NtApiDotNet
Result of an access check with specific access types.
The access rights type, must be derived from an Enum.
The NT status code from the access check.
The granted access mask from the check.
The granted access mapped to generic access mask.
The required privileges for this access.
The specific granted access mask from the check.
The specific granted access mapped to generic access mask.
Object type associated with the access.
The level of the object type if used.
Optional name for the object type.
When a result from an Audit Access Check indicates whether the
an audit needs to be generated on close.
Whether the access check was a success.
Get access check result as a specific access.
The specific access results.
Get access check result as a specific access.
The specific access.
Result of an access check.
Result of an access check with generic Enum access types.
Structure for an NT access mask.
The access mask's access bits.
Constructor.
Access bits to use
Implicit conversion from Int32.
The access enumeration.
Implicit conversion from UInt32.
The access enumeration.
Implicit conversion from enumerations.
The access enumeration.
Convert access mask to a generic access object.
The generic access mask
Convert access mask to a mandatory label policy
The mandatory label policy
Convert to a specific access right.
The specific access right.
The converted value.
Convert to a specific access right.
The type of enumeration to convert to.
The converted value.
Get whether this access mask is empty (i.e. it's 0)
Get whether this access mask has no access rights, i.e. not empty.
Get whether this access mask has generic access rights.
Get whether this access mask hash type specific access rights.
Get whether the current access mask is granted specific permissions.
The access mask to check
True one or more access granted.
Get whether the current access mask is granted all specific permissions.
The access mask to check
True access all is granted.
Bitwise AND operator.
Access mask 1
Access mask 2
The new access mask.
Bitwise OR operator.
Access mask 1
Access mask 2
The new access mask.
Bitwise AND operator.
Access mask 1
Access mask 2
The new access mask.
Bitwise OR operator.
Access mask 1
Access mask 2
The new access mask.
Equality operator.
Access mask 1
Access mask 2
True if equal.
Inequality operator.
Access mask 1
Access mask 2
True if equal.
Bitwise NOT operator.
Access mask 1
The new access mask.
Overridden GetHashCode.
The hash code.
Overridden Equals.
The object to compare against.
True if equal.
Get an empty access mask.
Overridden ToString method.
The access mask.
ToString method.
Format code for the access mask.
The formatting string.
ToString method.
Format code for the access mask.
The format provider.
The formatting string.
Flags representing what generic access the entry maps to.
Not mapped to any access.
Mapped to read.
Mapped to write.
Mapped to execute.
Mapped to All.
A structure to hold an access mask to enum mapping.
The access mask.
The value of the access mask entry enumeration.
The generic access this maps to.
The optional SDK name.
Overridden ToString method.
The string form of the entry.
Class to represent an Access Control Entry (ACE)
Check if the ACE is an allowed ACE.
Check if the ACE is a denied ACE.
Check if the ACE is an Object ACE
Check if the ACE is a callback ACE
Check if ACE is a conditional ACE
Check if ACE is a resource attribute ACE.
Check if ACE is a mandatory label ACE.
Check if ACE is a compound ACE.
Check if ACE is an audit ACE.
Check if ACE is an access filter ACE.
Check if ACE is a process trust label ACE.
Check if ACE is a critical ACE.
Check if ACE is inherit only.
Check if ACE is inherited by objects.
Check if ACE is inherited by objects.
Get ACE type
Get ACE flags
Get ACE access mask
Get ACE Security Identifier
The type of compound ACE. When serialized always set to Impersonate.
Get the client SID in a compound ACE.
Get optional Object Type
Get optional Inherited Object Type
Optional application data.
Get conditional check if a conditional ace.
Get or set resource attribute.
Constructor
ACE type
ACE flags
ACE access mask
ACE sid
Convert ACE to a string
The ACE as a string
Convert ACE to a string
An enumeration type to format the access mask
True to try and resolve SID to a name
The ACE as a string
Clone this ACE.
The cloned ACE.
Get whether the current access mask is granted specific permissions.
The access mask to check
True one or more access granted.
Get whether the current access mask is granted all specific permissions.
The access mask to check
True access all is granted.
Get the common name of the object type.
Specify the domain for the object type.
If true then expand the list of properties.
The common name of the object type, or the GUID as a string.
This function could be quite slow to query the first time.
Get the common name of the object type.
If true then expand the list of properties.
The common name of the object type, or the GUID as a string.
This will query the local domain, it could be quite slow to query the first time.
Get the common name of the object type.
The common name of the object type, or the GUID as a string.
This will query the local domain, it could be quite slow to query the first time.
Get the common name of the inherited object type.
Specify the domain for the object type.
The common name of the object type, or the GUID as a string.
This function could be quite slow to query the first time.
Get the common name of the inherited object type.
The common name of the object type, or the GUID as a string.
This will query the local domain, it could be quite slow to query the first time.
Convert the ACE to a byte array.
The ACE as a byte array.
Compare ACE to another object.
The other object.
True if the other object equals this ACE
Get hash code.
The hash code
Equality operator
Left ACE
Right ACE
True if the ACEs are equal
Not Equal operator
Left ACE
Right ACE
True if the ACEs are not equal
Class to represent an Access Control List (ACL)
Constructor
Pointer to a raw ACL in memory
True if the ACL was defaulted
Constructor
Buffer containing an ACL in memory
True if the ACL was defaulted
Constructor for a NULL ACL
True if the ACL was defaulted
Constructor for an empty ACL
Constructor
List of ACEs to add to ACL
True if the ACL was defaulted
Constructor
List of ACEs to add to ACL
Constructor.
An SDDL string to create the DACL from.
The SDDL string should be of the form D:(...) or S:(...), if you specify
both a DACL and a SACL then only the DACL will be used.
Convert the ACL to a byte array
The ACL as a byte array
Convert the ACL to a safe buffer
The safe buffer
Add an ace to the ACL
The ACE to add
Add an access allowed ace to the ACL
The ACE access mask
The ACE flags
The ACE SID
Add an access allowed ace to the ACL
The ACE access mask
The ACE SID
Add an access allowed ace to the ACL
The ACE access mask
The ACE flags
The ACE SID
Add an access allowed ace to the ACL
The ACE access mask
The ACE SID
Add an access denied ace to the ACL
The ACE access mask
The ACE flags
The ACE SID
Add an access denied ace to the ACL
The ACE access mask
The ACE SID
Add an access denied ace to the ACL
The ACE access mask
The ACE flags
The ACE SID
Add an access denied ace to the ACL
The ACE access mask
The ACE SID
Add an audit ace to the ACL
The ACE access mask
The ACE flags
The ACE SID
Add an audit ace to the ACL
The ACE access mask
The ACE flags
The ACE SID
Add an audit success ace to the ACL
The ACE access mask
The ACE SID
Add an audit success ace to the ACL
The ACE access mask
The ACE SID
Add an audit fail ace to the ACL
The ACE access mask
The ACE SID
Add an audit fail ace to the ACL
The ACE access mask
The ACE SID
Gets an indication if this ACL is canonical.
Canonical means that deny ACEs are before allow ACEs.
True to canonicalize a DACL, otherwise a SACL.
True if the ACL is canonical.
Gets an indication if this DACL is canonical.
Canonical basically means that deny ACEs are before allow ACEs.
True if the ACL is canonical.
Canonicalize the ACL.
True to canonicalize a DACL, otherwise a SACL.
Canonicalize the ACL (for use on DACLs only).
The canonical ACL.
Find the first ACE with a specified type.
The type to find.
True to include inherit only ACEs.
The found ace. Returns null if not found.
Find the first ACE with a specified type. Includes InheritOnly ACEs.
The type to find.
The found ace. Returns null if not found.
Find the all ACE with a specified type.
The type to find.
True to include inherit only ACEs.
The found aces.
Find the all ACE with a specified type. Includes InheritOnly ACEs.
The type to find.
The found aces.
Find the last ACE with a specified type.
The type to find.
The found ace. Returns null if not found.
Clone the ACL. Also clones all ACEs.
The cloned ACL.
Get or set whether the ACL was defaulted
Get or set whether the ACL is NULL (no security)
Get or set the protected flag.
Get or set the auto-inherited flag.
Get or set the auto-inherited required flag.
Get or set the ACL revision
Indicates the ACL has at least one conditional ACE.
Indicates the ACL has at least one object ACE.
Base class to represent an ALPC message.
Constructor.
The port message header.
Constructor.
Update the header length fields.
The length of the valid data.
The maximum data length supported by the packet.
Method to handle when ToSafeBuffer is called.
The message buffer being created.
Method to handle when FromSafeBuffer is called.
The message buffer to initialize from..
The ALPC port associated with this message.
Get or set the header.
The process ID of the sender.
The thread ID of the sender.
Get total length of the message.
Get the allocated data length for the message.
Get data length of the message.
Get the message ID.
Get the callback ID.
Get the message type.
Get additional flags on message type.
Indicates that the message requires a reply (otherwise things can leak).
Indicates that the message requires a reply (obsolete).
Get direct status for the message.
The direct status for the message. Returns STATUS_PENDING if the message is yet to be processed.
Get the maximum size of a message minus the header size.
Create a safe buffer for this message.
The safe buffer.
Method to query information for a message.
The information class.
The port which has processed the message.
The buffer to return data in.
Return length from the query.
The NT status code for the query.
Query a fixed structure from the object.
The type of structure to return.
The information class to query.
The port which has processed the message.
A default value for the query.
True to throw on error.
The result of the query.
Thrown on error.
Query a fixed structure from the object.
The type of structure to return.
The port which has processed the message.
The information class to query.
A default value for the query.
The result of the query.
Thrown on error.
Query a fixed structure from the object.
The type of structure to return.
The port which has processed the message.
The information class to query.
The result of the query.
Thrown on error.
An ALPC message which holds a raw set of bytes.
Constructor.
Data to initialize the message with.
Maximum length of the message buffer.
Specify a text encoding for the DataString property.
Constructor.
Data to initialize the message with.
Maximum length of the message buffer.
Constructor.
Data to initialize the message with.
Constructor.
Data to initialize the message with.
Specify a text encoding for the DataString property.
Constructor.
Total allocated length of the message buffer.
Constructor.
Total allocated length of the message buffer.
Specify a text encoding for the DataString property.
Get or set the message data.
When you set the data it'll update the DataLength and TotalLength fields.
Get or set the message data as an encoding string.
When you set the data it'll update the DataLength and TotalLength fields.
Get or set the text encoding in this raw message.
Method to handle when FromSafeBuffer is called.
The message buffer to initialize from..
The ALPC port associated with this message.
Method to handle when ToSafeBuffer is called.
The message buffer being created.
An ALPC message which holds a specific type with optional trailing data.
The type representing the data.
Constructor for a receive buffer.
Constructor for a receive buffer.
Length of message. This will be rounded up to at least accomodate the header.
Constructor for a send/receive buffer.
The initial value to set.
Trailing data.
Constructor for a send/receive buffer.
The initial value to set.
Get or set the type in the buffer.
Get or set any trailing data after the value.
Method to handle when FromSafeBuffer is called.
The message buffer to initialize from..
The ALPC port associated with this message.
Method to handle when ToSafeBuffer is called.
The message buffer being created.
Class to represent a set of sending attributes.
Constructor.
Constructor.
List of attributes to send.
Add an attribute object.
The attribute to add.
Remove an attribute object.
The attribute flag to remove.
Remove an attribute object.
The attribute to remove.
Add a list of handles to the send attributes.
The list of objects.
This method doesn't maintain a reference to the objects. You need to keep them alive elsewhere.
Add a list of handles to the send attributes.
The list of handles.
Add a list of handles to the send attributes.
The handle to add.
This method doesn't maintain a reference to the objects. You need to keep them alive elsewhere.
Add a list of handles to the send attributes.
The handle to add.
Get the allocated attributes.
Class to represent a set of received attributes.
Constructor. Allocated space for all known attributes.
Constructor.
Get the allocated attributes.
Get the list of valid attributes.
Get a list of the valid attributes.
Get list of passed handles.
Get the mapped data view. If no view sent this property is invalid.
Get the security context. If no security context this property is invalid.
Dispose method.
Get a typed attribute.
The type of attribute to get.
The attribute. Returns a default initialized object if not valid.
Get an attribute.
The attribute flag to get.
The attribute. Returns null if not found.
Convert this set of attributes to a buffer to send.
The send attributes.
Convert this set of attributes to one which can be used to free on continuation required.
The attributes to
The send attributes.
Checks if an attribute flag is valid.
The attribute to test.
True if the attribute is value.
Base class to represent a message attribute.
The flag for this attribute.
Constructor.
The single attribute flag which this represents.
Class representing a security message attribute.
Constructor.
Security attribute flags.
Security quality of service.
Context handle.
Create an attribute which with create a handle automatically.
The security quality of service.
The security message attribute.
Class representing a security message attribute.
Constructor.
Token ID of token.
Authentication ID of token.
Modified ID of token
Class representing a security message attribute.
Constructor.
Port context.
Message context.
Sequence number.
Message ID.
Callback ID.
Class representing a data view message attribute.
Constructor.
View flags.
Handle to section.
View base.
View size.
Handle attribute entry.
Handle flags.
The NT object.
The object type for the handle.
Desired access for the handle.
Constructor.
Handle attribute to initialize from.
Constructor.
Handle attribute to initialize from.
Constructor.
Information structure to initialize from.
Constructor.
Constructor.
The object to construct the entry from. Will take a copy of the handle.
Class representing a handle message attribute.
Constructor.
Constructor.
List of handle entries.
Constructor.
The handle entry.
Constructor.
List of objects to create the handle entries.
This constructor takes copies of the objects.
Constructor.
A single object to send.
This constructor takes copies of the object.
List of handles in this attribute.
Class representing a direct message attribute.
Constructor.
The event object.
The event object.
Class representing a work on behalf of message attribute.
Constructor.
Thread ID.
Thread creation time (low).
Safe buffer to store an allocated set of ALPC atributes.
Get a pointer to an allocated attribute. Returns NULL if not available.
The attribute to get.
The pointer to the attribute buffer, IntPtr.Zero if not found.
Get an attribute as a structured type.
The attribute type.
The attribute.
A buffer which represents the structured type.
Thrown if attribute doesn't exist.
Create a new buffer with allocations for a specified set of attributes.
The attributes to allocate.
The allocated buffed.
Dispose the safe buffer.
True if disposing
Detaches the current buffer and allocates a new one.
The detached buffer.
The original buffer will become invalid after this call.
Get the NULL buffer.
Class to represent an ALPC port section.
Handle to the port section.
Size of the port section.
The actual section size.
Create a new section view attribute.
Specify the flags for the data view attribute.
The section view size.
True to throw on error.
The section view attribute.
Create a new section view attribute.
True to throw on error.
The section view attribute.
Create a new section view attribute.
Specify the flags for the data view attribute.
The section view size.
The section view attribute.
Create a new section view attribute.
The section view attribute.
Dispose of the port section.
Supported windows verion
This should always be at the end.
Attribute to indicate the required version for a function.
Applied if the function needs a version greater than 7.
The supported version.
Constructor
The supported version
Attribute used for managed structures to indicate the start of data.
This is used in situations where the data immediately trail
Constructor
The field name which indicates the first address of data.
The field name which indicates the first address of data.
When allocating this structure always include the field in the total length calculation.
Class to represent an API set entry.
Flags for the entry.
The name of the API set.
The default host module.
Hash version of the name.
List of hosts.
Get host module for an import module.
Represents a single API set host.
The imported module this API set host applies to.
The module which implements this API set.
Is the host the default host.
Flags for API set namespace.
None.
The API set is sealed.
The API set is an extension.
Class to represent an API set namespace.
Flags for the namespace.
List of API set entries.
Get API set namespace from current process.
Gets an API set based on its name.
The API set name.
The API set entry. Returns null if not found.
Flags for a boundary descriptor
None
Automatically add the AppContainer package SID to the boundary
Class which represents a private namespace boundary descriptor
Constructor
The name of the boundary
Additional flags for the boundary
Constructor
The name of the boundary
Add a SID to the boundary descriptor.
This SID is used in an access check when creating or deleting private namespaces.
The SID to add.
Add an integrity level to the boundary descriptor.
This integrity level is used in an access check when creating or deleting private namespaces.
The integrity level to add.
Add a list of SIDs to the boundary descriptor.
The SIDs to add. This can include normal and integrity level SIDs
Add a list of SIDs to the boundary descriptor.
The first SID to add
Additional SIDs
The handle to the boundary descriptor.
Create a boundary descriptor from a string representation.
A boundary descriptor string of the form [SID[:SID...]@]NAME where SID is an SDDL format SID.
The new boundary descriptor.
Finalizer
Dispose
Some simple utilities to create structure buffers.
Create a buffer based on a passed type.
The type to use in the structure buffer.
The value to initialize the buffer with.
Additional byte data after the structure.
Indicates if additional_size includes the structure size or not.
The new structure buffer.
Create a buffer based on a passed type.
The type to use in the structure buffer.
The value to initialize the buffer with.
The new structure buffer.
Create a buffer based on a passed type.
The type to use in the structure buffer.
The value to initialize the buffer with.
The new structure buffer.
Create a buffer based on a passed type.
The type to use in the structure buffer.
The value to initialize the buffer with.
Additional byte data after the structure.
Indicates if additional_size includes the structure size or not.
The new structure buffer.
Create a buffer based on a byte array.
The byte array for the buffer.
The safe buffer.
Create an buffer from an array.
The array element type, must be a value type.
The array of elements.
The allocated array buffer.
Read a NUL terminated string for the byte offset.
The buffer to read from.
The byte offset to read from.
The string read from the buffer without the NUL terminator
Read a NUL terminated byte string for the byte offset.
The buffer to read from.
The byte offset to read from.
Text encoding for the string.
The string read from the buffer without the NUL terminator
Read a NUL terminated ANSI string for the byte offset.
The buffer to read from.
The byte offset to read from.
The string read from the buffer without the NUL terminator
Read a char array with length.
The buffer to read from.
The number of characters to read.
The byte offset to read from.
The chars read from the buffer
Read a Unicode string string with length.
The buffer to read from.
The number of characters to read.
The byte offset to read from.
The string read from the buffer.
Write char array.
The buffer to write to.
The byte offset to write to.
The chars to write.
Write unicode string.
The buffer to write to.
The byte offset to write to.
The string value to write.
Read bytes from buffer.
The buffer to read from.
The byte offset to read from.
The number of bytes to read.
The byte array.
Write bytes to a buffer.
The buffer to write to.
The byte offset to write to.
The data to write.
Get a structure buffer at a specific offset.
The type of structure.
The buffer to map.
The offset into the buffer.
The structure buffer.
The returned buffer is not owned, therefore you need to maintain the original buffer while operating on this buffer.
Creates a view of an existing safe buffer.
The buffer to create a view on.
The offset from the start of the buffer.
The length of the view.
The buffer view.
Note that the returned buffer doesn't own the memory, therefore the original buffer
must be maintained for the lifetime of this buffer.
Creates a view of an existing safe buffer.
The buffer to create a view on.
The offset from the start of the buffer.
The length of the view.
True to make the view writable, false for read-only.
The buffer view.
Note that the returned buffer doesn't own the memory, therefore the original buffer
must be maintained for the lifetime of this buffer.
Zero an entire buffer.
The buffer to zero.
Fill an entire buffer with a specific byte value.
The buffer to full.
The fill value.
Compare two buffers for equality.
The left buffer.
The offset into the left buffer.
The right buffer.
The offset into the right buffer.
The length to compare.
True if the buffers are equal.
Compare a buffer and a byte array for equality.
The buffer.
The offset into the left buffer.
The compare byte array.
True if the buffers are equal.
Find a byte array in a buffer. Returns all instances of the compare array.
The buffer to find the data in.
Start offset in the buffer.
The comparison byte array.
A list of offsets into the buffer where the compare was found.
Find a byte array in a buffer. Returns all instances of the compare array.
The buffer to find the data in.
The comparison byte array.
A list of offsets into the buffer where the compare was found.
Class to represent a Security Atttribute.
The name of the attribute.
The type of values.
The attribute flags.
The list of values.
The count of values.
Convert the attribute to a builder to modify it.
The builder object.
Convert the security attribute to an SDDL string.
The security attribute as an SDDL string.
Converts the attribute to a Resource Attribute ACE.
The resource attribute ACE.
Class to create a new user process using the native APIs.
Path to the executable to start.
Path to the executable to start which is passed in the process configuration.
Command line
Prepared environment block.
Title of the main window.
Path to DLLs.
Current directory for new process
Desktop information value
Shell information value
Runtime data.
Prohibited image characteristics for new process
Additional file access for opened executable file.
Process create flags.
Thread create flags.
Initialization flags
Parent process.
Restrict new child processes
Override restrict child process
Extra process/thread attributes
Added protected process protection level.
The type of protected process.
The signer level.
Return on error instead of throwing an exception.
Whether to terminate the process on dispose.
Specify a security descriptor for the process.
Specify a security descriptor for the initial thread.
Specify the primary token for the new process.
Access for process handle.
Access for thread handle.
Constructor
For the current process
The new forked process result
For the current process
Process create flags.
Thread create flags.
The new forked process result
For the current process
Process create flags.
Thread create flags.
True to throw on error.
The new forked process result
Start the new process based on the ImagePath parameter.
The result of the process creation
Start the new process
The image path to the file to execute
The result of the process creation
Result from a native create process call.
Handle to the process
Handle to the initial thread
Handle to the image file
Handle to the image section
Handle to the IFEO key (if it exists)
Image information
Client ID of process and thread
Process ID
Thread ID
Create status
True if create succeeded
Result of the create information
Creation state
Terminate the process
Exit code for termination
Resume initial thread
The suspend count
Set to true to terminate process on disposal
Finalizer
Dispose
The base class for a debug event.
Process ID for the event.
Thread ID for the event.
The event code.
Constructor.
The current debug event.
The debug port associated with this event.
Continue the debugged process.
The continue status code.
True to throw on error.
The NT status code.
Continue the debugged process.
The continue status code.
Continue the debugged process with a success code.
Dispose the event.
Debug event for the Create Process event.
Subsystem key for the process.
Handle to the process file (if available).
Base of image file.
Debug info file offset.
Debug info file size.
Subsystem key for the thread.
Start address of the thread.
Handle to the process (if available).
Handle to the thread (if available).
Dispose the event.
Debug event for the Create Thread event.
Subsystem key for the thread.
Start address of the thread.
Handle to the thread (if available).
Dispose the event.
Debug event for the Exit Thread event.
Exit status code.
Debug event for the Exit Process event.
Exit status code.
Debug event for load DLL event.
DLL file handle.
Base of loaded DLL.
Debug info offset.
Debug info size.
Address of name.
Dispose the event.
Debug event for unload DLL event.
Base of loaded DLL.
Debug event for exception event.
Indicates if this is a first chance exception.
Exception code.
Exception flags.
Pointer to next exception in the chain.
Address of exception.
Additional parameters for exception.
Debug event when we don't handle the state.
The raw debug event.
Represents a list where the elements can be trivially disposed in one go.
An IDisposable implementing type
Constructor
Constructor
The initial capacity of the list
Constructor
A collection to initialize the list
Add a resource to the list and return a reference to it.
The type of resource to add.
The resource object.
The added resource.
Add a resource to the list and return a reference to it.
The type of resource to add.
The added resource.
Convert this list to an array then clear it to the disposal no longer happens.
The elements as an array.
After doing this the current list will be cleared.
Detach a detachable reference and add it to the list.
The type of resource to detach.
The detached resource.
Dispose method
Implementation of disposable list which just accepts IDisposable objects.
Constructor
Constructor
The initial capacity of the list
Constructor
A collection to initialize the list
Adds a delegate which will be called when the list is disposed.
The delegate to call on dispose.
This can be used to add more complex disposable.
Disposable list of safe handles
Constructor
Constructor
The initial capacity of the list
Constructor
A collection to initialize the list
Move the handle list to a new disposable list.
The list of handles which have been moved.
After doing this the current list will be cleared.
Flags for an EA entry
No flags.
Processor must handle this EA.
A single EA entry.
Name of the entry
Data associated with the entry
Flags
Constructor
The name of the entry
Data associated with the entry
Flags for entry.
Constructor
The name of the entry
Data associated with the entry
Flags for entry.
Constructor
The name of the entry
Data associated with the entry
Flags for entry.
Get the EA buffer data as a string.
The data as a string.
Get the EA buffer data as an Int32.
The data as an Int32.
Convert entry to a string
The entry as a string
Class to create an Extended Attributes buffer for NtCreateFile
Constructor
Constructor
List of entries to add.
Constructor from a binary EA buffer
The EA buffer to parse
Constructor
Existing buffer to copy.
Add a new EA entry from an old entry. The data will be cloned.
The entry to add.
Add a new EA entry
The name of the entry
The associated data, will be cloned
The entry flags.
Add a new EA entry
The name of the entry
The associated data
The entry flags.
Add a new EA entry
The name of the entry
The associated data
The entry flags.
Get an entry by name.
The name of the entry.
The found entry.
Thrown if no entry by that name.
Remove an entry from the buffer.
The entry to remove.
Remove an entry from the buffer by name.
The name of the entry.
Thrown if no entry by that name.
Convert to a byte array
The byte array
Get the list of entries.
Get number of entries.
Get whether the buffer contains a specific entry.
The name of the entry.
True if the buffer contains an entry with the name.
Index to get an entry by name.
The name of the entry.
The found entry.
Thrown if no entry by that name.
Clear all entries.
Access rights generic mapping.
Mapping for Generic Read
Mapping for Generic Write
Mapping for Generic Execute
Mapping for Generic All
Map a generic access mask to a specific one.
The generic mask to map.
The mapped mask.
Get whether this generic mapping gives read access.
The mask to check against.
True if we have read access.
Get whether this generic mapping gives write access.
The mask to check against.
True if we have write access.
Get whether this generic mapping gives execute access.
The mask to check against.
True if we have execute access.
Get whether this generic mapping gives all access.
The mask to check against.
True if we have all access.
Try and unmap access mask to generic rights.
The mask to unmap.
The unmapped mask. Any access which can be generic mapped is left in the mask as specific rights.
Get the allowed access mask for a specified mandatory access policy.
The mandatory access policy.
The allowed access mask for the policy.
In general NoWriteUp will always be set on the policy.
Convert generic mapping to a string.
The generic mapping as a string.
Interface to abstract the kernel transaction manager support.
Get handle for the transaction.
Commit the transaction
Rollback the transaction
Enable the transaction for anything in the current thread context.
The transaction context. This should be disposed to disable the transaction.
Class to represent a mount point.
Symbolic link name.
Unique ID.
Device name.
Class to access mount point manager utilities.
Query the list of mount points.
True to throw on error.
The list of mount points.
Query the list of mount points.
The list of mount points.
Class to represent the USN journal data.
Flags for the USN journal change reason.
Class to represent a USN journal record.
Reference number of the file.
Reference number of the parent.
USN value.
Timestamp of entry.
Reason code.
Source info flags.
Security ID.
File attributes.
Filename.
Full path, if known.
Full Win32Path if known.
Flags for USN journal source information.
Class for methods relating to USN journal.
Read USN journal information.
The handle to the volume to query.
True to throw on error.
The USN journal information.
Read USN journal information.
The handle to the volume to query.
The USN journal information.
Read USN journal entries from the volume.
The volume to read.
The start USN to read.
Last USN to read, exclusive.
Mask for what records to read.
The list of USN journal entries.
Read all USN journal entries from the volume.
The volume to read.
The list of USN journal entries.
Read USN journal entries from the volume, unprivileged.
The volume to read.
The start USN to read.
Last USN to read, exclusive.
Mask for what records to read.
The list of USN journal entries.
Read USN journal entries from the volume, unprivileged.
The volume to read.
The list of USN journal entries.
An enumeration to reference a known SID.
NULL SID
Everyone SID
Local user SID
CREATOR OWNER SID
CREATOR GROUP SID
CREATOR OWNER SERVER SID
CREATOR OWNER SERVER SID
Service SID
ANONYMOUS LOGON SID
Authenticated Users SID
RESTRICTED SID
LOCAL SYSTEM SID
LOCAL SERVICE SID
NETWORK SERVICE SID
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES SID
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES
NT SERVICE\TrustedInstaller
BUILTIN\Users
BUILTIN\Administrators
APPLICATION PACKAGE AUTHORITY\Your Internet connection
APPLICATION PACKAGE AUTHORITY\Your Internet connection, including incoming connections from the Internet
APPLICATION PACKAGE AUTHORITY\Your home or work networks
APPLICATION PACKAGE AUTHORITY\Your pictures library
APPLICATION PACKAGE AUTHORITY\Your videos library
APPLICATION PACKAGE AUTHORITY\Your music library
APPLICATION PACKAGE AUTHORITY\Your documents library
APPLICATION PACKAGE AUTHORITY\Your Windows credentials
APPLICATION PACKAGE AUTHORITY\Software and hardware certificates or a smart card
APPLICATION PACKAGE AUTHORITY\Removable storage
APPLICATION PACKAGE AUTHORITY\Your Appointments
APPLICATION PACKAGE AUTHORITY\Your Contacts
APPLICATION PACKAGE AUTHORITY\Internet Explorer
Constrained Impersonation Capability
OWNER RIGHTS
NT AUTHORITY\SELF
NT AUTHORITY\WRITE RESTRICTED
BUILTIN\BUILTIN
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\DIALUP
NT AUTHORITY\NETWORK
NT AUTHORITY\BATCH
NT AUTHORITY\PROXY
Static methods to get some known SIDs.
NULL SID
Everyone SID
Local user SID
CREATOR OWNER SID
CREATOR GROUP SID
CREATOR OWNER SERVER SID
CREATOR OWNER SERVER SID
Service SID
ANONYMOUS LOGON SID
Authenticated Users SID
RESTRICTED SID
NT AUTHORITY\WRITE RESTRICTED
BUILTIN\BUILTIN
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\DIALUP
NT AUTHORITY\NETWORK
NT AUTHORITY\BATCH
NT AUTHORITY\PROXY
LOCAL SYSTEM SID
LOCAL SERVICE SID
NETWORK SERVICE SID
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES SID
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES
NT SERVICE\TrustedInstaller
BUILTIN\Users
BUILTIN\Administrators
APPLICATION PACKAGE AUTHORITY\Your Internet connection
APPLICATION PACKAGE AUTHORITY\Your Internet connection, including incoming connections from the Internet
APPLICATION PACKAGE AUTHORITY\Your home or work networks
APPLICATION PACKAGE AUTHORITY\Your pictures library
APPLICATION PACKAGE AUTHORITY\Your videos library
APPLICATION PACKAGE AUTHORITY\Your music library
APPLICATION PACKAGE AUTHORITY\Your documents library
APPLICATION PACKAGE AUTHORITY\Your Windows credentials
APPLICATION PACKAGE AUTHORITY\Software and hardware certificates or a smart card
APPLICATION PACKAGE AUTHORITY\Removable storage
APPLICATION PACKAGE AUTHORITY\Your Appointments
APPLICATION PACKAGE AUTHORITY\Your Contacts
APPLICATION PACKAGE AUTHORITY\Internet Explorer
Constrained Impersonation Capability
Get a known SID based on a specific enumeration.
The enumerated sid value.
Class to represent an Access Control Entry for a Mandatory Label.
Constructor.
Flags for the ACE.
The mandatory label policy.
The integrity level.
Constructor from a raw integrity level.
Flags for the ACE.
The mandatory label policy.
The integrity level sid.
The policy for the mandatory label.
Get or set the integrity level
Convert ACE to a string.
Class which represents a mapped file.
Native path to file.
Name of the file.
List of mapped sections.
Mapped base address of file.
Mapped size of file.
True if the mapped file is an image section.
Specified the signing level if an image (only on RS3+).
Class to represent memory information.
Base address of memory region.
Allocation base for memory region.
Initial allocation protection.
Region size.
Memory state.
Current memory protection.
Memory type.
The mapped image path, if an image.
The mapped image path name, if an image.
The region type.
Is this a software enclave.
Interface for a marshalled NDR conformant structure.
This interface is primarily for internal use only.
Gets the number of conformant dimensions, should be at least one.
The number of conformant dimensions.
Interface for a marshalled non-encapsulated NDR union.
This interface is primarily for internal use only.
Marshal the union to a stream.
The selector for union arm.
The marshal stream.
Interface for a marshalled NDR structure.
This interface is primarily for internal use only.
Marshal the stucture to a stream.
The marshal stream.
Unmarshal the structure from a stream.
The unmarshal stream.
Get the structure's alignment.
Structure to represent a context handle.
Context handle attributes.
Context handle UUID.
Constructor.
Context handle attributes.
Context handle UUID.
Overidden ToString method.
The handle as string.
NDR integer representation.
NDR character representation.
NDR floating point representation.
Definition of the NDR data representation for an NDR stream.
The integer representation of the NDR data.
The character representation of the NDR data.
The floating representation of the NDR data.
A class which represents an embedded pointer.
The underlying type.
Operator to convert from a value to an embedded pointer.
The value to point to.
Operator to convert from an embedded pointer to a value.
The embedded pointer.
Overridden ToString method.
The string form of the value.
Get the value from the embedded pointer.
The value of the pointer.
Structure to represent an empty value.
Class to represent a 16 bit enumerated type.
Value of the structure.
Constructor.
Constructor.
The value to construct from.
Constructor.
The value to construct from.
Constructor.
The value to construct from.
Constructor.
The value to construct from.
Constructor.
The value to construct from.
Constructor.
The value to construct from.
Constructor.
The value to construct from.
Equality operator.
The left value.
The right value.
True if the values are equal.
Inequality operator.
The left value.
The right value.
True if the values are not-equal.
Overridden ToString.
The value as a string.
ToString method.
The formatting string.
The value as a string.
IFormattable ToString.
The formatting string.
Formatting provider.
The value as a string.
Equals operator.
The other enum16.
True if the values are equal.
Compare
Overridden GetHashCode.
The hash code of the enumeration.
Structure which represents an NDR FC_INT3264
Value of the structure.
Constructor.
The value to construct from.
Constructor.
The value to construct from.
Convert to a native IntPtr.
The value to convert from.
Overridden ToString.
The value as a string.
ToString method.
The formatting string.
The value as a string.
IFormattable ToString.
The formatting string.
Formatting provider.
The value as a string.
Structure which represents an NDR FC_UINT3264
Value of the structure.
Constructor.
The value to construct from.
Constructor.
The value to construct from.
Constructor.
The value to construct from.
Convert to a native IntPtr.
The value to convert from.
Overridden ToString.
The value as a string.
ToString method.
The formatting string.
The value as a string.
IFormattable ToString.
The formatting string.
Formatting provider.
The value as a string.
Class to represent an NDR interface pointer.
The marshaled interface data.
Constructor.
The marshaled interface data.
A buffer to marshal NDR data to.
This class is primarily for internal use only.
Represents an NDR pickled type.
Constructor from a type 1 serialized buffer.
The type 1 serialized encoded buffer.
Convert the pickled type to a type 1 serialized encoded buffer.
The type 1 serialized encoded buffer.
Type for a synchronous NDR pipe.
The base type of pipe blocks.
The list of blocks for the pipe.
Constructor.
The list of blocks to return.
Constructor.
A single block to return.
Convert the pipe blocks to a flat array.
The flat array.
A buffer to unmarshal NDR data from.
This class is primarily for internal use only.
Place holder for unsupported types.
Class to represent a single COM proxy definition.
The name of the proxy interface.
The IID of the proxy interface.
The base IID of the proxy interface.
The number of dispatch methods on the interface.
List of parsed procedures for the interface.
Creates a proxy definition from a list of procedures.
The name of the proxy interface.
The IID of the proxy interface.
The base IID of the proxy interface.
The total dispatch count for the proxy interface.
The list of parsed procedures for the proxy interface.
Expression element.
Overridden ToString method.
The expression as a string.
The expression type.
Is this operator element valid.
Operator expression element.
NDR format type of element.
NDR format type of element.
Offset, used for OP_EXPRESSION.
Parsed arguments.
Overridden ToString method.
The expression as a string.
Variable expression element.
Offset of the variable.
NDR format type of element.
Overridden ToString method.
The expression as a string.
Expression element.
NDR format type of element.
Offset of the variable.
The value of the constant.
Overridden ToString method.
The expression as a string.
An interface which can be implemented to handle formatting parsed NDR data.
Format a complex type using the current formatter.
The complex type to format.
The formatted complex type.
Format a procedure using the current formatter.
The procedure to format.
The formatted procedure.
Format a COM proxy using the current formatter.
The COM proxy to format.
The formatted COM proxy.
Format an RPC server interface using the current formatter.
The RPC server.
The formatted RPC server interface.
An base class which describes a text formatter for NDR data.
This formatter generates data that the CPP compiler can (hopefully) understand,
at least it will serve as a good skeleton to support spinning up new projects easily.
Flags for the NDR formatter.
No flags.
Don't emit comments.
Default NDR formatter constructor.
Create the default formatter.
Specify a dictionary of IIDs to names.
Function to demangle COM interface names during formatting.
Formatter flags.
The default formatter.
Create the default formatter.
Specify a dictionary of IIDs to names.
Function to demangle COM interface names during formatting.
The default formatter.
Create the default formatter.
Specify a dictionary of IIDs to names.
Formatter flags.
The default formatter.
Create the default formatter.
Specify a dictionary of IIDs to names.
The default formatter.
Create the default formatter.
Formatter flags.
The default formatter.
Create the default formatter.
The default formatter.
NDR formatter constructor for CPP style output.
Create the CPP formatter.
Specify a dictionary of IIDs to names.
Function to demangle COM interface names during formatting.
Formatter flags.
The CPP formatter.
Create the CPP formatter.
Specify a dictionary of IIDs to names.
Function to demangle COM interface names during formatting.
The CPPformatter.
Create the CPP formatter.
Specify a dictionary of IIDs to names.
Formatter flags.
The CPP formatter.
Create the CPP formatter.
Specify a dictionary of IIDs to names.
The CPP formatter.
Create the default formatter.
Formatter flags.
The CPP formatter.
Create the default formatter.
The CPP formatter.
Flags for the parser.
No flags.
Ignore processing any complex user marshal types.
Resolve structure names, required private symbols.
Class to parse NDR data into a structured format.
Constructor.
Memory reader to parse from.
Process to read from.
Specify a symbol resolver to use for looking up symbols.
Flags which affect the parsing operation.
Constructor.
Process to parse from.
Specify a symbol resolver to use for looking up symbols.
Constructor.
Process to parse from.
Specify a symbol resolver to use for looking up symbols.
Flags which affect the parsing operation.
Constructor.
Specify a symbol resolver to use for looking up symbols.
Constructor.
Process to parse from.
Constructor.
Read COM proxy information from a ProxyFileInfo structure.
The address of the ProxyFileInfo structure.
The list of parsed proxy definitions.
Read COM proxy information from an array of pointers to ProxyFileInfo structures.
The address of an array of pointers to ProxyFileInfo structures. The last pointer should be NULL.
The list of parsed proxy definitions.
Read COM proxy information from a file.
The path to the DLL containing the proxy.
Optional CLSID for the proxy class.
List of IIDs to parse.
The list of parsed proxy definitions.
Read COM proxy information from a file.
The path to the DLL containing the proxy.
Optional CLSID for the proxy class.
The list of parsed proxy definitions.
Read COM proxy information from a file.
The path to the DLL containing the proxy.
The list of parsed proxy definitions.
Parse NDR content from an RPC_SERVER_INTERFACE structure in memory.
Pointer to the RPC_SERVER_INTERFACE.
The parsed NDR content.
Parse NDR content from an RPC_SERVER_INTERFACE structure in memory.
Pointer to the RPC_SERVER_INTERFACE.
Base address of the library which contains the interface.
The parsed NDR content.
Parse NDR content from an RPC_SERVER_INTERFACE structure in memory. Deprecated.
Pointer to the RPC_SERVER_INTERFACE.
The parsed NDR content.
Parse NDR content from an RPC_SERVER_INTERFACE structure in memory.
The path to a DLL containing the RPC_SERVER_INTERFACE.
Offset to the RPC_SERVER_INTERFACE from the base of the DLL.
The parsed NDR content.
Parse NDR procedures from an MIDL_SERVER_INFO structure in memory.
Pointer to the MIDL_SERVER_INFO.
Number of dispatch functions to parse.
The start offset to parse from. This is used for COM where the first few proxy stubs are not implemented.
List of names for the valid procedures. Should either be null or a list equal in size to dispatch_count - start_offset.
The parsed NDR content.
Parse NDR procedures from an MIDL_SERVER_INFO structure in memory.
Pointer to the MIDL_SERVER_INFO.
Number of dispatch functions to parse.
The start offset to parse from. This is used for COM where the first few proxy stubs are not implemented.
The parsed NDR content.
List of parsed types from the NDR.
List of parsed complex types from the NDR.
Parse NDR complex type information from a pickling structure. Used to extract explicit Encode/Decode method information.
The process to read from.
Pointer to the MIDL_TYPE_PICKLING_INFO structure.
The pointer to the MIDL_STUB_DESC structure.
Pointers to the the format string to the start of the types.
Specify additional parser flags.
The list of complex types.
This function is used to extract type information for calls to NdrMesTypeDecode2. MIDL_TYPE_PICKLING_INFO is the second parameter,
MIDL_STUB_DESC is the third, the Type Offsets is the fourth parameter.
Parse NDR complex type information from a pickling structure. Used to extract explicit Encode/Decode method information.
The process to read from.
Pointer to the MIDL_TYPE_PICKLING_INFO structure.
The pointer to the MIDL_STUBLESS_PROXY_INFO structure.
Pointer to the type pickling offset table.
Index into type_pickling_offset_table array.
Specify additional parser flags.
The list of complex types.
This function is used to extract type information for calls to NdrMesTypeDecode3. MIDL_TYPE_PICKLING_INFO is the second parameter,
MIDL_STUBLESS_PROXY_INFO is the third, the type pickling offset table is the fourth and the type index is the fifth.
Parse NDR complex type information from a pickling structure. Used to extract explicit Encode/Decode method information.
The process to read from.
Pointer to the MIDL_TYPE_PICKLING_INFO structure.
The pointer to the MIDL_STUB_DESC structure.
Offsets into the format string to the start of the types.
Specify additional parser flags.
The list of complex types.
This function is used to extract type information for calls to NdrMesTypeDecode2. MIDL_TYPE_PICKLING_INFO is the second parameter,
MIDL_STUB_DESC is the third (minus the offset).
Parse NDR complex type information from a pickling structure. Used to extract explicit Encode/Decode method information.
The process to read from.
Pointer to the MIDL_TYPE_PICKLING_INFO structure.
The pointer to the MIDL_STUB_DESC structure.
Offsets into the format string to the start of the types.
The list of complex types.
This function is used to extract type information for calls to NdrMesTypeDecode2. MIDL_TYPE_PICKLING_INFO is the second parameter,
MIDL_STUB_DESC is the third (minus the offset).
Parse NDR complex type information from a pickling structure. Used to extract explicit Encode/Decode method information.
Pointer to the MIDL_TYPE_PICKLING_INFO structure.
The pointer to the MIDL_STUB_DESC structure.
Offsets into the format string to the start of the types.
The list of complex types.
This function is used to extract type information for calls to NdrMesTypeDecode2. MIDL_TYPE_PICKLING_INFO is the second parameter,
MIDL_STUB_DESC is the third (minus the offset).
Exception thrown when NDR parsing fails.
Constructor.
Exception message.
Constructor.
Exception message.
Inner exception to wrap.
Class respresenting an RPC protocol sequence.
The protocol sequence for the endpoint.
The endpoint name.
A parsed NDR RPC_SERVER_INTERFACE structure.
The RPC interface GUID.
The RPC interface version.
The RPC transfer syntax GUID.
The RPC transfer syntax version.
List of parsed procedures.
List of protocol sequences.
Overridden ToString method.
The string form of this class.
NDR format character.
Class to build text strings for an NDR formatter.
Push an indent string on to the indent stack.
The string to indent any new lines.
The current builder instance.
Push an indent on to the indent stack.
The character to indent with.
The number of indent characters.
The current builder instance.
Pop the current indent off the indent stack.
The current builder instance.
Append a string to the builder.
The string to append.
The current builder instance.
Append a formatted string to the builder.
The string format.
The array of arguments to the formatter.
The current builder instance.
Append a new line to the builder.
The current builder instance.
Append a string to the builder with a new line.
The string to append.
The current builder instance.
Append a formatted string to the builder with a new line.
The string format.
The array of arguments to the formatter.
The current builder instance.
Overridden ToString method, returns the current state of the builder.
The current stated of the builder.
Utilities for NDR marshaling.
Specify NDR marshaler trace level.
Specify the NDR marshaler trace level.
Verbose marshal stack details.
Datalink address type.
Access rights for a firewall object.
Represents a firewall address and mask.
The IP address.
The mask.
Mask prefix length.
Overridden ToString method.
The value and mask as a string.
Address family when IP protocol is not specified.
IPv4
IPv6
Ethernet
None
Class to represent a firewall ALE endpoint.
The ID of the endpoint.
The local endpoint.
The remote endpoint.
The protocol type.
The LUID for the token associated with the endpoint.
The IPsec security association identifier.
The IPsec security association identifier to expire.
The IPsec status of the endpoint.
Flags.
Associated application.
Filename of AppId.
Enumeration for ALE layer types.
Class to represent a firewall callout object.
Flags for the callout.
Provider key.
Provider data.
Applicable layer key.
Callout ID.
Flags for a firewall callout.
Guids for pre-defined callouts.
Flags for classify output.
Class to represet the result of a classify operations.
Action type of the classify result.
Internal context.
ID of the filter.
Associated rights.
Classify flags.
Base class to implement common condition building operations.
Specify list of firewall filter conditions.
Add a condition.
The match type for the condition.
The field key for the condition.
The value for the condition.
Add a condition range.
The field key for the condition.
The low value for the range.
The high value from the range.
Add an executable filename condition.
The match type for the condition.
The path to the file to use.
Add an App ID condition.
The match type for the condition.
The path to the file already converted to absolute format.
Add a user ID security descriptor condition.
The match type for the condition.
The security descriptor.
Add a remote user ID security descriptor condition.
The match type for the condition.
The security descriptor.
Add a remote machine ID security descriptor condition.
The match type for the condition.
The security descriptor.
Add a IP protocol type condition.
The match type for the condition.
The protocol type for the condition.
Add a conditions flag condition.
The match type for the condition.
The flags for the condition.
Add IP address.
The match type for the condition.
True to specify remote, false for local.
The low IP address.
Add IP address range.
True to specify remote, false for local.
The low IP address.
The high IP address.
Add port range.
True to specify remote, false for local.
The low port.
The high port.
Add port.
The match type for the condition.
True to specify remote, false for local.
The port.
Add an IP endpoint.
The match type for the condition.
True to specify remote, false for local.
The IP endpoint.
Add token information.
The match type.
The token.
Add remote token information.
The match type.
The token.
Add remote machine token information.
The match type.
The token.
Add a package SID condition.
The match type.
The package SID.
Add a condition which excludes app containers.
Add a condition which includes app containers.
Adds details from a process, such as the process' App ID and package SID and token information.
The match type.
The process.
Adds details from a process, such as the process' App ID and package SID and token information.
The match type.
The PID of the process.
Add the RPC UUID.
Match type.
The RPC UUID.
Add a network event type.
Match type.
Network event type.
Constructor.
Firewall condition flags.
Guids for pre-defined firewall conditions.
Direction of stream for firewall.
Outbound flow.
Inbound flow.
Place holder for an empty value.
Overridden ToString method.
The value as a string.
Class to represent the firewall engine.
Open an instance of the engine.
The server name for the firewall service.
RPC authentication service. Use default or WinNT.
Optional authentication credentials.
Optional session information.
True to throw on error.
The opened firewall engine.
Open an instance of the engine.
The server name for the firewall service.
RPC authentication service. Use default or WinNT.
Optional authentication credentials.
Optional session information.
The opened firewall engine.
Open an instance of the engine.
True to throw on error.
The opened firewall engine.
Open an instance of the engine.
The opened firewall engine.
Open a dynamic instance of the engine.
True to throw on error.
The opened firewall engine.
Open a dynamic instance of the engine.
The opened firewall engine.
Get an engine option.
The option to get.
True to throw on error.
The engine option's value.
Get an engine option.
The option to get.
The engine option's value.
Get the current network event keywords setting.
True to throw on error.
The network event keywords.
Get the current network event keywords setting.
The network event keywords.
Get collect net events option.
True to throw on error.
True if net events are being collected.
Get collect net events option.
True if net events are being collected.
Set an engine option.
The option to set.
The value to set.
True to throw on error.
The NT status code.
Set an engine option.
The option to set.
The value to set.
Set network event keywords.
The keywords to set.
True to throw on error.
The NT status code.
Set network event keywords.
The keywords to set.
Set the collection net events engine option.
True to enable collection.
True to throw on error.
The NT status code.
Set the collection net events engine option.
True to enable collection.
Get a layer by its key.
The key of the layer.
True to throw on error.
The firewall layer.
Get a layer by its key.
The key of the layer.
The firewall layer.
Get a layer by its ID.
The ID of the layer.
True to throw on error.
The firewall layer.
Get a layer by its ID.
The ID of the layer.
The firewall layer.
Get a layer by its well-known key name.
The well-known key name of the layer.
True to throw on error.
The firewall layer.
Get a layer by its well-known key name.
The well-known key name of the layer.
The firewall layer.
Get a layer by an ALE layer type.
The ALE layer type.
True to throw on error.
The firewall layer.
Get a layer by an ALE layer type.
The ALE layer type.
The firewall layer.
Enumerate all layers.
True to throw on error.
The list of layers.
Enumerate all layers.
The list of layers.
Get a sub-layer by its key.
The key of the sub-layer.
True to throw on error.
The firewall sub-layer.
Get a sub-layer by its key.
The key of the sub-layer.
The firewall sub-layer.
Get a sub-layer by its well-known key name.
The well-known key name of the sub-layer.
True to throw on error.
The firewall sub-layer.
Get a sub-layer by its well-known key name.
The well-known key name of the sub-layer.
The firewall sub-layer.
Enumerate all sub-layers.
True to throw on error.
The list of sub-layers.
Enumerate all sub-layers.
The list of sub-layers.
Get a callout by its key.
The key of the callout.
True to throw on error.
The firewall callout.
Get a callout by its key.
The key of the callout.
The firewall callout.
Enumerate all callouts
True to throw on error.
The list of callouts.
Enumerate all callouts.
The list of callouts.
Get a filter by its key.
The key of the filter.
True to throw on error.
The firewall filter.
Get a filter by its key.
The key of the filter.
The firewall filter.
Get a filter by its id.
The ID of the filter.
True to throw on error.
The firewall filter.
Get a filter by its id.
The ID of the filter.
The firewall filter.
Enumerate filters
Specify a template for enumerating the filters.
True to throw on error.
The list of filters.
Enumerate filters
Specify a template for enumerating the filters.
The list of filters.
Enumerate all filters
True to throw on error.
The list of filters.
Enumerate all filters.
The list of filters.
Add a filter.
The builder used to create the filter.
Optional security descriptor.
True to throw on error.
The added filter ID.
Add a filter.
The builder used to create the filter.
Optional security descriptor.
The added filter ID.
Add a filter.
The builder used to create the filter.
The added filter ID.
Delete a filter.
The filter key.
True to throw on error.
The NT status.
Delete a filter.
The filter key.
Delete a filter.
The filter ID.
True to throw on error.
The NT status.
Delete a filter.
The filter ID.
Get a provider by its key.
The key of the provider.
True to throw on error.
The firewall provider.
Get a provider by its key.
The key of the provider.
The firewall provider.
Enumerate all providers.
True to throw on error.
The list of providers.
Enumerate all providers.
The list of providers.
Get the security descriptor for the IKE SA database.
What parts of the security descriptor to retrieve
True to throw on error.
The security descriptor
Get the security descriptor for the IKE SA database.
What parts of the security descriptor to retrieve
The security descriptor
Get the security descriptor for the IKE SA database.
The security descriptor
Enumerate all IKE security associatations.
True to throw on error.
The list of IKE security associatations.
Enumerate all IKE security associatations.
The list of IKE security associatations.
Get an IKE security association by its ID and lookup context.
The ID of the security association.
Optional lookup context.
True to throw on error.
The IKE security association.
Get an IKE security association by its ID and lookup context.
The ID of the security association.
Optional lookup context.
The IKE security association.
Classify a layer.
The ID of the layer.
A list of incoming values.
True to throw on error.
The classify result.
Classify a layer.
The ID of the layer.
A list of incoming values.
The classify result.
Enumerate IPSEC key managers.
True to throw on error.
The list of registered key managers.
Enumerate IPSEC key managers.
The list of registered key managers.
Get key manager component security descriptor.
The security information to query.
True to throw on error.
The security descriptor.
Get key manager component security descriptor.
The security information to query.
The security descriptor.
Open token from its modified ID.
The token's modified ID.
The desired token access.
True to throw on error.
The opened token.
Open token from its modified ID.
The token's modified ID.
The desired token access.
The opened token.
Enumerate all ALE endpoints.
True to throw on error.
The list of ALE endpoints.
Enumerate all ALE endpoints.
The list of ALE endpoints.
Get an ALE endpoint by its ID.
The ID of the ALE endpoint.
True to throw on error.
The ALE endpoint.
Get an ALE endpoint by its ID.
The ID of the ALE endpoint.
The ALE endpoint.
Get the ALE endpoint security.
The security information to query for.
True to throw on error.
The security descriptor.
Get the ALE endpoint security.
The security information to query for.
The security descriptor.
Enumerate all sessions.
True to throw on error.
The list of sessions.
Enumerate all sessions.
The list of sessions.
Enumerate all network events.
Template to filter down enumeration.
True to throw on error.
The list of network events.
Enumerate all network events.
True to throw on error.
The list of network events.
Enumerate all network events.
Template to filter down enumeration.
The list of network events.
Subscribe to read network event.s
True to throw on error.
Optional template to filter enumeration.
The network event listener.
Subscribe to read network event.s
Optional template to filter enumeration.
The network event listener.
Subscribe to read network event.s
True to throw on error.
The network event listener.
Begin a firewall transaction.
Flags for the transaction.
True to throw on error.
The firewall transaction.
Disposing the transaction will cause it to abort. You should call Commit to use it.
Enumerate all IPsec SA contexts.
True to throw on error.
The list of SA contexts.
Enumerate all IPsec SA contexts.
The list of SA contexts.
Get an IPsec SA context by its ID.
The ID of the IPsec SA context.
True to throw on error.
The IPsec SA context.
Get an IPsec SA context by its ID.
The ID of the IPsec SA context.
The IPsec SA context.
Begin a firewall transaction.
Flags for the transaction.
The firewall transaction.
Disposing the transaction will cause it to abort. You should call Commit to use it.
Begin a read/write firewall transaction.
The firewall transaction.
Disposing the transaction will cause it to abort. You should call Commit to use it.
Dispose the engine.
Get the security descriptor specifying which parts to retrieve
What parts of the security descriptor to retrieve
The security descriptor
Get the security descriptor specifying which parts to retrieve
What parts of the security descriptor to retrieve
True to throw on error.
The security descriptor
Engine option to query or set.
Represents a firewall field schema.
The field's key.
The name of the key if known.
The type of the field.
The data type of the field.
Field type.
A class to represent a firewall filter.
The filter action type.
The layer the filter applies to.
The name of the layer if known.
The sub-layer the filter applies to.
The name of the sub-layer if known.
The flags for the filter.
List of firewall conditions.
Original weight of the filter.
Provider key.
Provider data.
Filter identifier.
Effective weight of the filter.
Type of filter.
Key for the callout.
Name of the callout key if known.
Is the filter a callout.
Has the filter got an AppID condition.
Has the filter got an AppContainer package ID condition.
Has the filter got a condition to check for a user ID.
Has the filter got a condition to check for a remote user ID.
Get a layer for this filter.
True to throw on error.
The firewall layer.
Get a layer for this filter.
The firewall layer.
Get a sub-layer for this filter.
True to throw on error.
The firewall sub-layer.
Get a sub-layer for this filter.
The firewall sub-layer.
Check if filter has any condition of a specific type.
The condition type to check.
True if the filter has a condition of the specified type.
Get the filter condition for a GUID.
The condition type to get.
The filter condition.
Delete the filter.
True to throw on error.
The NT status.
Delete the filter.
Convert the filter into a builder so that it can be modified.
The created builder.
Access rights for a firewall filter.
A builder to create a new firewall filter.
The name of the filter.
The description of the filter.
The filter key. If empty will be automatically assigned.
The layer key.
The sub-layer key.
Flags for the filter.
Specify the initial weight.
You need to specify an EMPTY, UINT64 or UINT8 value.
Specify the action for this filter.
Specify the filter type GUID when not using a callout.
Specify callout key GUID when using a callout.
Specify provider key GUID.
Constructor.
Firewall filter condition.
The match type.
The key of the field.
The field key name.
The value for the condition
Constructor.
The condition match type.
The field key.
The value.
Overridden ToString method.
The condition as a string.
Options for enumerating a filter.
Specify the key for the layer to search for.
Specify the provider key.
Specify the flags for the enumeration.
Specify the action type.
Constructor.
The layer key.
Constructor.
The ALE layer type..
Constructor.
Class to represent a firewall layer object.
Layer flags.
Default sub-layer key.
The layer ID.
List of fields.
Is builtin layer.
Is a user-mode layer.
Enumerate filters for this layer.
True to throw on error.
The list of sorted filters.
Enumerate filters for this layer.
The list of sorted filters.
Flags for a firewall layer.
Guids for pre-defined firewall layers.
Firewall filter match type.
Direction type for a network event.
Inbound
Outbound.
Forwarding
Loopback.
Base class for a firewall network event.
Type of network event.
Flags for values set.
Timestamp of the event.
Type of protocol.
Local endpoint.
Remote endpoint.
IPv6 Scope ID.
Connection AppID.
Connection user ID.
Address family.
Package SID.
Class to represent a network event capability allow.
AppContainer network capability.
Filter ID.
Indicates whether the packet originated from (or was heading to) the loopback adapter.
Class to represent a network event capability drop.
AppContainer network capability.
Filter ID.
Indicates whether the packet originated from (or was heading to) the loopback adapter.
Class to represent a firewall classification allow.
Filter ID.
Layer ID.
Reason for reauthorizing
The original profile the connection was received on.
The profile the error occurred on.
Indicates the direction of the packet transmission.
Indicates whether the packet originated from (or was heading to) the loopback adapter.
Class to represent a firewall classification drop.
Filter ID.
Layer ID.
Reason for reauthorizing
The original profile the connection was received on.
The profile the error occurred on.
Indicates the direction of the packet transmission.
Indicates whether the packet originated from (or was heading to) the loopback adapter.
GUID identifier of a vSwitch.
Transient source port of a packet within the vSwitch.
Transient destination port of a packet within the vSwitch.
Template for network event enumeration.
Start time for events.
End time for event.s
Constructor.
Flags for a network event.
Class to represent an IKEEXT extended mode failure event.
Windows error code for the failure
Point of failure
Flags for the failure event
IKE or Authip.
Extended mode mode state
Initiator or Responder
Authentication method
Hash (SHA thumbprint) of the end certificate corresponding to failures
that happen during building or validating certificate chains.
LUID for the MM SA
Quick mode filter ID
Name of local security principal that was authenticated, if available.
If not available, an empty string will be stored.
Name of remote security principal that was authenticated, if available.
If not available, an empty string will be stored.
Array of group SIDs corresponding to the local security principal that
was authenticated, if available.
Array of group SIDs corresponding to the remote security principal that
was authenticated, if available.
Class to represent an IKEEXT main mode failure event.
Windows error code for the failure
Point of failure
Flags for the failure event
IKE or Authip.
Main mode state
Initiator or Responder
Authentication method
Hash (SHA thumbprint) of the end certificate corresponding to failures
that happen during building or validating certificate chains.
LUID for the MM SA
Main mode filter ID
Name of local security principal that was authenticated, if available.
If not available, an empty string will be stored.
Name of remote security principal that was authenticated, if available.
If not available, an empty string will be stored.
Array of group SIDs corresponding to the local security principal that
was authenticated, if available.
Array of group SIDs corresponding to the remote security principal that
was authenticated, if available.
Class to represent an IKEEXT quick mode failure event.
Windows error code for the failure
Point of failure
IKE or Authip.
Main mode state
Initiator or Responder
Tunnel or transport mode.
Main mode filter ID
Local subnet address and mask.
Remote subnet address and mask.
Class to represent an IPsec kernel drop event.
Failure error code.
Connection direction.
Security parameter index.
Filter ID.
Layer ID.
Flags for network events to capture.
Class to listen for network events.
Read the next network event.
Timeout in milliseconds.
Returns null if not event available, otherwise the next event.
Read the next network event. Waiting indefinetely for the event.
Returns null if not event available, otherwise the next event.
Dispose the listener.
Type of network event.
AppContainer capability type.
Abstract class to represent a firewall object.
The object's key.
The object's name.
The object's description.
The object's key name.
The object's security descriptor.
Get the security descriptor specifying which parts to retrieve
What parts of the security descriptor to retrieve
The security descriptor
The firewall engine object must still be open.
Get the security descriptor specifying which parts to retrieve
What parts of the security descriptor to retrieve
True to throw on error.
The security descriptor
The firewall engine object must still be open.
Profile ID for the firewall.
Class to represent a firewall provider.
Name of the service which implements the provider.
Flags for the provider.
Provider data.
Flags for a firewall provider.
A firewall value range.
The low value.
The high value.
Overridden ToString method.
The range as a string.
Right action flags.
Class to represent a firewall session.
The session key.
Name of the session.
Description of the session.
Session flags.
Transaction wait timeout in ms.
The process ID of the session owner.
The user SID of the owner.
The name of the owner.
Is session kernel mode.
Constructor. Used when opening a session.
The name of the session.
The description of the sesion.
Session flags.
Transaction timeout in ms.
Constructor. Used when opening a session.
Session flags.
Class to represent a firewall sublayer.
Sub-layer flags.
The provider key.
Provider data.
Weight of the sub-layer.
Flags for a sub-layer.
Guids for pre-defined firewall sub-layers.
Token information for a condition.
The list of SIDs.
The list of restricted SIDs.
Capabilities.
This is only used for local filtering. It's not used by WFP.
Appcontainer SID.
This is only used for local filtering. It's not used by WFP.
User SID.
This is only used for local filtering. It's not used by WFP.
Constructor from a token.
The token to constructo from.
Constructor.
The list of SIDs.
The list of restricted SIDs.
Class to scope a firewall transaction.
Abort the transaction.
True to throw on error.
The NT status code.
Abort the transaction.
Commit the transaction.
True to throw on error.
The NT status code.
Commit the transaction.
Dispose the transaction. Will ca
Flags when creating a transaction.
No flags, creates a read/write transaction.
Read-only transaction.
Static class for firewall utility functions.
Name for fake NT type.
Name for fake filter NT type.
Get the NT type for the firewall.
Get the NT type for the firewall.
Get the generic mapping for a firewall object.
The firewall object generic mapping.
Get the generic mapping for a firewall filter object.
The firewall filter object generic mapping.
Get App ID from a filename.
The filename to convert.
True to throw on error.
The App ID.
Get App ID from a filename.
The filename to convert.
The App ID.
Get a list of known layer names.
The list of known layer names.
Get a list of known layer guids.
The list of known layer guids.
Get a known layer GUID from its name.
The name of the layer.
The known layer GUID.
Get a known callout GUID from its name.
The name of the callout.
The known callout GUID.
Get a list of known sub-layer names.
The list of known sub-layer names.
Get a list of known callout names.
The list of known callout names.
Get a list of known sub-layer guids.
The list of known sub-layer guids.
Get a known sub-layer GUID from its name.
The name of the sub-layer.
The known sub-layer GUID.
Get a layer GUID for an ALE layer enumeration.
The ALE layer enumeration.
The ALE layer GUID.
Firewall value.
Type of the value.
The raw value.
The context specific value, might be the same as the original.
Get a value which represents Empty.
Create a value from a security descriptor.
The security descriptor.
The firewall value.
Create a value from a SID.
The SID.
The firewall value.
Create a value.
The value.
The firewall value.
Create a value.
The value.
The firewall value.
Create a value.
The value.
The firewall value.
Create a value.
The value.
The firewall value.
Create a value.
The value.
The firewall value.
Create a value.
The value.
The firewall value.
Create a value.
The value.
The firewall value.
Create a value.
The value.
The firewall value.
Create a value.
The value.
The firewall value.
Create a value.
The value.
The firewall value.
Create a value.
The value.
The firewall value.
Create a value.
The value.
The firewall value.
Create a value.
The value.
The firewall value.
Create a value.
The IPv4 address.
The IPv4 mask.
The firewall value.
Create a value.
The IPv6 address.
The prefix length.
The firewall value.
