NtObjectManager

1.1.30

This module adds a provider and cmdlets to access the NT object manager namespace.

Minimum PowerShell version

3.0

Installation Options

Copy and Paste the following command to install this package using PowerShellGet More Info

Install-Module -Name NtObjectManager -RequiredVersion 1.1.30

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation. Learn More

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies. Learn More

Author(s)

James Forshaw

Copyright

(c) 2016-2020 Google Inc. All rights reserved.

Owners

Tags

security defence offence sandbox

Cmdlets

Add-NtKeyHive Get-NtDirectory Get-NtEvent Get-NtFile Get-NtFileReparsePoint Get-NtHandle Get-NtKey Get-NtMutant Get-NtNamedPipeFile Get-NtObject Get-NtProcess Get-NtSemaphore Get-NtStatus Get-NtSymbolicLink Get-NtSymbolicLinkTarget Get-NtThread Get-NtToken Get-NtType New-NtDirectory New-NtEvent New-NtFile New-NtKey New-NtMailslotFile New-NtMutant New-NtNamedPipeFile New-NtSecurityDescriptor New-NtSemaphore New-NtSymbolicLink Remove-NtFileReparsePoint Start-NtWait Use-NtObject Get-NtSid Get-NtSection New-NtSection Get-AccessibleAlpcPort Get-AccessibleKey Get-AccessibleProcess Get-AccessibleFile Get-AccessibleObject Get-NtAccessMask Get-AccessibleDevice Get-AccessibleNamedPipe Get-NtGrantedAccess Get-NtJob New-NtJob Get-AccessibleService Get-AccessibleHandle Remove-NtKeyHive New-NtToken Remove-NtFile Get-NtDirectoryChild Get-NtKeyChild Add-DosDevice Remove-DosDevice Get-NtFileChild Set-NtFileReparsePoint Get-NtPartition New-NtPartition Get-NtWaitTimeout New-NtTransaction Get-NtTransaction New-NtTransactionManager Get-NtTransactionManager Connect-NtAlpcClient New-NtAlpcServer New-NtAlpcPortAttributes New-NtAlpcMessage Send-NtAlpcMessage Receive-NtAlpcMessage Connect-NtAlpcServer New-NtAlpcReceiveAttributes New-NtAlpcSendAttributes New-NtAlpcPortSection New-NtAlpcDataView New-NtAlpcSecurityContext New-NtDebug Get-NtDebug Start-NtDebugWait Add-NtDebugProcess Remove-NtDebugProcess Copy-NtObject New-NtResourceManager Get-NtResourceManager Get-NtTransactionGuid Get-NtEnlistment New-NtEnlistment Get-RpcServerName Set-RpcServerName New-NtFileHardlink Test-NetworkAccess Get-AccessibleScheduledTask Compare-RpcServer Select-RpcServer Add-NtTokenSecurityAttribute Remove-NtTokenSecurityAttribute Get-AccessibleEventTrace Test-NtTokenImpersonation Get-AccessibleToken Set-NtProcessJob Get-AccessibleWnf Get-AccessibleWindowStation Get-NtProcessJob Get-NtWindowStation Get-NtDesktop New-NtWindowStation New-NtDesktop Get-Win32Error Set-NtKeyValue Remove-NtKey Get-NtObjectInformation Set-NtObjectInformation Test-NtTokenPrivilege Format-NtJob Add-NtSecurityDescriptorAce New-NtSecurityAttribute Remove-NtSecurityDescriptorAce Invoke-NtToken Set-Win32SecurityDescriptor Reset-Win32SecurityDescriptor Search-Win32SecurityDescriptor Get-Win32SecurityDescriptor Compare-NtSid Test-NtAceCondition Test-NtTokenGroup Test-NtAccessMask Grant-NtAccessMask Revoke-NtAccessMask Select-NtSecurityDescriptorAce Write-NtAudit New-AuthZResourceManager New-AuthZContext Get-AuthZGrantedAccess Add-AuthZSid Remove-AuthZSid Set-NtToken Get-NtTokenDefaultDacl Set-NtTokenDefaultDacl Get-NtKeySymbolicLinkTarget New-NtKeySymbolicLink Rename-NtFile Get-NtFileVolumeInformation Set-NtFileVolumeInformation Send-NtFileControl Get-NtFileAttribute Set-NtFileAttribute Get-NtFileShareProcess Get-NtFileCompression Set-NtFileCompression Get-NtFileLink Get-NtFileStream Get-NtFileObjectId Get-NtFileId Set-NtFileObjectId Remove-NtFileObjectId Get-NtFileFinalPath Add-NtThreadApc New-NtThread New-NtEnclave Get-RandomByte Get-RunningScheduledTask

