|
|
- using System.IO;
- using System.Windows;
- using TrustedUninstaller.Shared.Actions;
- using TrustedUninstaller.Shared.Tasks;
- using System;
- using System.Collections.Generic;
- using System.Diagnostics;
- using System.Linq;
- using System.Runtime.InteropServices;
- using System.Security.Principal;
- using System.ServiceProcess;
- using System.Text;
- using System.Threading;
- using Microsoft.Win32;
-
- namespace TrustedUninstaller.Shared
- {
- public static class Defender
- {
- private static KeyValuePair<string, ProcessType>[] DefenderItems =
- {
- new KeyValuePair<string, ProcessType>("CompatTelRunner", ProcessType.Exe),
- new KeyValuePair<string, ProcessType>("DWWIN", ProcessType.Exe),
- new KeyValuePair<string, ProcessType>("DeviceCensus", ProcessType.Exe),
- new KeyValuePair<string, ProcessType>("GameBarPresenceWriter", ProcessType.Exe),
- new KeyValuePair<string, ProcessType>("SecurityHealthHost", ProcessType.Exe),
- new KeyValuePair<string, ProcessType>("SecurityHealthService", ProcessType.Exe), // SecurityHealthService
- new KeyValuePair<string, ProcessType>("SecurityHealthSystray", ProcessType.Exe),
- new KeyValuePair<string, ProcessType>("smartscreen", ProcessType.Exe),
- //new KeyValuePair<string, ProcessType>("MpCmdRun", ProcessType.Exe),
- new KeyValuePair<string, ProcessType>("NisSrv", ProcessType.Exe),
- new KeyValuePair<string, ProcessType>("wscsvc", ProcessType.Service), // Windows Security Center
- new KeyValuePair<string, ProcessType>("WinDefend", ProcessType.Service), // Microsoft Defender Antivirus Service
- new KeyValuePair<string, ProcessType>("Sense", ProcessType.Service), // Windows Defender Advanced Threat Protection Service
- new KeyValuePair<string, ProcessType>("WdNisSvc", ProcessType.Service), // Microsoft Defender Antivirus Network Inspection Service
- new KeyValuePair<string, ProcessType>("WdNisDrv", ProcessType.Device), // Microsoft Defender Antivirus Network Inspection Driver
- //new KeyValuePair<string, ProcessType>("WdFilter", ProcessType.Device), // Windows Defender Disk inspection Minifilter,
- };
-
- //[DllImport("Unlocker.dll", CallingConvention = CallingConvention.Cdecl, CharSet = CharSet.Unicode)]
- //private static extern bool EzUnlockFileW(string path);
-
- private static readonly string[] defenderDirs =
- {
- Environment.ExpandEnvironmentVariables(@"%ProgramData%\Microsoft\Windows Defender"),
- Environment.ExpandEnvironmentVariables(@"%ProgramFiles%\Windows Defender"),
- Environment.ExpandEnvironmentVariables(@"%ProgramFiles%\Windows Defender Advanced Threat Protection")
- };
-
- private static void RenameAllChildFiles(string dir, bool reset)
- {
- foreach (var subDir in Directory.GetDirectories(dir))
- {
- try
- {
- RenameAllChildFiles(subDir, reset);
- }
- catch (Exception e)
- {
- }
- }
-
- foreach (var file in Directory.GetFiles(dir, reset ? "*.oldx" : "*", SearchOption.TopDirectoryOnly))
- {
- try
- {
- File.Move(file, reset ? file.Substring(0, file.Length - 4) : file + ".oldx");
- }
- catch (Exception e)
- {
- }
- }
- }
- public static void Cripple()
- {
- foreach (var defenderDir in defenderDirs)
- {
- try
- {
- RenameAllChildFiles(defenderDir, false);
- }
- catch (Exception e)
- {
- ErrorLogger.WriteToErrorLog("Error renaming files: " + e.GetType() + " " + e.Message, null, "Defender cripple warning", defenderDir);
- }
- }
- }
-
-
- public static void DeCripple()
- {
- foreach (var defenderDir in defenderDirs)
- {
- try
- {
- RenameAllChildFiles(defenderDir, true);
- }
- catch (Exception e)
- {
- }
- }
- }
-
- public static bool Disable()
- {
- bool restartRequired = true;
-
- foreach (var service in DefenderItems.Where(x => x.Value == ProcessType.Service || x.Value == ProcessType.Device).Select(x => x.Key))
- {
- AmeliorationUtil.SafeRunAction(new RegistryValueAction()
- { KeyName = @"HKLM\SYSTEM\CurrentControlSet\Services\" + service, Value = "Start", Data = 4, Type = RegistryValueType.REG_DWORD, Operation = RegistryValueOperation.Set }).Wait();
- }
-
- AmeliorationUtil.SafeRunAction(new RegistryValueAction()
- { KeyName = @"HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService", Value = "Start", Data = 4, Type = RegistryValueType.REG_DWORD }).Wait();
- AmeliorationUtil.SafeRunAction(new RegistryValueAction()
- { KeyName = @"HKLM\SOFTWARE\Policies\Microsoft\Windows\System", Value = "EnableSmartScreen", Data = 0, Type = RegistryValueType.REG_DWORD }).Wait();
-
- try
- {
- new RegistryValueAction() { KeyName = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender", Value = "ProductAppDataPath", Operation = RegistryValueOperation.Delete }.RunTask().Wait();
- new RegistryValueAction() { KeyName = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender", Value = "InstallLocation", Operation = RegistryValueOperation.Delete }.RunTask().Wait();
- }
- catch (Exception e)
- {
- ErrorLogger.WriteToErrorLog("Error removing Defender install values: " + e.GetType() + " " + e.Message, null, "Defender disable warning");
-
- new RunAction()
- {
- RawPath = Directory.GetCurrentDirectory(),
- Exe = $"NSudoLC.exe",
- Arguments = "-U:T -P:E -M:S -ShowWindowMode:Hide -Priority:RealTime -Wait cmd /c \"reg delete \"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\" /v \"ProductAppDataPath\" /f &" +
- " reg delete \"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\" /v \"InstallLocation\" /f\"",
- CreateWindow = false
- }.RunTaskOnMainThread();
-
- if (new RegistryValueAction() { KeyName = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender", Value = "InstallLocation", Operation = RegistryValueOperation.Delete }.GetStatus() !=
- UninstallTaskStatus.Completed)
- throw new Exception("Could not remove defender install values.");
- }
-
- try
- {
- new RegistryKeyAction() { KeyName = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinDefend" }.RunTask().Wait();
-
- if (new RegistryKeyAction() { KeyName = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinDefend" }.GetStatus() !=
- UninstallTaskStatus.Completed)
- throw new Exception("Unknown reason");
- }
- catch (Exception e)
- {
- ErrorLogger.WriteToErrorLog("First WinDefend service removal failed: " + e.GetType() + " " + e.Message, null, "Defender disable warning");
-
- new RunAction()
- {
- RawPath = Directory.GetCurrentDirectory(),
- Exe = $"NSudoLC.exe",
- Arguments = "-U:T -P:E -M:S -ShowWindowMode:Hide -Priority:RealTime -Wait reg delete \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinDefend\" /f",
- CreateWindow = false
- }.RunTaskOnMainThread();
-
- if (new RegistryKeyAction() { KeyName = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinDefend" }.GetStatus() !=
- UninstallTaskStatus.Completed)
- {
- ErrorLogger.WriteToErrorLog("WinDefend service removal failed." + e.GetType(), null, "Defender disable warning");
-
- try
- {
- new RegistryValueAction()
- { KeyName = @"HKLM\SYSTEM\CurrentControlSet\Services\WinDefend", Value = "Start", Data = 4, Type = RegistryValueType.REG_DWORD }.RunTask().Wait();
-
- if (new RegistryValueAction() { KeyName = @"HKLM\SYSTEM\CurrentControlSet\Services\WinDefend", Value = "Start", Data = 4, Type = RegistryValueType.REG_DWORD }.GetStatus() !=
- UninstallTaskStatus.Completed)
- throw new Exception("Unknown reason");
- }
- catch (Exception ex)
- {
- ErrorLogger.WriteToErrorLog("First WinDefend disable failed: " + e.GetType() + " " + e.Message, null, "Defender disable warning");
-
- new RunAction()
- {
- RawPath = Directory.GetCurrentDirectory(),
- Exe = $"NSudoLC.exe",
- Arguments = "-U:T -P:E -M:S -ShowWindowMode:Hide -Priority:RealTime -Wait reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinDefend\" /v \"Start\" /t REG_DWORD /d 4 /f",
- CreateWindow = false
- }.RunTaskOnMainThread();
-
- if (new RegistryValueAction() { KeyName = @"HKLM\SYSTEM\CurrentControlSet\Services\WinDefend", Value = "Start", Data = 4, Type = RegistryValueType.REG_DWORD }.GetStatus() !=
- UninstallTaskStatus.Completed)
- throw new Exception("Could not disable WinDefend service.");
- }
- }
- }
-
- try
- {
- // MpOAV.dll is normally in use by a lot of processes. This prevents that.
