Process Hacker
ntseapi.h
Go to the documentation of this file.
1 #ifndef _NTSEAPI_H
2 #define _NTSEAPI_H
3 
4 // Privileges
5 
6 #define SE_MIN_WELL_KNOWN_PRIVILEGE (2L)
7 #define SE_CREATE_TOKEN_PRIVILEGE (2L)
8 #define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE (3L)
9 #define SE_LOCK_MEMORY_PRIVILEGE (4L)
10 #define SE_INCREASE_QUOTA_PRIVILEGE (5L)
11 
12 #define SE_MACHINE_ACCOUNT_PRIVILEGE (6L)
13 #define SE_TCB_PRIVILEGE (7L)
14 #define SE_SECURITY_PRIVILEGE (8L)
15 #define SE_TAKE_OWNERSHIP_PRIVILEGE (9L)
16 #define SE_LOAD_DRIVER_PRIVILEGE (10L)
17 #define SE_SYSTEM_PROFILE_PRIVILEGE (11L)
18 #define SE_SYSTEMTIME_PRIVILEGE (12L)
19 #define SE_PROF_SINGLE_PROCESS_PRIVILEGE (13L)
20 #define SE_INC_BASE_PRIORITY_PRIVILEGE (14L)
21 #define SE_CREATE_PAGEFILE_PRIVILEGE (15L)
22 #define SE_CREATE_PERMANENT_PRIVILEGE (16L)
23 #define SE_BACKUP_PRIVILEGE (17L)
24 #define SE_RESTORE_PRIVILEGE (18L)
25 #define SE_SHUTDOWN_PRIVILEGE (19L)
26 #define SE_DEBUG_PRIVILEGE (20L)
27 #define SE_AUDIT_PRIVILEGE (21L)
28 #define SE_SYSTEM_ENVIRONMENT_PRIVILEGE (22L)
29 #define SE_CHANGE_NOTIFY_PRIVILEGE (23L)
30 #define SE_REMOTE_SHUTDOWN_PRIVILEGE (24L)
31 #define SE_UNDOCK_PRIVILEGE (25L)
32 #define SE_SYNC_AGENT_PRIVILEGE (26L)
33 #define SE_ENABLE_DELEGATION_PRIVILEGE (27L)
34 #define SE_MANAGE_VOLUME_PRIVILEGE (28L)
35 #define SE_IMPERSONATE_PRIVILEGE (29L)
36 #define SE_CREATE_GLOBAL_PRIVILEGE (30L)
37 #define SE_TRUSTED_CREDMAN_ACCESS_PRIVILEGE (31L)
38 #define SE_RELABEL_PRIVILEGE (32L)
39 #define SE_INC_WORKING_SET_PRIVILEGE (33L)
40 #define SE_TIME_ZONE_PRIVILEGE (34L)
41 #define SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (35L)
42 #define SE_MAX_WELL_KNOWN_PRIVILEGE SE_CREATE_SYMBOLIC_LINK_PRIVILEGE
43 
44 
45 // Authz
46 
47 // begin_rev
48 
49 // Types
50 
51 #define TOKEN_SECURITY_ATTRIBUTE_TYPE_INVALID 0x00
52 #define TOKEN_SECURITY_ATTRIBUTE_TYPE_INT64 0x01
53 #define TOKEN_SECURITY_ATTRIBUTE_TYPE_UINT64 0x02
54 #define TOKEN_SECURITY_ATTRIBUTE_TYPE_STRING 0x03
55 #define TOKEN_SECURITY_ATTRIBUTE_TYPE_FQBN 0x04
56 #define TOKEN_SECURITY_ATTRIBUTE_TYPE_SID 0x05
57 #define TOKEN_SECURITY_ATTRIBUTE_TYPE_BOOLEAN 0x06
58 #define TOKEN_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING 0x10
59 
60 // Flags
61 
62 #define TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE 0x0001
63 #define TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE 0x0002
64 #define TOKEN_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY 0x0004
65 #define TOKEN_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT 0x0008
66 #define TOKEN_SECURITY_ATTRIBUTE_DISABLED 0x0010
67 #define TOKEN_SECURITY_ATTRIBUTE_MANDATORY 0x0020
68 
69 #define TOKEN_SECURITY_ATTRIBUTE_VALID_FLAGS ( \
70  TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE | \
71  TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE | \
72  TOKEN_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY | \
73  TOKEN_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT | \
74  TOKEN_SECURITY_ATTRIBUTE_DISABLED | \
75  TOKEN_SECURITY_ATTRIBUTE_MANDATORY)
76 
77 #define TOKEN_SECURITY_ATTRIBUTE_CUSTOM_FLAGS 0xffff0000
78 
79 // end_rev
80 
81 // private
82 typedef struct _TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE
83 {
84  ULONG64 Version;
85  UNICODE_STRING Name;
86 } TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE;
87 
88 // private
89 typedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE
90 {
91  PVOID pValue;
92  ULONG ValueLength;
