[REISERFS] Import ReiserFS file system driver for Windows. It will be enabled later...
authorAmine Khaldi <amine.khaldi@reactos.org>
Sat, 26 Mar 2016 20:40:42 +0000 (20:40 +0000)
committerAmine Khaldi <amine.khaldi@reactos.org>
Sat, 26 Mar 2016 20:40:42 +0000 (20:40 +0000)
svn path=/trunk/; revision=71057

100 files changed:
reactos/drivers/filesystems/CMakeLists.txt
reactos/drivers/filesystems/reiserfs/CMakeLists.txt [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/inc/gplntifs.h [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/inc/linux/bit_spinlock.h [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/inc/linux/bitops.h [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/inc/linux/config.h [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/inc/linux/errno.h [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/inc/linux/fs.h [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/inc/linux/jbd.h [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/inc/linux/journal-head.h [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/inc/linux/kernel.h [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/inc/linux/list.h [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/inc/linux/log2.h [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/inc/linux/module.h [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/inc/linux/nls.h [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/inc/linux/reiserfs_acl.h [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/inc/linux/reiserfs_fs.h [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/inc/linux/reiserfs_fs_i.h [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/inc/linux/reiserfs_fs_sb.h [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/inc/linux/reiserfs_xattr.h [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/inc/linux/slab.h [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/inc/linux/spinlock.h [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/inc/linux/stddef.h [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/inc/linux/string.h [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/inc/linux/types.h [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/inc/linux/version.h [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/inc/reiserfs.h [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/inc/rfsd.h [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/blockio.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/cleanup.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/close.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/cmcb.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/create.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/debug.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/devctl.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/dirctl.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/dispatch.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/except.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/fastio.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/fileinfo.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/flush.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/fsctl.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/init.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/lockctl.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/memory.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/misc.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_base.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_big5.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_cp1251.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_cp1255.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_cp437.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_cp737.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_cp775.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_cp850.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_cp852.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_cp855.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_cp857.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_cp860.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_cp861.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_cp862.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_cp863.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_cp864.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_cp865.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_cp866.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_cp869.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_cp874.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_cp932.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_cp936.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_cp949.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_cp950.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_euc-jp.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_euc-kr.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_gb2312.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_iso8859-1.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_iso8859-13.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_iso8859-14.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_iso8859-15.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_iso8859-2.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_iso8859-3.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_iso8859-4.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_iso8859-5.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_iso8859-6.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_iso8859-7.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_iso8859-8.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_iso8859-9.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_koi8-r.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_koi8-ru.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_koi8-u.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_sjis.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_tis-620.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/nls/nls_utf8.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/pnp.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/read.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/rfsd.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/rfsd.rc [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/rfsdblock.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/shutdown.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/volinfo.c [new file with mode: 0644]
reactos/drivers/filesystems/reiserfs/src/write.c [new file with mode: 0644]

index ac42b35..c740b08 100644 (file)
@@ -9,4 +9,5 @@ add_subdirectory(msfs)
 add_subdirectory(mup)
 add_subdirectory(npfs)
 add_subdirectory(ntfs)
+#add_subdirectory(reiserfs)
 add_subdirectory(udfs)
diff --git a/reactos/drivers/filesystems/reiserfs/CMakeLists.txt b/reactos/drivers/filesystems/reiserfs/CMakeLists.txt
new file mode 100644 (file)
index 0000000..39737e6
--- /dev/null
@@ -0,0 +1,97 @@
+
+include_directories(${REACTOS_SOURCE_DIR}/include/drivers
+                    inc)
+
+list(APPEND SOURCE
+    src/nls/nls_base.c
+    src/nls/nls_big5.c
+    src/nls/nls_cp437.c
+    src/nls/nls_cp737.c
+    src/nls/nls_cp775.c
+    src/nls/nls_cp850.c
+    src/nls/nls_cp852.c
+    src/nls/nls_cp855.c
+    src/nls/nls_cp857.c
+    src/nls/nls_cp860.c
+    src/nls/nls_cp861.c
+    src/nls/nls_cp862.c
+    src/nls/nls_cp863.c
+    src/nls/nls_cp864.c
+    src/nls/nls_cp865.c
+    src/nls/nls_cp866.c
+    src/nls/nls_cp869.c
+    src/nls/nls_cp874.c
+    src/nls/nls_cp932.c
+    src/nls/nls_cp936.c
+    src/nls/nls_cp949.c
+    src/nls/nls_cp950.c
+    src/nls/nls_cp1251.c
+    src/nls/nls_cp1255.c
+    src/nls/nls_euc-jp.c
+    src/nls/nls_euc-kr.c
+    src/nls/nls_gb2312.c
+    src/nls/nls_iso8859-1.c
+    src/nls/nls_iso8859-2.c
+    src/nls/nls_iso8859-3.c
+    src/nls/nls_iso8859-4.c
+    src/nls/nls_iso8859-5.c
+    src/nls/nls_iso8859-6.c
+    src/nls/nls_iso8859-7.c
+    src/nls/nls_iso8859-8.c
+    src/nls/nls_iso8859-9.c
+    src/nls/nls_iso8859-13.c
+    src/nls/nls_iso8859-14.c
+    src/nls/nls_iso8859-15.c
+    src/nls/nls_koi8-r.c
+    src/nls/nls_koi8-ru.c
+    src/nls/nls_koi8-u.c
+    src/nls/nls_sjis.c
+    src/nls/nls_tis-620.c
+    src/nls/nls_utf8.c
+    src/blockio.c
+    src/cleanup.c
+    src/close.c
+    src/cmcb.c
+    src/create.c
+    src/debug.c
+    src/devctl.c
+    src/dirctl.c
+    src/dispatch.c
+    src/except.c
+    src/fastio.c
+    src/fileinfo.c
+    src/flush.c
+    src/fsctl.c
+    src/init.c
+    src/lockctl.c
+    src/memory.c
+    src/misc.c
+    src/nls.c
+    src/pnp.c
+    src/read.c
+    src/rfsd.c
+    src/rfsdblock.c
+    src/shutdown.c
+    src/volinfo.c
+    src/write.c
+    inc/rfsd.h)
+
+add_library(reiserfs SHARED ${SOURCE} src/rfsd.rc)
+
+if(NOT MSVC)
+    add_target_compile_flags(reiserfs "-Wno-pointer-sign -Wno-unused-function")
+    if(NOT CMAKE_C_COMPILER_ID STREQUAL "Clang")
+        add_target_compile_flags(reiserfs "-Wno-unused-but-set-variable -Wno-unused-variable -Wno-missing-braces")
+    endif()
+else()
+    #disable warnings: "unreferenced local variable", "initialized, but not used variable", "benign include"
+    replace_compile_flags("/we\"4189\"" " ")
+    add_target_compile_flags(reiserfs "/wd\"4189\" /wd\"4142\" /wd\"4101\"")
+endif()
+
+target_link_libraries(reiserfs memcmp ${PSEH_LIB})
+add_definitions(-D__KERNEL__)
+set_module_type(reiserfs kernelmodedriver)
+add_importlibs(reiserfs ntoskrnl hal)
+add_pch(reiserfs inc/rfsd.h SOURCE)
+add_cd_file(TARGET reiserfs DESTINATION system32/drivers NO_CAB FOR all)
diff --git a/reactos/drivers/filesystems/reiserfs/inc/gplntifs.h b/reactos/drivers/filesystems/reiserfs/inc/gplntifs.h
new file mode 100644 (file)
index 0000000..d4d9f3a
--- /dev/null
@@ -0,0 +1,9491 @@
+/*
+    This is a free version of the file ntifs.h, release 58.
+    The purpose of this include file is to build file system and
+    file system filter drivers for Windows.
+    Copyright (C) 1999-2015 Bo Brantén.
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+    The GNU General Public License is also available from:
+    http://www.gnu.org/copyleft/gpl.html
+
+    Windows and Windows NT are either registered trademarks or trademarks of
+    Microsoft Corporation in the United States and/or other countries.
+
+    DISCLAIMER: I do not encourage anyone to use this include file to build
+    drivers used in production. Some of the information in this file may not
+    be available in other publications intended for similar use. Some of the
+    information in this file may have different names than in other
+    publications even though they describe the same thing.
+
+    NOTE: This file should be used with the Microsoft® Windows® Driver
+    Development Kit (DDK) while the file wdkundoc.h is a subset of this
+    file that should be used with the Microsoft Windows Driver Kit (WDK).
+
+    Please send comments, corrections and contributions to bosse@acc.umu.se.
+
+    The most recent version of this file is available from:
+    http://www.acc.umu.se/~bosse/ntifs.h
+
+    The most recent version of the file wdkundoc.h is available from:
+    http://www.acc.umu.se/~bosse/wdkundoc.h
+
+    Thanks to:
+      Andrey Shedel, Luigi Mori, Louis Joubert, Itai Shaham, David Welch,
+      Emanuele Aliberti, Anton Altaparmakov, Dan Partelly, Mamaich, Yossi
+      Yaffe, Gunnar André Dalsnes, Vadim V Vorobev, Ashot Oganesyan K,
+      Oleg Nikityenko, Matt Wu, Tomas Olsson, Raaf, Anthony Choi, Alexey
+      Logachyov, Marc-Antoine Ruel, Vyacheslav I. Levtchenko, Yuri Polyakov,
+      Bruno Milot, Alex Vlasov, Dan Fulger, Petr Semerad, Sobame La Garompa,
+      Jérôme Hodé and Darja Isaksson.
+
+    Revision history:
+
+    58. 2015-06-11
+        Added:
+          Externals:
+            PsInitialSystemProcess
+            HalPrivateDispatchTable
+            KeLoaderBlock
+            KeI386MachineType
+            KiBugCheckData
+            InitSafeBootMode
+            KiEnableTimerWatchdog
+            KdComPortInUse
+            KdEnteredDebugger
+            MmBadPointer
+            NlsLeadByteInfo
+            NlsOemLeadByteInfo
+            NlsMbCodePageTag
+            NlsMbOemCodePageTag
+            NlsAnsiCodePage
+            NlsOemCodePage
+            IoStatisticsLock
+            IoReadOperationCount
+            IoWriteOperationCount
+            IoReadTransferCount
+            IoWriteTransferCount
+            KeDcacheFlushCount
+            KeIcacheFlushCount
+            CcFastMdlReadWait
+            CcFastReadNotPossible
+            CcFastReadWait
+            IoAdapterObjectType
+            IoDeviceObjectType
+            MmSectionObjectType
+            PsProcessType
+            PsThreadType
+            ExDesktopObjectType
+            ExWindowStationObjectType
+            IoDeviceHandlerObjectType
+            LpcPortObjectType
+            PsJobType
+            SeTokenObjectType
+            TmEnlistmentObjectType
+            TmResourceManagerObjectType
+            TmTransactionManagerObjectType
+            TmTransactionObjectType
+            CmKeyObjectType
+            IoDeviceHandlerObjectSize
+            POGOBuffer
+            psMUITest
+            PsUILanguageComitted
+
+    57. 2015-03-23
+        Corrected:
+          ObGetObjectPointerCount
+        Added:
+          Function prototypes:
+            FsRtlTeardownPerFileContexts
+            FsRtlTeardownPerStreamContexts
+
+    56. 2008-07-31
+        Corrected:
+          FSCTL_SET_SPARSE
+          FSRTL_COMMON_FCB_HEADER
+        Added:
+          Defines:
+            FSRTL_XXX
+            IO_REPARSE_TAG_XXX
+          Data types:
+            FSRTL_ADVANCED_FCB_HEADER
+          Function prototypes:
+            FsRtlSetupAdvancedHeader
+
+    55. 2006-05-15
+        Corrected:
+          TOKEN_OBJECT
+        Added:
+          Data types:
+            SEP_AUDIT_POLICY_VISTA
+            SID_AND_ATTRIBUTES_HASH
+
+    54. 2006-05-14
+        Corrected:
+          EXTENDED_IO_STACK_LOCATION
+
+    53. 2005-11-06
+        Added:
+          Function prototypes:
+            RtlRandom
+            RtlRandomEx
+            RtlSecondsSince1980ToTime
+            RtlTimeToSecondsSince1980
+
+    52. 2005-11-05
+        Corrected:
+          OBJECT_NAME
+          TOKEN_OBJECT
+
+    51. 2005-10-16
+        Corrected:
+          ETHREAD
+          GDI_TEB_BATCH
+          MMADDRESS_NODE
+          TEB
+
+    50. 2005-10-15
+        Added:
+          Data types:
+            READ_LIST
+          Function prototypes:
+            IoAttachDeviceToDeviceStackSafe
+            IoCheckQuerySetFileInformation
+            IoCheckQuerySetVolumeInformation
+            IoCreateFileSpecifyDeviceObjectHint
+            IoCreateStreamFileObjectEx
+            IoEnumerateDeviceObjectList
+            IoGetDeviceAttachmentBaseRef
+            IoGetDiskDeviceObject
+            IoGetLowerDeviceObject
+            IoIsFileOriginRemote
+            IoQueryFileDosDeviceName
+            IoQueueThreadIrp
+            IoSetFileOrigin
+            KeAcquireQueuedSpinLock
+            KeInitializeMutant
+            KeReadStateMutant
+            KeReleaseMutant
+            KeReleaseQueuedSpinLock
+            KeSetIdealProcessorThread
+            KeSetKernelStackSwapEnable
+            KeTryToAcquireQueuedSpinLock
+            MmPrefetchPages
+            ObDereferenceSecurityDescriptor
+            ObLogSecurityDescriptor
+            ObReferenceSecurityDescriptor
+            PoQueueShutdownWorkItem
+            RtlxUnicodeStringToAnsiSize
+            SeAuditHardLinkCreation
+            SeAuditingHardLinkEvents
+            SeFilterToken
+
+    49. 2005-10-09
+        Corrected:
+          EPROCESS
+          KTHREAD
+          MMSUPPORT_FLAGS
+          MMSUPPORT
+          OBJECT_HEADER
+          OBJECT_TYPE_INITIALIZER
+          OBJECT_TYPE
+          TEB
+          KeInsertQueueApc
+        Added:
+          Defines:
+            OB_FLAG_XXX
+            OB_SECURITY_CHARGE
+          Data types:
+            ACTIVATION_CONTEXT_STACK
+            GDI_TEB_BATCH
+            HANDLE_INFO
+            KGUARDED_MUTEX
+            MMADDRESS_NODE
+            MM_AVL_TABLE
+            OBJECT_CREATE_INFORMATION
+            OBJECT_CREATOR_INFO
+            OBJECT_DIRECTORY
+            OBJECT_DIRECTORY_ITEM
+            OBJECT_HANDLE_DB
+            OBJECT_HANDLE_DB_LIST
+            OBJECT_HEADER_FLAGS
+            OBJECT_NAME
+            OBJECT_QUOTA_CHARGES
+            OBJECT_QUOTA_INFO
+            QUOTA_BLOCK
+            RTL_ACTIVATION_CONTEXT_STACK_FRAME
+            TEB_ACTIVE_FRAME
+            TEB_ACTIVE_FRAME_CONTEXT
+            Wx86ThreadState
+          Function prototypes:
+            FsRtlAcquireFileExclusive
+            FsRtlBalanceReads
+            FsRtlDissectDbcs
+            FsRtlDoesDbcsContainWildCards
+            FsRtlIsDbcsInExpression
+            FsRtlIsFatDbcsLegal
+            FsRtlIsHpfsDbcsLegal
+            FsRtlIsPagingFile
+            FsRtlIsTotalDeviceFailure
+            FsRtlMdlReadDev
+            FsRtlPostPagingFileStackOverflow
+            FsRtlPostStackOverflow
+            FsRtlPrepareMdlWriteDev
+            FsRtlReleaseFile
+
+    48. 2005-04-16
+        Added:
+          Data types:
+            THREAD_BASIC_INFORMATION
+          Function prototypes:
+            ZwQueryInformationThread
+
+    47. 2005-03-08
+        Corrected:
+          SYSTEM_PROCESSES_INFORMATION
+          TOKEN_OBJECT
+          KeInsertQueueApc
+
+    46. 2004-06-08
+        Added:
+          Data types:
+            TOKEN_OBJECT
+
+    45. 2004-06-06
+        Corrected:
+          SERVICE_DESCRIPTOR_TABLE
+        Added:
+          Defines:
+            TOKEN_SESSION_NOT_REFERENCED
+            TOKEN_SANDBOX_INERT
+            TOKEN_HAS_IMPERSONATE_PRIVILEGE
+          Function prototypes:
+            FsRtlDissectName
+            RtlOemStringToCountedUnicodeSize
+            RtlOemStringToUnicodeSize
+            RtlOemStringToUnicodeString
+            RtlUnicodeStringToOemSize
+            RtlUnicodeStringToOemString
+            RtlxOemStringToUnicodeSize
+            RtlxUnicodeStringToOemSize
+
+    44. 2003-05-06
+        Added:
+          Function prototypes:
+            InbvAcquireDisplayOwnership
+            InbvCheckDisplayOwnership
+            InbvDisplayString
+            InbvEnableBootDriver
+            InbvEnableDisplayString
+            InbvInstallDisplayStringFilter
+            InbvIsBootDriverInstalled
+            InbvNotifyDisplayOwnershipLost
+            InbvResetDisplay
+            InbvSetScrollRegion
+            InbvSetTextColor
+            InbvSolidColorFill
+
+    43. 2003-04-07
+        Added:
+          Data types:
+            MCB
+          Function prototypes:
+            FsRtlAddMcbEntry
+            FsRtlInitializeMcb
+            FsRtlLookupLastMcbEntry
+            FsRtlLookupMcbEntry
+            FsRtlNotifyFilterChangeDirectory
+            FsRtlNotifyFilterReportChange
+            FsRtlNumberOfRunsInMcb
+            FsRtlRemoveMcbEntry
+            FsRtlTruncateMcb
+            FsRtlUninitializeMcb
+
+    42. 2003-03-30
+        Corrected:
+          SYSTEM_CACHE_INFORMATION
+          SYSTEM_INFORMATION_CLASS
+        Added:
+          Data types:
+            SYSTEM_XXX_INFORMATION
+            THREAD_STATE
+
+    41. 2003-01-03
+        Corrected:
+          CcMapData
+          PsDereferenceImpersonationToken
+          PsDereferencePrimaryToken
+          PsGetProcessExitTime
+          PsReferencePrimaryToken
+        Added:
+          Defines:
+            MAP_XXX
+          Function prototypes:
+            CcMdlWriteAbort
+            PsAssignImpersonationToken
+            PsChargeProcessNonPagedPoolQuota
+            PsChargeProcessPagedPoolQuota
+            PsChargeProcessPoolQuota
+            PsDisableImpersonation
+            PsImpersonateClient
+            PsIsSystemThread
+            PsRestoreImpersonation
+            SeDeleteAccessState
+            ZwOpenProcessTokenEx
+            ZwOpenThreadTokenEx
+
+    40. 2002-10-02
+        Corrected:
+          HANDLE_TABLE_ENTRY
+        Added:
+          Defines:
+            FSRTL_FLAG_ADVANCED_HEADER
+            FSRTL_FLAG2_SUPPORTS_FILTER_CONTEXTS
+            FSRTL_FLAG2_PURGE_WHEN_MAPPED
+          Data types:
+            FILE_ID_BOTH_DIR_INFORMATION
+            FILE_ID_FULL_DIR_INFORMATION
+
+    39. 2002-08-04
+        Added:
+          Data types:
+            LARGE_MCB
+          Function prototypes:
+            FsRtlAddLargeMcbEntry
+            FsRtlGetNextLargeMcbEntry
+            FsRtlInitializeLargeMcb
+            FsRtlLookupLargeMcbEntry
+            FsRtlLookupLastLargeMcbEntry
+            FsRtlLookupLastLargeMcbEntryAndIndex
+            FsRtlNumberOfRunsInLargeMcb
+            FsRtlRemoveLargeMcbEntry
+            FsRtlResetLargeMcb
+            FsRtlSplitLargeMcb
+            FsRtlTruncateLargeMcb
+            FsRtlUninitializeLargeMcb
+
+    38. 2002-06-30
+        Added:
+          Defines:
+            FILE_READ_ONLY_VOLUME
+          Function prototypes:
+            FsRtlAllocateResource
+            FsRtlIncrementCcFastReadNotPossible
+            FsRtlIncrementCcFastReadNoWait
+            FsRtlIncrementCcFastReadResourceMiss
+            FsRtlIncrementCcFastReadWait
+            KeIsAttachedProcess
+            KeIsExecutingDpc
+            KeRevertToUserAffinityThread
+            KeUpdateSystemTime
+            PsGetCurrentProcessSessionId
+            PsGetCurrentThreadPreviousMode
+            PsGetCurrentThreadStackBase
+            PsGetCurrentThreadStackLimit
+            RtlGetNtGlobalFlags
+
+    37. 2002-05-18
+        Uppdated for Windows XP:
+          EPROCESS
+          ETHREAD
+          KPROCESS
+          KTHREAD
+          MMSUPPORT_FLAGS
+          MMSUPPORT
+          PRIVATE_CACHE_MAP_FLAGS
+          PRIVATE_CACHE_MAP
+          SHARED_CACHE_MAP
+        Corrected:
+          VACB
+        Added:
+          Data types:
+            EPROCESS_QUOTA_ENTRY
+            EPROCESS_QUOTA_BLOCK
+            EX_FAST_REF
+            EX_PUSH_LOCK
+            EX_RUNDOWN_REF
+            PAGEFAULT_HISTORY
+            SE_AUDIT_PROCESS_CREATION_INFO
+            SECTION_OBJECT
+            TERMINATION_PORT
+
+    36. 2002-05-14
+        Corrected:
+          FILE_FS_FULL_SIZE_INFORMATION
+
+    35. 2002-03-23
+        Added:
+          Defines:
+            COMPRESSION_XXX
+          Data types:
+            COMPRESSED_DATA_INFO
+            OBJECT_HEADER
+            VAD_HEADER
+          Function prototypes:
+            CcWaitForCurrentLazyWriterActivity
+            FsRtlCheckOplock
+            FsRtlCurrentBatchOplock
+            FsRtlDeregisterUncProvider
+            FsRtlInitializeOplock
+            FsRtlOplockFsctrl
+            FsRtlOplockIsFastIoPossible
+            FsRtlRegisterUncProvider
+            FsRtlUninitializeOplock
+            RtlCompressBuffer
+            RtlCompressChunks
+            RtlDecompressBuffer
+            RtlDecompressChunks
+            RtlDecompressFragment
+            RtlDescribeChunk
+            RtlGetCompressionWorkSpaceSize
+            RtlReserveChunk
+
+    34. 2002-02-14
+        Corrected:
+          HARDWARE_PTE
+          Changed the use of _WIN32_WINNT to VER_PRODUCTBUILD since _WIN32_WINNT
+          is incorrectly defined in the Windows 2000 build environment included
+          in the Windows XP DDK.