Create a value.
The value.
The firewall value.
Create a value.
The value.
The firewall value.
Create a value.
The value.
The firewall value.
Create a range value.
The low value.
The high value.
The firewall value.
Create a value.
The value.
The firewall value.
Create a value.
The value.
The firewall value.
Create a value.
The value.
The firewall value.
Create a value.
The value.
The firewall value.
Overridden ToString method.
The value as a string.
Class to represent a certificate credential.
Certificate subject name.
Certificatehash.
Flags.
Certificate.
Overridden ToString method.
The pair as a string.
Class to represent an IKE credential.
Authentication method type.
Impersonation type.
Overridden ToString method.
The pair as a string.
Structure to represent a pair of credentials.
Local credentials.
Peer credentials.
Overridden ToString method.
The pair as a string.
IKEEXT EM failure flags.
Flag indicating that multiple IKE EM failure events have been reported that
should be correlated using the mmId field.
Flag indicating that the IKE EM failure event is a benign/expected failure
IKE extended mode states
Initial state. No EM packets have been sent to the peer yet.
State corresponding to the first EM roundtrip
State corresponding to the second EM roundtrip
State corresponding to the final EM roundtrip
State corresponding to the final EM roundtrip
EM has been completed
IKEEXT MM failure flags.
Flag indicating that the IKE MM failure event is a benign/expected failure.
Flag indicating that multiple IKE MM failure events have been reported that
should be correlated using the mmId field.
IKE main mode states
Initial state. No MM packets have been sent to the peer yet.
First roundtrip packet has been sent to the peer.
Second roundtrip packet has been sent to the peer, for SSPI auth.
Second roundtrip packet has been sent to the peer.
Final roundtrip packet has been sent to the peer.
MM has been completed.
IKE quick mode states
Initial state. No QM packets have been sent to the peer yet.
State corresponding to the first QM roundtrip
State corresponding to the final QM roundtrip
QM has been completed.
IKE main mode or quick mode SA role
SA is initiator
SA is responder
Class to represent an IKE name credential.
The credential principal name.
Overridden ToString method.
The pair as a string.
Class to represent an IKE pre-shared key credential.
The pre-shared key.
Key flags.
Class to represent an IKE security association.
ID for the security association.
Key module type.
The local address of the association.
The remote address of the association.
Initiator cookie.
Responder cookie.
IKE policy key,
Virtual interface tunnel ID.
Correlation key.
List of credentials.
Cipher algorithm for the security association.
Length of the key.
Number of rounds.
Integrity algorithm for the security association.
Maximum lifetime in seconds.
Diffie-Hellman group.
Quick mode limit.
IPsec auth config.
IPsec authentication type.
IPsec Cipher Configuration.
IPSec Cipher Type.
Type used for indicating where an IPsec failure occured.
No information available.
IPsec failure happened on local machine.
IPsec failure happened on remote machine.
Class to represent a IPsec identity
Main-mode target name.
Extended mode target name.
List of tokens.
Explicit credentials handle.
Logon ID.
Class to prepresent a key manager.
The manager's key.
The manager's name.
The manager's description.
The manager's flags.
The manager's dictation timeout hint.
Flags for IPsec key manager.
IPsec perfect forward secrecy group.
Class to represent the details of an IPsec security association.
Directory of SA.
Local endpoint.
Remote endpoint.
Traffic type.
Traffic type ID.
IP protocol type.
Interface LUID.
Real interface profile ID.
The SA bundle.
Local IPv4 UDP encapsulation port.
Remote IPv4 UDP encapsulation port.
Transport filter.
Virtual interface tunnel ID.
Traffic selector ID.
Overridden ToString method.
The overridden ToString method.
Class to represent a security association bundle.
Flags for the SA.
SA lifetime in seconds.
SA lifetime in KiB.
SA lifetime in packets.
Idle timeout.
ND allow clear timeout.
Identity for IPsec SA.
NAP context.
Quick-mode SA ID.
Key module key.
Key module state blob.
List of security association parameters.
Peer V4 private address.
Main-mode SA ID.
PFS group.
SA lookup context.
QM filter ID.
IPsec SA bundle flags.
Negotiation discovery is enabled in secure ring.
Negotiation discovery in enabled in the untrusted perimeter zone.
Peer is in untrusted perimeter zone ring and a network address translation (NAT) is in the way. Used with negotiation discovery.
Indicates that this is an SA for connections that require guaranteed encryption.
Indicates that this is an SA to an NLB server.
Indicates that this SA should bypass machine LUID verification.
Indicates that this SA should bypass impersonation LUID verification.
Indicates that this SA should bypass explicit credential handle matching.
Allows an SA formed with a peer name to carry traffic that does not have an associated peer target.
Clears the DontFragment bit on the outer IP header of an IPsec-tunneled packet. This flag is applicable only to tunnel mode SAs.
Default encapsulation ports (4500 and 4000) can be used when matching this SA with packets on outbound connections that do not have an associated IPsec-NAT-shim context.
Peer has negotiation discovery enabled, and is on a perimeter network.
Suppresses the duplicate SA deletion logic. THis logic is performed by the kernel when an outbound SA is added, to prevent unnecessary duplicate SAs.
Indicates that the peer computer supports negotiating a separate SA for connections that require guaranteed encryption.
Class to represent an IPsec security association context.
ID of the context.
Inbound security association.
Outbound security association.
Base security association class.
Index of the security parameter (SPI).
Transform type.
IPsec SA authentication information.
Type of authentication.
Authentication configuration.
Module ID for the crypto.
Authentication key.
IPsec SA authentication information.
Type of cipher.
Cipher configuration.
Module ID for the crypto.
Cipher key.
IPsec SA authentication information.
Type of authentication.
Authentication configuration.
Modify ID for the crypto.
Authentication key.
Type of cipher.
Cipher configuration.
Module ID for the crypto.
Cipher key.
Class to represent an IPsec token.
Type of token.
Token principal.
Token mode.
Handle to the token.
Get the token from the IKEEXT service.
True to throw on error.
The token.
Get the token from the IKEEXT service.
The token.
IPsec traffic type.
Network interface type.
See https://www.iana.org/assignments/ianaiftype-mib
Network layer address type.
Type of network tunnel.
Endpoint implementation for a HyperV socket.
Address family.
Protocol type for HyperV sockets.
Default constructor.
Constructor.
Get or set the service ID.
Get or set the VM ID.
Address family.
Serialize the socket address.
The serialized address.
Create a endpoint from a socket address.
The socket address.
The created endpoint.
Overridden ToString method.
The endpoint as a string.
Overridden equals method.
The object to compare.
True if the objects are equal.
Get endpoint hash code.
The hashcode.
GUIDs for HyperV Sockets.
Allows accepting connections from all partitions.
Broadcast. Send to all sockets.
Allows accepting connections form all child partitions.
Connect or bind to the loopback address.
Connect to the parent container.
Connect to the silo host container.
VSOCK template GUID.
Create an address for a VSOCK port.
The VSOCK port.
The address.
Checks if an address is a VSOCK address.
The address to check.
True if a VSOCK address.
Get the port for a VSOCK address.
The address to query.
The VSOCK port.
Throw if not a valid VSOCK address.
Convert an address to a string.
The address to convert.
The converted address. If not symbolic name found will return the GUID as a string.
Class to represent current socket security configuration.
Access token for the peer application.
Access token for the peer machine.
Socket security flags.
Security association ID for main mode.
Security association ID for quick mode.
Negotiation windows error.
Security association lookup context. Can be used to bypass security
checks for querying the security association information from the
firewall.
Dispose method.
Socket security IPsec flags.
Flags for querying socket security fields.
Flags for querying socket security information.
Socket security query flags.
Socket security setting flags.
Settings for socket security
The security flags.
The IPsec flags.
AuthIP MM policy key.
AuthIP QM policy key.
User credentials.
Authentication ID of a user, needs kernel mode to set.
Utilities for socket security.
Impersonate the socket's peer.
The socket to impersonate.
Optional peer address. Only needed for datagram sockets.
True to throw on error.
The impersonation context.
Impersonate the socket's peer.
The socket to impersonate.
Optional peer address. Only needed for datagram sockets.
The impersonation context.
Impersonate the socket's peer.
The TCP client to impersonate.
True to throw on error.
The impersonation context.
Impersonate the socket's peer.
The TCP client to impersonate.
The impersonation context.
Query the socket security information.
The socket to query.
Optional peer address. Only needed for datagram sockets.
Optional desired access for peer tokens. If set to None then no tokens will be returned.
True to throw on error.
The socket security information.
Query the socket security information.
The socket to query.
Optional peer address. Only needed for datagram sockets.
Optional desired access for peer tokens. If set to None then no tokens will be returned.
The socket security information.
Query the socket security information.
The TCP client to query.
Optional desired access for peer tokens. If set to None then no tokens will be returned.
True to throw on error.
The socket security information.
Query the socket security information.
The TCP client to query.
Optional desired access for peer tokens. If set to None then no tokens will be returned.
The socket security information.
Set the socket security information.
The socket to set.
The security settings.
True to throw on error.
The NT status code.
Set the socket security information.
The socket to set.
The security settings.
Set the socket security information.
The TCP listener to set.
The security settings.
True to throw on error.
The NT status code.
Set the socket security information.
The TCP listener to set.
The security settings.
Set the socket security information.
The TCP client to set.
The security settings.
True to throw on error.
The NT status code.
Set the socket security information.
The TCP client to set.
The security settings.
Set target peer for socket.
The socket to set.
The target name.
Optional peer address. Only needed for datagram sockets.
True to throw on error.
The NT status code.
Set target peer for socket.
The socket to set.
The target name.
Optional peer address. Only needed for datagram sockets.
Set target peer for socket.
The socket to set.
The target name.
True to throw on error.
The NT status code.
Set target peer for socket.
The socket to set.
The target name.
Set target peer for socket.
The socket to set.
The target name.
True to throw on error.
The NT status code.
Set target peer for socket.
The socket to set.
The target name.
Delete target peer for socket.
The socket to set.
Peer address.
True to throw on error.
The NT status code.
Security protocol for a socket.
Endpoint implementation for a AF_UNIX socket.
Default constructor.
Constructor.
The path to the unix socket.
Get or set the path.
Address family.
Serialize the socket address.
The serialized address.
Create a endpoint from a socket address.
The socket address.
The created endpoint.
Overridden ToString method.
The endpoint as a string.
Overridden equals method.
The object to compare.
True if the objects are equal.
Get endpoint hash code.
The hashcode.
A class to represent a TLS record.
TLS record type.
Version of protocol.
The record data.
Parse a TLS record from a binary reader.
The reader to read from.
The parsed TLS record.
Parse a TLS record from a byte array.
The byte array.
The parsed TLS record.
Type for a TLS record.
Change cipher spec.
Alert.
Handshake.
Application data.
Class to represent an ALPC port.
Disconnect this port.
Disconection flags.
True to throw on error.
The NT status code.
Disconnect this port.
Disconection flags.
Disconnect this port.
Cancel a message based on a context attribute.
Cancellation flags.
The context attributes.
True to throw on error.
The NT status code.
Cancel a message based on a context attribute.
Cancellation flags.
The context attributes.
Cancel a message based on a context attribute.
The context attributes.
Send and receive messages on an ALPC port.
Send/Receive flags.
The message to send. Optional.
The attributes to send with the message. Optional.
The message to receive. Optional.
The attributes to receive with the message. Optional.
Time out for the send/receive.
True to throw on error.
The NT status code.
The attribute parameters will be repopulated with the attribute results.
Send and receive messages on an ALPC port.
Send/Receive flags.
The message to send. Optional.
The attributes to send with the message. Optional.
The message to receive. Optional.
The attributes to receive with the message. Optional.
Time out for the send/receive.
True if completed successfully, false if timed out.
Thrown on error.
Send a message on an ALPC port.
Send flags.
The message to send. Optional.
The attributes to send with the message. Optional.
Time out for the send/receive.
True to throw on error.
The NT status code.
The attribute parameters will be repopulated with the attribute results.
Send a message on an ALPC port.
Send flags.
The message to send. Optional.
The attributes to send with the message. Optional.
Time out for the send/receive.
The attribute parameters will be repopulated with the attribute results.
True if completed successfully, false if timed out.
Thrown on error.
Send a message on an ALPC port.
Send flags.
The message to send. Optional.
The attribute parameters will be repopulated with the attribute results.
Receive a message on an ALPC port.
Receive flags.
The maximum length to receive.
The attributes to receive with the message. Optional.
Time out for the send/receive.
True to throw on error.
The received message.
The attribute parameters will be repopulated with the attribute results.
Receive a message on an ALPC port.
Receive flags.
The maximum length to receive.
The attributes to receive with the message. Optional.
Time out for the send/receive.
The received message.
The attribute parameters will be repopulated with the attribute results.
Receive a message on an ALPC port.
Receive flags.
The maximum length to receive.
The attributes to receive with the message. Optional.
The received message.
The attribute parameters will be repopulated with the attribute results.
Receive a message on an ALPC port.
Receive flags.
The maximum length to receive.
The received message.
The attribute parameters will be repopulated with the attribute results.
Receive a message on an ALPC port.
Receive flags.
The attributes to receive with the message. Optional.
Time out for the send/receive.
True to throw on error.
The received message.
The attribute parameters will be repopulated with the attribute results.
The type of structure to receive.
Receive a message on an ALPC port.
Receive flags.
The attributes to receive with the message. Optional.
Time out for the send/receive.
The attribute parameters will be repopulated with the attribute results.
The type of structure to receive.
Receive a message on an ALPC port.
Receive flags.
The attributes to receive with the message. Optional.
The attribute parameters will be repopulated with the attribute results.
The type of structure to receive.
Receive a message on an ALPC port.
Receive flags.
The type of structure to receive.
Impersonate client of port for a message.
The message send by the client.
Impersonation flags.
Required impersonation level. Need to set RequiredImpersonationLevel flag as well.
True to throw on error.
Thread impersonation context.
Impersonate client of port for a message.
The message send by the client.
Impersonation flags.
Required impersonation level. Need to set RequiredImpersonationLevel flag as well.
Thread impersonation context.
Impersonate client of port for a message.
The message send by the client.
Thread impersonation context.
Impersonate client container of port for a message.
The message send by the client.
Impersonation flags.
True to throw on error.
Thread impersonation context.
Impersonate client container of port for a message.
The message send by the client.
Impersonation flags.
Thread impersonation context.
Impersonate client container of port for a message.
The message send by the client.
Thread impersonation context.
Open the process of the message sender.
The sent message.
Optional flags. Currently none defined.
The desired access for the process.
Optional object attributes.
True to throw on error.
The opened process object.
Open the process of the message sender.
The sent message.
Optional flags. Currently none defined.
The desired access for the process.
Optional object attributes.
The opened process object.
Open the process of the message sender.
The sent message.
The desired access for the process.
The opened process object.
Open the process of the message sender with maximum privileges.
The sent message.
The opened process object.
Open the thread of the message sender.
The sent message.
Optional flags. Currently none defined.
The desired access for the thread.
Optional object attributes.
True to throw on error.
The opened thread object.
Open the thread of the message sender.
The sent message.
Optional flags. Currently none defined.
The desired access for the thread.
Optional object attributes.
The opened thread object.
Open the thread of the message sender.
The sent message.
The desired access for the thread.
The opened thread object.
Open the thread of the message sender with maximum privileges.
The sent message.
The opened thread object.
Associate an IO completion port with this ALPC port.
The IO completion object.
Optional completion key.
True to throw on error.
The NT status code.
Associate an IO completion port with this ALPC port.
The IO completion object.
Optional completion key.
The NT status code.
Check if the current SID matches the connected SID.
The SID to compare.
True to throw on error.
True if the connected SID matches the specified SID.
Check if the current SID matches the connected SID.
The SID to compare.
True if the connected SID matches the specified SID.
Create a new port section.
Flags for the port section.
Optional backing section.
Size of the section to create.
True to throw on error.
The created port section.
Create a new port section.
Flags for the port section.
Optional backing section.
Size of the section to create.
The created port section.
Create a new port section.
Flags for the port section.
Size of the section to create.
The created port section.
Create a new port section.
Size of the section to create.
The created port section.
Get a handle entry for a message.
The handle index to get.
The associated message.
True to throw on error.
The ALPC handle entry.
Get a handle entry for a message.
The handle index to get.
The associated message.
The ALPC handle entry.
Create a security context.
Flags for the creation.
Security quality of service.
True to throw on error.
The created security context.
Create a security context.
Flags for the creation.
Security quality of service.
The created security context.
Create a security context.
Security quality of service.
The created security context.
Create a security context.
The created security context.
Set port attribute flags.
The flags to set.
True to throw on error.
The NT status code.
Method to query information for this object type.
The information class.
The buffer to return data in.
Return length from the query.
The NT status code for the query.
Method to set information for this object type.
The information class.
The buffer to set data from.
The NT status code for the set.
Port flags.
Port sequence number.
Port context.
Class to represent an ALPC client port.
Connect to an ALPC port.
The path to the port.
Object attributes for the handle. Optional.
Attributes for the port. Optional.
Send flags for the initial connection message.
Required SID for the server.
Initial connection message.
Outbound message attributes.
Inbound message atributes.
Connect timeout.
True to throw on error.
The connected ALPC port.
Connect to an ALPC port.
The path to the port.
Object attributes for the handle. Optional.
Attributes for the port. Optional.
Send flags for the initial connection message.
Required SID for the server.
Initial connection message.
Outbound message attributes.
Inbound message atributes.
Connect timeout.
The connected ALPC port.
Thrown on error.
Connect to an ALPC port.
The name of the port to connect to.
Attributes for the port.
The connected ALPC port object.
Connect to an ALPC port.
Object attribute for the port name.
Object attributes for the handle. Optional.
Attributes for the port. Optional.
Send flags for the initial connection message.
Required security descriptor for the server.
Initial connection message.
Outbound message attributes.
Inbound message atributes.
Connect timeout.
True to throw on error.
The connected ALPC port.
Only available on Windows 8+.
Connect to an ALPC port.
Object attribute for the port name.
Object attributes for the handle. Optional.
Attributes for the port. Optional.
Send flags for the initial connection message.
Required security descriptor for the server.
Initial connection message.
Outbound message attributes.
Inbound message atributes.
Connect timeout.
The connected ALPC port.
Thrown on error.
Connect to an ALPC port.
Object attribute for the port name.
Attributes for the port.
The connected ALPC port object.
Get the server process information.
True to throw on error.
The process information.
Get the server process information.
The process information.
Get the server process ID.
Get the server session ID.
Class to represent an ALPC server port.
Create an ALPC port.
The object attributes for the port.
The attributes for the port.
True to throw on error.
The created object.
Create an ALPC port.
The object attributes for the port.
The attributes for the port.
The created object.
Thrown on error.
Create an ALPC port.
The name of the port to create.
The attributes for the port.
The created object.
Thrown on error.
Accept a new connection on a port.
The message send flags.
Object attributes. Optional.
The attributes for the port.
Port context. Optional.
Connect request message.
Connect request attributes.
True to accept the connection.
True to throw on error.
The accepted port.
Accept a new connection on a port.
The message send flags.
Object attributes. Optional.
The attributes for the port.
Port context. Optional.
Connect request message.
Connect request attributes.
True to accept the connection.
The accepted port.
Accept a new connection on a port.
The message send flags.
Connect request message.
Connect request attributes.
True to accept the connection.
The accepted port.
Access rights for ALPC
ALPC Port Information Class
If set then object duplication won't complete. Used by RPC to ensure
multi-handle attributes don't fail when receiving.
Use in a reply to release the view.
Automatically release the view once it's passed to the receiver.
Make the data view secure.
When used all structures passed to kernel need to be 64 bit versions.
Static utilities for ALPC.
Wait for the result to complete. This could be waiting on an event
or the file handle.
Wait timeout. Will cancel the operation if it times out.
Returns true if the wait completed successfully.
If true is returned then status and information can be read out.
Wait for the result to complete asynchronously. This could be waiting on an event
or the file handle.
Cancellation token.
Returns true if the wait completed successfully.
If true is returned then status and information can be read out.
Return the status information field.
Thrown if not complete.
Return the status information field. (32 bit)
Thrown if not complete.
Get completion status code.
Thrown if not complete.
Returns true if the call is pending.
Dispose object.
Reset the file result so it can be reused.
Cancel the pending IO operation.
Cancel the pending IO operation.
True to throw on error.
The NT status code.
Class to handle NT atoms
Add a global atom name
The name to add
Flags for the add.
True to throw on error.
A reference to the atom
Add a global atom name
The name to add
Flags for the add.
A reference to the atom
Add a global atom name
The name to add
True to throw on error.
A reference to the atom
Add a global atom name
The name to add
A reference to the atom
Find a global atom by name.
The name of the atom.
True to throw on error.
The found atom.
Find a global atom by name.
The name of the atom.
The found atom.
Query if a global atom exists.
The atom to check.
True if the atom exists.
Query if the atom exists.
The atom to check.
Specify true to check for a global atom, otherwise gets a user atom.
True if the atom exists.
Open a global atom by number.
The atom to open.
True to check atom exists.
True to open a global atom, otherwise a user atom.
True to throw on error.
The atom object.
Open a global atom by number.
The atom to open.
True to check atom exists.
True to throw on error.
The atom object.
Open a global atom by number.
The atom to open.
True to check atom exists.
The atom object.
Open a global atom by number.
The atom to open.
The atom object.
Enumerate all atoms.
An enumeration of all atoms on the system.
Enumerate all global atoms.
An enumeration of all atoms on the system.
Delete a global atom.
True to throw on error.
The NT status code.
Delete a global atom.
Get the name of the atom.
True to throw on error.
The name of the atom.
The atom value
Get the name of the atom.
The name of the atom
If true indicates this is a global atom, otherwise it's a user atom.
Class representing a NT Debug object
Create a debug object
The debug object name (can be null)
The root directory for relative names
Debug object flags.
The debug object
Create a debug object
Desired access for the debug object
Object attributes for debug object
Debug object flags.
The debug object
Create a debug object
Desired access for the debug object
Object attributes for debug object
Debug object flags.
True to throw an exception on error.
The NT status code and object result.
Create a debug object
The debug object
Open a named debug object
The debug object name
The root directory for relative names
Desired access for the debug object
The debug object
Open a named debug object
The object attributes to open.
Desired access for the debug object
The debug object
Open a named debug object
The object attributes to open.
Desired access for the debug object
True to throw an exception on error.
The NT status code and object result.
Open the current thread's debug object.
True to throw on error.
The opened debug object. Returns null if no object exists.
Open the current thread's debug object. Returns null if no object exists.
Attach to an active process.
The process to debug.
True to throw on error.
The NT status code.
Attach to an active process.
The process ID to debug.
True to throw on error.
The NT status code.
Attach to an active process.
The process to debug.
Attach to an active process.
The process ID to debug.
Detach a process from this debug object.
The process to remove.
True to throw on error.
The NT status code.
Detach a process from this debug object.
The process to remove.
Detach a process from this debug object.
The process ID to remove.
True to throw on error.
The NT status code.
Detach a process from this debug object.
The process ID to remove.
Set kill process on close flag.
The flag state.
True to throw on error.
The NT status code.
Set kill process on close flag.
The flag state.
Continue the debugged process.
The client ID for the process and thread IDs.
The continue status code.
True to throw on error.
The NT status code.
Continue the debugged process.
The process ID to continue.
The thread ID to continue.
The continue status code.
True to throw on error.
The NT status code.
Continue the debugged process.
The client ID for the process and thread IDs.
The continue status code.
Continue the debugged process.
The process ID to continue.
The thread ID to continue.
The continue status code.
Continue the debugged process with a success code.
The process ID to continue.
The thread ID to continue.
Wait for a debug event.
True to set the thread as alertable.
Wait timeout.
True to throw on error.
The debug event.
Wait for a debug event.
True to set the thread as alertable.
Wait timeout.
The debug event.
Wait for a debug event.
Wait timeout.
The debug event.
Wait for a debug event.
Wait timeout in milliseconds.
The debug event.
Wait for a debug event.
The debug event.
Class which represents a desktop object.
Open a desktop by name.
The object attributes for opening.
Flags for opening the desktop.
Desired access.
True to throw on error.
The instance of the desktop.
Thrown on error.
Open a desktop by name.
The object attributes for opening.
Flags for opening the desktop.
Desired access.
The instance of the desktop.
Thrown on error.
Open a desktop by name.
The name of the desktop.
Optional root object
An instance of NtDesktop.
Thrown on error.
Open a desktop by name.
The name of the desktop.
An instance of NtDesktop.
Create a new desktop.
The object attributes for opening.
Flags for opening the desktop.
Desired access.
True to throw on error.
Device name.
Device mode.
Heap size.
An instance of NtDesktop.
Create a new desktop.
The object attributes for opening.
Flags for opening the desktop.
Desired access.
Device name.
Device mode.
Heap size.
An instance of NtDesktop.
Create a new desktop.
The name of the desktop.
Optional root object
An instance of NtDesktop.
Create a new desktop.
The name of the desktop.
An instance of NtDesktop.
Get the desktop for a thread.
The thread ID of the thread.
True to throw on error.
The desktop result.
Get the desktop for a thread.
The thread ID of the thread.
The desktop result.
Get desktop for current thread.
Get list of top level Windows for this Desktop.
Close the Desktop. This is different from normal Close as it destroys the Desktop.
True to throw on error.
The NT status.
NT Directory Object class
Open a directory object
The object attributes to use for the open call.
Access rights for directory object
True to throw an exception on error.
The NT status code and object result.
Thrown on error and throw_on_error is true.
Open a directory object
The object attributes to use for the open call.
Access rights for directory object
The directory object
Throw on error
Open a directory object by name
The directory object to open
Optional root directory to parse from
Access rights for directory object
The directory object
Throw on error
Open a directory object by name
The directory object to open
Optional root directory to parse from
Access rights for directory object
True to throw an exception on error.
The directory object
Throw on error
Open a directory object by full name
The directory object to open
The directory object
Throw on error
Create a directory object with a shadow
The object attributes to create the directory with
The desired access to the directory
The shadow directory
Flags for creation.
True to throw an exception on error.
The NT status code and object result.
Thrown on error and throw_on_error is true.
Create a directory object with a shadow
The object attributes to create the directory with
The desired access to the directory
The shadow directory
True to throw an exception on error.
The NT status code and object result.
Thrown on error and throw_on_error is true.
Create a directory object with a shadow
The object attributes to create the directory with
The desired access to the directory
The shadow directory
Flags for creation.
The directory object
Thrown on error
Create a directory object with a shadow
The object attributes to create the directory with
The desired access to the directory
The shadow directory
The directory object
Thrown on error
Create a directory object
The directory object to create, if null will create a unnamed directory object
The desired access to the directory
Root directory from where to start the creation operation
The directory object
Thrown on error
Create a directory object with a shadow
The directory object to create, if null will create a unnamed directory object
The desired access to the directory
Root directory from where to start the creation operation
The shadow directory
The directory object
Thrown on error
Create a directory object
The directory object to create, if null will create a unnamed directory object
The directory object
Thrown on error
Open a session directory.
The session ID to open
Sub directory to open.
Desired access to open directory.
The directory object
Thrown on error
Open the current session directory.
The directory object
Thrown on error
Open the current session directory.
The directory object
Thrown on error
Open basenamedobjects for a session.
The session ID to open
The directory object
Thrown on error
Open basenamedobjects for current session.
The directory object
Thrown on error
Get the based named object's directory for a session.
The session ID
The based named object's directory.
Get the based named object's directory for the current session.
The based named object's directory.
Get the a session's Windows object directory.
The session id to use.
The path to the windows object directory.
Get the current session's Windows object directory.
The path to the windows object directory.
Get the a session's Window Stations object directory.
The session id to use.
The path to the window stations object directory.
Get the current session's Window Stations object directory.
The path to the window stations object directory.
Open dos devices directory for a token.
The directory object
Thrown on error
Open dos devices directory for current effective token.
The directory object
Thrown on error
Create a private namespace directory.
Object attributes for the directory
Boundary descriptor for the namespace
Desired access for the directory
True to throw an exception on error.
The directory object
Thrown on error
Create a private namespace directory.
Object attributes for the directory
Boundary descriptor for the namespace
Desired access for the directory
The directory object
Thrown on error
Create a private namespace directory.
Boundary descriptor for the namespace
The directory object
Thrown on error
Open a private namespace directory.
Object attributes for the directory
Boundary descriptor for the namespace
Desired access for the directory
True to throw an exception on error.
The directory object
Thrown on error
Open a private namespace directory.
Object attributes for the directory
Boundary descriptor for the namespace
Desired access for the directory
The directory object
Thrown on error
Open a private namespace directory.
Boundary descriptor for the namespace
The directory object
Thrown on error
Returns whether a directory exists for this path.
The path to the entry.
The root directory.
True if the directory exists for the specified path.
Get the type of a directory entry by path.
The path to the directory entry
The root object to look up if path is relative
The type name, or null if it can't be found.
Query the directory for a list of entries.
The list of entries.
Thrown on error
Visit all accessible directories under this one.
A function to be called on every accessible directory. Return true to continue enumeration.
Specify the desired access for the directory
True to recurse into sub directories.
Specify max recursive depth. -1 to not set a limit.
True if all children were visited.
Visit all accessible directories under this one.
A function to be called on every accessible directory. Return true to continue enumeration.
Visit all accessible directories under this one.
A function to be called on every accessible directory. Return true to continue enumeration.
True to recurse into sub directories.
Visit all accessible directories under this one.
A function to be called on every accessible directory. Return true to continue enumeration.
Specify the desired access for the directory
True to recurse into sub directories.
Deletes a private namespace. If not a private namespace this does nothing.
Deletes a private namespace. If not a private namespace this does nothing.
True to throw on error.
The NT status code.
Get a directory entry based on a name.
The name of the entry.
The typename to verify against, can be null.
True if look up is case sensitive.
The directory entry, or null if it can't be found.
Get a directory entry based on a name.
The name of the entry.
The directory entry, or null if it can't be found.
Check whether a directory is exists relative to the current directory.
Relative path to directory
True if the directory exists.
Set the session ID for this directory to the current session.
True to throw on error.
The NT status code.
Thrown on error.
Needs SeTcbPrivilege.
Set the session object for this directory to the current session.
True to throw on error.
The NT status code.
Thrown on error.
Needs SeTcbPrivilege.
Returns whether this object is a container.
Directory access rights.
Base class to implement an enclave.
The base address of the enclave.
The type of enclave.
Dispose of the enclave.
Close the enclave.
Call a method in the enclave.
The routine address to call.
The parameter to pass to the routine.
True to wait for a free thread.
True to throw on error.
The return value from the call.
Call a method in the enclave.
The routine address to call.
The parameter to pass to the routine.
True to wait for a free thread.
The return value from the call.
Type of enclave.
Class to represent a VBS enclave.
Create a VBS enclave.
The process to create the enclave in.
Size of the enclave.
Flags for the enclave.
Owner ID. Must be 32 bytes.
True to throw on error.
The created enclave.
Create a VBS enclave.
The process to create the enclave in.
Size of the enclave.
Flags for the enclave.
Owner ID. Must be 32 bytes.
The created enclave.
Get a procedure address in the loaded enclave.
The name of the procedure.
True to throw on error.
The address of the procedure.
Get a procedure address in the loaded enclave.
The name of the procedure.
The address of the procedure.
Terminate the enclave.
Flags for the terminate.
True to throw on error.
The NT status code.
Terminate the enclave.
Flags for the terminate.
The NT status code.
Load a module into the enclave.
The name of the module
Flags or path.
True to throw on error.
The NT status.
Load a module into the enclave.
The name of the module
Flags or path.
The NT status.
Initialize the enclave.
The number of threads to create.
True to throw on error.
The number of created threads.
Initialize the enclave.
The number of threads to create.
The number of created threads.
Dispose of the enclave.
Class to represent a kernel transaction enlistment.
Create a new enlistment object.
The object attributes
Desired access for the handle
Resource manager to handle the enlistment.
The transaction to enlist.
Optional create options.
Notification mask.
Enlistment key returned during notification.
True to throw an exception on error.
The created enlistment and NT status code.
Create a new enlistment object.
The object attributes
Desired access for the handle
Resource manager to handle the enlistment.
The transaction to enlist.
Optional create options.
Notification mask.
Enlistment key returned during notification.
The created enlistment.
Open a existing new enlistment object.
The object attributes
Desired access for the handle
Resource manager handling the enlistment.
ID of the enlistment to open.
True to throw an exception on error.
The opened enlistment and NT status code.
Open a existing new enlistment object.
The object attributes
Desired access for the handle
Resource manager handling the enlistment.
ID of the enlistment to open.
The opened enlistment.
Get a default mask for creating an enlistment object.
The creation option to get default mask for.
A default working mask.
Commit complete enlistment.
Optional virtual clock value.
True to throw on error.
The NT status code.
Commit enlistment.
Optional virtual clock value.
True to throw on error.
The NT status code.
Preprepare complete enlistment.
Optional virtual clock value.
True to throw on error.
The NT status code.
Preprepare enlistment.
Optional virtual clock value.
True to throw on error.
The NT status code.
Prepare complete enlistment.
Optional virtual clock value.
True to throw on error.
The NT status code.
Prepare enlistment.
Optional virtual clock value.
True to throw on error.
The NT status code.
Rollback complete enlistment.
Optional virtual clock value.
True to throw on error.
The NT status code.
Rollback enlistment.
Optional virtual clock value.
True to throw on error.
The NT status code.
Read only enlistment.
Optional virtual clock value.
True to throw on error.
The NT status code.
Recover enlistment.
Optional virtual clock value.
True to throw on error.
The NT status code.
Single phase reject enlistment.
Optional virtual clock value.
True to throw on error.
The NT status code.
Commit complete enlistment.
Optional virtual clock value.
Commit enlistment.
Optional virtual clock value.
Preprepare complete enlistment.
Optional virtual clock value.
Preprepare enlistment.
Optional virtual clock value.
Prepare complete enlistment.
Optional virtual clock value.
Prepare enlistment.
Optional virtual clock value.
Rollback complete enlistment.
Optional virtual clock value.
Rollback enlistment.
Optional virtual clock value.
Read only enlistment.
Optional virtual clock value.
Recover enlistment.
Optional virtual clock value.
Single phase reject enlistment.
Optional virtual clock value.
Method to query information for this object type.
The information class.
The buffer to return data in.
Return length from the query.
The NT status code for the query.
Method to set information for this object type.
The information class.
The buffer to set data from.
The NT status code for the set.
Query the information class as an object.
The information class.
True to throw on error.
The information class as an object.
Get enlistment ID.
Get associated transaction ID.
Get resource manager ID.
Get CRM enlistment ID.
Get CRM transaction manager ID.
Get CRM resource manager ID.
Get or set recovery information.
Class to represent an NT trace GUID.
Class representing a NT Event object
Create an event object
The path to the event
The root object for relative path names
The type of the event
The initial state of the event
True to throw on error.
The event object
Create an event object
The path to the event
The root object for relative path names
The type of the event
The initial state of the event
The event object
Create an event object
The event object attributes
The type of the event
The initial state of the event
The desired access for the event
The event object
Create an event object
The event object attributes
The type of the event
The initial state of the event
The desired access for the event
True to throw an exception on error.
The NT status code and object result.
Create an event object
The path to the event
The type of the event
The initial state of the event
The event object
Open an event object
The path to the event
The root object for relative path names
The desired access for the event
The event object
Open an event object
The event object attributes
The desired access for the event
The event object.
Open an event object
The event object attributes
The desired access for the event
True to throw an exception on error.
The NT status code and object result.
Open an event object
The path to the event
The root object for relative path names
The event object
Open an event object
The path to the event
The event object
Set the event state
True to throw an exception on error.
The previous state of the event and NT status.
Set the event state
The previous state of the event
Clear the event state
True to throw an exception on error.
The NT status code.
Clear the event state
Pulse the event state.
True to throw an exception on error.
The previous state of the event and NT status.
Pulse the event state.
The previous state of the event
Method to query information for this object type.
The information class.
The buffer to return data in.
Return length from the query.
The NT status code for the query.
Query the information class as an object.
The information class.
True to throw on error.
The information class as an object.
Get event type.
Get current event state.
Type of Event object.
Manual reset event.
Automatic reset event.
Exception class representing an NT status error.
Constructor
Status result
Returns the contained NT status code
Returns a string form of the NT status code.
Class representing a NT File object
Create a new file
The object attributes
Desired access for the file
Attributes for the file
Share access for the file
Open options for file
Disposition when opening the file
Extended Attributes buffer
Optional allocation size.
True to throw an exception on error.
The NT status code and object result.
Create a new file
The object attributes
Desired access for the file
Attributes for the file
Share access for the file
Open options for file
Disposition when opening the file
Extended Attributes buffer
Optional allocation size.
The created/opened file object.
Create a new file
The object attributes
Desired access for the file
Attributes for the file
Share access for the file
Open options for file
Disposition when opening the file
Extended Attributes buffer
True to throw an exception on error.
The NT status code and object result.
Create a new file
The object attributes
Desired access for the file
Attributes for the file
Share access for the file
Open options for file
Disposition when opening the file
Extended Attributes buffer
The created/opened file object.
Create a new file
The path to the file
A root object to parse relative filenames
Desired access for the file
Attributes for the file
Share access for the file
Open options for file
Disposition when opening the file
Extended Attributes buffer
True to throw an exception on error.
The created/opened file object.
Create a new file
The path to the file
A root object to parse relative filenames
Desired access for the file
Attributes for the file
Share access for the file
Open options for file
Disposition when opening the file
Extended Attributes buffer
The created/opened file object.
Create a new file
The path to the file
Desired access for the file
Share access for the file
Open options for file
Disposition when opening the file
Extended Attributes buffer
The created/opened file object.
Create a new named pipe file
The object attributes
Desired access for the file
Share access for the file
Open options for file
Disposition when opening the file
Pipe completion mode
Default timeout
Input quota
Maximum number of instances (-1 for infinite)
Output quota
Type of pipe to create
Pipe read mode
True to throw an exception on error.
The NT status code and object result.
Thrown on error.
Create a new named pipe file
The object attributes
Desired access for the file
Share access for the file
Open options for file
Disposition when opening the file
Pipe completion mode
Default timeout
Input quota
Maximum number of instances (-1 for infinite)
Output quota
Type of pipe to create
Pipe read mode
The file instance for the pipe.
Thrown on error.
Create a new named pipe file
The path to the pipe file
A root object to parse relative filenames
Desired access for the file
Share access for the file
Open options for file
Disposition when opening the file
Pipe completion mode
Default timeout
Input quota
Maximum number of instances (-1 for infinite)
Output quota
Type of pipe to create
Pipe read mode
True to throw an exception on error.
The file instance for the pipe.
Thrown on error.
Create a new named pipe file
The path to the pipe file
A root object to parse relative filenames
Desired access for the file
Share access for the file
Open options for file
Disposition when opening the file
Pipe completion mode
Default timeout
Input quota
Maximum number of instances (-1 for infinite)
Output quota
Type of pipe to create
Pipe read mode
The file instance for the pipe.
Thrown on error.
Create an anonymous named pipe pair.
True to throw on error.
The named pipe pair.
Create an anonymous named pipe pair.
The named pipe pair.
Create a new named mailslot file
The object attributes
Desired access for the file
Open options for file
Mailslot quota
Maximum message size (0 for any size)
Read Timeout.
True to throw on error.
The file instance for the mailslot.
Thrown on error.
Create a new named mailslot file
The object attributes
Desired access for the file
Open options for file
Mailslot quota
Maximum message size (0 for any size)
Read timeout in MS (<0 is infinite)
True to throw on error.
The file instance for the mailslot.
Thrown on error.
Create a new named mailslot file
The object attributes
Desired access for the file
Open options for file
Mailslot quota
Maximum message size (0 for any size)
Read timeout in MS ( <0 is infinite)
The file instance for the mailslot.
Thrown on error.
Create a new named mailslot file
The path to the mailslot file
A root object to parse relative filenames
Desired access for the file
Open options for file
Mailslot quota
Maximum message size (0 for any size)
Timeout in MS ( <0 is infinite)
The file instance for the mailslot.
Thrown on error.
Open a file
The object attributes
The desired access for the file handle
The file share access
File open options
True to throw an exception on error.
The NT status code and object result.
Open a file
The object attributesf
The desired access for the file handle
The file share access
File open options
The opened file
Thrown on error.
Open a file
The path to the file
The root directory if path is relative.
The desired access for the file handle
The file share access
File open options
True to throw an exception on error.
The opened file
Thrown on error.
Open a file
The path to the file
The root directory if path is relative.
The desired access for the file handle
The file share access
File open options
The opened file
Thrown on error.
Open a file
The path to the file
The root directory if path is relative.
The desired access for the file handle
The opened file
Thrown on error.
Get the object ID of a file as a string
The path to the file
The object ID as a string
Thrown on error.
Open a file by its object ID
A handle to the volume on which the file resides.
The object ID as a binary string
The desired access for the file
File share access
Open options.
True to throw on error
The opened file object
Open a file by its object ID
A handle to the volume on which the file resides.
The object ID as a binary string
The desired access for the file
File share access
Open options.
The opened file object
Thrown on error.
Open a file by its ID
A handle to the volume on which the file resides.
The file's ID. Can be a file reference number or an Object ID.
The desired access for the file
File share access
Open options.
True to throw on error
The opened file object
Open a file by its ID
A handle to the volume on which the file resides.
The file's ID. Can be a file reference number or an Object ID.
The desired access for the file
File share access
Open options.
The opened file object
Open a file by its object ID
A handle to the volume on which the file resides.
The file ID.
The desired access for the file
File share access
Open options.
True to throw on error
The opened file object
Open a file by its file ID
A handle to the volume on which the file resides.
The file ID.
The desired access for the file
File share access
Open options.
The opened file object
Thrown on error.
Open a file by its file ID
The path to the volume which contains the file.
The file ID.
The desired access for the file
File share access
Open options.
True to throw on error
The opened file object
Open a file by its file ID
The path to the volume which contains the file.
The file ID.
The desired access for the file
File share access
Open options.
The opened file object
Delete a file
The object attributes for the file.
True to throw an exception on error
The status result of the delete
Delete a file
The object attributes for the file.
Delete a file
The path to the file.
Rename file.
The file to rename.
The target NT path.
Thrown on error.
Create a hardlink to another file.
The file to hardlink to.
The desintation hardlink path.
Thrown on error.
Create a mount point.
The path to the mount point to create.
The substitute name to reparse to.
The print name to display (can be null).
Create a symlink.
The path to the mount point to create.
True to create a directory symlink, false for a file.
The substitute name to reparse to.
The print name to display.
Additional flags for the symlink.
Get the reparse point buffer for the file.
The path to the reparse point.
The reparse point buffer.
Delete the reparse point buffer.
The path to the reparse point.
The original reparse buffer.
Query attributes of a file.
The object attributes.
True to throw on error.
The file attributes.
Query attributes of a file.
The object attributes.
The file attributes.
Query attributes of a file.
The path to the file.
The root directory to parse from.
True to throw on error.
The file attributes.
Query attributes of a file.
The path to the file.
The root directory to parse from.
The file attributes.
Query attributes of a file.
The path to the file.
The file attributes.
Send a Device IO Control code to the file driver
The control code
Input buffer can be null
Output buffer can be null
Cancellation token to cancel the async operation.
True to throw on error.
Thrown on error.
The length of output bytes returned.
Send a Device IO Control code to the file driver.
The control code
Input buffer can be null
Maximum output buffer size
Cancellation token to cancel the async operation.
True to throw on error.
The output buffer returned by the kernel.
Send a Device IO Control code to the file driver
The control code
Input buffer can be null
Output buffer can be null
Cancellation token to cancel the async operation.
Thrown on error.
The length of output bytes returned.
Send a Device IO Control code to the file driver.
The control code
Input buffer can be null
Maximum output buffer size
Cancellation token to cancel the async operation.
The output buffer returned by the kernel.
Send a File System Control code to the file driver
The control code
Input buffer can be null
Output buffer can be null
Cancellation token to cancel the async operation.
True to throw on error.
Thrown on error.
The length of output bytes returned.
Send a File System Control code to the file driver.
The control code
Input buffer can be null
Maximum output buffer size
Cancellation token to cancel the async operation.
True to throw on error.
The output buffer returned by the kernel.
Send a File System Control code to the file driver
The control code
Input buffer can be null
Output buffer can be null
Cancellation token to cancel the async operation.
Thrown on error.
The length of output bytes returned.
Send a File System Control code to the file driver.
The control code
Input buffer can be null
Maximum output buffer size
Cancellation token to cancel the async operation.
The output buffer returned by the kernel.
Send a Device IO Control code to the file driver
The control code
Input buffer can be null
Output buffer can be null
Thrown on error.
The length of output bytes returned.
Send a Device IO Control code to the file driver.
The control code
Input buffer can be null
Maximum output buffer size
The output buffer returned by the kernel.
Send a File System Control code to the file driver
The control code
Input buffer can be null
Output buffer can be null
Thrown on error.
The length of output bytes returned.
Send a File System Control code to the file driver.
The control code
Input buffer can be null
Maximum output buffer size
The output buffer returned by the kernel.
Send a Device IO Control code to the file driver
The control code
Input buffer can be null
Output buffer can be null
True to throw on error.
Thrown on error.
The length of output bytes returned.
Send a Device IO Control code to the file driver.
The control code
Input buffer can be null
Maximum output buffer size
True to throw on error.
The output buffer returned by the kernel.
Send a File System Control code to the file driver
The control code
Input buffer can be null
Output buffer can be null
True to throw on error.
Thrown on error.
The length of output bytes returned.
Send a File System Control code to the file driver.
The control code
Input buffer can be null
Maximum output buffer size
True to throw on error.
The output buffer returned by the kernel.
Send a Device IO Control code to the file driver
The control code
Input buffer can be null
Output buffer can be null
True to throw an exception on error.
Thrown on error.
The length of output bytes returned.
Send a Device IO Control code to the file driver
The control code
Input buffer can be null
Output buffer can be null
Thrown on error.
The length of output bytes returned.
Send a Device IO Control code to the file driver.
The control code
Input buffer can be null
Maximum output buffer size
True to throw an exception on error.
The output buffer returned by the kernel.
Send a Device IO Control code to the file driver.
The control code
Input buffer can be null
Maximum output buffer size
The output buffer returned by the kernel.
Send an File System Control code to the file driver
The control code
Input buffer can be null
Output buffer can be null
True to throw an exception on error.
The length of output bytes returned.
Thrown on error.
Send a File System Control code to the file driver.
The control code
Input buffer can be null
Maximum output buffer size
True to throw an exception on error.
The output buffer returned by the kernel.
Send an File System Control code to the file driver
The control code
Input buffer can be null
Output buffer can be null
The length of output bytes returned.
Thrown on error.
Send a File System Control code to the file driver.
The control code
Input buffer can be null
Maximum output buffer size
The output buffer returned by the kernel.
Re-open an existing file for different access.
The desired access for the file handle
The file share access
File open options
Flags for the object attributes.
True to throw an exception on error.
The NT status code and object result.
Thrown on error.
Re-open an existing file for different access.
The desired access for the file handle
The file share access
File open options
True to throw an exception on error.
The NT status code and object result.
Thrown on error.
Re-open an exsiting file for different access.
The desired access for the file handle
The file share access
File open options
The opened file
Thrown on error.
Specify file disposition.
True to set delete on close, false to clear delete on close.
True to throw on error.
The NT status code.
Thrown on error.
You can't prevent deletion if file opened with DeleteOnClose flag.
Specify file disposition.
True to set delete on close, false to clear delete on close.
Thrown on error.
You can't prevent deletion if file opened with DeleteOnClose flag.
Delete the file. Must have been opened with DELETE access.
True to throw on error.
The NT status code.
Thrown on error.
Delete the file. Must have been opened with DELETE access.
Thrown on error.
Set disposition on the file (extended Windows version).
True to throw on error.
Flags for SetDispositionEx call.
The NT status code.
Thrown on error.
Set disposition on the file (extended Windows version).
Flags for SetDispositionEx call.
Thrown on error.
Delete the file (extended Windows version). Must have been opened with DELETE access.
True to throw on error.
Flags for DeleteEx call.
The NT status code.
Thrown on error.
Delete the file (extended Windows version). Must have been opened with DELETE access.
Flags for DeleteEx call.
Thrown on error.
Create a new hardlink to this file.
The target NT path.
The root directory if linkname is relative
Thrown on error.
Create a new hardlink to this file.
The target absolute NT path.
Thrown on error.
Create a new hardlink to this file.
The target NT path.
The root directory if linkname is relative
If TRUE, replaces the target file if it exists. If FALSE, fails if the target file already exists.
True to throw on error.
The NT status code.
Thrown on error.
Create a new hardlink to this file.
The target NT path.
The root directory if linkname is relative
If TRUE, replaces the target file if it exists. If FALSE, fails if the target file already exists.
Thrown on error.
Create a new hardlink to this file.
The target NT path.
The root directory if linkname is relative
The flags associated to FileLinkInformationEx.
True to throw on error.
The NT status code.
Thrown on error.
Create a new hardlink to this file.
The target NT path.
The root directory if linkname is relative
The flags associated to FileLinkInformationEx.
Thrown on error.
Rename file.
The target NT path.
The root directory if new_name is relative
If TRUE, replaces the target file if it exists. If FALSE, fails if the target file already exists.
True to throw on error.
The NT status code.
Thrown on error.
Rename file.
The target NT path.
The root directory if new_name is relative
If TRUE, replaces the target file if it exists. If FALSE, fails if the target file already exists.
Thrown on error.
Rename file.
The target NT path.
The root directory if new_name is relative
Thrown on error.
Rename this file with an absolute path.
The target absolute NT path.
If TRUE, replace the target file if it exists. If FALSE, fails if the target file already exists.
Thrown on error.
Rename this file with an absolute path.
The target absolute NT path.
Thrown on error.
Rename (extended Windows version) this file with an absolute path.
The target absolute NT path.
The root directory if new_name is relative
The flags associated to FileRenameInformationEx.
True to throw on error.
The NT status code.
Thrown on error.
Rename (extended Windows version) this file with an absolute path.
The target absolute NT path.
The root directory if new_name is relative
The flags associated to FileRenameInformationEx.
Thrown on error.
Rename (extended Windows version) this file with an absolute path.
The target absolute NT path.
The flags associated to FileRenameInformationEx.
Thrown on error.
Set an arbitrary reparse point.
The reparse point data.
Set an arbitrary reparse point.
The reparse point data.
True to throw on error.
The NT status code.
Set an arbitrary reparse point as a raw byte array.
The reparse point data as a byte array.
Set an arbitrary reparse point as a raw byte array.
The reparse point data as a byte array.
True to throw on error.
The NT status code.
Set an arbitrary reparse point.
The reparse point data.
Flags for the reparse buffer.
Existing tag to check against. If no check required use 0.
Existing Guid to check against. If no check requested use empty GUID.
True to throw on error.
The NT status code.
Set an arbitrary reparse point.
The reparse point data.
Flags for the reparse buffer.
Existing tag to check against. If no check required use 0.
Existing Guid to check against. If no check requested use empty GUID.
Set an arbitrary reparse point.
The reparse point data.
Existing tag to check against. If no check required use 0.
Set an arbitrary reparse point.
The reparse point data.>
Set a mount point on the current file object.
The substitute name to reparse to.
The print name to display (can be null).
Set a symlink on the current file object.
The substitute name to reparse to.
The print name to display.
Additional flags for the symlink.
Set a mount point on the current file object.
The substitute name to reparse to.
The print name to display (can be null).
True to throw on error.
The NT status code.
Set a symlink on the current file object.
The substitute name to reparse to.
The print name to display.
Additional flags for the symlink.
True to throw on error.
The NT status code.
Get the reparse point buffer for the file.
True to throw on error.
The reparse point buffer.
Get the reparse point buffer for the file.
The reparse point buffer.
Get the reparse point buffer for the file as a raw buffer.
True to throw on error.
The reparse point buffer.
Get the reparse point buffer for the file as a raw buffer.
The reparse point buffer.
Delete the reparse point buffer
The reparse tag.
The NT status code.
True to throw on error.
Delete the reparse point buffer
The reparse tag.
Delete the reparse point buffer
The original reparse buffer.
True to throw on error.
Delete the reparse point buffer
The original reparse buffer.
Get list of accessible files underneath a directory.
Share access for file open
Options for open call.
The desired access for each file.
A file name mask (such as *.txt). Can be null.
Indicate what entries to return.
The list of files which can be access.
Get list of accessible files underneath a directory.
Share access for file open
Options for open call.
The desired access for each file.
The list of files which can be access.
Query a directory for files.
The list of directory entries.
Query a directory for files.
A file name mask (such as *.txt). Can be null.
Indicate what entries to return.
Specify what additional data to include in the directory entries.
The list of directory entries. You might need to cast the directories to the appropriate types if using include flags.
Query a directory for files.
A file name mask (such as *.txt). Can be null.
Indicate what entries to return.
The list of directory entries.
Query a directory for files with file ID.
A file name mask (such as *.txt). Can be null.
Indicate what entries to return.
Return placeholder parent and current directory entries.
The list of directory entries.
Read data from a file with a length and position.
The buffer to read to.
The position in the file to read. The position is optional.
True to throw on error.
The length of bytes read into the buffer.
Read data from a file with a length and position.
The buffer to read to.
The position in the file to read. The position is optional.
The length of bytes read into the buffer.
Read data from a file with a length and position.
The length of the read
The position in the file to read. The position is optional.
True to throw on error.
The read bytes, this can be smaller than length.
Read data from a file with a length and position.
The length of the read
The position in the file to read
The read bytes, this can be smaller than length.
Read data from a file with a length.
The length of the read
The read bytes, this can be smaller than length.
Read data from a file with a length over a scatter set of pages.
List of pages to read into. These pages must be Page Size aligned.
The length of the read
The position in the file to read.
True to throw on error.
The length of bytes read.
Read data from a file with a length over a scatter set of pages.
List of pages to read into. These pages must be Page Size aligned.
The length of the read
The position in the file to read.
The length of bytes read.
Read data from a file with a length and position asynchronously.
The buffer to read to.
The position in the file to read. The position is optional.
Cancellation token to cancel async operation.
True to throw on error.
The length of bytes read into the buffer.
Read data from a file with a length and position asynchronously.
The buffer to read to.
The position in the file to read. The position is optional.
Cancellation token to cancel async operation.
The length of bytes read into the buffer.
Read data from a file with a length and position asynchronously.
The length of the read
The position in the file to read. The position is optional.
Cancellation token to cancel async operation.
True to throw on error.
The length of bytes read into the buffer.
Read data from a file with a length and position asynchronously..
The length of the read
The position in the file to read
Cancellation token to cancel async operation.
The read bytes, this can be smaller than length.
Read data from a file with a length and position asynchronously..
The length of the read
The position in the file to read
The read bytes, this can be smaller than length.
Read data from a file with a length and position asynchronously.
List of pages to read into. These pages must be Page Size aligned.
The length of the read
The position in the file to read.
Cancellation token to cancel async operation.
True to throw on error.
The length of bytes read into the buffer.
Read data from a file with a length and position asynchronously.
List of pages to read into. These pages must be Page Size aligned.
The length of the read
The position in the file to read.
True to throw on error.
The length of bytes read into the buffer.
Read data from a file with a length and position asynchronously.
List of pages to read into. These pages must be Page Size aligned.
The length of the read
The position in the file to read.
Cancellation token to cancel async operation.
The length of bytes read into the buffer.
Read data from a file with a length and position asynchronously.
List of pages to read into. These pages must be Page Size aligned.
The length of the read
The position in the file to read.
The length of bytes read into the buffer.
Write data to a file at a specific position asynchronously.
The data to write as a buffer.
The position to write to.
Cancellation token to cancel async operation.
True to throw on error.
The number of bytes written
Write data to a file at a specific position asynchronously.
The data to write as a buffer.
The position to write to.
Cancellation token to cancel async operation.
The number of bytes written
Write data to a file at a specific position asynchronously.
The data to write.
The position to write to.
Cancellation token to cancel async operation.
The number of bytes written
Write data to a file at a specific position asynchronously.
The data to write
The position to write to
The number of bytes written
Write data to a file at a specific position asynchronously.
The data to write.
The position to write to.
Cancellation token to cancel async operation.
True to throw on error.
The number of bytes written
Write data to a file at a specific position.
The data to write
The position to write to. Optional
True to throw on error.
The number of bytes written.
Write data to a file at a specific position.
The data to write
The position to write to. Optional
The number of bytes written.
Write data to a file at a specific position.
The data to write
The position to write to. Optional
True to throw on error.
The number of bytes written.
Write data to a file at a specific position.
The data to write
The position to write to
The number of bytes written
Write data to a file
The data to write
The number of bytes written
Write data to a file at a specific position gathered from a list of pages.
List of pages to write. These pages must be page size aligned.
The length of the write.
The position to write to.
True to throw on error.
The number of bytes written.
Write data to a file at a specific position gathered from a list of pages.
List of pages to write. These pages must be page size aligned.
The length of the write.
The position to write to.
The number of bytes written.
Write data to a file at a specific position asynchronously from a list of pages.
List of pages to write. These pages must be page size aligned.
The length of the write.
The position to write to.
Cancellation token to cancel async operation.
True to throw on error.
The number of bytes written
Write data to a file at a specific position asynchronously from a list of pages.
List of pages to write. These pages must be page size aligned.
The length of the write.
The position to write to.
True to throw on error.
The number of bytes written
Write data to a file at a specific position asynchronously from a list of pages.
List of pages to write. These pages must be page size aligned.
The length of the write.
The position to write to.
Cancellation token to cancel async operation.
The number of bytes written
Write data to a file at a specific position asynchronously from a list of pages.
List of pages to write. These pages must be page size aligned.
The length of the write.
The position to write to.
The number of bytes written
Lock part of a file.
The offset into the file to lock
The number of bytes to lock
True to fail immediately if the lock can't be taken
True to do an exclusive lock
True to throw on error.
The NT status code.
Lock part of a file.
The offset into the file to lock
The number of bytes to lock
True to fail immediately if the lock can't be taken
True to do an exclusive lock
Shared lock part of a file.
The offset into the file to lock
The number of bytes to lock
Lock part of a file asynchronously.
The offset into the file to lock
The number of bytes to lock
True to fail immediately if the lock can't be taken
True to do an exclusive lock
Cancellation token to cancel async operation.
True to throw on error.
The NT status code.
Lock part of a file asynchronously.
The offset into the file to lock
The number of bytes to lock
True to fail immediately if the lock can't be taken
True to do an exclusive lock
Cancellation token to cancel async operation.
Lock part of a file asynchronously.
The offset into the file to lock
The number of bytes to lock
True to fail immediately if the lock can't be taken
True to do an exclusive lock
Shared lock part of a file asynchronously.
The offset into the file to lock
The number of bytes to lock
Unlock part of a file previously locked with Lock
The offset into the file to unlock
The number of bytes to unlock
Thrown on error.
Unlock part of a file previously locked with Lock
The offset into the file to unlock
The number of bytes to unlock
True to throw on error.
The NT status code.
Convert this NtFile to a FileStream for reading/writing.
The stream must be closed separately from the NtFile.
The file stream.
Thrown on error.
Get the Win32 path name for the file.
The flags to determine what path information to get.
The path.
Throw on error.
Get the Win32 path name for the file.
The flags to determine what path information to get.
True to throw on error.
The path.
Oplock the file with a specific level.
The level of oplock to set.
True to throw on error.
The oplock response level.
Oplock the file with a specific level.
The level of oplock to set.
The oplock response level.
Oplock the file with a specific level.
The level of oplock to set.
Cancellation token to cancel async operation.
True to throw on error.
The oplock response level.
Oplock the file with a specific level.
The level of oplock to set.
True to throw on error.
The oplock response level.
Oplock the file with a specific level.
The level of oplock to set.
Cancellation token to cancel async operation.
The oplock response level.
Oplock the file with a specific level.
The level of oplock to set.
The oplock response level.
Acknowledge an oplock break.
The acknowledgment level.
True to throw on error.
The NT status code.
Oplock break acknowledgement returns STATUS_PENDING.
Acknowledge an oplock break.
The acknowledgment level.
Oplock the file with a specific level.
The oplock cache level.
Specify additional flags for the request.
True to throw on error.
The result of the oplock request.
Oplock the file with a specific level.
The oplock cache level.
True to throw on error.
The result of the oplock request.
Oplock the file with a specific level and flags.
The oplock level.
Cancellation token to cancel async operation.
Specify additional flags for the request.
True to throw on error.
The request of the oplock request.
Oplock the file with a specific level and flags.
The oplock level.
Cancellation token to cancel async operation.
True to throw on error.
The request of the oplock request.
Oplock the file with a specific lease level and flags.
The oplock lease level.
Specify additional flags for the request.
The result of the oplock request.
Oplock the file with a specific lease level and flags.
The oplock lease level.
The result of the oplock request.
Oplock the file with a specific level and flags.
The oplock level.
Specify additional flags for the request.
Cancellation token to cancel async operation.
The request of the oplock request.
Oplock the file with a specific level and flags.
The oplock level.
Cancellation token to cancel async operation.
The request of the oplock request.
Oplock the file with a specific level and flags.
The oplock level.
True to throw on error.
The request of the oplock request.
Oplock the file with a specific level and flags.
The oplock level.
The response of the oplock request.
Oplock the file with a specific level and flags.
The oplock level.
Specify additional flags for the request.
The response of the oplock request.
Acknowledge a lease oplock started with RequestOplockLease.
True to complete acknowledgement on close.
True to throw on error.
The NT status code.
This breaks to None. If you want to request the new oplock level then request a new oplock.
Acknowledge a lease oplock started with RequestOplockLease.
True to complete acknowledgement on close.
Acknowledge a lease oplock started with RequestOplockLease.
Oplock the file exclusively (no other users can access the file).
True to throw on error.
The oplock response level.
Oplock the file exclusively (no other users can access the file).
The oplock response level.
Oplock the file exclusively (no other users can access the file).
Cancellation token to cancel async operation.
The oplock response level.
Oplock the file exclusively (no other users can access the file).
The oplock response level.
Wait for an oplock break to complete.
True to throw on error.
The NT status code.
Wait for an oplock break to complete.
The NT status code.
Wait for an oplock break to complete.
True to throw on error.
The NT status code.
Wait for an oplock break to complete.
The NT status code.
Dispose.
True is disposing.
Try and cancel any pending asynchronous IO.
Get the extended attributes of a file.
True to throw on error.
The extended attributes, empty if no extended attributes.
Get the extended attributes of a file.
The extended attributes, empty if no extended attributes.
Set the extended attributes for a file.
The EA buffer to set.
True to throw on error.
This will add entries if they no longer exist,
remove entries if the data is empty or update existing entires.
Set the extended attributes for a file.
The EA buffer to set.
This will add entries if they no longer exist,
remove entries if the data is empty or update existing entires.
Set the extended attributes for a file.
The name of the entry
The associated data
The entry flags.
Set the extended attributes for a file.
The name of the entry
The associated data
The entry flags.
Set the extended attributes for a file.
The name of the entry
The associated data
The entry flags.
Remove an extended attributes entry for a file.
The name of the entry
Assign completion port to file.
The completion port.
A key to associate with this completion.
Check if a specific set of file directory access rights is granted
The file directory access rights to check
True if all access rights are granted
Get the cached signing level for a file.
The cached signing level.
Get the cached signing level for a file.
The cached signing level.
Get the cached singing level from the raw EA buffer.
The cached signing level data.
Throw on error.
Set the cached signing level for a file.
Flags to set for the cache.
The signing level to cache
Set the cached signing level for a file.
Flags to set for the cache.
The signing level to cache
Optional directory path to look for catalog files.
Set the cached signing level for a file.
Flags to set for the cache.
The signing level to cache
Files for signature.
Optional directory path to look for catalog files.
Set the cached signing level for a file.
Flags to set for the cache.
The signing level to cache
Files for signature.
Optional directory path to look for catalog files.
True to throw on error.
Set the end of file.
The offset to the end of file.
Set the valid data length of the file without zeroing. Needs SeManageVolumePrivilege.
The length to set.
Get list of hard link entries for a file.
The list of entries.
Get a list of stream entries for the current file.
The list of streams.
Visit all accessible streams under this file.
A function to be called on every accessible stream. Return true to continue enumeration.
Specify the desired access for the streams.
The share access to open the streams with.
Additional options to open the s with.
True if all accessible streams were visited, false if not.
Get list of process ids using this file.
The list of process ids.
Visit all accessible files under this directory.
A function to be called on every accessible file. Return true to continue enumeration.
Specify the desired access for the files.
True to recurse into sub keys.
The share access to open the files with.
Specify max recursive depth. -1 to not set a limit.
Additional options to open the files with.
A file name mask (such as *.txt). Can be null.
