Styris
/
trusted-uninstaller-cli

﻿using System;using System.Collections.Generic;using System.ComponentModel;using System.Diagnostics;using System.Linq;using System.Runtime.ConstrainedExecution;using System.Runtime.InteropServices;using System.Runtime.Versioning;using System.Security;using System.Security.Permissions;using System.Text;using Microsoft.Win32.SafeHandles;using TrustedUninstaller.Shared;using TrustedUninstaller.Shared.Actions;using TrustedUninstaller.Shared.Tasks;
namespace TrustedUninstaller.Shared{    public static class Win32    {        public static class Service        {            [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Auto)]            public static extern IntPtr CreateService(                IntPtr hSCManager,                string lpServiceName,                string lpDisplayName,                uint dwDesiredAccess,                uint dwServiceType,                uint dwStartType,                uint dwErrorControl,                string lpBinaryPathName,                [Optional] string lpLoadOrderGroup,                [Optional] string lpdwTagId,    // only string so we can pass null
                [Optional] string lpDependencies,                [Optional] string lpServiceStartName,                [Optional] string lpPassword);                        [DllImport("advapi32.dll", SetLastError = true)]            [return: MarshalAs(UnmanagedType.Bool)]            public static extern bool DeleteService(IntPtr hService);
            [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]            public static extern IntPtr OpenService(IntPtr hSCManager, string lpServiceName, SERVICE_ACCESS dwDesiredAccess);
            [DllImport("advapi32.dll", EntryPoint = "OpenSCManagerW", ExactSpelling = true, CharSet = CharSet.Unicode, SetLastError = true)]            public static extern IntPtr OpenSCManager(string machineName, string databaseName, SCM_ACCESS dwDesiredAccess);                        [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]            public static extern bool QueryServiceStatusEx(IntPtr Service, int InfoLevel,                ref SERVICE_STATUS_PROCESS ServiceStatus, int BufSize, out int BytesNeeded);
            [DllImport("advapi32.dll", SetLastError = true)]            [return: MarshalAs(UnmanagedType.Bool)]            public static extern bool CloseServiceHandle(IntPtr hSCObject);                        [DllImport("Advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]            public static extern bool EnumServicesStatusEx(                IntPtr hSCManager,                uint InfoLevel,                SERVICE_TYPE dwServiceType,                uint dwServiceState,                IntPtr lpServices,                int cbBufSize,                out int pcbBytesNeeded,                out int lpServicesReturned,                ref int lpResumeHandle,                string pszGroupName            );                        public struct ENUM_SERVICE_STATUS_PROCESS {                [MarshalAs(UnmanagedType.LPWStr)]                public string lpServiceName;                [MarshalAs(UnmanagedType.LPWStr)]                public string lpDisplayName;                public SERVICE_STATUS_PROCESS ServiceStatusProcess;            }                        [StructLayout(LayoutKind.Sequential)]            public struct SERVICE_STATUS_PROCESS            {                public SERVICE_TYPE ServiceType;                public SERVICE_STATE CurrentState;                public SERVICE_ACCEPT ControlsAccepted;                public int Win32ExitCode;                public int ServiceSpecificExitCode;                public int CheckPoint;                public int WaitHint;                public int ProcessID;                public SERVICE_FLAGS ServiceFlags;            }                        public enum SERVICE_STATE : int            {                ContinuePending = 0x5,                PausePending = 0x6,                Paused = 0x7,                Running = 0x4,                StartPending = 0x2,                StopPending = 0x3,                Stopped = 0x1            }                        public enum SERVICE_ACCEPT : int            {                NetBindChange = 0x10,                ParamChange = 0x8,                PauseContinue = 0x2,                PreShutdown = 0x100,                Shutdown = 0x4,                Stop = 0x1,                HardwareProfileChange = 0x20,                PowerEvent = 0x40,                SessionChange = 0x80            }                        public enum SERVICE_FLAGS : int            {                None = 0,                RunsInSystemProcess = 0x1            }                        /// <summary>
            /// Service types.
            /// </summary>
            [Flags]            public enum SERVICE_TYPE : uint            {                /// <summary>
                /// Driver service.
                /// </summary>
                SERVICE_KERNEL_DRIVER = 0x00000001,                /// <summary>
                /// File system driver service.
                /// </summary>
                SERVICE_FILE_SYSTEM_DRIVER = 0x00000002,                /// <summary>
                /// Service that runs in its own process.
                /// </summary>
                SERVICE_WIN32_OWN_PROCESS = 0x00000010,                /// <summary>
                /// Service that shares a process with one or more other services.
                /// </summary>
                SERVICE_WIN32_SHARE_PROCESS = 0x00000020,                /// <summary>
                /// The service can interact with the desktop.
                /// </summary>
                SERVICE_INTERACTIVE_PROCESS = 0x00000100,            }
            /// <summary>
            /// Service start options
            /// </summary>
            public enum SERVICE_START : uint            {                /// <summary>
                /// A device driver started by the system loader. This value is valid
                /// only for driver services.
                /// </summary>
                SERVICE_BOOT_START = 0x00000000,                /// <summary>
                /// A device driver started by the IoInitSystem function. This value
                /// is valid only for driver services.
                /// </summary>
                SERVICE_SYSTEM_START = 0x00000001,                /// <summary>
                /// A service started automatically by the service control manager
                /// during system startup. For more information, see Automatically
                /// Starting Services.
                /// </summary>        
                SERVICE_AUTO_START = 0x00000002,                /// <summary>
                /// A service started by the service control manager when a process
                /// calls the StartService function. For more information, see
                /// Starting Services on Demand.
                /// </summary>
                SERVICE_DEMAND_START = 0x00000003,                /// <summary>
                /// A service that cannot be started. Attempts to start the service
                /// result in the error code ERROR_SERVICE_DISABLED.
                /// </summary>
                SERVICE_DISABLED = 0x00000004,            }
            /// <summary>
            /// Severity of the error, and action taken, if this service fails
            /// to start.
            /// </summary>
            public enum SERVICE_ERROR            {                /// <summary>
                /// The startup program ignores the error and continues the startup
                /// operation.
                /// </summary>
                SERVICE_ERROR_IGNORE = 0x00000000,                /// <summary>
                /// The startup program logs the error in the event log but continues
                /// the startup operation.
                /// </summary>
                SERVICE_ERROR_NORMAL = 0x00000001,                /// <summary>
                /// The startup program logs the error in the event log. If the
                /// last-known-good configuration is being started, the startup
                /// operation continues. Otherwise, the system is restarted with
                /// the last-known-good configuration.
                /// </summary>
                SERVICE_ERROR_SEVERE = 0x00000002,                /// <summary>
                /// The startup program logs the error in the event log, if possible.
                /// If the last-known-good configuration is being started, the startup
                /// operation fails. Otherwise, the system is restarted with the
                /// last-known good configuration.