+
+    33. 2002-01-20
+        Added:
+          Function prototypes:
+            PsDereferenceImpersonationToken
+            PsDereferencePrimaryToken
+
+    32. 2002-01-18
+        Corrected:
+          ObReferenceObjectByName
+          FILE_FS_OBJECT_ID_INFORMATION
+          FILE_OBJECTID_INFORMATION
+        Added:
+          Externals:
+            IoDriverObjectType
+            SeExports
+          Defines:
+            FILE_ACTION_XXX
+            FSCTL_XXX
+            IO_FILE_OBJECT_XXX
+            IRP_BEING_VERIFIED
+            TOKEN_XXX
+          Data types:
+            DEVICE_MAP
+            FILE_TRACKING_INFORMATION
+            SE_EXPORTS
+          Function prototypes:
+            SeEnableAccessToExports
+
+    31. 2001-12-23
+        Corrected:
+          QueryQuota in EXTENDED_IO_STACK_LOCATION
+          FILE_LOCK
+          CcPinMappedData
+          CcPinRead
+          CcPreparePinWrite
+          FsRtlFastUnlockAll
+          FsRtlFastUnlockAllByKey
+          FsRtlFastUnlockSingle
+          FsRtlInitializeFileLock
+          FsRtlPrivateLock
+          FsRtlProcessFileLock
+          MmForceSectionClosed
+          MmIsRecursiveIoFault
+          SeImpersonateClient
+          SeImpersonateClientEx
+        Added:
+          Defines:
+            More FSRTL_FLAG_XXX
+            PIN_XXX
+            VACB_XXX
+          Data types:
+            REPARSE_DATA_BUFFER
+          Function prototypes:
+            CcCopyWriteWontFlush
+            CcGetFileSizePointer
+            CcGetFlushedValidData
+            CcIsFileCached
+            CcRemapBcb
+            ExDisableResourceBoostLite
+            ExQueryPoolBlockSize
+            FsRtlAllocateFileLock
+            FsRtlAreThereCurrentFileLocks
+            FsRtlFastLock
+            FsRtlFreeFileLock
+            IoCheckDesiredAccess
+            IoCheckEaBufferValidity
+            IoCheckFunctionAccess
+            IoCheckQuotaBufferValidity
+            IoCreateStreamFileObjectLite
+            IoFastQueryNetworkAttributes
+            IoGetRequestorProcessId
+            IoIsFileOpenedExclusively
+            IoIsSystemThread
+            IoIsValidNameGraftingBuffer
+            IoSynchronousPageWrite
+            IoThreadToProcess
+            KeInitializeQueue
+            KeInsertHeadQueue
+            KeInsertQueue
+            KeReadStateQueue
+            KeRemoveQueue
+            KeRundownQueue
+            MmSetAddressRangeModified
+            ObGetObjectPointerCount
+            ObMakeTemporaryObject
+            ObQueryObjectAuditingByHandle
+            PsChargePoolQuota
+            PsReturnPoolQuota
+            SeAppendPrivileges
+            SeAuditingFileEvents
+            SeAuditingFileOrGlobalEvents
+            SeCreateClientSecurity
+            SeCreateClientSecurityFromSubjectContext
+            SeDeleteClientSecurity
+            SeDeleteObjectAuditAlarm
+            SeFreePrivileges
+            SeLockSubjectContext
+            SeOpenObjectAuditAlarm
+            SeOpenObjectForDeleteAuditAlarm
+            SePrivilegeCheck
+            SeQueryAuthenticationIdToken
+            SeQuerySecurityDescriptorInfo
+            SeQuerySessionIdToken
+            SeSetAccessStateGenericMapping
+            SeSetSecurityDescriptorInfo
+            SeSetSecurityDescriptorInfoEx
+            SeTokenIsAdmin
+            SeTokenIsRestricted
+            SeTokenType
+            SeUnlockSubjectContext
+
+    30. 2001-10-24
+        Corrected:
+          KINTERRUPT
+          OBJECT_TYPE
+        Added:
+          Defines:
+            More FSCTL_XXX
+          Data types:
+            BITMAP_RANGE
+            CreateMailslot in EXTENDED_IO_STACK_LOCATION
+            CreatePipe in EXTENDED_IO_STACK_LOCATION
+            QueryQuota in EXTENDED_IO_STACK_LOCATION
+            MAILSLOT_CREATE_PARAMETERS
+            MBCB
+            NAMED_PIPE_CREATE_PARAMETERS
+            PRIVATE_CACHE_MAP_FLAGS
+            PRIVATE_CACHE_MAP
+            SECURITY_CLIENT_CONTEXT
+            SHARED_CACHE_MAP
+            VACB
+          Function prototypes:
+            HalQueryRealTimeClock
+            HalSetRealTimeClock
+            PsGetProcessExitTime
+            PsIsThreadTerminating
+            PsLookupProcessThreadByCid
+            PsLookupThreadByThreadId
+            SeQueryAuthenticationIdToken
+          Externals:
+            KeServiceDescriptorTable
+            SePublicDefaultDacl
+            SeSystemDefaultDacl
+
+    29. 2001-10-06
+        Added:
+          Defines:
+            FSRTL_VOLUME_XXX
+          Function prototypes:
+            FsRtlNotifyChangeDirectory
+            FsRtlNotifyReportChange
+            FsRtlNotifyVolumeEvent
+
+    28. 2001-09-16
+        Added:
+          Function prototypes:
+            FsRtlNotifyInitializeSync
+            FsRtlNotifyUninitializeSync
+            SeImpersonateClientEx
+            SeReleaseSubjectContext
+
+    27. 2001-08-25
+        Corrected:
+          KPROCESS
+          FILE_LOCK_ANCHOR
+          FsRtlNormalizeNtstatus
+          RtlSecondsSince1970ToTime
+          RtlTimeToSecondsSince1970
+          SeQueryInformationToken
+        Added:
+          Defines:
+            FS_LFN_APIS
+          Data types:
+            FILE_LOCK_ENTRY
+            FILE_SHARED_LOCK_ENTRY
+            FILE_EXCLUSIVE_LOCK_ENTRY
+          Function prototypes:
+            FsRtlCheckLockForReadAccess
+            FsRtlCheckLockForWriteAccess
+            FsRtlFastUnlockAll
+            FsRtlFastUnlockAllByKey
+            FsRtlFastUnlockSingle
+            FsRtlGetFileSize
+            FsRtlGetNextFileLock
+            FsRtlInitializeFileLock
+            FsRtlPrivateLock
+            FsRtlProcessFileLock
+            FsRtlUninitializeFileLock
+            IoUnregisterFsRegistrationChange
+            PsLookupProcessByProcessId
+            SeQuerySubjectContextToken
+
+    26. 2001-04-28
+        Added:
+          Defines:
+            FSCTL_XXX
+          Data types:
+            RTL_SPLAY_LINKS
+            TUNNEL
+          Function prototypes:
+            FsRtlAddToTunnelCache
+            FsRtlDeleteKeyFromTunnelCache
+            FsRtlDeleteTunnelCache
+            FsRtlFindInTunnelCache
+            FsRtlInitializeTunnelCache
+            IoSetDeviceToVerify
+            KeInitializeApc
+            KeInsertQueueApc
+            SeQueryInformationToken
+
+    25. 2001-04-05
+        Corrected:
+          RtlImageNtHeader
+          LPC_XXX
+          OBJECT_BASIC_INFO
+        Added:
+          Defines:
+            SID_REVISION
+          Data types:
+            DIRECTORY_BASIC_INFORMATION
+            KINTERRUPT
+            OBJECT_HANDLE_ATTRIBUTE_INFO
+            PROCESS_PRIORITY_CLASS
+            SECTION_BASIC_INFORMATION
+            SECTION_IMAGE_INFORMATION
+            SECTION_INFORMATION_CLASS
+          Function prototypes:
+            RtlSecondsSince1970ToTime
+            RtlTimeToSecondsSince1970
+            ZwAdjustPrivilegesToken
+            ZwAlertThread
+            ZwAccessCheckAndAuditAlarm
+            ZwClearEvent
+            ZwCloseObjectAuditAlarm
+            ZwCreateSection
+            ZwCreateSymbolicLinkObject
+            ZwDuplicateToken
+            ZwFlushInstructionCache
+            ZwFlushVirtualMemory
+            ZwInitiatePowerAction
+            ZwLoadKey
+            ZwNotifyChangeKey
+            ZwOpenThread
+            ZwPowerInformation
+            ZwPulseEvent
+            ZwQueryDefaultLocale
+            ZwQueryDefaultUILanguage
+            ZwQueryInformationProcess
+            ZwQueryInstallUILanguage
+            ZwQuerySection
+            ZwReplaceKey
+            ZwResetEvent
+            ZwRestoreKey
+            ZwSaveKey
+            ZwSetDefaultLocale
+            ZwSetDefaultUILanguage
+            ZwSetEvent
+            ZwSetInformationObject
+            ZwSetInformationProcess
+            ZwSetSecurityObject
+            ZwSetSystemTime
+            ZwTerminateProcess
+            ZwUnloadKey
+            ZwWaitForSingleObject
+            ZwWaitForMultipleObjects
+            ZwYieldExecution
+        Removed functions that is not exported in kernel mode:
+          CcZeroEndOfLastPage
+          RtlAllocateAndInitializeSid
+          ZwAcceptConnectPort
+          ZwCompleteConnectPort
+          ZwCreatePort
+          ZwCreateProcess
+          ZwCreateThread
+          ZwFlushBuffersFile
+          ZwGetContextThread
+          ZwImpersonateClientOfPort
+          ZwListenPort
+          ZwLockFile
+          ZwNotifyChangeDirectoryFile
+          ZwQueryInformationPort
+          ZwReadRequestData
+          ZwReplyPort
+          ZwReplyWaitReceivePort
+          ZwReplyWaitReplyPort
+          ZwRequestPort
+          ZwUnlockFile
+          ZwWriteRequestData
+
+    24. 2001-03-08
+        Corrected:
+          EPROCESS
+          ETHREAD
+          FAST_IO_POSSIBLE
+          QueryEa in EXTENDED_IO_STACK_LOCATION
+        Added:
+          Defines:
+            Some more flags for FileSystemAttributes
+          Data types:
+            EXCEPTION_REGISTRATION_RECORD
+            FILE_FS_FULL_SIZE_INFORMATION
+            FILE_FS_OBJECT_ID_INFORMATION
+            HANDLE_TABLE_ENTRY
+            IO_CLIENT_EXTENSION
+            PS_IMPERSONATION_INFORMATION
+            SetEa and SetQuota in EXTENDED_IO_STACK_LOCATION
+          Function prototypes:
+            IoPageRead
+            KeStackAttachProcess
+            KeUnstackDetachProcess
+            MmMapViewOfSection
+            RtlSelfRelativeToAbsoluteSD
+            SeCreateAccessState
+
+    23. 2001-01-29
+        Corrected:
+          FSCTL_GET_VOLUME_INFORMATION
+          FSCTL_READ_MFT_RECORD
+          HARDWARE_PTE
+          EPROCESS
+          ETHREAD
+          KAPC_STATE
+          KPROCESS
+          KTHREAD
+          MMSUPPORT
+        Added:
+          Data types:
+            KGDTENTRY
+            KIDTENTRY
+            MMSUPPORT_FLAGS
+
+    22. 2000-12-23
+        Corrected:
+          EPROCESS
+          KPROCESS
+        Added:
+          Data types:
+            HARDWARE_PTE
+            MMSUPPORT
+
+    21. 2000-12-12
+        Added:
+          Defines:
+            IO_TYPE_XXX
+            OB_TYPE_XXX
+            THREAD_STATE_XXX
+          Data types:
+            EPROCESS
+            ETHREAD
+            KAPC_STATE
+            KEVENT_PAIR
+            KPROCESS
+            KTHREAD
+            KQUEUE
+            SERVICE_DESCRIPTOR_TABLE
+            TEB
+
+    20. 2000-12-03
+        Added:
+          Data types:
+            OBJECT_TYPE
+          Function prototypes:
+            ObCreateObject
+            ObInsertObject
+            ObReferenceObjectByName
+
+    19. 2000-11-25
+        Removed a name from credits since the person want to be anonymous.
+
+    18. 2000-10-13
+        Corrected:
+          PsReferenceImpersonationToken
+        Added:
+          Defines:
+            FILE_PIPE_XXX
+            LPC_XXX
+            MAILSLOT_XXX
+            PORT_XXX
+            FSCTL_GET_VOLUME_INFORMATION
+            FSCTL_READ_MFT_RECORD
+            FSCTL_MAILSLOT_PEEK
+            FSCTL_PIPE_XXX
+          Data types:
+            PORT_INFORMATION_CLASS
+            BITMAP_DESCRIPTOR
+            FILE_MAILSLOT_XXX
+            FILE_PIPE_XXX
+            MAPPING_PAIR
+            GET_RETRIEVAL_DESCRIPTOR
+            LPC_XXX
+            MOVEFILE_DESCRIPTOR
+          Function prototypes:
+            InitializeMessageHeader
+            MmForceSectionClosed
+            ZwAcceptConnectPort
+            ZwCompleteConnectPort
+            ZwConnectPort
+            ZwCreateEvent
+            ZwCreatePort
+            ZwImpersonateClientOfPort
+            ZwListenPort
+            ZwQueryInformationPort
+            ZwReadRequestData
+            ZwReplyPort
+            ZwReplyWaitReceivePort
+            ZwReplyWaitReplyPort
+            ZwRequestPort
+            ZwRequestWaitReplyPort
+            ZwWriteRequestData
+
+    17. 2000-05-21
+        Added:
+          Function prototypes:
+            PsRevertToSelf
+            SeCreateClientSecurity
+            SeImpersonateClient
+            ZwDuplicateObject
+
+    16. 2000-03-28
+        Added:
+          Defines:
+            FILE_STORAGE_TYPE_XXX
+            FILE_VC_XXX
+            IO_CHECK_CREATE_PARAMETERS
+            IO_ATTACH_DEVICE
+            IO_ATTACH_DEVICE_API
+            IO_COMPLETION_XXX
+          Data types:
+            IO_COMPLETION_INFORMATION_CLASS
+            OBJECT_INFO_CLASS
+            SYSTEM_INFORMATION_CLASS
+            FILE_LOCK_ANCHOR
+            IO_COMPLETION_BASIC_INFORMATION
+            OBJECT_BASIC_INFO
+            OBJECT_NAME_INFO
+            OBJECT_PROTECTION_INFO
+            OBJECT_TYPE_INFO
+            OBJECT_ALL_TYPES_INFO
+            SYSTEM_CACHE_INFORMATION
+          Function prototypes:
+            FsRtlAllocatePool
+            FsRtlAllocatePoolWithQuota
+            FsRtlAllocatePoolWithQuotaTag
+            FsRtlAllocatePoolWithTag
+            FsRtlAreNamesEqual
+            FsRtlFastCheckLockForRead
+            FsRtlFastCheckLockForWrite
+            FsRtlMdlReadComplete
+            FsRtlMdlWriteComplete
+            FsRtlNormalizeNtstatus
+            RtlAllocateHeap
+            RtlCreateHeap
+            RtlDestroyHeap
+            RtlFreeHeap
+            RtlImageNtHeader
+            ZwQueryObject
+            ZwQuerySystemInformation
+            ZwSetSystemInformation
+
+    15. 2000-03-15
+        Corrected:
+          Renamed IoQueryFileVolumeInformation to IoQueryVolumeInformation
+        Comment on:
+          CcZeroEndOfLastPage
+
+    14. 2000-03-12
+        Corrected:
+          IoCreateFile
+        Added:
+          #if (_WIN32_WINNT < 0x0500)/#endif around stuff that is included in
+          the Windows 2000 DDK but is missing in the Windows NT 4.0 DDK.
+          ZwOpenEvent
+
+    13. 2000-02-08
+        Corrected:
+          PsReferenceImpersonationToken
+        Comment on:
+          RtlAllocateAndInitializeSid
+
+    12. 1999-10-18
+        Corrected:
+          FILE_COMPRESSION_INFORMATION
+        Added:
+          Defines:
+            ACCESS_ALLOWED_ACE_TYPE
+            ACCESS_DENIED_ACE_TYPE
+            SYSTEM_AUDIT_ACE_TYPE
+            SYSTEM_ALARM_ACE_TYPE
+            ANSI_DOS_STAR/QM/DOT
+            DOS_STAR/QM/DOT
+            FILE_EA_TYPE_XXX
+            FILE_NEED_EA
+            FILE_OPBATCH_BREAK_UNDERWAY
+            SECURITY_WORLD_SID_AUTHORITY
+            SECURITY_WORLD_RID
+          Data types:
+            POBJECT
+            FILE_STORAGE_TYPE
+            FILE_COMPLETION_INFORMATION
+            FILE_COPY_ON_WRITE_INFORMATION
+            FILE_FS_CONTROL_INFORMATION
+            FILE_GET_EA_INFORMATION
+            FILE_GET_QUOTA_INFORMATION
+            FILE_OBJECTID_INFORMATION
+            FILE_OLE_CLASSID_INFORMATION
+            FILE_OLE_ALL_INFORMATION
+            FILE_OLE_DIR_INFORMATION
+            FILE_OLE_INFORMATION
+            FILE_OLE_STATE_BITS_INFORMATION
+            FILE_QUOTA_INFORMATION
+          Function prototypes:
+            HalDisplayString
+            HalMakeBeep
+            IoGetRequestorProcess
+            ObQueryNameString
+            ProbeForWrite
+            RtlAbsoluteToSelfRelativeSD
+            RtlGetDaclSecurityDescriptor
+            RtlGetGroupSecurityDescriptor
+            RtlGetOwnerSecurityDescriptor
+            RtlInitializeSid
+            RtlSetGroupSecurityDescriptor
+            RtlSetOwnerSecurityDescriptor
+            RtlSetSaclSecurityDescriptor
+            ZwDeleteValueKey
+            ZwDisplayString
+            ZwQueryDirectoryObject
+
+    11. 1999-10-13
+        Corrected:
+          ZwOpenProcessToken
+          ZwOpenThreadToken
+        Added:
+          Function prototypes:
+            RtlAllocateAndInitializeSid
+            RtlCopySid
+            RtlEqualSid
+            RtlFillMemoryUlong
+            RtlIsNameLegalDOS8Dot3
+            RtlLengthRequiredSid
+            RtlLengthSid
+            RtlNtStatusToDosError
+            RtlSubAuthorityCountSid
+            RtlSubAuthoritySid
+            RtlValidSid
+
+    10. 1999-07-15
+        Corrected:
+          RtlConvertSidToUnicodeString
+        Added:
+          Externals:
+            FsRtlLegalAnsiCharacterArray
+            NtBuildNumber
+          Defines:
+            FSRTL_WILD_CHARACTER
+            FlagOn
+            FsRtlIsUnicodeCharacterWild
+          Structures:
+            FILE_ACCESS_INFORMATION
+            FILE_MODE_INFORMATION
+            GENERATE_NAME_CONTEXT
+          Function prototypes:
+            FsRtlDoesNameContainWildCards
+            FsRtlIsNameInExpression
+            IoSetInformation
+            RtlGenerate8dot3Name
+            ZwQuerySecurityObject
+
+    9. 1999-07-12
+       Corrected:
+         EXTENDED_IO_STACK_LOCATION
+         QueryDirectory in EXTENDED_IO_STACK_LOCATION
+         ZwCreateThread
+       Added:
+         Structures:
+           INITIAL_TEB
+         Function prototypes:
+           ZwQuerySymbolicLinkObject
+
+    8. 1999-06-07
+       Corrected:
+         ZwOpenProcessToken
+         ZwOpenThreadToken
+       Added:
+         Defines:
+           FILE_OPLOCK_BROKEN_TO_LEVEL_2
+           FILE_OPLOCK_BROKEN_TO_NONE
+           FILE_CASE_SENSITIVE_SEARCH
+           FILE_CASE_PRESERVED_NAMES
+           FILE_UNICODE_ON_DISK
+           FILE_PERSISTENT_ACLS
+           FILE_FILE_COMPRESSION
+           FILE_VOLUME_IS_COMPRESSED
+           FSRTL_FLAG_ACQUIRE_MAIN_RSRC_EX
+           FSRTL_FLAG_ACQUIRE_MAIN_RSRC_SH
+           IOCTL_REDIR_QUERY_PATH
+         Structures:
+           FILE_FS_LABEL_INFORMATION
+           PATHNAME_BUFFER
+         In IO_STACK_LOCATION:
+           FileSystemControl
+           LockControl
+           SetVolume
+         Function prototypes:
+           FsRtlCopyRead
+           FsRtlCopyWrite
+           IoVerifyVolume
+
+    7. 1999-06-05
+       Added:
+         defines for TOKEN_XXX
+         SID_NAME_USE
+         TOKEN_INFORMATION_CLASS
+         TOKEN_TYPE
+         FILE_FS_ATTRIBUTE_INFORMATION
+         FILE_FS_SIZE_INFORMATION
+         SID_IDENTIFIER_AUTHORITY
+         SID
+         SID_AND_ATTRIBUTES
+         TOKEN_CONTROL
+         TOKEN_DEFAULT_DACL
+         TOKEN_GROUPS
+         TOKEN_OWNER
+         TOKEN_PRIMARY_GROUP
+         TOKEN_PRIVILEGES
+         TOKEN_SOURCE
+         TOKEN_STATISTICS
+         TOKEN_USER
+         IoCreateFile
+         IoGetAttachedDevice
+         IoGetBaseFileSystemDeviceObject
+         PsReferenceImpersonationToken
+         PsReferencePrimaryToken
+         RtlConvertSidToUnicodeString
+         SeCaptureSubjectContext
+         SeMarkLogonSessionForTerminationNotification
+         SeRegisterLogonSessionTerminatedRoutine
+         SeUnregisterLogonSessionTerminatedRoutine
+         ZwOpenProcessToken
+         ZwOpenThreadToken
+         ZwQueryInformationToken
+
+    6. 1999-05-10
+       Corrected declarations of Zw functions.
+       Added:
+         ZwCancelIoFile
+         ZwDeleteFile
+         ZwFlushBuffersFile
+         ZwFsControlFile
+         ZwLockFile
+         ZwNotifyChangeDirectoryFile
+         ZwOpenFile
+         ZwQueryEaFile
+         ZwSetEaFile
+         ZwSetVolumeInformationFile
+         ZwUnlockFile
+
+    5. 1999-05-09
+       Added:
+         defines for FILE_ACTION_XXX and FILE_NOTIFY_XXX
+         FILE_FS_VOLUME_INFORMATION
+         RETRIEVAL_POINTERS_BUFFER
+         STARTING_VCN_INPUT_BUFFER
+         FsRtlNotifyFullReportChange
+
+    4. 1999-04-11
+       Corrected:
+         ZwCreateThread
+       Added:
+         define _GNU_NTIFS_
+
+    3. 1999-03-30
+       Added:
+         defines for MAP_XXX, MEM_XXX and SEC_XXX
+         FILE_BOTH_DIR_INFORMATION
+         FILE_DIRECTORY_INFORMATION
+         FILE_FULL_DIR_INFORMATION
+         FILE_NAMES_INFORMATION
+         FILE_NOTIFY_INFORMATION
+         FsRtlNotifyCleanup
+         KeAttachProcess
+         KeDetachProcess
+         MmCreateSection
+         ZwCreateProcess
+         ZwCreateThread
+         ZwDeviceIoControlFile
+         ZwGetContextThread
+         ZwLoadDriver
+         ZwOpenDirectoryObject
+         ZwOpenProcess
+         ZwOpenSymbolicLinkObject
+         ZwQueryDirectoryFile
+         ZwUnloadDriver
+
+    2. 1999-03-15
+       Added:
+         FILE_COMPRESSION_INFORMATION
+         FILE_STREAM_INFORMATION
+         FILE_LINK_INFORMATION
+         FILE_RENAME_INFORMATION
+         EXTENDED_IO_STACK_LOCATION
+         IoQueryFileInformation
+         IoQueryFileVolumeInformation
+         ZwQueryVolumeInformationFile
+       Moved include of ntddk.h to inside extern "C" block.
+
+    1. 1999-03-11
+       Initial release.
+*/
+
+#ifndef _NTIFS_
+#define _NTIFS_
+#define _GNU_NTIFS_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <ntddk.h>
+#include <ntverp.h>
+
+// Available in Windows NT 3.1 and later versions.
+// Documented in the WDK.
+extern PEPROCESS PsInitialSystemProcess;
+
+// Available in Windows NT 3.5 and later versions.
+typedef struct _HAL_PRIVATE_DISPATCH *PHAL_PRIVATE_DISPATCH;
+extern PHAL_PRIVATE_DISPATCH HalPrivateDispatchTable;
+
+// Available in Windows NT 3.5 and later versions.
+typedef struct _LOADER_PARAMETER_BLOCK *PLOADER_PARAMETER_BLOCK;
+extern PLOADER_PARAMETER_BLOCK KeLoaderBlock;
+
+// Available in Windows NT 3.5 and later versions.
+typedef struct _SERVICE_DESCRIPTOR_TABLE *PSERVICE_DESCRIPTOR_TABLE;
+extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
+
+// Available in Windows NT 3.5 and later versions.
+extern PSHORT NtBuildNumber;
+extern PULONG KeI386MachineType;
+
+// Available in Windows NT 4.0 and later versions.
+extern ULONG KiBugCheckData[5];
+
+// Available in Windows 2000 and later versions.
+extern PULONG InitSafeBootMode;
+
+// Available from Windows 2000 untill Windows Server 2003.
+extern PULONG KiEnableTimerWatchdog;
+
+// Available in Windows NT 3.5 and later versions.
+//
+// Set by the kernel debugger on the target system to the address of the
+// serial port used to communicate with the host.
+//
+extern PUCHAR *KdComPortInUse;
+
+// Available in Windows 2000 and later versions.
+extern PULONG KdEnteredDebugger;
+
+// Available in Windows Vista and later versions.
+// Documented in the WDK.
+extern PVOID MmBadPointer;
+
+// Available in Windows NT 3.5 and later versions.
+// Documented in the WDK.
+extern PUCHAR *FsRtlLegalAnsiCharacterArray;
+
+// Available in Windows NT 3.5 and later versions.
+extern PUSHORT *NlsLeadByteInfo;
+extern PUSHORT *NlsOemLeadByteInfo;
+extern PBOOLEAN NlsMbCodePageTag;
+extern PBOOLEAN NlsMbOemCodePageTag;
+
+// Available in Windows NT 4.0 and later versions.
+extern PUSHORT NlsAnsiCodePage;
+
+// Available in Windows 2000 and later versions.
+extern PUSHORT NlsOemCodePage;
+
+// Available in Windows NT 3.5 and later versions.
+// SeExports is documented in the WDK.
+typedef struct _SE_EXPORTS *PSE_EXPORTS;
+extern PSE_EXPORTS SeExports;
+extern PACL SePublicDefaultDacl;
+extern PACL SeSystemDefaultDacl;
+
+// Available in Windows NT 3.5 and later versions.
+// Documented in the WDK.
+extern KSPIN_LOCK IoStatisticsLock;
+extern ULONG IoReadOperationCount;
+extern ULONG IoWriteOperationCount;
+extern LARGE_INTEGER IoReadTransferCount;
+extern LARGE_INTEGER IoWriteTransferCount;
+
+// Available from Windows NT 3.5 untill Windows XP.
+extern ULONG KeDcacheFlushCount;
+extern ULONG KeIcacheFlushCount;
+
+// Available in Windows NT 4.0 and later versions.
+// Documented in the WDK.
+extern ULONG CcFastMdlReadWait;
+// Available from Windows NT 4.0 untill Windows Server 2003.
+extern ULONG CcFastReadNotPossible;
+extern ULONG CcFastReadWait;
+
+// The ExEventObjectType, ExSemaphoreObjectType and IoFileObjectType is
+// documented in the DDK and the WDK.
+//
+// The CmKeyObjectType, SeTokenObjectType, PsProcessType, PsThreadType,
+// TmEnlistmentObjectType, TmResourceManagerObjectType,
+// TmTransactionManagerObjectType and TmTransactionObjectType
+// is documented in the WDK.
+//
+// Available in Windows NT 3.5 and later versions.
+extern POBJECT_TYPE *IoAdapterObjectType;
+extern POBJECT_TYPE *IoDeviceObjectType;
+extern POBJECT_TYPE *IoDriverObjectType;
+extern POBJECT_TYPE *MmSectionObjectType;
+extern POBJECT_TYPE *PsProcessType;
+extern POBJECT_TYPE *PsThreadType;
+// Available in Windows NT 4.0 and later versions.
+extern POBJECT_TYPE *ExDesktopObjectType;
+extern POBJECT_TYPE *ExWindowStationObjectType;
+extern POBJECT_TYPE *IoDeviceHandlerObjectType;
+// Available in Windows 2000 and later versions.
+extern POBJECT_TYPE *LpcPortObjectType;
+extern POBJECT_TYPE *PsJobType;
+// Available in Windows XP and later versions.
+extern POBJECT_TYPE *SeTokenObjectType;
+// Available in Windows Vista and later versions.
+extern POBJECT_TYPE *TmEnlistmentObjectType;
+extern POBJECT_TYPE *TmResourceManagerObjectType;
+extern POBJECT_TYPE *TmTransactionManagerObjectType;
+extern POBJECT_TYPE *TmTransactionObjectType;
+// Available in Windows 7 and later versions.
+extern POBJECT_TYPE *CmKeyObjectType;
+
+// Available in Windows NT 4.0 and later versions.
+extern PULONG IoDeviceHandlerObjectSize;
+
+// Available in Windows Vista and later versions.
