ntifs.h

/*
    This is a free version of the file ntifs.h, release 53.
    The purpose of this include file is to build file system and
    file system filter drivers for Windows NT®, Windows® 2000,
    Windows® XP and Windows® Server 2003.
    Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005 Bo Brantén.
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

    The GNU General Public License is also available from:
    http://www.gnu.org/copyleft/gpl.html

    Windows and Windows NT are either registered trademarks or trademarks of
    Microsoft Corporation in the United States and/or other countries.

    DISCLAIMER: I do not encourage anyone to use this include file to build
    drivers used in production. The information in this include file is
    incomplete and intended only as an studying companion. The information
    has been found in books, magazines, on the Internet and received from
    contributors. Some of the information in this file may not be available
    in other publications intended for similar use, these should be used with
    extra care. Some of the information in this file may have different names
    than in other publications even though they describe the same thing.

    Please send comments, corrections and contributions to bosse@acc.umu.se

    The most recent version of this file is available from:
    http://www.acc.umu.se/~bosse/ntifs.h

    Thanks to:
      Andrey Shedel, Luigi Mori, Louis Joubert, Itai Shaham, David Welch,
      Emanuele Aliberti, Anton Altaparmakov, Dan Partelly, Mamaich, Yossi
      Yaffe, Gunnar André Dalsnes, Vadim V Vorobev, Ashot Oganesyan K, Oleg
      Nikityenko, Matt Wu, Tomas Olsson, Raaf, Anthony Choi, Alexey Logachyov,
      Marc-Antoine Ruel, Vyacheslav I. Levtchenko, Yuri Polyakov, Bruno Milot,
      Alex Vlasov, Dan Fulger, Petr Semerad and Darja Isaksson.

    Revision history:

    53. 2005-11-06
        Added:
          Function prototypes:
            RtlRandom
            RtlRandomEx
            RtlSecondsSince1980ToTime
            RtlTimeToSecondsSince1980

    52. 2005-11-05
        Corrected:
          OBJECT_NAME
          TOKEN_OBJECT

    51. 2005-10-16
        Corrected:
          ETHREAD
          GDI_TEB_BATCH
          MMADDRESS_NODE
          TEB

    50. 2005-10-15
        Added:
          Data types:
            READ_LIST
          Function prototypes:
            IoAttachDeviceToDeviceStackSafe
            IoCheckQuerySetFileInformation
            IoCheckQuerySetVolumeInformation
            IoCreateFileSpecifyDeviceObjectHint
            IoCreateStreamFileObjectEx
            IoEnumerateDeviceObjectList
            IoGetDeviceAttachmentBaseRef
            IoGetDiskDeviceObject
            IoGetLowerDeviceObject
            IoIsFileOriginRemote
            IoQueryFileDosDeviceName
            IoQueueThreadIrp
            IoSetFileOrigin
            KeAcquireQueuedSpinLock
            KeInitializeMutant
            KeReadStateMutant
            KeReleaseMutant
            KeReleaseQueuedSpinLock
            KeSetIdealProcessorThread
            KeSetKernelStackSwapEnable
            KeTryToAcquireQueuedSpinLock
            MmPrefetchPages
            ObDereferenceSecurityDescriptor
            ObLogSecurityDescriptor
            ObReferenceSecurityDescriptor
            PoQueueShutdownWorkItem
            RtlxUnicodeStringToAnsiSize
            SeAuditHardLinkCreation
            SeAuditingHardLinkEvents
            SeFilterToken

    49. 2005-10-09
        Corrected:
          EPROCESS
          KTHREAD
          MMSUPPORT_FLAGS
          MMSUPPORT
          OBJECT_HEADER
          OBJECT_TYPE_INITIALIZER
          OBJECT_TYPE
          TEB
          KeInsertQueueApc
        Added:
          Defines:
            OB_FLAG_XXX
            OB_SECURITY_CHARGE
          Data types:
            ACTIVATION_CONTEXT_STACK
            GDI_TEB_BATCH
            HANDLE_INFO
            KGUARDED_MUTEX
            MMADDRESS_NODE
            MM_AVL_TABLE
            OBJECT_CREATE_INFORMATION
            OBJECT_CREATOR_INFO
            OBJECT_DIRECTORY
            OBJECT_DIRECTORY_ITEM
            OBJECT_HANDLE_DB
            OBJECT_HANDLE_DB_LIST
            OBJECT_HEADER_FLAGS
            OBJECT_NAME
            OBJECT_QUOTA_CHARGES
            OBJECT_QUOTA_INFO
            QUOTA_BLOCK
            RTL_ACTIVATION_CONTEXT_STACK_FRAME
            TEB_ACTIVE_FRAME
            TEB_ACTIVE_FRAME_CONTEXT
            Wx86ThreadState
          Function prototypes:
            FsRtlAcquireFileExclusive
            FsRtlBalanceReads
            FsRtlDissectDbcs
            FsRtlDoesDbcsContainWildCards
            FsRtlIsDbcsInExpression
            FsRtlIsFatDbcsLegal
            FsRtlIsHpfsDbcsLegal
            FsRtlIsPagingFile
            FsRtlIsTotalDeviceFailure
            FsRtlMdlReadDev
            FsRtlPostPagingFileStackOverflow
            FsRtlPostStackOverflow
            FsRtlPrepareMdlWriteDev
            FsRtlReleaseFile

    48. 2005-04-16
        Added:
          Data types:
            THREAD_BASIC_INFORMATION
          Function prototypes:
            ZwQueryInformationThread

    47. 2005-03-08
        Corrected:
          SYSTEM_PROCESSES_INFORMATION
          TOKEN_OBJECT
          KeInsertQueueApc

    46. 2004-06-08
        Added:
          Data types:
            TOKEN_OBJECT

    45. 2004-06-06
        Corrected:
          SERVICE_DESCRIPTOR_TABLE
        Added:
          Defines:
            TOKEN_SESSION_NOT_REFERENCED
            TOKEN_SANDBOX_INERT
            TOKEN_HAS_IMPERSONATE_PRIVILEGE
          Function prototypes:
            FsRtlDissectName
            RtlOemStringToCountedUnicodeSize
            RtlOemStringToUnicodeSize
            RtlOemStringToUnicodeString
            RtlUnicodeStringToOemSize
            RtlUnicodeStringToOemString
            RtlxOemStringToUnicodeSize
            RtlxUnicodeStringToOemSize

    44. 2003-05-06
        Added:
          Function prototypes:
            InbvAcquireDisplayOwnership
            InbvCheckDisplayOwnership
            InbvDisplayString
            InbvEnableBootDriver
            InbvEnableDisplayString
            InbvInstallDisplayStringFilter
            InbvIsBootDriverInstalled
            InbvNotifyDisplayOwnershipLost
            InbvResetDisplay
            InbvSetScrollRegion
            InbvSetTextColor
            InbvSolidColorFill

    43. 2003-04-07
        Added:
          Data types:
            MCB
          Function prototypes:
            FsRtlAddMcbEntry
            FsRtlInitializeMcb
            FsRtlLookupLastMcbEntry
            FsRtlLookupMcbEntry
            FsRtlNotifyFilterChangeDirectory
            FsRtlNotifyFilterReportChange
            FsRtlNumberOfRunsInMcb
            FsRtlRemoveMcbEntry
            FsRtlTruncateMcb
            FsRtlUninitializeMcb

    42. 2003-03-30
        Corrected:
          SYSTEM_CACHE_INFORMATION
          SYSTEM_INFORMATION_CLASS
        Added:
          Data types:
            SYSTEM_XXX_INFORMATION
            THREAD_STATE

    41. 2003-01-03
        Corrected:
          CcMapData
          PsDereferenceImpersonationToken
          PsDereferencePrimaryToken
          PsGetProcessExitTime
          PsReferencePrimaryToken
        Added:
          Defines:
            MAP_XXX
          Function prototypes:
            CcMdlWriteAbort
            PsAssignImpersonationToken
            PsChargeProcessNonPagedPoolQuota
            PsChargeProcessPagedPoolQuota
            PsChargeProcessPoolQuota
            PsDisableImpersonation
            PsImpersonateClient
            PsIsSystemThread
            PsRestoreImpersonation
            SeDeleteAccessState
            ZwOpenProcessTokenEx
            ZwOpenThreadTokenEx

    40. 2002-10-02
        Corrected:
          HANDLE_TABLE_ENTRY
        Added:
          Defines:
            FSRTL_FLAG_ADVANCED_HEADER
            FSRTL_FLAG2_SUPPORTS_FILTER_CONTEXTS
            FSRTL_FLAG2_PURGE_WHEN_MAPPED
          Data types:
            FILE_ID_BOTH_DIR_INFORMATION
            FILE_ID_FULL_DIR_INFORMATION

    39. 2002-08-04
        Added:
          Data types:
            LARGE_MCB
          Function prototypes:
            FsRtlAddLargeMcbEntry
            FsRtlGetNextLargeMcbEntry
            FsRtlInitializeLargeMcb
            FsRtlLookupLargeMcbEntry
            FsRtlLookupLastLargeMcbEntry
            FsRtlLookupLastLargeMcbEntryAndIndex
            FsRtlNumberOfRunsInLargeMcb
            FsRtlRemoveLargeMcbEntry
            FsRtlResetLargeMcb
            FsRtlSplitLargeMcb
            FsRtlTruncateLargeMcb
            FsRtlUninitializeLargeMcb

    38. 2002-06-30
        Added:
          Defines:
            FILE_READ_ONLY_VOLUME
          Function prototypes:
            FsRtlAllocateResource
            FsRtlIncrementCcFastReadNotPossible
            FsRtlIncrementCcFastReadNoWait
            FsRtlIncrementCcFastReadResourceMiss
            FsRtlIncrementCcFastReadWait
            KeIsAttachedProcess
            KeIsExecutingDpc
            KeRevertToUserAffinityThread
            KeUpdateSystemTime
            PsGetCurrentProcessSessionId
            PsGetCurrentThreadPreviousMode
            PsGetCurrentThreadStackBase
            PsGetCurrentThreadStackLimit
            RtlGetNtGlobalFlags

    37. 2002-05-18
        Uppdated for Windows XP:
          EPROCESS
          ETHREAD
          KPROCESS
          KTHREAD
          MMSUPPORT_FLAGS
          MMSUPPORT
          PRIVATE_CACHE_MAP_FLAGS
          PRIVATE_CACHE_MAP
          SHARED_CACHE_MAP
        Corrected:
          VACB
        Added:
          Data types:
            EPROCESS_QUOTA_ENTRY
            EPROCESS_QUOTA_BLOCK
            EX_FAST_REF
            EX_PUSH_LOCK
            EX_RUNDOWN_REF
            PAGEFAULT_HISTORY
            SE_AUDIT_PROCESS_CREATION_INFO
            SECTION_OBJECT
            TERMINATION_PORT

    36. 2002-05-14
        Corrected:
          FILE_FS_FULL_SIZE_INFORMATION

    35. 2002-03-23
        Added:
          Defines:
            COMPRESSION_XXX
          Data types:
            COMPRESSED_DATA_INFO
            OBJECT_HEADER
            VAD_HEADER
          Function prototypes:
            CcWaitForCurrentLazyWriterActivity
            FsRtlCheckOplock
            FsRtlCurrentBatchOplock
            FsRtlDeregisterUncProvider
            FsRtlInitializeOplock
            FsRtlOplockFsctrl
            FsRtlOplockIsFastIoPossible
            FsRtlRegisterUncProvider
            FsRtlUninitializeOplock
            RtlCompressBuffer
            RtlCompressChunks
            RtlDecompressBuffer
            RtlDecompressChunks
            RtlDecompressFragment
            RtlDescribeChunk
            RtlGetCompressionWorkSpaceSize
            RtlReserveChunk

    34. 2002-02-14
        Corrected:
          HARDWARE_PTE
          Changed the use of _WIN32_WINNT to VER_PRODUCTBUILD since _WIN32_WINNT
          is incorrectly defined in the Windows 2000 build environment included
          in the Windows XP DDK.

    33. 2002-01-20
        Added:
          Function prototypes:
            PsDereferenceImpersonationToken
            PsDereferencePrimaryToken

    32. 2002-01-18
        Corrected:
          ObReferenceObjectByName
          FILE_FS_OBJECT_ID_INFORMATION
          FILE_OBJECTID_INFORMATION
        Added:
          Externals:
            IoDriverObjectType
            SeExports
          Defines:
            FILE_ACTION_XXX
            FSCTL_XXX
            IO_FILE_OBJECT_XXX
            IRP_BEING_VERIFIED
            TOKEN_XXX
          Data types:
            DEVICE_MAP
            FILE_TRACKING_INFORMATION
            SE_EXPORTS
          Function prototypes:
            SeEnableAccessToExports

    31. 2001-12-23
        Corrected:
          QueryQuota in EXTENDED_IO_STACK_LOCATION
          FILE_LOCK
          CcPinMappedData
          CcPinRead
          CcPreparePinWrite
          FsRtlFastUnlockAll
          FsRtlFastUnlockAllByKey
          FsRtlFastUnlockSingle
          FsRtlInitializeFileLock
          FsRtlPrivateLock
          FsRtlProcessFileLock
          MmForceSectionClosed
          MmIsRecursiveIoFault
          SeImpersonateClient
          SeImpersonateClientEx
        Added:
          Defines:
            More FSRTL_FLAG_XXX
            PIN_XXX
            VACB_XXX
          Data types:
            REPARSE_DATA_BUFFER
          Function prototypes:
            CcCopyWriteWontFlush
            CcGetFileSizePointer
            CcGetFlushedValidData
            CcIsFileCached
            CcRemapBcb
            ExDisableResourceBoostLite
            ExQueryPoolBlockSize
            FsRtlAllocateFileLock
            FsRtlAreThereCurrentFileLocks
            FsRtlFastLock
            FsRtlFreeFileLock
            IoCheckDesiredAccess
            IoCheckEaBufferValidity
            IoCheckFunctionAccess
            IoCheckQuotaBufferValidity
            IoCreateStreamFileObjectLite
            IoFastQueryNetworkAttributes
            IoGetRequestorProcessId
            IoIsFileOpenedExclusively
            IoIsSystemThread
            IoIsValidNameGraftingBuffer
            IoSynchronousPageWrite
            IoThreadToProcess
            KeInitializeQueue
            KeInsertHeadQueue
            KeInsertQueue
            KeReadStateQueue
            KeRemoveQueue
            KeRundownQueue
            MmSetAddressRangeModified
            ObGetObjectPointerCount
            ObMakeTemporaryObject
            ObQueryObjectAuditingByHandle
            PsChargePoolQuota
            PsReturnPoolQuota
            SeAppendPrivileges
            SeAuditingFileEvents
            SeAuditingFileOrGlobalEvents
            SeCreateClientSecurity
            SeCreateClientSecurityFromSubjectContext
            SeDeleteClientSecurity
            SeDeleteObjectAuditAlarm
            SeFreePrivileges
            SeLockSubjectContext
            SeOpenObjectAuditAlarm
            SeOpenObjectForDeleteAuditAlarm
            SePrivilegeCheck
            SeQueryAuthenticationIdToken
            SeQuerySecurityDescriptorInfo
            SeQuerySessionIdToken
            SeSetAccessStateGenericMapping
            SeSetSecurityDescriptorInfo
            SeSetSecurityDescriptorInfoEx
            SeTokenIsAdmin
            SeTokenIsRestricted
            SeTokenType
            SeUnlockSubjectContext

    30. 2001-10-24
        Corrected:
          KINTERRUPT
          OBJECT_TYPE
        Added:
          Defines:
            More FSCTL_XXX
          Data types:
            BITMAP_RANGE
            CreateMailslot in EXTENDED_IO_STACK_LOCATION
            CreatePipe in EXTENDED_IO_STACK_LOCATION
            QueryQuota in EXTENDED_IO_STACK_LOCATION
            MAILSLOT_CREATE_PARAMETERS
            MBCB
            NAMED_PIPE_CREATE_PARAMETERS
            PRIVATE_CACHE_MAP_FLAGS
            PRIVATE_CACHE_MAP
            SECURITY_CLIENT_CONTEXT
            SHARED_CACHE_MAP
            VACB
          Function prototypes:
            HalQueryRealTimeClock
            HalSetRealTimeClock
            PsGetProcessExitTime
            PsIsThreadTerminating
            PsLookupProcessThreadByCid
            PsLookupThreadByThreadId
            SeQueryAuthenticationIdToken
          Externals:
            KeServiceDescriptorTable
            SePublicDefaultDacl
            SeSystemDefaultDacl

    29. 2001-10-06
        Added:
          Defines:
            FSRTL_VOLUME_XXX
          Function prototypes:
            FsRtlNotifyChangeDirectory
            FsRtlNotifyReportChange
            FsRtlNotifyVolumeEvent

    28. 2001-09-16
        Added:
          Function prototypes:
            FsRtlNotifyInitializeSync
            FsRtlNotifyUninitializeSync
            SeImpersonateClientEx
            SeReleaseSubjectContext

    27. 2001-08-25
        Corrected:
          KPROCESS
          FILE_LOCK_ANCHOR
          FsRtlNormalizeNtstatus
          RtlSecondsSince1970ToTime
          RtlTimeToSecondsSince1970
          SeQueryInformationToken
        Added:
          Defines:
            FS_LFN_APIS
          Data types:
            FILE_LOCK_ENTRY
            FILE_SHARED_LOCK_ENTRY
            FILE_EXCLUSIVE_LOCK_ENTRY
          Function prototypes:
            FsRtlCheckLockForReadAccess
            FsRtlCheckLockForWriteAccess
            FsRtlFastUnlockAll
            FsRtlFastUnlockAllByKey
            FsRtlFastUnlockSingle
            FsRtlGetFileSize
            FsRtlGetNextFileLock
            FsRtlInitializeFileLock
            FsRtlPrivateLock
            FsRtlProcessFileLock
            FsRtlUninitializeFileLock
            IoUnregisterFsRegistrationChange
            PsLookupProcessByProcessId
            SeQuerySubjectContextToken

    26. 2001-04-28
        Added:
          Defines:
            FSCTL_XXX
          Data types:
            RTL_SPLAY_LINKS
            TUNNEL
          Function prototypes:
            FsRtlAddToTunnelCache
            FsRtlDeleteKeyFromTunnelCache
            FsRtlDeleteTunnelCache
            FsRtlFindInTunnelCache
            FsRtlInitializeTunnelCache
            IoSetDeviceToVerify
            KeInitializeApc
            KeInsertQueueApc
            SeQueryInformationToken

    25. 2001-04-05
        Corrected:
          RtlImageNtHeader
          LPC_XXX
          OBJECT_BASIC_INFO
        Added:
          Defines:
            SID_REVISION
          Data types:
            DIRECTORY_BASIC_INFORMATION
            KINTERRUPT
            OBJECT_HANDLE_ATTRIBUTE_INFO
            PROCESS_PRIORITY_CLASS
            SECTION_BASIC_INFORMATION
            SECTION_IMAGE_INFORMATION
            SECTION_INFORMATION_CLASS
          Function prototypes:
            RtlSecondsSince1970ToTime
            RtlTimeToSecondsSince1970
            ZwAdjustPrivilegesToken
            ZwAlertThread
            ZwAccessCheckAndAuditAlarm
            ZwClearEvent
            ZwCloseObjectAuditAlarm
            ZwCreateSection
            ZwCreateSymbolicLinkObject
            ZwDuplicateToken
            ZwFlushInstructionCache
            ZwFlushVirtualMemory
            ZwInitiatePowerAction
            ZwLoadKey
            ZwNotifyChangeKey
            ZwOpenThread
            ZwPowerInformation
            ZwPulseEvent
            ZwQueryDefaultLocale
            ZwQueryDefaultUILanguage
            ZwQueryInformationProcess
            ZwQueryInstallUILanguage
            ZwQuerySection
            ZwReplaceKey
            ZwResetEvent
            ZwRestoreKey
            ZwSaveKey
            ZwSetDefaultLocale
            ZwSetDefaultUILanguage
            ZwSetEvent
            ZwSetInformationObject
            ZwSetInformationProcess
            ZwSetSecurityObject
            ZwSetSystemTime
            ZwTerminateProcess
            ZwUnloadKey
            ZwWaitForSingleObject
            ZwWaitForMultipleObjects
            ZwYieldExecution
        Removed functions that is not exported in kernel mode:
          CcZeroEndOfLastPage
          RtlAllocateAndInitializeSid
          ZwAcceptConnectPort
          ZwCompleteConnectPort
          ZwCreatePort
          ZwCreateProcess
          ZwCreateThread
          ZwFlushBuffersFile
          ZwGetContextThread
          ZwImpersonateClientOfPort
          ZwListenPort
          ZwLockFile
          ZwNotifyChangeDirectoryFile
          ZwQueryInformationPort
          ZwReadRequestData
          ZwReplyPort
          ZwReplyWaitReceivePort
          ZwReplyWaitReplyPort
          ZwRequestPort
          ZwUnlockFile
          ZwWriteRequestData

    24. 2001-03-08
        Corrected:
          EPROCESS
          ETHREAD
          FAST_IO_POSSIBLE
          QueryEa in EXTENDED_IO_STACK_LOCATION
        Added:
          Defines:
            Some more flags for FileSystemAttributes
          Data types:
            EXCEPTION_REGISTRATION_RECORD
            FILE_FS_FULL_SIZE_INFORMATION
            FILE_FS_OBJECT_ID_INFORMATION
            HANDLE_TABLE_ENTRY
            IO_CLIENT_EXTENSION
            PS_IMPERSONATION_INFORMATION
            SetEa and SetQuota in EXTENDED_IO_STACK_LOCATION
          Function prototypes:
            IoPageRead
            KeStackAttachProcess
            KeUnstackDetachProcess
            MmMapViewOfSection
            RtlSelfRelativeToAbsoluteSD
            SeCreateAccessState

    23. 2001-01-29
        Corrected:
          FSCTL_GET_VOLUME_INFORMATION
          FSCTL_READ_MFT_RECORD
          HARDWARE_PTE
          EPROCESS
          ETHREAD
          KAPC_STATE
          KPROCESS
          KTHREAD
          MMSUPPORT
        Added:
          Data types:
            KGDTENTRY
            KIDTENTRY
            MMSUPPORT_FLAGS

    22. 2000-12-23
        Corrected:
          EPROCESS
          KPROCESS
        Added:
          Data types:
            HARDWARE_PTE
            MMSUPPORT

    21. 2000-12-12
        Added:
          Defines:
            IO_TYPE_XXX
            OB_TYPE_XXX
            THREAD_STATE_XXX
          Data types:
            EPROCESS
            ETHREAD
            KAPC_STATE
            KEVENT_PAIR
            KPROCESS
            KTHREAD
            KQUEUE
            SERVICE_DESCRIPTOR_TABLE
            TEB

    20. 2000-12-03
        Added:
          Data types:
            OBJECT_TYPE
          Function prototypes:
            ObCreateObject
            ObInsertObject
            ObReferenceObjectByName

    19. 2000-11-25
        Removed a name from credits since the person want to be anonymous.

    18. 2000-10-13
        Corrected:
          PsReferenceImpersonationToken
        Added:
          Defines:
            FILE_PIPE_XXX
            LPC_XXX
            MAILSLOT_XXX
            PORT_XXX
            FSCTL_GET_VOLUME_INFORMATION
            FSCTL_READ_MFT_RECORD
            FSCTL_MAILSLOT_PEEK
            FSCTL_PIPE_XXX
          Data types:
            PORT_INFORMATION_CLASS
            BITMAP_DESCRIPTOR
            FILE_MAILSLOT_XXX
            FILE_PIPE_XXX
            MAPPING_PAIR
            GET_RETRIEVAL_DESCRIPTOR
            LPC_XXX
            MOVEFILE_DESCRIPTOR
          Function prototypes:
            InitializeMessageHeader
            MmForceSectionClosed
            ZwAcceptConnectPort
            ZwCompleteConnectPort
            ZwConnectPort
            ZwCreateEvent
            ZwCreatePort
            ZwImpersonateClientOfPort
            ZwListenPort
            ZwQueryInformationPort
            ZwReadRequestData
            ZwReplyPort
            ZwReplyWaitReceivePort
            ZwReplyWaitReplyPort
            ZwRequestPort
            ZwRequestWaitReplyPort
            ZwWriteRequestData

    17. 2000-05-21
        Added:
          Function prototypes:
            PsRevertToSelf
            SeCreateClientSecurity
            SeImpersonateClient
            ZwDuplicateObject

    16. 2000-03-28
        Added:
          Defines:
            FILE_STORAGE_TYPE_XXX
            FILE_VC_XXX
            IO_CHECK_CREATE_PARAMETERS
            IO_ATTACH_DEVICE
            IO_ATTACH_DEVICE_API
            IO_COMPLETION_XXX
          Data types:
            IO_COMPLETION_INFORMATION_CLASS
            OBJECT_INFO_CLASS
            SYSTEM_INFORMATION_CLASS
            FILE_LOCK_ANCHOR
            IO_COMPLETION_BASIC_INFORMATION
            OBJECT_BASIC_INFO
            OBJECT_NAME_INFO
            OBJECT_PROTECTION_INFO
            OBJECT_TYPE_INFO
            OBJECT_ALL_TYPES_INFO
            SYSTEM_CACHE_INFORMATION
          Function prototypes:
            FsRtlAllocatePool
            FsRtlAllocatePoolWithQuota
            FsRtlAllocatePoolWithQuotaTag
            FsRtlAllocatePoolWithTag
            FsRtlAreNamesEqual
            FsRtlFastCheckLockForRead
            FsRtlFastCheckLockForWrite
            FsRtlMdlReadComplete
            FsRtlMdlWriteComplete
            FsRtlNormalizeNtstatus
            RtlAllocateHeap
            RtlCreateHeap
            RtlDestroyHeap
            RtlFreeHeap
            RtlImageNtHeader
            ZwQueryObject
            ZwQuerySystemInformation
            ZwSetSystemInformation

    15. 2000-03-15
        Corrected:
          Renamed IoQueryFileVolumeInformation to IoQueryVolumeInformation
        Comment on:
          CcZeroEndOfLastPage

    14. 2000-03-12
        Corrected:
          IoCreateFile
        Added:
          #if (_WIN32_WINNT < 0x0500)/#endif around stuff that is included in
          the Windows 2000 DDK but is missing in the Windows NT 4.0 DDK.
          ZwOpenEvent

    13. 2000-02-08
        Corrected:
          PsReferenceImpersonationToken
        Comment on:
          RtlAllocateAndInitializeSid

    12. 1999-10-18
        Corrected:
          FILE_COMPRESSION_INFORMATION
        Added:
          Defines:
            ACCESS_ALLOWED_ACE_TYPE
            ACCESS_DENIED_ACE_TYPE
            SYSTEM_AUDIT_ACE_TYPE
            SYSTEM_ALARM_ACE_TYPE
            ANSI_DOS_STAR/QM/DOT
            DOS_STAR/QM/DOT
            FILE_EA_TYPE_XXX
            FILE_NEED_EA
            FILE_OPBATCH_BREAK_UNDERWAY
            SECURITY_WORLD_SID_AUTHORITY
            SECURITY_WORLD_RID
          Data types:
            POBJECT
            FILE_STORAGE_TYPE
            FILE_COMPLETION_INFORMATION
            FILE_COPY_ON_WRITE_INFORMATION
            FILE_FS_CONTROL_INFORMATION
            FILE_GET_EA_INFORMATION
            FILE_GET_QUOTA_INFORMATION
            FILE_OBJECTID_INFORMATION
            FILE_OLE_CLASSID_INFORMATION
            FILE_OLE_ALL_INFORMATION
            FILE_OLE_DIR_INFORMATION
            FILE_OLE_INFORMATION
            FILE_OLE_STATE_BITS_INFORMATION
            FILE_QUOTA_INFORMATION
          Function prototypes:
            HalDisplayString
            HalMakeBeep
            IoGetRequestorProcess
            ObQueryNameString
            ProbeForWrite
            RtlAbsoluteToSelfRelativeSD
            RtlGetDaclSecurityDescriptor
            RtlGetGroupSecurityDescriptor
            RtlGetOwnerSecurityDescriptor
            RtlInitializeSid
            RtlSetGroupSecurityDescriptor
            RtlSetOwnerSecurityDescriptor
            RtlSetSaclSecurityDescriptor
            ZwDeleteValueKey
            ZwDisplayString
            ZwQueryDirectoryObject

    11. 1999-10-13
        Corrected:
          ZwOpenProcessToken
          ZwOpenThreadToken
        Added:
          Function prototypes:
            RtlAllocateAndInitializeSid
            RtlCopySid
            RtlEqualSid
            RtlFillMemoryUlong
            RtlIsNameLegalDOS8Dot3
            RtlLengthRequiredSid
            RtlLengthSid
            RtlNtStatusToDosError
            RtlSubAuthorityCountSid
            RtlSubAuthoritySid
            RtlValidSid

    10. 1999-07-15
        Corrected:
          RtlConvertSidToUnicodeString
        Added:
          Externals:
            FsRtlLegalAnsiCharacterArray
            NtBuildNumber
          Defines:
            FSRTL_WILD_CHARACTER
            FlagOn
            FsRtlIsUnicodeCharacterWild
          Structures:
            FILE_ACCESS_INFORMATION
            FILE_MODE_INFORMATION
            GENERATE_NAME_CONTEXT
          Function prototypes:
            FsRtlDoesNameContainWildCards
            FsRtlIsNameInExpression
            IoSetInformation
            RtlGenerate8dot3Name
            ZwQuerySecurityObject

    9. 1999-07-12
       Corrected:
         EXTENDED_IO_STACK_LOCATION
         QueryDirectory in EXTENDED_IO_STACK_LOCATION
         ZwCreateThread
       Added:
         Structures:
           INITIAL_TEB
         Function prototypes:
           ZwQuerySymbolicLinkObject

    8. 1999-06-07
       Corrected:
         ZwOpenProcessToken
         ZwOpenThreadToken
       Added:
         Defines:
           FILE_OPLOCK_BROKEN_TO_LEVEL_2
           FILE_OPLOCK_BROKEN_TO_NONE
           FILE_CASE_SENSITIVE_SEARCH
           FILE_CASE_PRESERVED_NAMES
           FILE_UNICODE_ON_DISK
           FILE_PERSISTENT_ACLS
           FILE_FILE_COMPRESSION
           FILE_VOLUME_IS_COMPRESSED
           FSRTL_FLAG_ACQUIRE_MAIN_RSRC_EX
           FSRTL_FLAG_ACQUIRE_MAIN_RSRC_SH
           IOCTL_REDIR_QUERY_PATH
         Structures:
           FILE_FS_LABEL_INFORMATION
           PATHNAME_BUFFER
         In IO_STACK_LOCATION:
           FileSystemControl
           LockControl
           SetVolume
         Function prototypes:
           FsRtlCopyRead
           FsRtlCopyWrite
           IoVerifyVolume

    7. 1999-06-05
       Added:
         defines for TOKEN_XXX
         SID_NAME_USE
         TOKEN_INFORMATION_CLASS
         TOKEN_TYPE
         FILE_FS_ATTRIBUTE_INFORMATION
         FILE_FS_SIZE_INFORMATION
         SID_IDENTIFIER_AUTHORITY
         SID
         SID_AND_ATTRIBUTES
         TOKEN_CONTROL
         TOKEN_DEFAULT_DACL
         TOKEN_GROUPS
         TOKEN_OWNER
         TOKEN_PRIMARY_GROUP
         TOKEN_PRIVILEGES
         TOKEN_SOURCE
         TOKEN_STATISTICS
         TOKEN_USER
         IoCreateFile
         IoGetAttachedDevice
         IoGetBaseFileSystemDeviceObject
         PsReferenceImpersonationToken
         PsReferencePrimaryToken
         RtlConvertSidToUnicodeString
         SeCaptureSubjectContext
         SeMarkLogonSessionForTerminationNotification
         SeRegisterLogonSessionTerminatedRoutine
         SeUnregisterLogonSessionTerminatedRoutine
         ZwOpenProcessToken
         ZwOpenThreadToken
         ZwQueryInformationToken

    6. 1999-05-10
       Corrected declarations of Zw functions.
       Added:
         ZwCancelIoFile
         ZwDeleteFile
         ZwFlushBuffersFile
         ZwFsControlFile
         ZwLockFile
         ZwNotifyChangeDirectoryFile
         ZwOpenFile
         ZwQueryEaFile
         ZwSetEaFile
         ZwSetVolumeInformationFile
         ZwUnlockFile

    5. 1999-05-09
       Added:
         defines for FILE_ACTION_XXX and FILE_NOTIFY_XXX
         FILE_FS_VOLUME_INFORMATION
         RETRIEVAL_POINTERS_BUFFER
         STARTING_VCN_INPUT_BUFFER
         FsRtlNotifyFullReportChange

    4. 1999-04-11
       Corrected:
         ZwCreateThread
       Added:
         define _GNU_NTIFS_

    3. 1999-03-30
       Added:
         defines for MAP_XXX, MEM_XXX and SEC_XXX
         FILE_BOTH_DIR_INFORMATION
         FILE_DIRECTORY_INFORMATION
         FILE_FULL_DIR_INFORMATION
         FILE_NAMES_INFORMATION
         FILE_NOTIFY_INFORMATION
         FsRtlNotifyCleanup
         KeAttachProcess
         KeDetachProcess
         MmCreateSection
         ZwCreateProcess
         ZwCreateThread
         ZwDeviceIoControlFile
         ZwGetContextThread
         ZwLoadDriver
         ZwOpenDirectoryObject
         ZwOpenProcess
         ZwOpenSymbolicLinkObject
         ZwQueryDirectoryFile
         ZwUnloadDriver

    2. 1999-03-15
       Added:
         FILE_COMPRESSION_INFORMATION
         FILE_STREAM_INFORMATION
         FILE_LINK_INFORMATION
         FILE_RENAME_INFORMATION
         EXTENDED_IO_STACK_LOCATION
         IoQueryFileInformation
         IoQueryFileVolumeInformation
         ZwQueryVolumeInformationFile
       Moved include of ntddk.h to inside extern "C" block.

