How arbitrary is the ArbitraryUserPointer in the TEB?

Raymond Chen


There’s a member of the NT_TIB structure called ArbitraryUserPointer.

typedef struct _NT_TIB {
    struct _EXCEPTION_REGISTRATION_RECORD *ExceptionList;
    PVOID StackBase;
    PVOID StackLimit;
    PVOID SubSystemTib;
    PVOID FiberData;
    PVOID ArbitraryUserPointer; /* the member under discussion */
    struct _NT_TIB *Self;
} NT_TIB;

How arbitrary is this value? Can I use it for anything I want?

This is another case of looking at the world through kernel-colored glasses. The ArbitraryUserPointer is arbitrary from the kernel’s point of view, but that doesn’t mean that it’s available for anybody to use. The User here means “user-mode”. The kernel is saying, “Dude, like, here’s a value for user-mode to use however it sees fit. I really don’t care.”

But user-mode might care.

In practice, the user-mode loader uses the ArbitraryUserPointer to pass information to the debugger. It’s not a random place for programs to stash data.



  • George Gonzalez

    Going a way back to CDC KRONOS, the manuals said that for each directory entry there was a “USERCONTROLWORD”.  Neat, we thought, 60 bits where we could stuff some file meta-info.  
    But if you talked to the system programmers, they said “WE are the users!”  So they stole 12 bits to store the file’s language.  Then the computer science department decided they were going to use all the other bits to implement a crude user-id convention. 
    Are any of the Windows file system fields still up for grabs?

  • Kasper Brandt

    My favourite field in the TEB is Win32ThreadInfo. It points to a THREADINFO structure *in kernel-mode memory*. A kernel-mode pointer in user-mode memory is never a good sign…