                /// </summary>
                SERVICE_ERROR_CRITICAL = 0x00000003,            }
            [Flags]            public enum SERVICE_ACCESS : uint            {                STANDARD_RIGHTS_REQUIRED = 0xF0000,                SERVICE_QUERY_CONFIG = 0x00001,                SERVICE_CHANGE_CONFIG = 0x00002,                SERVICE_QUERY_STATUS = 0x00004,                SERVICE_ENUMERATE_DEPENDENTS = 0x00008,                SERVICE_START = 0x00010,                SERVICE_STOP = 0x00020,                SERVICE_PAUSE_CONTINUE = 0x00040,                SERVICE_INTERROGATE = 0x00080,                SERVICE_USER_DEFINED_CONTROL = 0x00100,                SERVICE_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED | SERVICE_QUERY_CONFIG | SERVICE_CHANGE_CONFIG | SERVICE_QUERY_STATUS | SERVICE_ENUMERATE_DEPENDENTS | SERVICE_START | SERVICE_STOP |                    SERVICE_PAUSE_CONTINUE | SERVICE_INTERROGATE | SERVICE_USER_DEFINED_CONTROL)            }
            [Flags]            public enum SCM_ACCESS : uint            {                STANDARD_RIGHTS_REQUIRED = 0xF0000,                SC_MANAGER_CONNECT = 0x00001,                SC_MANAGER_CREATE_SERVICE = 0x00002,                SC_MANAGER_ENUMERATE_SERVICE = 0x00004,                SC_MANAGER_LOCK = 0x00008,                SC_MANAGER_QUERY_LOCK_STATUS = 0x00010,                SC_MANAGER_MODIFY_BOOT_CONFIG = 0x00020,                SC_MANAGER_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | SC_MANAGER_CONNECT | SC_MANAGER_CREATE_SERVICE | SC_MANAGER_ENUMERATE_SERVICE | SC_MANAGER_LOCK | SC_MANAGER_QUERY_LOCK_STATUS |                    SC_MANAGER_MODIFY_BOOT_CONFIG            }        }        public static class ServiceEx {            public static bool IsPendingDeleteOrDeleted(string serviceName)            {                var manager = Service.OpenSCManager(null, null, Service.SCM_ACCESS.SC_MANAGER_ALL_ACCESS);                if (manager == IntPtr.Zero)                    return new RegistryValueAction() { KeyName = @"HKLM\SYSTEM\CurrentControlSet\Services\" + serviceName, Value = "DeleteFlag", Type = RegistryValueType.REG_DWORD, Data = 1 }.GetStatus() == UninstallTaskStatus.Completed ||                         new RegistryKeyAction() { KeyName = @"HKLM\SYSTEM\CurrentControlSet\Services\" + serviceName, Operation = RegistryKeyOperation.Delete }.GetStatus() == UninstallTaskStatus.Completed;
                var handle = Service.CreateService(manager, serviceName, "AME Deletion Check",                    (uint)Service.SERVICE_ACCESS.SERVICE_ALL_ACCESS,                    (uint)Service.SERVICE_TYPE.SERVICE_WIN32_OWN_PROCESS, (uint)Service.SERVICE_START.SERVICE_DISABLED,                    (uint)Service.SERVICE_ERROR.SERVICE_ERROR_IGNORE, @"ame-deletion-check");                if (handle == IntPtr.Zero)                {                    if (Marshal.GetLastWin32Error() == 0x00000430)                    {                        return true;                    }                    return new RegistryValueAction() { KeyName = @"HKLM\SYSTEM\CurrentControlSet\Services\" + serviceName, Value = "DeleteFlag", Type = RegistryValueType.REG_DWORD, Data = 1 }.GetStatus() == UninstallTaskStatus.Completed ||                         new RegistryKeyAction() { KeyName = @"HKLM\SYSTEM\CurrentControlSet\Services\" + serviceName, Operation = RegistryKeyOperation.Delete }.GetStatus() == UninstallTaskStatus.Completed;                }                Service.DeleteService(handle);                Service.CloseServiceHandle(handle);                Service.CloseServiceHandle(manager);                return true;            }            public static bool IsPendingStopOrStopped(string serviceName, out bool pending)            {                pending = false;                var manager = Service.OpenSCManager(null, null, Service.SCM_ACCESS.SC_MANAGER_ENUMERATE_SERVICE);                if (manager == IntPtr.Zero)                    return false;
                var handle = Service.OpenService(manager, serviceName,                     Service.SERVICE_ACCESS.SERVICE_QUERY_STATUS);
                if (handle == IntPtr.Zero)                    return true;                                Service.SERVICE_STATUS_PROCESS status = new Service.SERVICE_STATUS_PROCESS();                                if (!Service.QueryServiceStatusEx(handle, 0, ref status, Marshal.SizeOf(status), out int retLen))                {                    Service.CloseServiceHandle(handle);                    Service.CloseServiceHandle(manager);                    return false;                }
                Service.CloseServiceHandle(handle);                Service.CloseServiceHandle(manager);
                pending = status.CurrentState == Service.SERVICE_STATE.StopPending;                return pending || status.CurrentState == Service.SERVICE_STATE.Stopped;            }
            public static int GetServiceProcessId(string serviceName)            {                var manager = Service.OpenSCManager(null, null, Service.SCM_ACCESS.SC_MANAGER_ENUMERATE_SERVICE);                if (manager == IntPtr.Zero)                    throw new Exception("Error opening service manager.");
                var handle = Service.OpenService(manager, serviceName,                     Service.SERVICE_ACCESS.SERVICE_QUERY_STATUS);                                Service.SERVICE_STATUS_PROCESS status = new Service.SERVICE_STATUS_PROCESS();                                if (!Service.QueryServiceStatusEx(handle, 0, ref status, Marshal.SizeOf(status), out int retLen))                {                    Service.CloseServiceHandle(handle);                    Service.CloseServiceHandle(manager);                    throw new Exception("Error querying service ProcessId: " + Marshal.GetLastWin32Error());                }                Service.CloseServiceHandle(handle);                Service.CloseServiceHandle(manager);                                return status.ProcessID == 0 ? -1 : status.ProcessID;            }            public static IEnumerable<string> GetServicesFromProcessId(int processId)            {                return GetServices(Service.SERVICE_TYPE.SERVICE_WIN32_OWN_PROCESS |                                   Service.SERVICE_TYPE.SERVICE_WIN32_SHARE_PROCESS).Where(x => x.ServiceStatusProcess.ProcessID == processId).Select(x => x.lpServiceName);            }            private static Service.ENUM_SERVICE_STATUS_PROCESS[] GetServices(Service.SERVICE_TYPE serviceTypes)            {                IntPtr handle = Service.OpenSCManager(null, null, Service.SCM_ACCESS.SC_MANAGER_ENUMERATE_SERVICE);                if (handle == IntPtr.Zero)                    throw new Exception("Could not open service manager.");                                int iBytesNeeded = 0;                int iServicesReturned = 0;                int iResumeHandle = 0;
                Service.EnumServicesStatusEx(handle,                    0,                    Service.SERVICE_TYPE.SERVICE_WIN32_OWN_PROCESS | Service.SERVICE_TYPE.SERVICE_WIN32_SHARE_PROCESS,                    1,                    IntPtr.Zero,                    0,                    out iBytesNeeded,                    out iServicesReturned,                    ref iResumeHandle,                    null);
                IntPtr buffer = Marshal.AllocHGlobal((int)iBytesNeeded);
                Service.EnumServicesStatusEx(handle,                    0,                    Service.SERVICE_TYPE.SERVICE_WIN32_OWN_PROCESS | Service.SERVICE_TYPE.SERVICE_WIN32_SHARE_PROCESS,                    1,                    buffer,                    iBytesNeeded,                    out iBytesNeeded,                    out iServicesReturned,                    ref iResumeHandle,                    null);
                var services = new Service.ENUM_SERVICE_STATUS_PROCESS[iServicesReturned];                var serviceSize = Marshal.SizeOf(typeof(Service.ENUM_SERVICE_STATUS_PROCESS));                for (int i = 0; i < iServicesReturned; i++)                {                    var servicePtr = new IntPtr(buffer.ToInt64() + i * serviceSize);                    services[i] = Marshal.PtrToStructure<Service.ENUM_SERVICE_STATUS_PROCESS>(servicePtr);                }                                Marshal.FreeHGlobal(buffer);
                return services;            }        }                public static class Tokens        {            [DllImport("advapi32.dll", SetLastError = true)]            public static extern bool OpenProcessToken(IntPtr hProcess, TokenAccessFlags DesiredAccess,                out TokensEx.SafeTokenHandle hToken);
            [DllImport("advapi32.dll", SetLastError = true)]            public static extern bool GetTokenInformation(TokensEx.SafeTokenHandle TokenHandle,                TOKEN_INFORMATION_CLASS TokenInformationClass, IntPtr TokenInformation, int TokenInformationLength,                out int ReturnLength);                        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]            [return: MarshalAs(UnmanagedType.Bool)]            public static extern bool SetTokenInformation(                TokensEx.SafeTokenHandle hToken,                TOKEN_INFORMATION_CLASS tokenInfoClass,                IntPtr pTokenInfo,                int tokenInfoLength);                        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]            [return: MarshalAs(UnmanagedType.Bool)]            public static extern bool SetTokenInformation(                TokensEx.SafeTokenHandle hToken,                TOKEN_INFORMATION_CLASS tokenInfoClass,                ref uint pTokenInfo,                int tokenInfoLength);
            [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]            public static extern bool DuplicateTokenEx(TokensEx.SafeTokenHandle hExistingToken, TokenAccessFlags dwDesiredAccess,                IntPtr lpTokenAttributes, SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, TOKEN_TYPE TokenType,                out TokensEx.SafeTokenHandle phNewToken);