    1. 1999-03-11
       Initial release.
*/

#ifndef _NTIFS_
#define _NTIFS_
#define _GNU_NTIFS_

#ifdef __cplusplus
extern "C" {
#endif


#include <ntddk.h>
#include <ntverp.h>

typedef struct _SERVICE_DESCRIPTOR_TABLE    *PSERVICE_DESCRIPTOR_TABLE;
typedef struct _SE_EXPORTS                  *PSE_EXPORTS;

extern PUCHAR                       *FsRtlLegalAnsiCharacterArray;
extern POBJECT_TYPE                 *IoDriverObjectType;
extern PSERVICE_DESCRIPTOR_TABLE    KeServiceDescriptorTable;
extern PSHORT                       NtBuildNumber;
extern PSE_EXPORTS                  SeExports;
extern PACL                         SePublicDefaultDacl;
extern PACL                         SeSystemDefaultDacl;

#define ACCESS_ALLOWED_ACE_TYPE         (0x0)
#define ACCESS_DENIED_ACE_TYPE          (0x1)
#define SYSTEM_AUDIT_ACE_TYPE           (0x2)
#define SYSTEM_ALARM_ACE_TYPE           (0x3)

#define ANSI_DOS_STAR                   ('<')
#define ANSI_DOS_QM                     ('>')
#define ANSI_DOS_DOT                    ('"')

#define DOS_STAR                        (L'<')
#define DOS_QM                          (L'>')
#define DOS_DOT                         (L'"')

#define COMPRESSION_FORMAT_NONE         (0x0000)
#define COMPRESSION_FORMAT_DEFAULT      (0x0001)
#define COMPRESSION_FORMAT_LZNT1        (0x0002)
#define COMPRESSION_ENGINE_STANDARD     (0x0000)
#define COMPRESSION_ENGINE_MAXIMUM      (0x0100)
#define COMPRESSION_ENGINE_HIBER        (0x0200)

#define FILE_ACTION_ADDED                   0x00000001
#define FILE_ACTION_REMOVED                 0x00000002
#define FILE_ACTION_MODIFIED                0x00000003
#define FILE_ACTION_RENAMED_OLD_NAME        0x00000004
#define FILE_ACTION_RENAMED_NEW_NAME        0x00000005
#define FILE_ACTION_ADDED_STREAM            0x00000006
#define FILE_ACTION_REMOVED_STREAM          0x00000007
#define FILE_ACTION_MODIFIED_STREAM         0x00000008
#define FILE_ACTION_REMOVED_BY_DELETE       0x00000009
#define FILE_ACTION_ID_NOT_TUNNELLED        0x0000000A
#define FILE_ACTION_TUNNELLED_ID_COLLISION  0x0000000B

#define FILE_EA_TYPE_BINARY             0xfffe
#define FILE_EA_TYPE_ASCII              0xfffd
#define FILE_EA_TYPE_BITMAP             0xfffb
#define FILE_EA_TYPE_METAFILE           0xfffa
#define FILE_EA_TYPE_ICON               0xfff9
#define FILE_EA_TYPE_EA                 0xffee
#define FILE_EA_TYPE_MVMT               0xffdf
#define FILE_EA_TYPE_MVST               0xffde
#define FILE_EA_TYPE_ASN1               0xffdd
#define FILE_EA_TYPE_FAMILY_IDS         0xff01

#define FILE_NEED_EA                    0x00000080

#define FILE_NOTIFY_CHANGE_FILE_NAME    0x00000001
#define FILE_NOTIFY_CHANGE_DIR_NAME     0x00000002
#define FILE_NOTIFY_CHANGE_NAME         0x00000003
#define FILE_NOTIFY_CHANGE_ATTRIBUTES   0x00000004
#define FILE_NOTIFY_CHANGE_SIZE         0x00000008
#define FILE_NOTIFY_CHANGE_LAST_WRITE   0x00000010
#define FILE_NOTIFY_CHANGE_LAST_ACCESS  0x00000020
#define FILE_NOTIFY_CHANGE_CREATION     0x00000040
#define FILE_NOTIFY_CHANGE_EA           0x00000080
#define FILE_NOTIFY_CHANGE_SECURITY     0x00000100
#define FILE_NOTIFY_CHANGE_STREAM_NAME  0x00000200
#define FILE_NOTIFY_CHANGE_STREAM_SIZE  0x00000400
#define FILE_NOTIFY_CHANGE_STREAM_WRITE 0x00000800
#define FILE_NOTIFY_VALID_MASK          0x00000fff

#define FILE_OPLOCK_BROKEN_TO_LEVEL_2   0x00000007
#define FILE_OPLOCK_BROKEN_TO_NONE      0x00000008

#define FILE_OPBATCH_BREAK_UNDERWAY     0x00000009

#define FILE_CASE_SENSITIVE_SEARCH      0x00000001
#define FILE_CASE_PRESERVED_NAMES       0x00000002
#define FILE_UNICODE_ON_DISK            0x00000004
#define FILE_PERSISTENT_ACLS            0x00000008
#define FILE_FILE_COMPRESSION           0x00000010
#define FILE_VOLUME_QUOTAS              0x00000020
#define FILE_SUPPORTS_SPARSE_FILES      0x00000040
#define FILE_SUPPORTS_REPARSE_POINTS    0x00000080
#define FILE_SUPPORTS_REMOTE_STORAGE    0x00000100
#define FS_LFN_APIS                     0x00004000
#define FILE_VOLUME_IS_COMPRESSED       0x00008000
#define FILE_SUPPORTS_OBJECT_IDS        0x00010000
#define FILE_SUPPORTS_ENCRYPTION        0x00020000
#define FILE_NAMED_STREAMS              0x00040000
#define FILE_READ_ONLY_VOLUME           0x00080000

#define FILE_PIPE_BYTE_STREAM_TYPE      0x00000000
#define FILE_PIPE_MESSAGE_TYPE          0x00000001

#define FILE_PIPE_BYTE_STREAM_MODE      0x00000000
#define FILE_PIPE_MESSAGE_MODE          0x00000001

#define FILE_PIPE_QUEUE_OPERATION       0x00000000
#define FILE_PIPE_COMPLETE_OPERATION    0x00000001

#define FILE_PIPE_INBOUND               0x00000000
#define FILE_PIPE_OUTBOUND              0x00000001
#define FILE_PIPE_FULL_DUPLEX           0x00000002

#define FILE_PIPE_DISCONNECTED_STATE    0x00000001
#define FILE_PIPE_LISTENING_STATE       0x00000002
#define FILE_PIPE_CONNECTED_STATE       0x00000003
#define FILE_PIPE_CLOSING_STATE         0x00000004

#define FILE_PIPE_CLIENT_END            0x00000000
#define FILE_PIPE_SERVER_END            0x00000001

#define FILE_PIPE_READ_DATA             0x00000000
#define FILE_PIPE_WRITE_SPACE           0x00000001

#define FILE_STORAGE_TYPE_SPECIFIED             0x00000041  // FILE_DIRECTORY_FILE | FILE_NON_DIRECTORY_FILE
#define FILE_STORAGE_TYPE_DEFAULT               (StorageTypeDefault << FILE_STORAGE_TYPE_SHIFT)
#define FILE_STORAGE_TYPE_DIRECTORY             (StorageTypeDirectory << FILE_STORAGE_TYPE_SHIFT)
#define FILE_STORAGE_TYPE_FILE                  (StorageTypeFile << FILE_STORAGE_TYPE_SHIFT)
#define FILE_STORAGE_TYPE_DOCFILE               (StorageTypeDocfile << FILE_STORAGE_TYPE_SHIFT)
#define FILE_STORAGE_TYPE_JUNCTION_POINT        (StorageTypeJunctionPoint << FILE_STORAGE_TYPE_SHIFT)
#define FILE_STORAGE_TYPE_CATALOG               (StorageTypeCatalog << FILE_STORAGE_TYPE_SHIFT)
#define FILE_STORAGE_TYPE_STRUCTURED_STORAGE    (StorageTypeStructuredStorage << FILE_STORAGE_TYPE_SHIFT)
#define FILE_STORAGE_TYPE_EMBEDDING             (StorageTypeEmbedding << FILE_STORAGE_TYPE_SHIFT)
#define FILE_STORAGE_TYPE_STREAM                (StorageTypeStream << FILE_STORAGE_TYPE_SHIFT)
#define FILE_MINIMUM_STORAGE_TYPE               FILE_STORAGE_TYPE_DEFAULT
#define FILE_MAXIMUM_STORAGE_TYPE               FILE_STORAGE_TYPE_STREAM
#define FILE_STORAGE_TYPE_MASK                  0x000f0000
#define FILE_STORAGE_TYPE_SHIFT                 16

#define FILE_VC_QUOTA_NONE              0x00000000
#define FILE_VC_QUOTA_TRACK             0x00000001
#define FILE_VC_QUOTA_ENFORCE           0x00000002
#define FILE_VC_QUOTA_MASK              0x00000003

#define FILE_VC_QUOTAS_LOG_VIOLATIONS   0x00000004
#define FILE_VC_CONTENT_INDEX_DISABLED  0x00000008

#define FILE_VC_LOG_QUOTA_THRESHOLD     0x00000010
#define FILE_VC_LOG_QUOTA_LIMIT         0x00000020
#define FILE_VC_LOG_VOLUME_THRESHOLD    0x00000040
#define FILE_VC_LOG_VOLUME_LIMIT        0x00000080

#define FILE_VC_QUOTAS_INCOMPLETE       0x00000100
#define FILE_VC_QUOTAS_REBUILDING       0x00000200

#define FILE_VC_VALID_MASK              0x000003ff

#define FSRTL_FLAG_FILE_MODIFIED        (0x01)
#define FSRTL_FLAG_FILE_LENGTH_CHANGED  (0x02)
#define FSRTL_FLAG_LIMIT_MODIFIED_PAGES (0x04)
#define FSRTL_FLAG_ACQUIRE_MAIN_RSRC_EX (0x08)
#define FSRTL_FLAG_ACQUIRE_MAIN_RSRC_SH (0x10)
#define FSRTL_FLAG_USER_MAPPED_FILE     (0x20)
#define FSRTL_FLAG_ADVANCED_HEADER      (0x40)
#define FSRTL_FLAG_EOF_ADVANCE_ACTIVE   (0x80)

#define FSRTL_FLAG2_DO_MODIFIED_WRITE           (0x01)
#define FSRTL_FLAG2_SUPPORTS_FILTER_CONTEXTS    (0x02)
#define FSRTL_FLAG2_PURGE_WHEN_MAPPED           (0x04)

#define FSRTL_FSP_TOP_LEVEL_IRP         (0x01)
#define FSRTL_CACHE_TOP_LEVEL_IRP       (0x02)
#define FSRTL_MOD_WRITE_TOP_LEVEL_IRP   (0x03)
#define FSRTL_FAST_IO_TOP_LEVEL_IRP     (0x04)
#define FSRTL_MAX_TOP_LEVEL_IRP_FLAG    (0x04)

#define FSRTL_VOLUME_DISMOUNT           1
#define FSRTL_VOLUME_DISMOUNT_FAILED    2
#define FSRTL_VOLUME_LOCK               3
#define FSRTL_VOLUME_LOCK_FAILED        4
#define FSRTL_VOLUME_UNLOCK             5
#define FSRTL_VOLUME_MOUNT              6

#define FSRTL_WILD_CHARACTER            0x08

#ifdef _X86_
#define HARDWARE_PTE    HARDWARE_PTE_X86
#define PHARDWARE_PTE   PHARDWARE_PTE_X86
#else

#define HARDWARE_PTE    ULONG
#define PHARDWARE_PTE   PULONG
#endif


#define IO_CHECK_CREATE_PARAMETERS      0x0200
#define IO_ATTACH_DEVICE                0x0400

#define IO_ATTACH_DEVICE_API            0x80000000

#define IO_COMPLETION_QUERY_STATE       0x0001
#define IO_COMPLETION_MODIFY_STATE      0x0002
#define IO_COMPLETION_ALL_ACCESS        (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3)

#define IO_FILE_OBJECT_NON_PAGED_POOL_CHARGE    64
#define IO_FILE_OBJECT_PAGED_POOL_CHARGE        1024

#define IO_TYPE_APC                     18
#define IO_TYPE_DPC                     19
#define IO_TYPE_DEVICE_QUEUE            20
#define IO_TYPE_EVENT_PAIR              21
#define IO_TYPE_INTERRUPT               22
#define IO_TYPE_PROFILE                 23

#define IRP_BEING_VERIFIED              0x10

#define MAILSLOT_CLASS_FIRSTCLASS       1
#define MAILSLOT_CLASS_SECONDCLASS      2

#define MAILSLOT_SIZE_AUTO              0

#define MAP_PROCESS                     1L
#define MAP_SYSTEM                      2L

#define MEM_DOS_LIM                     0x40000000
#define MEM_IMAGE                       SEC_IMAGE

#define OB_FLAG_CREATE_INFO     0x01 /* Object header has OBJECT_CREATE_INFO */
#define OB_FLAG_KERNEL_MODE     0x02 /* Created by kernel */
#define OB_FLAG_CREATOR_INFO    0x04 /* Object header has OBJECT_CREATOR_INFO */
#define OB_FLAG_EXCLUSIVE       0x08 /* OBJ_EXCLUSIVE */
#define OB_FLAG_PERMAMENT       0x10 /* OBJ_PERMAMENT */
#define OB_FLAG_SECURITY        0x20 /* Object header has SecurityDescriptor != NULL */
#define OB_FLAG_SINGLE_PROCESS  0x40 /* absent HandleDBList */

#define OB_SECURITY_CHARGE      0x00000800

#define OB_TYPE_TYPE                    1
#define OB_TYPE_DIRECTORY               2
#define OB_TYPE_SYMBOLIC_LINK           3
#define OB_TYPE_TOKEN                   4
#define OB_TYPE_PROCESS                 5
#define OB_TYPE_THREAD                  6
#define OB_TYPE_EVENT                   7
#define OB_TYPE_EVENT_PAIR              8
#define OB_TYPE_MUTANT                  9
#define OB_TYPE_SEMAPHORE               10
#define OB_TYPE_TIMER                   11
#define OB_TYPE_PROFILE                 12
#define OB_TYPE_WINDOW_STATION          13
#define OB_TYPE_DESKTOP                 14
#define OB_TYPE_SECTION                 15
#define OB_TYPE_KEY                     16
#define OB_TYPE_PORT                    17
#define OB_TYPE_ADAPTER                 18
#define OB_TYPE_CONTROLLER              19
#define OB_TYPE_DEVICE                  20
#define OB_TYPE_DRIVER                  21
#define OB_TYPE_IO_COMPLETION           22
#define OB_TYPE_FILE                    23

#define PIN_WAIT                        (1)
#define PIN_EXCLUSIVE                   (2)
#define PIN_NO_READ                     (4)
#define PIN_IF_BCB                      (8)

#define MAP_WAIT                        (1)
#define MAP_NO_READ                     (16)


#define PORT_CONNECT                    0x0001
#define PORT_ALL_ACCESS                 (STANDARD_RIGHTS_ALL |\
                                         PORT_CONNECT)

#define SEC_BASED                       0x00200000
#define SEC_NO_CHANGE                   0x00400000
#define SEC_FILE                        0x00800000
#define SEC_IMAGE                       0x01000000
#define SEC_COMMIT                      0x08000000
#define SEC_NOCACHE                     0x10000000

#define SECURITY_WORLD_SID_AUTHORITY    {0,0,0,0,0,1}
#define SECURITY_WORLD_RID              (0x00000000L)

#define SID_REVISION                    1

#define THREAD_STATE_INITIALIZED        0
#define THREAD_STATE_READY              1
#define THREAD_STATE_RUNNING            2
#define THREAD_STATE_STANDBY            3
#define THREAD_STATE_TERMINATED         4
#define THREAD_STATE_WAIT               5
#define THREAD_STATE_TRANSITION         6
#define THREAD_STATE_UNKNOWN            7

#define TOKEN_ASSIGN_PRIMARY            (0x0001)
#define TOKEN_DUPLICATE                 (0x0002)
#define TOKEN_IMPERSONATE               (0x0004)
#define TOKEN_QUERY                     (0x0008)
#define TOKEN_QUERY_SOURCE              (0x0010)
#define TOKEN_ADJUST_PRIVILEGES         (0x0020)
#define TOKEN_ADJUST_GROUPS             (0x0040)
#define TOKEN_ADJUST_DEFAULT            (0x0080)

#define TOKEN_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |\
                          TOKEN_ASSIGN_PRIMARY     |\
                          TOKEN_DUPLICATE          |\
                          TOKEN_IMPERSONATE        |\
                          TOKEN_QUERY              |\
                          TOKEN_QUERY_SOURCE       |\
                          TOKEN_ADJUST_PRIVILEGES  |\
                          TOKEN_ADJUST_GROUPS      |\
                          TOKEN_ADJUST_DEFAULT)

#define TOKEN_READ       (STANDARD_RIGHTS_READ     |\
                          TOKEN_QUERY)

#define TOKEN_WRITE      (STANDARD_RIGHTS_WRITE    |\
                          TOKEN_ADJUST_PRIVILEGES  |\
                          TOKEN_ADJUST_GROUPS      |\
                          TOKEN_ADJUST_DEFAULT)

#define TOKEN_EXECUTE    (STANDARD_RIGHTS_EXECUTE)

#define TOKEN_SOURCE_LENGTH 8

#define TOKEN_HAS_TRAVERSE_PRIVILEGE    0x01
#define TOKEN_HAS_BACKUP_PRIVILEGE      0x02
#define TOKEN_HAS_RESTORE_PRIVILEGE     0x04
#define TOKEN_HAS_ADMIN_GROUP           0x08
#define TOKEN_IS_RESTRICTED             0x10
#define TOKEN_SESSION_NOT_REFERENCED    0x20
#define TOKEN_SANDBOX_INERT             0x40
#define TOKEN_HAS_IMPERSONATE_PRIVILEGE 0x80

#define VACB_MAPPING_GRANULARITY        (0x40000)
#define VACB_OFFSET_SHIFT               (18)

#define FSCTL_REQUEST_OPLOCK_LEVEL_1    CTL_CODE(FILE_DEVICE_FILE_SYSTEM,  0, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_REQUEST_OPLOCK_LEVEL_2    CTL_CODE(FILE_DEVICE_FILE_SYSTEM,  1, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_REQUEST_BATCH_OPLOCK      CTL_CODE(FILE_DEVICE_FILE_SYSTEM,  2, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_OPLOCK_BREAK_ACKNOWLEDGE  CTL_CODE(FILE_DEVICE_FILE_SYSTEM,  3, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_OPBATCH_ACK_CLOSE_PENDING CTL_CODE(FILE_DEVICE_FILE_SYSTEM,  4, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_OPLOCK_BREAK_NOTIFY       CTL_CODE(FILE_DEVICE_FILE_SYSTEM,  5, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_LOCK_VOLUME               CTL_CODE(FILE_DEVICE_FILE_SYSTEM,  6, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_UNLOCK_VOLUME             CTL_CODE(FILE_DEVICE_FILE_SYSTEM,  7, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_DISMOUNT_VOLUME           CTL_CODE(FILE_DEVICE_FILE_SYSTEM,  8, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define FSCTL_IS_VOLUME_MOUNTED         CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 10, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_IS_PATHNAME_VALID         CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 11, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_MARK_VOLUME_DIRTY         CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 12, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define FSCTL_QUERY_RETRIEVAL_POINTERS  CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 14,  METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_GET_COMPRESSION           CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 15, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_SET_COMPRESSION           CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 16, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)


#define FSCTL_MARK_AS_SYSTEM_HIVE       CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 19,  METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_OPLOCK_BREAK_ACK_NO_2     CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 20, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_INVALIDATE_VOLUMES        CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 21, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_QUERY_FAT_BPB             CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 22, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_REQUEST_FILTER_OPLOCK     CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 23, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_FILESYSTEM_GET_STATISTICS CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 24, METHOD_BUFFERED, FILE_ANY_ACCESS)

#if (VER_PRODUCTBUILD >= 1381)

#define FSCTL_GET_NTFS_VOLUME_DATA      CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 25, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_GET_NTFS_FILE_RECORD      CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 26, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_GET_VOLUME_BITMAP         CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 27,  METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_GET_RETRIEVAL_POINTERS    CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 28,  METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_MOVE_FILE                 CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 29, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_IS_VOLUME_DIRTY           CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 30, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_GET_HFS_INFORMATION       CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 31, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_ALLOW_EXTENDED_DASD_IO    CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 32, METHOD_NEITHER,  FILE_ANY_ACCESS)

#endif // (VER_PRODUCTBUILD >= 1381)

#if (VER_PRODUCTBUILD >= 2195)

#define FSCTL_READ_PROPERTY_DATA        CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 33, METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_WRITE_PROPERTY_DATA       CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 34, METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_FIND_FILES_BY_SID         CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 35, METHOD_NEITHER, FILE_ANY_ACCESS)

#define FSCTL_DUMP_PROPERTY_DATA        CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 37,  METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_SET_OBJECT_ID             CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 38, METHOD_BUFFERED, FILE_WRITE_DATA)
#define FSCTL_GET_OBJECT_ID             CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 39, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_DELETE_OBJECT_ID          CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 40, METHOD_BUFFERED, FILE_WRITE_DATA)
#define FSCTL_SET_REPARSE_POINT         CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 41, METHOD_BUFFERED, FILE_WRITE_DATA)
#define FSCTL_GET_REPARSE_POINT         CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 42, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_DELETE_REPARSE_POINT      CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 43, METHOD_BUFFERED, FILE_WRITE_DATA)
#define FSCTL_ENUM_USN_DATA             CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 44,  METHOD_NEITHER, FILE_READ_DATA)
#define FSCTL_SECURITY_ID_CHECK         CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 45,  METHOD_NEITHER, FILE_READ_DATA)
#define FSCTL_READ_USN_JOURNAL          CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 46,  METHOD_NEITHER, FILE_READ_DATA)
#define FSCTL_SET_OBJECT_ID_EXTENDED    CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 47, METHOD_BUFFERED, FILE_WRITE_DATA)
#define FSCTL_CREATE_OR_GET_OBJECT_ID   CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 48, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_SET_SPARSE                CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 49, METHOD_BUFFERED, FILE_WRITE_DATA)
#define FSCTL_SET_ZERO_DATA             CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 50, METHOD_BUFFERED, FILE_WRITE_DATA)
#define FSCTL_QUERY_ALLOCATED_RANGES    CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 51,  METHOD_NEITHER, FILE_READ_DATA)
#define FSCTL_ENABLE_UPGRADE            CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 52, METHOD_BUFFERED, FILE_WRITE_DATA)
#define FSCTL_SET_ENCRYPTION            CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 53, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_ENCRYPTION_FSCTL_IO       CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 54,  METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_WRITE_RAW_ENCRYPTED       CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 55,  METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_READ_RAW_ENCRYPTED        CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 56,  METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_CREATE_USN_JOURNAL        CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 57,  METHOD_NEITHER, FILE_READ_DATA)
#define FSCTL_READ_FILE_USN_DATA        CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 58,  METHOD_NEITHER, FILE_READ_DATA)
#define FSCTL_WRITE_USN_CLOSE_RECORD    CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 59,  METHOD_NEITHER, FILE_READ_DATA)
#define FSCTL_EXTEND_VOLUME             CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 60, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_QUERY_USN_JOURNAL         CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 61, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_DELETE_USN_JOURNAL        CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 62, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_MARK_HANDLE               CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 63, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_SIS_COPYFILE              CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 64, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_SIS_LINK_FILES            CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 65, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)
#define FSCTL_HSM_MSG                   CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 66, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)
#define FSCTL_NSS_CONTROL               CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 67, METHOD_BUFFERED, FILE_WRITE_DATA)
#define FSCTL_HSM_DATA                  CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 68, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)
#define FSCTL_RECALL_FILE               CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 69, METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_NSS_RCONTROL              CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 70, METHOD_BUFFERED, FILE_READ_DATA)
#define FSCTL_READ_FROM_PLEX            CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 71, METHOD_OUT_DIRECT, FILE_READ_DATA)
#define FSCTL_FILE_PREFETCH             CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 72, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)

#endif // (VER_PRODUCTBUILD >= 2195)

#define FSCTL_MAILSLOT_PEEK             CTL_CODE(FILE_DEVICE_MAILSLOT, 0, METHOD_NEITHER, FILE_READ_DATA)

#define FSCTL_NETWORK_SET_CONFIGURATION_INFO    CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 102, METHOD_IN_DIRECT, FILE_ANY_ACCESS)
#define FSCTL_NETWORK_GET_CONFIGURATION_INFO    CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 103, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
#define FSCTL_NETWORK_GET_CONNECTION_INFO       CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 104, METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_NETWORK_ENUMERATE_CONNECTIONS     CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 105, METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_NETWORK_DELETE_CONNECTION         CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 107, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_NETWORK_GET_STATISTICS            CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 116, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_NETWORK_SET_DOMAIN_NAME           CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 120, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_NETWORK_REMOTE_BOOT_INIT_SCRT     CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 250, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define FSCTL_PIPE_ASSIGN_EVENT         CTL_CODE(FILE_DEVICE_NAMED_PIPE, 0, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_PIPE_DISCONNECT           CTL_CODE(FILE_DEVICE_NAMED_PIPE, 1, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_PIPE_LISTEN               CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_PIPE_PEEK                 CTL_CODE(FILE_DEVICE_NAMED_PIPE, 3, METHOD_BUFFERED, FILE_READ_DATA)
#define FSCTL_PIPE_QUERY_EVENT          CTL_CODE(FILE_DEVICE_NAMED_PIPE, 4, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_PIPE_TRANSCEIVE           CTL_CODE(FILE_DEVICE_NAMED_PIPE, 5, METHOD_NEITHER,  FILE_READ_DATA | FILE_WRITE_DATA)
#define FSCTL_PIPE_WAIT                 CTL_CODE(FILE_DEVICE_NAMED_PIPE, 6, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_PIPE_IMPERSONATE          CTL_CODE(FILE_DEVICE_NAMED_PIPE, 7, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_PIPE_SET_CLIENT_PROCESS   CTL_CODE(FILE_DEVICE_NAMED_PIPE, 8, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_PIPE_QUERY_CLIENT_PROCESS CTL_CODE(FILE_DEVICE_NAMED_PIPE, 9, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_PIPE_INTERNAL_READ        CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2045, METHOD_BUFFERED, FILE_READ_DATA)
#define FSCTL_PIPE_INTERNAL_WRITE       CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2046, METHOD_BUFFERED, FILE_WRITE_DATA)
#define FSCTL_PIPE_INTERNAL_TRANSCEIVE  CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2047, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)
#define FSCTL_PIPE_INTERNAL_READ_OVFLOW CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2048, METHOD_BUFFERED, FILE_READ_DATA)

#define IOCTL_REDIR_QUERY_PATH          CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 99, METHOD_NEITHER, FILE_ANY_ACCESS)

typedef PVOID PEJOB;
typedef PVOID PNOTIFY_SYNC;
typedef PVOID OPLOCK, *POPLOCK;
typedef PVOID PWOW64_PROCESS;

typedef ULONG LBN;
typedef LBN *PLBN;

typedef ULONG VBN;
typedef VBN *PVBN;

typedef struct _CACHE_MANAGER_CALLBACKS         *PCACHE_MANAGER_CALLBACKS;
typedef struct _EPROCESS_QUOTA_BLOCK            *PEPROCESS_QUOTA_BLOCK;
typedef struct _FILE_GET_QUOTA_INFORMATION      *PFILE_GET_QUOTA_INFORMATION;
typedef struct _HANDLE_TABLE                    *PHANDLE_TABLE;
typedef struct _KEVENT_PAIR                     *PKEVENT_PAIR;
typedef struct _KPROCESS                        *PKPROCESS;
typedef struct _KQUEUE                          *PKQUEUE;
typedef struct _KTRAP_FRAME                     *PKTRAP_FRAME;
typedef struct _LPC_MESSAGE                     *PLPC_MESSAGE;
typedef struct _MAILSLOT_CREATE_PARAMETERS      *PMAILSLOT_CREATE_PARAMETERS;
typedef struct _MMWSL                           *PMMWSL;
typedef struct _NAMED_PIPE_CREATE_PARAMETERS    *PNAMED_PIPE_CREATE_PARAMETERS;
typedef struct _OBJECT_DIRECTORY                *POBJECT_DIRECTORY;
typedef struct _PAGEFAULT_HISTORY               *PPAGEFAULT_HISTORY;
typedef struct _PEB                             *PPEB;
typedef struct _PS_IMPERSONATION_INFORMATION    *PPS_IMPERSONATION_INFORMATION;
typedef struct _SECTION_OBJECT                  *PSECTION_OBJECT;
typedef struct _SERVICE_DESCRIPTOR_TABLE        *PSERVICE_DESCRIPTOR_TABLE;
typedef struct _SHARED_CACHE_MAP                *PSHARED_CACHE_MAP;
typedef struct _TERMINATION_PORT                *PTERMINATION_PORT;
typedef struct _VACB                            *PVACB;
typedef struct _VAD_HEADER                      *PVAD_HEADER;

#if (VER_PRODUCTBUILD < 2195)
typedef ULONG SIZE_T, *PSIZE_T;
#endif


typedef enum _FAST_IO_POSSIBLE {
    FastIoIsNotPossible,
    FastIoIsPossible,
    FastIoIsQuestionable
} FAST_IO_POSSIBLE;

typedef enum _FILE_STORAGE_TYPE {
    StorageTypeDefault = 1,
    StorageTypeDirectory,
    StorageTypeFile,
    StorageTypeJunctionPoint,
    StorageTypeCatalog,
    StorageTypeStructuredStorage,
    StorageTypeEmbedding,
    StorageTypeStream
} FILE_STORAGE_TYPE;

typedef enum _IO_COMPLETION_INFORMATION_CLASS {
    IoCompletionBasicInformation
} IO_COMPLETION_INFORMATION_CLASS;

#if (VER_PRODUCTBUILD == 2195)

typedef enum _KSPIN_LOCK_QUEUE_NUMBER {
    LockQueueDispatcherLock,
    LockQueueContextSwapLock,
    LockQueuePfnLock,
    LockQueueSystemSpaceLock,
    LockQueueVacbLock,
    LockQueueMasterLock,
    LockQueueNonPagedPoolLock,
    LockQueueIoCancelLock,
    LockQueueWorkQueueLock,
    LockQueueIoVpbLock,
    LockQueueIoDatabaseLock,
    LockQueueIoCompletionLock,
    LockQueueNtfsStructLock,
    LockQueueAfdWorkQueueLock,
    LockQueueBcbLock,
    LockQueueMaximumLock
} KSPIN_LOCK_QUEUE_NUMBER;

#endif // (VER_PRODUCTBUILD == 2195)

typedef enum _LPC_TYPE {
    LPC_NEW_MESSAGE,
    LPC_REQUEST,
    LPC_REPLY,
    LPC_DATAGRAM,
    LPC_LOST_REPLY,
    LPC_PORT_CLOSED,
    LPC_CLIENT_DIED,
    LPC_EXCEPTION,
    LPC_DEBUG_EVENT,
    LPC_ERROR_EVENT,
    LPC_CONNECTION_REQUEST
} LPC_TYPE;

typedef enum _MMFLUSH_TYPE {
    MmFlushForDelete,
    MmFlushForWrite
} MMFLUSH_TYPE;

typedef enum _OBJECT_INFO_CLASS {
    ObjectBasicInfo,
    ObjectNameInfo,
    ObjectTypeInfo,
    ObjectAllTypesInfo,
    ObjectProtectionInfo
} OBJECT_INFO_CLASS;

typedef enum _PORT_INFORMATION_CLASS {
    PortNoInformation
} PORT_INFORMATION_CLASS;

typedef enum _SECTION_INFORMATION_CLASS {
    SectionBasicInformation,
    SectionImageInformation
} SECTION_INFORMATION_CLASS;

typedef enum _SID_NAME_USE {
    SidTypeUser = 1,
    SidTypeGroup,
    SidTypeDomain,
    SidTypeAlias,
    SidTypeWellKnownGroup,
    SidTypeDeletedAccount,
    SidTypeInvalid,
    SidTypeUnknown
} SID_NAME_USE;

typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation,
    SystemProcessorInformation,
    SystemPerformanceInformation,
    SystemTimeOfDayInformation,
    SystemNotImplemented1,
    SystemProcessesAndThreadsInformation,
    SystemCallCounts,
    SystemConfigurationInformation,
    SystemProcessorTimes,
    SystemGlobalFlag,
    SystemNotImplemented2,
    SystemModuleInformation,
    SystemLockInformation,
    SystemNotImplemented3,
    SystemNotImplemented4,
    SystemNotImplemented5,
    SystemHandleInformation,
    SystemObjectInformation,
    SystemPagefileInformation,
    SystemInstructionEmulationCounts,
    SystemInvalidInfoClass1,
    SystemCacheInformation,
    SystemPoolTagInformation,
    SystemProcessorStatistics,
    SystemDpcInformation,
    SystemNotImplemented6,
    SystemLoadImage,
    SystemUnloadImage,
    SystemTimeAdjustment,
    SystemNotImplemented7,
    SystemNotImplemented8,
    SystemNotImplemented9,
    SystemCrashDumpInformation,
    SystemExceptionInformation,
    SystemCrashDumpStateInformation,
    SystemKernelDebuggerInformation,
    SystemContextSwitchInformation,
    SystemRegistryQuotaInformation,
    SystemLoadAndCallImage,
    SystemPrioritySeparation,
    SystemNotImplemented10,
    SystemNotImplemented11,
    SystemInvalidInfoClass2,
    SystemInvalidInfoClass3,
    SystemTimeZoneInformation,
    SystemLookasideInformation,
    SystemSetTimeSlipEvent,
    SystemCreateSession,
    SystemDeleteSession,
    SystemInvalidInfoClass4,
    SystemRangeStartInformation,
    SystemVerifierInformation,
    SystemAddVerifier,
    SystemSessionProcessesInformation
} SYSTEM_INFORMATION_CLASS;

typedef enum _THREAD_STATE {
    StateInitialized,
    StateReady,
    StateRunning,
    StateStandby,
    StateTerminated,
    StateWait,
    StateTransition,
    StateUnknown
} THREAD_STATE;

typedef enum _TOKEN_INFORMATION_CLASS {
    TokenUser = 1,
    TokenGroups,
    TokenPrivileges,
    TokenOwner,
    TokenPrimaryGroup,
    TokenDefaultDacl,
    TokenSource,
    TokenType,
    TokenImpersonationLevel,
    TokenStatistics,
    TokenRestrictedSids
} TOKEN_INFORMATION_CLASS;

typedef enum _TOKEN_TYPE {
    TokenPrimary = 1,
    TokenImpersonation
} TOKEN_TYPE;

typedef struct _HARDWARE_PTE_X86 {
    ULONG Valid             : 1;
    ULONG Write             : 1;
    ULONG Owner             : 1;
    ULONG WriteThrough      : 1;
    ULONG CacheDisable      : 1;
    ULONG Accessed          : 1;
    ULONG Dirty             : 1;
    ULONG LargePage         : 1;
    ULONG Global            : 1;
    ULONG CopyOnWrite       : 1;
    ULONG Prototype         : 1;
    ULONG reserved          : 1;
    ULONG PageFrameNumber   : 20;
} HARDWARE_PTE_X86, *PHARDWARE_PTE_X86;

typedef struct _KAPC_STATE {
    LIST_ENTRY  ApcListHead[2];
    PKPROCESS   Process;
    BOOLEAN     KernelApcInProgress;
    BOOLEAN     KernelApcPending;
    BOOLEAN     UserApcPending;
} KAPC_STATE, *PKAPC_STATE;

typedef struct _KGDTENTRY {
    USHORT LimitLow;
    USHORT BaseLow;
    union {
        struct {
            UCHAR BaseMid;
            UCHAR Flags1;
            UCHAR Flags2;
            UCHAR BaseHi;
        } Bytes;
        struct {
            ULONG BaseMid       : 8;
            ULONG Type          : 5;
            ULONG Dpl           : 2;
            ULONG Pres          : 1;
            ULONG LimitHi       : 4;
            ULONG Sys           : 1;
            ULONG Reserved_0    : 1;
            ULONG Default_Big   : 1;
            ULONG Granularity   : 1;
            ULONG BaseHi        : 8;
        } Bits;
    } HighWord;
} KGDTENTRY, *PKGDTENTRY;

typedef struct _KIDTENTRY {
    USHORT Offset;
    USHORT Selector;
    USHORT Access;
    USHORT ExtendedOffset;
} KIDTENTRY, *PKIDTENTRY;

#if (VER_PRODUCTBUILD >= 2600)

typedef struct _KPROCESS {
    DISPATCHER_HEADER   Header;
    LIST_ENTRY          ProfileListHead;
    ULONG               DirectoryTableBase[2];
    KGDTENTRY           LdtDescriptor;
    KIDTENTRY           Int21Descriptor;
    USHORT              IopmOffset;
    UCHAR               Iopl;
    UCHAR               Unused;
    ULONG               ActiveProcessors;
    ULONG               KernelTime;
    ULONG               UserTime;
    LIST_ENTRY          ReadyListHead;  
    SINGLE_LIST_ENTRY   SwapListEntry;
    PVOID               VdmTrapcHandler;
    LIST_ENTRY          ThreadListHead;
    KSPIN_LOCK          ProcessLock;
    KAFFINITY           Affinity;
    USHORT              StackCount;
    CHAR                BasePriority;
    CHAR                ThreadQuantum;
    BOOLEAN             AutoAlignment;
    UCHAR               State;
    UCHAR               ThreadSeed;
    BOOLEAN             DisableBoost;
    UCHAR               PowerState;
    BOOLEAN             DisableQuantum;
    UCHAR               IdealNode;
    UCHAR               Spare;
} KPROCESS, *PKPROCESS;

#else


typedef struct _KPROCESS {
    DISPATCHER_HEADER   Header;
    LIST_ENTRY          ProfileListHead;
    ULONG               DirectoryTableBase[2];
    KGDTENTRY           LdtDescriptor;
    KIDTENTRY           Int21Descriptor;
    USHORT              IopmOffset;
    UCHAR               Iopl;
    UCHAR               VdmFlag;
    ULONG               ActiveProcessors;
    ULONG               KernelTime;
    ULONG               UserTime;
    LIST_ENTRY          ReadyListHead;  
    SINGLE_LIST_ENTRY   SwapListEntry;
    PVOID               Reserved1;
    LIST_ENTRY          ThreadListHead;
    KSPIN_LOCK          ProcessLock;
    KAFFINITY           Affinity;
    USHORT              StackCount;
    UCHAR               BasePriority;
    UCHAR               ThreadQuantum;
    BOOLEAN             AutoAlignment;
    UCHAR               State;
    UCHAR               ThreadSeed;
    BOOLEAN             DisableBoost;
#if (VER_PRODUCTBUILD >= 2195)
    UCHAR               PowerState;
    BOOLEAN             DisableQuantum;
    UCHAR               IdealNode;
    UCHAR               Spare;
#endif // (VER_PRODUCTBUILD >= 2195)
} KPROCESS, *PKPROCESS;

#endif


#if (VER_PRODUCTBUILD >= 3790)

typedef struct _KTHREAD {
    DISPATCHER_HEADER           Header;
    LIST_ENTRY                  MutantListHead; // 0x10
    PVOID                       InitialStack; // 0x18
    PVOID                       StackLimit; // 0x1c
    PVOID                       KernelStack; // 0x20
    ULONG                       ThreadLock; // 0x24
    ULONG                       ContextSwitches; // 0x28
    UCHAR                       State; // 0x2c
    UCHAR                       NpxState; // 0x2d
    UCHAR                       WaitIrql; // 0x2e
    CHAR                        WaitMode; // 0x2f
    struct _TEB                 *Teb; // 0x30
    KAPC_STATE                  ApcState; // 0x34
    KSPIN_LOCK                  ApcQueueLock; // 0x4c
    NTSTATUS                    WaitStatus; // 0x50
    PKWAIT_BLOCK                WaitBlockList; // 0x54
    BOOLEAN                     Alertable; // 0x58
    UCHAR                       WaitNext; // 0x59
    UCHAR                       WaitReason; // 0x5a
    CHAR                        Priority; // 0x5b
    BOOLEAN                     EnableStackSwap; // 0x5c
    BOOLEAN                     SwapBusy; // 0x5d
    UCHAR                       Alerted[2]; // 0x5e
    union {
        LIST_ENTRY              WaitListEntry; // 0x60
        SINGLE_LIST_ENTRY       SwapListEntry; // 0x60
    };
    PKQUEUE                     Queue; // 0x68
    ULONG                       WaitTime; // 0x6c
    union {
        struct {
            USHORT              KernelApcDisable; // 0x70
            USHORT              SpecialApcDisable; // 0x72
        };
        USHORT                  CombinedApcDisable; // 0x70
    };
    KTIMER                      Timer; // 0x78
    KWAIT_BLOCK                 WaitBlock[4]; // 0xa0
    LIST_ENTRY                  QueueListEntry; // 0x100
    UCHAR                       ApcStateIndex; // 0x108
    BOOLEAN                     ApcQueueable; // 0x109
    BOOLEAN                     Preempted; // 0x10a
    BOOLEAN                     ProcessReadyQueue; // 0x10b
    BOOLEAN                     KernelStackResident; // 0x10c
    CHAR                        Saturation; // 0x10d
    UCHAR                       IdealProcessor; // 0x10e
    UCHAR                       NextProcessor; // 0x10f
    CHAR                        BasePriority; // 0x110
    UCHAR                       Spare4; // 0x111
    CHAR                        PriorityDecrement; // 0x112
    CHAR                        Quantum; // 0x113
    BOOLEAN                     SystemAffinityActive; // 0x114
    CHAR                        PreviousMode; // 0x115
    UCHAR                       ResourceIndex; // 0x116
    BOOLEAN                     DisableBoost; // 0x117
    ULONG                       UserAffinity; // 0x118
    PKPROCESS                   Process; // 0x11c
    ULONG                       Affinity; // 0x120
    PSERVICE_DESCRIPTOR_TABLE   ServiceTable; // 0x124
    PKAPC_STATE                 ApcStatePointer[2]; // 0x128
    KAPC_STATE                  SavedApcState; // 0x130
    PVOID                       CallbackStack; // 0x148
    PVOID                       Win32Thread; // 0x14c
    PKTRAP_FRAME                TrapFrame; // 0x150
    ULONG                       KernelTime; // 0x154
    ULONG                       UserTime; // 0x158
    PVOID                       StackBase; // 0x15c
    KAPC                        SuspendApc; // 0x160
    KSEMAPHORE                  SuspendSemaphore; // 0x190
    PVOID                       TlsArray; // 0x1a4
    PVOID                       LegoData; // 0x1a8
    LIST_ENTRY                  ThreadListEntry; // 0x1ac
    BOOLEAN                     LargeStack; // 0x1b4
    UCHAR                       PowerState; // 0x1b5
    UCHAR                       NpxIrql; // 0x1b6
    UCHAR                       Spare5; // 0x1b7
    BOOLEAN                     AutoAlignment; // 0x1b8
    UCHAR                       Iopl; // 0x1b9
    CHAR                        FreezeCount; // 0x1ba
    CHAR                        SuspendCount; // 0x1bb
    UCHAR                       Spare0[1]; // 0x1bc
    UCHAR                       UserIdealProcessor; // 0x1bd
    UCHAR                       DeferredProcessor; // 0x1be
    UCHAR                       AdjustReason; // 0x1bf
    CHAR                        AdjustIncrement; // 0x1c0
    UCHAR                       Spare2[3]; // 0x1c1
} KTHREAD, *PKTHREAD;

