How arbitrary is the ArbitraryUserPointer in the TEB?

Raymond Chen

There’s a member of the NT_TIB structure called Arbitrary­User­Pointer.

typedef struct _NT_TIB {
    PVOID StackBase;
    PVOID StackLimit;
    PVOID SubSystemTib;
    PVOID FiberData;
    PVOID ArbitraryUserPointer;
    struct _NT_TIB *Self;

How arbitrary is this value? Can I use it for anything I want?

This is another case of looking at the world through kernel-colored glasses. The Arbitrary­User­Pointer is arbitrary from the kernel’s point of view, but that doesn’t mean that it’s available for anybody to use. The User here means “user-mode”. The kernel is saying, “Dude, like, here’s a value for user-mode to use however it sees fit. I really don’t care.”

But user-mode might care.

In practice, the user-mode loader uses the Arbitrary­User­Pointer to pass information to the debugger. It’s not a random place for programs to stash data.