Indicate what entries to return.
True if all accessible files were visited, false if not.
Visit all accessible files under this directory.
A function to be called on every accessible file. Return true to continue enumeration.
Specify the desired access for the files.
True to recurse into sub keys.
The share access to open the files with.
Specify max recursive depth. -1 to not set a limit.
Additional options to open the files with.
True if all accessible files were visited, false if not.
Visit all accessible files under this directory.
A function to be called on every accessible file. Return true to continue enumeration.
Visit all accessible files under this directory.
A function to be called on every accessible file. Return true to continue enumeration.
Specify the desired access for the files.
The share access to open the files with.
Query whether a file is trusted for dynamic code.
Returns true if the file is trusted.
Set a file is trusted for dynamic code.
Set a file is trusted for dynamic code.
True to throw on error.
The NT status code.
Find files in a directory by the owner SID.
The owner SID.
A list of files in the directory.
For this method to work you need Quota enabled on the volume.
Get full change notifications. Will pick ex version if available and revert to old format if not.
The filter of events to watch for.
True to watch all sub directories.
True to throw on error.
Wait timeout.
The list of changes.
Get full change notifications. Will pick ex version if available and revert to old format if not.
The filter of events to watch for.
True to watch all sub directories.
Wait timeout.
The list of changes.
Get full change notifications asynchronously. Will pick ex version if available and revert to old format if not.
The filter of events to watch for.
True to watch all sub directories.
True to throw on error.
Cancellation token.
The list of changes.
Get full change notifications asynchronously. Will pick ex version if available and revert to old format if not.
The filter of events to watch for.
True to watch all sub directories.
Cancellation token.
The list of changes.
Get full change notifications asynchronously. Will pick ex version if available and revert to old format if not.
The filter of events to watch for.
True to watch all sub directories.
The list of changes.
Get change notifications.
The filter of events to watch for.
True to watch all sub directories.
True to throw on error.
Wait timeout.
The list of changes.
Get change notifications.
The filter of events to watch for.
True to watch all sub directories.
True to throw on error.
The list of changes.
Get change notifications.
The filter of events to watch for.
True to watch all sub directories.
Wait timeout.
The list of changes.
Get change notifications.
The filter of events to watch for.
True to watch all sub directories.
The list of changes.
Get change notifications.
The filter of events to watch for.
True to watch all sub directories.
True to throw on error.
Cancellation token.
The list of changes.
Get change notifications.
The filter of events to watch for.
True to watch all sub directories.
True to throw on error.
The list of changes.
Get change notifications.
The filter of events to watch for.
True to watch all sub directories.
Cancellation token.
The list of changes.
Get change notifications.
The filter of events to watch for.
True to watch all sub directories.
The list of changes.
Get extended change notifications.
The filter of events to watch for.
True to watch all sub directories.
Timeout to wait.
True to throw on error.
The list of changes.
Get extended change notifications.
The filter of events to watch for.
True to watch all sub directories.
True to throw on error.
The list of changes.
Get change notifications.
The filter of events to watch for.
True to watch all sub directories.
Timeout to wait.
The list of changes.
Get change notifications.
The filter of events to watch for.
True to watch all sub directories.
The list of changes.
Get change notifications.
The filter of events to watch for.
True to watch all sub directories.
True to throw on error.
Cancellation token.
The list of changes.
Get change notifications.
The filter of events to watch for.
True to watch all sub directories.
True to throw on error.
The list of changes.
Get change notifications.
The filter of events to watch for.
True to watch all sub directories.
Cancellation token.
The list of changes.
Get change notifications.
The filter of events to watch for.
True to watch all sub directories.
The list of changes.
Get the file attributes.
True to throw on error.
The file attributes.
Set the file attributes.
The file attributes to set.
True to throw on error.
The NT status code.
Get the creation time.
True to throw on error.
The creation time.
Get the last write time.
True to throw on error.
The last write time.
Get the change time time.
True to throw on error.
The change time.
Get the last access time.
True to throw on error.
The last access time time.
Set the file's creation time.
The time to set.
True to throw on error.
The NT status code.
Set the file's last access time.
The time to set.
True to throw on error.
The NT status code.
Set the file's last write time.
The time to set.
True to throw on error.
The NT status code.
Set the file's change time.
The time to set.
True to throw on error.
The NT status code.
Set the file position.
The file position to set.
True to throw on error.
The NT status code.
Get file information.
Query all reparse points from a volume.
The list of reparse points.
You'll need to open the reparse database, which is typically \$Extend\$Reparse:$R:$INDEX_ALLOCATION on the volume.
Query all object ids from a volume.
The list of object ids.
You need to open the object ID database, which is typically \$Extend\$ObjId:$O:$INDEX_ALLOCATION on the volume.
Get the Object ID buffer for a file.
True to throw on error.
The object ID buffer.
Get the Object ID create for a file.
The object ID buffer.
Get the Object ID buffer for a file.
True to throw on error.
The object ID buffer.
Get or create the Object ID for a file.
The object ID buffer.
Set Object ID and extended information.
The Object ID buffer.
Only set the extended information.
True to throw on error.
The NT status code.
Set Object ID and extended information.
The Object ID buffer.
Only set the extended information.
The NT status code.
Set Object ID and extended information.
The Object ID GUID.
Extended info buffer, needs to be 48 bytes in size.
The NT status code.
Set only Object ID extended information.
>
Extended info buffer, needs to be 48 bytes in size.
The NT status code.
Delete the Object ID for a file.
True to throw on error.
The NT status code.
Delete the Object ID for a file.
Make the file sparse.
True to make the file sparse.
True to throw on error.
The NT status code.
Query if the driver is in the device stack for the device.
The driver path. Can be a plain name of full object manager path, e.g. \Device\Blah.
True to throw on error.
True indicating driver in path.
Query if the driver is in the device stack for the device.
The driver path.
True indicating driver in path.
Get filesystem and volume information.
Query a fixed buffer for a volume.
The type to query.
The volume information class.
The returned type.
Query a fixed buffer for a volume.
The type to query.
The volume information class.
True to throw on error.
The returned type.
Query a buffer for a volume.
The type to query.
The volume information class.
True to throw on error.
The returned type.
Query a buffer for a volume.
The volume information class.
Initialization buffer.
True to throw on error.
The returned type.
Query a buffer for a volume.
The volume information class.
Initialization buffer.
The returned type.
Query a buffer for a volume.
The type to query.
The volume information class.
The returned type.
Query a buffer for a volume.
The volume information class.
The buffer for the query. Can be initialized.
True to throw on error.
The NT status code.
Query a buffer for a volume.
The volume information class.
The buffer for the query. Can be initialized.
Set a buffer on a volume.
The volume information class.
The buffer for the set.
True to throw on error.
The NT status code.
Set a buffer on a volume.
The volume information class.
The buffer for the set.
Set a fixed value on a volume.
The volume information class.
The fixed value to set.
True to throw on error.
The NT status code.
Set a fixed value on a volume.
The volume information class.
The fixed value to set.
Query the quota entries for a volume.
Return quote entries for the specified SIDs.
The list of quota entries.
Query all quota entries for a volume.
The list of quota entries.
Set quota entries.
The quota entries to set.
True to throw on error.
The NT status code.
Set quota entries.
The quota entries to set.
Set quota entry.
The quota entry to set.
Set quota entry.
The SID for the quota.
The quota limit to set.
The quota threshold to set.
Get the file's full path.
True to throw on error.
The file name.
Get the file's normalized path.
True to throw on error.
The file name.
Method to query information for this object type.
The information class.
The buffer to return data in.
Return length from the query.
The NT status code for the query.
Method to set information for this object type.
The information class.
The buffer to set data from.
The NT status code for the set.
Query the information class as an object.
The information class.
True to throw on error.
The information class as an object.
Get object ID for current file
The object ID as a string
Thrown on error.
Get object ID for current file as a number.
The object ID as a number.
Thrown on error.
Get or set the attributes of a file.
The file attributes
Thrown on error.
Get or set the creation time.
Get or set the last access time.
Get or set the last write time.
Get or set the change time.
Get file information, which is times, attributes and sizes.
Get or set the file as sparse.
Get whether this file represents a directory.
Get whether this file repsents a reparse point.
The result of opening the file, whether it was created, overwritten etc.
Get or set the current file position.
Get or sets the file's length
Get the file's allocation size.
Get the number of links.
Get whether delete is pending.
Get the Win32 path name for the file.
The path, string.Empty on error.
Get the low-level device type of the file.
The file device type.
Get the low-level device characteristics of the file.
The file device characteristics.
Get filesystem and volume information.
Get or set the file's compression format.
Gets whether the file is on a remote file system.
Get or set whether this file/directory is case sensitive.
Get or set whether this file/directory is case sensitive.
Get the file mode.
Get file access information.
Get the filename with the volume path.
Get the normalized filename with the volume path.
Get the associated short filename
Get the associated short filename
Get the normalized name.
Get or set the storage reserve ID.
Returns whether this object is a container.
Get or set the read only status of the file.
Is the file compressed.
Get remote protocol information.
Get the granted access as directory rights.
Get the file system control flags.
Get persist volume flags.
Return the status information field. (32 bit)
Class representing file information.
Time of creation.
Time of last access.
Time of last write.
Time of change.
Length of the file.
Length of the file, alias of EndOfFile.
Allocation size.
File attributes.
Has the file got a set of attributes set.
The attributes to check.
True if it has the attributes.
Is the file a directory.
Is the file a reparse point.
Class to represent a directory entry.
Index of the file.
File name.
Class to represent a directory entry with file IDs.
Length of any EA buffer.
The file reference number if known.
Class to represent a directory entry with short names.
Length of any EA buffer.
The short name of the file.
Class to represent a directory entry with short names and file ids.
Length of any EA buffer.
The short name of the file.
The file reference number if known.
Class to represent a file quota entry.
Class to represet a file object ID.
Full path to the file with the reparse point.
Win32 path to the file with the reparse point.
Reference number for the file.
The file's attributes.
The file's object ID.
The file's extended info.
File's birth volume ID.
File's birth object ID.
File's domain ID.
Class to represent a file reparse point.
Full path to the file with the reparse point.
Win32 path to the file with the reparse point.
Reference number for the file.
The file's attributes.
The reparse point buffer.
The reparse point tag.
Utility functions for files
Convert a DOS filename to an absolute NT filename
The filename, can be relative
True to throw on error.
The NT filename
Convert a DOS filename to an absolute NT filename
The filename, can be relative
The NT filename
Convert a DOS filename to an absolute NT filename
List of paths to combine before converting.
The NT filename
Convert a DOS filename to an NT filename and get as an ObjectAttributes structure
The DOS filename.
The object attribute flags.
An optional security quality of service.
An optional security descriptor.
True to throw on error.
The object attributes
Convert a DOS filename to an NT filename and get as an ObjectAttributes structure
The DOS filename.
The object attribute flags.
An optional security quality of service.
An optional security descriptor.
The object attributes
Convert a DOS filename to an NT filename and get as an ObjectAttributes structure
The filename
The object attributes
Convert a DOS filename to a UNICODE_STRING structure
The DOS filename
The UNICODE_STRING
Get type of DOS path
The DOS filename
The type of DOS path
Map directory access rights to file access rights.
The directory access rights to map.
The mapped access rights.
Convert a file ID long to a string.
The file ID to convert
The string format of the file id.
Convert a string to a file ID.
The file ID as a string (must be 4 characters).
The file ID as a long.
Get if a reparse tag is a Microsoft defined one.
The reparse tag.
True if it's a Microsoft reparse tag.
Get if a reparse tag is a name surrogate.
The reparse tag.
True if it's a surrogate reparse tag.
Get if a reparse tag is a directory which can have children.
The reparse tag.
True if it's a directory reparse tag which can have children.
Convert a directory access rights mask to a normal file access mask.
The access to convert.
The converted access rights.
Convert a file access rights mask to a directory file access mask.
The access to convert.
The converted access rights.
Enable or disable Wow64 FS redirection.
True to enable FS redirection.
True to throw on error.
The old enable state.
Enable or disable Wow64 FS redirection.
True to enable FS redirection.
The old enable state.
Split an allocated address into a list of pages. This can be used to pass to
ReadScatter or WriteGather file APIs.
The base address to split. The address should be page aligned.
The length of bytes to split into pages. This will be rounded up to the next page boundary.
The list of pages.
Split an allocated address into a list of pages. This can be used to pass to
ReadScatter or WriteGather file APIs.
The allocated buffer to split. The address should be page aligned.
The buffer will be split up based on its length. Note that the length will be rounded up.
The list of pages.
Attempt to convert an NT device filename to a DOS filename.
The filename to convert.
The converted string. Returns a path prefixed with GLOBALROOT if it doesn't understand the format.
Build a path for an open by ID file.
The path to the volume.
The ID.
The bytes for the ID path.
Build a path for a file ID volume.
The path to the volume.
The file reference number.
The bytes for the file ID path.
Build a path for an object ID volume.
The path to the volume.
The file object ID.
The bytes for the file ID path.
Generate a DOS filename from a full filename.
The full filename.
True to allow extended characters.
Number of iterations of the algorithm to test.
True throw on error.
The DOS filename.
Generate a DOS filename from a full filename.
The full filename.
True to allow extended characters.
Number of iterations of the algorithm to test.
The DOS filename.
Generate a DOS filename from a full filename.
The full filename.
True to allow extended characters.
The DOS filename.
Is the filename a legal 8dot3 name.
The filename to check.
True if it's a legal 8dot3 name.
Class representing a NT FilterConnectionPort object. Note this is just a dummy object for typing purposes.
A generic wrapper for any object, used if we don't know the type ahead of time.
Convert the generic object to the best typed object.
The typed object. Can be NtGeneric if no better type is known.
Convert the generic object to the best typed object.
True to throw on error.
The typed object. Can be NtGeneric if no better type is known.
Returns whether this object is a container.
Class to represent a system handle
The ID of the process holding the handle
Get the image path for the process which contains this handle.
Get name of the process which contains this handle.
The object type index
The object type name
The object type
The handle attribute flags.
The handle value
The address of the object.
The granted access mask
The granted access mask as a string.
The granted access mask as a string.
Whether the handle is inheritable.
Whether the handle is protected from close.
Whether the handle has write access.
Whether the handle has read access.
Whether the handle has execute access.
Whether the handle has full access.
The name of the object (needs to have set query access in constructor)
The security of the object (needs to have set query access in constructor)
Indicates if the handle was valid.
This can cause the handle's values to be queried which can take time.
Overridden ToString.
The handle as a string.
Get handle into the current process
True to throw on error.
The handle to the object
Get handle into the current process
The handle to the object
Close the handle in the original process.
True throw on error.
The NT status code.
This is not recommended.
Close the handle in the original process.
This is not recommended.
Class to call NT heap APIs.
Allocate a buffer from the heap.
Heap flags.
Size of the allocation.
True to throw on error.
The allocated memory address.
Allocate a buffer from the heap.
Heap flags.
Size of the allocation.
The allocated memory address.
Free a buffer from the heap.
Heap flags.
Address of the allocation.
True to throw on error.
Free a buffer from the heap.
Heap flags.
Address of the allocation.
Get the current process heap.
Class representing an NT IO Completion Port object
Create an IO Completion Port object
The object attributes
The desired access for the event
Number of concurrent threads to process I/O packets. 0 for CPU count.
True to throw an exception on error.
The NT status code and object result.
Thrown on error.
Create an IO Completion Port object
The object attributes
The desired access for the event
Number of concurrent threads to process I/O packets. 0 for CPU count.
The IO Completion Port object.
Thrown on error.
Create an IO Completion Port object
The path to the IO Completion Port
The root object for relative path names
The desired access for the event
Number of concurrent threads to process I/O packets. 0 for CPU count.
The IO Completion Port object.
Thrown on error.
Create an unnamed IO Completion Port object.
The IO Completion Port object.
Thrown on error.
Open an IO Completion Port object
The object attributes
The desired access for the event
The IO Completion Port object.
Thrown on error.
Open an IO Completion Port object
The object attributes
The desired access for the event
True to throw an exception on error.
The NT status code and object result.
Thrown on error.
Open an IO Completion Port object
The path to the IO Completion Port
The root object for relative path names
The desired access for the event
The IO Completion Port object.
Thrown on error.
Open an IO Completion Port object
The path to the IO Completion Port
The IO Completion Port object.
Thrown on error.
Remove a queued status from the queue.
An optional timeout.
True to throw on error.
The completion result.
Thrown on error or timeout.
Remove a queued status from the queue.
An optional timeout.
The completion result.
Thrown on error or timeout.
Remove multiple queued status from the queue.
Maximum number of status to remove.
An optional timeout.
Indicate whether the wait is alertable.
True to throw on error.
Array of completion results. Length can be <= max_count.
Remove multiple queued status from the queue.
Maximum number of status to remove.
An optional timeout.
Indicate whether the wait is alertable.
Array of completion results. Length can be <= max_count. If timeout then returns an empty array.
Remove multiple queued status from the queue.
Maximum number of status to remove.
Array of completion results. Length can be <= max_count
Remove a queued status from the queue. Wait for an infinite time for the result.
The completion result.
Add a queued status to the queue.
The optional key context.
The optional APC context.
Status code
The information context.
Method to query information for this object type.
The information class.
The buffer to return data in.
Return length from the query.
The NT status code for the query.
Get current depth of IO Completion Port
Memory control method.
Buffered.
IN Direct.
OUT Direct.
Neither.
Access control flags.
Any access.
Read access.
Write access.
Represents a NT file IO control code.
Type of device
Function number
Buffering method
Access of file handle
Is the function number custom, i.e. has the top bit set.
Get a known name associated with this IO control code.
Constructor
Type of device
Function number
Buffering method
Access of file handle
Constructor
Raw IO control code to convert.
Static method to create an NtIoControlCode
The conde as an integer.
The io control code.
Convert the io control code to an Int32
The int32 version of the code
Overriden hash code.
The hash code.
Overridden equals.
The object to compare against.
True if equal.
Overridden ToString method.
The IO control code as a string.
Format IO control code with an format specifier.
The format specified. For example use X to format as a hexadecimal number.
The formatted string.
Format the underlying IO control code with an format specifier.
The format specified. For example use X to format as a hexadecimal number.
Format provider.
The formatted string.
Class representing a NT Job object
Create a job object
The object attributes
Desired access for job.
True to throw an exception on error.
The NT status code and object result.
Create a job object
The object attributes
Desired access for job.
The Job object.
Create a job object
The path to the job object (can be null)
The root object when path is relative
Desired access for job.
The Job object
Create a job object
The path to the job object (can be null)
The root object when path is relative
The Job object
Create an unnamed job object
The Job object
Open a job object
The object attributes
Desired access for job.
True to throw an exception on error.
The NT status code and object result.
Open a job object
The object attributes
Desired access for job.
The Job object
Open a job object
The path to the job object
The root object when path is relative
Desired access for the job object
The Job object
Open a job object
The path to the job object
The root object when path is relative
The Job object
Create and initialize a Silo,
Flags for root directory.
Desired access for the job.
Object attributes.
True to throw on error.
The Job object.
Create and initialize a Silo,
Flags for root directory.
Desired access for the job.
Object attributes.
The Job object.
Create and initialize a Silo,
Flags for root directory.
True to throw on error.
The Job object.
Create an initialize a Silo,
Flags for root directory.
The Job object.
Create and initialize a Server Silo,
Flags for root directory.
True to throw on error.
Path to the system root.
Event to signal when silo deleted.
True if a downlevel container.
Desired access for the job.
Object attributes.
The Job object.
Create and initialize a Server Silo,
Flags for root directory.
Path to the system root.
Event to signal when silo deleted.
True if a downlevel container.
Desired access for the job.
Object attributes.
The Job object.
Create and initialize a Server Silo,
Flags for root directory.
True to throw on error.
Path to the system root.
Event to signal when silo deleted.
True if a downlevel container.
The Job object.
Create and initialize a Server Silo,
Flags for root directory.
Path to the system root.
Event to signal when silo deleted.
True if a downlevel container.
The Job object.
Convert Job object into a Silo
True to throw on error.
The NT status code.
Convert Job object into a Silo
Initialize a Silo,
Flags for root directory.
True to throw on error.
The NT status code.
Initialize a Silo,
Flags for root directory.
Initialize a Silo to a Server Silo.
Event to signal when silo deleted.
True if a downlevel container.
True to throw on error.
The NT status code.
You must have set a system root and added a \Device directory (which shadows the real directory) to the silo object directory.
Initialize a Silo to a Server Silo.
Event to signal when silo deleted.
True if a downlevel container.
The NT status code.
Create the silo's root object directory.
The flags for the creation.
True to throw on error.
The NT status code.
Create the silo's root object directory.
The flags for the creation.
The NT status code.
Assign a process to this job object.
The process to assign.
Assign a process to this job object.
True to throw on error.
The process to assign.
The NT status code.
Assign a process to this job object using current Job on Windows 1709+.
Assign a process to this job object using current Job on Windows 1709+.
Associate a completion port with the job.
The completion port.
The key associated with the port.
Terminate this job object.
The termination status.
True to throw on error.
The NT status code.
Terminate this job object.
The termination status.
Set the limit flags for the job.
The limit flags.
True to throw on error.
The NT status code.
Set the limit flags for the job.
The limit flags.
Set the Silo system root directory.
The absolute path to the system root directory.
True to throw on error.
The system_root path must start with a capital drive letter and not end with a backslash.
The NT status code.
Set the Silo system root directory.
The absolute path to the system root directory.
The system_root path must start with a capital drive letter and not end with a backslash.
Set the active process limit.
The number of active processes in the job.
True to throw on error.
The NT status code.
Set the active process limit.
The number of active processes in the job.
Set minimum and maximum working set size.
The minimum working set size.
The maximum working set size.
True to throw on error.
The NT status code.
Set minimum and maximum working set size.
The minimum working set size.
The maximum working set size.
Set the process memory limit.
The memory limit for a process.
True to throw on error.
The NT status code.
Set the process memory limit.
The memory limit for a process.
The NT status code.
Set the job memory limit.
The memory limit for a job.
True to throw on error.
The NT status code.
Set the job memory limit.
The memory limit for a job.
The NT status code.
Set the time limit for a process.
The time limit for a process, in 100ns ticks. Set to 0 to clear the timeout.
True to throw on error.
The NT status code.
Set the time limit for a process.
The time limit for a process, in 100ns ticks. Set to 0 to clear the timeout.
Set the time limit for a process.
The time limit for a process.
True to throw on error.
The NT status code.
Set the time limit for a process.
The time limit for a process.
Set the time limit for a job.
The time limit for a job, in 100ns ticks. Set to 0 to clear timeout.
True to throw on error.
The NT status code.
Set the time limit for a job.
The time limit for a job, in 100ns ticks. Set to 0 to clear timeout.
Set the time limit for a job.
The time limit for a job.
True to throw on error.
The NT status code.
Set the time limit for a job.
The time limit for a job.
Get list of process IDs in Job.
True to throw on error.
The list of process IDs.
Get list of process IDs in Job.
The list of process IDs.
Set UI Restriction Flags.
The UI Restriction Flags.
True to throw on error.
The NT status code.
Set UI Restriction Flags.
The UI Restriction Flags.
The NT status code.
Query Silo Root directory.
True to throw on error.
The silo root directory.
Get Silo basic information.
True to throw on error.
The Silo Basic Information.
Get Silo basic information.
True to throw on error.
The Server Silo Basic Information.
Get Silo user shared data.
True to throw on error.
The Silo User Shared Data.
Get whether this job object can be impersonated.
True to throw on error.
True if the job object can be impersonated.
Enable thread impersonation on this job object.
True to throw on error.
The NT status code.
Method to query information for this object type.
The information class.
The buffer to return data in.
Return length from the query.
The NT status code for the query.
Method to set information for this object type.
The information class.
The buffer to set data from.
The NT status code for the set.
Get or set completion filter for job object.
The count of completions for the job.
Get or set the Maximum Bandwith NetRate limitation.
Get or set the DSCP Tag NetRate limitation.
Get or set the active process limit.
Get or set the active process limit.
Get or set the minimum working set size.
Get or set the maximum working set size.
Get or set the process time limit.
Get or set the process time limit.
Get or set the process memory limit.
Get or set the process memory limit.
Get used peak job memory used.
Get used peak job memory used.
Get or set the job limit flags.
Get or set the job UI Restriction flags.
Get or set whether job breakaway is allowed.
Get or set whether silenty job breakaway is allowed.
ID of container.
ID of container telemetry.
Job ID.
Get the Silo's Root Directory.
Get Silo basic information.
Get Silo basic information.
Get Silo user shared data.
Get or set the thread impersonation status.
Get whether this Job object is a silo.
Class to represent an NT Key object
Load a new hive
The destination path
The path to the hive
Load flags
The opened root key
Thrown on error.
Load a new hive
Object attributes for the key name
Object attributes for the path to the hive file
Load flags
Desired access for the root key
The opened root key
Thrown on error.
Load a new hive
Object attributes for the key name
Object attributes for the path to the hive file
Load flags
Desired access for the root key
Key that this hive will be trusted for.
Event handle for key load.
True to throw an exception on error.
The NT status code and object result.
Load a new hive and do not open the root key.
Object attributes for the key name
Object attributes for the path to the hive file
Load flags
Key that this hive will be trusted for.
Event handle for key load.
True to throw an exception on error.
The NT status code.
Load a new hive
Object attributes for the key name
Object attributes for the path to the hive file
Load flags
Desired access for the root key
Key that this hive will be trusted for.
Event handle for key load.
The opened key.
Load a new hive and do not open the root key.
Object attributes for the key name
Object attributes for the path to the hive file
Load flags
Key that this hive will be trusted for.
Event handle for key load.
Load a new hive
Object attributes for the key name
Object attributes for the path to the hive file
Load flags
Desired access for the root key
True to throw an exception on error.
The NT status code and object result.
Load a new hive
Object attributes for the key name
Object attributes for the path to the hive file
Load flags
Desired access for the root key
Token to open the hive files under.
Key that this hive will be trusted for.
Event handle for key load.
True to throw an exception on error.
The NT status code and object result.
Load a new hive and do not open the root key.
Object attributes for the key name
Object attributes for the path to the hive file
Load flags
Token to open the hive files under.
Key that this hive will be trusted for.
Event handle for key load.
True to throw an exception on error.
The NT status code.
Load a new hive
Object attributes for the key name
Object attributes for the path to the hive file
Load flags
Desired access for the root key
Token to open the hive files under.
Key that this hive will be trusted for.
Event handle for key load.
The loaded key.
Load a new hive and do not open the root key.
Object attributes for the key name
Object attributes for the path to the hive file
Load flags
Token to open the hive files under.
Key that this hive will be trusted for.
Event handle for key load.
Unload an existing hive.
Object attributes for the key name
Unload flags
True to throw an exception on error.
The NT status code.
Unload an existing hive.
Path to key to unload.
Unload flags
Thrown on error.
Unload an existing hive.
Path to key to unload.
Thrown on error.
Create a new Key
Object attributes for the key name
Desired access for the root key
Create options
Optional transaction object.
True to throw an exception on error.
The NT status code and object result.
Create a new Key
Object attributes for the key name
Desired access for the root key
Create options
True to throw an exception on error.
The NT status code and object result.
Create a new Key
Object attributes for the key name
Desired access for the root key
Create options
The opened key
Thrown on error.
Create a new Key
Object attributes for the key name
Desired access for the root key
Create options
Optional transaction object.
The NT status code and object result.
Create a new Key
Path to the key to create
Root key if key_name is relative
Desired access for the root key
Create options
The opened key
Thrown on error.
Try and open a Key
Object attributes for the key name
Desired access for the root key
Open options.
Optional transaction object.
True to throw an exception on error.
The NT status code and object result.
Try and open a Key
Object attributes for the key name
Desired access for the root key
Open options.
True to throw an exception on error.
The NT status code and object result.
Try and open a Key
Path to the key to open
Root key if key_name is relative
Desired access for the root key
Open options.
Optional transaction object.
True to throw an exception on error.
The NT status code and object result.
Try and open a Key
Path to the key to open
Root key if key_name is relative
Desired access for the root key
Open options.
True to throw an exception on error.
The NT status code and object result.
Open a Key
Object attributes for the key name
Desired access for the root key
Open options.
The opened key
Thrown on error.
Open a Key
Object attributes for the key name
Desired access for the root key
Open options.
Optional transaction object.
The opened key
Thrown on error.
Open a Key
Path to the key to open
Root key if key_name is relative
Desired access for the root key
The opened key
Thrown on error.
Query a license value. While technically not directly a registry key
it has many of the same properties such as using the same registry
value types.
The name of the license value.
True to throw an exception on error
The license value key
Query a license value. While technically not directly a registry key
it has many of the same properties such as using the same registry
value types.
The name of the license value.
The license value key
Create a registry key symbolic link
Root key if path is relative
Path to the key to create
Target resistry path
The created symbolic link key
Thrown on error.
Open the machine key
The opened key with the maximum access allowed.
Thrown on error.
Open the machine key
The opened key with the maximum access allowed.
True to throw on error.
Thrown on error.
Open the user key
The opened key
Thrown on error.
Open the user key
The opened key with the maximum access allowed.
True to throw on error.
Thrown on error.
Open a specific user key
The SID of the user to open
The opened key
Thrown on error.
Open the user key
The SID of the user to open
True to throw on error.
The opened key with the maximum access allowed.
Thrown on error.
Open the current user key
The opened key
Thrown on error.
Open the current user key
True to throw on error.
The opened key with the maximum access allowed.
Thrown on error.
Open the root key
The opened key
Thrown on error.
Open the root key
The opened key with the maximum access allowed.
True to throw on error.
Thrown on error.
Create a new Key
Path to the key to create
The opened key
Thrown on error.
Create a new Key
Path to the key to create
Desired access for the root key
Create options
The opened key
Thrown on error.
Delete the key
True to throw on error.
Delete the key
Set a resistry value
The name of the value
The type of the value
The raw value data
True to throw on error.
Thrown on error.
The NT status code.
Set a resistry value
The name of the value
The type of the value
The raw value data
Thrown on error.
Set a string resistry value
The name of the value
The type of the value
The value data
True to throw on error.
Thrown on error.
The NT status code.
Set a string resistry value as REG_SZ.
The name of the value
The value data
True to throw on error.
Thrown on error.
The NT status code.
Set a string resistry value
The name of the value
The type of the value
The value data
Thrown on error.
Set a string resistry value as REG_SZ.
The name of the value
The value data
Thrown on error.
Set a list of strings as a resistry value.
The name of the value
The list of strings to set.
True to throw on error.
Thrown on error.
The NT status code.
Set a list of strings as a resistry value.
The name of the value
The list of strings to set.
Thrown on error.
Set a DWORD resistry value
The name of the value
The value data
True to throw on error.
Thrown on error.
The NT status code.
Set a DWORD resistry value
The name of the value
The value data
True to set the value of big endian.
True to throw on error.
Thrown on error.
The NT status code.
Set a QWORD resistry value
The name of the value
The value data
True to throw on error.
Thrown on error.
The NT status code.
Set a DWORD resistry value
The name of the value
The value data
Thrown on error.
Set a DWORD resistry value
The name of the value
The value data
True to set the value of big endian.
Thrown on error.
Set a QWORD resistry value
The name of the value
The value data
Thrown on error.
Delete a registry value
The name of the value
True to throw on error.
Thrown on error.
The NT status code.
Delete a registry value
The name of the value
Thrown on error.
Query a value by name
The name of the value
True to throw on error
The value information
Query a value by name
The name of the value
The value information
Thrown on error.
Query all values for this key
A list of values
Thrown on error.
Query all subkey entries.
The list of subkey entries
Thrown on error.
Query all subkey names
The list of subkey names
Thrown on error.
Return a list of subkeys which can be accessed.
The required access rights for the subkeys
True to open link keys rather than following the link.
True to open keys with backup flag set.
The disposable list of subkeys.
Return a list of subkeys which can be accessed.
The required access rights for the subkeys
The disposable list of subkeys.
Thrown on error.
Set a symbolic link target for this key (must have been created with
appropriate create flags)
The symbolic link target.
True to throw on error.
The NT status code.
Thrown on error.
Set a symbolic link target for this key (must have been created with
appropriate create flags)
The symbolic link target.
Get the symbolic link target for this key.
True to throw on error.
The symbolic link target.
Thrown on error.
Get the symbolic link target for this key.
The symbolic link target.
Thrown on error.
Open a key
The path to the key to open
The opened key
Thrown on error.
Open a key
The path to the key to open
Access rights for the key
The opened key
Thrown on error.
Open a key
The path to the key to open
Access rights for the key
True to throw on error.
The opened key
Thrown on error.
Open a key
The path to the key to open
Access rights for the key
Key open options.
True to throw on error.
The opened key
Thrown on error.
Reopen the key with different access rights.
The access rights to reopen with.
Open options.
True to throw on error.
The opened key.
Reopen the key with different access rights.
The access rights to reopen with.
The object attributes to open with.
Open options.
True to throw on error.
The opened key.
Reopen the key with different access rights.
The access rights to reopen with.
Open options.
The opened key.
Convert object to a .NET RegistryKey object
The registry key object
Rename key.
The new name for the key.
True to throw on error.
The NT status code.
Thrown on error.
Rename key.
The new name for the key.
Thrown on error.
Save the opened key into a file.
The file to save to.
Save key flags
True to throw on error.
The NT status code.
Thrown on error.
Save the opened key into a file.
The file to save to.
Save key flags
Save the opened key into a file.
The file path to save to.
Save key flags
True to throw on error.
The NT status code.
Thrown on error.
Save the opened key into a file.
The file path to save to.
Save key flags
Save the opened key into a file.
The file path to save to.
Restore key from a file.
The file to restore from
Restore key flags
True to throw on error.
The NT status code.
Thrown on error.
Restore key from a file.
The file to restore from
Restore key flags
Restore key from a file.
The file path to restore from
Restore key flags
True to throw on error.
The NT status code.
Thrown on error.
Restore key from a file.
The file path to restore from
Restore key flags
Restore key from a file.
The file path to restore from
Try and lock the registry key to prevent further modification.
Note that this almost certainly never works from usermode, there's an explicit
check to prevent it in the kernel.
Wait for a change on the registry key.
Specify what changes will be notified.
True to watch the entire tree.
The status from the change notification.
Thrown on error.
Wait for a change on thie registry key asynchronously.
Specify what changes will be notified.
True to watch the entire tree.
The status from the change notification.
Thrown on error.
Visit all accessible keys under this one.
A function to be called on every accessible key. Return true to continue enumeration.
Specify the desired access for the keys.
True to recurse into sub keys.
Specify max recursive depth. -1 to not set a limit.
Open the key using backup privileges.
Visit all accessible directories under this one.
A function to be called on every accessible directory. Return true to continue enumeration.
Visit all accessible directories under this one.
A function to be called on every accessible directory. Return true to continue enumeration.
True to recurse into sub directories.
Visit all accessible directories under this one.
A function to be called on every accessible directory. Return true to continue enumeration.
Specify the desired access for the directory
True to recurse into sub directories.
Open the key using backup privileges.
Method to query information for this object type.
The information class.
The buffer to return data in.
Return length from the query.
The NT status code for the query.
Method to set information for this object type.
The information class.
The buffer to set data from.
The NT status code for the set.
Get key last write time
The last write time
Thrown on error.
Get key subkey count
The subkey count
Thrown on error.
Get key value count
The key value count
Thrown on error.
Get the key title index
The key title index
Thrown on error.
Get the key class name
The key class name
Thrown on error.
Get the maximum key value name length
The maximum key value name length
Thrown on error.
Get the maximum key value data length
The maximum key value data length
Thrown on error.
Get the maximum subkey name length
The maximum subkey name length
Thrown on error.
Get the maximum class name length
The maximum class name length
Thrown on error.
Get the key path as a Win32 style one. If not possible returns
the original path.
The disposition when the key was created.
Indicates the handle is a special pre-defined one by the kernel.
Get or set virtualization flags.
Get or set key control flags.
Get or set wow64 flags.
Get key flags.
Indicates if this key is from a trusted hive.
Indicates if this key is a symbolic link.
Indicates if this key is volatile.
Get the name from NtQueryKey.
Returns whether this object is a container.
A key entry.
The name of the key.
The last write time.
The key's title index.
Class to represent a loaded hive from the Hive List.
Path to the root key.
Path to the hive file.
Utilities for registry keys.
Convert a Win32 style keyname such as HKEY_LOCAL_MACHINE\Path into a native key path.
The win32 style keyname to convert.
The converted keyname.
Thrown if invalid name.
Attempt to convert an NT style registry key name to Win32 form.
If it's not possible to convert the function will return the
original form.
The NT path to convert.
The converted path, or original if it can't be converted.
Query list of loaded hives from the Registry.
Convert the file path to a DOS path.
The list of loaded hives.
Query list of loaded hives from the Registry.
The list of loaded hives.
Class representing a single Key value
Name of the value
Type of the value
Raw data for the value
Title index for the value
Get the value as an object.
Convert the value to a string
The value as a string
Convert value to an object
The value as an object
LDR static methods.
Get address of a procedure in a mapped image.
The handle to the mapped image.
The name of the procedure to find.
True to throw on error.
The procedure address.
Get address of a procedure in a mapped image.
The handle to the mapped image.
The name of the procedure to find.
The procedure address.
Class to access NT locale information
Get mapped NLS section
The type of section
The codepage number
True to throw on error.
The mapped section if it exists.
Get mapped NLS section
The type of section
The codepage number
The mapped section if it exists.
Get default locale ID
True if the locale should be the thread's, otherwise the systems
True to throw on error.
The locale ID
Get default locale ID
True if the locale should be the thread's, otherwise the systems
The locale ID
Set default locale
True if the locale should be the thread's, otherwise the systems
True to throw on error.
The locale ID
The NT status code.
Set default locale
True if the locale should be the thread's, otherwise the systems
The locale ID
Class representing a NT File Mailslot client object
Set the mailslot read timeout.
The timeout to set.
True to throw on error.
The NT Status code.
Peek on the current status of the Mailslot.
True to throw on error.
The peek status.
Peek on the current status of the Mailslot.
The peek status.
Get or set the Read Timeout.
Get maximum message size.
Get mailslot quota.
Get next message size.
Get messages available.
Class representing a mapped section
The process which the section is mapped into
The valid length of the mapped section from the current position.
This doesn't take into account the possibility of fragmented commits.
Get full path for mapped section.
Query the memory protection setting for this mapping.
Get image signing level.
Get the base address of the mapped section.
Release the internal handle
Checks if this mapped view represents the same file.
The address to check.
True to throw on error.
True if the mapped view represents the same file.
Checks if this mapped view represents the same file.
The address to check.
True if the mapped view represents the same file.
Detaches the current buffer and allocates a new one.
Specify a new length for the detached buffer. Must be <= Length.
The detached buffer.
The original buffer will become invalid after this call.
Class representing a NT Mutant object
Create a new mutant
The path to the mutant
The root object if path is relative
True to set current thread as initial owner
The opened mutant
Thrown on error
Create a new mutant
Object attributes
True to set current thread as initial owner
Desired access for mutant
The opened mutant
Thrown on error
Create a new mutant
Object attributes
True to set current thread as initial owner
Desired access for mutant
True to throw an exception on error.
The NT status code and object result.
Open a mutant
The path to the mutant
The root object if path is relative
Desired access for mutant
The opened mutant
Thrown on error
Open a mutant
The path to the mutant
The root object if path is relative
The opened mutant
Thrown on error
Open a mutant
Object attributes
Desired access for mutant
The opened mutant
Thrown on error
Open a mutant
Object attributes
Desired access for mutant
True to throw an exception on error.
The NT status code and object result.
Release the mutant
True to throw on error.
The previous release count
Release the mutant
The previous release count
Method to query information for this object type.
The information class.
The buffer to return data in.
Return length from the query.
The NT status code for the query.
Get the owner of the mutant.
Get current count.
Get wether mutant owned by current thread.
Get whether mutant is abandoned.
Pipe attribute type.
The pipe attributes.
The pipe connect attributes.
The pipe handle attributes.
Class to add additional methods to a file for a named pipe. This is a base class for server and client types.
Get a named attribute from the pipe.
The attribute type to query.
The name of the attribute.
True to throw on error.
The attribute value as a byte array.
Thrown on error.
Set a named attribute for a pipe.
The attribute type to set.
The name of the attribute.
The value to set.
True to throw on error.
The status code for the attribute.
Thrown on error.
Set a named attribute for a pipe.
The attribute type to set.
The name of the attribute.
The value to set.
Thrown on error.
Set a named attribute for a pipe.
The attribute type to set.
The name of the attribute.
The value to set.
True to throw on error.
The status code for the attribute.
Thrown on error.
Set a named attribute for a pipe.
The attribute type to set.
The name of the attribute.
The value to set.
Thrown on error.
Set a named attribute for a pipe.
The attribute type to set.
The name of the attribute.
The value to set.
True to throw on error.
The status code for the attribute.
Thrown on error.
Set a named attribute for a pipe.
The attribute type to set.
The name of the attribute.
The value to set.
Thrown on error.
Get a named attribute from the pipe.
The attribute type to query.
The name of the attribute.
The attribute value as a byte array.
Thrown on error.
Get a named attribute from the pipe as an integer.
The attribute type to query.
The name of the attribute.
True to throw on error.
The attribute value as an integer.
Thrown on error.
Get a named attribute from the pipe as an integer.
The attribute type to query.
The name of the attribute.
The attribute value as an integer.
Thrown on error.
Get a named attribute from the pipe as an integer.
The attribute type to query.
The name of the attribute.
True to throw on error.
The attribute value as an integer.
Thrown on error.
Get a named attribute from the pipe as an integer.
The attribute type to query.
The name of the attribute.
The attribute value as an integer.
Thrown on error.
Send and receive a message in one call.
The input buffer to send.
The maximum output size.
True to throw on error.
The received buffer.
Send and receive a message in one call.
The input buffer to send.
The maximum output size.
The received buffer.
Send and receive a message in one call.
The input buffer to send.
The maximum output size.
True to throw on error.
The received buffer.
Send and receive a message in one call.
The input buffer to send.
The maximum output size.
The received buffer.
Set pipe information flags.
The read mode to set.
The completion mode.
True to throw on error.
The NT status code.
Set pipe information flags.
The read mode to set.
The completion mode.
Query the information class as an object.
The information class.
True to throw on error.
The information class as an object.
Pipe completion mode.
Pipe read mode.
Pipe type.
Pipe configuration.
Maximum instances of the pipe, -1 is unlimited.
Current pipe instances.
Inbound quota.
Available bytes to read.
Outbound quota.
Available outbound quota.
Connect state of the named pipe.
Type of pipe endpoint.
Class to add additional methods to a file for a named pipe server.
Listen for a new connection to this named pipe server.
Listen for a new connection to this named pipe server asynchronously.
An optional cancellation token.
The async task to complete.
Listen for a new connection to this named pipe server asynchronously.
The async task to complete.
Disconnect this named pipe server.
Disconnect this named pipe server asynchronously.
An optional cancellation token.
The async task to complete.
Disconnect this named pipe server asynchronously.
The async task to complete.
Impersonate the client of the named pipe.
The impersonation context. Dispose to revert to self.
Get client process ID.
Get client session ID. If this is 0 then the client is local, otherwise it's set by the SMB server.
Get client computer name.
Get the default named pipe ACL for the current caller.
The default named pipe ACL.
Class to add additional methods to a file for a named pipe client.
Disables impersonation on a named pipe.
Get server process ID.
Get client session ID.
A pair of named pipes.
Read pipe for the pair.
Write pipe for the pair.
Base class for all NtObject types we handle
Get the basic information for the object.
The basic information
Base constructor
Handle to the object
Duplicate the internal handle to a new handle.
Attribute flags for new handle
The source handle to duplicate
The source process to duplicate from
The desination process for the handle
Duplicate handle options
The access rights for the new handle
True to throw an exception on error.
The NT status code and object result.
Duplicate the internal handle to a new handle.
The source handle to duplicate
The desination process for the handle
Duplicate handle options
The access rights for the new handle
The duplicated handle.
Duplicate a handle from the current process to a new handle with the same access rights.
The source handle to duplicate
The desination process for the handle
The duplicated handle.
Duplicate a handle from and to the current process to a new handle with the same access rights.
The source handle to duplicate
The duplicated handle.
Duplicate a handle from and to the current process to a new handle with the same access rights.
The source handle to duplicate
True to throw on error.
The duplicated handle.
Duplicate a handle from and to the current process to a new handle with new access rights.
The source handle to duplicate
The access for the new handle.
The duplicated handle.
Indicates whether a specific type of kernel object can be opened.
The kernel typename to check.
True if this type of object can be opened.
Open an NT object with a specified type.
The type to open. If null the method will try and lookup the appropriate type.
Object attributes for object.
Generic access rights to the object.
True to throw on error.
The opened object.
Thrown if an error occurred opening the object.
Open an NT object with a specified type.
The name of the type to open (e.g. Event). If null the method will try and lookup the appropriate type.
The path to the object to open.
A root directory to open from.
Generic access rights to the object.
Attributes to open the object.
Security quality of service.
True to throw on error.
The opened object.
Thrown if an error occurred opening the object.
Open an NT object with a specified type.
The name of the type to open (e.g. Event). If null the method will try and lookup the appropriate type.
The path to the object to open.
A root directory to open from.
Generic access rights to the object.
Attributes to open the object.
Security quality of service.
The opened object.
Thrown if an error occurred opening the object.
Open an NT object with a specified type.
The name of the type to open (e.g. Event). If null the method will try and lookup the appropriate type.
The path to the object to open.
A root directory to open from.
Generic access rights to the object.
The opened object.
Thrown if an error occurred opening the object.
Thrown if type of resource couldn't be found.
Close a handle in another process.
The source handle to close.
The source process containing the handle to close.
True to throw an exception on error.
The NT status code.
Close a handle in another process.
The source handle to close.
The source process containing the handle to close.
Close a handle in another process by PID.
The source handle to close.
The source process ID containing the handle to close.
True to throw an exception on error.
The NT status code.
Close a handle in another process by PID.
The source handle to close.
The source process ID containing the handle to close.
Close a handle.
The handle to close.
The NT status code.
Close a handle.
The handle to close.
The NT status code.
Duplicate a handle to a new handle, potentially in a different process.
Attribute flags for new handle
The source handle to duplicate
The source process to duplicate from
The desination process for the handle
Duplicate handle options
The access rights for the new handle
True to throw an exception on error.
The NT status code and object result.
Duplicate a handle to a new handle, potentially in a different process.
Attribute flags for new handle
The source handle to duplicate
The source process to duplicate from
The desination process for the handle
Duplicate handle options
The access rights for the new handle
The NT status code and object result.
Duplicate object.
Access rights to duplicate with.
Attribute flags.
Duplicate options
True to throw an exception on error.
The duplicated object.
Duplicate object.
Access rights to duplicate with.
Attribute flags.
Duplicate options
The duplicated object.
Duplicate object with specific access rights.
Access rights to duplicate with.
The duplicated object.
Duplicate object with same access rights.
The duplicated object.
Duplicate the object handle as a WaitHandle.
The wait handle.
Check if access is granted to a set of rights
The access rights to check
True if all the access rights are granted
Get security descriptor as a byte array
What parts of the security descriptor to retrieve
The security descriptor
Get security descriptor as a byte array
What parts of the security descriptor to retrieve
True to throw on error.
The NT status result and security descriptor.
Get security descriptor as a byte array
Returns an array of bytes for the security descriptor
Set the object's security descriptor
The security descriptor to set.
What parts of the security descriptor to set
True to throw on error.
The NT status result.
Set the object's security descriptor
The security descriptor to set.
What parts of the security descriptor to set
Set the object's security descriptor
The security descriptor to set.
What parts of the security descriptor to set
Set the object's security descriptor
The security descriptor to set.
What parts of the security descriptor to set
True to throw on error.
The NT status code.
Get the security descriptor specifying which parts to retrieve
What parts of the security descriptor to retrieve
The security descriptor
Get the security descriptor specifying which parts to retrieve
What parts of the security descriptor to retrieve
True to throw on error.
The security descriptor
Get the security descriptor as an SDDL string
The security descriptor as an SDDL string
Make the object a temporary object
True to throw on error.
The NT status code.
Make the object a temporary object
Make the object a permanent object
True to throw on error.
The NT status code.
Make the object a permanent object
Wait on the object to become signaled
True to make the wait alertable
The time out
The success status of the wait, such as STATUS_SUCCESS or STATUS_TIMEOUT
Thrown on error
Wait on the object to become signaled
The time out
The success status of the wait, such as STATUS_SUCCESS or STATUS_TIMEOUT
Thrown on error
Wait on the object to become signaled
True to make the wait alertable
The time out in seconds
The success status of the wait, such as STATUS_SUCCESS or STATUS_TIMEOUT
Thrown on error
Wait on the object to become signaled
The time out in seconds
The success status of the wait, such as STATUS_SUCCESS or STATUS_TIMEOUT
Thrown on error
Wait on the object to become signaled for an infinite time.
The success status of the wait, such as STATUS_SUCCESS or STATUS_TIMEOUT
Thrown on error
Wait on the object to become signaled.
Timeout in seconds.
Cancellation token for wait.
A task to wait on. If result is true then event was signaled.
Wait on the object to become signaled.
Timeout in seconds.
A task to wait on. If result is true then event was signaled.
Wait on the object to become signaled.
Will wait an infinite time.
A task to wait on.
Convert an enumerable access rights to a string
True to try and convert to generic rights where possible.
The string format of the access rights
Convert an enumerable access rights to a string
The string format of the access rights
Check if this object is exactly the same as another using NtCompareObject.
The object to compare against.
True if this is the same object.
Thrown on error.
This is only supported on Windows 10 and above. For one which works on everything use SameObject.
Check if this object is exactly the same as another.
The object to compare against.
True if this is the same object.
Thrown on error.
This function can be slow to run and unreliable. Use CompareObject is Windows 10 or above.
Convert to a string
The string form of the object
Get full path to the object
Get the granted access as an unsigned integer
Get the security descriptor, with Dacl, Owner, Group and Label
Get the security descriptor as an SDDL string
The security descriptor as an SDDL string
The low-level handle to the object.
Get the NT type name for this object.
The NT type name.
Get the NtType for this object.
The NtType for the type name
Get the name of the object
Indicates if the handle can be used for synchronization.
Get object creation time.
Get the attribute flags for the object.
Get number of handles for this object.
Get reference count for this object.
Get or set whether the handle is inheritable.
Get or set whether the handle is protected from closing.
Get the object's address is kernel memory.
As getting the address is expensive you need to pass the object to NtSystemInfo::ResolveObjectAddress to intialize.
Returns whether this object is a container.
Returns whether this object is closed.
Virtual Dispose method.
True if disposing, false if finalizing
Finalizer
Dispose
Close handle
Generic access rights.
Options for duplicating objects.
Close the original handle.
Duplicate with the same access.
Duplicate with the same handle attributes.
Prevent duplicating handle above the existing access.
Information class for NtQueryObject
Structure to return Object Name
Structure to return Object basic information
Type of kernel pool used for object allocation
Native structure used for getting type information.
Static utility methods.
Convert the safe handle to an array of bytes.
The data contained in the allocaiton.
Convert an NtStatus to an exception if the status is an error
The NtStatus
The original NtStatus if not an error
Thrown if status is an error.
Convert an NtStatus to an exception if the status is an error and throw_on_error is true.
The NtStatus
True to throw an exception onerror.
The original NtStatus if not thrown
Thrown if status is an error and throw_on_error is true.
Checks if the NtStatus value is a success
The NtStatus value
True if a success
Checks if the NtStatus value is an error.
The NtStatus value
True if an error.
Get the severity of the NTSTATUS.
The NtStatus value
The severity.
Get the facility of the NTSTATUS.
The NtStatus value
The facility.
Get the status code of the NTSTATUS.
The NtStatus value.
The static code.
Is an NTSTATUS a customer code.
The NtStatus value
True if is a customer code.
Is an NTSTATUS reserved.
The NtStatus value
True if reserved.
Build a status from it's component parts.
The severity of the status code.
Is this a customer code?
Is this a reserved code?
The facility.
The status code.
Convert an NTSTATUS to a message description.
The status to convert.
The message description, or an empty string if not found.
Convert an integer to an NtStatus code.
The integer status.
The converted code.
Convert an enumerable access rights to a string
The granted access mask.
Generic mapping for object type.
Enum type to convert to string.
True to try and convert to generic rights where possible.
The string format of the access rights
Convert an IEnumerable to a Disposable List.
Run a function on an NtResult and dispose the result afterwards.
The underlying result type.
The result of the function.
The result.
The function to call.
The default value to return if an error occurred.
The result of func.
If result is not a success then the function is not called.
Run a function on an NtResult and dispose the result afterwards.
The underlying result type.
The result of the function.
The result.
The function to call.
The result of func.
If result is not a success then the function is not called.
Run an action on an NtResult and dispose the result afterwards.
The underlying result type.
The result.
The action to call.
If result is not a success then the action is not called.
Run a function on an NtResult and dispose the result afterwards.
The underlying result type.
The result of the function.
The result.
The function to call.
The result of func.
Run an action on an NtResult and dispose the result afterwards.
The underlying result type.
The result.
The action to call.
Convert a handle to a known object type.
The handle.
The object type.
Convert a handle to a known object type.
The handle.
True to own the handle.
The object type.
Convert a handle to a known object type.
The handle.
True to own the handle.
The object type.
Map a DOS error to an NT status code.
The DOS error.
The NT status code.
Map a status to a DOS error code. Takes into account NTWIN32
status codes.
The status code.
The mapped DOS error.
Get the last NT status code in this thread set for Win32 last error.
The last NT status code.
Create an NT result object. If status is successful then call function otherwise use default value.
The result type.
The associated status code.
Throw an exception on error.
Function to call to create an instance of the result
The created result.
Create a successful NT result object.
The result type.
The result value.
The created result.
Create an NT result object. If status is successful then call function otherwise use default value.
The result type.
The associated status code.
Throw an exception on error.
Function to call to create an instance of the result
Function to call on error.
The created result.
Create an NT result object. If status is successful then call function otherwise use default value.
The result type.
The associated status code.
Throw an exception on error.
Function to call to create an instance of the result
The created result.
A derived class to add some useful functions such as Duplicate
The derived type to use as return values
An enum which represents the access mask values for the type
Reopen object with different access rights.
The desired access.
Additional attributes for open.
True to throw on error.
The reopened object.
Reopen object with different access rights.
The desired access.
True to throw on error.
The reopened object.
Reopen object with different access rights.
The desired access.
The reopened object.
Duplicate object.
Access rights to duplicate with.
Attribute flags.
Duplicate options
True to throw an exception on error.
The duplicated object.
Duplicate object.
Access rights to duplicate with.
Attribute flags.
Duplicate options
True to throw an exception on error.
The duplicated object.
Duplicate object.
Access rights to duplicate with.
Attribute flags.
Duplicate options
The duplicated object.
Duplicate the object with specific access rights
The access rights for the new handle
The duplicated object
Duplicate the object with specific access rights
The access rights for the new handle
True to throw an exception on error.
The duplicated object
Duplicate the object with same access rights
The duplicated object
Duplicate the object with same access rights
True to throw on error.
The duplicated object
Get granted access for handle.
Granted access
Get generic granted access for handle.
Generic Granted access
Get the maximum permission access for this object based on a token
and it's security descriptor.
The token to check against.
Returns 0 if can't read the security descriptor.
Get the maximum permission access for this object based on the current token
and its security descriptor.
Returns 0 if can't read the security descriptor.
Check if a specific set of access rights is granted
The access rights to check
True if all access rights are granted
Create a new instance from a kernel handle
The kernel handle
The new typed instance
Create a new instance from a kernel handle
The kernel handle
True to own the handle.
The new typed instance
Create a new instance from a kernel handle.
The kernel handle
The call doesn't own the handle. The returned object can't be used to close the handle.
The new typed instance
Duplicate an instance from a process
The process (with DupHandle access)
The handle value to duplicate
The access rights to duplicate with
The options for duplication.
The attribute flags for the new object.
True to throw an exception on error.
The NT status code and object result.
Duplicate an instance from a process
The process (with DupHandle access)
The handle value to duplicate
The access rights to duplicate with
The options for duplication.
The attribute flags for the new object.
The NT status code and object result.
Duplicate an instance from a process
The process (with DupHandle access)
The handle value to duplicate
The access rights to duplicate with
The options for duplication.
True to throw an exception on error.
The NT status code and object result.
Duplicate an instance from a process
The process ID
The handle value to duplicate
The access rights to duplicate with
The options for duplication.
True to throw an exception on error.
The NT status code and object result.
Duplicate an instance from a process with a specified access rights.
The process (with DupHandle access)
The handle value to duplicate
The access rights to duplicate.
The duplicated handle
Duplicate an instance from a process
The process ID
The handle value to duplicate
The access rights to duplicate with
The duplicated handle
Duplicate an instance from a process with same access rights.
The process (with DupHandle access)
The handle value to duplicate
The duplicated object.
Duplicate an instance from a process with same access rights
The process ID
The handle value to duplicate
The duplicated handle
Duplicate an instance from current process to an other process
The destination process (with DupHandle access)
The access rights to duplicate with
The options for duplication.
True to throw an exception on error.
The NT status code and object result.
Duplicate an instance from current process to an other process
The destination process (with DupHandle access)
The handle value to duplicate
The access rights to duplicate with
The options for duplication.
True to throw an exception on error.
The NT status code and object result.
Duplicate an instance from current process to an other process
The destination process ID
The handle value to duplicate
The access rights to duplicate with
The options for duplication.
True to throw an exception on error.
The NT status code and object result.
Duplicate an instance from current process to an other process with a specified access rights.
The destination process (with DupHandle access)
The handle value to duplicate
The access rights to duplicate.
The duplicated handle
Duplicate an instance from current process to an other process
The destination process ID
The handle value to duplicate
The access rights to duplicate with
The duplicated handle
Duplicate an instance from current process to an other process with same access rights.
The destination process (with DupHandle access)
The handle value to duplicate
The duplicated object.
Duplicate an instance from current process to an other process with same access rights.
The destination process (with DupHandle access)
The duplicated object.
Duplicate an instance from current process to an other process with same access rights
The destination process ID
The handle value to duplicate
The duplicated handle
Duplicate an instance from current process to an other process with same access rights
The destination process ID
The duplicated handle
Duplicate an instance from a process to an other process
The source process (with DupHandle access)
The handle value to duplicate
The destination process (with DupHandle access)
The access rights to duplicate with
The options for duplication.
True to throw an exception on error.
The NT status code and object result.
Duplicate an instance from a process to an other process
The source process ID
The handle value to duplicate
The destination process ID
The access rights to duplicate with
The options for duplication.
True to throw an exception on error.
The NT status code and object result.
Duplicate an instance from a process to an other process with a specified access rights.
The source process (with DupHandle access)
The handle value to duplicate
The destination process (with DupHandle access)
The access rights to duplicate.
The duplicated handle
Duplicate an instance from a process to an other process
The source process ID
The handle value to duplicate
The destination process ID
The access rights to duplicate with
The duplicated handle
Duplicate an instance from a process to an other process with same access rights.
The source process (with DupHandle access)
The handle value to duplicate
The destination process (with DupHandle access)
The duplicated object.
Duplicate an instance from a process to an other process with same access rights
The source process ID
The handle value to duplicate
The destination process ID
The duplicated handle
Interface to generically query an object.
Interface to generically set an object.
A derived class to add some useful functions such as Duplicate as well as generic Query and Set information methods.
The derived type to use as return values
An enum which represents the access mask values for the type
An enum which represents the information class for query.
An enum which represents the information class for set.
Query a fixed structure from the object.
The type of structure to return.
The information class to query.
A default value for the query.
True to throw on error.
The result of the query.
Thrown on error.
Query a fixed structure from the object.
The type of structure to return.
The information class to query.
A default value for the query.
The result of the query.
Thrown on error.
Query a fixed structure from the object.
The type of structure to return.
The information class to query.
The result of the query.
Thrown on error.
Query an enumerated value from the object.
The type of enum to return.
The base type for the enumeration.
The information class to query.
The result of the query.
Thrown on error.
Query an enumerated value from the object.
The type of enum to return.
The information class to query.
The result of the query.
Thrown on error.
Query the information class as an object.
The information class.
True to throw on error.
The information class as an object.
Query the information class as an object.
The information class.
The information class as an object.
If the information class doesn't have an explicit object type a raw byte query will be made.
Query a variable buffer from the object.
The type of structure to return.
The information class to query.
A default value for the query.
True to throw on error.
The result of the query.
Thrown on error.
Query a variable buffer from the object.
The information class to query.
A buffer to initialize the initial query. Can be null.
True to throw on error.
The result of the query.
Thrown on error.
Query a variable buffer from the object.
The information class to query.
A buffer to initialize the initial query. Can be null.
The result of the query.
Thrown on error.
Query a variable buffer from the object.
The information class to query.
The result of the query.
Thrown on error.
Query a variable buffer from the object and return as bytes.
The information class to query.
A buffer to initialize the initial query. Can be null.
True to throw on error.
The result of the query.
Thrown on error.
Query a variable buffer from the object and return as bytes.
The information class to query.
A buffer to initialize the initial query. Can be null.
The result of the query.
Thrown on error.
Query a variable buffer from the object and return as bytes.
The information class to query.
The result of the query.
Thrown on error.
Query a variable buffer from the object.
The type of structure to return.
The information class to query.
A default value for the query.
The result of the query.
Thrown on error.
Query a variable buffer from the object.
The type of structure to return.
The information class to query.
The result of the query.
Thrown on error.
Set a value to the object.
The type of structure to set.
The information class to set.
The value to set. If you specify a SafeBuffer then it'll be passed directly.
True to throw on error.
The NT status code of the set.
Thrown on error.
Set a value to the object.
The type of structure to set.
The information class to set.
The value to set.
The NT status code of the set.
Thrown on error.
Set a value to the object from a buffer.
The information class to set.
The value to set.
True to throw on error.
The NT status code of the set.
Thrown on error.
Set a value to the object from a buffer..
The information class to set.
The value to set.
The NT status code of the set.
Thrown on error.
Set a raw value to the object.
The information class to set.
The raw value to set.
True to throw on error.
The NT status code of the set.
Thrown on error.
Set a raw value to the object.
The information class to set.
The raw value to set.
The NT status code of the set.
Thrown on error.
Method to query information for this object type.
The information class.
The buffer to return data in.
Return length from the query.
The NT status code for the query.
Method to set information for this object type.
The information class.
The buffer to set data from.
The NT status code for the set.
Overriddable method to determine the maximum brute force length for query.
Information class to key on if needs to return different sizes.
The maximum bytes to brute force. Returning 0 will disable brute force.
Overridable method to determine if the return length shouldn't be trusted for this info class when querying a variable buffer.
Information class to key on.
True to trust the return length when querying a variable buffer.
Class representing a NT Partition object
Create a partition object
The object attributes
Optional parent parition.
Desired access for the partition.
The preferred node, -1 for any node.
True to throw an exception on error.
The NT status code and object result.
Create a partition object
The object attributes
Optional parent parition.
Desired access for the partition.
The preferred node, -1 for any node.
The NT status code and object result.
Open a partition object
The object attributes
Desired access for the partition.
True to throw an exception on error.
The NT status code and object result.
Open a partition object
The object attributes
Desired access for the partition.
The NT status code and object result.
Class representing a NT Process object.
Gets all accessible processes on the system.
The access desired for each process.
The list of accessible processes.
Gets all accessible processes on the system.
The access desired for each process.
True to get processes from system information rather than NtGetNextProcess
The list of accessible processes.
Gets all accessible processes on the system in a particular session.
The session ID.
The access desired for each process.
The list of accessible processes.
Gets all accessible processes on the system in the current session session.
The access desired for each process.
The list of accessible processes.
Get first accessible process (used in combination with GetNextProcess)
The access required for the process.
The accessible process, or null if one couldn't be opened.
Open a process
The process ID to open
Optional thread ID to verify the correct process is opened.
The desired access for the handle
True to throw an exception on error.
The NT status code and object result.
Open a process
The process ID to open
The desired access for the handle
True to throw an exception on error.
The NT status code and object result.
Open a process
The process ID to open
The desired access for the handle
The opened process
Open a process
The process ID to open
Optional thread ID to verify the correct process is opened.
The desired access for the handle
The opened process.
Create a new process
Optional object attributes.
Desired access for the new process.
The parent process
Creation flags
Handle to the executable image section
Debug port for the new process.
Access token for the new process.
True to throw on error.
The created process
Create a new process
Desired access for the new process.
Optional object attributes.
The parent process
Creation flags
Handle to the executable image section
Debug port for the new process.
Access token for the new process.
The created process
Create a new process
The parent process
Creation flags
Handle to the executable image section
Access token for the new process.