- new RegistryKeyAction() { KeyName = @"HKCR\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32" }.RunTask().Wait();
-
- if (new RegistryKeyAction() { KeyName = @"HKCR\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32" }.GetStatus() !=
- UninstallTaskStatus.Completed)
- throw new Exception("Unknown reason");
- }
- catch (Exception e)
- {
- ErrorLogger.WriteToErrorLog("First MpOAV mapping removal failed: " + e.GetType() + " " + e.Message, null, "Defender disable warning");
-
- new RunAction()
- {
- RawPath = Directory.GetCurrentDirectory(),
- Exe = $"NSudoLC.exe",
- Arguments = @"-U:T -P:E -M:S -Priority:RealTime -ShowWindowMode:Hide -Wait reg delete ""HKCR\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32"" /f",
- CreateWindow = false
- }.RunTaskOnMainThread();
-
- if (new RegistryKeyAction() { KeyName = @"HKCR\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32" }.GetStatus() !=
- UninstallTaskStatus.Completed)
- ErrorLogger.WriteToErrorLog("Could not remove MpOAV mapping.", null, "Defender disable warning");
- }
-
- try
- {
- // smartscreenps.dll is sometimes in use by a lot of processes. This prevents that.
- new RegistryKeyAction() { KeyName = @"HKCR\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}\InprocServer32" }.RunTask().Wait();
-
- // This may not be important.
- new RegistryKeyAction() { KeyName = @"HKCR\WOW6432Node\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}\InprocServer32" }.RunTask().Wait();
- new RegistryKeyAction() { KeyName = @"HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.Security.SmartScreen.AppReputationService" }.RunTask().Wait();
- new RegistryKeyAction() { KeyName = @"HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.Security.SmartScreen.EventLogger" }.RunTask().Wait();
- new RegistryKeyAction() { KeyName = @"HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.Security.SmartScreen.UriReputationService" }.RunTask().Wait();
-
- if (new RegistryKeyAction() { KeyName = @"HKCR\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}\InprocServer32" }.GetStatus() !=
- UninstallTaskStatus.Completed)
- throw new Exception("Unknown reason");
- }
- catch (Exception e)
- {
- ErrorLogger.WriteToErrorLog("First smartscreenps mapping removal failed: " + e.GetType() + " " + e.Message, null, "Defender disable warning");
-
- new RunAction()
- {
- RawPath = Directory.GetCurrentDirectory(),
- Exe = $"NSudoLC.exe",
- Arguments = "-U:T -P:E -M:S -ShowWindowMode:Hide -Priority:RealTime -Wait cmd /c \"reg delete \"HKCR\\CLSID\\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}\\InprocServer32\" /f &" +
- "reg delete \"HKCR\\WOW6432Node\\CLSID\\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}\\InprocServer32\" /f &" +
- "reg delete \"HKLM\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Security.SmartScreen.AppReputationService\" /f &" +
- "reg delete \"HKLM\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Security.SmartScreen.EventLogger\" /f &" +
- "reg delete \"HKLM\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Security.SmartScreen.UriReputationService\" /f\"",
- CreateWindow = false
- }.RunTaskOnMainThread();
-
- if (new RegistryKeyAction() { KeyName = @"HKCR\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}\InprocServer32" }.GetStatus() !=
- UninstallTaskStatus.Completed)
- ErrorLogger.WriteToErrorLog("Could not remove smartscreenps mapping.", null, "Defender disable warning");
- }
-
-
- try
- {
- // Can cause ProcessHacker driver warnings without this
- new RegistryValueAction() { KeyName = @"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity", Value = "Enabled", Data = 0, }.RunTask().Wait();
-
- if (new RegistryValueAction() { KeyName = @"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity", Value = "Enabled", Data = 0, }.GetStatus()
- != UninstallTaskStatus.Completed)
- throw new Exception("Unknown error");
- }
- catch (Exception e)
- {
- ErrorLogger.WriteToErrorLog("First memory integrity disable failed: " + e.GetType() + " " + e.Message, null, "Defender disable warning");
-
- new RunAction()
- {
- RawPath = Directory.GetCurrentDirectory(),
- Exe = $"NSudoLC.exe",
- Arguments =
- @"-U:T -P:E -M:S -ShowWindowMode:Hide -Priority:RealTime -Wait reg add ""HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"" /v Enabled /d 0 /f",
- CreateWindow = false
- }.RunTaskOnMainThread();
-
- if (new RegistryValueAction() { KeyName = @"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity", Value = "Enabled", Data = 0, }.GetStatus()
- != UninstallTaskStatus.Completed)
- ErrorLogger.WriteToErrorLog("Could not disable memory integrity.", null, "Defender disable warning");
- }
-
- try
- {
- // Can cause ProcessHacker driver warnings without this
- new RegistryValueAction() { KeyName = @"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity", Value = "Enabled", Data = 0, }.RunTask().Wait();
-
- if (new RegistryValueAction() { KeyName = @"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity", Value = "Enabled", Data = 0, }.GetStatus()
- != UninstallTaskStatus.Completed)
- throw new Exception("Unknown error");
- }
- catch (Exception e)
- {
- ErrorLogger.WriteToErrorLog("First memory integrity disable failed: " + e.GetType() + " " + e.Message, null, "Defender disable warning");
-
- new RunAction()
- {
- RawPath = Directory.GetCurrentDirectory(),
- Exe = $"NSudoLC.exe",
- Arguments =
- @"-U:T -P:E -M:S -ShowWindowMode:Hide -Priority:RealTime -Wait reg add ""HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"" /v Enabled /d 0 /f",
- CreateWindow = false
- }.RunTaskOnMainThread();
-
- if (new RegistryValueAction() { KeyName = @"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity", Value = "Enabled", Data = 0, }.GetStatus()
- != UninstallTaskStatus.Completed)
- ErrorLogger.WriteToErrorLog("Could not disable memory integrity.", null, "Defender disable warning");
- }
-
- try
- {
- // Can cause ProcessHacker driver warnings without this
- new RegistryValueAction() { KeyName = @"HKLM\SYSTEM\CurrentControlSet\Control\CI\Config", Value = "VulnerableDriverBlocklistEnable", Data = 0, }.RunTask().Wait();
-
- if (new RegistryValueAction() { KeyName = @"HKLM\SYSTEM\CurrentControlSet\Control\CI\Config", Value = "VulnerableDriverBlocklistEnable", Data = 0, }.GetStatus()
- != UninstallTaskStatus.Completed)
- throw new Exception("Unknown error");
- }
- catch (Exception e)
- {
- ErrorLogger.WriteToErrorLog("First blocklist disable failed: " + e.GetType() + " " + e.Message, null, "Kernel driver preparation warning");
-
- new RunAction()
- {
- RawPath = Directory.GetCurrentDirectory(),
- Exe = $"NSudoLC.exe",
- Arguments =
- @"-U:T -P:E -M:S -ShowWindowMode:Hide -Priority:RealTime -Wait reg add ""HKLM\SYSTEM\CurrentControlSet\Control\CI\Config"" /v VulnerableDriverBlocklistEnable /d 0 /f",
- CreateWindow = false
- }.RunTaskOnMainThread();
-
- if (new RegistryValueAction() { KeyName = @"HKLM\SYSTEM\CurrentControlSet\Control\CI\Config", Value = "VulnerableDriverBlocklistEnable", Data = 0, }.GetStatus()
- != UninstallTaskStatus.Completed)
- ErrorLogger.WriteToErrorLog("Could not disable blocklist.", null, "Kernel driver preparation error");
- }
-
- return restartRequired;
- }
-
- public static void GetDefenderPrivileges()
- {
- IntPtr impersonatedTokenHandle = IntPtr.Zero;
-
- ImpersonateProcessByName("winlogon", ref impersonatedTokenHandle);
-
- ImpersonateProcessByName("lsass", ref impersonatedTokenHandle);
-
- impersonatedTokenHandle = CreateWinDefendToken(impersonatedTokenHandle, false);
-
- PInvoke.ImpersonateLoggedOnUser(impersonatedTokenHandle);
- }
-
- public static IntPtr StartElevatedProcess(string exe, string command)
- {
- IntPtr impersonatedTokenHandle = IntPtr.Zero;
-
- ImpersonateProcessByName("winlogon", ref impersonatedTokenHandle);
-
- ImpersonateProcessByName("lsass", ref impersonatedTokenHandle);
-
- impersonatedTokenHandle = CreateWinDefendToken(impersonatedTokenHandle, true);
-
- var startupInfo = new PInvoke.STARTUPINFO();
- startupInfo.cb = Marshal.SizeOf(startupInfo);
- startupInfo.lpDesktop = "Winsta0\\Default";
-
- if (!String.IsNullOrEmpty(command))
- command = command.Insert(0, " ");
-
- if (!PInvoke.CreateProcessWithToken(
- impersonatedTokenHandle,
- PInvoke.LogonFlags.WithProfile,
- null,
- $@"""{exe}""{command}",
- 0,
- IntPtr.Zero,
- Environment.CurrentDirectory,
- ref startupInfo,
- out PInvoke.PROCESS_INFORMATION processInformation))
- {
- throw new Exception(Marshal.GetLastWin32Error().ToString());
- }
-
- PInvoke.CloseHandle(processInformation.hThread);
-
- return processInformation.hProcess;
- }
-
- public static uint WaitForProcessExit(IntPtr hProcess, uint timeout = uint.MaxValue)
- {
-
- PInvoke.WaitForSingleObject(hProcess, timeout);
- if (!PInvoke.GetExitCodeProcess(hProcess, out uint exitCode))
- {
- PInvoke.CloseHandle(hProcess);
- throw new Exception("Process timeout exceeded: " + Marshal.GetLastWin32Error());
- }
- PInvoke.CloseHandle(hProcess);
-
- return exitCode;
- }
-
- public
-
- enum ProcessType
- {
- Service = 1,
- Device = 2,
- Exe = 3,
- }
- public static bool Kill()
- {
- try
- {
- GetDefenderPrivileges();
-
- AmeliorationUtil.SafeRunAction(new RegistryValueAction()
- {
- KeyName = $"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\Notifications",
- Value = "DisableNotifications",
- Data = 1,
- Type = RegistryValueType.REG_DWORD
- }).Wait();
- AmeliorationUtil.SafeRunAction(new RegistryValueAction()
- {
- KeyName = @"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance",
- Value = "Enabled",
- Data = 0,
- Scope = Scope.CurrentUser,
- Type = RegistryValueType.REG_DWORD
- }).Wait();
-
- var services = ServiceController.GetServices();
- var devices = ServiceController.GetDevices();
-
- var stopped = new List<ServiceController>();
- var notStopped = new List<ServiceController>();
-
-
- foreach (var item in DefenderItems)
- {
- try
- {
- if (item.Value == ProcessType.Exe)
- {
- var process = Process.GetProcessesByName(item.Key).FirstOrDefault();
- if (process != null)
- process.Kill();
-
- continue;
- }
-
- var controller = item.Value == ProcessType.Service ?
