en-US/about_NtObjectManagerProvider.help.txt

TOPIC
    about_NtObjectManagerProvider

SHORT DESCRIPTION
    The NtObjectManager Module includes a PS drive provider to inspect and manipulate the object
    manager namespace.

LONG DESCRIPTION
    Under the hood of the Win32 API is the NT Object Manager which acts similar to a filesystem.
    This is normally hidden from view and requires specialist tools such as WinObj to inspect it.
    The NtObjectManager Module comes with a PS drive provider which allows you to enumerate entries
    and modify certain properties in the namespace.

    By default two new drives will be created, NtObject: which can be used to access the root namespace,
    and NtObjectSession: which points to the current user session's BaseNamedObjects directory. It's
    also possible to add other drives with different roots if needed. The root name for the drive provider
    is nt:\path.

    The provider also supports Registry Keys. The root of the Registry is mapped under the NtKey: drive
    while the current user hive is mapped to NtKeyUser:. If you create a new drive with SeBackupPrivilege
    enabled it will set backup mode which bypasses most access control for the Registry.

    Accessing the namespace works just like other PS drive providers. You can use Get-ChildItem to
    enumerate items and Get-Item to get an individual object. Get/Set-Acl and wildcards are also supported.
    The items returned are directory entries which contain basic information such as the name,
    type name and security descriptor of the object. To get a handle to the object to work with you
    must call the ToObject method. Ensure you call the Close method after you've finished with the
    handle to prevent a leak.
    
    As an additional feature it's possible to map Private Namespaces, assuming you know the boundary
    descriptor required. The drive root name must be of the form:
    ntpriv:[SID[:SID]@]NAME
    SIDs are optional and are specified in SDDL format (either S-X-X-X or short forms such as BA).

    New-Item is supported for a limited number of object types: Event, Directory, SymbolicLink (Link),
    Mutant and Semaphore. You need to specify the type using the -ItemType parameter, and for symbolic
    links you must use the type name Link (not SymbolicLink), otherwise the call will fail. SymbolicLink and
    Semaphore take an additional -Value, the link target for the former and the maximum semaphore count for
    the latter. Also note that the return value of New-Item is a handle to the underlying object (like you
    would get from calling ToObject on a directory entry). This is because, by default, the kernel deletes a
    named object as soon as no handle references it, so the returned handle is what keeps the object alive.
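    The following script, added here as an illustration and not part of the module's own help text, ties the
    points above together: it creates an event with New-Item, opens a second handle via ToObject, closes
    both in finally blocks so they cannot leak, and then checks that the object disappears once the last
    handle is closed. The object name is constructed for the example; -ErrorAction on Get-Item is standard
    cmdlet behaviour and is assumed to work with this provider.

```powershell
# Added example, not from the NtObjectManager help text. Demonstrates handle lifetime
# for named objects created through the NtObjectManager drive provider.
$name = "ExampleEvent_$PID"            # constructed name, assumed not to exist already
$path = "NtObjectSession:\$name"       # session BaseNamedObjects directory

# New-Item returns a handle; the event exists only while some handle references it.
$handle = New-Item $path -ItemType Event
try {
    # While $handle is open, the entry is visible through the provider.
    $entry = Get-Item $path
    "Created {0}, visible: {1}" -f $entry.Name, ($null -ne $entry)

    # Open a second handle from the directory entry and signal the event.
    # Close it in finally so an error in Set() cannot leak the handle.
    $obj = $entry.ToObject()
    try {
        $obj.Set()
    } finally {
        $obj.Close()
    }

    # The object is still present: $handle keeps it alive.
    $still = Get-Item $path -ErrorAction SilentlyContinue
    "Still present after closing second handle: {0}" -f ($null -ne $still)
} finally {
    # Closing the last handle lets the kernel delete the named object.
    $handle.Close()
}

# Once the last handle is closed the same path no longer resolves.
$after = Get-Item $path -ErrorAction SilentlyContinue
"Deleted after last Close: {0}" -f ($null -eq $after)
```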

EXAMPLES
    Example 1: List child items of object manager namespace root.
    Get-ChildItem NtObject:\

    Example 2: List maximum allowed access for objects.
    Get-ChildItem NtObject:\Dir | Select-Object Name,MaximumGrantedAccess

    Example 3: List symbolic links in a directory and print their targets.
    Get-ChildItem NtObject:\Dir | Where-Object IsSymbolicLink -eq $True | Select-Object Name,SymbolicLinkTarget

    Example 4: Get an event object and Set it.
    $event = Get-Item NtObjectSession:\Eventname
    $event_obj = $event.ToObject()
    $event_obj.Set()
    $event_obj.Close()

    Example 5: Create a new directory ABC in the user's base named objects.
    $obj = New-Item NtObjectSession:\ABC -ItemType Directory
    # Do something with directory.
    # ...
    $obj.Close()

    Example 6: Create a new symbolic link ABC in the user's base named objects pointing to \BaseNamedObjects
    $obj = New-Item NtObjectSession:\ABC -ItemType Link -Value \BaseNamedObjects
    # Do something
    # ...
    $obj.Close()

    Example 7: Create a new event ABC in the user's base named objects
    $obj = New-Item NtObjectSession:\ABC -ItemType Event
    # Do something
    # ...
    $obj.Close()

    Example 8: Create a new semaphore ABC in the user's base named objects with max count of 10
    $obj = New-Item NtObjectSession:\ABC -ItemType Semaphore -Value 10
    # Do something
    # ...
    $obj.Close()

    Example 9: Create a new mutant ABC in the user's base named objects
    $obj = New-Item NtObjectSession:\ABC -ItemType Mutant
    # Do something
    # ...
    $obj.Close()

    Example 10: Mount an existing global directory.
    New-PSDrive -PSProvider NtObjectManager -Name BNO -Root nt:BaseNamedObjects

    Example 11: Mount an existing private namespace, with name ABC and SIDs Everyone and Low Mandatory Level.
    New-PSDrive -PSProvider NtObjectManager -Name PrivNS -Root ntpriv:WD:LW@ABC

    Example 12: Mount the Machine Registry KEY.
    New-PSDrive -PSProvider NtObjectManager -Name MACHINEKEY -Root ntkey:MACHINE

KEYWORDS
    Objects, ObjectManager.