The created process
Create a new process
The parent process
Creation flags
Handle to the executable image section
The created process
Create a new process
Handle to the executable image section
Access token for the new process.
The created process
Create a new process
Handle to the executable image section
The created process
Create a new process
Optional object attributes.
Desired access for the new process.
The parent process
Creation flags
Handle to the executable image section
Debug port for the new process.
Access token for the new process.
True to throw on error.
The created process
This uses NtCreateProcessEx rather than NtCreateUserProcess
Create a new process
Desired access for the new process.
Optional object attributes.
The parent process
Creation flags
Handle to the executable image section
Debug port for the new process.
Access token for the new process.
The created process
Create a new user process.
The process configuration.
True to throw on error.
The result of the process creation
Create a new user process.
The process configuration.
The result of the process creation
Fork a process.
The process configuration.
True to throw on error.
The new forked process result
This uses NtCreateUserProcess.
Fork a process.
The process configuration.
The new forked process result
This uses NtCreateUserProcess.
Open an actual handle to the current process rather than the pseudo one used for Current
The process object
Test whether a process can access another protected process.
The current process.
The target process.
True if the process can be accessed.
Reopen object with different access rights.
The desired access.
Additional attributes for open.
True to throw on error.
The reopened object.
Get next accessible process (used in combination with GetFirstProcess)
The access required for the process.
The accessible process, or null if one couldn't be opened.
Get previous accessible process (used in combination with GetFirstProcess)
The access required for the process.
The accessible process, or null if one couldn't be opened.
Get previous accessible process (used in combination with GetFirstProcess)
The accessible process, or null if one couldn't be opened.
Get first accessible thread for process.
The desired access for the thread.
The first thread object, or null if not accessible threads.
Get first accessible thread for process.
The first thread object, or null if not accessible threads.
Get accessible threads for a process.
The desired access for the threads
The list of threads
Get accessible threads for a process.
The list of threads
Read a partial PEB from the process.
The read PEB structure.
Create a new process
Creation flags
Handle to the executable image section
The created process
This uses NtCreateProcessEx rather than NtCreateUserProcess
Create a new process
Optional object attributes.
Desired access for the new process.
Creation flags
Handle to the executable image section
Debug port for the new process.
Access token for the new process.
True to throw on error.
The created process
This uses NtCreateProcessEx rather than NtCreateUserProcess
Create a new process
Optional object attributes.
Desired access for the new process.
Creation flags
Handle to the executable image section
Debug port for the new process.
Access token for the new process.
The created process
This uses NtCreateProcessEx rather than NtCreateUserProcess
Terminate the process
The exit code for the termination
Terminate the process
The exit code for the termination
Terminate the process
The exit code for the termination
True to throw on error.
The NT status code.
Get process image file path
True to return the native image path, false for a Win32 style path
True to throw on error.
The process image file path
Get process image file path
True to return the native image path, false for a Win32 style path
The process image file path
Get a mitigation policy raw value
The policy to get
True to throw on error.
The raw policy value
Get a mitigation policy raw value
The policy to get
The raw policy value
Get a mitigation policy as an enumeration.
The policy to get.
True to throw on error.
The mitigation policy value
Get a mitigation policy as an enumeration.
The policy to get.
The mitigation policy value
Get a mitigation policy raw value
The policy to get
True to throw on error.
The raw policy value
Get a mitigation policy raw value
The policy to get
The raw policy value
Set a mitigation policy raw value
The policy to set
The value to set
True to throw on error.
The NT status code.
Set a mitigation policy raw value
The policy to set
The value to set
Set a mitigation policy value from an enum.
The policy to set
The value to set
True to throw on error.
The NT status code.
Set a mitigation policy value from an enum.
The policy to set
The value to set
Set a mitigation policy raw value
The policy to set
The value to set
True to throw on error.
The NT status code.
Set a mitigation policy raw value
The policy to set
The value to set
Disable dynamic code policy on another process.
Suspend the entire process.
True to throw on error.
The NT status code.
Resume the entire process.
True to throw on error.
The NT status code.
Suspend the entire process.
Resume the entire process.
Open the process' token
The process token.
Open the process' token
True to throw on error.
The process token.
Open the process' token
Desired access for token.
True to throw on error.
The process token.
Set process access token. Process must be have not been started.
The token to set.
True to throw on error.
The NT status code.
Set process access token. Process must be have not been started.
The token to set.
Read memory from a process.
The base address in the process.
The length to read.
If true ensure we read all bytes, otherwise throw on exception.
The array of bytes read from the location.
If a read is short then returns fewer bytes than requested.
Thrown on error.
Read memory from a process.
The base address in the process.
The length to read.
The array of bytes read from the location.
If a read is short then returns fewer bytes than requested.
Thrown on error.
Write memory to a process.
The base address in the process.
The data to write.
The number of bytes written to the location
Thrown on error.
Read structured memory from a process.
The base address in the process.
The read structure.
Thrown on error.
Type of structure to read.
Write structured memory to a process.
The base address in the process.
The data to write.
Thrown on error.
Type of structure to write.
Read structured memory array from a process.
The base address in the process.
The number of elements in the array to read.
The read structure.
Thrown on error.
Type of structure to read.
Write structured memory array to a process.
The base address in the process.
The data array to write.
Thrown on error.
Type of structure to write.
Query memory information for a process.
The base address.
The queries memory information.
Thrown on error.
Query all memory information regions in process memory.
The list of memory regions.
Specify memory types to filter on.
Set of flags which indicate the memory states to return.
Thrown on error.
Query all memory information regions in process memory.
The list of memory regions.
True to include free regions of memory.
Specify memory types to filter on.
Thrown on error.
Query all memory information regions in process memory.
The list of memory regions.
True to include free regions of memory.
Thrown on error.
Query all memory information regions in process memory excluding free regions.
The list of memory regions.
Thrown on error.
Query a list of mapped images in a process.
The list of mapped images
Thrown on error.
Query a list of mapped files in a process.
The list of mapped images
Thrown on error.
Query a list of all mapped files and images in a process.
The list of mapped images
Thrown on error.
Allocate virtual memory in a process.
Optional base address, if 0 will automatically select a base.
The region size to allocate.
The type of allocation.
The allocation protection.
True to throw on error.
The address of the allocated region.
Thrown on error.
Allocate virtual memory in a process.
Optional base address, if 0 will automatically select a base.
The region size to allocate.
The type of allocation.
The allocation protection.
The address of the allocated region.
Thrown on error.
Allocate read/write virtual memory in a process.
The region size to allocate.
The address of the allocated region.
Thrown on error.
Free virtual emmory in a process.
Base address of region to free
The size of the region.
The type to free.
Thrown on error.
Free virtual emmory in a process.
Base address of region to free
The size of the region.
The type to free.
True to throw on error.
Thrown on error.
Change protection on a region of memory.
The base address
The size of the memory region.
The new protection type.
The old protection for the region.
Thrown on error.
Change protection on a region of memory.
The base address
The size of the memory region.
The new protection type.
True to throw on error.
The old protection for the region.
Thrown on error.
Flush instruction cache.
The address to flush.
The number of bytes to flush/
True to throw on error.
The NT status code.
Flush instruction cache.
The address to flush.
The number of bytes to flush/
Query working set information for an address in a process.
The base address to query.
True to throw on error
The working set information.
Thrown on error.
Query working set information for an address in a process.
The base address to query.
The working set information.
Thrown on error.
Set the process device map.
The device map directory to set.
Note that due to a bug in the Wow64 layer this won't work in a 32 bit process on a 64 bit system.
Set the process device map.
The device map directory to set.
True to throw on error.
Note that due to a bug in the Wow64 layer this won't work in a 32 bit process on a 64 bit system.
Set the process device map.
The device map directory to set.
Note that due to a bug in the Wow64 layer this won't work in a 32 bit process on a 64 bit system.
Set the process device map.
The device map directory to set.
True to throw on error.
Note that due to a bug in the Wow64 layer this won't work in a 32 bit process on a 64 bit system.
Open a process' debug object.
True to throw on error.
The process' debug object.
Open a process' debug object.
The process' debug object.
Queries whether process is backed by a specific file.
File object opened with Synchronize and Execute access to test against.
True if the process is created from the image file.
Open parent process by ID.
The desired process access rights.
True to throw on error.
The opened process.
Thrown on error.
Open parent process by ID.
The desired process access rights.
The opened process.
Thrown on error.
Open parent process by ID.
The opened process.
Thrown on error.
Open owner process by ID.
The desired process access rights.
True to throw on error.
The opened process.
Thrown on error.
Open owner process by ID.
The desired process access rights.
The opened process.
Thrown on error.
Open owner process by ID.
The opened process.
Thrown on error.
Get if process is in a job.
A specific job to check
True if in specific job.
Get if process is in a job.
True if in a job.
Get process handle table.
The list of process handles.
Get handles for process.
Specify to all name/details to be queried from the handle.
Force file query for name/details for non-filesystem handles.
True to throw on error.
The list of handles.
This queries the handles from the process which does not contain the Object's addres in kernel memory.
Get handles for process.
Specify to all name/details to be queried from the handle.
True to throw on error.
The list of handles.
This queries the handles from the process which does not contain the Object's addres in kernel memory.
Get handles for process.
Specify to all name/details to be queried from the handle.
The list of handles.
This queries the handles from the process which does not contain the Object's addres in kernel memory.
Get handles for process.
The list of handles.
This queries the handles from the process which does not contain the Object's addres in kernel memory.
Get the process handle table and try and get them as objects.
True to only return named objects
A list of typenames to filter on (if empty then return all)
The list of handles as objects.
This function will drop handles it can't duplicate.
Get the process handle table and try and get them as objects.
The list of handles as objects.
This function will drop handles it can't duplicate.
Open image section for process.
True to throw on error.
The opened image section.
Should only work on the pseudo process handle.
Open image section for process.
The opened image section.
Should only work on the pseudo process handle.
Unmap a section.
The base address to unmap.
Flags for unmapping memory.
True to throw on error.
The NT status code.
Unmap a section.
The base address to unmap.
True to throw on error.
The NT status code.
Unmap a section.
The base address to unmap.
Flags for unmapping memory.
Unmap a section.
The base address to unmap.
Get the user SID for the process.
True to throw on error.
The user SID.
Get the user SID for the process.
The user SID.
Get the integrity level for the process.
True to throw on error.
The integerity level.
Set process fault flags.
The flags to set.
True to throw on error.
The NT status code for the operation.
Set process fault flags.
The flags to set.
The NT status code for the operation.
Set the process exception port.
The exception port to set.
Additional state flags.
True to throw on error.
The NT status code.
Set the process exception port.
The exception port to set.
True to throw on error.
The NT status code.
Set the process exception port.
The exception port to set.
The NT status code.
Get the user process parameters.
The user process parameters.
Fork the process.
Extra flags for fork.
True to throw on error.
The new forked process result.
This uses NtCreateProcessEx.
Fork the process.
Extra flags for fork.
The new forked process result.
This uses NtCreateProcessEx.
Fork the process.
The new forked process result.
This uses NtCreateProcessEx.
Get the accessible job objects this process is in.
This tries to find accessible Job handles. There's no guarantee that all Job objects will be found for the process.
The list of job objects.
Set thread intelligence logging flags.
The flags to set.
True to throw on error.
The NT status code.
Set thread intelligence logging flags.
The flags to set.
Get the process security domain.
True to throw on error.
The security domain.
Get the process security domain.
The security domain.
Combine two process' security domains.
The process to combine with. Needs QueryLimitedInformation.
True to throw on error.
The NT status code.
The current process need SetLimitedInformation access.
Combine two process' security domains.
The process to combine with. Needs QueryLimitedInformation.
The current process need SetLimitedInformation access.
Get the session ID for the process.
True to throw on error.
The session ID.
Test whether the current process can access another protected process.
The target process.
True if the process can be accessed.
Get the environment from the process.
List of environment variables.
Get an environment variable by name.
The name of the variable.
The value of the environment variable. Returns null if it doesn't exist.
Only returns the first variable with a case insensitive name.
Revoke file handles for an AppContainer process.
The device path for the files to revoke.
True to throw on error.
The NT status code.
Revoke file handles for an AppContainer process.
The device path for the files to revoke.
Get the process command line.
True to throw on error.
The process command line.
Get the IO counters for the process.
True to throw on error.
The IO counters.
Create a VBS enclave.
Size of the enclave.
Flags for the enclave.
Owner ID. Must be 32 bytes.
True to throw on error.
The created enclave.
Create a VBS enclave.
Size of the enclave.
Flags for the enclave.
Owner ID. Must be 32 bytes.
The created enclave.
Get priority boost disable value.
True to throw on error.
True if priority base
Set priority boost disable value.
True to disable priority boost.
True to throw on error.
The NT status code.
Method to query information for this object type.
The information class.
The buffer to return data in.
Return length from the query.
The NT status code for the query.
Method to set information for this object type.
The information class.
The buffer to set data from.
The NT status code for the set.
Query the information class as an object.
The information class.
True to throw on error.
The information class as an object.
Get the process' session ID
Get the process' ID
Get the process' parent process ID
Get the memory address of the PEB
Get the memory address of the PEB for a 32 bit process.
If the process is 64 bit, or the OS is 32 bit this returns the same value as PebAddress.
Get the base address of the process from the PEB.
Read flags from PEB.
Get the process' exit status.
Get the process' exit status as an NtStatus code.
Get the process' command line
Get the command line as parsed arguments.
Get process DEP status
Get whether process has a debug port.
Get handle count.
Get break on termination flag.
Get or set debug flags.
Get or set execute flags.
Get IO priority.
Get secure cookie.
Get the process user.
Get the integrity level of the process.
Get process mitigations
Get extended process flags.
Get process window title (from Process Parameters).
Get process window flags (from Process Parameters).
Get the process subsystem type.
Get if the process is Wow64
Get whether the process is 64bit.
Get whether LUID device maps are enabled.
Return whether this process is sandboxed.
Get or set the hard error mode.
Does the process has a child process restriction?
Gets whether the process is currently deleting.
Gets whether the process is secure.
Gets whether the process is protected.
Gets whether the process is a subsystem process.
Gets whether the process is frozen.
Get process protection information.
Query process section image information.
Get full image path name in native format
Get the Win32 image path.
Get owner process ID
Query the process token's full package name.
Get or set whether resource virtualization is enabled.
Get the security domain of the process.
Get the creation time of the process.
Get the exit time of the process.
Get the time spent in the kernel.
Get the time spent in user mode.
Get the time spent in the kernel in seconds.
Get the time spent in user mode.
Get the process IO counters.
Get or set priority boost disabled.
Get the current process.
This only uses the pseudo handle, for the process. If you need a proper handle use OpenCurrent.
Get the current PEB address.
Configuration for a new NT Process.
Path to the executable to start.
Path to the executable to start which is passed in the process configuration.
This doesn't have to match ImagePath.
Command line
Prepared environment block.
Title of the main window.
Path to DLLs.
Current directory for new process
Desktop information value
Shell information value
Runtime data.
Prohibited image characteristics for new process
Additional file access for opened executable file.
Process create flags.
Thread create flags.
Initialization flags
Parent process.
Specify child process mitigations.
Whether to terminate the process on dispose.
Specify a security descriptor for the process.
Specify a security descriptor for the initial thread.
Specify the primary token for the new process.
Access for process handle.
Access for thread handle.
Set protection level.
Set to create a trustlet.
Set to specify the configuration for the trustlet if Secure is set.
Capture additional information when NtProcess.Create returns.
Specify callback to update process parameters.
Redirection DLL path. Only supported from 1903.
Inheritable handles.
Debug object.
Toggle inherit handles process create flag.
Add an extra process/thread attribute.
The process attribute to add.
The caller is responsible for disposing the attribute, this class does not hold a reference.
Set protected process protection level.
The type of protected process.
The signer level.
Constructor
Result from creating a user process.
Handle to the process
Handle to the initial thread
Handle to the image file
Handle to the image section
Handle to the IFEO key (if it exists)
Image information
Client ID of process and thread
Process ID
Thread ID
Create status.
True if create succeeded.
DLL characterists if CreateState is FailMachineMismatch.
Creation state
Output flags if CreateStatus is Success.
Native user process parameters pointer if CreateStatus is Success.
Wow64 user process parameters pointer if CreateStatus is Success.
Current parameter flags if CreateStatus is Success.
PEB pointer if CreateStatus is Success.
Wow64 PEB pointer if CreateStatus is Success.
Manifest pointer if CreateStatus is Success.
Manifest size if CreateStatus is Success.
Set to true to terminate process on disposal
Terminate the process
Exit code for termination
Resume initial thread
The suspend count
Explicit conversion operator to an NtThread object.
The win32 process
Explicit conversion operator to an NtProcess object.
The win32 process
Dispose
Entry for a process environment block.
Name of the environment variable.
Value of the environment variable.
Constructor.
Name of the environment variable.
Value of the environment variable.
Class representing various process mitigations
Partial definition of the PEB
Partial definition of the PEB
Class which represents the configuration for a trustlet.
The ID of the trustlet.
The mailbox key. Must be 2 longs.
The collaboration ID. Must be 2 longs.
The VM ID. Must be 2 longs.
The TK sessio ID. Must be 4 longs.
Overridden ToString method.
The object as a string.
Create a trustlet configuration from an image file.
The path to the image file. Should be a native path.
True to throw on error.
The trustlet configuration.
Create a trustlet configuration from an image file.
The path to the image file. Should be a win32 path.
The trustlet configuration.
Constructor
Constructor
The ID of the trustlet.
Class to represent a registry transaction object
Create a transaction
The object attributes
Desired access for the handle
True to throw an exception on error.
The NT status code and object result.
Create a transaction
The object attributes
Desired access for the handle
The opened transaction
Create a transaction
The path of the transaction
The root if path is relative
The opened transaction
Create a transaction
The path of the transaction
The opened transaction
Create a transaction
The opened transaction
Open a transaction object.
The path to the object
The root if path is relative
The desired access for the object
The opened object
Open a transaction object.
The object attributes for the object
The desired access for the object
True to throw an exception on error.
The NT status code and object result.
Open a transaction object.
The object attributes for the object
The desired access for the object
The opened object
Open a transaction object.
The path to the object
The opened object
Commit the transaction
Rollback the transaction
Enable the transaction for anything in the current thread context.
The transaction context. This should be disposed to disable the transaction.
Class to represent a transaction resource manager.
Create a new resource manager object.
The object attributes
Desired access for the handle
Creation options flags.
Optional transaction manager to assign the resource manager to.
Resource manager GUID.
Optional description.
True to throw an exception on error.
The NT status code and object result.
Create a new resource manager object.
The object attributes
Desired access for the handle
Creation options flags.
Optional transaction manager to assign the resource manager to.
Resource manager GUID.
Optional description.
The object result.
Thrown on error.
Create a new resource manager object.
The path to the resource manager.
The root if path is relative.
Desired access for the handle
Creation options flags.
Optional transaction manager to assign the resource manager to.
Resource manager GUID.
Optional description.
True to throw an exception on error.
The NT status code and object result.
Create a new resource manager object.
The path to the resource manager.
The root if path is relative.
Desired access for the handle
Creation options flags.
Optional transaction manager to assign the resource manager to.
Resource manager GUID.
Optional description.
The object result.
Thrown on error.
Create a new volatile resource manager object.
The path to the resource manager.
The root if path is relative.
Desired access for the handle
Optional transaction manager to assign the resource manager to.
Resource manager GUID.
The object result.
Thrown on error.
Create a new volatile resource manager object.
The path to the resource manager.
The root if path is relative.
Desired access for the handle
Optional transaction manager to assign the resource manager to.
The object result.
Thrown on error.
Create a new volatile resource manager object.
The path to the resource manager.
The root if path is relative.
Optional transaction manager to assign the resource manager to.
The object result.
Thrown on error.
Create a new volatile resource manager object.
The path to the resource manager.
Optional transaction manager to assign the resource manager to.
The object result.
Thrown on error.
Create a new volatile resource manager object.
Optional transaction manager to assign the resource manager to.
The object result.
Thrown on error.
Opens an existing resource manager object.
The object attributes
Desired access for the handle
Transaction manager which contains the resource manager.
Resource manager GUID.
True to throw an exception on error.
The NT status code and object result.
Opens an existing resource manager object.
The object attributes
Desired access for the handle
Transaction manager which contains the resource manager.
Resource manager GUID.
The object result.
Thrown on error.
Recover the the transaction manager.
True to throw on error.
The NT status code.
Recover the the transaction manager.
Set an IO completion port on the resource manager.
The IO completion port.
Associated completion key.
True to throw on error.
The NT status code.
Set an IO completion port on the resource manager.
The IO completion port.
Associated completion key.
Get a notification synchronously.
Optional timeout for getting the notification.
True to throw on error.
The transaction notification.
Get a notification synchronously.
Optional timeout for getting the notification.
The transaction notification.
Get a notification synchronously waiting indefinetly.
The transaction notification.
Register protocol information.
The ID of the protocol to register.
An opaque protocol buffer.
Optional create options.
True to throw on error.
The NT status code.
Register protocol information.
The ID of the protocol to register.
An opaque protocol buffer.
Optional create options.
Complete propagation request.
The cookie to identify the request.
An optional buffer to pass with the request.
True to throw on error.
The NT status code.
Complete propagation request.
The cookie to identify the request.
An optional buffer to pass with the request.
Fail propagation request.
The cookie to identify the request.
Optional NT status code for the failure.
True to throw on error.
The NT status code.
Get a list of all accessible enlistment objects owned by this resource manager.
The object attributes
The access for the enlistment objects.
The list of all accessible enlistment objects.
Get a list of all accessible enlistment objects owned by this resource manager.
The access for the enlistment objects.
The list of all accessible enlistment objects.
Get a list of all accessible resource manager objects owned by this transaction manager.
The list of all accessible resource manager objects.
Create an enlistment in this resource manager.
Desired access for the handle
The transaction to enlist.
Optional create options.
Notification mask.
Enlistment key returned during notification.
True to throw an exception on error.
The created enlistment and NT status code.
Create an enlistment in this resource manager.
Desired access for the handle
The transaction to enlist.
Optional create options.
Notification mask.
Enlistment key returned during notification.
The created enlistment.
Create an enlistment in this resource manager.
The transaction to enlist.
Notification mask.
Enlistment key returned during notification.
The created enlistment.
Create an enlistment in this resource manager.
The transaction to enlist.
Enlistment key returned during notification.
The created enlistment.
Method to query information for this object type.
The information class.
The buffer to return data in.
Return length from the query.
The NT status code for the query.
Method to set information for this object type.
The information class.
The buffer to set data from.
The NT status code for the set.
Query the information class as an object.
The information class.
True to throw on error.
The information class as an object.
Get the resource manager ID.
Get the description for the resource manager.
A structure to return the result of an NT system call with status.
This allows a function to return both a status code and a result
without having to resort to out parameters.
The result type.
The NT status code.
The result of the NT call.
Get the result object or throw an exception if status code is an error.
The result NT result.
Thrown if status code is an error.
Get the result object or a default value if an error occurred.
The default value to return.
The result or the default if an error occurred.
Get the result object or a default value if an error occurred.
The result or the default if an error occurred.
Is the result successful.
Map result to a different type.
The different type to map to.
A function to map the result.
The mapped result.
Map result to a different type.
The different type to map to.
A function to map the result.
The mapped result.
Cast result to a different type.
The different type to cast to.
The mapped result.
Forward the result and check for an exception.
True to throw on error.
The forwarded result.
Dispose result.
Create a result from an error.
The error status code.
True to throw on error.
The result.
Create a result.
Create a new result.
Conversion operator from T to object.
The result to convert.
Compression format for RtlDecompressBuffer.
Class to represent a NT Section object
Create an Image section object
The object attributes for the image section.
The file to create the image section from
The opened section
Thrown on error.
Create an Image section object
The object name to use for the image section.
Root directory for the object.
The file to create the image section from
The opened section
Thrown on error.
Create an Image section object
The object name to use for the image section.
The file to create the image section from
The opened section
Thrown on error.
Create an Image section object
The file to create the image section from
The opened section
Thrown on error.
Create a data section from a file.
The file to create from.
The created section object.
Create a section object
The object attributes
The desired access
Optional size of the section
The section protection
The section attributes. The lower 5 bits can be used to specify the NUMA node.
Optional backing file
True to throw an exception on error.
The NT status code and object result.
Create a section object
The object attributes
The desired access
Optional size of the section
The section protection
The section attributes
Optional backing file
The opened section
Thrown on error.
Create a section object
The path to the section
The root if path is relative
The desired access
Optional size of the section
The section protection
The section attributes. The lower 5 bits can be used to specify the NUMA node.
Optional backing file
The opened section
Thrown on error.
Create a section object
Size of the section
The opened section
Thrown on error.
Create a section object
The object attributes
The desired access
Optional size of the section
The section protection
The section attributes
Optional backing file
Extended parameters for section create.
True to throw an exception on error.
The NT status code and object result.
Create a section object
The object attributes
The desired access
Optional size of the section
The section protection
The section attributes
Optional backing file
Extended parameters for section create.
The NT status code and object result.
Open a section object
The object attributes for the section
The desired access for the sections
True to throw an exception on error.
The NT status code and object result.
Open a section object
The object attributes for the section
The desired access for the sections
The opened section
Open a section object
The path to the section
Root object if the path is relative
The desired access for the sections
The opened section
Unmap a section in a specified process.
The process to unmap the section.
The base address to unmap.
Flags for unmapping memory.
True to throw on error.
The NT status code.
Unmap a section in a specified process.
The process to unmap the section.
The base address to unmap.
True to throw on error.
The NT status code.
Unmap a section in the current process.
The base address to unmap.
True to throw on error.
The NT status code.
Unmap a section in a specified process.
The process to unmap the section.
The base address to unmap.
Flags for unmapping memory.
Unmap a section in a specified process.
The process to unmap the section.
The base address to unmap.
Unmap a section in the current process.
The base address to unmap.
Map section Read/Write into a specific process
The process to map into
The mapped section
Map section Read Only into a specific process
The process to map into
The mapped section
Map section Read/Write into a specific process
The process to map into
True to throw on error.
The mapped section
Map section Read Only into a specific process
The process to map into
True to throw on error.
The mapped section
Map section Read Only into a current process
The mapped section
Map section Read Only into a current process
True to throw on error.
The mapped section
Map section Read/Write into a current process
The mapped section
Map section Read/Write into a current process
True to throw on error.
The mapped section
Map section into a specific process
The process to map into
The protection of the mapping
The mapped section
Map section into a specific process
The process to map into
The protection of the mapping
True to throw on error.
The mapped section
Map section into a specific process
The process to map into
The protection of the mapping
Optional base address
Number of zero bits.
Size of pages to commit.
Offset into the section.
Optional view size
Allocation type.
Section inheritance type.
True to throw on error.
The mapped section
Map section into a specific process
The process to map into
The protection of the mapping
Optional base address
Number of zero bits.
Size of pages to commit.
Offset into the section.
Optional view size
Allocation type.
Section inheritance type.
The mapped section
Map section into a specific process
The process to map into
The protection of the mapping
Optional base address
Optional view size
The mapped section
Map section into a specific process
The process to map into
The protection of the mapping
Optional base address
Optional view size
True to throw on error.
The mapped section
Map section into the current process
The protection of the mapping
The mapped section
Extend the section to a new size.
The new size to extend to.
True to throw on error.
The new size.
Thrown on error.
Extend the section to a new size.
The new size to extend to.
The new size.
Thrown on error.
Method to query information for this object type.
The information class.
The buffer to return data in.
Return length from the query.
The NT status code for the query.
Get the size of the section
Get the attributes of the section
Get section image information.
Get original section base address.
Get relocation address.
Static class to access NT security manager routines.
Looks up the account name of a SID.
The system name to lookup the SID on.
The SID to lookup
True to throw on error.
The name.
Looks up the account name of a SID.
The SID to lookup
True to throw on error.
The name.
Looks up the account name of a SID.
The SID to lookup
The SID name.
Thrown if lookup fails.
Looks up the account name of a SID.
The SID to lookup
True to throw on error.
The name.
Looks up the account name of a SID.
The SID to lookup
The name, or null if the lookup failed
Looks up a capability SID to see if it's already known.
The capability SID to lookup
The name of the capability, null if not found.
Lookup a SID from a username.
The system name to lookup the SID on.
The username, can be in the form domain\account.
True to throw on error.
The Security Identifier
Thrown if account cannot be found.
Lookup a SID from a username.
The system name to lookup the SID on.
The username, can be in the form domain\account.
The Security Identifier
Thrown if account cannot be found.
Lookup a SID from a username.
The username, can be in the form domain\account.
The Security Identifier
Thrown if account cannot be found.
Lookup the name of a process trust SID.
The trust sid to lookup.
The name of the trust sid. null if not found.
Thrown if trust_sid is not a trust sid.
Try and lookup the moniker associated with a package sid.
The package sid.
Returns the moniker name. If not found returns null.
Thrown if SID is not a package sid.
Lookup a device capability SID name if known.
The SID to lookup.
Returns the device capability name. If not found returns null.
Thrown if SID is not a package sid.
Convert a package SID to a capability.
The package SID to convert.
The package SID as a capability.
Convert a security descriptor to SDDL string
The security descriptor
Indicates what parts of the security descriptor to include
The SDDL string
Thrown if cannot convert to a SDDL string.
Convert a security descriptor to SDDL string
The security descriptor
Indicates what parts of the security descriptor to include
True to throw on errror.
The SDDL string
Thrown if cannot convert to a SDDL string.
Convert an SDDL string to a binary security descriptor
The SDDL string
True to throw on error.
The binary security descriptor
Thrown if cannot convert from a SDDL string.
Convert an SDDL string to a binary security descriptor
The SDDL string
The binary security descriptor
Thrown if cannot convert from a SDDL string.
Convert an SDDL string to a binary security descriptor
The SDDL string
True to throw on error.
The binary security descriptor
Thrown if cannot convert from a SDDL string.
Convert an SDDL string to a binary security descriptor
The SDDL string
The binary security descriptor
Thrown if cannot convert from a SDDL string.
Convert an SDDL SID string to a Sid
The SDDL SID string
True to throw on error.
The converted Sid
Thrown if cannot convert from a SDDL string.
Convert an SDDL SID string to a Sid
The SDDL SID string
The converted Sid
Thrown if cannot convert from a SDDL string.
Do an access check between a security descriptor and a token to determine the allowed access.
This function returns a list of results rather than a single entry. It should only be used
with object types.
The security descriptor
The access token.
The set of access rights to check against
An optional principal SID used to replace the SELF SID in a security descriptor.
The type specific generic mapping (get from corresponding NtType entry).
List of object types to check against.
True to throw on error.
The list of access check results.
Thrown if an error occurred in the access check.
Do an access check between a security descriptor and a token to determine the allowed access.
This function returns a list of results rather than a single entry. It should only be used
with object types.
The security descriptor
The access token.
The set of access rights to check against
An optional principal SID used to replace the SELF SID in a security descriptor.
The type specific generic mapping (get from corresponding NtType entry).
List of object types to check against.
The list of access check results.
Thrown if an error occurred in the access check.
Do an access check between a security descriptor and a token to determine the allowed access.
The security descriptor
The access token.
The set of access rights to check against
An optional principal SID used to replace the SELF SID in a security descriptor.
The type specific generic mapping (get from corresponding NtType entry).
List of object types to check against.
True to throw on error.
The result of the access check.
Thrown if an error occurred in the access check.
Do an access check between a security descriptor and a token to determine the allowed access.
The security descriptor
The access token.
The set of access rights to check against
An optional principal SID used to replace the SELF SID in a security descriptor.
The type specific generic mapping (get from corresponding NtType entry).
List of object types to check against.
The result of the access check.
Thrown if an error occurred in the access check.
Do an access check between a security descriptor and a token to determine the allowed access.
The security descriptor
The access token.
The set of access rights to check against
An optional principal SID used to replace the SELF SID in a security descriptor.
The type specific generic mapping (get from corresponding NtType entry).
List of object types to check against.
True to throw on error.
The result of the access check.
Thrown if an error occurred in the access check.
Do an access check between a security descriptor and a token to determine the allowed access.
The security descriptor
The access token.
The set of access rights to check against
An optional principal SID used to replace the SELF SID in a security descriptor.
The type specific generic mapping (get from corresponding NtType entry).
List of object types to check against.
The result of the access check.
Thrown if an error occurred in the access check.
Do an access check between a security descriptor and a token to determine the allowed access.
The security descriptor
The access token.
The set of access rights to check against
An optional principal SID used to replace the SELF SID in a security descriptor.
The type specific generic mapping (get from corresponding NtType entry).
True to throw on error.
The result of the access check.
Thrown if an error occurred in the access check.
Do an access check between a security descriptor and a token to determine the allowed access.
The security descriptor
The access token.
The set of access rights to check against
An optional principal SID used to replace the SELF SID in a security descriptor.
The type specific generic mapping (get from corresponding NtType entry).
True to throw on error.
The result of the access check.
Thrown if an error occurred in the access check.
Do an access check between a security descriptor and a token to determine the allowed access.
The security descriptor
The access token.
The set of access rights to check against
An optional principal SID used to replace the SELF SID in a security descriptor.
The type specific generic mapping (get from corresponding NtType entry).
The result of the access check.
Thrown if an error occurred in the access check.
Do an access check between a security descriptor and a token to determine the allowed access.
The security descriptor
The access token.
The set of access rights to check against
An optional principal SID used to replace the SELF SID in a security descriptor.
The type specific generic mapping (get from corresponding NtType entry).
The result of the access check.
Thrown if an error occurred in the access check.
Do an access check between a security descriptor and a token to determine the allowed access.
The security descriptor
The access token.
The set of access rights to check against
An optional principal SID used to replace the SELF SID in a security descriptor.
The type specific generic mapping (get from corresponding NtType entry).
The allowed access mask as a unsigned integer.
Thrown if an error occurred in the access check.
Do an access check between a security descriptor and a token to determine the allowed access.
The security descriptor
The access token.
The set of access rights to check against
The type specific generic mapping (get from corresponding NtType entry).
The allowed access mask as a unsigned integer.
Thrown if an error occurred in the access check.
Do an access check between a security descriptor and a token to determine the maximum allowed access.
The security descriptor
The access token.
The type specific generic mapping (get from corresponding NtType entry).
The maximum allowed access mask as a unsigned integer.
Thrown if an error occurred in the access check.
Do an access check between a security descriptor and a token to determine the maximum allowed access.
The security descriptor
The access token.
An optional principal SID used to replace the SELF SID in a security descriptor.
The type specific generic mapping (get from corresponding NtType entry).
The maximum allowed access mask as a unsigned integer.
Thrown if an error occurred in the access check.
Do an access check between a security descriptor and a token to determine the allowed access.
The security descriptor
The access token.
The set of access rights to check against
The type used to determine generic access mapping..
The allowed access mask as a unsigned integer.
Thrown if an error occurred in the access check.
Do an access check between a security descriptor and a token to determine the maximum allowed access.
The security descriptor
The access token.
The type used to determine generic access mapping..
The allowed access mask as a unsigned integer.
Thrown if an error occurred in the access check.
Get a security descriptor from a named object.
The path to the resource (such as \BaseNamedObejct\ABC)
The type of resource, can be null to get the method to try and discover the correct type.
The named resource security descriptor. Returns null if can't open the resource.
Do an access check between a security descriptor and a token to determine the allowed access and
audit the result.
The name of the subsystem to audit.
The handle ID to audit. Used when issuing a close audit.
The object type name.
The name of the object.
Indicates if this is an object creation operation.
Type of audit.
Flags for the audit operation.
The security descriptor
The access token.
The set of access rights to check against
An optional principal SID used to replace the SELF SID in a security descriptor.
The type specific generic mapping (get from corresponding NtType entry).
List of object types to check against.
True to throw on error.
The result of the access check.
Thrown if an error occurred in the access check.
Do an access check between a security descriptor and a token to determine the allowed access and
audit the result.
The name of the subsystem to audit.
The handle ID to audit. Used when issuing a close audit.
The object type name.
The name of the object.
Indicates if this is an object creation operation.
Type of audit.
Flags for the audit operation.
The security descriptor
The access token.
The set of access rights to check against
An optional principal SID used to replace the SELF SID in a security descriptor.
The type specific generic mapping (get from corresponding NtType entry).
List of object types to check against.
The result of the access check.
Thrown if an error occurred in the access check.
Do an access check between a security descriptor and a token to determine the allowed access
and audit. This function returns a list of results rather than a single entry. It should only
be used with object types.
The name of the subsystem to audit.
The handle ID to audit. Used when issuing a close audit.
The object type name.
The name of the object.
Indicates if this is an object creation operation.
Type of audit.
Flags for the audit operation.
The security descriptor
The access token.
The set of access rights to check against
An optional principal SID used to replace the SELF SID in a security descriptor.
The type specific generic mapping (get from corresponding NtType entry).
List of object types to check against.
True to throw on error.
The result of the access check.
Thrown if an error occurred in the access check.
Do an access check between a security descriptor and a token to determine the allowed access
and audit. This function returns a list of results rather than a single entry. It should only
be used with object types.
The name of the subsystem to audit.
The handle ID to audit. Used when issuing a close audit.
The object type name.
The name of the object.
Indicates if this is an object creation operation.
Type of audit.
Flags for the audit operation.
The security descriptor
The access token.
The set of access rights to check against
An optional principal SID used to replace the SELF SID in a security descriptor.
The type specific generic mapping (get from corresponding NtType entry).
List of object types to check against.
The result of the access check.
Thrown if an error occurred in the access check.
Get a SID for a specific mandatory integrity level.
The mandatory integrity level.
The integrity SID
Get a SID for a specific mandatory integrity level.
The mandatory integrity level.
The integrity SID
Checks if a SID is an integrity level SID
The SID to check
True if an integrity SID
Get the integrity level from an integrity SID
The integrity SID
The token integrity level.
Gets the SID for a service name.
The service name.
The service SID.
Thrown on error.
Checks if a SID is a service SID.
The sid to check.
True if a service sid.
Checks if a SID is a logon session SID.
The sid to check.
True if a logon session sid.
Checks if a SID is a process trust SID.
The sid to check.
True if a process trust sid.
Checks if a SID is a domain SID.
The SID to check.
True if a domain SID.
Checks if a SID is a domain SID and is a member of the local machine domain.
The SID to check.
True if a domain SID.
Checks if a SID is a capability SID.
The sid to check.
True if a capability sid.
Checks if a SID is a capbility group SID.
The sid to check.
True if a capability group sid.
Get a capability sid by name.
The name of the capability.
True to throw on error.
The capability SID.
Get a capability sid by name.
The name of the capability.
The capability SID.
Get a capability group sid by name.
The name of the capability.
True to throw on error.
The capability SID.
Get a capability group sid by name.
The name of the capability.
The capability SID.
Get the type of package sid.
The sid to get type.
The package sid type, Unknown if invalid.
Checks if a SID is a valid package SID.
The sid to check.
True if a capability sid.
Get the parent package SID for a child package SID.
The child package SID.
The parent package SID.
Thrown if sid not a child package SID.
Checks if a SID is a Scoped Policy ID SID.
The SID to check.
True if a Scoped Policy ID SID.
Converts conditional ACE data to an SDDL string
The conditional application data.
True to throw on error.
The conditional ACE string.
Converts conditional ACE data to an SDDL string
The conditional application data.
The conditional ACE string.
Converts a condition in SDDL format to an ACE application data.
The condition in SDDL format.
The condition in ACE application data format.
Evaluate a condition ACE expression.
The Token to check against.
The conditional expression in SDDL format.
Specify resource attributes to add to the check.
True to throw on error.
True if the conditional expression was a success.
Evaluate a condition ACE expression.
The Token to check against.
The conditional expression in SDDL format.
True to throw on error.
True if the conditional expression was a success.
Evaluate a condition ACE expression.
The Token to check against.
The conditional expression in SDDL format.
Specify resource attributes to add to the check.
True if the conditional expression was a success.
Evaluate a condition ACE expression.
The Token to check against.
The conditional expression in SDDL format.
True if the conditional expression was a success.
Evaluate a condition ACE expression.
The Token to check against.
The conditional expression in binary format.
Specify resource attributes to add to the check.
True to throw on error.
True if the conditional expression was a success.
Evaluate a condition ACE expression.
The Token to check against.
The conditional expression in binary format.
True to throw on error.
True if the conditional expression was a success.
Evaluate a condition ACE expression.
The Token to check against.
The conditional expression in binary format.
Specify resource attributes to add to the check.
True if the conditional expression was a success.
Evaluate a condition ACE expression.
The Token to check against.
The conditional expression in binary format.
True if the conditional expression was a success.
Get the cached signing level for a file.
The handle to the file to query.
The cached signing level.
Get the cached signing level for a file.
The handle to the file to query.
True to throw on error.
The cached signing level.
Get the cached singing level from the raw EA buffer.
The EA buffer to read the cached signing level from.
The cached signing level.
Throw on error.
Set the cached signing level for a file.
The handle to the file to set the cache on.
Flags to set for the cache.
The signing level to cache
A list of source file for the cache.
Optional directory path to look for catalog files.
Set the cached signing level for a file.
The handle to the file to set the cache on.
Flags to set for the cache.
The signing level to cache
A list of source file for the cache.
Optional directory path to look for catalog files.
True to throw on error.
Compare two signing levels.
The current level.
The signing level to compare against.
True if the current level is above or equal to the signing level.
Get readable name for a SID, if known. This covers sources of names such as LSASS lookup, capability names and package names.
The SID to lookup.
True to bypass the internal cache and get the current name.
The name for the SID. Returns the SDDL form if no other name is known.
Get readable name for a SID, if known. This covers sources of names such as LSASS lookup, capability names and package names.
The SID to lookup.
The name for the SID. Returns the SDDL form if no other name is known.
This function will cache name lookups, this means the name might not reflect what's currently in LSASS if it's been changed.
Add a SID name to the local name cache.
The SID to add.
The SID's domain name.
The name of the account.
The name user value.
Remove a SID name from the local cache.
The SID to remove.
Clear the SID name cache.
Get a logon session SID from an ID.
The logon session ID.
The new logon session SID.
Get a new logon session SID.
The new logon session SID.
Get session id from logon session SID.
The logon session SID.
The logon session ID.
Get security descriptor as a byte array
Handle to the object to query.
What parts of the security descriptor to retrieve
True to throw on error.
The NT status result and security descriptor as a buffer.
Set the object's security descriptor
Handle to the object to set.
The security descriptor to set.
What parts of the security descriptor to set
True to throw on error.
The NT status result.
Do a privilege check on a token.
A handle to a token object.
The list of privileges to check.
True to require all necessary privileges.
True to throw on error.
The privilege check result.
Get the access mask for querying a specific security information class.
The information class.
The access mask for the information.
Get the access mask for setting a specific security information class.
The information class.
The access mask for the information.
Get whether an ACE type is an allowed ACE type.
The ACE type.
True if an allowed ACE type.
Get whether an ACE type is a denied ACE type.
The ACE type.
True if a denied ACE type.
Get whether an ACE type is an object ACE type.
The ACE type.
True if an object ACE type.
Get whether an ACE type is an audit ACE type.
The ACE type.
True if an audit ACE type.
Get whether an ACE type is used int the SACL.
The ACE type.
True if a system ACE type.
Get whether an ACE type is a callback type.
The ACE type.
True if a callback type.
Convert an access rights type to a string.
The access mask to convert
The enumeration type for the string conversion
Set to true to use SDK style names.
The string version of the access
Convert an access rights type to a string.
The access mask to convert
The enumeration type for the string conversion
The string version of the access
Convert an access rights type to a string.
The access mask to convert
The string version of the access
Convert an access rights type to a string.
The access mask to convert
Set to true to use SDK style names.
The string version of the access
Convert an enumerable access rights to a string
The access mask.
Enum type to convert to string.
Generic mapping for object type.
True to try and convert to generic rights where possible.
The string format of the access rights. Will return Full Access if not a generic access and has all rights and None if no access.
Convert an enumerable access rights to a string
The access mask.
Enum type to convert to string.
Generic mapping for object type.
True to try and convert to generic rights where possible.
Set to true to use SDK style names.
The string format of the access rights. Will return Full Access if not a generic access and has all rights and None if no access.
Convert an ACE type to an SDK type string.
The ACE type.
The ACE type as an SDK type string.
Convert the ACE flags to an SDK type string.
The ACE type as an SDK type string.
Convert the security descriptor control flags to an SDK type string.
The security descriptor control as an SDK type string.
Get a Process Trust Level SID.
The Trust Type.
The Trust Level.
The Process Trust Level SID.
Generate audit event for an object open.
The subsystem name.
Handle ID.
The typename of the object.
The name of the object.
The security descriptor set for the object.
The client token used to open the object.
Desired access for the open.
Granted access from the open.
Privileges used to open the object.
True if the object was created.
Specify whether access was granted.
True to throw on error.
A value indicating whether an event need to be generated on close.
Generate audit event for an object open.
The subsystem name.
Handle ID.
The typename of the object.
The name of the object.
The security descriptor set for the object.
The client token used to open the object.
Desired access for the open.
Granted access from the open.
Privileges used to open the object.
True if the object was created.
Specify whether access was granted.
A value indicating whether an event need to be generated on close.
Generate audit event for an object close.
The subsystem name.
Handle ID.
True indicates to generate on close.
True to throw on error.
The NT status code.
Generate audit event for an object close.
The subsystem name.
Handle ID.
True indicates to generate on close.
The NT status code.
Generate audit event for an object deleted.
The subsystem name.
Handle ID.
True indicates to generate on close.
True to throw on error.
The NT status code.
Generate audit event for an object deleted.
The subsystem name.
Handle ID.
True indicates to generate on close.
Generate audit event for a privileges used with an object.
The subsystem name.
Handle ID.
The client token used.
Desired access for the object.
Privileges used to open the object.
Specify whether access was granted.
True to throw on error.
The NT status code.
Generate audit event for a privileges used with an object.
The subsystem name.
Handle ID.
The client token used.
Desired access for the object.
Privileges used to open the object.
Specify whether access was granted.
Generate audit event for a privileges used by a client.
The subsystem name.
The client token used.
The name of the service.
Privileges used in the operation.
Specify whether access was granted.
True to throw on error.
The NT status code.
Generate audit event for a privileges used by a client.
The subsystem name.
The client token used.
The name of the service.
Privileges used in the operation.
Specify whether access was granted.
Perform a capability check for a token.
Specify the token handle. If null will use the effective token.
The name of the capability to check.
True to throw on error.
True if the token has the capability.
Perform a capability check for a token.
Specify the token handle. If null will use the effective token.
The name of the capability to check.
True if the token has the capability.
Get GenericMapping for standard access rights.
Security information class for security descriptors.
ACE Flags. Note that the value isn't completely the same as
the real flags.
Class to represent a NT Semaphore object.
Create a semaphore object.
The object attributes for the object
The desired access for the object
Initial count for semaphore
Maximum count for semaphore
True to throw an exception on error.
The NT status code and object result.
Create a semaphore object.
The object attributes for the object
The desired access for the object
Initial count for semaphore
Maximum count for semaphore
The opened object
Create a semaphore object.
The path to the object
The root if path is relative
Initial count for semaphore
/// Maximum count for semaphore
The opened object
Open a semaphore object.
The object attributes for the object
The desired access for the object
True to throw an exception on error.
The NT status code and object result.
Open a semaphore object.
The object attributes for the object
The desired access for the object
The opened object
Open a semaphore object.
The path to the object
The root if path is relative
The desired access for the object
The opened object
Release the semaphore
The release count
The previous count
Release the semaphore
The release count
True to throw an exception on error.
The previous count
Method to query information for this object type.
The information class.
The buffer to return data in.
Return length from the query.
The NT status code for the query.
Query the information class as an object.
The information class.
True to throw on error.
The information class as an object.
Current count of the semaphore.
Maximum count of the semaphore.
Semaphore access rights.
Class to represent a Session object
Open a session object.
The object attributes
Desired access for the object
True to throw on error.
The open result.
Open a session object.
The object attributes
Desired access for the object
The open result.
Open a session object.
Name of the object
Optional root directory for lookup
Desired access for the object
The open result.
NT status values
Class representing a NT SymbolicLink object
Create a symbolic link object.
The path to the object
The root if path is relative
The desired access for the object
The target path
The opened object
Create a symbolic link object.
The object attributes for the object
The desired access for the object
The target path
True to throw an exception on error.
The NT status code and object result.
Create a symbolic link object.
The object attributes for the object
The desired access for the object
The target path
The opened object
Create a symbolic link object.
The path to the object
The root if path is relative
The target path
The opened object
Create a symbolic link object.
The path to the object
The target path
The opened object
Open a symbolic link object.
The path to the object
The root if path is relative
The desired access for the object
The opened object
Open a symbolic link object.
The path to the object
The root if path is relative
The desired access for the object
True to throw on error.
The opened object
Open a symbolic link object.
The object attributes for the object
The desired access for the object
True to throw an exception on error.
The NT status code and object result.
Open a symbolic link object.
The object attributes for the object
The desired access for the object
The opened object
Open a symbolic link object.
The path to the object
The root if path is relative
The opened object
Open a symbolic link object.
The path to the object
The opened object
Resolve a symlink name to a final target.
The name of the symlink to resolve.
True to throw on error.
The final target.
This function will return the last name which returns STATUS_OBJECT_TYPE_MISMATCH. Anything else is an error.
Resolve a symlink name to a final target.
The name of the symlink to resolve.
The final target.
This function will return the last name which returns STATUS_OBJECT_TYPE_MISMATCH. Anything else is an error.
Get the symbolic link target.
Method to set information for this object type.
The information class.
The buffer to set data from.
The NT status code for the set.
Set access mask filter.
The access mask to set.
True to throw on error.
The NT status code.
Needs SeTcbPrivilege.
Set access mask filter.
The access mask to set.
Needs SeTcbPrivilege.
Set as a global link.
True to throw on error.
The NT status code.
Needs SeTcbPrivilege.
Set as a global link.
Needs SeTcbPrivilege.
Get the symbolic link target path.
True to throw on error.
The target path.
Class to access some NT system information
Get a list of handles
A process ID to filter on. If -1 will get all handles
True to allow the handles returned to query for certain properties
True to force all file names to be queried. Otherwise limits to only DISK files.
The list of handles
The purpose of force_file_name to disable querying a file handle for its path unless it's on a FS volume.
This is because some non-file types can be in a locked state which causes the filename lookup to hang.
Get a list of handles
A process ID to filter on. If -1 will get all handles
True to allow the handles returned to query for certain properties
The list of handles
Get a list of all handles
The list of handles
Get a list of threads for a specific process.
The process ID to list.
True to throw on error.
The list of thread information.
Get a list of threads for a specific process.
The process ID to list.
The list of thread information.
Get a list of all threads.
The list of thread information.
Get a list of all threads.
The list of thread information.
Get a list of threads for a specific process.
The process ID to list.
True to throw on error.
The list of thread information.
Get a list of threads for a specific process.
The process ID to list.
The list of thread information.
Get a list of all threads.
The list of thread information.
Get a list of all threads.
The list of thread information.
Get all process information for the system.
The list of process information.
Get all process information for the system.
True to throw on error.
The list of process information.
Get all process information for the system.
The list of process information.
Get all process information for the system.
True to throw on error.
The list of process information.
Get all process information for the system.
The list of process information.
Get all process information for the system.
True to throw on error.
The list of process information.
Get list of page filenames.
The list of page file names.
Create a kernel dump for current system.
The path to the output file.
Flags
Page flags
Query all system environment value names.
A list of names of environment values
Query all system environment value names and values.
A list of names of environment values
Query a single system environment value.
The name of the value.
The associated vendor guid
True to throw on error.
The system environment value.
Query a single system environment value.
The name of the value.
The associated vendor guid
The system environment value.
Set a system environment variable.
The name of the variable.
The vendor GUID
The value to set
Attributes of the value
Set a system environment variable.
The name of the variable.
The vendor GUID
The value to set
Attributes of the value
Set a system environment variable.
The name of the variable.
The vendor GUID
The value to set
Attributes of the value
Set a system environment variable.
The name of the variable.
The vendor GUID
The value to set
Attributes of the value
Allocate a LUID.
The allocated LUID.
Allocate a LUID.
The allocated LUID.
Get the addresses of a list of objects from the handle table and initialize the Address property.
The list of objects to initialize.
Get the address of an object in kernel memory from the handle table and initialize the Address property.
The object.
Get the address of an object in kernel memory from the handle table and initialize the Address property.
The object.
Any remaining objects.
Query whether a file is trusted for dynamic code.
The handle to a file to query.
Pointer to a memory buffer containing the image.
The size of the in-memory buffer.
True if the file is trusted.
Query whether a file is trusted for dynamic code.
Pointer to a memory buffer containing the image.
The status code from the operation. Returns STATUS_SUCCESS is valid.
Query whether a file is trusted for dynamic code.
The handle to a file to query.
The status code from the operation. Returns STATUS_SUCCESS is valid.
Set a file is trusted for dynamic code.
The handle to a file to set.
The status code from the operation.
Get list of root silos.
The list of root silos.
Set the ELAM certificate information.
The signed file containing an ELAM certificate resource.
The NT status code.
Query code integrity certificate information.
The image file.
The type of check to make.
The NT status code.
Query the image path from a process ID.
The ID of the process.
True to throw on error.
The image path.
This method can be called without any permissions on the process.
Query the image path from a process ID.
The ID of the process.
The image path.
This method can be called without any permissions on the process.
Get flags for isolated user mode.
True to throw on error.
The ISO flags.
Query a fixed structure from the object.
The type of structure to return.
The information class to query.
A default value for the query.
True to throw on error.
The result of the query.
Thrown on error.
Query a fixed structure from the object.
The type of structure to return.
The information class to query.
A default value for the query.
The result of the query.
Thrown on error.
Query a fixed structure from the object.
The type of structure to return.
The information class to query.
The result of the query.
Thrown on error.
Query a variable buffer from the object.
The type of structure to return.
The information class to query.
A default value for the query.
True to throw on error.
The result of the query.
Thrown on error.
Query a variable buffer from the object.
The information class to query.
A buffer to initialize the initial query. Can be null.
True to throw on error.
The result of the query.
Thrown on error.
Query a variable buffer from the object.
The information class to query.
A buffer to initialize the initial query. Can be null.
The result of the query.
Thrown on error.
Query a variable buffer from the object.
The information class to query.
The result of the query.
Thrown on error.
Query a variable buffer from the object and return as bytes.
The information class to query.
A buffer to initialize the initial query. Can be null.
True to throw on error.
The result of the query.
Thrown on error.
Query a variable buffer from the object and return as bytes.
The information class to query.
A buffer to initialize the initial query. Can be null.
The result of the query.
Thrown on error.
Query a variable buffer from the object and return as bytes.
The information class to query.
The result of the query.
Thrown on error.
Query a variable buffer from the object.
The type of structure to return.
The information class to query.
A default value for the query.
The result of the query.
Thrown on error.
Query a variable buffer from the object.
The type of structure to return.
The information class to query.
The result of the query.
Thrown on error.
Set a value to the object.
The type of structure to set.
The information class to set.
The value to set. If you specify a SafeBuffer then it'll be passed directly.
True to throw on error.
The NT status code of the set.
Thrown on error.
Set a value to the object.
The type of structure to set.
The information class to set.
The value to set.
The NT status code of the set.
Thrown on error.
Set a value to the object from a buffer.
The information class to set.
The value to set.
True to throw on error.
The NT status code of the set.
Thrown on error.
Set a value to the object from a buffer..
The information class to set.
The value to set.
The NT status code of the set.
Thrown on error.
Set a raw value to the object.
The information class to set.
The raw value to set.
True to throw on error.
The NT status code of the set.
Thrown on error.
Set a raw value to the object.
The information class to set.
The raw value to set.
The NT status code of the set.
Thrown on error.
Draw text on the background.
The text to draw.
True to throw on error.
The NT status code.
Draw text on the background.
The text to draw.
Display a string.
The text to display.
True to throw on error.
The NT status code.
Display a string.
The text to display.
Load a driver.
The name of the driver service.
True to throw on error.
The NT status code.
Unload a driver.
The name of the driver service.
True to throw on error.
The NT status code.
Get kernel modules.
True to throw on error.
The list of kernel modules.
Get kernel modules.
The list of kernel modules.
Get whether the kernel debugger is enabled.
Get whether the kernel debugger is not present.
Get current code integrity option settings.
Get code integrity policy.
Get code integrity unlock information.
Get all code integrity policies.
Get whether secure boot is enabled.
Get whether system supports secure boot.
Extract the secure boot policy.
Get system timer resolution.
Get system page size.
Get number of physical pages.
Get lowest page number.
Get highest page number.
Get allocation granularity.
Get minimum user mode address.
Get maximum user mode address.
Get active processor affinity mask.
Get number of processors.
Get system device information.
Get the system processor information.
Get the system emulation processor information.
Get the Isolated User Mode flags.
Get the NT product type.
Get OS version info,
Get whether this is a multi-session SKU.
True if multi-session.
Get whether this there are multiple users in a session.
True if multi-session.
Query the system elevation flags.
Class to represent a NT Thread object
Create a new thread in a process.
The object attributes for the thread object.
Desired access for the handle.
Process to create the thread in.
Address of the start routine.
Argument to pass to the thread.
Creation flags.
Zero bits for the stack address.
Size of the committed stack.
Maximum reserved stack size.
Optional attribute list.
True to throw on error
The created thread object.
This creates a native thread, not a Win32 thread. This might cause unexpected things to fail as they're not initialized.
Create a new thread in a process.
The object attributes for the thread object.
Desired access for the handle.
Process to create the thread in.
Address of the start routine.
Argument to pass to the thread.
Creation flags.
Zero bits for the stack address.
Size of the committed stack.
Maximum reserved stack size.
Optional attribute list.
The created thread object.
This creates a native thread, not a Win32 thread. This might cause unexpected things to fail as they're not initialized.
Create a new thread in a process.
Process to create the thread in.
Address of the start routine.
Argument to pass to the thread.
Creation flags.
Size of the committed stack.
True to throw on error
The created thread object.
This creates a native thread, not a Win32 thread. This might cause unexpected things to fail as they're not initialized.
Create a new thread in a process.
Process to create the thread in.
Address of the start routine.
Argument to pass to the thread.
Creation flags.
Size of the committed stack.
The created thread object.
This creates a native thread, not a Win32 thread. This might cause unexpected things to fail as they're not initialized.
Open a thread
The process ID containing the thread.
The thread ID to open
The desired access for the handle
True to throw an exception on error.
The NT status code and object result.
Open a thread
The thread ID to open
The desired access for the handle
True to throw an exception on error.
The NT status code and object result.
Open a thread
The process ID containing the thread.
The thread ID to open
The desired access for the handle
The NT status code and object result.
Open a thread
The thread ID to open
The desired access for the handle
The opened object
Gets all accessible threads on the system.
The desired access for each thread.
Get the thread list from system information.
The list of accessible threads.
Gets all accessible threads on the system.
The desired access for each thread.
The list of accessible threads.
Get first thread for process.
The process handle to get the threads.
The desired access for the thread.
The first thread, or null if no more available.
Sleep the current thread
Set if the thread should be alertable
The delay, negative values indicate relative times.
True to throw on error.
STATUS_ALERTED if the thread was alerted, other success or error code.
Sleep the current thread
Set if the thread should be alertable
The delay, negative values indicate relative times.
True if the thread was alerted before the delay expired.
Sleep the current thread
Set if the thread should be alertable
The delay, negative values indicate relative times.
True if the thread was alerted before the delay expired.
Sleep the current thread for a specified number of milliseconds.
The delay in milliseconds.
True if the thread was alerted before the delay expired.
Open an actual handle to the current thread rather than the pseudo one used for Current
The thread object
Set the work on behalf ticket.
The ticket to set.
True to throw on error.
The status code from the set.
Set the work on behalf ticket.
The ticket to set.
Set the work on behalf ticket.
The ticket to set.
True to throw on error.
The status code from the set.
Set the work on behalf ticket.
The ticket to set.
Set the work on behalf ticket.
The thread ID.
True to throw on error.
The NT status.
Set the work on behalf ticket.
The thread ID.
Test alert status for the current thread.
True to throw on error.
The NT status code.
Test alert status for the current thread.
Attach a silo container to the current thread.
The silo to attach.
True to throw on error.
The thread impersonation context.
Attach a silo container to the current thread.
The silo to attach.
The thread impersonation context.
Detach container from the current thread.
True to throw on error.
The NT status code.
Detach container from the current thread.
Get XOR key for the work-on-behalf ticket.
True to throw on error.
The XOR key.
Get the current thread.
This only uses the pseudo handle, for the thread. You can't use it in different threads. If you need to do that use OpenCurrent.
Get or set the work on behalf ticket for the current thread.
Get the work on behalf ticket xor key.
Reopen object with different access rights.
The desired access.
Additional attributes for open.
True to throw on error.
The reopened object.
Resume the thread.
True to throw on error.
The suspend count
Resume the thread.
The suspend count
Suspend the thread.
True to throw on error.
The suspend count
Suspend the thread
The suspend count
Terminate the thread
True to throw on error.
The thread status exit code
The NT status code.
Terminate the thread
The thread status exit code
Wake the thread from an alertable state.
True to throw on error.
The NT status code.
Wake the thread from an alertable state.
Wake the thread from an alertable state and resume the thread.
True to throw on error.
The previous suspend count for the thread.
Wake the thread from an alertable state and resume the thread.
The previous suspend count for the thread.
Hide the thread from debug events.
True to throw on error.
The NT status code.
Hide the thread from debug events.
The set the thread's impersonation token
The impersonation token to set
True to throw on error.
The NT status code.
The set the thread's impersonation token
The impersonation token to set
Impersonate the anonymous token
True to throw on error.
The impersonation context. Dispose to revert to self
Impersonate the anonymous token
The impersonation context. Dispose to revert to self
Impersonate a token
True to throw on error.
The token to impersonate.
The impersonation context. Dispose to revert to self
Impersonate a token
The token to impersonate.
The impersonation context. Dispose to revert to self
Impersonate another thread.
The thread to impersonate.
The impersonation security quality of service.
True to throw on error.
The imperonsation context. Dispose to revert to self.
Impersonate another thread's security context.
The thread to impersonate.
The impersonation level for the token.
True to throw on error.
The imperonsation context. Dispose to revert to self.
Impersonate another thread's security context.
The thread to impersonate.
The impersonation level for the token.
The imperonsation context. Dispose to revert to self.
Impersonate another thread's security context at impersonation level.
The thread to impersonate.
True to throw on error.
The imperonsation context. Dispose to revert to self.
Impersonate another thread's security context at impersonation level.
The thread to impersonate.
The imperonsation context. Dispose to revert to self.
Open the thread's token
The token, null if no token available
Queue a special user APC to the thread.
The APC callback pointer.
Context parameter.
System argument 1.
System argument 2.
True to throw on error.
The NT status code.
Queue a special user APC to the thread.
The APC callback pointer.
Context parameter.
System argument 1.
System argument 2.
The NT status code.
Queue a special user APC to the thread.
The APC callback pointer.
Context parameter.
System argument 1.
System argument 2.
True to throw on error.
The NT status code.
Queue a special user APC to the thread.
The APC callback pointer.
Context parameter.
System argument 1.
System argument 2.
The NT status code.
Queue a user APC to the thread.
The APC callback pointer.
Context parameter.
System argument 1.
System argument 2.
True to throw on error.
The NT status code.
Queue a user APC to the thread.
The APC callback pointer.
Context parameter.
System argument 1.
System argument 2.
Queue a user APC to the thread.
The APC callback delegate.
Context parameter.
System argument 1.
System argument 2.
True to throw on error.
The NT status code.
This is only for APCs in the current process. You also must ensure the delegate is
valid at all times as this method doesn't take a reference to the delegate to prevent it being
garbage collected.
Queue a user APC to the thread.
The APC callback delegate.
Context parameter.
System argument 1.
System argument 2.
This is only for APCs in the current process. You also must ensure the delegate is
valid at all times as this method doesn't take a reference to the delegate to prevent it being
garbage collected.
Get next thread for process relative to current thread.
The process handle to get the threads.
The desired access for the thread.
The next thread, or null if no more available.
Get the thread context.
Flags for context parts to get.
True to throw on error.
An instance of an IContext object. Needs to be cast to correct type to access.
Get the thread context.
Flags for context parts to get.
An instance of an IContext object. Needs to be cast to correct type to access.
Set the thread's context.
The thread context to set.
True to throw on error.
The NT status code.
Set the thread's context.
The thread context to set.
Get current waiting server information.
True to throw on error.
The thread ALPC server information.
Get current waiting server information.
The thread ALPC server information.
Get the process ID associated with the thread.
True to throw on error.
The process ID.
Get the thread ID.
True to throw on error.
The thread ID.
Cancel all synchronous IO for this thread.
True to throw on error.
The NT status.