Functions

Get-AccessibleAlpcPort Set-NtTokenPrivilege Set-NtTokenIntegrityLevel Get-NtProcessMitigations New-NtKernelCrashDump New-NtObjectAttributes New-NtSecurityQualityOfService Get-NtLicenseValue Get-NtSystemEnvironmentValue New-Win32Process New-NtEaBuffer New-NtSectionImage New-Win32ProcessConfig Get-NtTokenFromProcess Get-ExecutableManifest New-NtProcess New-NtProcessConfig Get-NtFilePath Show-NtTokenEffective Show-NtSecurityDescriptor Get-NtIoControlCode Import-NtObject Export-NtObject Get-ExecutionAlias Set-ExecutionAlias Show-NtToken Show-NtSection Resolve-NtObjectAddress Get-NtSecurityDescriptor Get-NtSecurityDescriptorIntegrityLevel Set-NtSecurityDescriptor Add-NtVirtualMemory Get-NtVirtualMemory Remove-NtVirtualMemory Set-NtVirtualMemory Read-NtVirtualMemory Write-NtVirtualMemory Get-EmbeddedAuthenticodeSignature Get-NtSidName New-SymbolResolver New-NdrParser Format-NdrComplexType Format-NdrProcedure Format-NdrComProxy Get-NdrComProxy Get-NdrRpcServerInterface Format-NdrRpcServerInterface Get-NtMappedSection Get-NtWnf Get-NtCachedSigningLevel Add-NtSecurityDescriptorDaclAce Get-NtFilePathType New-NtType Get-NtAlpcServer Get-RpcEndpoint Get-RpcServer Set-GlobalSymbolResolver Get-RunningService Copy-NtToken Get-RpcAlpcServer Get-NtObjectFromHandle Start-Win32ChildProcess Get-NtKeyValue Start-NtFileOplock Format-RpcServer Get-NtProcessMitigationPolicy Set-NtProcessMitigationPolicy Format-NtSecurityDescriptor Get-AppContainerProfile New-AppContainerProfile Get-RpcClient Format-RpcClient Set-RpcServer Connect-RpcClient New-RpcContextHandle Format-RpcComplexType Get-Win32File Close-NtObject Start-AccessibleScheduledTask Get-NtFileEa Set-NtFileEa Suspend-NtProcess Resume-NtProcess Stop-NtProcess Suspend-NtThread Resume-NtThread Stop-NtThread Format-NtToken Remove-NtTokenPrivilege Get-NtTokenPrivilege Get-NtLocallyUniqueId Get-NtTokenGroup Get-NtTokenSid Set-NtTokenSid Set-NtTokenGroup Get-NtDesktopName Get-NtWindowStationName Get-NtWindow Out-HexDump Get-NtTypeAccess Get-NtAtom Add-NtAtom Remove-NtAtom Import-Win32Module Get-Win32Module Get-Win32ModuleExport Get-Win32ModuleImport Get-NtDirectoryEntry Remove-NtKeyValue Read-AuthCredential Get-AuthPackage Get-AuthCredentialHandle Get-AuthServerContext Get-AuthClientContext Update-AuthServerContext Update-AuthClientContext Get-AuthAccessToken Get-NtKernelModule Get-NtObjectInformationClass Add-NtSection Remove-NtSection Compare-NtObject Edit-NtSecurityDescriptor Set-NtSecurityDescriptorOwner Set-NtSecurityDescriptorGroup Set-NtSecurityDescriptorIntegrityLevel ConvertFrom-NtAceCondition ConvertFrom-NtSecurityDescriptor Remove-NtSecurityDescriptorOwner Remove-NtSecurityDescriptorGroup New-NtUserGroup New-NtAcl Set-NtSecurityDescriptorDacl Set-NtSecurityDescriptorSacl Copy-NtSecurityDescriptor Test-NtSecurityDescriptor Get-NtSecurityDescriptorOwner Get-NtSecurityDescriptorGroup Get-NtSecurityDescriptorDacl Get-NtSecurityDescriptorSacl Set-NtSecurityDescriptorControl Get-NtSecurityDescriptorControl Remove-NtSecurityDescriptorDacl Remove-NtSecurityDescriptorSacl Remove-NtSecurityDescriptorIntegrityLevel Add-NtSecurityDescriptorControl Remove-NtSecurityDescriptorControl Format-Win32SecurityDescriptor New-ObjectTypeTree Add-ObjectTypeTree ConvertTo-NtAceCondition Get-NtTokenMandatoryPolicy Clear-NtSecurityDescriptorDacl Clear-NtSecurityDescriptorSacl Get-CentralAccessPolicy Remove-ObjectTypeTree Set-ObjectTypeTreeAccess Revoke-ObjectTypeTreeAccess Select-ObjectTypeTree Test-NtObject Get-NtTokenIntegrityLevel Get-NtAuditPolicy Set-NtAuditPolicy Get-NtAuditSecurity Set-NtAuditSecurity Format-AuthToken Get-AuthToken Test-AuthContext Get-NtLogonSession Get-NtAccountRight Get-NtAccountRightSid Get-NtConsoleSession Get-ServicePrincipalName Get-NtTokenId Get-AuthCredential Export-AuthToken Import-AuthToken Get-MD4Hash Format-ASN1DER Import-KerberosKeyTab Export-KerberosKeyTab New-KerberosKey Get-KerberosKey Unprotect-AuthToken Get-KerberosTicket Get-NdrComplexType Get-NtProcessUser Get-NtProcessEnvironment Split-Win32CommandLine Send-NtWindowMessage Get-NtKeyHive Backup-NtKey Restore-NtKey Enable-NtTokenVirtualization Disable-NtTokenVirtualization Read-NtFile Write-NtFile Get-FilterConnectionPort Get-FilterDriver Get-FilterDriverInstance Get-FilterDriverVolume Get-FilterDriverVolumeInstance Add-NtEaBuffer Remove-NtFileEa Get-NtDeviceSetupClass Get-NtDeviceNode Get-NtDeviceInterfaceClass Get-NtDeviceProperty Get-NtDeviceNodeChild Get-NtDeviceInterfaceInstance Get-NtDeviceNodeParent Get-NtDeviceNodeStack Get-NtFileItem Get-NtFileChange Lock-NtFile Unlock-NtFile Get-NtFileDisposition Set-NtFileDisposition Wait-AsyncTaskResult Get-NtFile8dot3Name Send-FilterConnectionPort Test-NtFileDriverPath Get-NtMountPoint New-NtFileReparseBuffer Get-NtFileQuota Set-NtFileQuota Read-NtFileUsnJournal Confirm-NtFileOplock Start-AppModelApplication Get-NtThreadContext Set-NtThreadContext Remove-AppContainerProfile Get-AppModelApplicationPolicy Test-NtProcessJob Get-AppxDesktopBridge Stop-NtJob Get-NtThreadWorkOnBehalfTicket Set-NtThreadWorkOnBehalfTicket Get-NtThreadContainerId Set-NtThreadContainer Clear-NtThreadWorkOnBehalfTicket Compare-NtSigningLevel Get-NtSystemInformation Get-NtSigningLevel Get-X509Certificate Set-NtCachedSigningLevel Invoke-NtEnclave Add-NtAccountRight Remove-NtAccountRight Start-Win32DebugConsole Get-Win32Service Test-NtProcess Get-NtApiSet Clear-NtSidName Add-NtSidName Remove-NtSidName New-Win32Service Remove-Win32Service Test-NtTokenCapability New-Win32DebugConsole Read-Win32DebugConsole Get-Win32ServiceSecurityDescriptor

