http://qtnes.com/tags/windows/Recent content in Windows on QtnesHugoen-usWed, 22 Apr 2026 00:00:00 +0000http://qtnes.com/til/kuser-shared-data/Wed, 22 Apr 2026 00:00:00 +0000http://qtnes.com/til/kuser-shared-data/<p>Today I learned about KUSER_SHARED_DATA: a kernel-populated shared page that user mode can read directly.</p> <h2 id="user-mode-address">User-mode address</h2> <ul> <li>User mode reads it at fixed address <code>0x7FFE0000</code> (same on x86 and x64).</li> <li>It is mapped read-only in user mode.</li> <li>Kernel has a different fixed mapping, but from user-mode reversing, <code>0x7FFE0000</code> is the important one.</li> </ul> <h2 id="what-is-stored-there-high-value-fields">What is stored there (high value fields)</h2> <p>This structure contains fast-access global OS data, historically heavy on time-related values:</p>