Get a partial TEB for the thread.
The partial TEB.
Get the work on behalf ticket for a thread.
True to throw on error.
The work on behalf ticket.
Get the work on behalf ticket for a thread.
The work on behalf ticket.
Get the effective container ID for the thread.
True to throw on error.
The effective container ID.
Get priority boost disable value.
True to throw on error.
True if priority base
Set priority boost disable value.
True to disable priority boost.
True to throw on error.
The NT status code.
Method to query information for this object type.
The information class.
The buffer to return data in.
Return length from the query.
The NT status code for the query.
Method to set information for this object type.
The information class.
The buffer to set data from.
The NT status code for the set.
Query the information class as an object.
The information class.
True to throw on error.
The information class as an object.
Get thread ID
Get process ID
Get name of process.
Get or set the thread's current priority
Get or set the thread's base priority
Get or set the thread's affinity mask.
Get the thread's TEB base address.
Get or set whether thread is allowed to create dynamic code.
Set can only be done on the current thread.
Get whether thread is impersonating another token.
Note that this tries to open the thread's token and return true if it could open. A return of false
might just indicate that the caller doesn't have permission to open the token, not that it's not impersonating.
Get name of the thread.
Get or set a thread's description.
Get the Win32 start address for the thread.
Get the current Instruction Pointer for the thread.
Get last system call on the thread.
Get the thread's suspend count.
Get whether the thread has pending IO.
Get the creation time of the thread.
Get the exit time of the thread (0 if not exited)
Get the time spent in the kernel.
Get the time spent in user mode.
Get thread information.
Get thread exit status.
Get thread exit status.
Get the effective container ID.
Should be called on the current thread psuedo handle.
Get or set priority boost disabled.
Delegate for APC callbacks.
Context parameter.
System argument 1.
System argument 2.
Class to represent an NT Timer object
Create a timer object
The path to the event
The root object for relative path names
The type of the timer.
The timer object
Create a timer object
The timer object attributes
The type of the event
The desired access for the timer
The timer object
Create a timer object
The timer object attributes
The type of the timer
The desired access for the timer
True to throw an exception on error.
The NT status code and object result.
Create a timer object
The path to the timer
The type of the timer
The timer object
Create a timer object
The type of the timer
The timer object
Create a timer object
The timer object
Open a timer object
The path to the timer
The root object for relative path names
The desired access for the timer
The timer object
Open a timer object
The path to the timer
The root object for relative path names
The desired access for the timer
True to throw on error.
The timer object
Open a timer object
The timer object attributes
The desired access for the timer
The timer object.
Open a timer object
The event object attributes
The desired access for the timer
True to throw an exception on error.
The NT status code and object result.
Open a timer object
The path to the timer
The root object for relative path names
The timer object
Open a timer object
The path to the timer
The timer object
Method to query information for this object type.
The information class.
The buffer to return data in.
Return length from the query.
The NT status code for the query.
Method to set information for this object type.
The information class.
The buffer to set data from.
The NT status code for the set.
Set timer state.
The due time for the timer.
Optional APC routine.
Optional APC context pointer.
True to resume.
Period time.
True throw on error.
The NT result and previous state.
Set timer state.
The due time for the timer.
Optional APC routine.
Optional APC context pointer.
True to resume.
Period time.
The previous state.
Set timer state.
The due time for the timer.
The previous state.
Set timer state in milliseconds.
The due time for the timer in milliseconds.
The previous state.
Cancel the timer.
True to throw on error.
The previous state.
Cancel the timer.
The previous state.
Query the information class as an object.
The information class.
True to throw on error.
The information class as an object.
Remaining time for the timer.
Signal state of the timer.
Delegate for Timer APC callbacks.
Context parameter.
Low value of timer.
High value of timer.
Enumeration for querying group list using QueryGroups.
The default group list.
The restrict group list.
The capability group list.
The device group list.
The restricted device list.
Specify type of security attributes to query.
Local security attributes.
User security attributes.
Restricted user security attributes.
Device security attributes.
Restricted device security attributes.
Singleton device security attributes.
Data from the TSA://ProcUnique security attribute.
The index entry for the process.
The value for the entry.
Class representing a Token object
Duplicate token as specific type.
The token type
The impersonation level us type is Impersonation
Open with the desired access.
The object attributes for the token.
The security descriptor for the token.
If true then throw an exception on error.
The new token
Thrown on error
Duplicate token as specific type.
The token type
The impersonation level us type is Impersonation
Open with the desired access.
The object attributes for the token.
The security descriptor for the token.
The new token
Thrown on error
Duplicate token as specific type.
The token type
The impersonation level us type is Impersonation
Open with the desired access.
If true then throw an exception on error.
The new token
Thrown on error
Duplicate token as specific type
The token type
The impersonation level us type is Impersonation
Open with the desired access.
The new token
Thrown on error
Duplicate the token as the same token type.
The new token.
Thrown on error
Duplicate the token as the same token type.
True to throw on error.
The new token.
Thrown on error
Duplicate token as an impersonation token with a specific level
The token impersonation level
The new token
Thrown on error
Set a privilege state
The name of the privilege (e.g. SeDebugPrivilege)
True to enable the privilege, false to disable
True to throw on error.
True if successfully changed the state of the privilege
Set a privilege state
The name of the privilege (e.g. SeDebugPrivilege)
True to enable the privilege, false to disable
True if successfully changed the state of the privilege
Set a privilege state
The luid of the privilege
The privilege attributes to set.
True to throw on error.
True if successfully changed the state of the privilege
Set a privilege state
The luid of the privilege
The privilege attributes to set.
True if successfully changed the state of the privilege
Set a privilege state
The value of the privilege
The privilege attributes to set.
True to throw on error.
True if successfully changed the state of the privilege
Set a privilege state
The value of the privilege
The privilege attributes to set.
True if successfully changed the state of the privilege
Remove a privilege.
The value of the privilege to remove.
True if successfully removed the privilege.
Remove a privilege.
The LUID of the privilege to remove.
True if successfully removed the privilege.
Create a LowBox token from the current token.
The package SID
The created LowBox token.
Thrown on error.
Create a LowBox token from the current token.
The package SID
List of handles to capture with the token
The created LowBox token.
Thrown on error.
Create a LowBox token from the current token.
The package SID
List of handles to capture with the token
List of capability sids to add.
Desired token access.
The created LowBox token.
Thrown on error.
Filter a token to remove groups/privileges and add restricted SIDs
Filter token flags
List of SIDs to disable
List of privileges to delete
List of restricted SIDs to add
The new token.
Filter a token to remove groups/privileges and add restricted SIDs
Filter token flags
List of SIDs to disable
List of privileges to delete
List of restricted SIDs to add
The new token.
Filter a token to remove privileges and groups.
Filter token flags
The new filtered token.
Set the state of a group
The group SID to set
The attributes to set
Set the state of a group
The group SID to set
The attributes to set
True to throw on error.
The NT status code.
Set the state of a group
The groups to set
The attributes to set
True to throw on error.
The NT status code.
Set the state of a group
The groups to set
The attributes to set
Reset all groups to their default state.
True to throw on error.
The NT status code.
Reset all groups to their default state.
Set the session ID of a token
The session ID
Set a token's default DACL
The DACL to set.
Set the origin logon session ID.
The origin logon session ID.
Set virtualization enabled
True to enable virtualization
True to throw on error.
Set virtualization enabled
True to enable virtualization
Set UI Access flag.
True to enable UI Access.
Get the linked token
True to throw on error.
The linked token
Get the linked token
The linked token
Set the linked token.
The token to set.
Requires SeCreateTokenPrivilege.
Impersonate the token.
An impersonation context, dispose to revert to process token
Thrown on error.
Impersonate the token.
Impersonation level for token.
An impersonation context, dispose to revert to process token
Thrown on error.
Run a function under impersonation.
The return type.
The callback to run.
The return value from the callback.
Thrown on error.
Run an action under impersonation.
The callback to run.
Thrown on error.
Run a function under impersonation.
The return type.
The callback to run.
Impersonation level for token.
The return value from the callback.
Thrown on error.
Run an action under impersonation.
The callback to run.
Impersonation level for token.
Thrown on error.
Get a security attribute by name.
Specify the type of security attributes to query.
The name of the security attribute, such as WIN://PKG
The expected type of the security attribute. If None return ignore type check.
The security attribute or null if not found.
Get a security attribute by name.
The name of the security attribute, such as WIN://PKG
The expected type of the security attribute. If None return ignore type check.
The security attribute or null if not found.
Get a security attribute by name.
The name of the security attribute, such as WIN://PKG
The security attribute or null if not found.
Get token's security attributes
Specify the type of security attributes to query.
Throw on error.
The security attributes.
Get token's security attributes.
Throw on error.
The security attributes.
Get token's security attributes
Specify the type of security attributes to query.
The security attributes.
Get token's security attributes
The security attributes.
Set security attributes on the token.
The list of attributes.
The operation to perform on the attribute.
Throw on error.
The array of attributes aand operations must be the same size. You need SeTcbPrivilege to call this API.
The NT Status code.
Set security attributes on the token.
The list of attributes.
The operation to perform on the attribute.
The array of attributes aand operations must be the same size. You need SeTcbPrivilege to call this API.
Add security attributes to the token.
The list of attributes.
Throw on error.
You need SeTcbPrivilege to call this API.
The NT Status code.
Add security attributes to the token.
The list of attributes.
You need SeTcbPrivilege to call this API.
Replace security attributes in the token.
The list of attributes.
Throw on error.
You need SeTcbPrivilege to call this API.
The NT Status code.
Replace security attributes in the token.
The list of attributes.
You need SeTcbPrivilege to call this API.
Replace all security attributes in the token.
The list of attributes.
Throw on error.
You need SeTcbPrivilege to call this API.
The NT Status code.
Replace security attributes in the token.
The list of attributes.
You need SeTcbPrivilege to call this API.
Remove security attributes by name.
The attribute names to remove.
Throw on error.
The NT Status code.
Remove security attributes by name.
The attribute names to remove.
Set the token's integrity level.
The level to set.
Set the token's integrity level.
The level to set.
Get the state of a privilege.
The privilege to get the state of.
The privilege, or null if it can't be found
Thrown if can't query privileges
Get the state of a privilege.
The privilege to get the state of.
The privilege, or null if it can't be found
True to throw on error
Thrown if can't query privileges
Compare two tokens.
The other token to compare.
True if tokens are equal.
Get the App Policy for this token.
The type of app policy.
The policy value.
Disable No Child process policy on the token.
Needs SeTcbPrivilege.
Query a list of groups from the token.
The type of groups to query.
True to throw on error.
The list of groups.
Query a list of groups from the token.
The type of groups to query.
The list of groups.
Get the user from the token.
True to throw on error.
The user group information.
Do a privilege check on a token.
The list of privileges to check.
True to require all necessary privileges.
True to throw on error.
The privilege check result.
Do a privilege check on a token.
The list of privileges to check.
True to require all necessary privileges.
The privilege check result.
Do a privilege check on a token.
The list of privileges to check.
True to require all necessary privileges.
True to throw on error.
The privilege check result.
Do a privilege check on a token.
The list of privileges to check.
True to require all necessary privileges.
The privilege check result.
Do a privilege check for a single privilege.
The privilege to check.
True if the privilege is enabled.
Do a privilege check for a single privilege.
The privilege to check.
True if the privilege is enabled.
Get token privileges.
True to throw on error.
The list of privileges.
Perform a capability check for a token.
The name of the capability to check.
True to throw on error.
True if the token has the capability.
Perform a capability check for a token.
The name of the capability to check.
True if the token has the capability.
Method to query information for this object type.
The information class.
The buffer to return data in.
Return length from the query.
The NT status code for the query.
Method to set information for this object type.
The information class.
The buffer to set data from.
The NT status code for the set.
Query the information class as an object.
The information class.
True to throw on error.
The information class as an object.
Get the logon SID for the token.
True to throw on error.
The logon SID.
Get token user
Get token groups
Get list of enabled groups.
Get list of deny only groups.
Get count of groups in this token.
Get the authentication ID for the token
Get the token's type
Get the token's expiration time.
Get the Token's Id
Get the Token's modified Id.
Get/set the token's owner.
Get/set the token's primary group
Get/set the token's default DACL
Get the token's source
Get token's restricted sids
Get count of restricted sids
Get token's impersonation level
Get/set token's session ID
Get whether token has sandbox inert flag set.
Get/set token's origin
Get token's elevation type
Get whether token is elevated
Get whether token has restrictions
Get/set token UI access flag
Get or set whether virtualization is allowed
Get/set whether virtualization is enabled
Get whether token is restricted
Get whether token is write restricted.
Get whether token is filtered.
Get whether token is not low.
Token access flags.
Get whether token can be used for new child processes.
Get token capabilities.
Get or set the token mandatory policy
Get token logon sid
Get token's integrity level sid
Get token's App Container number.
Get or set token's integrity level.
Get token's security attributes
Get token's device claims.
Get token's user claims.
Get token's restricted user claims.
Unsupported, at least on Windows 10.
Get token's restricted user claims.
Unsupported, at least on Windows 10.
Get whether a token is an AppContainer token
Get whether the token is configured for low privilege.
Get token's AppContainer sid
Get token's AppContainer package name (if available).
Returns an empty string if not an AppContainer.
Get token's device groups
Get token's restricted device groups.
Get list of privileges for token
The list of privileges
Thrown if can't query privileges
Get full path to token
Get the token's trust level. Will be null if no trust level present.
Returns true if this is a pseudo token.
Get whether this token is a sandboxed token.
Query the token's full package name.
Query the token's appid.
Get the list of policies for this App.
Get the list of policies for this App in a table.
Get the BaseNamedObjects isolation prefix if enabled.
Get the token's package identity.
Get or set the token audit policy.
Needs SeSecurityPrivilege to query and SeTcbPrivilege to set.
Get or set if token is in a private namespace.
Get if the token is restricted.
Get the TSA://ProcUnique attribute.
Enable debug privilege for the current process token.
True if set the debug privilege
Enable a privilege of the effective token.
The privilege to enable.
True if set the privilege.
Open the process token of another process
The process to open the token for
The desired access for the token
Attribute flags for the handle.
If true then throw an exception on error.
The opened token
Thrown if cannot open token
Open the process token of another process
The process to open the token for
The desired access for the token
Attribute flags for the handle.
The opened token
Thrown if cannot open token
Open the process token of another process
The process to open the token for
The desired access for the token
If true then throw an exception on error.
The opened token
Thrown if cannot open token
Open the process token of another process
The process to open the token for
The desired access for the token
The opened token
Thrown if cannot open token
Open the process token of another process
The process to open the token for
True to duplicate the token before returning
The opened token
Thrown if cannot open token
Open the process token of another process
The process to open the token for
True to duplicate the token before returning
The desired access for the token
The opened token
Thrown if cannot open token
Open the process token of another process
The process to open the token for
True to duplicate the token before returning
The desired access for the token
True to throw on error.
The opened token
Thrown if cannot open token
Open the process token of another process
The process to open the token for
The opened token
Thrown if cannot open token
Open the process token of the current process
The opened token
Thrown if cannot open token
Open the process token of the current process
True to duplicate the token before returning
The opened token
Thrown if cannot open token
Open the process token of the current process
True to duplicate the token before returning
The desired access for the token
The opened token
Thrown if cannot open token
Open the process token of another process
The id of the process to open the token for
True to duplicate the token before returning
The opened token
Thrown if cannot open token
Open the process token of another process
The id of the process to open the token for
True to duplicate the token before returning
The desired access for the token
The opened token
Thrown if cannot open token
Open the process token of another process
The id of the process to open the token for
True to duplicate the token before returning
The desired access for the token
True to throw on error.
The opened token
Thrown if cannot open token
Open the process token of another process
The id of the process to open the token for
The opened token
Thrown if cannot open token
Open the thread token
The thread to open the token for
Open the token as the current identify rather than the impersonated one
The desired access for the token
If true then throw an exception on error.
The opened token result
Thrown if cannot open token
Open the thread token
The thread to open the token for
Open the token as the current identify rather than the impersonated one
True to duplicate the token before returning.
The desired access for the token
True to throw on error.
The opened token, if no token return null
Thrown if cannot open token
Open the thread token
The thread to open the token for
Open the token as the current identify rather than the impersonated one
True to duplicate the token before returning
The desired access for the token
The opened token, if no token return null
Thrown if cannot open token
Open the thread token
The ID of the thread to open the token for
Open the token as the current identify rather than the impersonated one
True to duplicate the token before returning
The desired access for the token
The opened token, if no token return null
Thrown if cannot open token
Open the thread token
The thread to open the token for
Open the token as the current identify rather than the impersonated one
True to duplicate the token before returning
The opened token, if no token return null
Thrown if cannot open token
Open the thread token
The thread to open the token for
The opened token, if no token return null
Thrown if cannot open token
Open the current thread token
True to duplicate the token before returning
The opened token, if no token return null
Thrown if cannot open token
Open the current thread token
The opened token, if no token return null
Thrown if cannot open token
Open the effective token, thread if available or process
The thread to open the token for
True to duplicate the token before returning
Desired access for token.
Open token as self.
True to throw on error.
The opened token
Thrown if cannot open token
Open the effective token, thread if available or process
The thread to open the token for
True to duplicate the token before returning
Desired access for token.
Open token as self.
The opened token
Thrown if cannot open token
Open the effective token, thread if available or process
The thread to open the token for
True to duplicate the token before returning
True to throw on error.
The opened token
Thrown if cannot open token
Open the effective token, thread if available or process
The thread to open the token for
True to duplicate the token before returning
The opened token
Thrown if cannot open token
Open the current effective token, thread if available or process
The opened token
Thrown if cannot open token
Open the current effective token, thread if available or process
True to throw on error.
The opened token
Thrown if cannot open token
Create a token. Needs SeCreateTokenPrivilege.
The desired access for the token.
Object attributes, used to pass SecurityDescriptor or SQOS for impersonation token.
The type of token.
The authentication ID for the token.
The expiration time for the token.
The user for the token.
The groups for the token.
The privileges for the token.
The owner of the token.
The primary group for the token.
The default dacl for the token.
The source for the token.
Optional device attributes.
Optional device groups.
Optional mandatory policy.
Optional user attributes.
True to throw on error.
The token object.
Create a token. Needs SeCreateTokenPrivilege.
The desired access for the token.
Object attributes, used to pass SecurityDescriptor or SQOS for impersonation token.
The type of token.
The authentication ID for the token.
The expiration time for the token.
The user for the token.
The groups for the token.
The privileges for the token.
The owner of the token.
The primary group for the token.
The default dacl for the token.
The source for the token.
Optional device attributes.
Optional device groups.
Optional mandatory policy.
Optional user attributes.
The token object.
Create a token. Needs SeCreateTokenPrivilege.
The desired access for the token.
Object attributes, used to pass SecurityDescriptor or SQOS for impersonation token.
The type of token.
The authentication ID for the token.
The expiration time for the token.
The user for the token.
The groups for the token.
The privileges for the token.
The owner of the token.
The primary group for the token.
The default dacl for the token.
The source for the token.
True to throw on error.
The token object.
Create a token. Needs SeCreateTokenPrivilege.
The desired access for the token.
Object attributes, used to pass SecurityDescriptor or SQOS for impersonation token.
The type of token.
The authentication ID for the token.
The expiration time for the token.
The user for the token.
The groups for the token.
The privileges for the token.
The owner of the token.
The primary group for the token.
The default dacl for the token.
The source for the token.
The token object.
Create a token. Needs SeCreateTokenPrivilege.
The user for the token.
The groups for the token.
The privileges for the token.
The token object.
Create a token. Needs SeCreateTokenPrivilege.
The user for the token.
The token object.
Impersonate another process' token
The impersonation level
Process ID of the other process
An impersonation context, dispose to revert to process token
Get the current user.
True to throw on error.
The current user.
Do a single privilege check on the effective token.
The privilege to check.
True to throw on error.
True if the privilege is enabled.
Do a single privilege check on the effective token.
The privilege to check.
True if the privilege is enabled.
Get the current user.
Get authentication ID for LOCAL SYSTEM
Get authentication ID for LOCAL SERVICE
Get authentication ID for NETWORK SERVICE
Get authentication ID for ANONYMOUS
Get a pseudo handle to the primary token.
Only useful for querying information.
Get a pseudo handle to the impersonation token.
Only useful for querying information.
Get a pseudo handle to the effective token.
Only useful for querying information.
Static methods to interact with the ETW subsystem.
Issue a trace control request.
The trace control function code.
The optional input buffer.
The optional output buffer.
True to throw on error.
The output length.
Issue a trace control request.
The trace control function code.
The optional input buffer.
The optional output buffer.
The output length.
Access rights for Trace
The security trace provider GUID.
The default security GUID.
Class to represent a kernel transaction.
Create a transaction
The object attributes
Desired access for the handle
True to throw an exception on error.
Transaction creation options.
Optional description of the transaction.
Isolation flags.
Isolation level.
Optional transaction timeout.
Optional transaction manager.
Optional UOW.
The NT status code and object result.
Create a transaction
The object attributes
Desired access for the handle
Transaction creation options.
Optional description of the transaction.
Isolation flags.
Isolation level.
Optional transaction timeout.
Optional transaction manager.
Optional UOW.
The NT status code and object result.
Create a transaction
The object attributes
Desired access for the handle
True to throw an exception on error.
The NT status code and object result.
Create a transaction
The object attributes
Desired access for the handle
The opened transaction
Create a transaction
The path of the transaction
The root if path is relative
Desired access for the handle
Transaction creation options.
Optional description of the transaction.
Isolation flags.
Isolation level.
Optional transaction timeout.
Optional transaction manager.
Optional UOW.
True to throw an exception on error.
The opened transaction
Create a transaction
The path of the transaction
The root if path is relative
Desired access for the handle
Transaction creation options.
Optional description of the transaction.
Isolation flags.
Isolation level.
Optional transaction timeout.
Optional transaction manager.
Optional UOW.
The opened transaction
Create a transaction
The path of the transaction
The root if path is relative
Desired access for the handle
True to throw an exception on error.
The opened transaction
Create a transaction
The path of the transaction
The root if path is relative
Desired access for the handle
The opened transaction
Create a transaction
The path of the transaction
The root if path is relative
The opened transaction
Create a transaction
The path of the transaction
The opened transaction
Create a transaction
The opened transaction
Open a transaction object.
The object attributes for the object
The desired access for the object
Optional transaction manager.
UOW Guid.
True to throw an exception on error.
The NT status code and object result.
Open a transaction object.
The object attributes for the object
The desired access for the object
Optional transaction manager.
UOW Guid.
The object result.
Open a transaction object.
The desired access for the object
Optional transaction manager.
UOW Guid.
The object result.
Open a transaction object.
Optional transaction manager.
UOW Guid.
The object result.
Open a transaction object.
UOW Guid.
The object result.
Get a list of all accessible transaction objects.
The object attributes for the object
Optional transaction manager.
The access for the transaction objects.
The list of all accessible transaction objects.
Get a list of all accessible transaction objects.
The access for the transaction objects.
The list of all accessible transaction objects.
Get a list of all accessible transaction objects.
The list of all accessible transaction objects.
Get the current thread's transaction.
Commit the transaction
Wait for transaction to commit.
True to throw an exception on error.
The NT status code.
Commit the transaction
Wait for transaction to commit.
Commit the transaction
Rollback the transaction
Wait for transaction to rollback.
True to throw an exception on error.
The NT status code.
Rollback the transaction
Wait for transaction to rollback.
Rollback the transaction
Enable the transaction for anything in the current thread context.
The transaction context. This should be disposed to disable the transaction.
Method to query information for this object type.
The information class.
The buffer to return data in.
Return length from the query.
The NT status code for the query.
Method to set information for this object type.
The information class.
The buffer to set data from.
The NT status code for the set.
Query the information class as an object.
The information class.
True to throw on error.
The information class as an object.
Get the ID of the transaction.
Get the Unit of Work ID of the transaction. Same as transaction ID.
Get the state of the transaction.
Get the outcome of the transaction.
Get or set the transaction description.
Get or set the transaction isolation level.
Get or set the transaction isolation flags.
Get or set transaction timeout.
Query list of enlistments for this transaction.
Query the superior enlistment for this transaction.
Class to represent a kernel transaction manager.
Create a new transaction manager object.
The object attributes
Desired access for the handle
True to throw an exception on error.
The CLFS log file to create if not volatile.
Creation options flags.
Commit strength, set to 0.
The NT status code and object result.
Create a new transaction manager object.
The object attributes
Desired access for the handle
The CLFS log file to create if not volatile.
Creation options flags.
Commit strength, set to 0.
The object result.
Create a new transaction manager object.
The path to the transaction manager.
The root if path is relative.
Desired access for the handle
The CLFS log file to create if not volatile.
Creation options flags.
True to throw an exception on error.
The object result.
Create a new transaction manager object.
The path to the transaction manager.
The root if path is relative.
Desired access for the handle
The CLFS log file to create if not volatile.
Creation options flags.
The object result.
Create a new volatile transaction manager object.
The path to the transaction manager.
The root if path is relative.
Desired access for the handle
The object result.
Create a new volatile transaction manager object.
The path to the transaction manager.
The root if path is relative.
The object result.
Create a new volatile transaction manager object.
The path to the transaction manager.
The object result.
Create a new volatile transaction manager object.
The object result.
Open a existing transaction manager object.
The object attributes
Desired access for the handle
The CLFS log file to create if not volatile.
Identity of the transaction manager.
Open options flags.
True to throw an exception on error.
The NT status code and object result.
Open a existing transaction manager object.
The object attributes
Desired access for the handle
Identity of the transaction manager.
The CLFS log file to create if not volatile.
Open options flags.
The object result.
Open an existing transaction manager object.
The path to the transaction manager.
The root if path is relative.
Desired access for the handle
Identity of the transaction manager.
The CLFS log file to create if not volatile.
Open options flags.
True to throw an exception on error.
The object result.
Open an existing transaction manager object.
The path to the transaction manager.
The root if path is relative.
Desired access for the handle
Identity of the transaction manager.
The CLFS log file to create if not volatile.
Open options flags.
The object result.
Open an existing transaction manager object.
The path to the transaction manager.
The root if path is relative.
Desired access for the handle
The object result.
Open an existing transaction manager object.
The path to the transaction manager.
The root if path is relative.
The object result.
Open an existing transaction manager object.
The path to the transaction manager.
The object result.
Rename transaction manager object. The new identity can be queried with the Identity property on the object.
The path to the transaction log file.
The existing transaction manager identity.
True to throw an exception on error.
The NT status code
Get a list of all accessible transaction manager objects.
Object attributes for opened handle.
The access for the transaction manager objects.
Open options.
The list of all accessible transaction manager objects.
Get a list of all accessible transaction manager objects.
The access for the transaction manager objects.
The list of all accessible transaction manager objects.
Get a list of all accessible transaction manager objects.
The list of all accessible transaction manager objects.
Get the Transaction Manager identity.
Get the Transaction Manager virtual clock.
Get the Transaction Manager log identity.
Get the Transaction Manager log path.
Get Transaction Manager last recovered Log Sequence Number.
Get whether the transaction manager is volatile.
Rename transaction manager object. The new identity can be queried with the Identity property on the object.
True to throw an exception on error.
The NT status code
Rename transaction manager object. The new identity can be queried with the Identity property on the object.
Recover the transaction manager.
True to throw an exception on error.
The NT status code
Recover the transaction manager.
Rollforward the transaction manager.
Optional virtual block value to rollforward to.
True to throw an exception on error.
The NT status code
Rollforward the transaction manager.
True to throw an exception on error.
The NT status code
Rollforward the transaction manager.
Optional virtual block value to rollforward to.
Rollforward the transaction manager.
Create a resource manager for this transaction manager.
The resource manager GUID to assign.
Creation options.
True to throw on error.
The resource manager and NT status.
Create a resource manager for this transaction manager.
The resource manager GUID to assign.
Creation options.
The resource manager .
Create a resource manager for this transaction manager.
The resource manager GUID to assign.
The resource manager.
Create a volatile resource manager for this transaction manager with a auto-generated GUID.
The resource manager.
Method to query information for this object type.
The information class.
The buffer to return data in.
Return length from the query.
The NT status code for the query.
Method to set information for this object type.
The information class.
The buffer to set data from.
The NT status code for the set.
Query the information class as an object.
The information class.
True to throw on error.
The information class as an object.
Get a list of all accessible transaction objects owned by this transaction manager.
The access for the transaction objects.
The list of all accessible transaction objects.
Get a list of all accessible transaction objects owned by this transaction manager.
The list of all accessible transaction objects.
Get a list of all accessible resource manager objects owned by this transaction manager.
Object attributes for opened handle.
The access for the resource manager objects.
The list of all accessible resource manager objects.
Get a list of all accessible resource manager objects owned by this transaction manager.
The access for the resource manager objects.
The list of all accessible resource manager objects.
Get a list of all accessible resource manager objects owned by this transaction manager.
The list of all accessible resource manager objects.
General utilities for the kernel transaction manager.
Enumerate transaction objects of a specific type from a root handle.
The root handle to enumearate from.
The type of object to query.
The list of enumerated transaction object GUIDs.
Enumerate all transaction objects of a specific type.
The type of object to query.
The list of enumerated transaction object GUIDs.
Freeze all transactions. Needs SeRestorePrivilege.
The freeze wait timeout.
The thaw wait timeout.
Throw exception on error.
The NT status code.
Freeze all transactions. Needs SeRestorePrivilege.
The freeze wait timeout.
The thaw wait timeout.
Thaw transactions. Needs SeRestorePrivilege.
Throw exception on error.
The NT status code.
Thaw transactions. Needs SeRestorePrivilege.
The NT status code.
Class representing an NT object type
The name of the type
The mapping from generic to specific object rights
The valid access mask
True if the object needs security even if unnamed
Total number of objects (when originally retrieved)
Total number of handles (when originally retrieved)
Total paged pool usage (when originally retrieved)
Total non-paged pool usage (when originally retrieved)
Total name pool usage (when originally retrieved)
Total handle table usage (when originally retrieved)
Maximum number of objects (when originally retrieved)
Maximum number of handles (when originally retrieved)
Maximum paged pool usage (when originally retrieved)
Maximum non-paged pool usage (when originally retrieved)
Maximum name pool usage (when originally retrieved)
Maximum handle table usage (when originally retrieved)
The attributes flags which are invalid
Indicates whether handle count is mainted
Indicates the type list maintained
Indicates the type of pool used in allocations
Current paged pool usage
Current non-pages pool usage
Type Index
Generic Read Access rights
Generic Read Access rights
Generic Read Access rights
Generic Read Access rights
Get the maximum access mask for the type's default mandatory access policy.
Get implemented object type for this NT type.
Get the access rights enumerated type for this NT type.
Get the access rights enumerated type for this NT type if it's a container.
There's only one known type at the moment which uses this, File.
Can this type of open be opened by name
Get the valid access rights for this Type.
Get the valid read access rights for this Type.
Get the valid write access rights for this Type.
Get the valid execute access rights for this Type.
Get the valid all access rights for this Type.
Get the valid mandatory access rights for this Type.
Get defined query information classes for a type.
Get defined set information classes for a type.
Open this NT type by name (if CanOpen is true)
The object attributes to open.
Desired access when opening.
True to throw an exception on error.
The NT status code and object result.
Open this NT type by name (if CanOpen is true)
The name of the object to open.
The root object for opening, if name is relative
Desired access when opening.
The created object.
Thrown on error
Open this NT type by name (if CanOpen is true)
The name of the object to open.
The root object for opening, if name is relative
The created object.
Thrown on error
Open this NT type by name (if CanOpen is true)
The name of the object to open.
The created object.
Thrown on error
Get object from an existing handle.
The existing handle.
The new object.
Get object from an existing handle.
The existing handle.
True to own the handle.
The new object.
Get object from an existing handle.
The existing handle.
The call doesn't own the handle. The returned object can't be used to close the handle.
The new object.
Convert an enumerable access rights to a string
True to use the container access type.
The granted access mask.
True to try and convert to generic rights where possible.
Set to true to use SDK style names.
The string format of the access rights
Convert an enumerable access rights to a string
True to use the container access type.
The granted access mask.
True to try and convert to generic rights where possible.
The string format of the access rights
Convert an enumerable access rights to a string
The granted access mask.
True to try and convert to generic rights where possible.
The string format of the access rights
Convert an enumerable access rights to a string
The granted access mask.
The string format of the access rights
Checks if an access mask represents a read permission on this type
The access mask to check
True if it has read permissions
Checks if an access mask represents a write permission on this type
The access mask to check
True if it has write permissions
Checks if an access mask represents a execute permission on this type
The access mask to check
True if it has execute permissions
Checks if an access mask represents a full permission on this type
The access mask to check
True if it has full permissions
Map generic access rights to specific access rights for this type
The access mask to map
The mapped access mask
Unmap specific access rights to generic access rights for this type
The access mask to unmap
The unmapped access mask
Checks if an access mask is valid for access of this object type.
The access mask to check
True if it valid access
Get the maximum access mask for the type's default mandatory access policy.
The allowed access mask for the type with the default policy.
Overridden ToString method.
Returns the type as a string.
Create an NtType object by name.
The name of the NT type.
This will always return a cached type.
Invalid NT type name.
Get a type object by index
The index
The object type, null if not found
Get a type object by index
The index, must be >= 0.
True to get a cached type, false to return a live types.
The object type, null if not found
Get a type object by name
The name of the type
True to create a fake type if needed.
True to get a cached type, false to return a live types.
The object type, null if not found
Get a type object by name
The name of the type
True to create a fake type if needed.
The object type, null if not found
Get a type object by name
The name of the type
The object type, null if not found
Get a type object by a kernel handle.
The kernel handle.
True to create a fake type if needed.
The object type, null if not found
Get an NT type based on the implemented .NET type.
A type derived from NtObject
True to get a cached type, false to return a live types.
The NtType represented by this .NET type. Note if a type is represented with multiple
names only return the first one we find.
Thrown if there exists no .NET type which maps to this type.
Get an NT type based on the implemented .NET type.
A type derived from NtObject
The NtType represented by this .NET type. Note if a type is represented with multiple
names only return the first one we find.
Thrown if there exists no .NET type which maps to this type.
Get a fake type object. This can be used in access checking for operations which need an NtType object
but there's no real NT object.
The name of the fake type. Informational only.
The GENERIC_MAPPING for security checking.
The access rights enumeration type.
The access rights enumeration type of the object is a container.
The mandatory label policy.
The fake NT type object.
Get a fake type object. This can be used in access checking for operations which need an NtType object
but there's no real NT object.
The name of the fake type. Informational only.
The GENERIC_MAPPING for security checking.
The access rights enumeration type.
The access rights enumeration type of the object is a container.
The fake NT type object.
Get a fake type object. This can be used in access checking for operations which need an NtType object
but there's no real NT object.
The name of the fake type. Informational only.
The GENERIC_MAPPING for security checking.
The access rights enumeration type.
The fake NT type object.
Get a fake type object. This can be used in access checking for operations which need an NtType object
but there's no real NT object.
The name of the fake type. Informational only.
The GENERIC_READ for security checking.
The GENERIC_WRITE for security checking.
The GENERIC_EXECUTE for security checking.
The GENERIC_ALL for security checking.
The access rights enumeration type.
The access rights enumeration type of the object is a container.
The fake NT type object.
Get a fake type object. This can be used in access checking for operations which need an NtType object
but there's no real NT object.
The name of the fake type. Informational only.
The GENERIC_READ for security checking.
The GENERIC_WRITE for security checking.
The GENERIC_EXECUTE for security checking.
The GENERIC_ALL for security checking.
The access rights enumeration type.
The fake NT type object.
Get a list of all types.
The list of types.
Get a list of all types.
True to get the cached list of types, false to return a live list of all types.
True to include fake types such as WNF or Service
The list of types.
Get a list of all types.
True to get the cached list of types, false to return a live list of all types.
The list of types.
Get the NT type from a path.
The object manager path.
Optional root object.
The NT type. Returns null if not available or unknown.
Converted user process parameters.
Static class to access virtual memory functions of NT.
Query section name,
The process to query from.
The base address to query.
True to throw on error
The result of the query.
Query section name,
The process to query from.
The base address to query.
The result of the query.
Query memory information for a process.
The process to query.
The base address.
True to throw on error.
The memory information for the region.
Thrown on error.
Query memory information for a process.
The process to query.
The base address.
The memory information for the region.
Thrown on error.
Query all memory information regions in process memory.
The list of memory regions.
Thrown on error.
Query a list of mapped files in a process.
The process to query.
The list of mapped images
Thrown on error.
Read memory from a process.
The process to read from.
The base address in the process.
The length to read.
The array of bytes read from the location.
If a read is short then returns fewer bytes than requested.
Thrown on error.
Write memory to a process.
The process to write to.
The base address in the process.
The data to write.
The number of bytes written to the location
Thrown on error.
Read structured memory from a process.
The process to read from.
The base address in the process.
The read structure.
Thrown on error.
Type of structure to read.
Write structured memory to a process.
The process to write to.
The base address in the process.
The data to write.
Thrown on error.
Type of structure to write.
Read structured memory array from a process.
The process to read from.
The base address in the process.
The number of elements in the array to read.
The read structure.
Thrown on error.
Type of structure to read.
Write structured memory array to a process.
The process to write to.
The base address in the process.
The data array to write.
Thrown on error.
Type of structure to write.
Allocate virtual memory in a process.
The process to allocate in.
Optional base address, if 0 will automatically select a base.
The region size to allocate.
The type of allocation.
The allocation protection.
True to throw on error.
The address of the allocated region.
Thrown on error.
Allocate virtual memory in a process.
The process to allocate in.
Optional base address, if 0 will automatically select a base.
The region size to allocate.
The type of allocation.
The allocation protection.
The address of the allocated region.
Thrown on error.
Free virtual emmory in a process.
The process to free in.
Base address of region to free
The size of the region.
The type to free.
Thrown on error.
Free virtual emmory in a process.
The process to free in.
Base address of region to free
The size of the region.
The type to free.
True to throw on error.
Thrown on error.
Change protection on a region of memory.
The process to change memory protection
The base address
The size of the memory region.
The new protection type.
The old protection for the region.
Thrown on error.
Change protection on a region of memory.
The process to change memory protection
The base address
The size of the memory region.
The new protection type.
True to throw on error.
The old protection for the region.
Thrown on error.
Query working set information for an address in a process.
The process to query.
The base address to query.
True to throw on error
The working set information.
Thrown on error.
Query working set information for an address in a process.
The process to query.
The base address to query.
The working set information.
Thrown on error.
Query image information for an address in a process.
The process to query.
The base address to query.
True to throw on error
The image information.
Thrown on error.
Query image information for an address in a process.
The process to query.
The base address to query.
The image information.
Thrown on error.
Determine if two addresses are the same mapped file.
The first address.
The second address.
True to throw on error.
True if the mapped memory is the same file.
Determine if two addresses are the same mapped file.
The first address.
The second address.
True if the mapped memory is the same file.
Flush instruction cache.
The process to flush the cache in.
The address to flush.
The number of bytes to flush/
True to throw on error.
The NT status code.
Flush instruction cache.
The process to flush the cache in.
The address to flush.
The number of bytes to flush/
Native Wait methods.
Wait on a single object to become signaled
The object to wait on
Whether the thread should be alertable
The timeout to wait for
The success status of the wait, such as STATUS_SUCCESS or STATUS_TIMEOUT
Wait on multiple objects to become signaled
The objects to wait on
Whether the thread should be alerable
True to wait for all objects to be signaled
The timeout to wait for
The success status of the wait, such as STATUS_WAIT_OBJECT_0 or STATUS_TIMEOUT
Signal an object then wait for another to become signaled.
The object to signal
The object to wait on.
Whether the thread should be alertable
The timeout to wait for
The success status of the wait, such as STATUS_SUCCESS or STATUS_TIMEOUT
A .NET wait handle to use for interop.
Create a .NET wait handle from an object.
The object to create the wait handle on
Wait asynchronously for the handle to be signaled.
Timeout in milliseconds.
Cancellation token for wait.
A task to wait on. If result is true then event was signaled.
Wait asynchronously for the handle to be signaled.
Timeout in milliseconds.
A task to wait on. If result is true then event was signaled.
Wait asynchronously for the handle to be signaled.
Will wait an infinite time.
A task to wait on.
Class to represent an NT timeout
Get a timeout which will wait indefinitely.
Get a relative timeout in seconds.
The number of seconds to wait.
An instance of the timeout class.
Get a relative timeout in milliseconds.
The number of milliseconds to wait.
An instance of the timeout class.
Get an absolute time out from system start.
The absolute time to wait until.
An instance of the timeout class.
Get a relative time out from the current time.
The relative time to wait in units of 100ns.
An instance of the timeout class.
Create an absolute wait timeout from a datetime.
The time for the timeout to complete.
An instance of the timeout class.
The timeout as a long.
Overridden ToString method.
The timeout as a string.
Well-known IO Control codes.
Convert a control code to a known name.
The control code.
The known name, or an empty string.
Get a list of known control codes.
The list of known control codes.
Get a list of known control codes.
The control code.
Thrown if can't find name.
Structure to represent a Window.
The Window Handle.
Get Process ID for the Window.
Get the Thread ID for the Window.
Get the real owner Process ID of the Window.
Get the class name for the Window.
Send a message to the Window, Unicode.
The message to send.
The WPARAM.
The LPARAM.
The send result.
Send a message to the Window, ANSI.
The message to send.
The WPARAM.
The LPARAM.
The send result.
Post a message to the Window, Unicode.
The message to send.
The WPARAM.
The LPARAM.
True to throw on error.
The send result.
Post a message to the Window, Unicode.
The message to send.
The WPARAM.
The LPARAM.
The send result.
Send a message to the Window, ANSI.
The message to send.
The WPARAM.
The LPARAM.
True to throw on error.
The send result.
Send a message to the Window, ANSI.
The message to send.
The WPARAM.
The LPARAM.
The send result.
Constructor.
Window handle.
Constructor.
Window handle.
Get the NULL window handle.
Get the desktop window.
Get the broadcast window.
Get all Top Level windows.
Enumerate window handles.
Desktop containing the Windows. Optional.
The parent Window. Optional.
True to enumerate child Windows.
Hide immersive Windows.
The thread ID that owns the Window.
True to throw on error.
The enumerated Window Handles.
Enumerate window handles.
Desktop containing the Windows. Optional.
The parent Window. Optional.
True to enumerate child Windows.
Hide immersive Windows.
The thread ID that owns the Window.
The enumerated Window Handles.
Class which represents a window station object.
Open a window station by name.
The object attributes for opening.
Desired access.
True to throw on error.
The instance of the window station
Thrown on error.
Open a window station by name.
The object attributes for opening.
Desired access.
The instance of the window station
Thrown on error.
Open a window station by name.
The name of the window station
Optional root object
The instance of the window station
Thrown on error.
Open a window station by name.
The instance of the window station
Thrown on error.
Create a Window Station by name.
Object attributes for the Window Station.
Desired access for the Window Station.
Path to Keyboard DLL e.g. kbusa.dll.
Locale ID, e.g. 0x4090409.
Language ID e.g. 0x409.
True to throw on error.
The Window Station.
Create a Window Station by name.
Object attributes for the Window Station.
Desired access for the Window Station.
Path to Keyboard DLL e.g. kbusa.dll.
Locale ID, e.g. 0x4090409.
Language ID e.g. 0x409.
The Window Station.
Create a Window Station by name.
The name of the Window Station.
The Window Station.
Get a list of desktops for this Window Station.
Enumerate name of Window Stations in current session.
Get a list of accessible Window Station objects.
The desired access for the Window Stations.
The list of desktops.
Get a list of accessible Window Station objects.
The list of desktops.
Get a list of accessible desktop objects.
The desired access for the desktops.
The list of desktops.
Get a list of accessible desktop objects.
The list of desktops.
Close the Window Stations. This is different from normal Close as it destroys the Window Station.
True to throw on error.
The NT status.
Set the Window Station for the Process.
True to throw on error.
The NT status.
Open the current process Window Station.
True to throw on error.
The instance of the window station
The returned object is no owned by the caller.
Thrown on error.
Open the current process Window Station.
Get the Window Station directory for a session.
The session ID.
The path to the Window Station directory.
Get the Window Station directory for the current session.
The path to the Window Station directory.
NT WNF object.
Get the generic mapping for a
Fake NT type name for WNF.
Create a new WNF state name.
The lifetime of the name.
The scope of the data.
Whether to persist data.
Optional type ID.
Maximum state size.
Mandatory security descriptor.
True to throw on error.
The created object.
Kernel derived key which is used to mask the state name.
Create a new WNF state name.
The lifetime of the name.
The scope of the data.
Whether to persist data.
Optional type ID.
Maximum state size.
Mandatory security descriptor.
The created object.
Open a state name. Doesn't check if it exists.
The statename to open.
True to check state name exists.
True to throw on error.
The created object.
Open a state name. Doesn't check if it exists.
The statename to open.
True to check state name exists.
The created object.
Open a state name. Doesn't check if it exists.
The statename to open.
The created object.
Open a state name. Doesn't check if it exists.
The name to open.
True to check state name exists.
The created object.
Open a state name. Doesn't check if it exists.
The name to open.
The created object.
Get registered notifications.
The list of registered notifications.
Get the state name for this WNF entry.
The state name decoded.
Get the associated lifetime for the state name.
Version of the WNF state name.
Data scope of WNF state name.
Is WNF state name persistent.
Unique identifier of WNF state name,
Get if the state has subscribers.
Get the security descriptor for this object, if known.
Get a name for the WNF notification.
Query state data for the WNF object.
Optional Type ID.
Optional explicit scope.
True to throw on error.
The state data.
Query state data for the WNF object.
Optional Type ID.
Optional explicit scope.
The state data.
Query state data for the WNF object.
The state data.
Update state data for the WNF object.
The data to set.
Optional Type ID.
Optional explicit scope.
Optional matching changestamp.
True to throw on error.
The status from the update.
Update state data for the WNF object.
The data to set.
Delete the state data for the WNF object.
Optional explicit scope.
True to throw on error.
The NT status code.
Delete the state data for the WNF object.
Optional explicit scope.
Delete the state data for the WNF object.
Overridden ToString method.
The string representation.
Get dictionary of well known WNF state names.
This was dumped from perf_nt_c.dll 10.0.18362.1 using https://github.com/ionescu007/wnfun.
Get the state name to name mappings.
Get the name to state name mappings.
Get the name of a state name if known.
The state name.
The name of the state name, or null if unknown.
Flags for OBJECT_ATTRIBUTES
None
Handle is protected from closing.
The handle created can be inherited
Audit handle close.
The object created is marked as permanent
The object must be created exclusively
The object name lookup should be done case insensitive
Open the object if it already exists
Open the object as a link
Create as a kernel handle (not used in user-mode)
Force an access check to occur (not used in user-mode)
Ignore impersonated device map when looking up object
Fail if a reparse is encountered
A class which represents OBJECT_ATTRIBUTES
Constructor. Sets flags to None
Constructor
The name of the object
Attribute flags
Constructor
The name of the object
Attribute flags
A root object to lookup a relative path
Constructor
Attribute flags
Constructor
The name of the object
Constructor
An object ID.
The object attribute flags.
An optional root handle, can be SafeKernelObjectHandle.Null. Will duplicate the handle.
An optional security quality of service.
An optional security descriptor.
Constructor
The object name, can be null.
The object attribute flags.
An optional root handle, can be SafeKernelObjectHandle.Null. Will duplicate the handle.
An optional security quality of service.
An optional security descriptor.
Constructor
The object name, can be null.
The object attribute flags.
An optional root handle, Will duplicate the handle.
An optional security quality of service.
An optional security descriptor.
Create an Object Attributes structure with a raw name. Useful for Object ID handling.
The name of the object in raw bytes.
The object attribute flags.
An optional root handle, Will duplicate the handle.
An optional security quality of service.
An optional security descriptor.
The created object attributes.
Dispose
Object type entry for an access check.
The object level.
The object type GUID.
The name of the object.
Constructor.
Constructor.
The object type GUID.
The object level.
The name of the object type entry.
Constructor.
The object type GUID.
The object level.
Constructor.
The object type GUID.
Overridden ToString method.
The object formatted.
This class allows a function to specify an optional Guid
Optional Guid
Constructor
The GUID to initialize
Constructor
Implicit conversion
The value
This class allows a function to specify an optional uint16.
Optional value
Constructor
The value
Constructor
Implicit conversion
The value
This class allows a function to specify an optional int32.
Optional value
Constructor
The value
Constructor
Implicit conversion
The value
This class allows a function to specify an optional int64.
Optional value
Constructor
The value
Constructor
Implicit conversion
The value
This class allows a function to specify an optional length as a SizeT
Optional length
Constructor
The length value
Constructor
The length value
Constructor
The length value
Implicit conversion
The length value
This class allows a function to specify an optional pointer.
Optional length
Constructor
The value
Constructor
Implicit conversion
The value
Optional value.
Optional value.
Constructor
The value
Constructor
Implicit conversion
The value.
Optional value.
Optional value.
Constructor
The value
Constructor
Implicit conversion
The value.
Optional value.
Optional value.
Constructor
The value
Constructor
Implicit conversion
The value.
Optional value.
Optional value.
Constructor
The value
Constructor
Implicit conversion
The value.
The result of a privilege check.
The list of privileges from the result.
The list of enabled privileges.
True indicates all privileges were held.
A single process module.
The module section.
Mapped base.
Image base.
Image size.
Flags.
Load order index.
Init order index.
Load count.
Full path name.
File name.
Reparse Tag value.
Base class for a reparse buffer.
The reparse tag in the buffer.
Function to initialize this class by parsing the reparse buffer data (not including header).
The length of the data to read.
The stream to read from.
Get reparse buffer data as a byte array (not including header).
The reparse buffer data.
Constructor.
The reparse tag to assign.
Get a reparse buffer from a byte array.
The byte array to parse
The reparse buffer.
Get a reparse buffer from a byte array.
The byte array to parse
True to return an opaque buffer if
the tag isn't known, otherwise try and parse as a generic buffer
The reparse buffer.
Convert reparse buffer to a byte array in REPARSE_DATA_BUFFER format.
The reparse buffer as a byte array.
Convert reparse buffer to a byte array in the REPARSE_DATA_BUFFER_EX format.
Flags for the buffer.
Existing GUID to match against.
Existing tag to matcha against.
The reparse buffer as a byte array.
Get if a reparse tag is a Microsoft defined one.
Get if a reparse tag is a name surrogate.
True if it's a surrogate reparse tag.
Get if a reparse tag is a directory.
Generic GUID reparse buffer.
Constructor.
The reparse tag.
The reparse GUID
Additional reparse data.
Constructor.
The reparse tag.
The reparse GUID
Additional reparse data.
The reparse GUID.
Additional reparse data.
Get reparse buffer data as a byte array (not including header).
The reparse buffer data.
Function to initialize this class by parsing the reparse buffer data (not including header).
The length of the data to read.
The stream to read from.
Reparse buffer with an opaque data blob.
Constructor.
The reparse tag.
The opaque data blob.
The opaque data blob.
Get reparse buffer data as a byte array (not including header).
The reparse buffer data.
Function to initialize this class by parsing the reparse buffer data (not including header).
The length of the data to read.
The stream to read from.
Reparse buffer for an NTFS mount point.
Constructor.
Substitution name to reparse to when accessing mount point.
Printable name for the mount point.
Substitution name to reparse to when accessing mount point.
Printable name for the mount point.
Function to initialize this class by parsing the reparse buffer data (not including header).
The length of the data to read.
The stream to read from.
Get reparse buffer data as a byte array (not including header).
The reparse buffer data.
Symlink flags.
None.
Substitution name is relative to the symlink.
Reparse buffer for an NTFS symlink.
Constructor.
Substitution name to reparse to when accessing symlink.
Printable name for the symlink.
Symlink flags.
Constructor.
Substitution name to reparse to when accessing symlink.
Printable name for the symlink.
Symlink flags.
Create a global symlink rather than a normal symlink.
Substitution name to reparse to when accessing symlink.
Printable name for the symlink.
Symlink flags.
Function to initialize this class by parsing the reparse buffer data (not including header).
The length of the data to read.
The stream to read from.
Get reparse buffer data as a byte array (not including header).
The reparse buffer data.
Application type for execution alias.
Desktop bridge application.
UWP type 1
UWP type 2
UWP type 3
Reparse buffer for an execution alias.
The execution alias version.
The name of the application package.
The entry point in the package.
The target executable.
Application type for the alias.
Flags, obsolete.
Constructor.
The execution alias version.
The name of the application package.
The entry point in the package.
The target executable.
Apptype for the alias.
Get reparse buffer data as a byte array (not including header).
The reparse buffer data.
Function to initialize this class by parsing the reparse buffer data (not including header).
The length of the data to read.
The stream to read from.
Safe buffer for an ALPC data view.
Flags for the data view.
Get the port section handle.
Convert the section view to a message attribute.
The message attribute.
Release the data view handle.
True if successfully released.
Safe buffer to contain an ALPC port message.
Constructor.
The port message header.
The total length of allocated memory excluding the header.
Constructor. Creates a receive buffer with a set length.
The total length of allocated memory excluding the header.
Get a NULL safe buffer.
Detaches the current buffer and allocates a new one.
The detached buffer.
The original buffer will become invalid after this call.
Safe handle for a port section.
Release handle.
True if handle released successfully.
Safe handle for an ALPC security context.
Attribute flags.
Security quality of service.
Get the security context as a message attribute.
The message attribute.
Get whether handle is invalid.
Release handle.
True if handle released successfully.
Revoke the security context attribute.
True to throw on error.
The NT status code.
Revoke the security context attribute.
Safe buffer to contain a list of structures.
The count of elements of the array.
Constructor.
Array of elements.
Additional data to place after the array.
Constructor.
Array of elements.
Get a reference to the additional data.
Get a NULL safe array buffer.
Dispose buffer.
True if disposing.
Safe buffer which acts as a base class for all other SafeBuffer types in the library.
Constructor
Size of the buffer.
An existing pointer to a buffer.
Specify whether safe handle owns the buffer.
Inidicates if the underlying buffer is writable.
Constructor
Size of the buffer.
An existing pointer to a buffer.
Specify whether safe handle owns the buffer.
Length of the allocation.
Length of the allocation as a long.
Get the length as an IntPtr
Convert the safe handle to an array of bytes.
The data contained in the allocaiton.
Read a NUL terminated string for the byte offset.
The byte offset to read from.
The string read from the buffer without the NUL terminator
Read a NUL terminated string
The string read from the buffer without the NUL terminator
Read a NUL terminated ANSI string for the byte offset.
The byte offset to read from.
Text encoding for the string.
The string read from the buffer without the NUL terminator
Read a NUL terminated ANSI string
Text encoding for the string.
The string read from the buffer without the NUL terminator
Read a NUL terminated ANSI string for the byte offset.
The byte offset to read from.
The string read from the buffer without the NUL terminator
Read a NUL terminated ANSI string
The string read from the buffer without the NUL terminator
Read a unicode string from the buffer.
The offset into the buffer to read.
The number of characters to read.
The read unicode string.
Read a unicode string from the buffer.
The number of characters to read.
The read unicode string.
Write a unicode string to the buffer.
The offset into the buffer to write.
The value to write.
Write a unicode string to the buffer.
The value to write.
Read an array of bytes from the buffer.
The offset into the buffer.
The number of bytes to read.
The read bytes.
Read an array of bytes from the buffer.
The number of bytes to read.
The read bytes.
Write an array of bytes to the buffer.
The offset into the buffer.
The bytes to write.
Write an array of bytes to the buffer.
The bytes to write.
Read array from the buffer.
The type to read.
The offset into the buffer.
The number of elements to read.
The read array.
Read an array of complex structures which can contain references. Doing this from a buffer is a dangerous operation.
The buffer type.
The offset into the buffer.
The number of elements.
The array structures.
This doesn't bounds check the buffer size for the array or embedded structures so could easily crash the application.
Zero an entire buffer.
Fill an entire buffer with a specific byte value.
The fill value.
Get a structured buffer object at a specified offset.
The type of structure.
The offset into the buffer.
The structured buffer object.
Get the buffer as a memory stream
Create a view accessor over the full buffer.
The view accessor.
Create a view accessor.
Offset into the buffer
Size of view.
The view accessor.
Create a view accessor.
Offset into the buffer
Size of view.
True to make the view writable. False for read-only
The view accessor.
A safe handle to an allocated global buffer.
Constructor
Size of the buffer to allocate.
Constructor
The length of data to allocate.
The total length to reflect in the Length property.
Constructor
Size of the buffer.
An existing pointer to an existing HGLOBAL allocated buffer.
Specify whether safe handle owns the buffer.
Constructor
Initialization data for the buffer.
Get a buffer which represents NULL.
Resize the SafeBuffer.
Overridden ReleaseHandle method.
True if successfully released the memory.
Detaches the current buffer and allocates a new one.
The detached buffer.
The original buffer will become invalid after this call.
Detaches the current buffer and allocates a new one.
Specify a new length for the detached buffer. Must be <= Length.
The detached buffer.
The original buffer will become invalid after this call.
Non-generic buffer to hold an IO_STATUS_BLOCK.
Constructor.
Get a buffer which represents NULL.
Safe handle which represents a kernel handle.
Constructor.
An existing kernel handle.
True to own the kernel handle.
Overridden ReleaseHandle method.
True if successfully released the handle.
Overridden IsInvalid method.
Get a handle which represents NULL.
Get or set whether the handle is inheritable.
Get or set whether the handle is protected from closing.
Get the NT type name for this handle.
The NT type name.
Overridden ToString method.
The handle as a string.
Class which is allocated from the process heap.
Constructor
Size of the buffer to allocate.
Constructor
Initialization data for the buffer.
Constructor
The length of data to allocate.
The total length to reflect in the Length property.
Constructor
Size of the buffer.
An existing pointer to an existing HGLOBAL allocated buffer.
Specify whether safe handle owns the buffer.
Get a buffer which represents NULL.
Overridden ReleaseHandle method.
True if successfully released the memory.
Detaches the current buffer and allocates a new one.
The detached buffer.
The original buffer will become invalid after this call.
Detaches the current buffer and allocates a new one.
Specify a new length for the detached buffer. Must be <= Length.
The detached buffer.
The original buffer will become invalid after this call.
Safe SID buffer.
This is used to return values from the RTL apis which need to be freed using RtlFreeSid
Safe handle for an in/out structure buffer.
The type of structure as the base of the memory allocation.
Constructor
Structure value to initialize the buffer.
Constructor, initializes buffer with a default structure.
Constructor
Size of the buffer.
An existing pointer to an existing HGLOBAL allocated buffer.
Specify whether safe handle owns the buffer.
Constructor
Additional data to add to structure buffer.
If true additional_size is added to structure size, otherwise reflects the total size.
An existing pointer to an existing HGLOBAL allocated buffer.
Specify whether safe handle owns the buffer.
Constructor, initializes buffer with a default structure.
Additional data to add to structure buffer.
If true additional_size is added to structure size, otherwise reflects the total size.
Constructor
Structure value to initialize the buffer.
Additional data to add to structure buffer.
If true additional_size is added to structure size, otherwise reflects the total size.
Get a buffer which represents NULL.
Overridden ReleaseHandle method.
True if successfully released the memory.
Get or set the result structure in the memory buffer.
Get a reference to the additional data.
Detaches the current buffer and allocates a new one.
The detached buffer.
The original buffer will become invalid after this call.
Detaches the current buffer and allocates a new one.
Specify a new length for the detached buffer. Must be <= Length.
The detached buffer.
The original buffer will become invalid after this call.
Safe buffer for a list of Token groups.
Constructor.
The list of SID and attributes.
The list of allocated SIDs.
NULL safe buffer.
Create a buffer from a list of groups.
The group list.
The safe buffer.
Dispose.
True if disposing.
Safe buffer for token privileges.
Constructor.
List of privileges.
NULL safe buffer.
Security descriptor control flags.
Security descriptor.
Discretionary access control list (can be null)
System access control list (can be null)
Owner (can be null)
Group (can be null)
Get or set Control flags. This is computed based on the current state of the SD.
Revision value
The resource manager control flags.
Get or set an associated NT type for this security descriptor.
Get or set mandatory label. Returns a medium label if it doesn't exist.
Get the process trust label.
Get list of access filters.
Get list of resource attributes.
Get the scoped policy ID.
Get or set the integrity level
Get or set the server security flag.
Get or set the DACL untrusted flag.
Get whether the DACL is present.
Get count of ACEs in DACL.
Get whether the SACL is present.
Get count of ACEs in DACL.
Indicates if the security descriptor was constructed from a self relative format.
Indicates if the SD's DACL is canonical.
Indicates if the SD's SACL is canonical.
Indicates if the SD's DACL is defaulted.
Indicates if the SD's SACL is defaulted.
Indicates if the SD's DACL is auto-inherited.
Indicates if the SD's SACL is auto-inherited.
Indicates if the SD came from a container.
Indicates the SD has audit ACEs present.
Indicates the SD has a mandatory label ACE present.
Indicates the SD has a NULL DACL.
Indicates the SD has a NULL SACL.
Get the access rights enum type for this SD based on the NT Type property.
Get the mandatory label. Returns null if it doesn't exist.
True to include InheritOnly ACEs in the search.
The valid mandatory ACE for this security descriptor. Or null if it doesn't exist.
Get the mandatory label. Returns null if it doesn't exist.
The valid mandatory ACE for this security descriptor. Or null if it doesn't exist.
Convert security descriptor to a byte array
The binary security descriptor
Convert security descriptor to SDDL string
The parts of the security descriptor to return
True to throw on error.
The SDDL string
Convert security descriptor to SDDL string
The parts of the security descriptor to return
The SDDL string
Convert security descriptor to SDDL string
True to throw on error.
The SDDL string
Convert security descriptor to SDDL string
The SDDL string
Converts the security to a base64 string.
True to insert line breaks in the base64.
The relative SD as a base64 string.
Converts the security to a base64 string.
The relative SD as a base64 string.
Convert security descriptor to a safe buffer.
True to return an absolute security descriptor, false for self-relative.
True to throw on error.
A safe buffer for the security descriptor.
Convert security descriptor to a safe buffer.
True to return an absolute security descriptor, false for self-relative.
A safe buffer for the security descriptor.
Convert security descriptor to a safe buffer.
A safe buffer for the security descriptor.
This returns a self-relative security descriptor.
Add an ACE to the DACL, creating the DACL if needed.
The ACE to add to the DACL.
Add an ACE to the SACL, creating the SACL if needed.
The ACE to add to the SACL.
Add an access allowed ACE to the DACL
The access mask
The ACE flags
The SID in SDDL form
Add an access allowed ACE to the DACL
The access mask
The SID in SDDL form
Add an access allowed ACE to the DACL
The access mask
The ACE flags
The SID
Add an access allowed ACE to the DACL
The access mask
The SID
Add an access denied ACE to the DACL
The access mask
The ACE flags
The SID in SDDL form
Add an access denied ACE to the DACL
The access mask
The SID in SDDL form
Add an access denied ACE to the DACL
The access mask
The SID
Add an access denied ACE to the DACL
The access mask
The ACE flags
The SID
Add an audit success ACE to the SACL
The access mask
The SID in SDDL form
Add an audit success ACE to the SACL
The access mask
The SID
Add an access denied ACE to the DACL
The access mask
The SID in SDDL form
Add an audit fail ACE to the SACL
The access mask
The SID
Add mandatory integrity label to SACL
The integrity level
Add mandatory integrity label to SACL
The integrity level
The mandatory label policy
Add mandatory integrity label to SACL
The integrity level
The ACE flags.
The mandatory label policy
Add mandatory integrity label to SACL
The integrity label SID
The ACE flags.
The mandatory label policy
Removes the mandatory label if it exists.
Map all generic access in this security descriptor to the default type specified by NtType.
Map all generic access in this security descriptor to a specific type.
The type to get the generic mapping from.
Map all generic access in this security descriptor to a specific type.
The generic mapping.
Unmap all generic access in this security descriptor to the default type specified by NtType.
Unmap all generic access in this security descriptor to a specific type.
The type to get the generic mapping from.
Unap all generic access in this security descriptor to a specific type.
The generic mapping.
Modifies a security descriptor from a new descriptor.
The security descriptor to update with.
The parts of the security descriptor to update.
Auto inherit flags.
Optional token for the security descriptor.
Generic mapping.
True to throw on error.
The NT status code.
Modifies a security descriptor from a new descriptor.
The security descriptor to update with.
The parts of the security descriptor to update.
Auto inherit flags.
Optional token for the security descriptor.
Generic mapping.
Converts the SD to an Auto-Inherit security descriptor.
The parent security descriptor.
Optional object type GUID.
True if a directory.
Generic mapping for the object.
True to throw on error.
The NT status code.
Converts the SD to an Auto-Inherit security descriptor.
