Thread Information Structure (TIS)
Details about the internal data structure used by the Windows kernel to manage thread information.
Introduction
The Thread Information Structure (TIS) is a critical kernel data structure that holds all relevant information about a thread's state, context, and resources. It's the central point for the operating system's management of thread execution, scheduling, and synchronization.
TIS Fields
The TIS is comprised of numerous fields, each serving a specific purpose. Some of the key fields include:
| Field Name | Type | Description |
|---|---|---|
ThreadId |
ULONG_PTR |
Unique identifier for the thread. |
ProcessObject |
PEPROCESS |
Pointer to the parent process's EPROCESS structure. |
ThreadState |
KTHREAD_STATE |
Current state of the thread (e.g., Running, Ready, Waiting). |
KernelStack |
PVOID |
Pointer to the kernel stack allocated for the thread. |
UserStack |
PVOID |
Pointer to the user-mode stack. |
Teb |
PTEB |
Pointer to the Thread Environment Block (TEB). |
Quantum |
KTIME |
Time slice allocated to the thread. |
Affinity |
KAFFINITY |
Processor affinity mask for the thread. |
WaitStatus |
NTSTATUS |
Status code if the thread is currently waiting. |
WaitReason |
KWAIT_REASON |
Reason why the thread is currently waiting. |
Accessing TIS Information
Direct access to the TIS is generally restricted to kernel-mode components. User-mode applications can obtain thread-specific information through Windows API functions such as:
GetCurrentThreadId()GetThreadContext()NtQueryInformationThread()(via kernel32.dll wrappers)
The NtQueryInformationThread API allows for querying various thread attributes by providing a specific THREAD_INFORMATION_CLASS enumeration value. This provides a controlled interface for retrieving information from the TIS without exposing its internal structure directly.
Internal Structure and Memory Layout
The TIS is typically embedded within the kernel's internal KTHREAD structure. The exact memory layout and available fields can vary slightly between Windows versions and kernel architectures (x86, x64, ARM). Understanding the layout is crucial for advanced debugging and kernel development.
Example of obtaining Thread ID (Conceptual User-Mode)
#include <windows.h>
#include <iostream>
int main() {
DWORD threadId = GetCurrentThreadId();
std::wcout << L"Current Thread ID: " << threadId << std::endl;
return 0;
}
Related Structures
KTHREAD: The primary kernel structure containing the thread's execution context and control information. The TIS is often considered part of or closely related to theKTHREADstructure.TEB(Thread Environment Block): A user-mode structure containing thread-specific information, such as thread-local storage, exception handler pointers, and basic thread state. The TIS contains a pointer to the TEB.PEPROCESS: The kernel structure representing a process, which owns one or more threads.
Evolution and Versioning
The Thread Information Structure has evolved significantly over the history of Windows. Microsoft occasionally modifies the internal fields and layout of the TIS with new releases to introduce new features or optimize performance. Documentation for specific Windows versions is essential for accurate understanding.