- services.FirstOrDefault(x => x.ServiceName == item.Key) :
- devices.FirstOrDefault(x => x.ServiceName == item.Key);
-
- if (controller == null || controller.Status == ServiceControllerStatus.Stopped)
- continue;
- try
- {
- controller.Stop();
- stopped.Add(controller);
- }
- catch (Exception e)
- {
- ErrorLogger.WriteToErrorLog("Service stop error: " + e.GetType() + " " + e.Message, null, "Defender kill warning", controller.ServiceName);
- notStopped.Add(controller);
- }
- } catch (Exception e)
- { ErrorLogger.WriteToErrorLog("Error during service kill loop: " + e.GetType() + " " + e.Message, e.StackTrace, "Defender kill warning", item.Key); }
- }
-
- foreach (var controller in stopped)
- {
- try
- {
- controller.WaitForStatus(ServiceControllerStatus.Stopped, TimeSpan.FromSeconds(5));
- } catch (Exception e)
- { ErrorLogger.WriteToErrorLog("Error waiting for service: " + e.GetType() + " " + e.Message, null, "Defender kill warning", controller.ServiceName); }
- }
-
- if (notStopped.Count > 0)
- {
- Thread.Sleep(1000);
-
- foreach (var controller in notStopped)
- {
- try
- {
- controller.Stop();
- controller.WaitForStatus(ServiceControllerStatus.Stopped, TimeSpan.FromSeconds(7));
- }
- catch (Exception e)
- { ErrorLogger.WriteToErrorLog("Service stop re-try error: " + e.GetType() + " " + e.Message, null, "Defender kill warning", controller.ServiceName); }
- }
- }
-
- if (Process.GetProcessesByName("MsMpEng").Any())
- {
- ErrorLogger.WriteToErrorLog("First Defender stop failed", null, "Defender kill warning");
-
- new RunAction()
- {
- RawPath = Directory.GetCurrentDirectory(),
- Exe = $"NSudoLC.exe",
- Arguments = "-U:T -P:E -M:S -ShowWindowMode:Hide -Priority:RealTime -Wait cmd /c \"" +
- "sc sdset \"WinDefend\" \"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)\"&" +
- "sc config WinDefend start=disabled&" +
- "net stop WinDefend\"",
- CreateWindow = false,
- Timeout = 7500,
- }.RunTaskOnMainThread();
- }
-
- return !Process.GetProcessesByName("MsMpEng").Any();
- }
- catch (Exception e)
- {
- ErrorLogger.WriteToErrorLog("Unknown error: " + e.GetType() + " " + e.Message, e.StackTrace, "Defender kill error");
- return false;
- }
- }
-
- private static IntPtr CreateWinDefendToken(IntPtr handle, bool primary)
- {
- var privileges = new string[] {
- PInvoke.SE_CREATE_TOKEN_NAME,
- PInvoke.SE_ASSIGNPRIMARYTOKEN_NAME,
- PInvoke.SE_LOCK_MEMORY_NAME,
- PInvoke.SE_INCREASE_QUOTA_NAME,
- PInvoke.SE_MACHINE_ACCOUNT_NAME,
- PInvoke.SE_TCB_NAME,
- PInvoke.SE_SECURITY_NAME,
- PInvoke.SE_TAKE_OWNERSHIP_NAME,
- PInvoke.SE_LOAD_DRIVER_NAME,
- PInvoke.SE_SYSTEM_PROFILE_NAME,
- PInvoke.SE_SYSTEMTIME_NAME,
- PInvoke.SE_PROFILE_SINGLE_PROCESS_NAME,
- PInvoke.SE_INCREASE_BASE_PRIORITY_NAME,
- PInvoke.SE_CREATE_PAGEFILE_NAME,
- PInvoke.SE_CREATE_PERMANENT_NAME,
- PInvoke.SE_BACKUP_NAME,
- PInvoke.SE_RESTORE_NAME,
- PInvoke.SE_SHUTDOWN_NAME,
- PInvoke.SE_DEBUG_NAME,
- PInvoke.SE_AUDIT_NAME,
- PInvoke.SE_SYSTEM_ENVIRONMENT_NAME,
- PInvoke.SE_CHANGE_NOTIFY_NAME,
- PInvoke.SE_REMOTE_SHUTDOWN_NAME,
- PInvoke.SE_UNDOCK_NAME,
- PInvoke.SE_SYNC_AGENT_NAME,
- PInvoke.SE_ENABLE_DELEGATION_NAME,
- PInvoke.SE_MANAGE_VOLUME_NAME,
- PInvoke.SE_IMPERSONATE_NAME,
- PInvoke.SE_CREATE_GLOBAL_NAME,
- PInvoke.SE_TRUSTED_CREDMAN_ACCESS_NAME,
- PInvoke.SE_RELABEL_NAME,
- PInvoke.SE_INCREASE_WORKING_SET_NAME,
- PInvoke.SE_TIME_ZONE_NAME,
- PInvoke.SE_CREATE_SYMBOLIC_LINK_NAME,
- PInvoke.SE_DELEGATE_SESSION_USER_IMPERSONATE_NAME
- };
-
- PInvoke.ConvertStringSidToSid("S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464", out IntPtr tiSid);
- PInvoke.ConvertStringSidToSid("S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736", out IntPtr defSid);
-
- PInvoke.SidIdentifierAuthority NtAuthority = new PInvoke.SidIdentifierAuthority();
- NtAuthority.Value = new byte[] { 0, 0, 0, 0, 0, PInvoke.NtSecurityAuthority };
-
- PInvoke.TOKEN_USER tokenUser = new PInvoke.TOKEN_USER();
-
- PInvoke.AllocateAndInitializeSid(ref NtAuthority, 1, 18, 0, 0, 0, 0, 0, 0, 0, out IntPtr pLocalSystem);
-
- tokenUser.User.Sid = pLocalSystem;
- tokenUser.User.Attributes = 0;
- tokenUser.User.Attributes = 0;
-
- var pTokenPrivileges = GetInfoFromToken(handle, PInvoke.TOKEN_INFORMATION_CLASS.TokenPrivileges);
- var pTokenGroups = GetInfoFromToken(handle, PInvoke.TOKEN_INFORMATION_CLASS.TokenGroups);
- var pTokenPrimaryGroup = GetInfoFromToken(handle, PInvoke.TOKEN_INFORMATION_CLASS.TokenPrimaryGroup);
- var pTokenDefaultDacl = GetInfoFromToken(handle, PInvoke.TOKEN_INFORMATION_CLASS.TokenDefaultDacl);
-
- if (primary || !PInvoke.CreateTokenPrivileges(
- privileges,
- out PInvoke.TOKEN_PRIVILEGES tokenPrivileges))
- {
- tokenPrivileges =
- (PInvoke.TOKEN_PRIVILEGES)Marshal.PtrToStructure(pTokenPrivileges, typeof(PInvoke.TOKEN_PRIVILEGES));
- }
-
- var tokenGroups = (PInvoke.TOKEN_GROUPS)Marshal.PtrToStructure(
- pTokenGroups,
- typeof(PInvoke.TOKEN_GROUPS));
- var tokenOwner = new PInvoke.TOKEN_OWNER(pLocalSystem);
- var tokenPrimaryGroup = (PInvoke.TOKEN_PRIMARY_GROUP)
- Marshal.PtrToStructure(
- pTokenPrimaryGroup,
- typeof(PInvoke.TOKEN_PRIMARY_GROUP));
- var tokenDefaultDacl = (PInvoke.TOKEN_DEFAULT_DACL)Marshal.PtrToStructure(
- pTokenDefaultDacl,
- typeof(PInvoke.TOKEN_DEFAULT_DACL));
- Console.WriteLine(tokenGroups.GroupCount + ":" + tokenGroups.Groups.Length);
- for (var idx = 0; idx < tokenGroups.GroupCount - 1; idx++)
- {
- PInvoke.ConvertSidToStringSid(
- tokenGroups.Groups[idx].Sid,
- out string strSid);
-
- if (string.Compare(strSid, PInvoke.DOMAIN_ALIAS_RID_ADMINS, StringComparison.OrdinalIgnoreCase) == 0)
- {
- tokenGroups.Groups[idx].Attributes = (uint)PInvoke.SE_GROUP_ATTRIBUTES.SE_GROUP_ENABLED | (uint)PInvoke.SE_GROUP_ATTRIBUTES.SE_GROUP_ENABLED_BY_DEFAULT;
- }
- else
- {
- tokenGroups.Groups[idx].Attributes &= ~(uint)PInvoke.SE_GROUP_ATTRIBUTES.SE_GROUP_OWNER;
- }
- }
-
- tokenGroups.Groups[tokenGroups.GroupCount].Sid = tiSid;
- tokenGroups.Groups[tokenGroups.GroupCount].Attributes = (uint)PInvoke.SE_GROUP_ATTRIBUTES.SE_GROUP_ENABLED | (uint)PInvoke.SE_GROUP_ATTRIBUTES.SE_GROUP_ENABLED_BY_DEFAULT;
- tokenGroups.GroupCount++;
-