+extern PVOID POGOBuffer;
+extern PVOID psMUITest;
+extern PVOID PsUILanguageComitted;
+
+#define ACCESS_ALLOWED_ACE_TYPE         (0x0)
+#define ACCESS_DENIED_ACE_TYPE          (0x1)
+#define SYSTEM_AUDIT_ACE_TYPE           (0x2)
+#define SYSTEM_ALARM_ACE_TYPE           (0x3)
+
+#define ANSI_DOS_STAR                   ('<')
+#define ANSI_DOS_QM                     ('>')
+#define ANSI_DOS_DOT                    ('"')
+
+#define DOS_STAR                        (L'<')
+#define DOS_QM                          (L'>')
+#define DOS_DOT                         (L'"')
+
+#define COMPRESSION_FORMAT_NONE         (0x0000)
+#define COMPRESSION_FORMAT_DEFAULT      (0x0001)
+#define COMPRESSION_FORMAT_LZNT1        (0x0002)
+#define COMPRESSION_ENGINE_STANDARD     (0x0000)
+#define COMPRESSION_ENGINE_MAXIMUM      (0x0100)
+#define COMPRESSION_ENGINE_HIBER        (0x0200)
+
+#define FILE_ACTION_ADDED                   0x00000001
+#define FILE_ACTION_REMOVED                 0x00000002
+#define FILE_ACTION_MODIFIED                0x00000003
+#define FILE_ACTION_RENAMED_OLD_NAME        0x00000004
+#define FILE_ACTION_RENAMED_NEW_NAME        0x00000005
+#define FILE_ACTION_ADDED_STREAM            0x00000006
+#define FILE_ACTION_REMOVED_STREAM          0x00000007
+#define FILE_ACTION_MODIFIED_STREAM         0x00000008
+#define FILE_ACTION_REMOVED_BY_DELETE       0x00000009
+#define FILE_ACTION_ID_NOT_TUNNELLED        0x0000000A
+#define FILE_ACTION_TUNNELLED_ID_COLLISION  0x0000000B
+
+#define FILE_EA_TYPE_BINARY             0xfffe
+#define FILE_EA_TYPE_ASCII              0xfffd
+#define FILE_EA_TYPE_BITMAP             0xfffb
+#define FILE_EA_TYPE_METAFILE           0xfffa
+#define FILE_EA_TYPE_ICON               0xfff9
+#define FILE_EA_TYPE_EA                 0xffee
+#define FILE_EA_TYPE_MVMT               0xffdf
+#define FILE_EA_TYPE_MVST               0xffde
+#define FILE_EA_TYPE_ASN1               0xffdd
+#define FILE_EA_TYPE_FAMILY_IDS         0xff01
+
+#define FILE_NEED_EA                    0x00000080
+
+#define FILE_NOTIFY_CHANGE_FILE_NAME    0x00000001
+#define FILE_NOTIFY_CHANGE_DIR_NAME     0x00000002
+#define FILE_NOTIFY_CHANGE_NAME         0x00000003
+#define FILE_NOTIFY_CHANGE_ATTRIBUTES   0x00000004
+#define FILE_NOTIFY_CHANGE_SIZE         0x00000008
+#define FILE_NOTIFY_CHANGE_LAST_WRITE   0x00000010
+#define FILE_NOTIFY_CHANGE_LAST_ACCESS  0x00000020
+#define FILE_NOTIFY_CHANGE_CREATION     0x00000040
+#define FILE_NOTIFY_CHANGE_EA           0x00000080
+#define FILE_NOTIFY_CHANGE_SECURITY     0x00000100
+#define FILE_NOTIFY_CHANGE_STREAM_NAME  0x00000200
+#define FILE_NOTIFY_CHANGE_STREAM_SIZE  0x00000400
+#define FILE_NOTIFY_CHANGE_STREAM_WRITE 0x00000800
+#define FILE_NOTIFY_VALID_MASK          0x00000fff
+
+#define FILE_OPLOCK_BROKEN_TO_LEVEL_2   0x00000007
+#define FILE_OPLOCK_BROKEN_TO_NONE      0x00000008
+
+#define FILE_OPBATCH_BREAK_UNDERWAY     0x00000009
+
+#define FILE_CASE_SENSITIVE_SEARCH      0x00000001
+#define FILE_CASE_PRESERVED_NAMES       0x00000002
+#define FILE_UNICODE_ON_DISK            0x00000004
+#define FILE_PERSISTENT_ACLS            0x00000008
+#define FILE_FILE_COMPRESSION           0x00000010
+#define FILE_VOLUME_QUOTAS              0x00000020
+#define FILE_SUPPORTS_SPARSE_FILES      0x00000040
+#define FILE_SUPPORTS_REPARSE_POINTS    0x00000080
+#define FILE_SUPPORTS_REMOTE_STORAGE    0x00000100
+#define FS_LFN_APIS                     0x00004000
+#define FILE_VOLUME_IS_COMPRESSED       0x00008000
+#define FILE_SUPPORTS_OBJECT_IDS        0x00010000
+#define FILE_SUPPORTS_ENCRYPTION        0x00020000
+#define FILE_NAMED_STREAMS              0x00040000
+#define FILE_READ_ONLY_VOLUME           0x00080000
+
+#define FILE_PIPE_BYTE_STREAM_TYPE      0x00000000
+#define FILE_PIPE_MESSAGE_TYPE          0x00000001
+
+#define FILE_PIPE_BYTE_STREAM_MODE      0x00000000
+#define FILE_PIPE_MESSAGE_MODE          0x00000001
+
+#define FILE_PIPE_QUEUE_OPERATION       0x00000000
+#define FILE_PIPE_COMPLETE_OPERATION    0x00000001
+
+#define FILE_PIPE_INBOUND               0x00000000
+#define FILE_PIPE_OUTBOUND              0x00000001
+#define FILE_PIPE_FULL_DUPLEX           0x00000002
+
+#define FILE_PIPE_DISCONNECTED_STATE    0x00000001
+#define FILE_PIPE_LISTENING_STATE       0x00000002
+#define FILE_PIPE_CONNECTED_STATE       0x00000003
+#define FILE_PIPE_CLOSING_STATE         0x00000004
+
+#define FILE_PIPE_CLIENT_END            0x00000000
+#define FILE_PIPE_SERVER_END            0x00000001
+
+#define FILE_PIPE_READ_DATA             0x00000000
+#define FILE_PIPE_WRITE_SPACE           0x00000001
+
+#define FILE_STORAGE_TYPE_SPECIFIED             0x00000041  // FILE_DIRECTORY_FILE | FILE_NON_DIRECTORY_FILE
+#define FILE_STORAGE_TYPE_DEFAULT               (StorageTypeDefault << FILE_STORAGE_TYPE_SHIFT)
+#define FILE_STORAGE_TYPE_DIRECTORY             (StorageTypeDirectory << FILE_STORAGE_TYPE_SHIFT)
+#define FILE_STORAGE_TYPE_FILE                  (StorageTypeFile << FILE_STORAGE_TYPE_SHIFT)
+#define FILE_STORAGE_TYPE_DOCFILE               (StorageTypeDocfile << FILE_STORAGE_TYPE_SHIFT)
+#define FILE_STORAGE_TYPE_JUNCTION_POINT        (StorageTypeJunctionPoint << FILE_STORAGE_TYPE_SHIFT)
+#define FILE_STORAGE_TYPE_CATALOG               (StorageTypeCatalog << FILE_STORAGE_TYPE_SHIFT)
+#define FILE_STORAGE_TYPE_STRUCTURED_STORAGE    (StorageTypeStructuredStorage << FILE_STORAGE_TYPE_SHIFT)
+#define FILE_STORAGE_TYPE_EMBEDDING             (StorageTypeEmbedding << FILE_STORAGE_TYPE_SHIFT)
+#define FILE_STORAGE_TYPE_STREAM                (StorageTypeStream << FILE_STORAGE_TYPE_SHIFT)
+#define FILE_MINIMUM_STORAGE_TYPE               FILE_STORAGE_TYPE_DEFAULT
+#define FILE_MAXIMUM_STORAGE_TYPE               FILE_STORAGE_TYPE_STREAM
+#define FILE_STORAGE_TYPE_MASK                  0x000f0000
+#define FILE_STORAGE_TYPE_SHIFT                 16
+
+#define FILE_VC_QUOTA_NONE              0x00000000
+#define FILE_VC_QUOTA_TRACK             0x00000001
+#define FILE_VC_QUOTA_ENFORCE           0x00000002
+#define FILE_VC_QUOTA_MASK              0x00000003
+
+#define FILE_VC_QUOTAS_LOG_VIOLATIONS   0x00000004
+#define FILE_VC_CONTENT_INDEX_DISABLED  0x00000008
+
+#define FILE_VC_LOG_QUOTA_THRESHOLD     0x00000010
+#define FILE_VC_LOG_QUOTA_LIMIT         0x00000020
+#define FILE_VC_LOG_VOLUME_THRESHOLD    0x00000040
+#define FILE_VC_LOG_VOLUME_LIMIT        0x00000080
+
+#define FILE_VC_QUOTAS_INCOMPLETE       0x00000100
+#define FILE_VC_QUOTAS_REBUILDING       0x00000200
+
+#define FILE_VC_VALID_MASK              0x000003ff
+
+#define FSRTL_FCB_HEADER_V0             (0x00)
+#define FSRTL_FCB_HEADER_V1             (0x01)
+
+#define FSRTL_FLAG_FILE_MODIFIED        (0x01)
+#define FSRTL_FLAG_FILE_LENGTH_CHANGED  (0x02)
+#define FSRTL_FLAG_LIMIT_MODIFIED_PAGES (0x04)
+#define FSRTL_FLAG_ACQUIRE_MAIN_RSRC_EX (0x08)
+#define FSRTL_FLAG_ACQUIRE_MAIN_RSRC_SH (0x10)
+#define FSRTL_FLAG_USER_MAPPED_FILE     (0x20)
+#define FSRTL_FLAG_ADVANCED_HEADER      (0x40)
+#define FSRTL_FLAG_EOF_ADVANCE_ACTIVE   (0x80)
+
+#define FSRTL_FLAG2_DO_MODIFIED_WRITE           (0x01)
+#define FSRTL_FLAG2_SUPPORTS_FILTER_CONTEXTS    (0x02)
+#define FSRTL_FLAG2_PURGE_WHEN_MAPPED           (0x04)
+#define FSRTL_FLAG2_IS_PAGING_FILE              (0x08)
+
+#define FSRTL_FSP_TOP_LEVEL_IRP         (0x01)
+#define FSRTL_CACHE_TOP_LEVEL_IRP       (0x02)
+#define FSRTL_MOD_WRITE_TOP_LEVEL_IRP   (0x03)
+#define FSRTL_FAST_IO_TOP_LEVEL_IRP     (0x04)
+#define FSRTL_MAX_TOP_LEVEL_IRP_FLAG    (0x04)
+
+#define FSRTL_VOLUME_DISMOUNT           1
+#define FSRTL_VOLUME_DISMOUNT_FAILED    2
+#define FSRTL_VOLUME_LOCK               3
+#define FSRTL_VOLUME_LOCK_FAILED        4
+#define FSRTL_VOLUME_UNLOCK             5
+#define FSRTL_VOLUME_MOUNT              6
+
+#define FSRTL_WILD_CHARACTER            0x08
+
+#ifdef _X86_
+#define HARDWARE_PTE    HARDWARE_PTE_X86
+#define PHARDWARE_PTE   PHARDWARE_PTE_X86
+#else
+#define HARDWARE_PTE    ULONG
+#define PHARDWARE_PTE   PULONG
+#endif
+
+#define IO_CHECK_CREATE_PARAMETERS      0x0200
+#define IO_ATTACH_DEVICE                0x0400
+
+#define IO_ATTACH_DEVICE_API            0x80000000
+
+#define IO_COMPLETION_QUERY_STATE       0x0001
+#define IO_COMPLETION_MODIFY_STATE      0x0002
+#define IO_COMPLETION_ALL_ACCESS        (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3)
+
+#define IO_FILE_OBJECT_NON_PAGED_POOL_CHARGE    64
+#define IO_FILE_OBJECT_PAGED_POOL_CHARGE        1024
+
+#define IO_REPARSE_TAG_RESERVED_ZERO    (0)
+#define IO_REPARSE_TAG_RESERVED_ONE     (1)
+
+#define IO_TYPE_APC                     18
+#define IO_TYPE_DPC                     19
+#define IO_TYPE_DEVICE_QUEUE            20
+#define IO_TYPE_EVENT_PAIR              21
+#define IO_TYPE_INTERRUPT               22
+#define IO_TYPE_PROFILE                 23
+
+#define IRP_BEING_VERIFIED              0x10
+
+#define MAILSLOT_CLASS_FIRSTCLASS       1
+#define MAILSLOT_CLASS_SECONDCLASS      2
+
+#define MAILSLOT_SIZE_AUTO              0
+
+#define MAP_PROCESS                     1L
+#define MAP_SYSTEM                      2L
+
+#define MEM_DOS_LIM                     0x40000000
+#define MEM_IMAGE                       SEC_IMAGE
+
+#define OB_FLAG_CREATE_INFO     0x01 /* Object header has OBJECT_CREATE_INFO */
+#define OB_FLAG_KERNEL_MODE     0x02 /* Created by kernel */
+#define OB_FLAG_CREATOR_INFO    0x04 /* Object header has OBJECT_CREATOR_INFO */
+#define OB_FLAG_EXCLUSIVE       0x08 /* OBJ_EXCLUSIVE */
+#define OB_FLAG_PERMAMENT       0x10 /* OBJ_PERMAMENT */
+#define OB_FLAG_SECURITY        0x20 /* Object header has SecurityDescriptor != NULL */
+#define OB_FLAG_SINGLE_PROCESS  0x40 /* absent HandleDBList */
+
+#define OB_SECURITY_CHARGE      0x00000800
+
+#define OB_TYPE_TYPE                    1
+#define OB_TYPE_DIRECTORY               2
+#define OB_TYPE_SYMBOLIC_LINK           3
+#define OB_TYPE_TOKEN                   4
+#define OB_TYPE_PROCESS                 5
+#define OB_TYPE_THREAD                  6
+#define OB_TYPE_EVENT                   7
+#define OB_TYPE_EVENT_PAIR              8
+#define OB_TYPE_MUTANT                  9
+#define OB_TYPE_SEMAPHORE               10
+#define OB_TYPE_TIMER                   11
+#define OB_TYPE_PROFILE                 12
+#define OB_TYPE_WINDOW_STATION          13
+#define OB_TYPE_DESKTOP                 14
+#define OB_TYPE_SECTION                 15
+#define OB_TYPE_KEY                     16
+#define OB_TYPE_PORT                    17
+#define OB_TYPE_ADAPTER                 18
+#define OB_TYPE_CONTROLLER              19
+#define OB_TYPE_DEVICE                  20
+#define OB_TYPE_DRIVER                  21
+#define OB_TYPE_IO_COMPLETION           22
+#define OB_TYPE_FILE                    23
+
+#define PIN_WAIT                        (1)
+#define PIN_EXCLUSIVE                   (2)
+#define PIN_NO_READ                     (4)
+#define PIN_IF_BCB                      (8)
+
+#define MAP_WAIT                        (1)
+#define MAP_NO_READ                     (16)
+
+#define PORT_CONNECT                    0x0001
+#define PORT_ALL_ACCESS                 (STANDARD_RIGHTS_ALL |\
+                                         PORT_CONNECT)
+
+#define SEC_BASED                       0x00200000
+#define SEC_NO_CHANGE                   0x00400000
+#define SEC_FILE                        0x00800000
+#define SEC_IMAGE                       0x01000000
+#define SEC_COMMIT                      0x08000000
+#define SEC_NOCACHE                     0x10000000
+
+#define SECURITY_WORLD_SID_AUTHORITY    {0,0,0,0,0,1}
+#define SECURITY_WORLD_RID              (0x00000000L)
+
+#define SID_REVISION                    1
+
+#define THREAD_STATE_INITIALIZED        0
+#define THREAD_STATE_READY              1
+#define THREAD_STATE_RUNNING            2
+#define THREAD_STATE_STANDBY            3
+#define THREAD_STATE_TERMINATED         4
+#define THREAD_STATE_WAIT               5
+#define THREAD_STATE_TRANSITION         6
+#define THREAD_STATE_UNKNOWN            7
+
+#define TOKEN_ASSIGN_PRIMARY            (0x0001)
+#define TOKEN_DUPLICATE                 (0x0002)
+#define TOKEN_IMPERSONATE               (0x0004)
+#define TOKEN_QUERY                     (0x0008)
+#define TOKEN_QUERY_SOURCE              (0x0010)
+#define TOKEN_ADJUST_PRIVILEGES         (0x0020)
+#define TOKEN_ADJUST_GROUPS             (0x0040)
+#define TOKEN_ADJUST_DEFAULT            (0x0080)
+
+#define TOKEN_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |\
+                          TOKEN_ASSIGN_PRIMARY     |\
+                          TOKEN_DUPLICATE          |\
+                          TOKEN_IMPERSONATE        |\
+                          TOKEN_QUERY              |\
+                          TOKEN_QUERY_SOURCE       |\
+                          TOKEN_ADJUST_PRIVILEGES  |\
+                          TOKEN_ADJUST_GROUPS      |\
+                          TOKEN_ADJUST_DEFAULT)
+
+#define TOKEN_READ       (STANDARD_RIGHTS_READ     |\
+                          TOKEN_QUERY)
+
+#define TOKEN_WRITE      (STANDARD_RIGHTS_WRITE    |\
+                          TOKEN_ADJUST_PRIVILEGES  |\
+                          TOKEN_ADJUST_GROUPS      |\
+                          TOKEN_ADJUST_DEFAULT)
+
+#define TOKEN_EXECUTE    (STANDARD_RIGHTS_EXECUTE)
+
+#define TOKEN_SOURCE_LENGTH 8
+
+#define TOKEN_HAS_TRAVERSE_PRIVILEGE    0x01
+#define TOKEN_HAS_BACKUP_PRIVILEGE      0x02
+#define TOKEN_HAS_RESTORE_PRIVILEGE     0x04
+#define TOKEN_HAS_ADMIN_GROUP           0x08
+#define TOKEN_IS_RESTRICTED             0x10
+#define TOKEN_SESSION_NOT_REFERENCED    0x20
+#define TOKEN_SANDBOX_INERT             0x40
+#define TOKEN_HAS_IMPERSONATE_PRIVILEGE 0x80
+
+#define VACB_MAPPING_GRANULARITY        (0x40000)
+#define VACB_OFFSET_SHIFT               (18)
+
+#define FSCTL_REQUEST_OPLOCK_LEVEL_1    CTL_CODE(FILE_DEVICE_FILE_SYSTEM,  0, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_REQUEST_OPLOCK_LEVEL_2    CTL_CODE(FILE_DEVICE_FILE_SYSTEM,  1, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_REQUEST_BATCH_OPLOCK      CTL_CODE(FILE_DEVICE_FILE_SYSTEM,  2, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_OPLOCK_BREAK_ACKNOWLEDGE  CTL_CODE(FILE_DEVICE_FILE_SYSTEM,  3, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_OPBATCH_ACK_CLOSE_PENDING CTL_CODE(FILE_DEVICE_FILE_SYSTEM,  4, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_OPLOCK_BREAK_NOTIFY       CTL_CODE(FILE_DEVICE_FILE_SYSTEM,  5, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_LOCK_VOLUME               CTL_CODE(FILE_DEVICE_FILE_SYSTEM,  6, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_UNLOCK_VOLUME             CTL_CODE(FILE_DEVICE_FILE_SYSTEM,  7, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_DISMOUNT_VOLUME           CTL_CODE(FILE_DEVICE_FILE_SYSTEM,  8, METHOD_BUFFERED, FILE_ANY_ACCESS)
+
+#define FSCTL_IS_VOLUME_MOUNTED         CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 10, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_IS_PATHNAME_VALID         CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 11, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_MARK_VOLUME_DIRTY         CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 12, METHOD_BUFFERED, FILE_ANY_ACCESS)
+
+#define FSCTL_QUERY_RETRIEVAL_POINTERS  CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 14,  METHOD_NEITHER, FILE_ANY_ACCESS)
+#define FSCTL_GET_COMPRESSION           CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 15, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_SET_COMPRESSION           CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 16, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)
+
+
+#define FSCTL_MARK_AS_SYSTEM_HIVE       CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 19,  METHOD_NEITHER, FILE_ANY_ACCESS)
+#define FSCTL_OPLOCK_BREAK_ACK_NO_2     CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 20, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_INVALIDATE_VOLUMES        CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 21, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_QUERY_FAT_BPB             CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 22, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_REQUEST_FILTER_OPLOCK     CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 23, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_FILESYSTEM_GET_STATISTICS CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 24, METHOD_BUFFERED, FILE_ANY_ACCESS)
+
+#if (VER_PRODUCTBUILD >= 1381)
+
+#define FSCTL_GET_NTFS_VOLUME_DATA      CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 25, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_GET_NTFS_FILE_RECORD      CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 26, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_GET_VOLUME_BITMAP         CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 27,  METHOD_NEITHER, FILE_ANY_ACCESS)
+#define FSCTL_GET_RETRIEVAL_POINTERS    CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 28,  METHOD_NEITHER, FILE_ANY_ACCESS)
+#define FSCTL_MOVE_FILE                 CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 29, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_IS_VOLUME_DIRTY           CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 30, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_GET_HFS_INFORMATION       CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 31, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_ALLOW_EXTENDED_DASD_IO    CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 32, METHOD_NEITHER,  FILE_ANY_ACCESS)
+
+#endif // (VER_PRODUCTBUILD >= 1381)
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+#define FSCTL_READ_PROPERTY_DATA        CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 33, METHOD_NEITHER, FILE_ANY_ACCESS)
+#define FSCTL_WRITE_PROPERTY_DATA       CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 34, METHOD_NEITHER, FILE_ANY_ACCESS)
+#define FSCTL_FIND_FILES_BY_SID         CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 35, METHOD_NEITHER, FILE_ANY_ACCESS)
+
+#define FSCTL_DUMP_PROPERTY_DATA        CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 37,  METHOD_NEITHER, FILE_ANY_ACCESS)
+#define FSCTL_SET_OBJECT_ID             CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 38, METHOD_BUFFERED, FILE_WRITE_DATA)
+#define FSCTL_GET_OBJECT_ID             CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 39, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_DELETE_OBJECT_ID          CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 40, METHOD_BUFFERED, FILE_WRITE_DATA)
+#define FSCTL_SET_REPARSE_POINT         CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 41, METHOD_BUFFERED, FILE_WRITE_DATA)
+#define FSCTL_GET_REPARSE_POINT         CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 42, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_DELETE_REPARSE_POINT      CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 43, METHOD_BUFFERED, FILE_WRITE_DATA)
+#define FSCTL_ENUM_USN_DATA             CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 44,  METHOD_NEITHER, FILE_READ_DATA)
+#define FSCTL_SECURITY_ID_CHECK         CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 45,  METHOD_NEITHER, FILE_READ_DATA)
+#define FSCTL_READ_USN_JOURNAL          CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 46,  METHOD_NEITHER, FILE_READ_DATA)
+#define FSCTL_SET_OBJECT_ID_EXTENDED    CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 47, METHOD_BUFFERED, FILE_WRITE_DATA)
+#define FSCTL_CREATE_OR_GET_OBJECT_ID   CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 48, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_SET_SPARSE                CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 49, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
+#define FSCTL_SET_ZERO_DATA             CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 50, METHOD_BUFFERED, FILE_WRITE_DATA)
+#define FSCTL_QUERY_ALLOCATED_RANGES    CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 51,  METHOD_NEITHER, FILE_READ_DATA)
+#define FSCTL_ENABLE_UPGRADE            CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 52, METHOD_BUFFERED, FILE_WRITE_DATA)
+#define FSCTL_SET_ENCRYPTION            CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 53, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_ENCRYPTION_FSCTL_IO       CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 54,  METHOD_NEITHER, FILE_ANY_ACCESS)
+#define FSCTL_WRITE_RAW_ENCRYPTED       CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 55,  METHOD_NEITHER, FILE_ANY_ACCESS)
+#define FSCTL_READ_RAW_ENCRYPTED        CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 56,  METHOD_NEITHER, FILE_ANY_ACCESS)
+#define FSCTL_CREATE_USN_JOURNAL        CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 57,  METHOD_NEITHER, FILE_READ_DATA)
+#define FSCTL_READ_FILE_USN_DATA        CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 58,  METHOD_NEITHER, FILE_READ_DATA)
+#define FSCTL_WRITE_USN_CLOSE_RECORD    CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 59,  METHOD_NEITHER, FILE_READ_DATA)
+#define FSCTL_EXTEND_VOLUME             CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 60, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_QUERY_USN_JOURNAL         CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 61, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_DELETE_USN_JOURNAL        CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 62, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_MARK_HANDLE               CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 63, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_SIS_COPYFILE              CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 64, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_SIS_LINK_FILES            CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 65, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)
+#define FSCTL_HSM_MSG                   CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 66, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)
+#define FSCTL_NSS_CONTROL               CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 67, METHOD_BUFFERED, FILE_WRITE_DATA)
+#define FSCTL_HSM_DATA                  CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 68, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)
+#define FSCTL_RECALL_FILE               CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 69, METHOD_NEITHER, FILE_ANY_ACCESS)
+#define FSCTL_NSS_RCONTROL              CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 70, METHOD_BUFFERED, FILE_READ_DATA)
+#define FSCTL_READ_FROM_PLEX            CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 71, METHOD_OUT_DIRECT, FILE_READ_DATA)
+#define FSCTL_FILE_PREFETCH             CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 72, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+#define FSCTL_MAILSLOT_PEEK             CTL_CODE(FILE_DEVICE_MAILSLOT, 0, METHOD_NEITHER, FILE_READ_DATA)
+
+#define FSCTL_NETWORK_SET_CONFIGURATION_INFO    CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 102, METHOD_IN_DIRECT, FILE_ANY_ACCESS)
+#define FSCTL_NETWORK_GET_CONFIGURATION_INFO    CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 103, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
+#define FSCTL_NETWORK_GET_CONNECTION_INFO       CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 104, METHOD_NEITHER, FILE_ANY_ACCESS)
+#define FSCTL_NETWORK_ENUMERATE_CONNECTIONS     CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 105, METHOD_NEITHER, FILE_ANY_ACCESS)
+#define FSCTL_NETWORK_DELETE_CONNECTION         CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 107, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_NETWORK_GET_STATISTICS            CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 116, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_NETWORK_SET_DOMAIN_NAME           CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 120, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_NETWORK_REMOTE_BOOT_INIT_SCRT     CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 250, METHOD_BUFFERED, FILE_ANY_ACCESS)
+
+#define FSCTL_PIPE_ASSIGN_EVENT         CTL_CODE(FILE_DEVICE_NAMED_PIPE, 0, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_PIPE_DISCONNECT           CTL_CODE(FILE_DEVICE_NAMED_PIPE, 1, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_PIPE_LISTEN               CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_PIPE_PEEK                 CTL_CODE(FILE_DEVICE_NAMED_PIPE, 3, METHOD_BUFFERED, FILE_READ_DATA)
+#define FSCTL_PIPE_QUERY_EVENT          CTL_CODE(FILE_DEVICE_NAMED_PIPE, 4, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_PIPE_TRANSCEIVE           CTL_CODE(FILE_DEVICE_NAMED_PIPE, 5, METHOD_NEITHER,  FILE_READ_DATA | FILE_WRITE_DATA)
+#define FSCTL_PIPE_WAIT                 CTL_CODE(FILE_DEVICE_NAMED_PIPE, 6, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_PIPE_IMPERSONATE          CTL_CODE(FILE_DEVICE_NAMED_PIPE, 7, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_PIPE_SET_CLIENT_PROCESS   CTL_CODE(FILE_DEVICE_NAMED_PIPE, 8, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_PIPE_QUERY_CLIENT_PROCESS CTL_CODE(FILE_DEVICE_NAMED_PIPE, 9, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define FSCTL_PIPE_INTERNAL_READ        CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2045, METHOD_BUFFERED, FILE_READ_DATA)
+#define FSCTL_PIPE_INTERNAL_WRITE       CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2046, METHOD_BUFFERED, FILE_WRITE_DATA)
+#define FSCTL_PIPE_INTERNAL_TRANSCEIVE  CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2047, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)
+#define FSCTL_PIPE_INTERNAL_READ_OVFLOW CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2048, METHOD_BUFFERED, FILE_READ_DATA)
+
+#define IOCTL_REDIR_QUERY_PATH          CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 99, METHOD_NEITHER, FILE_ANY_ACCESS)
+
+typedef PVOID PEJOB;
+typedef PVOID PNOTIFY_SYNC;
+typedef PVOID OPLOCK, *POPLOCK;
+typedef PVOID PWOW64_PROCESS;
+
+typedef ULONG LBN;
+typedef LBN *PLBN;
+
+typedef ULONG VBN;
+typedef VBN *PVBN;
+
+typedef struct _CACHE_MANAGER_CALLBACKS         *PCACHE_MANAGER_CALLBACKS;
+typedef struct _EPROCESS_QUOTA_BLOCK            *PEPROCESS_QUOTA_BLOCK;
+typedef struct _FILE_GET_QUOTA_INFORMATION      *PFILE_GET_QUOTA_INFORMATION;
+typedef struct _HANDLE_TABLE                    *PHANDLE_TABLE;
+typedef struct _KEVENT_PAIR                     *PKEVENT_PAIR;
+typedef struct _KPROCESS                        *PKPROCESS;
+typedef struct _KQUEUE                          *PKQUEUE;
+typedef struct _KTRAP_FRAME                     *PKTRAP_FRAME;
+typedef struct _LPC_MESSAGE                     *PLPC_MESSAGE;
+typedef struct _MAILSLOT_CREATE_PARAMETERS      *PMAILSLOT_CREATE_PARAMETERS;
+typedef struct _MMWSL                           *PMMWSL;
+typedef struct _NAMED_PIPE_CREATE_PARAMETERS    *PNAMED_PIPE_CREATE_PARAMETERS;
+typedef struct _OBJECT_DIRECTORY                *POBJECT_DIRECTORY;
+typedef struct _PAGEFAULT_HISTORY               *PPAGEFAULT_HISTORY;
+typedef struct _PEB                             *PPEB;
+typedef struct _PS_IMPERSONATION_INFORMATION    *PPS_IMPERSONATION_INFORMATION;
+typedef struct _SECTION_OBJECT                  *PSECTION_OBJECT;
+typedef struct _SERVICE_DESCRIPTOR_TABLE        *PSERVICE_DESCRIPTOR_TABLE;
+typedef struct _SHARED_CACHE_MAP                *PSHARED_CACHE_MAP;
+typedef struct _TERMINATION_PORT                *PTERMINATION_PORT;
+typedef struct _VACB                            *PVACB;
+typedef struct _VAD_HEADER                      *PVAD_HEADER;