#elif (VER_PRODUCTBUILD >= 2600)

typedef struct _KTHREAD {
    DISPATCHER_HEADER           Header;
    LIST_ENTRY                  MutantListHead;
    PVOID                       InitialStack;
    PVOID                       StackLimit;
    struct _TEB                 *Teb;
    PVOID                       TlsArray;
    PVOID                       KernelStack;
    BOOLEAN                     DebugActive;
    UCHAR                       State;
    UCHAR                       Alerted[2];
    UCHAR                       Iopl;
    UCHAR                       NpxState;
    CHAR                        Saturation;
    CHAR                        Priority;
    KAPC_STATE                  ApcState;
    ULONG                       ContextSwitches;
    UCHAR                       IdleSwapBlock;
    UCHAR                       Spare0[3];
    NTSTATUS                    WaitStatus;
    UCHAR                       WaitIrql;
    CHAR                        WaitMode;
    UCHAR                       WaitNext;
    UCHAR                       WaitReason;
    PKWAIT_BLOCK                WaitBlockList;
    union {
        LIST_ENTRY              WaitListEntry;
        SINGLE_LIST_ENTRY       SwapListEntry;
    };
    ULONG                       WaitTime;
    CHAR                        BasePriority;
    UCHAR                       DecrementCount;
    CHAR                        PriorityDecrement;
    CHAR                        Quantum;
    KWAIT_BLOCK                 WaitBlock[4];
    PVOID                       LegoData;
    ULONG                       KernelApcDisable;
    ULONG                       UserAffinity;
    BOOLEAN                     SystemAffinityActive;
    UCHAR                       PowerState;
    UCHAR                       NpxIrql;
    UCHAR                       InitialNode;
    PSERVICE_DESCRIPTOR_TABLE   ServiceTable;
    PKQUEUE                     Queue;
    KSPIN_LOCK                  ApcQueueLock;
    KTIMER                      Timer;
    LIST_ENTRY                  QueueListEntry;
    ULONG                       SoftAffinity;
    ULONG                       Affinity;
    BOOLEAN                     Preempted;
    BOOLEAN                     ProcessReadyQueue;
    BOOLEAN                     KernelStackResident;
    UCHAR                       NextProcessor;
    PVOID                       CallbackStack;
    PVOID                       Win32Thread;
    PKTRAP_FRAME                TrapFrame;
    PKAPC_STATE                 ApcStatePointer[2];
    CHAR                        PreviousMode;
    BOOLEAN                     EnableStackSwap;
    BOOLEAN                     LargeStack;
    UCHAR                       ResourceIndex;
    ULONG                       KernelTime;
    ULONG                       UserTime;
    KAPC_STATE                  SavedApcState;
    BOOLEAN                     Alertable;
    UCHAR                       ApcStateIndex;
    BOOLEAN                     ApcQueueable;
    BOOLEAN                     AutoAlignment;
    PVOID                       StackBase;
    KAPC                        SuspendApc;
    KSEMAPHORE                  SuspendSemaphore;
    LIST_ENTRY                  ThreadListEntry;
    CHAR                        FreezeCount;
    CHAR                        SuspendCount;
    UCHAR                       IdealProcessor;
    BOOLEAN                     DisableBoost;
} KTHREAD, *PKTHREAD;

#else


typedef struct _KTHREAD {
    DISPATCHER_HEADER           Header;
    LIST_ENTRY                  MutantListHead;
    PVOID                       InitialStack;
    PVOID                       StackLimit;
    struct _TEB                 *Teb;
    PVOID                       TlsArray;
    PVOID                       KernelStack;
    BOOLEAN                     DebugActive;
    UCHAR                       State;
    USHORT                      Alerted;
    UCHAR                       Iopl;
    UCHAR                       NpxState;
    UCHAR                       Saturation;
    UCHAR                       Priority;
    KAPC_STATE                  ApcState;
    ULONG                       ContextSwitches;
    NTSTATUS                    WaitStatus;
    UCHAR                       WaitIrql;
    UCHAR                       WaitMode;
    UCHAR                       WaitNext;
    UCHAR                       WaitReason;
    PKWAIT_BLOCK                WaitBlockList;
    LIST_ENTRY                  WaitListEntry;
    ULONG                       WaitTime;
    UCHAR                       BasePriority;
    UCHAR                       DecrementCount;
    UCHAR                       PriorityDecrement;
    UCHAR                       Quantum;
    KWAIT_BLOCK                 WaitBlock[4];
    ULONG                       LegoData;
    ULONG                       KernelApcDisable;
    ULONG                       UserAffinity;
    BOOLEAN                     SystemAffinityActive;
#if (VER_PRODUCTBUILD < 2195)
    UCHAR                       Pad[3];
#else // (VER_PRODUCTBUILD >= 2195)
    UCHAR                       PowerState;
    UCHAR                       NpxIrql;
    UCHAR                       Pad[1];
#endif // (VER_PRODUCTBUILD >= 2195)
    PSERVICE_DESCRIPTOR_TABLE   ServiceDescriptorTable;
    PKQUEUE                     Queue;
    KSPIN_LOCK                  ApcQueueLock;
    KTIMER                      Timer;
    LIST_ENTRY                  QueueListEntry;
    ULONG                       Affinity;
    BOOLEAN                     Preempted;
    BOOLEAN                     ProcessReadyQueue;
    BOOLEAN                     KernelStackResident;
    UCHAR                       NextProcessor;
    PVOID                       CallbackStack;
    PVOID                       Win32Thread;
    PKTRAP_FRAME                TrapFrame;
    PKAPC_STATE                 ApcStatePointer[2];
#if (VER_PRODUCTBUILD >= 2195)
    UCHAR                       PreviousMode;
#endif // (VER_PRODUCTBUILD >= 2195)
    BOOLEAN                     EnableStackSwap;
    BOOLEAN                     LargeStack;
    UCHAR                       ResourceIndex;
#if (VER_PRODUCTBUILD < 2195)
    UCHAR                       PreviousMode;
#endif // (VER_PRODUCTBUILD < 2195)
    ULONG                       KernelTime;
    ULONG                       UserTime;
    KAPC_STATE                  SavedApcState;
    BOOLEAN                     Alertable;
    UCHAR                       ApcStateIndex;
    BOOLEAN                     ApcQueueable;
    BOOLEAN                     AutoAlignment;
    PVOID                       StackBase;
    KAPC                        SuspendApc;
    KSEMAPHORE                  SuspendSemaphore;
    LIST_ENTRY                  ThreadListEntry;
    UCHAR                       FreezeCount;
    UCHAR                       SuspendCount;
    UCHAR                       IdealProcessor;
    BOOLEAN                     DisableBoost;
} KTHREAD, *PKTHREAD;

#endif


#if (VER_PRODUCTBUILD >= 3790)

typedef struct _MMSUPPORT_FLAGS {
    ULONG SessionSpace              : 1;
    ULONG BeingTrimmed              : 1;
    ULONG SessionLeader             : 1;
    ULONG TrimHard                  : 1;
    ULONG MaximumWorkingSetHard     : 1;
    ULONG ForceTrim                 : 1;
    ULONG MinimumWorkingSetHard     : 1;
    ULONG Available0                : 1;
    ULONG MemoryPriority            : 8;
    ULONG GrowWsleHash              : 1;
    ULONG AcquiredUnsafe            : 1;
    ULONG Available                 : 14;
} MMSUPPORT_FLAGS, *PMMSUPPORT_FLAGS;

#elif (VER_PRODUCTBUILD >= 2600)

typedef struct _MMSUPPORT_FLAGS {
    ULONG SessionSpace              : 1;
    ULONG BeingTrimmed              : 1;
    ULONG SessionLeader             : 1;
    ULONG TrimHard                  : 1;
    ULONG WorkingSetHard            : 1;
    ULONG AddressSpaceBeingDeleted  : 1;
    ULONG Available                 : 10;
    ULONG AllowWorkingSetAdjustment : 8;
    ULONG MemoryPriority            : 8;
} MMSUPPORT_FLAGS, *PMMSUPPORT_FLAGS;

#else


typedef struct _MMSUPPORT_FLAGS {
    ULONG SessionSpace      : 1;
    ULONG BeingTrimmed      : 1;
    ULONG ProcessInSession  : 1;
    ULONG SessionLeader     : 1;
    ULONG TrimHard          : 1;
    ULONG WorkingSetHard    : 1;
    ULONG WriteWatch        : 1;
    ULONG Filler            : 25;
} MMSUPPORT_FLAGS, *PMMSUPPORT_FLAGS;

#endif


#if (VER_PRODUCTBUILD >= 3790)

typedef struct _KGUARDED_MUTEX {
    LONG            Count;
    PKTHREAD        Owner; // 0x4
    ULONG           Contention; // 0x8
    KEVENT          Event; // 0xc
    union {
        struct {
            USHORT  KernelApcDisable; // 0x1c
            USHORT  SpecialApcDisable; // 0x1e
        };
        USHORT      CombinedApcDisable; // 0x1c
    };
} KGUARDED_MUTEX, *PKGUARDED_MUTEX;

typedef struct _MMSUPPORT {
    LIST_ENTRY      WorkingSetExpansionLinks;
    LARGE_INTEGER   LastTrimTime; // 0x8
    MMSUPPORT_FLAGS Flags; // 0x10
    ULONG           PageFaultCount; // 0x14
    ULONG           PeakWorkingSetSize; // 0x18
    ULONG           GrowthSinceLastEstimate; // 0x1c
    ULONG           MinimumWorkingSetSize; // 0x20
    ULONG           MaximumWorkingSetSize; // 0x24
    PMMWSL          VmWorkingSetList; // 0x28 
    ULONG           Claim; // 0x2c
    ULONG           NextEstimationSlot; // 0x30
    ULONG           NextAgingSlot; // 0x34
    ULONG           EstimatedAvailable; // 0x38
    ULONG           WorkingSetSize;  //0x3c
    KGUARDED_MUTEX  Mutex; // 0x40
} MMSUPPORT, *PMMSUPPORT;

#elif (VER_PRODUCTBUILD >= 2600)

typedef struct _MMSUPPORT {
    LARGE_INTEGER   LastTrimTime;
    MMSUPPORT_FLAGS Flags;
    ULONG           PageFaultCount;
    ULONG           PeakWorkingSetSize;
    ULONG           WorkingSetSize;
    ULONG           MinimumWorkingSetSize;
    ULONG           MaximumWorkingSetSize;
    PMMWSL          VmWorkingSetList;
    LIST_ENTRY      WorkingSetExpansionLinks;
    ULONG           Claim;
    ULONG           NextEstimationSlot;
    ULONG           NextAgingSlot;
    ULONG           EstimatedAvailable;
    ULONG           GrowthSinceLastEstimate;
} MMSUPPORT, *PMMSUPPORT;

#else


typedef struct _MMSUPPORT {
    LARGE_INTEGER   LastTrimTime;
    ULONG           LastTrimFaultCount;
    ULONG           PageFaultCount;
    ULONG           PeakWorkingSetSize;
    ULONG           WorkingSetSize;
    ULONG           MinimumWorkingSetSize;
    ULONG           MaximumWorkingSetSize;
    PMMWSL          VmWorkingSetList;
    LIST_ENTRY      WorkingSetExpansionLinks;
    BOOLEAN         AllowWorkingSetAdjustment;
    BOOLEAN         AddressSpaceBeingDeleted;
    UCHAR           ForegroundSwitchCount;
    UCHAR           MemoryPriority;
#if (VER_PRODUCTBUILD >= 2195)
    union {
        ULONG           LongFlags;
        MMSUPPORT_FLAGS Flags;
    } u;
    ULONG           Claim;
    ULONG           NextEstimationSlot;
    ULONG           NextAgingSlot;
    ULONG           EstimatedAvailable;
    ULONG           GrowthSinceLastEstimate;
#endif // (VER_PRODUCTBUILD >= 2195)
} MMSUPPORT, *PMMSUPPORT;

#endif


typedef struct _SE_AUDIT_PROCESS_CREATION_INFO {
    POBJECT_NAME_INFORMATION ImageFileName;
} SE_AUDIT_PROCESS_CREATION_INFO, *PSE_AUDIT_PROCESS_CREATION_INFO;

typedef struct _SID_IDENTIFIER_AUTHORITY {
    UCHAR Value[6];
} SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY;

typedef struct _SID {
    UCHAR                       Revision;
    UCHAR                       SubAuthorityCount;
    SID_IDENTIFIER_AUTHORITY    IdentifierAuthority;
    ULONG                       SubAuthority[1];
} SID, *PREAL_SID;

typedef struct _BITMAP_DESCRIPTOR {
    ULONGLONG   StartLcn;
    ULONGLONG   ClustersToEndOfVol;
    UCHAR       Map[1];
} BITMAP_DESCRIPTOR, *PBITMAP_DESCRIPTOR; 

typedef struct _BITMAP_RANGE {
    LIST_ENTRY      Links;
    LARGE_INTEGER   BasePage;
    ULONG           FirstDirtyPage;
    ULONG           LastDirtyPage;
    ULONG           DirtyPages;
    PULONG          Bitmap;
} BITMAP_RANGE, *PBITMAP_RANGE;

typedef struct _CACHE_UNINITIALIZE_EVENT {
    struct _CACHE_UNINITIALIZE_EVENT    *Next;
    KEVENT                              Event;
} CACHE_UNINITIALIZE_EVENT, *PCACHE_UNINITIALIZE_EVENT;

typedef struct _CC_FILE_SIZES {
    LARGE_INTEGER AllocationSize;
    LARGE_INTEGER FileSize;
    LARGE_INTEGER ValidDataLength;
} CC_FILE_SIZES, *PCC_FILE_SIZES;

typedef struct _COMPRESSED_DATA_INFO {
    USHORT  CompressionFormatAndEngine;
    UCHAR   CompressionUnitShift;
    UCHAR   ChunkShift;
    UCHAR   ClusterShift;
    UCHAR   Reserved;
    USHORT  NumberOfChunks;
    ULONG   CompressedChunkSizes[ANYSIZE_ARRAY];
} COMPRESSED_DATA_INFO, *PCOMPRESSED_DATA_INFO;

typedef struct _DEVICE_MAP {
    POBJECT_DIRECTORY   DosDevicesDirectory;
    POBJECT_DIRECTORY   GlobalDosDevicesDirectory;
    ULONG               ReferenceCount;
    ULONG               DriveMap;
    UCHAR               DriveType[32];
} DEVICE_MAP, *PDEVICE_MAP; 

typedef struct _DIRECTORY_BASIC_INFORMATION {
    UNICODE_STRING ObjectName;
    UNICODE_STRING ObjectTypeName;
} DIRECTORY_BASIC_INFORMATION, *PDIRECTORY_BASIC_INFORMATION;

#if (VER_PRODUCTBUILD >= 2600)

typedef struct _EX_FAST_REF {
    union {
        PVOID Object;
        ULONG RefCnt : 3;
        ULONG Value;
    };
} EX_FAST_REF, *PEX_FAST_REF;

typedef struct _EX_PUSH_LOCK {
    union {
        struct {
            ULONG   Waiting     : 1;
            ULONG   Exclusive   : 1;
            ULONG   Shared      : 30;
        };
        ULONG   Value;
        PVOID   Ptr;
    };
} EX_PUSH_LOCK, *PEX_PUSH_LOCK;

typedef struct _EX_RUNDOWN_REF {
    union {
        ULONG Count;
        PVOID Ptr;
    };
} EX_RUNDOWN_REF, *PEX_RUNDOWN_REF;

#endif // (VER_PRODUCTBUILD >= 2600)

#if (VER_PRODUCTBUILD >= 3790)

typedef struct _MM_ADDRESS_NODE {
    union {
        ULONG                   Balance : 2;
        struct _MM_ADDRESS_NODE *Parent; // lower 2 bits of Parent are Balance and must be zeroed to obtain Parent
    };
    struct _MM_ADDRESS_NODE     *LeftChild;
    struct _MM_ADDRESS_NODE     *RightChild;
    ULONG_PTR                   StartingVpn;
    ULONG_PTR                   EndingVpn;
} MMADDRESS_NODE, *PMMADDRESS_NODE;

typedef struct _MM_AVL_TABLE {
    MMADDRESS_NODE  BalancedRoot; // Vadroot; incorrectly represents the NULL pages (EndingVpn should be 0xf, etc.)
    ULONG           DepthOfTree : 5; // 0x14
    ULONG           Unused : 3;
    ULONG           NumberGenericTableElements : 24; // total number of nodes
    PVOID           NodeHint; // 0x18 (0x270 in _EPROCESS)
    PVOID           NodeFreeHint; // 0x1c
} MM_AVL_TABLE, *PMM_AVL_TABLE;

typedef struct _EPROCESS {
    KPROCESS                        Pcb; // +0x000
    EX_PUSH_LOCK                    ProcessLock; // +0x06c
    LARGE_INTEGER                   CreateTime; // +0x070
    LARGE_INTEGER                   ExitTime; // +0x078
    EX_RUNDOWN_REF                  RundownProtect; // +0x080
    ULONG                           UniqueProcessId; // +0x084
    LIST_ENTRY                      ActiveProcessLinks; // +0x088
    ULONG                           QuotaUsage[3]; // +0x090
    ULONG                           QuotaPeak[3]; // +0x09c
    ULONG                           CommitCharge; // +0x0a8
    ULONG                           PeakVirtualSize; // +0x0ac
    ULONG                           VirtualSize; // +0x0b0
    LIST_ENTRY                      SessionProcessLinks; // +0x0b4
    PVOID                           DebugPort; // +0x0bc
    PVOID                           ExceptionPort; // +0x0c0
    PHANDLE_TABLE                   ObjectTable; // +0x0c4
    EX_FAST_REF                     Token; // +0x0c8
    ULONG                           WorkingSetPage; // +0x0cc
    KGUARDED_MUTEX                  AddressCreationLock; // +0x0d0
    ULONG                           HyperSpaceLock; // +0x0f0
    PETHREAD                        ForkInProgress; // +0x0f4
    ULONG                           HardwareTrigger; // +0x0f8
    PMM_AVL_TABLE                   PhysicalVadRoot; // +0x0fc
    PVOID                           CloneRoot; // +0x100
    ULONG                           NumberOfPrivatePages; // +0x104
    ULONG                           NumberOfLockedPages; // +0x108
    PVOID                           Win32Process; // +0x10c
    PEJOB                           Job; // +0x110
    PVOID                           SectionObject; // +0x114
    PVOID                           SectionBaseAddress; // +0x118
    PEPROCESS_QUOTA_BLOCK           QuotaBlock; // +0x11c
    PPAGEFAULT_HISTORY              WorkingSetWatch; // +0x120
    PVOID                           Win32WindowStation; // +0x124
    ULONG                           InheritedFromUniqueProcessId; // +0x128
    PVOID                           LdtInformation; // +0x12c
    PVOID                           VadFreeHint; // +0x130
    PVOID                           VdmObjects; // +0x134
    PVOID                           DeviceMap; // +0x138
    PVOID                           Spare0[3]; // +0x13c
    union {
        HARDWARE_PTE                PageDirectoryPte; // +0x148
        UINT64                      Filler; // +0x148
    };
    PVOID                           Session; // +0x150
    UCHAR                           ImageFileName[16]; // +0x154
    LIST_ENTRY                      JobLinks; // +0x164
    PVOID                           LockedPagesList; // +0x16c
    LIST_ENTRY                      ThreadListHead; // +0x170
    PVOID                           SecurityPort; // +0x178
    PVOID                           PaeTop; // +0x17c
    ULONG                           ActiveThreads; // +0x180
    ULONG                           GrantedAccess; // +0x184
    ULONG                           DefaultHardErrorProcessing; // +0x188
    SHORT                           LastThreadExitStatus; // +0x18c
    PPEB                            Peb; // +0x190
    EX_FAST_REF                     PrefetchTrace; // +0x194
    LARGE_INTEGER                   ReadOperationCount; // +0x198
    LARGE_INTEGER                   WriteOperationCount; // +0x1a0
    LARGE_INTEGER                   OtherOperationCount; // +0x1a8
    LARGE_INTEGER                   ReadTransferCount; // +0x1b0
    LARGE_INTEGER                   WriteTransferCount; // +0x1b8
    LARGE_INTEGER                   OtherTransferCount; // +0x1c0
    ULONG                           CommitChargeLimit; // +0x1c8
    ULONG                           CommitChargePeak; // +0x1cc
    PVOID                           AweInfo; // +0x1d0
    SE_AUDIT_PROCESS_CREATION_INFO  SeAuditProcessCreationInfo; // +0x1d4
    MMSUPPORT                       Vm; // +0x1d8
    LIST_ENTRY                      MmProcessLinks; // +0x238
    ULONG                           ModifiedPageCount; // +0x240
    ULONG                           JobStatus; // +0x244
    union {
        ULONG                       Flags; // 0x248
        struct {
            ULONG                   CreateReported              : 1;
            ULONG                   NoDebugInherit              : 1;
            ULONG                   ProcessExiting              : 1;
            ULONG                   ProcessDelete               : 1;
            ULONG                   Wow64SplitPages             : 1;
            ULONG                   VmDeleted                   : 1;
            ULONG                   OutswapEnabled              : 1;
            ULONG                   Outswapped                  : 1;
            ULONG                   ForkFailed                  : 1;
            ULONG                   Wow64VaSpace4Gb             : 1;
            ULONG                   AddressSpaceInitialized     : 2;
            ULONG                   SetTimerResolution          : 1;
            ULONG                   BreakOnTermination          : 1;
            ULONG                   SessionCreationUnderway     : 1;
            ULONG                   WriteWatch                  : 1;
            ULONG                   ProcessInSession            : 1;
            ULONG                   OverrideAddressSpace        : 1;
            ULONG                   HasAddressSpace             : 1;
            ULONG                   LaunchPrefetched            : 1;
            ULONG                   InjectInpageErrors          : 1;
            ULONG                   VmTopDown                   : 1;
            ULONG                   ImageNotifyDone             : 1;
            ULONG                   PdeUpdateNeeded             : 1;
            ULONG                   VdmAllowed                  : 1;
            ULONG                   Unused                      : 7;
        };
    };
    NTSTATUS                        ExitStatus; // +0x24c
    USHORT                          NextPageColor; // +0x250
    union {
        struct {
            UCHAR                   SubSystemMinorVersion; // +0x252
            UCHAR                   SubSystemMajorVersion; // +0x253
        };
        USHORT                      SubSystemVersion; // +0x252
    };
    UCHAR                           PriorityClass; // +0x254
    MM_AVL_TABLE                    VadRoot; // +0x258
} EPROCESS, *PEPROCESS; // 0x278 in total

#elif (VER_PRODUCTBUILD >= 2600)

typedef struct _EPROCESS {
    KPROCESS                        Pcb;
    EX_PUSH_LOCK                    ProcessLock;
    LARGE_INTEGER                   CreateTime;
    LARGE_INTEGER                   ExitTime;
    EX_RUNDOWN_REF                  RundownProtect;
    ULONG                           UniqueProcessId;
    LIST_ENTRY                      ActiveProcessLinks;
    ULONG                           QuotaUsage[3];
    ULONG                           QuotaPeak[3];
    ULONG                           CommitCharge;
    ULONG                           PeakVirtualSize;
    ULONG                           VirtualSize;
    LIST_ENTRY                      SessionProcessLinks;
    PVOID                           DebugPort;
    PVOID                           ExceptionPort;
    PHANDLE_TABLE                   ObjectTable;
    EX_FAST_REF                     Token;
    FAST_MUTEX                      WorkingSetLock;
    ULONG                           WorkingSetPage;
    FAST_MUTEX                      AddressCreationLock;
    KSPIN_LOCK                      HyperSpaceLock;
    PETHREAD                        ForkInProgress;
    ULONG                           HardwareTrigger;
    PVOID                           VadRoot;
    PVOID                           VadHint;
    PVOID                           CloneRoot;
    ULONG                           NumberOfPrivatePages;
    ULONG                           NumberOfLockedPages;
    PVOID                           Win32Process;
    PEJOB                           Job;
    PSECTION_OBJECT                 SectionObject;
    PVOID                           SectionBaseAddress;
    PEPROCESS_QUOTA_BLOCK           QuotaBlock;
    PPAGEFAULT_HISTORY              WorkingSetWatch;
    PVOID                           Win32WindowStation;
    PVOID                           InheritedFromUniqueProcessId;
    PVOID                           LdtInformation;
    PVOID                           VadFreeHint;
    PVOID                           VdmObjects;
    PDEVICE_MAP                     DeviceMap;
    LIST_ENTRY                      PhysicalVadList;
    union {
        HARDWARE_PTE                PageDirectoryPte;
        ULONGLONG                   Filler;
    };
    PVOID                           Session;
    UCHAR                           ImageFileName[16];
    LIST_ENTRY                      JobLinks;
    PVOID                           LockedPageList;
    LIST_ENTRY                      ThreadListHead;
    PVOID                           SecurityPort;
    PVOID                           PaeTop;
    ULONG                           ActiveThreads;
    ULONG                           GrantedAccess;
    ULONG                           DefaultHardErrorProcessing;
    NTSTATUS                        LastThreadExitStatus;
    PPEB                            Peb;
    EX_FAST_REF                     PrefetchTrace;
    LARGE_INTEGER                   ReadOperationCount;
    LARGE_INTEGER                   WriteOperationCount;
    LARGE_INTEGER                   OtherOperationCount;
    LARGE_INTEGER                   ReadTransferCount;
    LARGE_INTEGER                   WriteTransferCount;
    LARGE_INTEGER                   OtherTransferCount;
    ULONG                           CommitChargeLimit;
    ULONG                           CommitChargePeek;
    PVOID                           AweInfo;
    SE_AUDIT_PROCESS_CREATION_INFO  SeAuditProcessCreationInfo;
    MMSUPPORT                       Vm;
    ULONG                           LastFaultCount;
    ULONG                           ModifiedPageCount;
    ULONG                           NumberOfVads;
    ULONG                           JobStatus;
    union {
        ULONG                       Flags;
        struct {
            ULONG                   CreateReported              : 1;
            ULONG                   NoDebugInherit              : 1;
            ULONG                   ProcessExiting              : 1;
            ULONG                   ProcessDelete               : 1;
            ULONG                   Wow64SplitPages             : 1;
            ULONG                   VmDeleted                   : 1;
            ULONG                   OutswapEnabled              : 1;
            ULONG                   Outswapped                  : 1;
            ULONG                   ForkFailed                  : 1;
            ULONG                   HasPhysicalVad              : 1;
            ULONG                   AddressSpaceInitialized     : 2;
            ULONG                   SetTimerResolution          : 1;
            ULONG                   BreakOnTermination          : 1;
            ULONG                   SessionCreationUnderway     : 1;
            ULONG                   WriteWatch                  : 1;
            ULONG                   ProcessInSession            : 1;
            ULONG                   OverrideAddressSpace        : 1;
            ULONG                   HasAddressSpace             : 1;
            ULONG                   LaunchPrefetched            : 1;
            ULONG                   InjectInpageErrors          : 1;
            ULONG                   Unused                      : 11;
        };
    };
    NTSTATUS                        ExitStatus;
    USHORT                          NextPageColor;
    union {
        struct {
            UCHAR                   SubSystemMinorVersion;
            UCHAR                   SubSystemMajorVersion;
        };
        USHORT                      SubSystemVersion;
    };
    UCHAR                           PriorityClass;
    BOOLEAN                         WorkingSetAcquiredUnsafe;
} EPROCESS, *PEPROCESS;

#else


typedef struct _EPROCESS {
    KPROCESS                        Pcb;
    NTSTATUS                        ExitStatus;
    KEVENT                          LockEvent;
    ULONG                           LockCount;
    LARGE_INTEGER                   CreateTime;
    LARGE_INTEGER                   ExitTime;
    PKTHREAD                        LockOwner;
    ULONG                           UniqueProcessId;
    LIST_ENTRY                      ActiveProcessLinks;
    ULONGLONG                       QuotaPeakPoolUsage;
    ULONGLONG                       QuotaPoolUsage;
    ULONG                           PagefileUsage;
    ULONG                           CommitCharge;
    ULONG                           PeakPagefileUsage;
    ULONG                           PeakVirtualSize;
    ULONGLONG                       VirtualSize;
    MMSUPPORT                       Vm;
#if (VER_PRODUCTBUILD < 2195)
    ULONG                           LastProtoPteFault;
#else // (VER_PRODUCTBUILD >= 2195)
    LIST_ENTRY                      SessionProcessLinks;
#endif // (VER_PRODUCTBUILD >= 2195)
    ULONG                           DebugPort;
    ULONG                           ExceptionPort;
    PHANDLE_TABLE                   ObjectTable;
    PACCESS_TOKEN                   Token;
    FAST_MUTEX                      WorkingSetLock;
    ULONG                           WorkingSetPage;
    BOOLEAN                         ProcessOutswapEnabled;
    BOOLEAN                         ProcessOutswapped;
    BOOLEAN                         AddressSpaceInitialized;
    BOOLEAN                         AddressSpaceDeleted;
    FAST_MUTEX                      AddressCreationLock;
    KSPIN_LOCK                      HyperSpaceLock;
    PETHREAD                        ForkInProgress;
    USHORT                          VmOperation;
    BOOLEAN                         ForkWasSuccessful;
    UCHAR                           MmAgressiveWsTrimMask;
    PKEVENT                         VmOperationEvent;
#if (VER_PRODUCTBUILD < 2195)
    HARDWARE_PTE                    PageDirectoryPte;
#else // (VER_PRODUCTBUILD >= 2195)
    PVOID                           PaeTop;
#endif // (VER_PRODUCTBUILD >= 2195)
    ULONG                           LastFaultCount;
    ULONG                           ModifiedPageCount;
    PVOID                           VadRoot;
    PVOID                           VadHint;
    ULONG                           CloneRoot;
    ULONG                           NumberOfPrivatePages;
    ULONG                           NumberOfLockedPages;
    USHORT                          NextPageColor;
    BOOLEAN                         ExitProcessCalled;
    BOOLEAN                         CreateProcessReported;
    HANDLE                          SectionHandle;
    PPEB                            Peb;
    PVOID                           SectionBaseAddress;
    PEPROCESS_QUOTA_BLOCK           QuotaBlock;
    NTSTATUS                        LastThreadExitStatus;
    PPROCESS_WS_WATCH_INFORMATION   WorkingSetWatch;
    HANDLE                          Win32WindowStation;
    HANDLE                          InheritedFromUniqueProcessId;
    ACCESS_MASK                     GrantedAccess;
    ULONG                           DefaultHardErrorProcessing;
    PVOID                           LdtInformation;
    PVOID                           VadFreeHint;
    PVOID                           VdmObjects;
#if (VER_PRODUCTBUILD < 2195)
    KMUTANT                         ProcessMutant;
#else // (VER_PRODUCTBUILD >= 2195)
    PDEVICE_MAP                     DeviceMap;
    ULONG                           SessionId;
    LIST_ENTRY                      PhysicalVadList;
    HARDWARE_PTE                    PageDirectoryPte;
    ULONG                           Filler;
    ULONG                           PaePageDirectoryPage;
#endif // (VER_PRODUCTBUILD >= 2195)
    UCHAR                           ImageFileName[16];
    ULONG                           VmTrimFaultValue;
    UCHAR                           SetTimerResolution;
    UCHAR                           PriorityClass;
    union {
        struct {
            UCHAR                   SubSystemMinorVersion;
            UCHAR                   SubSystemMajorVersion;
        };
        USHORT                      SubSystemVersion;
    };
    PVOID                           Win32Process;
#if (VER_PRODUCTBUILD >= 2195)
    PEJOB                           Job;
    ULONG                           JobStatus;
    LIST_ENTRY                      JobLinks;
    PVOID                           LockedPageList;
    PVOID                           SecurityPort;
    PWOW64_PROCESS                  Wow64Process;
    LARGE_INTEGER                   ReadOperationCount;
    LARGE_INTEGER                   WriteOperationCount;
    LARGE_INTEGER                   OtherOperationCount;
    LARGE_INTEGER                   ReadTransferCount;
    LARGE_INTEGER                   WriteTransferCount;
    LARGE_INTEGER                   OtherTransferCount;
    ULONG                           CommitChargeLimit;
    ULONG                           CommitChargePeek;
    LIST_ENTRY                      ThreadListHead;
    PRTL_BITMAP                     VadPhysicalPagesBitMap;
    ULONG                           VadPhysicalPages;
    ULONG                           AweLock;
#endif // (VER_PRODUCTBUILD >= 2195)
} EPROCESS, *PEPROCESS;

#endif


#if (VER_PRODUCTBUILD >= 2600)

typedef struct _ETHREAD {
    KTHREAD                         Tcb;
    union {
        LARGE_INTEGER               CreateTime;
        struct {
            ULONG                   NestedFaultCount    : 2;
            ULONG                   ApcNeeded           : 1;
        };
    };
    union {
        LARGE_INTEGER               ExitTime;
        LIST_ENTRY                  LpcReplyChain;
        LIST_ENTRY                  KeyedWaitChain;
    };
    union {
        NTSTATUS                    ExitStatus;
        PVOID                       OfsChain;
    };
    LIST_ENTRY                      PostBlockList;
    union {
        PTERMINATION_PORT           TerminationPort;
        PETHREAD                    ReaperLink;
        PVOID                       KeyedWaitValue;
    };
    KSPIN_LOCK                      ActiveTimerListLock;
    LIST_ENTRY                      ActiveTimerListHead;
    CLIENT_ID                       Cid;
    union {
        KSEMAPHORE                  LpcReplySemaphore;
        KSEMAPHORE                  KeyedWaitSemaphore;
    };
    union {
        PLPC_MESSAGE                LpcReplyMessage;
        PVOID                       LpcWaitingOnPort;
    };
    PPS_IMPERSONATION_INFORMATION   ImpersonationInfo;
    LIST_ENTRY                      IrpList;
    ULONG                           TopLevelIrp;
    PDEVICE_OBJECT                  DeviceToVerify;
    PEPROCESS                       ThreadsProcess;
    PKSTART_ROUTINE                 StartAddress;
    union {
        PVOID                       Win32StartAddress;
        ULONG                       LpcReceivedMessageId;
    };
    LIST_ENTRY                      ThreadListEntry;
    EX_RUNDOWN_REF                  RundownProtect;
    EX_PUSH_LOCK                    ThreadLock;
    ULONG                           LpcReplyMessageId;
    ULONG                           ReadClusterSize;
    ACCESS_MASK                     GrantedAccess;
    union {
        ULONG                       CrossThreadFlags;
        struct {
            ULONG                   Terminated              : 1;
            ULONG                   DeadThread              : 1;
            ULONG                   HideFromDebugger        : 1;
            ULONG                   ActiveImpersonationInfo : 1;
            ULONG                   SystemThread            : 1;
            ULONG                   HardErrorsAreDisabled   : 1;
            ULONG                   BreakOnTermination      : 1;
            ULONG                   SkipCreationMsg         : 1;
            ULONG                   SkipTerminationMsg      : 1;
        };
    };
    union {
        ULONG                       SameThreadPassiveFlags;
        struct {
            ULONG                   ActiveExWorker          : 1;
            ULONG                   ExWorkerCanWaitUser     : 1;
            ULONG                   MemoryMaker             : 1;
            ULONG                   KeyedEventInUse         : 1;
        };
    };
    union {
        ULONG                       SameThreadApcFlags;
        struct {
            BOOLEAN                 LpcReceivedMsgIdValid   : 1;
            BOOLEAN                 LpcExitThreadCalled     : 1;
            BOOLEAN                 AddressSpaceOwner       : 1;
        };
    };
    BOOLEAN                         ForwardClusterOnly;
    BOOLEAN                         DisablePageFaultClustering;
} ETHREAD, *PETHREAD;

#else


typedef struct _ETHREAD {
    KTHREAD                         Tcb;
    LARGE_INTEGER                   CreateTime;
    union {
        LARGE_INTEGER               ExitTime;
        LIST_ENTRY                  LpcReplyChain;
    };
    union {
        NTSTATUS                    ExitStatus;
        PVOID                       OfsChain;
    };
    LIST_ENTRY                      PostBlockList;
    LIST_ENTRY                      TerminationPortList;
    KSPIN_LOCK                      ActiveTimerListLock;
    LIST_ENTRY                      ActiveTimerListHead;
    CLIENT_ID                       Cid;
    KSEMAPHORE                      LpcReplySemaphore;
    PLPC_MESSAGE                    LpcReplyMessage;
    ULONG                           LpcReplyMessageId;
    ULONG                           PerformanceCountLow;
    PPS_IMPERSONATION_INFORMATION   ImpersonationInfo;
    LIST_ENTRY                      IrpList;
    PVOID                           TopLevelIrp;
    PDEVICE_OBJECT                  DeviceToVerify;
    ULONG                           ReadClusterSize;
    BOOLEAN                         ForwardClusterOnly;
    BOOLEAN                         DisablePageFaultClustering;
    BOOLEAN                         DeadThread;
#if (VER_PRODUCTBUILD >= 2195)
    BOOLEAN                         HideFromDebugger;
#endif // (VER_PRODUCTBUILD >= 2195)
#if (VER_PRODUCTBUILD < 2195)
    BOOLEAN                         HasTerminated;
#else // (VER_PRODUCTBUILD >= 2195)
    ULONG                           HasTerminated;
#endif // (VER_PRODUCTBUILD >= 2195)
#if (VER_PRODUCTBUILD < 2195)
    PKEVENT_PAIR                    EventPair;
#endif // (VER_PRODUCTBUILD < 2195)
    ACCESS_MASK                     GrantedAccess;
    PEPROCESS                       ThreadsProcess;
    PKSTART_ROUTINE                 StartAddress;
    union {
        PVOID                       Win32StartAddress;
        ULONG                       LpcReceivedMessageId;
    };
    BOOLEAN                         LpcExitThreadCalled;
    BOOLEAN                         HardErrorsAreDisabled;
    BOOLEAN                         LpcReceivedMsgIdValid;
    BOOLEAN                         ActiveImpersonationInfo;
    ULONG                           PerformanceCountHigh;
#if (VER_PRODUCTBUILD >= 2195)
    LIST_ENTRY                      ThreadListEntry;
#endif // (VER_PRODUCTBUILD >= 2195)
} ETHREAD, *PETHREAD;

#endif


typedef struct _EPROCESS_QUOTA_ENTRY {
    ULONG Usage;
    ULONG Limit;
    ULONG Peak;
    ULONG Return;
} EPROCESS_QUOTA_ENTRY, *PEPROCESS_QUOTA_ENTRY;

typedef struct _EPROCESS_QUOTA_BLOCK {
    EPROCESS_QUOTA_ENTRY    QuotaEntry[3];
    LIST_ENTRY              QuotaList;
    ULONG                   ReferenceCount;
    ULONG                   ProcessCount;
} EPROCESS_QUOTA_BLOCK, *PEPROCESS_QUOTA_BLOCK;

typedef struct _EXCEPTION_REGISTRATION_RECORD {
   struct _EXCEPTION_REGISTRATION_RECORD    *Next;
   PVOID                                    Handler;
} EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD;

/*
 * When needing these parameters cast your PIO_STACK_LOCATION to
 * PEXTENDED_IO_STACK_LOCATION
 */
#if !defined(_ALPHA_)
#include <pshpack4.h>
#endif

typedef struct _EXTENDED_IO_STACK_LOCATION {

    /* Included for padding */
    UCHAR MajorFunction;
    UCHAR MinorFunction;
    UCHAR Flags;
    UCHAR Control;

    union {

       struct {
          PIO_SECURITY_CONTEXT              SecurityContext;
          ULONG                             Options;
          USHORT                            Reserved;
          USHORT                            ShareAccess;
          PMAILSLOT_CREATE_PARAMETERS       Parameters;
       } CreateMailslot;

        struct {
            PIO_SECURITY_CONTEXT            SecurityContext;
            ULONG                           Options;
            USHORT                          Reserved;
            USHORT                          ShareAccess;
            PNAMED_PIPE_CREATE_PARAMETERS   Parameters;
        } CreatePipe;

        struct {
            ULONG                           OutputBufferLength;
            ULONG                           InputBufferLength;
            ULONG                           FsControlCode;
            PVOID                           Type3InputBuffer;
        } FileSystemControl;

        struct {
            PLARGE_INTEGER                  Length;
            ULONG                           Key;
            LARGE_INTEGER                   ByteOffset;
        } LockControl;

        struct {
            ULONG                           Length;
            ULONG                           CompletionFilter;
        } NotifyDirectory;

        struct {
            ULONG                           Length;
            PUNICODE_STRING                 FileName;
            FILE_INFORMATION_CLASS          FileInformationClass;
            ULONG                           FileIndex;
        } QueryDirectory;

        struct {
            ULONG                           Length;
            PVOID                           EaList;
            ULONG                           EaListLength;
            ULONG                           EaIndex;
        } QueryEa;

        struct {
            ULONG                           Length;
            PSID                            StartSid;
            PFILE_GET_QUOTA_INFORMATION     SidList;
            ULONG                           SidListLength;
        } QueryQuota;

        struct {
            ULONG                           Length;
        } SetEa;

        struct {
            ULONG                           Length;
        } SetQuota;

        struct {
            ULONG                           Length;
            FS_INFORMATION_CLASS            FsInformationClass;
        } SetVolume;

