The Thread Information Block (TIB) or Thread Environment Block (TEB) is a

data structure In computer science, a data structure is a data organization and storage format that is usually chosen for Efficiency, efficient Data access, access to data. More precisely, a data structure is a collection of data values, the relationships amo ...

Win32 The Windows API, informally WinAPI, is the foundational application programming interface (API) that allows a computer program to access the features of the Microsoft Windows operating system in which the program is running. Programs can acces ...

x86 x86 (also known as 80x86 or the 8086 family) is a family of complex instruction set computer (CISC) instruction set architectures initially developed by Intel, based on the 8086 microprocessor and its 8-bit-external-bus variant, the 8088. Th ...

that stores information about the currently running thread. It descended from, and is backward-compatible on 32-bit systems with, a similar structure in

OS/2 OS/2 is a Proprietary software, proprietary computer operating system for x86 and PowerPC based personal computers. It was created and initially developed jointly by IBM and Microsoft, under the leadership of IBM software designer Ed Iacobucci, ...

. The TIB is officially undocumented for

Windows 9x Windows 9x is a generic term referring to a line of discontinued Microsoft Windows operating systems released from 1995 to 2000 and supported until 2006, which were based on the kernel introduced in Windows 95 and modified in succeeding version ...

. The

Windows NT Windows NT is a Proprietary software, proprietary Graphical user interface, graphical operating system produced by Microsoft as part of its Windows product line, the first version of which, Windows NT 3.1, was released on July 27, 1993. Original ...

series DDK (as well as the

MinGW MinGW ("Minimalist GNU for Windows"), formerly mingw32, is a free and open source software development environment to create Microsoft Windows applications. MinGW includes a port of the GNU Compiler Collection (GCC), GNU Binutils for Windows ...

ReactOS ReactOS is a Free and open-source software, free and open-source operating system for i586/amd64 personal computers that is intended to be binary-code compatibility, binary-compatible with computer programs and device drivers developed for Wind ...

implementation) includes a struct NT_TIB in winnt.h that documents the subsystem independent part. Even before TIB was effectively documented, many applications have already started using its fields that they are effectively a part of the

API An application programming interface (API) is a connection between computers or between computer programs. It is a type of software interface, offering a service to other pieces of software. A document or standard that describes how to build ...

. The first field containing the SEH frame, in particular, is directly referenced by the code produced by Microsoft's own compiler. The Win32 subsystem-specific part of the TEB is undocumented, but

Wine Wine is an alcoholic drink made from Fermentation in winemaking, fermented fruit. Yeast in winemaking, Yeast consumes the sugar in the fruit and converts it to ethanol and carbon dioxide, releasing heat in the process. Wine is most often made f ...

includes a TEB definition in winternl.h. The TIB can be used to get a lot of information on the process without calling Win32 API. Examples include emulating GetLastError(), GetVersion(). Through the pointer to the PEB one can obtain access to the import tables (IAT), process startup arguments, image name, etc. It is accessed from the FS segment register on 32-bit Windows and GS on 64-bit Windows.

Contents of the TIB on Windows

This table is based on

's work on

Microsoft Windows Windows is a Product lining, product line of Proprietary software, proprietary graphical user interface, graphical operating systems developed and marketed by Microsoft. It is grouped into families and subfamilies that cater to particular sec ...

internals. FS (for 32-bit) or GS (for 64-bit) maps to a TIB which is embedded in a data block known as the TDB (thread data base). The TIB contains the thread-specific exception handling chain and pointer to the TLS (thread local storage.) The thread local storage is not the same as C local storage.

Stack information stored in the TIB

A process should be free to move the

stack Stack may refer to: Places * Stack Island, an island game reserve in Bass Strait, south-eastern Australia, in Tasmania’s Hunter Island Group * Blue Stack Mountains, in Co. Donegal, Ireland People * Stack (surname) (including a list of people ...

of its threads as long as it updates the information stored in the TIB accordingly. A few fields are key to this matter: stack base, stack limit, deallocation stack, and guaranteed stack bytes, respectively stored at offsets 0x8, 0x10, 0x1478 and 0x1748 in 64 bits. Different Windows kernel functions read and write these values, specially to distinguish stack overflows from other read/write page faults (a read or write to a page guarded among the stack limits in guaranteed stack bytes will generate a stack-overflow exception instead of an access violation). The deallocation stack is important because Windows API allows to change the amount of guarded pages: the function SetThreadStackGuarantee allows both read the current space and to grow it. In order to read it, it reads the GuaranteedStackBytes field, and to grow it, it uses has to uncommit stack pages. Setting stack limits without setting DeallocationStack will probably cause odd behavior in SetThreadStackGuarantee. For example, it will overwrite the stack limits to wrong values. Different libraries call SetThreadStackGuarantee, for example the .NET CLR uses it for setting up the stack of their threads.

Accessing the TIB

The TIB of the current thread can be accessed as an offset of segment

register Register or registration may refer to: Arts, entertainment, and media Music * Register (music), the relative "height" or range of a note, melody, part, instrument, etc. * ''Register'', a 2017 album by Travis Miller * Registration (organ), ...

FS (x86) or GS (x64). It is not common to access the TIB fields by an offset from

FS: /code>, but rather first getting a linear self-referencing pointer to it stored at FS: 8h/code>. That pointer can be used with pointer arithmetic or be cast to a struct 

In computer science, a record (also called a structure,   struct, or  compound data type) is a composite data structure  a collection of fields, possibly of different data types, typically fixed in number and sequence.

For example, a date could b ...
  pointer.

Using  Microsoft Windows SDK or similar, a programmer could use an inline function defined in winnt.h named NtCurrentTeb which returns the address of the current Thread Information Block as NT_TIB *.

Alternative methods of access for IA-32 



IA-32 (short for "Intel Architecture, 32-bit", commonly called ''i386'') is the 32-bit version of the x86 instruction set architecture, designed by Intel and first implemented in the i386, 80386 microprocessor in 1985.  IA-32 is the first incarn ...
 architectures are as follows:


// gcc (AT&T-style inline assembly).
void *getTIB(void) 



// gcc (named address spaces, same as the inline assembly version on -O1 or -ftree-ter).
void *getTIB(void) 



// Microsoft C
__declspec(naked)
void *getTIB() 



// Using Microsoft's intrinsics instead of inline assembly (works for both X86 and X64 architectures)
void *getTIB() 


 See also

*  Structured Exception Handling

 References



 Further reading

* {{cite book, url=https://archive.org/details/windows95systemp00matt/page/136, title=Windows 95 Programming Secrets, author-last=Pietrek, author-first=Matt, author-link=Matt Pietrek, date=March 1996, publisher=IDG, isbn=978-1-56884-318-6, page
136–138
format=pdf, accessdate=2010-07-17, url-access=registration

 External links




Structured Exception Handling and the TIB





TEB definitions for various Windows versions

 Windows NT architecture
 Microsoft application programming interfaces
 Threads (computing)