93 } TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE;
94 
95 // private
96 typedef struct _TOKEN_SECURITY_ATTRIBUTE_V1
97 {
98  UNICODE_STRING Name;
99  USHORT ValueType;
100  USHORT Reserved;
101  ULONG Flags;
102  ULONG ValueCount;
103  union
104  {
105  PLONG64 pInt64;
106  PULONG64 pUint64;
107  PUNICODE_STRING pString;
108  PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE pFqbn;
109  PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE pOctetString;
110  } Values;
111 } TOKEN_SECURITY_ATTRIBUTE_V1, *PTOKEN_SECURITY_ATTRIBUTE_V1;
112 
113 // rev
114 #define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1 1
115 // rev
116 #define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1
117 
118 // private
119 typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION
120 {
121  USHORT Version;
122  USHORT Reserved;
123  ULONG AttributeCount;
124  union
125  {
126  PTOKEN_SECURITY_ATTRIBUTE_V1 pAttributeV1;
127  } Attribute;
128 } TOKEN_SECURITY_ATTRIBUTES_INFORMATION, *PTOKEN_SECURITY_ATTRIBUTES_INFORMATION;
129 
130 // Tokens
131 
132 NTSYSCALLAPI
133 NTSTATUS
134 NTAPI
135 NtCreateToken(
136  _Out_ PHANDLE TokenHandle,
137  _In_ ACCESS_MASK DesiredAccess,
138  _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
139  _In_ TOKEN_TYPE TokenType,
140  _In_ PLUID AuthenticationId,
141  _In_ PLARGE_INTEGER ExpirationTime,
142  _In_ PTOKEN_USER User,
143  _In_ PTOKEN_GROUPS Groups,
144  _In_ PTOKEN_PRIVILEGES Privileges,
145  _In_opt_ PTOKEN_OWNER Owner,
146  _In_ PTOKEN_PRIMARY_GROUP PrimaryGroup,
147  _In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl,
148  _In_ PTOKEN_SOURCE TokenSource
149  );
150 
151 #if (PHNT_VERSION >= PHNT_WIN8)
152 NTSYSCALLAPI
153 NTSTATUS
154 NTAPI
155 NtCreateLowBoxToken(
156  _Out_ PHANDLE TokenHandle,
157  _In_ HANDLE ExistingTokenHandle,
158  _In_ ACCESS_MASK DesiredAccess,
159  _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
160  _In_ PSID PackageSid,
161  _In_ ULONG CapabilityCount,
162  _In_reads_opt_(CapabilityCount) PSID_AND_ATTRIBUTES Capabilities,
163  _In_ ULONG HandleCount,
164  _In_reads_opt_(HandleCount) HANDLE *Handles
165  );
166 #endif
167 
168 #if (PHNT_VERSION >= PHNT_WIN8)
169 NTSYSCALLAPI
170 NTSTATUS
171 NTAPI
172 NtCreateTokenEx(
173  _Out_ PHANDLE TokenHandle,
174  _In_ ACCESS_MASK DesiredAccess,
175  _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
176  _In_ TOKEN_TYPE TokenType,
177  _In_ PLUID AuthenticationId,
178  _In_ PLARGE_INTEGER ExpirationTime,
179  _In_ PTOKEN_USER User,
180  _In_ PTOKEN_GROUPS Groups,
181  _In_ PTOKEN_PRIVILEGES Privileges,
182  _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION UserAttributes,
183  _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION DeviceAttributes,
184  _In_opt_ PTOKEN_GROUPS DeviceGroups,
185  _In_opt_ PTOKEN_MANDATORY_POLICY TokenMandatoryPolicy,
186  _In_opt_ PTOKEN_OWNER Owner,
187  _In_ PTOKEN_PRIMARY_GROUP PrimaryGroup,
188  _In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl,
189  _In_ PTOKEN_SOURCE TokenSource
190  );
191 #endif
192 
193 NTSYSCALLAPI
194 NTSTATUS
195 NTAPI
196 NtOpenProcessToken(
197  _In_ HANDLE ProcessHandle,
198  _In_ ACCESS_MASK DesiredAccess,
199  _Out_ PHANDLE TokenHandle
200  );
201 
202 NTSYSCALLAPI
203 NTSTATUS
204 NTAPI
205 NtOpenProcessTokenEx(
206  _In_ HANDLE ProcessHandle,
207  _In_ ACCESS_MASK DesiredAccess,
208  _In_ ULONG HandleAttributes,
209  _Out_ PHANDLE TokenHandle
210  );
211 
212 NTSYSCALLAPI
213 NTSTATUS
214 NTAPI
215 NtOpenThreadToken(
216  _In_ HANDLE ThreadHandle,