    } Parameters;

} EXTENDED_IO_STACK_LOCATION, *PEXTENDED_IO_STACK_LOCATION;
#if !defined(_ALPHA_)
#include <poppack.h>
#endif


typedef struct _FILE_ACCESS_INFORMATION {
    ACCESS_MASK AccessFlags;
} FILE_ACCESS_INFORMATION, *PFILE_ACCESS_INFORMATION;

typedef struct _FILE_ALLOCATION_INFORMATION {
    LARGE_INTEGER AllocationSize;
} FILE_ALLOCATION_INFORMATION, *PFILE_ALLOCATION_INFORMATION;

typedef struct _FILE_BOTH_DIR_INFORMATION {
    ULONG           NextEntryOffset;
    ULONG           FileIndex;
    LARGE_INTEGER   CreationTime;
    LARGE_INTEGER   LastAccessTime;
    LARGE_INTEGER   LastWriteTime;
    LARGE_INTEGER   ChangeTime;
    LARGE_INTEGER   EndOfFile;
    LARGE_INTEGER   AllocationSize;
    ULONG           FileAttributes;
    ULONG           FileNameLength;
    ULONG           EaSize;
    CCHAR           ShortNameLength;
    WCHAR           ShortName[12];
    WCHAR           FileName[1];
} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;

typedef struct _FILE_COMPLETION_INFORMATION {
    HANDLE  Port;
    ULONG   Key;
} FILE_COMPLETION_INFORMATION, *PFILE_COMPLETION_INFORMATION;

typedef struct _FILE_COMPRESSION_INFORMATION {
    LARGE_INTEGER   CompressedFileSize;
    USHORT          CompressionFormat;
    UCHAR           CompressionUnitShift;
    UCHAR           ChunkShift;
    UCHAR           ClusterShift;
    UCHAR           Reserved[3];
} FILE_COMPRESSION_INFORMATION, *PFILE_COMPRESSION_INFORMATION;

typedef struct _FILE_COPY_ON_WRITE_INFORMATION {
    BOOLEAN ReplaceIfExists;
    HANDLE  RootDirectory;
    ULONG   FileNameLength;
    WCHAR   FileName[1];
} FILE_COPY_ON_WRITE_INFORMATION, *PFILE_COPY_ON_WRITE_INFORMATION;

typedef struct _FILE_DIRECTORY_INFORMATION {
    ULONG           NextEntryOffset;
    ULONG           FileIndex;
    LARGE_INTEGER   CreationTime;
    LARGE_INTEGER   LastAccessTime;
    LARGE_INTEGER   LastWriteTime;
    LARGE_INTEGER   ChangeTime;
    LARGE_INTEGER   EndOfFile;
    LARGE_INTEGER   AllocationSize;
    ULONG           FileAttributes;
    ULONG           FileNameLength;
    WCHAR           FileName[1];
} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;

typedef struct _FILE_EA_INFORMATION {
    ULONG EaSize;
} FILE_EA_INFORMATION, *PFILE_EA_INFORMATION;

typedef struct _FILE_FS_ATTRIBUTE_INFORMATION {
    ULONG   FileSystemAttributes;
    ULONG   MaximumComponentNameLength;
    ULONG   FileSystemNameLength;
    WCHAR   FileSystemName[1];
} FILE_FS_ATTRIBUTE_INFORMATION, *PFILE_FS_ATTRIBUTE_INFORMATION;

typedef struct _FILE_FS_CONTROL_INFORMATION {
    LARGE_INTEGER   FreeSpaceStartFiltering;
    LARGE_INTEGER   FreeSpaceThreshold;
    LARGE_INTEGER   FreeSpaceStopFiltering;
    LARGE_INTEGER   DefaultQuotaThreshold;
    LARGE_INTEGER   DefaultQuotaLimit;
    ULONG           FileSystemControlFlags;
} FILE_FS_CONTROL_INFORMATION, *PFILE_FS_CONTROL_INFORMATION;

typedef struct _FILE_FS_FULL_SIZE_INFORMATION {
    LARGE_INTEGER   TotalAllocationUnits;
    LARGE_INTEGER   CallerAvailableAllocationUnits;
    LARGE_INTEGER   ActualAvailableAllocationUnits;
    ULONG           SectorsPerAllocationUnit;
    ULONG           BytesPerSector;
} FILE_FS_FULL_SIZE_INFORMATION, *PFILE_FS_FULL_SIZE_INFORMATION;

typedef struct _FILE_FS_LABEL_INFORMATION {
    ULONG VolumeLabelLength;
    WCHAR VolumeLabel[1];
} FILE_FS_LABEL_INFORMATION, *PFILE_FS_LABEL_INFORMATION;

#if (VER_PRODUCTBUILD >= 2195)

typedef struct _FILE_FS_OBJECT_ID_INFORMATION {
    UCHAR ObjectId[16];
    UCHAR ExtendedInfo[48];
} FILE_FS_OBJECT_ID_INFORMATION, *PFILE_FS_OBJECT_ID_INFORMATION;

#endif // (VER_PRODUCTBUILD >= 2195)

typedef struct _FILE_FS_SIZE_INFORMATION {
    LARGE_INTEGER   TotalAllocationUnits;
    LARGE_INTEGER   AvailableAllocationUnits;
    ULONG           SectorsPerAllocationUnit;
    ULONG           BytesPerSector;
} FILE_FS_SIZE_INFORMATION, *PFILE_FS_SIZE_INFORMATION;

typedef struct _FILE_FS_VOLUME_INFORMATION {
    LARGE_INTEGER   VolumeCreationTime;
    ULONG           VolumeSerialNumber;
    ULONG           VolumeLabelLength;
    BOOLEAN         SupportsObjects;
    WCHAR           VolumeLabel[1];
} FILE_FS_VOLUME_INFORMATION, *PFILE_FS_VOLUME_INFORMATION;

typedef struct _FILE_FULL_DIR_INFORMATION {
    ULONG           NextEntryOffset;
    ULONG           FileIndex;
    LARGE_INTEGER   CreationTime;
    LARGE_INTEGER   LastAccessTime;
    LARGE_INTEGER   LastWriteTime;
    LARGE_INTEGER   ChangeTime;
    LARGE_INTEGER   EndOfFile;
    LARGE_INTEGER   AllocationSize;
    ULONG           FileAttributes;
    ULONG           FileNameLength;
    ULONG           EaSize;
    WCHAR           FileName[1];
} FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION;

typedef struct _FILE_GET_EA_INFORMATION {
    ULONG   NextEntryOffset;
    UCHAR   EaNameLength;
    CHAR    EaName[1];
} FILE_GET_EA_INFORMATION, *PFILE_GET_EA_INFORMATION;

typedef struct _FILE_GET_QUOTA_INFORMATION {
    ULONG   NextEntryOffset;
    ULONG   SidLength;
    SID     Sid;
} FILE_GET_QUOTA_INFORMATION, *PFILE_GET_QUOTA_INFORMATION;

typedef struct _FILE_ID_BOTH_DIR_INFORMATION {
    ULONG           NextEntryOffset;
    ULONG           FileIndex;
    LARGE_INTEGER   CreationTime;
    LARGE_INTEGER   LastAccessTime;
    LARGE_INTEGER   LastWriteTime;
    LARGE_INTEGER   ChangeTime;
    LARGE_INTEGER   EndOfFile;
    LARGE_INTEGER   AllocationSize;
    ULONG           FileAttributes;
    ULONG           FileNameLength;
    ULONG           EaSize;
    CCHAR           ShortNameLength;
    WCHAR           ShortName[12];
    LARGE_INTEGER   FileId;
    WCHAR           FileName[1];
} FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION;

typedef struct _FILE_ID_FULL_DIR_INFORMATION {
    ULONG           NextEntryOffset;
    ULONG           FileIndex;
    LARGE_INTEGER   CreationTime;
    LARGE_INTEGER   LastAccessTime;
    LARGE_INTEGER   LastWriteTime;
    LARGE_INTEGER   ChangeTime;
    LARGE_INTEGER   EndOfFile;
    LARGE_INTEGER   AllocationSize;
    ULONG           FileAttributes;
    ULONG           FileNameLength;
    ULONG           EaSize;
    LARGE_INTEGER   FileId;
    WCHAR           FileName[1];
} FILE_ID_FULL_DIR_INFORMATION, *PFILE_ID_FULL_DIR_INFORMATION;

typedef struct _FILE_INTERNAL_INFORMATION {
    LARGE_INTEGER IndexNumber;
} FILE_INTERNAL_INFORMATION, *PFILE_INTERNAL_INFORMATION;

typedef struct _FILE_LINK_INFORMATION {
    BOOLEAN ReplaceIfExists;
    HANDLE  RootDirectory;
    ULONG   FileNameLength;
    WCHAR   FileName[1];
} FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION;

typedef struct _FILE_LOCK_INFO {
    LARGE_INTEGER   StartingByte;
    LARGE_INTEGER   Length;
    BOOLEAN         ExclusiveLock;
    ULONG           Key;
    PFILE_OBJECT    FileObject;
    PEPROCESS       Process;
    LARGE_INTEGER   EndingByte;
} FILE_LOCK_INFO, *PFILE_LOCK_INFO;

// raw internal file lock struct returned from FsRtlGetNextFileLock
typedef struct _FILE_SHARED_LOCK_ENTRY {
    PVOID           Unknown1;
    PVOID           Unknown2;
    FILE_LOCK_INFO  FileLock;
} FILE_SHARED_LOCK_ENTRY, *PFILE_SHARED_LOCK_ENTRY;

// raw internal file lock struct returned from FsRtlGetNextFileLock
typedef struct _FILE_EXCLUSIVE_LOCK_ENTRY {
    LIST_ENTRY      ListEntry;
    PVOID           Unknown1;
    PVOID           Unknown2;
    FILE_LOCK_INFO  FileLock;
} FILE_EXCLUSIVE_LOCK_ENTRY, *PFILE_EXCLUSIVE_LOCK_ENTRY;

typedef NTSTATUS (*PCOMPLETE_LOCK_IRP_ROUTINE) (
    IN PVOID    Context,
    IN PIRP     Irp
);

typedef VOID (*PUNLOCK_ROUTINE) (
    IN PVOID            Context,
    IN PFILE_LOCK_INFO  FileLockInfo
);

typedef struct _FILE_LOCK {
    PCOMPLETE_LOCK_IRP_ROUTINE  CompleteLockIrpRoutine;
    PUNLOCK_ROUTINE             UnlockRoutine;
    BOOLEAN                     FastIoIsQuestionable;
    BOOLEAN                     Pad[3];
    PVOID                       LockInformation;
    FILE_LOCK_INFO              LastReturnedLockInfo;
    PVOID                       LastReturnedLock;
} FILE_LOCK, *PFILE_LOCK;

typedef struct _FILE_MAILSLOT_PEEK_BUFFER {
    ULONG ReadDataAvailable;
    ULONG NumberOfMessages;
    ULONG MessageLength;
} FILE_MAILSLOT_PEEK_BUFFER, *PFILE_MAILSLOT_PEEK_BUFFER;

typedef struct _FILE_MAILSLOT_QUERY_INFORMATION {
    ULONG           MaximumMessageSize;
    ULONG           MailslotQuota;
    ULONG           NextMessageSize;
    ULONG           MessagesAvailable;
    LARGE_INTEGER   ReadTimeout;
} FILE_MAILSLOT_QUERY_INFORMATION, *PFILE_MAILSLOT_QUERY_INFORMATION;

typedef struct _FILE_MAILSLOT_SET_INFORMATION {
    PLARGE_INTEGER ReadTimeout;
} FILE_MAILSLOT_SET_INFORMATION, *PFILE_MAILSLOT_SET_INFORMATION;

typedef struct _FILE_MODE_INFORMATION {
    ULONG Mode;
} FILE_MODE_INFORMATION, *PFILE_MODE_INFORMATION;

// This structure is included in the Windows 2000 DDK but is missing in the
// Windows NT 4.0 DDK
#if (VER_PRODUCTBUILD < 2195)
typedef struct _FILE_NAME_INFORMATION {
    ULONG FileNameLength;
    WCHAR FileName[1];
} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;
#endif // (VER_PRODUCTBUILD < 2195)

typedef struct _FILE_ALL_INFORMATION {
    FILE_BASIC_INFORMATION      BasicInformation;
    FILE_STANDARD_INFORMATION   StandardInformation;
    FILE_INTERNAL_INFORMATION   InternalInformation;
    FILE_EA_INFORMATION         EaInformation;
    FILE_ACCESS_INFORMATION     AccessInformation;
    FILE_POSITION_INFORMATION   PositionInformation;
    FILE_MODE_INFORMATION       ModeInformation;
    FILE_ALIGNMENT_INFORMATION  AlignmentInformation;
    FILE_NAME_INFORMATION       NameInformation;
} FILE_ALL_INFORMATION, *PFILE_ALL_INFORMATION;

typedef struct _FILE_NAMES_INFORMATION {
    ULONG NextEntryOffset;
    ULONG FileIndex;
    ULONG FileNameLength;
    WCHAR FileName[1];
} FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION;

typedef struct _FILE_NOTIFY_INFORMATION {
    ULONG NextEntryOffset;
    ULONG Action;
    ULONG FileNameLength;
    WCHAR FileName[1];
} FILE_NOTIFY_INFORMATION, *PFILE_NOTIFY_INFORMATION;

typedef struct _FILE_OBJECTID_INFORMATION {
    LONGLONG        FileReference;
    UCHAR           ObjectId[16];
    union {
        struct {
            UCHAR   BirthVolumeId[16];
            UCHAR   BirthObjectId[16];
            UCHAR   DomainId[16];
        } ;
        UCHAR       ExtendedInfo[48];
    };
} FILE_OBJECTID_INFORMATION, *PFILE_OBJECTID_INFORMATION;

typedef struct _FILE_OLE_CLASSID_INFORMATION {
    GUID ClassId;
} FILE_OLE_CLASSID_INFORMATION, *PFILE_OLE_CLASSID_INFORMATION;

typedef struct _FILE_OLE_ALL_INFORMATION {
    FILE_BASIC_INFORMATION          BasicInformation;
    FILE_STANDARD_INFORMATION       StandardInformation;
    FILE_INTERNAL_INFORMATION       InternalInformation;
    FILE_EA_INFORMATION             EaInformation;
    FILE_ACCESS_INFORMATION         AccessInformation;
    FILE_POSITION_INFORMATION       PositionInformation;
    FILE_MODE_INFORMATION           ModeInformation;
    FILE_ALIGNMENT_INFORMATION      AlignmentInformation;
    USN                             LastChangeUsn;
    USN                             ReplicationUsn;
    LARGE_INTEGER                   SecurityChangeTime;
    FILE_OLE_CLASSID_INFORMATION    OleClassIdInformation;
    FILE_OBJECTID_INFORMATION       ObjectIdInformation;
    FILE_STORAGE_TYPE               StorageType;
    ULONG                           OleStateBits;
    ULONG                           OleId;
    ULONG                           NumberOfStreamReferences;
    ULONG                           StreamIndex;
    ULONG                           SecurityId;
    BOOLEAN                         ContentIndexDisable;
    BOOLEAN                         InheritContentIndexDisable;
    FILE_NAME_INFORMATION           NameInformation;
} FILE_OLE_ALL_INFORMATION, *PFILE_OLE_ALL_INFORMATION;

typedef struct _FILE_OLE_DIR_INFORMATION {
    ULONG               NextEntryOffset;
    ULONG               FileIndex;
    LARGE_INTEGER       CreationTime;
    LARGE_INTEGER       LastAccessTime;
    LARGE_INTEGER       LastWriteTime;
    LARGE_INTEGER       ChangeTime;
    LARGE_INTEGER       EndOfFile;
    LARGE_INTEGER       AllocationSize;
    ULONG               FileAttributes;
    ULONG               FileNameLength;
    FILE_STORAGE_TYPE   StorageType;
    GUID                OleClassId;
    ULONG               OleStateBits;
    BOOLEAN             ContentIndexDisable;
    BOOLEAN             InheritContentIndexDisable;
    WCHAR               FileName[1];
} FILE_OLE_DIR_INFORMATION, *PFILE_OLE_DIR_INFORMATION;

typedef struct _FILE_OLE_INFORMATION {
    LARGE_INTEGER                   SecurityChangeTime;
    FILE_OLE_CLASSID_INFORMATION    OleClassIdInformation;
    FILE_OBJECTID_INFORMATION       ObjectIdInformation;
    FILE_STORAGE_TYPE               StorageType;
    ULONG                           OleStateBits;
    BOOLEAN                         ContentIndexDisable;
    BOOLEAN                         InheritContentIndexDisable;
} FILE_OLE_INFORMATION, *PFILE_OLE_INFORMATION;

typedef struct _FILE_OLE_STATE_BITS_INFORMATION {
    ULONG StateBits;
    ULONG StateBitsMask;
} FILE_OLE_STATE_BITS_INFORMATION, *PFILE_OLE_STATE_BITS_INFORMATION;

typedef struct _FILE_PIPE_ASSIGN_EVENT_BUFFER {
    HANDLE  EventHandle;
    ULONG   KeyValue;
} FILE_PIPE_ASSIGN_EVENT_BUFFER, *PFILE_PIPE_ASSIGN_EVENT_BUFFER;

typedef struct _FILE_PIPE_CLIENT_PROCESS_BUFFER {
    PVOID ClientSession;
    PVOID ClientProcess;
} FILE_PIPE_CLIENT_PROCESS_BUFFER, *PFILE_PIPE_CLIENT_PROCESS_BUFFER;

typedef struct _FILE_PIPE_EVENT_BUFFER {
    ULONG NamedPipeState;
    ULONG EntryType;
    ULONG ByteCount;
    ULONG KeyValue;
    ULONG NumberRequests;
} FILE_PIPE_EVENT_BUFFER, *PFILE_PIPE_EVENT_BUFFER;

typedef struct _FILE_PIPE_INFORMATION {
    ULONG ReadMode;
    ULONG CompletionMode;
} FILE_PIPE_INFORMATION, *PFILE_PIPE_INFORMATION;

typedef struct _FILE_PIPE_LOCAL_INFORMATION {
    ULONG NamedPipeType;
    ULONG NamedPipeConfiguration;
    ULONG MaximumInstances;
    ULONG CurrentInstances;
    ULONG InboundQuota;
    ULONG ReadDataAvailable;
    ULONG OutboundQuota;
    ULONG WriteQuotaAvailable;
    ULONG NamedPipeState;
    ULONG NamedPipeEnd;
} FILE_PIPE_LOCAL_INFORMATION, *PFILE_PIPE_LOCAL_INFORMATION;

typedef struct _FILE_PIPE_PEEK_BUFFER {
    ULONG   NamedPipeState;
    ULONG   ReadDataAvailable;
    ULONG   NumberOfMessages;
    ULONG   MessageLength;
    CHAR    Data[1];
} FILE_PIPE_PEEK_BUFFER, *PFILE_PIPE_PEEK_BUFFER;

typedef struct _FILE_PIPE_REMOTE_INFORMATION {
    LARGE_INTEGER   CollectDataTime;
    ULONG           MaximumCollectionCount;
} FILE_PIPE_REMOTE_INFORMATION, *PFILE_PIPE_REMOTE_INFORMATION;

typedef struct _FILE_PIPE_WAIT_FOR_BUFFER {
    LARGE_INTEGER   Timeout;
    ULONG           NameLength;
    BOOLEAN         TimeoutSpecified;
    WCHAR           Name[1];
} FILE_PIPE_WAIT_FOR_BUFFER, *PFILE_PIPE_WAIT_FOR_BUFFER;

typedef struct _FILE_QUOTA_INFORMATION {
    ULONG           NextEntryOffset;
    ULONG           SidLength;
    LARGE_INTEGER   ChangeTime;
    LARGE_INTEGER   QuotaUsed;
    LARGE_INTEGER   QuotaThreshold;
    LARGE_INTEGER   QuotaLimit;
    SID             Sid;
} FILE_QUOTA_INFORMATION, *PFILE_QUOTA_INFORMATION;

typedef struct _FILE_RENAME_INFORMATION {
    BOOLEAN ReplaceIfExists;
    HANDLE  RootDirectory;
    ULONG   FileNameLength;
    WCHAR   FileName[1];
} FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION;

typedef struct _FILE_STREAM_INFORMATION {
    ULONG           NextEntryOffset;
    ULONG           StreamNameLength;
    LARGE_INTEGER   StreamSize;
    LARGE_INTEGER   StreamAllocationSize;
    WCHAR           StreamName[1];
} FILE_STREAM_INFORMATION, *PFILE_STREAM_INFORMATION;

typedef struct _FILE_TRACKING_INFORMATION {
    HANDLE  DestinationFile;
    ULONG   ObjectInformationLength;
    CHAR    ObjectInformation[1];
} FILE_TRACKING_INFORMATION, *PFILE_TRACKING_INFORMATION;

typedef struct _FSRTL_COMMON_FCB_HEADER {
    CSHORT          NodeTypeCode;
    CSHORT          NodeByteSize;
    UCHAR           Flags;
    UCHAR           IsFastIoPossible;
#if (VER_PRODUCTBUILD >= 1381)
    UCHAR           Flags2;
    UCHAR           Reserved;
#endif // (VER_PRODUCTBUILD >= 1381)
    PERESOURCE      Resource;
    PERESOURCE      PagingIoResource;
    LARGE_INTEGER   AllocationSize;
    LARGE_INTEGER   FileSize;
    LARGE_INTEGER   ValidDataLength;
} FSRTL_COMMON_FCB_HEADER, *PFSRTL_COMMON_FCB_HEADER;

typedef struct _GENERATE_NAME_CONTEXT {
    USHORT  Checksum;
    BOOLEAN CheckSumInserted;
    UCHAR   NameLength;
    WCHAR   NameBuffer[8];
    ULONG   ExtensionLength;
    WCHAR   ExtensionBuffer[4];
    ULONG   LastIndexValue;
} GENERATE_NAME_CONTEXT, *PGENERATE_NAME_CONTEXT;

typedef struct _HANDLE_INFO {       // Information about open handles
    union {
        PEPROCESS   Process;        // Pointer to PEPROCESS owning the Handle
        ULONG       Count;          // Count of HANDLE_INFO structures following this structure
    } HandleInfo;
    USHORT          HandleCount;
} HANDLE_INFO, *PHANDLE_INFO;

typedef struct _HANDLE_TABLE_ENTRY_INFO {
    ULONG AuditMask;
} HANDLE_TABLE_ENTRY_INFO, *PHANDLE_TABLE_ENTRY_INFO;

typedef struct _HANDLE_TABLE_ENTRY {
    union {
        PVOID                       Object;
        ULONG                       ObAttributes;
        PHANDLE_TABLE_ENTRY_INFO    InfoTable;
        ULONG                       Value;
    };
    union {
        ULONG                       GrantedAccess;
        USHORT                      GrantedAccessIndex;
        LONG                        NextFreeTableEntry;
    };
    USHORT                          CreatorBackTraceIndex;
} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;

typedef struct _MAPPING_PAIR {
    ULONGLONG Vcn;
    ULONGLONG Lcn;
} MAPPING_PAIR, *PMAPPING_PAIR;

typedef struct _GET_RETRIEVAL_DESCRIPTOR {
    ULONG           NumberOfPairs;
    ULONGLONG       StartVcn;
    MAPPING_PAIR    Pair[1];
} GET_RETRIEVAL_DESCRIPTOR, *PGET_RETRIEVAL_DESCRIPTOR;

typedef struct _INITIAL_TEB {
    ULONG Unknown_1;
    ULONG Unknown_2;
    PVOID StackTop;
    PVOID StackBase;
    PVOID Unknown_3;
} INITIAL_TEB, *PINITIAL_TEB;

typedef struct _IO_CLIENT_EXTENSION {
    struct _IO_CLIENT_EXTENSION *NextExtension;
    PVOID                       ClientIdentificationAddress;
} IO_CLIENT_EXTENSION, *PIO_CLIENT_EXTENSION;

typedef struct _IO_COMPLETION_BASIC_INFORMATION {
    LONG Depth;
} IO_COMPLETION_BASIC_INFORMATION, *PIO_COMPLETION_BASIC_INFORMATION;

typedef struct _KEVENT_PAIR {
    USHORT Type;
    USHORT Size;
    KEVENT Event1;
    KEVENT Event2;
} KEVENT_PAIR, *PKEVENT_PAIR;

typedef struct _KINTERRUPT {
    CSHORT              Type;
    CSHORT              Size;
    LIST_ENTRY          InterruptListEntry;
    PKSERVICE_ROUTINE   ServiceRoutine;
    PVOID               ServiceContext;
    KSPIN_LOCK          SpinLock;
    ULONG               TickCount;
    PKSPIN_LOCK         ActualLock;
    PVOID               DispatchAddress;
    ULONG               Vector;
    KIRQL               Irql;
    KIRQL               SynchronizeIrql;
    BOOLEAN             FloatingSave;
    BOOLEAN             Connected;
    CHAR                Number;
    UCHAR               ShareVector;
    KINTERRUPT_MODE     Mode;
    ULONG               ServiceCount;
    ULONG               DispatchCount;
    ULONG               DispatchCode[106];
} KINTERRUPT, *PKINTERRUPT;

typedef struct _KQUEUE {
    DISPATCHER_HEADER   Header;
    LIST_ENTRY          EntryListHead;
    ULONG               CurrentCount;
    ULONG               MaximumCount;
    LIST_ENTRY          ThreadListHead;
} KQUEUE, *PKQUEUE, *RESTRICTED_POINTER PRKQUEUE;

typedef struct _LARGE_MCB {
    PFAST_MUTEX FastMutex;
    ULONG       MaximumPairCount;
    ULONG       PairCount;
    POOL_TYPE   PoolType;
    PVOID       Mapping;
} LARGE_MCB, *PLARGE_MCB;

typedef struct _LPC_MESSAGE {
    USHORT      DataSize;
    USHORT      MessageSize;
    USHORT      MessageType;
    USHORT      VirtualRangesOffset;
    CLIENT_ID   ClientId;
    ULONG       MessageId;
    ULONG       SectionSize;
    UCHAR       Data[1];
} LPC_MESSAGE, *PLPC_MESSAGE;

typedef struct _LPC_SECTION_READ {
    ULONG Length;
    ULONG ViewSize;
    PVOID ViewBase;
} LPC_SECTION_READ, *PLPC_SECTION_READ;

typedef struct _LPC_SECTION_WRITE {
    ULONG   Length;
    HANDLE  SectionHandle;
    ULONG   SectionOffset;
    ULONG   ViewSize;
    PVOID   ViewBase;
    PVOID   TargetViewBase;
} LPC_SECTION_WRITE, *PLPC_SECTION_WRITE;

typedef struct _MAILSLOT_CREATE_PARAMETERS {
    ULONG           MailslotQuota;
    ULONG           MaximumMessageSize;
    LARGE_INTEGER   ReadTimeout;
    BOOLEAN         TimeoutSpecified;
} MAILSLOT_CREATE_PARAMETERS, *PMAILSLOT_CREATE_PARAMETERS;

typedef struct _MBCB {
    CSHORT          NodeTypeCode;
    CSHORT          NodeIsInZone;
    ULONG           PagesToWrite;
    ULONG           DirtyPages;
    ULONG           Reserved;
    LIST_ENTRY      BitmapRanges;
    LONGLONG        ResumeWritePage;
    BITMAP_RANGE    BitmapRange1;
    BITMAP_RANGE    BitmapRange2;
    BITMAP_RANGE    BitmapRange3;
} MBCB, *PMBCB;

typedef struct _MCB {
    LARGE_MCB LargeMcb;
} MCB, *PMCB;

typedef struct _MOVEFILE_DESCRIPTOR {
     HANDLE         FileHandle; 
     ULONG          Reserved;   
     LARGE_INTEGER  StartVcn; 
     LARGE_INTEGER  TargetLcn;
     ULONG          NumVcns; 
     ULONG          Reserved1;  
} MOVEFILE_DESCRIPTOR, *PMOVEFILE_DESCRIPTOR;

typedef struct _NAMED_PIPE_CREATE_PARAMETERS {
    ULONG           NamedPipeType;
    ULONG           ReadMode;
    ULONG           CompletionMode;
    ULONG           MaximumInstances;
    ULONG           InboundQuota;
    ULONG           OutboundQuota;
    LARGE_INTEGER   DefaultTimeout;
    BOOLEAN         TimeoutSpecified;
} NAMED_PIPE_CREATE_PARAMETERS, *PNAMED_PIPE_CREATE_PARAMETERS;

typedef struct _QUOTA_BLOCK {
    KSPIN_LOCK  QuotaLock;
    ULONG       ReferenceCount; // Number of processes using this block
    ULONG       PeakNonPagedPoolUsage;
    ULONG       PeakPagedPoolUsage;
    ULONG       NonPagedpoolUsage;
    ULONG       PagedPoolUsage;
    ULONG       NonPagedPoolLimit;
    ULONG       PagedPoolLimit;
    ULONG       PeakPagefileUsage;
    ULONG       PagefileUsage;
    ULONG       PageFileLimit;
} QUOTA_BLOCK, *PQUOTA_BLOCK;

typedef struct _OBJECT_BASIC_INFO {
    ULONG           Attributes;
    ACCESS_MASK     GrantedAccess;
    ULONG           HandleCount;
    ULONG           ReferenceCount;
    ULONG           PagedPoolUsage;
    ULONG           NonPagedPoolUsage;
    ULONG           Reserved[3];
    ULONG           NameInformationLength;
    ULONG           TypeInformationLength;
    ULONG           SecurityDescriptorLength;
    LARGE_INTEGER   CreateTime;
} OBJECT_BASIC_INFO, *POBJECT_BASIC_INFO;

typedef struct _OBJECT_CREATE_INFORMATION {
    ULONG                           Attributes;
    HANDLE                          RootDirectory; // 0x4
    PVOID                           ParseContext; // 0x8
    KPROCESSOR_MODE                 ProbeMode; // 0xc
    ULONG                           PagedPoolCharge; // 0x10
    ULONG                           NonPagedPoolCharge; // 0x14
    ULONG                           SecurityDescriptorCharge; // 0x18
    PSECURITY_DESCRIPTOR            SecurityDescriptor; // 0x1c
    PSECURITY_QUALITY_OF_SERVICE    SecurityQos; // 0x20
    SECURITY_QUALITY_OF_SERVICE     SecurityQualityOfService; // 0x24
} OBJECT_CREATE_INFORMATION, *POBJECT_CREATE_INFORMATION;

typedef struct _OBJECT_CREATOR_INFO {
    LIST_ENTRY  Creator;
    ULONG       UniqueProcessId; // Creator's Process ID
    ULONG       Reserved; // Alignment
} OBJECT_CREATOR_INFO, *POBJECT_CREATOR_INFO;

typedef struct _OBJECT_DIRECTORY_ITEM {
    struct _OBJECT_DIRECTORY_ITEM   *Next;
    PVOID                           Object;
} OBJECT_DIRECTORY_ITEM, *POBJECT_DIRECTORY_ITEM;

typedef struct _OBJECT_DIRECTORY {
    POBJECT_DIRECTORY_ITEM  HashEntries[0x25];
    POBJECT_DIRECTORY_ITEM  LastHashAccess;
    ULONG                   LastHashResult;
} OBJECT_DIRECTORY, *POBJECT_DIRECTORY;

typedef struct _OBJECT_HANDLE_ATTRIBUTE_INFO {
    BOOLEAN Inherit;
    BOOLEAN ProtectFromClose;
} OBJECT_HANDLE_ATTRIBUTE_INFO, *POBJECT_HANDLE_ATTRIBUTE_INFO;

typedef struct _OBJECT_HANDLE_DB {
    union {
        struct _EPROCESS                *Process;
        struct _OBJECT_HANDLE_DB_LIST   *HandleDBList;
    };
    ULONG                               HandleCount;
} OBJECT_HANDLE_DB, *POBJECT_HANDLE_DB;

typedef struct _OBJECT_HANDLE_DB_LIST {
    ULONG               Count;
    OBJECT_HANDLE_DB    Entries[1];
} OBJECT_HANDLE_DB_LIST, *POBJECT_HANDLE_DB_LIST;

typedef struct _OBJECT_HEADER_FLAGS {
    ULONG NameInfoOffset     : 8;
    ULONG HandleInfoOffset   : 8;
    ULONG QuotaInfoOffset    : 8;
    ULONG QuotaBlock         : 1;   // QuotaBlock/ObjectInfo
    ULONG KernelMode         : 1;   // UserMode/KernelMode
    ULONG CreatorInfo        : 1;
    ULONG Exclusive          : 1;
    ULONG Permanent          : 1;
    ULONG SecurityDescriptor : 1;
    ULONG HandleInfo         : 1;
    ULONG Reserved           : 1;
} OBJECT_HEADER_FLAGS, *POBJECT_HEADER_FLAGS;

typedef struct _OBJECT_HEADER {
    ULONG                           ReferenceCount;
    union {
        ULONG                       HandleCount;
        PSINGLE_LIST_ENTRY          NextToFree;
    }; // 0x4
    POBJECT_TYPE                    ObjectType; // 0x8
    OBJECT_HEADER_FLAGS             Flags; // 0xc
    union {
        POBJECT_CREATE_INFORMATION  ObjectCreateInfo;
        PQUOTA_BLOCK                QuotaBlock;
    }; // 0x10
    PSECURITY_DESCRIPTOR            SecurityDescriptor; // 0x14
    QUAD                            Body; // 0x18
} OBJECT_HEADER, *POBJECT_HEADER;

typedef struct _OBJECT_NAME {
    POBJECT_DIRECTORY   Directory; 
    UNICODE_STRING      ObjectName;
    ULONG               Reserved;
} OBJECT_NAME, *POBJECT_NAME;

typedef struct _OBJECT_NAME_INFO {
    UNICODE_STRING  ObjectName;
    WCHAR           ObjectNameBuffer[1];
} OBJECT_NAME_INFO, *POBJECT_NAME_INFO;

typedef struct _OBJECT_PROTECTION_INFO {
    BOOLEAN Inherit;
    BOOLEAN ProtectHandle;
} OBJECT_PROTECTION_INFO, *POBJECT_PROTECTION_INFO;

typedef struct _OBJECT_QUOTA_CHARGES {
    ULONG PagedPoolCharge;
    ULONG NonPagedPoolCharge;
    ULONG SecurityCharge;
    ULONG Reserved;
} OBJECT_QUOTA_CHARGES, *POBJECT_QUOTA_CHARGES;

typedef struct _OBJECT_QUOTA_INFO {
    ULONG       PagedPoolQuota;
    ULONG       NonPagedPoolQuota;
    ULONG       QuotaInformationSize;
    PEPROCESS   Process; // Owning process
} OBJECT_QUOTA_INFO, *POBJECT_QUOTA_INFO;

typedef struct _OBJECT_TYPE_INITIALIZER {
    USHORT          Length;
    BOOLEAN         UseDefaultObject;
    BOOLEAN         Reserved1;
    ULONG           InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ACCESS_MASK     ValidAccessMask;
    BOOLEAN         SecurityRequired;
    BOOLEAN         MaintainHandleCount;  /* OBJECT_HANDLE_DB */
    BOOLEAN         MaintainTypeList;     /* OBJECT_CREATOR_INFO */
    UCHAR           Reserved2;
    BOOLEAN         PagedPool;
    ULONG           DefaultPagedPoolCharge;
    ULONG           DefaultNonPagedPoolCharge;
    PVOID           DumpProcedure;
    PVOID           OpenProcedure;
    PVOID           CloseProcedure;
    PVOID           DeleteProcedure;
    PVOID           ParseProcedure;
    PVOID           SecurityProcedure;    /* SeDefaultObjectMethod */
    PVOID           QueryNameProcedure;
    PVOID           OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;

typedef struct _OBJECT_TYPE {
    ERESOURCE               Lock;
    LIST_ENTRY              ObjectListHead; /* OBJECT_CREATOR_INFO */
    UNICODE_STRING          ObjectTypeName;
    union {
        PVOID               DefaultObject;  /* ObpDefaultObject */
        ULONG               Code; /* File: 5C, WaitablePort: A0 */
    };
    ULONG                   ObjectTypeIndex; /* OB_TYPE_INDEX_* */
    ULONG                   ObjectCount;
    ULONG                   HandleCount;
    ULONG                   PeakObjectCount;
    ULONG                   PeakHandleCount;
    OBJECT_TYPE_INITIALIZER TypeInfo;
    ULONG                   ObjectTypeTag;   /* OB_TYPE_TAG_* */
} OBJECT_TYPE, *POBJECT_TYPE;

typedef struct _OBJECT_TYPE_INFO {
    UNICODE_STRING  ObjectTypeName;
    UCHAR           Unknown[0x58];
    WCHAR           ObjectTypeNameBuffer[1];
} OBJECT_TYPE_INFO, *POBJECT_TYPE_INFO;

typedef struct _OBJECT_ALL_TYPES_INFO {
    ULONG               NumberOfObjectTypes;
    OBJECT_TYPE_INFO    ObjectsTypeInfo[1];
} OBJECT_ALL_TYPES_INFO, *POBJECT_ALL_TYPES_INFO;

typedef struct _PAGEFAULT_HISTORY {
    ULONG                           CurrentIndex;
    ULONG                           MaxIndex;
    KSPIN_LOCK                      SpinLock;
    PVOID                           Reserved;
    PROCESS_WS_WATCH_INFORMATION    WatchInfo[1];
} PAGEFAULT_HISTORY, *PPAGEFAULT_HISTORY;

typedef struct _PATHNAME_BUFFER {
    ULONG PathNameLength;
    WCHAR Name[1];
} PATHNAME_BUFFER, *PPATHNAME_BUFFER;

#if (VER_PRODUCTBUILD >= 2600)

typedef struct _PRIVATE_CACHE_MAP_FLAGS {
    ULONG DontUse           : 16;
    ULONG ReadAheadActive   : 1;
    ULONG ReadAheadEnabled  : 1;
    ULONG Available         : 14;
} PRIVATE_CACHE_MAP_FLAGS, *PPRIVATE_CACHE_MAP_FLAGS;

typedef struct _PRIVATE_CACHE_MAP {
    union {
        CSHORT                  NodeTypeCode;
        PRIVATE_CACHE_MAP_FLAGS Flags;
        ULONG                   UlongFlags;
    };
    ULONG                       ReadAheadMask;
    PFILE_OBJECT                FileObject;
    LARGE_INTEGER               FileOffset1;
    LARGE_INTEGER               BeyondLastByte1;
    LARGE_INTEGER               FileOffset2;
    LARGE_INTEGER               BeyondLastByte2;
    LARGE_INTEGER               ReadAheadOffset[2];
    ULONG                       ReadAheadLength[2];
    KSPIN_LOCK                  ReadAheadSpinLock;
    LIST_ENTRY                  PrivateLinks;
} PRIVATE_CACHE_MAP, *PPRIVATE_CACHE_MAP;

#endif


typedef struct _PROCESS_PRIORITY_CLASS {
    BOOLEAN Foreground;
    UCHAR   PriorityClass;
} PROCESS_PRIORITY_CLASS, *PPROCESS_PRIORITY_CLASS;

typedef struct _PS_IMPERSONATION_INFORMATION {
    PACCESS_TOKEN                   Token;
    BOOLEAN                         CopyOnOpen;
    BOOLEAN                         EffectiveOnly;
    SECURITY_IMPERSONATION_LEVEL    ImpersonationLevel;
} PS_IMPERSONATION_INFORMATION, *PPS_IMPERSONATION_INFORMATION;

typedef struct _PUBLIC_BCB {
    CSHORT          NodeTypeCode;
    CSHORT          NodeByteSize;
    ULONG           MappedLength;
    LARGE_INTEGER   MappedFileOffset;
} PUBLIC_BCB, *PPUBLIC_BCB;

typedef struct _QUERY_PATH_REQUEST {
    ULONG                   PathNameLength;
    PIO_SECURITY_CONTEXT    SecurityContext;
    WCHAR                   FilePathName[1];
} QUERY_PATH_REQUEST, *PQUERY_PATH_REQUEST;

typedef struct _QUERY_PATH_RESPONSE {
    ULONG LengthAccepted;
} QUERY_PATH_RESPONSE, *PQUERY_PATH_RESPONSE;

