Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
Win32 Thread Information Block
open-in-new
<h2 id="contents-of-the-tib-on-windows">Contents of the TIB on Windows</h2> <p>This table is based on <a href="/facts/Wine_(software)/JF0wHs7y">Wine</a>'s work on <a href="/facts/Microsoft_Windows/bwhAhuSL">Microsoft Windows</a> internals.<a class="footnote-ref" id="fnref:4" href="#fn:4"><sup>4</sup></a> </p> <table><tbody><tr><th>Bytes/Type</th><th>offset (32-bit, FS)</th><th>offset (64-bit, GS)</th><th>Windows Versions</th><th>Description</th></tr><tr><td>pointer</td><td>FS:[0x00]</td><td>GS:[0x00]</td><td><a href="/facts/Windows_9x/f1zwlghw">Win9x</a> and <a href="/facts/Windows_NT/EtccWvxQ">NT</a></td><td>Current <a href="/facts/Structured_Exception_Handling/oK9Qs8Hr">Structured Exception Handling</a> (SEH) frame<p>Note: the 64-bit version of Windows uses <a href="/facts/Call_stack/1sMt713v">stack unwinding</a> done in <a href="/facts/Protection_ring/27y4kjHs">kernel mode</a> instead.</p></td></tr><tr><td>pointer</td><td>FS:[0x04]</td><td>GS:[0x08]</td><td>Win9x and NT</td><td><a href="/facts/Call_stack/1sMt713v">Stack</a> Base / Bottom of stack (high address)</td></tr><tr><td>pointer</td><td>FS:[0x08]</td><td>GS:[0x10]</td><td>Win9x and NT</td><td>Stack Limit / Ceiling of stack (low address)</td></tr><tr><td>pointer</td><td>FS:[0x0C]</td><td>GS:[0x18]</td><td>NT</td><td>SubSystemTib</td></tr><tr><td>pointer</td><td>FS:[0x10]</td><td>GS:[0x20]</td><td>NT</td><td><a href="/facts/Fiber_(computer_science)/lJxjqB79">Fiber</a> data</td></tr><tr><td>pointer</td><td>FS:[0x14]</td><td>GS:[0x28]</td><td>Win9x and NT</td><td>Arbitrary data slot</td></tr><tr><td>pointer</td><td>FS:[0x18]</td><td>GS:[0x30]</td><td>Win9x and NT</td><td>Linear address of TEB</td></tr><tr><th colspan="5">End of <a href="/facts/Architecture_of_Windows_NT/s0mJp1uG">NT subsystem</a> independent part; below are <a href="/facts/Windows_API/RRw4RtTu">Win32</a>-dependent</th></tr><tr><td>pointer</td><td>FS:[0x1C]</td><td>GS:[0x38]</td><td>NT</td><td>Environment Pointer</td></tr><tr><td>pointer</td><td>FS:[0x20]</td><td>GS:[0x40]</td><td>NT</td><td>Process ID (in some Windows distributions this field is used as DebugContext)</td></tr><tr><td>pointer</td><td>FS:[0x24]</td><td>GS:[0x48]</td><td>NT</td><td>Current thread ID</td></tr><tr><td>pointer</td><td>FS:[0x28]</td><td>GS:[0x50]</td><td>NT</td><td>Active RPC Handle</td></tr><tr><td>pointer</td><td>FS:[0x2C]</td><td>GS:[0x58]</td><td>Win9x and NT</td><td>Linear address of the <a href="/facts/Thread-local_storage/BPDI8VDU">thread-local storage</a> array</td></tr><tr><td>pointer</td><td>FS:[0x30]</td><td>GS:[0x60]</td><td>NT</td><td>Linear address of <a href="/facts/Process_Environment_Block/570d1tVM">Process Environment Block</a> (PEB)</td></tr><tr><td>4</td><td>FS:[0x34]</td><td>GS:[0x68]</td><td>NT</td><td>Last error number</td></tr><tr><td>4</td><td>FS:[0x38]</td><td>GS:[0x6C]</td><td>NT</td><td>Count of owned critical sections</td></tr><tr><td>pointer</td><td>FS:[0x3C]</td><td>GS:[0x70]</td><td>NT</td><td>Address of CSR Client Thread</td></tr><tr><td>pointer</td><td>FS:[0x40]</td><td>GS:[0x78]</td><td>NT</td><td>Win32 Thread Information</td></tr><tr><td>124</td><td>FS:[0x44]</td><td>GS:[0x80]</td><td>NT, Wine</td><td>Win32 client information (NT), user32 private data (Wine), 0x60 = LastError (Win95&98), 0x74 = LastError (WinME)</td></tr><tr><td>pointer</td><td>FS:[0xC0]</td><td>GS:[0x100]</td><td>NT</td><td>Reserved for Wow64. Contains a pointer to FastSysCall in Wow64.