Dependencies

This module has no dependencies.

Release Notes

1.1.30
--------
* Fixed issue when displaying only a SACL with Format-NtSecurityDescriptor.
* Added basic named pipe support for RPC clients.
* Fixed issue enumerating per-user audit rules.
* Added view accessor for safe buffers.
* Improved debug tracing for RPC clients.
* Improved handling of paths with local files commands.
* Fixed path issue with Set-Win32SecurityDescriptor.
* Added querying trace providers from the WMI security key.

Version History

Version Downloads Last updated
1.1.31 3,645 3/16/2021
1.1.30 (current version) 933 1/15/2021
1.1.29 744 11/23/2020
1.1.28 2,148 6/30/2020
1.1.27 2,137 2/10/2020
1.1.26 420 1/21/2020
1.1.25 430 1/2/2020
1.1.24 478 12/10/2019
1.1.23 922 10/15/2019
1.1.22 2,483 4/30/2019
1.1.21 93 4/23/2019
1.1.20 477 3/9/2019
1.1.19 181 2/4/2019
1.1.18 20 2/4/2019
1.1.17 629 9/9/2018
1.1.16 164 8/1/2018
1.1.15 202 6/18/2018
1.1.14 291 5/1/2018
1.1.13 98 4/4/2018
1.1.12 231 3/19/2018
1.1.11 98 3/4/2018
1.1.10 25 3/1/2018
1.1.9 59 2/22/2018
1.1.8 77 2/6/2018
1.1.7 85 1/11/2018
1.1.6 92 12/3/2017
1.1.5 36 11/23/2017
1.1.4 58 11/14/2017
1.1.3 44 11/5/2017
1.1.2 95 10/11/2017
1.1.1 183 8/30/2017
1.1.0 11 8/30/2017
1.0.9 77 8/19/2017
1.0.8 50 8/7/2017
1.0.7 161 6/14/2017
1.0.6 241 5/24/2017
1.0.5 16 5/24/2017
1.0.4 29 5/17/2017
1.0.3 81 2/23/2017
1.0.2 34 2/8/2017
1.0.1 225 11/3/2016
1.0 108 11/1/2016