+
+#if (VER_PRODUCTBUILD < 2195)
+typedef ULONG SIZE_T, *PSIZE_T;
+#endif
+
+typedef enum _FAST_IO_POSSIBLE {
+    FastIoIsNotPossible,
+    FastIoIsPossible,
+    FastIoIsQuestionable
+} FAST_IO_POSSIBLE;
+
+typedef enum _FILE_STORAGE_TYPE {
+    StorageTypeDefault = 1,
+    StorageTypeDirectory,
+    StorageTypeFile,
+    StorageTypeJunctionPoint,
+    StorageTypeCatalog,
+    StorageTypeStructuredStorage,
+    StorageTypeEmbedding,
+    StorageTypeStream
+} FILE_STORAGE_TYPE;
+
+typedef enum _IO_COMPLETION_INFORMATION_CLASS {
+    IoCompletionBasicInformation
+} IO_COMPLETION_INFORMATION_CLASS;
+
+#if (VER_PRODUCTBUILD == 2195)
+
+typedef enum _KSPIN_LOCK_QUEUE_NUMBER {
+    LockQueueDispatcherLock,
+    LockQueueContextSwapLock,
+    LockQueuePfnLock,
+    LockQueueSystemSpaceLock,
+    LockQueueVacbLock,
+    LockQueueMasterLock,
+    LockQueueNonPagedPoolLock,
+    LockQueueIoCancelLock,
+    LockQueueWorkQueueLock,
+    LockQueueIoVpbLock,
+    LockQueueIoDatabaseLock,
+    LockQueueIoCompletionLock,
+    LockQueueNtfsStructLock,
+    LockQueueAfdWorkQueueLock,
+    LockQueueBcbLock,
+    LockQueueMaximumLock
+} KSPIN_LOCK_QUEUE_NUMBER;
+
+#endif // (VER_PRODUCTBUILD == 2195)
+
+typedef enum _LPC_TYPE {
+    LPC_NEW_MESSAGE,
+    LPC_REQUEST,
+    LPC_REPLY,
+    LPC_DATAGRAM,
+    LPC_LOST_REPLY,
+    LPC_PORT_CLOSED,
+    LPC_CLIENT_DIED,
+    LPC_EXCEPTION,
+    LPC_DEBUG_EVENT,
+    LPC_ERROR_EVENT,
+    LPC_CONNECTION_REQUEST
+} LPC_TYPE;
+
+typedef enum _MMFLUSH_TYPE {
+    MmFlushForDelete,
+    MmFlushForWrite
+} MMFLUSH_TYPE;
+
+typedef enum _OBJECT_INFO_CLASS {
+    ObjectBasicInfo,
+    ObjectNameInfo,
+    ObjectTypeInfo,
+    ObjectAllTypesInfo,
+    ObjectProtectionInfo
+} OBJECT_INFO_CLASS;
+
+typedef enum _PORT_INFORMATION_CLASS {
+    PortNoInformation
+} PORT_INFORMATION_CLASS;
+
+typedef enum _SECTION_INFORMATION_CLASS {
+    SectionBasicInformation,
+    SectionImageInformation
+} SECTION_INFORMATION_CLASS;
+
+typedef enum _SID_NAME_USE {
+    SidTypeUser = 1,
+    SidTypeGroup,
+    SidTypeDomain,
+    SidTypeAlias,
+    SidTypeWellKnownGroup,
+    SidTypeDeletedAccount,
+    SidTypeInvalid,
+    SidTypeUnknown
+} SID_NAME_USE;
+
+typedef enum _SYSTEM_INFORMATION_CLASS {
+    SystemBasicInformation,
+    SystemProcessorInformation,
+    SystemPerformanceInformation,
+    SystemTimeOfDayInformation,
+    SystemNotImplemented1,
+    SystemProcessesAndThreadsInformation,
+    SystemCallCounts,
+    SystemConfigurationInformation,
+    SystemProcessorTimes,
+    SystemGlobalFlag,
+    SystemNotImplemented2,
+    SystemModuleInformation,
+    SystemLockInformation,
+    SystemNotImplemented3,
+    SystemNotImplemented4,
+    SystemNotImplemented5,
+    SystemHandleInformation,
+    SystemObjectInformation,
+    SystemPagefileInformation,
+    SystemInstructionEmulationCounts,
+    SystemInvalidInfoClass1,
+    SystemCacheInformation,
+    SystemPoolTagInformation,
+    SystemProcessorStatistics,
+    SystemDpcInformation,
+    SystemNotImplemented6,
+    SystemLoadImage,
+    SystemUnloadImage,
+    SystemTimeAdjustment,
+    SystemNotImplemented7,
+    SystemNotImplemented8,
+    SystemNotImplemented9,
+    SystemCrashDumpInformation,
+    SystemExceptionInformation,
+    SystemCrashDumpStateInformation,
+    SystemKernelDebuggerInformation,
+    SystemContextSwitchInformation,
+    SystemRegistryQuotaInformation,
+    SystemLoadAndCallImage,
+    SystemPrioritySeparation,
+    SystemNotImplemented10,
+    SystemNotImplemented11,
+    SystemInvalidInfoClass2,
+    SystemInvalidInfoClass3,
+    SystemTimeZoneInformation,
+    SystemLookasideInformation,
+    SystemSetTimeSlipEvent,
+    SystemCreateSession,
+    SystemDeleteSession,
+    SystemInvalidInfoClass4,
+    SystemRangeStartInformation,
+    SystemVerifierInformation,
+    SystemAddVerifier,
+    SystemSessionProcessesInformation
+} SYSTEM_INFORMATION_CLASS;
+
+typedef enum _THREAD_STATE {
+    StateInitialized,
+    StateReady,
+    StateRunning,
+    StateStandby,
+    StateTerminated,
+    StateWait,
+    StateTransition,
+    StateUnknown
+} THREAD_STATE;
+
+typedef enum _TOKEN_INFORMATION_CLASS {
+    TokenUser = 1,
+    TokenGroups,
+    TokenPrivileges,
+    TokenOwner,
+    TokenPrimaryGroup,
+    TokenDefaultDacl,
+    TokenSource,
+    TokenType,
+    TokenImpersonationLevel,
+    TokenStatistics,
+    TokenRestrictedSids
+} TOKEN_INFORMATION_CLASS;
+
+typedef enum _TOKEN_TYPE {
+    TokenPrimary = 1,
+    TokenImpersonation
+} TOKEN_TYPE;
+
+typedef struct _HARDWARE_PTE_X86 {
+    ULONG Valid             : 1;
+    ULONG Write             : 1;
+    ULONG Owner             : 1;
+    ULONG WriteThrough      : 1;
+    ULONG CacheDisable      : 1;
+    ULONG Accessed          : 1;
+    ULONG Dirty             : 1;
+    ULONG LargePage         : 1;
+    ULONG Global            : 1;
+    ULONG CopyOnWrite       : 1;
+    ULONG Prototype         : 1;
+    ULONG reserved          : 1;
+    ULONG PageFrameNumber   : 20;
+} HARDWARE_PTE_X86, *PHARDWARE_PTE_X86;
+
+typedef struct _KAPC_STATE {
+    LIST_ENTRY  ApcListHead[2];
+    PKPROCESS   Process;
+    BOOLEAN     KernelApcInProgress;
+    BOOLEAN     KernelApcPending;
+    BOOLEAN     UserApcPending;
+} KAPC_STATE, *PKAPC_STATE;
+
+typedef struct _KGDTENTRY {
+    USHORT LimitLow;
+    USHORT BaseLow;
+    union {
+        struct {
+            UCHAR BaseMid;
+            UCHAR Flags1;
+            UCHAR Flags2;
+            UCHAR BaseHi;
+        } Bytes;
+        struct {
+            ULONG BaseMid       : 8;
+            ULONG Type          : 5;
+            ULONG Dpl           : 2;
+            ULONG Pres          : 1;
+            ULONG LimitHi       : 4;
+            ULONG Sys           : 1;
+            ULONG Reserved_0    : 1;
+            ULONG Default_Big   : 1;
+            ULONG Granularity   : 1;
+            ULONG BaseHi        : 8;
+        } Bits;
+    } HighWord;
+} KGDTENTRY, *PKGDTENTRY;
+
+typedef struct _KIDTENTRY {
+    USHORT Offset;
+    USHORT Selector;
+    USHORT Access;
+    USHORT ExtendedOffset;
+} KIDTENTRY, *PKIDTENTRY;
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+typedef struct _KPROCESS {
+    DISPATCHER_HEADER   Header;
+    LIST_ENTRY          ProfileListHead;
+    ULONG               DirectoryTableBase[2];
+    KGDTENTRY           LdtDescriptor;
+    KIDTENTRY           Int21Descriptor;
+    USHORT              IopmOffset;
+    UCHAR               Iopl;
+    UCHAR               Unused;
+    ULONG               ActiveProcessors;
+    ULONG               KernelTime;
+    ULONG               UserTime;
+    LIST_ENTRY          ReadyListHead;  
+    SINGLE_LIST_ENTRY   SwapListEntry;
+    PVOID               VdmTrapcHandler;
+    LIST_ENTRY          ThreadListHead;
+    KSPIN_LOCK          ProcessLock;
+    KAFFINITY           Affinity;
+    USHORT              StackCount;
+    CHAR                BasePriority;
+    CHAR                ThreadQuantum;
+    BOOLEAN             AutoAlignment;
+    UCHAR               State;
+    UCHAR               ThreadSeed;
+    BOOLEAN             DisableBoost;
+    UCHAR               PowerState;
+    BOOLEAN             DisableQuantum;
+    UCHAR               IdealNode;
+    UCHAR               Spare;
+} KPROCESS, *PKPROCESS;
+
+#else
+
+typedef struct _KPROCESS {
+    DISPATCHER_HEADER   Header;
+    LIST_ENTRY          ProfileListHead;
+    ULONG               DirectoryTableBase[2];
+    KGDTENTRY           LdtDescriptor;
+    KIDTENTRY           Int21Descriptor;
+    USHORT              IopmOffset;
+    UCHAR               Iopl;
+    UCHAR               VdmFlag;
+    ULONG               ActiveProcessors;
+    ULONG               KernelTime;
+    ULONG               UserTime;
+    LIST_ENTRY          ReadyListHead;  
+    SINGLE_LIST_ENTRY   SwapListEntry;
+    PVOID               Reserved1;
+    LIST_ENTRY          ThreadListHead;
+    KSPIN_LOCK          ProcessLock;
+    KAFFINITY           Affinity;
+    USHORT              StackCount;
+    UCHAR               BasePriority;
+    UCHAR               ThreadQuantum;
+    BOOLEAN             AutoAlignment;
+    UCHAR               State;
+    UCHAR               ThreadSeed;
+    BOOLEAN             DisableBoost;
+#if (VER_PRODUCTBUILD >= 2195)
+    UCHAR               PowerState;
+    BOOLEAN             DisableQuantum;
+    UCHAR               IdealNode;
+    UCHAR               Spare;
+#endif // (VER_PRODUCTBUILD >= 2195)
+} KPROCESS, *PKPROCESS;
+
+#endif
+
+#if (VER_PRODUCTBUILD >= 3790)
+
+typedef struct _KTHREAD {
+    DISPATCHER_HEADER           Header;
+    LIST_ENTRY                  MutantListHead; // 0x10
+    PVOID                       InitialStack; // 0x18
+    PVOID                       StackLimit; // 0x1c
+    PVOID                       KernelStack; // 0x20
+    ULONG                       ThreadLock; // 0x24
+    ULONG                       ContextSwitches; // 0x28
+    UCHAR                       State; // 0x2c
+    UCHAR                       NpxState; // 0x2d
+    UCHAR                       WaitIrql; // 0x2e
+    CHAR                        WaitMode; // 0x2f
+    struct _TEB                 *Teb; // 0x30
+    KAPC_STATE                  ApcState; // 0x34
+    KSPIN_LOCK                  ApcQueueLock; // 0x4c
+    NTSTATUS                    WaitStatus; // 0x50
+    PKWAIT_BLOCK                WaitBlockList; // 0x54
+    BOOLEAN                     Alertable; // 0x58
+    UCHAR                       WaitNext; // 0x59
+    UCHAR                       WaitReason; // 0x5a
+    CHAR                        Priority; // 0x5b
+    BOOLEAN                     EnableStackSwap; // 0x5c
+    BOOLEAN                     SwapBusy; // 0x5d
+    UCHAR                       Alerted[2]; // 0x5e
+    union {
+        LIST_ENTRY              WaitListEntry; // 0x60
+        SINGLE_LIST_ENTRY       SwapListEntry; // 0x60
+    };
+    PKQUEUE                     Queue; // 0x68
+    ULONG                       WaitTime; // 0x6c
+    union {
+        struct {
+            USHORT              KernelApcDisable; // 0x70
+            USHORT              SpecialApcDisable; // 0x72
+        };
+        USHORT                  CombinedApcDisable; // 0x70
+    };
+    KTIMER                      Timer; // 0x78
+    KWAIT_BLOCK                 WaitBlock[4]; // 0xa0
+    LIST_ENTRY                  QueueListEntry; // 0x100
+    UCHAR                       ApcStateIndex; // 0x108
+    BOOLEAN                     ApcQueueable; // 0x109
+    BOOLEAN                     Preempted; // 0x10a
+    BOOLEAN                     ProcessReadyQueue; // 0x10b
+    BOOLEAN                     KernelStackResident; // 0x10c
+    CHAR                        Saturation; // 0x10d
+    UCHAR                       IdealProcessor; // 0x10e
+    UCHAR                       NextProcessor; // 0x10f
+    CHAR                        BasePriority; // 0x110
+    UCHAR                       Spare4; // 0x111
+    CHAR                        PriorityDecrement; // 0x112
+    CHAR                        Quantum; // 0x113
+    BOOLEAN                     SystemAffinityActive; // 0x114
+    CHAR                        PreviousMode; // 0x115
+    UCHAR                       ResourceIndex; // 0x116
+    BOOLEAN                     DisableBoost; // 0x117
+    ULONG                       UserAffinity; // 0x118
+    PKPROCESS                   Process; // 0x11c
+    ULONG                       Affinity; // 0x120
+    PSERVICE_DESCRIPTOR_TABLE   ServiceTable; // 0x124
+    PKAPC_STATE                 ApcStatePointer[2]; // 0x128
+    KAPC_STATE                  SavedApcState; // 0x130
+    PVOID                       CallbackStack; // 0x148
+    PVOID                       Win32Thread; // 0x14c
+    PKTRAP_FRAME                TrapFrame; // 0x150
+    ULONG                       KernelTime; // 0x154
+    ULONG                       UserTime; // 0x158
+    PVOID                       StackBase; // 0x15c
+    KAPC                        SuspendApc; // 0x160
+    KSEMAPHORE                  SuspendSemaphore; // 0x190
+    PVOID                       TlsArray; // 0x1a4
+    PVOID                       LegoData; // 0x1a8
+    LIST_ENTRY                  ThreadListEntry; // 0x1ac
+    BOOLEAN                     LargeStack; // 0x1b4
+    UCHAR                       PowerState; // 0x1b5
+    UCHAR                       NpxIrql; // 0x1b6
+    UCHAR                       Spare5; // 0x1b7
+    BOOLEAN                     AutoAlignment; // 0x1b8
+    UCHAR                       Iopl; // 0x1b9
+    CHAR                        FreezeCount; // 0x1ba
+    CHAR                        SuspendCount; // 0x1bb
+    UCHAR                       Spare0[1]; // 0x1bc
+    UCHAR                       UserIdealProcessor; // 0x1bd
+    UCHAR                       DeferredProcessor; // 0x1be
+    UCHAR                       AdjustReason; // 0x1bf
+    CHAR                        AdjustIncrement; // 0x1c0
+    UCHAR                       Spare2[3]; // 0x1c1
+} KTHREAD, *PKTHREAD;
+
+#elif (VER_PRODUCTBUILD >= 2600)
+
+typedef struct _KTHREAD {
+    DISPATCHER_HEADER           Header;
+    LIST_ENTRY                  MutantListHead;
+    PVOID                       InitialStack;
+    PVOID                       StackLimit;
+    struct _TEB                 *Teb;
+    PVOID                       TlsArray;
+    PVOID                       KernelStack;
+    BOOLEAN                     DebugActive;
+    UCHAR                       State;
+    UCHAR                       Alerted[2];
+    UCHAR                       Iopl;
+    UCHAR                       NpxState;
+    CHAR                        Saturation;
+    CHAR                        Priority;
+    KAPC_STATE                  ApcState;
+    ULONG                       ContextSwitches;
+    UCHAR                       IdleSwapBlock;
+    UCHAR                       Spare0[3];
+    NTSTATUS                    WaitStatus;
+    UCHAR                       WaitIrql;
+    CHAR                        WaitMode;
+    UCHAR                       WaitNext;
+    UCHAR                       WaitReason;
+    PKWAIT_BLOCK                WaitBlockList;
+    union {
+        LIST_ENTRY              WaitListEntry;
+        SINGLE_LIST_ENTRY       SwapListEntry;
+    };
+    ULONG                       WaitTime;
+    CHAR                        BasePriority;
+    UCHAR                       DecrementCount;
+    CHAR                        PriorityDecrement;
+    CHAR                        Quantum;
+    KWAIT_BLOCK                 WaitBlock[4];
+    PVOID                       LegoData;
+    ULONG                       KernelApcDisable;
+    ULONG                       UserAffinity;
+    BOOLEAN                     SystemAffinityActive;
+    UCHAR                       PowerState;
+    UCHAR                       NpxIrql;
+    UCHAR                       InitialNode;
+    PSERVICE_DESCRIPTOR_TABLE   ServiceTable;
+    PKQUEUE                     Queue;
+    KSPIN_LOCK                  ApcQueueLock;
+    KTIMER                      Timer;
+    LIST_ENTRY                  QueueListEntry;
+    ULONG                       SoftAffinity;
+    ULONG                       Affinity;
+    BOOLEAN                     Preempted;
+    BOOLEAN                     ProcessReadyQueue;
+    BOOLEAN                     KernelStackResident;
+    UCHAR                       NextProcessor;
+    PVOID                       CallbackStack;
+    PVOID                       Win32Thread;
+    PKTRAP_FRAME                TrapFrame;
+    PKAPC_STATE                 ApcStatePointer[2];
+    CHAR                        PreviousMode;
+    BOOLEAN                     EnableStackSwap;
+    BOOLEAN                     LargeStack;
+    UCHAR                       ResourceIndex;
+    ULONG                       KernelTime;
+    ULONG                       UserTime;
+    KAPC_STATE                  SavedApcState;
+    BOOLEAN                     Alertable;
+    UCHAR                       ApcStateIndex;
+    BOOLEAN                     ApcQueueable;
+    BOOLEAN                     AutoAlignment;
+    PVOID                       StackBase;
+    KAPC                        SuspendApc;
+    KSEMAPHORE                  SuspendSemaphore;
+    LIST_ENTRY                  ThreadListEntry;
+    CHAR                        FreezeCount;
+    CHAR                        SuspendCount;
+    UCHAR                       IdealProcessor;
+    BOOLEAN                     DisableBoost;
+} KTHREAD, *PKTHREAD;
+
+#else
+
+typedef struct _KTHREAD {
+    DISPATCHER_HEADER           Header;
+    LIST_ENTRY                  MutantListHead;
+    PVOID                       InitialStack;
+    PVOID                       StackLimit;
+    struct _TEB                 *Teb;
+    PVOID                       TlsArray;
+    PVOID                       KernelStack;
+    BOOLEAN                     DebugActive;
+    UCHAR                       State;
+    USHORT                      Alerted;
+    UCHAR                       Iopl;
+    UCHAR                       NpxState;
+    UCHAR                       Saturation;
+    UCHAR                       Priority;
+    KAPC_STATE                  ApcState;
+    ULONG                       ContextSwitches;
+    NTSTATUS                    WaitStatus;
+    UCHAR                       WaitIrql;
+    UCHAR                       WaitMode;
+    UCHAR                       WaitNext;
+    UCHAR                       WaitReason;
+    PKWAIT_BLOCK                WaitBlockList;
+    LIST_ENTRY                  WaitListEntry;
+    ULONG                       WaitTime;
+    UCHAR                       BasePriority;
+    UCHAR                       DecrementCount;
+    UCHAR                       PriorityDecrement;
+    UCHAR                       Quantum;
+    KWAIT_BLOCK                 WaitBlock[4];
+    ULONG                       LegoData;
+    ULONG                       KernelApcDisable;
+    ULONG                       UserAffinity;
+    BOOLEAN                     SystemAffinityActive;
+#if (VER_PRODUCTBUILD < 2195)
+    UCHAR                       Pad[3];
+#else // (VER_PRODUCTBUILD >= 2195)
+    UCHAR                       PowerState;
+    UCHAR                       NpxIrql;
+    UCHAR                       Pad[1];
+#endif // (VER_PRODUCTBUILD >= 2195)
+    PSERVICE_DESCRIPTOR_TABLE   ServiceDescriptorTable;
+    PKQUEUE                     Queue;
+    KSPIN_LOCK                  ApcQueueLock;
+    KTIMER                      Timer;
+    LIST_ENTRY                  QueueListEntry;
+    ULONG                       Affinity;
+    BOOLEAN                     Preempted;
+    BOOLEAN                     ProcessReadyQueue;
+    BOOLEAN                     KernelStackResident;
+    UCHAR                       NextProcessor;
+    PVOID                       CallbackStack;
+    PVOID                       Win32Thread;
+    PKTRAP_FRAME                TrapFrame;
+    PKAPC_STATE                 ApcStatePointer[2];
+#if (VER_PRODUCTBUILD >= 2195)
+    UCHAR                       PreviousMode;
+#endif // (VER_PRODUCTBUILD >= 2195)
+    BOOLEAN                     EnableStackSwap;
+    BOOLEAN                     LargeStack;
+    UCHAR                       ResourceIndex;
+#if (VER_PRODUCTBUILD < 2195)
+    UCHAR                       PreviousMode;
+#endif // (VER_PRODUCTBUILD < 2195)
+    ULONG                       KernelTime;
+    ULONG                       UserTime;
+    KAPC_STATE                  SavedApcState;
+    BOOLEAN                     Alertable;
+    UCHAR                       ApcStateIndex;
+    BOOLEAN                     ApcQueueable;
+    BOOLEAN                     AutoAlignment;
+    PVOID                       StackBase;
+    KAPC                        SuspendApc;
+    KSEMAPHORE                  SuspendSemaphore;
+    LIST_ENTRY                  ThreadListEntry;
+    UCHAR                       FreezeCount;
+    UCHAR                       SuspendCount;
+    UCHAR                       IdealProcessor;
+    BOOLEAN                     DisableBoost;
+} KTHREAD, *PKTHREAD;
+
+#endif
+
+#if (VER_PRODUCTBUILD >= 3790)
+
+typedef struct _MMSUPPORT_FLAGS {
+    ULONG SessionSpace              : 1;
+    ULONG BeingTrimmed              : 1;
+    ULONG SessionLeader             : 1;
+    ULONG TrimHard                  : 1;
+    ULONG MaximumWorkingSetHard     : 1;
+    ULONG ForceTrim                 : 1;
+    ULONG MinimumWorkingSetHard     : 1;
+    ULONG Available0                : 1;
+    ULONG MemoryPriority            : 8;
+    ULONG GrowWsleHash              : 1;
+    ULONG AcquiredUnsafe            : 1;
+    ULONG Available                 : 14;
+} MMSUPPORT_FLAGS, *PMMSUPPORT_FLAGS;
+
+#elif (VER_PRODUCTBUILD >= 2600)
+
+typedef struct _MMSUPPORT_FLAGS {
+    ULONG SessionSpace              : 1;
+    ULONG BeingTrimmed              : 1;
+    ULONG SessionLeader             : 1;
+    ULONG TrimHard                  : 1;
+    ULONG WorkingSetHard            : 1;
+    ULONG AddressSpaceBeingDeleted  : 1;
+    ULONG Available                 : 10;
+    ULONG AllowWorkingSetAdjustment : 8;
+    ULONG MemoryPriority            : 8;
+} MMSUPPORT_FLAGS, *PMMSUPPORT_FLAGS;
+
+#else
+
+typedef struct _MMSUPPORT_FLAGS {
+    ULONG SessionSpace      : 1;
+    ULONG BeingTrimmed      : 1;
+    ULONG ProcessInSession  : 1;
+    ULONG SessionLeader     : 1;
+    ULONG TrimHard          : 1;
+    ULONG WorkingSetHard    : 1;
+    ULONG WriteWatch        : 1;
+    ULONG Filler            : 25;
+} MMSUPPORT_FLAGS, *PMMSUPPORT_FLAGS;
+
+#endif
+
+#if (VER_PRODUCTBUILD >= 3790)
+/*
+typedef struct _KGUARDED_MUTEX {
+    LONG            Count;
+    PKTHREAD        Owner; // 0x4
+    ULONG           Contention; // 0x8
+    KEVENT          Event; // 0xc
+    union {
+        struct {
+            USHORT  KernelApcDisable; // 0x1c
+            USHORT  SpecialApcDisable; // 0x1e
+        };
+        USHORT      CombinedApcDisable; // 0x1c
+    };
+} KGUARDED_MUTEX, *PKGUARDED_MUTEX;
+*/
+typedef struct _MMSUPPORT {
+    LIST_ENTRY      WorkingSetExpansionLinks;
+    LARGE_INTEGER   LastTrimTime; // 0x8
+    MMSUPPORT_FLAGS Flags; // 0x10
+    ULONG           PageFaultCount; // 0x14
+    ULONG           PeakWorkingSetSize; // 0x18
+    ULONG           GrowthSinceLastEstimate; // 0x1c
+    ULONG           MinimumWorkingSetSize; // 0x20
+    ULONG           MaximumWorkingSetSize; // 0x24
+    PMMWSL          VmWorkingSetList; // 0x28 
+    ULONG           Claim; // 0x2c
+    ULONG           NextEstimationSlot; // 0x30
+    ULONG           NextAgingSlot; // 0x34
+    ULONG           EstimatedAvailable; // 0x38
+    ULONG           WorkingSetSize;  //0x3c
+    KGUARDED_MUTEX  Mutex; // 0x40
+} MMSUPPORT, *PMMSUPPORT;
+
+#elif (VER_PRODUCTBUILD >= 2600)
+
+typedef struct _MMSUPPORT {
+    LARGE_INTEGER   LastTrimTime;
+    MMSUPPORT_FLAGS Flags;
+    ULONG           PageFaultCount;
+    ULONG           PeakWorkingSetSize;
+    ULONG           WorkingSetSize;
+    ULONG           MinimumWorkingSetSize;
+    ULONG           MaximumWorkingSetSize;
+    PMMWSL          VmWorkingSetList;
+    LIST_ENTRY      WorkingSetExpansionLinks;
+    ULONG           Claim;
+    ULONG           NextEstimationSlot;
+    ULONG           NextAgingSlot;
+    ULONG           EstimatedAvailable;
+    ULONG           GrowthSinceLastEstimate;
+} MMSUPPORT, *PMMSUPPORT;
+
+#else
+
+typedef struct _MMSUPPORT {
+    LARGE_INTEGER   LastTrimTime;
+    ULONG           LastTrimFaultCount;
+    ULONG           PageFaultCount;
+    ULONG           PeakWorkingSetSize;
+    ULONG           WorkingSetSize;
+    ULONG           MinimumWorkingSetSize;
+    ULONG           MaximumWorkingSetSize;
+    PMMWSL          VmWorkingSetList;
+    LIST_ENTRY      WorkingSetExpansionLinks;
+    BOOLEAN         AllowWorkingSetAdjustment;
+    BOOLEAN         AddressSpaceBeingDeleted;
+    UCHAR           ForegroundSwitchCount;
+    UCHAR           MemoryPriority;
+#if (VER_PRODUCTBUILD >= 2195)
+    union {
+        ULONG           LongFlags;
+        MMSUPPORT_FLAGS Flags;
+    } u;
+    ULONG           Claim;
+    ULONG           NextEstimationSlot;
+    ULONG           NextAgingSlot;
+    ULONG           EstimatedAvailable;
+    ULONG           GrowthSinceLastEstimate;
+#endif // (VER_PRODUCTBUILD >= 2195)
+} MMSUPPORT, *PMMSUPPORT;
+
+#endif
+
+typedef struct _SE_AUDIT_PROCESS_CREATION_INFO {
+    POBJECT_NAME_INFORMATION ImageFileName;
+} SE_AUDIT_PROCESS_CREATION_INFO, *PSE_AUDIT_PROCESS_CREATION_INFO;
+
+typedef struct _SID_IDENTIFIER_AUTHORITY {
+    UCHAR Value[6];
+} SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY;
+
+typedef struct _SID {
+    UCHAR                       Revision;
+    UCHAR                       SubAuthorityCount;
+    SID_IDENTIFIER_AUTHORITY    IdentifierAuthority;
+    ULONG                       SubAuthority[1];
+} SID, *PREAL_SID;
+
+typedef struct _BITMAP_DESCRIPTOR {
+    ULONGLONG   StartLcn;
+    ULONGLONG   ClustersToEndOfVol;
+    UCHAR       Map[1];
+} BITMAP_DESCRIPTOR, *PBITMAP_DESCRIPTOR; 
+
+typedef struct _BITMAP_RANGE {
+    LIST_ENTRY      Links;
+    LARGE_INTEGER   BasePage;
+    ULONG           FirstDirtyPage;
+    ULONG           LastDirtyPage;
+    ULONG           DirtyPages;
+    PULONG          Bitmap;
+} BITMAP_RANGE, *PBITMAP_RANGE;
+
+typedef struct _CACHE_UNINITIALIZE_EVENT {
+    struct _CACHE_UNINITIALIZE_EVENT    *Next;
+    KEVENT                              Event;
+} CACHE_UNINITIALIZE_EVENT, *PCACHE_UNINITIALIZE_EVENT;
+
+typedef struct _CC_FILE_SIZES {
+    LARGE_INTEGER AllocationSize;
+    LARGE_INTEGER FileSize;
+    LARGE_INTEGER ValidDataLength;
+} CC_FILE_SIZES, *PCC_FILE_SIZES;
+
+typedef struct _COMPRESSED_DATA_INFO {
+    USHORT  CompressionFormatAndEngine;
+    UCHAR   CompressionUnitShift;
+    UCHAR   ChunkShift;
+    UCHAR   ClusterShift;
+    UCHAR   Reserved;
+    USHORT  NumberOfChunks;
+    ULONG   CompressedChunkSizes[ANYSIZE_ARRAY];
+} COMPRESSED_DATA_INFO, *PCOMPRESSED_DATA_INFO;
+
+typedef struct _DEVICE_MAP {
+    POBJECT_DIRECTORY   DosDevicesDirectory;
+    POBJECT_DIRECTORY   GlobalDosDevicesDirectory;
+    ULONG               ReferenceCount;
+    ULONG               DriveMap;
+    UCHAR               DriveType[32];
+} DEVICE_MAP, *PDEVICE_MAP; 
+
+typedef struct _DIRECTORY_BASIC_INFORMATION {
+    UNICODE_STRING ObjectName;
+    UNICODE_STRING ObjectTypeName;
+} DIRECTORY_BASIC_INFORMATION, *PDIRECTORY_BASIC_INFORMATION;
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+typedef struct _EX_FAST_REF {
+    union {
+        PVOID Object;
+        ULONG RefCnt : 3;
+        ULONG Value;
+    };
+} EX_FAST_REF, *PEX_FAST_REF;
+
+typedef struct _EX_PUSH_LOCK {
+    union {
+        struct {
+            ULONG   Waiting     : 1;
+            ULONG   Exclusive   : 1;
+            ULONG   Shared      : 30;
+        };
+        ULONG   Value;
+        PVOID   Ptr;
+    };
+} EX_PUSH_LOCK, *PEX_PUSH_LOCK;
+
+#endif // (VER_PRODUCTBUILD >= 2600)
+
+#if (VER_PRODUCTBUILD == 2600)
+
+typedef struct _EX_RUNDOWN_REF {
+    union {
+        ULONG Count;
+        PVOID Ptr;
+    };
+} EX_RUNDOWN_REF, *PEX_RUNDOWN_REF;
+
+#endif // (VER_PRODUCTBUILD == 2600)
+
+#if (VER_PRODUCTBUILD >= 3790)
+
+typedef struct _MM_ADDRESS_NODE {
+    union {
+        ULONG                   Balance : 2;
+        struct _MM_ADDRESS_NODE *Parent; // lower 2 bits of Parent are Balance and must be zeroed to obtain Parent
+    };
+    struct _MM_ADDRESS_NODE     *LeftChild;
+    struct _MM_ADDRESS_NODE     *RightChild;
+    ULONG_PTR                   StartingVpn;
+    ULONG_PTR                   EndingVpn;
+} MMADDRESS_NODE, *PMMADDRESS_NODE;
+
+typedef struct _MM_AVL_TABLE {
+    MMADDRESS_NODE  BalancedRoot; // Vadroot; incorrectly represents the NULL pages (EndingVpn should be 0xf, etc.)
