
ZwQuerySystemInformation Function

by WeZZ 2008. 10. 24.



[ZwQuerySystemInformation may be altered or unavailable in subsequent versions of Windows. Applications should use the alternate functions listed in this topic.]

Retrieves the specified system information.

Syntax

NTSTATUS WINAPI ZwQuerySystemInformation(
  __in       SYSTEM_INFORMATION_CLASS SystemInformationClass,
  __inout    PVOID SystemInformation,
  __in       ULONG SystemInformationLength,
  __out_opt  PULONG ReturnLength
);

Parameters

SystemInformationClass [in]

The type of system information to be retrieved. This parameter can be one of the following values from the SYSTEM_INFORMATION_CLASS enumeration type.

SystemBasicInformation

The number of processors in the system in a SYSTEM_BASIC_INFORMATION structure. Use the GetSystemInfo function instead.

SystemPerformanceInformation

An opaque SYSTEM_PERFORMANCE_INFORMATION structure that can be used to generate an unpredictable seed for a random number generator. Use the CryptGenRandom function instead.

SystemTimeOfDayInformation

An opaque SYSTEM_TIMEOFDAY_INFORMATION structure that can be used to generate an unpredictable seed for a random number generator. Use the CryptGenRandom function instead.

SystemProcessInformation

An array of SYSTEM_PROCESS_INFORMATION structures, one for each process running in the system.

These structures contain information about the resource usage of each process, including the number of handles used by the process, the peak page-file usage, and the number of memory pages that the process has allocated.

SystemProcessorPerformanceInformation

An array of SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION structures, one for each processor installed in the system.

SystemInterruptInformation

An opaque SYSTEM_INTERRUPT_INFORMATION structure that can be used to generate an unpredictable seed for a random number generator. Use the CryptGenRandom function instead.

SystemExceptionInformation

An opaque SYSTEM_EXCEPTION_INFORMATION structure that can be used to generate an unpredictable seed for a random number generator. Use the CryptGenRandom function instead.

SystemRegistryQuotaInformation

A SYSTEM_REGISTRY_QUOTA_INFORMATION structure.

SystemLookasideInformation

An opaque SYSTEM_LOOKASIDE_INFORMATION structure that can be used to generate an unpredictable seed for a random number generator. Use the CryptGenRandom function instead.

SystemInformation [in, out]

A pointer to a buffer that receives the requested information. The size and structure of this information varies depending on the value of the SystemInformationClass parameter, as indicated in the following table.

SYSTEM_BASIC_INFORMATION

When the SystemInformationClass parameter is SystemBasicInformation, the buffer pointed to by the SystemInformation parameter should be large enough to hold a single SYSTEM_BASIC_INFORMATION structure having the following layout:

typedef struct _SYSTEM_BASIC_INFORMATION {
    BYTE Reserved1[24];
    PVOID Reserved2[4];
    CCHAR NumberOfProcessors;
} SYSTEM_BASIC_INFORMATION;

The NumberOfProcessors member contains the number of processors present in the system. Use GetSystemInfo instead to retrieve this information.

The other members of the structure are reserved for internal use by the operating system.

SYSTEM_PERFORMANCE_INFORMATION

When the SystemInformationClass parameter is SystemPerformanceInformation, the buffer pointed to by the SystemInformation parameter should be large enough to hold an opaque SYSTEM_PERFORMANCE_INFORMATION structure for use in generating an unpredictable seed for a random number generator. For this purpose, the structure has the following layout:

typedef struct _SYSTEM_PERFORMANCE_INFORMATION {
    BYTE Reserved1[312];
} SYSTEM_PERFORMANCE_INFORMATION;

Individual members of the structure are reserved for internal use by the operating system.

Use the CryptGenRandom function instead to generate cryptographically random data.

SYSTEM_TIMEOFDAY_INFORMATION

When the SystemInformationClass parameter is SystemTimeOfDayInformation, the buffer pointed to by the SystemInformation parameter should be large enough to hold an opaque SYSTEM_TIMEOFDAY_INFORMATION structure for use in generating an unpredictable seed for a random number generator. For this purpose, the structure has the following layout:

typedef struct _SYSTEM_TIMEOFDAY_INFORMATION {
    BYTE Reserved1[48];
} SYSTEM_TIMEOFDAY_INFORMATION;

Individual members of the structure are reserved for internal use by the operating system.

Use the CryptGenRandom function instead to generate cryptographically random data.

SYSTEM_PROCESS_INFORMATION

When the SystemInformationClass parameter is SystemProcessInformation, the buffer pointed to by the SystemInformation parameter should be large enough to hold an array that contains as many SYSTEM_PROCESS_INFORMATION structures as there are processes running in the system. Each structure has the following layout:

typedef struct _SYSTEM_PROCESS_INFORMATION {
    ULONG NextEntryOffset;
    ULONG NumberOfThreads;
    BYTE Reserved1[48];
    PVOID Reserved2[3];
    HANDLE UniqueProcessId;
    PVOID Reserved3;
    ULONG HandleCount;
    BYTE Reserved4[4];
    PVOID Reserved5[11];
    SIZE_T PeakPagefileUsage;
    SIZE_T PrivatePageCount;
    LARGE_INTEGER Reserved6[6];
} SYSTEM_PROCESS_INFORMATION;

The NumberOfThreads member contains the total number of currently running threads in the process.

The HandleCount member contains the total number of handles being used by the process in question; use GetProcessHandleCount to retrieve this information instead.

The PeakPagefileUsage member contains the maximum number of bytes of page-file storage used by the process, and the PrivatePageCount member contains the number of memory pages allocated for the use of this process.

You can also retrieve this information using either the GetProcessMemoryInfo function or the Win32_Process class.

The other members of the structure are reserved for internal use by the operating system.
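An added example, not part of the original page or the Windows headers: a bounds-checked walk over a SystemProcessInformation reply. NextEntryOffset is the byte distance from one record to the next and is 0 in the last record, so the records are variable-length rather than a plain array. The typedef stand-ins, the function name walk_process_info and the sample buffer are assumptions constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable stand-ins for the Windows types, so the demo builds anywhere. */
typedef uint8_t BYTE;  typedef uint32_t ULONG;  typedef size_t SIZE_T;
typedef void *PVOID;   typedef void *HANDLE;    typedef int64_t LARGE_INTEGER;
typedef struct _SYSTEM_PROCESS_INFORMATION {    /* layout as given on the page */
    ULONG NextEntryOffset;
    ULONG NumberOfThreads;
    BYTE Reserved1[48];
    PVOID Reserved2[3];
    HANDLE UniqueProcessId;
    PVOID Reserved3;
    ULONG HandleCount;
    BYTE Reserved4[4];
    PVOID Reserved5[11];
    SIZE_T PeakPagefileUsage;
    SIZE_T PrivatePageCount;
    LARGE_INTEGER Reserved6[6];
} SYSTEM_PROCESS_INFORMATION;

/* Walks the records in buf[0..len) and adds each NumberOfThreads to *threads.
   Returns the number of records, or -1 if a NextEntryOffset is malformed. */
int walk_process_info(const BYTE *buf, size_t len, ULONG *threads)
{
    size_t off = 0;                                       /* invariant: off <= len */
    for (int count = 1; ; count++) {
        SYSTEM_PROCESS_INFORMATION e;
        if (len - off < sizeof e) return -1;              /* fixed part must fit */
        memcpy(&e, buf + off, sizeof e);                  /* avoids unaligned reads */
        *threads += e.NumberOfThreads;
        if (e.NextEntryOffset == 0) return count;         /* last record */
        if (e.NextEntryOffset < sizeof e) return -1;      /* would overlap itself */
        if (e.NextEntryOffset > len - off) return -1;     /* would leave the buffer */
        off += e.NextEntryOffset;
    }
}

int main(void)
{
    static BYTE buf[1024];                       /* constructed sample, zero-filled */
    SYSTEM_PROCESS_INFORMATION e = {0};
    ULONG threads = 0;
    e.NextEntryOffset = 512; e.NumberOfThreads = 3;
    memcpy(buf, &e, sizeof e);                   /* record 0, next one at +512 */
    e.NextEntryOffset = 0; e.NumberOfThreads = 5;
    memcpy(buf + 512, &e, sizeof e);             /* last record */
    int n = walk_process_info(buf, sizeof buf, &threads);
    return printf("%d records, %u threads\n", n, (unsigned)threads) < 0;
}
```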

SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION

When the SystemInformationClass parameter is SystemProcessorPerformanceInformation, the buffer pointed to by the SystemInformation parameter should be large enough to hold an array that contains as many SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION structures as there are processors (CPUs) installed in the system. Each structure has the following layout:

typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION {
    LARGE_INTEGER IdleTime;
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER Reserved1[2];
    ULONG Reserved2;
} SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION;

The IdleTime member contains the amount of time that the system has been idle, in 1/100ths of a nanosecond.

The KernelTime member contains the amount of time that the system has spent executing in Kernel mode (including all threads in all processes, on all processors), in 1/100ths of a nanosecond.

The UserTime member contains the amount of time that the system has spent executing in User mode (including all threads in all processes, on all processors), in 1/100ths of a nanosecond.

Use GetSystemTimes instead to retrieve this information.

SYSTEM_INTERRUPT_INFORMATION

When the SystemInformationClass parameter is SystemInterruptInformation, the buffer pointed to by the SystemInformation parameter should be large enough to hold an array that contains as many opaque SYSTEM_INTERRUPT_INFORMATION structures as there are processors (CPUs) installed on the system. Each structure, or the array as a whole, can be used to generate an unpredictable seed for a random number generator. For this purpose, the structure has the following layout:

typedef struct _SYSTEM_INTERRUPT_INFORMATION {
    BYTE Reserved1[24];
} SYSTEM_INTERRUPT_INFORMATION;

Individual members of the structure are reserved for internal use by the operating system.

Use the CryptGenRandom function instead to generate cryptographically random data.

SYSTEM_EXCEPTION_INFORMATION

When the SystemInformationClass parameter is SystemExceptionInformation, the buffer pointed to by the SystemInformation parameter should be large enough to hold an opaque SYSTEM_EXCEPTION_INFORMATION structure for use in generating an unpredictable seed for a random number generator. For this purpose, the structure has the following layout:

typedef struct _SYSTEM_EXCEPTION_INFORMATION {
    BYTE Reserved1[16];
} SYSTEM_EXCEPTION_INFORMATION;

Individual members of the structure are reserved for internal use by the operating system.

Use the CryptGenRandom function instead to generate cryptographically random data.

SYSTEM_REGISTRY_QUOTA_INFORMATION

When the SystemInformationClass parameter is SystemRegistryQuotaInformation, the buffer pointed to by the SystemInformation parameter should be large enough to hold a single SYSTEM_REGISTRY_QUOTA_INFORMATION structure having the following layout:

typedef struct _SYSTEM_REGISTRY_QUOTA_INFORMATION {
    ULONG RegistryQuotaAllowed;
    ULONG RegistryQuotaUsed;
    PVOID Reserved1;
} SYSTEM_REGISTRY_QUOTA_INFORMATION;

The RegistryQuotaAllowed member contains the maximum size, in bytes, that the Registry can attain on this system.

The RegistryQuotaUsed member contains the current size of the Registry, in bytes.

Use GetSystemRegistryQuota instead to retrieve this information.

The other member of the structure is reserved for internal use by the operating system.

SYSTEM_LOOKASIDE_INFORMATION

When the SystemInformationClass parameter is SystemLookasideInformation, the buffer pointed to by the SystemInformation parameter should be large enough to hold an opaque SYSTEM_LOOKASIDE_INFORMATION structure for use in generating an unpredictable seed for a random number generator. For this purpose, the structure has the following layout:

typedef struct _SYSTEM_LOOKASIDE_INFORMATION {
    BYTE Reserved1[32];
} SYSTEM_LOOKASIDE_INFORMATION;

Individual members of the structure are reserved for internal use by the operating system.

Use the CryptGenRandom function instead to generate cryptographically random data.

SystemInformationLength [in]

The size of the buffer pointed to by the SystemInformation parameter, in bytes.

ReturnLength [out, optional]

An optional pointer to a location where the function writes the actual size of the information requested. If that size is less than or equal to the SystemInformationLength parameter, the function copies the information into the SystemInformation buffer; otherwise, it returns an NTSTATUS error code and returns in ReturnLength the size of buffer required to receive the requested information.

Return Value

Returns an NTSTATUS success or error code.

The forms and significance of NTSTATUS error codes are listed in the Ntstatus.h header file available in the Windows Device Driver Kit (DDK), and are described in the DDK documentation.

Remarks

The ZwQuerySystemInformation function and the structures that it returns are internal to the operating system and subject to change from one release of Windows to another. To maintain the compatibility of your application, it is better to use the alternate functions previously mentioned instead.

If you do use ZwQuerySystemInformation, access the function through run-time dynamic linking. This gives your code an opportunity to respond gracefully if the function has been changed or removed from the operating system. Signature changes, however, may not be detectable.

This function has no associated import library. You must use the LoadLibrary and GetProcAddress functions to dynamically link to Ntdll.dll.
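An added example, not from the original page: the ReturnLength retry described under the parameters, combined with the run-time dynamic linking the Remarks call for. The names qsi_fn, query_grow, resolve_qsi, LEN_MISMATCH and fake_qsi are assumptions; 0xC0000004 is STATUS_INFO_LENGTH_MISMATCH from Ntstatus.h, and fake_qsi is a constructed stand-in so the loop can be exercised off Windows.

```c
#include <stdint.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#define QSI_CALL __stdcall
#else
#define QSI_CALL                       /* non-Windows build: only the stand-in runs */
#endif
#define LEN_MISMATCH ((int32_t)0xC0000004)    /* STATUS_INFO_LENGTH_MISMATCH */

/* Same shape as the prototype above, with fixed-width stand-ins for the types. */
typedef int32_t (QSI_CALL *qsi_fn)(int cls, void *info, uint32_t len, uint32_t *ret);

/* Returns a malloc'd buffer holding the reply (caller frees), or NULL on failure. */
void *query_grow(qsi_fn fn, int cls, uint32_t *out_len)
{
    uint32_t cap = 256, need = 0;
    for (int tries = 0; fn != NULL && tries < 8; tries++) {
        void *buf = malloc(cap);
        if (buf == NULL) return NULL;
        int32_t st = fn(cls, buf, cap, &need);
        if (st >= 0) { *out_len = need; return buf; }    /* success status */
        free(buf);
        if (st != LEN_MISMATCH) return NULL;             /* real failure: stop */
        cap = (need > cap ? need : cap) + 256;           /* slack: data can grow between calls */
    }
    return NULL;
}

#ifdef _WIN32
/* Run-time dynamic linking as the Remarks describe; NULL if the export is gone. */
qsi_fn resolve_qsi(void)
{
    HMODULE ntdll = LoadLibraryW(L"ntdll.dll");
    return ntdll ? (qsi_fn)GetProcAddress(ntdll, "ZwQuerySystemInformation") : NULL;
}
#endif

/* Constructed stand-in for offline runs: wants 1000 bytes and counts its calls. */
int fake_calls = 0;
int32_t QSI_CALL fake_qsi(int cls, void *info, uint32_t len, uint32_t *ret)
{
    (void)cls; fake_calls++;
    if (ret != NULL) *ret = 1000;
    if (len < 1000) return LEN_MISMATCH;
    for (uint32_t i = 0; i < 1000; i++) ((uint8_t *)info)[i] = 0xAB;
    return 0;
}
```

On Windows, pass the result of resolve_qsi() as fn; a NULL return from it makes query_grow fail cleanly instead of calling through a missing export.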

Requirements

DLL: Requires Ntdll.dll.


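There are also SystemInformationClass values that are not listed above. Since this is a Native function that is used in many places, keep it in mind and remember how to use it correctly.

I remember that in the past, when I used a Zw..Process function in a FileSystem Driver, a recursive call into that stack occurred.
The cause of the problem seems to have been the IRQL level and a synchronization issue..

The emphasized part above roughly means that when this function is used from an API it may be changed or altered, so be sure to use LoadLibrary and then GetProcAddress. For a simple test it would not be a problem, but... let's make it a habit. ^^

This function is widely covered on Google, so you can easily find code by searching~^^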