</td></tr><tr><td>4</td><td>FS:[0xC4]</td><td>GS:[0x108]</td><td>NT</td><td>Current Locale</td></tr><tr><td>4</td><td>FS:[0xC8]</td><td>GS:[0x10C]</td><td>NT</td><td>FP Software Status Register</td></tr><tr><td>216</td><td>FS:[0xCC]</td><td>GS:[0x110]</td><td>NT, Wine</td><td>Reserved for OS (NT), kernel32 private data (Wine)herein: FS:[0x124] 4 NT Pointer to KTHREAD (ETHREAD) structure</td></tr><tr><td>4</td><td>FS:[0x1A4]</td><td>GS:[0x2C0]</td><td>NT</td><td>Exception code</td></tr><tr><td>18</td><td>FS:[0x1A8]</td><td>GS:[0x2C8]</td><td>NT</td><td>Activation context stack</td></tr><tr><td>24</td><td>FS:[0x1BC]</td><td>GS:[0x2E8]</td><td>NT, Wine</td><td>Spare bytes (NT), ntdll private data (Wine)</td></tr><tr><td>40</td><td>FS:[0x1D4]</td><td>GS:[0x300]</td><td>NT, Wine</td><td>Reserved for OS (NT), ntdll private data (Wine)</td></tr><tr><td>1248</td><td>FS:[0x1FC]</td><td>GS:[0x350]</td><td>NT, Wine</td><td><a href="/facts/Graphics_Device_Interface/C8yuXxtL">GDI</a> TEB Batch (OS), vm86 private data (Wine)</td></tr><tr><td>4</td><td>FS:[0x6DC]</td><td>GS:[0x838]</td><td>NT</td><td>GDI Region</td></tr><tr><td>4</td><td>FS:[0x6E0]</td><td>GS:[0x840]</td><td>NT</td><td>GDI Pen</td></tr><tr><td>4</td><td>FS:[0x6E4]</td><td>GS:[0x848]</td><td>NT</td><td>GDI Brush</td></tr><tr><td>4</td><td>FS:[0x6E8]</td><td>GS:[0x850]</td><td>NT</td><td>Real Process ID</td></tr><tr><td>4</td><td>FS:[0x6EC]</td><td>GS:[0x858]</td><td>NT</td><td>Real Thread ID</td></tr><tr><td>4</td><td>FS:[0x6F0]</td><td>GS:[0x860]</td><td>NT</td><td>GDI cached process handle</td></tr><tr><td>4</td><td>FS:[0x6F4]</td><td>GS:[0x868]</td><td>NT</td><td>GDI client process ID (PID)</td></tr><tr><td>4</td><td>FS:[0x6F8]</td><td>GS:[0x86C]</td><td>NT</td><td>GDI client thread ID (TID)</td></tr><tr><td>4</td><td>FS:[0x6FC]</td><td>GS:[0x870]</td><td>NT</td><td>GDI thread locale information</td></tr><tr><td>20</td><td>FS:[0x700]</td><td>GS:[0x878]</td><td>NT</td><td>Reserved for user application</td></tr><tr><td>1248</td><td>FS:[0x714]</td><td>GS:[0x890]</td><td>NT</td><td>Reserved for GL (See wine ref for internals)<a class="footnote-ref" id="fnref:5" href="#fn:5"><sup>5</sup></a></td></tr><tr><td>4</td><td>FS:[0xBF4]</td><td>GS:[0x1250]</td><td>NT</td><td>Last Status Value</td></tr><tr><td>532</td><td>FS:[0xBF8]</td><td>GS:[0x1258]</td><td>NT</td><td>Static UNICODE_STRING buffer</td></tr><tr><td>pointer</td><td>FS:[0xE0C]</td><td>GS:[0x1478]</td><td>NT</td><td>Also known as DeallocationStack, it establishes the actual start address of the stack buffer, which defines the true stack limit. This limit is a few pages less than the stack limit field, as the latter includes the guard pages used to manage the growth of the stack. <a class="footnote-ref" id="fnref:6" href="#fn:6"><sup>6</sup></a></td></tr><tr><td>pointer[]</td><td>FS:[0xE10]</td><td>GS:[0x1480]</td><td>NT</td><td>TLS slots, 4/8 bytes per slot, 64 slots</td></tr><tr><td>8</td><td>FS:[0xF10]</td><td>GS:[0x1680]</td><td>NT</td><td>TLS links (LIST_ENTRY structure)</td></tr><tr><td>4</td><td>FS:[0xF18]</td><td>GS:[0x1690]</td><td>NT</td><td>VDM</td></tr><tr><td>4</td><td>FS:[0xF1C]</td><td>GS:[0x1698]</td><td>NT</td><td>Reserved for RPC</td></tr><tr><td>4</td><td>FS:[0xF28]</td><td>GS:[0x16B0]</td><td>NT</td><td>Thread error mode (RtlSetThreadErrorMode)</td></tr><tr><td>4</td><td>FS:[0xF78]</td><td>GS:[0x1748]</td><td>NT</td><td>Guaranteed stack bytes</td></tr><tr><th colspan="5">This is not the full table; see wine ref for all fields until FS:[0xfb4] / GS:[17c8].<a class="footnote-ref" id="fnref:7" href="#fn:7"><sup>7</sup></a> Newer Windows versions extend the size of TIB further, up to 0x1000/0x1838 in Windows 10. Some of the fields appended are removed, leading to conflicting definitions.