217  _In_ ACCESS_MASK DesiredAccess,
218  _In_ BOOLEAN OpenAsSelf,
219  _Out_ PHANDLE TokenHandle
220  );
221 
222 NTSYSCALLAPI
223 NTSTATUS
224 NTAPI
225 NtOpenThreadTokenEx(
226  _In_ HANDLE ThreadHandle,
227  _In_ ACCESS_MASK DesiredAccess,
228  _In_ BOOLEAN OpenAsSelf,
229  _In_ ULONG HandleAttributes,
230  _Out_ PHANDLE TokenHandle
231  );
232 
233 #if (PHNT_VERSION >= PHNT_WIN8)
234 NTSYSCALLAPI
235 NTSTATUS
236 NTAPI
237 NtOpenJobObjectToken(
238  _In_ HANDLE JobHandle,
239  _In_ ACCESS_MASK DesiredAccess,
240  _Out_ PHANDLE TokenHandle
241  );
242 #endif
243 
244 NTSYSCALLAPI
245 NTSTATUS
246 NTAPI
247 NtDuplicateToken(
248  _In_ HANDLE ExistingTokenHandle,
249  _In_ ACCESS_MASK DesiredAccess,
250  _In_ POBJECT_ATTRIBUTES ObjectAttributes,
251  _In_ BOOLEAN EffectiveOnly,
252  _In_ TOKEN_TYPE TokenType,
253  _Out_ PHANDLE NewTokenHandle
254  );
255 
256 NTSYSCALLAPI
257 NTSTATUS
258 NTAPI
259 NtQueryInformationToken(
260  _In_ HANDLE TokenHandle,
261  _In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
262  _Out_writes_bytes_(TokenInformationLength) PVOID TokenInformation,
263  _In_ ULONG TokenInformationLength,
264  _Out_ PULONG ReturnLength
265  );
266 
267 NTSYSCALLAPI
268 NTSTATUS
269 NTAPI
270 NtSetInformationToken(
271  _In_ HANDLE TokenHandle,
272  _In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
273  _In_reads_bytes_(TokenInformationLength) PVOID TokenInformation,
274  _In_ ULONG TokenInformationLength
275  );
276 
277 NTSYSCALLAPI
278 NTSTATUS
279 NTAPI
280 NtAdjustPrivilegesToken(
281  _In_ HANDLE TokenHandle,
282  _In_ BOOLEAN DisableAllPrivileges,
283  _In_opt_ PTOKEN_PRIVILEGES NewState,
284  _In_ ULONG BufferLength,
285  _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES PreviousState,
286  _Out_ _When_(PreviousState == NULL, _Out_opt_) PULONG ReturnLength
287  );
288 
289 NTSYSCALLAPI
290 NTSTATUS
291 NTAPI
292 NtAdjustGroupsToken(
293  _In_ HANDLE TokenHandle,
294  _In_ BOOLEAN ResetToDefault,
295  _In_opt_ PTOKEN_GROUPS NewState,
296  _In_opt_ ULONG BufferLength,
297  _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_GROUPS PreviousState,
298  _Out_ PULONG ReturnLength
299  );
300 
301 #if (PHNT_VERSION >= PHNT_WIN8)
302 NTSYSCALLAPI
303 NTSTATUS
304 NTAPI
305 NtAdjustTokenClaimsAndDeviceGroups(
306  _In_ HANDLE TokenHandle,
307  _In_ BOOLEAN UserResetToDefault,
308  _In_ BOOLEAN DeviceResetToDefault,
309  _In_ BOOLEAN DeviceGroupsResetToDefault,
310  _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewUserState,
311  _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewDeviceState,
312  _In_opt_ PTOKEN_GROUPS NewDeviceGroupsState,
313  _In_ ULONG UserBufferLength,
314  _Out_writes_bytes_to_opt_(UserBufferLength, *UserReturnLength) PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousUserState,
315  _In_ ULONG DeviceBufferLength,
316  _Out_writes_bytes_to_opt_(DeviceBufferLength, *DeviceReturnLength) PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousDeviceState,
317  _In_ ULONG DeviceGroupsBufferLength,
318  _Out_writes_bytes_to_opt_(DeviceGroupsBufferLength, *DeviceGroupsReturnBufferLength) PTOKEN_GROUPS PreviousDeviceGroups,
319  _Out_opt_ PULONG UserReturnLength,
320  _Out_opt_ PULONG DeviceReturnLength,
321  _Out_opt_ PULONG DeviceGroupsReturnBufferLength
322  );
323 #endif
324 
325 NTSYSCALLAPI
326 NTSTATUS
327 NTAPI
328 NtFilterToken(
329  _In_ HANDLE ExistingTokenHandle,
330  _In_ ULONG Flags,
331  _In_opt_ PTOKEN_GROUPS SidsToDisable,
332  _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,
