[Vol-dev] Windows 7 x64 _KTHREAD structure

I've noticed that on an unpatched Windows 7 x64 SP1 machine, the _KTHREAD structure ends as follows: +350 ThreadCounters : Ptr64 _KTHREAD_COUNTERS +358 XSaveState : Ptr64 _XSAVE_STATE On a version of the machine that is up to date on patches, I see _KTHREAD ending like this: +350 ThreadCounters : Ptr64 _KTHREAD_COUNTERS +358 StateSaveArea : Ptr64 _XSAVE_FORMAT +360 XSaveState : Ptr64 _XSAVE_STATE The result is that fields in the _ETHREAD structure are shifted by 8 bytes. on the patched machine. I can't be certain that it was a Microsoft Update (I'm only assuming), but does anyone know which patch causes the update? At the very least, is there a good method for detecting if a memory image uses one version of KTHREAD or the other? Any information would be helpful. Thanks!