#if (VER_PRODUCTBUILD >= 2600)

typedef struct _READ_LIST {
    PFILE_OBJECT            FileObject;
    ULONG                   NumberOfEntries;
    LOGICAL                 IsImage;
    FILE_SEGMENT_ELEMENT    List[ANYSIZE_ARRAY];
} READ_LIST, *PREAD_LIST;

#endif // (VER_PRODUCTBUILD >= 2600)

typedef struct _REPARSE_DATA_BUFFER {

    ULONG  ReparseTag;
    USHORT ReparseDataLength;
    USHORT Reserved;

    union {

        struct {
            USHORT  SubstituteNameOffset;
            USHORT  SubstituteNameLength;
            USHORT  PrintNameOffset;
            USHORT  PrintNameLength;
            WCHAR   PathBuffer[1];
        } SymbolicLinkReparseBuffer;

        struct {
            USHORT  SubstituteNameOffset;
            USHORT  SubstituteNameLength;
            USHORT  PrintNameOffset;
            USHORT  PrintNameLength;
            WCHAR   PathBuffer[1];
        } MountPointReparseBuffer;

        struct {
            UCHAR   DataBuffer[1];
        } GenericReparseBuffer;
    };

} REPARSE_DATA_BUFFER, *PREPARSE_DATA_BUFFER;

typedef struct _RETRIEVAL_POINTERS_BUFFER {
    ULONG               ExtentCount;
    LARGE_INTEGER       StartingVcn;
    struct {
        LARGE_INTEGER   NextVcn;
        LARGE_INTEGER   Lcn;
    } Extents[1];
} RETRIEVAL_POINTERS_BUFFER, *PRETRIEVAL_POINTERS_BUFFER;

typedef struct _RTL_SPLAY_LINKS {
    struct _RTL_SPLAY_LINKS *Parent;
    struct _RTL_SPLAY_LINKS *LeftChild;
    struct _RTL_SPLAY_LINKS *RightChild;
} RTL_SPLAY_LINKS, *PRTL_SPLAY_LINKS;

typedef struct _SE_EXPORTS {

    LUID    SeCreateTokenPrivilege;
    LUID    SeAssignPrimaryTokenPrivilege;
    LUID    SeLockMemoryPrivilege;
    LUID    SeIncreaseQuotaPrivilege;
    LUID    SeUnsolicitedInputPrivilege;
    LUID    SeTcbPrivilege;
    LUID    SeSecurityPrivilege;
    LUID    SeTakeOwnershipPrivilege;
    LUID    SeLoadDriverPrivilege;
    LUID    SeCreatePagefilePrivilege;
    LUID    SeIncreaseBasePriorityPrivilege;
    LUID    SeSystemProfilePrivilege;
    LUID    SeSystemtimePrivilege;
    LUID    SeProfileSingleProcessPrivilege;
    LUID    SeCreatePermanentPrivilege;
    LUID    SeBackupPrivilege;
    LUID    SeRestorePrivilege;
    LUID    SeShutdownPrivilege;
    LUID    SeDebugPrivilege;
    LUID    SeAuditPrivilege;
    LUID    SeSystemEnvironmentPrivilege;
    LUID    SeChangeNotifyPrivilege;
    LUID    SeRemoteShutdownPrivilege;

    PSID    SeNullSid;
    PSID    SeWorldSid;
    PSID    SeLocalSid;
    PSID    SeCreatorOwnerSid;
    PSID    SeCreatorGroupSid;

    PSID    SeNtAuthoritySid;
    PSID    SeDialupSid;
    PSID    SeNetworkSid;
    PSID    SeBatchSid;
    PSID    SeInteractiveSid;
    PSID    SeLocalSystemSid;
    PSID    SeAliasAdminsSid;
    PSID    SeAliasUsersSid;
    PSID    SeAliasGuestsSid;
    PSID    SeAliasPowerUsersSid;
    PSID    SeAliasAccountOpsSid;
    PSID    SeAliasSystemOpsSid;
    PSID    SeAliasPrintOpsSid;
    PSID    SeAliasBackupOpsSid;

    PSID    SeAuthenticatedUsersSid;

    PSID    SeRestrictedSid;
    PSID    SeAnonymousLogonSid;

    LUID    SeUndockPrivilege;
    LUID    SeSyncAgentPrivilege;
    LUID    SeEnableDelegationPrivilege;

} SE_EXPORTS, *PSE_EXPORTS;

typedef struct _SECTION_BASIC_INFORMATION {
    PVOID           BaseAddress;
    ULONG           Attributes;
    LARGE_INTEGER   Size;
} SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;

typedef struct _SECTION_IMAGE_INFORMATION {
    PVOID   EntryPoint;
    ULONG   Unknown1;
    ULONG   StackReserve;
    ULONG   StackCommit;
    ULONG   Subsystem;
    USHORT  MinorSubsystemVersion;
    USHORT  MajorSubsystemVersion;
    ULONG   Unknown2;
    ULONG   Characteristics;
    USHORT  ImageNumber;
    BOOLEAN Executable;
    UCHAR   Unknown3;
    ULONG   Unknown4[3];
} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;

typedef struct _SECTION_OBJECT {
    PVOID                   StartingVa;
    PVOID                   EndingVa;
    struct _SECTION_OBJECT  *Parent;
    struct _SECTION_OBJECT  *LeftChild;
    struct _SECTION_OBJECT  *RightChild;
    PVOID                   Segment;
} SECTION_OBJECT, *PSECTION_OBJECT;

typedef struct _SEP_AUDIT_POLICY {
    // _SEP_AUDIT_POLICY_CATEGORIES
    ULONGLONG System                    : 4;
    ULONGLONG Logon                     : 4;
    ULONGLONG ObjectAccess              : 4;
    ULONGLONG PrivilegeUse              : 4;
    ULONGLONG DetailedTracking          : 4;
    ULONGLONG PolicyChange              : 4;
    ULONGLONG AccountManagement         : 4;
    ULONGLONG DirectoryServiceAccess    : 4;
    ULONGLONG AccountLogon              : 4;
    // _SEP_AUDIT_POLICY_OVERLAY
    ULONGLONG SetBit                    : 1;
} SEP_AUDIT_POLICY, *PSEP_AUDIT_POLICY;

typedef struct _SERVICE_DESCRIPTOR_TABLE {
    /*
     * Table containing cServices elements of pointers to service handler
     * functions, indexed by service ID.
     */
    PVOID   *ServiceTable;
    /*
     * Table that counts how many times each service is used. This table
     * is only updated in checked builds.
     */
    PULONG  CounterTable;
    /*
     * Number of services contained in this table.
     */
    ULONG   TableSize;
    /*
     * Table containing the number of bytes of parameters the handler
     * function takes.
     */
    PUCHAR  ArgumentTable;
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;

#if (VER_PRODUCTBUILD >= 2600)

typedef struct _SHARED_CACHE_MAP {
    CSHORT                      NodeTypeCode;
    CSHORT                      NodeByteSize;
    ULONG                       OpenCount;
    LARGE_INTEGER               FileSize;
    LIST_ENTRY                  BcbList;
    LARGE_INTEGER               SectionSize;
    LARGE_INTEGER               ValidDataLength;
    LARGE_INTEGER               ValidDataGoal;
    PVACB                       InitialVacbs[4];
    PVACB                       *Vacbs;
    PFILE_OBJECT                FileObject;
    PVACB                       ActiveVacb;
    PVOID                       NeedToZero;
    ULONG                       ActivePage;
    ULONG                       NeedToZeroPage;
    KSPIN_LOCK                  ActiveVacbSpinLock;
    ULONG                       VacbActiveCount;
    ULONG                       DirtyPages;
    LIST_ENTRY                  SharedCacheMapLinks;
    ULONG                       Flags;
    NTSTATUS                    Status;
    PMBCB                       Mbcb;
    PVOID                       Section;
    PKEVENT                     CreateEvent;
    PKEVENT                     WaitOnActiveCount;
    ULONG                       PagesToWrite;
    LONGLONG                    BeyondLastFlush;
    PCACHE_MANAGER_CALLBACKS    Callbacks;
    PVOID                       LazyWriteContext;
    LIST_ENTRY                  PrivateList;
    PVOID                       LogHandle;
    PVOID                       FlushToLsnRoutine;
    ULONG                       DirtyPageThreshold;
    ULONG                       LazyWritePassCount;
    PCACHE_UNINITIALIZE_EVENT   UninitializeEvent;
    PVACB                       NeedToZeroVacb;
    KSPIN_LOCK                  BcbSpinLock;
    PVOID                       Reserved;
    KEVENT                      Event;
    EX_PUSH_LOCK                VacbPushLock;
    PRIVATE_CACHE_MAP           PrivateCacheMap;
} SHARED_CACHE_MAP, *PSHARED_CACHE_MAP;

#endif


typedef struct _SID_AND_ATTRIBUTES {
    PSID    Sid;
    ULONG   Attributes;
} SID_AND_ATTRIBUTES, *PSID_AND_ATTRIBUTES;

typedef struct _STARTING_VCN_INPUT_BUFFER {
    LARGE_INTEGER StartingVcn;
} STARTING_VCN_INPUT_BUFFER, *PSTARTING_VCN_INPUT_BUFFER;

// SystemBasicInformation
typedef struct _SYSTEM_BASIC_INFORMATION {
    ULONG Unknown;
    ULONG MaximumIncrement;
    ULONG PhysicalPageSize;
    ULONG NumberOfPhysicalPages;
    ULONG LowestPhysicalPage;
    ULONG HighestPhysicalPage;
    ULONG AllocationGranularity;
    ULONG LowestUserAddress;
    ULONG HighestUserAddress;
    ULONG ActiveProcessors;
    UCHAR NumberProcessors;
} SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION;

// SystemProcessorInformation
typedef struct _SYSTEM_PROCESSOR_INFORMATION {
    USHORT  ProcessorArchitecture;
    USHORT  ProcessorLevel;
    USHORT  ProcessorRevision;
    USHORT  Unknown;
    ULONG   FeatureBits;
} SYSTEM_PROCESSOR_INFORMATION, *PSYSTEM_PROCESSOR_INFORMATION;

// SystemPerformanceInformation
typedef struct _SYSTEM_PERFORMANCE_INFORMATION {
    LARGE_INTEGER   IdleTime;
    LARGE_INTEGER   ReadTransferCount;
    LARGE_INTEGER   WriteTransferCount;
    LARGE_INTEGER   OtherTransferCount;
    ULONG           ReadOperationCount;
    ULONG           WriteOperationCount;
    ULONG           OtherOperationCount;
    ULONG           AvailablePages;
    ULONG           TotalCommittedPages;
    ULONG           TotalCommitLimit;
    ULONG           PeakCommitment;
    ULONG           PageFaults;
    ULONG           WriteCopyFaults;
    ULONG           TransistionFaults;
    ULONG           Reserved1;
    ULONG           DemandZeroFaults;
    ULONG           PagesRead;
    ULONG           PageReadIos;
    ULONG           Reserved2[2];
    ULONG           PagefilePagesWritten;
    ULONG           PagefilePageWriteIos;
    ULONG           MappedFilePagesWritten;
    ULONG           MappedFilePageWriteIos;
    ULONG           PagedPoolUsage;
    ULONG           NonPagedPoolUsage;
    ULONG           PagedPoolAllocs;
    ULONG           PagedPoolFrees;
    ULONG           NonPagedPoolAllocs;
    ULONG           NonPagedPoolFrees;
    ULONG           TotalFreeSystemPtes;
    ULONG           SystemCodePage;
    ULONG           TotalSystemDriverPages;
    ULONG           TotalSystemCodePages;
    ULONG           SmallNonPagedLookasideListAllocateHits;
    ULONG           SmallPagedLookasideListAllocateHits;
    ULONG           Reserved3;
    ULONG           MmSystemCachePage;
    ULONG           PagedPoolPage;
    ULONG           SystemDriverPage;
    ULONG           FastReadNoWait;
    ULONG           FastReadWait;
    ULONG           FastReadResourceMiss;
    ULONG           FastReadNotPossible;
    ULONG           FastMdlReadNoWait;
    ULONG           FastMdlReadWait;
    ULONG           FastMdlReadResourceMiss;
    ULONG           FastMdlReadNotPossible;
    ULONG           MapDataNoWait;
    ULONG           MapDataWait;
    ULONG           MapDataNoWaitMiss;
    ULONG           MapDataWaitMiss;
    ULONG           PinMappedDataCount;
    ULONG           PinReadNoWait;
    ULONG           PinReadWait;
    ULONG           PinReadNoWaitMiss;
    ULONG           PinReadWaitMiss;
    ULONG           CopyReadNoWait;
    ULONG           CopyReadWait;
    ULONG           CopyReadNoWaitMiss;
    ULONG           CopyReadWaitMiss;
    ULONG           MdlReadNoWait;
    ULONG           MdlReadWait;
    ULONG           MdlReadNoWaitMiss;
    ULONG           MdlReadWaitMiss;
    ULONG           ReadAheadIos;
    ULONG           LazyWriteIos;
    ULONG           LazyWritePages;
    ULONG           DataFlushes;
    ULONG           DataPages;
    ULONG           ContextSwitches;
    ULONG           FirstLevelTbFills;
    ULONG           SecondLevelTbFills;
    ULONG           SystemCalls;
} SYSTEM_PERFORMANCE_INFORMATION, *PSYSTEM_PERFORMANCE_INFORMATION;

// SystemTimeOfDayInformation
typedef struct _SYSTEM_TIME_OF_DAY_INFORMATION {
    LARGE_INTEGER   BootTime;
    LARGE_INTEGER   CurrentTime;
    LARGE_INTEGER   TimeZoneBias;
    ULONG           CurrentTimeZoneId;
} SYSTEM_TIME_OF_DAY_INFORMATION, *PSYSTEM_TIME_OF_DAY_INFORMATION;

typedef struct _SYSTEM_THREADS_INFORMATION {
    LARGE_INTEGER   KernelTime;
    LARGE_INTEGER   UserTime;
    LARGE_INTEGER   CreateTime;
    ULONG           WaitTime;
    PVOID           StartAddress;
    CLIENT_ID       ClientId;
    KPRIORITY       Priority;
    KPRIORITY       BasePriority;
    ULONG           ContextSwitchCount;
    THREAD_STATE    State;
    KWAIT_REASON    WaitReason;
} SYSTEM_THREADS_INFORMATION, *PSYSTEM_THREADS_INFORMATION;

// SystemProcessesAndThreadsInformation
typedef struct _SYSTEM_PROCESSES_INFORMATION {
    ULONG                       NextEntryDelta;
    ULONG                       ThreadCount;
    ULONG                       Reserved1[6];
    LARGE_INTEGER               CreateTime;
    LARGE_INTEGER               UserTime;
    LARGE_INTEGER               KernelTime;
    UNICODE_STRING              ProcessName;
    KPRIORITY                   BasePriority;
    ULONG                       ProcessId;
    ULONG                       InheritedFromProcessId;
    ULONG                       HandleCount;
    ULONG                       SessionId;
    ULONG                       Reserved2;
    VM_COUNTERS                 VmCounters;
#if (VER_PRODUCTBUILD >= 2195)
    IO_COUNTERS                 IoCounters;
#endif // (VER_PRODUCTBUILD >= 2195)
    SYSTEM_THREADS_INFORMATION  Threads[1];
} SYSTEM_PROCESSES_INFORMATION, *PSYSTEM_PROCESSES_INFORMATION;

// SystemCallCounts
typedef struct _SYSTEM_CALL_COUNTS {
    ULONG Size;
    ULONG NumberOfDescriptorTables;
    ULONG NumberOfRoutinesInTable[1];
    // On checked build this is followed by a ULONG CallCounts[1] variable length array.
} SYSTEM_CALL_COUNTS, *PSYSTEM_CALL_COUNTS;

// SystemConfigurationInformation
typedef struct _SYSTEM_CONFIGURATION_INFORMATION {
    ULONG DiskCount;
    ULONG FloppyCount;
    ULONG CdRomCount;
    ULONG TapeCount;
    ULONG SerialCount;
    ULONG ParallelCount;
} SYSTEM_CONFIGURATION_INFORMATION, *PSYSTEM_CONFIGURATION_INFORMATION;

// SystemProcessorTimes
typedef struct _SYSTEM_PROCESSOR_TIMES {
    LARGE_INTEGER   IdleTime;
    LARGE_INTEGER   KernelTime;
    LARGE_INTEGER   UserTime;
    LARGE_INTEGER   DpcTime;
    LARGE_INTEGER   InterruptTime;
    ULONG           InterruptCount;
} SYSTEM_PROCESSOR_TIMES, *PSYSTEM_PROCESSOR_TIMES;

// SystemGlobalFlag
typedef struct _SYSTEM_GLOBAL_FLAG {
    ULONG GlobalFlag;
} SYSTEM_GLOBAL_FLAG, *PSYSTEM_GLOBAL_FLAG;

// SystemModuleInformation
typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG   Reserved[2];
    PVOID   Base;
    ULONG   Size;
    ULONG   Flags;
    USHORT  Index;
    USHORT  Unknown;
    USHORT  LoadCount;
    USHORT  ModuleNameOffset;
    CHAR    ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

// SystemLockInformation
typedef struct _SYSTEM_LOCK_INFORMATION {
    PVOID   Address;
    USHORT  Type;
    USHORT  Reserved1;
    ULONG   ExclusiveOwnerThreadId;
    ULONG   ActiveCount;
    ULONG   ContentionCount;
    ULONG   Reserved2[2];
    ULONG   NumberOfSharedWaiters;
    ULONG   NumberOfExclusiveWaiters;
} SYSTEM_LOCK_INFORMATION, *PSYSTEM_LOCK_INFORMATION;

// SystemHandleInformation
typedef struct _SYSTEM_HANDLE_INFORMATION {
    ULONG       ProcessId;
    UCHAR       ObjectTypeNumber;
    UCHAR       Flags;
    USHORT      Handle;
    PVOID       Object;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

// SystemObjectInformation
typedef struct _SYSTEM_OBJECT_TYPE_INFORMATION {
    ULONG           NextEntryOffset;
    ULONG           ObjectCount;
    ULONG           HandleCount;
    ULONG           TypeNumber;
    ULONG           InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ACCESS_MASK     ValidAccessMask;
    POOL_TYPE       PoolType;
    UCHAR           Unknown;
    UNICODE_STRING  Name;
} SYSTEM_OBJECT_TYPE_INFORMATION, *PSYSTEM_OBJECT_TYPE_INFORMATION;

typedef struct _SYSTEM_OBJECT_INFORMATION {
    ULONG                   NextEntryOffset;
    PVOID                   Object;
    ULONG                   CreatorProcessId;
    USHORT                  Unknown;
    USHORT                  Flags;
    ULONG                   PointerCount;
    ULONG                   HandleCount;
    ULONG                   PagedPoolUsage;
    ULONG                   NonPagedPoolUsage;
    ULONG                   ExclusiveProcessId;
    PSECURITY_DESCRIPTOR    SecurityDescriptor;
    UNICODE_STRING          Name;
} SYSTEM_OBJECT_INFORMATION, *PSYSTEM_OBJECT_INFORMATION;

// SystemPagefileInformation
typedef struct _SYSTEM_PAGEFILE_INFORMATION {
    ULONG           NextEntryOffset;
    ULONG           CurrentSize;
    ULONG           TotalUsed;
    ULONG           PeakUsed;
    UNICODE_STRING  FileName;
} SYSTEM_PAGEFILE_INFORMATION, *PSYSTEM_PAGEFILE_INFORMATION;

// SystemInstructionEmulationCounts
typedef struct _SYSTEM_INSTRUCTION_EMULATION_COUNTS {
    ULONG GenericInvalidOpcode;
    ULONG TwoByteOpcode;
    ULONG ESprefix;
    ULONG CSprefix;
    ULONG SSprefix;
    ULONG DSprefix;
    ULONG FSPrefix;
    ULONG GSprefix;
    ULONG OPER32prefix;
    ULONG ADDR32prefix;
    ULONG INSB;
    ULONG INSW;
    ULONG OUTSB;
    ULONG OUTSW;
    ULONG PUSHFD;
    ULONG POPFD;
    ULONG INTnn;
    ULONG INTO;
    ULONG IRETD;
    ULONG FloatingPointOpcode;
    ULONG INBimm;
    ULONG INWimm;
    ULONG OUTBimm;
    ULONG OUTWimm;
    ULONG INB;
    ULONG INW;
    ULONG OUTB;
    ULONG OUTW;
    ULONG LOCKprefix;
    ULONG REPNEprefix;
    ULONG REPprefix;
    ULONG CLI;
    ULONG STI;
    ULONG HLT;
} SYSTEM_INSTRUCTION_EMULATION_COUNTS, *PSYSTEM_INSTRUCTION_EMULATION_COUNTS;

// SystemCacheInformation
typedef struct _SYSTEM_CACHE_INFORMATION {
    ULONG SystemCacheWsSize;
    ULONG SystemCacheWsPeakSize;
    ULONG SystemCacheWsFaults;
    ULONG SystemCacheWsMinimum;
    ULONG SystemCacheWsMaximum;
    ULONG TransitionSharedPages;
    ULONG TransitionSharedPagesPeak;
    ULONG Reserved[2];
} SYSTEM_CACHE_INFORMATION, *PSYSTEM_CACHE_INFORMATION;

// SystemPoolTagInformation
typedef struct _SYSTEM_POOL_TAG_INFORMATION {
    CHAR    Tag[4];
    ULONG   PagedPoolAllocs;
    ULONG   PagedPoolFrees;
    ULONG   PagedPoolUsage;
    ULONG   NonPagedPoolAllocs;
    ULONG   NonPagedPoolFrees;
    ULONG   NonPagedPoolUsage;
} SYSTEM_POOL_TAG_INFORMATION, *PSYSTEM_POOL_TAG_INFORMATION;

// SystemProcessorStatistics
typedef struct _SYSTEM_PROCESSOR_STATISTICS {
    ULONG ContextSwitches;
    ULONG DpcCount;
    ULONG DpcRequestRate;
    ULONG TimeIncrement;
    ULONG DpcBypassCount;
    ULONG ApcBypassCount;
} SYSTEM_PROCESSOR_STATISTICS, *PSYSTEM_PROCESSOR_STATISTICS;

// SystemDpcInformation
typedef struct _SYSTEM_DPC_INFORMATION {
    ULONG Reserved;
    ULONG MaximumDpcQueueDepth;
    ULONG MinimumDpcRate;
    ULONG AdjustDpcThreshold;
    ULONG IdealDpcRate;
} SYSTEM_DPC_INFORMATION, *PSYSTEM_DPC_INFORMATION;

// SystemLoadImage
typedef struct _SYSTEM_LOAD_IMAGE {
    UNICODE_STRING  ModuleName;
    PVOID           ModuleBase;
    PVOID           Unknown;
    PVOID           EntryPoint;
    PVOID           ExportDirectory;
} SYSTEM_LOAD_IMAGE, *PSYSTEM_LOAD_IMAGE;

// SystemUnloadImage
typedef struct _SYSTEM_UNLOAD_IMAGE {
    PVOID ModuleBase;
} SYSTEM_UNLOAD_IMAGE, *PSYSTEM_UNLOAD_IMAGE;

// SystemTimeAdjustment
typedef struct _SYSTEM_QUERY_TIME_ADJUSTMENT {
    ULONG   TimeAdjustment;
    ULONG   MaximumIncrement;
    BOOLEAN TimeSynchronization;
} SYSTEM_QUERY_TIME_ADJUSTMENT, *PSYSTEM_QUERY_TIME_ADJUSTMENT;

// SystemTimeAdjustment
typedef struct _SYSTEM_SET_TIME_ADJUSTMENT {
    ULONG   TimeAdjustment;
    BOOLEAN TimeSynchronization;
} SYSTEM_SET_TIME_ADJUSTMENT, *PSYSTEM_SET_TIME_ADJUSTMENT;

// SystemCrashDumpInformation
typedef struct _SYSTEM_CRASH_DUMP_INFORMATION {
    HANDLE CrashDumpSectionHandle;
#if (VER_PRODUCTBUILD >= 2195)
    HANDLE Unknown;
#endif // (VER_PRODUCTBUILD >= 2195)
} SYSTEM_CRASH_DUMP_INFORMATION, *PSYSTEM_CRASH_DUMP_INFORMATION;

// SystemExceptionInformation
typedef struct _SYSTEM_EXCEPTION_INFORMATION {
    ULONG AlignmentFixupCount;
    ULONG ExceptionDispatchCount;
    ULONG FloatingEmulationCount;
    ULONG Reserved;
} SYSTEM_EXCEPTION_INFORMATION, *PSYSTEM_EXCEPTION_INFORMATION;

// SystemCrashDumpStateInformation
typedef struct _SYSTEM_CRASH_DUMP_STATE_INFORMATION {
    ULONG ValidCrashDump;
#if (VER_PRODUCTBUILD >= 2195)
    ULONG Unknown;
#endif // (VER_PRODUCTBUILD >= 2195)
} SYSTEM_CRASH_DUMP_STATE_INFORMATION, *PSYSTEM_CRASH_DUMP_STATE_INFORMATION;

// SystemKernelDebuggerInformation
typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION {
    BOOLEAN DebuggerEnabled;
    BOOLEAN DebuggerNotPresent;
} SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION;

// SystemContextSwitchInformation
typedef struct _SYSTEM_CONTEXT_SWITCH_INFORMATION {
    ULONG ContextSwitches;
    ULONG ContextSwitchCounters[11];
} SYSTEM_CONTEXT_SWITCH_INFORMATION, *PSYSTEM_CONTEXT_SWITCH_INFORMATION;

// SystemRegistryQuotaInformation
typedef struct _SYSTEM_REGISTRY_QUOTA_INFORMATION {
    ULONG RegistryQuota;
    ULONG RegistryQuotaInUse;
    ULONG PagedPoolSize;
} SYSTEM_REGISTRY_QUOTA_INFORMATION, *PSYSTEM_REGISTRY_QUOTA_INFORMATION;

// SystemLoadAndCallImage
typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE {
    UNICODE_STRING ModuleName;
} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;

// SystemPrioritySeparation
typedef struct _SYSTEM_PRIORITY_SEPARATION {
    ULONG PrioritySeparation;
} SYSTEM_PRIORITY_SEPARATION, *PSYSTEM_PRIORITY_SEPARATION;

// SystemTimeZoneInformation
typedef struct _SYSTEM_TIME_ZONE_INFORMATION {
    LONG        Bias;
    WCHAR       StandardName[32];
    TIME_FIELDS StandardDate;
    LONG        StandardBias;
    WCHAR       DaylightName[32];
    TIME_FIELDS DaylightDate;
    LONG        DaylightBias;
} SYSTEM_TIME_ZONE_INFORMATION, *PSYSTEM_TIME_ZONE_INFORMATION;

// SystemLookasideInformation
typedef struct _SYSTEM_LOOKASIDE_INFORMATION {
    USHORT      Depth;
    USHORT      MaximumDepth;
    ULONG       TotalAllocates;
    ULONG       AllocateMisses;
    ULONG       TotalFrees;
    ULONG       FreeMisses;
    POOL_TYPE   Type;
    ULONG       Tag;
    ULONG       Size;
} SYSTEM_LOOKASIDE_INFORMATION, *PSYSTEM_LOOKASIDE_INFORMATION;

// SystemSetTimeSlipEvent
typedef struct _SYSTEM_SET_TIME_SLIP_EVENT {
    HANDLE TimeSlipEvent;
} SYSTEM_SET_TIME_SLIP_EVENT, *PSYSTEM_SET_TIME_SLIP_EVENT;

// SystemCreateSession
typedef struct _SYSTEM_CREATE_SESSION {
    ULONG Session;
} SYSTEM_CREATE_SESSION, *PSYSTEM_CREATE_SESSION;

// SystemDeleteSession
typedef struct _SYSTEM_DELETE_SESSION {
    ULONG Session;
} SYSTEM_DELETE_SESSION, *PSYSTEM_DELETE_SESSION;

// SystemRangeStartInformation
typedef struct _SYSTEM_RANGE_START_INFORMATION {
    PVOID SystemRangeStart;
} SYSTEM_RANGE_START_INFORMATION, *PSYSTEM_RANGE_START_INFORMATION;

// SystemSessionProcessesInformation
typedef struct _SYSTEM_SESSION_PROCESS_INFORMATION {
    ULONG SessionId;
    ULONG BufferSize;
    PVOID Buffer;
} SYSTEM_SESSION_PROCESS_INFORMATION, *PSYSTEM_SESSION_PROCESS_INFORMATION;

typedef struct _GDI_TEB_BATCH {
    ULONG Offset;
    ULONG HDC;
    ULONG Buffer[(VER_PRODUCTBUILD >= 2195) ? 0x133 : 0x136];
} GDI_TEB_BATCH, *PGDI_TEB_BATCH;

#if (VER_PRODUCTBUILD >= 2600)

typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME {
    struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous;
    struct _ACTIVATION_CONTEXT*                 ActivationContext; // 0x4
    ULONG                                       Flags; // 0x8
} RTL_ACTIVATION_CONTEXT_STACK_FRAME, *PRTL_ACTIVATION_CONTEXT_STACK_FRAME;

typedef struct _ACTIVATION_CONTEXT_STACK {
    ULONG                               Flags;
    ULONG                               NextCookieSequenceNumber;
    PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame; // 0x8
    LIST_ENTRY                          FrameListCache; // 0xc
} ACTIVATION_CONTEXT_STACK, *PACTIVATION_CONTEXT_STACK;

#endif // (VER_PRODUCTBUILD >= 2600)

typedef struct _Wx86ThreadState {
    PULONG  CallBx86Eip;
    PVOID   DeallocationCpu;
    UCHAR   UseKnownWx86Dll; // 0x8
    UCHAR   OleStubInvoked; // 0x9
} Wx86ThreadState, *PWx86ThreadState;

typedef struct _TEB_ACTIVE_FRAME_CONTEXT {
    ULONG Flags;
    PCHAR FrameName;
} TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT;

typedef struct _TEB_ACTIVE_FRAME {
    ULONG                       Flags;
    struct _TEB_ACTIVE_FRAME    *Previous;
    PTEB_ACTIVE_FRAME_CONTEXT   Context;
} TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME;

typedef struct _TEB // from Reactos, Native API; checked and corrected for 2003 and nt 4.0
                    // should also work on XP and 2000
                    // the reactos version was probably from NT 3.51 SP3
{
   NT_TIB Tib;                         /* 00h */
   PVOID EnvironmentPointer;           /* 1Ch */
   CLIENT_ID Cid;                      /* 20h */
   HANDLE RpcHandle;                   /* 28h */
   PVOID *ThreadLocalStorage;          /* 2Ch */
   PPEB Peb;                           /* 30h */
   ULONG LastErrorValue;               /* 34h */
   ULONG CountOfOwnedCriticalSections; /* 38h */
   PVOID CsrClientThread;              /* 3Ch */
   struct _W32THREAD* Win32ThreadInfo; /* 40h */    
   ULONG User32Reserved[26];           /* 44h */
   ULONG UserReserved[5];              /* ACh */
   PVOID WOW32Reserved;                /* C0h */
   LCID CurrentLocale;                 /* C4h */
   ULONG FpSoftwareStatusRegister;     /* C8h */
   PVOID SystemReserved1[0x36];        /* CCh */
#if (VER_PRODUCTBUILD <= 1381)
   PVOID Spare1;                       /* 1A4h */
#endif

   LONG ExceptionCode;                 /* 1A4h */
#if (VER_PRODUCTBUILD >= 2600)
   ACTIVATION_CONTEXT_STACK 
        ActivationContextStack;        /* 1A8h */
   UCHAR SpareBytes1[24];              /* 1BCh */
#elif (VER_PRODUCTBUILD >= 2195)
   UCHAR SpareBytes1[0x2c];            /* 1A8h */
#else /* nt 4.0 */
   ULONG SpareBytes1[0x14];            /* 1ACh */
#endif

   GDI_TEB_BATCH GdiTebBatch;          /* 1D4h */ /* 1FC for nt 4.0 */
   ULONG gdiRgn;                       /* 6A8h */ /* 6DCh for nt 4.0 */
   ULONG gdiPen;                       /* 6ACh */
   ULONG gdiBrush;                     /* 6B0h */
   CLIENT_ID RealClientId;             /* 6B4h */ /* 6E8h for nt 4.0 */
   PVOID GdiCachedProcessHandle;       /* 6BCh */
   ULONG GdiClientPID;                 /* 6C0h */
   ULONG GdiClientTID;                 /* 6C4h */
   PVOID GdiThreadLocaleInfo;          /* 6C8h */
#if (VER_PRODUCTBUILD == 1381)
   PVOID Win32ClientInfo[5];           /* 700h */
   PVOID glDispatchTable[0x118];       /* 714h */
   ULONG glReserved1[0x1a];            /* B74h */   
#else

   PVOID Win32ClientInfo[0x3e];        /* 6CCh */
   PVOID glDispatchTable[0xe9];        /* 7C4h */
   ULONG glReserved1[0x1d];            /* B68h */
#endif

   PVOID glReserved2;                  /* BDCh */
   PVOID glSectionInfo;                /* BE0h */
   PVOID glSection;                    /* BE4h */
   PVOID glTable;                      /* BE8h */
   PVOID glCurrentRC;                  /* BECh */
   PVOID glContext;                    /* BF0h */
   NTSTATUS LastStatusValue;           /* BF4h */
   UNICODE_STRING StaticUnicodeString; /* BF8h */
   WCHAR StaticUnicodeBuffer[0x105];   /* C00h */
   PVOID DeallocationStack;            /* E0Ch */
   PVOID TlsSlots[0x40];               /* E10h */
   LIST_ENTRY TlsLinks;                /* F10h */
   PVOID Vdm;                          /* F18h */
   PVOID ReservedForNtRpc;             /* F1Ch */
   PVOID DbgSsReserved[0x2];           /* F20h */
   ULONG HardErrorDisabled;            /* F28h */
   PVOID Instrumentation[0x10];        /* F2Ch */
   PVOID WinSockData;                  /* F6Ch */
   ULONG GdiBatchCount;                /* F70h */
   BOOLEAN InDbgPrint;                 /* F74h */
   BOOLEAN FreeStackOnTermination;     /* F75h */
   BOOLEAN HasFiberData;               /* F76h */
   UCHAR IdealProcessor;               /* F77h */
   ULONG Spare3;                       /* F78h */
   ULONG ReservedForPerf;              /* F7Ch */
   PVOID ReservedForOle;               /* F80h */
   ULONG WaitingOnLoaderLock;          /* F84h */
#if (VER_PRODUCTBUILD >= 2195)
   Wx86ThreadState Wx86Thread;         /* F88h */
   PVOID* TlsExpansionSlots;           /* F94h */
   ULONG ImpersonationLocale;          /* F98h */
   ULONG IsImpersonating;              /* F9Ch */
   PVOID NlsCache;                     /* FA0h */
   PVOID pShimData;                    /* FA4h */
   ULONG HeapVirtualAffinity;          /* FA8h */
   PVOID CurrentTransactionHandle;     /* FACh */
   PTEB_ACTIVE_FRAME ActiveFrame;      /* FB0h*/
   PVOID FlsSlots;                     /* FB4h */
#endif

} TEB, *PTEB;

typedef struct _TERMINATION_PORT {
    struct _TERMINATION_PORT*   Next;
    PVOID                       Port;
} TERMINATION_PORT, *PTERMINATION_PORT;

typedef struct _THREAD_BASIC_INFORMATION {
    NTSTATUS    ExitStatus;
    PVOID       TebBaseAddress;
    ULONG       UniqueProcessId;
    ULONG       UniqueThreadId;
    KAFFINITY   AffinityMask;
    KPRIORITY   BasePriority;
    ULONG       DiffProcessPriority;
} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;

typedef struct _TOKEN_SOURCE {
    CCHAR   SourceName[TOKEN_SOURCE_LENGTH];
    LUID    SourceIdentifier;
} TOKEN_SOURCE, *PTOKEN_SOURCE;

typedef struct _TOKEN_CONTROL {
    LUID            TokenId;
    LUID            AuthenticationId;
    LUID            ModifiedId;
    TOKEN_SOURCE    TokenSource;
} TOKEN_CONTROL, *PTOKEN_CONTROL;

typedef struct _TOKEN_DEFAULT_DACL {
    PACL DefaultDacl;
} TOKEN_DEFAULT_DACL, *PTOKEN_DEFAULT_DACL;

typedef struct _TOKEN_GROUPS {
    ULONG               GroupCount;
    SID_AND_ATTRIBUTES  Groups[1];
} TOKEN_GROUPS, *PTOKEN_GROUPS;

