├── CMakeLists.txt ├── LICENSE ├── README.md ├── ntbcd.h ├── ntdbg.h ├── ntexapi.h ├── ntgdi.h ├── ntimage.h ├── ntintsafe.h ├── ntioapi.h ├── ntkeapi.h ├── ntldr.h ├── ntlpcapi.h ├── ntmisc.h ├── ntmmapi.h ├── ntnls.h ├── ntobapi.h ├── ntpebteb.h ├── ntpfapi.h ├── ntpnpapi.h ├── ntpoapi.h ├── ntpsapi.h ├── ntregapi.h ├── ntrtl.h ├── ntsam.h ├── ntseapi.h ├── ntsmss.h ├── ntstrsafe.h ├── ntsxs.h ├── nttmapi.h ├── nttp.h ├── ntuser.h ├── ntwmi.h ├── ntwow64.h ├── ntxcapi.h ├── ntzwapi.h ├── phnt.h ├── phnt_ntdef.h ├── phnt_windows.h ├── smbios.h ├── subprocesstag.h ├── usermgr.h └── winsta.h /CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.10) 2 | 3 | project(phnt) 4 | 5 | add_library(phnt INTERFACE) 6 | target_include_directories(phnt INTERFACE "${CMAKE_CURRENT_LIST_DIR}") 7 | target_link_libraries(phnt INTERFACE "ntdll.lib") 8 | 9 | add_library(phnt::phnt ALIAS phnt) -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 Winsider Seminars & Solutions, Inc. 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 
14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | This collection of Native API header files has been maintained since 2009 for the Process Hacker project, and is the most up-to-date set of Native API definitions that I know of. I have gathered these definitions from official Microsoft header files and symbol files, as well as a lot of reverse engineering and guessing. See `phnt.h` for more information. 2 | 3 | ## Usage 4 | 5 | First make sure that your program is using the latest Windows SDK. 6 | 7 | These header files are designed to be used by user-mode programs. Instead of `#include <windows.h>`, place 8 | 9 | ``` 10 | #include <phnt_windows.h> 11 | #include <phnt.h> 12 | ``` 13 | 14 | at the top of your program. The first line provides access to the Win32 API as well as the `NTSTATUS` values. The second line provides access to the entire Native API. By default, only definitions present in Windows XP are included into your program. 
To change this, use one of the following: 15 | 16 | ``` 17 | #define PHNT_VERSION PHNT_WINDOWS_XP // Windows XP 18 | #define PHNT_VERSION PHNT_WINDOWS_SERVER_2003 // Windows Server 2003 19 | #define PHNT_VERSION PHNT_WINDOWS_VISTA // Windows Vista 20 | #define PHNT_VERSION PHNT_WINDOWS_7 // Windows 7 21 | #define PHNT_VERSION PHNT_WINDOWS_8 // Windows 8 22 | #define PHNT_VERSION PHNT_WINDOWS_8_1 // Windows 8.1 23 | #define PHNT_VERSION PHNT_WINDOWS_10 // Windows 10 24 | #define PHNT_VERSION PHNT_WINDOWS_11 // Windows 11 25 | ``` 26 | -------------------------------------------------------------------------------- /ntdbg.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Debugger support functions 3 | * 4 | * This file is part of System Informer. 5 | */ 6 | 7 | #ifndef _NTDBG_H 8 | #define _NTDBG_H 9 | 10 | // Debugging 11 | 12 | NTSYSAPI 13 | VOID 14 | NTAPI 15 | DbgUserBreakPoint( 16 | VOID 17 | ); 18 | 19 | NTSYSAPI 20 | VOID 21 | NTAPI 22 | DbgBreakPoint( 23 | VOID 24 | ); 25 | 26 | NTSYSAPI 27 | VOID 28 | NTAPI 29 | DbgBreakPointWithStatus( 30 | _In_ ULONG Status 31 | ); 32 | 33 | #define DBG_STATUS_CONTROL_C 1 34 | #define DBG_STATUS_SYSRQ 2 35 | #define DBG_STATUS_BUGCHECK_FIRST 3 36 | #define DBG_STATUS_BUGCHECK_SECOND 4 37 | #define DBG_STATUS_FATAL 5 38 | #define DBG_STATUS_DEBUG_CONTROL 6 39 | #define DBG_STATUS_WORKER 7 40 | 41 | NTSYSAPI 42 | ULONG 43 | STDAPIVCALLTYPE 44 | DbgPrint( 45 | _In_z_ _Printf_format_string_ PCCH Format, 46 | ... 47 | ); 48 | 49 | NTSYSAPI 50 | ULONG 51 | STDAPIVCALLTYPE 52 | DbgPrintEx( 53 | _In_ ULONG ComponentId, 54 | _In_ ULONG Level, 55 | _In_z_ _Printf_format_string_ PCCH Format, 56 | ... 
57 | ); 58 | 59 | NTSYSAPI 60 | ULONG 61 | NTAPI 62 | vDbgPrintEx( 63 | _In_ ULONG ComponentId, 64 | _In_ ULONG Level, 65 | _In_z_ PCCH Format, 66 | _In_ va_list arglist 67 | ); 68 | 69 | NTSYSAPI 70 | ULONG 71 | NTAPI 72 | vDbgPrintExWithPrefix( 73 | _In_z_ PCCH Prefix, 74 | _In_ ULONG ComponentId, 75 | _In_ ULONG Level, 76 | _In_z_ PCCH Format, 77 | _In_ va_list arglist 78 | ); 79 | 80 | NTSYSAPI 81 | ULONG 82 | STDAPIVCALLTYPE 83 | DbgPrintReturnControlC( 84 | _In_z_ _Printf_format_string_ PCCH Format, 85 | ... 86 | ); 87 | 88 | NTSYSAPI 89 | NTSTATUS 90 | NTAPI 91 | DbgQueryDebugFilterState( 92 | _In_ ULONG ComponentId, 93 | _In_ ULONG Level 94 | ); 95 | 96 | NTSYSAPI 97 | NTSTATUS 98 | NTAPI 99 | DbgSetDebugFilterState( 100 | _In_ ULONG ComponentId, 101 | _In_ ULONG Level, 102 | _In_ BOOLEAN State 103 | ); 104 | 105 | NTSYSAPI 106 | ULONG 107 | NTAPI 108 | DbgPrompt( 109 | _In_ PCCH Prompt, 110 | _Out_writes_bytes_(Length) PCH Response, 111 | _In_ ULONG Length 112 | ); 113 | 114 | // Definitions 115 | 116 | typedef struct _DBGKM_EXCEPTION 117 | { 118 | EXCEPTION_RECORD ExceptionRecord; 119 | ULONG FirstChance; 120 | } DBGKM_EXCEPTION, *PDBGKM_EXCEPTION; 121 | 122 | typedef struct _DBGKM_CREATE_THREAD 123 | { 124 | ULONG SubSystemKey; 125 | PVOID StartAddress; 126 | } DBGKM_CREATE_THREAD, *PDBGKM_CREATE_THREAD; 127 | 128 | typedef struct _DBGKM_CREATE_PROCESS 129 | { 130 | ULONG SubSystemKey; 131 | HANDLE FileHandle; 132 | PVOID BaseOfImage; 133 | ULONG DebugInfoFileOffset; 134 | ULONG DebugInfoSize; 135 | DBGKM_CREATE_THREAD InitialThread; 136 | } DBGKM_CREATE_PROCESS, *PDBGKM_CREATE_PROCESS; 137 | 138 | typedef struct _DBGKM_EXIT_THREAD 139 | { 140 | NTSTATUS ExitStatus; 141 | } DBGKM_EXIT_THREAD, *PDBGKM_EXIT_THREAD; 142 | 143 | typedef struct _DBGKM_EXIT_PROCESS 144 | { 145 | NTSTATUS ExitStatus; 146 | } DBGKM_EXIT_PROCESS, *PDBGKM_EXIT_PROCESS; 147 | 148 | typedef struct _DBGKM_LOAD_DLL 149 | { 150 | HANDLE FileHandle; 151 | PVOID BaseOfDll; 152 | ULONG 
DebugInfoFileOffset; 153 | ULONG DebugInfoSize; 154 | PVOID NamePointer; 155 | } DBGKM_LOAD_DLL, *PDBGKM_LOAD_DLL; 156 | 157 | typedef struct _DBGKM_UNLOAD_DLL 158 | { 159 | PVOID BaseAddress; 160 | } DBGKM_UNLOAD_DLL, *PDBGKM_UNLOAD_DLL; 161 | 162 | typedef enum _DBG_STATE 163 | { 164 | DbgIdle, 165 | DbgReplyPending, 166 | DbgCreateThreadStateChange, 167 | DbgCreateProcessStateChange, 168 | DbgExitThreadStateChange, 169 | DbgExitProcessStateChange, 170 | DbgExceptionStateChange, 171 | DbgBreakpointStateChange, 172 | DbgSingleStepStateChange, 173 | DbgLoadDllStateChange, 174 | DbgUnloadDllStateChange 175 | } DBG_STATE, *PDBG_STATE; 176 | 177 | typedef struct _DBGUI_CREATE_THREAD 178 | { 179 | HANDLE HandleToThread; 180 | DBGKM_CREATE_THREAD NewThread; 181 | } DBGUI_CREATE_THREAD, *PDBGUI_CREATE_THREAD; 182 | 183 | typedef struct _DBGUI_CREATE_PROCESS 184 | { 185 | HANDLE HandleToProcess; 186 | HANDLE HandleToThread; 187 | DBGKM_CREATE_PROCESS NewProcess; 188 | } DBGUI_CREATE_PROCESS, *PDBGUI_CREATE_PROCESS; 189 | 190 | typedef struct _DBGUI_WAIT_STATE_CHANGE 191 | { 192 | DBG_STATE NewState; 193 | CLIENT_ID AppClientId; 194 | union 195 | { 196 | DBGKM_EXCEPTION Exception; 197 | DBGUI_CREATE_THREAD CreateThread; 198 | DBGUI_CREATE_PROCESS CreateProcessInfo; 199 | DBGKM_EXIT_THREAD ExitThread; 200 | DBGKM_EXIT_PROCESS ExitProcess; 201 | DBGKM_LOAD_DLL LoadDll; 202 | DBGKM_UNLOAD_DLL UnloadDll; 203 | } StateInfo; 204 | } DBGUI_WAIT_STATE_CHANGE, *PDBGUI_WAIT_STATE_CHANGE; 205 | 206 | #define DEBUG_READ_EVENT 0x0001 207 | #define DEBUG_PROCESS_ASSIGN 0x0002 208 | #define DEBUG_SET_INFORMATION 0x0004 209 | #define DEBUG_QUERY_INFORMATION 0x0008 210 | #define DEBUG_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \ 211 | DEBUG_READ_EVENT | DEBUG_PROCESS_ASSIGN | DEBUG_SET_INFORMATION | \ 212 | DEBUG_QUERY_INFORMATION) 213 | 214 | #define DEBUG_KILL_ON_CLOSE 0x1 215 | 216 | typedef enum _DEBUGOBJECTINFOCLASS 217 | { 218 | DebugObjectUnusedInformation, 219 | 
DebugObjectKillProcessOnExitInformation, // s: ULONG 220 | MaxDebugObjectInfoClass 221 | } DEBUGOBJECTINFOCLASS, *PDEBUGOBJECTINFOCLASS; 222 | 223 | // System calls 224 | 225 | NTSYSCALLAPI 226 | NTSTATUS 227 | NTAPI 228 | NtCreateDebugObject( 229 | _Out_ PHANDLE DebugObjectHandle, 230 | _In_ ACCESS_MASK DesiredAccess, 231 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 232 | _In_ ULONG Flags 233 | ); 234 | 235 | NTSYSCALLAPI 236 | NTSTATUS 237 | NTAPI 238 | NtDebugActiveProcess( 239 | _In_ HANDLE ProcessHandle, 240 | _In_ HANDLE DebugObjectHandle 241 | ); 242 | 243 | NTSYSCALLAPI 244 | NTSTATUS 245 | NTAPI 246 | NtDebugContinue( 247 | _In_ HANDLE DebugObjectHandle, 248 | _In_ PCLIENT_ID ClientId, 249 | _In_ NTSTATUS ContinueStatus 250 | ); 251 | 252 | NTSYSCALLAPI 253 | NTSTATUS 254 | NTAPI 255 | NtRemoveProcessDebug( 256 | _In_ HANDLE ProcessHandle, 257 | _In_ HANDLE DebugObjectHandle 258 | ); 259 | 260 | NTSYSCALLAPI 261 | NTSTATUS 262 | NTAPI 263 | NtSetInformationDebugObject( 264 | _In_ HANDLE DebugObjectHandle, 265 | _In_ DEBUGOBJECTINFOCLASS DebugObjectInformationClass, 266 | _In_reads_bytes_(DebugInformationLength) PVOID DebugInformation, 267 | _In_ ULONG DebugInformationLength, 268 | _Out_opt_ PULONG ReturnLength 269 | ); 270 | 271 | NTSYSCALLAPI 272 | NTSTATUS 273 | NTAPI 274 | NtWaitForDebugEvent( 275 | _In_ HANDLE DebugObjectHandle, 276 | _In_ BOOLEAN Alertable, 277 | _In_opt_ PLARGE_INTEGER Timeout, 278 | _Out_ PDBGUI_WAIT_STATE_CHANGE WaitStateChange 279 | ); 280 | 281 | // Debugging UI 282 | 283 | NTSYSAPI 284 | NTSTATUS 285 | NTAPI 286 | DbgUiConnectToDbg( 287 | VOID 288 | ); 289 | 290 | NTSYSAPI 291 | HANDLE 292 | NTAPI 293 | DbgUiGetThreadDebugObject( 294 | VOID 295 | ); 296 | 297 | NTSYSAPI 298 | VOID 299 | NTAPI 300 | DbgUiSetThreadDebugObject( 301 | _In_ HANDLE DebugObject 302 | ); 303 | 304 | NTSYSAPI 305 | NTSTATUS 306 | NTAPI 307 | DbgUiWaitStateChange( 308 | _Out_ PDBGUI_WAIT_STATE_CHANGE StateChange, 309 | _In_opt_ PLARGE_INTEGER Timeout 
310 | ); 311 | 312 | NTSYSAPI 313 | NTSTATUS 314 | NTAPI 315 | DbgUiContinue( 316 | _In_ PCLIENT_ID AppClientId, 317 | _In_ NTSTATUS ContinueStatus 318 | ); 319 | 320 | NTSYSAPI 321 | NTSTATUS 322 | NTAPI 323 | DbgUiStopDebugging( 324 | _In_ HANDLE Process 325 | ); 326 | 327 | NTSYSAPI 328 | NTSTATUS 329 | NTAPI 330 | DbgUiDebugActiveProcess( 331 | _In_ HANDLE Process 332 | ); 333 | 334 | NTSYSAPI 335 | VOID 336 | NTAPI 337 | DbgUiRemoteBreakin( 338 | _In_ PVOID Context 339 | ); 340 | 341 | NTSYSAPI 342 | NTSTATUS 343 | NTAPI 344 | DbgUiIssueRemoteBreakin( 345 | _In_ HANDLE Process 346 | ); 347 | 348 | NTSYSAPI 349 | NTSTATUS 350 | NTAPI 351 | DbgUiConvertStateChangeStructure( 352 | _In_ PDBGUI_WAIT_STATE_CHANGE StateChange, 353 | _Out_ LPDEBUG_EVENT DebugEvent 354 | ); 355 | 356 | NTSYSAPI 357 | NTSTATUS 358 | NTAPI 359 | DbgUiConvertStateChangeStructureEx( 360 | _In_ PDBGUI_WAIT_STATE_CHANGE StateChange, 361 | _Out_ LPDEBUG_EVENT DebugEvent 362 | ); 363 | 364 | typedef struct _EVENT_FILTER_DESCRIPTOR *PEVENT_FILTER_DESCRIPTOR; 365 | 366 | typedef VOID (NTAPI *PENABLECALLBACK)( 367 | _In_ LPCGUID SourceId, 368 | _In_ ULONG IsEnabled, 369 | _In_ UCHAR Level, 370 | _In_ ULONGLONG MatchAnyKeyword, 371 | _In_ ULONGLONG MatchAllKeyword, 372 | _In_opt_ PEVENT_FILTER_DESCRIPTOR FilterData, 373 | _Inout_opt_ PVOID CallbackContext 374 | ); 375 | 376 | typedef ULONGLONG REGHANDLE, *PREGHANDLE; 377 | 378 | NTSYSAPI 379 | NTSTATUS 380 | NTAPI 381 | EtwEventRegister( 382 | _In_ LPCGUID ProviderId, 383 | _In_opt_ PENABLECALLBACK EnableCallback, 384 | _In_opt_ PVOID CallbackContext, 385 | _Out_ PREGHANDLE RegHandle 386 | ); 387 | 388 | #endif 389 | -------------------------------------------------------------------------------- /ntgdi.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Graphics device interface support 3 | * 4 | * This file is part of System Informer. 
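5 | */ 6 | 7 | #ifndef _NTGDI_H 8 | #define _NTGDI_H 9 | 10 | #define GDI_MAX_HANDLE_COUNT 0xFFFF // 0x4000 11 | 12 | #define GDI_HANDLE_INDEX_SHIFT 0 13 | #define GDI_HANDLE_INDEX_BITS 16 14 | #define GDI_HANDLE_INDEX_MASK 0xffff 15 | 16 | #define GDI_HANDLE_TYPE_SHIFT 16 17 | #define GDI_HANDLE_TYPE_BITS 5 18 | #define GDI_HANDLE_TYPE_MASK 0x1f 19 | 20 | #define GDI_HANDLE_ALTTYPE_SHIFT 21 21 | #define GDI_HANDLE_ALTTYPE_BITS 2 22 | #define GDI_HANDLE_ALTTYPE_MASK 0x3 23 | 24 | #define GDI_HANDLE_STOCK_SHIFT 23 25 | #define GDI_HANDLE_STOCK_BITS 1 26 | #define GDI_HANDLE_STOCK_MASK 0x1 27 | 28 | #define GDI_HANDLE_UNIQUE_SHIFT 24 29 | #define GDI_HANDLE_UNIQUE_BITS 8 30 | #define GDI_HANDLE_UNIQUE_MASK 0xff 31 | 32 | #define GDI_HANDLE_INDEX(Handle) ((ULONG)(Handle) & GDI_HANDLE_INDEX_MASK) // yields 0..0xFFFF while GDI_MAX_HANDLE_COUNT is 0xFFFF: bounds-check the result before indexing a table of that size 33 | #define GDI_HANDLE_TYPE(Handle) (((ULONG)(Handle) >> GDI_HANDLE_TYPE_SHIFT) & GDI_HANDLE_TYPE_MASK) 34 | #define GDI_HANDLE_ALTTYPE(Handle) (((ULONG)(Handle) >> GDI_HANDLE_ALTTYPE_SHIFT) & GDI_HANDLE_ALTTYPE_MASK) 35 | #define GDI_HANDLE_STOCK(Handle) (((ULONG)(Handle) >> GDI_HANDLE_STOCK_SHIFT) & GDI_HANDLE_STOCK_MASK) // 1-bit stock flag at bit 23; parentheses balanced so the macro expands to a single expression 36 | 37 | #define GDI_MAKE_HANDLE(Index, Unique) ((ULONG)(((ULONG)(Unique) << GDI_HANDLE_INDEX_BITS) | (ULONG)(Index))) 38 | 39 | // GDI server-side types 40 | 41 | #define GDI_DEF_TYPE 0 // invalid handle 42 | #define GDI_DC_TYPE 1 43 | #define GDI_DD_DIRECTDRAW_TYPE 2 44 | #define GDI_DD_SURFACE_TYPE 3 45 | #define GDI_RGN_TYPE 4 46 | #define GDI_SURF_TYPE 5 47 | #define GDI_CLIENTOBJ_TYPE 6 48 | #define GDI_PATH_TYPE 7 49 | #define GDI_PAL_TYPE 8 50 | #define GDI_ICMLCS_TYPE 9 51 | #define GDI_LFONT_TYPE 10 52 | #define GDI_RFONT_TYPE 11 53 | #define GDI_PFE_TYPE 12 54 | #define GDI_PFT_TYPE 13 55 | #define GDI_ICMCXF_TYPE 14 56 | #define GDI_ICMDLL_TYPE 15 57 | #define GDI_BRUSH_TYPE 16 58 | #define GDI_PFF_TYPE 17 // unused 59 | #define GDI_CACHE_TYPE 18 // unused 60 | #define GDI_SPACE_TYPE 19 61 | #define GDI_DBRUSH_TYPE 20 // unused 62 | #define 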
GDI_META_TYPE 21 63 | #define GDI_EFSTATE_TYPE 22 64 | #define GDI_BMFD_TYPE 23 // unused 65 | #define GDI_VTFD_TYPE 24 // unused 66 | #define GDI_TTFD_TYPE 25 // unused 67 | #define GDI_RC_TYPE 26 // unused 68 | #define GDI_TEMP_TYPE 27 // unused 69 | #define GDI_DRVOBJ_TYPE 28 70 | #define GDI_DCIOBJ_TYPE 29 // unused 71 | #define GDI_SPOOL_TYPE 30 72 | 73 | // GDI client-side types 74 | 75 | #define GDI_CLIENT_TYPE_FROM_HANDLE(Handle) ((ULONG)(Handle) & ((GDI_HANDLE_ALTTYPE_MASK << GDI_HANDLE_ALTTYPE_SHIFT) | \ 76 | (GDI_HANDLE_TYPE_MASK << GDI_HANDLE_TYPE_SHIFT))) 77 | #define GDI_CLIENT_TYPE_FROM_UNIQUE(Unique) GDI_CLIENT_TYPE_FROM_HANDLE((ULONG)(Unique) << 16) 78 | 79 | #define GDI_ALTTYPE_1 (1 << GDI_HANDLE_ALTTYPE_SHIFT) 80 | #define GDI_ALTTYPE_2 (2 << GDI_HANDLE_ALTTYPE_SHIFT) 81 | #define GDI_ALTTYPE_3 (3 << GDI_HANDLE_ALTTYPE_SHIFT) 82 | 83 | #define GDI_CLIENT_BITMAP_TYPE (GDI_SURF_TYPE << GDI_HANDLE_TYPE_SHIFT) 84 | #define GDI_CLIENT_BRUSH_TYPE (GDI_BRUSH_TYPE << GDI_HANDLE_TYPE_SHIFT) 85 | #define GDI_CLIENT_CLIENTOBJ_TYPE (GDI_CLIENTOBJ_TYPE << GDI_HANDLE_TYPE_SHIFT) 86 | #define GDI_CLIENT_DC_TYPE (GDI_DC_TYPE << GDI_HANDLE_TYPE_SHIFT) 87 | #define GDI_CLIENT_FONT_TYPE (GDI_LFONT_TYPE << GDI_HANDLE_TYPE_SHIFT) 88 | #define GDI_CLIENT_PALETTE_TYPE (GDI_PAL_TYPE << GDI_HANDLE_TYPE_SHIFT) 89 | #define GDI_CLIENT_REGION_TYPE (GDI_RGN_TYPE << GDI_HANDLE_TYPE_SHIFT) 90 | 91 | #define GDI_CLIENT_ALTDC_TYPE (GDI_CLIENT_DC_TYPE | GDI_ALTTYPE_1) 92 | #define GDI_CLIENT_DIBSECTION_TYPE (GDI_CLIENT_BITMAP_TYPE | GDI_ALTTYPE_1) 93 | #define GDI_CLIENT_EXTPEN_TYPE (GDI_CLIENT_BRUSH_TYPE | GDI_ALTTYPE_2) 94 | #define GDI_CLIENT_METADC16_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_3) 95 | #define GDI_CLIENT_METAFILE_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_2) 96 | #define GDI_CLIENT_METAFILE16_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_1) 97 | #define GDI_CLIENT_PEN_TYPE (GDI_CLIENT_BRUSH_TYPE | GDI_ALTTYPE_1) 98 | 99 | typedef struct _GDI_HANDLE_ENTRY 
100 | { 101 | union 102 | { 103 | PVOID Object; 104 | PVOID NextFree; 105 | }; 106 | union 107 | { 108 | struct 109 | { 110 | USHORT ProcessId; 111 | USHORT Lock : 1; 112 | USHORT Count : 15; 113 | }; 114 | ULONG Value; 115 | } Owner; 116 | USHORT Unique; 117 | UCHAR Type; 118 | UCHAR Flags; 119 | PVOID UserPointer; 120 | } GDI_HANDLE_ENTRY, *PGDI_HANDLE_ENTRY; 121 | 122 | typedef struct _GDI_SHARED_MEMORY 123 | { 124 | GDI_HANDLE_ENTRY Handles[GDI_MAX_HANDLE_COUNT]; 125 | } GDI_SHARED_MEMORY, *PGDI_SHARED_MEMORY; 126 | 127 | #endif 128 | -------------------------------------------------------------------------------- /ntimage.h: -------------------------------------------------------------------------------- 1 | /* 2 | * PE format support 3 | * 4 | * This file is part of System Informer. 5 | */ 6 | 7 | #ifndef _NTIMAGE_H 8 | #define _NTIMAGE_H 9 | 10 | #include 11 | 12 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 13 | #define IMAGE_FILE_MACHINE_CHPE_X86 0x3A64 14 | #define IMAGE_FILE_MACHINE_ARM64EC 0xA641 15 | #define IMAGE_FILE_MACHINE_ARM64X 0xA64E 16 | #endif 17 | 18 | typedef struct _IMAGE_DEBUG_POGO_ENTRY 19 | { 20 | ULONG Rva; 21 | ULONG Size; 22 | CHAR Name[1]; 23 | } IMAGE_DEBUG_POGO_ENTRY, *PIMAGE_DEBUG_POGO_ENTRY; 24 | 25 | typedef struct _IMAGE_DEBUG_POGO_SIGNATURE 26 | { 27 | ULONG Signature; 28 | } IMAGE_DEBUG_POGO_SIGNATURE, *PIMAGE_DEBUG_POGO_SIGNATURE; 29 | 30 | #define IMAGE_DEBUG_POGO_SIGNATURE_LTCG 'LTCG' // coffgrp LTCG (0x4C544347) 31 | #define IMAGE_DEBUG_POGO_SIGNATURE_PGU 'PGU\0' // coffgrp PGU (0x50475500) 32 | 33 | typedef struct _IMAGE_RELOCATION_RECORD 34 | { 35 | USHORT Offset : 12; 36 | USHORT Type : 4; 37 | } IMAGE_RELOCATION_RECORD, *PIMAGE_RELOCATION_RECORD; 38 | 39 | typedef struct _IMAGE_CHPE_METADATA_X86 40 | { 41 | ULONG Version; 42 | ULONG CHPECodeAddressRangeOffset; 43 | ULONG CHPECodeAddressRangeCount; 44 | ULONG WowA64ExceptionHandlerFunctionPointer; 45 | ULONG WowA64DispatchCallFunctionPointer; 46 | ULONG 
WowA64DispatchIndirectCallFunctionPointer; 47 | ULONG WowA64DispatchIndirectCallCfgFunctionPointer; 48 | ULONG WowA64DispatchRetFunctionPointer; 49 | ULONG WowA64DispatchRetLeafFunctionPointer; 50 | ULONG WowA64DispatchJumpFunctionPointer; 51 | ULONG CompilerIATPointer; // Present if Version >= 2 52 | ULONG WowA64RdtscFunctionPointer; // Present if Version >= 3 53 | } IMAGE_CHPE_METADATA_X86, *PIMAGE_CHPE_METADATA_X86; 54 | 55 | typedef struct _IMAGE_CHPE_RANGE_ENTRY 56 | { 57 | union 58 | { 59 | ULONG StartOffset; 60 | struct 61 | { 62 | ULONG NativeCode : 1; 63 | ULONG AddressBits : 31; 64 | } DUMMYSTRUCTNAME; 65 | } DUMMYUNIONNAME; 66 | 67 | ULONG Length; 68 | } IMAGE_CHPE_RANGE_ENTRY, *PIMAGE_CHPE_RANGE_ENTRY; 69 | 70 | typedef struct _IMAGE_ARM64EC_METADATA 71 | { 72 | ULONG Version; 73 | ULONG CodeMap; 74 | ULONG CodeMapCount; 75 | ULONG CodeRangesToEntryPoints; 76 | ULONG RedirectionMetadata; 77 | ULONG tbd__os_arm64x_dispatch_call_no_redirect; 78 | ULONG tbd__os_arm64x_dispatch_ret; 79 | ULONG tbd__os_arm64x_dispatch_call; 80 | ULONG tbd__os_arm64x_dispatch_icall; 81 | ULONG tbd__os_arm64x_dispatch_icall_cfg; 82 | ULONG AlternateEntryPoint; 83 | ULONG AuxiliaryIAT; 84 | ULONG CodeRangesToEntryPointsCount; 85 | ULONG RedirectionMetadataCount; 86 | ULONG GetX64InformationFunctionPointer; 87 | ULONG SetX64InformationFunctionPointer; 88 | ULONG ExtraRFETable; 89 | ULONG ExtraRFETableSize; 90 | ULONG __os_arm64x_dispatch_fptr; 91 | ULONG AuxiliaryIATCopy; 92 | } IMAGE_ARM64EC_METADATA, *PIMAGE_ARM64EC_METADATA; 93 | 94 | // rev 95 | #define IMAGE_ARM64EC_CODE_MAP_TYPE_ARM64 0 96 | #define IMAGE_ARM64EC_CODE_MAP_TYPE_ARM64EC 1 97 | #define IMAGE_ARM64EC_CODE_MAP_TYPE_AMD64 2 98 | 99 | // rev 100 | typedef struct _IMAGE_ARM64EC_CODE_MAP_ENTRY 101 | { 102 | union 103 | { 104 | ULONG StartOffset; 105 | struct 106 | { 107 | ULONG Type : 2; 108 | ULONG AddressBits : 30; 109 | } DUMMYSTRUCTNAME; 110 | } DUMMYUNIONNAME; 111 | 112 | ULONG Length; 113 | } 
IMAGE_ARM64EC_CODE_MAP_ENTRY, *PIMAGE_ARM64EC_CODE_MAP_ENTRY; 114 | 115 | typedef struct _IMAGE_ARM64EC_REDIRECTION_ENTRY 116 | { 117 | ULONG Source; 118 | ULONG Destination; 119 | } IMAGE_ARM64EC_REDIRECTION_ENTRY, *PIMAGE_ARM64EC_REDIRECTION_ENTRY; 120 | 121 | typedef struct _IMAGE_ARM64EC_CODE_RANGE_ENTRY_POINT 122 | { 123 | ULONG StartRva; 124 | ULONG EndRva; 125 | ULONG EntryPoint; 126 | } IMAGE_ARM64EC_CODE_RANGE_ENTRY_POINT, *PIMAGE_ARM64EC_CODE_RANGE_ENTRY_POINT; 127 | 128 | #define IMAGE_DVRT_ARM64X_FIXUP_TYPE_ZEROFILL 0 129 | #define IMAGE_DVRT_ARM64X_FIXUP_TYPE_VALUE 1 130 | #define IMAGE_DVRT_ARM64X_FIXUP_TYPE_DELTA 2 131 | 132 | #define IMAGE_DVRT_ARM64X_FIXUP_SIZE_2BYTES 1 133 | #define IMAGE_DVRT_ARM64X_FIXUP_SIZE_4BYTES 2 134 | #define IMAGE_DVRT_ARM64X_FIXUP_SIZE_8BYTES 3 135 | 136 | typedef struct _IMAGE_DVRT_ARM64X_FIXUP_RECORD 137 | { 138 | USHORT Offset : 12; 139 | USHORT Type : 2; 140 | USHORT Size : 2; 141 | // Value of variable Size when IMAGE_DVRT_ARM64X_FIXUP_TYPE_VALUE 142 | } IMAGE_DVRT_ARM64X_FIXUP_RECORD, *PIMAGE_DVRT_ARM64X_FIXUP_RECORD; 143 | 144 | typedef struct _IMAGE_DVRT_ARM64X_DELTA_FIXUP_RECORD 145 | { 146 | USHORT Offset : 12; 147 | USHORT Type : 2; // IMAGE_DVRT_ARM64X_FIXUP_TYPE_DELTA 148 | USHORT Sign : 1; // 1 = -, 0 = + 149 | USHORT Scale : 1; // 1 = 8, 0 = 4 150 | // USHORT Value; // Delta = Value * Scale * Sign 151 | } IMAGE_DVRT_ARM64X_DELTA_FIXUP_RECORD, *PIMAGE_DVRT_ARM64X_DELTA_FIXUP_RECORD; 152 | 153 | #include 154 | 155 | #define IMAGE_DYNAMIC_RELOCATION_ARM64X 0x00000006 156 | #define IMAGE_DYNAMIC_RELOCATION_MM_SHARED_USER_DATA_VA 0x7FFE0000 157 | #define IMAGE_DYNAMIC_RELOCATION_KI_USER_SHARED_DATA64 0xFFFFF78000000000UI64 158 | 159 | // Note: The Windows SDK defines UNALIGNED for PIMAGE_IMPORT_DESCRIPTOR but 160 | // doesn't include UNALIGNED for PIMAGE_THUNK_DATA (See GH#1694) (dmex) 161 | typedef struct _IMAGE_THUNK_DATA32 IMAGE_THUNK_DATA32; 162 | typedef struct _IMAGE_THUNK_DATA64 IMAGE_THUNK_DATA64; 163 | 
typedef IMAGE_THUNK_DATA32 UNALIGNED* UNALIGNED_PIMAGE_THUNK_DATA32; 164 | typedef IMAGE_THUNK_DATA64 UNALIGNED* UNALIGNED_PIMAGE_THUNK_DATA64; 165 | 166 | // Note: Required for legacy SDK support (dmex) 167 | #if !defined(NTDDI_WIN10_NI) || (NTDDI_VERSION < NTDDI_WIN10_NI) 168 | #define IMAGE_DYNAMIC_RELOCATION_GUARD_RF_PROLOGUE 0x00000001 169 | #define IMAGE_DYNAMIC_RELOCATION_GUARD_RF_EPILOGUE 0x00000002 170 | #define IMAGE_DYNAMIC_RELOCATION_GUARD_IMPORT_CONTROL_TRANSFER 0x00000003 171 | #define IMAGE_DYNAMIC_RELOCATION_GUARD_INDIR_CONTROL_TRANSFER 0x00000004 172 | #define IMAGE_DYNAMIC_RELOCATION_GUARD_SWITCHTABLE_BRANCH 0x00000005 173 | #define IMAGE_DYNAMIC_RELOCATION_FUNCTION_OVERRIDE 0x00000007 174 | 175 | typedef struct _IMAGE_FUNCTION_OVERRIDE_HEADER { 176 | ULONG FuncOverrideSize; 177 | // IMAGE_FUNCTION_OVERRIDE_DYNAMIC_RELOCATION FuncOverrideInfo[ANYSIZE_ARRAY]; // FuncOverrideSize bytes in size 178 | // IMAGE_BDD_INFO BDDInfo; // BDD region, size in bytes: DVRTEntrySize - sizeof(IMAGE_FUNCTION_OVERRIDE_HEADER) - FuncOverrideSize 179 | } IMAGE_FUNCTION_OVERRIDE_HEADER; 180 | typedef IMAGE_FUNCTION_OVERRIDE_HEADER UNALIGNED *PIMAGE_FUNCTION_OVERRIDE_HEADER; 181 | 182 | typedef struct _IMAGE_BDD_INFO { 183 | ULONG Version; // decides the semantics of serialized BDD 184 | ULONG BDDSize; 185 | // IMAGE_BDD_DYNAMIC_RELOCATION BDDNodes[ANYSIZE_ARRAY]; // BDDSize size in bytes. 186 | } IMAGE_BDD_INFO, *PIMAGE_BDD_INFO; 187 | 188 | typedef struct _IMAGE_FUNCTION_OVERRIDE_DYNAMIC_RELOCATION { 189 | ULONG OriginalRva; // RVA of original function 190 | ULONG BDDOffset; // Offset into the BDD region 191 | ULONG RvaSize; // Size in bytes taken by RVAs. Must be multiple of sizeof(DWORD). 192 | ULONG BaseRelocSize; // Size in bytes taken by BaseRelocs 193 | // DWORD RVAs[RvaSize / sizeof(DWORD)]; // Array containing overriding func RVAs. 
194 | // IMAGE_BASE_RELOCATION BaseRelocs[ANYSIZE_ARRAY]; 195 | // ^Base relocations (RVA + Size + TO) 196 | // ^Padded with extra TOs for 4B alignment 197 | // ^BaseRelocSize size in bytes 198 | } IMAGE_FUNCTION_OVERRIDE_DYNAMIC_RELOCATION, *PIMAGE_FUNCTION_OVERRIDE_DYNAMIC_RELOCATION; 199 | 200 | typedef struct _IMAGE_BDD_DYNAMIC_RELOCATION { 201 | USHORT Left; // Index of FALSE edge in BDD array 202 | USHORT Right; // Index of TRUE edge in BDD array 203 | ULONG Value; // Either FeatureNumber or Index into RVAs array 204 | } IMAGE_BDD_DYNAMIC_RELOCATION, *PIMAGE_BDD_DYNAMIC_RELOCATION; 205 | 206 | // Function override relocation types in DVRT records. 207 | #define IMAGE_FUNCTION_OVERRIDE_INVALID 0 208 | #define IMAGE_FUNCTION_OVERRIDE_X64_REL32 1 // 32-bit relative address from byte following reloc 209 | #define IMAGE_FUNCTION_OVERRIDE_ARM64_BRANCH26 2 // 26 bit offset << 2 & sign ext. for B & BL 210 | #define IMAGE_FUNCTION_OVERRIDE_ARM64_THUNK 3 211 | #endif 212 | 213 | #if !defined(NTDDI_WIN11_GE) || (NTDDI_VERSION < NTDDI_WIN11_GE) 214 | #define IMAGE_DLLCHARACTERISTICS_EX_FORWARD_CFI_COMPAT 0x40 215 | #define IMAGE_DLLCHARACTERISTICS_EX_HOTPATCH_COMPATIBLE 0x80 216 | #endif 217 | 218 | #endif 219 | -------------------------------------------------------------------------------- /ntkeapi.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Kernel executive support library 3 | * 4 | * This file is part of System Informer. 
5 | */ 6 | 7 | #ifndef _NTKEAPI_H 8 | #define _NTKEAPI_H 9 | 10 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 11 | #define LOW_PRIORITY 0 // Lowest thread priority level 12 | #define LOW_REALTIME_PRIORITY 16 // Lowest realtime priority level 13 | #define HIGH_PRIORITY 31 // Highest thread priority level 14 | #define MAXIMUM_PRIORITY 32 // Number of thread priority levels 15 | #endif 16 | 17 | typedef enum _KTHREAD_STATE 18 | { 19 | Initialized, 20 | Ready, 21 | Running, 22 | Standby, 23 | Terminated, 24 | Waiting, 25 | Transition, 26 | DeferredReady, 27 | GateWaitObsolete, 28 | WaitingForProcessInSwap, 29 | MaximumThreadState 30 | } KTHREAD_STATE, *PKTHREAD_STATE; 31 | 32 | // private 33 | typedef enum _KHETERO_CPU_POLICY 34 | { 35 | KHeteroCpuPolicyAll = 0, 36 | KHeteroCpuPolicyLarge = 1, 37 | KHeteroCpuPolicyLargeOrIdle = 2, 38 | KHeteroCpuPolicySmall = 3, 39 | KHeteroCpuPolicySmallOrIdle = 4, 40 | KHeteroCpuPolicyDynamic = 5, 41 | KHeteroCpuPolicyStaticMax = 5, // valid 42 | KHeteroCpuPolicyBiasedSmall = 6, 43 | KHeteroCpuPolicyBiasedLarge = 7, 44 | KHeteroCpuPolicyDefault = 8, 45 | KHeteroCpuPolicyMax = 9 46 | } KHETERO_CPU_POLICY, *PKHETERO_CPU_POLICY; 47 | 48 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 49 | /** 50 | * KWAIT_REASON identifies the reasons for context switches or the current waiting state. 51 | */ 52 | typedef enum _KWAIT_REASON 53 | { 54 | Executive, // Waiting for an executive event. 55 | FreePage, // Waiting for a free page. 56 | PageIn, // Waiting for a page to be read in. 57 | PoolAllocation, // Waiting for a pool allocation. 58 | DelayExecution, // Waiting due to a delay execution. // NtDelayExecution 59 | Suspended, // Waiting because the thread is suspended. // NtSuspendThread 60 | UserRequest, // Waiting due to a user request. // NtWaitForSingleObject 61 | WrExecutive, // Waiting for an executive event. 62 | WrFreePage, // Waiting for a free page. 63 | WrPageIn, // Waiting for a page to be read in. 
64 | WrPoolAllocation, // Waiting for a pool allocation. 65 | WrDelayExecution, // Waiting due to a delay execution. 66 | WrSuspended, // Waiting because the thread is suspended. 67 | WrUserRequest, // Waiting due to a user request. 68 | WrEventPair, // Waiting for an event pair. // NtCreateEventPair 69 | WrQueue, // Waiting for a queue. // NtRemoveIoCompletion 70 | WrLpcReceive, // Waiting for an LPC receive. 71 | WrLpcReply, // Waiting for an LPC reply. 72 | WrVirtualMemory, // Waiting for virtual memory. 73 | WrPageOut, // Waiting for a page to be written out. 74 | WrRendezvous, // Waiting for a rendezvous. 75 | WrKeyedEvent, // Waiting for a keyed event. // NtCreateKeyedEvent 76 | WrTerminated, // Waiting for thread termination. 77 | WrProcessInSwap, // Waiting for a process to be swapped in. 78 | WrCpuRateControl, // Waiting for CPU rate control. 79 | WrCalloutStack, // Waiting for a callout stack. 80 | WrKernel, // Waiting for a kernel event. 81 | WrResource, // Waiting for a resource. 82 | WrPushLock, // Waiting for a push lock. 83 | WrMutex, // Waiting for a mutex. 84 | WrQuantumEnd, // Waiting for the end of a quantum. 85 | WrDispatchInt, // Waiting for a dispatch interrupt. 86 | WrPreempted, // Waiting because the thread was preempted. 87 | WrYieldExecution, // Waiting to yield execution. 88 | WrFastMutex, // Waiting for a fast mutex. 89 | WrGuardedMutex, // Waiting for a guarded mutex. 90 | WrRundown, // Waiting for a rundown. 91 | WrAlertByThreadId, // Waiting for an alert by thread ID. 92 | WrDeferredPreempt, // Waiting for a deferred preemption. 93 | WrPhysicalFault, // Waiting for a physical fault. 94 | WrIoRing, // Waiting for an I/O ring. 95 | WrMdlCache, // Waiting for an MDL cache. 96 | WrRcu, // Waiting for read-copy-update (RCU) synchronization. 
97 | MaximumWaitReason 98 | } KWAIT_REASON, *PKWAIT_REASON; 99 | 100 | typedef enum _KPROFILE_SOURCE 101 | { 102 | ProfileTime, 103 | ProfileAlignmentFixup, 104 | ProfileTotalIssues, 105 | ProfilePipelineDry, 106 | ProfileLoadInstructions, 107 | ProfilePipelineFrozen, 108 | ProfileBranchInstructions, 109 | ProfileTotalNonissues, 110 | ProfileDcacheMisses, 111 | ProfileIcacheMisses, 112 | ProfileCacheMisses, 113 | ProfileBranchMispredictions, 114 | ProfileStoreInstructions, 115 | ProfileFpInstructions, 116 | ProfileIntegerInstructions, 117 | Profile2Issue, 118 | Profile3Issue, 119 | Profile4Issue, 120 | ProfileSpecialInstructions, 121 | ProfileTotalCycles, 122 | ProfileIcacheIssues, 123 | ProfileDcacheAccesses, 124 | ProfileMemoryBarrierCycles, 125 | ProfileLoadLinkedIssues, 126 | ProfileMaximum 127 | } KPROFILE_SOURCE; 128 | 129 | #endif 130 | 131 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 132 | 133 | NTSYSCALLAPI 134 | NTSTATUS 135 | NTAPI 136 | NtCallbackReturn( 137 | _In_reads_bytes_opt_(OutputLength) PVOID OutputBuffer, 138 | _In_ ULONG OutputLength, 139 | _In_ NTSTATUS Status 140 | ); 141 | 142 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 143 | /** 144 | * The NtFlushProcessWriteBuffers routine flushes the write queue of each processor that is running a thread of the current process. 145 | * 146 | * @return NTSTATUS Successful or errant status. 
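* @see https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-flushprocesswritebuffers
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtFlushProcessWriteBuffers(
    VOID
    );
#endif

/**
 * Takes a component id and a level; the result is reported only through the
 * returned NTSTATUS (no output parameter is declared).
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryDebugFilterState(
    _In_ ULONG ComponentId,
    _In_ ULONG Level
    );

/**
 * Sets the debug filter State for the ComponentId/Level pair (per the routine name).
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetDebugFilterState(
    _In_ ULONG ComponentId,
    _In_ ULONG Level,
    _In_ BOOLEAN State
    );

/**
 * Takes no arguments; the outcome is reported through the returned NTSTATUS.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtYieldExecution(
    VOID
    );

#endif

#endif

--------------------------------------------------------------------------------
/ntmisc.h:
--------------------------------------------------------------------------------
/*
 * Trace Control support functions
 *
 * This file is part of System Informer.
 */

#ifndef _NTMISC_H
#define _NTMISC_H

// Reading notes for this header:
// - "// rev" and "// private" tag where a declaration came from; the project
//   README names symbol files, reverse engineering and guessing as sources, so
//   treat the annotations on such entries as best-effort rather than contract.
// - "q:" / "s:" comments on enum values name the data type used when the value
//   is queried / set.

//
// VDM
//

// Service classes accepted by NtVdmControl.
typedef enum _VDMSERVICECLASS
{
    VdmStartExecution,
    VdmQueueInterrupt,
    VdmDelayInterrupt,
    VdmInitialize,
    VdmFeatures,
    VdmSetInt21Handler,
    VdmQueryDir,
    VdmPrinterDirectIoOpen,
    VdmPrinterDirectIoClose,
    VdmPrinterInitialize,
    VdmSetLdtEntries,
    VdmSetProcessLdtInfo,
    VdmAdlibEmulation,
    VdmPMCliControl,
    VdmQueryVdmProcess,
    VdmPreInitialize
} VDMSERVICECLASS, *PVDMSERVICECLASS;

/**
 * ServiceData is an untyped in/out pointer with no accompanying length.
 * Its layout presumably depends on Service and is not described in this
 * header, so the caller is responsible for sizing it per service class.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtVdmControl(
    _In_ VDMSERVICECLASS Service,
    _Inout_ PVOID ServiceData
    );

//
// Sessions
//

// Event and state values passed to NtNotifyChangeSession.
typedef enum _IO_SESSION_EVENT
{
    IoSessionEventIgnore,
    IoSessionEventCreated,
    IoSessionEventTerminated,
    IoSessionEventConnected,
    IoSessionEventDisconnected,
    IoSessionEventLogon,
    IoSessionEventLogoff,
    IoSessionEventMax
} IO_SESSION_EVENT;

// Named states start at 1; 0 is not a named state in this enum.
typedef enum _IO_SESSION_STATE
{
    IoSessionStateCreated = 1,
    IoSessionStateInitialized = 2,
    IoSessionStateConnected = 3,
    IoSessionStateDisconnected = 4,
    IoSessionStateDisconnectedLoggedOn = 5,
    IoSessionStateLoggedOn = 6,
    IoSessionStateLoggedOff = 7,
    IoSessionStateTerminated = 8,
    IoSessionStateMax
} IO_SESSION_STATE;

#if (PHNT_MODE != PHNT_MODE_KERNEL)

#if (PHNT_VERSION >= PHNT_WINDOWS_VISTA)
/**
 * Returns a session handle in SessionHandle. ObjectAttributes is required.
 * Request only the rights the caller needs in DesiredAccess.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenSession(
    _Out_ PHANDLE SessionHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes
    );
#endif // (PHNT_VERSION >= PHNT_WINDOWS_VISTA)

#endif // (PHNT_MODE != PHNT_MODE_KERNEL)

#if (PHNT_VERSION >= PHNT_WINDOWS_7)
/**
 * Payload is optional and is read for PayloadSize bytes.
 * Unlike NtOpenSession above, this prototype is not inside the
 * PHNT_MODE != PHNT_MODE_KERNEL guard.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtNotifyChangeSession(
    _In_ HANDLE SessionHandle,
    _In_ ULONG ChangeSequenceNumber,
    _In_ PLARGE_INTEGER ChangeTimeStamp,
    _In_ IO_SESSION_EVENT Event,
    _In_ IO_SESSION_STATE NewState,
    _In_ IO_SESSION_STATE PreviousState,
    _In_reads_bytes_opt_(PayloadSize) PVOID Payload,
    _In_ ULONG PayloadSize
    );
#endif // (PHNT_VERSION >= PHNT_WINDOWS_7)

//
// ApiSet
//

// Both routines return BOOL (not NTSTATUS) and report their answer through
// out parameters; check the return value before trusting Present/IsInSchema.

NTSYSAPI
BOOL
NTAPI
ApiSetQueryApiSetPresence(
    _In_ PCUNICODE_STRING Namespace,
    _Out_ PBOOLEAN Present
    );

NTSYSAPI
BOOL
NTAPI
ApiSetQueryApiSetPresenceEx(
    _In_ PCUNICODE_STRING Namespace,
    _Out_ PBOOLEAN IsInSchema,
    _Out_ PBOOLEAN Present
    );

// Value types accepted by the ValueType parameter of NtQuerySecurityPolicy.
typedef enum _SECURE_SETTING_VALUE_TYPE
{
    SecureSettingValueTypeBoolean = 0,
    SecureSettingValueTypeUlong = 1,
    SecureSettingValueTypeBinary = 2,
    SecureSettingValueTypeString = 3,
    SecureSettingValueTypeUnknown = 4
} SECURE_SETTING_VALUE_TYPE, *PSECURE_SETTING_VALUE_TYPE;

#if (PHNT_VERSION >= PHNT_WINDOWS_10_RS1)
// rev
/**
 * Value is optional and bounded by *ValueSize bytes; ValueSize is in/out.
 * Presumably it is updated with the size written or required; confirm before
 * relying on it, since the declaration is marked rev.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQuerySecurityPolicy(
    _In_ PCUNICODE_STRING Policy,
    _In_ PCUNICODE_STRING KeyName,
    _In_ PCUNICODE_STRING ValueName,
    _In_ SECURE_SETTING_VALUE_TYPE ValueType,
    _Out_writes_bytes_opt_(*ValueSize) PVOID Value,
    _Inout_ PULONG ValueSize
    );
#endif

#if (PHNT_VERSION >= PHNT_WINDOWS_10_20H1)
// rev
/**
 * Returns a handle in CrossVmEvent; ObjectAttributes is optional, the two
 * GUID pointers are required.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateCrossVmEvent(
    _Out_ PHANDLE CrossVmEvent,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ ULONG CrossVmEventFlags,
    _In_ LPCGUID VMID,
    _In_ LPCGUID ServiceID
    );

// rev
/**
 * Same parameter list as NtCreateCrossVmEvent.
 * NOTE(review): the parameter names EventHandle and CrossVmEventFlags look
 * copied from the event routine; the returned handle is presumably a mutant.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateCrossVmMutant(
    _Out_ PHANDLE EventHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ ULONG CrossVmEventFlags,
    _In_ LPCGUID VMID,
    _In_ LPCGUID ServiceID
    );

// rev
/**
 * Timeout is annotated _In_ (not optional) in this declaration.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAcquireCrossVmMutant(
    _In_ HANDLE CrossVmMutant,
    _In_ PLARGE_INTEGER Timeout
    );

// rev
/**
 * Both buffers are optional and carry explicit byte lengths; ReturnLength is
 * a required out parameter.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtDirectGraphicsCall(
    _In_ ULONG InputBufferLength,
    _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer,
    _In_ ULONG OutputBufferLength,
    _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer,
    _Out_ PULONG ReturnLength
    );
#endif // (PHNT_VERSION >= PHNT_WINDOWS_10_20H1)

#if (PHNT_VERSION >= PHNT_WINDOWS_11_22H2)
// rev
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenCpuPartition(
    _Out_ PHANDLE CpuPartitionHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes
    );

// rev
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateCpuPartition(
    _Out_ PHANDLE CpuPartitionHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes
    );

// rev
/**
 * CpuPartitionInformation is read for CpuPartitionInformationLength bytes.
 * The three trailing parameters are unnamed and _Reserved_ (the SAL meaning
 * is "must be NULL or zero").
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetInformationCpuPartition(
    _In_ HANDLE CpuPartitionHandle,
    _In_ ULONG CpuPartitionInformationClass,
    _In_reads_bytes_(CpuPartitionInformationLength) PVOID CpuPartitionInformation,
    _In_ ULONG CpuPartitionInformationLength,
    _Reserved_ PVOID,
    _Reserved_ ULONG,
    _Reserved_ ULONG
    );
#endif

#if (PHNT_VERSION >= PHNT_WINDOWS_10_RS2)
//
// Process KeepAlive (also WakeCounter)
//

typedef enum _PROCESS_ACTIVITY_TYPE
{
    ProcessActivityTypeAudio = 0,
    ProcessActivityTypeMax = 1
} PROCESS_ACTIVITY_TYPE;

// rev
/**
 * Returns a handle in ActivityReferenceHandle. The last parameter is typed
 * PROCESS_ACTIVITY_TYPE but annotated _Reserved_.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAcquireProcessActivityReference(
    _Out_ PHANDLE ActivityReferenceHandle,
    _In_ HANDLE ParentProcessHandle,
    _Reserved_ PROCESS_ACTIVITY_TYPE Reserved
    );

#endif // (PHNT_VERSION >= PHNT_WINDOWS_10_RS2)

//
// Appx/Msix Packages
//
// Each *_CONTEXT_REFERENCE type below is a pointer to a struct holding one
// reserved pointer, i.e. an opaque handle. Each property enum lists the data
// type returned for a value. The getters further down pair an _Inout_ size
// pointer with an output buffer; the buffer bound is written as *BufferSize /
// *BufferLength (the value pointed to), the same form NtQuerySecurityPolicy
// and GetCurrentPackageInfo3 use in this header, so that static analysis sees
// a count rather than a pointer.
// Return types differ (ULONG, LONG, HRESULT) between otherwise parallel
// routines; presumably Win32 error codes for the first two. TODO confirm.
//

// private
typedef struct _PACKAGE_CONTEXT_REFERENCE
{
    PVOID reserved;
} *PACKAGE_CONTEXT_REFERENCE;

// private
typedef enum PackageProperty
{
    PackageProperty_Name = 1, // q: WCHAR[]
    PackageProperty_Version = 2, // q: WCHAR[]
    PackageProperty_Architecture = 3, // q: ULONG (PROCESSOR_ARCHITECTURE_*)
    PackageProperty_ResourceId = 4, // q: WCHAR[]
    PackageProperty_Publisher = 5, // q: WCHAR[]
    PackageProperty_PublisherId = 6, // q: WCHAR[]
    PackageProperty_FamilyName = 7, // q: WCHAR[]
    PackageProperty_FullName = 8, // q: WCHAR[]
    PackageProperty_Flags = 9, // q: ULONG
    PackageProperty_InstalledLocation = 10, // q: WCHAR[]
    PackageProperty_DisplayName = 11, // q: WCHAR[]
    PackageProperty_PublisherDisplayName = 12, // q: WCHAR[]
    PackageProperty_Description = 13, // q: WCHAR[]
    PackageProperty_Logo = 14, // q: WCHAR[]
    PackageProperty_PackageOrigin = 15 // q: PackageOrigin
} PackageProperty;

// private
typedef struct _PACKAGE_APPLICATION_CONTEXT_REFERENCE
{
    PVOID reserved;
} *PACKAGE_APPLICATION_CONTEXT_REFERENCE;

// private
typedef enum PackageApplicationProperty
{
    PackageApplicationProperty_Aumid = 1, // q: WCHAR[]
    PackageApplicationProperty_Praid = 2, // q: WCHAR[]
    PackageApplicationProperty_DisplayName = 3, // q: WCHAR[]
    PackageApplicationProperty_Description = 4, // q: WCHAR[]
    PackageApplicationProperty_Logo = 5, // q: WCHAR[]
    PackageApplicationProperty_SmallLogo = 6, // q: WCHAR[]
    PackageApplicationProperty_ForegroundText = 7, // q: ULONG
    PackageApplicationProperty_ForegroundTextString = 8, // q: WCHAR[]
    PackageApplicationProperty_BackgroundColor = 9, // q: ULONG
    PackageApplicationProperty_StartPage = 10, // q: WCHAR[]
    PackageApplicationProperty_ContentURIRulesCount = 11, // q: ULONG
    PackageApplicationProperty_ContentURIRules = 12, // q: WCHAR[] (multi-sz)
    PackageApplicationProperty_StaticContentURIRulesCount = 13, // q: ULONG
    PackageApplicationProperty_StaticContentURIRules = 14, // q: WCHAR[] (multi-sz)
    PackageApplicationProperty_DynamicContentURIRulesCount = 15, // q: ULONG
    PackageApplicationProperty_DynamicContentURIRules = 16 // q: WCHAR[] (multi-sz)
} PackageApplicationProperty;

// private
typedef struct _PACKAGE_RESOURCES_CONTEXT_REFERENCE
{
    PVOID reserved;
} *PACKAGE_RESOURCES_CONTEXT_REFERENCE;

// private
typedef enum PackageResourcesProperty
{
    PackageResourcesProperty_DisplayName = 1,
    PackageResourcesProperty_PublisherDisplayName = 2,
    PackageResourcesProperty_Description = 3,
    PackageResourcesProperty_Logo = 4,
    PackageResourcesProperty_SmallLogo = 5,
    PackageResourcesProperty_StartPage = 6
} PackageResourcesProperty;

// private
typedef struct _PACKAGE_SECURITY_CONTEXT_REFERENCE
{
    PVOID reserved;
} *PACKAGE_SECURITY_CONTEXT_REFERENCE;

// private
typedef enum PackageSecurityProperty
{
    PackageSecurityProperty_SecurityFlags = 1, // q: ULONG
    PackageSecurityProperty_AppContainerSID = 2, // q: Sid
    PackageSecurityProperty_CapabilitiesCount = 3, // q: ULONG
    PackageSecurityProperty_Capabilities = 4 // q: Sid[]
} PackageSecurityProperty;

// private
typedef struct _TARGET_PLATFORM_CONTEXT_REFERENCE
{
    PVOID reserved;
} *TARGET_PLATFORM_CONTEXT_REFERENCE;

// private
typedef enum TargetPlatformProperty
{
    TargetPlatformProperty_Platform = 1, // q: ULONG
    TargetPlatformProperty_MinVersion = 2, // q: PACKAGE_VERSION
    TargetPlatformProperty_MaxVersion = 3 // q: PACKAGE_VERSION
} TargetPlatformProperty;

// private
typedef struct _PACKAGE_GLOBALIZATION_CONTEXT_REFERENCE
{
    PVOID reserved;
} *PACKAGE_GLOBALIZATION_CONTEXT_REFERENCE;

// private
typedef enum PackageGlobalizationProperty
{
    PackageGlobalizationProperty_ForceUtf8 = 1, // q: ULONG
    PackageGlobalizationProperty_UseWindowsDisplayLanguage = 2 // q: ULONG
} PackageGlobalizationProperty;

#if (PHNT_VERSION >= PHNT_WINDOWS_8_1)

// rev
WINBASEAPI
ULONG
WINAPI
GetCurrentPackageContext(
    _In_ ULONG Index,
    _Reserved_ ULONG_PTR Unused,
    _Out_ PACKAGE_CONTEXT_REFERENCE *PackageContext
    );

// rev
WINBASEAPI
ULONG
WINAPI
GetPackageContext(
    _In_ PVOID PackageInfoReference, // PACKAGE_INFO_REFERENCE
    _In_ ULONG Index,
    _Reserved_ ULONG_PTR Unused,
    _Out_ PACKAGE_CONTEXT_REFERENCE *PackageContext
    );

// rev
/**
 * Buffer is bounded by *BufferSize bytes; BufferSize is in/out.
 */
WINBASEAPI
ULONG
WINAPI
GetPackageProperty(
    _In_ PACKAGE_CONTEXT_REFERENCE PackageContext,
    _In_ PackageProperty PropertyId,
    _Inout_ PULONG BufferSize,
    _Out_writes_bytes_(*BufferSize) PVOID Buffer
    );

// rev
/**
 * Buffer is bounded by *BufferLength elements (WCHARs, not bytes).
 */
WINBASEAPI
ULONG
WINAPI
GetPackagePropertyString(
    _In_ PACKAGE_CONTEXT_REFERENCE PackageContext,
    _In_ PackageProperty PropertyId,
    _Inout_ PULONG BufferLength,
    _Out_writes_(*BufferLength) PWSTR Buffer
    );

// rev
WINBASEAPI
ULONG
WINAPI
GetPackageOSMaxVersionTested(
    _In_ PACKAGE_CONTEXT_REFERENCE PackageContext,
    _Out_ ULONGLONG *OSMaxVersionTested // PACKAGE_VERSION
    );

//
// Package Application Properties
//

// rev
WINBASEAPI
ULONG
WINAPI
GetCurrentPackageApplicationContext(
    _In_ ULONG Index,
    _Reserved_ ULONG_PTR Unused,
    _Out_ PACKAGE_APPLICATION_CONTEXT_REFERENCE *PackageApplicationContext
    );

// rev
WINBASEAPI
ULONG
WINAPI
GetPackageApplicationContext(
    _In_ PVOID PackageInfoReference, // PACKAGE_INFO_REFERENCE
    _In_ ULONG Index,
    _Reserved_ ULONG_PTR Unused,
    _Out_ PACKAGE_APPLICATION_CONTEXT_REFERENCE *PackageApplicationContext
    );

// rev
/**
 * Buffer is bounded by *BufferSize bytes; BufferSize is in/out.
 */
WINBASEAPI
ULONG
WINAPI
GetPackageApplicationProperty(
    _In_ PACKAGE_APPLICATION_CONTEXT_REFERENCE PackageApplicationContext,
    _In_ PackageApplicationProperty PropertyId,
    _Inout_ PULONG BufferSize,
    _Out_writes_bytes_(*BufferSize) PVOID Buffer
    );

// rev
/**
 * Buffer is bounded by *BufferLength elements (WCHARs, not bytes).
 */
WINBASEAPI
ULONG
WINAPI
GetPackageApplicationPropertyString(
    _In_ PACKAGE_APPLICATION_CONTEXT_REFERENCE PackageApplicationContext,
    _In_ PackageApplicationProperty PropertyId,
    _Inout_ PULONG BufferLength,
    _Out_writes_(*BufferLength) PWSTR Buffer
    );

//
// Package Resource Properties
//

// rev
WINBASEAPI
ULONG
WINAPI
GetCurrentPackageResourcesContext(
    _In_ ULONG Index,
    _Reserved_ ULONG_PTR Unused,
    _Out_ PACKAGE_RESOURCES_CONTEXT_REFERENCE *PackageResourcesContext
    );

// rev
WINBASEAPI
ULONG
WINAPI
GetPackageResourcesContext(
    _In_ PVOID PackageInfoReference, // PACKAGE_INFO_REFERENCE
    _In_ ULONG Index,
    _Reserved_ ULONG_PTR Unused,
    _Out_ PACKAGE_RESOURCES_CONTEXT_REFERENCE *PackageResourcesContext
    );

// rev
// NOTE(review): the out parameter is named PackageResourcesContext but typed
// PACKAGE_APPLICATION_CONTEXT_REFERENCE here and in the next two routines;
// left as declared because the entries are marked rev. Confirm the intended type.
WINBASEAPI
ULONG
WINAPI
GetCurrentPackageApplicationResourcesContext(
    _In_ ULONG Index,
    _Reserved_ ULONG_PTR Unused,
    _Out_ PACKAGE_APPLICATION_CONTEXT_REFERENCE *PackageResourcesContext
    );

// rev
WINBASEAPI
LONG
WINAPI
GetPackageApplicationResourcesContext(
    _In_ PVOID PackageInfoReference, // PACKAGE_INFO_REFERENCE
    _In_ ULONG Index,
    _Reserved_ ULONG_PTR Unused,
    _Out_ PACKAGE_APPLICATION_CONTEXT_REFERENCE *PackageResourcesContext
    );

// rev
/**
 * Buffer is bounded by *BufferSize bytes; BufferSize is in/out.
 */
WINBASEAPI
LONG
WINAPI
GetPackageResourcesProperty(
    _In_ PACKAGE_APPLICATION_CONTEXT_REFERENCE PackageResourcesContext,
    _In_ PackageResourcesProperty PropertyId,
    _Inout_ PULONG BufferSize,
    _Out_writes_bytes_(*BufferSize) PVOID Buffer
    );

//
// Package Security Properties
//

// rev
WINBASEAPI
LONG
WINAPI
GetCurrentPackageSecurityContext(
    _Reserved_ ULONG_PTR Unused,
    _Out_ PACKAGE_SECURITY_CONTEXT_REFERENCE *PackageSecurityContext
    );

// rev
WINBASEAPI
LONG
WINAPI
GetPackageSecurityContext(
    _In_ PVOID PackageInfoReference, // PACKAGE_INFO_REFERENCE
    _Reserved_ ULONG_PTR Unused,
    _Out_ PACKAGE_SECURITY_CONTEXT_REFERENCE *PackageSecurityContext
    );

// rev
/**
 * Buffer is bounded by *BufferSize bytes; BufferSize is in/out.
 * PackageSecurityProperty lists SID and SID-array results, so the returned
 * data is variable-length; size the buffer from the in/out value rather than
 * from a fixed constant.
 */
WINBASEAPI
LONG
WINAPI
GetPackageSecurityProperty(
    _In_ PACKAGE_SECURITY_CONTEXT_REFERENCE PackageSecurityContext,
    _In_ PackageSecurityProperty PropertyId,
    _Inout_ PULONG BufferSize,
    _Out_writes_bytes_(*BufferSize) PVOID Buffer
    );

#endif // PHNT_VERSION >= PHNT_WINDOWS_8_1

#if (PHNT_VERSION >= PHNT_WINDOWS_10)

//
// Target Platform Properties
//

// rev
WINBASEAPI
LONG
WINAPI
GetCurrentTargetPlatformContext(
    _Reserved_ ULONG_PTR Unused,
    _Out_ TARGET_PLATFORM_CONTEXT_REFERENCE *TargetPlatformContext
    );

WINBASEAPI
LONG
WINAPI
GetTargetPlatformContext(
    _In_ PVOID PackageInfoReference, // PACKAGE_INFO_REFERENCE
    _Reserved_ ULONG_PTR Unused,
    _Out_ TARGET_PLATFORM_CONTEXT_REFERENCE *TargetPlatformContext
    );

// rev
/**
 * Buffer is bounded by *BufferSize bytes; BufferSize is in/out.
 */
WINBASEAPI
LONG
WINAPI
GetPackageTargetPlatformProperty(
    _In_ TARGET_PLATFORM_CONTEXT_REFERENCE TargetPlatformContext,
    _In_ TargetPlatformProperty PropertyId,
    _Inout_ PULONG BufferSize,
    _Out_writes_bytes_(*BufferSize) PVOID Buffer
    );

#endif // PHNT_VERSION >= PHNT_WINDOWS_10

#if (PHNT_VERSION >= PHNT_WINDOWS_10_20H1)

// rev
/**
 * buffer is optional and bounded by *bufferLength bytes; count is optional.
 * Returns HRESULT, unlike the LONG/ULONG getters around it.
 */
WINBASEAPI
HRESULT
WINAPI
GetCurrentPackageInfo3(
    _In_ ULONG flags,
    _In_ ULONG packagePathType, // PackagePathType
    _Inout_ PULONG bufferLength,
    _Out_writes_bytes_opt_(*bufferLength) PVOID buffer,
    _Out_opt_ PULONG count
    );

//
// Package Globalization Properties
//

// rev
WINBASEAPI
LONG
WINAPI
GetCurrentPackageGlobalizationContext(
    _In_ ULONG Index,
    _Reserved_ ULONG_PTR Unused,
    _Out_ PACKAGE_GLOBALIZATION_CONTEXT_REFERENCE *PackageGlobalizationContext
    );

// rev
WINBASEAPI
LONG
WINAPI
GetPackageGlobalizationContext(
    _In_ PVOID PackageInfoReference, // PACKAGE_INFO_REFERENCE
    _In_ ULONG Index,
    _Reserved_ ULONG_PTR Unused,
    _Out_ PACKAGE_GLOBALIZATION_CONTEXT_REFERENCE *PackageGlobalizationContext
    );

// rev
/**
 * Buffer is bounded by *BufferSize bytes; BufferSize is in/out.
 */
WINBASEAPI
LONG
WINAPI
GetPackageGlobalizationProperty(
    _In_ PACKAGE_GLOBALIZATION_CONTEXT_REFERENCE PackageGlobalizationContext,
    _In_ PackageGlobalizationProperty PropertyId,
    _Inout_ PULONG BufferSize,
    _Out_writes_bytes_(*BufferSize) PVOID Buffer
    );

#endif // PHNT_VERSION >= PHNT_WINDOWS_10_20H1

#endif

--------------------------------------------------------------------------------
/ntnls.h:
--------------------------------------------------------------------------------
/*
 * National Language Support functions
 *
 * This file is part of System Informer.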
*/

#ifndef _NTNLS_H
#define _NTNLS_H

// Number of entries in CPTABLEINFO.LeadByte.
#define MAXIMUM_LEADBYTES 12

/**
 * Describes one code page: header values plus pointers to its translation
 * tables. The pointer members carry no lengths in this structure.
 */
typedef struct _CPTABLEINFO
{
    USHORT CodePage;
    USHORT MaximumCharacterSize;
    USHORT DefaultChar;
    USHORT UniDefaultChar;
    USHORT TransDefaultChar;
    USHORT TransUniDefaultChar;
    USHORT DBCSCodePage;
    UCHAR LeadByte[MAXIMUM_LEADBYTES];
    PUSHORT MultiByteTable;
    PVOID WideCharTable;
    PUSHORT DBCSRanges;
    PUSHORT DBCSOffsets;
} CPTABLEINFO, *PCPTABLEINFO;

/**
 * Pairs the OEM and ANSI code page descriptions with the upper/lower case tables.
 */
typedef struct _NLSTABLEINFO
{
    CPTABLEINFO OemTableInfo;
    CPTABLEINFO AnsiTableInfo;
    PUSHORT UpperCaseTable;
    PUSHORT LowerCaseTable;
} NLSTABLEINFO, *PNLSTABLEINFO;

// Data exports (variables, not functions); declared for user-mode builds only.
#if (PHNT_MODE != PHNT_MODE_KERNEL)
NTSYSAPI USHORT NlsAnsiCodePage;
NTSYSAPI BOOLEAN NlsMbCodePageTag;
NTSYSAPI BOOLEAN NlsMbOemCodePageTag;
#endif

#endif

--------------------------------------------------------------------------------
/ntobapi.h:
--------------------------------------------------------------------------------
/*
 * Object Manager support functions
 *
 * This file is part of System Informer.
 */

#ifndef _NTOBAPI_H
#define _NTOBAPI_H

// Object-specific access rights, defined for user-mode builds only.
// The *_ALL_ACCESS masks are broad; when opening or duplicating handles,
// prefer the individual rights the caller actually needs.

#if (PHNT_MODE != PHNT_MODE_KERNEL)
#define OBJECT_TYPE_CREATE 0x0001
#define OBJECT_TYPE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | OBJECT_TYPE_CREATE)
#endif

#if (PHNT_MODE != PHNT_MODE_KERNEL)
#define DIRECTORY_QUERY 0x0001
#define DIRECTORY_TRAVERSE 0x0002
#define DIRECTORY_CREATE_OBJECT 0x0004
#define DIRECTORY_CREATE_SUBDIRECTORY 0x0008
#define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | DIRECTORY_QUERY | DIRECTORY_TRAVERSE | DIRECTORY_CREATE_OBJECT | DIRECTORY_CREATE_SUBDIRECTORY)
#endif

// Note: SYMBOLIC_LINK_ALL_ACCESS contains SYMBOLIC_LINK_QUERY but not
// SYMBOLIC_LINK_SET; SYMBOLIC_LINK_ALL_ACCESS_EX uses SPECIFIC_RIGHTS_ALL instead.
#if (PHNT_MODE != PHNT_MODE_KERNEL)
#define SYMBOLIC_LINK_QUERY 0x0001
#define SYMBOLIC_LINK_SET 0x0002
#define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYMBOLIC_LINK_QUERY)
#define SYMBOLIC_LINK_ALL_ACCESS_EX (STANDARD_RIGHTS_REQUIRED | SPECIFIC_RIGHTS_ALL)
#endif

// Handle attribute bits; each is defined only if no earlier header provided it.
#ifndef OBJ_PROTECT_CLOSE
#define OBJ_PROTECT_CLOSE 0x00000001
#endif
#ifndef OBJ_INHERIT
#define OBJ_INHERIT 0x00000002
#endif
#ifndef OBJ_AUDIT_OBJECT_CLOSE
#define OBJ_AUDIT_OBJECT_CLOSE 0x00000004
#endif

// Information classes for NtQueryObject / NtSetInformationObject.
// "q:" marks a class that can be queried, "s:" one that can be set, followed
// by the data type used. In kernel-mode builds the same names are provided as
// macros with the values 0..6 instead of an enum.
#if (PHNT_MODE != PHNT_MODE_KERNEL)
typedef enum _OBJECT_INFORMATION_CLASS
{
    ObjectBasicInformation, // q: OBJECT_BASIC_INFORMATION
    ObjectNameInformation, // q: OBJECT_NAME_INFORMATION
    ObjectTypeInformation, // q: OBJECT_TYPE_INFORMATION
    ObjectTypesInformation, // q: OBJECT_TYPES_INFORMATION
    ObjectHandleFlagInformation, // qs: OBJECT_HANDLE_FLAG_INFORMATION
    ObjectSessionInformation, // s: void // change object session // (requires SeTcbPrivilege)
    ObjectSessionObjectInformation, // s: void // change object session // (requires SeTcbPrivilege)
    MaxObjectInfoClass
} OBJECT_INFORMATION_CLASS;
#else
#define ObjectBasicInformation 0
#define ObjectNameInformation 1
#define ObjectTypeInformation 2
#define ObjectTypesInformation 3
#define ObjectHandleFlagInformation 4
#define ObjectSessionInformation 5
#define ObjectSessionObjectInformation 6
#endif

/**
 * The OBJECT_BASIC_INFORMATION structure contains basic information about an object.
 */
typedef struct _OBJECT_BASIC_INFORMATION
{
    ULONG Attributes; // The attributes of the object include whether the object is permanent, can be inherited, and other characteristics.
    ACCESS_MASK GrantedAccess; // Specifies a mask that represents the granted access when the object was created.
    ULONG HandleCount; // The number of handles that are currently open for the object.
    ULONG PointerCount; // The number of references to the object from both handles and other references, such as those from the system.
    ULONG PagedPoolCharge; // The amount of paged pool memory that the object is using.
    ULONG NonPagedPoolCharge; // The amount of non-paged pool memory that the object is using.
    ULONG Reserved[3]; // Reserved for future use.
    ULONG NameInfoSize; // The size of the name information for the object.
    ULONG TypeInfoSize; // The size of the type information for the object.
    ULONG SecurityDescriptorSize; // The size of the security descriptor for the object.
    LARGE_INTEGER CreationTime; // The time when a symbolic link was created. Not supported for other types of objects.
} OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION;

#if (PHNT_MODE != PHNT_MODE_KERNEL)
/**
 * The OBJECT_NAME_INFORMATION structure contains the name, if there is one, of a given object.
 */
typedef struct _OBJECT_NAME_INFORMATION
{
    UNICODE_STRING Name; // The object name (when present) includes a NULL-terminator and all path separators "\" in the name.
} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;
#endif

/**
 * The OBJECT_TYPE_INFORMATION structure contains various statistics and properties about an object type.
 */
typedef struct _OBJECT_TYPE_INFORMATION
{
    UNICODE_STRING TypeName;
    ULONG TotalNumberOfObjects;
    ULONG TotalNumberOfHandles;
    ULONG TotalPagedPoolUsage;
    ULONG TotalNonPagedPoolUsage;
    ULONG TotalNamePoolUsage;
    ULONG TotalHandleTableUsage;
    ULONG HighWaterNumberOfObjects;
    ULONG HighWaterNumberOfHandles;
    ULONG HighWaterPagedPoolUsage;
    ULONG HighWaterNonPagedPoolUsage;
    ULONG HighWaterNamePoolUsage;
    ULONG HighWaterHandleTableUsage;
    ULONG InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ULONG ValidAccessMask;
    BOOLEAN SecurityRequired;
    BOOLEAN MaintainHandleCount;
    UCHAR TypeIndex; // since WINBLUE
    CHAR ReservedByte;
    ULONG PoolType;
    ULONG DefaultPagedPoolCharge;
    ULONG DefaultNonPagedPoolCharge;
} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;

/**
 * Header for ObjectTypesInformation: only the type count is declared here.
 * Presumably the per-type records follow it in the returned buffer; this
 * header does not describe their layout.
 */
typedef struct _OBJECT_TYPES_INFORMATION
{
    ULONG NumberOfTypes;
} OBJECT_TYPES_INFORMATION, *POBJECT_TYPES_INFORMATION;

/**
 * Data for ObjectHandleFlagInformation, the only class above marked both
 * queryable and settable.
 */
typedef struct _OBJECT_HANDLE_FLAG_INFORMATION
{
    BOOLEAN Inherit;
    BOOLEAN ProtectFromClose;
} OBJECT_HANDLE_FLAG_INFORMATION, *POBJECT_HANDLE_FLAG_INFORMATION;

// Objects, handles

#if (PHNT_MODE != PHNT_MODE_KERNEL)

/**
 * Queries information about an object. Handle is optional, ObjectInformation
 * is optional and bounded by ObjectInformationLength bytes, ReturnLength is
 * optional. Variable-size classes (names, types) are typically queried twice,
 * once for the size and once with a buffer; check the status of the second
 * call as well, since the required size can change in between.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryObject(
    _In_opt_ HANDLE Handle,
    _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass,
    _Out_writes_bytes_opt_(ObjectInformationLength) PVOID ObjectInformation,
    _In_ ULONG ObjectInformationLength,
    _Out_opt_ PULONG ReturnLength
    );

/**
 * Sets information on an object; ObjectInformation is read for
 * ObjectInformationLength bytes.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetInformationObject(
    _In_ HANDLE Handle,
    _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass,
    _In_reads_bytes_(ObjectInformationLength) PVOID ObjectInformation,
    _In_ ULONG ObjectInformationLength
    );

// Options for NtDuplicateObject. Per the Win32 DuplicateHandle documentation,
// DUPLICATE_CLOSE_SOURCE closes the source handle regardless of the returned
// status, and DUPLICATE_SAME_ACCESS ignores the desired-access argument and
// copies the source handle's access. Pass an explicit, minimal DesiredAccess
// instead of DUPLICATE_SAME_ACCESS when the duplicate goes to a less trusted
// process.
#define DUPLICATE_CLOSE_SOURCE 0x00000001
#define DUPLICATE_SAME_ACCESS 0x00000002
#define DUPLICATE_SAME_ATTRIBUTES 0x00000004

/**
 * Duplicates SourceHandle from the source process. TargetProcessHandle and
 * TargetHandle are both optional in this declaration.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtDuplicateObject(
    _In_ HANDLE SourceProcessHandle,
    _In_ HANDLE SourceHandle,
    _In_opt_ HANDLE TargetProcessHandle,
    _Out_opt_ PHANDLE TargetHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ ULONG HandleAttributes,
    _In_ ULONG Options
    );

NTSYSCALLAPI
NTSTATUS
NTAPI
NtMakeTemporaryObject(
    _In_ HANDLE Handle
    );

NTSYSCALLAPI
NTSTATUS
NTAPI
NtMakePermanentObject(
    _In_ HANDLE Handle
    );

// Wait routines: Timeout is optional in all of them.

NTSYSCALLAPI
NTSTATUS
NTAPI
NtSignalAndWaitForSingleObject(
    _In_ HANDLE SignalHandle,
    _In_ HANDLE WaitHandle,
    _In_ BOOLEAN Alertable,
    _In_opt_ PLARGE_INTEGER Timeout
    );

NTSYSCALLAPI
NTSTATUS
NTAPI
NtWaitForSingleObject(
    _In_ HANDLE Handle,
    _In_ BOOLEAN Alertable,
    _In_opt_ PLARGE_INTEGER Timeout
    );

// Handles holds Count entries.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtWaitForMultipleObjects(
    _In_ ULONG Count,
    _In_reads_(Count) HANDLE Handles[],
    _In_ WAIT_TYPE WaitType,
    _In_ BOOLEAN Alertable,
    _In_opt_ PLARGE_INTEGER Timeout
    );

#if (PHNT_VERSION >= PHNT_WINDOWS_SERVER_2003)
// Same as above, but the handle array is declared as LONG values rather than HANDLE.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtWaitForMultipleObjects32(
    _In_ ULONG Count,
    _In_reads_(Count) LONG Handles[],
    _In_ WAIT_TYPE WaitType,
    _In_ BOOLEAN Alertable,
    _In_opt_ PLARGE_INTEGER Timeout
    );
#endif

/**
 * Applies the parts of SecurityDescriptor selected by SecurityInformation to
 * the object behind Handle.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetSecurityObject(
    _In_ HANDLE Handle,
    _In_ SECURITY_INFORMATION SecurityInformation,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor
    );

/**
 * SecurityDescriptor is optional, has a capacity of Length bytes and is
 * annotated as written up to *LengthNeeded bytes; LengthNeeded is required.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQuerySecurityObject(
    _In_ HANDLE Handle,
    _In_ SECURITY_INFORMATION SecurityInformation,
    _Out_writes_bytes_to_opt_(Length, *LengthNeeded) PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ ULONG Length,
    _Out_ PULONG LengthNeeded
    );

/**
 * Closes Handle. The _Post_ptr_invalid_ annotation marks the handle value as
 * invalid after the call, so it must not be reused.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtClose(
    _In_ _Post_ptr_invalid_ HANDLE Handle
    );

#if (PHNT_VERSION >= PHNT_WINDOWS_10)
// Takes two handles; the comparison result is reported through the NTSTATUS.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCompareObjects(
    _In_ HANDLE FirstObjectHandle,
    _In_ HANDLE SecondObjectHandle
    );
#endif

#endif

// Directory objects

#if (PHNT_MODE != PHNT_MODE_KERNEL)

NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateDirectoryObject(
    _Out_ PHANDLE DirectoryHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes
    );

#if (PHNT_VERSION >= PHNT_WINDOWS_8)
// Adds a shadow directory handle and flags to NtCreateDirectoryObject.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateDirectoryObjectEx(
    _Out_ PHANDLE DirectoryHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ HANDLE ShadowDirectoryHandle,
    _In_ ULONG Flags
    );
#endif

NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenDirectoryObject(
    _Out_ PHANDLE DirectoryHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes
    );

// Name and type name of one directory entry.
typedef struct _OBJECT_DIRECTORY_INFORMATION
{
    UNICODE_STRING Name;
    UNICODE_STRING TypeName;
} OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION;

/**
 * Buffer is optional and bounded by Length bytes; Context is in/out and
 * ReturnLength is optional. Presumably Buffer receives
 * OBJECT_DIRECTORY_INFORMATION entries; verify against the caller.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryDirectoryObject(
    _In_ HANDLE DirectoryHandle,
    _Out_writes_bytes_opt_(Length) PVOID Buffer,
    _In_ ULONG Length,
    _In_ BOOLEAN ReturnSingleEntry,
    _In_ BOOLEAN RestartScan,
    _Inout_ PULONG Context,
    _Out_opt_ PULONG ReturnLength
    );

#endif

// Private namespaces

#if (PHNT_MODE != PHNT_MODE_KERNEL)

// private
typedef enum _BOUNDARY_ENTRY_TYPE
{
    OBNS_Invalid,
    OBNS_Name,
    OBNS_SID,
    OBNS_IL
} BOUNDARY_ENTRY_TYPE;

// private
// Only the fixed header is declared; the payload union is commented out.
// Presumably the entry data follows the header and EntrySize covers both.
// Code that walks entries should check EntrySize against the descriptor's
// TotalSize before reading the payload.
typedef struct _OBJECT_BOUNDARY_ENTRY
{
    BOUNDARY_ENTRY_TYPE EntryType;
    ULONG EntrySize;
    //union
    //{
    // WCHAR Name[1];
    // PSID Sid;
    // PSID IntegrityLabel;
    //};
} OBJECT_BOUNDARY_ENTRY, *POBJECT_BOUNDARY_ENTRY;

// rev
#define OBJECT_BOUNDARY_DESCRIPTOR_VERSION 1

// private
// Fixed header of a boundary descriptor; the Entries array is commented out,
// so the entries are not part of sizeof(OBJECT_BOUNDARY_DESCRIPTOR).
typedef struct _OBJECT_BOUNDARY_DESCRIPTOR
{
    ULONG Version;
    ULONG Items;
    ULONG TotalSize;
    union
    {
        ULONG Flags;
        struct
        {
            ULONG AddAppContainerSid : 1;
            ULONG Reserved : 31;
        };
    };
    //OBJECT_BOUNDARY_ENTRY Entries[1];
} OBJECT_BOUNDARY_DESCRIPTOR, *POBJECT_BOUNDARY_DESCRIPTOR;

#if (PHNT_VERSION >= PHNT_WINDOWS_VISTA)

// Create and open take the same parameters: ObjectAttributes is optional,
// BoundaryDescriptor is required.

NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreatePrivateNamespace(
    _Out_ PHANDLE NamespaceHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ POBJECT_BOUNDARY_DESCRIPTOR BoundaryDescriptor
    );

NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenPrivateNamespace(
    _Out_ PHANDLE NamespaceHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ POBJECT_BOUNDARY_DESCRIPTOR BoundaryDescriptor
    );

NTSYSCALLAPI
NTSTATUS
NTAPI
NtDeletePrivateNamespace(
    _In_ HANDLE NamespaceHandle
    );

#endif

#endif

// Symbolic links

#if (PHNT_MODE != PHNT_MODE_KERNEL)

NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateSymbolicLinkObject(
    _Out_ PHANDLE LinkHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ PUNICODE_STRING LinkTarget
    );

NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenSymbolicLinkObject(
    _Out_ PHANDLE LinkHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes
    );

/**
 * LinkTarget is in/out: presumably the caller supplies the buffer and its
 * capacity in the UNICODE_STRING and the routine fills in the target; TODO
 * confirm. ReturnedLength is optional.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQuerySymbolicLinkObject(
    _In_ HANDLE LinkHandle,
    _Inout_ PUNICODE_STRING LinkTarget,
    _Out_opt_ PULONG ReturnedLength
    );

// Information classes for NtSetInformationSymbolicLink; both are marked set-only.
typedef enum _SYMBOLIC_LINK_INFO_CLASS
{
    SymbolicLinkGlobalInformation = 1, // s: ULONG
    SymbolicLinkAccessMask, // s: ACCESS_MASK
    MaxnSymbolicLinkInfoClass
} SYMBOLIC_LINK_INFO_CLASS;

#if (PHNT_VERSION >= PHNT_WINDOWS_10)
// SymbolicLinkInformation is read for SymbolicLinkInformationLength bytes.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetInformationSymbolicLink(
    _In_ HANDLE LinkHandle,
    _In_ SYMBOLIC_LINK_INFO_CLASS SymbolicLinkInformationClass,
    _In_reads_bytes_(SymbolicLinkInformationLength) PVOID SymbolicLinkInformation,
    _In_ ULONG SymbolicLinkInformationLength
    );
#endif

#endif

#endif

--------------------------------------------------------------------------------
/ntpfapi.h:
--------------------------------------------------------------------------------
/*
 * Prefetcher (Superfetch) support functions
 *
 * This file is part of System Informer.
5 | */ 6 | 7 | #ifndef _NTPFAPI_H 8 | #define _NTPFAPI_H 9 | 10 | // begin_private 11 | 12 | // Prefetch 13 | 14 | typedef enum _PF_BOOT_PHASE_ID 15 | { 16 | PfKernelInitPhase = 0, 17 | PfBootDriverInitPhase = 90, 18 | PfSystemDriverInitPhase = 120, 19 | PfSessionManagerInitPhase = 150, 20 | PfSMRegistryInitPhase = 180, 21 | PfVideoInitPhase = 210, 22 | PfPostVideoInitPhase = 240, 23 | PfBootAcceptedRegistryInitPhase = 270, 24 | PfUserShellReadyPhase = 300, 25 | PfMaxBootPhaseId = 900 26 | } PF_BOOT_PHASE_ID; 27 | 28 | typedef enum _PF_ENABLE_STATUS 29 | { 30 | PfSvNotSpecified, 31 | PfSvEnabled, 32 | PfSvDisabled, 33 | PfSvMaxEnableStatus 34 | } PF_ENABLE_STATUS; 35 | 36 | typedef struct _PF_TRACE_LIMITS 37 | { 38 | ULONG MaxNumPages; 39 | ULONG MaxNumSections; 40 | LONGLONG TimerPeriod; 41 | } PF_TRACE_LIMITS, *PPF_TRACE_LIMITS; 42 | 43 | typedef struct _PF_SYSTEM_PREFETCH_PARAMETERS 44 | { 45 | PF_ENABLE_STATUS EnableStatus[2]; 46 | PF_TRACE_LIMITS TraceLimits[2]; 47 | ULONG MaxNumActiveTraces; 48 | ULONG MaxNumSavedTraces; 49 | WCHAR RootDirPath[32]; 50 | WCHAR HostingApplicationList[128]; 51 | } PF_SYSTEM_PREFETCH_PARAMETERS, *PPF_SYSTEM_PREFETCH_PARAMETERS; 52 | 53 | #define PF_BOOT_CONTROL_VERSION 1 54 | 55 | typedef struct _PF_BOOT_CONTROL 56 | { 57 | ULONG Version; 58 | ULONG DisableBootPrefetching; 59 | } PF_BOOT_CONTROL, *PPF_BOOT_CONTROL; 60 | 61 | typedef enum _PREFETCHER_INFORMATION_CLASS 62 | { 63 | PrefetcherRetrieveTrace = 1, // q: CHAR[] 64 | PrefetcherSystemParameters, // q: PF_SYSTEM_PREFETCH_PARAMETERS 65 | PrefetcherBootPhase, // s: PF_BOOT_PHASE_ID 66 | PrefetcherSpare1, // PrefetcherRetrieveBootLoaderTrace // q: CHAR[] 67 | PrefetcherBootControl, // s: PF_BOOT_CONTROL 68 | PrefetcherScenarioPolicyControl, 69 | PrefetcherSpare2, 70 | PrefetcherAppLaunchScenarioControl, 71 | PrefetcherInformationMax 72 | } PREFETCHER_INFORMATION_CLASS; 73 | 74 | #define PREFETCHER_INFORMATION_VERSION 23 // rev 75 | #define PREFETCHER_INFORMATION_MAGIC ('kuhC') 
// rev 76 | // Request block: an information class plus the caller-supplied buffer and length for it. 77 | typedef struct _PREFETCHER_INFORMATION 78 | { 79 | _In_ ULONG Version; // expected to be PREFETCHER_INFORMATION_VERSION 80 | _In_ ULONG Magic; // expected to be PREFETCHER_INFORMATION_MAGIC 81 | _In_ PREFETCHER_INFORMATION_CLASS PrefetcherInformationClass; 82 | _Inout_ PVOID PrefetcherInformation; // class-specific buffer; see the q:/s: notes on PREFETCHER_INFORMATION_CLASS 83 | _Inout_ ULONG PrefetcherInformationLength; // length of the PrefetcherInformation buffer; assumed to be in bytes, confirm against the consumer 84 | } PREFETCHER_INFORMATION, *PPREFETCHER_INFORMATION; 85 | 86 | // Superfetch 87 | 88 | typedef struct _PF_SYSTEM_SUPERFETCH_PARAMETERS 89 | { 90 | ULONG EnabledComponents; 91 | ULONG BootID; 92 | ULONG SavedSectInfoTracesMax; 93 | ULONG SavedPageAccessTracesMax; 94 | ULONG ScenarioPrefetchTimeoutStandby; 95 | ULONG ScenarioPrefetchTimeoutHibernate; 96 | ULONG ScenarioPrefetchTimeoutHiberBoot; 97 | } PF_SYSTEM_SUPERFETCH_PARAMETERS, *PPF_SYSTEM_SUPERFETCH_PARAMETERS; 98 | 99 | // rev 100 | typedef enum _PF_EVENT_TYPE 101 | { 102 | PfEventTypeImageLoad = 0, 103 | PfEventTypeAppLaunch = 1, 104 | PfEventTypeStartTrace = 2, 105 | PfEventTypeEndTrace = 3, 106 | PfEventTypeTimestamp = 4, 107 | PfEventTypeOperation = 5, 108 | PfEventTypeRepurpose = 6, 109 | PfEventTypeForegroundProcess = 7, 110 | PfEventTypeTimeRange = 8, 111 | PfEventTypeUserInput = 9, 112 | PfEventTypeFileAccess = 10, 113 | PfEventTypeUnmap = 11, 114 | PfEventTypeUtilization = 11, // NOTE(review): same value as PfEventTypeUnmap; the two cannot both be case labels in one switch, confirm which one applies to the target build 115 | PfEventTypeMemInfo = 12, 116 | PfEventTypeFileDelete = 13, 117 | PfEventTypeAppExit = 14, 118 | PfEventTypeSystemTime = 15, 119 | PfEventTypePower = 16, 120 | PfEventTypeSessionChange = 17, 121 | PfEventTypeHardFaultTimeStamp = 18, 122 | PfEventTypeVirtualFree = 19, 123 | PfEventTypePerfInfo = 20, 124 | PfEventTypeProcessSnapshot = 21, 125 | PfEventTypeUserSnapshot = 22, 126 | PfEventTypeStreamSequenceNumber = 23, 127 | PfEventTypeFileTruncate = 24, 128 | PfEventTypeFileRename = 25, 129 | PfEventTypeFileCreate = 26, 130 | PfEventTypeAgCxContext = 27, 131 | PfEventTypePowerAction = 28, 132 | PfEventTypeHardFaultTS = 29, 133 | PfEventTypeRobustInfo = 30, 134 | PfEventTypeFileDefrag = 31, 135 | PfEventTypeMax = 32 136 | } PF_EVENT_TYPE; 137 | 138 | // rev
139 | typedef struct _PF_LOG_EVENT_DATA 140 | { 141 | ULONG EventType : 5; // PF_EVENT_TYPE 142 | ULONG Flags : 2; 143 | ULONG DataSize : 25; 144 | PVOID EventData; 145 | } PF_LOG_EVENT_DATA, *PPF_LOG_EVENT_DATA; 146 | 147 | #define PF_PFN_PRIO_REQUEST_VERSION 1 148 | #define PF_PFN_PRIO_REQUEST_QUERY_MEMORY_LIST 0x1 149 | #define PF_PFN_PRIO_REQUEST_VALID_FLAGS 0x1 150 | 151 | typedef struct _PF_PFN_PRIO_REQUEST 152 | { 153 | ULONG Version; 154 | ULONG RequestFlags; 155 | ULONG_PTR PfnCount; 156 | SYSTEM_MEMORY_LIST_INFORMATION MemInfo; 157 | MMPFN_IDENTITY PageData[256]; 158 | } PF_PFN_PRIO_REQUEST, *PPF_PFN_PRIO_REQUEST; 159 | 160 | typedef enum _PFS_PRIVATE_PAGE_SOURCE_TYPE 161 | { 162 | PfsPrivateSourceKernel, 163 | PfsPrivateSourceSession, 164 | PfsPrivateSourceProcess, 165 | PfsPrivateSourceMax 166 | } PFS_PRIVATE_PAGE_SOURCE_TYPE; 167 | 168 | typedef struct _PFS_PRIVATE_PAGE_SOURCE 169 | { 170 | PFS_PRIVATE_PAGE_SOURCE_TYPE Type; 171 | union 172 | { 173 | ULONG SessionId; 174 | ULONG ProcessId; 175 | }; 176 | ULONG ImagePathHash; 177 | ULONG_PTR UniqueProcessHash; 178 | } PFS_PRIVATE_PAGE_SOURCE, *PPFS_PRIVATE_PAGE_SOURCE; 179 | 180 | typedef struct _PF_PRIVSOURCE_INFO 181 | { 182 | PFS_PRIVATE_PAGE_SOURCE DbInfo; 183 | PVOID EProcess; 184 | SIZE_T WsPrivatePages; 185 | SIZE_T TotalPrivatePages; 186 | ULONG SessionID; 187 | CHAR ImageName[16]; 188 | union { 189 | ULONG_PTR WsSwapPages; // process only PF_PRIVSOURCE_QUERY_WS_SWAP_PAGES. 190 | ULONG_PTR SessionPagedPoolPages; // session only. 191 | ULONG_PTR StoreSizePages; // process only PF_PRIVSOURCE_QUERY_STORE_INFO. 192 | }; 193 | ULONG_PTR WsTotalPages; // process/session only. 194 | ULONG DeepFreezeTimeMs; // process only. 195 | ULONG ModernApp : 1; // process only. 196 | ULONG DeepFrozen : 1; // process only. If set, DeepFreezeTimeMs contains the time at which the freeze occurred 197 | ULONG Foreground : 1; // process only. 198 | ULONG PerProcessStore : 1; // process only. 
199 | ULONG Spare : 28; 200 | } PF_PRIVSOURCE_INFO, *PPF_PRIVSOURCE_INFO; 201 | 202 | // rev 203 | #define PF_PRIVSOURCE_QUERY_REQUEST_VERSION 8 204 | #define PF_PRIVSOURCE_QUERY_REQUEST_FLAGS_QUERYWSPAGES 0x1 205 | #define PF_PRIVSOURCE_QUERY_REQUEST_FLAGS_QUERYCOMPRESSEDPAGES 0x2 206 | #define PF_PRIVSOURCE_QUERY_REQUEST_FLAGS_QUERYSKIPPAGES 0x4 // ?? 207 | 208 | // rev 209 | typedef struct _PF_PRIVSOURCE_QUERY_REQUEST 210 | { 211 | ULONG Version; 212 | ULONG Flags; 213 | ULONG InfoCount; 214 | PF_PRIVSOURCE_INFO InfoArray[1]; 215 | } PF_PRIVSOURCE_QUERY_REQUEST, *PPF_PRIVSOURCE_QUERY_REQUEST; 216 | 217 | // rev 218 | typedef enum _PF_PHASED_SCENARIO_TYPE 219 | { 220 | PfScenarioTypeNone, 221 | PfScenarioTypeStandby, 222 | PfScenarioTypeHibernate, 223 | PfScenarioTypeFUS, 224 | PfScenarioTypeMax 225 | } PF_PHASED_SCENARIO_TYPE; 226 | 227 | // rev 228 | #define PF_SCENARIO_PHASE_INFO_VERSION 4 229 | 230 | // rev 231 | typedef struct _PF_SCENARIO_PHASE_INFO 232 | { 233 | ULONG Version; 234 | PF_PHASED_SCENARIO_TYPE ScenType; 235 | ULONG PhaseId; 236 | ULONG SequenceNumber; 237 | ULONG Flags; 238 | ULONG FUSUserId; 239 | } PF_SCENARIO_PHASE_INFO, *PPF_SCENARIO_PHASE_INFO; 240 | 241 | // rev 242 | typedef struct _PF_MEMORY_LIST_NODE 243 | { 244 | ULONGLONG Node : 8; 245 | ULONGLONG Spare : 56; 246 | ULONGLONG StandbyLowPageCount; 247 | ULONGLONG StandbyMediumPageCount; 248 | ULONGLONG StandbyHighPageCount; 249 | ULONGLONG FreePageCount; 250 | ULONGLONG ModifiedPageCount; 251 | } PF_MEMORY_LIST_NODE, *PPF_MEMORY_LIST_NODE; 252 | 253 | // rev 254 | typedef struct _PF_ROBUST_PROCESS_ENTRY 255 | { 256 | ULONG ImagePathHash; 257 | ULONG Pid; 258 | ULONG Alignment; 259 | } PF_ROBUST_PROCESS_ENTRY, *PPF_ROBUST_PROCESS_ENTRY; 260 | 261 | // rev 262 | typedef struct _PF_ROBUST_FILE_ENTRY 263 | { 264 | ULONG FilePathHash; 265 | } PF_ROBUST_FILE_ENTRY, *PPF_ROBUST_FILE_ENTRY; 266 | 267 | // rev 268 | typedef enum _PF_ROBUSTNESS_CONTROL_COMMAND 269 | { 270 | PfRpControlUpdate = 
0, 271 | PfRpControlReset = 1, 272 | PfRpControlRobustAllStart = 2, 273 | PfRpControlRobustAllStop = 3, 274 | PfRpControlCommandMax = 4 275 | } PF_ROBUSTNESS_CONTROL_COMMAND; 276 | 277 | // rev 278 | #define PF_ROBUSTNESS_CONTROL_VERSION 1 279 | 280 | // rev 281 | typedef struct _PF_ROBUSTNESS_CONTROL 282 | { 283 | ULONG Version; 284 | PF_ROBUSTNESS_CONTROL_COMMAND Command; 285 | ULONG DeprioProcessCount; 286 | ULONG ExemptProcessCount; 287 | ULONG DeprioFileCount; 288 | ULONG ExemptFileCount; 289 | PF_ROBUST_PROCESS_ENTRY ProcessEntries[1]; 290 | PF_ROBUST_FILE_ENTRY FileEntries[1]; 291 | } PF_ROBUSTNESS_CONTROL, *PPF_ROBUSTNESS_CONTROL; 292 | 293 | // rev 294 | typedef struct _PF_TIME_CONTROL 295 | { 296 | LONG TimeAdjustment; 297 | } PF_TIME_CONTROL, *PPF_TIME_CONTROL; 298 | 299 | #define PF_MEMORY_LIST_INFO_VERSION 1 300 | 301 | typedef struct _PF_MEMORY_LIST_INFO 302 | { 303 | ULONG Version; 304 | ULONG Size; 305 | ULONG NodeCount; 306 | PF_MEMORY_LIST_NODE Nodes[1]; 307 | } PF_MEMORY_LIST_INFO, *PPF_MEMORY_LIST_INFO; 308 | 309 | typedef struct _PF_PHYSICAL_MEMORY_RANGE 310 | { 311 | ULONG_PTR BasePfn; 312 | ULONG_PTR PageCount; 313 | } PF_PHYSICAL_MEMORY_RANGE, *PPF_PHYSICAL_MEMORY_RANGE; 314 | 315 | #define PF_PHYSICAL_MEMORY_RANGE_INFO_V1_VERSION 1 316 | 317 | typedef struct _PF_PHYSICAL_MEMORY_RANGE_INFO_V1 318 | { 319 | ULONG Version; 320 | ULONG RangeCount; 321 | PF_PHYSICAL_MEMORY_RANGE Ranges[1]; 322 | } PF_PHYSICAL_MEMORY_RANGE_INFO_V1, *PPF_PHYSICAL_MEMORY_RANGE_INFO_V1; 323 | 324 | #define PF_PHYSICAL_MEMORY_RANGE_INFO_V2_VERSION 2 325 | 326 | typedef struct _PF_PHYSICAL_MEMORY_RANGE_INFO_V2 327 | { 328 | ULONG Version; 329 | ULONG Flags; 330 | ULONG RangeCount; 331 | PF_PHYSICAL_MEMORY_RANGE Ranges[ANYSIZE_ARRAY]; 332 | } PF_PHYSICAL_MEMORY_RANGE_INFO_V2, *PPF_PHYSICAL_MEMORY_RANGE_INFO_V2; 333 | 334 | // rev 335 | #define PF_REPURPOSED_BY_PREFETCH_INFO_VERSION 1 336 | 337 | // rev 338 | typedef struct _PF_REPURPOSED_BY_PREFETCH_INFO 339 | { 340 | 
ULONG Version; 341 | SIZE_T RepurposedByPrefetch; 342 | } PF_REPURPOSED_BY_PREFETCH_INFO, *PPF_REPURPOSED_BY_PREFETCH_INFO; 343 | 344 | // rev 345 | #define PF_VIRTUAL_QUERY_VERSION 1 346 | 347 | // rev 348 | typedef struct _PF_VIRTUAL_QUERY 349 | { 350 | ULONG Version; 351 | union 352 | { 353 | ULONG Flags; 354 | struct 355 | { 356 | ULONG FaultInPageTables : 1; 357 | ULONG ReportPageTables : 1; 358 | ULONG Spare : 30; 359 | }; 360 | }; 361 | PVOID QueryBuffer; // MEMORY_WORKING_SET_EX_INFORMATION[NumberOfPages] (input: VirtualAddress[], output: VirtualAttributes[]) 362 | SIZE_T QueryBufferSize; // NumberOfPages * sizeof(MEMORY_WORKING_SET_EX_INFORMATION) 363 | HANDLE ProcessHandle; 364 | } PF_VIRTUAL_QUERY, *PPF_VIRTUAL_QUERY; 365 | 366 | // rev 367 | #define PF_MIN_WS_AGE_RATE_CONTROL_VERSION 1 368 | 369 | // rev 370 | typedef struct _PF_MIN_WS_AGE_RATE_CONTROL 371 | { 372 | ULONG Version; 373 | ULONG SecondsToOldestAge; 374 | } PF_MIN_WS_AGE_RATE_CONTROL, *PPF_MIN_WS_AGE_RATE_CONTROL; 375 | 376 | // rev 377 | #define PF_DEPRIORITIZE_OLD_PAGES_VERSION 3 378 | 379 | // rev 380 | typedef struct _PF_DEPRIORITIZE_OLD_PAGES 381 | { 382 | ULONG Version; 383 | HANDLE ProcessHandle; 384 | union 385 | { 386 | ULONG Flags; 387 | struct 388 | { 389 | ULONG TargetPriority : 4; 390 | ULONG TrimPages : 2; 391 | ULONG Spare : 26; 392 | }; 393 | }; 394 | } PF_DEPRIORITIZE_OLD_PAGES, *PPF_DEPRIORITIZE_OLD_PAGES; 395 | 396 | // rev 397 | #define PF_GPU_UTILIZATION_INFO_VERSION 1 398 | 399 | // rev 400 | typedef struct _PF_GPU_UTILIZATION_INFO 401 | { 402 | ULONG Version; 403 | ULONG SessionId; 404 | ULONGLONG GpuTime; 405 | } PF_GPU_UTILIZATION_INFO, *PPF_GPU_UTILIZATION_INFO; 406 | 407 | // rev 408 | typedef enum _SUPERFETCH_INFORMATION_CLASS 409 | { 410 | SuperfetchRetrieveTrace = 1, // q: CHAR[] 411 | SuperfetchSystemParameters, // q: PF_SYSTEM_SUPERFETCH_PARAMETERS 412 | SuperfetchLogEvent, // s: PF_LOG_EVENT_DATA 413 | SuperfetchGenerateTrace, // s: NULL 414 | 
SuperfetchPrefetch, 415 | SuperfetchPfnQuery, // q: PF_PFN_PRIO_REQUEST 416 | SuperfetchPfnSetPriority, 417 | SuperfetchPrivSourceQuery, // q: PF_PRIVSOURCE_QUERY_REQUEST 418 | SuperfetchSequenceNumberQuery, // q: ULONG 419 | SuperfetchScenarioPhase, // 10 420 | SuperfetchWorkerPriority, // s: KPRIORITY 421 | SuperfetchScenarioQuery, // q: PF_SCENARIO_PHASE_INFO 422 | SuperfetchScenarioPrefetch, 423 | SuperfetchRobustnessControl, // s: PF_ROBUSTNESS_CONTROL 424 | SuperfetchTimeControl, // s: PF_TIME_CONTROL 425 | SuperfetchMemoryListQuery, // q: PF_MEMORY_LIST_INFO 426 | SuperfetchMemoryRangesQuery, // q: PF_PHYSICAL_MEMORY_RANGE_INFO 427 | SuperfetchTracingControl, 428 | SuperfetchTrimWhileAgingControl, 429 | SuperfetchRepurposedByPrefetch, // q: PF_REPURPOSED_BY_PREFETCH_INFO // 20 430 | SuperfetchChannelPowerRequest, 431 | SuperfetchMovePages, 432 | SuperfetchVirtualQuery, // q: PF_VIRTUAL_QUERY 433 | SuperfetchCombineStatsQuery, 434 | SuperfetchSetMinWsAgeRate, // s: PF_MIN_WS_AGE_RATE_CONTROL 435 | SuperfetchDeprioritizeOldPagesInWs, // s: PF_DEPRIORITIZE_OLD_PAGES 436 | SuperfetchFileExtentsQuery, // q: PF_FILE_EXTENTS_INFO 437 | SuperfetchGpuUtilizationQuery, // q: PF_GPU_UTILIZATION_INFO 438 | SuperfetchPfnSet, // s: PF_PFN_PRIO_REQUEST // since WIN11 439 | SuperfetchInformationMax 440 | } SUPERFETCH_INFORMATION_CLASS; 441 | 442 | #define SUPERFETCH_INFORMATION_VERSION 45 // rev 443 | #define SUPERFETCH_INFORMATION_MAGIC ('kuhC') // rev 444 | 445 | typedef struct _SUPERFETCH_INFORMATION 446 | { 447 | _In_ ULONG Version; 448 | _In_ ULONG Magic; 449 | _In_ SUPERFETCH_INFORMATION_CLASS SuperfetchInformationClass; 450 | _Inout_ PVOID SuperfetchInformation; 451 | _Inout_ ULONG SuperfetchInformationLength; 452 | } SUPERFETCH_INFORMATION, *PSUPERFETCH_INFORMATION; 453 | 454 | // end_private 455 | 456 | #endif 457 | -------------------------------------------------------------------------------- /ntpnpapi.h: 
-------------------------------------------------------------------------------- 1 | /* 2 | * Plug and Play support functions 3 | * 4 | * This file is part of System Informer. 5 | */ 6 | 7 | #ifndef _NTPNPAPI_H 8 | #define _NTPNPAPI_H 9 | 10 | #include 11 | 12 | typedef enum _PLUGPLAY_EVENT_CATEGORY 13 | { 14 | HardwareProfileChangeEvent, 15 | TargetDeviceChangeEvent, 16 | DeviceClassChangeEvent, 17 | CustomDeviceEvent, 18 | DeviceInstallEvent, 19 | DeviceArrivalEvent, 20 | PowerEvent, 21 | VetoEvent, 22 | BlockedDriverEvent, 23 | InvalidIDEvent, 24 | MaxPlugEventCategory 25 | } PLUGPLAY_EVENT_CATEGORY, *PPLUGPLAY_EVENT_CATEGORY; 26 | 27 | typedef struct _PLUGPLAY_EVENT_BLOCK 28 | { 29 | GUID EventGuid; 30 | PLUGPLAY_EVENT_CATEGORY EventCategory; 31 | PULONG Result; 32 | ULONG Flags; 33 | ULONG TotalSize; 34 | PVOID DeviceObject; 35 | 36 | union 37 | { 38 | struct 39 | { 40 | GUID ClassGuid; 41 | WCHAR SymbolicLinkName[1]; 42 | } DeviceClass; 43 | struct 44 | { 45 | WCHAR DeviceIds[1]; 46 | } TargetDevice; 47 | struct 48 | { 49 | WCHAR DeviceId[1]; 50 | } InstallDevice; 51 | struct 52 | { 53 | PVOID NotificationStructure; 54 | WCHAR DeviceIds[1]; 55 | } CustomNotification; 56 | struct 57 | { 58 | PVOID Notification; 59 | } ProfileNotification; 60 | struct 61 | { 62 | ULONG NotificationCode; 63 | ULONG NotificationData; 64 | } PowerNotification; 65 | struct 66 | { 67 | PNP_VETO_TYPE VetoType; 68 | WCHAR DeviceIdVetoNameBuffer[1]; // DeviceIdVetoName 69 | } VetoNotification; 70 | struct 71 | { 72 | GUID BlockedDriverGuid; 73 | } BlockedDriverNotification; 74 | struct 75 | { 76 | WCHAR ParentId[1]; 77 | } InvalidIDNotification; 78 | } u; 79 | } PLUGPLAY_EVENT_BLOCK, *PPLUGPLAY_EVENT_BLOCK; 80 | 81 | typedef enum _PLUGPLAY_CONTROL_CLASS 82 | { 83 | PlugPlayControlEnumerateDevice, // PLUGPLAY_CONTROL_ENUMERATE_DEVICE_DATA 84 | PlugPlayControlRegisterNewDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA 85 | PlugPlayControlDeregisterDevice, // 
PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA 86 | PlugPlayControlInitializeDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA 87 | PlugPlayControlStartDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA 88 | PlugPlayControlUnlockDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA 89 | PlugPlayControlQueryAndRemoveDevice, // PLUGPLAY_CONTROL_QUERY_AND_REMOVE_DATA 90 | PlugPlayControlUserResponse, // PLUGPLAY_CONTROL_USER_RESPONSE_DATA 91 | PlugPlayControlGenerateLegacyDevice, // PLUGPLAY_CONTROL_LEGACY_DEVGEN_DATA 92 | PlugPlayControlGetInterfaceDeviceList, // PLUGPLAY_CONTROL_INTERFACE_LIST_DATA 93 | PlugPlayControlProperty, // PLUGPLAY_CONTROL_PROPERTY_DATA 94 | PlugPlayControlDeviceClassAssociation, // PLUGPLAY_CONTROL_CLASS_ASSOCIATION_DATA 95 | PlugPlayControlGetRelatedDevice, // PLUGPLAY_CONTROL_RELATED_DEVICE_DATA 96 | PlugPlayControlGetInterfaceDeviceAlias, // PLUGPLAY_CONTROL_INTERFACE_ALIAS_DATA 97 | PlugPlayControlDeviceStatus, // PLUGPLAY_CONTROL_STATUS_DATA 98 | PlugPlayControlGetDeviceDepth, // PLUGPLAY_CONTROL_DEPTH_DATA 99 | PlugPlayControlQueryDeviceRelations, // PLUGPLAY_CONTROL_DEVICE_RELATIONS_DATA 100 | PlugPlayControlTargetDeviceRelation, // PLUGPLAY_CONTROL_TARGET_RELATION_DATA 101 | PlugPlayControlQueryConflictList, // PLUGPLAY_CONTROL_CONFLICT_LIST 102 | PlugPlayControlRetrieveDock, // PLUGPLAY_CONTROL_RETRIEVE_DOCK_DATA 103 | PlugPlayControlResetDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA 104 | PlugPlayControlHaltDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA 105 | PlugPlayControlGetBlockedDriverList, // PLUGPLAY_CONTROL_BLOCKED_DRIVER_DATA 106 | PlugPlayControlGetDeviceInterfaceEnabled, // PLUGPLAY_CONTROL_DEVICE_INTERFACE_ENABLED 107 | MaxPlugPlayControl 108 | } PLUGPLAY_CONTROL_CLASS, *PPLUGPLAY_CONTROL_CLASS; 109 | 110 | // pub 111 | typedef enum _DEVICE_RELATION_TYPE 112 | { 113 | BusRelations, 114 | EjectionRelations, 115 | PowerRelations, 116 | RemovalRelations, 117 | TargetDeviceRelation, 118 | SingleBusRelations, 119 | TransportRelations 120 | } 
DEVICE_RELATION_TYPE, *PDEVICE_RELATION_TYPE; 121 | 122 | // pub 123 | typedef enum _BUS_QUERY_ID_TYPE 124 | { 125 | BusQueryDeviceID = 0, // <Enumerator>\<Enumerator-specific device id> 126 | BusQueryHardwareIDs = 1, // Hardware ids 127 | BusQueryCompatibleIDs = 2, // compatible device ids 128 | BusQueryInstanceID = 3, // persistent id for this instance of the device 129 | BusQueryDeviceSerialNumber = 4, // serial number for this device 130 | BusQueryContainerID = 5 // unique id of the device's physical container 131 | } BUS_QUERY_ID_TYPE, *PBUS_QUERY_ID_TYPE; 132 | 133 | // pub 134 | typedef enum _DEVICE_TEXT_TYPE 135 | { 136 | DeviceTextDescription = 0, // DeviceDesc property 137 | DeviceTextLocationInformation = 1 // DeviceLocation property 138 | } DEVICE_TEXT_TYPE, *PDEVICE_TEXT_TYPE; 139 | 140 | // pub 141 | typedef enum _DEVICE_USAGE_NOTIFICATION_TYPE 142 | { 143 | DeviceUsageTypeUndefined, 144 | DeviceUsageTypePaging, 145 | DeviceUsageTypeHibernation, 146 | DeviceUsageTypeDumpFile, 147 | DeviceUsageTypeBoot, 148 | DeviceUsageTypePostDisplay, 149 | DeviceUsageTypeGuestAssigned 150 | } DEVICE_USAGE_NOTIFICATION_TYPE, *PDEVICE_USAGE_NOTIFICATION_TYPE; 151 | 152 | #if (PHNT_VERSION < PHNT_WINDOWS_8) 153 | NTSYSCALLAPI 154 | NTSTATUS 155 | NTAPI 156 | NtGetPlugPlayEvent( 157 | _In_ HANDLE EventHandle, 158 | _In_opt_ PVOID Context, 159 | _Out_writes_bytes_(EventBufferSize) PPLUGPLAY_EVENT_BLOCK EventBlock, 160 | _In_ ULONG EventBufferSize 161 | ); 162 | #endif 163 | 164 | NTSYSCALLAPI 165 | NTSTATUS 166 | NTAPI 167 | NtPlugPlayControl( 168 | _In_ PLUGPLAY_CONTROL_CLASS PnPControlClass, 169 | _Inout_updates_bytes_(PnPControlDataLength) PVOID PnPControlData, 170 | _In_ ULONG PnPControlDataLength 171 | ); 172 | 173 | #if (PHNT_VERSION >= PHNT_WINDOWS_7) 174 | 175 | NTSYSCALLAPI 176 | NTSTATUS 177 | NTAPI 178 | NtSerializeBoot( 179 | VOID 180 | ); 181 | 182 | NTSYSCALLAPI 183 | NTSTATUS 184 | NTAPI 185 | NtEnableLastKnownGood( 186 | VOID 187 | ); 188 | 189 | NTSYSCALLAPI 190 | NTSTATUS 191 | NTAPI 192 |
NtDisableLastKnownGood( 193 | VOID 194 | ); 195 | 196 | #endif 197 | 198 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 199 | NTSYSCALLAPI 200 | NTSTATUS 201 | NTAPI 202 | NtReplacePartitionUnit( 203 | _In_ PUNICODE_STRING TargetInstancePath, 204 | _In_ PUNICODE_STRING SpareInstancePath, 205 | _In_ ULONG Flags 206 | ); 207 | #endif 208 | 209 | #endif 210 | -------------------------------------------------------------------------------- /ntsmss.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Windows Session Manager support functions 3 | * 4 | * This file is part of System Informer. 5 | */ 6 | 7 | #ifndef _NTSMSS_H 8 | #define _NTSMSS_H 9 | 10 | // SmApiPort 11 | 12 | // private 13 | typedef enum _SMAPINUMBER 14 | { 15 | SmNotImplementedApi = 0, 16 | SmSessionCompleteApi = 1, 17 | SmNotImplemented2Api = 2, 18 | SmExecPgmApi = 3, 19 | SmLoadDeferedSubsystemApi = 4, 20 | SmStartCsrApi = 5, 21 | SmStopCsrApi = 6, 22 | SmStartServerSiloApi = 7, 23 | SmMaxApiNumber = 8, 24 | } SMAPINUMBER, *PSMAPINUMBER; 25 | 26 | // private 27 | typedef struct _SMSESSIONCOMPLETE 28 | { 29 | _In_ ULONG SessionId; 30 | _In_ NTSTATUS CompletionStatus; 31 | } SMSESSIONCOMPLETE, *PSMSESSIONCOMPLETE; 32 | 33 | // private 34 | typedef struct _SMEXECPGM 35 | { 36 | _In_ RTL_USER_PROCESS_INFORMATION ProcessInformation; 37 | _In_ BOOLEAN DebugFlag; 38 | } SMEXECPGM, *PSMEXECPGM; 39 | 40 | // private 41 | typedef struct _SMLOADDEFERED 42 | { 43 | _In_ ULONG SubsystemNameLength; 44 | _In_ _Field_size_bytes_(SubsystemNameLength) WCHAR SubsystemName[32]; 45 | } SMLOADDEFERED, *PSMLOADDEFERED; 46 | 47 | // private 48 | typedef struct _SMSTARTCSR 49 | { 50 | _Inout_ ULONG MuSessionId; 51 | _In_ ULONG InitialCommandLength; 52 | _In_ _Field_size_bytes_(InitialCommandLength) WCHAR InitialCommand[128]; 53 | _Out_ HANDLE InitialCommandProcessId; 54 | _Out_ HANDLE WindowsSubSysProcessId; 55 | } SMSTARTCSR, *PSMSTARTCSR; 56 | 57 | // private 58 | typedef struct 
_SMSTOPCSR 59 | { 60 | _In_ ULONG MuSessionId; 61 | } SMSTOPCSR, *PSMSTOPCSR; 62 | 63 | // private 64 | typedef struct _SMSTARTSERVERSILO 65 | { 66 | _In_ HANDLE JobHandle; 67 | _In_ BOOLEAN CreateSuspended; 68 | } SMSTARTSERVERSILO, *PSMSTARTSERVERSILO; 69 | 70 | // private 71 | typedef struct _SMAPIMSG 72 | { 73 | PORT_MESSAGE h; 74 | SMAPINUMBER ApiNumber; 75 | NTSTATUS ReturnedStatus; 76 | union 77 | { 78 | union 79 | { 80 | SMSESSIONCOMPLETE SessionComplete; 81 | SMEXECPGM ExecPgm; 82 | SMLOADDEFERED LoadDefered; 83 | SMSTARTCSR StartCsr; 84 | SMSTOPCSR StopCsr; 85 | SMSTARTSERVERSILO StartServerSilo; 86 | }; 87 | } u; 88 | } SMAPIMSG, *PSMAPIMSG; 89 | 90 | // SbApiPort 91 | 92 | // private 93 | typedef enum _SBAPINUMBER 94 | { 95 | SbCreateSessionApi = 0, 96 | SbTerminateSessionApi = 1, 97 | SbForeignSessionCompleteApi = 2, 98 | SbCreateProcessApi = 3, 99 | SbMaxApiNumber = 4, 100 | } SBAPINUMBER, *PSBAPINUMBER; 101 | 102 | // private 103 | typedef struct _SBCONNECTINFO 104 | { 105 | _In_ ULONG SubsystemImageType; 106 | _In_ WCHAR EmulationSubSystemPortName[120]; 107 | } SBCONNECTINFO, *PSBCONNECTINFO; 108 | 109 | // private 110 | typedef struct _SBCREATESESSION 111 | { 112 | _In_ ULONG SessionId; 113 | _In_ RTL_USER_PROCESS_INFORMATION ProcessInformation; 114 | _In_opt_ PVOID UserProfile; 115 | _In_ ULONG DebugSession; 116 | _In_ CLIENT_ID DebugUiClientId; 117 | } SBCREATESESSION, *PSBCREATESESSION; 118 | 119 | // private 120 | typedef struct _SBTERMINATESESSION 121 | { 122 | _In_ ULONG SessionId; 123 | _In_ NTSTATUS TerminationStatus; 124 | } SBTERMINATESESSION, *PSBTERMINATESESSION; 125 | 126 | // private 127 | typedef struct _SBFOREIGNSESSIONCOMPLETE 128 | { 129 | _In_ ULONG SessionId; 130 | _In_ NTSTATUS TerminationStatus; 131 | } SBFOREIGNSESSIONCOMPLETE, *PSBFOREIGNSESSIONCOMPLETE; 132 | 133 | // dbg/rev 134 | #define SMP_DEBUG_FLAG 0x00000001 135 | #define SMP_ASYNC_FLAG 0x00000002 136 | #define SMP_DONT_START 0x00000004 137 | 138 | // private 139 | 
typedef struct _SBCREATEPROCESSIN 140 | { 141 | _In_ PUNICODE_STRING ImageFileName; 142 | _In_ PUNICODE_STRING CurrentDirectory; 143 | _In_ PUNICODE_STRING CommandLine; 144 | _In_opt_ PUNICODE_STRING DefaultLibPath; 145 | _In_ ULONG Flags; // SMP_* 146 | _In_ ULONG DefaultDebugFlags; 147 | } SBCREATEPROCESSIN, *PSBCREATEPROCESSIN; 148 | 149 | // private 150 | typedef struct _SBCREATEPROCESSOUT 151 | { 152 | _Out_ HANDLE Process; 153 | _Out_ HANDLE Thread; 154 | _Out_ ULONG SubSystemType; 155 | _Out_ CLIENT_ID ClientId; 156 | } SBCREATEPROCESSOUT, *PSBCREATEPROCESSOUT; 157 | 158 | // private 159 | typedef struct _SBCREATEPROCESS 160 | { 161 | union 162 | { 163 | SBCREATEPROCESSIN i; 164 | SBCREATEPROCESSOUT o; 165 | }; 166 | } SBCREATEPROCESS, *PSBCREATEPROCESS; 167 | 168 | // private 169 | typedef struct _SBAPIMSG 170 | { 171 | PORT_MESSAGE h; 172 | union 173 | { 174 | SBCONNECTINFO ConnectionRequest; 175 | struct 176 | { 177 | SBAPINUMBER ApiNumber; 178 | NTSTATUS ReturnedStatus; 179 | union 180 | { 181 | SBCREATESESSION CreateSession; 182 | SBTERMINATESESSION TerminateSession; 183 | SBFOREIGNSESSIONCOMPLETE ForeignSessionComplete; 184 | SBCREATEPROCESS CreateProcessA; 185 | }; 186 | }; 187 | } u; 188 | } SBAPIMSG, *PSBAPIMSG; 189 | 190 | // functions 191 | 192 | NTSYSAPI 193 | NTSTATUS 194 | NTAPI 195 | RtlConnectToSm( 196 | _In_opt_ PUNICODE_STRING ApiPortName, 197 | _In_opt_ HANDLE ApiPortHandle, 198 | _In_ ULONG ProcessImageType, 199 | _Out_ PHANDLE SmssConnection 200 | ); 201 | 202 | NTSYSAPI 203 | NTSTATUS 204 | NTAPI 205 | RtlSendMsgToSm( 206 | _In_ HANDLE ApiPortHandle, 207 | _Inout_updates_(MessageData->u1.s1.TotalLength) PPORT_MESSAGE MessageData 208 | ); 209 | 210 | #endif 211 | -------------------------------------------------------------------------------- /ntsxs.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Side-by-side assembly support definitions. 3 | * 4 | * This file is part of System Informer. 
5 | */ 6 | 7 | #ifndef _NTSXS_H 8 | #define _NTSXS_H 9 | 10 | #define ACTIVATION_CONTEXT_DATA_MAGIC ('xtcA') 11 | #define ACTIVATION_CONTEXT_DATA_FORMAT_WHISTLER 1 12 | 13 | #define ACTIVATION_CONTEXT_FLAG_NO_INHERIT 0x00000001 14 | 15 | #if (PHNT_MODE == PHNT_MODE_KERNEL) 16 | typedef enum _ACTCTX_REQUESTED_RUN_LEVEL 17 | { 18 | ACTCTX_RUN_LEVEL_UNSPECIFIED = 0, 19 | ACTCTX_RUN_LEVEL_AS_INVOKER, 20 | ACTCTX_RUN_LEVEL_HIGHEST_AVAILABLE, 21 | ACTCTX_RUN_LEVEL_REQUIRE_ADMIN, 22 | ACTCTX_RUN_LEVEL_NUMBERS 23 | } ACTCTX_REQUESTED_RUN_LEVEL; 24 | 25 | typedef enum _ACTCTX_COMPATIBILITY_ELEMENT_TYPE 26 | { 27 | ACTCTX_COMPATIBILITY_ELEMENT_TYPE_UNKNOWN = 0, 28 | ACTCTX_COMPATIBILITY_ELEMENT_TYPE_OS, 29 | ACTCTX_COMPATIBILITY_ELEMENT_TYPE_MITIGATION, 30 | ACTCTX_COMPATIBILITY_ELEMENT_TYPE_MAXVERSIONTESTED 31 | } ACTCTX_COMPATIBILITY_ELEMENT_TYPE; 32 | #endif 33 | 34 | #include 35 | 36 | typedef struct _ACTIVATION_CONTEXT_DATA 37 | { 38 | ULONG Magic; 39 | ULONG HeaderSize; 40 | ULONG FormatVersion; 41 | ULONG TotalSize; 42 | ULONG DefaultTocOffset; // to ACTIVATION_CONTEXT_DATA_TOC_HEADER 43 | ULONG ExtendedTocOffset; // to ACTIVATION_CONTEXT_DATA_EXTENDED_TOC_HEADER 44 | ULONG AssemblyRosterOffset; // to ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_HEADER 45 | ULONG Flags; // ACTIVATION_CONTEXT_FLAG_* 46 | } ACTIVATION_CONTEXT_DATA, *PACTIVATION_CONTEXT_DATA; 47 | 48 | #define ACTIVATION_CONTEXT_DATA_TOC_HEADER_DENSE 0x00000001 49 | #define ACTIVATION_CONTEXT_DATA_TOC_HEADER_INORDER 0x00000002 50 | 51 | typedef struct _ACTIVATION_CONTEXT_DATA_TOC_HEADER 52 | { 53 | ULONG HeaderSize; 54 | ULONG EntryCount; 55 | ULONG FirstEntryOffset; // to ACTIVATION_CONTEXT_DATA_TOC_ENTRY[], from ACTIVATION_CONTEXT_DATA base 56 | ULONG Flags; // ACTIVATION_CONTEXT_DATA_TOC_HEADER_* 57 | } ACTIVATION_CONTEXT_DATA_TOC_HEADER, *PACTIVATION_CONTEXT_DATA_TOC_HEADER; 58 | 59 | typedef struct _ACTIVATION_CONTEXT_DATA_TOC_ENTRY 60 | { 61 | ULONG Id; // ACTIVATION_CONTEXT_SECTION_* 62 | ULONG Offset; 
// to ACTIVATION_CONTEXT_*_SECTION_HEADER, from ACTIVATION_CONTEXT_DATA base 63 | ULONG Length; 64 | ULONG Format; // ACTIVATION_CONTEXT_SECTION_FORMAT_* 65 | } ACTIVATION_CONTEXT_DATA_TOC_ENTRY, *PACTIVATION_CONTEXT_DATA_TOC_ENTRY; 66 | 67 | typedef struct _ACTIVATION_CONTEXT_DATA_EXTENDED_TOC_HEADER 68 | { 69 | ULONG HeaderSize; 70 | ULONG EntryCount; 71 | ULONG FirstEntryOffset; // to ACTIVATION_CONTEXT_DATA_EXTENDED_TOC_ENTRY[], from ACTIVATION_CONTEXT_DATA base 72 | ULONG Flags; 73 | } ACTIVATION_CONTEXT_DATA_EXTENDED_TOC_HEADER, *PACTIVATION_CONTEXT_DATA_EXTENDED_TOC_HEADER; 74 | 75 | typedef struct _ACTIVATION_CONTEXT_DATA_EXTENDED_TOC_ENTRY 76 | { 77 | GUID ExtensionGuid; 78 | ULONG TocOffset; // to ACTIVATION_CONTEXT_DATA_TOC_HEADER, from ACTIVATION_CONTEXT_DATA base 79 | ULONG Length; 80 | } ACTIVATION_CONTEXT_DATA_EXTENDED_TOC_ENTRY, *PACTIVATION_CONTEXT_DATA_EXTENDED_TOC_ENTRY; 81 | 82 | #define ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_ENTRY_INVALID 0x00000001 83 | #define ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_ENTRY_ROOT 0x00000002 84 | 85 | typedef struct _ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_HEADER 86 | { 87 | ULONG HeaderSize; 88 | ULONG HashAlgorithm; // HASH_STRING_ALGORITHM_* 89 | ULONG EntryCount; 90 | ULONG FirstEntryOffset; // to ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_ENTRY[], from ACTIVATION_CONTEXT_DATA base 91 | ULONG AssemblyInformationSectionOffset; // to resolve section-relative offsets 92 | } ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_HEADER, *PACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_HEADER; 93 | 94 | typedef struct _ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_ENTRY 95 | { 96 | ULONG Flags; 97 | ULONG PseudoKey; 98 | ULONG AssemblyNameOffset; // to WCHAR[], from ACTIVATION_CONTEXT_DATA base 99 | ULONG AssemblyNameLength; 100 | ULONG AssemblyInformationOffset; // to ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION, from ACTIVATION_CONTEXT_DATA base 101 | ULONG AssemblyInformationLength; 102 | } ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_ENTRY, 
*PACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_ENTRY; 103 | 104 | #define ACTIVATION_CONTEXT_SECTION_FORMAT_UNKNOWN 0 105 | #define ACTIVATION_CONTEXT_SECTION_FORMAT_STRING_TABLE 1 // ACTIVATION_CONTEXT_STRING_SECTION_HEADER 106 | #define ACTIVATION_CONTEXT_SECTION_FORMAT_GUID_TABLE 2 // ACTIVATION_CONTEXT_GUID_SECTION_HEADER 107 | 108 | #define ACTIVATION_CONTEXT_STRING_SECTION_MAGIC ('dHsS') 109 | #define ACTIVATION_CONTEXT_STRING_SECTION_FORMAT_WHISTLER 1 110 | 111 | #define ACTIVATION_CONTEXT_STRING_SECTION_CASE_INSENSITIVE 0x00000001 112 | #define ACTIVATION_CONTEXT_STRING_SECTION_ENTRIES_IN_PSEUDOKEY_ORDER 0x00000002 113 | 114 | typedef struct _ACTIVATION_CONTEXT_STRING_SECTION_HEADER 115 | { 116 | ULONG Magic; 117 | ULONG HeaderSize; 118 | ULONG FormatVersion; 119 | ULONG DataFormatVersion; 120 | ULONG Flags; // ACTIVATION_CONTEXT_STRING_SECTION_* 121 | ULONG ElementCount; 122 | ULONG ElementListOffset; // to ACTIVATION_CONTEXT_STRING_SECTION_ENTRY[], from this struct base 123 | ULONG HashAlgorithm; // HASH_STRING_ALGORITHM_* 124 | ULONG SearchStructureOffset; // to ACTIVATION_CONTEXT_STRING_SECTION_HASH_TABLE, from this struct base 125 | ULONG UserDataOffset; // to data depending on section Id, from this struct base 126 | ULONG UserDataSize; 127 | } ACTIVATION_CONTEXT_STRING_SECTION_HEADER, *PACTIVATION_CONTEXT_STRING_SECTION_HEADER; 128 | 129 | typedef struct _ACTIVATION_CONTEXT_STRING_SECTION_ENTRY 130 | { 131 | ULONG PseudoKey; 132 | ULONG KeyOffset; // to WCHAR[], from section header 133 | ULONG KeyLength; 134 | ULONG Offset; // to data depending on section Id, from section header 135 | ULONG Length; 136 | ULONG AssemblyRosterIndex; 137 | } ACTIVATION_CONTEXT_STRING_SECTION_ENTRY, *PACTIVATION_CONTEXT_STRING_SECTION_ENTRY; 138 | 139 | typedef struct _ACTIVATION_CONTEXT_STRING_SECTION_HASH_TABLE 140 | { 141 | ULONG BucketTableEntryCount; 142 | ULONG BucketTableOffset; // to ACTIVATION_CONTEXT_STRING_SECTION_HASH_BUCKET[], from section header 143 | } 
ACTIVATION_CONTEXT_STRING_SECTION_HASH_TABLE, *PACTIVATION_CONTEXT_STRING_SECTION_HASH_TABLE; 144 | 145 | typedef struct _ACTIVATION_CONTEXT_STRING_SECTION_HASH_BUCKET 146 | { 147 | ULONG ChainCount; 148 | ULONG ChainOffset; // to LONG[], from section header 149 | } ACTIVATION_CONTEXT_STRING_SECTION_HASH_BUCKET, *PACTIVATION_CONTEXT_STRING_SECTION_HASH_BUCKET; 150 | 151 | #define ACTIVATION_CONTEXT_GUID_SECTION_MAGIC ('dHsG') 152 | #define ACTIVATION_CONTEXT_GUID_SECTION_FORMAT_WHISTLER 1 153 | 154 | #define ACTIVATION_CONTEXT_GUID_SECTION_ENTRIES_IN_ORDER 0x00000001 155 | 156 | typedef struct _ACTIVATION_CONTEXT_GUID_SECTION_HEADER 157 | { 158 | ULONG Magic; 159 | ULONG HeaderSize; 160 | ULONG FormatVersion; 161 | ULONG DataFormatVersion; 162 | ULONG Flags; // ACTIVATION_CONTEXT_GUID_SECTION_* 163 | ULONG ElementCount; 164 | ULONG ElementListOffset; // to ACTIVATION_CONTEXT_GUID_SECTION_ENTRY[], from this struct base 165 | ULONG SearchStructureOffset; // to ACTIVATION_CONTEXT_GUID_SECTION_HASH_TABLE, from this struct base 166 | ULONG UserDataOffset; // to data depending on section Id, from this struct base 167 | ULONG UserDataSize; 168 | } ACTIVATION_CONTEXT_GUID_SECTION_HEADER, *PACTIVATION_CONTEXT_GUID_SECTION_HEADER; 169 | 170 | typedef struct _ACTIVATION_CONTEXT_GUID_SECTION_ENTRY 171 | { 172 | GUID Guid; 173 | ULONG Offset; // to data depending on section Id, from section header 174 | ULONG Length; 175 | ULONG AssemblyRosterIndex; 176 | } ACTIVATION_CONTEXT_GUID_SECTION_ENTRY, *PACTIVATION_CONTEXT_GUID_SECTION_ENTRY; 177 | 178 | typedef struct _ACTIVATION_CONTEXT_GUID_SECTION_HASH_TABLE 179 | { 180 | ULONG BucketTableEntryCount; 181 | ULONG BucketTableOffset; // to ACTIVATION_CONTEXT_GUID_SECTION_HASH_BUCKET, from section header 182 | } ACTIVATION_CONTEXT_GUID_SECTION_HASH_TABLE, *PACTIVATION_CONTEXT_GUID_SECTION_HASH_TABLE; 183 | 184 | typedef struct _ACTIVATION_CONTEXT_GUID_SECTION_HASH_BUCKET 185 | { 186 | ULONG ChainCount; 187 | ULONG ChainOffset; // to 
LONG[], from section header 188 | } ACTIVATION_CONTEXT_GUID_SECTION_HASH_BUCKET, *PACTIVATION_CONTEXT_GUID_SECTION_HASH_BUCKET; 189 | 190 | // winnt.h - known section IDs 191 | // #define ACTIVATION_CONTEXT_SECTION_ASSEMBLY_INFORMATION (1) // ACTIVATION_CONTEXT_SECTION_ASSEMBLY_INFORMATION + ACTIVATION_CONTEXT_DATA_ASSEMBLY_GLOBAL_INFORMATION 192 | // #define ACTIVATION_CONTEXT_SECTION_DLL_REDIRECTION (2) // ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION 193 | // #define ACTIVATION_CONTEXT_SECTION_WINDOW_CLASS_REDIRECTION (3) // ACTIVATION_CONTEXT_DATA_WINDOW_CLASS_REDIRECTION 194 | // #define ACTIVATION_CONTEXT_SECTION_COM_SERVER_REDIRECTION (4) // ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION 195 | // #define ACTIVATION_CONTEXT_SECTION_COM_INTERFACE_REDIRECTION (5) // ACTIVATION_CONTEXT_DATA_COM_INTERFACE_REDIRECTION 196 | // #define ACTIVATION_CONTEXT_SECTION_COM_TYPE_LIBRARY_REDIRECTION (6) // ACTIVATION_CONTEXT_DATA_COM_TYPE_LIBRARY_REDIRECTION 197 | // #define ACTIVATION_CONTEXT_SECTION_COM_PROGID_REDIRECTION (7) // ACTIVATION_CONTEXT_DATA_COM_PROGID_REDIRECTION 198 | // #define ACTIVATION_CONTEXT_SECTION_GLOBAL_OBJECT_RENAME_TABLE (8) 199 | // #define ACTIVATION_CONTEXT_SECTION_CLR_SURROGATES (9) // ACTIVATION_CONTEXT_DATA_CLR_SURROGATE 200 | // #define ACTIVATION_CONTEXT_SECTION_APPLICATION_SETTINGS (10) // ACTIVATION_CONTEXT_DATA_APPLICATION_SETTINGS 201 | // #define ACTIVATION_CONTEXT_SECTION_COMPATIBILITY_INFO (11) // ACTIVATION_CONTEXT_COMPATIBILITY_INFORMATION[_LEGACY] 202 | // #define ACTIVATION_CONTEXT_SECTION_WINRT_ACTIVATABLE_CLASSES (12) // since 19H1 203 | 204 | #define ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION_FORMAT_WHISTLER 1 205 | 206 | #define ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION_ROOT_ASSEMBLY 0x00000001 207 | #define ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION_POLICY_APPLIED 0x00000002 208 | #define ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION_ASSEMBLY_POLICY_APPLIED 0x00000004 209 | #define 
ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION_ROOT_POLICY_APPLIED 0x00000008 210 | #define ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION_PRIVATE_ASSEMBLY 0x00000010 211 | 212 | typedef struct _ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION 213 | { 214 | ULONG Size; 215 | ULONG Flags; // ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION_* 216 | ULONG EncodedAssemblyIdentityLength; 217 | ULONG EncodedAssemblyIdentityOffset; // to WCHAR[], from section header 218 | ULONG ManifestPathType; // ACTIVATION_CONTEXT_PATH_TYPE_* 219 | ULONG ManifestPathLength; 220 | ULONG ManifestPathOffset; // to WCHAR[], from section header 221 | LARGE_INTEGER ManifestLastWriteTime; 222 | ULONG PolicyPathType; // ACTIVATION_CONTEXT_PATH_TYPE_* 223 | ULONG PolicyPathLength; 224 | ULONG PolicyPathOffset; // to WCHAR[], from section header 225 | LARGE_INTEGER PolicyLastWriteTime; 226 | ULONG MetadataSatelliteRosterIndex; 227 | ULONG Unused2; 228 | ULONG ManifestVersionMajor; 229 | ULONG ManifestVersionMinor; 230 | ULONG PolicyVersionMajor; 231 | ULONG PolicyVersionMinor; 232 | ULONG AssemblyDirectoryNameLength; 233 | ULONG AssemblyDirectoryNameOffset; // to WCHAR[], from section header 234 | ULONG NumOfFilesInAssembly; 235 | ULONG LanguageLength; 236 | ULONG LanguageOffset; // to WCHAR[], from section header 237 | ACTCTX_REQUESTED_RUN_LEVEL RunLevel; 238 | ULONG UiAccess; 239 | } ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION, *PACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION; 240 | 241 | // via UserData 242 | typedef struct _ACTIVATION_CONTEXT_DATA_ASSEMBLY_GLOBAL_INFORMATION 243 | { 244 | ULONG Size; 245 | ULONG Flags; 246 | GUID PolicyCoherencyGuid; 247 | GUID PolicyOverrideGuid; 248 | ULONG ApplicationDirectoryPathType; // ACTIVATION_CONTEXT_PATH_TYPE_* 249 | ULONG ApplicationDirectoryLength; 250 | ULONG ApplicationDirectoryOffset; // to WCHAR[], from this struct base 251 | ULONG ResourceName; 252 | } ACTIVATION_CONTEXT_DATA_ASSEMBLY_GLOBAL_INFORMATION, 
*PACTIVATION_CONTEXT_DATA_ASSEMBLY_GLOBAL_INFORMATION;

// Entry layouts for the individual activation context sections follow.
// NOTE(review): every *Offset / *Length member below is a raw ULONG, and the
// per-field comments name two different bases ("from section header" and
// "from this struct base"), sometimes inside the same structure. Code that
// follows these offsets should resolve each one against the base its comment
// names and range-check offset + length against the bounds of the data being
// parsed before reading. This header does not say whether a *Length counts
// bytes or WCHARs; confirm before sizing a buffer from it.

// Data format version constant for the DLL redirection section.
// Presumably compared with the section header's DataFormatVersion - confirm.
#define ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_FORMAT_WHISTLER 1

// Bit values for ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION::Flags.
#define ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_INCLUDES_BASE_NAME 0x00000001
#define ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_OMITS_ASSEMBLY_ROOT 0x00000002
#define ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_EXPAND 0x00000004
#define ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_SYSTEM_DEFAULT_REDIRECTED_SYSTEM32_DLL 0x00000008

// Entry data for ACTIVATION_CONTEXT_SECTION_DLL_REDIRECTION (section ID 2 in
// the winnt.h list quoted earlier in this header).
// PathSegmentOffset locates an array of path segments; PathSegmentCount is
// presumably its element count - confirm, and bound any walk over the array
// by both the count and the end of the section.
typedef struct _ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION
{
    ULONG Size;
    ULONG Flags; // ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_*
    ULONG TotalPathLength;
    ULONG PathSegmentCount;
    ULONG PathSegmentOffset; // to ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_SEGMENT[], from section header
} ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION, *PACTIVATION_CONTEXT_DATA_DLL_REDIRECTION;

// One element of the array that PathSegmentOffset points to; locates one
// WCHAR run relative to the section header.
typedef struct _ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_SEGMENT
{
    ULONG Length;
    ULONG Offset; // to WCHAR[], from section header
} ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_SEGMENT, *PACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_SEGMENT;

// Data format version constant for the window class redirection section.
#define ACTIVATION_CONTEXT_DATA_WINDOW_CLASS_REDIRECTION_FORMAT_WHISTLER 1

// Entry data for ACTIVATION_CONTEXT_SECTION_WINDOW_CLASS_REDIRECTION
// (section ID 3). The two offsets use different bases: the class name is
// relative to this structure, the DLL name to the section header.
typedef struct _ACTIVATION_CONTEXT_DATA_WINDOW_CLASS_REDIRECTION
{
    ULONG Size;
    ULONG Flags;
    ULONG VersionSpecificClassNameLength;
    ULONG VersionSpecificClassNameOffset; // to WCHAR[], from this struct base
    ULONG DllNameLength;
    ULONG DllNameOffset; // to WCHAR[], from section header
} ACTIVATION_CONTEXT_DATA_WINDOW_CLASS_REDIRECTION, *PACTIVATION_CONTEXT_DATA_WINDOW_CLASS_REDIRECTION;

// Data format version constant for the COM server redirection section.
#define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_FORMAT_WHISTLER 1

// Values for ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION::ThreadingModel.
// 0 is the explicit "invalid" value, so a zero-filled entry does not name a
// usable threading model.
#define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_THREADING_MODEL_INVALID 0
#define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_THREADING_MODEL_APARTMENT 1
#define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_THREADING_MODEL_FREE 2
#define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_THREADING_MODEL_SINGLE 3
#define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_THREADING_MODEL_BOTH 4
#define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_THREADING_MODEL_NEUTRAL 5

// MISCSTATUS_HAS_* are the values 0x01..0x10 shifted left by FLAG_OFFSET (8),
// i.e. bits 8 through 12 of a ULONG.
// NOTE(review): presumably tested against the entry's Flags to tell which
// MiscStatus* members carry a value - confirm against the consumer.
#define ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_FLAG_OFFSET 8
#define ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_HAS_DEFAULT (0x01 << ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_FLAG_OFFSET)
#define ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_HAS_ICON (0x02 << ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_FLAG_OFFSET)
#define ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_HAS_CONTENT (0x04 << ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_FLAG_OFFSET)
#define ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_HAS_THUMBNAIL (0x08 << ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_FLAG_OFFSET)
#define ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_HAS_DOCPRINT (0x10 << ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_FLAG_OFFSET)

// Entry data for ACTIVATION_CONTEXT_SECTION_COM_SERVER_REDIRECTION
// (section ID 4). Carries four GUIDs, a module name, a ProgID and a link to
// a shim record. ModuleOffset is relative to the section header while
// ProgIdOffset and ShimDataOffset are relative to this structure.
typedef struct _ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION
{
    ULONG Size;
    ULONG Flags;
    ULONG ThreadingModel; // ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_THREADING_MODEL_*
    GUID ReferenceClsid;
    GUID ConfiguredClsid;
    GUID ImplementedClsid;
    GUID TypeLibraryId;
    ULONG ModuleLength;
    ULONG ModuleOffset; // to WCHAR[], from section header
    ULONG ProgIdLength;
    ULONG ProgIdOffset; // to WCHAR[], from this struct base
    ULONG ShimDataLength;
    ULONG ShimDataOffset; // to ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_SHIM, from this struct base
    ULONG MiscStatusDefault;
    ULONG MiscStatusContent;
    ULONG MiscStatusThumbnail;
    ULONG MiscStatusIcon;
    ULONG MiscStatusDocPrint;
} ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION, *PACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION;

// Values for ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_SHIM::Type.
#define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_SHIM_TYPE_OTHER 1
#define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_SHIM_TYPE_CLR_CLASS 2

// Shim record reached through ShimDataOffset of the COM server entry.
// DataOffset/DataLength locate a blob whose element type is not stated here;
// treat it as opaque bytes until the consumer is checked.
typedef struct _ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_SHIM
{
    ULONG Size;
    ULONG Flags;
    ULONG Type; // ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_SHIM_TYPE_*
    ULONG ModuleLength;
    ULONG ModuleOffset; // to WCHAR[], from section header
    ULONG TypeLength;
    ULONG TypeOffset; // to WCHAR[], from this struct base
    ULONG ShimVersionLength;
    ULONG ShimVersionOffset; // to WCHAR[], from this struct base
    ULONG DataLength;
    ULONG DataOffset; // from this struct base
} ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_SHIM, *PACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_SHIM;

// Data format version constant for the COM interface redirection section.
#define ACTIVATION_CONTEXT_DATA_COM_INTERFACE_REDIRECTION_FORMAT_WHISTLER 1

// Bit values for ACTIVATION_CONTEXT_DATA_COM_INTERFACE_REDIRECTION::Flags.
// Presumably they say whether NumMethods and BaseInterface hold meaningful
// values - confirm before trusting either member when its bit is clear.
#define ACTIVATION_CONTEXT_DATA_COM_INTERFACE_REDIRECTION_FLAG_NUM_METHODS_VALID 0x00000001
#define ACTIVATION_CONTEXT_DATA_COM_INTERFACE_REDIRECTION_FLAG_BASE_INTERFACE_VALID 0x00000002

// Entry data for ACTIVATION_CONTEXT_SECTION_COM_INTERFACE_REDIRECTION
// (section ID 5).
typedef struct _ACTIVATION_CONTEXT_DATA_COM_INTERFACE_REDIRECTION
{
    ULONG Size;
    ULONG Flags; // ACTIVATION_CONTEXT_DATA_COM_INTERFACE_REDIRECTION_FLAG_*
    GUID ProxyStubClsid32;
    ULONG NumMethods;
    GUID TypeLibraryId;
    GUID BaseInterface;
    ULONG NameLength;
    ULONG NameOffset; // to WCHAR[], from this struct base
} ACTIVATION_CONTEXT_DATA_COM_INTERFACE_REDIRECTION, *PACTIVATION_CONTEXT_DATA_COM_INTERFACE_REDIRECTION;

// Data format version constant for the COM type library redirection section.
#define ACTIVATION_CONTEXT_DATA_COM_TYPE_LIBRARY_REDIRECTION_FORMAT_WHISTLER 1

// Major/minor pair embedded as the Version member of the type library
// redirection entry.
typedef struct _ACTIVATION_CONTEXT_DATA_TYPE_LIBRARY_VERSION
{
    USHORT Major;
    USHORT Minor;
} ACTIVATION_CONTEXT_DATA_TYPE_LIBRARY_VERSION, *PACTIVATION_CONTEXT_DATA_TYPE_LIBRARY_VERSION;

// Entry data for ACTIVATION_CONTEXT_SECTION_COM_TYPE_LIBRARY_REDIRECTION
// (section ID 6). NameOffset is relative to the section header, HelpDirOffset
// to this structure.
typedef struct _ACTIVATION_CONTEXT_DATA_COM_TYPE_LIBRARY_REDIRECTION
{
    ULONG Size;
    ULONG Flags;
    ULONG NameLength;
    ULONG NameOffset; // to WCHAR[], from section header
    USHORT ResourceId;
    USHORT LibraryFlags; // LIBFLAG_* oaidl.h
    ULONG HelpDirLength;
    ULONG HelpDirOffset; // to WCHAR[], from this struct base
    ACTIVATION_CONTEXT_DATA_TYPE_LIBRARY_VERSION Version;
} ACTIVATION_CONTEXT_DATA_COM_TYPE_LIBRARY_REDIRECTION, *PACTIVATION_CONTEXT_DATA_COM_TYPE_LIBRARY_REDIRECTION;

// Data format version constant for the COM ProgID redirection section.
#define ACTIVATION_CONTEXT_DATA_COM_PROGID_REDIRECTION_FORMAT_WHISTLER 1

// Entry data for ACTIVATION_CONTEXT_SECTION_COM_PROGID_REDIRECTION
// (section ID 7). The only payload is an offset to a CLSID; there is no
// accompanying length member, so a reader has to check that a full CLSID
// fits at that offset.
typedef struct _ACTIVATION_CONTEXT_DATA_COM_PROGID_REDIRECTION
{
    ULONG Size;
    ULONG Flags;
    ULONG ConfiguredClsidOffset; // to CLSID, from section header
} ACTIVATION_CONTEXT_DATA_COM_PROGID_REDIRECTION, *PACTIVATION_CONTEXT_DATA_COM_PROGID_REDIRECTION;

// Data format version constant for the CLR surrogate section.
#define ACTIVATION_CONTEXT_DATA_CLR_SURROGATE_FORMAT_WHISTLER 1

// Entry data for ACTIVATION_CONTEXT_SECTION_CLR_SURROGATES (section ID 9).
// Unlike the structures above, each pair here is declared Offset first, then
// Length - do not assume the Length/Offset order when overlaying this type.
// NOTE(review): the only base annotation sits on TypeNameLength but reads as
// if it describes the *Offset members; VersionOffset has no stated base.
// Confirm both against the consumer.
typedef struct _ACTIVATION_CONTEXT_DATA_CLR_SURROGATE
{
    ULONG Size;
    ULONG Flags;
    GUID SurrogateIdent;
    ULONG VersionOffset;
    ULONG VersionLength;
    ULONG TypeNameOffset;
    ULONG TypeNameLength; // to WCHAR[], from this struct base
} ACTIVATION_CONTEXT_DATA_CLR_SURROGATE, *PACTIVATION_CONTEXT_DATA_CLR_SURROGATE;

// Data format version constant for the application settings section.
#define ACTIVATION_CONTEXT_DATA_APPLICATION_SETTINGS_FORMAT_LONGHORN 1

// Wide-string namespace URIs for the WindowsSettings schemas, one per schema
// revision year.
#define SXS_WINDOWS_SETTINGS_NAMESPACE L"http://schemas.microsoft.com/SMI/2005/WindowsSettings"
#define SXS_WINDOWS_SETTINGS_2011_NAMESPACE L"http://schemas.microsoft.com/SMI/2011/WindowsSettings"
#define SXS_WINDOWS_SETTINGS_2013_NAMESPACE L"http://schemas.microsoft.com/SMI/2013/WindowsSettings"
#define SXS_WINDOWS_SETTINGS_2014_NAMESPACE L"http://schemas.microsoft.com/SMI/2014/WindowsSettings"
#define SXS_WINDOWS_SETTINGS_2016_NAMESPACE
L"http://schemas.microsoft.com/SMI/2016/WindowsSettings" 411 | #define SXS_WINDOWS_SETTINGS_2017_NAMESPACE L"http://schemas.microsoft.com/SMI/2017/WindowsSettings" 412 | #define SXS_WINDOWS_SETTINGS_2019_NAMESPACE L"http://schemas.microsoft.com/SMI/2019/WindowsSettings" 413 | #define SXS_WINDOWS_SETTINGS_2020_NAMESPACE L"http://schemas.microsoft.com/SMI/2020/WindowsSettings" 414 | 415 | typedef struct _ACTIVATION_CONTEXT_DATA_APPLICATION_SETTINGS 416 | { 417 | ULONG Size; 418 | ULONG Flags; 419 | ULONG SettingNamespaceLength; 420 | ULONG SettingNamespaceOffset; // to WCHAR[], from this struct base 421 | ULONG SettingNameLength; 422 | ULONG SettingNameOffset; // to WCHAR[], from this struct base 423 | ULONG SettingValueLength; 424 | ULONG SettingValueOffset; // to WCHAR[], from this struct base 425 | } ACTIVATION_CONTEXT_DATA_APPLICATION_SETTINGS, *PACTIVATION_CONTEXT_DATA_APPLICATION_SETTINGS; 426 | 427 | // COMPATIBILITY_CONTEXT_ELEMENT from winnt.h before 19H1 428 | typedef struct _COMPATIBILITY_CONTEXT_ELEMENT_LEGACY 429 | { 430 | GUID Id; 431 | ACTCTX_COMPATIBILITY_ELEMENT_TYPE Type; 432 | } COMPATIBILITY_CONTEXT_ELEMENT_LEGACY, *PCOMPATIBILITY_CONTEXT_ELEMENT_LEGACY; 433 | 434 | // ACTIVATION_CONTEXT_COMPATIBILITY_INFORMATION from winnt.h before 19H1 435 | typedef struct _ACTIVATION_CONTEXT_COMPATIBILITY_INFORMATION_LEGACY 436 | { 437 | ULONG ElementCount; 438 | COMPATIBILITY_CONTEXT_ELEMENT_LEGACY Elements[ANYSIZE_ARRAY]; 439 | } ACTIVATION_CONTEXT_COMPATIBILITY_INFORMATION_LEGACY, *PACTIVATION_CONTEXT_COMPATIBILITY_INFORMATION_LEGACY; 440 | 441 | #include 442 | 443 | // begin_private 444 | 445 | typedef struct _ASSEMBLY_STORAGE_MAP_ENTRY 446 | { 447 | ULONG Flags; 448 | UNICODE_STRING DosPath; 449 | HANDLE Handle; 450 | } ASSEMBLY_STORAGE_MAP_ENTRY, *PASSEMBLY_STORAGE_MAP_ENTRY; 451 | 452 | #define ASSEMBLY_STORAGE_MAP_ASSEMBLY_ARRAY_IS_HEAP_ALLOCATED 0x00000001 453 | 454 | typedef struct _ASSEMBLY_STORAGE_MAP 455 | { 456 | ULONG Flags; 457 | ULONG 
AssemblyCount; 458 | PASSEMBLY_STORAGE_MAP_ENTRY *AssemblyArray; 459 | } ASSEMBLY_STORAGE_MAP, *PASSEMBLY_STORAGE_MAP; 460 | 461 | typedef struct _ACTIVATION_CONTEXT *PACTIVATION_CONTEXT; 462 | 463 | #define ACTIVATION_CONTEXT_NOTIFICATION_DESTROY 1 464 | #define ACTIVATION_CONTEXT_NOTIFICATION_ZOMBIFY 2 465 | #define ACTIVATION_CONTEXT_NOTIFICATION_USED 3 466 | 467 | typedef VOID (NTAPI *PACTIVATION_CONTEXT_NOTIFY_ROUTINE)( 468 | _In_ ULONG NotificationType, // ACTIVATION_CONTEXT_NOTIFICATION_* 469 | _In_ PACTIVATION_CONTEXT ActivationContext, 470 | _In_ PACTIVATION_CONTEXT_DATA ActivationContextData, 471 | _In_opt_ PVOID NotificationContext, 472 | _In_opt_ PVOID NotificationData, 473 | _Inout_ PBOOLEAN DisableThisNotification 474 | ); 475 | 476 | typedef struct _ACTIVATION_CONTEXT 477 | { 478 | LONG RefCount; 479 | ULONG Flags; 480 | PACTIVATION_CONTEXT_DATA ActivationContextData; 481 | PACTIVATION_CONTEXT_NOTIFY_ROUTINE NotificationRoutine; 482 | PVOID NotificationContext; 483 | ULONG SentNotifications[8]; 484 | ULONG DisabledNotifications[8]; 485 | ASSEMBLY_STORAGE_MAP StorageMap; 486 | PASSEMBLY_STORAGE_MAP_ENTRY InlineStorageMapEntries[32]; 487 | } ACTIVATION_CONTEXT, *PACTIVATION_CONTEXT; 488 | 489 | #define RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_RELEASE_ON_DEACTIVATION 0x00000001 490 | #define RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_NO_DEACTIVATE 0x00000002 491 | #define RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_ON_FREE_LIST 0x00000004 492 | #define RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_HEAP_ALLOCATED 0x00000008 493 | #define RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_NOT_REALLY_ACTIVATED 0x00000010 494 | 495 | typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME 496 | { 497 | struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME *Previous; 498 | PACTIVATION_CONTEXT ActivationContext; 499 | ULONG Flags; // RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_* 500 | } RTL_ACTIVATION_CONTEXT_STACK_FRAME, *PRTL_ACTIVATION_CONTEXT_STACK_FRAME; 501 | 502 | #define 
ACTIVATION_CONTEXT_STACK_FLAG_QUERIES_DISABLED 0x00000001 503 | 504 | typedef struct _ACTIVATION_CONTEXT_STACK 505 | { 506 | PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame; 507 | LIST_ENTRY FrameListCache; 508 | ULONG Flags; // ACTIVATION_CONTEXT_STACK_FLAG_* 509 | ULONG NextCookieSequenceNumber; 510 | ULONG StackId; 511 | } ACTIVATION_CONTEXT_STACK, *PACTIVATION_CONTEXT_STACK; 512 | 513 | // end_private 514 | 515 | #endif 516 | -------------------------------------------------------------------------------- /nttmapi.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Transaction Manager support functions 3 | * 4 | * This file is part of System Informer. 5 | */ 6 | 7 | #ifndef _NTTMAPI_H 8 | #define _NTTMAPI_H 9 | 10 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 11 | NTSYSCALLAPI 12 | NTSTATUS 13 | NTAPI 14 | NtCreateTransactionManager( 15 | _Out_ PHANDLE TmHandle, 16 | _In_ ACCESS_MASK DesiredAccess, 17 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 18 | _In_opt_ PUNICODE_STRING LogFileName, 19 | _In_opt_ ULONG CreateOptions, 20 | _In_opt_ ULONG CommitStrength 21 | ); 22 | #endif 23 | 24 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 25 | NTSYSCALLAPI 26 | NTSTATUS 27 | NTAPI 28 | NtOpenTransactionManager( 29 | _Out_ PHANDLE TmHandle, 30 | _In_ ACCESS_MASK DesiredAccess, 31 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 32 | _In_opt_ PUNICODE_STRING LogFileName, 33 | _In_opt_ LPGUID TmIdentity, 34 | _In_opt_ ULONG OpenOptions 35 | ); 36 | #endif 37 | 38 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 39 | NTSYSCALLAPI 40 | NTSTATUS 41 | NTAPI 42 | NtRenameTransactionManager( 43 | _In_ PUNICODE_STRING LogFileName, 44 | _In_ LPGUID ExistingTransactionManagerGuid 45 | ); 46 | #endif 47 | 48 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 49 | NTSYSCALLAPI 50 | NTSTATUS 51 | NTAPI 52 | NtRollforwardTransactionManager( 53 | _In_ HANDLE TransactionManagerHandle, 54 | _In_opt_ PLARGE_INTEGER TmVirtualClock 55 | ); 56 | #endif 57 | 58 | #if 
(PHNT_VERSION >= PHNT_WINDOWS_VISTA) 59 | NTSYSCALLAPI 60 | NTSTATUS 61 | NTAPI 62 | NtRecoverTransactionManager( 63 | _In_ HANDLE TransactionManagerHandle 64 | ); 65 | #endif 66 | 67 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 68 | NTSYSCALLAPI 69 | NTSTATUS 70 | NTAPI 71 | NtQueryInformationTransactionManager( 72 | _In_ HANDLE TransactionManagerHandle, 73 | _In_ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass, 74 | _Out_writes_bytes_(TransactionManagerInformationLength) PVOID TransactionManagerInformation, 75 | _In_ ULONG TransactionManagerInformationLength, 76 | _Out_opt_ PULONG ReturnLength 77 | ); 78 | #endif 79 | 80 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 81 | NTSYSCALLAPI 82 | NTSTATUS 83 | NTAPI 84 | NtSetInformationTransactionManager( 85 | _In_opt_ HANDLE TmHandle, 86 | _In_ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass, 87 | _In_reads_bytes_(TransactionManagerInformationLength) PVOID TransactionManagerInformation, 88 | _In_ ULONG TransactionManagerInformationLength 89 | ); 90 | #endif 91 | 92 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 93 | NTSYSCALLAPI 94 | NTSTATUS 95 | NTAPI 96 | NtEnumerateTransactionObject( 97 | _In_opt_ HANDLE RootObjectHandle, 98 | _In_ KTMOBJECT_TYPE QueryType, 99 | _Inout_updates_bytes_(ObjectCursorLength) PKTMOBJECT_CURSOR ObjectCursor, 100 | _In_ ULONG ObjectCursorLength, 101 | _Out_ PULONG ReturnLength 102 | ); 103 | #endif 104 | 105 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 106 | NTSYSCALLAPI 107 | NTSTATUS 108 | NTAPI 109 | NtCreateTransaction( 110 | _Out_ PHANDLE TransactionHandle, 111 | _In_ ACCESS_MASK DesiredAccess, 112 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 113 | _In_opt_ LPGUID Uow, 114 | _In_opt_ HANDLE TmHandle, 115 | _In_opt_ ULONG CreateOptions, 116 | _In_opt_ ULONG IsolationLevel, 117 | _In_opt_ ULONG IsolationFlags, 118 | _In_opt_ PLARGE_INTEGER Timeout, 119 | _In_opt_ PUNICODE_STRING Description 120 | ); 121 | #endif 122 | 123 | #if (PHNT_VERSION >= 
PHNT_WINDOWS_VISTA) 124 | NTSYSCALLAPI 125 | NTSTATUS 126 | NTAPI 127 | NtOpenTransaction( 128 | _Out_ PHANDLE TransactionHandle, 129 | _In_ ACCESS_MASK DesiredAccess, 130 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 131 | _In_ LPGUID Uow, 132 | _In_opt_ HANDLE TmHandle 133 | ); 134 | #endif 135 | 136 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 137 | NTSYSCALLAPI 138 | NTSTATUS 139 | NTAPI 140 | NtQueryInformationTransaction( 141 | _In_ HANDLE TransactionHandle, 142 | _In_ TRANSACTION_INFORMATION_CLASS TransactionInformationClass, 143 | _Out_writes_bytes_(TransactionInformationLength) PVOID TransactionInformation, 144 | _In_ ULONG TransactionInformationLength, 145 | _Out_opt_ PULONG ReturnLength 146 | ); 147 | #endif 148 | 149 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 150 | NTSYSCALLAPI 151 | NTSTATUS 152 | NTAPI 153 | NtSetInformationTransaction( 154 | _In_ HANDLE TransactionHandle, 155 | _In_ TRANSACTION_INFORMATION_CLASS TransactionInformationClass, 156 | _In_reads_bytes_(TransactionInformationLength) PVOID TransactionInformation, 157 | _In_ ULONG TransactionInformationLength 158 | ); 159 | #endif 160 | 161 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 162 | NTSYSCALLAPI 163 | NTSTATUS 164 | NTAPI 165 | NtCommitTransaction( 166 | _In_ HANDLE TransactionHandle, 167 | _In_ BOOLEAN Wait 168 | ); 169 | #endif 170 | 171 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 172 | NTSYSCALLAPI 173 | NTSTATUS 174 | NTAPI 175 | NtRollbackTransaction( 176 | _In_ HANDLE TransactionHandle, 177 | _In_ BOOLEAN Wait 178 | ); 179 | #endif 180 | 181 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 182 | NTSYSCALLAPI 183 | NTSTATUS 184 | NTAPI 185 | NtCreateEnlistment( 186 | _Out_ PHANDLE EnlistmentHandle, 187 | _In_ ACCESS_MASK DesiredAccess, 188 | _In_ HANDLE ResourceManagerHandle, 189 | _In_ HANDLE TransactionHandle, 190 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 191 | _In_opt_ ULONG CreateOptions, 192 | _In_ NOTIFICATION_MASK NotificationMask, 193 | _In_opt_ PVOID EnlistmentKey 194 | ); 
195 | #endif 196 | 197 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 198 | NTSYSCALLAPI 199 | NTSTATUS 200 | NTAPI 201 | NtOpenEnlistment( 202 | _Out_ PHANDLE EnlistmentHandle, 203 | _In_ ACCESS_MASK DesiredAccess, 204 | _In_ HANDLE ResourceManagerHandle, 205 | _In_ LPGUID EnlistmentGuid, 206 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes 207 | ); 208 | #endif 209 | 210 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 211 | NTSYSCALLAPI 212 | NTSTATUS 213 | NTAPI 214 | NtQueryInformationEnlistment( 215 | _In_ HANDLE EnlistmentHandle, 216 | _In_ ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, 217 | _Out_writes_bytes_(EnlistmentInformationLength) PVOID EnlistmentInformation, 218 | _In_ ULONG EnlistmentInformationLength, 219 | _Out_opt_ PULONG ReturnLength 220 | ); 221 | #endif 222 | 223 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 224 | NTSYSCALLAPI 225 | NTSTATUS 226 | NTAPI 227 | NtSetInformationEnlistment( 228 | _In_opt_ HANDLE EnlistmentHandle, 229 | _In_ ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, 230 | _In_reads_bytes_(EnlistmentInformationLength) PVOID EnlistmentInformation, 231 | _In_ ULONG EnlistmentInformationLength 232 | ); 233 | #endif 234 | 235 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 236 | NTSYSCALLAPI 237 | NTSTATUS 238 | NTAPI 239 | NtRecoverEnlistment( 240 | _In_ HANDLE EnlistmentHandle, 241 | _In_opt_ PVOID EnlistmentKey 242 | ); 243 | #endif 244 | 245 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 246 | NTSYSCALLAPI 247 | NTSTATUS 248 | NTAPI 249 | NtPrePrepareEnlistment( 250 | _In_ HANDLE EnlistmentHandle, 251 | _In_opt_ PLARGE_INTEGER TmVirtualClock 252 | ); 253 | #endif 254 | 255 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 256 | NTSYSCALLAPI 257 | NTSTATUS 258 | NTAPI 259 | NtPrepareEnlistment( 260 | _In_ HANDLE EnlistmentHandle, 261 | _In_opt_ PLARGE_INTEGER TmVirtualClock 262 | ); 263 | #endif 264 | 265 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 266 | NTSYSCALLAPI 267 | NTSTATUS 268 | NTAPI 269 | NtCommitEnlistment( 270 | _In_ HANDLE 
EnlistmentHandle, 271 | _In_opt_ PLARGE_INTEGER TmVirtualClock 272 | ); 273 | #endif 274 | 275 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 276 | NTSYSCALLAPI 277 | NTSTATUS 278 | NTAPI 279 | NtRollbackEnlistment( 280 | _In_ HANDLE EnlistmentHandle, 281 | _In_opt_ PLARGE_INTEGER TmVirtualClock 282 | ); 283 | #endif 284 | 285 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 286 | NTSYSCALLAPI 287 | NTSTATUS 288 | NTAPI 289 | NtPrePrepareComplete( 290 | _In_ HANDLE EnlistmentHandle, 291 | _In_opt_ PLARGE_INTEGER TmVirtualClock 292 | ); 293 | #endif 294 | 295 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 296 | NTSYSCALLAPI 297 | NTSTATUS 298 | NTAPI 299 | NtPrepareComplete( 300 | _In_ HANDLE EnlistmentHandle, 301 | _In_opt_ PLARGE_INTEGER TmVirtualClock 302 | ); 303 | #endif 304 | 305 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 306 | NTSYSCALLAPI 307 | NTSTATUS 308 | NTAPI 309 | NtCommitComplete( 310 | _In_ HANDLE EnlistmentHandle, 311 | _In_opt_ PLARGE_INTEGER TmVirtualClock 312 | ); 313 | #endif 314 | 315 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 316 | NTSYSCALLAPI 317 | NTSTATUS 318 | NTAPI 319 | NtReadOnlyEnlistment( 320 | _In_ HANDLE EnlistmentHandle, 321 | _In_opt_ PLARGE_INTEGER TmVirtualClock 322 | ); 323 | #endif 324 | 325 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 326 | NTSYSCALLAPI 327 | NTSTATUS 328 | NTAPI 329 | NtRollbackComplete( 330 | _In_ HANDLE EnlistmentHandle, 331 | _In_opt_ PLARGE_INTEGER TmVirtualClock 332 | ); 333 | #endif 334 | 335 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 336 | NTSYSCALLAPI 337 | NTSTATUS 338 | NTAPI 339 | NtSinglePhaseReject( 340 | _In_ HANDLE EnlistmentHandle, 341 | _In_opt_ PLARGE_INTEGER TmVirtualClock 342 | ); 343 | #endif 344 | 345 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 346 | NTSYSCALLAPI 347 | NTSTATUS 348 | NTAPI 349 | NtCreateResourceManager( 350 | _Out_ PHANDLE ResourceManagerHandle, 351 | _In_ ACCESS_MASK DesiredAccess, 352 | _In_ HANDLE TmHandle, 353 | _In_ LPGUID RmGuid, 354 | _In_opt_ POBJECT_ATTRIBUTES 
ObjectAttributes, 355 | _In_opt_ ULONG CreateOptions, 356 | _In_opt_ PUNICODE_STRING Description 357 | ); 358 | #endif 359 | 360 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 361 | NTSYSCALLAPI 362 | NTSTATUS 363 | NTAPI 364 | NtOpenResourceManager( 365 | _Out_ PHANDLE ResourceManagerHandle, 366 | _In_ ACCESS_MASK DesiredAccess, 367 | _In_ HANDLE TmHandle, 368 | _In_opt_ LPGUID ResourceManagerGuid, 369 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes 370 | ); 371 | #endif 372 | 373 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 374 | NTSYSCALLAPI 375 | NTSTATUS 376 | NTAPI 377 | NtRecoverResourceManager( 378 | _In_ HANDLE ResourceManagerHandle 379 | ); 380 | #endif 381 | 382 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 383 | NTSYSCALLAPI 384 | NTSTATUS 385 | NTAPI 386 | NtGetNotificationResourceManager( 387 | _In_ HANDLE ResourceManagerHandle, 388 | _Out_ PTRANSACTION_NOTIFICATION TransactionNotification, 389 | _In_ ULONG NotificationLength, 390 | _In_opt_ PLARGE_INTEGER Timeout, 391 | _Out_opt_ PULONG ReturnLength, 392 | _In_ ULONG Asynchronous, 393 | _In_opt_ ULONG_PTR AsynchronousContext 394 | ); 395 | #endif 396 | 397 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 398 | NTSYSCALLAPI 399 | NTSTATUS 400 | NTAPI 401 | NtQueryInformationResourceManager( 402 | _In_ HANDLE ResourceManagerHandle, 403 | _In_ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, 404 | _Out_writes_bytes_(ResourceManagerInformationLength) PVOID ResourceManagerInformation, 405 | _In_ ULONG ResourceManagerInformationLength, 406 | _Out_opt_ PULONG ReturnLength 407 | ); 408 | #endif 409 | 410 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 411 | NTSYSCALLAPI 412 | NTSTATUS 413 | NTAPI 414 | NtSetInformationResourceManager( 415 | _In_ HANDLE ResourceManagerHandle, 416 | _In_ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, 417 | _In_reads_bytes_(ResourceManagerInformationLength) PVOID ResourceManagerInformation, 418 | _In_ ULONG ResourceManagerInformationLength 419 | ); 420 | #endif 
#if (PHNT_VERSION >= PHNT_WINDOWS_VISTA)
// System call declaration, compiled in only when PHNT_VERSION targets Vista
// or later.
// NOTE(review): ProtocolInformation is a plain _In_ PVOID. Unlike the
// _In_reads_bytes_(...) annotations used on other buffers in this header, SAL
// does not tie it to ProtocolInformationSize here, so static analysis will
// not check the pairing. Presumably the size is the byte length of the
// buffer - confirm, and make sure callers pass a length that matches what
// they actually allocated.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtRegisterProtocolAddressInformation(
    _In_ HANDLE ResourceManager,
    _In_ PCRM_PROTOCOL_ID ProtocolId,
    _In_ ULONG ProtocolInformationSize,
    _In_ PVOID ProtocolInformation,
    _In_opt_ ULONG CreateOptions
    );
#endif

#if (PHNT_VERSION >= PHNT_WINDOWS_VISTA)
// System call declaration (Vista or later).
// NOTE(review): Buffer is a plain _In_ PVOID with no SAL link to
// BufferLength; the same caveat as for ProtocolInformation above applies.
// RequestCookie is presumably the value handed out with the matching
// propagation request - confirm.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtPropagationComplete(
    _In_ HANDLE ResourceManagerHandle,
    _In_ ULONG RequestCookie,
    _In_ ULONG BufferLength,
    _In_ PVOID Buffer
    );
#endif

#if (PHNT_VERSION >= PHNT_WINDOWS_VISTA)
// System call declaration (Vista or later). Takes the same handle/cookie
// pair as NtPropagationComplete plus an NTSTATUS supplied by the caller;
// presumably the failure reason - confirm.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtPropagationFailed(
    _In_ HANDLE ResourceManagerHandle,
    _In_ ULONG RequestCookie,
    _In_ NTSTATUS PropStatus
    );
#endif

#if (PHNT_VERSION >= PHNT_WINDOWS_VISTA)
// private
// Both timeouts are required (_In_, not _In_opt_) pointers to LARGE_INTEGER.
// The unit and sign convention of the values are not stated in this header.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtFreezeTransactions(
    _In_ PLARGE_INTEGER FreezeTimeout,
    _In_ PLARGE_INTEGER ThawTimeout
    );
#endif

#if (PHNT_VERSION >= PHNT_WINDOWS_VISTA)
// private
// Takes no parameters; by name the counterpart of NtFreezeTransactions.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtThawTransactions(
    VOID
    );
#endif

#endif // _NTTMAPI_H

--------------------------------------------------------------------------------
/nttp.h:
--------------------------------------------------------------------------------
/*
 * Thread Pool support functions
 *
 * This file is part of System Informer.
 */

#ifndef _NTTP_H
#define _NTTP_H

// Some types are already defined in winnt.h.
11 | 12 | typedef struct _TP_ALPC TP_ALPC, *PTP_ALPC; 13 | 14 | // private 15 | typedef VOID (NTAPI *PTP_ALPC_CALLBACK)( 16 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 17 | _Inout_opt_ PVOID Context, 18 | _In_ PTP_ALPC Alpc 19 | ); 20 | 21 | // rev 22 | typedef VOID (NTAPI *PTP_ALPC_CALLBACK_EX)( 23 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 24 | _Inout_opt_ PVOID Context, 25 | _In_ PTP_ALPC Alpc, 26 | _In_ PVOID ApcContext 27 | ); 28 | 29 | #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) 30 | 31 | // winbase:CreateThreadpool 32 | NTSYSAPI 33 | NTSTATUS 34 | NTAPI 35 | TpAllocPool( 36 | _Out_ PTP_POOL *PoolReturn, 37 | _Reserved_ PVOID Reserved 38 | ); 39 | 40 | // winbase:CloseThreadpool 41 | NTSYSAPI 42 | VOID 43 | NTAPI 44 | TpReleasePool( 45 | _Inout_ PTP_POOL Pool 46 | ); 47 | 48 | // winbase:SetThreadpoolThreadMaximum 49 | NTSYSAPI 50 | VOID 51 | NTAPI 52 | TpSetPoolMaxThreads( 53 | _Inout_ PTP_POOL Pool, 54 | _In_ ULONG MaxThreads 55 | ); 56 | 57 | // winbase:SetThreadpoolThreadMinimum 58 | NTSYSAPI 59 | NTSTATUS 60 | NTAPI 61 | TpSetPoolMinThreads( 62 | _Inout_ PTP_POOL Pool, 63 | _In_ ULONG MinThreads 64 | ); 65 | 66 | #if (PHNT_VERSION >= PHNT_WINDOWS_7) 67 | // winbase:QueryThreadpoolStackInformation 68 | NTSYSAPI 69 | NTSTATUS 70 | NTAPI 71 | TpQueryPoolStackInformation( 72 | _In_ PTP_POOL Pool, 73 | _Out_ PTP_POOL_STACK_INFORMATION PoolStackInformation 74 | ); 75 | 76 | // winbase:SetThreadpoolStackInformation 77 | NTSYSAPI 78 | NTSTATUS 79 | NTAPI 80 | TpSetPoolStackInformation( 81 | _Inout_ PTP_POOL Pool, 82 | _In_ PTP_POOL_STACK_INFORMATION PoolStackInformation 83 | ); 84 | 85 | // rev 86 | NTSYSAPI 87 | NTSTATUS 88 | NTAPI 89 | TpSetPoolThreadBasePriority( 90 | _Inout_ PTP_POOL Pool, 91 | _In_ ULONG BasePriority 92 | ); 93 | #endif 94 | 95 | // winbase:CreateThreadpoolCleanupGroup 96 | NTSYSAPI 97 | NTSTATUS 98 | NTAPI 99 | TpAllocCleanupGroup( 100 | _Out_ PTP_CLEANUP_GROUP *CleanupGroupReturn 101 | ); 102 | 103 | // winbase:CloseThreadpoolCleanupGroup 104 | 
NTSYSAPI 105 | VOID 106 | NTAPI 107 | TpReleaseCleanupGroup( 108 | _Inout_ PTP_CLEANUP_GROUP CleanupGroup 109 | ); 110 | 111 | // winbase:CloseThreadpoolCleanupGroupMembers 112 | NTSYSAPI 113 | VOID 114 | NTAPI 115 | TpReleaseCleanupGroupMembers( 116 | _Inout_ PTP_CLEANUP_GROUP CleanupGroup, 117 | _In_ LOGICAL CancelPendingCallbacks, 118 | _Inout_opt_ PVOID CleanupParameter 119 | ); 120 | 121 | // winbase:SetEventWhenCallbackReturns 122 | NTSYSAPI 123 | VOID 124 | NTAPI 125 | TpCallbackSetEventOnCompletion( 126 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 127 | _In_ HANDLE Event 128 | ); 129 | 130 | // winbase:ReleaseSemaphoreWhenCallbackReturns 131 | NTSYSAPI 132 | VOID 133 | NTAPI 134 | TpCallbackReleaseSemaphoreOnCompletion( 135 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 136 | _In_ HANDLE Semaphore, 137 | _In_ ULONG ReleaseCount 138 | ); 139 | 140 | // winbase:ReleaseMutexWhenCallbackReturns 141 | NTSYSAPI 142 | VOID 143 | NTAPI 144 | TpCallbackReleaseMutexOnCompletion( 145 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 146 | _In_ HANDLE Mutex 147 | ); 148 | 149 | // winbase:LeaveCriticalSectionWhenCallbackReturns 150 | NTSYSAPI 151 | VOID 152 | NTAPI 153 | TpCallbackLeaveCriticalSectionOnCompletion( 154 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 155 | _Inout_ PRTL_CRITICAL_SECTION CriticalSection 156 | ); 157 | 158 | // winbase:FreeLibraryWhenCallbackReturns 159 | NTSYSAPI 160 | VOID 161 | NTAPI 162 | TpCallbackUnloadDllOnCompletion( 163 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 164 | _In_ PVOID DllHandle 165 | ); 166 | 167 | // winbase:CallbackMayRunLong 168 | NTSYSAPI 169 | NTSTATUS 170 | NTAPI 171 | TpCallbackMayRunLong( 172 | _Inout_ PTP_CALLBACK_INSTANCE Instance 173 | ); 174 | 175 | // winbase:DisassociateCurrentThreadFromCallback 176 | NTSYSAPI 177 | VOID 178 | NTAPI 179 | TpDisassociateCallback( 180 | _Inout_ PTP_CALLBACK_INSTANCE Instance 181 | ); 182 | 183 | // winbase:TrySubmitThreadpoolCallback 184 | NTSYSAPI 185 | NTSTATUS 186 | NTAPI 187 | TpSimpleTryPost( 
188 | _In_ PTP_SIMPLE_CALLBACK Callback, 189 | _Inout_opt_ PVOID Context, 190 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 191 | ); 192 | 193 | // winbase:CreateThreadpoolWork 194 | NTSYSAPI 195 | NTSTATUS 196 | NTAPI 197 | TpAllocWork( 198 | _Out_ PTP_WORK *WorkReturn, 199 | _In_ PTP_WORK_CALLBACK Callback, 200 | _Inout_opt_ PVOID Context, 201 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 202 | ); 203 | 204 | // winbase:CloseThreadpoolWork 205 | NTSYSAPI 206 | VOID 207 | NTAPI 208 | TpReleaseWork( 209 | _Inout_ PTP_WORK Work 210 | ); 211 | 212 | // winbase:SubmitThreadpoolWork 213 | NTSYSAPI 214 | VOID 215 | NTAPI 216 | TpPostWork( 217 | _Inout_ PTP_WORK Work 218 | ); 219 | 220 | // winbase:WaitForThreadpoolWorkCallbacks 221 | NTSYSAPI 222 | VOID 223 | NTAPI 224 | TpWaitForWork( 225 | _Inout_ PTP_WORK Work, 226 | _In_ LOGICAL CancelPendingCallbacks 227 | ); 228 | 229 | // winbase:CreateThreadpoolTimer 230 | NTSYSAPI 231 | NTSTATUS 232 | NTAPI 233 | TpAllocTimer( 234 | _Out_ PTP_TIMER *Timer, 235 | _In_ PTP_TIMER_CALLBACK Callback, 236 | _Inout_opt_ PVOID Context, 237 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 238 | ); 239 | 240 | // winbase:CloseThreadpoolTimer 241 | NTSYSAPI 242 | VOID 243 | NTAPI 244 | TpReleaseTimer( 245 | _Inout_ PTP_TIMER Timer 246 | ); 247 | 248 | // winbase:SetThreadpoolTimer 249 | NTSYSAPI 250 | VOID 251 | NTAPI 252 | TpSetTimer( 253 | _Inout_ PTP_TIMER Timer, 254 | _In_opt_ PLARGE_INTEGER DueTime, 255 | _In_ ULONG Period, 256 | _In_opt_ ULONG WindowLength 257 | ); 258 | 259 | #if (PHNT_VERSION >= PHNT_WINDOWS_8) 260 | // winbase:SetThreadpoolTimerEx 261 | NTSYSAPI 262 | NTSTATUS 263 | NTAPI 264 | TpSetTimerEx( 265 | _Inout_ PTP_TIMER Timer, 266 | _In_opt_ PLARGE_INTEGER DueTime, 267 | _In_ ULONG Period, 268 | _In_opt_ ULONG WindowLength 269 | ); 270 | #endif 271 | 272 | // winbase:IsThreadpoolTimerSet 273 | NTSYSAPI 274 | LOGICAL 275 | NTAPI 276 | TpIsTimerSet( 277 | _In_ PTP_TIMER Timer 278 | ); 279 | 280 | // 
winbase:WaitForThreadpoolTimerCallbacks 281 | NTSYSAPI 282 | VOID 283 | NTAPI 284 | TpWaitForTimer( 285 | _Inout_ PTP_TIMER Timer, 286 | _In_ LOGICAL CancelPendingCallbacks 287 | ); 288 | 289 | // winbase:CreateThreadpoolWait 290 | NTSYSAPI 291 | NTSTATUS 292 | NTAPI 293 | TpAllocWait( 294 | _Out_ PTP_WAIT *WaitReturn, 295 | _In_ PTP_WAIT_CALLBACK Callback, 296 | _Inout_opt_ PVOID Context, 297 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 298 | ); 299 | 300 | // winbase:CloseThreadpoolWait 301 | NTSYSAPI 302 | VOID 303 | NTAPI 304 | TpReleaseWait( 305 | _Inout_ PTP_WAIT Wait 306 | ); 307 | 308 | // winbase:SetThreadpoolWait 309 | NTSYSAPI 310 | VOID 311 | NTAPI 312 | TpSetWait( 313 | _Inout_ PTP_WAIT Wait, 314 | _In_opt_ HANDLE Handle, 315 | _In_opt_ PLARGE_INTEGER Timeout 316 | ); 317 | 318 | #if (PHNT_VERSION >= PHNT_WINDOWS_8) 319 | // winbase:SetThreadpoolWaitEx 320 | NTSYSAPI 321 | NTSTATUS 322 | NTAPI 323 | TpSetWaitEx( 324 | _Inout_ PTP_WAIT Wait, 325 | _In_opt_ HANDLE Handle, 326 | _In_opt_ PLARGE_INTEGER Timeout, 327 | _In_opt_ PVOID Reserved 328 | ); 329 | #endif 330 | 331 | // winbase:WaitForThreadpoolWaitCallbacks 332 | NTSYSAPI 333 | VOID 334 | NTAPI 335 | TpWaitForWait( 336 | _Inout_ PTP_WAIT Wait, 337 | _In_ LOGICAL CancelPendingCallbacks 338 | ); 339 | 340 | // private 341 | typedef VOID (NTAPI *PTP_IO_CALLBACK)( 342 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 343 | _Inout_opt_ PVOID Context, 344 | _In_ PVOID ApcContext, 345 | _In_ PIO_STATUS_BLOCK IoSB, 346 | _In_ PTP_IO Io 347 | ); 348 | 349 | // winbase:CreateThreadpoolIo 350 | NTSYSAPI 351 | NTSTATUS 352 | NTAPI 353 | TpAllocIoCompletion( 354 | _Out_ PTP_IO *IoReturn, 355 | _In_ HANDLE File, 356 | _In_ PTP_IO_CALLBACK Callback, 357 | _Inout_opt_ PVOID Context, 358 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 359 | ); 360 | 361 | // winbase:CloseThreadpoolIo 362 | NTSYSAPI 363 | VOID 364 | NTAPI 365 | TpReleaseIoCompletion( 366 | _Inout_ PTP_IO Io 367 | ); 368 | 369 | // 
winbase:StartThreadpoolIo 370 | NTSYSAPI 371 | VOID 372 | NTAPI 373 | TpStartAsyncIoOperation( 374 | _Inout_ PTP_IO Io 375 | ); 376 | 377 | // winbase:CancelThreadpoolIo 378 | NTSYSAPI 379 | VOID 380 | NTAPI 381 | TpCancelAsyncIoOperation( 382 | _Inout_ PTP_IO Io 383 | ); 384 | 385 | // winbase:WaitForThreadpoolIoCallbacks 386 | NTSYSAPI 387 | VOID 388 | NTAPI 389 | TpWaitForIoCompletion( 390 | _Inout_ PTP_IO Io, 391 | _In_ LOGICAL CancelPendingCallbacks 392 | ); 393 | 394 | // private 395 | NTSYSAPI 396 | NTSTATUS 397 | NTAPI 398 | TpAllocAlpcCompletion( 399 | _Out_ PTP_ALPC *AlpcReturn, 400 | _In_ HANDLE AlpcPort, 401 | _In_ PTP_ALPC_CALLBACK Callback, 402 | _Inout_opt_ PVOID Context, 403 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 404 | ); 405 | 406 | #if (PHNT_VERSION >= PHNT_WINDOWS_7) 407 | // rev 408 | NTSYSAPI 409 | NTSTATUS 410 | NTAPI 411 | TpAllocAlpcCompletionEx( 412 | _Out_ PTP_ALPC *AlpcReturn, 413 | _In_ HANDLE AlpcPort, 414 | _In_ PTP_ALPC_CALLBACK_EX Callback, 415 | _Inout_opt_ PVOID Context, 416 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 417 | ); 418 | #endif 419 | 420 | // private 421 | NTSYSAPI 422 | VOID 423 | NTAPI 424 | TpReleaseAlpcCompletion( 425 | _Inout_ PTP_ALPC Alpc 426 | ); 427 | 428 | // private 429 | NTSYSAPI 430 | VOID 431 | NTAPI 432 | TpWaitForAlpcCompletion( 433 | _Inout_ PTP_ALPC Alpc 434 | ); 435 | 436 | // rev 437 | NTSYSAPI 438 | VOID 439 | NTAPI 440 | TpAlpcRegisterCompletionList( 441 | _Inout_ PTP_ALPC Alpc 442 | ); 443 | 444 | // rev 445 | NTSYSAPI 446 | VOID 447 | NTAPI 448 | TpAlpcUnregisterCompletionList( 449 | _Inout_ PTP_ALPC Alpc 450 | ); 451 | 452 | // private 453 | typedef enum _TP_TRACE_TYPE 454 | { 455 | TpTraceThreadPriority = 1, 456 | TpTraceThreadAffinity, 457 | MaxTpTraceType 458 | } TP_TRACE_TYPE; 459 | 460 | // private 461 | NTSYSAPI 462 | VOID 463 | NTAPI 464 | TpCaptureCaller( 465 | _In_ TP_TRACE_TYPE Type 466 | ); 467 | 468 | // private 469 | NTSYSAPI 470 | VOID 471 | NTAPI 472 | 
TpCheckTerminateWorker( 473 | _In_ HANDLE Thread 474 | ); 475 | 476 | #endif 477 | 478 | #endif 479 | -------------------------------------------------------------------------------- /ntwow64.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Windows on Windows support functions 3 | * 4 | * This file is part of System Informer. 5 | */ 6 | 7 | #ifndef _NTWOW64_H 8 | #define _NTWOW64_H 9 | 10 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 11 | #include 12 | #endif 13 | 14 | #define WOW64_SYSTEM_DIRECTORY "SysWOW64" 15 | #define WOW64_SYSTEM_DIRECTORY_U L"SysWOW64" 16 | #define WOW64_X86_TAG " (x86)" 17 | #define WOW64_X86_TAG_U L" (x86)" 18 | 19 | // In USER_SHARED_DATA 20 | typedef enum _WOW64_SHARED_INFORMATION 21 | { 22 | SharedNtdll32LdrInitializeThunk, 23 | SharedNtdll32KiUserExceptionDispatcher, 24 | SharedNtdll32KiUserApcDispatcher, 25 | SharedNtdll32KiUserCallbackDispatcher, 26 | SharedNtdll32ExpInterlockedPopEntrySListFault, 27 | SharedNtdll32ExpInterlockedPopEntrySListResume, 28 | SharedNtdll32ExpInterlockedPopEntrySListEnd, 29 | SharedNtdll32RtlUserThreadStart, 30 | SharedNtdll32pQueryProcessDebugInformationRemote, 31 | SharedNtdll32BaseAddress, 32 | SharedNtdll32LdrSystemDllInitBlock, 33 | Wow64SharedPageEntriesCount 34 | } WOW64_SHARED_INFORMATION; 35 | 36 | // 32-bit definitions 37 | 38 | #define WOW64_POINTER(Type) ULONG 39 | 40 | typedef struct _RTL_BALANCED_NODE32 41 | { 42 | union 43 | { 44 | WOW64_POINTER(struct _RTL_BALANCED_NODE *) Children[2]; 45 | struct 46 | { 47 | WOW64_POINTER(struct _RTL_BALANCED_NODE *) Left; 48 | WOW64_POINTER(struct _RTL_BALANCED_NODE *) Right; 49 | }; 50 | }; 51 | union 52 | { 53 | WOW64_POINTER(UCHAR) Red : 1; 54 | WOW64_POINTER(UCHAR) Balance : 2; 55 | WOW64_POINTER(ULONG_PTR) ParentValue; 56 | }; 57 | } RTL_BALANCED_NODE32, *PRTL_BALANCED_NODE32; 58 | 59 | typedef struct _RTL_RB_TREE32 60 | { 61 | WOW64_POINTER(PRTL_BALANCED_NODE) Root; 62 | WOW64_POINTER(PRTL_BALANCED_NODE) Min; 
63 | } RTL_RB_TREE32, *PRTL_RB_TREE32; 64 | 65 | typedef struct _PEB_LDR_DATA32 66 | { 67 | ULONG Length; 68 | BOOLEAN Initialized; 69 | WOW64_POINTER(HANDLE) SsHandle; 70 | LIST_ENTRY32 InLoadOrderModuleList; 71 | LIST_ENTRY32 InMemoryOrderModuleList; 72 | LIST_ENTRY32 InInitializationOrderModuleList; 73 | WOW64_POINTER(PVOID) EntryInProgress; 74 | BOOLEAN ShutdownInProgress; 75 | WOW64_POINTER(HANDLE) ShutdownThreadId; 76 | } PEB_LDR_DATA32, *PPEB_LDR_DATA32; 77 | 78 | typedef struct _LDR_SERVICE_TAG_RECORD32 79 | { 80 | WOW64_POINTER(struct _LDR_SERVICE_TAG_RECORD *) Next; 81 | ULONG ServiceTag; 82 | } LDR_SERVICE_TAG_RECORD32, *PLDR_SERVICE_TAG_RECORD32; 83 | 84 | typedef struct _LDRP_CSLIST32 85 | { 86 | WOW64_POINTER(PSINGLE_LIST_ENTRY) Tail; 87 | } LDRP_CSLIST32, *PLDRP_CSLIST32; 88 | 89 | typedef struct _LDR_DDAG_NODE32 90 | { 91 | LIST_ENTRY32 Modules; 92 | WOW64_POINTER(PLDR_SERVICE_TAG_RECORD) ServiceTagList; 93 | ULONG LoadCount; 94 | ULONG LoadWhileUnloadingCount; 95 | ULONG LowestLink; 96 | union 97 | { 98 | LDRP_CSLIST32 Dependencies; 99 | SINGLE_LIST_ENTRY32 RemovalLink; 100 | }; 101 | LDRP_CSLIST32 IncomingDependencies; 102 | LDR_DDAG_STATE State; 103 | SINGLE_LIST_ENTRY32 CondenseLink; 104 | ULONG PreorderNumber; 105 | } LDR_DDAG_NODE32, *PLDR_DDAG_NODE32; 106 | 107 | #define LDR_DATA_TABLE_ENTRY_SIZE_WINXP_32 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, DdagNode) 108 | #define LDR_DATA_TABLE_ENTRY_SIZE_WIN7_32 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, BaseNameHashValue) 109 | #define LDR_DATA_TABLE_ENTRY_SIZE_WIN8_32 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, ImplicitPathOptions) 110 | #define LDR_DATA_TABLE_ENTRY_SIZE_WIN10_32 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, SigningLevel) 111 | #define LDR_DATA_TABLE_ENTRY_SIZE_WIN11_32 sizeof(LDR_DATA_TABLE_ENTRY32) 112 | 113 | typedef struct _LDR_DATA_TABLE_ENTRY32 114 | { 115 | LIST_ENTRY32 InLoadOrderLinks; 116 | LIST_ENTRY32 InMemoryOrderLinks; 117 | union 118 | { 119 | LIST_ENTRY32 InInitializationOrderLinks; 120 | 
LIST_ENTRY32 InProgressLinks; 121 | }; 122 | WOW64_POINTER(PVOID) DllBase; 123 | WOW64_POINTER(PVOID) EntryPoint; 124 | ULONG SizeOfImage; 125 | UNICODE_STRING32 FullDllName; 126 | UNICODE_STRING32 BaseDllName; 127 | union 128 | { 129 | UCHAR FlagGroup[4]; 130 | ULONG Flags; 131 | struct 132 | { 133 | ULONG PackagedBinary : 1; 134 | ULONG MarkedForRemoval : 1; 135 | ULONG ImageDll : 1; 136 | ULONG LoadNotificationsSent : 1; 137 | ULONG TelemetryEntryProcessed : 1; 138 | ULONG ProcessStaticImport : 1; 139 | ULONG InLegacyLists : 1; 140 | ULONG InIndexes : 1; 141 | ULONG ShimDll : 1; 142 | ULONG InExceptionTable : 1; 143 | ULONG ReservedFlags1 : 2; 144 | ULONG LoadInProgress : 1; 145 | ULONG LoadConfigProcessed : 1; 146 | ULONG EntryProcessed : 1; 147 | ULONG ProtectDelayLoad : 1; 148 | ULONG ReservedFlags3 : 2; 149 | ULONG DontCallForThreads : 1; 150 | ULONG ProcessAttachCalled : 1; 151 | ULONG ProcessAttachFailed : 1; 152 | ULONG CorDeferredValidate : 1; 153 | ULONG CorImage : 1; 154 | ULONG DontRelocate : 1; 155 | ULONG CorILOnly : 1; 156 | ULONG ChpeImage : 1; 157 | ULONG ReservedFlags5 : 2; 158 | ULONG Redirected : 1; 159 | ULONG ReservedFlags6 : 2; 160 | ULONG CompatDatabaseProcessed : 1; 161 | }; 162 | }; 163 | USHORT ObsoleteLoadCount; 164 | USHORT TlsIndex; 165 | LIST_ENTRY32 HashLinks; 166 | ULONG TimeDateStamp; 167 | WOW64_POINTER(struct _ACTIVATION_CONTEXT *) EntryPointActivationContext; 168 | WOW64_POINTER(PVOID) Lock; 169 | WOW64_POINTER(PLDR_DDAG_NODE) DdagNode; 170 | LIST_ENTRY32 NodeModuleLink; 171 | WOW64_POINTER(struct _LDRP_LOAD_CONTEXT *) LoadContext; 172 | WOW64_POINTER(PVOID) ParentDllBase; 173 | WOW64_POINTER(PVOID) SwitchBackContext; 174 | RTL_BALANCED_NODE32 BaseAddressIndexNode; 175 | RTL_BALANCED_NODE32 MappingInfoIndexNode; 176 | WOW64_POINTER(ULONG_PTR) OriginalBase; 177 | LARGE_INTEGER LoadTime; 178 | ULONG BaseNameHashValue; 179 | LDR_DLL_LOAD_REASON LoadReason; 180 | ULONG ImplicitPathOptions; 181 | ULONG ReferenceCount; 182 | ULONG 
DependentLoadFlags; 183 | UCHAR SigningLevel; // since REDSTONE2 184 | ULONG CheckSum; // since 22H1 185 | WOW64_POINTER(PVOID) ActivePatchImageBase; 186 | LDR_HOT_PATCH_STATE HotPatchState; 187 | } LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32; 188 | 189 | typedef struct _CURDIR32 190 | { 191 | UNICODE_STRING32 DosPath; 192 | WOW64_POINTER(HANDLE) Handle; 193 | } CURDIR32, *PCURDIR32; 194 | 195 | typedef struct _RTL_DRIVE_LETTER_CURDIR32 196 | { 197 | USHORT Flags; 198 | USHORT Length; 199 | ULONG TimeStamp; 200 | STRING32 DosPath; 201 | } RTL_DRIVE_LETTER_CURDIR32, *PRTL_DRIVE_LETTER_CURDIR32; 202 | 203 | typedef struct _RTL_USER_PROCESS_PARAMETERS32 204 | { 205 | ULONG MaximumLength; 206 | ULONG Length; 207 | 208 | ULONG Flags; 209 | ULONG DebugFlags; 210 | 211 | WOW64_POINTER(HANDLE) ConsoleHandle; 212 | ULONG ConsoleFlags; 213 | WOW64_POINTER(HANDLE) StandardInput; 214 | WOW64_POINTER(HANDLE) StandardOutput; 215 | WOW64_POINTER(HANDLE) StandardError; 216 | 217 | CURDIR32 CurrentDirectory; 218 | UNICODE_STRING32 DllPath; 219 | UNICODE_STRING32 ImagePathName; 220 | UNICODE_STRING32 CommandLine; 221 | WOW64_POINTER(PVOID) Environment; 222 | 223 | ULONG StartingX; 224 | ULONG StartingY; 225 | ULONG CountX; 226 | ULONG CountY; 227 | ULONG CountCharsX; 228 | ULONG CountCharsY; 229 | ULONG FillAttribute; 230 | 231 | ULONG WindowFlags; 232 | ULONG ShowWindowFlags; 233 | UNICODE_STRING32 WindowTitle; 234 | UNICODE_STRING32 DesktopInfo; 235 | UNICODE_STRING32 ShellInfo; 236 | UNICODE_STRING32 RuntimeData; 237 | RTL_DRIVE_LETTER_CURDIR32 CurrentDirectories[RTL_MAX_DRIVE_LETTERS]; 238 | 239 | WOW64_POINTER(ULONG_PTR) EnvironmentSize; 240 | WOW64_POINTER(ULONG_PTR) EnvironmentVersion; 241 | WOW64_POINTER(PVOID) PackageDependencyData; 242 | ULONG ProcessGroupId; 243 | ULONG LoaderThreads; 244 | 245 | UNICODE_STRING32 RedirectionDllName; // REDSTONE4 246 | UNICODE_STRING32 HeapPartitionName; // 19H1 247 | WOW64_POINTER(ULONGLONG) DefaultThreadpoolCpuSetMasks; 248 | ULONG 
DefaultThreadpoolCpuSetMaskCount; 249 | ULONG DefaultThreadpoolThreadMaximum; 250 | } RTL_USER_PROCESS_PARAMETERS32, *PRTL_USER_PROCESS_PARAMETERS32; 251 | 252 | typedef struct _LEAP_SECOND_DATA *PLEAP_SECOND_DATA; 253 | 254 | typedef struct _PEB32 255 | { 256 | BOOLEAN InheritedAddressSpace; 257 | BOOLEAN ReadImageFileExecOptions; 258 | BOOLEAN BeingDebugged; 259 | union 260 | { 261 | BOOLEAN BitField; 262 | struct 263 | { 264 | BOOLEAN ImageUsesLargePages : 1; 265 | BOOLEAN IsProtectedProcess : 1; 266 | BOOLEAN IsImageDynamicallyRelocated : 1; 267 | BOOLEAN SkipPatchingUser32Forwarders : 1; 268 | BOOLEAN IsPackagedProcess : 1; 269 | BOOLEAN IsAppContainer : 1; 270 | BOOLEAN IsProtectedProcessLight : 1; 271 | BOOLEAN IsLongPathAwareProcess : 1; 272 | }; 273 | }; 274 | WOW64_POINTER(HANDLE) Mutant; 275 | 276 | WOW64_POINTER(PVOID) ImageBaseAddress; 277 | WOW64_POINTER(PPEB_LDR_DATA) Ldr; 278 | WOW64_POINTER(PRTL_USER_PROCESS_PARAMETERS) ProcessParameters; 279 | WOW64_POINTER(PVOID) SubSystemData; 280 | WOW64_POINTER(PVOID) ProcessHeap; 281 | WOW64_POINTER(PRTL_CRITICAL_SECTION) FastPebLock; 282 | WOW64_POINTER(PVOID) AtlThunkSListPtr; 283 | WOW64_POINTER(PVOID) IFEOKey; 284 | union 285 | { 286 | ULONG CrossProcessFlags; 287 | struct 288 | { 289 | ULONG ProcessInJob : 1; 290 | ULONG ProcessInitializing : 1; 291 | ULONG ProcessUsingVEH : 1; 292 | ULONG ProcessUsingVCH : 1; 293 | ULONG ProcessUsingFTH : 1; 294 | ULONG ReservedBits0 : 27; 295 | }; 296 | }; 297 | union 298 | { 299 | WOW64_POINTER(PVOID) KernelCallbackTable; 300 | WOW64_POINTER(PVOID) UserSharedInfoPtr; 301 | }; 302 | ULONG SystemReserved; 303 | ULONG AtlThunkSListPtr32; 304 | WOW64_POINTER(PVOID) ApiSetMap; 305 | ULONG TlsExpansionCounter; 306 | WOW64_POINTER(PVOID) TlsBitmap; 307 | ULONG TlsBitmapBits[2]; 308 | WOW64_POINTER(PVOID) ReadOnlySharedMemoryBase; 309 | WOW64_POINTER(PVOID) SharedData; 310 | WOW64_POINTER(PVOID *) ReadOnlyStaticServerData; 311 | WOW64_POINTER(PVOID) AnsiCodePageData; 312 | 
WOW64_POINTER(PVOID) OemCodePageData; 313 | WOW64_POINTER(PVOID) UnicodeCaseTableData; 314 | 315 | ULONG NumberOfProcessors; 316 | ULONG NtGlobalFlag; 317 | 318 | LARGE_INTEGER CriticalSectionTimeout; 319 | WOW64_POINTER(SIZE_T) HeapSegmentReserve; 320 | WOW64_POINTER(SIZE_T) HeapSegmentCommit; 321 | WOW64_POINTER(SIZE_T) HeapDeCommitTotalFreeThreshold; 322 | WOW64_POINTER(SIZE_T) HeapDeCommitFreeBlockThreshold; 323 | 324 | ULONG NumberOfHeaps; 325 | ULONG MaximumNumberOfHeaps; 326 | WOW64_POINTER(PVOID *) ProcessHeaps; 327 | 328 | WOW64_POINTER(PVOID) GdiSharedHandleTable; 329 | WOW64_POINTER(PVOID) ProcessStarterHelper; 330 | ULONG GdiDCAttributeList; 331 | 332 | WOW64_POINTER(PRTL_CRITICAL_SECTION) LoaderLock; 333 | 334 | ULONG OSMajorVersion; 335 | ULONG OSMinorVersion; 336 | USHORT OSBuildNumber; 337 | USHORT OSCSDVersion; 338 | ULONG OSPlatformId; 339 | ULONG ImageSubsystem; 340 | ULONG ImageSubsystemMajorVersion; 341 | ULONG ImageSubsystemMinorVersion; 342 | WOW64_POINTER(ULONG_PTR) ActiveProcessAffinityMask; 343 | GDI_HANDLE_BUFFER32 GdiHandleBuffer; 344 | WOW64_POINTER(PVOID) PostProcessInitRoutine; 345 | 346 | WOW64_POINTER(PVOID) TlsExpansionBitmap; 347 | ULONG TlsExpansionBitmapBits[32]; 348 | 349 | ULONG SessionId; 350 | 351 | ULARGE_INTEGER AppCompatFlags; 352 | ULARGE_INTEGER AppCompatFlagsUser; 353 | WOW64_POINTER(PVOID) pShimData; 354 | WOW64_POINTER(PVOID) AppCompatInfo; 355 | 356 | UNICODE_STRING32 CSDVersion; 357 | 358 | WOW64_POINTER(PACTIVATION_CONTEXT_DATA) ActivationContextData; 359 | WOW64_POINTER(PVOID) ProcessAssemblyStorageMap; 360 | WOW64_POINTER(PACTIVATION_CONTEXT_DATA) SystemDefaultActivationContextData; 361 | WOW64_POINTER(PVOID) SystemAssemblyStorageMap; 362 | 363 | WOW64_POINTER(SIZE_T) MinimumStackCommit; 364 | 365 | WOW64_POINTER(PVOID) SparePointers[2]; // 19H1 (previously FlsCallback to FlsHighIndex) 366 | WOW64_POINTER(PVOID) PatchLoaderData; 367 | WOW64_POINTER(PVOID) ChpeV2ProcessInfo; // _CHPEV2_PROCESS_INFO 368 | 369 | 
ULONG AppModelFeatureState; 370 | ULONG SpareUlongs[2]; 371 | 372 | USHORT ActiveCodePage; 373 | USHORT OemCodePage; 374 | USHORT UseCaseMapping; 375 | USHORT UnusedNlsField; 376 | 377 | WOW64_POINTER(PVOID) WerRegistrationData; 378 | WOW64_POINTER(PVOID) WerShipAssertPtr; 379 | 380 | union 381 | { 382 | WOW64_POINTER(PVOID) pContextData; // WIN7 383 | WOW64_POINTER(PVOID) pUnused; // WIN10 384 | WOW64_POINTER(PVOID) EcCodeBitMap; // WIN11 385 | }; 386 | 387 | WOW64_POINTER(PVOID) pImageHeaderHash; 388 | union 389 | { 390 | ULONG TracingFlags; 391 | struct 392 | { 393 | ULONG HeapTracingEnabled : 1; 394 | ULONG CritSecTracingEnabled : 1; 395 | ULONG LibLoaderTracingEnabled : 1; 396 | ULONG SpareTracingBits : 29; 397 | }; 398 | }; 399 | ULONGLONG CsrServerReadOnlySharedMemoryBase; 400 | WOW64_POINTER(PVOID) TppWorkerpListLock; 401 | LIST_ENTRY32 TppWorkerpList; 402 | WOW64_POINTER(PVOID) WaitOnAddressHashTable[128]; 403 | WOW64_POINTER(PVOID) TelemetryCoverageHeader; // REDSTONE3 404 | ULONG CloudFileFlags; 405 | ULONG CloudFileDiagFlags; // REDSTONE4 406 | CHAR PlaceholderCompatibilityMode; 407 | CHAR PlaceholderCompatibilityModeReserved[7]; 408 | WOW64_POINTER(PLEAP_SECOND_DATA) LeapSecondData; // REDSTONE5 409 | union 410 | { 411 | ULONG LeapSecondFlags; 412 | struct 413 | { 414 | ULONG SixtySecondEnabled : 1; 415 | ULONG Reserved : 31; 416 | }; 417 | }; 418 | ULONG NtGlobalFlag2; 419 | ULONGLONG ExtendedFeatureDisableMask; // since WIN11 420 | } PEB32, *PPEB32; 421 | 422 | //static_assert(sizeof(PEB32) == 0x460, "sizeof(PEB32) is incorrect"); // REDSTONE3 423 | //static_assert(sizeof(PEB32) == 0x470, "sizeof(PEB32) is incorrect"); // REDSTONE5 424 | static_assert(sizeof(PEB32) == 0x488, "sizeof(PEB32) is incorrect"); // WIN11 425 | 426 | // Note: Use PhGetProcessPeb32 instead. 
(dmex) 427 | //#define WOW64_GET_PEB32(peb64) \ 428 | // ((PPEB32)RtlOffsetToPointer((peb64), ALIGN_UP_BY(sizeof(PEB), PAGE_SIZE))) 429 | 430 | #define GDI_BATCH_BUFFER_SIZE 310 431 | 432 | typedef struct _GDI_TEB_BATCH32 433 | { 434 | ULONG Offset; 435 | WOW64_POINTER(ULONG_PTR) HDC; 436 | ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; 437 | } GDI_TEB_BATCH32, *PGDI_TEB_BATCH32; 438 | 439 | typedef struct _TEB32 440 | { 441 | NT_TIB32 NtTib; 442 | 443 | WOW64_POINTER(PVOID) EnvironmentPointer; 444 | CLIENT_ID32 ClientId; 445 | WOW64_POINTER(PVOID) ActiveRpcHandle; 446 | WOW64_POINTER(PVOID) ThreadLocalStoragePointer; 447 | WOW64_POINTER(PPEB) ProcessEnvironmentBlock; 448 | 449 | ULONG LastErrorValue; 450 | ULONG CountOfOwnedCriticalSections; 451 | WOW64_POINTER(PVOID) CsrClientThread; 452 | WOW64_POINTER(PVOID) Win32ThreadInfo; 453 | ULONG User32Reserved[26]; 454 | ULONG UserReserved[5]; 455 | WOW64_POINTER(PVOID) WOW32Reserved; 456 | LCID CurrentLocale; 457 | ULONG FpSoftwareStatusRegister; 458 | WOW64_POINTER(PVOID) ReservedForDebuggerInstrumentation[16]; 459 | WOW64_POINTER(PVOID) SystemReserved1[36]; 460 | UCHAR WorkingOnBehalfTicket[8]; 461 | NTSTATUS ExceptionCode; 462 | 463 | WOW64_POINTER(PVOID) ActivationContextStackPointer; 464 | WOW64_POINTER(ULONG_PTR) InstrumentationCallbackSp; 465 | WOW64_POINTER(ULONG_PTR) InstrumentationCallbackPreviousPc; 466 | WOW64_POINTER(ULONG_PTR) InstrumentationCallbackPreviousSp; 467 | BOOLEAN InstrumentationCallbackDisabled; 468 | UCHAR SpareBytes[23]; 469 | ULONG TxFsContext; 470 | 471 | GDI_TEB_BATCH32 GdiTebBatch; 472 | CLIENT_ID32 RealClientId; 473 | WOW64_POINTER(HANDLE) GdiCachedProcessHandle; 474 | ULONG GdiClientPID; 475 | ULONG GdiClientTID; 476 | WOW64_POINTER(PVOID) GdiThreadLocalInfo; 477 | WOW64_POINTER(ULONG_PTR) Win32ClientInfo[62]; 478 | WOW64_POINTER(PVOID) glDispatchTable[233]; 479 | WOW64_POINTER(ULONG_PTR) glReserved1[29]; 480 | WOW64_POINTER(PVOID) glReserved2; 481 | WOW64_POINTER(PVOID) glSectionInfo; 482 | 
WOW64_POINTER(PVOID) glSection; 483 | WOW64_POINTER(PVOID) glTable; 484 | WOW64_POINTER(PVOID) glCurrentRC; 485 | WOW64_POINTER(PVOID) glContext; 486 | 487 | NTSTATUS LastStatusValue; 488 | UNICODE_STRING32 StaticUnicodeString; 489 | WCHAR StaticUnicodeBuffer[261]; 490 | 491 | WOW64_POINTER(PVOID) DeallocationStack; 492 | WOW64_POINTER(PVOID) TlsSlots[64]; 493 | LIST_ENTRY32 TlsLinks; 494 | 495 | WOW64_POINTER(PVOID) Vdm; 496 | WOW64_POINTER(PVOID) ReservedForNtRpc; 497 | WOW64_POINTER(PVOID) DbgSsReserved[2]; 498 | 499 | ULONG HardErrorMode; 500 | WOW64_POINTER(PVOID) Instrumentation[9]; 501 | GUID ActivityId; 502 | 503 | WOW64_POINTER(PVOID) SubProcessTag; 504 | WOW64_POINTER(PVOID) PerflibData; 505 | WOW64_POINTER(PVOID) EtwTraceData; 506 | WOW64_POINTER(PVOID) WinSockData; 507 | ULONG GdiBatchCount; 508 | 509 | union 510 | { 511 | PROCESSOR_NUMBER CurrentIdealProcessor; 512 | ULONG IdealProcessorValue; 513 | struct 514 | { 515 | UCHAR ReservedPad0; 516 | UCHAR ReservedPad1; 517 | UCHAR ReservedPad2; 518 | UCHAR IdealProcessor; 519 | }; 520 | }; 521 | 522 | ULONG GuaranteedStackBytes; 523 | WOW64_POINTER(PVOID) ReservedForPerf; 524 | WOW64_POINTER(PVOID) ReservedForOle; 525 | ULONG WaitingOnLoaderLock; 526 | WOW64_POINTER(PVOID) SavedPriorityState; 527 | WOW64_POINTER(ULONG_PTR) ReservedForCodeCoverage; 528 | WOW64_POINTER(PVOID) ThreadPoolData; 529 | WOW64_POINTER(PVOID *) TlsExpansionSlots; 530 | 531 | ULONG MuiGeneration; 532 | ULONG IsImpersonating; 533 | WOW64_POINTER(PVOID) NlsCache; 534 | WOW64_POINTER(PVOID) pShimData; 535 | USHORT HeapVirtualAffinity; 536 | USHORT LowFragHeapDataSlot; 537 | WOW64_POINTER(HANDLE) CurrentTransactionHandle; 538 | WOW64_POINTER(PTEB_ACTIVE_FRAME) ActiveFrame; 539 | WOW64_POINTER(PVOID) FlsData; 540 | 541 | WOW64_POINTER(PVOID) PreferredLanguages; 542 | WOW64_POINTER(PVOID) UserPrefLanguages; 543 | WOW64_POINTER(PVOID) MergedPrefLanguages; 544 | ULONG MuiImpersonation; 545 | 546 | union 547 | { 548 | USHORT CrossTebFlags; 
549 | USHORT SpareCrossTebBits : 16; 550 | }; 551 | union 552 | { 553 | USHORT SameTebFlags; 554 | struct 555 | { 556 | USHORT SafeThunkCall : 1; 557 | USHORT InDebugPrint : 1; 558 | USHORT HasFiberData : 1; 559 | USHORT SkipThreadAttach : 1; 560 | USHORT WerInShipAssertCode : 1; 561 | USHORT RanProcessInit : 1; 562 | USHORT ClonedThread : 1; 563 | USHORT SuppressDebugMsg : 1; 564 | USHORT DisableUserStackWalk : 1; 565 | USHORT RtlExceptionAttached : 1; 566 | USHORT InitialThread : 1; 567 | USHORT SessionAware : 1; 568 | USHORT LoadOwner : 1; 569 | USHORT LoaderWorker : 1; 570 | USHORT SpareSameTebBits : 2; 571 | }; 572 | }; 573 | 574 | WOW64_POINTER(PVOID) TxnScopeEnterCallback; 575 | WOW64_POINTER(PVOID) TxnScopeExitCallback; 576 | WOW64_POINTER(PVOID) TxnScopeContext; 577 | ULONG LockCount; 578 | LONG WowTebOffset; 579 | WOW64_POINTER(PVOID) ResourceRetValue; 580 | WOW64_POINTER(PVOID) ReservedForWdf; 581 | ULONGLONG ReservedForCrt; 582 | GUID EffectiveContainerId; 583 | } TEB32, *PTEB32; 584 | 585 | static_assert(FIELD_OFFSET(TEB32, ProcessEnvironmentBlock) == 0x030, "FIELD_OFFSET(TEB32, ProcessEnvironmentBlock) is incorrect"); 586 | static_assert(FIELD_OFFSET(TEB32, ExceptionCode) == 0x1a4, "FIELD_OFFSET(TEB32, ExceptionCode) is incorrect"); 587 | static_assert(FIELD_OFFSET(TEB32, StaticUnicodeBuffer) == 0xc00, "FIELD_OFFSET(TEB32, StaticUnicodeBuffer) is incorrect"); 588 | static_assert(FIELD_OFFSET(TEB32, TlsLinks) == 0xf10, "FIELD_OFFSET(TEB32, TlsLinks) is incorrect"); 589 | static_assert(FIELD_OFFSET(TEB32, TlsExpansionSlots) == 0xf94, "FIELD_OFFSET(TEB32, TlsExpansionSlots) is incorrect"); 590 | static_assert(FIELD_OFFSET(TEB32, FlsData) == 0xfb4, "FIELD_OFFSET(TEB32, FlsData) is incorrect"); 591 | static_assert(FIELD_OFFSET(TEB32, MuiImpersonation) == 0xfc4, "FIELD_OFFSET(TEB32, MuiImpersonation) is incorrect"); 592 | static_assert(FIELD_OFFSET(TEB32, EffectiveContainerId) == 0xff0, "FIELD_OFFSET(TEB32, EffectiveContainerId) is incorrect"); 593 | 
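static_assert(sizeof(TEB32) == 0x1000, "sizeof(TEB32) is incorrect");

// Conversion
//
// Both helpers copy the three string fields verbatim. Neither checks that
// Length <= MaximumLength, and neither probes or dereferences Buffer.

// Widens a 32-bit UNICODE_STRING32 into a native UNICODE_STRING.
// Source->Buffer is a 32-bit value that UlongToPtr zero-extends into a pointer.
// NOTE(review): a UNICODE_STRING32 is typically read out of a 32-bit (WoW64)
// process - confirm against callers. In that case the resulting Buffer is an
// address in that process, not in the caller, and Length/MaximumLength are
// values that process controls. Validate the lengths and fetch the characters
// with a cross-process read before using Destination as a local string.
FORCEINLINE VOID UStr32ToUStr(
    _Out_ PUNICODE_STRING Destination,
    _In_ PUNICODE_STRING32 Source
    )
{
    Destination->Length = Source->Length;
    Destination->MaximumLength = Source->MaximumLength;
    Destination->Buffer = (PWCH)UlongToPtr(Source->Buffer);
}

// Narrows a native UNICODE_STRING into a 32-bit UNICODE_STRING32.
// PtrToUlong keeps only the low 32 bits of Source->Buffer, so the result is
// meaningful only when the buffer lies below 4 GB. The truncation is silent.
FORCEINLINE VOID UStrToUStr32(
    _Out_ PUNICODE_STRING32 Destination,
    _In_ PUNICODE_STRING Source
    )
{
    Destination->Length = Source->Length;
    Destination->MaximumLength = Source->MaximumLength;
    Destination->Buffer = PtrToUlong(Source->Buffer);
}

// The Wow64Info structure follows the PEB32/TEB32 structures and is shared between 32-bit and 64-bit modules inside a Wow64 process.
// from SDK/10.0.10240.0/um/minwin/wow64t.h (dmex)
//
// Page size on x86 NT
//
#define PAGE_SIZE_X86NT 0x1000
#define PAGE_SHIFT_X86NT 12L
#define WOW64_SPLITS_PER_PAGE (PAGE_SIZE_X86NT / PAGE_SIZE_X86NT)

//
// Convert the number of native pages to sub x86-pages
//
#define Wow64GetNumberOfX86Pages(NativePages) \
    ((NativePages) * (PAGE_SIZE_X86NT >> PAGE_SHIFT_X86NT))

//
// Macro to round a size up to the next multiple of the x86 page size
//
#define WOW64_ROUND_TO_PAGES(Size) \
    (((ULONG_PTR)(Size) + PAGE_SIZE_X86NT - 1) & ~(PAGE_SIZE_X86NT - 1))

//
// Get the number of x86 pages needed to hold Size bytes (rounded up).
// The shift count is PAGE_SHIFT_X86NT. The previous text shifted by the
// function-like macro name WOW64_ROUND_TO_PAGES, which does not expand without
// an argument list and so left an undeclared identifier at every use.
// Size is cast to ULONG first, so values above 4 GB are truncated.
//
#define WOW64_BYTES_TO_PAGES(Size) \
    (((ULONG)(Size) >> PAGE_SHIFT_X86NT) + (((ULONG)(Size) & (PAGE_SIZE_X86NT - 1)) != 0))

//
// Get the 32-bit TEB without doing a memory reference.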
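//
// WOW64_GET_TEB32 is address arithmetic only: it adds the page-rounded size of
// the native TEB to teb64 and validates nothing.
// NOTE(review): if teb64 came from another process, the result is an address in
// that process and must be read with a cross-process read - confirm at call sites.
#define WOW64_GET_TEB32(teb64) ((PTEB32)(((ULONG_PTR)(teb64)) + ((ULONG_PTR)WOW64_ROUND_TO_PAGES(sizeof(TEB)))))
#define WOW64_TEB32_POINTER_ADDRESS(teb64) ((PVOID)&(((PTEB)(teb64))->NtTib.ExceptionList))

//
// Get the 32-bit execute options.
//
typedef union _WOW64_EXECUTE_OPTIONS
{
    ULONG Flags;
    struct
    {
        ULONG StackReserveSize : 8;
        ULONG StackCommitSize : 4;
        ULONG Deprecated0 : 1;
        ULONG DisableWowAssert : 1;
        ULONG DisableTurboDispatch : 1;
        ULONG Unused : 13;
        ULONG Reserved0 : 1;
        ULONG Reserved1 : 1;
        ULONG Reserved2 : 1;
        ULONG Reserved3 : 1;
    };
} WOW64_EXECUTE_OPTIONS, *PWOW64_EXECUTE_OPTIONS;

#define WOW64_CPUFLAGS_MSFT64 0x00000001
#define WOW64_CPUFLAGS_SOFTWARE 0x00000002
#define WOW64_CPUFLAGS_IA64 0x00000004

typedef struct _WOW64INFO
{
    ULONG NativeSystemPageSize;
    ULONG CpuFlags;
    WOW64_EXECUTE_OPTIONS Wow64ExecuteFlags;
    ULONG InstrumentationCallback;
} WOW64INFO, *PWOW64INFO;

typedef struct _PEB32_WITH_WOW64INFO
{
    PEB32 Peb32;
    WOW64INFO Wow64Info;
} PEB32_WITH_WOW64INFO, *PPEB32_WITH_WOW64INFO;

#if (PHNT_MODE != PHNT_MODE_KERNEL)
#ifdef _M_X64

// Returns the 32-bit ("guest") TEB of the current thread, chosen by the sign of
// Teb->WowTebOffset:
//   == 0  returns NULL (no guest TEB),
//   <  0  returns the current TEB itself, reinterpreted as TEB32,
//   >  0  returns the current TEB plus WowTebOffset bytes.
// Callers must handle the NULL result.
FORCEINLINE
TEB32*
POINTER_UNSIGNED
Wow64CurrentGuestTeb(
    VOID
    )
{
    TEB* POINTER_UNSIGNED Teb;
    TEB32* POINTER_UNSIGNED Teb32;

    Teb = NtCurrentTeb();

    if (Teb->WowTebOffset == 0)
    {
        //
        // Not running under or over WoW, so there is no "guest teb"
        //

        return NULL;
    }

    if (Teb->WowTebOffset < 0)
    {
        //
        // Was called while running under WoW. The current teb is the guest teb.
        //

        Teb32 = (PTEB32)Teb;

#if defined(RTL_ASSERT)
        RTL_ASSERT(&Teb32->WowTebOffset == &Teb->WowTebOffset);
#endif
    }
    else
    {
        //
        // Called by the WoW Host, so calculate the position of the guest teb
        // relative to the current (host) teb.
        //

        Teb32 = (PTEB32)RtlOffsetToPointer(Teb, Teb->WowTebOffset);
    }

#if defined(RTL_ASSERT)
    // Sanity check: a TEB32 stores its own (32-bit) address in NtTib.Self.
    RTL_ASSERT(Teb32->NtTib.Self == PtrToUlong(Teb32));
#endif

    return Teb32;
}

// Returns the native ("host") TEB of the current thread: the current TEB when
// WowTebOffset >= 0, otherwise the current TEB plus the (negative) WowTebOffset.
// This function never returns NULL.
FORCEINLINE
VOID*
POINTER_UNSIGNED
Wow64CurrentNativeTeb(
    VOID
    )
{
    TEB* POINTER_UNSIGNED Teb;
    VOID* POINTER_UNSIGNED HostTeb;

    Teb = NtCurrentTeb();

    if (Teb->WowTebOffset >= 0)
    {
        //
        // Not running under WoW, so it is either not running on WoW at all, or
        // it is the host. Return the current teb as native teb.
        //

        HostTeb = (PVOID)Teb;
    }
    else
    {
        //
        // Called while running under WoW Host, so calculate the position of the
        // host teb relative to the current (guest) teb.
        //

        HostTeb = (PVOID)RtlOffsetToPointer(Teb, Teb->WowTebOffset);
    }

#if defined(RTL_ASSERT)
    RTL_ASSERT((((PTEB32)HostTeb)->NtTib.Self == PtrToUlong(HostTeb)) || ((ULONG_PTR)((PTEB)HostTeb)->NtTib.Self == (ULONG_PTR)HostTeb));
#endif

    return HostTeb;
}

#define NtCurrentTeb32() (Wow64CurrentGuestTeb())
// NtCurrentPeb32 dereferences NtCurrentTeb32() without a NULL check, and
// Wow64CurrentGuestTeb returns NULL when WowTebOffset is 0. Check
// NtCurrentTeb32() != NULL before using this macro.
#define NtCurrentPeb32() ((PPEB32)(UlongToPtr((NtCurrentTeb32()->ProcessEnvironmentBlock))))

// Field access through either TEB layout, selected by whether the low 32 bits of
// teb equal the TEB32 self pointer. The member is written as `->field`; the
// earlier `->##field` pasted "->" onto an identifier, which does not form a valid
// preprocessing token and is rejected by conforming preprocessors.
// Both macros evaluate `teb` more than once, so pass an expression without side effects.
#define Wow64GetNativeTebField(teb, field) (((ULONG)(teb) == ((PTEB32)(teb))->NtTib.Self) ? (((PTEB32)(teb))->field) : (((PTEB)(teb))->field) )
#define Wow64SetNativeTebField(teb, field, value) { if ((ULONG)(teb) == ((PTEB32)(teb))->NtTib.Self) {(((PTEB32)(teb))->field) = (value);} else {(((PTEB)(teb))->field) = (value);} }

#endif // _M_X64
#endif // (PHNT_MODE != PHNT_MODE_KERNEL)

#endif

--------------------------------------------------------------------------------
/ntxcapi.h:
--------------------------------------------------------------------------------
/*
 * Exception support functions
 *
 * This file is part of System Informer.
 */

#ifndef _NTXCAPI_H
#define _NTXCAPI_H

NTSYSAPI
BOOLEAN
NTAPI
RtlDispatchException(
    _In_ PEXCEPTION_RECORD ExceptionRecord,
    _In_ PCONTEXT ContextRecord
    );

_Analysis_noreturn_
NTSYSAPI
DECLSPEC_NORETURN
VOID
NTAPI
RtlRaiseStatus(
    _In_ NTSTATUS Status
    );

NTSYSAPI
VOID
NTAPI
RtlRaiseException(
    _In_ PEXCEPTION_RECORD ExceptionRecord
    );

#if (PHNT_VERSION >= PHNT_WINDOWS_10_20H1)
// rev
NTSYSAPI
VOID
NTAPI
RtlRaiseExceptionForReturnAddressHijack(
    VOID
    );

// rev
_Analysis_noreturn_
NTSYSAPI
DECLSPEC_NORETURN
VOID
NTAPI
RtlRaiseNoncontinuableException(
    _In_ PEXCEPTION_RECORD ExceptionRecord,
    _In_ PCONTEXT ContextRecord
    );
#endif // PHNT_VERSION >= PHNT_WINDOWS_10_20H1

NTSYSCALLAPI
NTSTATUS
NTAPI
NtContinue(
    _In_ PCONTEXT ContextRecord,
    _In_ BOOLEAN TestAlert
    );

#if (PHNT_VERSION >= PHNT_WINDOWS_10)
typedef enum _KCONTINUE_TYPE
{
    KCONTINUE_UNWIND,
    KCONTINUE_RESUME,
    KCONTINUE_LONGJUMP,
    KCONTINUE_SET,
    KCONTINUE_LAST,
} KCONTINUE_TYPE;

typedef struct _KCONTINUE_ARGUMENT
{
    KCONTINUE_TYPE ContinueType;
    ULONG ContinueFlags;
    ULONGLONG Reserved[2];
} KCONTINUE_ARGUMENT, *PKCONTINUE_ARGUMENT;

#define KCONTINUE_FLAG_TEST_ALERT 0x00000001 // wbenny
#define KCONTINUE_FLAG_DELIVER_APC 0x00000002 // wbenny

// ContinueArgument is declared PVOID because two encodings are accepted (see the
// parameter comment), so the compiler cannot type-check what is passed here.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtContinueEx(
    _In_ PCONTEXT ContextRecord,
    _In_ PVOID ContinueArgument // PKCONTINUE_ARGUMENT and BOOLEAN are valid
    );

//FORCEINLINE
//NTSTATUS
//NtContinue(
//    _In_ PCONTEXT ContextRecord,
//    _In_ BOOLEAN TestAlert
//    )
//{
//    return NtContinueEx(ContextRecord, (PKCONTINUE_ARGUMENT)TestAlert);
//}
#endif // PHNT_VERSION >= PHNT_WINDOWS_10

NTSYSCALLAPI
NTSTATUS
NTAPI
NtRaiseException(
    _In_ PEXCEPTION_RECORD ExceptionRecord,
    _In_ PCONTEXT ContextRecord,
    _In_ BOOLEAN FirstChance
    );

_Analysis_noreturn_
NTSYSAPI
DECLSPEC_NORETURN
VOID
NTAPI
RtlAssert(
    _In_ PVOID VoidFailedAssertion,
    _In_ PVOID VoidFileName,
    _In_ ULONG LineNumber,
    _In_opt_ PSTR MutableMessage
    );

// Assertion helpers. Each evaluates to TRUE when the expression holds.
// RTL_ASSERT* call RtlAssert on failure, RTL_SOFT_ASSERT* only print via DbgPrint
// and evaluate to FALSE. The asserted expression is always evaluated, so it
// must not carry side effects the program depends on.
#define RTL_ASSERT(exp) \
    ((!(exp)) ? (RtlAssert((PVOID)#exp, (PVOID)__FILE__, __LINE__, NULL), FALSE) : TRUE)
// msg is parenthesized so that an expression argument cannot change how the
// call's argument list is parsed (matches RTL_SOFT_ASSERTMSG below).
#define RTL_ASSERTMSG(msg, exp) \
    ((!(exp)) ? (RtlAssert((PVOID)#exp, (PVOID)__FILE__, __LINE__, (msg)), FALSE) : TRUE)
#define RTL_SOFT_ASSERT(_exp) \
    ((!(_exp)) ? (DbgPrint("%s(%d): Soft assertion failed\n Expression: %s\n", __FILE__, __LINE__, #_exp), FALSE) : TRUE)
#define RTL_SOFT_ASSERTMSG(_msg, _exp) \
    ((!(_exp)) ? (DbgPrint("%s(%d): Soft assertion failed\n Expression: %s\n Message: %s\n", __FILE__, __LINE__, #_exp, (_msg)), FALSE) : TRUE)

#endif

--------------------------------------------------------------------------------
/phnt.h:
--------------------------------------------------------------------------------
/*
 * NT Header annotations
 *
 * This file is part of System Informer.
 */

#ifndef _PHNT_H
#define _PHNT_H

// This header file provides access to NT APIs.

// Definitions are annotated to indicate their source. If a definition is not annotated, it has been
// retrieved from an official Microsoft source (NT headers, DDK headers, winnt.h).

// * "winbase" indicates that a definition has been reconstructed from a Win32-ized NT definition in
// winbase.h.
// * "rev" indicates that a definition has been reverse-engineered.
// * "dbg" indicates that a definition has been obtained from a debug message or assertion in a
// checked build of the kernel or file.

// Reliability:
// 1. No annotation.
// 2. dbg.
// 3. symbols, private. Types may be incorrect.
// 4. winbase. Names and types may be incorrect.
// 5. rev.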
27 | 28 | // Mode 29 | #define PHNT_MODE_KERNEL 0 30 | #define PHNT_MODE_USER 1 31 | 32 | // Version 33 | #define PHNT_WINDOWS_ANCIENT 0 34 | #define PHNT_WINDOWS_XP 51 // August, 2001 35 | #define PHNT_WINDOWS_SERVER_2003 52 // April, 2003 36 | #define PHNT_WINDOWS_VISTA 60 // November, 2006 37 | #define PHNT_WINDOWS_7 61 // July, 2009 38 | #define PHNT_WINDOWS_8 62 // August, 2012 39 | #define PHNT_WINDOWS_8_1 63 // August, 2013 40 | #define PHNT_WINDOWS_10 100 // July, 2015 // Version 1507, Build 10240 41 | #define PHNT_WINDOWS_10_TH2 101 // November, 2015 // Version 1511, Build 10586 42 | #define PHNT_WINDOWS_10_RS1 102 // August, 2016 // Version 1607, Build 14393 43 | #define PHNT_WINDOWS_10_RS2 103 // April, 2017 // Version 1703, Build 15063 44 | #define PHNT_WINDOWS_10_RS3 104 // October, 2017 // Version 1709, Build 16299 45 | #define PHNT_WINDOWS_10_RS4 105 // April, 2018 // Version 1803, Build 17134 46 | #define PHNT_WINDOWS_10_RS5 106 // November, 2018 // Version 1809, Build 17763 47 | #define PHNT_WINDOWS_10_19H1 107 // May, 2019 // Version 1903, Build 18362 48 | #define PHNT_WINDOWS_10_19H2 108 // November, 2019 // Version 1909, Build 18363 49 | #define PHNT_WINDOWS_10_20H1 109 // May, 2020 // Version 2004, Build 19041 50 | #define PHNT_WINDOWS_10_20H2 110 // October, 2020 // Build 19042 51 | #define PHNT_WINDOWS_10_21H1 111 // May, 2021 // Build 19043 52 | #define PHNT_WINDOWS_10_21H2 112 // November, 2021 // Build 19044 53 | #define PHNT_WINDOWS_10_22H2 113 // October, 2022 // Build 19045 54 | #define PHNT_WINDOWS_11 114 // October, 2021 // Build 22000 55 | #define PHNT_WINDOWS_11_22H2 115 // September, 2022 // Build 22621 56 | #define PHNT_WINDOWS_11_23H2 116 // October, 2023 // Build 22631 57 | #define PHNT_WINDOWS_11_24H2 117 // October, 2024 // Build 26100 58 | #define PHNT_WINDOWS_NEW ULONG_MAX 59 | 60 | #ifndef PHNT_MODE 61 | #define PHNT_MODE PHNT_MODE_USER 62 | #endif 63 | 64 | #ifndef PHNT_VERSION 65 | #define PHNT_VERSION PHNT_WINDOWS_NEW 66 
| #endif 67 | 68 | // 69 | // Options 70 | // 71 | 72 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 73 | //#ifndef PHNT_NO_INLINE_INIT_STRING 74 | //#define PHNT_NO_INLINE_INIT_STRING 75 | //#endif // !PHNT_NO_INLINE_INIT_STRING 76 | #ifndef PHNT_INLINE_TYPEDEFS 77 | #define PHNT_INLINE_TYPEDEFS 78 | #endif // !PHNT_INLINE_TYPEDEFS 79 | #endif // (PHNT_MODE != PHNT_MODE_KERNEL) 80 | 81 | EXTERN_C_START 82 | 83 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 84 | #include 85 | #include 86 | #endif // (PHNT_MODE != PHNT_MODE_KERNEL) 87 | 88 | #include 89 | #include 90 | #include 91 | 92 | #include 93 | #include 94 | #include 95 | #include 96 | 97 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 98 | #include 99 | #include 100 | #include 101 | #include 102 | #include 103 | #include 104 | #include 105 | #include 106 | #include 107 | #include 108 | #include 109 | #include 110 | #include 111 | #include 112 | #include 113 | #include 114 | #include 115 | #include 116 | #include 117 | #include 118 | #endif // (PHNT_MODE != PHNT_MODE_KERNEL) 119 | 120 | EXTERN_C_END 121 | 122 | static_assert(__alignof(LARGE_INTEGER) == 8, "Windows headers require the default packing option. Changing the packing can lead to memory corruption."); 123 | static_assert(__alignof(PROCESS_CYCLE_TIME_INFORMATION) == 8, "PHNT headers require the default packing option. Changing the packing can lead to memory corruption."); 124 | 125 | #endif 126 | -------------------------------------------------------------------------------- /phnt_ntdef.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Native definition support 3 | * 4 | * This file is part of System Informer. 5 | */ 6 | 7 | #ifndef _PHNT_NTDEF_H 8 | #define _PHNT_NTDEF_H 9 | 10 | #ifndef _NTDEF_ 11 | #define _NTDEF_ 12 | 13 | // This header file provides basic NT types not included in Win32. If you have included winnt.h 14 | // (perhaps indirectly), you must use this file instead of ntdef.h. 
#ifndef NOTHING
// NOTHING expands to an empty token sequence.
#define NOTHING
#endif

//
// Basic types
//

// QUAD overlays a 64-bit integer and a double in one anonymous union. The field
// names state the intended use: copy through UseThisFieldToCopy and leave
// DoNotUseThisField alone.
typedef struct _QUAD
{
    union
    {
        __int64 UseThisFieldToCopy;
        double DoNotUseThisField;
    };
} QUAD, *PQUAD;

// This isn't in NT, but it's useful.
// Two pointer-sized fields, aligned to MEMORY_ALLOCATION_ALIGNMENT.
typedef struct DECLSPEC_ALIGN(MEMORY_ALLOCATION_ALIGNMENT) _QUAD_PTR
{
    ULONG_PTR DoNotUseThisField1;
    ULONG_PTR DoNotUseThisField2;
} QUAD_PTR, *PQUAD_PTR;

typedef ULONG LOGICAL;
typedef ULONG *PLOGICAL;

// NTSTATUS is a signed LONG. The SAL annotation marks non-negative values as
// success, which is the same test NT_SUCCESS performs further down.
typedef _Return_type_success_(return >= 0) LONG NTSTATUS;
typedef NTSTATUS *PNTSTATUS;

//
// Cardinal types
//

typedef char CCHAR;
typedef short CSHORT;
typedef ULONG CLONG;

typedef CCHAR *PCCHAR;
typedef CSHORT *PCSHORT;
typedef CLONG *PCLONG;

typedef PCSTR PCSZ;

typedef PVOID* PPVOID;
typedef CONST VOID *PCVOID;

//
// Specific
//

typedef UCHAR KIRQL, *PKIRQL;
typedef LONG KPRIORITY, *PKPRIORITY;
typedef USHORT RTL_ATOM, *PRTL_ATOM;

typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS;

// 128-bit values stored as two 64-bit halves (signed and unsigned variants).
typedef struct _LARGE_INTEGER_128
{
    LONGLONG QuadPart[2];
} LARGE_INTEGER_128, *PLARGE_INTEGER_128;

typedef struct _ULARGE_INTEGER_128
{
    ULONGLONG QuadPart[2];
} ULARGE_INTEGER_128, *PULARGE_INTEGER_128;

//
// Limits
//
// NOTE(review): MINCHAR, MINSHORT and MINLONG are written as positive
// hexadecimal literals. Used as plain integer constants they evaluate to 128,
// 32768 and 2147483648 rather than to negative minimums, so convert them to the
// matching signed type before using them in a range check.
//

#define MINCHAR 0x80 // winnt
#define MAXCHAR 0x7f // winnt
#define MINSHORT 0x8000 // winnt
#define MAXSHORT 0x7fff // winnt
#define MINLONG 0x80000000 // winnt
#define MAXLONG 0x7fffffff // winnt
#define MAXUCHAR 0xff // winnt
#define MAXUSHORT 0xffff // winnt
#define MAXULONG 0xffffffff // winnt

//
// NT status macros
//
// The macros below read the top two bits of the status (shift by 30) as a
// severity: 1 is informational, 2 is a warning, 3 is an error. NT_SUCCESS only
// tests the sign bit, so it accepts severities 0 and 1 and rejects 2 and 3.
// Because informational statuses pass NT_SUCCESS, a caller that needs one
// specific status should compare against that value instead of relying on
// NT_SUCCESS alone.
//
// The severity, customer and facility macros cast to ULONG before shifting so
// the right shift does not sign-extend.
//

#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#define NT_INFORMATION(Status) ((((ULONG)(Status)) >> 30) == 1)
#define NT_WARNING(Status) ((((ULONG)(Status)) >> 30) == 2)
#define NT_ERROR(Status) ((((ULONG)(Status)) >> 30) == 3)

// Bit 29 of the status.
#define NT_CUSTOMER_SHIFT 29
#define NT_CUSTOMER(Status) ((((ULONG)(Status)) >> NT_CUSTOMER_SHIFT) & 1)

// Twelve bits starting at bit 16.
#define NT_FACILITY_MASK 0xfff
#define NT_FACILITY_SHIFT 16
#define NT_FACILITY(Status) ((((ULONG)(Status)) >> NT_FACILITY_SHIFT) & NT_FACILITY_MASK)

// FACILITY_NTWIN32 is not defined in this header; it has to come from another one.
// WIN32_FROM_NTSTATUS returns the low 16 bits unconditionally and does not check
// the facility itself, so test NT_NTWIN32 first; otherwise an unrelated status
// is silently reinterpreted as a Win32 error code.
#define NT_NTWIN32(Status) (NT_FACILITY(Status) == FACILITY_NTWIN32)
#define WIN32_FROM_NTSTATUS(Status) (((ULONG)(Status)) & 0xffff)

//
// Functions
//

// FASTCALL is empty on _WIN64 builds and __fastcall otherwise.
#if defined(_WIN64)
#define FASTCALL
#else
#define FASTCALL __fastcall
#endif

// POINTER_ALIGNMENT forces 8-byte alignment on _WIN64 and is empty otherwise.
#if defined(_WIN64)
#define POINTER_ALIGNMENT DECLSPEC_ALIGN(8)
#else
#define POINTER_ALIGNMENT
#endif

#if defined(_WIN64) || defined(_M_ALPHA)
#define MAX_NATURAL_ALIGNMENT sizeof(ULONGLONG)
#define MEMORY_ALLOCATION_ALIGNMENT 16
#else
#define MAX_NATURAL_ALIGNMENT sizeof(DWORD)
#define MEMORY_ALLOCATION_ALIGNMENT 8
#endif

// The DECLSPEC_* fallbacks below apply only when no earlier header defined them.
#ifndef DECLSPEC_NOALIAS
#if _MSC_VER < 1900
#define DECLSPEC_NOALIAS
#else
#define DECLSPEC_NOALIAS __declspec(noalias)
#endif
#endif

#ifndef DECLSPEC_IMPORT
#define DECLSPEC_IMPORT __declspec(dllimport)
#endif

#ifndef DECLSPEC_EXPORT
#define DECLSPEC_EXPORT __declspec(dllexport)
#endif

//
// Synchronization enumerations
//
// Enumerator values are implicit: they start at 0 and follow declaration order.
//

typedef enum _EVENT_TYPE
{
    NotificationEvent,
    SynchronizationEvent
} EVENT_TYPE;

typedef enum _TIMER_TYPE
{
    NotificationTimer,
    SynchronizationTimer
} TIMER_TYPE;

typedef enum _WAIT_TYPE
{
    WaitAll,
    WaitAny,
    WaitNotification,
    WaitDequeue,
    WaitDpc,
} WAIT_TYPE;
//
// Strings
//
// Counted strings. Per the SAL annotation on Buffer, Length and MaximumLength
// are byte counts (not character counts): Buffer holds MaximumLength bytes of
// which the first Length are valid, and Buffer may be NULL. Nothing in these
// definitions promises a terminating NUL, so consumers should bound every read
// by Length instead of scanning for a terminator. Both counts are USHORT, so a
// byte length above 65535 cannot be represented and must be rejected before it
// is narrowed into these fields.
//

typedef struct _STRING
{
    USHORT Length;
    USHORT MaximumLength;
    _Field_size_bytes_part_opt_(MaximumLength, Length) PCHAR Buffer;
} STRING, *PSTRING, ANSI_STRING, *PANSI_STRING, OEM_STRING, *POEM_STRING;

typedef STRING UTF8_STRING;
typedef PSTRING PUTF8_STRING;

typedef const STRING *PCSTRING;
typedef const ANSI_STRING *PCANSI_STRING;
typedef const OEM_STRING *PCOEM_STRING;

typedef struct _UNICODE_STRING
{
    USHORT Length;
    USHORT MaximumLength;
    _Field_size_bytes_part_opt_(MaximumLength, Length) PWCH Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef const UNICODE_STRING *PCUNICODE_STRING;

// Brace initializer built from sizeof(s): Length excludes one element (the
// terminator of a literal), MaximumLength is the full array size. The argument
// must be an array or string literal; given a pointer, sizeof yields the pointer
// size and the resulting lengths are wrong. The buffer is always cast to PWCH,
// so this form is meant for wide strings.
#define RTL_CONSTANT_STRING(s) { sizeof((s)) - sizeof((s)[0]), sizeof((s)), (PWCH)(s) }

// Expands to two declarations (a WCHAR array named <_var>_buffer and the
// UNICODE_STRING that points at it), so it is usable only where declarations
// are allowed. _str must be a wide string literal because sizeof is applied to it.
#define DECLARE_CONST_UNICODE_STRING(_var, _str) \
    const WCHAR _var ## _buffer[] = _str; \
    const UNICODE_STRING _var = { sizeof(_str) - sizeof(WCHAR), sizeof(_str), (PWCH) _var ## _buffer }

#define DECLARE_GLOBAL_CONST_UNICODE_STRING(_var, _str) \
    extern const DECLSPEC_SELECTANY UNICODE_STRING _var = RTL_CONSTANT_STRING(_str)

// Declares an empty UNICODE_STRING backed by a WCHAR array of _size elements.
// Length starts at 0 and the array itself is not initialised. MaximumLength is
// (_size) * sizeof(WCHAR) stored into a USHORT, so _size must be small enough
// for that product to fit.
#define DECLARE_UNICODE_STRING_SIZE(_var, _size) \
    WCHAR _var ## _buffer[_size]; \
    UNICODE_STRING _var = { 0, (_size) * sizeof(WCHAR) , _var ## _buffer }

//
// Balanced tree node
//

#ifndef RTL_BALANCED_NODE_RESERVED_PARENT_MASK
#define RTL_BALANCED_NODE_RESERVED_PARENT_MASK 3
#endif

// Children can be addressed as an array or as Left/Right (same union). Red and
// Balance share storage with ParentValue, so ParentValue is not a plain pointer;
// use the accessor below, which clears the bits in
// RTL_BALANCED_NODE_RESERVED_PARENT_MASK before casting.
typedef struct _RTL_BALANCED_NODE
{
    union
    {
        struct _RTL_BALANCED_NODE *Children[2];
        struct
        {
            struct _RTL_BALANCED_NODE *Left;
            struct _RTL_BALANCED_NODE *Right;
        } DUMMYSTRUCTNAME;
    } DUMMYUNIONNAME;
    union
    {
        UCHAR Red : 1;
        UCHAR Balance : 2;
        ULONG_PTR ParentValue;
    } DUMMYUNIONNAME2;
} RTL_BALANCED_NODE, *PRTL_BALANCED_NODE;

#ifndef RTL_BALANCED_NODE_GET_PARENT_POINTER
#define RTL_BALANCED_NODE_GET_PARENT_POINTER(Node) \
    ((PRTL_BALANCED_NODE)((Node)->ParentValue & ~RTL_BALANCED_NODE_RESERVED_PARENT_MASK))
#endif

//
// Portability
//
// Fixed-width layouts: the pointer members are replaced by 32-bit or 64-bit
// integers. NOTE(review): presumably used to describe structures belonging to a
// process of another bitness; in that case Buffer/Next are addresses in that
// process and must not be dereferenced locally - confirm against the callers.
//

typedef struct _SINGLE_LIST_ENTRY32
{
    ULONG Next;
} SINGLE_LIST_ENTRY32, *PSINGLE_LIST_ENTRY32;

typedef struct _STRING32
{
    USHORT Length;
    USHORT MaximumLength;
    ULONG Buffer;
} STRING32, *PSTRING32;

typedef STRING32 UNICODE_STRING32, *PUNICODE_STRING32;
typedef STRING32 ANSI_STRING32, *PANSI_STRING32;

typedef struct _STRING64
{
    USHORT Length;
    USHORT MaximumLength;
    ULONGLONG Buffer;
} STRING64, *PSTRING64;

typedef STRING64 UNICODE_STRING64, *PUNICODE_STRING64;
typedef STRING64 ANSI_STRING64, *PANSI_STRING64;

//
// Object attributes
//
// Bit flags for OBJECT_ATTRIBUTES.Attributes. OBJ_VALID_ATTRIBUTES (0x1FF2) is
// the OR of every flag listed here except OBJ_PROTECT_CLOSE,
// OBJ_AUDIT_OBJECT_CLOSE and OBJ_NO_RIGHTS_UPGRADE (0x1, 0x4, 0x8).
// NOTE(review): this header does not describe what each flag does; check the
// platform documentation before choosing a combination, since the attribute
// set affects how the name is resolved and how the handle is created.
//

#define OBJ_PROTECT_CLOSE 0x00000001L
#define OBJ_INHERIT 0x00000002L
#define OBJ_AUDIT_OBJECT_CLOSE 0x00000004L
#define OBJ_NO_RIGHTS_UPGRADE 0x00000008L
#define OBJ_PERMANENT 0x00000010L
#define OBJ_EXCLUSIVE 0x00000020L
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define OBJ_OPENIF 0x00000080L
#define OBJ_OPENLINK 0x00000100L
#define OBJ_KERNEL_HANDLE 0x00000200L
#define OBJ_FORCE_ACCESS_CHECK 0x00000400L
#define OBJ_IGNORE_IMPERSONATED_DEVICEMAP 0x00000800L
#define OBJ_DONT_REPARSE 0x00001000L
#define OBJ_VALID_ATTRIBUTES 0x00001FF2L

// SecurityDescriptor and SecurityQualityOfService are declared as PVOID; the
// trailing comments name the types they are expected to point at.
typedef struct _OBJECT_ATTRIBUTES
{
    ULONG Length;
    HANDLE RootDirectory;
    PCUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor; // PSECURITY_DESCRIPTOR;
    PVOID SecurityQualityOfService; // PSECURITY_QUALITY_OF_SERVICE
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
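typedef const OBJECT_ATTRIBUTES *PCOBJECT_ATTRIBUTES;

// Fills every field of an OBJECT_ATTRIBUTES and sets SecurityQualityOfService
// to NULL.
//   p: structure to fill      n: ObjectName        a: Attributes
//   r: RootDirectory          s: SecurityDescriptor
// The expansion is a braced block, not an expression: written with a trailing
// semicolon it cannot sit between an unbraced `if` and its `else`. p is expanded
// six times, so pass an expression without side effects.
#define InitializeObjectAttributes(p, n, a, r, s) { \
    (p)->Length = sizeof(OBJECT_ATTRIBUTES); \
    (p)->RootDirectory = r; \
    (p)->Attributes = a; \
    (p)->ObjectName = n; \
    (p)->SecurityDescriptor = s; \
    (p)->SecurityQualityOfService = NULL; \
    }

// Same as InitializeObjectAttributes, with q stored in SecurityQualityOfService.
#define InitializeObjectAttributesEx(p, n, a, r, s, q) { \
    (p)->Length = sizeof(OBJECT_ATTRIBUTES); \
    (p)->RootDirectory = r; \
    (p)->Attributes = a; \
    (p)->ObjectName = n; \
    (p)->SecurityDescriptor = s; \
    (p)->SecurityQualityOfService = q; \
    }

// Positional initializer in field order: Length, RootDirectory (NULL),
// ObjectName (n), Attributes (a), SecurityDescriptor (NULL),
// SecurityQualityOfService (NULL).
#define RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) { sizeof(OBJECT_ATTRIBUTES), NULL, n, a, NULL, NULL }
#define RTL_INIT_OBJECT_ATTRIBUTES(n, a) RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a)

#define OBJ_NAME_PATH_SEPARATOR ((WCHAR)L'\\')
#define OBJ_NAME_ALTPATH_SEPARATOR ((WCHAR)L'/')

//
// Portability
//
// Same field order as OBJECT_ATTRIBUTES with the handle and pointer members
// replaced by fixed-width integers. NOTE(review): presumably for describing the
// structure as laid out in a process of another bitness; the integers would
// then be addresses in that process, not pointers usable here - confirm.
//

typedef struct _OBJECT_ATTRIBUTES64
{
    ULONG Length;
    ULONG64 RootDirectory;
    ULONG64 ObjectName;
    ULONG Attributes;
    ULONG64 SecurityDescriptor;
    ULONG64 SecurityQualityOfService;
} OBJECT_ATTRIBUTES64, *POBJECT_ATTRIBUTES64;

typedef const OBJECT_ATTRIBUTES64 *PCOBJECT_ATTRIBUTES64;

typedef struct _OBJECT_ATTRIBUTES32
{
    ULONG Length;
    ULONG RootDirectory;
    ULONG ObjectName;
    ULONG Attributes;
    ULONG SecurityDescriptor;
    ULONG SecurityQualityOfService;
} OBJECT_ATTRIBUTES32, *POBJECT_ATTRIBUTES32;

typedef const OBJECT_ATTRIBUTES32 *PCOBJECT_ATTRIBUTES32;

//
// Product types
//

// Values start at 1, so 0 is not a valid NT_PRODUCT_TYPE.
typedef enum _NT_PRODUCT_TYPE
{
    NtProductWinNt = 1,
    NtProductLanManNt,
    NtProductServer
} NT_PRODUCT_TYPE, *PNT_PRODUCT_TYPE;

// Values are implicit, starting at 0; MaxSuiteType is the last enumerator.
typedef enum _SUITE_TYPE
{
    SmallBusiness,
    Enterprise,
    BackOffice,
    CommunicationServer,
    TerminalServer,
    SmallBusinessRestricted,
    EmbeddedNT,
    DataCenter,
    SingleUserTS,
    Personal,
    Blade,
    EmbeddedRestricted,
    SecurityAppliance,
    StorageServer,
    ComputeServer,
    WHServer,
    PhoneNT,
    MaxSuiteType
} SUITE_TYPE;

//
// Specific
//

// Process/thread pair in native, 32-bit and 64-bit field widths.
typedef struct _CLIENT_ID
{
    HANDLE UniqueProcess;
    HANDLE UniqueThread;
} CLIENT_ID, *PCLIENT_ID;

typedef struct _CLIENT_ID32
{
    ULONG UniqueProcess;
    ULONG UniqueThread;
} CLIENT_ID32, *PCLIENT_ID32;

typedef struct _CLIENT_ID64
{
    ULONGLONG UniqueProcess;
    ULONGLONG UniqueThread;
} CLIENT_ID64, *PCLIENT_ID64;

// NOTE(review): the header name after this #include, and after the one that
// follows KSYSTEM_TIME, is missing from this listing. The pair brackets a single
// structure, so it presumably changes and then restores structure packing;
// restore both names from the upstream file before compiling.
#include

typedef struct _KSYSTEM_TIME
{
    ULONG LowPart;
    LONG High1Time;
    LONG High2Time;
} KSYSTEM_TIME, *PKSYSTEM_TIME;

#include

// Every helper from here to the end of the header is wrapped in #ifndef, so a
// definition supplied by an earlier header takes precedence over these.

// Single-bit affinity mask. n must be smaller than the bit width of KAFFINITY;
// a larger shift count is undefined behaviour in C.
#ifndef AFFINITY_MASK
#define AFFINITY_MASK(n) ((KAFFINITY)1 << (n))
#endif

// FlagOn yields the masked bits themselves, not 0/1. Storing that result in a
// narrower type such as BOOLEAN drops any flag above the destination width and
// can turn a set flag into "false"; use BooleanFlagOn when a truth value is
// wanted.
#ifndef FlagOn
#define FlagOn(_F, _SF) ((_F) & (_SF))
#endif
#ifndef BooleanFlagOn
#define BooleanFlagOn(F, SF) ((BOOLEAN)(((F) & (SF)) != 0))
#endif
// SetFlag and ClearFlag modify _F in place.
#ifndef SetFlag
#define SetFlag(_F, _SF) ((_F) |= (_SF))
#endif
#ifndef ClearFlag
#define ClearFlag(_F, _SF) ((_F) &= ~(_SF))
#endif

// Add2Ptr advances P by I bytes with no bounds check; the caller has to validate
// I against the size of the buffer P points into.
#ifndef Add2Ptr
#define Add2Ptr(P,I) ((PVOID)((PUCHAR)(P) + (I)))
#endif
// PtrOffset returns O - B narrowed to ULONG. It is only meaningful when O is not
// below B and the distance fits in 32 bits; otherwise the result wraps or is
// truncated.
#ifndef PtrOffset
#define PtrOffset(B,O) ((ULONG)((ULONG_PTR)(O) - (ULONG_PTR)(B)))
#endif

// Alignment helpers. Align / Alignment must be a power of two for the masks to
// be correct. The *_UP forms add (Align - 1) first, so a value close to the top
// of the ULONG_PTR range wraps around to a small result; check for that before
// using the result as an allocation size or an end address.
//
// ALIGN_UP_BY widens Align to ULONG_PTR before building the mask, matching
// ALIGN_DOWN_BY. Without the cast, a 32-bit unsigned Align produces a 32-bit
// mask that is zero-extended on 64-bit builds and clears the upper half of the
// address.
#ifndef ALIGN_UP_BY
#define ALIGN_UP_BY(Address, Align) (((ULONG_PTR)(Address) + (Align) - 1) & ~((ULONG_PTR)(Align) - 1))
#endif
#ifndef ALIGN_UP_POINTER_BY
#define ALIGN_UP_POINTER_BY(Pointer, Align) ((PVOID)ALIGN_UP_BY(Pointer, Align))
#endif
#ifndef ALIGN_UP
#define ALIGN_UP(Address, Type) ALIGN_UP_BY(Address, sizeof(Type))
#endif
#ifndef ALIGN_UP_POINTER
#define ALIGN_UP_POINTER(Pointer, Type) ((PVOID)ALIGN_UP(Pointer, Type))
#endif
#ifndef ALIGN_DOWN_BY
#define ALIGN_DOWN_BY(Address, Align) ((ULONG_PTR)(Address) & ~((ULONG_PTR)(Align) - 1))
#endif
#ifndef ALIGN_DOWN_POINTER_BY
#define ALIGN_DOWN_POINTER_BY(Pointer, Align) ((PVOID)ALIGN_DOWN_BY(Pointer, Align))
#endif
#ifndef ALIGN_DOWN
#define ALIGN_DOWN(Address, Type) ALIGN_DOWN_BY(Address, sizeof(Type))
#endif
#ifndef ALIGN_DOWN_POINTER
#define ALIGN_DOWN_POINTER(Pointer, Type) ((PVOID)ALIGN_DOWN(Pointer, Type))
#endif
#ifndef IS_ALIGNED
#define IS_ALIGNED(Pointer, Alignment) ((((ULONG_PTR)(Pointer)) & ((Alignment) - 1)) == 0)
#endif

// Page geometry is hard-coded here: 0x1000-byte pages (mask 0xFFF, shift 12).
#ifndef PAGE_SIZE
#define PAGE_SIZE 0x1000
#endif
#ifndef PAGE_MASK
#define PAGE_MASK 0xFFF
#endif
#ifndef PAGE_SHIFT
#define PAGE_SHIFT 0xC
#endif

// Offset of Address inside its page, and the page base address.
#ifndef BYTE_OFFSET
#define BYTE_OFFSET(Address) ((SIZE_T)((ULONG_PTR)(Address) & PAGE_MASK))
#endif
#ifndef PAGE_ALIGN
#define PAGE_ALIGN(Address) ((PVOID)((ULONG_PTR)(Address) & ~PAGE_MASK))
#endif
#ifndef PAGE_OFFSET
#define PAGE_OFFSET(p) ((PAGE_MASK) & (ULONG_PTR)(p))
#endif

// Size rounding. Each of these adds to Size before masking or shifting, so a
// Size near the maximum of its type wraps and yields a result smaller than the
// input. Validate externally supplied sizes before rounding them.
// BYTES_TO_PAGES expands Size twice; pass an expression without side effects.
#ifndef ADDRESS_AND_SIZE_TO_SPAN_PAGES
#define ADDRESS_AND_SIZE_TO_SPAN_PAGES(Address, Size) ((BYTE_OFFSET(Address) + ((SIZE_T)(Size)) + PAGE_MASK) >> PAGE_SHIFT)
#endif
#ifndef ROUND_TO_SIZE
#define ROUND_TO_SIZE(Size, Alignment) ((((ULONG_PTR)(Size))+((Alignment)-1)) & ~(ULONG_PTR)((Alignment)-1))
#endif
#ifndef ROUND_TO_PAGES
#define ROUND_TO_PAGES(Size) (((ULONG_PTR)(Size) + PAGE_MASK) & ~PAGE_MASK)
#endif
#ifndef BYTES_TO_PAGES
#define BYTES_TO_PAGES(Size) (((Size) >> PAGE_SHIFT) + (((Size) & PAGE_MASK) != 0))
#endif

#endif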
// _NTDEF_ 517 | 518 | #endif 519 | -------------------------------------------------------------------------------- /phnt_windows.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Win32 definition support 3 | * 4 | * This file is part of System Informer. 5 | */ 6 | 7 | #ifndef _PHNT_WINDOWS_H 8 | #define _PHNT_WINDOWS_H 9 | 10 | // This header file provides access to Win32, plus NTSTATUS values and some access mask values. 11 | 12 | #ifndef UNICODE 13 | #define UNICODE 14 | #endif 15 | 16 | #ifndef _CRT_SECURE_NO_WARNINGS 17 | #define _CRT_SECURE_NO_WARNINGS 18 | #endif 19 | 20 | #ifndef __cplusplus 21 | #ifndef CINTERFACE 22 | #define CINTERFACE 23 | #endif 24 | 25 | #ifndef COBJMACROS 26 | #define COBJMACROS 27 | #endif 28 | #endif 29 | 30 | #ifndef NOMINMAX 31 | #define NOMINMAX 32 | #endif 33 | 34 | #ifndef INT_ERROR 35 | #define INT_ERROR (-1) 36 | #endif 37 | 38 | #ifndef ULONG64_MAX 39 | #define ULONG64_MAX 0xffffffffffffffffui64 40 | #endif 41 | 42 | #ifndef SIZE_T_MAX 43 | #ifdef _WIN64 44 | #define SIZE_T_MAX 0xffffffffffffffffui64 45 | #else 46 | #define SIZE_T_MAX 0xffffffffUL 47 | #endif 48 | #endif 49 | 50 | #ifndef MAXLONGLONG 51 | // The Windows SDK basetsd.h is missing the MAXLONGLONG definition. (dmex) 52 | #define MAXLONGLONG (0x7fffffffffffffff) 53 | #endif 54 | 55 | #ifndef MINLONGLONG 56 | // The Windows SDK basetsd.h references non-existent MAXLONGLONG definition 57 | // and breaks MINLONGLONG or in other cases results in a definition of zero. 
(dmex) 58 | #define MINLONGLONG ((LONGLONG)~MAXLONGLONG) 59 | #endif 60 | 61 | #ifndef ENABLE_RTL_NUMBER_OF_V2 62 | #define ENABLE_RTL_NUMBER_OF_V2 63 | #endif 64 | 65 | #ifndef INITGUID 66 | #define INITGUID 67 | #endif 68 | 69 | #ifndef WIN32_LEAN_AND_MEAN 70 | #define WIN32_LEAN_AND_MEAN 71 | #endif 72 | 73 | #ifndef WIN32_NO_STATUS 74 | #define WIN32_NO_STATUS 75 | #endif 76 | 77 | #ifndef COM_NO_WINDOWS_H 78 | #define COM_NO_WINDOWS_H 79 | #endif 80 | 81 | #ifndef STRICT_TYPED_ITEMIDS 82 | #define STRICT_TYPED_ITEMIDS 83 | #endif 84 | 85 | #ifndef __cplusplus 86 | // This is needed to workaround C17 preprocessor errors when using legacy versions of the Windows SDK. (dmex) 87 | #ifndef MICROSOFT_WINDOWS_WINBASE_H_DEFINE_INTERLOCKED_CPLUSPLUS_OVERLOADS 88 | #define MICROSOFT_WINDOWS_WINBASE_H_DEFINE_INTERLOCKED_CPLUSPLUS_OVERLOADS 0 89 | #endif 90 | #endif 91 | 92 | #ifdef __cplusplus 93 | #define RTL_ADDRESS_OF(v) (&const_cast(reinterpret_cast(v))) // _ADDRESSOF() macro 94 | #else 95 | #define RTL_ADDRESS_OF(v) (&(v)) 96 | #endif 97 | 98 | #include 99 | #include 100 | #undef WIN32_NO_STATUS 101 | #include 102 | #include 103 | #include 104 | #include 105 | #include 106 | 107 | #ifdef COM_NO_WINDOWS_H 108 | #include 109 | #endif 110 | 111 | typedef DOUBLE *PDOUBLE; 112 | typedef GUID *PGUID; 113 | 114 | // Desktop access rights 115 | #define DESKTOP_ALL_ACCESS \ 116 | (DESKTOP_CREATEMENU | DESKTOP_CREATEWINDOW | DESKTOP_ENUMERATE | \ 117 | DESKTOP_HOOKCONTROL | DESKTOP_JOURNALPLAYBACK | DESKTOP_JOURNALRECORD | \ 118 | DESKTOP_READOBJECTS | DESKTOP_SWITCHDESKTOP | DESKTOP_WRITEOBJECTS | \ 119 | STANDARD_RIGHTS_REQUIRED) 120 | #define DESKTOP_GENERIC_READ \ 121 | (DESKTOP_ENUMERATE | DESKTOP_READOBJECTS | STANDARD_RIGHTS_READ) 122 | #define DESKTOP_GENERIC_WRITE \ 123 | (DESKTOP_CREATEMENU | DESKTOP_CREATEWINDOW | DESKTOP_HOOKCONTROL | \ 124 | DESKTOP_JOURNALPLAYBACK | DESKTOP_JOURNALRECORD | DESKTOP_WRITEOBJECTS | \ 125 | STANDARD_RIGHTS_WRITE) 126 | #define 
DESKTOP_GENERIC_EXECUTE \ 127 | (DESKTOP_SWITCHDESKTOP | STANDARD_RIGHTS_EXECUTE) 128 | 129 | // Window station access rights 130 | #define WINSTA_GENERIC_READ \ 131 | (WINSTA_ENUMDESKTOPS | WINSTA_ENUMERATE | WINSTA_READATTRIBUTES | \ 132 | WINSTA_READSCREEN | STANDARD_RIGHTS_READ) 133 | #define WINSTA_GENERIC_WRITE \ 134 | (WINSTA_ACCESSCLIPBOARD | WINSTA_CREATEDESKTOP | WINSTA_WRITEATTRIBUTES | \ 135 | STANDARD_RIGHTS_WRITE) 136 | #define WINSTA_GENERIC_EXECUTE \ 137 | (WINSTA_ACCESSGLOBALATOMS | WINSTA_EXITWINDOWS | STANDARD_RIGHTS_EXECUTE) 138 | 139 | // WMI access rights 140 | #define WMIGUID_GENERIC_READ \ 141 | (WMIGUID_QUERY | WMIGUID_NOTIFICATION | WMIGUID_READ_DESCRIPTION | \ 142 | STANDARD_RIGHTS_READ) 143 | #define WMIGUID_GENERIC_WRITE \ 144 | (WMIGUID_SET | TRACELOG_CREATE_REALTIME | TRACELOG_CREATE_ONDISK | \ 145 | STANDARD_RIGHTS_WRITE) 146 | #define WMIGUID_GENERIC_EXECUTE \ 147 | (WMIGUID_EXECUTE | TRACELOG_GUID_ENABLE | TRACELOG_LOG_EVENT | \ 148 | TRACELOG_ACCESS_REALTIME | TRACELOG_REGISTER_GUIDS | \ 149 | STANDARD_RIGHTS_EXECUTE) 150 | 151 | // Note: Some parts of the Windows Runtime, COM or third party hooks are returning 152 | // S_FALSE and null pointers on errors when S_FALSE is a success code. 
(dmex) 153 | #define HR_SUCCESS(hr) (((HRESULT)(hr)) == S_OK) 154 | #define HR_FAILED(hr) (((HRESULT)(hr)) != S_OK) 155 | 156 | // Note: The CONTAINING_RECORD macro doesn't support UBSan and generates false positives, 157 | // we redefine the macro with FIELD_OFFSET as a workaround until the WinSDK is fixed (dmex) 158 | #undef CONTAINING_RECORD 159 | #define CONTAINING_RECORD(address, type, field) \ 160 | ((type *)((ULONG_PTR)(address) - UFIELD_OFFSET(type, field))) 161 | 162 | #ifndef __PCGUID_DEFINED__ 163 | #define __PCGUID_DEFINED__ 164 | typedef const GUID* PCGUID; 165 | #endif 166 | 167 | #ifndef GUID_NULL 168 | DEFINE_GUID(GUID_NULL, 0x00000000L, 0x0000, 0x0000, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00); 169 | #endif 170 | 171 | #endif 172 | -------------------------------------------------------------------------------- /subprocesstag.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Subprocess tag information 3 | * 4 | * This file is part of System Informer. 
5 | */ 6 | 7 | #ifndef _SUBPROCESSTAG_H 8 | #define _SUBPROCESSTAG_H 9 | 10 | typedef enum _TAG_INFO_LEVEL 11 | { 12 | eTagInfoLevelNameFromTag = 1, // TAG_INFO_NAME_FROM_TAG 13 | eTagInfoLevelNamesReferencingModule, // TAG_INFO_NAMES_REFERENCING_MODULE 14 | eTagInfoLevelNameTagMapping, // TAG_INFO_NAME_TAG_MAPPING 15 | eTagInfoLevelMax 16 | } TAG_INFO_LEVEL; 17 | 18 | typedef enum _TAG_TYPE 19 | { 20 | eTagTypeService = 1, 21 | eTagTypeMax 22 | } TAG_TYPE; 23 | 24 | typedef struct _TAG_INFO_NAME_FROM_TAG_IN_PARAMS 25 | { 26 | ULONG ProcessId; 27 | ULONG ServiceTag; 28 | } TAG_INFO_NAME_FROM_TAG_IN_PARAMS, *PTAG_INFO_NAME_FROM_TAG_IN_PARAMS; 29 | 30 | typedef struct _TAG_INFO_NAME_FROM_TAG_OUT_PARAMS 31 | { 32 | ULONG TagType; 33 | PCWSTR Name; 34 | } TAG_INFO_NAME_FROM_TAG_OUT_PARAMS, *PTAG_INFO_NAME_FROM_TAG_OUT_PARAMS; 35 | 36 | typedef struct _TAG_INFO_NAME_FROM_TAG 37 | { 38 | TAG_INFO_NAME_FROM_TAG_IN_PARAMS InParams; 39 | TAG_INFO_NAME_FROM_TAG_OUT_PARAMS OutParams; 40 | } TAG_INFO_NAME_FROM_TAG, *PTAG_INFO_NAME_FROM_TAG; 41 | 42 | typedef struct _TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS 43 | { 44 | ULONG ProcessId; 45 | PCWSTR ModuleName; 46 | } TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS, *PTAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS; 47 | 48 | typedef struct _TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS 49 | { 50 | ULONG TagType; 51 | PCWSTR Names; 52 | } TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS, *PTAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS; 53 | 54 | typedef struct _TAG_INFO_NAMES_REFERENCING_MODULE 55 | { 56 | TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS InParams; 57 | TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS OutParams; 58 | } TAG_INFO_NAMES_REFERENCING_MODULE, *PTAG_INFO_NAMES_REFERENCING_MODULE; 59 | 60 | typedef struct _TAG_INFO_NAME_TAG_MAPPING_IN_PARAMS 61 | { 62 | ULONG ProcessId; 63 | } TAG_INFO_NAME_TAG_MAPPING_IN_PARAMS, *PTAG_INFO_NAME_TAG_MAPPING_IN_PARAMS; 64 | 65 | typedef struct _TAG_INFO_NAME_TAG_MAPPING_ELEMENT 66 | { 67 | 
ULONG TagType; 68 | ULONG Tag; 69 | PCWSTR Name; 70 | PCWSTR GroupName; 71 | } TAG_INFO_NAME_TAG_MAPPING_ELEMENT, *PTAG_INFO_NAME_TAG_MAPPING_ELEMENT; 72 | 73 | typedef struct _TAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS 74 | { 75 | ULONG Count; 76 | PTAG_INFO_NAME_TAG_MAPPING_ELEMENT NameTagMappingElements; 77 | } TAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS, *PTAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS; 78 | 79 | typedef struct _TAG_INFO_NAME_TAG_MAPPING 80 | { 81 | TAG_INFO_NAME_TAG_MAPPING_IN_PARAMS InParams; 82 | PTAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS pOutParams; 83 | } TAG_INFO_NAME_TAG_MAPPING, *PTAG_INFO_NAME_TAG_MAPPING; 84 | 85 | _Must_inspect_result_ 86 | NTSYSAPI 87 | ULONG 88 | NTAPI 89 | I_QueryTagInformation( 90 | _In_opt_ PCWSTR MachineName, 91 | _In_ TAG_INFO_LEVEL InfoLevel, 92 | _Inout_ PVOID TagInfo 93 | ); 94 | 95 | typedef _Function_class_(QUERY_TAG_INFORMATION) 96 | ULONG NTAPI QUERY_TAG_INFORMATION( 97 | _In_opt_ PCWSTR MachineName, 98 | _In_ TAG_INFO_LEVEL InfoLevel, 99 | _Inout_ PVOID TagInfo 100 | ); 101 | typedef QUERY_TAG_INFORMATION *PQUERY_TAG_INFORMATION; 102 | 103 | #endif 104 | -------------------------------------------------------------------------------- /usermgr.h: -------------------------------------------------------------------------------- 1 | /* 2 | * User Manager service API definitions. 3 | * 4 | * This file is part of System Informer. 
*/

#ifndef _USERMGR_H
#define _USERMGR_H

// NOTE(review): every prototype in this header is tagged "rev" and both
// structures are tagged "private". In the annotation legend in phnt.h, "rev"
// (reverse-engineered) is the least reliable tier and "symbols, private"
// carries the remark "Types may be incorrect". Treat parameter types, ownership
// rules and return conventions here as unverified.
//
// All functions except UMgrFreeSessionUsers return an HRESULT; check it before
// reading any output parameter.
//
// Many functions hand back a handle through an _Out_ PHANDLE.
// NOTE(review): presumably the caller owns that handle and has to close it; the
// header does not say - confirm. Token handles obtained this way should be
// scoped as narrowly as possible.

// private
typedef struct _SESSION_USER_CONTEXT
{
    ULONGLONG ContextToken;
    ULONG SessionId;
    ULONG Reserved;
} SESSION_USER_CONTEXT, *PSESSION_USER_CONTEXT;

// private
// NOTE(review): Size presumably gives the byte length of the buffer at
// Information - confirm before using it as a copy bound.
typedef struct _CRED_PROV_CREDENTIAL
{
    ULONG Flags;
    ULONG AuthenticationPackage;
    ULONG Size;
    PVOID Information;
} CRED_PROV_CREDENTIAL, *PCRED_PROV_CREDENTIAL;

// Prototypes are declared as DLL imports; the exporting module is not named in
// this header.
#define USERMGRAPI DECLSPEC_IMPORT

// Contexts

#if (PHNT_VERSION >= PHNT_WINDOWS_10)

// rev
// _Post_invalid_: SessionUsers must not be used again after this call.
USERMGRAPI
VOID
WINAPI
UMgrFreeSessionUsers(
    _In_ _Post_invalid_ PSESSION_USER_CONTEXT SessionUsers
    );

// rev
// Returns a count and a pointer to SESSION_USER_CONTEXT entries.
// NOTE(review): presumably released with UMgrFreeSessionUsers - confirm.
USERMGRAPI
HRESULT
WINAPI
UMgrEnumerateSessionUsers(
    _Out_ PULONG Count,
    _Outptr_ PSESSION_USER_CONTEXT *SessionUsers
    );

// rev
// The three UMgrQueryUserContext* functions write a 64-bit context value for a
// user identified by token handle, SID string or user name respectively.
USERMGRAPI
HRESULT
WINAPI
UMgrQueryUserContext(
    _In_ HANDLE TokenHandle,
    _Out_ PULONGLONG ContextToken
    );

// rev
USERMGRAPI
HRESULT
WINAPI
UMgrQueryUserContextFromSid(
    _In_ PCWSTR SidString,
    _Out_ PULONGLONG ContextToken
    );

// rev
USERMGRAPI
HRESULT
WINAPI
UMgrQueryUserContextFromName(
    _In_ PCWSTR UserName,
    _Out_ PULONGLONG ContextToken
    );

#endif

// Tokens

#if (PHNT_VERSION >= PHNT_WINDOWS_10)

// rev
USERMGRAPI
HRESULT
WINAPI
UMgrQueryDefaultAccountToken(
    _Out_ PHANDLE TokenHandle
    );

// rev
USERMGRAPI
HRESULT
WINAPI
UMgrQuerySessionUserToken(
    _In_ ULONG SessionId,
    _Out_ PHANDLE TokenHandle
    );

// rev
USERMGRAPI
HRESULT
WINAPI
UMgrQueryUserToken(
    _In_ ULONGLONG Context,
    _Out_ PHANDLE TokenHandle
    );

// rev
USERMGRAPI
HRESULT
WINAPI
UMgrQueryUserTokenFromSid(
    _In_ PCWSTR SidString,
    _Out_ PHANDLE TokenHandle
    );

// rev
USERMGRAPI
HRESULT
WINAPI
UMgrQueryUserTokenFromName(
    _In_ PCWSTR UserName,
    _Out_ PHANDLE TokenHandle
    );

// rev
// InputTokenHandle and Capabilities are optional (_In_opt_). The
// _Ret_maybenull_ annotation on OutputTokenHandle suggests the returned handle
// can be NULL, so check the handle as well as the HRESULT.
USERMGRAPI
HRESULT
WINAPI
UMgrGetConstrainedUserToken(
    _In_opt_ HANDLE InputTokenHandle,
    _In_ ULONGLONG Context,
    _In_opt_ PSECURITY_CAPABILITIES Capabilities,
    _Out_ _Ret_maybenull_ PHANDLE OutputTokenHandle
    );

#endif

#if (PHNT_VERSION >= PHNT_WINDOWS_10_TH2)

// rev
USERMGRAPI
HRESULT
WINAPI
UMgrChangeSessionUserToken(
    _In_ HANDLE TokenHandle
    );

// rev
USERMGRAPI
HRESULT
WINAPI
UMgrGetImpersonationTokenForContext(
    _In_ HANDLE InputTokenHandle,
    _In_ ULONGLONG Context,
    _Out_ PHANDLE OutputTokenHandle
    );

#endif

#if (PHNT_VERSION >= PHNT_WINDOWS_10_RS1)

// rev
USERMGRAPI
HRESULT
WINAPI
UMgrGetSessionActiveShellUserToken(
    _In_ ULONG SessionId,
    _Out_ PHANDLE TokenHandle
    );

#endif

// Single-session SKU

#if (PHNT_VERSION >= PHNT_WINDOWS_10)

// rev
USERMGRAPI
HRESULT
WINAPI
UMgrOpenProcessTokenForQuery(
    _In_ ULONG ProcessId,
    _Out_ PHANDLE TokenHandle
    );

// rev
// DesiredAccess is chosen by the caller; request only the rights that are needed.
USERMGRAPI
HRESULT
WINAPI
UMgrOpenProcessHandleForAccess(
    _In_ ACCESS_MASK DesiredAccess,
    _In_ ULONG ProcessId,
    _Out_ PHANDLE ProcessHandle
    );

#endif

// Credentials
//
// NOTE(review): the buffer returned by UMgrGetCachedCredentials likely holds
// credential material for the given SID. Keep it out of logs and dumps, and
// release it promptly; UMgrFreeUserCredentials is presumably the matching
// release call - confirm both points against the implementation.

#if (PHNT_VERSION >= PHNT_WINDOWS_10)

// rev
USERMGRAPI
HRESULT
WINAPI
UMgrFreeUserCredentials(
    _In_ PCRED_PROV_CREDENTIAL Credentials
    );

// rev
USERMGRAPI
HRESULT
WINAPI
UMgrGetCachedCredentials(
    _In_ PSID Sid,
    _Outptr_ PCRED_PROV_CREDENTIAL *Credentials
    );

#endif

#endif
--------------------------------------------------------------------------------