+    ULONG           DepthOfTree : 5; // 0x14
+    ULONG           Unused : 3;
+    ULONG           NumberGenericTableElements : 24; // total number of nodes
+    PVOID           NodeHint; // 0x18 (0x270 in _EPROCESS)
+    PVOID           NodeFreeHint; // 0x1c
+} MM_AVL_TABLE, *PMM_AVL_TABLE;
+
+typedef struct _EPROCESS {
+    KPROCESS                        Pcb; // +0x000
+    EX_PUSH_LOCK                    ProcessLock; // +0x06c
+    LARGE_INTEGER                   CreateTime; // +0x070
+    LARGE_INTEGER                   ExitTime; // +0x078
+    EX_RUNDOWN_REF                  RundownProtect; // +0x080
+    ULONG                           UniqueProcessId; // +0x084
+    LIST_ENTRY                      ActiveProcessLinks; // +0x088
+    ULONG                           QuotaUsage[3]; // +0x090
+    ULONG                           QuotaPeak[3]; // +0x09c
+    ULONG                           CommitCharge; // +0x0a8
+    ULONG                           PeakVirtualSize; // +0x0ac
+    ULONG                           VirtualSize; // +0x0b0
+    LIST_ENTRY                      SessionProcessLinks; // +0x0b4
+    PVOID                           DebugPort; // +0x0bc
+    PVOID                           ExceptionPort; // +0x0c0
+    PHANDLE_TABLE                   ObjectTable; // +0x0c4
+    EX_FAST_REF                     Token; // +0x0c8
+    ULONG                           WorkingSetPage; // +0x0cc
+    KGUARDED_MUTEX                  AddressCreationLock; // +0x0d0
+    ULONG                           HyperSpaceLock; // +0x0f0
+    PETHREAD                        ForkInProgress; // +0x0f4
+    ULONG                           HardwareTrigger; // +0x0f8
+    PMM_AVL_TABLE                   PhysicalVadRoot; // +0x0fc
+    PVOID                           CloneRoot; // +0x100
+    ULONG                           NumberOfPrivatePages; // +0x104
+    ULONG                           NumberOfLockedPages; // +0x108
+    PVOID                           Win32Process; // +0x10c
+    PEJOB                           Job; // +0x110
+    PVOID                           SectionObject; // +0x114
+    PVOID                           SectionBaseAddress; // +0x118
+    PEPROCESS_QUOTA_BLOCK           QuotaBlock; // +0x11c
+    PPAGEFAULT_HISTORY              WorkingSetWatch; // +0x120
+    PVOID                           Win32WindowStation; // +0x124
+    ULONG                           InheritedFromUniqueProcessId; // +0x128
+    PVOID                           LdtInformation; // +0x12c
+    PVOID                           VadFreeHint; // +0x130
+    PVOID                           VdmObjects; // +0x134
+    PVOID                           DeviceMap; // +0x138
+    PVOID                           Spare0[3]; // +0x13c
+    union {
+        HARDWARE_PTE                PageDirectoryPte; // +0x148
+        UINT64                      Filler; // +0x148
+    };
+    PVOID                           Session; // +0x150
+    UCHAR                           ImageFileName[16]; // +0x154
+    LIST_ENTRY                      JobLinks; // +0x164
+    PVOID                           LockedPagesList; // +0x16c
+    LIST_ENTRY                      ThreadListHead; // +0x170
+    PVOID                           SecurityPort; // +0x178
+    PVOID                           PaeTop; // +0x17c
+    ULONG                           ActiveThreads; // +0x180
+    ULONG                           GrantedAccess; // +0x184
+    ULONG                           DefaultHardErrorProcessing; // +0x188
+    SHORT                           LastThreadExitStatus; // +0x18c
+    PPEB                            Peb; // +0x190
+    EX_FAST_REF                     PrefetchTrace; // +0x194
+    LARGE_INTEGER                   ReadOperationCount; // +0x198
+    LARGE_INTEGER                   WriteOperationCount; // +0x1a0
+    LARGE_INTEGER                   OtherOperationCount; // +0x1a8
+    LARGE_INTEGER                   ReadTransferCount; // +0x1b0
+    LARGE_INTEGER                   WriteTransferCount; // +0x1b8
+    LARGE_INTEGER                   OtherTransferCount; // +0x1c0
+    ULONG                           CommitChargeLimit; // +0x1c8
+    ULONG                           CommitChargePeak; // +0x1cc
+    PVOID                           AweInfo; // +0x1d0
+    SE_AUDIT_PROCESS_CREATION_INFO  SeAuditProcessCreationInfo; // +0x1d4
+    MMSUPPORT                       Vm; // +0x1d8
+    LIST_ENTRY                      MmProcessLinks; // +0x238
+    ULONG                           ModifiedPageCount; // +0x240
+    ULONG                           JobStatus; // +0x244
+    union {
+        ULONG                       Flags; // 0x248
+        struct {
+            ULONG                   CreateReported              : 1;
+            ULONG                   NoDebugInherit              : 1;
+            ULONG                   ProcessExiting              : 1;
+            ULONG                   ProcessDelete               : 1;
+            ULONG                   Wow64SplitPages             : 1;
+            ULONG                   VmDeleted                   : 1;
+            ULONG                   OutswapEnabled              : 1;
+            ULONG                   Outswapped                  : 1;
+            ULONG                   ForkFailed                  : 1;
+            ULONG                   Wow64VaSpace4Gb             : 1;
+            ULONG                   AddressSpaceInitialized     : 2;
+            ULONG                   SetTimerResolution          : 1;
+            ULONG                   BreakOnTermination          : 1;
+            ULONG                   SessionCreationUnderway     : 1;
+            ULONG                   WriteWatch                  : 1;
+            ULONG                   ProcessInSession            : 1;
+            ULONG                   OverrideAddressSpace        : 1;
+            ULONG                   HasAddressSpace             : 1;
+            ULONG                   LaunchPrefetched            : 1;
+            ULONG                   InjectInpageErrors          : 1;
+            ULONG                   VmTopDown                   : 1;
+            ULONG                   ImageNotifyDone             : 1;
+            ULONG                   PdeUpdateNeeded             : 1;
+            ULONG                   VdmAllowed                  : 1;
+            ULONG                   Unused                      : 7;
+        };
+    };
+    NTSTATUS                        ExitStatus; // +0x24c
+    USHORT                          NextPageColor; // +0x250
+    union {
+        struct {
+            UCHAR                   SubSystemMinorVersion; // +0x252
+            UCHAR                   SubSystemMajorVersion; // +0x253
+        };
+        USHORT                      SubSystemVersion; // +0x252
+    };
+    UCHAR                           PriorityClass; // +0x254
+    MM_AVL_TABLE                    VadRoot; // +0x258
+} EPROCESS, *PEPROCESS; // 0x278 in total
+
+#elif (VER_PRODUCTBUILD >= 2600)
+
+typedef struct _EPROCESS {
+    KPROCESS                        Pcb;
+    EX_PUSH_LOCK                    ProcessLock;
+    LARGE_INTEGER                   CreateTime;
+    LARGE_INTEGER                   ExitTime;
+    EX_RUNDOWN_REF                  RundownProtect;
+    ULONG                           UniqueProcessId;
+    LIST_ENTRY                      ActiveProcessLinks;
+    ULONG                           QuotaUsage[3];
+    ULONG                           QuotaPeak[3];
+    ULONG                           CommitCharge;
+    ULONG                           PeakVirtualSize;
+    ULONG                           VirtualSize;
+    LIST_ENTRY                      SessionProcessLinks;
+    PVOID                           DebugPort;
+    PVOID                           ExceptionPort;
+    PHANDLE_TABLE                   ObjectTable;
+    EX_FAST_REF                     Token;
+    FAST_MUTEX                      WorkingSetLock;
+    ULONG                           WorkingSetPage;
+    FAST_MUTEX                      AddressCreationLock;
+    KSPIN_LOCK                      HyperSpaceLock;
+    PETHREAD                        ForkInProgress;
+    ULONG                           HardwareTrigger;
+    PVOID                           VadRoot;
+    PVOID                           VadHint;
+    PVOID                           CloneRoot;
+    ULONG                           NumberOfPrivatePages;
+    ULONG                           NumberOfLockedPages;
+    PVOID                           Win32Process;
+    PEJOB                           Job;
+    PSECTION_OBJECT                 SectionObject;
+    PVOID                           SectionBaseAddress;
+    PEPROCESS_QUOTA_BLOCK           QuotaBlock;
+    PPAGEFAULT_HISTORY              WorkingSetWatch;
+    PVOID                           Win32WindowStation;
+    PVOID                           InheritedFromUniqueProcessId;
+    PVOID                           LdtInformation;
+    PVOID                           VadFreeHint;
+    PVOID                           VdmObjects;
+    PDEVICE_MAP                     DeviceMap;
+    LIST_ENTRY                      PhysicalVadList;
+    union {
+        HARDWARE_PTE                PageDirectoryPte;
+        ULONGLONG                   Filler;
+    };
+    PVOID                           Session;
+    UCHAR                           ImageFileName[16];
+    LIST_ENTRY                      JobLinks;
+    PVOID                           LockedPageList;
+    LIST_ENTRY                      ThreadListHead;
+    PVOID                           SecurityPort;
+    PVOID                           PaeTop;
+    ULONG                           ActiveThreads;
+    ULONG                           GrantedAccess;
+    ULONG                           DefaultHardErrorProcessing;
+    NTSTATUS                        LastThreadExitStatus;
+    PPEB                            Peb;
+    EX_FAST_REF                     PrefetchTrace;
+    LARGE_INTEGER                   ReadOperationCount;
+    LARGE_INTEGER                   WriteOperationCount;
+    LARGE_INTEGER                   OtherOperationCount;
+    LARGE_INTEGER                   ReadTransferCount;
+    LARGE_INTEGER                   WriteTransferCount;
+    LARGE_INTEGER                   OtherTransferCount;
+    ULONG                           CommitChargeLimit;
+    ULONG                           CommitChargePeek;
+    PVOID                           AweInfo;
+    SE_AUDIT_PROCESS_CREATION_INFO  SeAuditProcessCreationInfo;
+    MMSUPPORT                       Vm;
+    ULONG                           LastFaultCount;
+    ULONG                           ModifiedPageCount;
+    ULONG                           NumberOfVads;
+    ULONG                           JobStatus;
+    union {
+        ULONG                       Flags;
+        struct {
+            ULONG                   CreateReported              : 1;
+            ULONG                   NoDebugInherit              : 1;
+            ULONG                   ProcessExiting              : 1;
+            ULONG                   ProcessDelete               : 1;
+            ULONG                   Wow64SplitPages             : 1;
+            ULONG                   VmDeleted                   : 1;
+            ULONG                   OutswapEnabled              : 1;
+            ULONG                   Outswapped                  : 1;
+            ULONG                   ForkFailed                  : 1;
+            ULONG                   HasPhysicalVad              : 1;
+            ULONG                   AddressSpaceInitialized     : 2;
+            ULONG                   SetTimerResolution          : 1;
+            ULONG                   BreakOnTermination          : 1;
+            ULONG                   SessionCreationUnderway     : 1;
+            ULONG                   WriteWatch                  : 1;
+            ULONG                   ProcessInSession            : 1;
+            ULONG                   OverrideAddressSpace        : 1;
+            ULONG                   HasAddressSpace             : 1;
+            ULONG                   LaunchPrefetched            : 1;
+            ULONG                   InjectInpageErrors          : 1;
+            ULONG                   Unused                      : 11;
+        };
+    };
+    NTSTATUS                        ExitStatus;
+    USHORT                          NextPageColor;
+    union {
+        struct {
+            UCHAR                   SubSystemMinorVersion;
+            UCHAR                   SubSystemMajorVersion;
+        };
+        USHORT                      SubSystemVersion;
+    };
+    UCHAR                           PriorityClass;
+    BOOLEAN                         WorkingSetAcquiredUnsafe;
+} EPROCESS, *PEPROCESS;
+
+#else
+
+typedef struct _EPROCESS {
+    KPROCESS                        Pcb;
+    NTSTATUS                        ExitStatus;
+    KEVENT                          LockEvent;
+    ULONG                           LockCount;
+    LARGE_INTEGER                   CreateTime;
+    LARGE_INTEGER                   ExitTime;
+    PKTHREAD                        LockOwner;
+    ULONG                           UniqueProcessId;
+    LIST_ENTRY                      ActiveProcessLinks;
+    ULONGLONG                       QuotaPeakPoolUsage;
+    ULONGLONG                       QuotaPoolUsage;
+    ULONG                           PagefileUsage;
+    ULONG                           CommitCharge;
+    ULONG                           PeakPagefileUsage;
+    ULONG                           PeakVirtualSize;
+    ULONGLONG                       VirtualSize;
+    MMSUPPORT                       Vm;
+#if (VER_PRODUCTBUILD < 2195)
+    ULONG                           LastProtoPteFault;
+#else // (VER_PRODUCTBUILD >= 2195)
+    LIST_ENTRY                      SessionProcessLinks;
+#endif // (VER_PRODUCTBUILD >= 2195)
+    ULONG                           DebugPort;
+    ULONG                           ExceptionPort;
+    PHANDLE_TABLE                   ObjectTable;
+    PACCESS_TOKEN                   Token;
+    FAST_MUTEX                      WorkingSetLock;
+    ULONG                           WorkingSetPage;
+    BOOLEAN                         ProcessOutswapEnabled;
+    BOOLEAN                         ProcessOutswapped;
+    BOOLEAN                         AddressSpaceInitialized;
+    BOOLEAN                         AddressSpaceDeleted;
+    FAST_MUTEX                      AddressCreationLock;
+    KSPIN_LOCK                      HyperSpaceLock;
+    PETHREAD                        ForkInProgress;
+    USHORT                          VmOperation;
+    BOOLEAN                         ForkWasSuccessful;
+    UCHAR                           MmAgressiveWsTrimMask;
+    PKEVENT                         VmOperationEvent;
+#if (VER_PRODUCTBUILD < 2195)
+    HARDWARE_PTE                    PageDirectoryPte;
+#else // (VER_PRODUCTBUILD >= 2195)
+    PVOID                           PaeTop;
+#endif // (VER_PRODUCTBUILD >= 2195)
+    ULONG                           LastFaultCount;
+    ULONG                           ModifiedPageCount;
+    PVOID                           VadRoot;
+    PVOID                           VadHint;
+    ULONG                           CloneRoot;
+    ULONG                           NumberOfPrivatePages;
+    ULONG                           NumberOfLockedPages;
+    USHORT                          NextPageColor;
+    BOOLEAN                         ExitProcessCalled;
+    BOOLEAN                         CreateProcessReported;
+    HANDLE                          SectionHandle;
+    PPEB                            Peb;
+    PVOID                           SectionBaseAddress;
+    PEPROCESS_QUOTA_BLOCK           QuotaBlock;
+    NTSTATUS                        LastThreadExitStatus;
+    PPROCESS_WS_WATCH_INFORMATION   WorkingSetWatch;
+    HANDLE                          Win32WindowStation;
+    HANDLE                          InheritedFromUniqueProcessId;
+    ACCESS_MASK                     GrantedAccess;
+    ULONG                           DefaultHardErrorProcessing;
+    PVOID                           LdtInformation;
+    PVOID                           VadFreeHint;
+    PVOID                           VdmObjects;
+#if (VER_PRODUCTBUILD < 2195)
+    KMUTANT                         ProcessMutant;
+#else // (VER_PRODUCTBUILD >= 2195)
+    PDEVICE_MAP                     DeviceMap;
+    ULONG                           SessionId;
+    LIST_ENTRY                      PhysicalVadList;
+    HARDWARE_PTE                    PageDirectoryPte;
+    ULONG                           Filler;
+    ULONG                           PaePageDirectoryPage;
+#endif // (VER_PRODUCTBUILD >= 2195)
+    UCHAR                           ImageFileName[16];
+    ULONG                           VmTrimFaultValue;
+    UCHAR                           SetTimerResolution;
+    UCHAR                           PriorityClass;
+    union {
+        struct {
+            UCHAR                   SubSystemMinorVersion;
+            UCHAR                   SubSystemMajorVersion;
+        };
+        USHORT                      SubSystemVersion;
+    };
+    PVOID                           Win32Process;
+#if (VER_PRODUCTBUILD >= 2195)
+    PEJOB                           Job;
+    ULONG                           JobStatus;
+    LIST_ENTRY                      JobLinks;
+    PVOID                           LockedPageList;
+    PVOID                           SecurityPort;
+    PWOW64_PROCESS                  Wow64Process;
+    LARGE_INTEGER                   ReadOperationCount;
+    LARGE_INTEGER                   WriteOperationCount;
+    LARGE_INTEGER                   OtherOperationCount;
+    LARGE_INTEGER                   ReadTransferCount;
+    LARGE_INTEGER                   WriteTransferCount;
+    LARGE_INTEGER                   OtherTransferCount;
+    ULONG                           CommitChargeLimit;
+    ULONG                           CommitChargePeek;
+    LIST_ENTRY                      ThreadListHead;
+    PRTL_BITMAP                     VadPhysicalPagesBitMap;
+    ULONG                           VadPhysicalPages;
+    ULONG                           AweLock;
+#endif // (VER_PRODUCTBUILD >= 2195)
+} EPROCESS, *PEPROCESS;
+
+#endif
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+typedef struct _ETHREAD {
+    KTHREAD                         Tcb;
+    union {
+        LARGE_INTEGER               CreateTime;
+        struct {
+            ULONG                   NestedFaultCount    : 2;
+            ULONG                   ApcNeeded           : 1;
+        };
+    };
+    union {
+        LARGE_INTEGER               ExitTime;
+        LIST_ENTRY                  LpcReplyChain;
+        LIST_ENTRY                  KeyedWaitChain;
+    };
+    union {
+        NTSTATUS                    ExitStatus;
+        PVOID                       OfsChain;
+    };
+    LIST_ENTRY                      PostBlockList;
+    union {
+        PTERMINATION_PORT           TerminationPort;
+        PETHREAD                    ReaperLink;
+        PVOID                       KeyedWaitValue;
+    };
+    KSPIN_LOCK                      ActiveTimerListLock;
+    LIST_ENTRY                      ActiveTimerListHead;
+    CLIENT_ID                       Cid;
+    union {
+        KSEMAPHORE                  LpcReplySemaphore;
+        KSEMAPHORE                  KeyedWaitSemaphore;
+    };
+    union {
+        PLPC_MESSAGE                LpcReplyMessage;
+        PVOID                       LpcWaitingOnPort;
+    };
+    PPS_IMPERSONATION_INFORMATION   ImpersonationInfo;
+    LIST_ENTRY                      IrpList;
+    ULONG                           TopLevelIrp;
+    PDEVICE_OBJECT                  DeviceToVerify;
+    PEPROCESS                       ThreadsProcess;
+    PKSTART_ROUTINE                 StartAddress;
+    union {
+        PVOID                       Win32StartAddress;
+        ULONG                       LpcReceivedMessageId;
+    };
+    LIST_ENTRY                      ThreadListEntry;
+    EX_RUNDOWN_REF                  RundownProtect;
+    EX_PUSH_LOCK                    ThreadLock;
+    ULONG                           LpcReplyMessageId;
+    ULONG                           ReadClusterSize;
+    ACCESS_MASK                     GrantedAccess;
+    union {
+        ULONG                       CrossThreadFlags;
+        struct {
+            ULONG                   Terminated              : 1;
+            ULONG                   DeadThread              : 1;
+            ULONG                   HideFromDebugger        : 1;
+            ULONG                   ActiveImpersonationInfo : 1;
+            ULONG                   SystemThread            : 1;
+            ULONG                   HardErrorsAreDisabled   : 1;
+            ULONG                   BreakOnTermination      : 1;
+            ULONG                   SkipCreationMsg         : 1;
+            ULONG                   SkipTerminationMsg      : 1;
+        };
+    };
+    union {
+        ULONG                       SameThreadPassiveFlags;
+        struct {
+            ULONG                   ActiveExWorker          : 1;
+            ULONG                   ExWorkerCanWaitUser     : 1;
+            ULONG                   MemoryMaker             : 1;
+            ULONG                   KeyedEventInUse         : 1;
+        };
+    };
+    union {
+        ULONG                       SameThreadApcFlags;
+        struct {
+            BOOLEAN                 LpcReceivedMsgIdValid   : 1;
+            BOOLEAN                 LpcExitThreadCalled     : 1;
+            BOOLEAN                 AddressSpaceOwner       : 1;
+        };
+    };
+    BOOLEAN                         ForwardClusterOnly;
+    BOOLEAN                         DisablePageFaultClustering;
+} ETHREAD, *PETHREAD;
+
+#else
+
+typedef struct _ETHREAD {
+    KTHREAD                         Tcb;
+    LARGE_INTEGER                   CreateTime;
+    union {
+        LARGE_INTEGER               ExitTime;