333  _In_opt_ PTOKEN_GROUPS RestrictedSids,
334  _Out_ PHANDLE NewTokenHandle
335  );
336 
337 #if (PHNT_VERSION >= PHNT_WIN8)
338 NTSYSCALLAPI
339 NTSTATUS
340 NTAPI
341 NtFilterTokenEx(
342  _In_ HANDLE ExistingTokenHandle,
343  _In_ ULONG Flags,
344  _In_opt_ PTOKEN_GROUPS SidsToDisable,
345  _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,
346  _In_opt_ PTOKEN_GROUPS RestrictedSids,
347  _In_ ULONG DisableUserClaimsCount,
348  _In_opt_ PUNICODE_STRING UserClaimsToDisable,
349  _In_ ULONG DisableDeviceClaimsCount,
350  _In_opt_ PUNICODE_STRING DeviceClaimsToDisable,
351  _In_opt_ PTOKEN_GROUPS DeviceGroupsToDisable,
352  _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedUserAttributes,
353  _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedDeviceAttributes,
354  _In_opt_ PTOKEN_GROUPS RestrictedDeviceGroups,
355  _Out_ PHANDLE NewTokenHandle
356  );
357 #endif
358 
359 NTSYSCALLAPI
360 NTSTATUS
361 NTAPI
362 NtCompareTokens(
363  _In_ HANDLE FirstTokenHandle,
364  _In_ HANDLE SecondTokenHandle,
365  _Out_ PBOOLEAN Equal
366  );
367 
368 NTSYSCALLAPI
369 NTSTATUS
370 NTAPI
371 NtPrivilegeCheck(
372  _In_ HANDLE ClientToken,
373  _Inout_ PPRIVILEGE_SET RequiredPrivileges,
374  _Out_ PBOOLEAN Result
375  );
376 
377 NTSYSCALLAPI
378 NTSTATUS
379 NTAPI
380 NtImpersonateAnonymousToken(
381  _In_ HANDLE ThreadHandle
382  );
383 
384 #if (PHNT_VERSION >= PHNT_WIN7)
385 // rev
386 NTSYSCALLAPI
387 NTSTATUS
388 NTAPI
389 NtQuerySecurityAttributesToken(
390  _In_ HANDLE TokenHandle,
391  _In_reads_opt_(NumberOfAttributes) PUNICODE_STRING Attributes,
392  _In_ ULONG NumberOfAttributes,
393  _Out_writes_bytes_(Length) PVOID Buffer, // PTOKEN_SECURITY_ATTRIBUTES_INFORMATION
394  _In_ ULONG Length,
395  _Out_ PULONG ReturnLength
396  );
397 #endif
398 
399 // Access checking
400 
401 NTSYSCALLAPI
402 NTSTATUS
403 NTAPI
404 NtAccessCheck(
405  _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
406  _In_ HANDLE ClientToken,
407  _In_ ACCESS_MASK DesiredAccess,
408  _In_ PGENERIC_MAPPING GenericMapping,
409  _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
410  _Inout_ PULONG PrivilegeSetLength,
411  _Out_ PACCESS_MASK GrantedAccess,
412  _Out_ PNTSTATUS AccessStatus
413  );
414 
415 NTSYSCALLAPI
416 NTSTATUS
417 NTAPI
418 NtAccessCheckByType(
419  _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
420  _In_opt_ PSID PrincipalSelfSid,
421  _In_ HANDLE ClientToken,
422  _In_ ACCESS_MASK DesiredAccess,
423  _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
424  _In_ ULONG ObjectTypeListLength,
425  _In_ PGENERIC_MAPPING GenericMapping,
426  _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
427  _Inout_ PULONG PrivilegeSetLength,
428  _Out_ PACCESS_MASK GrantedAccess,
429  _Out_ PNTSTATUS AccessStatus
430  );
431 
432 NTSYSCALLAPI
433 NTSTATUS
434 NTAPI
435 NtAccessCheckByTypeResultList(
436  _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
437  _In_opt_ PSID PrincipalSelfSid,
438  _In_ HANDLE ClientToken,
439  _In_ ACCESS_MASK DesiredAccess,
440  _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
441  _In_ ULONG ObjectTypeListLength,
442  _In_ PGENERIC_MAPPING GenericMapping,
443  _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
444  _Inout_ PULONG PrivilegeSetLength,
445  _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
446  _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus
447  );
448 
449 // Signing
450 
451 // rev
452 typedef ULONG SE_SIGNING_LEVEL, *PSE_SIGNING_LEVEL; // ?
