Using !kuser to find _KUSER_SHARED_DATA

The _KUSER_SHARED_DATA structure contains some interesting information related to the currently logged on user, we can obtain the address of this data structure by using the !kuser extension in WinDbg. Most of the fields aren’t officially documented from what I can find, but you should be easily be able to work out what they mean from their names.

Using the address with the _KUSER_SHARED_DATA will provide the following (omitted structure):

There is some debugging bit fields within this structure, so you can check what debugging features have been enabled for that user. It also contains some basic system information.

Additional Reading:

The System Call Dispatcher on x86

struct KUSER_SHARED_DATA


Advertisements

About 0x14c

I'm a Computer Science student and writer. My primary interests are Graph Theory, Number Theory, Programming Language Theory, Logic and Windows Debugging.
This entry was posted in Debugging, WinDbg, Windows Internals. Bookmark the permalink.

One Response to Using !kuser to find _KUSER_SHARED_DATA

  1. Great post as always Harry 🙂

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s