^[2] The PEB contains data structures that apply across a whole process, including global context, startup parameters, data structures for the program image loader, the program image base address, and synchronization objects used to provide mutual exclusion for process-wide data structures.^[1]

The PEB is closely associated with the kernel mode EPROCESS data structure, as well as with per-process data structures managed within the address space of the Client-Server Runtime Sub-System process. However, (like the CSRSS data structures) the PEB is not a kernel mode data structure itself. It resides in the application mode address space of the process that it relates to. This is because it is designed to be used by the application-mode code in the operating system libraries, such as NTDLL, that executes outside of kernel mode, such as the code for the program image loader and the heap manager.^[3]

In WinDbg, the command that dumps the contents of a PEB is the !peb command, which is passed the address of the PEB within a process' application address space. That information, in turn, is obtained by the !process command, which displays the information from the EPROCESS data structure, one of whose fields is the address of the PEB.^[3]

Fields of the PEB that are documented by Microsoft^[2]
Field	meaning	notes
`BeingDebugged`	Whether the process is being debugged	Microsoft recommends not using this field but using the official Win32 `CheckRemoteDebuggerPresent()` library function instead.^[2]
Ldr	A pointer to a `PEB_LDR_DATA` structure providing information about loaded modules	Contains the base address of kernel32 and ntdll.
ProcessParameters	A pointer to a `RTL_USER_PROCESS_PARAMETERS` structure providing information about process startup parameters	The `RTL_USER_PROCESS_PARAMETERS` structure is also mostly opaque and not guaranteed to be consistent across multiple versions of Windows.^[4]
PostProcessInitRoutine	A pointer to a callback function called after DLL initialization but before the main executable code is invoked	This callback function is used on Windows 2000, but is not guaranteed to be used on later versions of Windows NT.^[2]
SessionId	The session ID of the Terminal Services session that the process is part of	The `NtCreateUserProcess()` system call initializes this by calling the kernel's internal `MmGetSessionId()` function.^[3]

The contents of the PEB are initialized by the NtCreateUserProcess() system call, the Native API function that implements part of, and underpins, the Win32 CreateProcess(), CreateProcessAsUser(), CreateProcessWithTokenW(), and CreateProcessWithLogonW() library functions that are in the kernel32.dll and advapi32.dll libraries as well as underpinning the fork() function in the Windows NT POSIX library, posix.dll.^[3]

For Windows NT POSIX processes, the contents of a new process' PEB are initialized by NtCreateUserProcess() as simply a direct copy of the parent process' PEB, in line with how the fork() function operates. For Win32 processes, the initial contents of a new process' PEB are mainly taken from global variables maintained within the kernel. However, several fields may instead be taken from information provided within the process' image file, in particular information provided in the IMAGE_OPTIONAL_HEADER32 data structure within the PE file format (PE+ or PE32+ in 64 bit executable images).^[3]

Fields from a PEB that are initialized from kernel global variables^[3]
Field	is initialized from	overridable by PE information?
`NumberOfProcessors`	`KeNumberOfProcessors`	No
`NtGlobalFlag`	`NtGlobalFlag`	No
`CriticalSectionTimeout`	`MmCriticalSectionTimeout`	No
`HeapSegmentReserve`	`MmHeapSegmentReserve`	No
`HeapSegmentCommit`	`MmHeapSegmentCommit`	No
`HeapDeCommitTotalFreeThreshold`	`MmHeapDeCommitTotalFreeThreshold`	No
`HeapDeCommitFreeBlockThreshold`	`MmHeapDeCommitFreeBlockThreshold`	No
`MinimumStackCommit`	`MmMinimumStackCommitInBytes`	No
`ImageProcessAffinityMask`	`KeActiveProcessors`	`ImageLoadConfigDirectory.ProcessAffinityMask`
`OSMajorVersion`	`NtMajorVersion`	`OptionalHeader.Win32VersionValue&0xFF`
`OSMinorVersion`	`NtMinorVersion`	`(OptionalHeader.Win32VersionValue>>8)&0xFF`
`OSBuildNumber`	`NtBuildNumber&0x3FFF` combined with `CmNtCSDVersion`	`(OptionalHeader.Win32VersionValue>>16)&0x3FFF` combined with `ImageLoadConfigDirectory.CmNtCSDVersion`
`OSPlatformId`	`VER_PLATFORM_WIN32_NT`	`(OptionalHeader.Win32VersionValue>>30)^0x2`

The WineHQ project provides a fuller PEB definition in its version of winternl.h.^[5] Later versions of Windows have adjusted the number and purpose of some fields.^[6]

Related Research Articles

The Portable Operating System Interface (POSIX) is a family of standards specified by the IEEE Computer Society for maintaining compatibility between operating systems. POSIX defines the application programming interface (API), along with command line shells and utility interfaces, for software compatibility with variants of Unix and other operating systems.