            [DllImport("advapi32.dll", SetLastError = true)]            public static extern bool ImpersonateLoggedOnUser(TokensEx.SafeTokenHandle hToken);
            [DllImport("advapi32.dll", SetLastError = true)]            public static extern bool LookupPrivilegeValue(IntPtr lpSystemName, string lpName, out LUID lpLuid);                        [DllImport("ntdll.dll", SetLastError = true)]            public static extern IntPtr RtlAdjustPrivilege(LUID privilege, bool bEnablePrivilege, bool isThreadPrivilege,                out bool previousValue);
            [DllImport("ntdll.dll")]            public static extern int ZwCreateToken(out TokensEx.SafeTokenHandle TokenHandle, TokenAccessFlags DesiredAccess,                ref OBJECT_ATTRIBUTES ObjectAttributes, TOKEN_TYPE TokenType, ref LUID AuthenticationId,                ref LARGE_INTEGER ExpirationTime, ref TOKEN_USER TokenUser, ref TOKEN_GROUPS TokenGroups,                ref TOKEN_PRIVILEGES TokenPrivileges, ref TOKEN_OWNER TokenOwner,                ref TOKEN_PRIMARY_GROUP TokenPrimaryGroup, ref TOKEN_DEFAULT_DACL TokenDefaultDacl,                ref TOKEN_SOURCE TokenSource);
            [StructLayout(LayoutKind.Sequential)]            public struct OBJECT_ATTRIBUTES : IDisposable            {                public int Length;                public IntPtr RootDirectory;                private IntPtr objectName;                public uint Attributes;                public IntPtr SecurityDescriptor;                public IntPtr SecurityQualityOfService;
                public OBJECT_ATTRIBUTES(string name, uint attrs)                {                    Length = 0;                    RootDirectory = IntPtr.Zero;                    objectName = IntPtr.Zero;                    Attributes = attrs;                    SecurityDescriptor = IntPtr.Zero;                    SecurityQualityOfService = IntPtr.Zero;                    Length = Marshal.SizeOf(this);                    ObjectName = new UNICODE_STRING(name);                }
                public UNICODE_STRING ObjectName                {                    get => (UNICODE_STRING)Marshal.PtrToStructure(objectName, typeof(UNICODE_STRING));                    set                    {                        var fDeleteOld = objectName != IntPtr.Zero;                        if (!fDeleteOld) objectName = Marshal.AllocHGlobal(Marshal.SizeOf(value));                        Marshal.StructureToPtr(value, objectName, fDeleteOld);                    }                }
                public void Dispose()                {                    if (objectName != IntPtr.Zero)                    {                        Marshal.DestroyStructure(objectName, typeof(UNICODE_STRING));                        Marshal.FreeHGlobal(objectName);                        objectName = IntPtr.Zero;                    }                }            }
            [Flags]            public enum TokenAccessFlags : uint            {                TOKEN_ADJUST_DEFAULT = 0x0080,                TOKEN_ADJUST_GROUPS = 0x0040,                TOKEN_ADJUST_PRIVILEGES = 0x0020,                TOKEN_ADJUST_SESSIONID = 0x0100,                TOKEN_ASSIGN_PRIMARY = 0x0001,                TOKEN_DUPLICATE = 0x0002,                TOKEN_EXECUTE = 0x00020000,                TOKEN_IMPERSONATE = 0x0004,                TOKEN_QUERY = 0x0008,                TOKEN_QUERY_SOURCE = 0x0010,                TOKEN_READ = 0x00020008,                TOKEN_WRITE = 0x000200E0,                TOKEN_ALL_ACCESS = 0x000F01FF,                MAXIMUM_ALLOWED = 0x02000000            }
            public enum TOKEN_TYPE            {                TokenPrimary = 1,                TokenImpersonation            }
            public enum TOKEN_INFORMATION_CLASS            {                /// <summary>
                /// The buffer receives a TOKEN_USER structure that contains the user account of the token.
                /// </summary>
                TokenUser = 1,
                /// <summary>
                /// The buffer receives a TOKEN_GROUPS structure that contains the group accounts associated with the token.
                /// </summary>
                TokenGroups,
                /// <summary>
                /// The buffer receives a TOKEN_PRIVILEGES structure that contains the privileges of the token.
                /// </summary>
                TokenPrivileges,
                /// <summary>
                /// The buffer receives a TOKEN_OWNER structure that contains the default owner security identifier (SID) for newly created objects.
                /// </summary>
                TokenOwner,
                /// <summary>
                /// The buffer receives a TOKEN_PRIMARY_GROUP structure that contains the default primary group SID for newly created objects.
                /// </summary>
                TokenPrimaryGroup,
                /// <summary>
                /// The buffer receives a TOKEN_DEFAULT_DACL structure that contains the default DACL for newly created objects.
                /// </summary>
                TokenDefaultDacl,
                /// <summary>
                /// The buffer receives a TOKEN_SOURCE structure that contains the source of the token. TOKEN_QUERY_SOURCE access is needed to retrieve this information.
                /// </summary>
                TokenSource,
                /// <summary>
                /// The buffer receives a TOKEN_TYPE value that indicates whether the token is a primary or impersonation token.
                /// </summary>
                TokenType,
                /// <summary>
                /// The buffer receives a SECURITY_IMPERSONATION_LEVEL value that indicates the impersonation level of the token. If the access token is not an impersonation token, the function fails.
                /// </summary>
                TokenImpersonationLevel,
                /// <summary>
                /// The buffer receives a TOKEN_STATISTICS structure that contains various token statistics.
                /// </summary>
                TokenStatistics,
                /// <summary>
                /// The buffer receives a TOKEN_GROUPS structure that contains the list of restricting SIDs in a restricted token.
                /// </summary>
                TokenRestrictedSids,
                /// <summary>
                /// The buffer receives a DWORD value that indicates the Terminal Services session identifier that is associated with the token.
                /// </summary>
                TokenSessionId,
                /// <summary>
                /// The buffer receives a TOKEN_GROUPS_AND_PRIVILEGES structure that contains the user SID, the group accounts, the restricted SIDs, and the authentication ID associated with the token.
                /// </summary>
                TokenGroupsAndPrivileges,
                /// <summary>
                /// Reserved.
                /// </summary>
                TokenSessionReference,
                /// <summary>
                /// The buffer receives a DWORD value that is nonzero if the token includes the SANDBOX_INERT flag.
                /// </summary>
                TokenSandBoxInert,
                /// <summary>
                /// Reserved.
                /// </summary>
                TokenAuditPolicy,
                /// <summary>
                /// The buffer receives a TOKEN_ORIGIN value.
                /// </summary>
                TokenOrigin,
                /// <summary>
                /// The buffer receives a TOKEN_ELEVATION_TYPE value that specifies the elevation level of the token.
                /// </summary>
                TokenElevationType,
                /// <summary>
                /// The buffer receives a TOKEN_LINKED_TOKEN structure that contains a handle to another token that is linked to this token.
                /// </summary>
                TokenLinkedToken,
                /// <summary>
                /// The buffer receives a TOKEN_ELEVATION structure that specifies whether the token is elevated.
                /// </summary>
                TokenElevation,
                /// <summary>
                /// The buffer receives a DWORD value that is nonzero if the token has ever been filtered.
                /// </summary>
                TokenHasRestrictions,
                /// <summary>
                /// The buffer receives a TOKEN_ACCESS_INFORMATION structure that specifies security information contained in the token.
                /// </summary>
                TokenAccessInformation,
                /// <summary>
                /// The buffer receives a DWORD value that is nonzero if virtualization is allowed for the token.
                /// </summary>
                TokenVirtualizationAllowed,
                /// <summary>
                /// The buffer receives a DWORD value that is nonzero if virtualization is enabled for the token.
                /// </summary>
                TokenVirtualizationEnabled,
                /// <summary>
                /// The buffer receives a TOKEN_MANDATORY_LABEL structure that specifies the token's integrity level.
                /// </summary>
                TokenIntegrityLevel,
                /// <summary>
                /// The buffer receives a DWORD value that is nonzero if the token has the UIAccess flag set.
                /// </summary>
                TokenUIAccess,
                /// <summary>
                /// The buffer receives a TOKEN_MANDATORY_POLICY structure that specifies the token's mandatory integrity policy.
                /// </summary>
                TokenMandatoryPolicy,
                /// <summary>
                /// The buffer receives the token's logon security identifier (SID).