- tokenGroups.Groups[tokenGroups.GroupCount].Sid = defSid;
- tokenGroups.Groups[tokenGroups.GroupCount].Attributes = (uint)PInvoke.SE_GROUP_ATTRIBUTES.SE_GROUP_ENABLED | (uint)PInvoke.SE_GROUP_ATTRIBUTES.SE_GROUP_ENABLED_BY_DEFAULT | (uint)PInvoke.SE_GROUP_ATTRIBUTES.SE_GROUP_OWNER;
- tokenGroups.GroupCount++;
-
- var authId = PInvoke.SYSTEM_LUID;
-
- var tokenSource = new PInvoke.TOKEN_SOURCE("*SYSTEM*") { SourceIdentifier = { LowPart = 0, HighPart = 0 } };
-
- var expirationTime = new PInvoke.LARGE_INTEGER(-1L);
- var sqos = new PInvoke.SECURITY_QUALITY_OF_SERVICE(primary ? PInvoke.SECURITY_IMPERSONATION_LEVEL.SecurityIdentification : PInvoke.SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
- PInvoke.SECURITY_STATIC_TRACKING,
- 0);
- var oa = new PInvoke.OBJECT_ATTRIBUTES(string.Empty, 0);
- IntPtr pSqos = Marshal.AllocHGlobal(Marshal.SizeOf(sqos));
- Marshal.StructureToPtr(sqos, pSqos, true);
- oa.SecurityQualityOfService = pSqos;
-
- var status = PInvoke.ZwCreateToken(
- out IntPtr elevatedToken,
- PInvoke.TokenAccessFlags.TOKEN_ALL_ACCESS,
- ref oa,
- primary ? PInvoke.TOKEN_TYPE.TokenPrimary : PInvoke.TOKEN_TYPE.TokenImpersonation,
- ref authId,
- ref expirationTime,
- ref tokenUser,
- ref tokenGroups,
- ref tokenPrivileges,
- ref tokenOwner,
- ref tokenPrimaryGroup,
- ref tokenDefaultDacl,
- ref tokenSource
- );
-
- PInvoke.LocalFree(pTokenGroups);
- PInvoke.LocalFree(pTokenDefaultDacl);
- PInvoke.LocalFree(pTokenPrivileges);
- PInvoke.LocalFree(pTokenPrimaryGroup);
-
- PInvoke.FreeSid(pLocalSystem);
- PInvoke.FreeSid(tiSid);
- PInvoke.FreeSid(defSid);
-
- return elevatedToken;
- }
-
- private static IntPtr GetInfoFromToken(IntPtr currentToken, PInvoke.TOKEN_INFORMATION_CLASS tic)
- {
- int length;
-
- PInvoke.GetTokenInformation(currentToken, tic, IntPtr.Zero, 0, out length);
-
- IntPtr info = Marshal.AllocHGlobal(length);
- PInvoke.GetTokenInformation(currentToken, tic, info, length, out length);
- return info;
- }
-
- private static void ImpersonateProcessByName(string name, ref IntPtr handle)
- {
- var processHandle = Process.GetProcessesByName(name).First().Handle;
-
- PInvoke.OpenProcessToken(processHandle,
- PInvoke.TokenAccessFlags.TOKEN_DUPLICATE | PInvoke.TokenAccessFlags.TOKEN_ASSIGN_PRIMARY |
- PInvoke.TokenAccessFlags.TOKEN_QUERY |
- PInvoke.TokenAccessFlags.TOKEN_IMPERSONATE, out IntPtr tokenHandle);
-
- PInvoke.DuplicateTokenEx(tokenHandle, PInvoke.TokenAccessFlags.TOKEN_ALL_ACCESS,
- IntPtr.Zero, PInvoke.SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
- PInvoke.TOKEN_TYPE.TokenImpersonation,
- out handle);
-
- PInvoke.ImpersonateLoggedOnUser(handle);
-
- PInvoke.CloseHandle(tokenHandle);
- PInvoke.CloseHandle(processHandle);
- }
-
- private static class PInvoke
- {
- [DllImport("kernel32.dll", SetLastError = true)]
- [return: MarshalAs(UnmanagedType.Bool)]
- internal static extern bool GetExitCodeProcess(IntPtr hProcess, out uint lpExitCode);
-
- [StructLayout(LayoutKind.Sequential)]
- internal struct PROCESS_INFORMATION
- {
- public IntPtr hProcess;
- public IntPtr hThread;
- public int dwProcessId;
- public int dwThreadId;
- }
-
- [DllImport("kernel32.dll", SetLastError = true)]
- internal static extern uint WaitForSingleObject(
- IntPtr hHandle,
- uint dwMilliseconds);
-
- [DllImport("advapi32", SetLastError = true, CharSet = CharSet.Auto)]
- internal static extern bool CreateProcessWithToken(
- IntPtr hToken,
- LogonFlags dwLogonFlags,
- string lpApplicationName,
- string lpCommandLine,
- ProcessCreationFlags dwCreationFlags,
- IntPtr lpEnvironment,
- string lpCurrentDirectory,
- ref STARTUPINFO lpStartupInfo,
- out PROCESS_INFORMATION lpProcessInformation);
- internal enum LogonFlags
- {
- WithProfile = 1,
- NetCredentialsOnly
- }
-
- [Flags]
- internal enum ProcessCreationFlags : uint
- {
- DEBUG_PROCESS = 0x00000001,
- DEBUG_ONLY_THIS_PROCESS = 0x00000002,
- CREATE_SUSPENDED = 0x00000004,
- DETACHED_PROCESS = 0x00000008,
- CREATE_NEW_CONSOLE = 0x00000010,
- CREATE_NEW_PROCESS_GROUP = 0x00000200,
- CREATE_UNICODE_ENVIRONMENT = 0x00000400,
- CREATE_SEPARATE_WOW_VDM = 0x00000800,
- CREATE_SHARED_WOW_VDM = 0x00001000,
- INHERIT_PARENT_AFFINITY = 0x00010000,
- CREATE_PROTECTED_PROCESS = 0x00040000,
- EXTENDED_STARTUPINFO_PRESENT = 0x00080000,
- CREATE_BREAKAWAY_FROM_JOB = 0x01000000,
- CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000,
- CREATE_DEFAULT_ERROR_MODE = 0x04000000,
- CREATE_NO_WINDOW = 0x08000000,
- }
- [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
- internal struct STARTUPINFO
- {
- public int cb;
- public string lpReserved;
- public string lpDesktop;
- public string lpTitle;
- public int dwX;
- public int dwY;
- public int dwXSize;
- public int dwYSize;
- public int dwXCountChars;
- public int dwYCountChars;
- public int dwFillAttribute;
- public int dwFlags;
- public short wShowWindow;
- public short cbReserved2;
- public IntPtr lpReserved2;
- public IntPtr hStdInput;
- public IntPtr hStdOutput;
- public IntPtr hStdError;
- }
-
-
- internal static bool CreateTokenPrivileges(
- string[] privs,
- out TOKEN_PRIVILEGES tokenPrivileges)
- {
- int error;
- int sizeOfStruct = Marshal.SizeOf(typeof(TOKEN_PRIVILEGES));
- IntPtr pPrivileges = Marshal.AllocHGlobal(sizeOfStruct);
-
- tokenPrivileges = (TOKEN_PRIVILEGES)Marshal.PtrToStructure(
- pPrivileges,
- typeof(TOKEN_PRIVILEGES));
- tokenPrivileges.PrivilegeCount = privs.Length;
-
- for (var idx = 0; idx < tokenPrivileges.PrivilegeCount; idx++)
- {
- if (!LookupPrivilegeValue(
- null,
- privs[idx],
- out LUID luid))
- {
- return false;
- }
-
- tokenPrivileges.Privileges[idx].Attributes = (uint)(
- SE_PRIVILEGE_ATTRIBUTES.SE_PRIVILEGE_ENABLED |
- SE_PRIVILEGE_ATTRIBUTES.SE_PRIVILEGE_ENABLED_BY_DEFAULT);
- tokenPrivileges.Privileges[idx].Luid = luid;
- }
-
- return true;
- }
-
- [DllImport("advapi32.dll", SetLastError = true)]
- static extern bool LookupPrivilegeValue(
- string lpSystemName,
- string lpName,
- out LUID lpLuid);
-
- [Flags]
- enum SE_PRIVILEGE_ATTRIBUTES : uint
- {
- SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001,
- SE_PRIVILEGE_ENABLED = 0x00000002,