+        LIST_ENTRY                  LpcReplyChain;
+    };
+    union {
+        NTSTATUS                    ExitStatus;
+        PVOID                       OfsChain;
+    };
+    LIST_ENTRY                      PostBlockList;
+    LIST_ENTRY                      TerminationPortList;
+    KSPIN_LOCK                      ActiveTimerListLock;
+    LIST_ENTRY                      ActiveTimerListHead;
+    CLIENT_ID                       Cid;
+    KSEMAPHORE                      LpcReplySemaphore;
+    PLPC_MESSAGE                    LpcReplyMessage;
+    ULONG                           LpcReplyMessageId;
+    ULONG                           PerformanceCountLow;
+    PPS_IMPERSONATION_INFORMATION   ImpersonationInfo;
+    LIST_ENTRY                      IrpList;
+    PVOID                           TopLevelIrp;
+    PDEVICE_OBJECT                  DeviceToVerify;
+    ULONG                           ReadClusterSize;
+    BOOLEAN                         ForwardClusterOnly;
+    BOOLEAN                         DisablePageFaultClustering;
+    BOOLEAN                         DeadThread;
+#if (VER_PRODUCTBUILD >= 2195)
+    BOOLEAN                         HideFromDebugger;
+#endif // (VER_PRODUCTBUILD >= 2195)
+#if (VER_PRODUCTBUILD < 2195)
+    BOOLEAN                         HasTerminated;
+#else // (VER_PRODUCTBUILD >= 2195)
+    ULONG                           HasTerminated;
+#endif // (VER_PRODUCTBUILD >= 2195)
+#if (VER_PRODUCTBUILD < 2195)
+    PKEVENT_PAIR                    EventPair;
+#endif // (VER_PRODUCTBUILD < 2195)
+    ACCESS_MASK                     GrantedAccess;
+    PEPROCESS                       ThreadsProcess;
+    PKSTART_ROUTINE                 StartAddress;
+    union {
+        PVOID                       Win32StartAddress;
+        ULONG                       LpcReceivedMessageId;
+    };
+    BOOLEAN                         LpcExitThreadCalled;
+    BOOLEAN                         HardErrorsAreDisabled;
+    BOOLEAN                         LpcReceivedMsgIdValid;
+    BOOLEAN                         ActiveImpersonationInfo;
+    ULONG                           PerformanceCountHigh;
+#if (VER_PRODUCTBUILD >= 2195)
+    LIST_ENTRY                      ThreadListEntry;
+#endif // (VER_PRODUCTBUILD >= 2195)
+} ETHREAD, *PETHREAD;
+
+#endif
+
+typedef struct _EPROCESS_QUOTA_ENTRY {
+    ULONG Usage;
+    ULONG Limit;
+    ULONG Peak;
+    ULONG Return;
+} EPROCESS_QUOTA_ENTRY, *PEPROCESS_QUOTA_ENTRY;
+
+typedef struct _EPROCESS_QUOTA_BLOCK {
+    EPROCESS_QUOTA_ENTRY    QuotaEntry[3];
+    LIST_ENTRY              QuotaList;
+    ULONG                   ReferenceCount;
+    ULONG                   ProcessCount;
+} EPROCESS_QUOTA_BLOCK, *PEPROCESS_QUOTA_BLOCK;
+
+typedef struct _EXCEPTION_REGISTRATION_RECORD {
+   struct _EXCEPTION_REGISTRATION_RECORD    *Next;
+   PVOID                                    Handler;
+} EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD;
+
+/*
+ * When needing these parameters cast your PIO_STACK_LOCATION to
+ * PEXTENDED_IO_STACK_LOCATION
+ */
+#if !defined(_ALPHA_) && !defined(_AMD64_) && !defined(_IA64_)
+#include <pshpack4.h>
+#endif
+typedef struct _EXTENDED_IO_STACK_LOCATION {
+
+    /* Included for padding */
+    UCHAR MajorFunction;
+    UCHAR MinorFunction;
+    UCHAR Flags;
+    UCHAR Control;
+
+    union {
+
+       struct {
+          PIO_SECURITY_CONTEXT              SecurityContext;
+          ULONG                             Options;
+          USHORT                            Reserved;
+          USHORT                            ShareAccess;
+          PMAILSLOT_CREATE_PARAMETERS       Parameters;
+       } CreateMailslot;
+
+        struct {
+            PIO_SECURITY_CONTEXT            SecurityContext;
+            ULONG                           Options;
+            USHORT                          Reserved;
+            USHORT                          ShareAccess;
+            PNAMED_PIPE_CREATE_PARAMETERS   Parameters;
+        } CreatePipe;
+
+        struct {
+            ULONG                           OutputBufferLength;
+            ULONG                           InputBufferLength;
+            ULONG                           FsControlCode;
+            PVOID                           Type3InputBuffer;
+        } FileSystemControl;
+
+        struct {
+            PLARGE_INTEGER                  Length;
+            ULONG                           Key;
+            LARGE_INTEGER                   ByteOffset;
+        } LockControl;
+
+        struct {
+            ULONG                           Length;
+            ULONG                           CompletionFilter;
+        } NotifyDirectory;
+
+        struct {
+            ULONG                           Length;
+            PUNICODE_STRING                 FileName;
+            FILE_INFORMATION_CLASS          FileInformationClass;
+            ULONG                           FileIndex;
+        } QueryDirectory;
+
+        struct {
+            ULONG                           Length;
+            PVOID                           EaList;
+            ULONG                           EaListLength;
+            ULONG                           EaIndex;
+        } QueryEa;
+
+        struct {
+            ULONG                           Length;
+            PSID                            StartSid;
+            PFILE_GET_QUOTA_INFORMATION     SidList;
+            ULONG                           SidListLength;
+        } QueryQuota;
+
+        struct {
+            ULONG                           Length;
+        } SetEa;
+
+        struct {
+            ULONG                           Length;
+        } SetQuota;
+
+        struct {
+            ULONG                           Length;
+            FS_INFORMATION_CLASS            FsInformationClass;
+        } SetVolume;
+
+    } Parameters;
+
+} EXTENDED_IO_STACK_LOCATION, *PEXTENDED_IO_STACK_LOCATION;
+#if !defined(_ALPHA_) && !defined(_AMD64_) && !defined(_IA64_)
+#include <poppack.h>
+#endif
+
+typedef struct _FILE_ACCESS_INFORMATION {
+    ACCESS_MASK AccessFlags;
+} FILE_ACCESS_INFORMATION, *PFILE_ACCESS_INFORMATION;
+
+typedef struct _FILE_ALLOCATION_INFORMATION {
+    LARGE_INTEGER AllocationSize;
+} FILE_ALLOCATION_INFORMATION, *PFILE_ALLOCATION_INFORMATION;
+
+typedef struct _FILE_BOTH_DIR_INFORMATION {
+    ULONG           NextEntryOffset;
+    ULONG           FileIndex;
+    LARGE_INTEGER   CreationTime;
+    LARGE_INTEGER   LastAccessTime;
+    LARGE_INTEGER   LastWriteTime;
+    LARGE_INTEGER   ChangeTime;
+    LARGE_INTEGER   EndOfFile;
+    LARGE_INTEGER   AllocationSize;
+    ULONG           FileAttributes;
+    ULONG           FileNameLength;
+    ULONG           EaSize;
+    CCHAR           ShortNameLength;
+    WCHAR           ShortName[12];
+    WCHAR           FileName[1];
+} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;
+
+typedef struct _FILE_COMPLETION_INFORMATION {
+    HANDLE  Port;
+    ULONG   Key;
+} FILE_COMPLETION_INFORMATION, *PFILE_COMPLETION_INFORMATION;
+
+typedef struct _FILE_COMPRESSION_INFORMATION {
+    LARGE_INTEGER   CompressedFileSize;
+    USHORT          CompressionFormat;
+    UCHAR           CompressionUnitShift;
+    UCHAR           ChunkShift;
+    UCHAR           ClusterShift;
+    UCHAR           Reserved[3];
+} FILE_COMPRESSION_INFORMATION, *PFILE_COMPRESSION_INFORMATION;
+
+typedef struct _FILE_COPY_ON_WRITE_INFORMATION {
+    BOOLEAN ReplaceIfExists;
+    HANDLE  RootDirectory;
+    ULONG   FileNameLength;
+    WCHAR   FileName[1];
+} FILE_COPY_ON_WRITE_INFORMATION, *PFILE_COPY_ON_WRITE_INFORMATION;
+
+typedef struct _FILE_DIRECTORY_INFORMATION {
+    ULONG           NextEntryOffset;
+    ULONG           FileIndex;
+    LARGE_INTEGER   CreationTime;
+    LARGE_INTEGER   LastAccessTime;
+    LARGE_INTEGER   LastWriteTime;
+    LARGE_INTEGER   ChangeTime;
+    LARGE_INTEGER   EndOfFile;
+    LARGE_INTEGER   AllocationSize;
+    ULONG           FileAttributes;
+    ULONG           FileNameLength;
+    WCHAR           FileName[1];
+} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;
+
+typedef struct _FILE_EA_INFORMATION {
+    ULONG EaSize;
+} FILE_EA_INFORMATION, *PFILE_EA_INFORMATION;
+
+typedef struct _FILE_FS_ATTRIBUTE_INFORMATION {
+    ULONG   FileSystemAttributes;
+    ULONG   MaximumComponentNameLength;
+    ULONG   FileSystemNameLength;
+    WCHAR   FileSystemName[1];
+} FILE_FS_ATTRIBUTE_INFORMATION, *PFILE_FS_ATTRIBUTE_INFORMATION;
+
+typedef struct _FILE_FS_CONTROL_INFORMATION {
+    LARGE_INTEGER   FreeSpaceStartFiltering;
+    LARGE_INTEGER   FreeSpaceThreshold;
+    LARGE_INTEGER   FreeSpaceStopFiltering;
+    LARGE_INTEGER   DefaultQuotaThreshold;
+    LARGE_INTEGER   DefaultQuotaLimit;
+    ULONG           FileSystemControlFlags;
+} FILE_FS_CONTROL_INFORMATION, *PFILE_FS_CONTROL_INFORMATION;
+
+typedef struct _FILE_FS_FULL_SIZE_INFORMATION {
+    LARGE_INTEGER   TotalAllocationUnits;
+    LARGE_INTEGER   CallerAvailableAllocationUnits;
+    LARGE_INTEGER   ActualAvailableAllocationUnits;
+    ULONG           SectorsPerAllocationUnit;
+    ULONG           BytesPerSector;
+} FILE_FS_FULL_SIZE_INFORMATION, *PFILE_FS_FULL_SIZE_INFORMATION;
+
+typedef struct _FILE_FS_LABEL_INFORMATION {
+    ULONG VolumeLabelLength;
+    WCHAR VolumeLabel[1];
+} FILE_FS_LABEL_INFORMATION, *PFILE_FS_LABEL_INFORMATION;
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+typedef struct _FILE_FS_OBJECT_ID_INFORMATION {
+    UCHAR ObjectId[16];
+    UCHAR ExtendedInfo[48];
+} FILE_FS_OBJECT_ID_INFORMATION, *PFILE_FS_OBJECT_ID_INFORMATION;
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+typedef struct _FILE_FS_SIZE_INFORMATION {
+    LARGE_INTEGER   TotalAllocationUnits;
+    LARGE_INTEGER   AvailableAllocationUnits;
+    ULONG           SectorsPerAllocationUnit;
+    ULONG           BytesPerSector;
+} FILE_FS_SIZE_INFORMATION, *PFILE_FS_SIZE_INFORMATION;
+
+typedef struct _FILE_FS_VOLUME_INFORMATION {
+    LARGE_INTEGER   VolumeCreationTime;
+    ULONG           VolumeSerialNumber;
+    ULONG           VolumeLabelLength;
+    BOOLEAN         SupportsObjects;
+    WCHAR           VolumeLabel[1];
+} FILE_FS_VOLUME_INFORMATION, *PFILE_FS_VOLUME_INFORMATION;
+
+typedef struct _FILE_FULL_DIR_INFORMATION {
+    ULONG           NextEntryOffset;
+    ULONG           FileIndex;
+    LARGE_INTEGER   CreationTime;
+    LARGE_INTEGER   LastAccessTime;
+    LARGE_INTEGER   LastWriteTime;
+    LARGE_INTEGER   ChangeTime;
+    LARGE_INTEGER   EndOfFile;
+    LARGE_INTEGER   AllocationSize;
+    ULONG           FileAttributes;
+    ULONG           FileNameLength;
+    ULONG           EaSize;
+    WCHAR           FileName[1];
+} FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION;
+
+typedef struct _FILE_GET_EA_INFORMATION {
+    ULONG   NextEntryOffset;
+    UCHAR   EaNameLength;
+    CHAR    EaName[1];
+} FILE_GET_EA_INFORMATION, *PFILE_GET_EA_INFORMATION;
+
+typedef struct _FILE_GET_QUOTA_INFORMATION {
+    ULONG   NextEntryOffset;
+    ULONG   SidLength;
+    SID     Sid;
+} FILE_GET_QUOTA_INFORMATION, *PFILE_GET_QUOTA_INFORMATION;
+
+typedef struct _FILE_ID_BOTH_DIR_INFORMATION {
+    ULONG           NextEntryOffset;
+    ULONG           FileIndex;
+    LARGE_INTEGER   CreationTime;
+    LARGE_INTEGER   LastAccessTime;
+    LARGE_INTEGER   LastWriteTime;
+    LARGE_INTEGER   ChangeTime;
+    LARGE_INTEGER   EndOfFile;
+    LARGE_INTEGER   AllocationSize;
+    ULONG           FileAttributes;
+    ULONG           FileNameLength;
+    ULONG           EaSize;
+    CCHAR           ShortNameLength;
+    WCHAR           ShortName[12];
+    LARGE_INTEGER   FileId;
+    WCHAR           FileName[1];
+} FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION;
+
+typedef struct _FILE_ID_FULL_DIR_INFORMATION {
+    ULONG           NextEntryOffset;
+    ULONG           FileIndex;
+    LARGE_INTEGER   CreationTime;
+    LARGE_INTEGER   LastAccessTime;
+    LARGE_INTEGER   LastWriteTime;
+    LARGE_INTEGER   ChangeTime;
+    LARGE_INTEGER   EndOfFile;
+    LARGE_INTEGER   AllocationSize;
+    ULONG           FileAttributes;
+    ULONG           FileNameLength;
+    ULONG           EaSize;
+    LARGE_INTEGER   FileId;
+    WCHAR           FileName[1];
+} FILE_ID_FULL_DIR_INFORMATION, *PFILE_ID_FULL_DIR_INFORMATION;
+
+typedef struct _FILE_INTERNAL_INFORMATION {
+    LARGE_INTEGER IndexNumber;
+} FILE_INTERNAL_INFORMATION, *PFILE_INTERNAL_INFORMATION;
+
+typedef struct _FILE_LINK_INFORMATION {
+    BOOLEAN ReplaceIfExists;
+    HANDLE  RootDirectory;
+    ULONG   FileNameLength;
+    WCHAR   FileName[1];
+} FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION;
+
+typedef struct _FILE_LOCK_INFO {
+    LARGE_INTEGER   StartingByte;
+    LARGE_INTEGER   Length;
+    BOOLEAN         ExclusiveLock;
+    ULONG           Key;
+    PFILE_OBJECT    FileObject;
+    PEPROCESS       Process;
+    LARGE_INTEGER   EndingByte;
+} FILE_LOCK_INFO, *PFILE_LOCK_INFO;
+
+// raw internal file lock struct returned from FsRtlGetNextFileLock
+typedef struct _FILE_SHARED_LOCK_ENTRY {
+    PVOID           Unknown1;
+    PVOID           Unknown2;
+    FILE_LOCK_INFO  FileLock;
+} FILE_SHARED_LOCK_ENTRY, *PFILE_SHARED_LOCK_ENTRY;
+
+// raw internal file lock struct returned from FsRtlGetNextFileLock
+typedef struct _FILE_EXCLUSIVE_LOCK_ENTRY {
+    LIST_ENTRY      ListEntry;
+    PVOID           Unknown1;
+    PVOID           Unknown2;
+    FILE_LOCK_INFO  FileLock;
+} FILE_EXCLUSIVE_LOCK_ENTRY, *PFILE_EXCLUSIVE_LOCK_ENTRY;
+
+typedef NTSTATUS (*PCOMPLETE_LOCK_IRP_ROUTINE) (
+    IN PVOID    Context,
+    IN PIRP     Irp
+);
+
+typedef VOID (*PUNLOCK_ROUTINE) (
+    IN PVOID            Context,
+    IN PFILE_LOCK_INFO  FileLockInfo
+);
+
+typedef struct _FILE_LOCK {
+    PCOMPLETE_LOCK_IRP_ROUTINE  CompleteLockIrpRoutine;
+    PUNLOCK_ROUTINE             UnlockRoutine;
+    BOOLEAN                     FastIoIsQuestionable;
+    BOOLEAN                     Pad[3];
+    PVOID                       LockInformation;
+    FILE_LOCK_INFO              LastReturnedLockInfo;
+    PVOID                       LastReturnedLock;
+} FILE_LOCK, *PFILE_LOCK;
+
+typedef struct _FILE_MAILSLOT_PEEK_BUFFER {
+    ULONG ReadDataAvailable;
+    ULONG NumberOfMessages;
+    ULONG MessageLength;
+} FILE_MAILSLOT_PEEK_BUFFER, *PFILE_MAILSLOT_PEEK_BUFFER;
+
+typedef struct _FILE_MAILSLOT_QUERY_INFORMATION {
+    ULONG           MaximumMessageSize;
+    ULONG           MailslotQuota;
+    ULONG           NextMessageSize;
+    ULONG           MessagesAvailable;
+    LARGE_INTEGER   ReadTimeout;
+} FILE_MAILSLOT_QUERY_INFORMATION, *PFILE_MAILSLOT_QUERY_INFORMATION;
+
+typedef struct _FILE_MAILSLOT_SET_INFORMATION {
+    PLARGE_INTEGER ReadTimeout;
+} FILE_MAILSLOT_SET_INFORMATION, *PFILE_MAILSLOT_SET_INFORMATION;
+
+typedef struct _FILE_MODE_INFORMATION {
+    ULONG Mode;
+} FILE_MODE_INFORMATION, *PFILE_MODE_INFORMATION;
+
+// This structure is included in the Windows 2000 DDK but is missing in the
+// Windows NT 4.0 DDK
+#if (VER_PRODUCTBUILD < 2195)
+typedef struct _FILE_NAME_INFORMATION {
+    ULONG FileNameLength;
+    WCHAR FileName[1];
+} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;
+#endif // (VER_PRODUCTBUILD < 2195)
+
+typedef struct _FILE_ALL_INFORMATION {
+    FILE_BASIC_INFORMATION      BasicInformation;
+    FILE_STANDARD_INFORMATION   StandardInformation;
+    FILE_INTERNAL_INFORMATION   InternalInformation;
+    FILE_EA_INFORMATION         EaInformation;
+    FILE_ACCESS_INFORMATION     AccessInformation;
+    FILE_POSITION_INFORMATION   PositionInformation;
+    FILE_MODE_INFORMATION       ModeInformation;
+    FILE_ALIGNMENT_INFORMATION  AlignmentInformation;
+    FILE_NAME_INFORMATION       NameInformation;
+} FILE_ALL_INFORMATION, *PFILE_ALL_INFORMATION;
+
+typedef struct _FILE_NAMES_INFORMATION {
+    ULONG NextEntryOffset;
+    ULONG FileIndex;
+    ULONG FileNameLength;
+    WCHAR FileName[1];
+} FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION;
+
+typedef struct _FILE_NOTIFY_INFORMATION {
+    ULONG NextEntryOffset;
+    ULONG Action;
+    ULONG FileNameLength;
+    WCHAR FileName[1];
+} FILE_NOTIFY_INFORMATION, *PFILE_NOTIFY_INFORMATION;
+
+typedef struct _FILE_OBJECTID_INFORMATION {
+    LONGLONG        FileReference;
+    UCHAR           ObjectId[16];
+    union {
+        struct {
+            UCHAR   BirthVolumeId[16];
+            UCHAR   BirthObjectId[16];
+            UCHAR   DomainId[16];
+        } ;
+        UCHAR       ExtendedInfo[48];
+    };
+} FILE_OBJECTID_INFORMATION, *PFILE_OBJECTID_INFORMATION;
+
+typedef struct _FILE_OLE_CLASSID_INFORMATION {
+    GUID ClassId;
+} FILE_OLE_CLASSID_INFORMATION, *PFILE_OLE_CLASSID_INFORMATION;
+
+typedef struct _FILE_OLE_ALL_INFORMATION {
+    FILE_BASIC_INFORMATION          BasicInformation;
+    FILE_STANDARD_INFORMATION       StandardInformation;
+    FILE_INTERNAL_INFORMATION       InternalInformation;
+    FILE_EA_INFORMATION             EaInformation;
+    FILE_ACCESS_INFORMATION         AccessInformation;
+    FILE_POSITION_INFORMATION       PositionInformation;
+    FILE_MODE_INFORMATION           ModeInformation;
+    FILE_ALIGNMENT_INFORMATION      AlignmentInformation;
+    USN                             LastChangeUsn;
+    USN                             ReplicationUsn;
+    LARGE_INTEGER                   SecurityChangeTime;
+    FILE_OLE_CLASSID_INFORMATION    OleClassIdInformation;
+    FILE_OBJECTID_INFORMATION       ObjectIdInformation;
+    FILE_STORAGE_TYPE               StorageType;
+    ULONG                           OleStateBits;
+    ULONG                           OleId;
+    ULONG                           NumberOfStreamReferences;
+    ULONG                           StreamIndex;
+    ULONG                           SecurityId;
+    BOOLEAN                         ContentIndexDisable;
+    BOOLEAN                         InheritContentIndexDisable;
+    FILE_NAME_INFORMATION           NameInformation;
+} FILE_OLE_ALL_INFORMATION, *PFILE_OLE_ALL_INFORMATION;
+
+typedef struct _FILE_OLE_DIR_INFORMATION {
+    ULONG               NextEntryOffset;
+    ULONG               FileIndex;
+    LARGE_INTEGER       CreationTime;
+    LARGE_INTEGER       LastAccessTime;
+    LARGE_INTEGER       LastWriteTime;
+    LARGE_INTEGER       ChangeTime;
+    LARGE_INTEGER       EndOfFile;
+    LARGE_INTEGER       AllocationSize;
+    ULONG               FileAttributes;
+    ULONG               FileNameLength;
+    FILE_STORAGE_TYPE   StorageType;
+    GUID                OleClassId;
+    ULONG               OleStateBits;
+    BOOLEAN             ContentIndexDisable;
+    BOOLEAN             InheritContentIndexDisable;
+    WCHAR               FileName[1];
+} FILE_OLE_DIR_INFORMATION, *PFILE_OLE_DIR_INFORMATION;
+
+typedef struct _FILE_OLE_INFORMATION {
+    LARGE_INTEGER                   SecurityChangeTime;
+    FILE_OLE_CLASSID_INFORMATION    OleClassIdInformation;
+    FILE_OBJECTID_INFORMATION       ObjectIdInformation;
+    FILE_STORAGE_TYPE               StorageType;
+    ULONG                           OleStateBits;
+    BOOLEAN                         ContentIndexDisable;
+    BOOLEAN                         InheritContentIndexDisable;
+} FILE_OLE_INFORMATION, *PFILE_OLE_INFORMATION;
+
+typedef struct _FILE_OLE_STATE_BITS_INFORMATION {
+    ULONG StateBits;
+    ULONG StateBitsMask;
+} FILE_OLE_STATE_BITS_INFORMATION, *PFILE_OLE_STATE_BITS_INFORMATION;
+
+typedef struct _FILE_PIPE_ASSIGN_EVENT_BUFFER {
+    HANDLE  EventHandle;
+    ULONG   KeyValue;
+} FILE_PIPE_ASSIGN_EVENT_BUFFER, *PFILE_PIPE_ASSIGN_EVENT_BUFFER;
+
+typedef struct _FILE_PIPE_CLIENT_PROCESS_BUFFER {
+    PVOID ClientSession;
+    PVOID ClientProcess;
+} FILE_PIPE_CLIENT_PROCESS_BUFFER, *PFILE_PIPE_CLIENT_PROCESS_BUFFER;
+
+typedef struct _FILE_PIPE_EVENT_BUFFER {
+    ULONG NamedPipeState;
+    ULONG EntryType;
+    ULONG ByteCount;
+    ULONG KeyValue;
+    ULONG NumberRequests;
+} FILE_PIPE_EVENT_BUFFER, *PFILE_PIPE_EVENT_BUFFER;
+
+typedef struct _FILE_PIPE_INFORMATION {
+    ULONG ReadMode;
+    ULONG CompletionMode;
+} FILE_PIPE_INFORMATION, *PFILE_PIPE_INFORMATION;
+
+typedef struct _FILE_PIPE_LOCAL_INFORMATION {
+    ULONG NamedPipeType;
+    ULONG NamedPipeConfiguration;
+    ULONG MaximumInstances;
+    ULONG CurrentInstances;
+    ULONG InboundQuota;
+    ULONG ReadDataAvailable;
+    ULONG OutboundQuota;
+    ULONG WriteQuotaAvailable;
+    ULONG NamedPipeState;
+    ULONG NamedPipeEnd;
+} FILE_PIPE_LOCAL_INFORMATION, *PFILE_PIPE_LOCAL_INFORMATION;
+
+typedef struct _FILE_PIPE_PEEK_BUFFER {
+    ULONG   NamedPipeState;
+    ULONG   ReadDataAvailable;
+    ULONG   NumberOfMessages;
+    ULONG   MessageLength;
+    CHAR    Data[1];
+} FILE_PIPE_PEEK_BUFFER, *PFILE_PIPE_PEEK_BUFFER;
+
+typedef struct _FILE_PIPE_REMOTE_INFORMATION {
+    LARGE_INTEGER   CollectDataTime;
+    ULONG           MaximumCollectionCount;
+} FILE_PIPE_REMOTE_INFORMATION, *PFILE_PIPE_REMOTE_INFORMATION;
+
+typedef struct _FILE_PIPE_WAIT_FOR_BUFFER {
+    LARGE_INTEGER   Timeout;
+    ULONG           NameLength;
+    BOOLEAN         TimeoutSpecified;
+    WCHAR           Name[1];
+} FILE_PIPE_WAIT_FOR_BUFFER, *PFILE_PIPE_WAIT_FOR_BUFFER;
+
+typedef struct _FILE_QUOTA_INFORMATION {
+    ULONG           NextEntryOffset;
+    ULONG           SidLength;
+    LARGE_INTEGER   ChangeTime;
+    LARGE_INTEGER   QuotaUsed;
+    LARGE_INTEGER   QuotaThreshold;
+    LARGE_INTEGER   QuotaLimit;
+    SID             Sid;
+} FILE_QUOTA_INFORMATION, *PFILE_QUOTA_INFORMATION;
+
+typedef struct _FILE_RENAME_INFORMATION {
+    BOOLEAN ReplaceIfExists;
+    HANDLE  RootDirectory;
+    ULONG   FileNameLength;
+    WCHAR   FileName[1];
+} FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION;
+
+typedef struct _FILE_STREAM_INFORMATION {
+    ULONG           NextEntryOffset;
+    ULONG           StreamNameLength;
+    LARGE_INTEGER   StreamSize;
+    LARGE_INTEGER   StreamAllocationSize;
+    WCHAR           StreamName[1];
+} FILE_STREAM_INFORMATION, *PFILE_STREAM_INFORMATION;
+
+typedef struct _FILE_TRACKING_INFORMATION {
+    HANDLE  DestinationFile;