453 
454 #if (PHNT_VERSION >= PHNT_THRESHOLD)
455 
456 NTSYSCALLAPI
457 NTSTATUS
458 NTAPI
459 NtSetCachedSigningLevel(
460  _In_ ULONG Flags,
461  _In_ SE_SIGNING_LEVEL InputSigningLevel,
462  _In_reads_(SourceFileCount) PHANDLE SourceFiles,
463  _In_ ULONG SourceFileCount,
464  _In_opt_ HANDLE TargetFile
465  );
466 
467 NTSYSCALLAPI
468 NTSTATUS
469 NTAPI
470 NtGetCachedSigningLevel(
471  _In_ HANDLE File,
472  _Out_ PULONG Flags,
473  _Out_ PSE_SIGNING_LEVEL SigningLevel,
474  _Out_writes_bytes_to_opt_(*ThumbprintSize, *ThumbprintSize) PUCHAR Thumbprint,
475  _Inout_opt_ PULONG ThumbprintSize,
476  _Out_opt_ PULONG ThumbprintAlgorithm
477  );
478 
479 #endif
480 
481 // Audit alarm
482 
483 NTSYSCALLAPI
484 NTSTATUS
485 NTAPI
486 NtAccessCheckAndAuditAlarm(
487  _In_ PUNICODE_STRING SubsystemName,
488  _In_opt_ PVOID HandleId,
489  _In_ PUNICODE_STRING ObjectTypeName,
490  _In_ PUNICODE_STRING ObjectName,
491  _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
492  _In_ ACCESS_MASK DesiredAccess,
493  _In_ PGENERIC_MAPPING GenericMapping,
494  _In_ BOOLEAN ObjectCreation,
495  _Out_ PACCESS_MASK GrantedAccess,
496  _Out_ PNTSTATUS AccessStatus,
497  _Out_ PBOOLEAN GenerateOnClose
498  );
499 
500 NTSYSCALLAPI
501 NTSTATUS
502 NTAPI
503 NtAccessCheckByTypeAndAuditAlarm(
504  _In_ PUNICODE_STRING SubsystemName,
505  _In_opt_ PVOID HandleId,
506  _In_ PUNICODE_STRING ObjectTypeName,
507  _In_ PUNICODE_STRING ObjectName,
508  _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
509  _In_opt_ PSID PrincipalSelfSid,
510  _In_ ACCESS_MASK DesiredAccess,
511  _In_ AUDIT_EVENT_TYPE AuditType,
512  _In_ ULONG Flags,
513  _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
514  _In_ ULONG ObjectTypeListLength,
515  _In_ PGENERIC_MAPPING GenericMapping,
516  _In_ BOOLEAN ObjectCreation,
517  _Out_ PACCESS_MASK GrantedAccess,
518  _Out_ PNTSTATUS AccessStatus,
519  _Out_ PBOOLEAN GenerateOnClose
520  );
521 
522 NTSYSCALLAPI
523 NTSTATUS
524 NTAPI
525 NtAccessCheckByTypeResultListAndAuditAlarm(
526  _In_ PUNICODE_STRING SubsystemName,
527  _In_opt_ PVOID HandleId,
528  _In_ PUNICODE_STRING ObjectTypeName,
529  _In_ PUNICODE_STRING ObjectName,
530  _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
531  _In_opt_ PSID PrincipalSelfSid,
532  _In_ ACCESS_MASK DesiredAccess,
533  _In_ AUDIT_EVENT_TYPE AuditType,
534  _In_ ULONG Flags,
535  _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
536  _In_ ULONG ObjectTypeListLength,
537  _In_ PGENERIC_MAPPING GenericMapping,
538  _In_ BOOLEAN ObjectCreation,
539  _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
540  _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus,
541  _Out_ PBOOLEAN GenerateOnClose
542  );
543 
544 NTSYSCALLAPI
545 NTSTATUS
546 NTAPI
547 NtAccessCheckByTypeResultListAndAuditAlarmByHandle(