/* XP SP2 has same TOKEN_OBJECT structure as Windows Server 2003 (stucture K23 in union). */
#include <pshpack1.h>
typedef union
{
  struct
   {
    TOKEN_SOURCE TokenSource;     /* 0x0: CHAR SourceName[8] = "*SYSTEM*" | "User32  " + LUID SourceIdentifier = 0x10, *SYSTEM* id == 0 */
    LUID TokenId;         /* 0x10: */
    LUID AuthenticationId;    /* 0x18: */
    LARGE_INTEGER ExpirationTime; /* 0x20: -1 no expired. *SYSTEM* has expired? */
    LUID ModifiedId;          /* 0x28: */
    ULONG UserAndGroupCount;      /* 0x30: 3 */
    ULONG PrivilegeCount;     /* 0x34: 14 */
    ULONG VariableLength;     /* 0x38: 0x37C */
    ULONG DynamicCharged;     /* 0x3C: 0x1F4 */
    ULONG DynamicAvailable;   /* 0x40: 0x1A4 */
    ULONG DefaultOwnerIndex;      /* 0x44: 1 */
    PSID_AND_ATTRIBUTES UserAndGroups;/* 0x48: TOKEN_USER Owners [UserAndGroupCount] DefaultOwnerIndex */
    PSID  PrimaryGroup;       /* 0x4C: */
    PLUID_AND_ATTRIBUTES Privileges;/* 0x50: */
    PULONG DynamicPart;       /* 0x54: */
    PACL   DefaultDacl;       /* 0x58: */
    TOKEN_TYPE TokenType;     /* 0x5C: TokenPrimary | TokenImpersonation */
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;/* 0x60: 0 */
    UCHAR   TokenFlags;       /* 0x64: 1 */
    BOOLEAN TokenInUse;       /* 0x65: 1 */
    USHORT  Alignment;        /* 0x66: 0 */
    PVOID   ProxyData;        /* 0x68: 0 */
    PVOID   AuditData;        /* 0x6C: 0 */
    ULONG VariablePart;       /* 0x70: */
   } NT;
  struct
   {
    TOKEN_SOURCE TokenSource;     /* 0x0: CHAR SourceName[8] = "*SYSTEM*" | "User32  " + LUID SourceIdentifier = 0x10 */
    LUID TokenId;         /* 0x10: */
    LUID AuthenticationId;    /* 0x18: */
    LUID ParentTokenId;       /* 0x20: 0 */
    LARGE_INTEGER ExpirationTime; /* 0x28: -1 no expired */
    LUID ModifiedId;          /* 0x30: */
    ULONG SessionId;          /* 0x38: 0 */
    ULONG UserAndGroupCount;      /* 0x3C: 9 */
    ULONG RestrictedSidCount;     /*+0x40: 0 */
    ULONG PrivilegeCount;     /* 0x44: 11 */
    ULONG VariableLength;     /* 0x48: 0x1F0 */
    ULONG DynamicCharged;     /* 0x4C: 0x1F4 */
    ULONG DynamicAvailable;   /* 0x50: 0x1A4 */
    ULONG DefaultOwnerIndex;      /* 0x54: 3 */
    PSID_AND_ATTRIBUTES UserAndGroups; /* 0x58: TOKEN_USER Owners [UserAndGroupCount] DefaultOwnerIndex */
    PSID_AND_ATTRIBUTES RestrictedSids;/* 0x5C: 0 */
    PSID  PrimaryGroup;       /* 0x60: */
    PLUID_AND_ATTRIBUTES Privileges;/* 0x64: */
    PULONG DynamicPart;       /* 0x68: */
    PACL   DefaultDacl;       /* 0x6C: */
    TOKEN_TYPE TokenType;     /* 0x70: TokenPrimary | TokenImpersonation */
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;/* 0x74: 0 */
    UCHAR   TokenFlags;       /* 0x78: 9 */
    BOOLEAN TokenInUse;       /* 0x79: 1 */
    USHORT  Alignment;        /* 0x7A: 0 */
    PVOID   ProxyData;        /* 0x7C: 0 */
    PVOID   AuditData;        /* 0x80: 0 */
    ULONG VariablePart;           /* 0x84: */
   } K2;
  struct
   {
    TOKEN_SOURCE TokenSource;     /* 0x0: CHAR SourceName[8] = "*SYSTEM*" | "User32  " + LUID SourceIdentifier = 0x10 */
    LUID TokenId;         /* 0x10: 0x6F68 */
    LUID AuthenticationId;    /* 0x18: */
    LUID ParentTokenId;       /* 0x20: 0 */
    LARGE_INTEGER ExpirationTime; /* 0x28: -1 no expired */
    PERESOURCE TokenLock;     /*+0x30: 0x8xxxxxxxx */
    LUID ModifiedId;          /* 0x34: */
    ULONG SessionId;          /* 0x3C: 0x6F6A */
    ULONG UserAndGroupCount;      /* 0x40: 4 */
    ULONG RestrictedSidCount;     /*+0x44: 0 */
    ULONG VariableLength;     /* 0x48: 0x160 */
    ULONG DynamicCharged;     /* 0x4C: 0x164 */
    ULONG DynamicAvailable;   /* 0x50: 0x1F4 */
    ULONG PrivilegeCount;     /* 0x54: 0 */
    ULONG DefaultOwnerIndex;      /* 0x58: 1 */
    PSID_AND_ATTRIBUTES UserAndGroups; /* 0x5C: TOKEN_USER Owners [UserAndGroupCount] DefaultOwnerIndex */
    PSID_AND_ATTRIBUTES RestrictedSids;/* 0x60: 0 */
    PSID  PrimaryGroup;       /* 0x64: */
    PLUID_AND_ATTRIBUTES Privileges;/* 0x68: */
    PULONG DynamicPart;       /* 0x6C: */
    PACL   DefaultDacl;       /* 0x70: */
    TOKEN_TYPE TokenType;     /* 0x74: TokenPrimary | TokenImpersonation */
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;/* 0x78: 0 */
    UCHAR   TokenFlags;       /* 0x7C: 9 */
    BOOLEAN TokenInUse;       /* 0x7D: 1 */
    USHORT  Alignment;        /* 0x7E: 4BB4 */
    PVOID   ProxyData;        /* 0x80: 0 */
    PVOID   AuditData;        /* 0x84: 0 */
    ULONG VariablePart;       /* 0x88: */
   } XP;
  struct
   {
    TOKEN_SOURCE TokenSource;     /* 0x0: CHAR SourceName[8] = "*SYSTEM*" | "User32  " + LUID SourceIdentifier = 0x10 */
    LUID TokenId;         /* 0x10: 0x6F68 */
    LUID AuthenticationId;    /* 0x18: */
    LUID ParentTokenId;       /* 0x20: 0 */
    LARGE_INTEGER ExpirationTime; /* 0x28: -1 no expired */
    PERESOURCE TokenLock;     /*+0x30: 0x8xxxxxxxx */
    ULONG Padding64;          /*+0x34: 0xXxxxxxxxx */
    SEP_AUDIT_POLICY AuditPolicy; /*+0x38: */
    LUID ModifiedId;          /*+0x040: 0x6F6A */
    ULONG SessionId;          /*+0x048: */
    ULONG UserAndGroupCount;      /* 0x4C: 4 */
    ULONG RestrictedSidCount;     /*+0x50: 0 */
    ULONG VariableLength;     /* 0x54: 0x18 */
    ULONG DynamicCharged;     /* 0x58: 0x17C */
    ULONG DynamicAvailable;   /* 0x5C: 0x1F4 */
    ULONG PrivilegeCount;     /* 0x60: 0 */
    ULONG DefaultOwnerIndex;      /* 0x64: 1 */
    PSID_AND_ATTRIBUTES UserAndGroups; /* 0x68: TOKEN_USER Owners [UserAndGroupCount] DefaultOwnerIndex */
    PSID_AND_ATTRIBUTES RestrictedSids;/* 0x6C: 0 */
    PSID  PrimaryGroup;       /* 0x70: */
    PLUID_AND_ATTRIBUTES Privileges;/* 0x74: */
    PULONG DynamicPart;       /* 0x78: */
    PACL   DefaultDacl;       /* 0x7C: */
    TOKEN_TYPE TokenType;     /* 0x80: TokenPrimary | TokenImpersonation */
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;/* 0x84: 0 */
    UCHAR   TokenFlags;       /* 0x88: 9 */
    BOOLEAN TokenInUse;       /* 0x89: 1 */
    USHORT  Alignment;        /* 0x8A: 4BB4 */
    PVOID   ProxyData;        /* 0x8C: 0x8xxxxxxxx */
    PVOID   AuditData;        /* 0x90: 0 */
    ULONG VariablePart;       /* 0x94: */
   } K23;
  struct
   {
    TOKEN_SOURCE TokenSource;     /*+0x0: CHAR SourceName[8] = "*SYSTEM*" | "User32  " + LUID SourceIdentifier = 0x10 */
    LUID TokenId;         /*+0x10: 0x6F68 */
    LUID AuthenticationId;    /*+0x18: */
    LUID ParentTokenId;       /*+0x20: 0 */
    LARGE_INTEGER ExpirationTime; /*+0x28: -1 no expired */
    PERESOURCE TokenLock;     /*+0x30: 0x8xxxxxxxx */
    ULONG Padding64;          /*+0x34: 0xXxxxxxxxx */
    SEP_AUDIT_POLICY AuditPolicy; /*+0x38: */
    LUID ModifiedId;          /*+0x040: 0x6F6A */
    ULONG SessionId;          /*+0x048: */
    ULONG UserAndGroupCount;      /*+0x04c: 4 */
    ULONG RestrictedSidCount;     /*+0x050: 0 */
    ULONG PrivilegeCount;     /*+0x054: 0x18 */
    ULONG VariableLength;     /*+0x058: 0x17C */
    ULONG DynamicCharged;     /*+0x05c: 0x1F4 */
    ULONG DynamicAvailable;   /*+0x060: 0 */
    ULONG DefaultOwnerIndex;      /*+0x064: 1 */
    PSID_AND_ATTRIBUTES UserAndGroups; /* 0x68: TOKEN_USER Owners [UserAndGroupCount] DefaultOwnerIndex */
    PSID_AND_ATTRIBUTES RestrictedSids;/* 0x6C: 0 */
    PSID  PrimaryGroup;       /* 0x70: */
    PLUID_AND_ATTRIBUTES Privileges;/* 0x74: */
    PULONG DynamicPart;       /* 0x78: */
    PACL   DefaultDacl;       /* 0x7C: */
    TOKEN_TYPE TokenType;     /* 0x80: TokenPrimary | TokenImpersonation */
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;/* 0x84: 0 */
    UCHAR   TokenFlags;       /* 0x88: 9 */
    BOOLEAN TokenInUse;       /* 0x89: 1 */
    USHORT  Alignment;        /* 0x8A: 4BB4 */
    PVOID   ProxyData;        /* 0x8C: 0x8xxxxxxxx */
    PVOID   AuditData;        /* 0x90: 0 */
    PVOID LogonSession;       /* 0x94: */
    LUID  OriginatingLogonSession;/* 0x98: */
    ULONG VariablePart;       /* 0xa0: */
   } K23SP1;
  /* VariablePart */
} TOKEN_OBJECT, *PTOKEN_OBJECT;
#include <poppack.h>

typedef struct _TOKEN_OWNER {
    PSID Owner;
} TOKEN_OWNER, *PTOKEN_OWNER;

typedef struct _TOKEN_PRIMARY_GROUP {
    PSID PrimaryGroup;
} TOKEN_PRIMARY_GROUP, *PTOKEN_PRIMARY_GROUP;

typedef struct _TOKEN_PRIVILEGES {
    ULONG               PrivilegeCount;
    LUID_AND_ATTRIBUTES Privileges[1];
} TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES;

typedef struct _TOKEN_STATISTICS {
    LUID                            TokenId;
    LUID                            AuthenticationId;
    LARGE_INTEGER                   ExpirationTime;
    TOKEN_TYPE                      TokenType;
    SECURITY_IMPERSONATION_LEVEL    ImpersonationLevel;
    ULONG                           DynamicCharged;
    ULONG                           DynamicAvailable;
    ULONG                           GroupCount;
    ULONG                           PrivilegeCount;
    LUID                            ModifiedId;
} TOKEN_STATISTICS, *PTOKEN_STATISTICS;

typedef struct _TOKEN_USER {
    SID_AND_ATTRIBUTES User;
} TOKEN_USER, *PTOKEN_USER;

typedef struct _SECURITY_CLIENT_CONTEXT {
    SECURITY_QUALITY_OF_SERVICE SecurityQos;
    PACCESS_TOKEN               ClientToken;
    BOOLEAN                     DirectlyAccessClientToken;
    BOOLEAN                     DirectAccessEffectiveOnly;
    BOOLEAN                     ServerIsRemote;
    TOKEN_CONTROL               ClientTokenControl;
} SECURITY_CLIENT_CONTEXT, *PSECURITY_CLIENT_CONTEXT;

typedef struct _TUNNEL {
    FAST_MUTEX          Mutex;
    PRTL_SPLAY_LINKS    Cache;
    LIST_ENTRY          TimerQueue;
    USHORT              NumEntries;
} TUNNEL, *PTUNNEL;

typedef struct _VACB {
    PVOID               BaseAddress;
    PSHARED_CACHE_MAP   SharedCacheMap;
    union {
        LARGE_INTEGER   FileOffset;
        USHORT          ActiveCount;
    } Overlay;
    LIST_ENTRY          LruList;
} VACB, *PVACB;

typedef struct _VAD_HEADER {
    PVOID       StartVPN;
    PVOID       EndVPN;
    PVAD_HEADER ParentLink;
    PVAD_HEADER LeftLink;
    PVAD_HEADER RightLink;
    ULONG       Flags;          // LSB = CommitCharge
    PVOID       ControlArea;
    PVOID       FirstProtoPte;
    PVOID       LastPTE;
    ULONG       Unknown;
    LIST_ENTRY  Secured;
} VAD_HEADER, *PVAD_HEADER;

NTKERNELAPI
BOOLEAN
CcCanIWrite (
    IN PFILE_OBJECT FileObject,
    IN ULONG        BytesToWrite,
    IN BOOLEAN      Wait,
    IN BOOLEAN      Retrying
);

NTKERNELAPI
BOOLEAN
CcCopyRead (
    IN PFILE_OBJECT         FileObject,
    IN PLARGE_INTEGER       FileOffset,
    IN ULONG                Length,
    IN BOOLEAN              Wait,
    OUT PVOID               Buffer,
    OUT PIO_STATUS_BLOCK    IoStatus
);

NTKERNELAPI
BOOLEAN
CcCopyWrite (
    IN PFILE_OBJECT     FileObject,
    IN PLARGE_INTEGER   FileOffset,
    IN ULONG            Length,
    IN BOOLEAN          Wait,
    IN PVOID            Buffer
);

#define CcCopyWriteWontFlush(FO, FOFF, LEN) ((LEN) <= 0x10000)

typedef VOID (*PCC_POST_DEFERRED_WRITE) (
    IN PVOID Context1,
    IN PVOID Context2
);

NTKERNELAPI
VOID
CcDeferWrite (
    IN PFILE_OBJECT             FileObject,
    IN PCC_POST_DEFERRED_WRITE  PostRoutine,
    IN PVOID                    Context1,
    IN PVOID                    Context2,
    IN ULONG                    BytesToWrite,
    IN BOOLEAN                  Retrying
);

NTKERNELAPI
VOID
CcFastCopyRead (
    IN PFILE_OBJECT         FileObject,
    IN ULONG                FileOffset,
    IN ULONG                Length,
    IN ULONG                PageCount,
    OUT PVOID               Buffer,
    OUT PIO_STATUS_BLOCK    IoStatus
);

NTKERNELAPI
VOID
CcFastCopyWrite (
    IN PFILE_OBJECT FileObject,
    IN ULONG        FileOffset,
    IN ULONG        Length,
    IN PVOID        Buffer
);

NTKERNELAPI
VOID
CcFlushCache (
    IN PSECTION_OBJECT_POINTERS SectionObjectPointer,
    IN PLARGE_INTEGER           FileOffset OPTIONAL,
    IN ULONG                    Length,
    OUT PIO_STATUS_BLOCK        IoStatus OPTIONAL
);

typedef VOID (*PDIRTY_PAGE_ROUTINE) (
    IN PFILE_OBJECT     FileObject,
    IN PLARGE_INTEGER   FileOffset,
    IN ULONG            Length,
    IN PLARGE_INTEGER   OldestLsn,
    IN PLARGE_INTEGER   NewestLsn,
    IN PVOID            Context1,
    IN PVOID            Context2
);

NTKERNELAPI
LARGE_INTEGER
CcGetDirtyPages (
    IN PVOID                LogHandle,
    IN PDIRTY_PAGE_ROUTINE  DirtyPageRoutine,
    IN PVOID                Context1,
    IN PVOID                Context2
);

NTKERNELAPI
PFILE_OBJECT
CcGetFileObjectFromBcb (
    IN PVOID Bcb
);

NTKERNELAPI
PFILE_OBJECT
CcGetFileObjectFromSectionPtrs (
    IN PSECTION_OBJECT_POINTERS SectionObjectPointer
);

#define CcGetFileSizePointer(FO) (                                     \
    ((PLARGE_INTEGER)((FO)->SectionObjectPointer->SharedCacheMap) + 1) \
)

#if (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
LARGE_INTEGER
CcGetFlushedValidData (
    IN PSECTION_OBJECT_POINTERS SectionObjectPointer,
    IN BOOLEAN                  BcbListHeld
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
LARGE_INTEGER
CcGetLsnForFileObject (
    IN PFILE_OBJECT     FileObject,
    OUT PLARGE_INTEGER  OldestLsn OPTIONAL
);

typedef BOOLEAN (*PACQUIRE_FOR_LAZY_WRITE) (
    IN PVOID    Context,
    IN BOOLEAN  Wait
);

typedef VOID (*PRELEASE_FROM_LAZY_WRITE) (
    IN PVOID Context
);

typedef BOOLEAN (*PACQUIRE_FOR_READ_AHEAD) (
    IN PVOID    Context,
    IN BOOLEAN  Wait
);

typedef VOID (*PRELEASE_FROM_READ_AHEAD) (
    IN PVOID Context
);

typedef struct _CACHE_MANAGER_CALLBACKS {
    PACQUIRE_FOR_LAZY_WRITE     AcquireForLazyWrite;
    PRELEASE_FROM_LAZY_WRITE    ReleaseFromLazyWrite;
    PACQUIRE_FOR_READ_AHEAD     AcquireForReadAhead;
    PRELEASE_FROM_READ_AHEAD    ReleaseFromReadAhead;
} CACHE_MANAGER_CALLBACKS, *PCACHE_MANAGER_CALLBACKS;

NTKERNELAPI
VOID
CcInitializeCacheMap (
    IN PFILE_OBJECT             FileObject,
    IN PCC_FILE_SIZES           FileSizes,
    IN BOOLEAN                  PinAccess,
    IN PCACHE_MANAGER_CALLBACKS Callbacks,
    IN PVOID                    LazyWriteContext
);

#define CcIsFileCached(FO) (                                                         \
    ((FO)->SectionObjectPointer != NULL) &&                                          \
    (((PSECTION_OBJECT_POINTERS)(FO)->SectionObjectPointer)->SharedCacheMap != NULL) \
)

NTKERNELAPI
BOOLEAN
CcIsThereDirtyData (
    IN PVPB Vpb
);

NTKERNELAPI
BOOLEAN
CcMapData (
    IN PFILE_OBJECT     FileObject,
    IN PLARGE_INTEGER   FileOffset,
    IN ULONG            Length,
#if (VER_PRODUCTBUILD >= 2600)
    IN ULONG            Flags,
#else

    IN BOOLEAN          Wait,
#endif

    OUT PVOID           *Bcb,
    OUT PVOID           *Buffer
);

NTKERNELAPI
VOID
CcMdlRead (
    IN PFILE_OBJECT         FileObject,
    IN PLARGE_INTEGER       FileOffset,
    IN ULONG                Length,
    OUT PMDL                *MdlChain,
    OUT PIO_STATUS_BLOCK    IoStatus
);

NTKERNELAPI
VOID
CcMdlReadComplete (
    IN PFILE_OBJECT FileObject,
    IN PMDL         MdlChain
);

#if (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
VOID
CcMdlWriteAbort (
    IN PFILE_OBJECT FileObject,
    IN PMDL         MdlChain
);

#endif


NTKERNELAPI
VOID
CcMdlWriteComplete (
    IN PFILE_OBJECT     FileObject,
    IN PLARGE_INTEGER   FileOffset,
    IN PMDL             MdlChain
);

NTKERNELAPI
BOOLEAN
CcPinMappedData (
    IN PFILE_OBJECT     FileObject,
    IN PLARGE_INTEGER   FileOffset,
    IN ULONG            Length,
#if (VER_PRODUCTBUILD >= 2195)
    IN ULONG            Flags,
#else

    IN BOOLEAN          Wait,
#endif

    IN OUT PVOID        *Bcb
);

NTKERNELAPI
BOOLEAN
CcPinRead (
    IN PFILE_OBJECT     FileObject,
    IN PLARGE_INTEGER   FileOffset,
    IN ULONG            Length,
#if (VER_PRODUCTBUILD >= 2195)
    IN ULONG            Flags,
#else

    IN BOOLEAN          Wait,
#endif

    OUT PVOID           *Bcb,
    OUT PVOID           *Buffer
);

NTKERNELAPI
VOID
CcPrepareMdlWrite (
    IN PFILE_OBJECT         FileObject,
    IN PLARGE_INTEGER       FileOffset,
    IN ULONG                Length,
    OUT PMDL                *MdlChain,
    OUT PIO_STATUS_BLOCK    IoStatus
);

NTKERNELAPI
BOOLEAN
CcPreparePinWrite (
    IN PFILE_OBJECT     FileObject,
    IN PLARGE_INTEGER   FileOffset,
    IN ULONG            Length,
    IN BOOLEAN          Zero,
#if (VER_PRODUCTBUILD >= 2195)
    IN ULONG            Flags,
#else

    IN BOOLEAN          Wait,
#endif

    OUT PVOID           *Bcb,
    OUT PVOID           *Buffer
);

NTKERNELAPI
BOOLEAN
CcPurgeCacheSection (
    IN PSECTION_OBJECT_POINTERS SectionObjectPointer,
    IN PLARGE_INTEGER           FileOffset OPTIONAL,
    IN ULONG                    Length,
    IN BOOLEAN                  UninitializeCacheMaps
);

#define CcReadAhead(FO, FOFF, LEN) (                \
    if ((LEN) >= 256) {                             \
        CcScheduleReadAhead((FO), (FOFF), (LEN));   \
    }                                               \
)

#if (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
PVOID
CcRemapBcb (
    IN PVOID Bcb
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
VOID
CcRepinBcb (
    IN PVOID Bcb
);

NTKERNELAPI
VOID
CcScheduleReadAhead (
    IN PFILE_OBJECT     FileObject,
    IN PLARGE_INTEGER   FileOffset,
    IN ULONG            Length
);

NTKERNELAPI
VOID
CcSetAdditionalCacheAttributes (
    IN PFILE_OBJECT FileObject,
    IN BOOLEAN      DisableReadAhead,
    IN BOOLEAN      DisableWriteBehind
);

NTKERNELAPI
VOID
CcSetBcbOwnerPointer (
    IN PVOID Bcb,
    IN PVOID OwnerPointer
);

NTKERNELAPI
VOID
CcSetDirtyPageThreshold (
    IN PFILE_OBJECT FileObject,
    IN ULONG        DirtyPageThreshold
);

NTKERNELAPI
VOID
CcSetDirtyPinnedData (
    IN PVOID            BcbVoid,
    IN PLARGE_INTEGER   Lsn OPTIONAL
);

NTKERNELAPI
VOID
CcSetFileSizes (
    IN PFILE_OBJECT     FileObject,
    IN PCC_FILE_SIZES   FileSizes
);

typedef VOID (*PFLUSH_TO_LSN) (
    IN PVOID            LogHandle,
    IN PLARGE_INTEGER   Lsn
);

NTKERNELAPI
VOID
CcSetLogHandleForFile (
    IN PFILE_OBJECT     FileObject,
    IN PVOID            LogHandle,
    IN PFLUSH_TO_LSN    FlushToLsnRoutine
);

NTKERNELAPI
VOID
CcSetReadAheadGranularity (
    IN PFILE_OBJECT FileObject,
    IN ULONG        Granularity     // default: PAGE_SIZE
                                    // allowed: 2^n * PAGE_SIZE
);

NTKERNELAPI
BOOLEAN
CcUninitializeCacheMap (
    IN PFILE_OBJECT                 FileObject,
    IN PLARGE_INTEGER               TruncateSize OPTIONAL,
    IN PCACHE_UNINITIALIZE_EVENT    UninitializeCompleteEvent OPTIONAL
);

NTKERNELAPI
VOID
CcUnpinData (
    IN PVOID Bcb
);

NTKERNELAPI
VOID
CcUnpinDataForThread (
    IN PVOID            Bcb,
    IN ERESOURCE_THREAD ResourceThreadId
);

NTKERNELAPI
VOID
CcUnpinRepinnedBcb (
    IN PVOID                Bcb,
    IN BOOLEAN              WriteThrough,
    OUT PIO_STATUS_BLOCK    IoStatus
);

#if (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
NTSTATUS
CcWaitForCurrentLazyWriterActivity (
    VOID
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
BOOLEAN
CcZeroData (
    IN PFILE_OBJECT     FileObject,
    IN PLARGE_INTEGER   StartOffset,
    IN PLARGE_INTEGER   EndOffset,
    IN BOOLEAN          Wait
);

NTKERNELAPI
VOID
ExDisableResourceBoostLite (
    IN PERESOURCE Resource
);

NTKERNELAPI
ULONG
ExQueryPoolBlockSize (
    IN PVOID        PoolBlock,
    OUT PBOOLEAN    QuotaCharged
);

#define FlagOn(x, f) ((x) & (f))

#if (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
VOID
FsRtlAcquireFileExclusive (
    IN PFILE_OBJECT FileObject
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
BOOLEAN
FsRtlAddLargeMcbEntry (
    IN PLARGE_MCB   Mcb,
    IN LONGLONG     Vbn,
    IN LONGLONG     Lbn,
    IN LONGLONG     SectorCount
);

NTKERNELAPI
BOOLEAN
FsRtlAddMcbEntry (
    IN PMCB     Mcb,
    IN VBN      Vbn,
    IN LBN      Lbn,
    IN ULONG    SectorCount
);

NTKERNELAPI
VOID
FsRtlAddToTunnelCache (
    IN PTUNNEL          Cache,
    IN ULONGLONG        DirectoryKey,
    IN PUNICODE_STRING  ShortName,
    IN PUNICODE_STRING  LongName,
    IN BOOLEAN          KeyByShortName,
    IN ULONG            DataLength,
    IN PVOID            Data
);

#if (VER_PRODUCTBUILD >= 2195)

PFILE_LOCK
FsRtlAllocateFileLock (
    IN PCOMPLETE_LOCK_IRP_ROUTINE   CompleteLockIrpRoutine OPTIONAL,
    IN PUNLOCK_ROUTINE              UnlockRoutine OPTIONAL
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
PVOID
FsRtlAllocatePool (
    IN POOL_TYPE    PoolType,
    IN ULONG        NumberOfBytes
);

NTKERNELAPI
PVOID
FsRtlAllocatePoolWithQuota (
    IN POOL_TYPE    PoolType,
    IN ULONG        NumberOfBytes
);

NTKERNELAPI
PVOID
FsRtlAllocatePoolWithQuotaTag (
    IN POOL_TYPE    PoolType,
    IN ULONG        NumberOfBytes,
    IN ULONG        Tag
);

NTKERNELAPI
PVOID
FsRtlAllocatePoolWithTag (
    IN POOL_TYPE    PoolType,
    IN ULONG        NumberOfBytes,
    IN ULONG        Tag
);

NTKERNELAPI
PVOID
FsRtlAllocateResource (
    VOID
);

NTKERNELAPI
BOOLEAN
FsRtlAreNamesEqual (
    IN PUNICODE_STRING  Name1,
    IN PUNICODE_STRING  Name2,
    IN BOOLEAN          IgnoreCase,
    IN PWCHAR           UpcaseTable OPTIONAL
);

#define FsRtlAreThereCurrentFileLocks(FL) ( \
    ((FL)->FastIoIsQuestionable)            \
)

NTKERNELAPI
NTSTATUS
FsRtlBalanceReads (
    IN PDEVICE_OBJECT TargetDevice
);

/*
  FsRtlCheckLockForReadAccess:

  All this really does is pick out the lock parameters from the irp (io stack
  location?), get IoGetRequestorProcess, and pass values on to
  FsRtlFastCheckLockForRead.
*/
NTKERNELAPI
BOOLEAN
FsRtlCheckLockForReadAccess (
    IN PFILE_LOCK   FileLock,
    IN PIRP         Irp
);

/*
  FsRtlCheckLockForWriteAccess:

  All this really does is pick out the lock parameters from the irp (io stack
  location?), get IoGetRequestorProcess, and pass values on to
  FsRtlFastCheckLockForWrite.
*/
NTKERNELAPI
BOOLEAN
FsRtlCheckLockForWriteAccess (
    IN PFILE_LOCK   FileLock,
    IN PIRP         Irp
);

typedef
VOID
(*POPLOCK_WAIT_COMPLETE_ROUTINE) (
    IN PVOID    Context,
    IN PIRP     Irp
);

typedef
VOID
(*POPLOCK_FS_PREPOST_IRP) (
    IN PVOID    Context,
    IN PIRP     Irp
);

NTKERNELAPI
NTSTATUS
FsRtlCheckOplock (
    IN POPLOCK                          Oplock,
    IN PIRP                             Irp,
    IN PVOID                            Context,
    IN POPLOCK_WAIT_COMPLETE_ROUTINE    CompletionRoutine OPTIONAL,
    IN POPLOCK_FS_PREPOST_IRP           PostIrpRoutine OPTIONAL
);

NTKERNELAPI
BOOLEAN
FsRtlCopyRead (
    IN PFILE_OBJECT         FileObject,
    IN PLARGE_INTEGER       FileOffset,
    IN ULONG                Length,
    IN BOOLEAN              Wait,
    IN ULONG                LockKey,
    OUT PVOID               Buffer,
    OUT PIO_STATUS_BLOCK    IoStatus,
    IN PDEVICE_OBJECT       DeviceObject
);

NTKERNELAPI
BOOLEAN
FsRtlCopyWrite (
    IN PFILE_OBJECT         FileObject,
    IN PLARGE_INTEGER       FileOffset,
    IN ULONG                Length,
    IN BOOLEAN              Wait,
    IN ULONG                LockKey,
    IN PVOID                Buffer,
    OUT PIO_STATUS_BLOCK    IoStatus,
    IN PDEVICE_OBJECT       DeviceObject
);

NTKERNELAPI
BOOLEAN
FsRtlCurrentBatchOplock (
    IN POPLOCK Oplock
);

NTKERNELAPI
VOID
FsRtlDeleteKeyFromTunnelCache (
    IN PTUNNEL      Cache,
    IN ULONGLONG    DirectoryKey
);

NTKERNELAPI
VOID
FsRtlDeleteTunnelCache (
    IN PTUNNEL Cache
);

NTKERNELAPI
VOID
FsRtlDeregisterUncProvider (
    IN HANDLE Handle
);

NTKERNELAPI
VOID
FsRtlDissectDbcs (
    IN ANSI_STRING      InputName,
    OUT PANSI_STRING    FirstPart,
    OUT PANSI_STRING    RemainingPart
);

NTKERNELAPI
VOID
FsRtlDissectName (
    IN UNICODE_STRING   Path,
    OUT PUNICODE_STRING FirstName,
    OUT PUNICODE_STRING RemainingName
);

NTKERNELAPI
BOOLEAN
FsRtlDoesDbcsContainWildCards (
    IN PANSI_STRING Name
);

NTKERNELAPI
BOOLEAN
FsRtlDoesNameContainWildCards (
    IN PUNICODE_STRING Name
);

#define FsRtlEnterFileSystem    KeEnterCriticalRegion

#define FsRtlExitFileSystem     KeLeaveCriticalRegion

NTKERNELAPI
BOOLEAN
FsRtlFastCheckLockForRead (
    IN PFILE_LOCK           FileLock,
    IN PLARGE_INTEGER       FileOffset,
    IN PLARGE_INTEGER       Length,
    IN ULONG                Key,
    IN PFILE_OBJECT         FileObject,
    IN PEPROCESS            Process
);

NTKERNELAPI
BOOLEAN
FsRtlFastCheckLockForWrite (
    IN PFILE_LOCK           FileLock,
    IN PLARGE_INTEGER       FileOffset,
    IN PLARGE_INTEGER       Length,
    IN ULONG                Key,
    IN PFILE_OBJECT         FileObject,
    IN PEPROCESS            Process
);

#define FsRtlFastLock(A1, A2, A3, A4, A5, A6, A7, A8, A9, A10, A11) (       \
     FsRtlPrivateLock(A1, A2, A3, A4, A5, A6, A7, A8, A9, NULL, A10, A11)   \
)

NTKERNELAPI
NTSTATUS
FsRtlFastUnlockAll (
    IN PFILE_LOCK           FileLock,
    IN PFILE_OBJECT         FileObject,
    IN PEPROCESS            Process,
    IN PVOID                Context OPTIONAL
);
//ret: STATUS_RANGE_NOT_LOCKED

NTKERNELAPI
NTSTATUS
FsRtlFastUnlockAllByKey (
    IN PFILE_LOCK           FileLock,
    IN PFILE_OBJECT         FileObject,
    IN PEPROCESS            Process,
    IN ULONG                Key,
    IN PVOID                Context OPTIONAL
);  
//ret: STATUS_RANGE_NOT_LOCKED

NTKERNELAPI
NTSTATUS
FsRtlFastUnlockSingle (
    IN PFILE_LOCK           FileLock,
    IN PFILE_OBJECT         FileObject,
    IN PLARGE_INTEGER       FileOffset,
    IN PLARGE_INTEGER       Length,
    IN PEPROCESS            Process,
    IN ULONG                Key,
    IN PVOID                Context OPTIONAL,
    IN BOOLEAN              AlreadySynchronized
);                      
//ret:  STATUS_RANGE_NOT_LOCKED

NTKERNELAPI
BOOLEAN
FsRtlFindInTunnelCache (
    IN PTUNNEL          Cache,
    IN ULONGLONG        DirectoryKey,
    IN PUNICODE_STRING  Name,
    OUT PUNICODE_STRING ShortName,
    OUT PUNICODE_STRING LongName,
    IN OUT PULONG       DataLength,
    OUT PVOID           Data
);

#if (VER_PRODUCTBUILD >= 2195)

VOID
FsRtlFreeFileLock (
    IN PFILE_LOCK FileLock
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
NTSTATUS
FsRtlGetFileSize (
    IN PFILE_OBJECT         FileObject,
    IN OUT PLARGE_INTEGER   FileSize
);

/*
  FsRtlGetNextFileLock:

  ret: NULL if no more locks

  Internals:
    FsRtlGetNextFileLock uses FileLock->LastReturnedLockInfo and
    FileLock->LastReturnedLock as storage.
    LastReturnedLock is a pointer to the 'raw' lock inkl. double linked
    list, and FsRtlGetNextFileLock needs this to get next lock on subsequent
    calls with Restart = FALSE.
*/
NTKERNELAPI
PFILE_LOCK_INFO
FsRtlGetNextFileLock (
    IN PFILE_LOCK   FileLock,
    IN BOOLEAN      Restart
);

NTKERNELAPI
BOOLEAN
FsRtlGetNextLargeMcbEntry (
    IN PLARGE_MCB   Mcb,
    IN ULONG        RunIndex,
    OUT PLONGLONG   Vbn,
    OUT PLONGLONG   Lbn,
    OUT PLONGLONG   SectorCount
);

NTKERNELAPI
BOOLEAN
FsRtlGetNextMcbEntry (
    IN PMCB     Mcb,
    IN ULONG    RunIndex,
    OUT PVBN    Vbn,
    OUT PLBN    Lbn,
    OUT PULONG  SectorCount
);

#if (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
VOID
FsRtlIncrementCcFastReadNotPossible (
    VOID
);

NTKERNELAPI
VOID
FsRtlIncrementCcFastReadNoWait (
    VOID
);

NTKERNELAPI
VOID
FsRtlIncrementCcFastReadResourceMiss (
    VOID
);

NTKERNELAPI
VOID
FsRtlIncrementCcFastReadWait (
    VOID
);

#endif // (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
VOID
FsRtlInitializeFileLock (
    IN PFILE_LOCK                   FileLock,
    IN PCOMPLETE_LOCK_IRP_ROUTINE   CompleteLockIrpRoutine OPTIONAL,
    IN PUNLOCK_ROUTINE              UnlockRoutine OPTIONAL
);

NTKERNELAPI
VOID
FsRtlInitializeLargeMcb (
    IN PLARGE_MCB   Mcb,
    IN POOL_TYPE    PoolType
);

NTKERNELAPI
VOID
FsRtlInitializeMcb (
    IN PMCB         Mcb,
    IN POOL_TYPE    PoolType
);

NTKERNELAPI
VOID
FsRtlInitializeOplock (
    IN OUT POPLOCK Oplock
);

NTKERNELAPI
VOID
FsRtlInitializeTunnelCache (
    IN PTUNNEL Cache
);

NTKERNELAPI
BOOLEAN
FsRtlIsDbcsInExpression (
    IN PANSI_STRING Expression,
    IN PANSI_STRING Name
);

NTKERNELAPI
BOOLEAN
FsRtlIsFatDbcsLegal (
    IN ANSI_STRING  DbcsName,
    IN BOOLEAN      WildCardsPermissible,
    IN BOOLEAN      PathNamePermissible,
    IN BOOLEAN      LeadingBackslashPermissible
);

NTKERNELAPI
BOOLEAN
FsRtlIsHpfsDbcsLegal (
    IN ANSI_STRING  DbcsName,
    IN BOOLEAN      WildCardsPermissible,
    IN BOOLEAN      PathNamePermissible,
    IN BOOLEAN      LeadingBackslashPermissible
);

NTKERNELAPI
BOOLEAN
FsRtlIsNameInExpression (
    IN PUNICODE_STRING  Expression,
    IN PUNICODE_STRING  Name,
    IN BOOLEAN          IgnoreCase,
    IN PWCHAR           UpcaseTable OPTIONAL
);

NTKERNELAPI
BOOLEAN
FsRtlIsNtstatusExpected (
    IN NTSTATUS Ntstatus
);

#if (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
BOOLEAN
FsRtlIsPagingFile (
    IN PFILE_OBJECT FileObject
);

#endif // (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
BOOLEAN
FsRtlIsTotalDeviceFailure (
    IN NTSTATUS Status
);

#define FsRtlIsUnicodeCharacterWild(C) (                                    \
    (((C) >= 0x40) ?                                                        \
    FALSE :                                                                 \
    FlagOn((*FsRtlLegalAnsiCharacterArray)[(C)], FSRTL_WILD_CHARACTER ))    \
)

NTKERNELAPI
BOOLEAN
FsRtlLookupLargeMcbEntry (
    IN PLARGE_MCB   Mcb,
    IN LONGLONG     Vbn,
    OUT PLONGLONG   Lbn OPTIONAL,
    OUT PLONGLONG   SectorCountFromLbn OPTIONAL,
    OUT PLONGLONG   StartingLbn OPTIONAL,
    OUT PLONGLONG   SectorCountFromStartingLbn OPTIONAL,
    OUT PULONG      Index OPTIONAL
);

NTKERNELAPI
BOOLEAN
FsRtlLookupLastLargeMcbEntry (
    IN PLARGE_MCB Mcb,
    OUT PLONGLONG Vbn,
    OUT PLONGLONG Lbn
);

#if (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
BOOLEAN
FsRtlLookupLastLargeMcbEntryAndIndex (
    IN PLARGE_MCB   OpaqueMcb,
    OUT PLONGLONG   LargeVbn,
    OUT PLONGLONG   LargeLbn,
    OUT PULONG      Index
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
BOOLEAN
FsRtlLookupLastMcbEntry (
    IN PMCB     Mcb,
    OUT PVBN    Vbn,
    OUT PLBN    Lbn
);

NTKERNELAPI
BOOLEAN
FsRtlLookupMcbEntry (
    IN PMCB     Mcb,
    IN VBN      Vbn,
    OUT PLBN    Lbn,
    OUT PULONG  SectorCount OPTIONAL,
    OUT PULONG  Index
);

NTKERNELAPI
BOOLEAN
FsRtlMdlReadComplete (
    IN PFILE_OBJECT     FileObject,
    IN PMDL             MdlChain
);

NTKERNELAPI
BOOLEAN
FsRtlMdlReadCompleteDev (
    IN PFILE_OBJECT     FileObject,
    IN PMDL             MdlChain,
    IN PDEVICE_OBJECT   DeviceObject
);

#if (VER_PRODUCTBUILD >= 1381)

NTKERNELAPI
BOOLEAN
FsRtlMdlReadDev (
    IN PFILE_OBJECT         FileObject,
    IN PLARGE_INTEGER       FileOffset,
    IN ULONG                Length,
    IN ULONG                LockKey,
    OUT PMDL                *MdlChain,
    OUT PIO_STATUS_BLOCK    IoStatus,
    IN PDEVICE_OBJECT       DeviceObject
);

#endif // (VER_PRODUCTBUILD >= 1381)

NTKERNELAPI
BOOLEAN
FsRtlMdlWriteComplete (
    IN PFILE_OBJECT     FileObject,
    IN PLARGE_INTEGER   FileOffset,
    IN PMDL             MdlChain
);

NTKERNELAPI
BOOLEAN
FsRtlMdlWriteCompleteDev (
    IN PFILE_OBJECT     FileObject,
    IN PLARGE_INTEGER   FileOffset,
    IN PMDL             MdlChain,
    IN PDEVICE_OBJECT   DeviceObject
);

NTKERNELAPI
NTSTATUS
FsRtlNormalizeNtstatus (
    IN NTSTATUS Exception,
    IN NTSTATUS GenericException
);