                /// </summary>
                TokenLogonSid,
                /// <summary>
                /// The maximum value for this enumeration
                /// </summary>
                MaxTokenInfoClass            }
            [StructLayout(LayoutKind.Sequential)]            public struct TOKEN_GROUPS            {                public int GroupCount;
                [MarshalAs(UnmanagedType.ByValArray, SizeConst = 32)]                public SID.SID_AND_ATTRIBUTES[] Groups;
                public TOKEN_GROUPS(int privilegeCount)                {                    GroupCount = privilegeCount;                    Groups = new SID.SID_AND_ATTRIBUTES[32];                }            }
            public struct TOKEN_PRIMARY_GROUP            {                public IntPtr PrimaryGroup; // PSID

                public TOKEN_PRIMARY_GROUP(IntPtr _sid)                {                    PrimaryGroup = _sid;                }            }
            [StructLayout(LayoutKind.Sequential)]            public struct TOKEN_SOURCE            {                public TOKEN_SOURCE(string name)                {                    SourceName = new byte[8];                    Encoding.GetEncoding(1252).GetBytes(name, 0, name.Length, SourceName, 0);                    if (!SID.AllocateLocallyUniqueId(out SourceIdentifier)) throw new Win32Exception();                }
                [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]                public byte[] SourceName;
                public LUID SourceIdentifier;            }
            [StructLayout(LayoutKind.Sequential)]            public struct TOKEN_USER            {                public SID.SID_AND_ATTRIBUTES User;
                public TOKEN_USER(IntPtr _sid)                {                    User = new SID.SID_AND_ATTRIBUTES { Sid = _sid, Attributes = 0 };                }            }
            [StructLayout(LayoutKind.Sequential)]            public struct TOKEN_OWNER            {                public IntPtr Owner; // PSID

                public TOKEN_OWNER(IntPtr _owner)                {                    Owner = _owner;                }            }
            [StructLayout(LayoutKind.Sequential)]            public struct TOKEN_DEFAULT_DACL            {                public IntPtr DefaultDacl; // PACL
            }
            [StructLayout(LayoutKind.Sequential)]            public struct TOKEN_PRIVILEGES            {                public int PrivilegeCount;
                [MarshalAs(UnmanagedType.ByValArray, SizeConst = 36)]                public LUID_AND_ATTRIBUTES[] Privileges;
                public TOKEN_PRIVILEGES(int privilegeCount)                {                    PrivilegeCount = privilegeCount;                    Privileges = new LUID_AND_ATTRIBUTES[36];                }            }
            public enum SECURITY_IMPERSONATION_LEVEL            {                SecurityAnonymous,                SecurityIdentification,                SecurityImpersonation,                SecurityDelegation            }
            [StructLayout(LayoutKind.Sequential)]            public struct SECURITY_QUALITY_OF_SERVICE            {                public int Length;                public SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;                public byte ContextTrackingMode;                public byte EffectiveOnly;
                public SECURITY_QUALITY_OF_SERVICE(SECURITY_IMPERSONATION_LEVEL _impersonationLevel,                    byte _contextTrackingMode, byte _effectiveOnly)                {                    Length = 0;                    ImpersonationLevel = _impersonationLevel;                    ContextTrackingMode = _contextTrackingMode;                    EffectiveOnly = _effectiveOnly;                    Length = Marshal.SizeOf(this);                }            }
            [Flags]            public enum SE_PRIVILEGE_ATTRIBUTES : uint            {                SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001,                SE_PRIVILEGE_ENABLED = 0x00000002,                SE_PRIVILEGE_USED_FOR_ACCESS = 0x80000000            }
            [Flags]            public enum SE_GROUP_ATTRIBUTES : uint            {                SE_GROUP_MANDATORY = 0x00000001,                SE_GROUP_ENABLED_BY_DEFAULT = 0x00000002,                SE_GROUP_ENABLED = 0x00000004,                SE_GROUP_OWNER = 0x00000008,                SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010,                SE_GROUP_INTEGRITY = 0x00000020,                SE_GROUP_INTEGRITY_ENABLED = 0x00000040,                SE_GROUP_RESOURCE = 0x20000000,                SE_GROUP_LOGON_ID = 0xC0000000,            }
            [StructLayout(LayoutKind.Sequential)]            public struct TOKEN_MANDATORY_LABEL            {                public SID.SID_AND_ATTRIBUTES Label;            }
            public const byte SECURITY_STATIC_TRACKING = 0;            public static readonly LUID ANONYMOUS_LOGON_LUID = new LUID { LowPart = 0x3e6, HighPart = 0 };            public static readonly LUID SYSTEM_LUID = new LUID { LowPart = 0x3e7, HighPart = 0 };            public const string SE_CREATE_TOKEN_NAME = "SeCreateTokenPrivilege";            public const string SE_ASSIGNPRIMARYTOKEN_NAME = "SeAssignPrimaryTokenPrivilege";            public const string SE_LOCK_MEMORY_NAME = "SeLockMemoryPrivilege";            public const string SE_INCREASE_QUOTA_NAME = "SeIncreaseQuotaPrivilege";            public const string SE_MACHINE_ACCOUNT_NAME = "SeMachineAccountPrivilege";            public const string SE_TCB_NAME = "SeTcbPrivilege";            public const string SE_SECURITY_NAME = "SeSecurityPrivilege";            public const string SE_TAKE_OWNERSHIP_NAME = "SeTakeOwnershipPrivilege";            public const string SE_LOAD_DRIVER_NAME = "SeLoadDriverPrivilege";            public const string SE_SYSTEM_PROFILE_NAME = "SeSystemProfilePrivilege";            public const string SE_SYSTEMTIME_NAME = "SeSystemtimePrivilege";            public const string SE_PROFILE_SINGLE_PROCESS_NAME = "SeProfileSingleProcessPrivilege";            public const string SE_INCREASE_BASE_PRIORITY_NAME = "SeIncreaseBasePriorityPrivilege";            public const string SE_CREATE_PAGEFILE_NAME = "SeCreatePagefilePrivilege";            public const string SE_CREATE_PERMANENT_NAME = "SeCreatePermanentPrivilege";            public const string SE_BACKUP_NAME = "SeBackupPrivilege";            public const string SE_RESTORE_NAME = "SeRestorePrivilege";            public const string SE_SHUTDOWN_NAME = "SeShutdownPrivilege";            public const string SE_DEBUG_NAME = "SeDebugPrivilege";            public const string SE_AUDIT_NAME = "SeAuditPrivilege";            public const string SE_SYSTEM_ENVIRONMENT_NAME = "SeSystemEnvironmentPrivilege";            public const string SE_CHANGE_NOTIFY_NAME = "SeChangeNotifyPrivilege";            public const string SE_REMOTE_SHUTDOWN_NAME = "SeRemoteShutdownPrivilege";            public const string SE_UNDOCK_NAME = "SeUndockPrivilege";            public const string SE_SYNC_AGENT_NAME = "SeSyncAgentPrivilege";            public const string SE_ENABLE_DELEGATION_NAME = "SeEnableDelegationPrivilege";            public const string SE_MANAGE_VOLUME_NAME = "SeManageVolumePrivilege";            public const string SE_IMPERSONATE_NAME = "SeImpersonatePrivilege";            public const string SE_CREATE_GLOBAL_NAME = "SeCreateGlobalPrivilege";            public const string SE_TRUSTED_CREDMAN_ACCESS_NAME = "SeTrustedCredManAccessPrivilege";            public const string SE_RELABEL_NAME = "SeRelabelPrivilege";            public const string SE_INCREASE_WORKING_SET_NAME = "SeIncreaseWorkingSetPrivilege";            public const string SE_TIME_ZONE_NAME = "SeTimeZonePrivilege";            public const string SE_CREATE_SYMBOLIC_LINK_NAME = "SeCreateSymbolicLinkPrivilege";
            public const string SE_DELEGATE_SESSION_USER_IMPERSONATE_NAME =                "SeDelegateSessionUserImpersonatePrivilege";        }
        public static class TokensEx        {            public sealed class SafeTokenHandle : SafeHandleZeroOrMinusOneIsInvalid            {                // A default constructor is required for P/Invoke to instantiate the class
                public SafeTokenHandle(IntPtr preexistingHandle)                    : base(ownsHandle: true)                {                    this.SetHandle(preexistingHandle);                }                public SafeTokenHandle()                    : base(ownsHandle: true)                {                }                            protected override bool ReleaseHandle()                {                    return Win32.CloseHandle(handle);                }            }                        public static bool CreateTokenPrivileges(string[] privs, out Tokens.TOKEN_PRIVILEGES tokenPrivileges)            {                var sizeOfStruct = Marshal.SizeOf(typeof(Tokens.TOKEN_PRIVILEGES));                var pPrivileges = Marshal.AllocHGlobal(sizeOfStruct);                tokenPrivileges = (Tokens.TOKEN_PRIVILEGES)Marshal.PtrToStructure(                    pPrivileges, typeof(Tokens.TOKEN_PRIVILEGES));                tokenPrivileges.PrivilegeCount = privs.Length;                for (var idx = 0; idx < tokenPrivileges.PrivilegeCount; idx++)                {                    if (!Win32.Tokens.LookupPrivilegeValue(IntPtr.Zero, privs[idx], out var luid)) return false;                    tokenPrivileges.Privileges[idx].Attributes =                        (uint)(Tokens.SE_PRIVILEGE_ATTRIBUTES.SE_PRIVILEGE_ENABLED |                               Tokens.SE_PRIVILEGE_ATTRIBUTES.SE_PRIVILEGE_ENABLED_BY_DEFAULT);                    tokenPrivileges.Privileges[idx].Luid = luid;                }
