I&#39;ve noticed that on an unpatched Windows 7 x64 SP1 machine, the _KTHREAD structure ends as follows:<br><br>+350 ThreadCounters  : Ptr64 _KTHREAD_COUNTERS<br>+358 XSaveState       : Ptr64 _XSAVE_STATE<br><br>On a version of the machine that is up to date on patches, I see _KTHREAD ending like this:<br>
<br>+350 ThreadCounters  : Ptr64 _KTHREAD_COUNTERS<br>+358 StateSaveArea   : Ptr64 _XSAVE_FORMAT<br>+360 XSaveState       : Ptr64 _XSAVE_STATE<br><br>The result is that fields in the _ETHREAD structure are shifted by 8 bytes. on the patched machine.<br>
<br>I can&#39;t be certain that it was a Microsoft Update (I&#39;m only assuming), but does anyone know which patch causes the update?<br><br>At the very least, is there a good method for detecting if a memory image uses one version of KTHREAD or the other?<br>
<br>Any information would be helpful.<br><br>Thanks!<br>