- SE_PRIVILEGE_USED_FOR_ACCESS = 0x80000000,
- }
-
-
- [DllImport("kernel32.dll", SetLastError = true)]
- internal static extern bool CloseHandle(IntPtr hObject);
-
- [DllImport("kernel32.dll", SetLastError = true)]
- internal static extern IntPtr LocalFree(IntPtr hMem);
-
- [Flags]
- internal enum SE_GROUP_ATTRIBUTES : uint
- {
- SE_GROUP_MANDATORY = 0x00000001,
- SE_GROUP_ENABLED_BY_DEFAULT = 0x00000002,
- SE_GROUP_ENABLED = 0x00000004,
- SE_GROUP_OWNER = 0x00000008,
- SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010,
- SE_GROUP_INTEGRITY = 0x00000020,
- SE_GROUP_INTEGRITY_ENABLED = 0x00000040,
- SE_GROUP_RESOURCE = 0x20000000,
- SE_GROUP_LOGON_ID = 0xC0000000
- }
-
- [DllImport("advapi32", CharSet = CharSet.Auto, SetLastError = true)]
- internal static extern bool ConvertSidToStringSid(IntPtr pSid, out string strSid);
-
- // Windows Struct
- [StructLayout(LayoutKind.Explicit, Size = 8)]
- internal struct LARGE_INTEGER
- {
- [FieldOffset(0)]
- public int Low;
- [FieldOffset(4)]
- public int High;
- [FieldOffset(0)]
- public long QuadPart;
-
- public LARGE_INTEGER(int _low, int _high)
- {
- QuadPart = 0L;
- Low = _low;
- High = _high;
- }
-
- public LARGE_INTEGER(long _quad)
- {
- Low = 0;
- High = 0;
- QuadPart = _quad;
- }
-
- public long ToInt64()
- {
- return ((long)this.High << 32) | (uint)this.Low;
- }
-
- public static LARGE_INTEGER FromInt64(long value)
- {
- return new LARGE_INTEGER
- {
- Low = (int)(value),
- High = (int)((value >> 32))
- };
- }
- }
-
-
- [DllImport("ntdll.dll")]
- internal static extern int ZwCreateToken(
- out IntPtr TokenHandle,
- TokenAccessFlags DesiredAccess,
- ref OBJECT_ATTRIBUTES ObjectAttributes,
- TOKEN_TYPE TokenType,
- ref LUID AuthenticationId,
- ref LARGE_INTEGER ExpirationTime,
- ref TOKEN_USER TokenUser,
- ref TOKEN_GROUPS TokenGroups,
- ref TOKEN_PRIVILEGES TokenPrivileges,
- ref TOKEN_OWNER TokenOwner,
- ref TOKEN_PRIMARY_GROUP TokenPrimaryGroup,
- ref TOKEN_DEFAULT_DACL TokenDefaultDacl,
- ref TOKEN_SOURCE TokenSource);
-
- [StructLayout(LayoutKind.Sequential)]
- internal struct TOKEN_DEFAULT_DACL
- {
- internal IntPtr DefaultDacl; // PACL
- }
-
- [Flags]
- internal enum TokenAccessFlags : uint
- {
- TOKEN_ADJUST_DEFAULT = 0x0080,
- TOKEN_ADJUST_GROUPS = 0x0040,
- TOKEN_ADJUST_PRIVILEGES = 0x0020,
- TOKEN_ADJUST_SESSIONID = 0x0100,
- TOKEN_ASSIGN_PRIMARY = 0x0001,
- TOKEN_DUPLICATE = 0x0002,
- TOKEN_EXECUTE = 0x00020000,
- TOKEN_IMPERSONATE = 0x0004,
- TOKEN_QUERY = 0x0008,
- TOKEN_QUERY_SOURCE = 0x0010,
- TOKEN_READ = 0x00020008,
- TOKEN_WRITE = 0x000200E0,
- TOKEN_ALL_ACCESS = 0x000F01FF,
- MAXIMUM_ALLOWED = 0x02000000
- }
-
-
- [DllImport("advapi32.dll", SetLastError = true)]
- internal static extern bool ConvertStringSidToSid(
- string StringSid,
- out IntPtr ptrSid
- );
-
- [StructLayout(LayoutKind.Sequential, Pack = 4)]
- internal struct LUID_AND_ATTRIBUTES
- {
- internal LUID Luid;
- internal UInt32 Attributes;
- }
-
-
- [StructLayout(LayoutKind.Sequential)]
- internal struct TOKEN_PRIVILEGES
- {
- public int PrivilegeCount;
- [MarshalAs(UnmanagedType.ByValArray, SizeConst = 36)]
- public LUID_AND_ATTRIBUTES[] Privileges;
-
- public TOKEN_PRIVILEGES(int privilegeCount)
- {
- PrivilegeCount = privilegeCount;
- Privileges = new LUID_AND_ATTRIBUTES[36];
- }
- }
-
- [DllImport("advapi32.dll", SetLastError = true)]
- internal static extern bool OpenProcessToken(
- IntPtr hProcess,
- TokenAccessFlags DesiredAccess,
- out IntPtr hToken);
-
- internal enum SECURITY_IMPERSONATION_LEVEL
- {
- SecurityAnonymous,
- SecurityIdentification,
- SecurityImpersonation,
- SecurityDelegation
- }
-
- internal enum TOKEN_TYPE
- {
- TokenPrimary = 1,
- TokenImpersonation
- }
-
- [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
- internal static extern bool DuplicateTokenEx(
- IntPtr hExistingToken,
- TokenAccessFlags dwDesiredAccess,
- IntPtr lpTokenAttributes,
- SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
- TOKEN_TYPE TokenType,
- out IntPtr phNewToken);
-
- [DllImport("advapi32.dll", SetLastError = true)]
- internal static extern bool ImpersonateLoggedOnUser(IntPtr hToken);
-
- [DllImport("advapi32.dll", SetLastError = true)]
- internal static extern bool GetTokenInformation(
- IntPtr TokenHandle,
- TOKEN_INFORMATION_CLASS TokenInformationClass,
- IntPtr TokenInformation,
- int TokenInformationLength,
- out int ReturnLength);
-
- internal enum TOKEN_INFORMATION_CLASS
- {
- TokenUser = 1,
- TokenGroups,
- TokenPrivileges,
- TokenOwner,
- TokenPrimaryGroup,
- TokenDefaultDacl,
- TokenSource,
- TokenType,
- TokenImpersonationLevel,
- TokenStatistics,
- TokenRestrictedSids,
- TokenSessionId,
- TokenGroupsAndPrivileges,
- TokenSessionReference,
- TokenSandBoxInert,
- TokenAuditPolicy,
- TokenOrigin
- }
-
- [StructLayout(LayoutKind.Sequential)]
- internal struct UNICODE_STRING : IDisposable
- {
- internal ushort Length;
- internal ushort MaximumLength;
- private IntPtr buffer;
-
- internal UNICODE_STRING(string s)
- {
- Length = (ushort)(s.Length * 2);
- MaximumLength = (ushort)(Length + 2);
- buffer = Marshal.StringToHGlobalUni(s);
- }
-
- public void Dispose()
- {
- Marshal.FreeHGlobal(buffer);
- buffer = IntPtr.Zero;
- }
-
- public override string ToString()
- {
- return Marshal.PtrToStringUni(buffer);
- }
- }
-
- [StructLayout(LayoutKind.Sequential)]
- internal struct SECURITY_QUALITY_OF_SERVICE
- {
- public int Length;
- public SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
- public byte ContextTrackingMode;
- public byte EffectiveOnly;
-
- public SECURITY_QUALITY_OF_SERVICE(
- SECURITY_IMPERSONATION_LEVEL _impersonationLevel,
- byte _contextTrackingMode,
- byte _effectiveOnly)
- {
- Length = 0;
- ImpersonationLevel = _impersonationLevel;
- ContextTrackingMode = _contextTrackingMode;
- EffectiveOnly = _effectiveOnly;
-
- Length = Marshal.SizeOf(this);
- }
- }
-
- // Windows Consts
- internal const int STATUS_SUCCESS = 0;
- internal static readonly int STATUS_INFO_LENGTH_MISMATCH = Convert.ToInt32("0xC0000004", 16);
- internal const int ERROR_BAD_LENGTH = 0x00000018;
- internal const int ERROR_INSUFFICIENT_BUFFER = 0x0000007A;
