This module adds a provider and cmdlets to access the NT object manager namespace.
Minimum PowerShell version
(c) 2016, 2017, 2018 Google Inc. All rights reserved.
Add-NtKey Get-NtDirectory Get-NtEvent Get-NtFile Get-NtFileReparsePoint Get-NtHandle Get-NtKey Get-NtMutant Get-NtNamedPipeFile Get-NtObject Get-NtProcess Get-NtSemaphore Get-NtStatus Get-NtSymbolicLink Get-NtSymbolicLinkTarget Get-NtThread Get-NtToken Get-NtType New-NtDirectory New-NtEvent New-NtFile New-NtKey New-NtMailslotFile New-NtMutant New-NtNamedPipeFile New-NtSecurityDescriptor New-NtSemaphore New-NtSymbolicLink Remove-NtFileReparsePoint Start-NtWait Use-NtObject Get-NtSid Get-NtSection New-NtSection Get-AccessibleAlpcPort Get-AccessibleKey Get-AccessibleProcess Get-AccessibleFile Get-AccessibleObject Get-NtAccessMask Get-AccessibleDevice Get-AccessibleNamedPipe Get-NtGrantedAccess Get-NtJob New-NtJob Get-AccessibleService Get-AccessibleHandle Remove-NtKey New-NtToken Remove-NtFile Get-NtDirectoryChild Get-NtKeyChild Add-DosDevice Remove-DosDevice Get-NtFileChild Set-NtFileReparsePoint
Get-AccessibleAlpcPort Set-NtTokenPrivilege Set-NtTokenIntegrityLevel Get-NtProcessMitigations New-NtKernelCrashDump New-NtObjectAttributes New-NtSecurityQualityOfService Get-NtLicenseValue Get-NtSystemEnvironmentValue New-Win32Process New-NtEaBuffer New-NtSectionImage New-Win32ProcessConfig Get-NtTokenFromProcess Get-ExecutableManifest New-NtProcess New-NtProcessConfig Get-NtFilePath Show-NtTokenEffective Show-NtSecurityDescriptor Get-NtIoControlCode Import-NtObject Export-NtObject Get-ExecutionAlias New-ExecutionAlias Show-NtToken Show-NtSection Resolve-NtObjectAddress Invoke-NtToken Get-NtFilteredToken Get-NtLowBoxToken Get-NtSecurityDescriptor Set-NtSecurityDescriptor Add-NtVirtualMemory Get-NtVirtualMemory Remove-NtVirtualMemory Set-NtVirtualMemory Read-NtVirtualMemory Write-NtVirtualMemory Get-EmbeddedAuthenticodeSignature Get-NtSidName New-SymbolResolver New-NdrParser Format-NdrComplexType Format-NdrProcedure Format-NdrComProxy Get-NdrComProxy
This module has no dependencies.
* Added basic support for transaction objects.
* Minor fixes for ALPC support.
* Implemented OOP NDR parsing.
* Added NDR parsing and formatting powershell functions such as New-NdrParser and Format-NdrComProxy
* Fix for display of NDR arrays from 1orenz0.
* Print NDR correlation descriptors during formatting.
* Added support to read out COM proxies.
* Fixed bug in Get-NtToken for sandboxed tokens.
* Extended support for Job objects.
* Added Set-NtFileReparsePoint cmdlet.
* Added support for viewing a file with Show-NtSection
* Added support for DuplicateTo methods from rosalie.lecart.
* Improved support for Win32 Desktop and WindowStation objects.
* ScriptBlock support for the $_ argument.
* Added SID -> Name cache to improve performance.
* Fixed user marshallers in NDR for Windows 7.
* Added internal security descriptor viewer control.
* Added basic NDR parser.
* Added basic symbol resolver.
* Added method to read a security descriptor from another process.
* Improved process memory read and writing methods.
* Added virtual memory cmdlets to allocate, release and modify memory.
* Added Get-EmbeddedAuthenticodeSignature function.
* Added Get and Set NtSecurityDescriptor functions.
* Added ProcessTrustLabel to basic security information set.
* Added Get-NtFileChild cmdlet.
* Added Get-NtKeyChild cmdlet.
* Added Get-NtDirectoryChild cmdlet.
* Added name lookup to NtIoControlCode.
* Added NtNamedPipeFile type with implementations of basic pipe functions.
* Added ADd-DosDevice and Remove-DosDevice cmdlets.
* Added file directory and stream visitors.
* Merged Get-NtLowBoxToken and Get-NtFilteredToken into Get-NtToken.
* Modified Show-NtSection to also display an arbitrary byte array.
* Added an Invoke-NtToken cmdlet to run a script block under impersonation.
* Added Remove-NtFile cmdlet.
* Added case sensitive property for RS4.
* Added flags for NtCreateDirectoryObjectEx.
* Added pseudo option to Get-NtToken.
* Improved conditional ACE support.
* Improved New-NtToken including adding missing IL
* Added new NTSTATUS codes from 1709
* Changes to native process creation
* Added OverrideChildProcessCreation for Win32 process
* Added display of process trust labels from tokens.
* Fixed IsChildProcessRestricted on 1709 and above (changed structure)
* Fixed named pipe server in TokenViewer
* Added -All parameter to Show-NtToken to display list of tokens.
* Added support for extended handle information to allow for PIDs > 64k.
* Added basic New-NtToken cmdlet and system call.