<a class="footnote-ref" id="fnref:8" href="#fn:8"><sup>8</sup></a></th></tr></tbody></table> <p>FS (for 32-bit) or GS (for 64-bit) maps to a TIB which is embedded in a data block known as the TDB (thread data base). The TIB contains the thread-specific exception handling chain and pointer to the TLS (thread local storage.) The thread local storage is not the same as C local storage. </p> <h2 id="stack-information-stored-in-the-tib">Stack information stored in the TIB</h2> <p>A process should be free to move the <a href="/facts/Stack-based_memory_allocation/Wem3dQa6">stack</a> of its threads as long as it updates the information stored in the TIB accordingly. A few fields are key to this matter: stack base, stack limit, deallocation stack, and guaranteed stack bytes, respectively stored at offsets 0x8, 0x10, 0x1478 and 0x1748 in 64 bits. Different Windows <a href="/facts/Kernel_(operating_system)/uEj4U3Rz">kernel</a> functions read and write these values, specially to distinguish <a href="/facts/Stack_overflow/HnmlFXA1">stack overflows</a> from other read/write <a href="/facts/Page_fault/0pzn9ByX">page faults</a> (a read or write to a page guarded among the stack limits in guaranteed stack bytes will generate a stack-overflow exception instead of an access violation). The deallocation stack is important because Windows API allows to change the amount of guarded pages: the function SetThreadStackGuarantee allows both read the current space and to grow it. In order to read it, it reads the GuaranteedStackBytes field, and to grow it, it uses has to uncommit stack pages. Setting stack limits without setting DeallocationStack will probably cause odd behavior in SetThreadStackGuarantee. For example, it will overwrite the stack limits to wrong values. Different libraries call SetThreadStackGuarantee, for example the <a href="/facts/Common_Language_Runtime/4Y0cUdkd">.NET CLR</a> uses it for setting up the stack of their threads. </p> <h2 id="accessing-the-tib">Accessing the TIB</h2> <p>The TIB of the current thread can be accessed as an offset of segment <a href="/facts/Processor_register/32RvbUdz">register</a> FS (x86) or GS (x64). </p><p>It is not common to access the TIB fields by an offset from FS:[0], but rather first getting a linear self-referencing pointer to it stored at FS:[18h]. That pointer can be used with pointer arithmetic or be cast to a <a href="/facts/Struct_(C_programming_language)/mmhEWucA">struct</a> <a href="/facts/Pointer_(computer_programming)/fPoNzy9b">pointer</a>. </p><p>Using <a href="/facts/Microsoft_Windows_SDK/8otR4u2w">Microsoft Windows SDK</a> or similar, a programmer could use an inline function defined in winnt.h named NtCurrentTeb which returns the address of the current Thread Information Block as NT_TIB *.<a class="footnote-ref" id="fnref:9" href="#fn:9"><sup>9</sup></a> </p><p>Alternative methods of access for <a href="/facts/IA-32/7yTv1aHH">IA-32</a> architectures are as follows: </p> // gcc (AT&T-style inline assembly). void *getTIB(void) { register void *pTIB; #if defined(__x86_64__) || defined(__amd64__) __asm__("movq %%gs:0x30, %0" : "=r" (pTIB)); #elif defined(__i386__) __asm__("movl %%fs:0x18, %0" : "=r" (pTIB)); #else #error unsupported architecture #endif return pTIB; } // gcc (named address spaces, same as the inline assembly version on -O1 or -ftree-ter). void *getTIB(void) { #if defined(__x86_64__) || defined(__amd64__) #ifndef __SEG_GS #error unsupported GCC version #endif return *(void *__seg_gs *) 0x30; #elif defined(__i386__) #ifndef __SEG_FS #error unsupported GCC version #endif return *(void *__seg_fs *) 0x18; #else #error unsupported architecture #endif } // Microsoft C __declspec(naked) void *getTIB() { __asm mov EAX, FS:[18h] __asm ret } // Using Microsoft's intrinsics instead of inline assembly (works for both X86 and X64 architectures) void *getTIB() { #ifdef _M_IX86 return (void *)__readfsdword(0x18); #elif _M_AMD64 return (void *)__readgsqword(0x30); #else #error unsupported architecture #endif } <h2 id="see-also">See also</h2> <ul><li><a href="/facts/Structured_Exception_Handling/oK9Qs8Hr">Structured Exception Handling</a></li></ul> <h2 id="further-reading">Further reading</h2> <ul><li><a href="/facts/Matt_Pietrek/Qa4SkRv0">Pietrek, Matt</a> (March 1996). <a href="https://archive.org/details/windows95systemp00matt/page/136"><i>Windows 95 Programming Secrets</i></a> (pdf). IDG. pp. <a href="https://archive.org/details/windows95systemp00matt/page/136">136–138</a>. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-1-56884-318-6. Retrieved 2010-07-17.</li></ul> <h2 id="external-links">External links</h2> <ul><li><a href="http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Thread/TEB.html">TEB layout on NTinternals.net</a></li> <li><a href="http://www.microsoft.com/msj/0197/exception/exception.aspx">Structured Exception Handling and the TIB</a></li> <li><a href="https://www.nirsoft.net/kernel_struct/vista/NT_TIB.html">Description of the first slots of the TIB</a></li> <li><a href="https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/teb/index.htm">Description of TEB, field by field</a></li> <li><a href="https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1809%20Redstone%205%20(October%20Update)/_TEB">TEB definitions for various Windows versions</a></li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>Pietrek, Matt (May 1996). "Under The Hood". Microsoft Systems Journal. Archived from the original on 2009-06-14. Retrieved 2010-07-07. <a href="/wiki/Matt_Pietrek" target="_blank">/wiki/Matt_Pietrek</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>Pietrek, Matt (May 1996). "Under The Hood". Microsoft Systems Journal. Archived from the original on 2009-06-14. Retrieved 2010-07-07. <a href="/wiki/Matt_Pietrek" target="_blank">/wiki/Matt_Pietrek</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>"wine winternl.h: typedef struct _TEB". GitHub. wine-mirror. 29 October 2019. <a href="https://github.com/wine-mirror/wine/blob/1aff1e6a370ee8c0213a0fd4b220d121da8527aa/include/winternl.h#L347" target="_blank">https://github.com/wine-mirror/wine/blob/1aff1e6a370ee8c0213a0fd4b220d121da8527aa/include/winternl.h#L347</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>"wine winternl.h: typedef struct _TEB". GitHub. wine-mirror. 29 October 2019. <a href="https://github.com/wine-mirror/wine/blob/1aff1e6a370ee8c0213a0fd4b220d121da8527aa/include/winternl.h#L347" target="_blank">https://github.com/wine-mirror/wine/blob/1aff1e6a370ee8c0213a0fd4b220d121da8527aa/include/winternl.h#L347</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> <li id="fn:5"><p>"wine winternl.h: typedef struct _TEB". GitHub. wine-mirror. 29 October 2019. <a href="https://github.com/wine-mirror/wine/blob/1aff1e6a370ee8c0213a0fd4b220d121da8527aa/include/winternl.h#L347" target="_blank">https://github.com/wine-mirror/wine/blob/1aff1e6a370ee8c0213a0fd4b220d121da8527aa/include/winternl.h#L347</a> <a href="#fnref:5" class="footnote-back-ref">↩</a></p></li> <li id="fn:6"><p>"A closer look at the stack guard page". 3 February 2022. <a href="https://devblogs.microsoft.com/oldnewthing/20220203-00/?p=106215" target="_blank">https://devblogs.microsoft.com/oldnewthing/20220203-00/?p=106215</a> <a href="#fnref:6" class="footnote-back-ref">↩</a></p></li> <li id="fn:7"><p>"wine winternl.h: typedef struct _TEB". GitHub. wine-mirror. 29 October 2019. <a href="https://github.com/wine-mirror/wine/blob/1aff1e6a370ee8c0213a0fd4b220d121da8527aa/include/winternl.h#L347" target="_blank">https://github.com/wine-mirror/wine/blob/1aff1e6a370ee8c0213a0fd4b220d121da8527aa/include/winternl.h#L347</a> <a href="#fnref:7" class="footnote-back-ref">↩</a></p></li> <li id="fn:8"><p>Chapell, Geoff. "TEB". <a href="https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/teb/index.htm" target="_blank">https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/teb/index.htm</a> <a href="#fnref:8" class="footnote-back-ref">↩</a></p></li> <li id="fn:9"><p>"NtCurrentTeb function". Microsoft Docs. Retrieved 20 November 2019. <a href="https://docs.microsoft.com/en-us/windows/win32/api/winnt/nf-winnt-ntcurrentteb" target="_blank">https://docs.microsoft.com/en-us/windows/win32/api/winnt/nf-winnt-ntcurrentteb</a> <a href="#fnref:9" class="footnote-back-ref">↩</a></p></li> </ol>