                return true;            }
            public static void AdjustCurrentPrivilege(string privilege)            {                Win32.Tokens.LookupPrivilegeValue(IntPtr.Zero, privilege, out LUID luid);                Win32.Tokens.RtlAdjustPrivilege(luid, true, true, out _);            }                        public static IntPtr GetInfoFromToken(SafeTokenHandle token, Win32.Tokens.TOKEN_INFORMATION_CLASS information)            {                Win32.Tokens.GetTokenInformation(token, information, IntPtr.Zero, 0, out int length);                var result = Marshal.AllocHGlobal(length);                Win32.Tokens.GetTokenInformation(token, information, result, length, out length);                return result;            }        }
        public static class Process        {            [DllImport("kernel32.dll", SetLastError = true)]            public static extern IntPtr GetCurrentProcess();
            [DllImport("kernel32.dll", SetLastError = true)]            [return: MarshalAs(UnmanagedType.Bool)]            public static extern bool GetExitCodeProcess(IntPtr hProcess, out uint lpExitCode);
            [DllImport("kernel32.dll", SetLastError = true)]            public static extern uint WaitForSingleObject(IntPtr hHandle, uint dwMilliseconds);
            [DllImport("userenv.dll", SetLastError = true)]            public static extern bool CreateEnvironmentBlock(out IntPtr lpEnvironment, TokensEx.SafeTokenHandle hToken, bool bInherit);            [DllImport("userenv.dll", SetLastError = true)]            public static extern bool DestroyEnvironmentBlock(IntPtr lpEnvironment);
            [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]            public static extern bool CreateProcessAsUser(Win32.TokensEx.SafeTokenHandle hToken, string lpApplicationName, StringBuilder lpCommandLine, SECURITY_ATTRIBUTES lpProcessAttributes, SECURITY_ATTRIBUTES lpThreadAttributes,                bool bInheritHandles, int dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, STARTUPINFO lpStartupInfo, PROCESS_INFORMATION lpProcessInformation);
            [DllImport("advapi32", SetLastError = true, CharSet = CharSet.Auto)]            public static extern bool CreateProcessWithToken(TokensEx.SafeTokenHandle hToken, LogonFlags dwLogonFlags,                string lpApplicationName, string lpCommandLine, ProcessCreationFlags dwCreationFlags,                IntPtr lpEnvironment, string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo,                out PROCESS_INFORMATION lpProcessInformation);                        [DllImport("kernel32.dll", SetLastError = true)]            internal static extern IntPtr OpenProcess(ProcessAccessFlags dwDesiredAccess,                bool bInheritHandle, int dwProcessId);                        [Flags]            internal enum ProcessAccessFlags : uint            {                All = 0x001F0FFF,                Terminate = 0x00000001,                CreateThread = 0x00000002,                VirtualMemoryOperation = 0x00000008,                VirtualMemoryRead = 0x00000010,                VirtualMemoryWrite = 0x00000020,                DuplicateHandle = 0x00000040,                CreateProcess = 0x000000080,                SetQuota = 0x00000100,                SetInformation = 0x00000200,                QueryInformation = 0x00000400,                QueryLimitedInformation = 0x00001000,                Synchronize = 0x00100000            }                        public enum LogonFlags            {                WithProfile = 1,                NetCredentialsOnly            }
            [StructLayout(LayoutKind.Sequential)]            public struct PROCESS_INFORMATION            {                public IntPtr hProcess;                public IntPtr hThread;                public int dwProcessId;                public int dwThreadId;            }
            [Flags]            public enum ProcessCreationFlags : uint            {                DEBUG_PROCESS = 0x00000001,                DEBUG_ONLY_THIS_PROCESS = 0x00000002,                CREATE_SUSPENDED = 0x00000004,                DETACHED_PROCESS = 0x00000008,                CREATE_NEW_CONSOLE = 0x00000010,                CREATE_NEW_PROCESS_GROUP = 0x00000200,                CREATE_UNICODE_ENVIRONMENT = 0x00000400,                CREATE_SEPARATE_WOW_VDM = 0x00000800,                CREATE_SHARED_WOW_VDM = 0x00001000,                INHERIT_PARENT_AFFINITY = 0x00010000,                CREATE_PROTECTED_PROCESS = 0x00040000,                EXTENDED_STARTUPINFO_PRESENT = 0x00080000,                CREATE_BREAKAWAY_FROM_JOB = 0x01000000,                CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000,                CREATE_DEFAULT_ERROR_MODE = 0x04000000,                CREATE_NO_WINDOW = 0x08000000            }
            [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]            public struct STARTUPINFO            {                public int cb;                public string lpReserved;                public string lpDesktop;                public string lpTitle;                public int dwX;                public int dwY;                public int dwXSize;                public int dwYSize;                public int dwXCountChars;                public int dwYCountChars;                public int dwFillAttribute;                public int dwFlags;                public short wShowWindow;                public short cbReserved2;                public IntPtr lpReserved2;                public IntPtr hStdInput;                public IntPtr hStdOutput;                public IntPtr hStdError;            }        }
        public static class IO        {            [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]            public static extern IntPtr CreateFile([MarshalAs(UnmanagedType.LPTStr)] string filename,                [MarshalAs(UnmanagedType.U4)] FileAccess access, [MarshalAs(UnmanagedType.U4)] FileShare share,                IntPtr securityAttributes, // optional SECURITY_ATTRIBUTES struct or IntPtr.Zero
                [MarshalAs(UnmanagedType.U4)] FileMode creationDisposition,                [MarshalAs(UnmanagedType.U4)] FileAttributes flagsAndAttributes, IntPtr templateFile);
            [Flags]            public enum FileAccess : uint            {                AccessSystemSecurity = 0x1000000,                MaximumAllowed = 0x2000000,                Delete = 0x10000,                ReadControl = 0x20000,                WriteDAC = 0x40000,                WriteOwner = 0x80000,                Synchronize = 0x100000,                StandardRightsRequired = 0xF0000,                StandardRightsRead = ReadControl,                StandardRightsWrite = ReadControl,                StandardRightsExecute = ReadControl,                StandardRightsAll = 0x1F0000,                SpecificRightsAll = 0xFFFF,                FILE_READ_DATA = 0x0001, // file & pipe
                FILE_LIST_DIRECTORY = 0x0001, // directory
                FILE_WRITE_DATA = 0x0002, // file & pipe
                FILE_ADD_FILE = 0x0002, // directory
                FILE_APPEND_DATA = 0x0004, // file
                FILE_ADD_SUBDIRECTORY = 0x0004, // directory
                FILE_CREATE_PIPE_INSTANCE = 0x0004, // named pipe
                FILE_READ_EA = 0x0008, // file & directory
                FILE_WRITE_EA = 0x0010, // file & directory
                FILE_EXECUTE = 0x0020, // file
                FILE_TRAVERSE = 0x0020, // directory
                FILE_DELETE_CHILD = 0x0040, // directory
                FILE_READ_ATTRIBUTES = 0x0080, // all
                FILE_WRITE_ATTRIBUTES = 0x0100, // all

                //
                // Generic Section
                //
                GenericRead = 0x80000000,                GenericWrite = 0x40000000,                GenericExecute = 0x20000000,                GenericAll = 0x10000000,                SPECIFIC_RIGHTS_ALL = 0x00FFFF,                FILE_ALL_ACCESS = StandardRightsRequired | Synchronize | 0x1FF,
                FILE_GENERIC_READ = StandardRightsRead | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA |                                    Synchronize,
                FILE_GENERIC_WRITE = StandardRightsWrite | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA |                                     FILE_APPEND_DATA | Synchronize,                FILE_GENERIC_EXECUTE = StandardRightsExecute | FILE_READ_ATTRIBUTES | FILE_EXECUTE | Synchronize            }