* Added Resolve-NtObjectAdddress cmdlet to resolve the addresses of a list of objects.
* Added generic object ReOpen method.
* Added vistor method to object directories to enumerate recursively with a callback.
* Added display of process trust labels.
* Fix for bug when querying extended process information on Windows 7/8.
* Add OneDrive file attributes from thierry.franzetti.
* Added support for displaying child AppContainer names.
* Various improvements to section editor including integer data inspectors.
* Better support for relative paths in the cmdlets including supporting ones based on the current directory.
* RenameEx and DispositionEx support from fllombard.
* Added Key value deletion and fixes from rsiestrunck.
* Fixed bug in NtOpenSession prototype.
* Added support for adding additional groups to a token in Get-NtToken if user has SeTcbPrivilege.
* Added Show-NtToken to display a token in the GUI, renamed old whois style token viewer to Show-NtTokenEffective.
* Added PowerShell functions to get and create execution alias reparse points.
* Added section viewer and editor with Show-NtSection function.
* Added projects to build NtObjectManager for PowerShell Core 6.0
* Added additional techniques to open process tokens in access checking cmdlets.
* Fixed issues with Add-NtKey and added Remove-NtKey cmdlets.
* Minor fixes from fllombard
* Added change notify key with asynchronous support
* Added kernel LUID allocation
* Added support for child process policy and desktop app policy to Win32ProcessConfig.
* Added new mitigation options from Win10 1709.
* Fix a couple of crashes.1.1.5
* Fixed crash on 32 bit Windows when enumerating NT types.
* Merged ManagedHandleUtils assembly into main NtApiDotNet under the Win32 namespace.
* Added Show-NtSecurityDescriptor function.
* Added support for modifying security descriptors in the UI.
* Cleanup of access mask when being displayed in the UI.
* Added opaque reparse buffer.
* Added Show-NtToken function.
* Added basic version checking for certain functions which can't be accessed on Windows 7.
* Fixed referenced System.Management.Automation assembly version to run properly with no PS2.
* Fixed some bugs in token structures which preventing being used with multiple values.
* Added support to Win32Process for LPAC.
* Added Get-AccessibleHandle cmdlet.
* Support for oplock levels.
* Added support to set inherit and protect on close flags to objects.
* Added Get-NtFilePath function.
* Fix to native protected process creation.
* Added functions to create native NT processes.
* Removed check tools, excluding CheckNetworkAccess.
* Added basic Job object cmdlets.
* Added creation of protected processes in Win32Process.
* Added service access checking cmdlet.
* Added get executable manifest cmdlet.
* Made New-Win32Process more generic and added support for Win32k filter enable.
* Added function to capture token from a process using impersonation.
* Added basic support for Desktop and WindowStation objects using Win32u.dll exports.
* Added file locking implementation including async.
* Added hardlink enumeration.
* Added NTFS stream enumeration.
* Deprecated most of the old standalone utilities in favour of PS cmdlets.
* Added cmdlets to create a kernel memory dump, system environment and licensing.
* Additional system calls implemented.
* Added access to secure boot policies and code integrity policies.
* Made Win32 Process creation more generic and added cmdlet.
* Added access check by type including SELF SID.
* Added new cmdlets to do access checking. Many of the old standalone utilities are now deprecated.
* Added cmdlets to create lowbox tokens
* Added list of known capability SIDs and resolve them during name lookup
* Added cmdlet to get a SID
* Added cmdlet to do a standalone access checking
* Reworked the APIs to include non-throwing versions of many of the core Open/Create methods.
* Made NtType more inspectable, includes access enumeration and rationalizes the opening methods.
* Various additional properties such as extended process flags, checking for LPAC
* Rework of access mask handling. Now all low-level APIs use an AccessMask structure which has
conversion operators to and from other enumerations.
* Various other bug fixes.
* Added cmdlet to filter a Token object.
* Cleanups to various components to make them easier to use from PS
* Added additional Known SIDs
* Unified the variant Get-NtToken* cmdlets into one.
* Added additional token cmdlets such as Logon and Clipboard.
* Added initial support for IO Completion Ports
* Added object creation time property
* Added support to set a process device map
* Added top level CanSynchronize property to NtObject
* Bugs fixes from Rustam Agametov
* Support getting and setting file EA buffe
* Added cmdlet to get NTSTATUS code information
* Support to toggle UIAccess and Virtualization flags on tokens
* Added asynchronous support for file operations using Task APIs
* Added support for virtual memory functions
* Added cmdlet to create named pipes and mailslots.
* Added support for specifying SD as SDDL directly to cmdlets.
* Added thread descriptions for Anniversary edition and above.
* Fixed small bug in handling of IO_STATUS_BLOCK which could result in memory corruption.
* Added support to list directory entries for a file directory.
* Added support to do basic read and writes to a file.
* Added support to disable dynamic code policy on a process.
* Added cmdlets for reparse points.
* Fixes for EA buffer.
* Added service SIDs.
* Added support for removing token privileges.
* Fixed token security attribute parsing.
* Fixed bug in Get-NtThread with -ProcessId
* Added support for FilterScript for Get-NtThread
* Added support for querying thread dynamic code opt-out policy
* Added support for RFG mitigation
* NT Object Manager drive provider
* Cmdlets to directory work with Directorys, Files, Symbolic Links, Events, Semaphores, Processes, Threads, Tokens etc.
|1.1.14 (current version)||292||5/1/2018|