+    ULONG   ObjectInformationLength;
+    CHAR    ObjectInformation[1];
+} FILE_TRACKING_INFORMATION, *PFILE_TRACKING_INFORMATION;
+
+typedef struct _FSRTL_COMMON_FCB_HEADER {
+    CSHORT          NodeTypeCode;
+    CSHORT          NodeByteSize;
+    UCHAR           Flags;
+    UCHAR           IsFastIoPossible;
+#if (VER_PRODUCTBUILD >= 1381)
+    UCHAR           Flags2;
+    UCHAR           Reserved : 4;
+    UCHAR           Version : 4;
+#endif // (VER_PRODUCTBUILD >= 1381)
+    PERESOURCE      Resource;
+    PERESOURCE      PagingIoResource;
+    LARGE_INTEGER   AllocationSize;
+    LARGE_INTEGER   FileSize;
+    LARGE_INTEGER   ValidDataLength;
+} FSRTL_COMMON_FCB_HEADER, *PFSRTL_COMMON_FCB_HEADER;
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+#ifdef __cplusplus
+typedef struct _FSRTL_ADVANCED_FCB_HEADER:FSRTL_COMMON_FCB_HEADER {
+#else   // __cplusplus
+typedef struct _FSRTL_ADVANCED_FCB_HEADER {
+    FSRTL_COMMON_FCB_HEADER;
+#endif  // __cplusplus
+    PFAST_MUTEX     FastMutex;
+    LIST_ENTRY      FilterContexts;
+    EX_PUSH_LOCK    PushLock;
+    PVOID           *FileContextSupportPointer;
+} FSRTL_ADVANCED_FCB_HEADER, *PFSRTL_ADVANCED_FCB_HEADER;
+
+#endif // (VER_PRODUCTBUILD >= 2600)
+
+typedef struct _GENERATE_NAME_CONTEXT {
+    USHORT  Checksum;
+    BOOLEAN CheckSumInserted;
+    UCHAR   NameLength;
+    WCHAR   NameBuffer[8];
+    ULONG   ExtensionLength;
+    WCHAR   ExtensionBuffer[4];
+    ULONG   LastIndexValue;
+} GENERATE_NAME_CONTEXT, *PGENERATE_NAME_CONTEXT;
+
+typedef struct _HANDLE_INFO {       // Information about open handles
+    union {
+        PEPROCESS   Process;        // Pointer to PEPROCESS owning the Handle
+        ULONG       Count;          // Count of HANDLE_INFO structures following this structure
+    } HandleInfo;
+    USHORT          HandleCount;
+} HANDLE_INFO, *PHANDLE_INFO;
+
+typedef struct _HANDLE_TABLE_ENTRY_INFO {
+    ULONG AuditMask;
+} HANDLE_TABLE_ENTRY_INFO, *PHANDLE_TABLE_ENTRY_INFO;
+
+typedef struct _HANDLE_TABLE_ENTRY {
+    union {
+        PVOID                       Object;
+        ULONG                       ObAttributes;
+        PHANDLE_TABLE_ENTRY_INFO    InfoTable;
+        ULONG                       Value;
+    };
+    union {
+        ULONG                       GrantedAccess;
+        USHORT                      GrantedAccessIndex;
+        LONG                        NextFreeTableEntry;
+    };
+    USHORT                          CreatorBackTraceIndex;
+} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;
+
+typedef struct _MAPPING_PAIR {
+    ULONGLONG Vcn;
+    ULONGLONG Lcn;
+} MAPPING_PAIR, *PMAPPING_PAIR;
+
+typedef struct _GET_RETRIEVAL_DESCRIPTOR {
+    ULONG           NumberOfPairs;
+    ULONGLONG       StartVcn;
+    MAPPING_PAIR    Pair[1];
+} GET_RETRIEVAL_DESCRIPTOR, *PGET_RETRIEVAL_DESCRIPTOR;
+
+typedef struct _INITIAL_TEB {
+    ULONG Unknown_1;
+    ULONG Unknown_2;
+    PVOID StackTop;
+    PVOID StackBase;
+    PVOID Unknown_3;
+} INITIAL_TEB, *PINITIAL_TEB;
+
+typedef struct _IO_CLIENT_EXTENSION {
+    struct _IO_CLIENT_EXTENSION *NextExtension;
+    PVOID                       ClientIdentificationAddress;
+} IO_CLIENT_EXTENSION, *PIO_CLIENT_EXTENSION;
+
+typedef struct _IO_COMPLETION_BASIC_INFORMATION {
+    LONG Depth;
+} IO_COMPLETION_BASIC_INFORMATION, *PIO_COMPLETION_BASIC_INFORMATION;
+
+typedef struct _KEVENT_PAIR {
+    USHORT Type;
+    USHORT Size;
+    KEVENT Event1;
+    KEVENT Event2;
+} KEVENT_PAIR, *PKEVENT_PAIR;
+
+typedef struct _KINTERRUPT {
+    CSHORT              Type;
+    CSHORT              Size;
+    LIST_ENTRY          InterruptListEntry;
+    PKSERVICE_ROUTINE   ServiceRoutine;
+    PVOID               ServiceContext;
+    KSPIN_LOCK          SpinLock;
+    ULONG               TickCount;
+    PKSPIN_LOCK         ActualLock;
+    PVOID               DispatchAddress;
+    ULONG               Vector;
+    KIRQL               Irql;
+    KIRQL               SynchronizeIrql;
+    BOOLEAN             FloatingSave;
+    BOOLEAN             Connected;
+    CHAR                Number;
+    UCHAR               ShareVector;
+    KINTERRUPT_MODE     Mode;
+    ULONG               ServiceCount;
+    ULONG               DispatchCount;
+    ULONG               DispatchCode[106];
+} KINTERRUPT, *PKINTERRUPT;
+
+typedef struct _KQUEUE {
+    DISPATCHER_HEADER   Header;
+    LIST_ENTRY          EntryListHead;
+    ULONG               CurrentCount;
+    ULONG               MaximumCount;
+    LIST_ENTRY          ThreadListHead;
+} KQUEUE, *PKQUEUE, *RESTRICTED_POINTER PRKQUEUE;
+
+typedef struct _LARGE_MCB {
+    PFAST_MUTEX FastMutex;
+    ULONG       MaximumPairCount;
+    ULONG       PairCount;
+    POOL_TYPE   PoolType;
+    PVOID       Mapping;
+} LARGE_MCB, *PLARGE_MCB;
+
+typedef struct _LPC_MESSAGE {
+    USHORT      DataSize;
+    USHORT      MessageSize;
+    USHORT      MessageType;
+    USHORT      VirtualRangesOffset;
+    CLIENT_ID   ClientId;
+    ULONG       MessageId;
+    ULONG       SectionSize;
+    UCHAR       Data[1];
+} LPC_MESSAGE, *PLPC_MESSAGE;
+
+typedef struct _LPC_SECTION_READ {
+    ULONG Length;
+    ULONG ViewSize;
+    PVOID ViewBase;
+} LPC_SECTION_READ, *PLPC_SECTION_READ;
+
+typedef struct _LPC_SECTION_WRITE {
+    ULONG   Length;
+    HANDLE  SectionHandle;
+    ULONG   SectionOffset;
+    ULONG   ViewSize;
+    PVOID   ViewBase;
+    PVOID   TargetViewBase;
+} LPC_SECTION_WRITE, *PLPC_SECTION_WRITE;
+
+typedef struct _MAILSLOT_CREATE_PARAMETERS {
+    ULONG           MailslotQuota;
+    ULONG           MaximumMessageSize;
+    LARGE_INTEGER   ReadTimeout;
+    BOOLEAN         TimeoutSpecified;
+} MAILSLOT_CREATE_PARAMETERS, *PMAILSLOT_CREATE_PARAMETERS;
+
+typedef struct _MBCB {
+    CSHORT          NodeTypeCode;
+    CSHORT          NodeIsInZone;
+    ULONG           PagesToWrite;
+    ULONG           DirtyPages;
+    ULONG           Reserved;
+    LIST_ENTRY      BitmapRanges;
+    LONGLONG        ResumeWritePage;
+    BITMAP_RANGE    BitmapRange1;
+    BITMAP_RANGE    BitmapRange2;
+    BITMAP_RANGE    BitmapRange3;
+} MBCB, *PMBCB;
+
+typedef struct _MCB {
+    LARGE_MCB LargeMcb;
+} MCB, *PMCB;
+
+typedef struct _MOVEFILE_DESCRIPTOR {
+     HANDLE         FileHandle; 
+     ULONG          Reserved;   
+     LARGE_INTEGER  StartVcn; 
+     LARGE_INTEGER  TargetLcn;
+     ULONG          NumVcns; 
+     ULONG          Reserved1;  
+} MOVEFILE_DESCRIPTOR, *PMOVEFILE_DESCRIPTOR;
+
+typedef struct _NAMED_PIPE_CREATE_PARAMETERS {
+    ULONG           NamedPipeType;
+    ULONG           ReadMode;
+    ULONG           CompletionMode;
+    ULONG           MaximumInstances;
+    ULONG           InboundQuota;
+    ULONG           OutboundQuota;
+    LARGE_INTEGER   DefaultTimeout;
+    BOOLEAN         TimeoutSpecified;
+} NAMED_PIPE_CREATE_PARAMETERS, *PNAMED_PIPE_CREATE_PARAMETERS;
+
+typedef struct _QUOTA_BLOCK {
+    KSPIN_LOCK  QuotaLock;
+    ULONG       ReferenceCount; // Number of processes using this block
+    ULONG       PeakNonPagedPoolUsage;
+    ULONG       PeakPagedPoolUsage;
+    ULONG       NonPagedpoolUsage;
+    ULONG       PagedPoolUsage;
+    ULONG       NonPagedPoolLimit;
+    ULONG       PagedPoolLimit;
+    ULONG       PeakPagefileUsage;
+    ULONG       PagefileUsage;
+    ULONG       PageFileLimit;
+} QUOTA_BLOCK, *PQUOTA_BLOCK;
+
+typedef struct _OBJECT_BASIC_INFO {
+    ULONG           Attributes;
+    ACCESS_MASK     GrantedAccess;
+    ULONG           HandleCount;
+    ULONG           ReferenceCount;
+    ULONG           PagedPoolUsage;
+    ULONG           NonPagedPoolUsage;
+    ULONG           Reserved[3];
+    ULONG           NameInformationLength;
+    ULONG           TypeInformationLength;
+    ULONG           SecurityDescriptorLength;
+    LARGE_INTEGER   CreateTime;
+} OBJECT_BASIC_INFO, *POBJECT_BASIC_INFO;
+
+typedef struct _OBJECT_CREATE_INFORMATION {
+    ULONG                           Attributes;
+    HANDLE                          RootDirectory; // 0x4
+    PVOID                           ParseContext; // 0x8
+    KPROCESSOR_MODE                 ProbeMode; // 0xc
+    ULONG                           PagedPoolCharge; // 0x10
+    ULONG                           NonPagedPoolCharge; // 0x14
+    ULONG                           SecurityDescriptorCharge; // 0x18
+    PSECURITY_DESCRIPTOR            SecurityDescriptor; // 0x1c
+    PSECURITY_QUALITY_OF_SERVICE    SecurityQos; // 0x20
+    SECURITY_QUALITY_OF_SERVICE     SecurityQualityOfService; // 0x24
+} OBJECT_CREATE_INFORMATION, *POBJECT_CREATE_INFORMATION;
+
+typedef struct _OBJECT_CREATOR_INFO {
+    LIST_ENTRY  Creator;
+    ULONG       UniqueProcessId; // Creator's Process ID
+    ULONG       Reserved; // Alignment
+} OBJECT_CREATOR_INFO, *POBJECT_CREATOR_INFO;
+
+typedef struct _OBJECT_DIRECTORY_ITEM {
+    struct _OBJECT_DIRECTORY_ITEM   *Next;
+    PVOID                           Object;
+} OBJECT_DIRECTORY_ITEM, *POBJECT_DIRECTORY_ITEM;
+
+typedef struct _OBJECT_DIRECTORY {
+    POBJECT_DIRECTORY_ITEM  HashEntries[0x25];
+    POBJECT_DIRECTORY_ITEM  LastHashAccess;
+    ULONG                   LastHashResult;
+} OBJECT_DIRECTORY, *POBJECT_DIRECTORY;
+
+typedef struct _OBJECT_HANDLE_ATTRIBUTE_INFO {
+    BOOLEAN Inherit;
+    BOOLEAN ProtectFromClose;
+} OBJECT_HANDLE_ATTRIBUTE_INFO, *POBJECT_HANDLE_ATTRIBUTE_INFO;
+
+typedef struct _OBJECT_HANDLE_DB {
+    union {
+        struct _EPROCESS                *Process;
+        struct _OBJECT_HANDLE_DB_LIST   *HandleDBList;
+    };
+    ULONG                               HandleCount;
+} OBJECT_HANDLE_DB, *POBJECT_HANDLE_DB;
+
+typedef struct _OBJECT_HANDLE_DB_LIST {
+    ULONG               Count;
+    OBJECT_HANDLE_DB    Entries[1];
+} OBJECT_HANDLE_DB_LIST, *POBJECT_HANDLE_DB_LIST;
+
+typedef struct _OBJECT_HEADER_FLAGS {
+    ULONG NameInfoOffset     : 8;
+    ULONG HandleInfoOffset   : 8;
+    ULONG QuotaInfoOffset    : 8;
+    ULONG QuotaBlock         : 1;   // QuotaBlock/ObjectInfo
+    ULONG KernelMode         : 1;   // UserMode/KernelMode
+    ULONG CreatorInfo        : 1;
+    ULONG Exclusive          : 1;
+    ULONG Permanent          : 1;
+    ULONG SecurityDescriptor : 1;
+    ULONG HandleInfo         : 1;
+    ULONG Reserved           : 1;
+} OBJECT_HEADER_FLAGS, *POBJECT_HEADER_FLAGS;
+
+typedef struct _OBJECT_HEADER {
+    ULONG                           ReferenceCount;
+    union {
+        ULONG                       HandleCount;
+        PSINGLE_LIST_ENTRY          NextToFree;
+    }; // 0x4
+    POBJECT_TYPE                    ObjectType; // 0x8
+    OBJECT_HEADER_FLAGS             Flags; // 0xc
+    union {
+        POBJECT_CREATE_INFORMATION  ObjectCreateInfo;
+        PQUOTA_BLOCK                QuotaBlock;
+    }; // 0x10
+    PSECURITY_DESCRIPTOR            SecurityDescriptor; // 0x14
+    QUAD                            Body; // 0x18
+} OBJECT_HEADER, *POBJECT_HEADER;
+
+typedef struct _OBJECT_NAME {
+    POBJECT_DIRECTORY   Directory; 
+    UNICODE_STRING      ObjectName;
+    ULONG               Reserved;
+} OBJECT_NAME, *POBJECT_NAME;
+
+typedef struct _OBJECT_NAME_INFO {
+    UNICODE_STRING  ObjectName;
+    WCHAR           ObjectNameBuffer[1];
+} OBJECT_NAME_INFO, *POBJECT_NAME_INFO;
+
+typedef struct _OBJECT_PROTECTION_INFO {
+    BOOLEAN Inherit;
+    BOOLEAN ProtectHandle;
+} OBJECT_PROTECTION_INFO, *POBJECT_PROTECTION_INFO;
+
+typedef struct _OBJECT_QUOTA_CHARGES {
+    ULONG PagedPoolCharge;
+    ULONG NonPagedPoolCharge;
+    ULONG SecurityCharge;
+    ULONG Reserved;
+} OBJECT_QUOTA_CHARGES, *POBJECT_QUOTA_CHARGES;
+
+typedef struct _OBJECT_QUOTA_INFO {
+    ULONG       PagedPoolQuota;
+    ULONG       NonPagedPoolQuota;
+    ULONG       QuotaInformationSize;
+    PEPROCESS   Process; // Owning process
+} OBJECT_QUOTA_INFO, *POBJECT_QUOTA_INFO;
+
+typedef struct _OBJECT_TYPE_INITIALIZER {
+    USHORT          Length;
+    BOOLEAN         UseDefaultObject;
+    BOOLEAN         Reserved1;
+    ULONG           InvalidAttributes;
+    GENERIC_MAPPING GenericMapping;
+    ACCESS_MASK     ValidAccessMask;
+    BOOLEAN         SecurityRequired;
+    BOOLEAN         MaintainHandleCount;  /* OBJECT_HANDLE_DB */
+    BOOLEAN         MaintainTypeList;     /* OBJECT_CREATOR_INFO */
+    UCHAR           Reserved2;
+    BOOLEAN         PagedPool;
+    ULONG           DefaultPagedPoolCharge;
+    ULONG           DefaultNonPagedPoolCharge;
+    PVOID           DumpProcedure;
+    PVOID           OpenProcedure;
+    PVOID           CloseProcedure;
+    PVOID           DeleteProcedure;
+    PVOID           ParseProcedure;
+    PVOID           SecurityProcedure;    /* SeDefaultObjectMethod */
+    PVOID           QueryNameProcedure;
+    PVOID           OkayToCloseProcedure;
+} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;
+
+typedef struct _OBJECT_TYPE {
+    ERESOURCE               Lock;
+    LIST_ENTRY              ObjectListHead; /* OBJECT_CREATOR_INFO */
+    UNICODE_STRING          ObjectTypeName;
+    union {
+        PVOID               DefaultObject;  /* ObpDefaultObject */
+        ULONG               Code; /* File: 5C, WaitablePort: A0 */
+    };
+    ULONG                   ObjectTypeIndex; /* OB_TYPE_INDEX_* */
+    ULONG                   ObjectCount;
+    ULONG                   HandleCount;
+    ULONG                   PeakObjectCount;
+    ULONG                   PeakHandleCount;
+    OBJECT_TYPE_INITIALIZER TypeInfo;
+    ULONG                   ObjectTypeTag;   /* OB_TYPE_TAG_* */
+} OBJECT_TYPE, *POBJECT_TYPE;
+
+typedef struct _OBJECT_TYPE_INFO {
+    UNICODE_STRING  ObjectTypeName;
+    UCHAR           Unknown[0x58];
+    WCHAR           ObjectTypeNameBuffer[1];
+} OBJECT_TYPE_INFO, *POBJECT_TYPE_INFO;
+
+typedef struct _OBJECT_ALL_TYPES_INFO {
+    ULONG               NumberOfObjectTypes;
+    OBJECT_TYPE_INFO    ObjectsTypeInfo[1];
+} OBJECT_ALL_TYPES_INFO, *POBJECT_ALL_TYPES_INFO;
+
+typedef struct _PAGEFAULT_HISTORY {
+    ULONG                           CurrentIndex;
+    ULONG                           MaxIndex;
+    KSPIN_LOCK                      SpinLock;
+    PVOID                           Reserved;
+    PROCESS_WS_WATCH_INFORMATION    WatchInfo[1];
+} PAGEFAULT_HISTORY, *PPAGEFAULT_HISTORY;
+
+typedef struct _PATHNAME_BUFFER {
+    ULONG PathNameLength;
+    WCHAR Name[1];
+} PATHNAME_BUFFER, *PPATHNAME_BUFFER;
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+typedef struct _PRIVATE_CACHE_MAP_FLAGS {
+    ULONG DontUse           : 16;
+    ULONG ReadAheadActive   : 1;
+    ULONG ReadAheadEnabled  : 1;
+    ULONG Available         : 14;
+} PRIVATE_CACHE_MAP_FLAGS, *PPRIVATE_CACHE_MAP_FLAGS;
+
+typedef struct _PRIVATE_CACHE_MAP {
+    union {
+        CSHORT                  NodeTypeCode;
+        PRIVATE_CACHE_MAP_FLAGS Flags;
+        ULONG                   UlongFlags;
+    };
+    ULONG                       ReadAheadMask;
+    PFILE_OBJECT                FileObject;
+    LARGE_INTEGER               FileOffset1;
+    LARGE_INTEGER               BeyondLastByte1;
+    LARGE_INTEGER               FileOffset2;
+    LARGE_INTEGER               BeyondLastByte2;
+    LARGE_INTEGER               ReadAheadOffset[2];
+    ULONG                       ReadAheadLength[2];
+    KSPIN_LOCK                  ReadAheadSpinLock;
+    LIST_ENTRY                  PrivateLinks;
+} PRIVATE_CACHE_MAP, *PPRIVATE_CACHE_MAP;
+
+#endif
+
+typedef struct _PROCESS_PRIORITY_CLASS {
+    BOOLEAN Foreground;
+    UCHAR   PriorityClass;
+} PROCESS_PRIORITY_CLASS, *PPROCESS_PRIORITY_CLASS;
+
+typedef struct _PS_IMPERSONATION_INFORMATION {
+    PACCESS_TOKEN                   Token;
+    BOOLEAN                         CopyOnOpen;
+    BOOLEAN                         EffectiveOnly;
+    SECURITY_IMPERSONATION_LEVEL    ImpersonationLevel;
+} PS_IMPERSONATION_INFORMATION, *PPS_IMPERSONATION_INFORMATION;
+
+typedef struct _PUBLIC_BCB {
+    CSHORT          NodeTypeCode;
+    CSHORT          NodeByteSize;
+    ULONG           MappedLength;
+    LARGE_INTEGER   MappedFileOffset;
+} PUBLIC_BCB, *PPUBLIC_BCB;
+
+typedef struct _QUERY_PATH_REQUEST {
+    ULONG                   PathNameLength;
+    PIO_SECURITY_CONTEXT    SecurityContext;
+    WCHAR                   FilePathName[1];
+} QUERY_PATH_REQUEST, *PQUERY_PATH_REQUEST;
+
+typedef struct _QUERY_PATH_RESPONSE {
+    ULONG LengthAccepted;
+} QUERY_PATH_RESPONSE, *PQUERY_PATH_RESPONSE;
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+typedef struct _READ_LIST {
+    PFILE_OBJECT            FileObject;
+    ULONG                   NumberOfEntries;
+    LOGICAL                 IsImage;
+    FILE_SEGMENT_ELEMENT    List[ANYSIZE_ARRAY];
+} READ_LIST, *PREAD_LIST;
+
+#endif // (VER_PRODUCTBUILD >= 2600)
+
+typedef struct _REPARSE_DATA_BUFFER {
+
+    ULONG  ReparseTag;
+    USHORT ReparseDataLength;
+    USHORT Reserved;
+
+    union {
+
+        struct {
+            USHORT  SubstituteNameOffset;
+            USHORT  SubstituteNameLength;
+            USHORT  PrintNameOffset;
+            USHORT  PrintNameLength;
+            WCHAR   PathBuffer[1];
+        } SymbolicLinkReparseBuffer;
+
+        struct {
+            USHORT  SubstituteNameOffset;
+            USHORT  SubstituteNameLength;
+            USHORT  PrintNameOffset;
+            USHORT  PrintNameLength;
+            WCHAR   PathBuffer[1];
+        } MountPointReparseBuffer;
+
+        struct {
+            UCHAR   DataBuffer[1];
+        } GenericReparseBuffer;
+    };
+
+} REPARSE_DATA_BUFFER, *PREPARSE_DATA_BUFFER;
+
+typedef struct _RETRIEVAL_POINTERS_BUFFER {
+    ULONG               ExtentCount;
+    LARGE_INTEGER       StartingVcn;
+    struct {
+        LARGE_INTEGER   NextVcn;
+        LARGE_INTEGER   Lcn;
+    } Extents[1];
+} RETRIEVAL_POINTERS_BUFFER, *PRETRIEVAL_POINTERS_BUFFER;
+
+typedef struct _RTL_SPLAY_LINKS {
+    struct _RTL_SPLAY_LINKS *Parent;
+    struct _RTL_SPLAY_LINKS *LeftChild;
+    struct _RTL_SPLAY_LINKS *RightChild;
+} RTL_SPLAY_LINKS, *PRTL_SPLAY_LINKS;
+
+typedef struct _SE_EXPORTS {
+
+    LUID    SeCreateTokenPrivilege;
+    LUID    SeAssignPrimaryTokenPrivilege;
+    LUID    SeLockMemoryPrivilege;
+    LUID    SeIncreaseQuotaPrivilege;
+    LUID    SeUnsolicitedInputPrivilege;
+    LUID    SeTcbPrivilege;
+    LUID    SeSecurityPrivilege;
+    LUID    SeTakeOwnershipPrivilege;
+    LUID    SeLoadDriverPrivilege;
+    LUID    SeCreatePagefilePrivilege;
+    LUID    SeIncreaseBasePriorityPrivilege;
+    LUID    SeSystemProfilePrivilege;
+    LUID    SeSystemtimePrivilege;
+    LUID    SeProfileSingleProcessPrivilege;
+    LUID    SeCreatePermanentPrivilege;
+    LUID    SeBackupPrivilege;
+    LUID    SeRestorePrivilege;
+    LUID    SeShutdownPrivilege;
+    LUID    SeDebugPrivilege;
+    LUID    SeAuditPrivilege;
+    LUID    SeSystemEnvironmentPrivilege;
+    LUID    SeChangeNotifyPrivilege;
+    LUID    SeRemoteShutdownPrivilege;
+
+    PSID    SeNullSid;
+    PSID    SeWorldSid;
+    PSID    SeLocalSid;
+    PSID    SeCreatorOwnerSid;
+    PSID    SeCreatorGroupSid;
+
+    PSID    SeNtAuthoritySid;
+    PSID    SeDialupSid;
+    PSID    SeNetworkSid;
+    PSID    SeBatchSid;
+    PSID    SeInteractiveSid;
+    PSID    SeLocalSystemSid;
+    PSID    SeAliasAdminsSid;
+    PSID    SeAliasUsersSid;
+    PSID    SeAliasGuestsSid;
+    PSID    SeAliasPowerUsersSid;
+    PSID    SeAliasAccountOpsSid;
+    PSID    SeAliasSystemOpsSid;
+    PSID    SeAliasPrintOpsSid;
+    PSID    SeAliasBackupOpsSid;
+
+    PSID    SeAuthenticatedUsersSid;
+
+    PSID    SeRestrictedSid;
+    PSID    SeAnonymousLogonSid;
+
+    LUID    SeUndockPrivilege;
+    LUID    SeSyncAgentPrivilege;
+    LUID    SeEnableDelegationPrivilege;
+
+} SE_EXPORTS, *PSE_EXPORTS;
+
+typedef struct _SECTION_BASIC_INFORMATION {
+    PVOID           BaseAddress;
+    ULONG           Attributes;
+    LARGE_INTEGER   Size;
+} SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;
+
+typedef struct _SECTION_IMAGE_INFORMATION {
+    PVOID   EntryPoint;
+    ULONG   Unknown1;
+    ULONG   StackReserve;
+    ULONG   StackCommit;
+    ULONG   Subsystem;
+    USHORT  MinorSubsystemVersion;
+    USHORT  MajorSubsystemVersion;
+    ULONG   Unknown2;
+    ULONG   Characteristics;
+    USHORT  ImageNumber;
+    BOOLEAN Executable;
+    UCHAR   Unknown3;
+    ULONG   Unknown4[3];
+} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;
+
+typedef struct _SECTION_OBJECT {
+    PVOID                   StartingVa;
+    PVOID                   EndingVa;
+    struct _SECTION_OBJECT  *Parent;
+    struct _SECTION_OBJECT  *LeftChild;
+    struct _SECTION_OBJECT  *RightChild;
+    PVOID                   Segment;
+} SECTION_OBJECT, *PSECTION_OBJECT;
+
+typedef struct _SEP_AUDIT_POLICY {
+    // _SEP_AUDIT_POLICY_CATEGORIES
+    ULONGLONG System                    : 4;
+    ULONGLONG Logon                     : 4;
+    ULONGLONG ObjectAccess              : 4;
+    ULONGLONG PrivilegeUse              : 4;
+    ULONGLONG DetailedTracking          : 4;
+    ULONGLONG PolicyChange              : 4;
+    ULONGLONG AccountManagement         : 4;
+    ULONGLONG DirectoryServiceAccess    : 4;
+    ULONGLONG AccountLogon              : 4;
+    // _SEP_AUDIT_POLICY_OVERLAY
+    ULONGLONG SetBit                    : 1;
+} SEP_AUDIT_POLICY, *PSEP_AUDIT_POLICY;
+
+/* size 0x1C */
+typedef struct _SEP_AUDIT_POLICY_VISTA {
+    UCHAR   PerUserPolicy[25];  /* +0x000 */
+    UCHAR   PolicySetStatus;    /* +0x019 */
+    USHORT  Alignment;          /* +0x01A */
+} SEP_AUDIT_POLICY_VISTA, *PSEP_AUDIT_POLICY_VISTA;
+
+typedef struct _SERVICE_DESCRIPTOR_TABLE {
+    /*
+     * Table containing cServices elements of pointers to service handler
+     * functions, indexed by service ID.
+     */
+    PVOID   *ServiceTable;
+    /*
+     * Table that counts how many times each service is used. This table
+     * is only updated in checked builds.
+     */
+    PULONG  CounterTable;
+    /*
+     * Number of services contained in this table.
+     */
+    ULONG   TableSize;
+    /*
+     * Table containing the number of bytes of parameters the handler
+     * function takes.