548  _In_ PUNICODE_STRING SubsystemName,
549  _In_opt_ PVOID HandleId,
550  _In_ HANDLE ClientToken,
551  _In_ PUNICODE_STRING ObjectTypeName,
552  _In_ PUNICODE_STRING ObjectName,
553  _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
554  _In_opt_ PSID PrincipalSelfSid,
555  _In_ ACCESS_MASK DesiredAccess,
556  _In_ AUDIT_EVENT_TYPE AuditType,
557  _In_ ULONG Flags,
558  _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
559  _In_ ULONG ObjectTypeListLength,
560  _In_ PGENERIC_MAPPING GenericMapping,
561  _In_ BOOLEAN ObjectCreation,
562  _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
563  _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus,
564  _Out_ PBOOLEAN GenerateOnClose
565  );
566 
567 NTSYSCALLAPI
568 NTSTATUS
569 NTAPI
570 NtOpenObjectAuditAlarm(
571  _In_ PUNICODE_STRING SubsystemName,
572  _In_opt_ PVOID HandleId,
573  _In_ PUNICODE_STRING ObjectTypeName,
574  _In_ PUNICODE_STRING ObjectName,
575  _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor,
576  _In_ HANDLE ClientToken,
577  _In_ ACCESS_MASK DesiredAccess,
578  _In_ ACCESS_MASK GrantedAccess,
579  _In_opt_ PPRIVILEGE_SET Privileges,
580  _In_ BOOLEAN ObjectCreation,
581  _In_ BOOLEAN AccessGranted,
582  _Out_ PBOOLEAN GenerateOnClose
583  );
584 
585 NTSYSCALLAPI
586 NTSTATUS
587 NTAPI
588 NtPrivilegeObjectAuditAlarm(
589  _In_ PUNICODE_STRING SubsystemName,
590  _In_opt_ PVOID HandleId,
591  _In_ HANDLE ClientToken,
592  _In_ ACCESS_MASK DesiredAccess,
593  _In_ PPRIVILEGE_SET Privileges,
594  _In_ BOOLEAN AccessGranted
595  );
596 
597 NTSYSCALLAPI
598 NTSTATUS
599 NTAPI
600 NtCloseObjectAuditAlarm(
601  _In_ PUNICODE_STRING SubsystemName,
602  _In_opt_ PVOID HandleId,
603  _In_ BOOLEAN GenerateOnClose
604  );
605 
606 NTSYSCALLAPI
607 NTSTATUS
608 NTAPI
609 NtDeleteObjectAuditAlarm(
610  _In_ PUNICODE_STRING SubsystemName,
611  _In_opt_ PVOID HandleId,
612  _In_ BOOLEAN GenerateOnClose
613  );
614 
615 NTSYSCALLAPI
616 NTSTATUS
617 NTAPI
618 NtPrivilegedServiceAuditAlarm(
619  _In_ PUNICODE_STRING SubsystemName,
620  _In_ PUNICODE_STRING ServiceName,
621  _In_ HANDLE ClientToken,
622  _In_ PPRIVILEGE_SET Privileges,
623  _In_ BOOLEAN AccessGranted
624  );
625 
626 // Misc.
627 
628 typedef enum _FILTER_BOOT_OPTION_OPERATION
629 {
630  FilterBootOptionOperationOpenSystemStore,
631  FilterBootOptionOperationSetElement,
632  FilterBootOptionOperationDeleteElement,
633  FilterBootOptionOperationMax
634 } FILTER_BOOT_OPTION_OPERATION;
635 
636 #if (PHNT_VERSION >= PHNT_THRESHOLD)
637 NTSYSCALLAPI
638 NTSTATUS
639 NTAPI
640 NtFilterBootOption(
641  _In_ FILTER_BOOT_OPTION_OPERATION FilterOperation,
642  _In_ ULONG ObjectType,
643  _In_ ULONG ElementType,
644  _In_reads_bytes_opt_(DataSize) PVOID Data,
645  _In_ ULONG DataSize
646  );
647 #endif
648 
649 #endif