The parent security descriptor.
Optional object type GUID.
True if a directory.
Generic mapping for the object.
Canonicalize the DACL if it exists.
Canonicalize the SACL if it exists.
Standardize security descriptor according to Active Directory rules.
Clone the security descriptor.
The cloned security descriptor.
Overridden ToString method.
The security descriptor as an SDDL string.
Constructor.
Native pointer to security descriptor.
Constructor.
The process containing the security descriptor.
Native pointer to security descriptor.
Constructor
Constructor.
The NT type for the security descriptor.
Constructor
Binary form of security descriptor
Optional NT type for security descriptor.
Constructor
Binary form of security descriptor
Constructor from a token default DACL and ownership values.
The token to use for its default DACL.
Constructor
Base object for security descriptor
Token for determining user rights
True if a directory security descriptor
Constructor from an SDDL string
The SDDL string
Thrown if invalid SDDL
Constructor from an SDDL string
The SDDL string
Optional NT type for security descriptor.
Thrown if invalid SDDL
Parse a security descriptor.
Native pointer to security descriptor.
The NT type for the security descriptor.
True to throw on error.
The parsed Security Descriptor.
Parse a security descriptor.
Native pointer to security descriptor.
True to throw on error.
The parsed Security Descriptor.
Parse a security descriptor.
Safe buffer to security descriptor.
The NT type for the security descriptor.
True if the security descriptor is from a container.
True to throw on error.
The parsed Security Descriptor.
Parse a security descriptor.
Safe buffer to security descriptor.
The NT type for the security descriptor.
True to throw on error.
The parsed Security Descriptor.
Parse a security descriptor.
Safe buffer to security descriptor.
True to throw on error.
The parsed Security Descriptor.
Parse a security descriptor.
Binary form of security descriptor
The NT type for the security descriptor.
True to throw on error.
The parsed Security Descriptor.
Parse a security descriptor.
Binary form of security descriptor
True to throw on error.
The parsed Security Descriptor.
Parse a security descriptor.
The SDDL form of the security descriptor.
The NT type for the security descriptor.
True if the security descriptor is from a container.
True to throw on error.
The parsed Security Descriptor.
Parse a security descriptor.
The SDDL form of the security descriptor.
True to throw on error.
The parsed Security Descriptor.
Parse a security descriptor from a base64 string
The base64 string.
The NT type for the security descriptor.
True to throw on error.
The parsed Security Descriptor.
Parse a security descriptor from a base64 string
The base64 string.
True to throw on error.
The parsed Security Descriptor.
Parse a security descriptor from a base64 string
The base64 string.
The parsed Security Descriptor.
Create a new security descriptor from a parent.
The parent security descriptor. Can be null.
The creator security descriptor.
Optional list of object type GUIDs.
True if the objec to assign is a directory.
Auto inherit flags.
Optional token for the security descriptor.
Generic mapping.
True to throw on error.
The new security descriptor.
Create a new security descriptor from a parent.
The parent security descriptor. Can be null.
The creator security descriptor.
Optional list of object type GUIDs.
True if the objec to assign is a directory.
Auto inherit flags.
Optional token for the security descriptor.
Generic mapping.
The new security descriptor.
Create a new security descriptor from a parent.
The parent security descriptor. Can be null.
The creator security descriptor.
True if the objec to assign is a directory.
Auto inherit flags.
Optional token for the security descriptor.
Generic mapping.
True to throw on error.
The new security descriptor.
Create a new security descriptor from a parent.
The parent security descriptor. Can be null.
The creator security descriptor.
True if the objec to assign is a directory.
Auto inherit flags.
Optional token for the security descriptor.
Generic mapping.
The new security descriptor.
Create a new security descriptor from a parent.
The parent security descriptor. Can be null.
The creator security descriptor.
True if the objec to assign is a directory.
Auto inherit flags.
Optional token for the security descriptor.
Generic mapping.
True to throw on error.
The new security descriptor.
Create a new security descriptor from a parent.
The parent security descriptor. Can be null.
The creator security descriptor.
True if the objec to assign is a directory.
Auto inherit flags.
Optional token for the security descriptor.
Generic mapping.
The new security descriptor.
A security descriptor SID which maintains defaulted state.
The SID.
Indicates whether the SID was defaulted or not.
Constructor from existing SID.
The SID.
Whether the SID was defaulted or not.
Convert to a string.
The string form of the SID
Clone the security descriptor SID.
The cloned SID.
The type of the security attribute name.
Class to represent an attribute name operand.
The type of attribute.
The name of the attribute.
Constructor.
The type of the attribute.
The name of the attribute.
Overridden ToString method.
The object as a string.
Class to represent a composite conditional operand.
List of operands.
Constructor.
Overridden ToString method.
The object as a string.
Class to represent a conditional expression.
Serialize the expression to a byte array.
The expression as a byte array.
Overridden ToString method.
The object as a string.
Parse a binary conditional expression.
The data to parse.
True to throw on error.
The parsed conditional expression.
Parse a binary conditional expression.
The data to parse.
The parsed conditional expression.
Parse an SDDL conditional expression.
The SDDL expression to parse.
True to throw on error.
The parsed conditional expression.
Parse an SDDL conditional expression.
The SDDL expression to parse.
The parsed conditional expression.
Get list of the conditional operands.
Size of conditional integer operand.
Sign of conditional integer operand.
Base of conditional integer operand.
Class to represent a conditional integer operand.
Size of the integer.
Value of the integer.
Sign of the integer.
Base of the integer.
Constructor.
Overridden ToString method.
The object as a string.
Class to represent an octet string conditional operand.
The value of the operand.
Constructor.
The value of the operand.
Overridden ToString method.
The object as a string.
Abstract class to represent a conditional expression operand.
Conditional operator type.
Class to represent a conditional operator operand.
The type of operator.
Constructor.
The type of operator.
Overridden ToString method.
The object as a string.
Class to represent a SID conditional operand.
The SID value.
Constructor.
The SID value.
Overridden ToString method.
The object as a string.
Class to represent a string conditional operand.
The string value.
Constructor.
The string value.
Overridden ToString method.
The object as a string.
Interface for an NT object to query and set a security descriptor.
Get the name of the object.
Get the NtType for this object.
The NtType for the object.
Get the object's security descriptor.
Get whether the object is a container.
Check if access is granted to a set of rights
The access rights to check
True if all the access rights are granted
Set the object's security descriptor
The security descriptor to set.
What parts of the security descriptor to set
Set the object's security descriptor
The security descriptor to set.
What parts of the security descriptor to set
True to throw on error.
The NT status code.
Get the security descriptor specifying which parts to retrieve
What parts of the security descriptor to retrieve
The security descriptor
Get the security descriptor specifying which parts to retrieve
What parts of the security descriptor to retrieve
True to throw on error.
The security descriptor
Class representing a Central Access Policy.
The CAP SID.
CAP Flags.
Name of the CAP.
Description of the CAP.
Change ID. Normally a date time when changed.
The list of rules associated with this policy.
Parse the policy from the registry.
The base key for the registry policy.
True to throw on error.
The list of Central Access Policies.
Parse the policy from the registry.
True to throw on error.
The list of Central Access Policies.
Parse the policy from the registry.
The list of Central Access Policies.
Parse the policy from the Local Security Authority.
True to throw on error.
The list of Central Access Policies.
Parse the policy from the Local Security Authority.
The list of Central Access Policies.
Class representing a Central Access Rule.
CAP Rule Flags.
Name of the CAP Rule.
Description of the CAP Rule.
Change ID. Normally a date time when changed.
Conditional Expression to determine who to applie the rule to.
The CAP Rule security descriptor.
The CAP Rule staged security descriptor.
Class to represent a Security Identifier.
Maximum size of a SID buffer.
The SIDs authority.
List of the SIDs sub authorities.
Get the account name of the SID or the SDDL form if no corresponding name.
Constructor for authority and sub authorities.
The identifier authority.
The sub authorities.
Constructor for authority and sub authorities.
The identifier authority.
The sub authorities.
Constructor from an unmanged buffer.
A pointer to a buffer containing a valid SID.
Thrown if the buffer is not valid.
Constructor from an unmanged buffer.
A safe buffer containing a valid SID.
Thrown if the buffer is not valid.
Constructor from a safe SID handle.
A safe SID handle containing a valid SID.
Thrown if the buffer is not valid.
Constructor from an manged buffer.
A buffer containing a valid SID.
Thrown if the buffer is not valid.
Constructor from existing Sid.
The existing Sid.
Constructor from an SDDL string.
The SID in SDDL format.
new Sid("S-1-0-0");
new Sid("WD");
Constructor from a SID name.
The SID name.
Construct a SID from a binary reader.
The binary reader.
Convert the SID to a safe buffer.
The safe buffer containing the SID.
Convert to a managed byte array.
The managed byte array.
Compares two sids to see if their prefixes are the same. The sids must have the same number of subauthorities.
The sid to compare against
True if the sids share a prefix.
Compare two Sids.
The other Sid to compare.
True if the Sids are equal.
Equality operator.
Sid 1
Sid 2
True if the Sids are equal.
Inequality operator.
Sid 1
Sid 2
True if the Sids are not equal.
Get hash code.
The hash code.
Convert to an SDDL format string.
The SDDL format string (e.g. S-1-1-0)
Does this SID dominate another.
The other SID.
True to throw on error.
True if the sid dominates.
Does this SID dominate another.
The other SID.
True if the sid dominates.
Does this SID dominate another for trust.
The other SID.
True to throw on error.
True if the sid dominates.
Does this SID dominate another for trust.
The other SID.
True if the sid dominates.
Checks if the SID starts with the specified SID.
The specified SID to check against.
True if the current SID starts with the specified SID.
Create a SID relative to this one.
The list of RIDs.
The relative SID.
Create a SID sibling to this SID.
The RIDs to replace the final RID with.
The sibling SID.
This replaces the final RID with one or more addditional RIDs.
Get the SID name for this SID.
True to bypass the SID name cache.
The SID name.
Get the SID name for this SID.
The SID name.
Convert an SDDL SID string to a Sid
The SDDL SID string
True to throw on error.
The converted Sid
Thrown if cannot convert from a SDDL string.
Convert an SDDL SID string to a Sid
The SDDL SID string
The converted Sid
Thrown if cannot convert from a SDDL string.
Parse a byte array.
The byte array to parse.
True to throw on error.
The parsed SID.
Parse a byte array.
The pointer to parse.
True to throw on error.
The parsed SID.
Predefined security authorities
Represents an identifier authority for a SID.
Get a reference to the identifier authority. This can be used to modify the value
Constructor.
Construct from an existing authority array.
The authority, must be 6 bytes in length.
Thrown if authority is not the correct length.
Constructor from a simple predefined authority.
The predefined authority.
Construct from an Int64.
The authority as an Int64.
Compares authority to another.
The other authority to compare against.
True if authority is equal.
Get hash code.
The authority hash code.
Determines if this is a specific security authority.
The security authority.
True if the security authority.
Convert authority to a 64 bit integer.
The authority as a 64 bit integer.
Overridden ToString method.
The security authority as a string.
Source for a SID name.
SDDL string.
LSASS lookup.
Named capability.
Package name SID.
From a process trust level.
Well known SID.
Scoped policy SID.
Manually added name.
Represents a name for a SID.
The qualified name of the SID. Either the combination of
Domain and Name or the SDDL SID.
The domain name, if present.
The user name.
The source of name.
The use of the name.
The SDDL format of the SID.
Used for caching. Indicates the lookup name was denied rather than not available.
Disposable class to scope an impersonation context.
Revert impersonation back to the current user.
Class to represent the state of a token privilege
Privilege attributes
Privilege LUID
Get the token privilege value enum.
Get the name of the privilege
The privilege name
Get the display name/description of the privilege
The display name
Get whether privilege is enabled
Get whether privilege is enabled
Constructor
The privilege LUID
The privilege attributes
Constructor
The privilege value
The privilege attributes
Constructor
The privilege name.
The privilege attributes
Constructor
The privilege name.
Conver to a string
The privilege name.
Standard UNICODE_STRING class
Standard UNICODE_STRING class based on a SecureString class.
Structure to use when passing in a unicode string as a sub-structure with a seure string.
Standard ANSI_STRING class
This class is used when the UNICODE_STRING is an output parameter.
The allocatation of the buffer is handled elsewhere.
Convert unicode string to an array.
The unicode string data as an array.
This class is used when the UNICODE_STRING is an output parameter.
The allocatation of the buffer is handled elsewhere.
Structure to use when passing in a unicode string as a sub-structure.
This class is used when the UNICODE_STRING needs to be preallocated
and then returned back from a caller.
Implements a UnicodeString which contains raw bytes.
Constructor.
The bytes for the name.
Get a null safe buffer.
Class to represent a user group
The SID of the user group
The attributes of the user group
Get whether the user group is enabled
Get whether the user group is mandatory
Get whether the user group is used for deny only
Get the resolved name of the SID.
Constructor
The SID
The attributes
Constructor from a SID.
The SID
Constructor from a SID or account name.
The SID or account name.
Convert to a string
The account name if available or the SDDL SID
Basic utilities for ASN1 support.
Format an array of ASN.1 DER to a string.
The ASN.1 data in DER format.
Initial identation depth.
The formatted DER data.
Format an file containing of ASN.1 DER to a string.
The path to the file containing ASN.1 data in DER format.
Initial identation depth.
The formatted DER data.
Class to do basic ASN1 DER generation.
Constructor.
The stream to write the DER data to.
Constructor.
Write an object ID.
The object ID to write.
Write raw bytes to the stream.
The bytes to write.
Write an octet-string to the stream.
The octet string.
Write a NULL value.
Write a 32-bit integer.
The integer value.
Write a 64-bit integer.
The integer value.
Write an arbitrary integer.
The integer value.
Write a sequence based on the contents of another DER builder.
The builder for the contents.
Write a sequence based on the contents of another DER builder.
The build function for the contents.
Write a sequence based on the contents of another DER builder.
Write a sequence of fixed values.
The build function for the contents.
Create a sequence builder.
The created builder.
You should call Close or dispose on the created builder to write the tag.
Write an application specific tag with contents from the builder.
The ID of the application specific tag.
The builder for the contents.
Write an application specific tag with contents from the builder.
The ID of the application specific tag.
The build function for the contents.
Create an application specific builder.
The ID of the application specific tag.
The created builder.
You should call Close or dispose on the created builder to write the tag.
Write a context specific tag with specified contents.
The ID of the context specific tag.
The contents of the context specific value.
Write a context specific tag with contents from the builder.
The ID of the context specific tag.
The builder for the contents.
Write an application specific tag with contents from the builder.
The ID of the context specific tag.
The build function for the contents.
Create a context specific builder.
The ID of the context specific tag.
The created builder.
You should call Close or dispose on the created builder to write the tag.
Write a general encoded string.
The string
The encoding to covert to.
Write a general encoded string using ASCII encoding.
The string
Write a UTF8 string.
The UTF8 string
Write an IA5 string.
The IA5 string
Write a generalized time.
The time to write.
Convert builder to a byte array.
The DER encoded data.
A DER builder for a sub-structure..
You should call Close or dispose the builder to write the sub-structure.
Close the builder and write its contents to the parent builder.
Static class for DER builder utility functions.
A basic ASN.1 DER parser to process Kerberos and SPNEGO Tokens.
Class containing known OID values.
Class to implement a scoped file lock.
Lock part of a file.
The file to lock.
The offset into the file to lock
The number of bytes to lock
True to fail immediately if the lock can't be taken
True to do an exclusive lock
True to throw on error.
The NT status code.
Lock part of a file.
The file to lock.
The offset into the file to lock
The number of bytes to lock
True to fail immediately if the lock can't be taken
True to do an exclusive lock
The NT status code.
Unlock the file.
IMemoryReader implementation for a process.
Class to compress and decompress buffers using RtlCompressionBuffer.
Decompress a buffer.
The compression format used.
The compressed buffer.
The expected uncompressed length.
True to throw on error.
The uncompressed buffer.
Decompress a buffer.
The compression format used.
The compressed buffer.
The expected uncompressed length.
The uncompressed buffer.
IMemoryReader implementation for a process.
Class which calls a delegate on dispose.
Constructor.
The delegate to call on dispose.
Dispose and call the action.
A container which can detach an innner reference.
Get the contained value.
Detach the object so the original isn't disposed.
Detached object.
Miscellaneous utilities.
Convert a disposable object to a detachable object.
The disposable object type.
The disposable object.
The disposable container.
Utilities for reflection.
Get the SDK name for a type, if available.
The type to get the name for.
The SDK name. Returns the name of the type if not available.
Get the SDK name for an enum, if available.
The enum to get the name for.
The SDK name. If the enum is a flags enum then will return the names joined with commas.
Get the SDK name an object.
The object to get the name from. If this isn't an Enum or Type then the Type of the object is used.
The SDK name.
Class to create a view. This never owns the handle.
Detaches the current handle and allocates a new one.
The detached buffer.
The original buffer will become invalid after this call.
A buffer which contains an array of GUID pointers.
The count of GUIDs.
Constructor.
The list of GUIDs.
Get NULL safe buffer.
Basic implementation of ARC4.
Encrypt, or decrypt an ARC4 stream.
The data to encrypt/decrypt.
Offset into the data to decrypt.
Length of data to decrypt.
The key to decrypt.
The resulting bytes.
Encrypt, or decrypt an ARC4 stream.
The data to encrypt/decrypt.
The key to decrypt.
The resulting bytes.
Basic implementation of MD4.
This could have called out to the CNG APIs or dug into the
internals of the existing .NET crypto APIs but as MD4 is so
simple and it doesn't need to be secure (seriously don't use
this). This uses the reference implementation from RFC1320.
Calculate the MD4 hash of an input.
The input bytes.
The MD4 hash.
Calculate the MD4 hash of a string.
The input string.
Encoding for the string.
The MD4 hash.
Calculate the MD4 hash of a unicode string.
The input string.
The MD4 hash.
Class to perform the n-fold operation for Kerberos key derivation.
Perform an n-fold operation.
The input data as a string.
The output length in bytes.
The computed n-folded byte array.
Perform an n-fold operation.
The input data.
The output length in bytes.
The computed n-folded byte array.
A tree of Object Types.
Constructor.
Entries to setup in the tree.
Contructor.
The object type GUID.
The name of the root object.
Contructor.
The object type GUID.
Contructor.
The object type GUID as a string.
List of child nodes in the tree.
The parent of this tree.
The Object Type GUID.
Optional access mask for use in access checking.
Optional label for this tree entry.
Indicates the number of total entries this tree contains.
Add a new object type to the tree.
The object type.
The name of the node.
The added tree object.
Add a new object type to the tree.
The object type.
The added tree object.
Add an existing node to the tree.
The node to add.
Add an existing list of nodes to the tree.
The nodes to add.
Removes all object types from the tree.
The object type.
The removed tree object.
Removes all object types from the tree.
The object type.
The removed tree object.
Remove the current tree entry from the parent.
Convert the tree to an array.
The array of ObjectTypeEntry objects.
Clone the object type tree.
The cloned tree.
Set the access mask of this tree node and all children.
The mask to set.
Remove access mask from this tree node and children and propgate that up the tree.
The mask to remove.
Find an object type tree entry based on a GUID.
The object type GUID.
The first entry found, null if doesn't exist.
Split the tree up to reduce the maximum number of entries.
This will try and keep whole branches together if at all possible,
but might split them up. This could result in incorrect access checking.
The maximum number of entries per tree.
One or more split trees.
Overridden ToString method.
The object formatted.
Encoding object which converts 1 to 1 with bytes.
Default instance of the encoding.
Get the encoding name.
Get byte count for characters.
The character array.
Index into the array.
Number of characters in the array to use.
The number of bytes this character array requires.
Get bytes for characters.
The character array.
Index into the array.
Number of characters in the array to use.
The index into the byte array.
The byte array to copy into.
The number of bytes generated.
Get the character count for bytes.
The byte array.
Index into the array.
Number of bytes in the array to use.
The number of characters this byte array requires.
Get byte count for characters.
The character array.
Index into the array.
Number of bytes in the array to use.
The index into the byte array.
The byte array to copy into.
The number of characters generated.
Get maximum bytes for a number of characters.
Get maximum characters for a number of bytes.
Indicates if the encoding is a single byte.
A single extract string instance.
The string value.
The offset in the buffer.
True if the string was 16-bit Unicode.
Source of the string. Empty if was from a byte array.
Overridden ToString method.
The value of the extracted string.
Specify types of strings to extract.
Extract ASCII strings.
Extract Unicode strings.
Class to build a hex dump from a stream of bytes.
Append an array of bytes to the hex dump.
The byte array.
The length of the bytes to append from the array.
The start offset in the bytes to append.
Append an array of bytes to the hex dump.
The byte array.
Append a file or part of a file.
The path to the file.
The length of the file to append. If 0 will append all remaining data.
The start offset in the file to append.
Append a file or part of a file.
The path to the file.
Complete the hex dump string.
Finish builder and convert to a string.
The hex dump.
Constructor.
Print a header.
Print the address.
Print the ASCII text.
Hide repeating lines.
Offset for address printing.
Constructor.
The safe buffer to print.
The length to display.
The offset into the buffer to display.
Print a header.
Print the address.
Print the ASCII text.
Hide repeating lines.
Constructor.
The safe buffer to print.
Print a header.
Print the address.
Print the ASCII text.
Hide repeating lines.
Constructor.
The stream to print.
Print a header.
Print the address.
Print the ASCII text.
Hide repeating lines.
Offset for address printing.
Constructor.
Parse a hex dump into a byte array.
The hex string. Can contain non-hex characters.
The parsed string as a byte array.
This won't necessarily parse correctly an arbitary hex dump, but it will if you just use the hex of the bytes.
Parse a hex string into a byte array.
The hex string. Can contain non-hex characters.
The parsed string as a byte array.
True if the parse was successful.
This won't necessarily parse correctly an arbitary hex dump, but it will if you just use the hex of the bytes.
Utility class to extract strings from a byte value.
Extracts strings from a binary buffer.
The data to search.
The length of the data to search.
The minimum string length.
The offset into the data to search.
The type of strings to search for.
The list of extracted strings.
Extracts strings from a binary buffer.
The data to search.
The minimum string length.
The type of strings to search for.
The list of extracted strings.
Extracts strings from a stream.
The stream to extract strings from.
The minimum string length.
The type of strings to search for.
The list of extracted strings.
Extracts strings from a file.
The file to search.
The minimum string length.
The type of strings to search for.
The list of extracted strings.
Extracts strings from a safe buffer.
Safe buffer to extract the value from.
The minimum string length.
The type of strings to search for.
The list of extracted strings.
Extracts strings from a safe buffer.
Safe buffer to extract the value from.
The minimum string length.
The type of strings to search for.
The length of the data to search.
The offset into the data to search.
The list of extracted strings.
Class to call NT functions for manipulating strings.
Upper case a character according to the internal NTDLL string routines.
The character to upper case.
The upper case character.
Upper case a string according to the internal NTDLL string routines.
The string to upper case.
True to throw on error.
The upper case string.
Upper case a string according to the internal NTDLL string routines.
The string to upper case.
The upper case string.
Lower case a character according to the internal NTDLL string routines.
The character to lower case.
The lower case character.
Lower case a string according to the internal NTDLL string routines.
The string to lower case.
True to throw on error.
The lower case string.
Lower case a string according to the internal NTDLL string routines.
The string to lower case.
The lower case string.
Builder for a claim security attribute.
Name of the security attribute.
Attribute flags.
The value type.
The current list of values.
Convert build to a claim attribute.
Create a claim security attribute builder.
The name of the security attribute.
The attribute flags.
The value for the attribute.
The builder instance.
Create a claim security attribute builder.
The name of the security attribute.
The attribute flags.
The value for the attribute.
The builder instance.
Create a claim security attribute builder.
The name of the security attribute.
The attribute flags.
The value for the attribute.
The builder instance.
Create a claim security attribute builder.
The name of the security attribute.
The attribute flags.
The value for the attribute.
The builder instance.
Create a claim security attribute builder.
The name of the security attribute.
The attribute flags.
The value for the attribute.
The builder instance.
Create a claim security attribute builder.
The name of the security attribute.
The attribute flags.
The value for the attribute.
The builder instance.
Create a claim security attribute builder.
The name of the security attribute.
The attribute flags.
The value for the attribute.
The builder instance.
Create a claim security attribute builder.
An existing attribute to clone.
The builder instance.
A class which represents an AppContainer profile.
Create a new AppContainerProfile.
The name of the AppContainer.
A display name.
An optional description.
An optional list of capability SIDs.
True to throw on error.
The created AppContainer profile.
If the profile already exists then it'll be opened instead.
Create a new AppContainerProfile.
The name of the AppContainer.
A display name.
An optional description.
An optional list of capability SIDs.
The created AppContainer profile.
If the profile already exists then it'll be opened instead.
Create a temporary AppContainer profile.
List of capabilities for the AppContainer profile.
The created AppContainer profile.
The profile will be marked to DeleteOnClose. In order to not leak the profile you
should wait till the process has exited and dispose this profile.
Create a temporary AppContainer profile.
The created AppContainer profile.
The profile will be marked to DeleteOnClose. In order to not leak the profile you
should wait till the process has exited and dispose this profile.
Opens an AppContainerProfile.
The name of the AppContainer.
True to throw no error.
The opened AppContainer profile.
This method doesn't check the profile exists.
Opens an AppContainerProfile.
The name of the AppContainer.
The opened AppContainer profile.
This method doesn't check the profile exists.
Opens an AppContainerProfile and checks it exists.
The name of the AppContainer.
True to throw no error.
The opened AppContainer profile.
This checks for the existence of the profile and also populates the additional information.
Opens an AppContainerProfile and checks it exists.
The name of the AppContainer.
The opened AppContainer profile.
This checks for the existence of the profile and also populates the additional information.
Delete an existing profile.
The AppContainer name.
True to throw on error.
The HRESULT from the delete operation.
Delete an existing profile.
The AppContainer name.
Enumerate all AppContainer profiles.
True to throw on error.
The list of appcontainer profiles.
Enumerate all AppContainer profiles.
The list of appcontainer profiles.
Delete an existing profile.
True to throw on error.
The HRESULT from the delete operation.
Delete an existing profile.
Dispose of the AppContainer profile. If DeleteOnClose is set then the profile will be deleted.
Close an AppContainer profile. If DeleteOnClose is set then the profile will be deleted.
Open the AppContainer key.
The desired access for the key.
True to throw on error.
The opened key.
The AppContainer name.
The package SID
Path to the AppContainer profile directory.
Path to the AppContainer key.
Set to true to delete the profile when closed.
Get list of capabilities assigned to this AppContainer profile.
The display name for the AppContainer profile.
The description for the AppContainer profile.
Utilities for AppModel applications.
Activate an application from its Application Model ID.
The app model ID.
Arguments for the activation.
True to throw on error.
The PID of the process.
Activate an application from its Application Model ID.
The app model ID.
Arguments for the activation.
The PID of the process.
Get the list of package SIDs with a loopback exception.
True to throw on error.
The list of package SIDs with a loopback exception.
Get the list of package SIDs with a loopback exception.
The list of package SIDs with a loopback exception.
Add a loopback exception to the list.
The package SID to add.
True to throw on error.
The NT status code.
Add a loopback exception to the list.
The package SID to add.
Remove a loopback exception from the list.
The package SID to remove.
True to throw on error.
The NT status code.
Remove a loopback exception to the list.
The package SID to remove.
State of the console session.
User logged on to WinStation
WinStation connected to client
In the process of connecting to client
Shadowing another WinStation
WinStation logged on without client
Waiting for client to connect
WinStation is listening for connection
WinStation is being reset
WinStation is down due to error
WinStation in initialization
Class to represent a console session.
The session ID.
The Session Name.
The Username if any user authenticated.
The Domain Name for the User.
The Console Session State.
The hostname for the client.
The Farm name for Virtual Machine Farm.
Get the FQ User Name.
Type information for an array.
Get array element type.
Get number of array elements.
Type information for a base type.
Symbol information for a data value.
Address of the symbol.
Enumerated type value.
Name of the value.
The value as an int64.
Symbol information for an enumerated type.
Get the values for the enumerated type.
Class for a function parameter.
Name of the parameter.
Type of the parameter.
Type information for a function.
Type for the return type.
List of function parameters.
Interface for symbol type resolver.
Query types in a module.
The base address of the module.
The list of types.
Query names of types in a module.
The base address of the module.
The list of type names.
Get a type by name.
The base address of the module containing the type.
The name of the type.
Query types by name
The base address of the module containing the type.
A mask string for the type name. e.g. mod!ABC*
The list of types.
Get the address of a symbol.
The name of the symbol, should include the module name, e.g. modulename!MySymbol.
The symbol type.
Get the address of a symbol.
The address of the symbol.
The symbol type.
Type information for a pointer value.
Get the type this pointer references.
Indicates this pointer is a reference.
The name of the symbol.
Class to represent a symbol information.
The name of the symbol.
Size of the symbol.
Get the loaded module for the symbol.
Type of the symbol.
Internal type index.
Overridden ToString method.
Returns the symbol name.
Enumeration for symbol type information.
None.
UDT.
Enumerated type.
A base type.
A function type.
A pointer type.
Undefined.
Flags for the symbol resolver.
No flags.
Trace symbol file loading
Disable resolving export symbols if no PDB can be found.
Enable a symbol server fallback. If the copy of dbghelp doesn't have a symsrv.dll
then download from a public symbol URL to a local cache directory during symbol
resolving.
Symbol information for a type.
Represents a member of a UDT.
The type of the member.
The name of the member.
The offset into the UDT.
The size of the member.
Represents a bit field member of a UDT.
If a bit field then this is the bit start position.
If a bit field this is the bit length.
Symbol information for an enumerated type.
The members of the UDT.
Indicates the UDT is a union.
Class to capture Win32 debug output.
Create an instance of the Win32 debug console.
The session ID for the console. Set to 0 to capture global output.
True to throw on error.
The Win32 debug console.
Create an instance of the Win32 debug console.
The session ID for the console. Set to 0 to capture global output.
The Win32 debug console.
Create an instance of the Win32 debug console for current session.
True to throw on error.
The Win32 debug console.
Create an instance of the Win32 debug console for current session.
The Win32 debug console.
Create an instance of the Win32 debug console for the global session.
True to throw on error.
The Win32 debug console.
Create an instance of the Win32 debug console for the global session.
The Win32 debug console.
Read a debug string from for the console asynchronously.
The timeout in milliseconds.
Cancellation token.
The Win32 debug string. If timed out then Output property is null.
Read a debug string from for the console asynchronously.
The timeout in milliseconds.
The Win32 debug string. If timed out then Output property is null.
Read a debug string from for the console asynchronously.
The Win32 debug string. If timed out then Output property is null.
Read a debug string from for the console.
The timeout in milliseconds.
The Win32 debug string. If timed out then Output property is null.
Read a debug string from for the console.
The Win32 debug string. If timed out then Output property is null.
Attach the debug console to another session.
The session ID.
True to throw on error.
The NT status code.
Attach the debug console to another session.
The session ID.
Dispose debug console.
Structure for a debug string event.
The process ID.
The output string.
Class to hold known bus type GUIDs.
Class to represent a device interface.
The name of the interface class.
The device interface GUID.
The list of device interface instances.
The list of all device interface properties.
The device interface properties.
Class containing well known device interface class GUIDs.
Convert interface class GUID to a string.
The name of the interface class GUID.
Get the list of known interface GUIDs.
The list of known interface guids.
Class to represent a device interface instance.
The instance path to the device.
The raw device path.
The device interface class GUID.
The device instance ID for the device node.
Overridden ToString method.
The Win32Path.
The list of all device interface instance properties.
The device interface instance properties.
Device property types.
Class representing a device node.
The name of the device instance.
The device setup class GUID.
The device instance ID.
Get the device PDO name.
Get the device INF name.
Get the device INF path.
Get the device stack.
The the device stack as a list of driver paths.
Indicates if this is a per-session device. If null then not defined.
Indicates if this instance is present.
Indicates the name of the SCM service for the driver.
Get path to the driver.
Get driver start type.
Get the parent device node.
The parent device node. Returns null if reached the root.
List of upper filters.
List of lower filters.
Container ID.
Type of bus for the device.
Get if the device is a user-mode device.
The list of all device properties.
The device properties.
Get the setup class for this instance.
Returns the setup class.
Thrown if invalid setup GUID.
Get list of parent nodes.
The list of parent nodes.
Overridden ToString method.
Optional security descriptor for device node.
Indicates the device node has a security descriptor.
Device property.
The name of the property, if known.
The FMTID Guid.
The PID.
The device property type.
Property data.
Format the data according to type.
The formatted data.
ToString method.
The property as a string.
Class to represent a device setup class.
The friendly name of the device.
The name of the device class.
The device class installer Guid.
The security descriptor for the device (if available).
Indicates the device setup class has a security descriptor.
The device type.
The device characteristics.
List of upper filters.
List of lower filters.
The list of all device setup properties.
The device setup properties.
Get device instances.
Return all devices.
The list of devices instances.
Get device instances.
The list of devices instances.
Enumerated type for device stack type.
Unknown type.
Entry is for the function driver.
Entry is for the bus driver.
Entry is for an upper filter.
Entry is for the lower filter.
Entry is for a filter.
Class to represent an entry on the stack.
Name of the driver.
Path to the driver.
Stack entry type.
Overridden ToString method.
The name of the driver in the stack.
Class to represent a node in a device tree.
List of child nodes.
Indicates if the node has any children.
Get the parent device node.
The parent device node. Returns null if reached the root.
Utilities for interacting with Device, Configuration and Setup APIs.
Get a list of device interfaces from an Interface GUID.
The interface class GUID for the device.
Optional device ID.
True to get all devices, otherwise just present devices.
List of device interfaces.
Get a list of present device interfaces from an Inteface GUID.
The interface class GUID for the device.
List of device interfaces.
Enumerate installer class GUIDs.
The list of installer class GUIDs.
Enumerate interface class GUIDs.
The list of interface class GUIDs.
Query the security descriptor for a device.
The installer device class.
True to throw on error.
The security descriptor.
Query the security descriptor for a device.
The installer device class.
The security descriptor.
Get list of registered device setup classes.
The list of device setup classes.
Get a device setup class by GUID.
The class GUID.
The device setup class.
Get list of registered device interfaces.
True to return all devices.
The list of device interfaces.
Get list of registered device interfaces.
The list of device interfaces.
Get a device interface class by GUID.
The class GUID.
True to return all devices.
The device interface class.
Get a device interface class by GUID.
The class GUID.
The device interface class.
Get list of device nodes.
Return all devices including ones which aren't present.
The list of device nodes.
Get list of present device nodes.
The list of device entries.
Get list of device entries.
Specify the Device Setup Class GUID.
Only return present devices.
The list of device entries.
Get list of present device entries.
Specify the Device Setup Class GUID.
The list of device entries.
Get the device node from a device ID.
The instance ID to lookup..
The device node.
Get device tree.
The device tree's root node.
Get the node from a device instance ID.
The instance ID to start from.
The root device node.
Get all device interface instances.
Get all device interface instances for a given interface class GUID.
Get an interface instance from the interface instance path.
The path to the interface symbolic link. e.g. \??\SOME$VALUE.
Interface to indicate the device object has properties.
The list of all device properties.
The device properties.
Access rights for Active Directory Services.
Class to represent a binding to a directory service.
Crack one or more names on the domain controller.
Flags for the cracking.
Format of the names.
Desired format of the names.
The list of names to crack.
True to throw on error.
The cracked names.
Crack one or more names on the domain controller.
Flags for the cracking.
Format of the names.
Desired format of the names.
The list of names to crack.
The cracked names.
Crack a name on the domain controller.
Flags for the cracking.
Format of the name.
Desired format of the name.
The name to crack.
True to throw on error.
The cracked name.
Crack a name on the domain controller.
Flags for the cracking.
Format of the name.
Desired format of the name.
The name to crack.
The cracked name.
Get naming contexts for domain.
True to throw on error.
The naming contexts.
Get naming contexts for domain.
The naming contexts.
Bind to a directory service.
The name of the domain controller. Can be null.
The DNS domain name.
True to throw on error.
The directory service binding.
Bind to a directory service.
The name of the domain controller. Can be null.
The DNS domain name.
The directory service binding.
Bind to the current directory service.
The directory service binding.
Dispose the binding.
Class to represent an directory service extended right queries from the current domain.
The common name of the extended right.
The distinguished name for the extended right.
The domain name searched for this extended right.
The rights GUID for this extended right.
The list of applies to GUIDs.
The valid accesses for this extended right.
Get list of properties if a property set.
True if this a property set extended right.
True if this is a validated write extended right.
True if this is a control extended right.
Overridden ToString method.
The name of the extended right.
Convert the extended right to an object type tree.
The tree of object types.
Convert the extended right to an object type tree.
The extended right to convert.
The tree of object types.
Flags and settings from the dSHeuristics attribute.
The fSupFirstLastANR flag.
The fSupLastFirstANR flag.
The fDoListObject flag.
The fLDAPBlockAnonOps flag.
The fAllowAnonNSPI flag.
The fDontStandardizeSDs flag.
The raw value for the dsHeuristics attribute.
The domain where the value was read.
Directory services name error.
Directory services name flags.
Directory services name format.
Structure to represent a directory service name.
Status of the name.
Domain of the name.
Name of the name.
Native methods for directory services.
Object type level for a directory object.
Object type.
Property set type.
Property type.
Class to represent an a class which is referenced from another. For example auxiliary or superior classes.
The name of the class.
Whether the class is a system class.
Get the full schema class for this reference.
The schema class.
Class to represent a directory service schema attribute.
The attributes syntax.
The OM syntax.
The OM object class.
The name of the attribute syntax type if known.
The GUID of the containing property set, if it exists.
Indicates if the attribute is in a property set.
Class to represent a directory service schema class.
The subclass schema name.
List of attributes the class can contain.
The default security descriptor.
The default security descriptor in SDDL format.
The list of auxiliary classes for this class.
The category of schema class.
The list of possible superior classes for this class.
Possible inferiors of the class.
Structure to represent an attribute for a class.
The name of the attribute.
True if the attribute is required.
True if the attribute can only be modified by system.
Get the hash code for the attribute.
The hash code.
Check attributes for equality.
The other attribute to check.
True if equal.
Overridden ToString method.
The name of the attribute.
Represents the type of schema class.
Legacy class.
Structure class (can be created).
Abstract class.
Auxiliary class.
Base class for a schema class or attribute object.
The GUID of the schema class.
The name of the schema class.
The LDAP display name.
The object class for the schema class.
The distinguished name for the schema class.
The domain name searched for this schema class.
The admin description for the object.
Indicates if this schema object is system only.
Overridden ToString method.
The name of the schema class.
Convert the schema class to an object type tree.
The tree of object types.
Convert the extended right to an object type tree.
The schema class to convert.
The tree of object types.
Class to represent a security principal in the directory.
Distinguished name of the group.
The SID of the object.
Overridden Equals.
The other object to test.
True if equal.
Overridden GetHashCode.
The hash code.
User flags.
Class implementing various utilities for directory services.
Name for the fake Directory Service NT type.
Get the generic mapping for directory services.
The directory services generic mapping.
Get a fake NtType for Directory Services.
The fake Directory Services NtType
Get the default property set.
Get the schema class for a GUID.
Specify the domain to get the schema class for.
The GUID for the schema class.
The schema class, or null if not found.
Get the schema class for a GUID.
The GUID for the schema class.
The schema class, or null if not found.
Get the schema class for a LDAP name.
Specify the domain to get the schema class for.
The LDAP name for the schema class.
The schema class, or null if not found.
Get the schema class for a LDAP name.
The LDAP name for the schema class.
The schema class, or null if not found.
Get the inferior schema class for a LDAP name.
Specify the domain to get the schema class for.
The LDAP name for the parent schema class.
The schema classes.
Get the inferior schema class for a LDAP name.
The LDAP name for the schema class.
The schema classes.
Get the auxiliary schema classes for a LDAP name.
Specify the domain to get the schema class for.
The LDAP name for the parent schema class.
The schema classes.
Get the auxiliary schema classes for a LDAP name.
The LDAP name for the schema class.
The schema classes.
Get all schema classes.
Specify the domain to get the schema classes for.
The list of schema classes.
Get all schema classes.
The list of schema classes.
Get all schema classes in a hierarchy.
Specify the domain to get the schema classes for.
Specify to include auxiliary classes in the list.
The name of the base schema class.
The list of schema classes.
Get all schema classes in a hierarchy.
Specify to include auxiliary classes in the list.
The name of the base schema class.
The list of schema classes.
Get the common name of an schema object class.
Specify the domain to get the schema class for.
The GUID for the schema class.
The common name of the schema class, or null if not found.
Get the common name of an schema object class.
The GUID for the schema class.
The common name of the schema class, or null if not found.
Get the schema attribute for a GUID.
Specify the domain to get the schema attribute for.
The GUID for the schema attribute.
The schema attribute, or null if not found.
Get the schema attribute for a GUID.
The GUID for the schema attribute.
The schema attribute, or null if not found.
Get the schema attribute for a LDAP name.
Specify the domain to get the schema attribute for.
The LDAP name for the schema attribute.
The schema attribute, or null if not found.
Get the schema attribute for a LDAP name.
The LDAP name for the schema attribute.
The schema attribute, or null if not found.
Get all schema attributes.
Specify the domain to get the schema attributes for.
The list of schema attributes.
Get all schema attributes.
The list of schema attributes.
Get the common name of a schema attribute.
Specify the domain to get the schema attribute for.
The GUID for the schema attribute.
The common name of the schema attribute, or null if not found.
Get the common name of a schema attribute.
The GUID for the schema attribute.
The common name of the schema attribute, or null if not found.
Get the extended right name by GUID.
Specify the domain for the extended right.
The GUID for the extended right.
If true and the right is a property set, expand the name.
The name of the extended right, or null if not found.
Get the extended right name by GUID.
The GUID for the extended right.
If true and the right is a property set, expand the name.
The name of the extended right, or null if not found.
Get an extended right by GUID.
Specify the domain to get the extended right for.
The GUID for the extended right.
The extended right, or null if not found.
Get an extended right by GUID.
The GUID for the extended right.
The extended right, or null if not found.
Get an extended right by common name.
Specify the domain to get the extended right for.
The common name for the extended right.
The extended right, or null if not found.
Get an extended right by common name.
The common name for the extended right.
The extended right, or null if not found.
Get a list of all extended rights in the current domain.
Specify the domain to get the extended rights from.
The list of extended rights.
Get a list of all extended rights in the current domain.
The list of extended rights.
Get a list of extended rights applied to a schema class.
Specify the domain to get the extended rights from.
The schema class identifier.
The list of extended rights applies to the schema class.
Get a list of extended rights applied to a schema class in the current domain.
The schema class identifier.
The list of extended rights applies to the schema class.
Create an object type entry for an access check.
The object type level.
The object type GUID.
An optional name.
The object type entry.
Get the object SID from a directory object.
The directory entry.
The object SID. Returns null if no object SID exists.
Get the object SID from a directory object.
The domain name for the object.
The distinguished name of the object.
The object SID. Returns null if no object SID exists.
Get the object SID from a directory object.
The distinguished name of the object.
The object SID. Returns null if no object SID exists.
Get a directory object.
The domain name for the object.
The distinguished name of the object.
The object entry.
Get a directory object.
The distinguished name of the object.
The object entry.
Standardize security descriptor to the rules of Active Directory.
The security descriptor.
The standardized security descriptor.
Get the value for the dsHeuristics attribute.
The domain to read the dsHeuristics from.
The dsHeuristics value.
Get the value for the dsHeuristics attribute.
The dsHeuristics value.
Get the value for an object's sDRightsEffective attribute.
The domain for the object.
The distinguished name of the object.
The sDRightsEffective value.
Get the value for an object's sDRightsEffective attribute.
The distinguished name of the object.
The sDRightsEffective value.
Try and find the an object from its SID.
Specify the domain to search.
The SID to find.
The distinguished name of the object, null if not found.
Try and find the token groups for an object.
Domain name for the lookup.
The distinguished name to find.
True to return all groups including BUILTIN on the server. False for just universal and global groups.
The list of member SIDs.
Try and find the token groups for an object using the SID.
Sid to use for the object.
True to return all groups including BUILTIN on the server. False for just universal and global groups.
The list of member SIDs.
Try and find the membership of groups for a name.
Domain name for the lookup.
The distinguished name to find as member.
The list of groups.
Call to pre-cache the schema for a domain, could take a long time to load.
The domain to cache.
True if the schema was cached successfully.
Call to pre-cache the schema for the current domain, could take a long time to load.
True if the schema was cached successfully.
Interface to convert a directory object to a tree for access checking.
The name of the object.
The ID of the object.
Convert the schema class to an object type tree.
The tree of object types.
DLL characteristic flags.
Reserved
Reserved
Reserved
Reserved
Reserved
Image can handle a high entropy 64-bit virtual address space.
DLL can be relocated at load time.
Code Integrity checks are enforced.
Image is NX compatible.
Isolation aware, but do not isolate the image.
Does not use structured exception (SE) handling. No SE handler may be called in this image.
Do not bind the image.
Image must execute in an AppContainer.
A WDM driver.
Image supports Control Flow Guard.
Terminal Server aware.
CodeView debug data for an executable.
The magic identifier.
The unique identifier.
Age of debug information.
Path to PDB file.
Identifier path to use when looking up symbol file.
Get just the name of the PDB file.
Get the symbol server path.
The symbol URL, either a local path or a remote URL.
The symbol server path.
Single DLL export entry.
The name of the export. If an ordinal this is #ORD.
The ordinal number.
Address of the exported entry. Can be 0 if a forwarded function.
Name of the forwarder, if used.
Get the module this was exported from.
Overridden ToString method.
The name of the export.
Single DLL import.
The name of the DLL importing from.
List of DLL imported functions.
List of names imported.
Could of functions
True of the imports are delay loaded.
The path to the executable this import came from.
Overridden ToString method.
The DLL name and count.
Single DLL import function.
The name of the DLL importing from.
The name of the imported function. If an ordinal this is #ORD.
Address of the imported function. Can be 0 if not a bound DLL.
Ordinal of import, if imported by ordinal. -1 if not.
Overridden ToString method.
The name of the imported function.
Simple class for an event trace.
Write an empty event.
Dispose method.
Level for trace event.
Critical level.
Error level.
Warning level.
Information level.
Verbose level.
Descriptor for an enabled trace provider.
Pointer to descriptor data.
Size of descriptor data.
Type of descriptor data.
An Event Trace Log.
Enable a provider.
The GUID of the provider.
The level for the events.
Any keywords to match.
All keywords to match.
The timeout.
List of optional descriptors.
True to throw on error.
The resulting status code.
Get allocated session GUID.
Get name of the session.
Finalizer.
Dispose the event trace log.
Source of an event trace provider.
Unknown source.
From WMI.
From NtTraceControl.
From the security key.
Class to represent an Event Trace Provider.
The ID of the provider.
The name of the provider.
Whether the provider is defined as an XML file or a MOF.
The provider security descriptor (only available as admin).
Indicates the source of the provider.
Class to access event tracing methods.
Query security of an event.
The event GUID to query.
True to throw on error.
The event security descriptor.
Query security of an event.
The event GUID to query.
The event security descriptor.
Query the default security for events.
True to throw on error.
The default security descriptor.
Query the default security for events.
The default security descriptor.
Modify trace security.
The event trace GUID.
The operation to perform.
The SID to set.
The access mask to set.
True to allow, false to deny.
True to throw on error.
The NT status code.
Modify trace security.
The event trace GUID.
The operation to perform.
The SID to set.
The access mask to set.
True to allow, false to deny.
Adds DACL ACE for an event trace.
The event trace GUID.
The SID to set.
The access mask to set.
True to allow, false to deny.
True to throw on error.
The NT status code.
Adds DACL ACE for an event trace.
The event trace GUID.
The SID to set.
The access mask to set.
True to allow, false to deny.
Clears DACL and adds ACE for an event trace.
The event trace GUID.
The SID to set.
The access mask to set.
True to allow, false to deny.
True to throw on error.
The NT status code.
lears DACL and adds ACE for an event trace.
The event trace GUID.
The SID to set.
The access mask to set.
True to allow, false to deny.
Remove security for an event trace.
The event trace GUID.
True to throw on error.
The NT status code.
Remove security for an event trace.
The event trace GUID.
Register an event trace with a specific GUID.
The event trace GUID.
True to throw on error.
The event trace.
Start an event trace log.
The path to the log file.
Session GUID.
The name of the logging session.
True to throw on error.
The event trace log.
Start an event trace log.
The path to the log file.
Session GUID.
The name of the logging session.
The event trace log.
Register an event trace with a specific GUID.
The event trace GUID.
The event trace.
Get the list of registered trace GUIDs.
The list of trace GUIDs.
Get the list of registered trace providers.
Specify true to return a list of cached providers.
The list of trace providers.
Get the list of registered trace providers.
The list of trace providers.
Returns a cached list of providers, if you want to check the current list use GetProviders(bool).
Get the name of a provider.
The ID of the provider.
The name of the provider. Returns null if the provider had no name or doesn't exist.
Contains information about a manifest file.
True if parsing the XML manifest failed.
Full path to the manifest location.
The name of the manifest.
True if the manifest indicates UI access.
The execution level from the manifest.
True if the manifest indicates auto elevation.
The manifest XML.
True if the manifest indicates long path awareness.
Get the manifests from a file.
The file to extract the manifests from.
The list of manifests.
Overridden ToString method.
The manifest as a string.
A class to represent filter communication port.
Open a filter communications port.
The port name, e.g. \FilterName
Make the handle synchronous.
Optional context data.
True to throw on error.
The filter communications port.
Open a filter communications port.
The port name, e.g. \FilterName
Make the handle synchronous.
Optional context data.
The filter communications port.
Open a filter communications port.
The port name, e.g. \FilterName
The filter communications port.
Get message from port.
The maximum message size to receive.
True to throw on error.
The returned message.
Get message from port.
The maximum message size to receive.
The returned message.
Reply to message.
The NT status code.
The message ID from GetMessage.
The data to send.
True to throw on error.
The NT status code.
Reply to message.
The NT status code.
The message ID from GetMessage.
The data to send.
Send a message to the filter.
The input buffer.
The output buffer.
True to throw on error.
The bytes in the output buffer.
Send a message to the filter.
The input buffer.
The output buffer.
The bytes in the output buffer.
Send a message to the filter.
The input buffer.
The maximum size of the output buffer.
true to throw on error.
The output buffer.
Send a message to the filter.
The input buffer.
The maximum size of the output buffer.
The output buffer.
Class to represent a filter communications port message.
The message ID.
The returned data.
The length of the reply to send.
Class to represent a filter drive.
True if a mini-filter, false if a legacy-filter.
Flags, if any.
The frame ID.
Number of instances if a mini-filter.
Name of the filter driver.
Altitude of the filter driver.
Class to represent a mini-filter instance.
The name of the instance.
The altitude of the instance.
The volume name.
The filter name.
Filter filesystem type.
an UNKNOWN file system type
Microsoft's RAW file system (\FileSystem\RAW)
Microsoft's NTFS file system (\FileSystem\Ntfs)
Microsoft's FAT file system (\FileSystem\Fastfat)
Microsoft's CDFS file system (\FileSystem\Cdfs)
Microsoft's UDFS file system (\FileSystem\Udfs)
Microsoft's LanMan Redirector (\FileSystem\MRxSmb)
Microsoft's WebDav redirector (\FileSystem\MRxDav)
Microsoft's Terminal Server redirector (\Driver\rdpdr)
Microsoft's NFS file system (\FileSystem\NfsRdr)
Microsoft's NetWare redirector (\FileSystem\nwrdr)
Novell's NetWare redirector
The BsUDF CD-ROM driver (\FileSystem\BsUDF)
Microsoft's Mup redirector (\FileSystem\Mup)
Microsoft's WinFS redirector (\FileSystem\RsFxDrv)
Roxio's UDF writeable file system (\FileSystem\cdudf_xp)
Roxio's UDF readable file system (\FileSystem\UdfReadr_xp)
Roxio's DVD file system (\FileSystem\DVDVRRdr_xp)
Tacit FileSystem (\Device\TCFSPSE)
Microsoft's File system recognizer (\FileSystem\Fs_rec)
Nero's InCD file system (\FileSystem\InCDfs)
Nero's InCD FAT file system (\FileSystem\InCDFat)
Microsoft's EXFat FILE SYSTEM (\FileSystem\exfat)
PolyServ's file system (\FileSystem\psfs)
IBM General Parallel File System (\FileSystem\gpfs)
Microsoft's Named Pipe file system(\FileSystem\npfs)
Microsoft's Mailslot file system (\FileSystem\msfs)
Microsoft's Cluster Shared Volume file system (\FileSystem\csvfs)
Microsoft's ReFS file system (\FileSystem\Refs or \FileSystem\Refsv1)
OpenAFS file system (\Device\AFSRedirector)
Composite Image file system (\FileSystem\cimfs)
Methods for accessing Filter Manager information.
Enumerate the list of filter drivers.
The list of filter drivers.
Enumerate the list of filter driver instances.
The name of the filter driver.
The list of filter driver instances.
Enumerate the list of filter driver instances for all filter drivers.
The list of filter driver instances.
Enumerate the list of filter drivers attached to a volume.
The name of volume, e.g. C:\
The list of filter volume instances.
Enumerate the list of filter drivers attached for all volumes.
The list of filter volume instances.
Enumerate the list of filter volumes.
The list of filter volumes
Attach a filter to a volume.
The filter name.
The volume name.
Optional altitude of the filter.
Optional instance name.
True to throw on error.
The created instance name.
Attach a filter to a volume.
The filter name.
The volume name.
Optional altitude of the filter.
Optional instance name.
The created instance name.
Attach a filter to a volume.
The filter name.
The volume name.
Optional altitude of the filter.
The created instance name.
Attach a filter to a volume.
The filter name.
The volume name.
The created instance name.
Attach a filter to a volume.
The filter name.
The volume name.
Optional instance name.
True to throw on error.
The NT status code.
Attach a filter to a volume.
The filter name.
The volume name.
Optional instance name.
The NT status code.
Attach a filter to a volume.
The filter name.
The volume name.
The NT status code.
Class to represent a filter volume.
Is the filter detached from the volume.
Filter frame ID.
Filesystem type.
Filter volume name.
Class which represents a section from a loaded PE file.
The name of the section.
Buffer to the data.
Relative Virtual address of the data from the library base.
Image section characteristics.
Get the data as an array.
The data as an array. If can't read the section returns an empty array.
Characteristic flags for image section.
None.
Section is code.
Section is initialized data.
Section is uninitialized data.
Section is shared.
Section is executable.
Section is readable.
Section is writable.
Class to represent a resource in an image.
The name of the resource.
The type of the resource.
The size of the resource.
Get the resource as a byte array.
The resource as a byte array.
Image resource type.
The name of the resource as a string.
The well known type, is available (otherwise set to UNKNOWN)
Overridden ToString method.
The name of the type.
Known image resource types.
Interface for a symbol resolver.
Get list of loaded modules.
The list of loaded modules
Note this will cache the results so subsequent calls won't necessarily see new modules.
Get list of loaded modules and optionally refresh the list.
True to refresh the current cached list of modules.
The list of loaded modules
Get module at an address.
The address for the module.
The module, or null if not found.
Note this will cache the results so subsequent calls won't necessarily see new modules.
Get module at an address.
The address for the module.
True to refresh the current cached list of modules.
The module, or null if not found.
Get a string representation of a relative address to a module.
The address to get the string for,
The string form of the address, e.g. modulename+0x100
Note this will cache the results so subsequent calls won't necessarily see new modules.
Get a string representation of a relative address to a module.
The address to get the string for,
True to refresh the current cached list of modules.
The string form of the address, e.g. modulename+0x100
Get the address of a symbol.
The name of the symbol, should include the module name, e.g. modulename!MySymbol.
The address of the symbol
Get the symbol name for an address.
The address of the symbol.
The symbol name.
Get the symbol name for an address, with no fallback.
The address of the symbol.
If true then generate a fake symbol.
The symbol name. If |generate_fake_symbol| is true and the symbol doesn't exist one is generated based on module name.
Get the symbol name for an address, with no fallback.
The address of the symbol.
If true then generate a fake symbol.
If true then return only the name of the symbols (such as C++ symbol name) rather than full symbol.
The symbol name. If |generate_fake_symbol| is true and the symbol doesn't exist one is generated based on module name.
Reload the list of modules for this symbol resolver.
Load a specific module into the symbol resolver.
The path to the module.
The base address of the loaded module.
Flags for loading a library.
None.
Don't resolve DLL references
Load library as a data file.
Load with an altered search path.
Ignore code authz level.
Load library as an image resource.
Load library as a data file exclusively.
Add the DLL's directory temporarily to the search list.
Search application directory for the DLL.
Search the user's directories for the DLL.
Search system32 for the DLL.
Search the default directories for the DLL.
Logon type
This is used to specify an undefined logon type
Interactively logged on (locally or remotely)
Accessing system via network
Started via a batch queue
Service started by service controller
Proxy logon
Unlock workstation
Network logon with cleartext credentials
Clone caller, new default credentials
Remove interactive.
Cached Interactive.
Cached Remote Interactive.
Cached unlock.
Specify what account rights to get.
Get all account rights.
Get all privilege account rights.
Get logon account rights.
Utilities for user logon.
Logon a user with a username and password.
The username.
The user's domain.
The user's password.
The type of logon token.
The logged on token.
Logon a user with a username and password.
The username.
The user's domain.
The user's password.
The type of logon token.
The Logon provider.
The logged on token.
Logon a user with a username and password.
The username.
The user's domain.
The user's password.
The type of logon token.
The Logon provider.
True to throw on error.
The logged on token.
Logon a user with a username and password.
The username.
The user's domain.
The user's password.
The type of logon token.
The Logon provider.
Additional groups to add. Needs SeTcbPrivilege.
The logged on token.
Logon a user with a username and password.
The username.
The user's domain.
The user's password.
The type of logon token.
The Logon provider.
Additional groups to add. Needs SeTcbPrivilege.
True to throw on error.
The logged on token.
Logon a user with a username and password.
The username.
The user's domain.
The user's password.
The type of logon token.
Additional groups to add. Needs SeTcbPrivilege.
The logged on token.
Logon user using Kerberos Ticket.
The type of logon token.
The service ticket.
Optional TGT.
True to throw on error.
The logged on token.
Logon user using Kerberos Ticket.
The type of logon token.
The service ticket.
Optional TGT.
The logged on token.
Logon user using Kerberos Ticket.
The type of logon token.
The service ticket.
Optional TGT.
True to throw on error.
The logged on token.
Logon user using Kerberos Ticket.
The type of logon token.
The service ticket.
Optional TGT.
The logged on token.
Logon user using S4U
The username.
The user's realm.
The type of logon token.
The name of the auth package to user.
True to throw on error.
The logged on token.
Logon user using S4U
The username.
The user's realm.
The type of logon token.
The name of the auth package to user.
The logged on token.
Logon user using S4U
The username.
The user's realm.
The type of logon token.
The logged on token.
Logon user using S4U
The username.
The user's realm.
The type of logon token.
The logged on token.
Get a logon session.
The logon session ID.
True to thrown on error.
The logon session.
Get a logon session.
The logon session ID.
The logon session.
Get the logon session LUIDs
True throw on error.
The list of logon sessions. Only returns ones you can access.
Get the logon session LUIDs
The list of logon sessions. Only returns ones you can access.
Get the logon sessions.
True throw on error.
The list of logon sessions. Only returns ones you can access.
Get the logon sessions.
The list of logon sessions.
Get account rights assigned to a SID.
The SID to query.
True to throw on error.
The list of account rights.
Get account rights assigned to a SID.
The SID to query.
The list of account rights.
Get SIDs associated with an account right.
The name of the account right, such as SeImpersonatePrivilege.
True to throw on error.
The list of SIDs assigned to the account right.
Get SIDs associated with an account right.
The name of the account right, such as SeImpersonatePrivilege.
The list of SIDs assigned to the account right.
Get SIDs associated with an account right.
The account right privilege to query.
True to throw on error.
The list of SIDs assigned to the account right.
Get SIDs associated with an account right.
The account right privilege to query.
The list of SIDs assigned to the account right.
Get SIDs associated with an account right.
The logon account right to query.
True to throw on error.
The list of SIDs assigned to the account right.
Get SIDs associated with an account right.
The logon account right to query.
The list of SIDs assigned to the account right.
Get account rights.
Specify the type of account rights to get.
Account rights.
Get all account rights.
All account rights.
Add account rights to the user.
The user SID to add.
The list of account rights.
True to throw on error.
The NT status code.
Add account rights to the user.
The user SID to add.
The list of account rights.
The NT status code.
Add account rights as privileges.
The user SID to add.
The list of account privileges.
True to throw on error.
The NT status code.
Add account rights as privileges.
The user SID to add.
The list of account privileges.
Add account rights as privileges.
The user SID to add.
The list of account logon types.
True to throw on error.
The NT status code.
Add account rights as privileges.
The user SID to add.
The list of account logon types.
Remove account rights from a user.
The user SID to remove.
The list of account rights.
True to throw on error.
The NT status code.
Remove account rights from a user.
The user SID to remove.
The list of account rights.
Remove account rights from a user.
The user SID to remove.
The list of privileges.
True to throw on error.
The NT status code.
Remove account rights from a user.
The user SID to remove.
The list of account privileges.
Remove account rights from a user.
The user SID to remove.
The list of account rights.
True to throw on error.
The NT status code.
Remove account rights from a user.
The user SID to remove.
The list of account rights.
Win32 memory utils.
Write memory to a process.
The process to write to.
The base address in the process.
The data to write.
The number of bytes written to the location
Thrown on error.
Write memory to a process.
The process to write to.
The base address in the process.
The data to write.
The number of bytes written to the location
Thrown on error.
Class to represent a TCP listener with process ID.
Gets the local endpoint of a Transmission Control Protocol (TCP) connection.
An instance that contains the IP address and port on the local computer.
Gets the remote endpoint of a Transmission Control Protocol (TCP) connection.
An instance that contains the IP address and port on the remote computer.
Gets the state of this Transmission Control Protocol (TCP) connection.
One of the enumeration values.
Get local address.
Get local port.
Get remote address.
Get remote port.
Gets the process ID of the listener on the local system.
Gets the time the socket was created.
Gets the owner of the module. This could be an executable path or a service name.
Class to represent a UDP listener with process ID.
Gets the local endpoint of a Transmission Control Protocol (TCP) connection.
An instance that contains the IP address and port on the local computer.
Get local address.
Get local port.
Gets the process ID of the listener on the local system.
Gets the time the socket was created.
Gets the owner of the module. This could be an executable path or a service name.
Gets if the UDP socket is bound to a specific port.
Utilities for Win32 network APIs.
Get a list of TCP listeners with process IDs.
The address family to query.
True to throw on error.
The list of TCP listeners.
The built-in System.Net.NetworkInformation.SystemIPGlobalProperties.GetActiveTcpListeners doesn't expose the PID member so we have to reimplement it.
Get a list of TCP listeners with process IDs.
The address family to query.
The list of TCP listeners.
The built-in System.Net.NetworkInformation.SystemIPGlobalProperties.GetActiveTcpListeners doesn't expose the PID member so we have to reimplement it.
Get a list of TCP listeners with process IDs. Returns both IPv4 and IPv6 listeners.
The list of TCP listeners.
The built-in System.Net.NetworkInformation.SystemIPGlobalProperties.GetActiveTcpListeners doesn't expose the PID member so we have to reimplement it.
Get a TCP listener for a TCP port.
The address family of the IP address.
The TCP port.
The listener information, or null if not found.
Get a list of UDP listeners with process IDs.
The address family to query.
True to throw on error.
The list of UDP listeners.
Get a list of UDP listeners with process IDs.
The address family to query.
The list of UDP listeners.
Get a list of UDP listeners with process IDs. Returns both IPv4 and IPv6 listeners.
The list of UDP listeners.
APPX Package Architecture.
X86
ARM
X64
Neutral
ARM64
APPX Package Origin.
Unknown origin.
Unsigned.
Inbox.
Store.
Developer unsigned.
Developer signed.
Line-of-business.
Class which represents an AppContainer package identity.
Process architecture.
Package version.
Package family name.
Publisher (not always available).
Resource ID.
Published ID.
Full package name.
Package origin.
Package family name.
Package install path.
The list of application model IDs.
Get the GetStagedPackageOrigin method as a delegate. It's supposed to be exposed by kernel32,
but actually doesn't seem to be.
Create from a package full name.
The package full name.
Query for full information (needs to be installed for the current user).
True to throw on error.
The package identity.
Create from a package full name.
The package full name.
Query for full information (needs to be installed for the current user).
The package identity.
Create from a token.
The AppContainer token.