- internal static readonly IntPtr INVALID_HANDLE_VALUE = new IntPtr(-1);
- internal const string DOMAIN_ALIAS_RID_ADMINS = "S-1-5-32-544";
-
- internal const string TRUSTED_INSTALLER_RID =
- "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464";
-
- internal const string UNTRUSTED_MANDATORY_LEVEL = "S-1-16-0";
- internal const string LOW_MANDATORY_LEVEL = "S-1-16-4096";
- internal const string MEDIUM_MANDATORY_LEVEL = "S-1-16-8192";
- internal const string MEDIUM_PLUS_MANDATORY_LEVEL = "S-1-16-8448";
- internal const string HIGH_MANDATORY_LEVEL = "S-1-16-12288";
- internal const string SYSTEM_MANDATORY_LEVEL = "S-1-16-16384";
- internal const string LOCAL_SYSTEM_RID = "S-1-5-18";
- internal const string SE_CREATE_TOKEN_NAME = "SeCreateTokenPrivilege";
- internal const string SE_ASSIGNPRIMARYTOKEN_NAME = "SeAssignPrimaryTokenPrivilege";
- internal const string SE_LOCK_MEMORY_NAME = "SeLockMemoryPrivilege";
- internal const string SE_INCREASE_QUOTA_NAME = "SeIncreaseQuotaPrivilege";
- internal const string SE_MACHINE_ACCOUNT_NAME = "SeMachineAccountPrivilege";
- internal const string SE_TCB_NAME = "SeTcbPrivilege";
- internal const string SE_SECURITY_NAME = "SeSecurityPrivilege";
- internal const string SE_TAKE_OWNERSHIP_NAME = "SeTakeOwnershipPrivilege";
- internal const string SE_LOAD_DRIVER_NAME = "SeLoadDriverPrivilege";
- internal const string SE_SYSTEM_PROFILE_NAME = "SeSystemProfilePrivilege";
- internal const string SE_SYSTEMTIME_NAME = "SeSystemtimePrivilege";
- internal const string SE_PROFILE_SINGLE_PROCESS_NAME = "SeProfileSingleProcessPrivilege";
- internal const string SE_INCREASE_BASE_PRIORITY_NAME = "SeIncreaseBasePriorityPrivilege";
- internal const string SE_CREATE_PAGEFILE_NAME = "SeCreatePagefilePrivilege";
- internal const string SE_CREATE_PERMANENT_NAME = "SeCreatePermanentPrivilege";
- internal const string SE_BACKUP_NAME = "SeBackupPrivilege";
- internal const string SE_RESTORE_NAME = "SeRestorePrivilege";
- internal const string SE_SHUTDOWN_NAME = "SeShutdownPrivilege";
- internal const string SE_DEBUG_NAME = "SeDebugPrivilege";
- internal const string SE_AUDIT_NAME = "SeAuditPrivilege";
- internal const string SE_SYSTEM_ENVIRONMENT_NAME = "SeSystemEnvironmentPrivilege";
- internal const string SE_CHANGE_NOTIFY_NAME = "SeChangeNotifyPrivilege";
- internal const string SE_REMOTE_SHUTDOWN_NAME = "SeRemoteShutdownPrivilege";
- internal const string SE_UNDOCK_NAME = "SeUndockPrivilege";
- internal const string SE_SYNC_AGENT_NAME = "SeSyncAgentPrivilege";
- internal const string SE_ENABLE_DELEGATION_NAME = "SeEnableDelegationPrivilege";
- internal const string SE_MANAGE_VOLUME_NAME = "SeManageVolumePrivilege";
- internal const string SE_IMPERSONATE_NAME = "SeImpersonatePrivilege";
- internal const string SE_CREATE_GLOBAL_NAME = "SeCreateGlobalPrivilege";
- internal const string SE_TRUSTED_CREDMAN_ACCESS_NAME = "SeTrustedCredManAccessPrivilege";
- internal const string SE_RELABEL_NAME = "SeRelabelPrivilege";
- internal const string SE_INCREASE_WORKING_SET_NAME = "SeIncreaseWorkingSetPrivilege";
- internal const string SE_TIME_ZONE_NAME = "SeTimeZonePrivilege";
- internal const string SE_CREATE_SYMBOLIC_LINK_NAME = "SeCreateSymbolicLinkPrivilege";
-
- internal const string SE_DELEGATE_SESSION_USER_IMPERSONATE_NAME =
- "SeDelegateSessionUserImpersonatePrivilege";
-
- internal const byte SECURITY_STATIC_TRACKING = 0;
- internal static readonly LUID ANONYMOUS_LOGON_LUID = new LUID(0x3e6, 0);
- internal static readonly LUID SYSTEM_LUID = new LUID(0x3e7, 0);
-
- [StructLayout(LayoutKind.Sequential)]
- internal struct LUID
- {
- public uint LowPart;
- public uint HighPart;
-
- public LUID(uint _lowPart, uint _highPart)
- {
- LowPart = _lowPart;
- HighPart = _highPart;
- }
- }
-
- [StructLayout(LayoutKind.Sequential)]
- internal struct OBJECT_ATTRIBUTES : IDisposable
- {
- internal int Length;
- internal IntPtr RootDirectory;
- private IntPtr objectName;
- internal uint Attributes;
- internal IntPtr SecurityDescriptor;
- internal IntPtr SecurityQualityOfService;
-
- internal OBJECT_ATTRIBUTES(string name, uint attrs)
- {
- Length = 0;
- RootDirectory = IntPtr.Zero;
- objectName = IntPtr.Zero;
- Attributes = attrs;
- SecurityDescriptor = IntPtr.Zero;
- SecurityQualityOfService = IntPtr.Zero;
-
- Length = Marshal.SizeOf(this);
- ObjectName = new UNICODE_STRING(name);
- }
-
- internal UNICODE_STRING ObjectName
- {
- get
- {
- return (UNICODE_STRING)Marshal.PtrToStructure(
- objectName, typeof(UNICODE_STRING));
- }
-
- set
- {
- bool fDeleteOld = objectName != IntPtr.Zero;
- if (!fDeleteOld)
- objectName = Marshal.AllocHGlobal(Marshal.SizeOf(value));
- Marshal.StructureToPtr(value, objectName, fDeleteOld);
- }
- }
-
- public void Dispose()
- {
- if (objectName != IntPtr.Zero)
- {
- Marshal.DestroyStructure(objectName, typeof(UNICODE_STRING));
- Marshal.FreeHGlobal(objectName);
- objectName = IntPtr.Zero;
- }
- }
- }
-
- [StructLayout(LayoutKind.Sequential)]
- internal struct TOKEN_GROUPS
- {
- public int GroupCount;
- [MarshalAs(UnmanagedType.ByValArray, SizeConst = 32)]
- public SID_AND_ATTRIBUTES[] Groups;
-
- public TOKEN_GROUPS(int privilegeCount)
- {
- GroupCount = privilegeCount;
- Groups = new SID_AND_ATTRIBUTES[32];
- }
- };
-
- [StructLayout(LayoutKind.Sequential)]
- internal struct SID_AND_ATTRIBUTES
- {
- internal IntPtr Sid;
- internal uint Attributes;
- }
- internal struct TOKEN_PRIMARY_GROUP
- {
- public IntPtr PrimaryGroup; // PSID
-
- public TOKEN_PRIMARY_GROUP(IntPtr _sid)
- {
- PrimaryGroup = _sid;
- }
- }
-
- [StructLayout(LayoutKind.Sequential)]
- internal struct TOKEN_SOURCE
- {
- public TOKEN_SOURCE(string name)
- {
- SourceName = new byte[8];
- Encoding.GetEncoding(1252).GetBytes(name, 0, name.Length, SourceName, 0);
- if (!AllocateLocallyUniqueId(out SourceIdentifier))
- throw new System.ComponentModel.Win32Exception();
- }
-
- [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
- public byte[] SourceName;
- public LUID SourceIdentifier;
- }
-
- [StructLayout(LayoutKind.Sequential)]
- internal struct TOKEN_USER
- {
- public SID_AND_ATTRIBUTES User;
-
