secur32/LsaRegisterLogonProcess.ps1

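function LsaRegisterLogonProcess
{
    <#
    .SYNOPSIS

    The LsaRegisterLogonProcess function establishes a connection to the Local Security Authority (LSA) server and verifies that the caller is a logon application.

    .DESCRIPTION

    Registers the fixed logon process name "INVOKE-IR" with the LSA and returns the resulting handle, which is used in calls to authentication functions such as LsaLogonUser and LsaCallAuthenticationPackage.

    Per the Windows API documentation, the caller must hold SeTcbPrivilege, so this call fails with an access-denied status from an ordinary user context. The returned handle should be released with LsaDeregisterLogonProcess once it is no longer needed.

    The registered name is visible to defenders: Windows Security event 4611 ("A trusted logon process has been registered with the Local Security Authority") records the logon process name when that audit category is enabled.

    .NOTES

    Author: Jared Atkinson (@jaredcatkinson)
    License: BSD 3-Clause
    Required Dependencies: PSReflect, LsaNtStatusToWinError (Function), LSA_STRING (Structure)
    Optional Dependencies: None

    (func secur32 LsaRegisterLogonProcess ([UInt32]) @(
        $LSA_STRING.MakeByRefType() #_In_ PLSA_STRING LogonProcessName,
        [IntPtr].MakeByRefType() #_Out_ PHANDLE LsaHandle,
        [UInt64].MakeByRefType() #_Out_ PLSA_OPERATIONAL_MODE SecurityMode
    ) -EntryPoint LsaRegisterLogonProcess)

    NOTE(review): LSA_OPERATIONAL_MODE is a ULONG in the Windows SDK; the UInt64 above is wider than the native type. Confirm against the module's PSReflect definition before changing either side.

    .OUTPUTS

    System.IntPtr. The LSA handle returned by LsaRegisterLogonProcess.

    .LINK

    https://msdn.microsoft.com/en-us/library/windows/desktop/aa378297(v=vs.85).aspx

    .EXAMPLE

    $hLsa = LsaRegisterLogonProcess
    #>

    # LSA_STRING carries a counted ANSI buffer, so the name is marshalled as raw
    # ASCII bytes into unmanaged memory rather than passed as a .NET string.
    $nameBytes = [System.Text.Encoding]::ASCII.GetBytes("INVOKE-IR")
    [IntPtr]$nameBuffer = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($nameBytes.Length)

    try
    {
        [System.Runtime.InteropServices.Marshal]::Copy($nameBytes, 0, $nameBuffer, $nameBytes.Length)

        $lsaString = [Activator]::CreateInstance($LSA_STRING)
        $lsaString.Length = [UInt16]$nameBytes.Length
        $lsaString.MaximumLength = [UInt16]$nameBytes.Length
        $lsaString.Buffer = $nameBuffer

        $LsaHandle = [IntPtr]::Zero
        $SecurityMode = [UInt64]0

        $NtStatus = $Secur32::LsaRegisterLogonProcess([ref]$lsaString, [ref]$LsaHandle, [ref]$SecurityMode)
    }
    finally
    {
        # Release the unmanaged name buffer on every path, including when the
        # copy or the native call throws; otherwise the allocation leaks.
        [System.Runtime.InteropServices.Marshal]::FreeHGlobal($nameBuffer)
    }

    # A non-zero NTSTATUS is a failure; translate it to a Win32 error so the
    # exception message is human-readable.
    if($NtStatus -ne 0)
    {
        $WinErrorCode = LsaNtStatusToWinError -NtStatus $NtStatus
        $Win32Error = [ComponentModel.Win32Exception]$WinErrorCode
        throw "LsaRegisterLogonProcess Error: $($Win32Error.Message)"
    }

    Write-Output $LsaHandle
}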