            [Flags]            public enum FileShare : uint            {                None = 0x00000000,                Read = 0x00000001,                Write = 0x00000002,                Delete = 0x00000004            }
            public enum FileMode : uint            {                New = 1,                CreateAlways = 2,                OpenExisting = 3,                OpenAlways = 4,                TruncateExisting = 5            }
            [Flags]            public enum FileAttributes : uint            {                Readonly = 0x00000001,                Hidden = 0x00000002,                System = 0x00000004,                Directory = 0x00000010,                Archive = 0x00000020,                Device = 0x00000040,                Normal = 0x00000080,                Temporary = 0x00000100,                SparseFile = 0x00000200,                ReparsePoint = 0x00000400,                Compressed = 0x00000800,                Offline = 0x00001000,                NotContentIndexed = 0x00002000,                Encrypted = 0x00004000,                Write_Through = 0x80000000,                Overlapped = 0x40000000,                NoBuffering = 0x20000000,                RandomAccess = 0x10000000,                SequentialScan = 0x08000000,                DeleteOnClose = 0x04000000,                BackupSemantics = 0x02000000,                PosixSemantics = 0x01000000,                OpenReparsePoint = 0x00200000,                OpenNoRecall = 0x00100000,                FirstPipeInstance = 0x00080000            }        }
        public static class SID        {            [DllImport("advapi32.dll", SetLastError = true)]            public static extern bool AllocateAndInitializeSid(ref SID_IDENTIFIER_AUTHORITY pIdentifierAuthority,                byte nSubAuthorityCount, int dwSubAuthority0, int dwSubAuthority1, int dwSubAuthority2,                int dwSubAuthority3, int dwSubAuthority4, int dwSubAuthority5, int dwSubAuthority6, int dwSubAuthority7,                out IntPtr pSid);
            [DllImport("advapi32.dll")]            public static extern bool AllocateLocallyUniqueId(out LUID allocated);
            [DllImport("advapi32", CharSet = CharSet.Auto, SetLastError = true)]            public static extern bool ConvertSidToStringSid(IntPtr pSid, out string strSid);
            [DllImport("advapi32.dll", SetLastError = true)]            public static extern bool ConvertStringSidToSid(string StringSid, out IntPtr ptrSid);
            [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]            public static extern int GetLengthSid(IntPtr pSid);                        [DllImport("advapi32.dll")]            public static extern IntPtr FreeSid(IntPtr pSid);
            [StructLayout(LayoutKind.Sequential)]            public struct SID_AND_ATTRIBUTES            {                public IntPtr Sid;                public uint Attributes;            }
            [StructLayout(LayoutKind.Sequential)]            public struct SID_IDENTIFIER_AUTHORITY            {                [MarshalAs(UnmanagedType.ByValArray, SizeConst = 6, ArraySubType = UnmanagedType.I1)]                public byte[] Value;                                public SID_IDENTIFIER_AUTHORITY(byte[] value)                {                    this.Value = value;                }            }                        public enum SECURITY_MANDATORY_LABEL            {                Untrusted = 0x00000000,                Low = 0x00001000,                Medium = 0x00002000,                MediumPlus = 0x00002100,                High = 0x00003000,                System = 0x00004000,            }
            public static SID_IDENTIFIER_AUTHORITY SECURITY_MANDATORY_LABEL_AUTHORITY =                new SID_IDENTIFIER_AUTHORITY(new byte[] { 0, 0, 0, 0, 0, 16 });            public const int NtSecurityAuthority = 5;            public const int AuthenticatedUser = 11;                        public const string DOMAIN_ALIAS_RID_ADMINS = "S-1-5-32-544";            public const string DOMAIN_ALIAS_RID_LOCAL_AND_ADMIN_GROUP = "S-1-5-114";            public const string TRUSTED_INSTALLER_RID =                "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464";                        public const string INTEGRITY_UNTRUSTED_SID = "S-1-16-0";            public const string INTEGRITY_LOW_SID = "S-1-16-4096";            public const string INTEGRITY_MEDIUM_SID = "S-1-16-8192";            public const string INTEGRITY_MEDIUMPLUS_SID = "S-1-16-8448";            public const string INTEGRITY_HIGH_SID = "S-1-16-12288";            public const string INTEGRITY_SYSTEM_SID = "S-1-16-16384";            public const string INTEGRITY_PROTECTEDPROCESS_SID = "S-1-16-20480";        }
        public static class WTS        {            [DllImport("wtsapi32.dll", SetLastError = true)]            public static extern int WTSEnumerateSessions(IntPtr hServer, int Reserved, int Version,                ref IntPtr ppSessionInfo, ref int pCount);
            [DllImport("wtsapi32.dll", SetLastError = true)]            public static extern bool WTSEnumerateProcesses(IntPtr serverHandle, Int32 reserved, Int32 version,                ref IntPtr ppProcessInfo, ref Int32 pCount);
            [DllImport("kernel32.dll")]            public static extern uint WTSGetActiveConsoleSessionId();
            [DllImport("wtsapi32.dll", SetLastError = true)]            public static extern bool WTSQueryUserToken(UInt32 sessionId, out TokensEx.SafeTokenHandle Token);
            [DllImport("wtsapi32.dll")]            public static extern void WTSFreeMemory(IntPtr pMemory);
            [StructLayout(LayoutKind.Sequential)]            public struct WTS_SESSION_INFO            {                public Int32 SessionID;                [MarshalAs(UnmanagedType.LPStr)]                 public String pWinStationName;                public WTS_CONNECTSTATE_CLASS State;            }
            public enum WTS_CONNECTSTATE_CLASS            {                WTSActive,                WTSConnected,                WTSConnectQuery,                WTSShadow,                WTSDisconnected,                WTSIdle,                WTSListen,                WTSReset,                WTSDown,                WTSInit            }
            public struct WTS_PROCESS_INFO            {                public int SessionID;                public int ProcessID;                public IntPtr ProcessName;                public IntPtr UserSid;            }        }
        public static class LSA        {            [DllImport("secur32.dll", SetLastError = false)]            public static extern uint LsaFreeReturnBuffer(IntPtr buffer);
            [DllImport("secur32.dll", SetLastError = false)]            public static extern uint LsaEnumerateLogonSessions(out ulong LogonSessionCount,                out IntPtr LogonSessionList);
            [DllImport("secur32.dll", SetLastError = false)]            public static extern uint LsaGetLogonSessionData(IntPtr luid, out IntPtr ppLogonSessionData);
            [StructLayout(LayoutKind.Sequential)]            public struct LSA_UNICODE_STRING            {                public UInt16 Length;                public UInt16 MaximumLength;                public IntPtr buffer;            }
            [StructLayout(LayoutKind.Sequential)]            public struct SECURITY_LOGON_SESSION_DATA            {                public UInt32 Size;                public LUID LoginID;                public LSA_UNICODE_STRING Username;                public LSA_UNICODE_STRING LoginDomain;                public LSA_UNICODE_STRING AuthenticationPackage;                public UInt32 LogonType;                public UInt32 Session;                public IntPtr PSiD;                public UInt64 LoginTime;                public LSA_UNICODE_STRING LogonServer;                public LSA_UNICODE_STRING DnsDomainName;                public LSA_UNICODE_STRING Upn;            }
            public enum SECURITY_LOGON_TYPE : uint            {                Interactive = 2, //The security principal is logging on interactively.
                Network, //The security principal is logging using a network.
                Batch, //The logon is for a batch process.
                Service, //The logon is for a service account.
                Proxy, //Not supported.
                Unlock, //The logon is an attempt to unlock a workstation.
                NetworkCleartext, //The logon is a network logon with cleartext credentials.
                NewCredentials, // Allows the caller to clone its current token and specify new credentials for outbound connections.
                RemoteInteractive, // A terminal server session that is both remote and interactive.
                CachedInteractive, // Attempt to use the cached credentials without going out across the network.
                CachedRemoteInteractive, // Same as RemoteInteractive, except used publicly for auditing purposes.
                CachedUnlock // The logon is an attempt to unlock a workstation.