Query for full information (needs to be installed for the current user).
True to throw on error.
The package identity.
Create from a token.
The AppContainer token.
Query for full information (needs to be installed for the current user).
The package identity.
Class to represent a printer object.
Dispose the printer object.
Open a printer or server.
The name of the printer or server. If this is null or empty then it's the local server.
The desired access on the printer.
True to throw on error.
The opened printer.
Open a printer.
The name of the printer.
The desired access on the printer.
The opened printer.
Open a printer.
The name of the printer.
The opened printer.
Get security descriptor for the printer.
True to throw on error.
The printer's security descriptor.
Get security descriptor for the printer.
The printer's security descriptor.
Access rights for a print spooler object.
Utils for print spooler.
Name for the fake printer NT type.
Name for the fake print server NT type.
Name for the fake print server NT type.
Get the generic mapping for printer objects.
The printer objects generic mapping.
Get the generic mapping for job objects.
The job objects generic mapping.
Get the generic mapping for server objects.
The server objects generic mapping.
Get the appropriate NT type for the printer path.
The printer path, e.g. \\server\printer.
The NT type.
Class representing an RPC ALPC server.
The PID of the process which contains the ALPC server.
The name of the process which contains the ALPC server.
List of known endpoints potentially accessible via this RPC server.
The number of endpoints.
The name of the ALPC server.
The security descriptor of the ALPC server.
Get RPC ALPC servers for a specific process.
The ID of the process.
The list of RPC ALPC servers.
If the process is suspended or frozen this call can hang.
Get a list of all RPC ALPC servers.
This works by discovering any server ALPC ports owned by the process and querying for interfaces.
This will ignore any frozen processes (primarily UWP) as they can't respond to the endpoint enumeration.
The list of RPC ALPC servers.
Get the RPC ALPC server for an ALPC port object path.
The object manager path to the ALPC port.
The ALPC RPC server.
Needs an API which is only available from Windows 10 19H1.
Overridden ToString method.
Formatted string.
Generic RPC client.
Constructor.
The interface ID.
Version of the interface.
Constructor.
The RPC server to bind to.
Send and receive an RPC message.
The procedure number.
Marshal NDR buffer for the call.
Unmarshal NDR buffer for the result.
Class to represent an RPC endpoint.
The interface ID of the endpoint.
The interface version.
The object UUID.
Optional annotation.
RPC binding string.
Endpoint protocol sequence.
Endpoint network address.
Endpoint name.
Endpoint network options.
The endpoint path.
Indicates this endpoint is registered with the endpoint mapper.
Overridden ToString method.
String form of the object.
Get information about the server process.
Static class to access information from the RPC mapper.
Query all endpoints registered on the local system.
List of endpoints.
Query all endpoints registered based on a binding string.
The binding string for the server to search on. If null or empty will search localhost.
List of endpoints.
Query for endpoints registered on the local system for an RPC endpoint.
The binding string for the server to search on. If null or empty will search localhost.
Interface UUID to lookup.
Interface version lookup.
The list of registered RPC endpoints.
Query for endpoints registered on the local system for an RPC endpoint.
Interface UUID to lookup.
Interface version lookup.
The list of registered RPC endpoints.
Query for endpoints registered on the local system for an RPC endpoint ignoring the version.
The binding string for the server to search on. If null or empty will search localhost.
Interface UUID to lookup.
The list of registered RPC endpoints.
Query for endpoints registered on the local system for an RPC endpoint ignoring the version.
Interface UUID to lookup.
The list of registered RPC endpoints.
Query for endpoints registered on the local system for an RPC endpoint.
The server interface.
The list of registered RPC endpoints.
Query for endpoints registered on the local system for an RPC endpoint via ALPC.
Interface UUID to lookup.
Interface version lookup.
The list of registered RPC endpoints.
Query for endpoints registered on the local system for an RPC endpoint via ALPC.
The server interface.
The list of registered RPC endpoints.
Query for endpoints for a RPC binding.
The ALPC port to query. Can be a full path as long as it contains \RPC Control\ somewhere.
True to throw on error.
The list of endpoints on the RPC binding.
Query for endpoints for a RPC binding.
The ALPC port to query. Can be a full path as long as it contains \RPC Control\ somewhere.
The list of endpoints on the RPC binding.
Query for endpoints for a RPC binding.
The RPC binding to query, e.g. ncalrpc:[PORT]
True to throw on error.
The list of endpoints on the RPC binding.
Query for endpoints for a RPC binding.
The RPC binding to query, e.g. ncalrpc:[PORT]
The list of endpoints on the RPC binding.
Resolve the local binding string for this service from the local Endpoint Mapper and return the endpoint.
The protocol sequence to lookup.
Interface UUID to lookup.
Interface version lookup.
The mapped endpoint.
This only will return a valid value if the service is running and registered with the Endpoint Mapper. It can also hang.
Resolve the local binding string for this service from the local Endpoint Mapper and return the endpoint.
The protocol sequence to lookup.
The network address for the lookup.
Interface UUID to lookup.
Interface version lookup.
The mapped endpoint.
This only will return a valid value if the service is running and registered with the Endpoint Mapper. It can also hang.
Resolve the local binding string for this service from the local Endpoint Mapper and return the endpoint.
The string binding to map.
Interface UUID to lookup.
Interface version lookup.
The mapped endpoint.
This only will return a valid value if the service is running and registered with the Endpoint Mapper. It can also hang.
Resolve the local binding string for this service from the local Endpoint Mapper and return the ALPC port path.
Interface UUID to lookup.
Interface version lookup.
The mapped endpoint.
This only will return a valid value if the service is running and registered with the Endpoint Mapper. It can also hang.
Resolve the local binding string for this service from the local Endpoint Mapper and return the ALPC port path.
The server interface.
The mapped endpoint.
This only will return a valid value if the service is running and registered with the Endpoint Mapper. It can also hang.
Finds ALPC endpoints which allows for the server binding. This brute forces all ALPC ports to try and find
something which will accept the bind.
This could hang if the ALPC port is owned by a suspended process.
Interface UUID to lookup.
Interface version lookup.
A list of RPC endpoints which can bind the interface.
Throws on error.
Finds an ALPC endpoint which allows for the server binding. This brute forces all ALPC ports to try and find
something which will accept the bind.
This could hang if the ALPC port is owned by a suspended process.
Interface UUID to lookup.
Interface version lookup.
The first RPC endpoints which can bind the interface. Throws exception if nothing found.
Throws on error.
Resolve the binding string for this service from the Endpoint Mapper.
The binding string to map.
Interface UUID to lookup.
Interface version lookup.
This only will return a valid value if the service is running and registered with the Endpoint Mapper. It can also hang.
The RPC binding string. Empty string if it doesn't exist or the lookup failed.
Resolve the binding string for this service from the the Endpoint Mapper.
The protocol sequence to lookup.
The network address to lookup the endpoint.
Interface UUID to lookup.
Interface version lookup.
This only will return a valid value if the service is running and registered with the Endpoint Mapper. It can also hang.
The RPC binding string. Empty string if it doesn't exist or the lookup failed.
Resolve the binding string for this service from the local Endpoint Mapper.
The protocol sequence to lookup.
Interface UUID to lookup.
Interface version lookup.
This only will return a valid value if the service is running and registered with the Endpoint Mapper. It can also hang.
The RPC binding string. Empty string if it doesn't exist or the lookup failed.
A class to represent an RPC server.
Resolve the current running endpoint for this server.
Format the RPC server as text.
The formatted RPC server.
Format the RPC server as text.
True to remove comments from the output.
The formatted RPC server.
Format the RPC server as text.
True to remove comments from the output.
Formating using C++ pseduo syntax.
The formatted RPC server.
Serialize the RPC server to a stream.
The stream to hold the serialized server.
Only use the output of this method with the Deserialize method. No guarantees of compatibility is made between
versions of the library or the specific format used.
Serialize the RPC server to a byte array.
The serialized data.
Only use the output of this method with the Deserialize method. No guarantees of compatibility is made between
versions of the library or the specific format used.
The RPC server interface UUID.
The RPC server interface version.
The RPC transfer syntax GUID.
The RPC transfer syntax version.
The number of RPC procedures.
The list of RPC procedures.
The NDR RPC server.
List of parsed complext types.
Path to the PE file this server came from (if known)
Name of the the PE file this server came from (if known)
Offset into the PE file this server was parsed from.
Name of the service this server would run in (if known).
Display name of the service this server would run in (if known).
True if the service is currently running.
List of endpoints for this service if running.
Count of endpoints for this service if running.
This parsed interface represents a client.
Parse all RPC servers from a PE file.
The PE file to parse.
Path to a DBGHELP DLL to resolve symbols.
Symbol path for DBGHELP
This only works for PE files with the same bitness as the current process.
A list of parsed RPC server.
Parse all RPC servers from a PE file.
The PE file to parse.
Path to a DBGHELP DLL to resolve symbols.
Symbol path for DBGHELP
True to parse client RPC interfaces.
This only works for PE files with the same bitness as the current process.
A list of parsed RPC server.
Parse all RPC servers from a PE file.
The PE file to parse.
Path to a DBGHELP DLL to resolve symbols.
Symbol path for DBGHELP
True to parse client RPC interfaces.
Ignore symbol resolving.
This only works for PE files with the same bitness as the current process.
A list of parsed RPC server.
Parse all RPC servers from a PE file.
The PE file to parse.
Path to a DBGHELP DLL to resolve symbols.
Symbol path for DBGHELP
Flags for the RPC parser.
This only works for PE files with the same bitness as the current process.
A list of parsed RPC server.
Deserialize an RPC server instance from a stream.
The stream to deserialize from.
The RPC server instance.
The data used by this method should only use the output from serialize. No guarantees of compatibility is made between
versions of the library or the specific format used.
Deserialize an RPC server instance from a byte array.
The byte array to deserialize from.
The RPC server instance.
The data used by this method should only use the output from serialize. No guarantees of compatibility is made between
versions of the library or the specific format used.
Get the default RPC server security descriptor.
The default security descriptor.
Flags for the RPC server parser.
None.
Parse client entries.
Ignore symbols when parsing.
Try and resolve structure names. Needs private symbols.
Enable a symbol server fallback. If the copy of dbghelp doesn't have a symsrv.dll
then download from a public symbol URL to a local cache directory during symbol
resolving.
Base class for a RPC client.
Constructor.
The interface ID.
Version of the interface.
Constructor.
The interface ID as a string.
Major version of the interface.
Minor version of the interface.
Send and receive an RPC message.
The procedure number.
The NDR data representation.
Marshal NDR buffer for the call.
List of handles marshaled into the buffer.
Unmarshal NDR buffer for the result.
Method to call to check if the transport supports synchronous pipes.
Method to call to check if the transport supports asynchronous pipes.
Get whether the client is connected or not.
Get the endpoint that we connected to.
Get the protocol sequence that we connected to.
Get or set the current Object UUID used for calls.
The RPC interface ID.
The RPC interface version.
Get the client transport object.
Connect the client to a RPC endpoint.
The endpoint for RPC server.
The transport security for the connection.
Connect the client to a RPC endpoint.
The endpoint for RPC server.
The security quality of service for the connection.
Connect the client to a RPC endpoint.
The protocol sequence for the transport.
The endpoint for the protocol sequence.
The network address for the protocol sequence.
The security quality of service for the connection.
Connect the client to a RPC endpoint.
The protocol sequence for the transport.
The endpoint for the protocol sequence.
The network address for the protocol sequence.
The transport security for the connection.
Connect the client to a RPC endpoint.
The protocol sequence for the transport.
The endpoint for the protocol sequence.
The security quality of service for the connection.
Connect the client to a RPC endpoint.
The protocol sequence for the transport.
The endpoint for the protocol sequence.
The transport security for the connection.
Connect the client to an ALPC RPC port.
The path to the ALPC RPC port.
The security quality of service for the port.
Connect the client to a RPC endpoint.
The binding string for the RPC server.
The transport security for the connection.
Connect the client to an ALPC RPC port.
The path to the ALPC RPC port. If an empty string the endpoint will be looked up in the endpoint mapper.
Connect the client to an ALPC RPC port.
The ALPC endpoint will be looked up in the endpoint mapper.
Dispose of the client.
Disconnect the client.
Builder to create an RPC client from an RpcServer class.
Build a source file for the RPC client.
The RPC server to base the client on.
Additional builder arguments.
The code generation options, can be null.
The code dom provider, such as CSharpDomProvider
The source code file.
Build a C# source file for the RPC client.
The RPC server to base the client on.
Additional builder arguments.
The C# source code file.
Build a C# source file for the RPC client.
The RPC server to base the client on.
The C# source code file.
Build a source file for RPC complex types.
The RPC complex types to build the encoders from.
Name of the decoder class. Can be null or empty to use default.
Name of the encoder class. Can be null or empty to use default.
Name of the generated namespace. Null or empty specified no namespace.
The code generation options, can be null.
The code dom provider, such as CSharpDomProvider
True to wrap complex decoders in a unique pointer.
The source code file.
Build a source file for RPC complex types.
The RPC complex types to build the encoders from.
Name of the decoder class. Can be null or empty to use default.
Name of the encoder class. Can be null or empty to use default.
Name of the generated namespace. Null or empty specified no namespace.
The code generation options, can be null.
The code dom provider, such as CSharpDomProvider
The source code file.
Build a source file for RPC complex types.
The RPC complex types to build the encoders from.
Name of the decoder class. Can be null or empty to use default.
Name of the encoder class. Can be null or empty to use default.
Name of the generated namespace. Null or empty specified no namespace.
True to wrap complex decoders in a unique pointer.
The source code file.
Build a source file for RPC complex types.
The RPC complex types to build the encoders from.
Name of the decoder class. Can be null or empty to use default.
Name of the encoder class. Can be null or empty to use default.
Name of the generated namespace. Null or empty specified no namespace.
The source code file.
Build a source file for RPC complex types.
The RPC complex types to build the encoders from.
The C# source code file.
Compile an in-memory assembly for the RPC client.
The RPC server to base the client on.
Additional builder arguments.
True to ignore cached assemblies.
Code DOM provider to compile the assembly.
The compiled assembly.
This method will cache the results of the compilation against the RpcServer.
Compile an in-memory assembly for the RPC client.
The RPC server to base the client on.
Additional builder arguments.
True to ignore cached assemblies.
The compiled assembly.
This method will cache the results of the compilation against the RpcServer.
Compile an in-memory assembly for the RPC client.
The RPC server to base the client on.
Additional builder arguments.
The compiled assembly.
This method will cache the results of the compilation against the RpcServer.
Compile an in-memory assembly for the RPC client.
The RPC server to base the client on.
True to ignore cached assemblies.
The compiled assembly.
This method will cache the results of the compilation against the RpcServer.
Compile an in-memory assembly for the RPC client.
The RPC server to base the client on.
The compiled assembly.
This method will cache the results of the compilation against the RpcServer.
Create an instance of an RPC client.
The RPC server to base the client on.
True to ignore cached assemblies.
Additional builder arguments.
Code DOM provider to compile the assembly.
The created RPC client.
This method will cache the results of the compilation against the RpcServer.
Create an instance of an RPC client.
The RPC server to base the client on.
True to ignore cached assemblies.
Additional builder arguments.
The created RPC client.
This method will cache the results of the compilation against the RpcServer.
Create an instance of an RPC client.
The RPC server to base the client on.
Additional builder arguments.
The created RPC client.
This method will cache the results of the compilation against the RpcServer.
Create an instance of an RPC client.
The RPC server to base the client on.
The created RPC client.
This method will cache the results of the compilation against the RpcServer.
Flags for the RPC client builder.
None.
Generate public properties on the client to create defined complex types.
If not specified then constructors will be defined on the types themselves.
Insert breakpoints into the start of every generated method. Also enables debugging.
Disable calculated correlation information. This will prevent automatic updating of array and
string lengths based on other parameters or fields. This might result in unexpected behavior or
call failures. This won't disable correlations for union types or constant correlations.
Don't emit any namespace, normally not specifying a namespace will auto-generate one.
Output FC_CHAR as if the original compiler had specified unsigned char types. Basically converts
System.SByte to System.Byte where needed which makes the methods easier to use.
Return ref/out parameters via a structure rather than requiring ref/out parameters in client
methods.
When using StructureReturn hide the original out/ref methods.
Generate encode/decode methods for complex types.
Exclude any text in the source code which can change between generations.
Wrap complex type decoders with a unique pointer.
Marshal pipe parameters using arrays.
Arguments for the RPC client builder.
Builder flags.
The namespace for the client class.
The class name of the client.
The class name of the complex type encoding class.
The class name of the complex type decoder class.
Enable debugging on built code.
GetHashCode implementation.
The hash code.
Equals implementation.
The object to compare against.
True if the object is equal.
Response data from an RPC client call.
The marshaled NDR data from the response.
Any object handles returned in the response. (only for ALPC).
Indicates the NDR data representation for the response.
Class to represent details about a server process.
The server process ID.
The server session ID.
The name of the process.
Get the process image path.
Overridden ToString method.
Some addition internal utilities for RPC code.
Specify RPC trace level.
Specify the RPC trace level.
This dumps NDR data. Verbose dumps the binary data.
Specify RPC transport trace level.
Specify the RPC transport trace level.
Verbose dumps the transport binary data.
Helper to dereference a type.
The type to dereference.
The value to dereference.
The dereferenced result.
Helper to dereference a type.
The type to dereference.
The value to dereference.
The dereferenced result.
Helper to check for NULL.
The type to check.
The object to check.
The name of the value to check.
The checked value.
Helper to check for NULL.
The type to check.
The object to check.
The name of the value to check.
The checked value.
Helper to check for NULL.
The type to check.
The object to check.
The name of the value to check.
The checked value.
Helper to dereference a type.
The type to dereference.
The value to dereference.
The dereferenced result.
Helper to perform a plus unary operation.
The value to apply the operator to.
The result.
Helper to perform a minus unary operation.
The value to apply the operator to.
The result.
Helper to perform a complement unary operation.
The value to apply the operator to.
The result.
Perform a ternary operation.
The condition to evaluate as != 0.
The result if true.
The result if false.
The result.
Perform ADD.
The left operand.
The right operand.
The result.
Perform SUB.
The left operand.
The right operand.
The result.
Perform MUL.
The left operand.
The right operand.
The result.
Perform DIV.
The left operand.
The right operand.
The result.
Perform MOD.
The left operand.
The right operand.
The result.
Perform Bitwise AND.
The left operand.
The right operand.
The result.
Perform Bitwise OR.
The left operand.
The right operand.
The result.
Perform bitwise XOR. Needed as Code DOM doesn't support XOR.
The left operand.
The right operand.
The result.
Perform bitwise LEFTSHIFT.
The left operand.
The right operand.
The result.
Perform bitwise RIGHTSHIFT.
The left operand.
The right operand.
The result.
Perform logical AND.
The left operand.
The right operand.
The result.
Perform logical OR.
The left operand.
The right operand.
The result.
Perform EQUAL.
The left operand.
The right operand.
The result.
Perform NOTEQUAL.
The left operand.
The right operand.
The result.
Perform GREATER.
The left operand.
The right operand.
The result.
Perform GREATEREQUAL.
The left operand.
The right operand.
The result.
Perform LESS.
The left operand.
The right operand.
The result.
Perform LESSEQUAL.
The left operand.
The right operand.
Returns left LESSEQUAL right.
Convert value to a boolean.
The value
True if value != 0.
Convert value to a boolean.
The value
True if value != 0.
Convert value to a boolean.
The value
True if value != 0.
Convert value to a boolean.
The value
True if value != 0.
Convert value to a boolean.
The value
True if value != 0.
Convert value to a boolean.
The value
True if value != 0.
Convert value to a boolean.
The value
True if value != 0.
Convert value to a boolean.
The value
True if value != 0.
Convert value to a boolean.
The value
True if value != 0.
Convert value to a boolean.
The nullable value
True if value has a value set.
Convert value to a boolean.
The nullable value
True if value has a value set.
Compose a string binding from its parts.
The object UUID.
The protocol sequence.
The network address.
The endpoint.
The options.
The composed binding string.
Interface to implement an RPC client transport.
Bind the RPC transport to a specified interface.
The interface ID to bind to.
The interface version to bind to.
The transfer syntax to use.
The transfer syntax version to use.
Send and receive an RPC message.
The procedure number.
The object UUID for the call.
NDR data representation.
Marshal NDR buffer for the call.
List of handles marshaled into the buffer.
Client response from the send.
Add and authenticate a new security context.
The transport security for the context.
The created security context.
Disconnect the transport.
Get whether the client is connected or not.
Get the endpoint the client is connected to.
Get the transport protocol sequence.
Get whether the client has been authenticated.
Get the transport's authentication type.
Get the transport's authentication level.
Get information about the local server process, if known.
Get the current Call ID.
Indicates if this connection supported multiple security context.
Get the list of negotiated security context.
Get or set the current security context.
Get whether the transport supports synchronous pipes.
RPC client transport over ALPC.
Constructor.
The path to connect. The format depends on the transport.
The security quality of service for the connection.
Constructor.
The path to connect. The format depends on the transport.
The security quality of service for the connection.
Timeout for connection.
Bind the RPC transport to an interface.
The interface ID to bind to.
The interface version to bind to.
The transfer syntax to use.
The transfer syntax version to use.
Send and receive an RPC message.
The procedure number.
The object UUID for the call.
NDR data representation.
Marshal NDR buffer for the call.
List of handles marshaled into the buffer.
Client response from the send.
Dispose of the client.
Disconnect the client.
Add and authenticate a new security context.
The transport security for the context.
The created security context.
Get whether the client is connected or not.
Get the ALPC port path that we connected to.
Get the current Call ID.
Get the transport protocol sequence.
Get information about the local server process, if known.
Get whether the client has been authenticated.
Get the transports authentication type.
Get the transports authentication level.
Indicates if this connection supported multiple security context.
Get the list of negotiated security context.
Get or set the current security context.
Get whether the transport supports synchronous pipes.
Flags to specify RPC authentication capabilities.
None.
Enable mutual authentication.
Enable a NULL session authentication.
Enable delegation of credentials if supported.
Authentication level for RPC transport.
Default.
None.
Connect only.
Call only.
Packet only.
Packet integrity.
Packer privacy and integrity.
RPC authentication type.
Default. Uses WinNT.
No authentication.
DCE private.
DCE public.
DEC public.
SPNEGO authentication.
WinNT authentication, i.e. NTLM.
Secure channel.
Kerberos.
DPA.
MSN.
Digest.
Kernel.
SPNEGO extender.
PKU2U
LiveSSP
LiveXP SSP.
CloudAP.
Netlogon.
MS Online.
Message Queue.
Interface to implement an RPC client transport factory.
Connect a new RPC client transport.
The RPC endpoint.
The transport security for the connection.
The connected transport.
Factory for RPC client transports.
Add a new transport factory.
The protocol sequence to add.
The transport factory.
Connect a client transport from an endpoint.
The RPC endpoint.
The security quality of service for the connection.
The connected client transport.
Thrown if protocol sequence unsupported.
Other exceptions depending on the connection.
Connect a client transport from an endpoint.
The RPC endpoint.
The transport security for the connection.
The connected client transport.
Thrown if protocol sequence unsupported.
Other exceptions depending on the connection.
Base class for a DCE/RPC connected client transport. This implements the common functions
of the DCE/RPC specs for connected network based RPC transports.
Constructor.
The initial maximum receive fragment length.
The initial maximum send fragment length.
The transport security for the connection.
The data representation.
Read the next fragment from the transport.
The maximum receive fragment length.
The read fragment.
Write the fragment to the transport.
The fragment to write.
True if successfully wrote the fragment.
Get whether the client is connected or not.
Get the endpoint the client is connected to.
Get the transport protocol sequence.
Get information about the server process, if known.
Get whether the client has been authenticated.
Get the transports authentication type.
Get the transports authentication level.
Get the transport authentication context.
Indicates if this connection supported multiple security context.
Get the list of negotiated security context.
Get or set the current security context.
Get the current Call ID.
Get maximum receive fragment.
Get maximum send fragment.
Get association group ID.
Get whether the transport supports synchronous pipes.
Bind the RPC transport to a specified interface.
The interface ID to bind to.
The interface version to bind to.
The transfer syntax to use.
The transfer syntax version to use.
Add and authenticate a new security context.
The transport security for the context.
The created security context.
Send and receive an RPC message.
The procedure number.
The object UUID for the call.
NDR data representation.
Marshal NDR buffer for the call.
List of handles marshaled into the buffer.
Client response from the send.
Disconnect the transport.
Enable or disable bind time feature negotiation. You need to enable this to
use multiple security context.
Should be set before connecting an RPC client.
Dispose the transport.
Extended error information.
Computer name.
Process ID.
Timestamp.
Generating component.
Status code.
Detection location.
Flags.
Extra parameters.
Exception for RPC fault conditions.
Constructor.
The RPC status code.
Get extended error information.
RPC client transport over HyperV sockets.
Constructor.
The HyperV socket endpoint to connect to.
The transport security for the connection.
Get the transport protocol sequence.
RPC client transport over named pipes.
Constructor.
The NT pipe path to connect. e.g. \??\pipe\ABC.
The transport security for the connection.
Dispose of the client.
Disconnect the client.
Read the next fragment from the transport.
The maximum receive fragment length.
The read fragment.
Write the fragment to the transport.
The fragment to write.
True if successfully wrote the fragment.
Get whether the client is connected or not.
Get the named pipe port path that we connected to.
Get the transport protocol sequence.
Get information about the local server process, if known.
Class to implement a RPC client transport based on a stream.
Constructor.
The stream to use to communicate with the transport.
The initial maximum receive fragment length.
The initial maximum send fragment length.
The transport security for the connection.
The data representation.
Read the next fragment from the transport.
The maximum receive fragment length.
The read fragment.
Write the fragment to the transport.
The fragment to write.
True if successfully wrote the fragment.
Class to implement RPC over a stream based socket.
Constructor.
The socket to use to communicate.
The initial maximum receive fragment length.
The initial maximum send fragment length.
The transport security for the connection.
The data representation.
Disconnect the client.
Dispose of the client.
Get whether the client is connected or not.
Get the named pipe port path that we connected to.
RPC client transport over TCP/IP;
Get the server process information.
The server process information.
Constructor.
The hostname to connect to.
The TCP port to connect to.
The transport security for the connection.
Get the transport protocol sequence.
Get information about the local server process, if known.
Exception generated by the RPC transport.
Constructor.
Constructor.
Exception message.
Constructor.
Exception message.
Inner exception.
Class to represent the RPC transport security.
Security quality of service.
Authentication level.
Authentication type.
Authentication credentials.
The SPN for the authentication.
Authentication capabilities.
Constructor.
Factory to create a non-standard authentication context.
You can use this version to create a mechanism to pass existing tokens such as pass-the-hash or sending arbitrary Kerberos tickets.
Constructor.
Security quality of service.
Query the service principal name for the server.
The binding string for the server.
The authentication service to query.
True to throw on error.
The service principal name.
Query the service principal name for the server.
The binding string for the server.
The authentication service to query.
The service principal name.
Class to represent an RPC transport security context.
The ID of the security context.
The RPC transport security settings.
The authentication context.
The negotiated authentication type.
The authentication level.
Dummy class to mark the old name as obsolete.
Detaches the current buffer and allocates a new one.
The detached buffer.
The original buffer will become invalid after this call.
Safe handle for a loaded library.
Constructor
The handle to the library
True if the handle is owned by this object.
Release handle.
True if handle released.
Get the address of an exported function, throw if the function doesn't exist.
The name of the exported function.
True to throw on error.
Pointer to the exported function.
Thrown if the name doesn't exist.
Get the address of an exported function from an ordinal.
The ordinal of the exported function.
True to throw on error.
Pointer to the exported function.
Thrown if the ordinal doesn't exist.
Get the address of an exported function.
The name of the exported function.
Pointer to the exported function, or IntPtr.Zero if it can't be found.
Get the address of an exported function from an ordinal.
The ordinal of the exported function.
Pointer to the exported function, or IntPtr.Zero if it can't be found.
Get a delegate which points to an unmanaged function.
The delegate type.
The name of the function to lookup.
True to throw on error.
The delegate.
Get a delegate which points to an unmanaged function.
The delegate type. The name of the delegate is used to lookup the name of the function.
True to throw on error.
The delegate.
Get a delegate which points to an unmanaged function.
The delegate type.
The name of the function to lookup.
The delegate.
Get a delegate which points to an unmanaged function.
The delegate type. The name of the delegate is used to lookup the name of the function.
The delegate.
Pin the library into memory. This prevents FreeLibrary unloading the library until
the process exits.
Parse a library's delayed import information.
A dictionary containing the location of import information keyed against the IAT address.
Get the image sections from a loaded library.
The list of image sections.
Load the resource's bytes from the module.
The name of the resource.
The type of the resource.
True to throw on error.
The bytes for the resource.
Load the resource's bytes from the module.
The name of the resource.
The type name of the resource.
True to throw on error.
The bytes for the resource.
Load the resource's bytes from the module.
The name of the resource.
The well known type of the resource.
True to throw on error.
The bytes for the resource.
Load the resource's bytes from the module.
The name of the resource.
The type of the resource.
The bytes for the resource.
Load the resource's bytes from the module.
The name of the resource.
The type name of the resource.
The bytes for the resource.
Load the resource's bytes from the module.
The name of the resource.
The well known type of the resource.
The bytes for the resource.
Load the resource's bytes from the module.
The name of the resource.
The type of the resource.
True to throw on error.
The bytes for the resource.
Load the resource's bytes from the module.
The name of the resource.
The type name of the resource.
True to throw on error.
The bytes for the resource.
Load the resource's bytes from the module.
The name of the resource.
The well known type of the resource.
True to throw on error.
The bytes for the resource.
Load the resource's bytes from the module.
The name of the resource.
The type of the resource.
The bytes for the resource.
Load the resource's bytes from the module.
The name of the resource.
The type name of the resource.
The bytes for the resource.
Load the resource's bytes from the module.
The name of the resource.
The well known type of the resource.
The bytes for the resource.
Get list of resource types from the loaded library.
The list of resource types.
Get list of resource types from the loaded library.
The type for the resources.
True to load the resource data.
The list of resource types.
Get list of resource types from the loaded library.
The type for the resources.
The list of resource types.
This always loads resource data into memory.
Get list of resource types from the loaded library.
The typename for the resources.
True to load the resource data.
The list of resource types.
Get list of resource types from the loaded library.
The typename for the resources.
The list of resource types.
This always loads resource data into memory.
Get list of resource types from the loaded library.
The well known type for the resources.
True to load the resource data.
The list of resource types.
Get list of resource types from the loaded library.
The well known type for the resources.
The list of resource types.
This always loads resource data into memory.
Get list of resource types from the loaded library.
True to load the resource data.
The list of resource types.
Get list of resource types from the loaded library.
The list of resource types.
This always loads resource data into memory.
Load a string for the library's string resource table.
The ID of the string.
True to throw on error.
The loaded string.
Load a string for the library's string resource table.
The ID of the string.
The loaded string.
Increases the reference count and returns a new instance.
Get path to loaded module.
Get the module name.
Whether this library is mapped as an image.
Whether this library is mapped as a datafile.
Get current mapped image base.
Get original image base address.
Get image entry point RVA.
Get image entry point address as mapped.
Get whether the image is 64 bit or not.
Get the image's DLL characteristics flags.
Get exports from the DLL.
Get imports from the DLL.
Return resolved API set imports for the DLL.
Get CodeView Debug Data from DLL.
Get image signing level.
Get embedded enclave configuration.
Load a library into memory.
The path to the library.
Additonal flags to pass to LoadLibraryEx
True to throw on error.
Handle to the loaded library.
Load a library into memory.
The path to the library.
Additonal flags to pass to LoadLibraryEx
Handle to the loaded library.
Load a library into memory.
The path to the library.
Handle to the loaded library.
Get the handle to an existing loading library by name.
The name of the module.
The handle to the loaded library.
Thrown if the module can't be found.
This will take a reference on the library, you should dispose the handle after use.
Get the handle to an existing loading library by name.
The name of the module.
The handle to the loaded library. Returns Null if not found.
This will take a reference on the library, you should dispose the handle after use.
Get the handle to an existing loading library by an address in the module.
An address inside the module.
The handle to the loaded library, null if the address isn't inside a valid module.
This will take a reference on the library, you should dispose the handle after use.
Pin the library into memory. This prevents FreeLibrary unloading the library until
the process exits.
The name of the module to pin.
Pin the library into memory. This prevents FreeLibrary unloading the library until
the process exits.
The address of the module to pin.
NULL load library handle.
Represents an impersonation safe win32 exception, which resolves the win32 message when Message is called.
Constructor.
Constructor.
Win32 error.
The message for the exception.
Access rights for system audit policy.
System Audit Category.
System Audit Category.
The user for the per-user category.
System Audit Category base class.
The ID of the category.
The name of the category.
List of sub categories.
Convert to string.
The name of the category.
Set audit policy on all sub categories.
The flags to set.
True to throw on error.
The audit policy flags.
Set audit policy on all sub categories.
The flags to set.
The audit policy flags.
Type of global SACL to query or set.
File type.
Key type.
Policy audit event type.
Audit policy flags.
Set unchanged.
Audit on success.
Audit on failure.
Audit nothing.
Per user policy flags.
Set unchanged.
Audit on success included.
Audit on success excluded.
Audit on failure included.
Audit on failure excluded.
Audit nothing.
Utilities for security auditing policy.
Name for the fake Audit NT type.
Get the generic mapping for directory services.
The directory services generic mapping.
Get a fake NtType for System Audit Policy.
The fake Directory Services NtType
Query the Auditing Security Descriptor.
The security information to query.
True to throw on error.
The security descriptor.
Query the Auditing Security Descriptor.
The security information to query.
The security descriptor.
Query the Auditing Security Descriptor.
The security descriptor.
Set the Auditing Security Descriptor.
The security information to set.
The security descriptor to set.
True to throw on error.
The NT status code.
Set the Auditing Security Descriptor.
The security information to set.
The security descriptor to set.
The NT status code.
Query the global SACL.
The global SACL type.
True to throw on error.
The global SACL in a Security Descriptor.
Query the global SACL.
The global SACL type.
The global SACL in a Security Descriptor.
Set the global SACL.
The global SACL type.
The SACL to set in an Security Descriptor.
True to throw on error.
The NT status code.
Set the global SACL.
The global SACL type.
The SACL to set in an Security Descriptor.
The NT status code.
Get list of Audit Policy categories.
True to throw on error.
The list of categories.
Get list of Audit Policy categories.
The list of categories.
Get a single category.
The category type.
The audit category.
Get a single category.
The category GUID.
The audit category.
Get all per-user categories for denied users.
True to throw on error.
The list of per-user categories.
Get all per-user categories for denied users.
The list of per-user categories.
Get list of per-user Audit Policy categories.
The user SID to query.
True to throw on error.
The list of categories.
Get list of per-user Audit Policy categories.
The user SID to query.
The list of categories.
Get a single per-user category.
The user SID to query.
The category type.
The audit category.
Get a single per-user category.
The user SID to query.
The category GUID.
The audit category.
Class representing an Audit Sub Category.
The category.
Class representing an Audit Sub Category.
The category.
The user for the per-user category.
Class representing an Audit Sub Category. Base class.
Enum type for the Policy flags.
The ID of the sub category.
The name of the sub category.
The Current Audit Policy
Convert to string.
The name of the subcategory.
Query audit policy.
True to throw on error.
The audit policy flags.
Set audit policy.
The flags to set.
True to throw on error.
The audit policy flags.
Set audit policy.
The flags to set.
The audit policy flags.
Authentication token constructed from ASN1.
Format the Authentication Token.
The Formatted Token.
Try and parse data into an ASN1 authentication token.
The data to parse.
The ASN1 authentication token.
True if this is a token from a client.
The token count number.
True if parsed successfully.
Base class for authentication credentials.
Security data representation.
Native representation.
Network representation.
Credital flags.
Inbound credentials.
Outbound credentials.
Both credentials direction.
Default.
Auto logon restricted. Don't use automatic credentials.
Only process policy.
Initialize context request flags.
Initialize context return flags.
Access context request flags.
Accept context return flags.
Security package capability flags.
Supports integrity on messages
Supports privacy (confidentiality)
Only security token needed
Datagram RPC support
Connection oriented RPC support
Full 3-leg required for re-auth.
Server side functionality not available
Supports extended error msgs
Supports impersonation
Accepts Win32 names
Supports stream semantics
Can be used by the negotiate package
GSS Compatibility Available
Supports common LsaLogonUser
Token Buffers are in ASCII
Package can fragment to fit
Package can perform mutual authentication
Package can delegate
Supports integrity readonly checksum buffers.
Package supports restricted callers
This package extends SPNEGO, there is at most one
This package is negotiated under the NegoExtender
This package receives all calls from appcontainer apps
this package receives calls from appcontainer apps
if the following checks succeed
1. Caller has domain auth capability or
2. Target is a proxy server or
3. The caller has supplied creds
This package is running with Credential Guard enabled
this package supports reliable detection of loopback
1.) The client and server see the same sequence of tokens
2.) The server enforces a unique exchange for each
non-anonymous authentication. (Replay detection)
Impersonation context for a server authentication.
Base class which represents an authentication key.
An authentication package entry.
Authentication package name for MSV1.0
Authentication package name for Kerberos.
Authentication package name for Negotiate.
Authentication package name for NTLM.
Authentication package name for Digest.
Authentication package name for SChannel.
Authentication package name for CredSSP.
Capabilities of the package.
Version of the package.
RPC DCE ID.
Max token size.
Name of the package.
Comment for the package.
Get authentication packages.
The list of authentication packages.
Get authentication package names.
The list of authentication package names.
Get an authentication package by name.
The name of the package.
The authentication package.
Base class to represent an authentication token.
Decrypt the Authentication Token using a keyset.
The set of keys to decrypt the
The decrypted token, or the same token if nothing could be decrypted.
Convert the authentication token to a byte array.
The byte array.
Get the length of the token in bytes.
Format the authentication token.
The token as a formatted string.
Constructor.
The authentication token data.
Parse a structured authentication token.
The authentication context.
The token to parse.
The parsed authentication token. If can't parse any other format returns
a raw AuthenticationToken.
Parse a structured authentication token.
The package name to parse as.
True if the token is from a client.
The token to parse.
The parsed authentication token. If can't parse any other format returns
a raw AuthenticationToken.
Class to represent a client authentication context.
The current authentication token.
Whether the authentication is done.
Current request attribute flags.
Current return attribute flags.
Current data representation.
Current target name.
Current channel binding.
Current status flags.
Expiry of the authentication.
Get the Session Key for this context.
Get the maximum signature size of this context.
Get the size of the security trailer for this context.
Size of any header when using a stream protocol such as Schannel.
Size of any trailer when using a stream protocol such as Schannel.
Number of buffers needed when using a stream protocol such as Schannel.
Maximum message size when using a stream protocol such as Schannel.
Preferred block size when using a stream protocol such as Schannel.
Get the local certificate. Only used for Schannel related authentication.
Get the remote certificate. Only used for Schannel related authentication.
Get the last token status for the client context.
Get the name of the authentication package.
Get connection information for the schannel connection.
Get whether the authentication context is for loopback.
Get or set whether the context owns the credentials object or not. If true
then the credentials are disposed with the context.
Constructor.
Credential handle.
Request attribute flags.
Target SPN (optional).
Data representation.
Optional channel binding token.
Specify to default initialize the context. Must call Continue with an auth token to initialize.
Constructor.
Credential handle.
Request attribute flags.
Target SPN (optional).
Data representation.
Optional channel binding token.
Constructor.
Credential handle.
Request attribute flags.
Target SPN (optional).
Data representation.
Constructor.
Credential handle.
Request attribute flags.
Data representation.
Constructor.
Credential handle.
Continue the authentication with the server token.
The server token to continue authentication.
Continue the authentication..
The server token to continue authentication.
Additional input buffers for the continue, does not need to include the token.
Continue the authentication.
The server token to continue authentication.
Additional input buffers for the continue, does not need to include the token.
Additional output buffers, does not need to include the token.
Continue the authentication without any token.
Input buffers for the continue. Does not contain a token.
Specify additional output buffers, does not need to include the token.
True to throw on error.
This sends the input buffers directly to the initialize call, it does not contain any token.
Continue the authentication without any token.
Input buffers for the continue. Does not contain a token.
Specify additional output buffers, does not need to include the token.
This sends the input buffers directly to the initialize call, it does not contain any token.
Continue the authentication. Will not pass any buffers to the initialize call.
Make a signature for this context.
The message buffers to sign.
The sequence number.
The signature blob.
Make a signature for this context.
The message to sign.
The sequence number.
The signature blob.
Verify a signature for this context.
The message to verify.
The signature blob for the message.
The sequence number.
True if the signature is valid, otherwise false.
Verify a signature for this context.
The messages to verify.
The signature blob for the message.
The sequence number.
True if the signature is valid, otherwise false.
Encrypt a message for this context.
The message to encrypt.
Quality of protection flags.
The encrypted message.
The sequence number.
Encrypt a message for this context.
The messages to encrypt.
Quality of protection flags.
The signature for the messages.
The messages are encrypted in place. You can add buffers with the ReadOnly flag to prevent them being encrypted.
The sequence number.
Encrypt a message for this context with no specific signature.
The messages to encrypt.
Quality of protection flags.
The sequence number.
The messages are encrypted in place. You can add buffers with the ReadOnly flag to prevent them being encrypted.
If you need to return a signature then it must be specified in a buffer.
Decrypt a message for this context.
The message to decrypt.
The sequence number.
The decrypted message.
Decrypt a message for this context.
The messages to decrypt.
The sequence number.
The signature for the messages.
The messages are decrypted in place. You can add buffers with the ReadOnly flag to prevent them being decrypted.
Decrypt a message for this context.
The messages to decrypt.
The sequence number.
The messages are decrypted in place. You can add buffers with the ReadOnly flag to prevent them being decrypted.
If you need to specify a signature you need to add a buffer.
Query the context's package info.
The authentication package info,
Export and delete the current security context.
The exported security context.
The security context will not longer be usable afterwards.
Dispose the client context.
Finalizer.
Class to represent a credential handle.
Name of the authentication package used.
Expiry of the credentials.
Constructor.
User principal.
The package name.
Optional authentication ID for the user.
Credential user flags.
Optional authentication data.
Create a new credential handle.
User principal.
The package name.
Optional authentication ID for the user.
Credential user flags.
Optional credentials.
The credential handle.
Create a new credential handle.
The package name.
Optional authentication ID for the user.
Credential user flags.
Optional credentials.
The credential handle.
Create a new credential handle.
The package name.
Credential user flags.
Optional credentials.
The credential handle.
Create a new credential handle.
The package name.
Credential user flags.
The credential handle.
Dispose.
Finalizer.
Credentials for the CredSSP package.
This is only needed if you must have both schannel and user credentials. Otherwise use UserCredentials or SchannelCredentials.
Constructor.
The credentials for the Schannel connection.
The credentials for the user.
Constructor.
The credentials for the user.
Authentication token for a digest token.
The digest token as a string.
Format the authentication token.
An encrypted message.
The encrypted message.
The signature for the message.
Constructor.
The encrypted message.
The signature for the message.
Class to represent an exported security context.
The name of the package for this security context.
The serialized context.
The context's token.
Dispose the exported context.
A class which represents an GSS-API Token.
Interface for authentication contexts.
The current authentication token.
Whether the authentication is done.
Expiry of the authentication.
Session key for the context.
Make a signature for this context.
The message to sign.
The sequence number.
The signature blob.
Verify a signature for this context.
The message to verify.
The signature blob for the message.
The sequence number.
True if the signature is valid, otherwise false.
Make a signature for this context.
The message buffers to sign.
The sequence number.
The signature blob.
Verify a signature for this context.
The messages to verify.
The signature blob for the message.
The sequence number.
True if the signature is valid, otherwise false.
Encrypt a message for this context.
The message to encrypt.
Quality of protection flags.
The encrypted message.
The sequence number.
Encrypt a message for this context.
The messages to encrypt.
Quality of protection flags.
The signature for the messages.
The messages are encrypted in place. You can add buffers with the ReadOnly flag to prevent them being encrypted.
The sequence number.
Encrypt a message for this context with no specific signature.
The messages to encrypt.
Quality of protection flags.
The sequence number.
The messages are encrypted in place. You can add buffers with the ReadOnly flag to prevent them being encrypted.
If you need to return a signature then it must be specified in a buffer.
Decrypt a message for this context.
The message to decrypt.
The sequence number.
The decrypted message.
Decrypt a message for this context.
The messages to decrypt.
The signature for the messages.
The sequence number.
The messages are decrypted in place. You can add buffers with the ReadOnly flag to prevent them being decrypted.
Decrypt a message for this context.
The messages to decrypt.
The sequence number.
The messages are decrypted in place. You can add buffers with the ReadOnly flag to prevent them being decrypted.
If you need to specify a signature you need to add a buffer.
Export and delete the current security context.
The exported security context.
The security context will not longer be usable afterwards.
Query the context's package info.
The authentication package info,
Get the name of the authentication package.
Continue the authentication with the token.
The token to continue authentication.
Continue the authentication..
The token to continue authentication.
Additional input buffers for the continue, does not need to include the token.
Continue the authentication.
The token to continue authentication.
Additional input buffers for the continue, does not need to include the token.
Specify additional output buffers, does not need to include the token.
Continue the authentication.
Additional input buffers for the continue. Does not contain a token.
Specify additional output buffers, does not need to include the token.
This sends the input buffers directly to the initialize call, it does not contain any token.
Continue the authentication. Will not pass any buffers to the accept call.
Get the maximum signature size of this context.
Get the size of the security trailer for this context.
Interface for a client authentication context.
Get the last token status for the client context.
Placeholder interface for a server authentication context.
Utilities for building Kerberos structures.
Class to represent a Kerberos AP Reply.
Encrypted mutual authentication data.
Format the Authentication Token.
The Formatted Token.
Decrypt the Authentication Token using a keyset.
The set of keys to decrypt the
The decrypted token, or the same token if nothing could be decrypted.
Try and parse data into an ASN1 authentication token.
The data to parse.
The Negotiate authentication token.
Parsed DER Values.
Encrypted part for AP-REP messages.
Client uS.
Client time.
Subkey.
Sequence number.
Options for AP Request
None.
Use Session Key.
Mutual authentication required.
Class to represent a Kerberos AP Request.
AP Request Options.
The Kerberos Ticket.
Authenticator data.
Format the Authentication Token.
The Formatted Token.
Decrypt the Authentication Token using a keyset.
The set of keys to decrypt the
The decrypted token, or the same token if nothing could be decrypted.
Try and parse data into an ASN1 authentication token.
The data to parse.
The Negotiate authentication token.
Parsed DER Values.
A single kerberos key.
The Key encryption type.
The key.
The key name type.
The Realm for the key.
The name components for the key.
Principal name as a string.
Timestamp when key was created.
Key Version Number (KVNO).
Constructor.
The Key encryption type.
The key.
The key name type.
The Realm for the key.
The name components for the key.
Timestamp when key was created.
Key Version Number (KVNO).
Constructor.
The Key encryption type.
The key.
The key name type.
The Realm for the key.
The name components for the key.
Timestamp when key was created.
Key Version Number (KVNO).
Constructor.
The Key encryption type.
The key.
The key name type.
Principal for key, in form TYPE/name@realm.
Timestamp when key was created.
Key Version Number (KVNO).
Constructor.
The Key encryption type.
The key as a hex string.
The key name type.
Principal for key, in form TYPE/name@realm.
Timestamp when key was created.
Key Version Number (KVNO).
Derive a key from a password.
Not all encryption types are supported.
The key encryption to use.
The password to derice from.
Iterations for the password derivation.
The key name type.
Principal for key, in form TYPE/name@realm.
Salt for the key.
Key Version Number (KVNO).
Authentication Token for Kerberos.
Protocol version.
Message type.
Parse bytes into a kerberos token.
The kerberos token in bytes.
The Kerberos token.
Try and parse data into an Kerberos authentication token.
The data to parse.
The Kerberos authentication token.
True if this is a token from a client.
The token count number.
True if parsed successfully.
Class to represent an unencrypted kerberos authenticator.
Authenticator version.
Client realm.
Client name.
Checksum value.
Client uS.
Client time.
Subkey.
Sequence number.
Authorization data.
Type of Authorization Data.
Class representing Kerberos authentication data.
Type of authentication data.
Data bytes.
Flags for the AD-AUTH-DATA-AP-OPTIONS authorization data.
Class to represent the AD-AUTH-DATA-AP-OPTIONS authorization data.
Flags for the AD-AUTH-DATA-AP-OPTIONS authorization data.
Class to represent AD_ETYPE_NEGOTIATION type.
List of supported encryption types.
Class to represent a KERB_LOCAL authorization data value.
The security context identifier for the KERB_LOCAL value.
Class to represent AD_WIN2K_PAC type.
List of PAC entries.
Source of a set of claims.
From Active Directory.
From a certificate.
A single claim set.
The source of the claims array.
The list of claim attributes.
Class representing a Claims Set in the PAC.
List of claims arrays.
Class to represent PAC Client Info.
Client ID.
Name of client.
Class to represent PAC Device Info.
Sid of the Device.
Primary group SID.
List of account groups.
List of extra SIDs.
List of domain groups.
Type for the PAC Entry.
Single PAC Entry.
Type of PAC entry.
The PAC data.
User account control flags.
User flags for kerberos authentication.
Class to represent PAC Logon Information.
Logon time.
Logoff time.
Kick off time.
Time password last set.
Time password can change.
Time password must change.
Effective name.
Full name.
Logon script path.
Profile path.
Home directory path.
Home directory drive.
Logon count.
Bad password count.
User SID.
Primary group SID.
Group list.
User flags.
User session key.
Logon server name.
Logon domain name.
Logon domain sid.
Extra SIDs.
User account control flags.
Resource domain group SID.
Resource groups.
Class to represent a PAC signature.
Signature type.
Signature.
Read-only Domain Controller Identifier.
Flags for the UPN_DNS_INFO.
No flags.
The user has no UPN.
Class to represent UPN_DNS_INFO.
Flags.
The User Principal Name.
The DNS Domain Name.
Flags for KerberosAuthorizationDataRestrictionEntry
Full UAC token.
Limited UAC token.
Class to represent the KERB_AD_RESTRICTION_ENTRY AD type.
Flags.
Token IL.
Machine ID.
Class to represent the AD-AUTH-DATA-TARGET-NAME authorization data.
The target name.
Class to represent a Kerberos Checksum.
Type of kerberos checksum.
The checksum value.
Flags for GSSAPI Checksum.
A kerberos checksum in GSS API Format.
Channel binding hash.
Flags for checksum.
Delegation option identifier.
KRB_CRED structure when in delegation.
Additional extension data.
Kerberos Checksum Type.
Class representing a KRB-CRED structure.
List of tickets in this credential.
Encrypted part contains sesssion keys etc.
Format the Authentication Token.
The Formatted Token.
Decrypt the Authentication Token using a keyset.
The set of keys to decrypt the
The decrypted token, or the same token if nothing could be decrypted.
Try and parse data into an ASN1 authentication token.
The data to parse.
The Negotiate authentication token.
Parsed DER Values.
Class to represent Kerberos Encrypted Data.
Encryption type for the CipherText.
Key version number.
Cipher Text.
Kerberos Encryption Type.
Class to represent a Kerberos Error.
Client time.
Client micro-seconds.
Server time.
Server micro-seconds.
Error code.
Client realm.
Client name.
Server realm.
Server name,
Error text.
Error data.
Format the Authentication Token.
The Formatted Token.
Create a new KRB-ERROR authentication token.
Optional client time.
Server time.
Error code.
Optional client realm.
Optional client name.
Server realm
Server name.
Optional error text.
Optional error data.
The KRB-ERROR authentication token.
Try and parse data into an ASN1 authentication token.
The data to parse.
The Negotiate authentication token.
Parsed DER Values.
Kerberos Error Type.
Class to represent a cached external ticket.
Service name.
Target name.
Client name.
Domain name.
Target domain name.
Alt target domain name.
Session key for ticket.
Ticket flags.
Additional reserved flags.
Key expiration time.
Ticket start time.
Ticket end time.
Ticket renew time.
Time skew.
Ticket.
Type of Kerberos Host Address.
Class representing a Kerberos Host Address.
Type of host address.
Address bytes.
ToString Method.
The formatted string.
A set of Kerberos Keys.
Get keys which match the encryption type.
The encryption type.
The list of keys which match the encryption type.
Add a key to the key set.
The key to add.
True if the key was added, false if the key already existed.
Remove a key from the key set.
The key to remove.
True if the key was removed.
Find a key based on various parameters.
The encryption type.
The name type.
The principal.
The key version.
Read keys from a MIT KeyTab file.
The file stream.
The key set.
Throw if invalid file.
Read keys from a MIT KeyTab file.
The file path.
The key set.
Throw if invalid file.
Constructor.
Constructor.
The single kerberos key.
Constructor.
A list of kerberos keys.
Key usage for kernel encryption.
Kerberos Message Type.
Kerberos Name Type.
Kerberos Pre-Authentication Data Types.
A Kerberos Principal Name.
The name type.
The names for the principal.
Full name.
ToString method.
String of the object.
Get principal name with a realm.
The realm for the principal.
The principal.
Constructor.
The type of the principal name.
The list of names for the principal.
Class to represent a User to User TGT Reply.
The Kerberos Ticket.
Format the Authentication Token.
The Formatted Token.
Decrypt the Authentication Token using a keyset.
The set of keys to decrypt the
The decrypted token, or the same token if nothing could be decrypted.
Create a new TGT-REP authentication token.
The TGT ticket to embed in the token.
The
Create a new TGT-REP authentication token.
The TGT ticket to embed in the token.
The
Try and parse data into an ASN1 authentication token.
The data to parse.
The Negotiate authentication token.
Parsed DER Values.
Class to represent a User to User TGT Request.
Realm.
Server name.
Format the Authentication Token.
The Formatted Token.
Create a new TGT-REQ authentication token.
Optional realm string.
Optional server name.
The new TGT-REQ authentication token.
Create a new TGT-REQ authentication token without the GSS-API wrapper.
Optional realm string.
Optional server name.
The new TGT-REQ authentication token.
Try and parse data into an ASN1 authentication token.
The data to parse.
The Negotiate authentication token.
Parsed DER Values.
Class to represent a Kerberos ticket.
Version number for the ticket.
Realm.
Server name.
Encrypted data for the ticket.
Get the principal for the ticket.
Indicates that the ticket has been decrypted.
Decrypt the kerberos ticket.
The Kerberos key set containing the keys.
The key usage for the decryption.
The decrypted kerberos ticket.
Format the ticket to a string.
The ticket as a string.
Convert the ticket to an array.
The ticket as an array.
Class to query the Kerberos Ticket Cache from LSASS.
Get a Kerberos Ticket.
The target service for the Ticket.
True to only query for cached tickets.
True to throw on error.
The Kerberos Ticket.
Get a Kerberos Ticket.
The target service for the Ticket.
True to only query for cached tickets.
The Kerberos Ticket.
Get a Kerberos Ticket.
The target service for the Ticket.
The Kerberos Ticket.
Query Kerberos Ticket cache.
The Logon Session ID to query.
True to throw on error.
The list of cached tickets.
Query Kerberos Ticket cache.
The Logon Session ID to query.
The list of cached tickets.
Query Kerberos Ticket cache for the current logon session.
The list of cached tickets.
Flags for a Kerberos Ticket.
Class to represent a Decrypted Kerberos ticket.
Ticket flags.
Client Realm.
Client name.
Authentication time,
Start time.
End time.
Renew till time.
The kerberos session key.
The ticket transited type information.
List of host addresses for ticket.
List of authorization data.
The supported transited encoding types.
None.
X.500 Compress.
Class to represent a Kerberos Transiting Encoding.
Transited encoding type.
Transited encoding data.
Utilities for Kerberos authentication.
Read keys from a MIT KeyTab file.
The file stream.
The list of keys.
Throw if invalid file.
Read keys from a MIT KeyTab file.
The file path.
The list of keys.
Throw if invalid file.
Write keys to a MIT KeyTab file.
The file stream.
List of key entries.
Write keys to a MIT KeyTab file.
The file path.
List of key entries.
Generate an MIT KeyTab file.
List of key entries.
The keytab file as bytes.
Class to represent a Local Logon Session.
Logon/Authentication ID for session.
Username.
Logon domain.
Get the FQ User Name.
Authentication package.
Logon type.
Session ID.
User SID.
Logon Time.
Logon Server.
DNS Domain Name.
User Principal Name.
User Flags.
Last successful logon.
Last failed logon.
Count of failed logon attempts.
Logon script path.
Profile path.
Home directory.
Home directory drive.
Logoff time.
Kickoff Time.
Time password last set.
Password can change.
Password must change.
Get a logon session.
The logon session ID.
True to thrown on error.
The logon session.
Get the logon session LUIDs
True throw on error.
The list of logon sessions. Only returns ones you can access.
Get the logon sessions.
True throw on error.
The list of logon sessions. Only returns ones you can access.
Class to represent an LSA logon handle.
Connect to the LSA untrusted.
True to throw on error.
The LSA logon handle.
Connect to the LSA untrusted.
The LSA logon handle.
Connect to LSA and register as a logon process.
The arbitrary name of the process.
True to throw on error.
The LSA logon handle.
Connect to LSA and register as a logon process.
The arbitrary name of the process.
The LSA logon handle.
Logon a user.
The type of logon.
The authentication package to use.
The name of the origin.
The token source context.
The authentication credentials buffer.
Additional local groups.
True to throw on error.
The LSA logon result.
Logon a user.
The type of logon.
The authentication package to use.
The name of the origin.
The token source context.
The authentication credentials buffer.
Additional local groups.
The LSA logon result.
Dispose of the LSA logon handle.
Result from an LsaLogonUser call.
The user's token.
The user's profile information. Format depends on the authentication package.
The authentication ID of the logon session.
Paged pool quota.
Non paged pool quota.
Minimum working set size.
Maximum working set size.
Page file limit.
Process time limit.
Dispose the LSA logon result.
SPNEGO Authentication Token.
The negotiated authentication token.
Optional message integrity code.
Decrypt the Authentication Token using a keyset.
The set of keys to decrypt the
The decrypted token, or the same token if nothing could be decrypted.
Format the authentication token.
The token as a formatted string.
Parse bytes into a negotiate token.
The negotiate token in bytes.
The Negotiate token.
Try and parse data into an Negotiate authentication token.
The data to parse.
The Negotiate authentication token.
True if this is a token from a client.
The token count number.
True if parsed successfully.
Flags for negotiation context.
Class to represent the negTokenInit message in SPNEGO.
List of supported negotiation mechanisms.
Context flags.
State of the Negotiate state.
Negotiate completed.
Negotiate incomplete.
Negotiate rejected.
Request Message Integrity Code.
Class to represent the negTokenResp message in SPNEGO.
Supported mechanism for the token, optional.
Current state of the negotiation.
Class to represent an NTLM AUTHENTICATE token for NTLMv1.
Domain name.
Workstation name.
Username.
NTLM version.
Encrypted session key.
LM Challenge Response.
LM Challenge Response.
Message integrity code.
Message integrity code offset into the token data.
Format the authentication token.
The formatted token.
Class to represent an NTLM AUTHENTICATE token for NTLMv2.
NT Proof Response.
Challenge version.
Maximum challenge version.
Reserved field.
Reserved field.
Timestamp.
Client challenge.
Reserved field.
NTLM Target Information.
Flags for NTLM negotiation.
NTLM message type.
Base class to represent an NTLM authentication token.
Type of NTLM message.
NTLM negotitation flags.
Try and parse data into an NTLM authentication token.
The data to parse.
The NTLM authentication token.
True if this is a token from a client.
The token count number.
True if parsed successfully.
Try and parse data into an NTLM authentication token.
The data to parse.
The NTLM authentication token.
The type of the AV_PAIR.
MS AV Flags.
An NTLM AV_PAIR.
The type of the AV Pair value.
An NTLM AV_PAIR with a string value.
The string value.
ToString method.
Pair as a string.
An NTLM AV_PAIR with a timestamp value;
The timestamp value.
ToString method.
Pair as a string.
An NTLM AV_PAIR with a bytes value.
The value.
ToString method.
Pair as a string.
An NTLM AV_PAIR with a flags value.
The value.
ToString method.
Pair as a string.
An NTLM AV_PAIR with a flags value.
The the Z4 data.
Custom data blob.
Machine ID.
ToString method.
Pair as a string.
Class to represent an NTLM CHALLENGE token.
Target name.
Server challenge.
Reserved.
NTLM version.
NTLM Target Information.
Format the authentication token.
The formatted token.
Class to represent an NTLM NEGOTIATE token.
Domain name.
Workstation name.
NTLM version.
Format the authentication token.
The formatted token.
Algorithm identifiers for the crypto APIs and Schannel.
Authentication token for Schannel and CredSSP.
This is a simple parser for the TLS record format.
List of TLS records.
Format the authentication token.
The token as a formatted string.
Try and parse data into an SChannel authentication token.
The data to parse.
The SChannel authentication token.
True if this is a token from a client.
The token count number.
True if parsed successfully.
Negotiated connection information for Schannel.
The protocol used by Schannel.
The negotitated cipher algorithm.
The negotiated cipher strength in bits.
The negotiated hash algorithm.
The negotiated hash string.
The negotiated key exchange algorithm.
The negotiated key exchange strength.
Credentials for the Schannel package.
Lifespan of a session in milliseconds.
Specify flags for credentials.
Specify the supported protocols.
Set the minimum cipher strength.
Set the maximum cipher strength.
Add a certificate the the credentials. This should contain a private key.
The certificate to add.
Add an algorithm type to the credentials.
The algorithm type.
Dispose the credentials.
Flags for the Schannel credentials.
Protocol type for Schannel.
Flags for message encryption.
None.
Wrap out of bound data.
Wrap but don't encrypt.
Class to represent a server authentication context.
The current authentication token.
Whether the authentication is done.
Current request attributes.
Current data representation.
Current channel bindings.
Current return attributes.
Current status flags.
Expiry of the authentication.
Get the client name supplied by the Client.
Get the Session Key for this context.
Get the maximum signature size of this context.
Get the size of the security trailer for this context.
Size of any header when using a stream protocol such as Schannel.
Size of any trailer when using a stream protocol such as Schannel.
Number of buffers needed when using a stream protocol such as Schannel.
Maximum message size when using a stream protocol such as Schannel.
Preferred block size when using a stream protocol such as Schannel.
Get the name of the authentication package.
Get connection information for the schannel connection.
Get the local certificate. Only used for Schannel related authentication.
Get the remote certificate. Only used for Schannel related authentication.
Get whether the authentication context is for loopback.
Get or set whether the context owns the credentials object or not. If true
then the credentials are disposed with the context.
Get an access token for the authenticated user.
The user's access token.
Impersonate the security context.
The disposable context to revert the impersonation.
Continue the authentication with the client token.
The client token to continue authentication.
Continue the authentication..
The client token to continue authentication.
Specify additional input buffers, does not need to include the token.
Continue the authentication.
The client token to continue authentication.
Specify additional input buffers, does not need to include the token.
Specify additional output buffers, does not need to include the token.
Continue the authentication.
Additional input buffers for the continue. Does not contain a token.
Specify additional output buffers, does not need to include the token.
True to throw on error.
This sends the input buffers directly to the initialize call, it does not contain any token.
Continue the authentication.
Additional input buffers for the continue. Does not contain a token.
Specify additional output buffers, does not need to include the token.
This sends the input buffers directly to the initialize call, it does not contain any token.
Continue the authentication. Will not pass any buffers to the accept call.
Make a signature for this context.
The message buffers to sign.
The sequence number.
The signature blob.
Make a signature for this context.
The message to sign.
The sequence number.
The signature blob.
Verify a signature for this context.
The message to verify.
The signature blob for the message.
The sequence number.
True if the signature is valid, otherwise false.
Verify a signature for this context.
The messages to verify.
The signature blob for the message.
The sequence number.
True if the signature is valid, otherwise false.
Encrypt a message for this context.
The message to encrypt.
Quality of protection flags.
The encrypted message.
The sequence number.
Encrypt a message for this context.
The messages to encrypt.
Quality of protection flags.
The signature for the messages.
The messages are encrypted in place. You can add buffers with the ReadOnly flag to prevent them being encrypted.
The sequence number.
Encrypt a message for this context with no specific signature.
The messages to encrypt.
Quality of protection flags.
The sequence number.
The messages are encrypted in place. You can add buffers with the ReadOnly flag to prevent them being encrypted.
If you need to return a signature then it must be specified in a buffer.
Decrypt a message for this context.
The messages to decrypt.
The sequence number.
The signature for the messages.
The messages are decrypted in place. You can add buffers with the ReadOnly flag to prevent them being decrypted.
