Lets see EPROCESS.Flags3 in w10 build 16193:
and compare it with EPROCESS.Flags3 in w10 build 16215:
dramatic difference
it seems that in build 16215 all secure related settings was moved to EPROCESS.MitigationFlags at offset 0x3d8 which is just DWORD (perhaps bitmask with _PS_MITIGATION_OPTION as bitindex). quick search shows pair of exported functions and lots of using in PspApplyMitigationOptions/NtSetInformationProcess/NtQueryInformationProcess
PsIsWin32KFilterAuditEnabledForProcess
unsigned long Flags3;
unsigned long Minimal:0:1;
unsigned long ReplacingPageRoot:1:1;
unsigned long DisableNonSystemFonts:2:1;
unsigned long AuditNonSystemFontLoading:3:1;
unsigned long Crashed:4:1;
unsigned long JobVadsAreTracked:5:1;
unsigned long VadTrackingDisabled:6:1;
unsigned long AuxiliaryProcess:7:1;
unsigned long SubsystemProcess:8:1;
unsigned long IndirectCpuSets:9:1;
unsigned long InPrivate:a:1;
unsigned long ProhibitRemoteImageMap:b:1;
unsigned long ProhibitLowILImageMap:c:1;
unsigned long SignatureMitigationOptIn:d:1;
unsigned long DisableDynamicCodeAllowOptOut:e:1;
unsigned long EnableFilteredWin32kAPIs:f:1;
unsigned long AuditFilteredWin32kAPIs:10:1;
unsigned long PreferSystem32Images:11:1;
unsigned long RelinquishedCommit:12:1;
unsigned long Reserved:13:1;
unsigned long HighGraphicsPriority:14:1;
unsigned long CommitFailLogged:15:1;
unsigned long ReserveFailLogged:16:1;
unsigned long DisableDynamicCodeAllowRemoteDowngrade:17:1;
unsigned long LoaderIntegrityContinuityEnabled:18:1;
unsigned long LoaderIntegrityContinuityAudit:19:1;
unsigned long ControlFlowGuardExportSuppressionEnabled:1a:1;
unsigned long FatalAccessTerminationRequested:1b:1;
unsigned long DisableSystemAllowedCpuSet:1c:1;
unsigned long ControlFlowGuardStrict:1d:1;
and compare it with EPROCESS.Flags3 in w10 build 16215:
unsigned long Flags3;
unsigned long Minimal:0:1;
unsigned long ReplacingPageRoot:1:1;
unsigned long Crashed:2:1;
unsigned long JobVadsAreTracked:3:1;
unsigned long VadTrackingDisabled:4:1;
unsigned long AuxiliaryProcess:5:1;
unsigned long SubsystemProcess:6:1;
unsigned long IndirectCpuSets:7:1;
unsigned long RelinquishedCommit:8:1;
unsigned long HighGraphicsPriority:9:1;
unsigned long CommitFailLogged:a:1;
unsigned long ReserveFailLogged:b:1;
unsigned long SystemProcess:c:1;
dramatic difference
it seems that in build 16215 all secure related settings was moved to EPROCESS.MitigationFlags at offset 0x3d8 which is just DWORD (perhaps bitmask with _PS_MITIGATION_OPTION as bitindex). quick search shows pair of exported functions and lots of using in PspApplyMitigationOptions/NtSetInformationProcess/NtQueryInformationProcess
PsIsWin32KFilterAuditEnabledForProcess
mov edi, edi
push ebp
mov ebp, esp
mov eax, [ebp+arg_0]
mov eax, [eax+3D8h]
shr eax, 0Fh
and al, 1
pop ebp
retn 4
PsIsWin32KFilterAuditEnabledForProcess
mov edi, edi
push ebp
mov ebp, esp
mov eax, [ebp+arg_0]
mov eax, [eax+3D8h]
shr eax, 0Eh
and al, 1
pop ebp
retn 4