            }        }
        [DllImport("kernel32.dll", SetLastError = true)]        public static extern IntPtr LocalFree(IntPtr hMem);
        [DllImport("kernel32.dll", SetLastError = true)]        [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)]        [SuppressUnmanagedCodeSecurity]        [return: MarshalAs(UnmanagedType.Bool)]        public static extern bool CloseHandle(IntPtr hObject);
        [StructLayout(LayoutKind.Sequential)]        public struct LUID        {            public UInt32 LowPart;            public UInt32 HighPart;        }
        [StructLayout(LayoutKind.Sequential, Pack = 4)]        public struct LUID_AND_ATTRIBUTES        {            public LUID Luid;            public UInt32 Attributes;        }
        [StructLayout(LayoutKind.Sequential)]        public class SECURITY_ATTRIBUTES        {            public int nLength = 12;            public SafeLocalMemHandle lpSecurityDescriptor = new SafeLocalMemHandle(IntPtr.Zero, false);            public bool bInheritHandle;        }                [HostProtection(MayLeakOnAbort = true)]        [SuppressUnmanagedCodeSecurityAttribute]        public sealed class SafeLocalMemHandle : SafeHandleZeroOrMinusOneIsInvalid        {            [SecurityPermission(SecurityAction.LinkDemand, UnmanagedCode = true)]            internal SafeLocalMemHandle(IntPtr existingHandle, bool ownsHandle) : base(ownsHandle)            {                SetHandle(existingHandle);            }            [DllImport("kernel32.dll")]            [ResourceExposure(ResourceScope.None)]            [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)]            private static extern IntPtr LocalFree(IntPtr hMem);            override protected bool ReleaseHandle()            {                return LocalFree(handle) == IntPtr.Zero;            }        }
        [StructLayout(LayoutKind.Explicit, Size = 8)]        public struct LARGE_INTEGER        {            [FieldOffset(0)] public int Low;            [FieldOffset(4)] public int High;            [FieldOffset(0)] public long QuadPart;
            public LARGE_INTEGER(long _quad)            {                Low = 0;                High = 0;                QuadPart = _quad;            }
            public long ToInt64()            {                return ((long)High << 32) | (uint)Low;            }
            public static LARGE_INTEGER FromInt64(long value)            {                return new LARGE_INTEGER { Low = (int)value, High = (int)(value >> 32) };            }        }
        [StructLayout(LayoutKind.Sequential)]        public struct UNICODE_STRING : IDisposable        {            public ushort Length;            public ushort MaximumLength;            private IntPtr buffer;
            public UNICODE_STRING(string s)            {                Length = (ushort)(s.Length * 2);                MaximumLength = (ushort)(Length + 2);                buffer = Marshal.StringToHGlobalUni(s);            }
            public void Dispose()            {                Marshal.FreeHGlobal(buffer);                buffer = IntPtr.Zero;            }
            public override string ToString()            {                return Marshal.PtrToStringUni(buffer);            }        }                public const int STATUS_SUCCESS = 0;        public static readonly int STATUS_INFO_LENGTH_MISMATCH = Convert.ToInt32("0xC0000004", 16);        public const int ERROR_BAD_LENGTH = 0x00000018;        public const int ERROR_INSUFFICIENT_BUFFER = 0x0000007A;        public static readonly IntPtr INVALID_HANDLE_VALUE = new IntPtr(-1);
        public enum NtStatus : uint        {            // Success
            Success = 0x00000000,            Wait0 = 0x00000000,            Wait1 = 0x00000001,            Wait2 = 0x00000002,            Wait3 = 0x00000003,            Wait63 = 0x0000003f,            Abandoned = 0x00000080,            AbandonedWait0 = 0x00000080,            AbandonedWait1 = 0x00000081,            AbandonedWait2 = 0x00000082,            AbandonedWait3 = 0x00000083,            AbandonedWait63 = 0x000000bf,            UserApc = 0x000000c0,            KernelApc = 0x00000100,            Alerted = 0x00000101,            Timeout = 0x00000102,            Pending = 0x00000103,            Reparse = 0x00000104,            MoreEntries = 0x00000105,            NotAllAssigned = 0x00000106,            SomeNotMapped = 0x00000107,            OpLockBreakInProgress = 0x00000108,            VolumeMounted = 0x00000109,            RxActCommitted = 0x0000010a,            NotifyCleanup = 0x0000010b,            NotifyEnumDir = 0x0000010c,            NoQuotasForAccount = 0x0000010d,            PrimaryTransportConnectFailed = 0x0000010e,            PageFaultTransition = 0x00000110,            PageFaultDemandZero = 0x00000111,            PageFaultCopyOnWrite = 0x00000112,            PageFaultGuardPage = 0x00000113,            PageFaultPagingFile = 0x00000114,            CrashDump = 0x00000116,            ReparseObject = 0x00000118,            NothingToTerminate = 0x00000122,            ProcessNotInJob = 0x00000123,            ProcessInJob = 0x00000124,            ProcessCloned = 0x00000129,            FileLockedWithOnlyReaders = 0x0000012a,            FileLockedWithWriters = 0x0000012b,
            // Informational
            Informational = 0x40000000,            ObjectNameExists = 0x40000000,            ThreadWasSuspended = 0x40000001,            WorkingSetLimitRange = 0x40000002,            ImageNotAtBase = 0x40000003,            RegistryRecovered = 0x40000009,
            // Warning
            Warning = 0x80000000,            GuardPageViolation = 0x80000001,            DatatypeMisalignment = 0x80000002,            Breakpoint = 0x80000003,            SingleStep = 0x80000004,            BufferOverflow = 0x80000005,            NoMoreFiles = 0x80000006,            HandlesClosed = 0x8000000a,            PartialCopy = 0x8000000d,            DeviceBusy = 0x80000011,            InvalidEaName = 0x80000013,            EaListInconsistent = 0x80000014,            NoMoreEntries = 0x8000001a,            LongJump = 0x80000026,            DllMightBeInsecure = 0x8000002b,
            // Error
            Error = 0xc0000000,            Unsuccessful = 0xc0000001,            NotImplemented = 0xc0000002,            InvalidInfoClass = 0xc0000003,            InfoLengthMismatch = 0xc0000004,            AccessViolation = 0xc0000005,            InPageError = 0xc0000006,            PagefileQuota = 0xc0000007,            InvalidHandle = 0xc0000008,            BadInitialStack = 0xc0000009,            BadInitialPc = 0xc000000a,            InvalidCid = 0xc000000b,            TimerNotCanceled = 0xc000000c,            InvalidParameter = 0xc000000d,            NoSuchDevice = 0xc000000e,            NoSuchFile = 0xc000000f,            InvalidDeviceRequest = 0xc0000010,            EndOfFile = 0xc0000011,            WrongVolume = 0xc0000012,            NoMediaInDevice = 0xc0000013,            NoMemory = 0xc0000017,            NotMappedView = 0xc0000019,            UnableToFreeVm = 0xc000001a,            UnableToDeleteSection = 0xc000001b,            IllegalInstruction = 0xc000001d,            AlreadyCommitted = 0xc0000021,            AccessDenied = 0xc0000022,            BufferTooSmall = 0xc0000023,            ObjectTypeMismatch = 0xc0000024,            NonContinuableException = 0xc0000025,            BadStack = 0xc0000028,            NotLocked = 0xc000002a,            NotCommitted = 0xc000002d,            InvalidParameterMix = 0xc0000030,            ObjectNameInvalid = 0xc0000033,            ObjectNameNotFound = 0xc0000034,            ObjectNameCollision = 0xc0000035,            ObjectPathInvalid = 0xc0000039,            ObjectPathNotFound = 0xc000003a,            ObjectPathSyntaxBad = 0xc000003b,            DataOverrun = 0xc000003c,            DataLate = 0xc000003d,            DataError = 0xc000003e,            CrcError = 0xc000003f,            SectionTooBig = 0xc0000040,            PortConnectionRefused = 0xc0000041,            InvalidPortHandle = 0xc0000042,            SharingViolation = 0xc0000043,            QuotaExceeded = 0xc0000044,            InvalidPageProtection = 0xc0000045,            MutantNotOwned = 0xc0000046,            SemaphoreLimitExceeded = 0xc0000047,            PortAlreadySet = 0xc0000048,            SectionNotImage = 0xc0000049,            SuspendCountExceeded = 0xc000004a,            ThreadIsTerminating = 0xc000004b,            BadWorkingSetLimit = 0xc000004c,            IncompatibleFileMap = 0xc000004d,            SectionProtection = 0xc000004e,            EasNotSupported = 0xc000004f,            EaTooLarge = 0xc0000050,            NonExistentEaEntry = 0xc0000051,            NoEasOnFile = 0xc0000052,            EaCorruptError = 0xc0000053,            FileLockConflict = 0xc0000054,            