The Portable Executable (PE) format is a file format for executables, object code, DLLs and others used in 32-bit and 64-bit versions of Windows operating systems. The PE format is a data structure that encapsulates the information necessary for the Windows OS loader to manage the wrapped executable code. This includes dynamic library references for linking, API export and import tables, resource management data and thread-local storage (TLS) data. On NT operating systems, the PE format is used for EXE, DLL, SYS, MUI and other file types. The Unified Extensible Firmware Interface (UEFI) specification states that PE is the standard executable format in EFI environments.

The Windows API, informally WinAPI, is Microsoft's core set of application programming interfaces (APIs) available in the Microsoft Windows operating systems. The name Windows API collectively refers to several different platform implementations that are often referred to by their own names ; see the versions section. Almost all Windows programs interact with the Windows API. On the Windows NT line of operating systems, a small number use the Native API.

NTLDR is the boot loader for all releases of Windows NT operating system up to and including Windows XP and Windows Server 2003. NTLDR is typically run from the primary hard disk drive, but it can also run from portable storage devices such as a CD-ROM, USB flash drive, or floppy disk. NTLDR can also load a non NT-based operating system given the appropriate boot sector in a file.

In computing, a virtual address space (VAS) or address space is the set of ranges of virtual addresses that an operating system makes available to a process. The range of virtual addresses usually starts at a low address and can extend to the highest address allowed by the computer's instruction set architecture and supported by the operating system's pointer size implementation, which can be 4 bytes for 32-bit or 8 bytes for 64-bit OS versions. This provides several benefits, one of which is security through process isolation assuming each process is given a separate address space.

The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the registry. The kernel, device drivers, services, Security Accounts Manager, and user interface can all use the registry. The registry also allows access to counters for profiling system performance.

The architecture of Windows NT, a line of operating systems produced and sold by Microsoft, is a layered design that consists of two main components, user mode and kernel mode. It is a preemptive, reentrant multitasking operating system, which has been designed to work with uniprocessor and symmetrical multiprocessor (SMP)-based computers. To process input/output (I/O) requests, they use packet-driven I/O, which utilizes I/O request packets (IRPs) and asynchronous I/O. Starting with Windows XP, Microsoft began making 64-bit versions of Windows available; before this, there were only 32-bit versions of these operating systems.

Dynamic-link library (DLL) is Microsoft's implementation of the shared library concept in the Microsoft Windows and OS/2 operating systems. These libraries usually have the file extension DLL, OCX, or DRV . The file formats for DLLs are the same as for Windows EXE files – that is, Portable Executable (PE) for 32-bit and 64-bit Windows, and New Executable (NE) for 16-bit Windows. As with EXEs, DLLs can contain code, data, and resources, in any combination.

The Windows NT startup process is the process by which Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003 operating systems initialize. In Windows Vista and later, this process has changed significantly; see Windows Vista startup process for information about what has changed.

The Native API is a lightweight application programming interface (API) used by Windows NT and user mode applications. This API is used in the early stages of Windows NT startup process, when other components and APIs are still unavailable. Therefore, a few Windows components, such as the Client/Server Runtime Subsystem (CSRSS), are implemented using the Native API. The Native API is also used by subroutines such as those in kernel32.dll that implement the Windows API, the API based on which most of the Windows components are created.

In computing ntoskrnl.exe, also known as kernel image, provides the kernel and executive layers of the Microsoft Windows NT kernel space, and is responsible for various system services such as hardware abstraction, process and memory management, thus making it a fundamental part of the system. It contains the cache manager, the executive, the kernel, the security reference monitor, the memory manager, and the scheduler (Dispatcher).

A hybrid kernel is an operating system kernel architecture that attempts to combine aspects and benefits of microkernel and monolithic kernel architectures used in computer operating systems.

In computer programming, DLL injection is a technique used for running code within the address space of another process by forcing it to load a dynamic-link library. DLL injection is often used by external programs to influence the behavior of another program in a way its authors did not anticipate or intend. For example, the injected code could hook system function calls, or read the contents of password textboxes, which cannot be done the usual way. A program used to inject arbitrary code into arbitrary processes is called a DLL injector.

Microsoft Windows OS family employs some exception handling mechanisms that are based on the operating system specifics.