- public TOKEN_USER(IntPtr _sid)
- {
- User = new SID_AND_ATTRIBUTES
- {
- Sid = _sid,
- Attributes = 0
- };
- }
- }
-
- [StructLayout(LayoutKind.Sequential)]
- internal struct TOKEN_OWNER
- {
- public IntPtr Owner; // PSID
-
- public TOKEN_OWNER(IntPtr _owner)
- {
- Owner = _owner;
- }
- }
-
- [DllImport("advapi32.dll", SetLastError = true)]
- internal static extern bool AllocateAndInitializeSid(
- ref SidIdentifierAuthority pIdentifierAuthority,
- byte nSubAuthorityCount,
- int dwSubAuthority0, int dwSubAuthority1,
- int dwSubAuthority2, int dwSubAuthority3,
- int dwSubAuthority4, int dwSubAuthority5,
- int dwSubAuthority6, int dwSubAuthority7,
- out IntPtr pSid);
-
- [StructLayout(LayoutKind.Sequential)]
- internal struct SidIdentifierAuthority
- {
- [MarshalAs(UnmanagedType.ByValArray, SizeConst = 6, ArraySubType = UnmanagedType.I1)]
- internal byte[] Value;
- }
-
- internal const int NtSecurityAuthority = 5;
- internal const int AuthenticatedUser = 11;
-
- [DllImport("advapi32.dll")]
- internal static extern bool AllocateLocallyUniqueId(out LUID allocated);
-
- [DllImport("advapi32.dll")]
- internal static extern IntPtr FreeSid(IntPtr pSid);
-
- internal enum NtStatus : uint
- {
- // Success
- Success = 0x00000000,
- Wait0 = 0x00000000,
- Wait1 = 0x00000001,
- Wait2 = 0x00000002,
- Wait3 = 0x00000003,
- Wait63 = 0x0000003f,
- Abandoned = 0x00000080,
- AbandonedWait0 = 0x00000080,
- AbandonedWait1 = 0x00000081,
- AbandonedWait2 = 0x00000082,
- AbandonedWait3 = 0x00000083,
- AbandonedWait63 = 0x000000bf,
- UserApc = 0x000000c0,
- KernelApc = 0x00000100,
- Alerted = 0x00000101,
- Timeout = 0x00000102,
- Pending = 0x00000103,
- Reparse = 0x00000104,
- MoreEntries = 0x00000105,
- NotAllAssigned = 0x00000106,
- SomeNotMapped = 0x00000107,
- OpLockBreakInProgress = 0x00000108,
- VolumeMounted = 0x00000109,
- RxActCommitted = 0x0000010a,
- NotifyCleanup = 0x0000010b,
- NotifyEnumDir = 0x0000010c,
- NoQuotasForAccount = 0x0000010d,
- PrimaryTransportConnectFailed = 0x0000010e,
- PageFaultTransition = 0x00000110,
- PageFaultDemandZero = 0x00000111,
- PageFaultCopyOnWrite = 0x00000112,
- PageFaultGuardPage = 0x00000113,
- PageFaultPagingFile = 0x00000114,
- CrashDump = 0x00000116,
- ReparseObject = 0x00000118,
- NothingToTerminate = 0x00000122,
- ProcessNotInJob = 0x00000123,
- ProcessInJob = 0x00000124,
- ProcessCloned = 0x00000129,
- FileLockedWithOnlyReaders = 0x0000012a,
- FileLockedWithWriters = 0x0000012b,
-
- // Informational
- Informational = 0x40000000,
- ObjectNameExists = 0x40000000,
- ThreadWasSuspended = 0x40000001,
- WorkingSetLimitRange = 0x40000002,
- ImageNotAtBase = 0x40000003,
- RegistryRecovered = 0x40000009,
-
- // Warning
- Warning = 0x80000000,
- GuardPageViolation = 0x80000001,
- DatatypeMisalignment = 0x80000002,
- Breakpoint = 0x80000003,
- SingleStep = 0x80000004,
- BufferOverflow = 0x80000005,
- NoMoreFiles = 0x80000006,
- HandlesClosed = 0x8000000a,
- PartialCopy = 0x8000000d,
- DeviceBusy = 0x80000011,
- InvalidEaName = 0x80000013,
- EaListInconsistent = 0x80000014,
- NoMoreEntries = 0x8000001a,
- LongJump = 0x80000026,
- DllMightBeInsecure = 0x8000002b,
-
- // Error
- Error = 0xc0000000,
- Unsuccessful = 0xc0000001,
- NotImplemented = 0xc0000002,
- InvalidInfoClass = 0xc0000003,
- InfoLengthMismatch = 0xc0000004,
- AccessViolation = 0xc0000005,
- InPageError = 0xc0000006,
- PagefileQuota = 0xc0000007,
- InvalidHandle = 0xc0000008,
- BadInitialStack = 0xc0000009,
- BadInitialPc = 0xc000000a,
- InvalidCid = 0xc000000b,
- TimerNotCanceled = 0xc000000c,
- InvalidParameter = 0xc000000d,
- NoSuchDevice = 0xc000000e,
- NoSuchFile = 0xc000000f,
- InvalidDeviceRequest = 0xc0000010,
- EndOfFile = 0xc0000011,
- WrongVolume = 0xc0000012,
- NoMediaInDevice = 0xc0000013,
- NoMemory = 0xc0000017,
- NotMappedView = 0xc0000019,
- UnableToFreeVm = 0xc000001a,
- UnableToDeleteSection = 0xc000001b,
- IllegalInstruction = 0xc000001d,
- AlreadyCommitted = 0xc0000021,
- AccessDenied = 0xc0000022,
- BufferTooSmall = 0xc0000023,
- ObjectTypeMismatch = 0xc0000024,
- NonContinuableException = 0xc0000025,
- BadStack = 0xc0000028,
- NotLocked = 0xc000002a,
- NotCommitted = 0xc000002d,
- InvalidParameterMix = 0xc0000030,
- ObjectNameInvalid = 0xc0000033,
- ObjectNameNotFound = 0xc0000034,
- ObjectNameCollision = 0xc0000035,
- ObjectPathInvalid = 0xc0000039,
- ObjectPathNotFound = 0xc000003a,
- ObjectPathSyntaxBad = 0xc000003b,
- DataOverrun = 0xc000003c,
- DataLate = 0xc000003d,
- DataError = 0xc000003e,
- CrcError = 0xc000003f,
- SectionTooBig = 0xc0000040,
- PortConnectionRefused = 0xc0000041,
- InvalidPortHandle = 0xc0000042,
- SharingViolation = 0xc0000043,
- QuotaExceeded = 0xc0000044,
- InvalidPageProtection = 0xc0000045,
- MutantNotOwned = 0xc0000046,
- SemaphoreLimitExceeded = 0xc0000047,
- PortAlreadySet = 0xc0000048,
- SectionNotImage = 0xc0000049,
- SuspendCountExceeded = 0xc000004a,
- ThreadIsTerminating = 0xc000004b,
- BadWorkingSetLimit = 0xc000004c,
- IncompatibleFileMap = 0xc000004d,
- SectionProtection = 0xc000004e,
- EasNotSupported = 0xc000004f,
- EaTooLarge = 0xc0000050,
- NonExistentEaEntry = 0xc0000051,
- NoEasOnFile = 0xc0000052,
- EaCorruptError = 0xc0000053,
- FileLockConflict = 0xc0000054,
- LockNotGranted = 0xc0000055,
- DeletePending = 0xc0000056,
- CtlFileNotSupported = 0xc0000057,
- UnknownRevision = 0xc0000058,
- RevisionMismatch = 0xc0000059,
- InvalidOwner = 0xc000005a,
- InvalidPrimaryGroup = 0xc000005b,
- NoImpersonationToken = 0xc000005c,
- CantDisableMandatory = 0xc000005d,
- NoLogonServers = 0xc000005e,
- NoSuchLogonSession = 0xc000005f,
- NoSuchPrivilege = 0xc0000060,
- PrivilegeNotHeld = 0xc0000061,
- InvalidAccountName = 0xc0000062,
- UserExists = 0xc0000063,
- NoSuchUser = 0xc0000064,
- GroupExists = 0xc0000065,
- NoSuchGroup = 0xc0000066,
- MemberInGroup = 0xc0000067,
- MemberNotInGroup = 0xc0000068,
- LastAdmin = 0xc0000069,
- WrongPassword = 0xc000006a,
- IllFormedPassword = 0xc000006b,
- PasswordRestriction = 0xc000006c,
- LogonFailure = 0xc000006d,
- AccountRestriction = 0xc000006e,
- InvalidLogonHours = 0xc000006f,
- InvalidWorkstation = 0xc0000070,