LockNotGranted = 0xc0000055,            DeletePending = 0xc0000056,            CtlFileNotSupported = 0xc0000057,            UnknownRevision = 0xc0000058,            RevisionMismatch = 0xc0000059,            InvalidOwner = 0xc000005a,            InvalidPrimaryGroup = 0xc000005b,            NoImpersonationToken = 0xc000005c,            CantDisableMandatory = 0xc000005d,            NoLogonServers = 0xc000005e,            NoSuchLogonSession = 0xc000005f,            NoSuchPrivilege = 0xc0000060,            PrivilegeNotHeld = 0xc0000061,            InvalidAccountName = 0xc0000062,            UserExists = 0xc0000063,            NoSuchUser = 0xc0000064,            GroupExists = 0xc0000065,            NoSuchGroup = 0xc0000066,            MemberInGroup = 0xc0000067,            MemberNotInGroup = 0xc0000068,            LastAdmin = 0xc0000069,            WrongPassword = 0xc000006a,            IllFormedPassword = 0xc000006b,            PasswordRestriction = 0xc000006c,            LogonFailure = 0xc000006d,            AccountRestriction = 0xc000006e,            InvalidLogonHours = 0xc000006f,            InvalidWorkstation = 0xc0000070,            PasswordExpired = 0xc0000071,            AccountDisabled = 0xc0000072,            NoneMapped = 0xc0000073,            TooManyLuidsRequested = 0xc0000074,            LuidsExhausted = 0xc0000075,            InvalidSubAuthority = 0xc0000076,            InvalidAcl = 0xc0000077,            InvalidSid = 0xc0000078,            InvalidSecurityDescr = 0xc0000079,            ProcedureNotFound = 0xc000007a,            InvalidImageFormat = 0xc000007b,            NoToken = 0xc000007c,            BadInheritanceAcl = 0xc000007d,            RangeNotLocked = 0xc000007e,            DiskFull = 0xc000007f,            ServerDisabled = 0xc0000080,            ServerNotDisabled = 0xc0000081,            TooManyGuidsRequested = 0xc0000082,            GuidsExhausted = 0xc0000083,            InvalidIdAuthority = 0xc0000084,            AgentsExhausted = 0xc0000085,            InvalidVolumeLabel = 0xc0000086,            SectionNotExtended = 0xc0000087,            NotMappedData = 0xc0000088,            ResourceDataNotFound = 0xc0000089,            ResourceTypeNotFound = 0xc000008a,            ResourceNameNotFound = 0xc000008b,            ArrayBoundsExceeded = 0xc000008c,            FloatDenormalOperand = 0xc000008d,            FloatDivideByZero = 0xc000008e,            FloatInexactResult = 0xc000008f,            FloatInvalidOperation = 0xc0000090,            FloatOverflow = 0xc0000091,            FloatStackCheck = 0xc0000092,            FloatUnderflow = 0xc0000093,            IntegerDivideByZero = 0xc0000094,            IntegerOverflow = 0xc0000095,            PrivilegedInstruction = 0xc0000096,            TooManyPagingFiles = 0xc0000097,            FileInvalid = 0xc0000098,            InstanceNotAvailable = 0xc00000ab,            PipeNotAvailable = 0xc00000ac,            InvalidPipeState = 0xc00000ad,            PipeBusy = 0xc00000ae,            IllegalFunction = 0xc00000af,            PipeDisconnected = 0xc00000b0,            PipeClosing = 0xc00000b1,            PipeConnected = 0xc00000b2,            PipeListening = 0xc00000b3,            InvalidReadMode = 0xc00000b4,            IoTimeout = 0xc00000b5,            FileForcedClosed = 0xc00000b6,            ProfilingNotStarted = 0xc00000b7,            ProfilingNotStopped = 0xc00000b8,            NotSameDevice = 0xc00000d4,            FileRenamed = 0xc00000d5,            CantWait = 0xc00000d8,            PipeEmpty = 0xc00000d9,            CantTerminateSelf = 0xc00000db,            InternalError = 0xc00000e5,            InvalidParameter1 = 0xc00000ef,            InvalidParameter2 = 0xc00000f0,            InvalidParameter3 = 0xc00000f1,            InvalidParameter4 = 0xc00000f2,            InvalidParameter5 = 0xc00000f3,            InvalidParameter6 = 0xc00000f4,            InvalidParameter7 = 0xc00000f5,            InvalidParameter8 = 0xc00000f6,            InvalidParameter9 = 0xc00000f7,            InvalidParameter10 = 0xc00000f8,            InvalidParameter11 = 0xc00000f9,            InvalidParameter12 = 0xc00000fa,            MappedFileSizeZero = 0xc000011e,            TooManyOpenedFiles = 0xc000011f,            Cancelled = 0xc0000120,            CannotDelete = 0xc0000121,            InvalidComputerName = 0xc0000122,            FileDeleted = 0xc0000123,            SpecialAccount = 0xc0000124,            SpecialGroup = 0xc0000125,            SpecialUser = 0xc0000126,            MembersPrimaryGroup = 0xc0000127,            FileClosed = 0xc0000128,            TooManyThreads = 0xc0000129,            ThreadNotInProcess = 0xc000012a,            TokenAlreadyInUse = 0xc000012b,            PagefileQuotaExceeded = 0xc000012c,            CommitmentLimit = 0xc000012d,            InvalidImageLeFormat = 0xc000012e,            InvalidImageNotMz = 0xc000012f,            InvalidImageProtect = 0xc0000130,            InvalidImageWin16 = 0xc0000131,            LogonServer = 0xc0000132,            DifferenceAtDc = 0xc0000133,            SynchronizationRequired = 0xc0000134,            DllNotFound = 0xc0000135,            IoPrivilegeFailed = 0xc0000137,            OrdinalNotFound = 0xc0000138,            EntryPointNotFound = 0xc0000139,            ControlCExit = 0xc000013a,            PortNotSet = 0xc0000353,            DebuggerInactive = 0xc0000354,            CallbackBypass = 0xc0000503,            PortClosed = 0xc0000700,            MessageLost = 0xc0000701,            InvalidMessage = 0xc0000702,            RequestCanceled = 0xc0000703,            RecursiveDispatch = 0xc0000704,            LpcReceiveBufferExpected = 0xc0000705,            LpcInvalidConnectionUsage = 0xc0000706,            LpcRequestsNotAllowed = 0xc0000707,            ResourceInUse = 0xc0000708,            ProcessIsProtected = 0xc0000712,            VolumeDirty = 0xc0000806,            FileCheckedOut = 0xc0000901,            CheckOutRequired = 0xc0000902,            BadFileType = 0xc0000903,            FileTooLarge = 0xc0000904,            FormsAuthRequired = 0xc0000905,            VirusInfected = 0xc0000906,            VirusDeleted = 0xc0000907,            TransactionalConflict = 0xc0190001,            InvalidTransaction = 0xc0190002,            TransactionNotActive = 0xc0190003,            TmInitializationFailed = 0xc0190004,            RmNotActive = 0xc0190005,            RmMetadataCorrupt = 0xc0190006,            TransactionNotJoined = 0xc0190007,            DirectoryNotRm = 0xc0190008,            CouldNotResizeLog = 0xc0190009,            TransactionsUnsupportedRemote = 0xc019000a,            LogResizeInvalidSize = 0xc019000b,            RemoteFileVersionMismatch = 0xc019000c,            CrmProtocolAlreadyExists = 0xc019000f,            TransactionPropagationFailed = 0xc0190010,            CrmProtocolNotFound = 0xc0190011,            TransactionSuperiorExists = 0xc0190012,            TransactionRequestNotValid = 0xc0190013,            TransactionNotRequested = 0xc0190014,            TransactionAlreadyAborted = 0xc0190015,            TransactionAlreadyCommitted = 0xc0190016,            TransactionInvalidMarshallBuffer = 0xc0190017,            CurrentTransactionNotValid = 0xc0190018,            LogGrowthFailed = 0xc0190019,            ObjectNoLongerExists = 0xc0190021,            StreamMiniversionNotFound = 0xc0190022,            StreamMiniversionNotValid = 0xc0190023,            MiniversionInaccessibleFromSpecifiedTransaction = 0xc0190024,            CantOpenMiniversionWithModifyIntent = 0xc0190025,            CantCreateMoreStreamMiniversions = 0xc0190026,            HandleNoLongerValid = 0xc0190028,            NoTxfMetadata = 0xc0190029,            LogCorruptionDetected = 0xc0190030,            CantRecoverWithHandleOpen = 0xc0190031,            RmDisconnected = 0xc0190032,            EnlistmentNotSuperior = 0xc0190033,            RecoveryNotNeeded = 0xc0190034,            RmAlreadyStarted = 0xc0190035,            FileIdentityNotPersistent = 0xc0190036,            CantBreakTransactionalDependency = 0xc0190037,            CantCrossRmBoundary = 0xc0190038,            TxfDirNotEmpty = 0xc0190039,            IndoubtTransactionsExist = 0xc019003a,            TmVolatile = 0xc019003b,            RollbackTimerExpired = 0xc019003c,            TxfAttributeCorrupt = 0xc019003d,            EfsNotAllowedInTransaction = 0xc019003e,            TransactionalOpenNotAllowed = 0xc019003f,            TransactedMappingUnsupportedRemote = 0xc0190040,            TxfMetadataAlreadyPresent = 0xc0190041,            TransactionScopeCallbacksNotSet = 0xc0190042,            TransactionRequiredPromotion = 0xc0190043,            CannotExecuteFileInTransaction = 0xc0190044,            TransactionsNotFrozen = 0xc0190045,            MaximumNtStatus = 0xffffffff        }    }}