NTKERNELAPI
VOID
FsRtlNotifyChangeDirectory (
    IN PNOTIFY_SYNC NotifySync,
    IN PVOID        FsContext,
    IN PSTRING      FullDirectoryName,
    IN PLIST_ENTRY  NotifyList,
    IN BOOLEAN      WatchTree,
    IN ULONG        CompletionFilter,
    IN PIRP         NotifyIrp
);

NTKERNELAPI
VOID
FsRtlNotifyCleanup (
    IN PNOTIFY_SYNC NotifySync,
    IN PLIST_ENTRY  NotifyList,
    IN PVOID        FsContext
);

typedef BOOLEAN (*PCHECK_FOR_TRAVERSE_ACCESS) (
    IN PVOID                        NotifyContext,
    IN PVOID                        TargetContext,
    IN PSECURITY_SUBJECT_CONTEXT    SubjectContext
);

#if (VER_PRODUCTBUILD >= 2600)

typedef BOOLEAN (*PFILTER_REPORT_CHANGE) (
    IN PVOID NotifyContext,
    IN PVOID FilterContext
);

NTKERNELAPI
VOID
FsRtlNotifyFilterChangeDirectory (
    IN PNOTIFY_SYNC                 NotifySync,
    IN PLIST_ENTRY                  NotifyList,
    IN PVOID                        FsContext,
    IN PSTRING                      FullDirectoryName,
    IN BOOLEAN                      WatchTree,
    IN BOOLEAN                      IgnoreBuffer,
    IN ULONG                        CompletionFilter,
    IN PIRP                         NotifyIrp,
    IN PCHECK_FOR_TRAVERSE_ACCESS   TraverseCallback OPTIONAL,
    IN PSECURITY_SUBJECT_CONTEXT    SubjectContext OPTIONAL,
    IN PFILTER_REPORT_CHANGE        FilterCallback OPTIONAL
);

NTKERNELAPI
VOID
FsRtlNotifyFilterReportChange (
    IN PNOTIFY_SYNC NotifySync,
    IN PLIST_ENTRY  NotifyList,
    IN PSTRING      FullTargetName,
    IN USHORT       TargetNameOffset,
    IN PSTRING      StreamName OPTIONAL,
    IN PSTRING      NormalizedParentName OPTIONAL,
    IN ULONG        FilterMatch,
    IN ULONG        Action,
    IN PVOID        TargetContext,
    IN PVOID        FilterContext
);

#endif // (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
VOID
FsRtlNotifyFullChangeDirectory (
    IN PNOTIFY_SYNC                 NotifySync,
    IN PLIST_ENTRY                  NotifyList,
    IN PVOID                        FsContext,
    IN PSTRING                      FullDirectoryName,
    IN BOOLEAN                      WatchTree,
    IN BOOLEAN                      IgnoreBuffer,
    IN ULONG                        CompletionFilter,
    IN PIRP                         NotifyIrp,
    IN PCHECK_FOR_TRAVERSE_ACCESS   TraverseCallback OPTIONAL,
    IN PSECURITY_SUBJECT_CONTEXT    SubjectContext OPTIONAL
);

NTKERNELAPI
VOID
FsRtlNotifyFullReportChange (
    IN PNOTIFY_SYNC NotifySync,
    IN PLIST_ENTRY  NotifyList,
    IN PSTRING      FullTargetName,
    IN USHORT       TargetNameOffset,
    IN PSTRING      StreamName OPTIONAL,
    IN PSTRING      NormalizedParentName OPTIONAL,
    IN ULONG        FilterMatch,
    IN ULONG        Action,
    IN PVOID        TargetContext
);

NTKERNELAPI
VOID
FsRtlNotifyInitializeSync (
    IN PNOTIFY_SYNC *NotifySync
);

NTKERNELAPI
VOID
FsRtlNotifyReportChange (
    IN PNOTIFY_SYNC NotifySync,
    IN PLIST_ENTRY  NotifyList,
    IN PSTRING      FullTargetName,
    IN PUSHORT      FileNamePartLength,
    IN ULONG        FilterMatch
);

NTKERNELAPI
VOID
FsRtlNotifyUninitializeSync (
    IN PNOTIFY_SYNC *NotifySync
);

#if (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
NTSTATUS
FsRtlNotifyVolumeEvent (
    IN PFILE_OBJECT FileObject,
    IN ULONG        EventCode
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
ULONG
FsRtlNumberOfRunsInLargeMcb (
    IN PLARGE_MCB Mcb
);

NTKERNELAPI
ULONG
FsRtlNumberOfRunsInMcb (
    IN PMCB Mcb
);

NTKERNELAPI
NTSTATUS
FsRtlOplockFsctrl (
    IN POPLOCK  Oplock,
    IN PIRP     Irp,
    IN ULONG    OpenCount
);

NTKERNELAPI
BOOLEAN
FsRtlOplockIsFastIoPossible (
    IN POPLOCK Oplock
);

typedef
VOID
(*PFSRTL_STACK_OVERFLOW_ROUTINE) (
    IN PVOID    Context,
    IN PKEVENT  Event
    );

NTKERNELAPI
VOID
FsRtlPostPagingFileStackOverflow (
    IN PVOID                            Context,
    IN PKEVENT                          Event,
    IN PFSRTL_STACK_OVERFLOW_ROUTINE    StackOverflowRoutine
);

NTKERNELAPI
VOID
FsRtlPostStackOverflow (
    IN PVOID                            Context,
    IN PKEVENT                          Event,
    IN PFSRTL_STACK_OVERFLOW_ROUTINE    StackOverflowRoutine
);

#if (VER_PRODUCTBUILD >= 1381)

NTKERNELAPI
BOOLEAN
FsRtlPrepareMdlWriteDev (
    IN PFILE_OBJECT         FileObject,
    IN PLARGE_INTEGER       FileOffset,
    IN ULONG                Length,
    IN ULONG                LockKey,
    OUT PMDL                *MdlChain,
    OUT PIO_STATUS_BLOCK    IoStatus,
    IN PDEVICE_OBJECT       DeviceObject
);

#endif // (VER_PRODUCTBUILD >= 1381)

/*
  FsRtlPrivateLock:

  ret: IoStatus->Status: STATUS_PENDING, STATUS_LOCK_NOT_GRANTED

  Internals: 
    -Calls IoCompleteRequest if Irp
    -Uses exception handling / ExRaiseStatus with STATUS_INSUFFICIENT_RESOURCES
*/
NTKERNELAPI
BOOLEAN
FsRtlPrivateLock (
    IN PFILE_LOCK           FileLock,
    IN PFILE_OBJECT         FileObject,
    IN PLARGE_INTEGER       FileOffset,
    IN PLARGE_INTEGER       Length,
    IN PEPROCESS            Process,
    IN ULONG                Key,
    IN BOOLEAN              FailImmediately, 
    IN BOOLEAN              ExclusiveLock,
    OUT PIO_STATUS_BLOCK    IoStatus, 
    IN PIRP                 Irp OPTIONAL,
    IN PVOID                Context,
    IN BOOLEAN              AlreadySynchronized
);

/*
  FsRtlProcessFileLock:

  ret:
    -STATUS_INVALID_DEVICE_REQUEST
    -STATUS_RANGE_NOT_LOCKED from unlock routines.
    -STATUS_PENDING, STATUS_LOCK_NOT_GRANTED from FsRtlPrivateLock
    (redirected IoStatus->Status).

  Internals: 
    -switch ( Irp->CurrentStackLocation->MinorFunction )
        lock: return FsRtlPrivateLock;
        unlocksingle: return FsRtlFastUnlockSingle;
        unlockall: return FsRtlFastUnlockAll;
        unlockallbykey: return FsRtlFastUnlockAllByKey;
        default: IofCompleteRequest with STATUS_INVALID_DEVICE_REQUEST;
                 return STATUS_INVALID_DEVICE_REQUEST;

    -'AllwaysZero' is passed thru as 'AllwaysZero' to lock / unlock routines.
    -'Irp' is passet thru as 'Irp' to FsRtlPrivateLock.
*/
NTKERNELAPI
NTSTATUS
FsRtlProcessFileLock (
    IN PFILE_LOCK   FileLock,
    IN PIRP         Irp,
    IN PVOID        Context OPTIONAL
);

NTKERNELAPI
NTSTATUS
FsRtlRegisterUncProvider (
    IN OUT PHANDLE      MupHandle,
    IN PUNICODE_STRING  RedirectorDeviceName,
    IN BOOLEAN          MailslotsSupported
);

#if (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
VOID
FsRtlReleaseFile (
    IN PFILE_OBJECT FileObject
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
VOID
FsRtlRemoveLargeMcbEntry (
    IN PLARGE_MCB   Mcb,
    IN LONGLONG     Vbn,
    IN LONGLONG     SectorCount
);

NTKERNELAPI
VOID
FsRtlRemoveMcbEntry (
    IN PMCB     Mcb,
    IN VBN      Vbn,
    IN ULONG    SectorCount
);

#if (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
VOID
FsRtlResetLargeMcb (
    IN PLARGE_MCB   Mcb,
    IN BOOLEAN      SelfSynchronized
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
BOOLEAN
FsRtlSplitLargeMcb (
    IN PLARGE_MCB   Mcb,
    IN LONGLONG     Vbn,
    IN LONGLONG     Amount
);

NTKERNELAPI
VOID
FsRtlTruncateLargeMcb (
    IN PLARGE_MCB   Mcb,
    IN LONGLONG     Vbn
);

NTKERNELAPI
VOID
FsRtlTruncateMcb (
    IN PMCB Mcb,
    IN VBN  Vbn
);

NTKERNELAPI
VOID
FsRtlUninitializeFileLock (
    IN PFILE_LOCK FileLock
);

NTKERNELAPI
VOID
FsRtlUninitializeLargeMcb (
    IN PLARGE_MCB Mcb
);

NTKERNELAPI
VOID
FsRtlUninitializeMcb (
    IN PMCB Mcb
);

NTKERNELAPI
VOID
FsRtlUninitializeOplock (
    IN OUT POPLOCK Oplock
);

//
// If using HalDisplayString during boot on Windows 2000 or later you must
// first call InbvEnableDisplayString.
//
NTSYSAPI
VOID
NTAPI
HalDisplayString (
    IN PCHAR String
);

NTSYSAPI
VOID
NTAPI
HalQueryRealTimeClock (
    IN OUT PTIME_FIELDS TimeFields
);

NTSYSAPI
VOID
NTAPI
HalSetRealTimeClock (
    IN PTIME_FIELDS TimeFields
);

#if (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
VOID
InbvAcquireDisplayOwnership (
    VOID
);

NTKERNELAPI
BOOLEAN
InbvCheckDisplayOwnership (
    VOID
);

NTKERNELAPI
BOOLEAN
InbvDisplayString (
    IN PCHAR String
);

NTKERNELAPI
VOID
InbvEnableBootDriver (
    IN BOOLEAN Enable
);

NTKERNELAPI
BOOLEAN
InbvEnableDisplayString (
    IN BOOLEAN Enable
);

NTKERNELAPI
VOID
InbvInstallDisplayStringFilter (
    IN PVOID Unknown
);

NTKERNELAPI
BOOLEAN
InbvIsBootDriverInstalled (
    VOID
);

NTKERNELAPI
VOID
InbvNotifyDisplayOwnershipLost (
    IN PVOID Callback
);

NTKERNELAPI
BOOLEAN
InbvResetDisplay (
    VOID
);

NTKERNELAPI
VOID
InbvSetScrollRegion (
    IN ULONG Left,
    IN ULONG Top,
    IN ULONG Width,
    IN ULONG Height
);

NTKERNELAPI
VOID
InbvSetTextColor (
    IN ULONG Color
);

NTKERNELAPI
VOID
InbvSolidColorFill (
    IN ULONG Left,
    IN ULONG Top,
    IN ULONG Width,
    IN ULONG Height,
    IN ULONG Color
);

#endif // (VER_PRODUCTBUILD >= 2195)

#define InitializeMessageHeader(m, l, t) {                  \
    (m)->Length = (USHORT)(l);                              \
    (m)->DataLength = (USHORT)(l - sizeof( LPC_MESSAGE ));  \
    (m)->MessageType = (USHORT)(t);                         \
    (m)->DataInfoOffset = 0;                                \
}

NTKERNELAPI
VOID
IoAcquireVpbSpinLock (
    OUT PKIRQL Irql
);

#if (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
NTSTATUS
IoAttachDeviceToDeviceStackSafe (
    IN PDEVICE_OBJECT   SourceDevice,
    IN PDEVICE_OBJECT   TargetDevice,
    OUT PDEVICE_OBJECT  *AttachedToDeviceObject
);

#endif // (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
NTSTATUS
IoCheckDesiredAccess (
    IN OUT PACCESS_MASK DesiredAccess,
    IN ACCESS_MASK      GrantedAccess
);

NTKERNELAPI
NTSTATUS
IoCheckEaBufferValidity (
    IN PFILE_FULL_EA_INFORMATION    EaBuffer,
    IN ULONG                        EaLength,
    OUT PULONG                      ErrorOffset
);

NTKERNELAPI
NTSTATUS
IoCheckFunctionAccess (
    IN ACCESS_MASK              GrantedAccess,
    IN UCHAR                    MajorFunction,
    IN UCHAR                    MinorFunction,
    IN ULONG                    IoControlCode,
    IN PFILE_INFORMATION_CLASS  FileInformationClass OPTIONAL,
    IN PFS_INFORMATION_CLASS    FsInformationClass OPTIONAL
);

#if (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
NTSTATUS
IoCheckQuerySetFileInformation (
    IN FILE_INFORMATION_CLASS   FileInformationClass,
    IN ULONG                    Length,
    IN BOOLEAN                  SetOperation
);

NTKERNELAPI
NTSTATUS
IoCheckQuerySetVolumeInformation (
    IN FS_INFORMATION_CLASS     FsInformationClass,
    IN ULONG                    Length,
    IN BOOLEAN                  SetOperation
);

NTKERNELAPI
NTSTATUS
IoCheckQuotaBufferValidity (
    IN PFILE_QUOTA_INFORMATION  QuotaBuffer,
    IN ULONG                    QuotaLength,
    OUT PULONG                  ErrorOffset
);

#endif // (VER_PRODUCTBUILD >= 2195)

#if (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
NTSTATUS
IoCreateFileSpecifyDeviceObjectHint (
    OUT PHANDLE             FileHandle,
    IN ACCESS_MASK          DesiredAccess,
    IN POBJECT_ATTRIBUTES   ObjectAttributes,
    OUT PIO_STATUS_BLOCK    IoStatusBlock,
    IN PLARGE_INTEGER       AllocationSize OPTIONAL,
    IN ULONG                FileAttributes,
    IN ULONG                ShareAccess,
    IN ULONG                Disposition,
    IN ULONG                CreateOptions,
    IN PVOID                EaBuffer OPTIONAL,
    IN ULONG                EaLength,
    IN CREATE_FILE_TYPE     CreateFileType,
    IN PVOID                ExtraCreateParameters OPTIONAL,
    IN ULONG                Options,
    IN PVOID                DeviceObject
);

#endif // (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
PFILE_OBJECT
IoCreateStreamFileObject (
    IN PFILE_OBJECT     FileObject OPTIONAL,
    IN PDEVICE_OBJECT   DeviceObject OPTIONAL
);

#if (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
PFILE_OBJECT
IoCreateStreamFileObjectEx (
    IN PFILE_OBJECT     FileObject OPTIONAL,
    IN PDEVICE_OBJECT   DeviceObject OPTIONAL,
    OUT PHANDLE         FileObjectHandle OPTIONAL
);

#endif // (VER_PRODUCTBUILD >= 2600)

#if (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
PFILE_OBJECT
IoCreateStreamFileObjectLite (
    IN PFILE_OBJECT     FileObject OPTIONAL,
    IN PDEVICE_OBJECT   DeviceObject OPTIONAL
);

#endif // (VER_PRODUCTBUILD >= 2195)

#if (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
NTSTATUS
IoEnumerateDeviceObjectList (
    IN PDRIVER_OBJECT   DriverObject,
    IN PDEVICE_OBJECT   *DeviceObjectList,
    IN ULONG            DeviceObjectListSize,
    OUT PULONG          ActualNumberDeviceObjects
);

#endif // (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
BOOLEAN
IoFastQueryNetworkAttributes (
    IN POBJECT_ATTRIBUTES               ObjectAttributes,
    IN ACCESS_MASK                      DesiredAccess,
    IN ULONG                            OpenOptions,
    OUT PIO_STATUS_BLOCK                IoStatus,
    OUT PFILE_NETWORK_OPEN_INFORMATION  Buffer
);

NTKERNELAPI
PDEVICE_OBJECT
IoGetAttachedDevice (
    IN PDEVICE_OBJECT DeviceObject
);

NTKERNELAPI
PDEVICE_OBJECT
IoGetBaseFileSystemDeviceObject (
    IN PFILE_OBJECT FileObject
);

#if (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
PDEVICE_OBJECT
IoGetDeviceAttachmentBaseRef (
    IN PDEVICE_OBJECT DeviceObject
);

NTKERNELAPI
NTSTATUS
IoGetDiskDeviceObject (
    IN PDEVICE_OBJECT   FileSystemDeviceObject,
    OUT PDEVICE_OBJECT  *DiskDeviceObject
);

NTKERNELAPI
PDEVICE_OBJECT
IoGetLowerDeviceObject (
    IN PDEVICE_OBJECT DeviceObject
);

#endif // (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
PEPROCESS
IoGetRequestorProcess (
    IN PIRP Irp
);

#if (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
ULONG
IoGetRequestorProcessId (
    IN PIRP Irp
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
PIRP
IoGetTopLevelIrp (
    VOID
);

#define IoIsFileOpenedExclusively(FileObject) ( \
    (BOOLEAN) !(                                \
    (FileObject)->SharedRead ||                 \
    (FileObject)->SharedWrite ||                \
    (FileObject)->SharedDelete                  \
    )                                           \
)

#if (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
BOOLEAN
IoIsFileOriginRemote (
    IN PFILE_OBJECT FileObject
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
BOOLEAN
IoIsOperationSynchronous (
    IN PIRP Irp
);

NTKERNELAPI
BOOLEAN
IoIsSystemThread (
    IN PETHREAD Thread
);

#if (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
BOOLEAN
IoIsValidNameGraftingBuffer (
    IN PIRP                 Irp,
    IN PREPARSE_DATA_BUFFER ReparseBuffer
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
NTSTATUS
IoPageRead (
    IN PFILE_OBJECT         FileObject,
    IN PMDL                 Mdl,
    IN PLARGE_INTEGER       Offset,
    IN PKEVENT              Event,
    OUT PIO_STATUS_BLOCK    IoStatusBlock
);

#if (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
NTSTATUS
IoQueryFileDosDeviceName (
    IN PFILE_OBJECT                 FileObject,
    OUT POBJECT_NAME_INFORMATION    *ObjectNameInformation
);

#endif // (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
NTSTATUS
IoQueryFileInformation (
    IN PFILE_OBJECT             FileObject,
    IN FILE_INFORMATION_CLASS   FileInformationClass,
    IN ULONG                    Length,
    OUT PVOID                   FileInformation,
    OUT PULONG                  ReturnedLength
);

NTKERNELAPI
NTSTATUS
IoQueryVolumeInformation (
    IN PFILE_OBJECT         FileObject,
    IN FS_INFORMATION_CLASS FsInformationClass,
    IN ULONG                Length,
    OUT PVOID               FsInformation,
    OUT PULONG              ReturnedLength
);

#if (VER_PRODUCTBUILD >= 1381)

NTKERNELAPI
VOID
IoQueueThreadIrp (
    IN PIRP Irp
);

#endif // (VER_PRODUCTBUILD >= 1381)

NTKERNELAPI
VOID
IoRegisterFileSystem (
    IN OUT PDEVICE_OBJECT DeviceObject
);

#if (VER_PRODUCTBUILD >= 1381)

typedef VOID (*PDRIVER_FS_NOTIFICATION) (
    IN PDEVICE_OBJECT DeviceObject,
    IN BOOLEAN        DriverActive
);

NTKERNELAPI
NTSTATUS
IoRegisterFsRegistrationChange (
    IN PDRIVER_OBJECT           DriverObject,
    IN PDRIVER_FS_NOTIFICATION  DriverNotificationRoutine
);

#endif // (VER_PRODUCTBUILD >= 1381)

NTKERNELAPI
VOID
IoReleaseVpbSpinLock (
    IN KIRQL Irql
);

NTKERNELAPI
VOID
IoSetDeviceToVerify (
    IN PETHREAD         Thread,
    IN PDEVICE_OBJECT   DeviceObject
);

#if (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
NTSTATUS
IoSetFileOrigin (
    IN PFILE_OBJECT FileObject,
    IN BOOLEAN      Remote
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
NTSTATUS
IoSetInformation (
    IN PFILE_OBJECT             FileObject,
    IN FILE_INFORMATION_CLASS   FileInformationClass,
    IN ULONG                    Length,
    IN PVOID                    FileInformation
);

NTKERNELAPI
VOID
IoSetTopLevelIrp (
    IN PIRP Irp
);

NTKERNELAPI
NTSTATUS
IoSynchronousPageWrite (
    IN PFILE_OBJECT         FileObject,
    IN PMDL                 Mdl,
    IN PLARGE_INTEGER       FileOffset,
    IN PKEVENT              Event,
    OUT PIO_STATUS_BLOCK    IoStatusBlock
);

NTKERNELAPI
PEPROCESS
IoThreadToProcess (
    IN PETHREAD Thread
);

NTKERNELAPI
VOID
IoUnregisterFileSystem (
    IN OUT PDEVICE_OBJECT DeviceObject
);

#if (VER_PRODUCTBUILD >= 1381)

NTKERNELAPI
NTSTATUS
IoUnregisterFsRegistrationChange (
    IN PDRIVER_OBJECT           DriverObject,
    IN PDRIVER_FS_NOTIFICATION  DriverNotificationRoutine
);

#endif // (VER_PRODUCTBUILD >= 1381)

NTKERNELAPI
NTSTATUS
IoVerifyVolume (
    IN PDEVICE_OBJECT   DeviceObject,
    IN BOOLEAN          AllowRawMount
);

#if (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
KIRQL
FASTCALL
KeAcquireQueuedSpinLock (
    IN KSPIN_LOCK_QUEUE_NUMBER Number
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
VOID
KeAttachProcess (
    IN PEPROCESS Process
);

NTKERNELAPI
VOID
KeDetachProcess (
    VOID
);

NTKERNELAPI
VOID
KeInitializeApc (
    PKAPC               Apc,
    PKTHREAD            Thread,
    UCHAR               StateIndex,
    PKKERNEL_ROUTINE    KernelRoutine,
    PKRUNDOWN_ROUTINE   RundownRoutine,
    PKNORMAL_ROUTINE    NormalRoutine,
    KPROCESSOR_MODE     ApcMode,
    PVOID               NormalContext
);

NTKERNELAPI
VOID
KeInitializeMutant (
    IN PRKMUTANT    Mutant,
    IN BOOLEAN      InitialOwner
);

NTKERNELAPI
VOID
KeInitializeQueue (
    IN PRKQUEUE Queue,
    IN ULONG    Count OPTIONAL
);

NTKERNELAPI
LONG
KeInsertHeadQueue (
    IN PRKQUEUE     Queue,
    IN PLIST_ENTRY  Entry
);

NTKERNELAPI
LONG
KeInsertQueue (
    IN PRKQUEUE     Queue,
    IN PLIST_ENTRY  Entry
);

NTKERNELAPI
BOOLEAN
KeInsertQueueApc (
    IN PKAPC        Apc,
    IN PVOID        SystemArgument1,
    IN PVOID        SystemArgument2,
    IN KPRIORITY    Increment
);

#if (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
BOOLEAN
KeIsAttachedProcess (
    VOID
);

#endif // (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
BOOLEAN
KeIsExecutingDpc (
    VOID
);

NTKERNELAPI
LONG
KeReadStateMutant (
    IN PRKMUTANT Mutant
);

NTKERNELAPI
LONG
KeReadStateQueue (
    IN PRKQUEUE Queue
);

NTKERNELAPI
LONG
KeReleaseMutant (
    IN PRKMUTANT    Mutant,
    IN KPRIORITY    Increment,
    IN BOOLEAN      Abandoned,
    IN BOOLEAN      Wait
);

#if (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
VOID
FASTCALL
KeReleaseQueuedSpinLock (
    IN KSPIN_LOCK_QUEUE_NUMBER  Number,
    IN KIRQL                    OldIrql
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
PLIST_ENTRY
KeRemoveQueue (
    IN PRKQUEUE         Queue,
    IN KPROCESSOR_MODE  WaitMode,
    IN PLARGE_INTEGER   Timeout OPTIONAL
);

#if (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
NTSTATUS
KeRevertToUserAffinityThread (
    VOID
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
PLIST_ENTRY
KeRundownQueue (
    IN PRKQUEUE Queue
);

#if (VER_PRODUCTBUILD >= 1381)

NTKERNELAPI
CCHAR
KeSetIdealProcessorThread (
    IN PKTHREAD Thread,
    IN CCHAR    Processor
);

NTKERNELAPI
BOOLEAN
KeSetKernelStackSwapEnable (
    IN BOOLEAN Enable
);

#endif // (VER_PRODUCTBUILD >= 1381)

#if (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
VOID
KeStackAttachProcess (
    IN PKPROCESS    Process,
    OUT PKAPC_STATE ApcState
);

NTKERNELAPI
LOGICAL
FASTCALL
KeTryToAcquireQueuedSpinLock (
    IN KSPIN_LOCK_QUEUE_NUMBER  Number,
    IN PKIRQL                   OldIrql
);

NTKERNELAPI
VOID
KeUnstackDetachProcess (
    IN PKAPC_STATE ApcState
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
NTSTATUS
KeUpdateSystemTime (
    VOID
);

NTKERNELAPI
BOOLEAN
MmCanFileBeTruncated (
    IN PSECTION_OBJECT_POINTERS     SectionObjectPointer,
    IN PLARGE_INTEGER               NewFileSize
);

NTKERNELAPI
NTSTATUS
MmCreateSection (
    OUT PVOID               *SectionObject,
    IN ACCESS_MASK          DesiredAccess,
    IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
    IN PLARGE_INTEGER       MaximumSize,
    IN ULONG                SectionPageProtection,
    IN ULONG                AllocationAttributes,
    IN HANDLE               FileHandle OPTIONAL,
    IN PFILE_OBJECT         FileObject OPTIONAL
);

NTKERNELAPI
BOOLEAN
MmFlushImageSection (
    IN PSECTION_OBJECT_POINTERS     SectionObjectPointer,
    IN MMFLUSH_TYPE                 FlushType
);

NTKERNELAPI
BOOLEAN
MmForceSectionClosed (
    IN PSECTION_OBJECT_POINTERS SectionObjectPointer,
    IN BOOLEAN                  DelayClose
);

#if (VER_PRODUCTBUILD >= 1381)

NTKERNELAPI
BOOLEAN
MmIsRecursiveIoFault (
    VOID
);

#else


#define MmIsRecursiveIoFault() (                            \
    (PsGetCurrentThread()->DisablePageFaultClustering) |    \
    (PsGetCurrentThread()->ForwardClusterOnly)              \
)

#endif


NTKERNELAPI
NTSTATUS
MmMapViewOfSection (
    IN PVOID                SectionObject,
    IN PEPROCESS            Process,
    IN OUT PVOID            *BaseAddress,
    IN ULONG                ZeroBits,
    IN ULONG                CommitSize,
    IN OUT PLARGE_INTEGER   SectionOffset OPTIONAL,
    IN OUT PULONG           ViewSize,
    IN SECTION_INHERIT      InheritDisposition,
    IN ULONG                AllocationType,
    IN ULONG                Protect
);

#if (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
NTSTATUS
MmPrefetchPages (
    IN ULONG        NumberOfLists,
    IN PREAD_LIST   *ReadLists
);

#endif // (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
BOOLEAN
MmSetAddressRangeModified (
    IN PVOID    Address,
    IN SIZE_T   Length
);

NTKERNELAPI
NTSTATUS
ObCreateObject (
    IN KPROCESSOR_MODE      ObjectAttributesAccessMode OPTIONAL,
    IN POBJECT_TYPE         ObjectType,
    IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
    IN KPROCESSOR_MODE      AccessMode,
    IN OUT PVOID            ParseContext OPTIONAL,
    IN ULONG                ObjectSize,
    IN ULONG                PagedPoolCharge OPTIONAL,
    IN ULONG                NonPagedPoolCharge OPTIONAL,
    OUT PVOID               *Object
);

#if (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
VOID
ObDereferenceSecurityDescriptor (
    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN ULONG                Count
);

#endif // (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
ULONG
ObGetObjectPointerCount (
    IN PVOID Object
);

NTKERNELAPI
NTSTATUS
ObInsertObject (
    IN PVOID            Object,
    IN PACCESS_STATE    PassedAccessState OPTIONAL,
    IN ACCESS_MASK      DesiredAccess,
    IN ULONG            AdditionalReferences,
    OUT PVOID           *ReferencedObject OPTIONAL,
    OUT PHANDLE         Handle
);

#if (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
NTSTATUS
ObLogSecurityDescriptor (
    IN PSECURITY_DESCRIPTOR     InputSecurityDescriptor,
    OUT PSECURITY_DESCRIPTOR    *OutputSecurityDescriptor,
    IN ULONG                    RefBias
);

#endif // (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
VOID
ObMakeTemporaryObject (
    IN PVOID Object
);

NTKERNELAPI
NTSTATUS
ObOpenObjectByPointer (
    IN PVOID            Object,
    IN ULONG            HandleAttributes,
    IN PACCESS_STATE    PassedAccessState OPTIONAL,
    IN ACCESS_MASK      DesiredAccess OPTIONAL,
    IN POBJECT_TYPE     ObjectType OPTIONAL,
    IN KPROCESSOR_MODE  AccessMode,
    OUT PHANDLE         Handle
);

NTKERNELAPI
NTSTATUS
ObQueryNameString (
    IN PVOID                        Object,
    OUT POBJECT_NAME_INFORMATION    ObjectNameInfo,
    IN ULONG                        Length,
    OUT PULONG                      ReturnLength
);

NTKERNELAPI
NTSTATUS
ObQueryObjectAuditingByHandle (
    IN HANDLE       Handle,
    OUT PBOOLEAN    GenerateOnClose
);

NTKERNELAPI
NTSTATUS
ObReferenceObjectByName (
    IN PUNICODE_STRING  ObjectName,
    IN ULONG            Attributes,
    IN PACCESS_STATE    PassedAccessState OPTIONAL,
    IN ACCESS_MASK      DesiredAccess OPTIONAL,
    IN POBJECT_TYPE     ObjectType,
    IN KPROCESSOR_MODE  AccessMode,
    IN OUT PVOID        ParseContext OPTIONAL,
    OUT PVOID           *Object
);

#if (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
VOID
ObReferenceSecurityDescriptor (
    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN ULONG                Count
);

NTKERNELAPI
NTSTATUS
PoQueueShutdownWorkItem (
    IN PWORK_QUEUE_ITEM WorkItem
);

#endif // (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
NTSTATUS
PsAssignImpersonationToken (
    IN PETHREAD Thread,
    IN HANDLE   Token
);

NTKERNELAPI
VOID
PsChargePoolQuota (
    IN PEPROCESS    Process,
    IN POOL_TYPE    PoolType,
    IN ULONG        Amount
);

#if (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
NTSTATUS
PsChargeProcessNonPagedPoolQuota (
    IN PEPROCESS Process,
    IN ULONG_PTR Amount
);

NTKERNELAPI
NTSTATUS
PsChargeProcessPagedPoolQuota (
    IN PEPROCESS Process,
    IN ULONG_PTR Amount
);

NTKERNELAPI
NTSTATUS
PsChargeProcessPoolQuota (
    IN PEPROCESS Process,
    IN POOL_TYPE PoolType,
    IN ULONG_PTR Amount
);

#endif // (VER_PRODUCTBUILD >= 2600)

#if (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
VOID
PsDereferenceImpersonationToken (
    IN PACCESS_TOKEN ImpersonationToken
);

NTKERNELAPI
VOID
PsDereferencePrimaryToken (
    IN PACCESS_TOKEN PrimaryToken
);

#else


#define PsDereferenceImpersonationToken(T)  \
            {if (ARGUMENT_PRESENT(T)) {     \
                (ObDereferenceObject((T))); \
            } else {                        \
                ;                           \
            }                               \
}

#define PsDereferencePrimaryToken(T) (ObDereferenceObject((T)))

#endif


#if (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
BOOLEAN
PsDisableImpersonation (
    IN PETHREAD                 Thread,
    IN PSE_IMPERSONATION_STATE  ImpersonationState
);

#endif // (VER_PRODUCTBUILD >= 2195)

#if (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
ULONG
PsGetCurrentProcessSessionId (
    VOID
);

NTKERNELAPI
KPROCESSOR_MODE
PsGetCurrentThreadPreviousMode (
    VOID
);

NTKERNELAPI
PVOID
PsGetCurrentThreadStackBase (
    VOID
);

NTKERNELAPI
PVOID
PsGetCurrentThreadStackLimit (
    VOID
);

#endif // (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
LARGE_INTEGER
PsGetProcessExitTime (
    VOID
);

NTKERNELAPI
NTSTATUS
PsImpersonateClient (
    IN PETHREAD                     Thread,
    IN PACCESS_TOKEN                Token,
    IN BOOLEAN                      CopyOnOpen,
    IN BOOLEAN                      EffectiveOnly,
    IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
);

#if (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
BOOLEAN
PsIsSystemThread (
    IN PETHREAD Thread
);

#endif // (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
BOOLEAN
PsIsThreadTerminating (
    IN PETHREAD Thread
);

//
// PsLookupProcessByProcessId returns a referenced pointer to the process
// that should be dereferenced after use with a call to ObDereferenceObject.
//
NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId (
    IN PVOID        ProcessId,
    OUT PEPROCESS   *Process
);

NTKERNELAPI
NTSTATUS
PsLookupProcessThreadByCid (
    IN PCLIENT_ID   Cid,
    OUT PEPROCESS   *Process OPTIONAL,
    OUT PETHREAD    *Thread
);

NTKERNELAPI
NTSTATUS
PsLookupThreadByThreadId (
    IN PVOID        UniqueThreadId,
    OUT PETHREAD    *Thread
);

NTKERNELAPI
PACCESS_TOKEN
PsReferenceImpersonationToken (
    IN PETHREAD                         Thread,
    OUT PBOOLEAN                        CopyOnOpen,
    OUT PBOOLEAN                        EffectiveOnly,
    OUT PSECURITY_IMPERSONATION_LEVEL   ImpersonationLevel
);

NTKERNELAPI
PACCESS_TOKEN
PsReferencePrimaryToken (
    IN PEPROCESS Process
);

#if (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
VOID
PsRestoreImpersonation (
    IN PETHREAD                 Thread,
    IN PSE_IMPERSONATION_STATE  ImpersonationState
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
VOID
PsReturnPoolQuota (
    IN PEPROCESS    Process,
    IN POOL_TYPE    PoolType,
    IN ULONG        Amount
);

#if (VER_PRODUCTBUILD >= 1381)

NTKERNELAPI
VOID
PsRevertToSelf (
    VOID
);

#endif // (VER_PRODUCTBUILD >= 1381)

NTSYSAPI
NTSTATUS
NTAPI
RtlAbsoluteToSelfRelativeSD (
    IN PSECURITY_DESCRIPTOR     AbsoluteSecurityDescriptor,
    IN OUT PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor,
    IN PULONG                   BufferLength
);

NTSYSAPI
PVOID
NTAPI
RtlAllocateHeap (
    IN HANDLE  HeapHandle,
    IN ULONG   Flags,
    IN ULONG   Size
);

NTSYSAPI
NTSTATUS
NTAPI
RtlCompressBuffer (
    IN USHORT   CompressionFormatAndEngine,
    IN PUCHAR   UncompressedBuffer,
    IN ULONG    UncompressedBufferSize,
    OUT PUCHAR  CompressedBuffer,
    IN ULONG    CompressedBufferSize,
    IN ULONG    UncompressedChunkSize,
    OUT PULONG  FinalCompressedSize,
    IN PVOID    WorkSpace
);

NTSYSAPI
NTSTATUS
NTAPI
RtlCompressChunks (
    IN PUCHAR                       UncompressedBuffer,
    IN ULONG                        UncompressedBufferSize,
    OUT PUCHAR                      CompressedBuffer,
    IN ULONG                        CompressedBufferSize,
    IN OUT PCOMPRESSED_DATA_INFO    CompressedDataInfo,
    IN ULONG                        CompressedDataInfoLength,
    IN PVOID                        WorkSpace
);

NTSYSAPI
NTSTATUS
NTAPI
RtlConvertSidToUnicodeString (
    OUT PUNICODE_STRING DestinationString,
    IN PSID             Sid,
    IN BOOLEAN          AllocateDestinationString
);

NTSYSAPI
NTSTATUS
NTAPI
RtlCopySid (
    IN ULONG   Length,
    IN PSID    Destination,
    IN PSID    Source
);

NTSYSAPI
HANDLE
NTAPI
RtlCreateHeap (
    IN ULONG Flags,
    IN PVOID Base,
    IN ULONG Reserve, 
    IN ULONG Commit, 
    IN ULONG Lock, 
    IN PVOID RtlHeapParams
);

NTSYSAPI
NTSTATUS
NTAPI
RtlDecompressBuffer (
    IN USHORT   CompressionFormat,
    OUT PUCHAR  UncompressedBuffer,
    IN ULONG    UncompressedBufferSize,
    IN PUCHAR   CompressedBuffer,
    IN ULONG    CompressedBufferSize,
    OUT PULONG  FinalUncompressedSize
);

NTSYSAPI
NTSTATUS
NTAPI
RtlDecompressChunks (
    OUT PUCHAR                  UncompressedBuffer,
    IN ULONG                    UncompressedBufferSize,
    IN PUCHAR                   CompressedBuffer,
    IN ULONG                    CompressedBufferSize,
    IN PUCHAR                   CompressedTail,
    IN ULONG                    CompressedTailSize,
    IN PCOMPRESSED_DATA_INFO    CompressedDataInfo
);

NTSYSAPI
NTSTATUS
NTAPI
RtlDecompressFragment (
    IN USHORT   CompressionFormat,
    OUT PUCHAR  UncompressedFragment,
    IN ULONG    UncompressedFragmentSize,
    IN PUCHAR   CompressedBuffer,
    IN ULONG    CompressedBufferSize,
    IN ULONG    FragmentOffset,
    OUT PULONG  FinalUncompressedSize,
    IN PVOID    WorkSpace
);

NTSYSAPI
NTSTATUS
NTAPI
RtlDescribeChunk (
    IN USHORT       CompressionFormat,
    IN OUT PUCHAR   *CompressedBuffer,
    IN PUCHAR       EndOfCompressedBufferPlus1,
    OUT PUCHAR      *ChunkBuffer,
    OUT PULONG      ChunkSize
);

NTSYSAPI
NTSTATUS
NTAPI
RtlDestroyHeap (
    IN HANDLE  HeapHandle
);

NTSYSAPI
BOOLEAN
NTAPI
RtlEqualSid (
    IN PSID Sid1,
    IN PSID Sid2
);

NTSYSAPI
VOID
NTAPI
RtlFillMemoryUlong (
    IN PVOID    Destination,
    IN ULONG    Length,
    IN ULONG    Fill
);

NTSYSAPI
BOOLEAN
NTAPI
RtlFreeHeap (
    IN HANDLE  HeapHandle,
    IN ULONG   Flags,
    IN PVOID   P
);

