In computing the Process Environment Block (abbreviated PEB) is a data structure in the Windows NT operating system family. It is an opaque data structure that is used by the operating system internally, most of whose fields are not intended for use by anything other than the operating system. Microsoft notes, in its MSDN Library documentation — which documents only a few of the fields — that the structure "may be altered in future versions of Windows". The PEB contains data structures that apply across a whole process, including global context, startup parameters, data structures for the program image loader, the program image base address, and synchronization objects used to provide mutual exclusion for process-wide data structures.
The PEB is closely associated with the kernel mode
In WinDbg, the command that dumps the contents of a PEB is the !peb
command, which is passed the address of the PEB within a process' application address space. That information, in turn, is obtained by the !process
command, which displays the information from the
Field | meaning | notes | |
---|---|---|---|
BeingDebugged | Whether the process is being debugged | Microsoft recommends not using this field but using the official Win32 | |
Ldr | A pointer to a | Contains the base address of kernel32 and ntdll. | |
ProcessParameters | A pointer to a | The | |
PostProcessInitRoutine | A pointer to a callback function called after DLL initialization but before the main executable code is invoked | This callback function is used on Windows 2000, but is not guaranteed to be used on later versions of Windows NT. | |
SessionId | The session ID of the Terminal Services session that the process is part of | The |
The contents of the PEB are initialized by the [[fork (file system)|fork]]
function in the Windows NT POSIX library, posix.dll.
For Windows NT POSIX processes, the contents of a new process' PEB are initialized by
Field | is initialized from | overridable by PE information? | |
---|---|---|---|
NumberOfProcessors | KeNumberOfProcessors | ||
NtGlobalFlag | NtGlobalFlag | ||
CriticalSectionTimeout | MmCriticalSectionTimeout | ||
HeapSegmentReserve | MmHeapSegmentReserve | ||
HeapSegmentCommit | MmHeapSegmentCommit | ||
HeapDeCommitTotalFreeThreshold | MmHeapDeCommitTotalFreeThreshold | ||
HeapDeCommitFreeBlockThreshold | MmHeapDeCommitFreeBlockThreshold | ||
MinimumStackCommit | MmMinimumStackCommitInBytes | ||
ImageProcessAffinityMask | KeActiveProcessors | ||
OSMajorVersion | NtMajorVersion | ||
OSMinorVersion | NtMinorVersion | ||
OSBuildNumber | CmNtCSDVersion | ||
OSPlatformId |
The WineHQ project provides a fuller PEB definition in its version of winternl.h.[1] Later versions of Windows have adjusted the number and purpose of some fields.[2]