- PasswordExpired = 0xc0000071,
- AccountDisabled = 0xc0000072,
- NoneMapped = 0xc0000073,
- TooManyLuidsRequested = 0xc0000074,
- LuidsExhausted = 0xc0000075,
- InvalidSubAuthority = 0xc0000076,
- InvalidAcl = 0xc0000077,
- InvalidSid = 0xc0000078,
- InvalidSecurityDescr = 0xc0000079,
- ProcedureNotFound = 0xc000007a,
- InvalidImageFormat = 0xc000007b,
- NoToken = 0xc000007c,
- BadInheritanceAcl = 0xc000007d,
- RangeNotLocked = 0xc000007e,
- DiskFull = 0xc000007f,
- ServerDisabled = 0xc0000080,
- ServerNotDisabled = 0xc0000081,
- TooManyGuidsRequested = 0xc0000082,
- GuidsExhausted = 0xc0000083,
- InvalidIdAuthority = 0xc0000084,
- AgentsExhausted = 0xc0000085,
- InvalidVolumeLabel = 0xc0000086,
- SectionNotExtended = 0xc0000087,
- NotMappedData = 0xc0000088,
- ResourceDataNotFound = 0xc0000089,
- ResourceTypeNotFound = 0xc000008a,
- ResourceNameNotFound = 0xc000008b,
- ArrayBoundsExceeded = 0xc000008c,
- FloatDenormalOperand = 0xc000008d,
- FloatDivideByZero = 0xc000008e,
- FloatInexactResult = 0xc000008f,
- FloatInvalidOperation = 0xc0000090,
- FloatOverflow = 0xc0000091,
- FloatStackCheck = 0xc0000092,
- FloatUnderflow = 0xc0000093,
- IntegerDivideByZero = 0xc0000094,
- IntegerOverflow = 0xc0000095,
- PrivilegedInstruction = 0xc0000096,
- TooManyPagingFiles = 0xc0000097,
- FileInvalid = 0xc0000098,
- InstanceNotAvailable = 0xc00000ab,
- PipeNotAvailable = 0xc00000ac,
- InvalidPipeState = 0xc00000ad,
- PipeBusy = 0xc00000ae,
- IllegalFunction = 0xc00000af,
- PipeDisconnected = 0xc00000b0,
- PipeClosing = 0xc00000b1,
- PipeConnected = 0xc00000b2,
- PipeListening = 0xc00000b3,
- InvalidReadMode = 0xc00000b4,
- IoTimeout = 0xc00000b5,
- FileForcedClosed = 0xc00000b6,
- ProfilingNotStarted = 0xc00000b7,
- ProfilingNotStopped = 0xc00000b8,
- NotSameDevice = 0xc00000d4,
- FileRenamed = 0xc00000d5,
- CantWait = 0xc00000d8,
- PipeEmpty = 0xc00000d9,
- CantTerminateSelf = 0xc00000db,
- InternalError = 0xc00000e5,
- InvalidParameter1 = 0xc00000ef,
- InvalidParameter2 = 0xc00000f0,
- InvalidParameter3 = 0xc00000f1,
- InvalidParameter4 = 0xc00000f2,
- InvalidParameter5 = 0xc00000f3,
- InvalidParameter6 = 0xc00000f4,
- InvalidParameter7 = 0xc00000f5,
- InvalidParameter8 = 0xc00000f6,
- InvalidParameter9 = 0xc00000f7,
- InvalidParameter10 = 0xc00000f8,
- InvalidParameter11 = 0xc00000f9,
- InvalidParameter12 = 0xc00000fa,
- MappedFileSizeZero = 0xc000011e,
- TooManyOpenedFiles = 0xc000011f,
- Cancelled = 0xc0000120,
- CannotDelete = 0xc0000121,
- InvalidComputerName = 0xc0000122,
- FileDeleted = 0xc0000123,
- SpecialAccount = 0xc0000124,
- SpecialGroup = 0xc0000125,
- SpecialUser = 0xc0000126,
- MembersPrimaryGroup = 0xc0000127,
- FileClosed = 0xc0000128,
- TooManyThreads = 0xc0000129,
- ThreadNotInProcess = 0xc000012a,
- TokenAlreadyInUse = 0xc000012b,
- PagefileQuotaExceeded = 0xc000012c,
- CommitmentLimit = 0xc000012d,
- InvalidImageLeFormat = 0xc000012e,
- InvalidImageNotMz = 0xc000012f,
- InvalidImageProtect = 0xc0000130,
- InvalidImageWin16 = 0xc0000131,
- LogonServer = 0xc0000132,
- DifferenceAtDc = 0xc0000133,
- SynchronizationRequired = 0xc0000134,
- DllNotFound = 0xc0000135,
- IoPrivilegeFailed = 0xc0000137,
- OrdinalNotFound = 0xc0000138,
- EntryPointNotFound = 0xc0000139,
- ControlCExit = 0xc000013a,
- PortNotSet = 0xc0000353,
- DebuggerInactive = 0xc0000354,
- CallbackBypass = 0xc0000503,
- PortClosed = 0xc0000700,
- MessageLost = 0xc0000701,
- InvalidMessage = 0xc0000702,
- RequestCanceled = 0xc0000703,
- RecursiveDispatch = 0xc0000704,
- LpcReceiveBufferExpected = 0xc0000705,
- LpcInvalidConnectionUsage = 0xc0000706,
- LpcRequestsNotAllowed = 0xc0000707,
- ResourceInUse = 0xc0000708,
- ProcessIsProtected = 0xc0000712,
- VolumeDirty = 0xc0000806,
- FileCheckedOut = 0xc0000901,
- CheckOutRequired = 0xc0000902,
- BadFileType = 0xc0000903,
- FileTooLarge = 0xc0000904,
- FormsAuthRequired = 0xc0000905,
- VirusInfected = 0xc0000906,
- VirusDeleted = 0xc0000907,
- TransactionalConflict = 0xc0190001,
- InvalidTransaction = 0xc0190002,
- TransactionNotActive = 0xc0190003,
- TmInitializationFailed = 0xc0190004,
- RmNotActive = 0xc0190005,
- RmMetadataCorrupt = 0xc0190006,
- TransactionNotJoined = 0xc0190007,
- DirectoryNotRm = 0xc0190008,
- CouldNotResizeLog = 0xc0190009,
- TransactionsUnsupportedRemote = 0xc019000a,
- LogResizeInvalidSize = 0xc019000b,
- RemoteFileVersionMismatch = 0xc019000c,
- CrmProtocolAlreadyExists = 0xc019000f,
- TransactionPropagationFailed = 0xc0190010,
- CrmProtocolNotFound = 0xc0190011,
- TransactionSuperiorExists = 0xc0190012,
- TransactionRequestNotValid = 0xc0190013,
- TransactionNotRequested = 0xc0190014,
- TransactionAlreadyAborted = 0xc0190015,
- TransactionAlreadyCommitted = 0xc0190016,
- TransactionInvalidMarshallBuffer = 0xc0190017,
- CurrentTransactionNotValid = 0xc0190018,
- LogGrowthFailed = 0xc0190019,
- ObjectNoLongerExists = 0xc0190021,
- StreamMiniversionNotFound = 0xc0190022,
- StreamMiniversionNotValid = 0xc0190023,
- MiniversionInaccessibleFromSpecifiedTransaction = 0xc0190024,
- CantOpenMiniversionWithModifyIntent = 0xc0190025,
- CantCreateMoreStreamMiniversions = 0xc0190026,
- HandleNoLongerValid = 0xc0190028,
- NoTxfMetadata = 0xc0190029,
- LogCorruptionDetected = 0xc0190030,
- CantRecoverWithHandleOpen = 0xc0190031,
- RmDisconnected = 0xc0190032,
- EnlistmentNotSuperior = 0xc0190033,
- RecoveryNotNeeded = 0xc0190034,
- RmAlreadyStarted = 0xc0190035,
- FileIdentityNotPersistent = 0xc0190036,
- CantBreakTransactionalDependency = 0xc0190037,
- CantCrossRmBoundary = 0xc0190038,
- TxfDirNotEmpty = 0xc0190039,
- IndoubtTransactionsExist = 0xc019003a,
- TmVolatile = 0xc019003b,
- RollbackTimerExpired = 0xc019003c,
- TxfAttributeCorrupt = 0xc019003d,
- EfsNotAllowedInTransaction = 0xc019003e,
- TransactionalOpenNotAllowed = 0xc019003f,
- TransactedMappingUnsupportedRemote = 0xc0190040,
- TxfMetadataAlreadyPresent = 0xc0190041,
- TransactionScopeCallbacksNotSet = 0xc0190042,
- TransactionRequiredPromotion = 0xc0190043,
- CannotExecuteFileInTransaction = 0xc0190044,
- TransactionsNotFrozen = 0xc0190045,
-
- MaximumNtStatus = 0xffffffff
- }
- }
- }
- }
-
|