NTSYSAPI
VOID
NTAPI
RtlGenerate8dot3Name (
    IN PUNICODE_STRING              Name,
    IN BOOLEAN                      AllowExtendedCharacters,
    IN OUT PGENERATE_NAME_CONTEXT   Context,
    OUT PUNICODE_STRING             Name8dot3
);

NTSYSAPI
NTSTATUS
NTAPI
RtlGetCompressionWorkSpaceSize (
    IN USHORT   CompressionFormatAndEngine,
    OUT PULONG  CompressBufferWorkSpaceSize,
    OUT PULONG  CompressFragmentWorkSpaceSize
);

NTSYSAPI
NTSTATUS
NTAPI
RtlGetDaclSecurityDescriptor (
    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    OUT PBOOLEAN            DaclPresent,
    OUT PACL                *Dacl,
    OUT PBOOLEAN            DaclDefaulted
);

NTSYSAPI
NTSTATUS
NTAPI
RtlGetGroupSecurityDescriptor (
    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    OUT PSID                *Group,
    OUT PBOOLEAN            GroupDefaulted
);

#if (VER_PRODUCTBUILD >= 2195)

NTSYSAPI
ULONG
NTAPI
RtlGetNtGlobalFlags (
    VOID
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTSYSAPI
NTSTATUS
NTAPI
RtlGetOwnerSecurityDescriptor (
    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    OUT PSID                *Owner,
    OUT PBOOLEAN            OwnerDefaulted
);

//
// This function returns a PIMAGE_NT_HEADERS,
// see the standard include file winnt.h
//
NTSYSAPI
PVOID
NTAPI
RtlImageNtHeader (
    IN PVOID BaseAddress
);

NTSYSAPI
NTSTATUS
NTAPI
RtlInitializeSid (
    IN OUT PSID                     Sid,
    IN PSID_IDENTIFIER_AUTHORITY    IdentifierAuthority,
    IN UCHAR                        SubAuthorityCount
);

NTSYSAPI
BOOLEAN
NTAPI
RtlIsNameLegalDOS8Dot3 (
    IN PUNICODE_STRING UnicodeName,
    IN PANSI_STRING    AnsiName,
    PBOOLEAN           Unknown
);

NTSYSAPI
ULONG
NTAPI
RtlLengthRequiredSid (
    IN UCHAR SubAuthorityCount
);

NTSYSAPI
ULONG
NTAPI
RtlLengthSid (
    IN PSID Sid
);

NTSYSAPI
ULONG
NTAPI
RtlNtStatusToDosError (
    IN NTSTATUS Status
);

#define RtlOemStringToCountedUnicodeSize(STRING) (                    \
    (ULONG)(RtlOemStringToUnicodeSize(STRING) - sizeof(UNICODE_NULL)) \
)

#define RtlOemStringToUnicodeSize(STRING) (                \
    NLS_MB_OEM_CODE_PAGE_TAG ?                             \
    RtlxOemStringToUnicodeSize(STRING) :                   \
    ((STRING)->Length + sizeof(ANSI_NULL)) * sizeof(WCHAR) \
)

NTSYSAPI
NTSTATUS
NTAPI
RtlOemStringToUnicodeString (
    OUT PUNICODE_STRING DestinationString,
    IN POEM_STRING      SourceString,
    IN BOOLEAN          AllocateDestinationString
);

NTSYSAPI
ULONG
NTAPI
RtlRandom (
    IN PULONG Seed
);

#if (VER_PRODUCTBUILD >= 2600)

NTSYSAPI
ULONG
NTAPI
RtlRandomEx (
    IN PULONG Seed
);

#endif // (VER_PRODUCTBUILD >= 2600)

NTSYSAPI
NTSTATUS
NTAPI
RtlReserveChunk (
    IN USHORT       CompressionFormat,
    IN OUT PUCHAR   *CompressedBuffer,
    IN PUCHAR       EndOfCompressedBufferPlus1,
    OUT PUCHAR      *ChunkBuffer,
    IN ULONG        ChunkSize
);

NTSYSAPI
VOID
NTAPI
RtlSecondsSince1970ToTime (
    IN ULONG            SecondsSince1970,
    OUT PLARGE_INTEGER  Time
);

NTSYSAPI
VOID
NTAPI
RtlSecondsSince1980ToTime (
    IN ULONG            SecondsSince1980,
    OUT PLARGE_INTEGER  Time
);

#if (VER_PRODUCTBUILD >= 2195)

NTSYSAPI
NTSTATUS
NTAPI
RtlSelfRelativeToAbsoluteSD (
    IN PSECURITY_DESCRIPTOR     SelfRelativeSD,
    OUT PSECURITY_DESCRIPTOR    AbsoluteSD,
    IN PULONG                   AbsoluteSDSize,
    IN PACL                     Dacl,
    IN PULONG                   DaclSize,
    IN PACL                     Sacl,
    IN PULONG                   SaclSize,
    IN PSID                     Owner,
    IN PULONG                   OwnerSize,
    IN PSID                     PrimaryGroup,
    IN PULONG                   PrimaryGroupSize
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTSYSAPI
NTSTATUS
NTAPI
RtlSetGroupSecurityDescriptor (
    IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN PSID                     Group,
    IN BOOLEAN                  GroupDefaulted
);

NTSYSAPI
NTSTATUS
NTAPI
RtlSetOwnerSecurityDescriptor (
    IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN PSID                     Owner,
    IN BOOLEAN                  OwnerDefaulted
);

NTSYSAPI
NTSTATUS
NTAPI
RtlSetSaclSecurityDescriptor (
    IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN BOOLEAN                  SaclPresent,
    IN PACL                     Sacl,
    IN BOOLEAN                  SaclDefaulted
);

NTSYSAPI
PUCHAR
NTAPI
RtlSubAuthorityCountSid (
    IN PSID Sid
);

NTSYSAPI
PULONG
NTAPI
RtlSubAuthoritySid (
    IN PSID    Sid,
    IN ULONG   SubAuthority
);

NTSYSAPI
BOOLEAN
NTAPI
RtlTimeToSecondsSince1970 (
    IN PLARGE_INTEGER   Time,
    OUT PULONG          SecondsSince1970
);

NTSYSAPI
BOOLEAN
NTAPI
RtlTimeToSecondsSince1980 (
    IN PLARGE_INTEGER   Time,
    OUT PULONG          SecondsSince1980
);

#define RtlUnicodeStringToOemSize(STRING) (                   \
    NLS_MB_OEM_CODE_PAGE_TAG ?                                \
    RtlxUnicodeStringToOemSize(STRING) :                      \
    ((STRING)->Length + sizeof(UNICODE_NULL)) / sizeof(WCHAR) \
)

NTSYSAPI
NTSTATUS
NTAPI
RtlUnicodeStringToOemString (
    OUT POEM_STRING     DestinationString,
    IN PUNICODE_STRING  SourceString,
    IN BOOLEAN          AllocateDestinationString
);

NTSYSAPI
BOOLEAN
NTAPI
RtlValidSid (
    IN PSID Sid
);

NTSYSAPI
ULONG
NTAPI
RtlxOemStringToUnicodeSize (
    IN POEM_STRING OemString
);

NTSYSAPI
ULONG
NTAPI
RtlxUnicodeStringToAnsiSize (
    IN PCUNICODE_STRING UnicodeString
);

NTSYSAPI
ULONG
NTAPI
RtlxUnicodeStringToOemSize (
    IN PUNICODE_STRING UnicodeString
);

NTKERNELAPI
NTSTATUS
SeAppendPrivileges (
    PACCESS_STATE   AccessState,
    PPRIVILEGE_SET  Privileges
);

#if (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
VOID
SeAuditHardLinkCreation (
    IN PUNICODE_STRING  FileName,
    IN PUNICODE_STRING  LinkName,
    IN BOOLEAN          Success
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
BOOLEAN
SeAuditingFileEvents (
    IN BOOLEAN              AccessGranted,
    IN PSECURITY_DESCRIPTOR SecurityDescriptor
);

NTKERNELAPI
BOOLEAN
SeAuditingFileOrGlobalEvents (
    IN BOOLEAN                      AccessGranted,
    IN PSECURITY_DESCRIPTOR         SecurityDescriptor,
    IN PSECURITY_SUBJECT_CONTEXT    SubjectContext
);

#if (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
BOOLEAN
SeAuditingHardLinkEvents (
    IN BOOLEAN              AccessGranted,
    IN PSECURITY_DESCRIPTOR SecurityDescriptor
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
VOID
SeCaptureSubjectContext (
    OUT PSECURITY_SUBJECT_CONTEXT SubjectContext
);

NTKERNELAPI
NTSTATUS
SeCreateAccessState (
    OUT PACCESS_STATE   AccessState,
    IN PVOID            AuxData,
    IN ACCESS_MASK      AccessMask,
    IN PGENERIC_MAPPING Mapping
);

NTKERNELAPI
NTSTATUS
SeCreateClientSecurity (
    IN PETHREAD                     Thread,
    IN PSECURITY_QUALITY_OF_SERVICE QualityOfService,
    IN BOOLEAN                      RemoteClient,
    OUT PSECURITY_CLIENT_CONTEXT    ClientContext
);

#if (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
NTSTATUS
SeCreateClientSecurityFromSubjectContext (
    IN PSECURITY_SUBJECT_CONTEXT    SubjectContext,
    IN PSECURITY_QUALITY_OF_SERVICE QualityOfService,
    IN BOOLEAN                      ServerIsRemote,
    OUT PSECURITY_CLIENT_CONTEXT    ClientContext
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
VOID
SeDeleteAccessState (
    IN PACCESS_STATE AccessState
);

#define SeDeleteClientSecurity(C)  {                                           \
            if (SeTokenType((C)->ClientToken) == TokenPrimary) {               \
                PsDereferencePrimaryToken( (C)->ClientToken );                 \
            } else {                                                           \
                PsDereferenceImpersonationToken( (C)->ClientToken );           \
            }                                                                  \
}

NTKERNELAPI
VOID
SeDeleteObjectAuditAlarm (
    IN PVOID    Object,
    IN HANDLE   Handle
);

#define SeEnableAccessToExports() SeExports = *(PSE_EXPORTS *)SeExports;

#if (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
NTSTATUS
SeFilterToken (
    IN PACCESS_TOKEN        ExistingToken,
    IN ULONG                Flags,
    IN PTOKEN_GROUPS        SidsToDisable OPTIONAL,
    IN PTOKEN_PRIVILEGES    PrivilegesToDelete OPTIONAL,
    IN PTOKEN_GROUPS        RestrictedSids OPTIONAL,
    OUT PACCESS_TOKEN       *FilteredToken
);

#endif // (VER_PRODUCTBUILD >= 2600)

NTKERNELAPI
VOID
SeFreePrivileges (
    IN PPRIVILEGE_SET Privileges
);

NTKERNELAPI
VOID
SeImpersonateClient (
    IN PSECURITY_CLIENT_CONTEXT ClientContext,
    IN PETHREAD                 ServerThread OPTIONAL
);

#if (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
NTSTATUS
SeImpersonateClientEx (
    IN PSECURITY_CLIENT_CONTEXT ClientContext,
    IN PETHREAD                 ServerThread OPTIONAL
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
VOID
SeLockSubjectContext (
    IN PSECURITY_SUBJECT_CONTEXT SubjectContext
);

NTKERNELAPI
NTSTATUS
SeMarkLogonSessionForTerminationNotification (
    IN PLUID LogonId
);

NTKERNELAPI
VOID
SeOpenObjectAuditAlarm (
    IN PUNICODE_STRING      ObjectTypeName,
    IN PVOID                Object OPTIONAL,
    IN PUNICODE_STRING      AbsoluteObjectName OPTIONAL,
    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN PACCESS_STATE        AccessState,
    IN BOOLEAN              ObjectCreated,
    IN BOOLEAN              AccessGranted,
    IN KPROCESSOR_MODE      AccessMode,
    OUT PBOOLEAN            GenerateOnClose
);

NTKERNELAPI
VOID
SeOpenObjectForDeleteAuditAlarm (
    IN PUNICODE_STRING      ObjectTypeName,
    IN PVOID                Object OPTIONAL,
    IN PUNICODE_STRING      AbsoluteObjectName OPTIONAL,
    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN PACCESS_STATE        AccessState,
    IN BOOLEAN              ObjectCreated,
    IN BOOLEAN              AccessGranted,
    IN KPROCESSOR_MODE      AccessMode,
    OUT PBOOLEAN            GenerateOnClose
);

NTKERNELAPI
BOOLEAN
SePrivilegeCheck (
    IN OUT PPRIVILEGE_SET           RequiredPrivileges,
    IN PSECURITY_SUBJECT_CONTEXT    SubjectContext,
    IN KPROCESSOR_MODE              AccessMode
);

NTKERNELAPI
NTSTATUS
SeQueryAuthenticationIdToken (
    IN PACCESS_TOKEN    Token,
    OUT PLUID           LogonId
);

#if (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
NTSTATUS
SeQueryInformationToken (
    IN PACCESS_TOKEN           Token,
    IN TOKEN_INFORMATION_CLASS TokenInformationClass,
    OUT PVOID                  *TokenInformation
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
NTSTATUS
SeQuerySecurityDescriptorInfo (
    IN PSECURITY_INFORMATION    SecurityInformation,
    OUT PSECURITY_DESCRIPTOR    SecurityDescriptor,
    IN OUT PULONG               Length,
    IN PSECURITY_DESCRIPTOR     *ObjectsSecurityDescriptor
);

#if (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
NTSTATUS
SeQuerySessionIdToken (
    IN PACCESS_TOKEN    Token,
    IN PULONG           SessionId
);

#endif // (VER_PRODUCTBUILD >= 2195)

#define SeQuerySubjectContextToken( SubjectContext )                \
    ( ARGUMENT_PRESENT(                                             \
        ((PSECURITY_SUBJECT_CONTEXT) SubjectContext)->ClientToken   \
        ) ?                                                         \
    ((PSECURITY_SUBJECT_CONTEXT) SubjectContext)->ClientToken :     \
    ((PSECURITY_SUBJECT_CONTEXT) SubjectContext)->PrimaryToken )

typedef NTSTATUS (*PSE_LOGON_SESSION_TERMINATED_ROUTINE) (
    IN PLUID LogonId
);

NTKERNELAPI
NTSTATUS
SeRegisterLogonSessionTerminatedRoutine (
    IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine
);

NTKERNELAPI
VOID
SeReleaseSubjectContext (
    IN PSECURITY_SUBJECT_CONTEXT SubjectContext
);

NTKERNELAPI
VOID
SeSetAccessStateGenericMapping (
    PACCESS_STATE       AccessState,
    PGENERIC_MAPPING    GenericMapping
);

NTKERNELAPI
NTSTATUS
SeSetSecurityDescriptorInfo (
    IN PVOID                    Object OPTIONAL,
    IN PSECURITY_INFORMATION    SecurityInformation,
    IN PSECURITY_DESCRIPTOR     SecurityDescriptor,
    IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
    IN POOL_TYPE                PoolType,
    IN PGENERIC_MAPPING         GenericMapping
);

#if (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
NTSTATUS
SeSetSecurityDescriptorInfoEx (
    IN PVOID                    Object OPTIONAL,
    IN PSECURITY_INFORMATION    SecurityInformation,
    IN PSECURITY_DESCRIPTOR     ModificationDescriptor,
    IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
    IN ULONG                    AutoInheritFlags,
    IN POOL_TYPE                PoolType,
    IN PGENERIC_MAPPING         GenericMapping
);

NTKERNELAPI
BOOLEAN
SeTokenIsAdmin (
    IN PACCESS_TOKEN Token
);

NTKERNELAPI
BOOLEAN
SeTokenIsRestricted (
    IN PACCESS_TOKEN Token
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTKERNELAPI
TOKEN_TYPE
SeTokenType (
    IN PACCESS_TOKEN Token
);

NTKERNELAPI
VOID
SeUnlockSubjectContext (
    IN PSECURITY_SUBJECT_CONTEXT SubjectContext
);

NTKERNELAPI
NTSTATUS
SeUnregisterLogonSessionTerminatedRoutine (
    IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine
);

#if (VER_PRODUCTBUILD >= 2195)

NTSYSAPI
NTSTATUS
NTAPI
ZwAdjustPrivilegesToken (
    IN HANDLE               TokenHandle,
    IN BOOLEAN              DisableAllPrivileges,
    IN PTOKEN_PRIVILEGES    NewState,
    IN ULONG                BufferLength,
    OUT PTOKEN_PRIVILEGES   PreviousState OPTIONAL,
    OUT PULONG              ReturnLength
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTSYSAPI
NTSTATUS
NTAPI
ZwAlertThread (
    IN HANDLE ThreadHandle
);

NTSYSAPI
NTSTATUS
NTAPI
ZwAllocateVirtualMemory (
    IN HANDLE       ProcessHandle,
    IN OUT PVOID    *BaseAddress,
    IN ULONG        ZeroBits,
    IN OUT PSIZE_T  RegionSize,
    IN ULONG        AllocationType,
    IN ULONG        Protect
);

NTSYSAPI
NTSTATUS
NTAPI
ZwAccessCheckAndAuditAlarm (
    IN PUNICODE_STRING      SubsystemName,
    IN PVOID                HandleId,
    IN PUNICODE_STRING      ObjectTypeName,
    IN PUNICODE_STRING      ObjectName,
    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN ACCESS_MASK          DesiredAccess,
    IN PGENERIC_MAPPING     GenericMapping,
    IN BOOLEAN              ObjectCreation,
    OUT PACCESS_MASK        GrantedAccess,
    OUT PBOOLEAN            AccessStatus,
    OUT PBOOLEAN            GenerateOnClose
);

#if (VER_PRODUCTBUILD >= 2195)

NTSYSAPI
NTSTATUS
NTAPI
ZwCancelIoFile (
    IN HANDLE               FileHandle,
    OUT PIO_STATUS_BLOCK    IoStatusBlock
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTSYSAPI
NTSTATUS
NTAPI
ZwClearEvent (
    IN HANDLE EventHandle
);

NTSYSAPI
NTSTATUS
NTAPI
ZwConnectPort (
    OUT PHANDLE                     ClientPortHandle,
    IN PUNICODE_STRING              ServerPortName,
    IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
    IN OUT PLPC_SECTION_WRITE       ClientSharedMemory OPTIONAL,
    IN OUT PLPC_SECTION_READ        ServerSharedMemory OPTIONAL,
    OUT PULONG                      MaximumMessageLength OPTIONAL,
    IN OUT PVOID                    ConnectionInfo OPTIONAL,
    IN OUT PULONG                   ConnectionInfoLength OPTIONAL
);

NTSYSAPI
NTSTATUS
NTAPI
ZwCloseObjectAuditAlarm (
    IN PUNICODE_STRING  SubsystemName,
    IN PVOID            HandleId,
    IN BOOLEAN          GenerateOnClose
);

NTSYSAPI
NTSTATUS
NTAPI
ZwCreateEvent (
    OUT PHANDLE             EventHandle,
    IN ACCESS_MASK          DesiredAccess,
    IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
    IN EVENT_TYPE           EventType,
    IN BOOLEAN              InitialState
);

NTSYSAPI
NTSTATUS
NTAPI
ZwCreateSection (
    OUT PHANDLE             SectionHandle,
    IN ACCESS_MASK          DesiredAccess,
    IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
    IN PLARGE_INTEGER       MaximumSize OPTIONAL,
    IN ULONG                SectionPageProtection,
    IN ULONG                AllocationAttributes,
    IN HANDLE               FileHandle OPTIONAL
);

NTSYSAPI
NTSTATUS
NTAPI
ZwCreateSymbolicLinkObject (
    OUT PHANDLE             SymbolicLinkHandle,
    IN ACCESS_MASK          DesiredAccess,
    IN POBJECT_ATTRIBUTES   ObjectAttributes,
    IN PUNICODE_STRING      TargetName
);

NTSYSAPI
NTSTATUS
NTAPI
ZwDeleteFile (
    IN POBJECT_ATTRIBUTES ObjectAttributes
);

NTSYSAPI
NTSTATUS
NTAPI
ZwDeleteValueKey (
    IN HANDLE           Handle,
    IN PUNICODE_STRING  Name
);

NTSYSAPI
NTSTATUS
NTAPI
ZwDeviceIoControlFile (
    IN HANDLE               FileHandle,
    IN HANDLE               Event OPTIONAL,
    IN PIO_APC_ROUTINE      ApcRoutine OPTIONAL,
    IN PVOID                ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK    IoStatusBlock,
    IN ULONG                IoControlCode,
    IN PVOID                InputBuffer OPTIONAL,
    IN ULONG                InputBufferLength,
    OUT PVOID               OutputBuffer OPTIONAL,
    IN ULONG                OutputBufferLength
);

//
// If using ZwDisplayString during boot on Windows 2000 or later you must
// first call InbvEnableDisplayString.
//
NTSYSAPI
NTSTATUS
NTAPI
ZwDisplayString (
    IN PUNICODE_STRING String
);

NTSYSAPI
NTSTATUS
NTAPI
ZwDuplicateObject (
    IN HANDLE       SourceProcessHandle,
    IN HANDLE       SourceHandle,
    IN HANDLE       TargetProcessHandle OPTIONAL,
    OUT PHANDLE     TargetHandle OPTIONAL,
    IN ACCESS_MASK  DesiredAccess,
    IN ULONG        HandleAttributes,
    IN ULONG        Options
);

NTSYSAPI
NTSTATUS
NTAPI
ZwDuplicateToken (
    IN HANDLE               ExistingTokenHandle,
    IN ACCESS_MASK          DesiredAccess,
    IN POBJECT_ATTRIBUTES   ObjectAttributes,
    IN BOOLEAN              EffectiveOnly,
    IN TOKEN_TYPE           TokenType,
    OUT PHANDLE             NewTokenHandle
);

NTSYSAPI
NTSTATUS
NTAPI
ZwFlushInstructionCache (
    IN HANDLE   ProcessHandle,
    IN PVOID    BaseAddress OPTIONAL,
    IN ULONG    FlushSize
);

#if (VER_PRODUCTBUILD >= 2195)

NTSYSAPI
NTSTATUS
NTAPI
ZwFlushVirtualMemory (
    IN HANDLE               ProcessHandle,
    IN OUT PVOID            *BaseAddress,
    IN OUT PSIZE_T          RegionSize,
    OUT PIO_STATUS_BLOCK    IoStatusBlock
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTSYSAPI
NTSTATUS
NTAPI
ZwFreeVirtualMemory (
    IN HANDLE       ProcessHandle,
    IN OUT PVOID    *BaseAddress,
    IN OUT PSIZE_T  RegionSize,
    IN ULONG        FreeType
);

NTSYSAPI
NTSTATUS
NTAPI
ZwFsControlFile (
    IN HANDLE               FileHandle,
    IN HANDLE               Event OPTIONAL,
    IN PIO_APC_ROUTINE      ApcRoutine OPTIONAL,
    IN PVOID                ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK    IoStatusBlock,
    IN ULONG                FsControlCode,
    IN PVOID                InputBuffer OPTIONAL,
    IN ULONG                InputBufferLength,
    OUT PVOID               OutputBuffer OPTIONAL,
    IN ULONG                OutputBufferLength
);

#if (VER_PRODUCTBUILD >= 2195)

NTSYSAPI
NTSTATUS
NTAPI
ZwInitiatePowerAction (
    IN POWER_ACTION         SystemAction,
    IN SYSTEM_POWER_STATE   MinSystemState,
    IN ULONG                Flags,
    IN BOOLEAN              Asynchronous
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTSYSAPI
NTSTATUS
NTAPI
ZwLoadDriver (
    // "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\<DriverName>"
    IN PUNICODE_STRING RegistryPath
);

NTSYSAPI
NTSTATUS
NTAPI
ZwLoadKey (
    IN POBJECT_ATTRIBUTES KeyObjectAttributes,
    IN POBJECT_ATTRIBUTES FileObjectAttributes
);

NTSYSAPI
NTSTATUS
NTAPI
ZwNotifyChangeKey (
    IN HANDLE               KeyHandle,
    IN HANDLE               EventHandle OPTIONAL,
    IN PIO_APC_ROUTINE      ApcRoutine OPTIONAL,
    IN PVOID                ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK    IoStatusBlock,
    IN ULONG                NotifyFilter,
    IN BOOLEAN              WatchSubtree,
    IN PVOID                Buffer,
    IN ULONG                BufferLength,
    IN BOOLEAN              Asynchronous
);

NTSYSAPI
NTSTATUS
NTAPI
ZwOpenDirectoryObject (
    OUT PHANDLE             DirectoryHandle,
    IN ACCESS_MASK          DesiredAccess,
    IN POBJECT_ATTRIBUTES   ObjectAttributes
);

NTSYSAPI
NTSTATUS
NTAPI
ZwOpenEvent (
    OUT PHANDLE             EventHandle,
    IN ACCESS_MASK          DesiredAccess,
    IN POBJECT_ATTRIBUTES   ObjectAttributes
);

NTSYSAPI
NTSTATUS
NTAPI
ZwOpenProcess (
    OUT PHANDLE             ProcessHandle,
    IN ACCESS_MASK          DesiredAccess,
    IN POBJECT_ATTRIBUTES   ObjectAttributes,
    IN PCLIENT_ID           ClientId OPTIONAL
);

NTSYSAPI
NTSTATUS
NTAPI
ZwOpenProcessToken (
    IN HANDLE       ProcessHandle,
    IN ACCESS_MASK  DesiredAccess,
    OUT PHANDLE     TokenHandle
);

#if (VER_PRODUCTBUILD >= 2600)

NTSYSAPI
NTSTATUS
NTAPI
ZwOpenProcessTokenEx (
    IN HANDLE       ProcessHandle,
    IN ACCESS_MASK  DesiredAccess,
    IN ULONG        HandleAttributes,
    OUT PHANDLE     TokenHandle
);

#endif // (VER_PRODUCTBUILD >= 2600)

NTSYSAPI
NTSTATUS
NTAPI
ZwOpenThread (
    OUT PHANDLE             ThreadHandle,
    IN ACCESS_MASK          DesiredAccess,
    IN POBJECT_ATTRIBUTES   ObjectAttributes,
    IN PCLIENT_ID           ClientId
);

NTSYSAPI
NTSTATUS
NTAPI
ZwOpenThreadToken (
    IN HANDLE       ThreadHandle,
    IN ACCESS_MASK  DesiredAccess,
    IN BOOLEAN      OpenAsSelf,
    OUT PHANDLE     TokenHandle
);

#if (VER_PRODUCTBUILD >= 2600)

NTSYSAPI
NTSTATUS
NTAPI
ZwOpenThreadTokenEx (
    IN HANDLE       ThreadHandle,
    IN ACCESS_MASK  DesiredAccess,
    IN BOOLEAN      OpenAsSelf,
    IN ULONG        HandleAttributes,
    OUT PHANDLE     TokenHandle
);

#endif // (VER_PRODUCTBUILD >= 2600)

#if (VER_PRODUCTBUILD >= 2195)

NTSYSAPI
NTSTATUS
NTAPI
ZwPowerInformation (
    IN POWER_INFORMATION_LEVEL  PowerInformationLevel,
    IN PVOID                    InputBuffer OPTIONAL,
    IN ULONG                    InputBufferLength,
    OUT PVOID                   OutputBuffer OPTIONAL,
    IN ULONG                    OutputBufferLength
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTSYSAPI
NTSTATUS
NTAPI
ZwPulseEvent (
    IN HANDLE   EventHandle,
    OUT PULONG  PreviousState OPTIONAL
);

NTSYSAPI
NTSTATUS
NTAPI
ZwQueryDefaultLocale (
    IN BOOLEAN  ThreadOrSystem,
    OUT PLCID   Locale
);

#if (VER_PRODUCTBUILD >= 2195)

NTSYSAPI
NTSTATUS
NTAPI
ZwQueryDefaultUILanguage (
    OUT LANGID *LanguageId
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTSYSAPI
NTSTATUS
NTAPI
ZwQueryDirectoryFile (
    IN HANDLE                   FileHandle,
    IN HANDLE                   Event OPTIONAL,
    IN PIO_APC_ROUTINE          ApcRoutine OPTIONAL,
    IN PVOID                    ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK        IoStatusBlock,
    OUT PVOID                   FileInformation,
    IN ULONG                    Length,
    IN FILE_INFORMATION_CLASS   FileInformationClass,
    IN BOOLEAN                  ReturnSingleEntry,
    IN PUNICODE_STRING          FileName OPTIONAL,
    IN BOOLEAN                  RestartScan
);

#if (VER_PRODUCTBUILD >= 2195)

NTSYSAPI
NTSTATUS
NTAPI
ZwQueryDirectoryObject (
    IN HANDLE       DirectoryHandle,
    OUT PVOID       Buffer,
    IN ULONG        Length,
    IN BOOLEAN      ReturnSingleEntry,
    IN BOOLEAN      RestartScan,
    IN OUT PULONG   Context,
    OUT PULONG      ReturnLength OPTIONAL
);

NTSYSAPI
NTSTATUS
NTAPI
ZwQueryEaFile (
    IN HANDLE               FileHandle,
    OUT PIO_STATUS_BLOCK    IoStatusBlock,
    OUT PVOID               Buffer,
    IN ULONG                Length,
    IN BOOLEAN              ReturnSingleEntry,
    IN PVOID                EaList OPTIONAL,
    IN ULONG                EaListLength,
    IN PULONG               EaIndex OPTIONAL,
    IN BOOLEAN              RestartScan
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationProcess (
    IN HANDLE           ProcessHandle,
    IN PROCESSINFOCLASS ProcessInformationClass,
    OUT PVOID           ProcessInformation,
    IN ULONG            ProcessInformationLength,
    OUT PULONG          ReturnLength OPTIONAL
);

#if (VER_PRODUCTBUILD >= 2600)

NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationThread (
    IN HANDLE           ThreadHandle,
    IN THREADINFOCLASS  ThreadInformationClass,
    OUT PVOID           ThreadInformation,
    IN ULONG            ThreadInformationLength,
    OUT PULONG          ReturnLength OPTIONAL
);

#endif // (VER_PRODUCTBUILD >= 2600)

NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationToken (
    IN HANDLE                   TokenHandle,
    IN TOKEN_INFORMATION_CLASS  TokenInformationClass,
    OUT PVOID                   TokenInformation,
    IN ULONG                    TokenInformationLength,
    OUT PULONG                  ReturnLength
);

#if (VER_PRODUCTBUILD >= 2195)

NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInstallUILanguage (
    OUT LANGID *LanguageId
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTSYSAPI
NTSTATUS
NTAPI
ZwQueryObject (
    IN HANDLE               ObjectHandle,
    IN OBJECT_INFO_CLASS    ObjectInformationClass,
    OUT PVOID               ObjectInformation,
    IN ULONG                Length,
    OUT PULONG              ResultLength
);

NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySection (
    IN HANDLE                       SectionHandle,
    IN SECTION_INFORMATION_CLASS    SectionInformationClass,
    OUT PVOID                       SectionInformation,
    IN ULONG                        SectionInformationLength,
    OUT PULONG                      ResultLength OPTIONAL
);

NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySecurityObject (
    IN HANDLE                   FileHandle,
    IN SECURITY_INFORMATION     SecurityInformation,
    OUT PSECURITY_DESCRIPTOR    SecurityDescriptor,
    IN ULONG                    Length,
    OUT PULONG                  ResultLength
);

NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation (
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID                   SystemInformation,
    IN ULONG                    Length,
    OUT PULONG                  ReturnLength
);

NTSYSAPI
NTSTATUS
NTAPI
ZwQueryVolumeInformationFile (
    IN HANDLE               FileHandle,
    OUT PIO_STATUS_BLOCK    IoStatusBlock,
    OUT PVOID               FsInformation,
    IN ULONG                Length,
    IN FS_INFORMATION_CLASS FsInformationClass
);

NTSYSAPI
NTSTATUS
NTAPI
ZwReplaceKey (
    IN POBJECT_ATTRIBUTES   NewFileObjectAttributes,
    IN HANDLE               KeyHandle,
    IN POBJECT_ATTRIBUTES   OldFileObjectAttributes
);

NTSYSAPI
NTSTATUS
NTAPI
ZwRequestWaitReplyPort (
    IN HANDLE           PortHandle,
    IN PLPC_MESSAGE     Request,
    OUT PLPC_MESSAGE    Reply
);

NTSYSAPI
NTSTATUS
NTAPI
ZwResetEvent (
    IN HANDLE   EventHandle,
    OUT PULONG  PreviousState OPTIONAL
);

#if (VER_PRODUCTBUILD >= 2195)

NTSYSAPI
NTSTATUS
NTAPI
ZwRestoreKey (
    IN HANDLE   KeyHandle,
    IN HANDLE   FileHandle,
    IN ULONG    Flags
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTSYSAPI
NTSTATUS
NTAPI
ZwSaveKey (
    IN HANDLE KeyHandle,
    IN HANDLE FileHandle
);

NTSYSAPI
NTSTATUS
NTAPI
ZwSetDefaultLocale (
    IN BOOLEAN  ThreadOrSystem,
    IN LCID     Locale
);

#if (VER_PRODUCTBUILD >= 2195)

NTSYSAPI
NTSTATUS
NTAPI
ZwSetDefaultUILanguage (
    IN LANGID LanguageId
);

NTSYSAPI
NTSTATUS
NTAPI
ZwSetEaFile (
    IN HANDLE               FileHandle,
    OUT PIO_STATUS_BLOCK    IoStatusBlock,
    OUT PVOID               Buffer,
    IN ULONG                Length
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTSYSAPI
NTSTATUS
NTAPI
ZwSetEvent (
    IN HANDLE   EventHandle,
    OUT PULONG  PreviousState OPTIONAL
);

NTSYSAPI
NTSTATUS
NTAPI
ZwSetInformationObject (
    IN HANDLE               ObjectHandle,
    IN OBJECT_INFO_CLASS    ObjectInformationClass,
    IN PVOID                ObjectInformation,
    IN ULONG                ObjectInformationLength
);

NTSYSAPI
NTSTATUS
NTAPI
ZwSetInformationProcess (
    IN HANDLE           ProcessHandle,
    IN PROCESSINFOCLASS ProcessInformationClass,
    IN PVOID            ProcessInformation,
    IN ULONG            ProcessInformationLength
);

#if (VER_PRODUCTBUILD >= 2195)

NTSYSAPI
NTSTATUS
NTAPI
ZwSetSecurityObject (
    IN HANDLE               Handle,
    IN SECURITY_INFORMATION SecurityInformation,
    IN PSECURITY_DESCRIPTOR SecurityDescriptor
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTSYSAPI
NTSTATUS
NTAPI
ZwSetSystemInformation (
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    IN PVOID                    SystemInformation,
    IN ULONG                    Length
);

NTSYSAPI
NTSTATUS
NTAPI
ZwSetSystemTime (
    IN PLARGE_INTEGER   NewTime,
    OUT PLARGE_INTEGER  OldTime OPTIONAL
);

#if (VER_PRODUCTBUILD >= 2195)

NTSYSAPI
NTSTATUS
NTAPI
ZwSetVolumeInformationFile (
    IN HANDLE               FileHandle,
    OUT PIO_STATUS_BLOCK    IoStatusBlock,
    IN PVOID                FsInformation,
    IN ULONG                Length,
    IN FS_INFORMATION_CLASS FsInformationClass
);

#endif // (VER_PRODUCTBUILD >= 2195)

NTSYSAPI
NTSTATUS
NTAPI
ZwTerminateProcess (
    IN HANDLE   ProcessHandle OPTIONAL,
    IN NTSTATUS ExitStatus
);

NTSYSAPI
NTSTATUS
NTAPI
ZwUnloadDriver (
    // "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\<DriverName>"
    IN PUNICODE_STRING RegistryPath
);

NTSYSAPI
NTSTATUS
NTAPI
ZwUnloadKey (
    IN POBJECT_ATTRIBUTES KeyObjectAttributes
);

NTSYSAPI
NTSTATUS
NTAPI
ZwWaitForSingleObject (
    IN HANDLE           Handle,
    IN BOOLEAN          Alertable,
    IN PLARGE_INTEGER   Timeout OPTIONAL
);

NTSYSAPI
NTSTATUS
NTAPI
ZwWaitForMultipleObjects (
    IN ULONG            HandleCount,
    IN PHANDLE          Handles,
    IN WAIT_TYPE        WaitType,
    IN BOOLEAN          Alertable,
    IN PLARGE_INTEGER   Timeout OPTIONAL
);

NTSYSAPI
NTSTATUS
NTAPI
ZwYieldExecution (
    VOID
);

//
// Below is stuff that is included in the Windows 2000 DDK but is missing in
// the Windows NT 4.0 DDK
//

#if (VER_PRODUCTBUILD < 2195)

NTSYSAPI
VOID
NTAPI
HalMakeBeep (
    IN ULONG Frequency
);

#ifndef IoCopyCurrentIrpStackLocationToNext
#define IoCopyCurrentIrpStackLocationToNext( Irp ) { \
    PIO_STACK_LOCATION irpSp; \
    PIO_STACK_LOCATION nextIrpSp; \
    irpSp = IoGetCurrentIrpStackLocation( (Irp) ); \
    nextIrpSp = IoGetNextIrpStackLocation( (Irp) ); \
    RtlCopyMemory( \
        nextIrpSp, \
        irpSp, \
        FIELD_OFFSET(IO_STACK_LOCATION, CompletionRoutine) \
        ); \
    nextIrpSp->Control = 0; }
#endif


NTKERNELAPI
NTSTATUS
IoCreateFile (
    OUT PHANDLE             FileHandle,
    IN ACCESS_MASK          DesiredAccess,
    IN POBJECT_ATTRIBUTES   ObjectAttributes,
    OUT PIO_STATUS_BLOCK    IoStatusBlock,
    IN PLARGE_INTEGER       AllocationSize OPTIONAL,
    IN ULONG                FileAttributes,
    IN ULONG                ShareAccess,
    IN ULONG                CreateDisposition,
    IN ULONG                CreateOptions,
    IN PVOID                EaBuffer OPTIONAL,
    IN ULONG                EaLength,
    IN CREATE_FILE_TYPE     CreateFileType,
    IN PVOID                ExtraCreateParameters,
    IN ULONG                Options
);

#ifndef IoSkipCurrentIrpStackLocation
#define IoSkipCurrentIrpStackLocation( Irp ) \
    (Irp)->CurrentLocation++; \
    (Irp)->Tail.Overlay.CurrentStackLocation++;
#endif


NTSYSAPI
VOID
NTAPI
ProbeForWrite (
    IN PVOID Address,
    IN ULONG Length,
    IN ULONG Alignment
);

NTSYSAPI
NTSTATUS
NTAPI
ZwOpenFile (
    OUT PHANDLE             FileHandle,
    IN ACCESS_MASK          DesiredAccess,
    IN POBJECT_ATTRIBUTES   ObjectAttributes,
    OUT PIO_STATUS_BLOCK    IoStatusBlock,
    IN ULONG                ShareAccess,
    IN ULONG                OpenOptions
);

NTSYSAPI
NTSTATUS
NTAPI
ZwOpenSymbolicLinkObject (
    OUT PHANDLE             SymbolicLinkHandle,
    IN ACCESS_MASK          DesiredAccess,
    IN POBJECT_ATTRIBUTES   ObjectAttributes
);

NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySymbolicLinkObject (
    IN HANDLE               LinkHandle,
    IN OUT PUNICODE_STRING  LinkTarget,
    OUT PULONG              ReturnedLength OPTIONAL
);

#endif // (VER_PRODUCTBUILD < 2195)

#ifdef __cplusplus
}
#endif


#endif // _NTIFS_

Generated by GNU enscript 1.6.1.