The Microsoft Windows operating system supports a form of shared libraries known as "dynamic-link libraries", which are code libraries that can be used by multiple processes while only one copy is loaded into memory. This article provides an overview of the core libraries that are included with every modern Windows installation, on top of which most Windows applications are built.

Client Server Runtime Subsystem, or csrss.exe, is a component of the Windows NT family of operating systems that provides the user mode side of the Win32 subsystem and is included in Windows NT 3.1 and later. Because most of the Win32 subsystem operations have been moved to kernel mode drivers in Windows NT 4 and later, CSRSS is mainly responsible for Win32 console handling and GUI shutdown. It is critical to system operation; therefore, terminating this process will result in system failure. Under normal circumstances, CSRSS cannot be terminated with the taskkill command or with Windows Task Manager, although it is possible in Windows Vista if the Task Manager is run in Administrator mode. On Windows 7 and later, Task Manager will inform the user that terminating the process may result in system failure, and prompt if they want to continue. In Windows NT 4.0 however, terminating CSRSS without the Session Manager Subsystem (SMSS) watching will not crash the system.(at 0:31) However in Windows XP, terminating CSRSS without SMSS watching will crash the system due to the critical bit being set in RAM for csrss.exe.

Microsoft POSIX subsystem is one of four subsystems shipped with the first versions of Windows NT, the other three being the Win32 subsystem which provided the primary API for Windows NT, plus the OS/2 and security subsystems.

Windows NT is a family of operating systems produced by Microsoft, the first version of which was released on July 27, 1993. It is a processor-independent, multiprocessing and multi-user operating system.

In computing on Microsoft platforms, WoW64 is a subsystem of the Windows operating system capable of running 32-bit applications on 64-bit Windows. It is included in all 64-bit versions of Windows—including Windows XP Professional x64 Edition, IA-64 and x64 versions of Windows Server 2003, as well as 64-bit versions of Windows Vista, Windows Server 2008, Windows 7, Windows 8, Windows Server 2012, Windows 8.1 and Windows 10. In Windows Server 2008 R2 Server Core, it is an optional component. It is not available in Windows Nano Server variants. WoW64 aims to take care of many of the differences between 32-bit Windows and 64-bit Windows, particularly involving structural changes to Windows itself.

The Windows 9x series of operating systems refers to the kernel which lies at the heart of Windows 9x. Its architecture is monolithic.

References

1 2 Rajeev Nagar (1997). Windows NT file system internals: a developer's guide . O'Reilly Series. O'Reilly. pp. 129. ISBN 9781565922495.
1 2 3 4 "Process and Thread structures: PEB Structure". MSDN Library . Microsoft. 2010-07-15. Archived from the original on 2012-10-22. Retrieved 2010-07-15.
1 2 3 4 5 6 Mark E. Russinovich, David A. Solomon, and Alex Ionescu (2009). Windows internals. Microsoft Press Series (5th ed.). Microsoft Press. pp. 335–336, 341–342, 348, 357–358. ISBN 9780735625303.CS1 maint: multiple names: authors list (link)
↑ "Process and Thread structures: RTL_USER_PROCESS_PARAMETERS Structure". MSDN Library . Microsoft. 2010-07-15. Retrieved 2010-07-15.
↑ "wine winternl.h: typedef struct _PEB". GitHub. wine-mirror. 29 October 2019.
↑ Chappel, Geoff. "PEB" . Retrieved 30 October 2019.

External links

PEB definitions for various Windows versions

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[Nagar1997-1] 1 2 Rajeev Nagar (1997). Windows NT file system internals: a developer's guide . O'Reilly Series. O'Reilly. pp. 129. ISBN 9781565922495.

[MSDN1-2] 1 2 3 4 "Process and Thread structures: PEB Structure". MSDN Library . Microsoft. 2010-07-15. Archived from the original on 2012-10-22. Retrieved 2010-07-15.

[Internals5-3] 1 2 3 4 5 6 Mark E. Russinovich, David A. Solomon, and Alex Ionescu (2009). Windows internals. Microsoft Press Series (5th ed.). Microsoft Press. pp. 335–336, 341–342, 348, 357–358. ISBN 9780735625303.CS1 maint: multiple names: authors list (link)

[MSDN3-4] "Process and Thread structures: RTL_USER_PROCESS_PARAMETERS Structure". MSDN Library . Microsoft. 2010-07-15. Retrieved 2010-07-15.

[wine-winternl-5] "wine winternl.h: typedef struct _PEB". GitHub. wine-mirror. 29 October 2019.

[6] Chappel, Geoff. "PEB" . Retrieved 30 October 2019.

[1]

[2]

[3]

[4]

[5]

[6]