Decrypt a message for this context.
The messages to decrypt.
The sequence number.
The messages are decrypted in place. You can add buffers with the ReadOnly flag to prevent them being decrypted.
If you need to specify a signature you need to add a buffer.
Decrypt a message for this context.
The message to decrypt.
The sequence number.
The decrypted message.
Query the context's package info.
The authentication package info,
Export and delete the current security context.
The exported security context.
The security context will not longer be usable afterwards.
Constructor.
Credential handle.
Request attribute flags.
Optional channel binding token.
Data representation.
Constructor.
Credential handle.
Request attribute flags.
Data representation.
Constructor.
Credential handle.
Dispose the client context.
Finalizer.
Class to represent a service principal name.
SPN service class.
SPN service name.
SPN instance name.
SPN instance port.
SPN referrer.
Constructor.
The service class name.
The name of the instance.
Parse an SPN string to a class.
The SPN string.
The parsed class.
Thrown in invalid SPN.
Try and parse an SPN string to a class.
The SPN string.
The result class.
True if the SPN was parsed successfully.
Thrown in invalid SPN.
Convert SPN to a string.
The SPN string.
Class to hold user credentials.
The user name.
The domain.
The password as a secure string.
Constructor.
Username.
Domain name.
Password.
Set the password as in plain text.
The password in plain text.
Constructor.
Username.
Domain name.
Password.
Constructor.
Username.
Domain name.
Constructor.
Username.
Constructor.
Dispose method.
Class to represent a single authenticode certificate entry.
The list of certificates in the entry.
Whethe the entry contains page hashes.
Utilities for authenticode.
Get certificates from a PE file.
The PE file.
True the throw on error.
The list of authenticode certificate entries.
Get certificates from a PE file.
The path to the PE file.
True the throw on error.
The list of authenticode certificate entries.
Get certificates from a PE file.
The path to the PE file, native path format.
The list of authenticode certificate entries.
Gets wether the PE file has page hash entries.
The path to the PE file, native path format.
True if the file contains page hashes.
Query ELAM information from a driver's resource section.
The path to the file.
True to throw on error.
The ELAM information if present.
Query ELAM information from a driver's resource section.
The path to the file.
The ELAM information if present.
Get the VSM enclave configuration.
The path to the file.
True to throw on error.
The VSM enclave configuration.
Get the VSM enclave configuration.
The path to the file.
The VSM enclave configuration.
ELAM information.
The hash of the certificate.
The hash algorithm.
List of optional EKUs.
Overridden ToString method.
The ELAM information as a string.
Class to represent a VSM enclave configuration.
Minimum required configuration size.
Policy flags.
List of enclave imports.
Family ID.
Image ID.
Image version.
Security version.
Size of the enclave.
Number of threads for the enclave.
Enclave flags.
Is the enclave debuggable.
Is this a primary image.
Path to the image file.
Name of the image file.
ToString method.
The object as a string.
Class to represent an enclave import.
Match type for the import.
Minimum security version.
Unique or author ID.
Family ID.
Image ID.
Import name.
ToString method.
The name of the import.
Image policy entry.
Type of entry.
Policy ID.
Value of entry.
Image policy ID.
Class to represnt image policy metadata.
Version of the metadata.
The ID of the trustlet.
The optional policies for the trustlet.
Overridden ToString method.
The object as a string.
Extract image policy metadata from an image file.
The path to the image file. Should be a win32 path.
True to throw on error.
The image policy metadata.
Extract image policy metadata from an image file.
The path to the image file. Should be a win32 path.
The image policy metadata.
Access check result from AuthZ.
The Win32 error code from the access check.
Class to represent an AuthZ client context.
Get AuthZ user
Get AuthZ context groups.
Get AuthZ context restricted SIDs.
Get AuthZ context device groups.
Get AuthZ context capability SIDs.
Get AuthZ context's security attributes
Get AuthZ context's device claims.
Get AuthZ context's user claims.
Get list of privileges for the AuthZ context.
The list of privileges
Thrown if can't query privileges
Get AppContainer SID.
Indicates if this context is connected to a remote access server.
Set AppContainer Information to Context.
The package SID.
List of capabilities.
True to throw on error
The NT status code.
Set AppContainer Information to Context.
The package SID.
List of capabilities.
Modify groups in the context.
The type of group to modify.
The list of groups to modify.
The list of operations. Should be same size of group list.
True to throw on error.
The NT status code.
Modify groups in the context.
The type of group to modify.
The list of groups to modify.
The list of operations. Should be same size of group list.
Modify groups in the context.
The type of group to modify.
The list of SIDs to modify.
The attributes for the SIDs.
The operation for the SIDs.
Modify groups in the context.
The type of group to modify.
The list of SIDs to modify.
The operation for the SIDs.
Add a SID to the context.
The SID to add.
Add a Device SID to the context.
The SID to add.
Add a Device SID to the context.
The SID to add.
Add a list of SIDs to the context.
The list of SIDS.
Get list of groups for the AuthZ context.
The group type.
True to throw on error.
The list of groups.
Get list of groups for the AuthZ context.
The group type.
The list of groups.
Get the user from the AuthZ context.
True to throw on error.
The user group information.
Get the AppContainer SID from the AuthZ context.
True to throw on error.
The AppContainer SID.
Get AuthZ context's security attributes
Specify the type of security attributes to query.
Throw on error.
The security attributes.
Get token privileges.
True to throw on error.
The list of privileges.
Perform an Access Check.
The security descriptor for the check.
Optional list of security descriptors to merge.
The desired access.
Optional Principal SID.
Optional list of object types.
NT Type for access checking.
True to throw on error.
The list of access check results.
The list of object types is restricted to 256 entries for remote access checks.
Perform an Access Check.
The security descriptor for the check.
Optional list of security descriptors to merge.
The desired access.
Optional Principal SID.
Optional list of object types.
NT Type for access checking.
The list of access check results.
The list of object types is restricted to 256 entries for remote access checks.
Dispose client context.
Clone the current context.
True to throw on error.
The new client context.
Clone the current context.
The new client context.
Flags to initialize a client context from a SID.
None.
Skip gathering token groups.
Require S4U logon.
Computer token privileges.
Specify the type of SIDs.
Normal Group SIDs.
Restricted SIDs.
Device Group SIDs.
Capability SIDs.
Delegate to handle a callback ACE.
The ACE to handle.
True if the ACE should be processed.
Class to represent a AuthZ Resource Manager.
The name of the resource manager if any.
Indicates if this resource manager is connected to a remote access server.
Dispose the resource manager.
Create a client context from a Token.
The token to create the context from.
True to throw on error.
The created client context.
Create a client context from a Token.
The token to create the context from.
The created client context.
Create a client context from a Token.
The sid to create the context from.
Flags for intialization.
True to throw on error.
The created client context.
Create a client context from a Token.
The sid to create the context from.
Flags for intialization.
The created client context.
Create a new AuthZ resource manager.
The name of the resource manager, optional.
Optional flags for the resource manager.
Optional callback to handle callback ACEs.
True to throw on error.
The created AuthZ resource manager.
Create a new AuthZ resource manager.
The name of the resource manager, optional.
Optional flags for the resource manager.
Optional callback to handle callback ACEs.
The created AuthZ resource manager.
Create a new AuthZ resource manager. Will not enable auditing.
The created AuthZ resource manager.
Create a remote AuthZ resource manager from a raw binding string.
The RPC string binding for the server.
The SPN for the server.
True to throw on error.
The created AuthZ resource manager.
Create a remote AuthZ resource manager from a raw binding string.
The RPC string binding for the server.
The SPN for the server.
The created AuthZ resource manager.
Create a remote AuthZ resource manager from a raw binding string.
The address of the server.
The SPN for the server.
Specify the type of
True to throw on error.
The created AuthZ resource manager.
Create a remote AuthZ resource manager from a raw binding string.
The network address of the server.
The SPN for the server.
Specify the type of
The created AuthZ resource manager.
Initialization flags for resource manager.
None
Disable auditing.
Initialize using impersonation token.
Disable central access policies.
Type of remote service to access.
Default, no evaluation of CAPs.
Evaluates CAPs.
Security Attribute type.
Token Security Attributes.
Device Claims.
User Claims.
SID operation for an AuthZ client context.
None.
Replace all SIDs.
Add SIDs.
Delete SIDs.
Replace SIDs.
Progress invoke setting for tree security.
The source of inheritance for a resource.
The depth between the resource and the parent.
The name of the ancestor.
The security descriptor if accessible.
The original ACE which was inherited.
The SID of the original ACE.
Access mask as a formatted string.
Generic access mask as a formatted string.
The type of the ACE.
The object type of the ACE.
The inherited object type.
Enumeration for object type.
Tree security mode.
Progress function for tree named security info.
The name of the object.
The operation status.
The current invoke setting.
True if security is set.
The invoke setting. Return original invoke_setting if no change.
Base security buffer storage.
Type of the security buffer.
Is the buffer read-only.
Is the buffer read-only with checksum.
Convert to buffer back to an array.
The buffer as an array.
Overridden ToString method.
The buffer as a string.
Class to represent a security buffer we expect to be allocated by the SSPI.
Constructor.
The type of the buffer.
Convert to buffer back to an array.
The buffer as an array.
Security buffer for a channel binding.
Constructor.
The channel bindings token.
Convert to buffer back to an array.
The buffer as an array.
A security buffer which can be an input and output.
If you create with the ReadOnly or ReadOnlyWithCheck types then the
array will not be updated.
Constructor.
The type of buffer.
The data for the input.
Constructor.
The type of buffer.
The data for the input.
The offset into the array.
Number of bytes in the input.
Convert to buffer back to an array.
The buffer as an array.
A security buffer which can only be an output.
Constructor.
The type of buffer.
The size of the output buffer.
Convert to buffer back to an array.
The buffer as an array.
A security buffer which takes a raw pointer. The lifetime of the pointer
should be managed manually by the caller.
Constructor.
The type of buffer.
The raw pointer.
The size of the raw pointer.
The size of the buffer.
The pointer for the buffer. The lifetime needs to be manually managed.
This will free pointer using the SSPI APIs. Used to release automatically allocated
buffers. If you control the value of the Pointer you don't need to release it.
Convert to buffer back to an array.
The buffer as an array.
Security buffer type.
Class to represent a credential manager credential.
Credential flags.
Credential type.
Target name for the credentials.
Comment for the credentials.
Time the credentials was last written.
Credential blob.
Credential as a string, if available.
Credential persistence.
Credential attributes.
Target alias.
Username.
Class to represent a credential attribute.
Attribute keyword.
Attribute flags.
Attribute value.
Overridden ToString method.
Flags for a credential attribute.
No flags.
Flags for enumeration credentials.
None.
Get all credentials.
Flags for a credential.
Class to access credential manager APIs.
Get credentials for user from credential manager.
A filter for the target name, for example DOMAIN*. If null or empty returns all credentials.
Flags for the enumeration.
True to throw on error.
The list of credentials.
Get credentials for user from credential manager.
A filter for the target name, for example DOMAIN*. If null or empty returns all credentials.
Flags for the enumeration.
The list of credentials.
Get credentials for user from credential manager.
A filter for the target name, for example DOMAIN*. If null or empty returns all credentials.
The list of credentials.
Get all credentials for user from credential manager.
The list of credentials.
Get a credential by name.
The name of the credential.
The type of credential.
True to throw on error.
The read credential.
Get a credential by name.
The name of the credential.
The type of credential.
The read credential.
Backup a user's credentials.
The user's token.
The key for the data, typically a unicode password. Optional
True if the key is already encoded.
Caller needs SeTrustedCredmanAccessPrivilege enabled.
Specify credential persistence.
Identifies the type of credentials.
Information class for a SAM domain object.
Logon32 provider
Default.
Windows NT 3.5.
Windows NT 4.0.
Windows NT 5.0.
Virtual provider.
Logon UserFlags.
Indicates the last client token status for the client context.
Yes it's the last token.
No it's not the last token.
It might be, who knows?
Status code for SSPI interface calls.
Class to represent an Account Right assigned to a user.
The name of the account right.
The display name, if known.
Get list of SIDS assigned to this access right.
ToString method.
The name of the account right.
List of account rights. Not the same as privileges.
Class to represent an LSA account object.
Get the account SID.
Get or set system access flags.
Get account privileges.
Get system access flags.
True to throw on error.
The system access flags.
Set system access flags.
The flags to set.
True to throw on error.
The system access flags.
Enumerate privileges for the account.
True to throw on error.
The list of token privileges.
Access rights for an LSA account.
Flags for looking up SIDs by name.
Flags for looking up SID names.
Base class for an LSA object.
Get the NT type for the object.
Get the object name for the object.
Get whether the object is a container.
Get the object's security descriptor.
Is an access mask granted to the object.
The access to check.
True if all access is granted.
Get the security descriptor specifying which parts to retrieve
What parts of the security descriptor to retrieve
True to throw on error.
The security descriptor
Get the security descriptor specifying which parts to retrieve
What parts of the security descriptor to retrieve
The security descriptor
Set the object's security descriptor
The security descriptor to set.
What parts of the security descriptor to set
True to throw on error.
The NT status code.
Set the object's security descriptor
The security descriptor to set.
What parts of the security descriptor to set
Delete the object.
True to throw on error.
The NT status code.
Delete the object.
Get the system name for the policy.
Dispose the policy.
Class to represent the LSA policy.
Lookup names for SIDs.
The list of SIDs to lookup.
True to throw on error.
The list of looked up SID names.
Lookup names for SIDs.
The list of SIDs to lookup.
The list of looked up SID names.
Lookup name for a SID.
The SID to lookup.
Lookup names for SIDs.
The list of SIDs to lookup.
Lookup options flags.
True to throw on error.
The list of looked up SID names.
Lookup names for SIDs.
The list of SIDs to lookup.
Lookup options flags.
The list of looked up SID names.
Lookup names from the LSA policy.
The names to lookup.
Flags for the lookup.
True to throw on error.
The list of SID names.
Lookup names from the LSA policy.
The names to lookup.
Flags for the lookup.
The list of SID names.
Lookup names from the LSA policy.
The names to lookup.
The list of SID names.
Lookup names from the LSA policy.
The name to lookup.
The looked up SID name.
Enumerate accounts with a user right.
The name of the user right.
True to throw on error.
The list of SIDs with the user right.
Enumerate accounts with a user right.
The name of the user right.
The list of SIDs with the user right.
Enumerate account rights for a SID.
The SID to enumerate for.
True to throw on error.
The list of assigned account rights.
Enumerate account rights for a SID.
The SID to enumerate for.
The list of assigned account rights.
Add account rights to an account.
The SID of the account.
The list of account rights to add.
True to throw on error.
The NT status code.
Add account rights to an account.
The SID of the account.
The list of account rights to add.
Remove account rights from an account.
The SID of the account.
True to remove all rights.
The account rights to add.
True to throw on error.
The NT status code.
Remove account rights from an account.
The SID of the account.
True to remove all rights.
The account rights to add.
Retrieve LSA privilege data.
The name of the key.
True to throw on error.
The private data as bytes.
Retrieve LSA privilege data.
The name of the key.
The private data as bytes.
Store LSA private data.
The name of the key.
The data to store. If you pass null then the value will be deleted.
True to throw on error.
The NT status code.
Store LSA private data.
The name of the key.
The data to store. If you pass null then the value will be deleted.
Open an LSA secret object.
The name of the secret.
The desired access for the secret.
True to throw on error.
The opened secret.
Open an LSA secret object.
The name of the secret.
The desired access for the secret.
The opened secret.
Open an LSA secret object with maximum access.
The name of the secret.
The opened secret.
Create an LSA secret object.
The name of the secret.
The desired access for the secret.
True to throw on error.
The created secret.
Create an LSA secret object.
The name of the secret.
The desired access for the secret.
The created secret.
Create an LSA secret object with maximum access.
The name of the secret.
The created secret.
Delete an LSA secret object.
The name of the secret.
True to throw on error.
The NT status code.
Delete an LSA secret object.
The name of the secret.
Open an LSA account object.
The SID of the account.
The desired access for the account.
True to throw on error.
The opened account.
Open an LSA account object.
The SID of the account.
The desired access for the account.
The opened account.
Open an LSA account object with maximum access.
The SID of the account.
The opened account.
Create an LSA account object.
The SID of the account.
The desired access for the account.
True to throw on error.
The created account.
Create an LSA account object.
The SID of the account.
The desired access for the account.
The created account.
Create an LSA account object with maximum access.
The SID of the account.
The created account.
Delete an LSA account object.
The SID of the account.
True to throw on error.
The NT status code.
Delete an LSA account object.
The SID of the account.
Enumerate account SIDs in policy.
True to throw on error.
The list of account SIDs.
Enumerate account SIDs in policy.
The list of account SIDs.
Enumerate and open accessible account objects in policy.
The desired access for the opened accounts.
True to throw on error.
The list of accessible accounts.
Enumerate and open accessible account objects in policy.
The desired access for the opened accounts.
Enumerate and open accessible account objects in policy with maximum access.
Enumerate trusted domain information.
True to throw on error.
The list of trusted domain information.
Enumerate trusted domain information.
The list of trusted domain information.
Open trusted domain object.
The SID of the trusted domain.
The desired access for the object.
True to throw on error.
The trusted domain object.
Open trusted domain object.
The SID of the trusted domain.
The desired access for the object.
The trusted domain object.
Open trusted domain object.
The name of the trusted domain.
The desired access for the object.
True to throw on error.
The trusted domain object.
Open trusted domain object.
The name of the trusted domain.
The desired access for the object.
The trusted domain object.
Enumerate and open accessible trusted domain objects in policy.
The desired access for the opened trusted domains.
True to throw on error.
The list of accessible trusted domains.
Enumerate and open accessible trusted domain objects in policy.
The desired access for the opened trusted domains.
The list of accessible trusted domains.
Enumerate and open accessible trusted domain objects in policy.
The list of accessible trusted domains.
Open an LSA policy.
The system name for the LSA.
The desired access on the policy.
True to throw on error.
The opened policy.
Open an LSA policy.
The desired access on the policy.
True to throw on error.
The opened policy.
Open an LSA policy.
The system name for the LSA.
The desired access on the policy.
The opened policy.
Open an LSA policy.
The desired access on the policy.
The opened policy.
Open an LSA policy with maximum allowed access.
The opened policy.
Access rights for the LSA policy.
Utilities for an LSA policy.
The name of the fake NT type for a LSA policy.
The name of the fake NT type for a LSA secret.
The name of the fake NT type for a LSA account.
The name of the fake NT type for a LSA trusted domain.
Generic generic mapping for LSA policy security.
The generic mapping for the LSA policy.
Generic generic mapping for LSA secret security.
The generic mapping for the LSA secret.
Generic generic mapping for LSA account security.
The generic mapping for the LSA account.
Generic generic mapping for LSA trusted domain security.
The generic mapping for the LSA trusted domain.
Class to represent an LSA secret.
Query the value of the secret.
True to throw on error.
The value of the secret.
Query the value of the secret.
The value of the secret.
Query the current value of the secret.
True to throw on error.
The current value of the secret.
Query the current value of the secret.
The current value of the secret.
Query the old value of the secret.
True to throw on error.
The old value of the secret.
Query the old value of the secret.
The old value of the secret.
Set the value of the secret.
The current value to set.
The old value to set.
True to throw on error.
The NT status code.
Set the value of the secret.
The current value to set.
The old value to set.
Access rights for an LSA secret.
Class to represent an LSA secret value.
The current value of the secret.
The set time for the current value.
The old value of the secret.
The set time for the old value.
Flags for an account's system access.
Trust attribute flags for a trusted domain.
Direction of trust for a trusted domain.
Class to represent an LSA trusted domain.
Flat name (NETBIOS) of domain.
Domain SID.
Name of the domain.
Domain trust direction.
Domain trust type.
Domain trust attributes.
Access rights for an LSA trusted domain.
Information for a trusted domain.
DNS name of domain.
Flat name (NETBIOS) of domain.
Domain SID.
Domain trust direction.
Domain trust type.
Domain trust attributes.
Trust type for a trusted domain.
Class to represent a SAM alias.
Get members of the alias.
True to throw on error.
The list of alias members.
Get members of the alias.
The list of alias members.
The alias name.
The SID of the alias.
Access rights for a SAM alias object.
Class to represent a SAM domain object.
The domain name.
The domain SID.
Get domain password information
Lookup names in a domain.
The list of names to lookup.
True to throw on error.
The list of looked up SID names.
Lookup names in a domain.
The list of names to lookup.
The list of looked up SID names.
Lookup a name in a domain.
The name to lookup.
True to throw on error.
The SID name.
Lookup a name in a domain.
The name to lookup.
The SID name.
Lookup relative IDs in a domain.
The list of relative IDs to lookup.
True to throw on error.
The list of looked up SID names.
Lookup relative IDs in a domain.
The list of relative IDs to lookup.
The list of looked up SID names.
Lookup a rid in a domain.
The relative ID to lookup.
True to throw on error.
The SID name.
Lookup a rid in a domain.
The relative ID to lookup.
The SID name.
Enumerate users in a domain.
User account control flags.
True to throw on error.
The list of users.
Enumerate users in a domain.
User account control flags.
The list of users.
Enumerate users in a domain.
The list of users.
Enumerate groups in a domain.
True to throw on error.
The list of groups.
Enumerate groups in a domain.
The list of groups.
Enumerate aliases in a domain.
True to throw on error.
The list of aliases.
Enumerate aliases in a domain.
The list of aliases.
Get alias membership for a set of SIDs.
The SIDs to check.
True to throw on error.
The alias enumeration.
Get alias membership for a set of SIDs.
The SIDs to check.
The alias enumeration.
Get alias membership for a SID.
The SID to check.
The alias enumeration.
Open a user by relative ID.
The user ID for the user.
The desired access for the user object.
True to throw on error.
The SAM user object.
Open a user by relative ID.
The user ID for the user.
The desired access for the user object.
The SAM user object.
Open a user by SID.
The sid for the user.
The desired access for the user object.
True to throw on error.
The SAM user object.
Open a user by SID.
The sid for the user.
The desired access for the user object.
The SAM user object.
Open a user by name.
The user name for the user.
The desired access for the user object.
True to throw on error.
The SAM user object.
Open a user by name.
The user name for the user.
The desired access for the user object.
The SAM user object.
Open a group by relative ID.
The ID for the group.
The desired access for the group object.
True to throw on error.
The SAM group object.
Open a group by relative ID.
The ID for the group.
The desired access for the group object.
The SAM group object.
Open a group by SID.
The sid for the group.
The desired access for the group object.
True to throw on error.
The SAM group object.
Open a group by SID.
The sid for the group.
The desired access for the group object.
The SAM group object.
Open a group by name.
The name for the group.
The desired access for the group object.
True to throw on error.
The SAM group object.
Open a group by name.
The name for the group.
The desired access for the group object.
The SAM group object.
Create a new group object.
The name of the group.
The desired access for the group object.
True to throw on error.
The SAM group object.
Create a new group object.
The name of the group.
The desired access for the group object.
The SAM group object.
Create a new group object.
The name of the group.
The SAM group object.
Create a new user in the SAM.
The name of the user.
The type of account.
Desired access for new user.
True to throw on error.
The SAM user object.
Create a new user in the SAM.
The name of the user.
The type of account.
Desired access for new user.
The SAM user object.
Open an alias by relative ID.
The ID for the alias.
The desired access for the alias object.
True to throw on error.
The SAM alias object.
Open an alias by relative ID.
The ID for the alias.
The desired access for the alias object.
The SAM alias object.
Open an alias by SID.
The sid for the alias.
The desired access for the alias object.
True to throw on error.
The SAM alias object.
Open an alias by SID.
The sid for the alias.
The desired access for the alias object.
The SAM alias object.
Open an alias by name.
The name for the alias.
The desired access for the alias object.
True to throw on error.
The SAM alias object.
Open an alias by name.
The name for the alias.
The desired access for the alias object.
The SAM alias object.
Enumerate and open accessible user objects.
User account control flags.
The desired access for the opened users.
True to throw on error.
The list of accessible users.
Enumerate and open accessible user objects.
User account control flags.
The desired access for the opened users.
The list of accessible users.
Enumerate and open accessible user objects with maximum access.
The list of accessible users.
Enumerate and open accessible group objects.
The desired access for the opened groups.
True to throw on error.
The list of accessible groups.
Enumerate and open accessible group objects.
The desired access for the opened groups.
The list of accessible groups.
Enumerate and open accessible group objects with maximum access.
The list of accessible groups.
Enumerate and open accessible alias objects.
The desired access for the opened aliases.
True to throw on error.
The list of accessible aliases.
Enumerate and open accessible alias objects.
The desired access for the opened aliases.
The list of accessible aliases.
Enumerate and open accessible alias objects with maximum access.
The list of accessible aliases.
Convert a RID to a SID for the current object.
The relative ID.
True to throw on error.
The converted SID.
Convert a RID to a SID for the current object.
The relative ID.
The converted SID.
Get password information.
True to throw on error.
Access rights for a SAM domain object.
The domain password policy.
Minimum password length.
Password history length.
Password properties flags.
Maximum password age.
Minimum password age.
Flags for password properties.
Class to represent a SAM group.
Get members of the group.
True to throw on error.
The list of group members.
Get members of the group.
The list of group members.
Query group attribute flags.
True to throw on error.
The group attribute flags.
Set the group attribute flags.
The attributes to set.
True to throw on error.
The NT status code.
Delete the group object.
True to throw on error.
The NT status code.
Delete the group object.
The group name.
The SID of the group.
Get or set the group attribute flags.
Access rights for the SAM group.
Membership entry for a group.
The group relative ID.
The attributes for the group.
Base class for a SAM object.
The name of the server that we've connected to.
Get the NT type for the object.
Get the object name for the object.
Get whether the object is a container.
Get the object's security descriptor.
Is an access mask granted to the object.
The access to check.
True if all access is granted.
Get the security descriptor specifying which parts to retrieve
What parts of the security descriptor to retrieve
True to throw on error.
The security descriptor
Get the security descriptor specifying which parts to retrieve
What parts of the security descriptor to retrieve
The security descriptor
Set the object's security descriptor
The security descriptor to set.
What parts of the security descriptor to set
True to throw on error.
The NT status code.
Set the object's security descriptor
The security descriptor to set.
What parts of the security descriptor to set
Dispose the policy.
Represents information for a SAM relative value.
The name of the domain.
The RID of the domain.
Class to represent a connection to a SAM server.
Enumerate domains in the SAM.
True to throw on error.
The list of domains.
Enumerate domains in the SAM.
The list of domains.
Lookup the domain SID for a domain name.
The name of the domain.
True to throw on error.
The domain SID.
Lookup the domain SID for a domain name.
The name of the domain.
The domain SID.
Open a SAM domain object.
The domain SID.
The desired access for the object.
True to throw on error.
The SAM domain object.
Open a SAM domain object.
The domain SID.
The desired access for the object.
The SAM domain object.
Open a SAM domain object.
The name of the domain.
The desired access for the object.
True to throw on error.
The SAM domain object.
Open a SAM domain object.
The name of the domain.
The desired access for the object.
The SAM domain object.
Enumerate and open accessible domain objects.
The desired access for the opened domains.
True to throw on error.
The list of accessible domains.
Enumerate and open accessible domain objects.
The desired access for the opened domains.
The list of accessible domains.
Opens the builtin domain on the server.
The desired access for the object.
True to throw on error.
The SAM domain object.
Opens the builtin domain on the server.
The desired access for the object.
The SAM domain object.
Opens the user domain on the server.
The desired access for the object.
True to throw on error.
The SAM domain object.
Opens the user domain on the server.
The desired access for the object.
The SAM domain object.
Connect to a SAM server.
The name of the server. Set to null for local connection.
The desired access on the SAM server.
True to throw on error.
The server connection.
Connect to a SAM server.
The name of the server. Set to null for local connection.
The desired access on the SAM server.
The server connection.
Connect to a SAM server.
The desired access on the SAM server.
The server connection.
Connect to a SAM server with maximum access.
The server connection.
Access rights for the SAM server.
Class to represent a SAM user.
Get full name for the user.
True to throw on error.
The full name of the user.
Get home directory for the user.
True to throw on error.
The home directory of the user.
Get primary group ID for the user.
True to throw on error.
The primary group ID of the user.
Get user account control flags for the user.
True to throw on error.
The user account control flags of the user.
Change a user's password.
The old password.
The new password.
True to throw on error.
The NT status code.
Change a user's password.
The old password.
The new password.
Set a user's password.
The password to set.
Whether the password has expired.
True to throw on error.
The NT status code.
Set a user's password.
The password to set.
Whether the password has expired.
The user name.
The SID of the user.
Get full name for the user.
Get home directory for the user.
Get user account control flags for the user.
Is the account disabled?
Get the primary group SID.
Access rights for a SAM user object.
Type of user account to create.
A user account.
A workstation trust account.
A server trust account.
A temporary duplicate account.
Inter domain trust account.
User account control flags.
Security utilities which call the Win32 APIs.
Set security using a named object.
The name of the object.
The type of named object.
The security information to set.
The security descriptor to set.
True to throw on error.
The NT status code.
Set security using a named object.
The name of the object.
The type of named object.
The security information to set.
The security descriptor to set.
Specify to indicate when to execute progress function.
The security operation to perform on the tree.
Progress function.
Set security using a named object.
The name of the object.
The type of named object.
The security information to set.
The security descriptor to set.
Specify to indicate when to execute progress function.
The security operation to perform on the tree.
Progress function.
True to throw on error.
The NT status code.
Set security using a named object.
The name of the object.
The type of named object.
The security information to set.
The security descriptor to set.
The Win32 Error Code.
Set security using an object handle.
The handle of the object.
The type of object.
The security information to set.
The security descriptor to set.
True to throw on error.
The NT status code.
Set security using an object handle.
The handle of the object.
The type of object.
The security information to set.
The security descriptor to set.
Set security using an object handle.
The handle of the object.
The type of object.
The security information to set.
The security descriptor to set.
True to throw on error.
The NT status code.
Set security using an object handle.
The handle of the object.
The type of object.
The security information to set.
The security descriptor to set.
Reset security using a named object.
The name of the object.
The type of named object.
The security information to set.
The security descriptor to set.
True to keep explicit ACEs.
Specify to indicate when to execute progress function.
Progress function.
Reset security using a named object.
The name of the object.
The type of named object.
The security information to set.
The security descriptor to set.
Specify to indicate when to execute progress function.
True to keep explicit ACEs.
Progress function.
True to throw on error.
The NT status code.
Get the source of inherited ACEs.
The name of the resource.
The type of the resource.
Whether the resource is a container.
Optional list of object types.
The security descriptor for the resource.
True to check the SACL otherwise checks the DACL.
Generic mapping for the resource.
Query security descriptors for sources.
True to throw on error.
The list of inheritance sources.
Get the source of inherited ACEs.
The name of the resource.
The type of the resource.
Whether the resource is a container.
Optional list of object types.
The security descriptor for the resource.
True to check the SACL otherwise checks the DACL.
Generic mapping for the resource.
Query security descriptors for sources.
The list of inheritance sources.
Get the security descriptor for a named resource.
The name of the resource.
The type of the resource.
The security information to get.
True to throw on error.
The security descriptor.
Get the security descriptor for a named resource.
The name of the resource.
The type of the resource.
The security information to get.
The security descriptor.
Get the security descriptor for a resource.
The handle to the resource.
The type of the resource.
The security information to get.
True to throw on error.
The security descriptor.
Get the security descriptor for a resource.
The handle to the resource.
The type of the resource.
The security information to get.
The security descriptor.
Get the NT type for a SE Object Type.
The type of the resource.
The NT type if known, otherwise null.
Lookup a privilege display name.
The system name to do the lookup on.
The privilege name.
The display name. Empty string on error.
Add a SID to name mapping with LSA.
The domain name for the SID. The SID must be in the NT authority.
The account name for the SID. Can be null for a domain SID.
The SID to add.
True to throw on error.
The NT status result.
Add a SID to name mapping with LSA.
The domain name for the SID.
The account name for the SID. Can be null for a domain SID.
The SID to add.
The NT status result.
Remove a SID to name mapping with LSA.
The domain name for the SID.
The account name for the SID. Can be null for a domain SID.
True to throw on error.
The NT status result.
Remove a SID to name mapping with LSA.
The domain name for the SID.
The account name for the SID. Can be null for a domain SID.
The NT status result.
Remove a SID to name mapping with LSA.
The SID to remove.
The NT status result.
Logon a user with a username and password.
The username.
The user's domain.
The user's password.
The type of logon token.
The Logon provider.
The logged on token.
Logon a user with a username and password.
The username.
The user's domain.
The user's password.
The type of logon token.
The Logon provider.
True to throw on error.
The logged on token.
Logon a user with a username and password.
The username.
The user's domain.
The user's password.
The type of logon token.
The Logon provider.
Additional groups to add. Needs SeTcbPrivilege.
The logged on token.
Logon a user with a username and password.
The username.
The user's domain.
The user's password.
The type of logon token.
The Logon provider.
Additional groups to add. Needs SeTcbPrivilege.
True to throw on error.
The logged on token.
Lookup a SID's internet name.
The SID to lookup.
True to throw on error.
The name of the sid as an internet account.
This still might return the normal NT4 style account name if the user is not an internet user.
Lookup a SID's internet name.
The SID to lookup.
The name of the sid as an internet account.
This still might return the normal NT4 style account name if the user is not an internet user.
Retrieve LSA private data.
The system containing the LSA instance.
The name of the key.
True to throw on error.
The private data as bytes.
Retrieve LSA private data.
The system containing the LSA instance.
The name of the key.
The private data as bytes.
Retrieve LSA private data.
The name of the key.
The private data as bytes.
Store LSA private data.
The system containing the LSA instance.
The name of the key.
The data to store.
True to throw on error.
The NT status code.
Store LSA private data.
The system containing the LSA instance.
The name of the key.
The data to store.
Store LSA private data.
The name of the key.
The data to store.
Delete LSA private data.
The system containing the LSA instance.
The name of the key.
True to throw on error.
The NT status code.
Delete LSA private data.
The system containing the LSA instance.
The name of the key.
Delete LSA private data.
The name of the key.
Virtual Key enumeration.
Left mouse button
Right mouse button
Control-break processing
Middle mouse button (three-button mouse)
Windows 2000/XP: X1 mouse button
Windows 2000/XP: X2 mouse button
BACKSPACE key
TAB key
CLEAR key
ENTER key
SHIFT key
CTRL key
ALT key
PAUSE key
CAPS LOCK key
Input Method Editor (IME) Kana mode
IME Hangul mode
IME Junja mode
IME final mode
IME Hanja mode
IME Kanji mode
ESC key
IME convert
IME nonconvert
IME accept
IME mode change request
SPACEBAR
PAGE UP key
PAGE DOWN key
END key
HOME key
LEFT ARROW key
UP ARROW key
RIGHT ARROW key
DOWN ARROW key
SELECT key
PRINT key
EXECUTE key
PRINT SCREEN key
INS key
DEL key
HELP key
0 key
1 key
2 key
3 key
4 key
5 key
6 key
7 key
8 key
9 key
A key
B key
C key
D key
E key
F key
G key
H key
I key
J key
K key
L key
M key
N key
O key
P key
Q key
R key
S key
T key
U key
V key
W key
X key
Y key
Z key
Left Windows key (Microsoft Natural keyboard)
Right Windows key (Natural keyboard)
Applications key (Natural keyboard)
Computer Sleep key
Numeric keypad 0 key
Numeric keypad 1 key
Numeric keypad 2 key
Numeric keypad 3 key
Numeric keypad 4 key
Numeric keypad 5 key
Numeric keypad 6 key
Numeric keypad 7 key
Numeric keypad 8 key
Numeric keypad 9 key
Multiply key
Add key
Separator key
Subtract key
Decimal key
Divide key
F1 key
F2 key
F3 key
F4 key
F5 key
F6 key
F7 key
F8 key
F9 key
F10 key
F11 key
F12 key
F13 key
F14 key
F15 key
F16 key
F17 key
F18 key
F19 key
F20 key
F21 key
F22 key, (PPC only) Key used to lock device.
F23 key
F24 key
NUM LOCK key
SCROLL LOCK key
Left SHIFT key
Right SHIFT key
Left CONTROL key
Right CONTROL key
Left MENU key
Right MENU key
Windows 2000/XP: Browser Back key
Windows 2000/XP: Browser Forward key
Windows 2000/XP: Browser Refresh key
Windows 2000/XP: Browser Stop key
Windows 2000/XP: Browser Search key
Windows 2000/XP: Browser Favorites key
Windows 2000/XP: Browser Start and Home key
Windows 2000/XP: Volume Mute key
Windows 2000/XP: Volume Down key
Windows 2000/XP: Volume Up key
Windows 2000/XP: Next Track key
Windows 2000/XP: Previous Track key
Windows 2000/XP: Stop Media key
Windows 2000/XP: Play/Pause Media key
Windows 2000/XP: Start Mail key
Windows 2000/XP: Select Media key
Windows 2000/XP: Start Application 1 key
Windows 2000/XP: Start Application 2 key
Used for miscellaneous characters; it can vary by keyboard.
Windows 2000/XP: For any country/region, the '+' key
Windows 2000/XP: For any country/region, the ',' key
Windows 2000/XP: For any country/region, the '-' key
Windows 2000/XP: For any country/region, the '.' key
Used for miscellaneous characters; it can vary by keyboard.
Used for miscellaneous characters; it can vary by keyboard.
Used for miscellaneous characters; it can vary by keyboard.
Used for miscellaneous characters; it can vary by keyboard.
Used for miscellaneous characters; it can vary by keyboard.
Used for miscellaneous characters; it can vary by keyboard.
Used for miscellaneous characters; it can vary by keyboard.
Windows 2000/XP: Either the angle bracket key or the backslash key on the RT 102-key keyboard
Windows 95/98/Me, Windows NT 4.0, Windows 2000/XP: IME PROCESS key
Windows 2000/XP: Used to pass Unicode characters as if they were keystrokes.
The VK_PACKET key is the low word of a 32-bit Virtual Key value used for non-keyboard input methods. For more information,
see Remark in KEYBDINPUT, SendInput, WM_KEYDOWN, and WM_KEYUP
Attn key
CrSel key
ExSel key
Erase EOF key
Play key
Zoom key
Reserved
PA1 key
Clear key
Class representing the information about a service.
The name of the service.
The security descriptor of the service.
The list of triggers for the service.
The service SID setting.
The service launch protected setting.
The service required privileges.
The service type.
Service start type.
Error control.
Binary path name.
Load order group.
Tag ID for load order.
Dependencies.
Display name.
Service start name. For user mode services this is the username, for drivers it's the driver name.
Indicates this service is set to delayed automatic start.
The user name this service runs under.
Type of service host when using Win32Share.
Service main function when using Win32Share.
Image path for the service.
Get name of the target image, either the ServiceDll or ImagePath.
Service DLL if a shared process server.
The name of the machine this service was found on.
Indicates if this service process is grouped with others.
Class to represent custom data for a service trigger.
The type of data.
The raw custom data.
The custom data as a string.
The custom data as an array of strings (only useful for String type).
Overidden ToString method.
The data as a string.
Trigger information for a service.
The type of service trigger.
The service trigger action.
The sub-type GUID.
The description of the sub type.
Custom data.
Overridden ToString method.
The trigger as a string.
Trigger the service.
Service trigger type.
Represents an action that the service control manager can perform.
The action to be performed.
The time to wait before performing the specified action, in milliseconds.
The action to be performed.
The time to wait before performing the specified action, in milliseconds.
Utilities for accessing services.
The name of the fake NT type for a service.
The name of the fake NT type for the SCM.
Get the generic mapping for the SCM.
The SCM generic mapping.
Get the generic mapping for a service.
The service generic mapping.
Get the security descriptor of the SCM.
The SCM security descriptor.
Get the security descriptor of the SCM.
The name of a target computer. Can be null or empty to specify local machine.
Parts of the security descriptor to return.
True to throw on error.
The SCM security descriptor.
Get the security descriptor of the SCM.
The name of a target computer. Can be null or empty to specify local machine.
Parts of the security descriptor to return.
The SCM security descriptor.
Get the security descriptor of the SCM.
Parts of the security descriptor to return.
True to throw on error.
The SCM security descriptor.
Get the security descriptor of the SCM.
Parts of the security descriptor to return.
The SCM security descriptor.
Get the security descriptor for a service.
The name of the service.
Parts of the security descriptor to return.
True to throw on error.
The name of a target computer. Can be null or empty to specify local machine.
The security descriptor.
Get the security descriptor for a service.
The name of the service.
Parts of the security descriptor to return.
The name of a target computer. Can be null or empty to specify local machine.
The security descriptor.
Get the security descriptor for a service.
The name of the service.
Parts of the security descriptor to return.
True to throw on error.
The security descriptor.
Get the security descriptor for a service.
The name of the service.
Parts of the security descriptor to return.
The security descriptor.
Set the SCM security descriptor.
The name of a target computer. Can be null or empty to specify local machine.
The security descriptor to set.
The parts of the security descriptor to set.
True to throw on error.
The NT status code.
Set the SCM security descriptor.
The name of a target computer. Can be null or empty to specify local machine.
The security descriptor to set.
The parts of the security descriptor to set.
Set the SCM security descriptor.
The security descriptor to set.
The parts of the security descriptor to set.
True to throw on error.
The NT status code.
Set the SCM security descriptor.
The security descriptor to set.
The parts of the security descriptor to set.
Get the information about a service.
The name of the service.
The name of a target computer. Can be null or empty to specify local machine.
True to throw on error.
The service information.
Get the information about a service.
The name of the service.
The name of a target computer. Can be null or empty to specify local machine.
The service information.
Get the information about a service.
The name of the service.
True to throw on error.
The service information.
Set the security descriptor for a service.
The name of the service.
The name of a target computer. Can be null or empty to specify local machine.
The security descriptor to set.
The security information to set.
True to throw on error.
The NT status.
Set the security descriptor for a service.
The name of the service.
The name of a target computer. Can be null or empty to specify local machine.
The security descriptor to set.
The security information to set.
Set the security descriptor for a service.
The name of the service.
The security descriptor to set.
The security information to set.
True to throw on error.
The NT status.
Set the security descriptor for a service.
The name of the service.
The security descriptor to set.
The security information to set.
Get the information about a service.
The name of the service.
The service information.
Get the information about all services.
The name of a target computer. Can be null or empty to specify local machine.
The types of services to return.
The list of service information.
Get the information about all services.
The types of services to return.
The list of service information.
Get the PID of a running service.
The name of the service.
Returns the PID of the running service, or 0 if not running.
Thrown on error.
Get the PIDs of a list of running service.
The names of the services.
Returns the PID of the running service, or 0 if not running.
Thrown on error.
Get a running service by name.
The name of the service.
The name of a target computer. Can be null or empty to specify local machine.
True to throw on error.
The running service.
This will return active and non-active services as well as drivers.
Get a running service by name.
The name of the service.
The name of a target computer. Can be null or empty to specify local machine.
The running service.
This will return active and non-active services as well as drivers.
Get a running service by name.
The name of the service.
The running service.
True to throw on error.
This will return active and non-active services as well as drivers.
Get a running service by name.
The name of the service.
The running service.
This will return active and non-active services as well as drivers.
Get a list of all registered services.
The name of a target computer. Can be null or empty to specify local machine.
Specify state of services to get.
Specify the type filter for services.
A list of registered services.
Get a list of all registered services.
Specify state of services to get.
Specify the type filter for services.
A list of registered services.
Get flags for all user service types.
The flags for user service types.
Get flags for all kernel driver types.
The flags for kernel driver types.
Get a list of all registered services.
A list of registered services.
Get a list of all active running services with their process IDs.
A list of all active running services with process IDs.
Get a list of all drivers.
A list of all drivers.
Get a list of all active running drivers.
A list of all active running drivers.
Get a list of all services and drivers.
A list of all services and drivers.
Get a list of all services and drivers.
A list of all services and drivers.
Get a fake NtType for a service.
Service returns the service type, SCM returns SCM type.
The fake service NtType. Returns null if not a recognized type.
Create a new service.
The name of a target computer. Can be null or empty to specify local machine.
The name of the service.
The display name for the service.
The service type.
The service start type.
Error control.
Path to the service executable.
Load group order.
List of service dependencies.
The username for the service.
Password for the username if needed.
True to throw on error.
The registered service information.
Create a new service.
The name of a target computer. Can be null or empty to specify local machine.
The name of the service.
The display name for the service.
The service type.
The service start type.
Error control.
Path to the service executable.
Load group order.
List of service dependencies.
The username for the service.
Password for the username if needed.
The registered service information.
Create a new service.
The name of the service.
The display name for the service.
The service type.
The service start type.
Error control.
Path to the service executable.
Load group order.
List of service dependencies.
The username for the service.
Password for the username if needed.
True to throw on error.
The registered service information.
Create a new service.
The name of the service.
The display name for the service.
The service type.
The service start type.
Error control.
Path to the service executable.
Load group order.
List of service dependencies.
The username for the service.
Password for the username if needed.
The registered service information.
Delete a service.
The name of a target computer. Can be null or empty to specify local machine.
The name of the service.
True to throw on error.
The NT status.
Delete a service.
The name of a target computer. Can be null or empty to specify local machine.
The name of the service.
The NT status.
Delete a service.
The name of the service.
True to throw on error.
The NT status.
Delete a service.
The name of the service.
Send a control code to a service.
The name of a target computer. Can be null or empty to specify local machine.
The name of the service.
The control code to send. If >= 128 will be sent as a custom control code.
True to throw on error.
The NT status code.
Send a control code to a service.
The name of a target computer. Can be null or empty to specify local machine.
The name of the service.
The control code to send. If >= 128 will be sent as a custom control code.
Send a control code to a service.
The name of a target computer. Can be null or empty to specify local machine.
The name of the service.
The control code to send. If >= 128 will be sent as a custom control code.
Send a control code to a service.
The name of the service.
The control code to send. If >= 128 will be sent as a custom control code.
Send a control code to a service.
The name of the service.
The control code to send. If >= 128 will be sent as a custom control code.
Change service configuration.
The name of a target computer. Can be null or empty to specify local machine.
The name of the service.
The display name for the service.
The service type.
The service start type.
Error control.
Path to the service executable.
Load group order.
The tag ID.
List of service dependencies.
The username for the service.
Password for the username if needed.
True to throw on error.
The NT status code.
Change service configuration.
The name of a target computer. Can be null or empty to specify local machine.
The name of the service.
The display name for the service.
The service type.
The service start type.
Error control.
Path to the service executable.
The tag ID.
Load group order.
List of service dependencies.
The username for the service.
Password for the username if needed.
Change service configuration.
The name of the service.
The display name for the service.
The service type.
The service start type.
Error control.
Path to the service executable.
The tag ID.
Load group order.
List of service dependencies.
The username for the service.
Password for the username if needed.
True to throw on error.
The NT status code.
Change service configuration.
The name of the service.
The display name for the service.
The service type.
The service start type.
Error control.
Path to the service executable.
The tag ID.
Load group order.
List of service dependencies.
The username for the service.
Password for the username if needed.
Start a service by name.
The name of a target computer. Can be null or empty to specify local machine.
The name of the service.
Optional arguments to pass to the service.
True to throw on error.
The status code for the service.
Start a service by name.
The name of a target computer. Can be null or empty to specify local machine.
The name of the service.
Optional arguments to pass to the service.
Start a service by name.
The name of the service.
Optional arguments to pass to the service.
True to throw on error.
The status code for the service.
Start a service by name.
The name of the service.
Optional arguments to pass to the service.
The status code for the service.
Set a service's SID type.
The name of a target computer. Can be null or empty to specify local machine.
The name of the service.
The SID type to set.
True to throw on error.
The NT status code.
Set a service's SID type.
The name of a target computer. Can be null or empty to specify local machine.
The name of the service.
The SID type to set.
Set a service's SID type.
The name of the service.
The SID type to set.
True to throw on error.
The NT status code.
Set a service's SID type.
The name of the service.
The SID type to set.
Set a service's delayed auto-start.
The name of a target computer. Can be null or empty to specify local machine.
The name of the service.
If true, the service is started after other auto-start services are started plus a short delay. Otherwise, the service is started during system boot.
True to throw on error.
The NT status code.
Set a service's failure recover actions.
The name of a target computer. Can be null or empty to specify local machine.
The name of the service.
Actions to be performed on service failure.
If this value is null, is ignored.
If this value is empty, the reset period and array of failure actions are deleted.
The time after which to reset the failure count to zero if there are no failures, in seconds. Specify -1 to indicate that this value should never be reset.
The command line of the process for the CreateProcess function to execute in response to the command run service controller action.
This process runs under the same account as the service.
If this value is null, the command is unchanged.
If the value is an empty string (""), the command is deleted and no program is run when the service fails.
The message to be broadcast to server users before rebooting in response to the reboot action service controller action.
If this value is null, the reboot message is unchanged.
If the value is an empty string (""), the reboot message is deleted and no message is broadcast.
This member can specify a localized string using the following format: @[path]dllname,-strID
The string with identifier strID is loaded from dllname; path is optional.
True to throw on error.
The NT status code.
Set a service's required privileges.
The name of a target computer. Can be null or empty to specify local machine.
The name of the service.
The required privileges.
True to throw on error.
The NT status code.
Set a service's required privileges.
The name of a target computer. Can be null or empty to specify local machine.
The name of the service.
The required privileges.
Set a service's required privileges.
The name of the service.
The required privileges.
True to throw on error.
The NT status code.
Set a service's required privileges.
The name of the service.
The required privileges.
Set a service's launch protected type.
The name of a target computer. Can be null or empty to specify local machine.
The name of the service.
The protected type.
True to throw on error.
The NT status code.
Set a service's launch protected type.
The name of a target computer. Can be null or empty to specify local machine.
The name of the service.
The protected type.
Set a service's required privileges.
The name of the service.
The protected type.
True to throw on error.
The NT status code.
Set a service's SID type.
The name of the service.
The protected type.
A service trigger for an ETW event.
The security descriptor for the ETW event. Needs administrator privileges.
Trigger the service.
Service trigger for firewall port interface.
The port for the firewall service trigger.
The protocol for the firewall service trigger.
The protocol for the firewall service trigger.
The protocol for the firewall service trigger.
Service trigger for a named pipe.
The path to the named pipe.
Service trigger for an RPC interface.
List of interface ID for the RPC server.
Class to represent a handle to the SCM.
Active services database.
Failed services database.
Open an instance of the SCM.
The machine name for the SCM.
The database name. Specify SERVICES_ACTIVE_DATABASE or SERVICES_FAILED_DATABASE.
If null then SERVICES_ACTIVE_DATABASE is used.
The desired access for the SCM connection.
True to throw on error.
The SCM instance.
Open an instance of the SCM.
The machine name for the SCM.
The database name. Specify SERVICES_ACTIVE_DATABASE or SERVICES_FAILED_DATABASE.
If null then SERVICES_ACTIVE_DATABASE is used.
The desired access for the SCM connection.
The SCM instance.
Open an instance of the SCM.
The machine name for the SCM.
The desired access for the SCM connection.
The SCM instance.
Get the Win32 services for the SCM.
The state of the services to return.
The types of services to return.
True throw on error.
The list of services.
SCM must have been opened with EnumerateService access.
Get the Win32 services for the SCM.
The state of the services to return.
The types of services to return.
The list of services.
SCM must have been opened with EnumerateService access.
Dispose the object.
Get the security descriptor specifying which parts to retrieve
What parts of the security descriptor to retrieve
True to throw on error.
The security descriptor
Get the security descriptor specifying which parts to retrieve
What parts of the security descriptor to retrieve
The security descriptor
Set the object's security descriptor
The security descriptor to set.
What parts of the security descriptor to set
True to throw on error.
Set the object's security descriptor
The security descriptor to set.
What parts of the security descriptor to set
Service trigger for a WNF event.
The WNF name.
Represents a loaded module from the symbol resolver.
The name of the module.
The base address of the module.
The image size of the module.
Get the path to the loaded PDB file is known.
True indicates this module only has export symbols.
Query names of types for this module.
The list of type names.
Query types in a module.
The list of types.
Get a type by name.
The name of the type.
Query types by name
A mask string for the type name. e.g. mod!ABC*
The list of types.
Returns the name of the module.
The name of the module.
Static class for creating symbolic resolvers.
Create a new instance of a symbol resolver.
The process in which the symbols should be resolved.
The path to dbghelp.dll, ideally should use the one which comes with Debugging Tools for Windows.
The symbol path.
Flags for the symbol resolver.
A text writer for output when specifying the TraceSymbolLoading flag.
The instance of a symbol resolver. Should be disposed when finished.
Create a new instance of a symbol resolver.
The process in which the symbols should be resolved.
The path to dbghelp.dll, ideally should use the one which comes with Debugging Tools for Windows.
The symbol path.
The instance of a symbol resolver. Should be disposed when finished.
Create a new instance of a symbol resolver. Uses the system dbghelp library and symbol path
from _NT_SYMBOL_PATH environment variable.
The process in which the symbols should be resolved.
The instance of a symbol resolver. Should be disposed when finished.
Enumeration for safer level.
Constrained.
Fully trusted.
Normal user.
Untrusted.
Class to access tokens through various mechanisms.
Logon a user using S4U
The username.
The user's realm.
The logged on token.
Get the anonymous token.
The access rights for the opened token.
The anonymous token.
Get the anonymous token.
The anonymous token.
Logon a user.
The username.
The user's domain.
The user's password.
The logon token's type.
Optional list of additonal groups to add.
The logged on token.
Logon a user.
The username.
The user's domain.
The user's password.
The logon token's type.
Optional list of additonal groups to add.
The Logon provider.
The logged on token.
Logon a user.
The username.
The user's domain.
The user's password.
The logon token's type.
Optional list of additonal groups to add.
The Logon provider.
True to throw on error.
The logged on token.
Open the current clipboard token.
Get the token from the clipboard.
The access rights for the opened token.
The clipboard token.
Get the token from the clipboard.
The clipboard token.
Derive a package sid from a name.
The name of the package.
True to throw on error.
The derived Sid
Derive a package sid from a name.
The name of the package.
The derived Sid
Derive a restricted package sid from an existing pacakge sid.
The base package sid.
The restricted name for the sid.
True to throw on error.
The derived Sid.
Derive a restricted package sid from an existing pacakge sid.
The base package sid.
The restricted name for the sid.
The derived Sid.
Derive a restricted package sid from an existing package sid.
The base package name.
The restricted name for the sid.
The derived Sid.
Get the package SID from a name.
The name of the package, can be either an SDDL SID or a package name.
The derived SID.
Get a safer token.
The base token.
The safer level to use.
True to make the token inert.
The safer token.
Get session token for a session ID.
The session ID.
The session token.
Get tokens for all logged on sessions.
Needs SeTcbPrivilege to work.
The list of session tokens.
Create an AppContainer token using the CreateAppContainerToken API.
The token to base the new token on. Can be null.
The AppContainer package SID.
List of capabilities.
True to throw on error.
The appcontainer token.
This exported function was only introduced in RS3
Create an AppContainer token using the CreateAppContainerToken API.
The token to base the new token on. Can be null.
The AppContainer package SID.
List of capabilities.
The appcontainer token.
This exported function was only introduced in RS3
Create an AppContainer token using the CreateAppContainerToken API.
The AppContainer package SID.
List of capabilities.
The appcontainer token.
This exported function was only introduced in RS3
Win32 Error Codes.
Flags for DefineDosDevice
None
Specify a raw target path
Remove existing definition
Only remove exact matches to the target
Don't broadcast changes to the system
Disposition values for CreateFile.
Create a new file. Fail if it exists.
Always create a new file, overwrite if it exists.
Open a file, fail if it doesn't exist.
Open a file, create if it doesn't exist.
Truncate existing file.
Flags for GetWin32PathName.
No flags.
GUID format.
NT format.
No specific format.
Opened file name.
Class representing a win32 process.
Create process with a token.
The token to create the process with.
The process configuration.
The created win32 process.
Create process with a token.
The token to create the process with.
The path to the executable.
The process command line.
Process creation flags.
The desktop name.
The created win32 process.
Create process with a token from a user logon.
The username.
The user's domain.
The user's password.
Logon flags.
The process configuration.
The created win32 process.
Create process with a token from a user logon.
The user's credentials.
Logon flags.
The process configuration.
True to throw on error.
The created win32 process.
Create process with a token from a user logon.
The user's credentials.
Logon flags.
The process configuration.
The created win32 process.
Create process with a token from a user logon.
The username.
The user's domain.
The user's password.
Logon flags.
The process configuration.
The created win32 process.
Create process with a token from a user logon.
The username.
The user's domain.
The user's password.
Logon flags.
The path to the executable.
The process command line.
Process creation flags.
The desktop name.
The created win32 process.
Create process with a token.
The token to create the process with.
The process configuration.
The created win32 process.
Create process.
The process configuration.
The created win32 process.
Create process.
Optional parent process.
The path to the executable.
The process command line.
Process creation flags.
The desktop name.
The created win32 process.
Dispose the process.
Resume the entire process.
Suspend the entire process.
Terminate the process
The exit code for the termination
The handle to the process.
The handle to the initial thread.
The process ID of the process.
The thread ID of the initial thread.
True to terminate process when disposed.
Get the process' exit status.
Get the process' exit status as an NtStatus code.
Explicit conversion operator to an NtThread object.
The win32 process
Explicit conversion operator to an NtProcess object.
The win32 process
Specify the CreateProcess API to use with a Token.
Use CreateProcessAsUser, if that fails use CreateProcessWithToken.
Use only CreateProcessAsUser.
User only CreateProcessWithToken.
Win32 process creation configuration.
Specify security descriptor of process.
Specify process handle is inheritable.
Specify security descriptor of thread.
Specify thread handle is inheritable.
Specify to inherit handles.
Specify parent process.
Specify path to application executable.
Specify command line.
Specify creation flags.
Specify environment block.
Specify current directory.
Specify desktop name.
Specify window title.
True to terminate the process when it's disposed.
Specify the mitigation options.
Specify the mitigation options 2.
Specify win32k filter flags.
Specify win32k filter level.
Specify PP level.
Specify list of handles to inherit.
Specify the appcontainer Sid.
Specify the appcontainer capabilities.
Specify LPAC.
Restrict the process from creating child processes.
Override child process creation restriction.
Set child process mitigation flags.
Specify new process policy when creating a desktop bridge application.
Specify a token to use for the new process.
Specify a stdin handle for the new process (you must inherit the handle).
Specify a stdout handle for the new process (you must inherit the handle).
Specify a stderror handle for the new process (you must inherit the handle).
Specify the package name to use.
Specify handle to pseudo console.
Specify Base Named Objects isolation prefix.
Specify the safe open prompt original claim.
When specifying the debug flags use this debug object instead of the current thread's object.
When specified do not fallback to using CreateProcessWithToken if CreateProcessWithUser fails.
Specify additional extended flags.
Specify list of handles to inherit.
Specify a service window station and desktop.
Specify authentication credentials for CreateProcessWithLogon.
Specify logon flags for the Credentials or when calling CreateProcessWithToken.
Specify the type of API to call when specifying a token.
Specify component filter flags.
Add an object's handle to the list of inherited handles.
The object to add.
The raw handle value.
Note that this doesn't maintain a reference to the object. It should be kept
alive until the process has been created.
Add an AppContainer capability by name.
The name of the capability.
Add an AppContainer capability by name.
The capability SID.
Set AppContainer SID from a package name.
The package name.
Constructor.
Flags for create process.
No flags.
Debug process.
Debug only this process.
Create suspended.
Detach process.
Create a new console.
Normal priority class.
Idle priority class.
High priority class.
Realtime priority class.
Create a new process group.
Create from a unicode environment.
Create a separate WOW VDM.
Share the WOW VDM.
Force DOS process.
Below normal priority class.
Above normal priority class.
Inherit parent affinity.
Inherit caller priority (deprecated)
Create a protected process.
Specify extended startup information is present.
Process mode background begin.
Process mode background end.
Create a secure process.
Breakaway from a job object.
Preserve code authz level.
Default error mode.
No window.
Profile user.
Profile kernel.
Profile server.
Ignore system default.
Flags for CreateProcessWithLogon
No flags.
With a profile.
Using network credentials.
Win32k filter flags.
No flags.
Enable filter.
Audit filter.
Flags for create thread.
No flags.
Create suspended.
Stack size is a reservation.
Specify PPL level.
None
Safe level as parent.
Tcb PPL
Windows PP
Windows PPL
Antimalware PPL
LSA PPL
Tcb PP
Code Generation PPL
Authenticode PP
App PPL
Extended process flags.
No flags.
Log elevation failure.
Ignore elevation requirements.
Force job breakaway (needs TCB privilege).
Process mitigation option flags.
Process mitigation option 2 flags.
Class representing a service instance.
The name of the service.
The description of the service.
Type of service.
Image path for the service.
Command line for the service.
Service DLL if a shared process server.
Current service status.
What controls are accepted by the service.
Whether the service can be stopped.
The Win32 exit code.
The service specific exit code, if Win32ExitCode is Win32Error.ERROR_SERVICE_SPECIFIC_ERROR.
The checkpoint while starting.
Waiting hint time.
Service flags.
Process ID of the running service.
The security descriptor of the service.
The list of triggers for the service.
The service SID type.
The service launch protected setting.
The service required privileges.
Service start type.
Whether the service is a delayed auto start service.
Error control.
Load order group.
Tag ID for load order.
Dependencies.
The user name this service runs under.
Type of service host when using Win32Share.
Service main function when using Win32Share.
Indicates if this service process is grouped with others.
The name of the machine this service was found on.
Overridden ToString method.
The name of the service.
Utilities for Win32 APIs.
Get a mask dictionary for a type.
The enumerated type to query for names.
The valid access.
A dictionary mapping a mask value to a name.
Get a mask dictionary for a type.
The enumerated type to query for names.
The valid access.
Specify to get the SDK name instead of a formatting enumerated name.
A dictionary mapping a mask value to a name.
Display the edit security dialog.
Parent window handle.
NT object to display the security.
The name of the object to display.
True to force the UI to read only.
Display the edit security dialog.
Parent window handle.
The name of the object to display.
The security descriptor to display.
The NT type of the object.
Display the edit security dialog.
Parent window handle.
The name of the object to display.
The security descriptor to display.
An enumerated type for the access mask.
Generic mapping for the access rights.
Valid access mask for the access rights.
Define a new DOS device.
The dos device flags.
The device name to define.
The target path.
Get Windows INVALID_HANDLE_VALUE.
Parse a command line into arguments.
The parsed command line.
The list of arguments.
Get the image path from a command line.
The command line to parse.
The image path, returns the original command line if can't find a valid image path.
Get Win32 path name for a file.
The file to get the path from.
Flags for the path to return.
True to throw on error.
The win32 path.
Get Win32 path name for a file.
The file to get the path from.
Flags for the path to return.
The win32 path.
Format a message.
The module containing the message.
The ID of the message.
The message. Empty string on error.
Format a message.
The ID of the message.
The message. Empty string on error.
Open a file with the Win32 CreateFile API.
The filename to open.
The desired access.
The share mode.
Optional security descriptor.
True to set the handle as inheritable.
Creation disposition.
Flags and attributes.
Optional template file.
True to throw on error.
The opened file handle.
Open a file with the Win32 CreateFile API.
The filename to open.
The desired access.
The share mode.
Optional security descriptor.
True to set the handle as inheritable.
Creation disposition.
Flags and attributes.
Optional template file.
The opened file handle.
Open a file with the Win32 CreateFile API.
The filename to open.
The desired access.
The share mode.
Creation disposition.
Flags and attributes.
True to throw on error.
The opened file handle.
Open a file with the Win32 CreateFile API.
The filename to open.
The desired access.
The share mode.
Creation disposition.
Flags and attributes.
The opened file handle.
Send key down events.
The key codes to send.
Send key down events.
The key codes to send.
Send key down then up events.
The key codes to send.
This will send all keys down first, then all up.
This creates a Window Station using the User32 API.
The name of the Window Station.
The Window Station.
Create a remote thread.
The process to create the thread in.
The thread security descriptor.
Whether the handle should be inherited.
The size of the stack. 0 for default.
Start address for the thread.
Parameter to pass to the thread.
The flags for the thread creation.
True to throw on error.
The created thread.
Thrown on error.
Create a remote thread.
The process to create the thread in.
The thread security descriptor.
Whether the handle should be inherited.
The size of the stack. 0 for default.
Start address for the thread.
Parameter to pass to the thread.
The flags for the thread creation.
The created thread.
Thrown on error.
Create a remote thread.
The process to create the thread in.
Start address for the thread.
Parameter to pass to the thread.
The flags for the thread creation.
The created thread.
Thrown on error.
Get a list of all console sessions.
True to throw on error.
The list of console sessions.
Get a list of all console sessions.
The list of console sessions.
Write debug string to output.
The debug string to write.