+     */
+    PUCHAR  ArgumentTable;
+} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+typedef struct _SHARED_CACHE_MAP {
+    CSHORT                      NodeTypeCode;
+    CSHORT                      NodeByteSize;
+    ULONG                       OpenCount;
+    LARGE_INTEGER               FileSize;
+    LIST_ENTRY                  BcbList;
+    LARGE_INTEGER               SectionSize;
+    LARGE_INTEGER               ValidDataLength;
+    LARGE_INTEGER               ValidDataGoal;
+    PVACB                       InitialVacbs[4];
+    PVACB                       *Vacbs;
+    PFILE_OBJECT                FileObject;
+    PVACB                       ActiveVacb;
+    PVOID                       NeedToZero;
+    ULONG                       ActivePage;
+    ULONG                       NeedToZeroPage;
+    KSPIN_LOCK                  ActiveVacbSpinLock;
+    ULONG                       VacbActiveCount;
+    ULONG                       DirtyPages;
+    LIST_ENTRY                  SharedCacheMapLinks;
+    ULONG                       Flags;
+    NTSTATUS                    Status;
+    PMBCB                       Mbcb;
+    PVOID                       Section;
+    PKEVENT                     CreateEvent;
+    PKEVENT                     WaitOnActiveCount;
+    ULONG                       PagesToWrite;
+    LONGLONG                    BeyondLastFlush;
+    PCACHE_MANAGER_CALLBACKS    Callbacks;
+    PVOID                       LazyWriteContext;
+    LIST_ENTRY                  PrivateList;
+    PVOID                       LogHandle;
+    PVOID                       FlushToLsnRoutine;
+    ULONG                       DirtyPageThreshold;
+    ULONG                       LazyWritePassCount;
+    PCACHE_UNINITIALIZE_EVENT   UninitializeEvent;
+    PVACB                       NeedToZeroVacb;
+    KSPIN_LOCK                  BcbSpinLock;
+    PVOID                       Reserved;
+    KEVENT                      Event;
+    EX_PUSH_LOCK                VacbPushLock;
+    PRIVATE_CACHE_MAP           PrivateCacheMap;
+} SHARED_CACHE_MAP, *PSHARED_CACHE_MAP;
+
+#endif
+
+typedef struct _SID_AND_ATTRIBUTES {
+    PSID    Sid;
+    ULONG   Attributes;
+} SID_AND_ATTRIBUTES, *PSID_AND_ATTRIBUTES;
+
+typedef struct _SID_AND_ATTRIBUTES_HASH {
+    ULONG               SidCount;   /* +0x000 */
+    PSID_AND_ATTRIBUTES SidAttr;    /* +0x004 */
+    ULONG               Hash[32];   /* +0x008 */
+} SID_AND_ATTRIBUTES_HASH, *PSID_AND_ATTRIBUTES_HASH;
+
+typedef struct _STARTING_VCN_INPUT_BUFFER {
+    LARGE_INTEGER StartingVcn;
+} STARTING_VCN_INPUT_BUFFER, *PSTARTING_VCN_INPUT_BUFFER;
+
+// SystemBasicInformation
+typedef struct _SYSTEM_BASIC_INFORMATION {
+    ULONG Unknown;
+    ULONG MaximumIncrement;
+    ULONG PhysicalPageSize;
+    ULONG NumberOfPhysicalPages;
+    ULONG LowestPhysicalPage;
+    ULONG HighestPhysicalPage;
+    ULONG AllocationGranularity;
+    ULONG LowestUserAddress;
+    ULONG HighestUserAddress;
+    ULONG ActiveProcessors;
+    UCHAR NumberProcessors;
+} SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION;
+
+// SystemProcessorInformation
+typedef struct _SYSTEM_PROCESSOR_INFORMATION {
+    USHORT  ProcessorArchitecture;
+    USHORT  ProcessorLevel;
+    USHORT  ProcessorRevision;
+    USHORT  Unknown;
+    ULONG   FeatureBits;
+} SYSTEM_PROCESSOR_INFORMATION, *PSYSTEM_PROCESSOR_INFORMATION;
+
+// SystemPerformanceInformation
+typedef struct _SYSTEM_PERFORMANCE_INFORMATION {
+    LARGE_INTEGER   IdleTime;
+    LARGE_INTEGER   ReadTransferCount;
+    LARGE_INTEGER   WriteTransferCount;
+    LARGE_INTEGER   OtherTransferCount;
+    ULONG           ReadOperationCount;
+    ULONG           WriteOperationCount;
+    ULONG           OtherOperationCount;
+    ULONG           AvailablePages;
+    ULONG           TotalCommittedPages;
+    ULONG           TotalCommitLimit;
+    ULONG           PeakCommitment;
+    ULONG           PageFaults;
+    ULONG           WriteCopyFaults;
+    ULONG           TransistionFaults;
+    ULONG           Reserved1;
+    ULONG           DemandZeroFaults;
+    ULONG           PagesRead;
+    ULONG           PageReadIos;
+    ULONG           Reserved2[2];
+    ULONG           PagefilePagesWritten;
+    ULONG           PagefilePageWriteIos;
+    ULONG           MappedFilePagesWritten;
+    ULONG           MappedFilePageWriteIos;
+    ULONG           PagedPoolUsage;
+    ULONG           NonPagedPoolUsage;
+    ULONG           PagedPoolAllocs;
+    ULONG           PagedPoolFrees;
+    ULONG           NonPagedPoolAllocs;
+    ULONG           NonPagedPoolFrees;
+    ULONG           TotalFreeSystemPtes;
+    ULONG           SystemCodePage;
+    ULONG           TotalSystemDriverPages;
+    ULONG           TotalSystemCodePages;
+    ULONG           SmallNonPagedLookasideListAllocateHits;
+    ULONG           SmallPagedLookasideListAllocateHits;
+    ULONG           Reserved3;
+    ULONG           MmSystemCachePage;
+    ULONG           PagedPoolPage;
+    ULONG           SystemDriverPage;
+    ULONG           FastReadNoWait;
+    ULONG           FastReadWait;
+    ULONG           FastReadResourceMiss;
+    ULONG           FastReadNotPossible;
+    ULONG           FastMdlReadNoWait;
+    ULONG           FastMdlReadWait;
+    ULONG           FastMdlReadResourceMiss;
+    ULONG           FastMdlReadNotPossible;
+    ULONG           MapDataNoWait;
+    ULONG           MapDataWait;
+    ULONG           MapDataNoWaitMiss;
+    ULONG           MapDataWaitMiss;
+    ULONG           PinMappedDataCount;
+    ULONG           PinReadNoWait;
+    ULONG           PinReadWait;
+    ULONG           PinReadNoWaitMiss;
+    ULONG           PinReadWaitMiss;
+    ULONG           CopyReadNoWait;
+    ULONG           CopyReadWait;
+    ULONG           CopyReadNoWaitMiss;
+    ULONG           CopyReadWaitMiss;
+    ULONG           MdlReadNoWait;
+    ULONG           MdlReadWait;
+    ULONG           MdlReadNoWaitMiss;
+    ULONG           MdlReadWaitMiss;
+    ULONG           ReadAheadIos;
+    ULONG           LazyWriteIos;
+    ULONG           LazyWritePages;
+    ULONG           DataFlushes;
+    ULONG           DataPages;
+    ULONG           ContextSwitches;
+    ULONG           FirstLevelTbFills;
+    ULONG           SecondLevelTbFills;
+    ULONG           SystemCalls;
+} SYSTEM_PERFORMANCE_INFORMATION, *PSYSTEM_PERFORMANCE_INFORMATION;
+
+// SystemTimeOfDayInformation
+typedef struct _SYSTEM_TIME_OF_DAY_INFORMATION {
+    LARGE_INTEGER   BootTime;
+    LARGE_INTEGER   CurrentTime;
+    LARGE_INTEGER   TimeZoneBias;
+    ULONG           CurrentTimeZoneId;
+} SYSTEM_TIME_OF_DAY_INFORMATION, *PSYSTEM_TIME_OF_DAY_INFORMATION;
+
+typedef struct _SYSTEM_THREADS_INFORMATION {
+    LARGE_INTEGER   KernelTime;
+    LARGE_INTEGER   UserTime;
+    LARGE_INTEGER   CreateTime;
+    ULONG           WaitTime;
+    PVOID           StartAddress;
+    CLIENT_ID       ClientId;
+    KPRIORITY       Priority;
+    KPRIORITY       BasePriority;
+    ULONG           ContextSwitchCount;
+    THREAD_STATE    State;
+    KWAIT_REASON    WaitReason;
+} SYSTEM_THREADS_INFORMATION, *PSYSTEM_THREADS_INFORMATION;
+
+// SystemProcessesAndThreadsInformation
+typedef struct _SYSTEM_PROCESSES_INFORMATION {
+    ULONG                       NextEntryDelta;
+    ULONG                       ThreadCount;
+    ULONG                       Reserved1[6];
+    LARGE_INTEGER               CreateTime;
+    LARGE_INTEGER               UserTime;
+    LARGE_INTEGER               KernelTime;
+    UNICODE_STRING              ProcessName;
+    KPRIORITY                   BasePriority;
+    ULONG                       ProcessId;
+    ULONG                       InheritedFromProcessId;
+    ULONG                       HandleCount;
+    ULONG                       SessionId;
+    ULONG                       Reserved2;
+    VM_COUNTERS                 VmCounters;
+#if (VER_PRODUCTBUILD >= 2195)
+    IO_COUNTERS                 IoCounters;
+#endif // (VER_PRODUCTBUILD >= 2195)
+    SYSTEM_THREADS_INFORMATION  Threads[1];
+} SYSTEM_PROCESSES_INFORMATION, *PSYSTEM_PROCESSES_INFORMATION;
+
+// SystemCallCounts
+typedef struct _SYSTEM_CALL_COUNTS {
+    ULONG Size;
+    ULONG NumberOfDescriptorTables;
+    ULONG NumberOfRoutinesInTable[1];
+    // On checked build this is followed by a ULONG CallCounts[1] variable length array.
+} SYSTEM_CALL_COUNTS, *PSYSTEM_CALL_COUNTS;
+
+// SystemConfigurationInformation
+typedef struct _SYSTEM_CONFIGURATION_INFORMATION {
+    ULONG DiskCount;
+    ULONG FloppyCount;
+    ULONG CdRomCount;
+    ULONG TapeCount;
+    ULONG SerialCount;
+    ULONG ParallelCount;
+} SYSTEM_CONFIGURATION_INFORMATION, *PSYSTEM_CONFIGURATION_INFORMATION;
+
+// SystemProcessorTimes
+typedef struct _SYSTEM_PROCESSOR_TIMES {
+    LARGE_INTEGER   IdleTime;
+    LARGE_INTEGER   KernelTime;
+    LARGE_INTEGER   UserTime;
+    LARGE_INTEGER   DpcTime;
+    LARGE_INTEGER   InterruptTime;
+    ULONG           InterruptCount;
+} SYSTEM_PROCESSOR_TIMES, *PSYSTEM_PROCESSOR_TIMES;
+
+// SystemGlobalFlag
+typedef struct _SYSTEM_GLOBAL_FLAG {
+    ULONG GlobalFlag;
+} SYSTEM_GLOBAL_FLAG, *PSYSTEM_GLOBAL_FLAG;
+
+// SystemModuleInformation
+typedef struct _SYSTEM_MODULE_INFORMATION {
+    ULONG   Reserved[2];
+    PVOID   Base;
+    ULONG   Size;
+    ULONG   Flags;
+    USHORT  Index;
+    USHORT  Unknown;
+    USHORT  LoadCount;
+    USHORT  ModuleNameOffset;
+    CHAR    ImageName[256];
+} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
+
+// SystemLockInformation
+typedef struct _SYSTEM_LOCK_INFORMATION {
+    PVOID   Address;
+    USHORT  Type;
+    USHORT  Reserved1;
+    ULONG   ExclusiveOwnerThreadId;
+    ULONG   ActiveCount;
+    ULONG   ContentionCount;
+    ULONG   Reserved2[2];
+    ULONG   NumberOfSharedWaiters;
+    ULONG   NumberOfExclusiveWaiters;
+} SYSTEM_LOCK_INFORMATION, *PSYSTEM_LOCK_INFORMATION;
+
+// SystemHandleInformation
+typedef struct _SYSTEM_HANDLE_INFORMATION {
+    ULONG       ProcessId;
+    UCHAR       ObjectTypeNumber;
+    UCHAR       Flags;
+    USHORT      Handle;
+    PVOID       Object;
+    ACCESS_MASK GrantedAccess;
+} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
+
+// SystemObjectInformation
+typedef struct _SYSTEM_OBJECT_TYPE_INFORMATION {
+    ULONG           NextEntryOffset;
+    ULONG           ObjectCount;
+    ULONG           HandleCount;
+    ULONG           TypeNumber;
+    ULONG           InvalidAttributes;
+    GENERIC_MAPPING GenericMapping;
+    ACCESS_MASK     ValidAccessMask;
+    POOL_TYPE       PoolType;
+    UCHAR           Unknown;
+    UNICODE_STRING  Name;
+} SYSTEM_OBJECT_TYPE_INFORMATION, *PSYSTEM_OBJECT_TYPE_INFORMATION;
+
+typedef struct _SYSTEM_OBJECT_INFORMATION {
+    ULONG                   NextEntryOffset;
+    PVOID                   Object;
+    ULONG                   CreatorProcessId;
+    USHORT                  Unknown;
+    USHORT                  Flags;
+    ULONG                   PointerCount;
+    ULONG                   HandleCount;
+    ULONG                   PagedPoolUsage;
+    ULONG                   NonPagedPoolUsage;
+    ULONG                   ExclusiveProcessId;
+    PSECURITY_DESCRIPTOR    SecurityDescriptor;
+    UNICODE_STRING          Name;
+} SYSTEM_OBJECT_INFORMATION, *PSYSTEM_OBJECT_INFORMATION;
+
+// SystemPagefileInformation
+typedef struct _SYSTEM_PAGEFILE_INFORMATION {
+    ULONG           NextEntryOffset;
+    ULONG           CurrentSize;
+    ULONG           TotalUsed;
+    ULONG           PeakUsed;
+    UNICODE_STRING  FileName;
+} SYSTEM_PAGEFILE_INFORMATION, *PSYSTEM_PAGEFILE_INFORMATION;
+
+// SystemInstructionEmulationCounts
+typedef struct _SYSTEM_INSTRUCTION_EMULATION_COUNTS {
+    ULONG GenericInvalidOpcode;
+    ULONG TwoByteOpcode;
+    ULONG ESprefix;
+    ULONG CSprefix;
+    ULONG SSprefix;
+    ULONG DSprefix;
+    ULONG FSPrefix;
+    ULONG GSprefix;
+    ULONG OPER32prefix;
+    ULONG ADDR32prefix;
+    ULONG INSB;
+    ULONG INSW;
+    ULONG OUTSB;
+    ULONG OUTSW;
+    ULONG PUSHFD;
+    ULONG POPFD;
+    ULONG INTnn;
+    ULONG INTO;
+    ULONG IRETD;
+    ULONG FloatingPointOpcode;
+    ULONG INBimm;
+    ULONG INWimm;
+    ULONG OUTBimm;
+    ULONG OUTWimm;
+    ULONG INB;
+    ULONG INW;
+    ULONG OUTB;
+    ULONG OUTW;
+    ULONG LOCKprefix;
+    ULONG REPNEprefix;
+    ULONG REPprefix;
+    ULONG CLI;
+    ULONG STI;
+    ULONG HLT;
+} SYSTEM_INSTRUCTION_EMULATION_COUNTS, *PSYSTEM_INSTRUCTION_EMULATION_COUNTS;
+
+// SystemCacheInformation
+typedef struct _SYSTEM_CACHE_INFORMATION {
+    ULONG SystemCacheWsSize;
+    ULONG SystemCacheWsPeakSize;
+    ULONG SystemCacheWsFaults;
+    ULONG SystemCacheWsMinimum;
+    ULONG SystemCacheWsMaximum;
+    ULONG TransitionSharedPages;
+    ULONG TransitionSharedPagesPeak;
+    ULONG Reserved[2];
+} SYSTEM_CACHE_INFORMATION, *PSYSTEM_CACHE_INFORMATION;
+
+// SystemPoolTagInformation
+typedef struct _SYSTEM_POOL_TAG_INFORMATION {
+    CHAR    Tag[4];
+    ULONG   PagedPoolAllocs;
+    ULONG   PagedPoolFrees;
+    ULONG   PagedPoolUsage;
+    ULONG   NonPagedPoolAllocs;
+    ULONG   NonPagedPoolFrees;
+    ULONG   NonPagedPoolUsage;
+} SYSTEM_POOL_TAG_INFORMATION, *PSYSTEM_POOL_TAG_INFORMATION;
+
+// SystemProcessorStatistics
+typedef struct _SYSTEM_PROCESSOR_STATISTICS {
+    ULONG ContextSwitches;
+    ULONG DpcCount;
+    ULONG DpcRequestRate;
+    ULONG TimeIncrement;
+    ULONG DpcBypassCount;
+    ULONG ApcBypassCount;
+} SYSTEM_PROCESSOR_STATISTICS, *PSYSTEM_PROCESSOR_STATISTICS;
+
+// SystemDpcInformation
+typedef struct _SYSTEM_DPC_INFORMATION {
+    ULONG Reserved;
+    ULONG MaximumDpcQueueDepth;
+    ULONG MinimumDpcRate;
+    ULONG AdjustDpcThreshold;
+    ULONG IdealDpcRate;
+} SYSTEM_DPC_INFORMATION, *PSYSTEM_DPC_INFORMATION;
+
+// SystemLoadImage
+typedef struct _SYSTEM_LOAD_IMAGE {
+    UNICODE_STRING  ModuleName;
+    PVOID           ModuleBase;
+    PVOID           Unknown;
+    PVOID           EntryPoint;
+    PVOID           ExportDirectory;
+} SYSTEM_LOAD_IMAGE, *PSYSTEM_LOAD_IMAGE;
+
+// SystemUnloadImage
+typedef struct _SYSTEM_UNLOAD_IMAGE {
+    PVOID ModuleBase;
+} SYSTEM_UNLOAD_IMAGE, *PSYSTEM_UNLOAD_IMAGE;
+
+// SystemTimeAdjustment
+typedef struct _SYSTEM_QUERY_TIME_ADJUSTMENT {
+    ULONG   TimeAdjustment;
+    ULONG   MaximumIncrement;
+    BOOLEAN TimeSynchronization;
+} SYSTEM_QUERY_TIME_ADJUSTMENT, *PSYSTEM_QUERY_TIME_ADJUSTMENT;
+
+// SystemTimeAdjustment
+typedef struct _SYSTEM_SET_TIME_ADJUSTMENT {
+    ULONG   TimeAdjustment;
+    BOOLEAN TimeSynchronization;
+} SYSTEM_SET_TIME_ADJUSTMENT, *PSYSTEM_SET_TIME_ADJUSTMENT;
+
+// SystemCrashDumpInformation
+typedef struct _SYSTEM_CRASH_DUMP_INFORMATION {
+    HANDLE CrashDumpSectionHandle;
+#if (VER_PRODUCTBUILD >= 2195)
+    HANDLE Unknown;
+#endif // (VER_PRODUCTBUILD >= 2195)
+} SYSTEM_CRASH_DUMP_INFORMATION, *PSYSTEM_CRASH_DUMP_INFORMATION;
+
+// SystemExceptionInformation
+typedef struct _SYSTEM_EXCEPTION_INFORMATION {
+    ULONG AlignmentFixupCount;
+    ULONG ExceptionDispatchCount;
+    ULONG FloatingEmulationCount;
+    ULONG Reserved;
+} SYSTEM_EXCEPTION_INFORMATION, *PSYSTEM_EXCEPTION_INFORMATION;
+
+// SystemCrashDumpStateInformation
+typedef struct _SYSTEM_CRASH_DUMP_STATE_INFORMATION {
+    ULONG ValidCrashDump;
+#if (VER_PRODUCTBUILD >= 2195)
+    ULONG Unknown;
+#endif // (VER_PRODUCTBUILD >= 2195)
+} SYSTEM_CRASH_DUMP_STATE_INFORMATION, *PSYSTEM_CRASH_DUMP_STATE_INFORMATION;
+
+// SystemKernelDebuggerInformation
+typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION {
+    BOOLEAN DebuggerEnabled;
+    BOOLEAN DebuggerNotPresent;
+} SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION;
+
+// SystemContextSwitchInformation
+typedef struct _SYSTEM_CONTEXT_SWITCH_INFORMATION {
+    ULONG ContextSwitches;
+    ULONG ContextSwitchCounters[11];
+} SYSTEM_CONTEXT_SWITCH_INFORMATION, *PSYSTEM_CONTEXT_SWITCH_INFORMATION;
+
+// SystemRegistryQuotaInformation
+typedef struct _SYSTEM_REGISTRY_QUOTA_INFORMATION {
+    ULONG RegistryQuota;
+    ULONG RegistryQuotaInUse;
+    ULONG PagedPoolSize;
+} SYSTEM_REGISTRY_QUOTA_INFORMATION, *PSYSTEM_REGISTRY_QUOTA_INFORMATION;
+
+// SystemLoadAndCallImage
+typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE {
+    UNICODE_STRING ModuleName;
+} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;
+
+// SystemPrioritySeparation
+typedef struct _SYSTEM_PRIORITY_SEPARATION {
+    ULONG PrioritySeparation;
+} SYSTEM_PRIORITY_SEPARATION, *PSYSTEM_PRIORITY_SEPARATION;
+
+// SystemTimeZoneInformation
+typedef struct _SYSTEM_TIME_ZONE_INFORMATION {
+    LONG        Bias;
+    WCHAR       StandardName[32];
+    TIME_FIELDS StandardDate;
+    LONG        StandardBias;
+    WCHAR       DaylightName[32];
+    TIME_FIELDS DaylightDate;
+    LONG        DaylightBias;
+} SYSTEM_TIME_ZONE_INFORMATION, *PSYSTEM_TIME_ZONE_INFORMATION;
+
+// SystemLookasideInformation
+typedef struct _SYSTEM_LOOKASIDE_INFORMATION {
+    USHORT      Depth;
+    USHORT      MaximumDepth;
+    ULONG       TotalAllocates;
+    ULONG       AllocateMisses;
+    ULONG       TotalFrees;
+    ULONG       FreeMisses;
+    POOL_TYPE   Type;
+    ULONG       Tag;
+    ULONG       Size;
+} SYSTEM_LOOKASIDE_INFORMATION, *PSYSTEM_LOOKASIDE_INFORMATION;
+
+// SystemSetTimeSlipEvent
+typedef struct _SYSTEM_SET_TIME_SLIP_EVENT {
+    HANDLE TimeSlipEvent;
+} SYSTEM_SET_TIME_SLIP_EVENT, *PSYSTEM_SET_TIME_SLIP_EVENT;
+
+// SystemCreateSession
+typedef struct _SYSTEM_CREATE_SESSION {
+    ULONG Session;
+} SYSTEM_CREATE_SESSION, *PSYSTEM_CREATE_SESSION;
+
+// SystemDeleteSession
+typedef struct _SYSTEM_DELETE_SESSION {
+    ULONG Session;
+} SYSTEM_DELETE_SESSION, *PSYSTEM_DELETE_SESSION;
+
+// SystemRangeStartInformation
+typedef struct _SYSTEM_RANGE_START_INFORMATION {
+    PVOID SystemRangeStart;
+} SYSTEM_RANGE_START_INFORMATION, *PSYSTEM_RANGE_START_INFORMATION;
+
+// SystemSessionProcessesInformation
+typedef struct _SYSTEM_SESSION_PROCESS_INFORMATION {
+    ULONG SessionId;
+    ULONG BufferSize;
+    PVOID Buffer;
+} SYSTEM_SESSION_PROCESS_INFORMATION, *PSYSTEM_SESSION_PROCESS_INFORMATION;
+
+typedef struct _GDI_TEB_BATCH {
+    ULONG Offset;
+    ULONG HDC;
+    ULONG Buffer[(VER_PRODUCTBUILD >= 2195) ? 0x133 : 0x136];
+} GDI_TEB_BATCH, *PGDI_TEB_BATCH;
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME {
+    struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous;
+    struct _ACTIVATION_CONTEXT*                 ActivationContext; // 0x4
+    ULONG                                       Flags; // 0x8
+} RTL_ACTIVATION_CONTEXT_STACK_FRAME, *PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
+
+typedef struct _ACTIVATION_CONTEXT_STACK {
+    ULONG                               Flags;
+    ULONG                               NextCookieSequenceNumber;
+    PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame; // 0x8
+    LIST_ENTRY                          FrameListCache; // 0xc
+} ACTIVATION_CONTEXT_STACK, *PACTIVATION_CONTEXT_STACK;
+
+#endif // (VER_PRODUCTBUILD >= 2600)
+
+typedef struct _Wx86ThreadState {
+    PULONG  CallBx86Eip;
+    PVOID   DeallocationCpu;
+    UCHAR   UseKnownWx86Dll; // 0x8
+    UCHAR   OleStubInvoked; // 0x9
+} Wx86ThreadState, *PWx86ThreadState;
+
+typedef struct _TEB_ACTIVE_FRAME_CONTEXT {
+    ULONG Flags;
+    PCHAR FrameName;
+} TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT;
+
+typedef struct _TEB_ACTIVE_FRAME {
+    ULONG                       Flags;
+    struct _TEB_ACTIVE_FRAME    *Previous;
+    PTEB_ACTIVE_FRAME_CONTEXT   Context;
+} TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME;
+
+typedef struct _TEB // from Reactos, Native API; checked and corrected for 2003 and nt 4.0
+                    // should also work on XP and 2000
+                    // the reactos version was probably from NT 3.51 SP3
+{
+   NT_TIB Tib;                         /* 00h */
+   PVOID EnvironmentPointer;           /* 1Ch */
+   CLIENT_ID Cid;                      /* 20h */
+   HANDLE RpcHandle;                   /* 28h */
+   PVOID *ThreadLocalStorage;          /* 2Ch */
+   PPEB Peb;                           /* 30h */
+   ULONG LastErrorValue;               /* 34h */
+   ULONG CountOfOwnedCriticalSections; /* 38h */
+   PVOID CsrClientThread;              /* 3Ch */
+   struct _W32THREAD* Win32ThreadInfo; /* 40h */    
+   ULONG User32Reserved[26];           /* 44h */
+   ULONG UserReserved[5];              /* ACh */
+   PVOID WOW32Reserved;                /* C0h */
+   LCID CurrentLocale;                 /* C4h */
+   ULONG FpSoftwareStatusRegister;     /* C8h */
+   PVOID SystemReserved1[0x36];        /* CCh */
+#if (VER_PRODUCTBUILD <= 1381)
+   PVOID Spare1;                       /* 1A4h */
+#endif
+   LONG ExceptionCode;                 /* 1A4h */
+#if (VER_PRODUCTBUILD >= 2600)
+   ACTIVATION_CONTEXT_STACK 
+        ActivationContextStack;        /* 1A8h */
+   UCHAR SpareBytes1[24];              /* 1BCh */
+#elif (VER_PRODUCTBUILD >= 2195)
+   UCHAR SpareBytes1[0x2c];            /* 1A8h */
+#else /* nt 4.0 */
+   ULONG SpareBytes1[0x14];            /* 1ACh */
+#endif
+   GDI_TEB_BATCH GdiTebBatch;          /* 1D4h */ /* 1FC for nt 4.0 */
+   ULONG gdiRgn;                       /* 6A8h */ /* 6DCh for nt 4.0 */
+   ULONG gdiPen;                       /* 6ACh */
+   ULONG gdiBrush;                     /* 6B0h */
+   CLIENT_ID RealClientId;             /* 6B4h */ /* 6E8h for nt 4.0 */
+   PVOID GdiCachedProcessHandle;       /* 6BCh */
+   ULONG GdiClientPID;                 /* 6C0h */
+   ULONG GdiClientTID;                 /* 6C4h */
+   PVOID GdiThreadLocaleInfo;          /* 6C8h */
+#if (VER_PRODUCTBUILD == 1381)
+   PVOID Win32ClientInfo[5];           /* 700h */
+   PVOID glDispatchTable[0x118];       /* 714h */
+   ULONG glReserved1[0x1a];            /* B74h */   
+#else
+   PVOID Win32ClientInfo[0x3e];        /* 6CCh */
+   PVOID glDispatchTable[0xe9];        /* 7C4h */
+   ULONG glReserved1[0x1d];            /* B68h */
+#endif
+   PVOID glReserved2;                  /* BDCh */
+   PVOID glSectionInfo;                /* BE0h */
+   PVOID glSection;                    /* BE4h */
+   PVOID glTable;                      /* BE8h */
+   PVOID glCurrentRC;                  /* BECh */
+   PVOID glContext;                    /* BF0h */
+   NTSTATUS LastStatusValue;           /* BF4h */
+   UNICODE_STRING StaticUnicodeString; /* BF8h */
+   WCHAR StaticUnicodeBuffer[0x105];   /* C00h */
+   PVOID DeallocationStack;            /* E0Ch */
+   PVOID TlsSlots[0x40];               /* E10h */
+   LIST_ENTRY TlsLinks;                /* F10h */
+   PVOID Vdm;                          /* F18h */
+   PVOID ReservedForNtRpc;             /* F1Ch */
+   PVOID DbgSsReserved[0x2];           /* F20h */
+   ULONG HardErrorDisabled;            /* F28h */
+   PVOID Instrumentation[0x10];        /* F2Ch */
+   PVOID WinSockData;                  /* F6Ch */
+   ULONG GdiBatchCount;                /* F70h */
+   BOOLEAN InDbgPrint;                 /* F74h */
+   BOOLEAN FreeStackOnTermination;     /* F75h */
+   BOOLEAN HasFiberData;               /* F76h */
+   UCHAR IdealProcessor;               /* F77h */
+   ULONG Spare3;                       /* F78h */
+   ULONG ReservedForPerf;              /* F7Ch */
+   PVOID ReservedForOle;               /* F80h */
+   ULONG WaitingOnLoaderLock;          /* F84h */
+#if (VER_PRODUCTBUILD >= 2195)
+   Wx86ThreadState Wx86Thread;         /* F88h */
+   PVOID* TlsExpansionSlots;           /* F94h */
+   ULONG ImpersonationLocale;          /* F98h */
+   ULONG IsImpersonating;              /* F9Ch */
+   PVOID NlsCache;                     /* FA0h */
+   PVOID pShimData;                    /* FA4h */
+   ULONG HeapVirtualAffinity;          /* FA8h */
+   PVOID CurrentTransactionHandle;     /* FACh */
+   PTEB_ACTIVE_FRAME ActiveFrame;      /* FB0h*/
+   PVOID FlsSlots;                     /* FB4h */
+#endif
+} TEB, *PTEB;
+
+typedef struct _TERMINATION_PORT {
+    struct _TERMINATION_PORT*   Next;
+    PVOID                       Port;
+} TERMINATION_PORT, *PTERMINATION_PORT;
+
+typedef struct _THREAD_BASIC_INFORMATION {
+    NTSTATUS    ExitStatus;
+    PVOID       TebBaseAddress;
+    ULONG       UniqueProcessId;
+    ULONG       UniqueThreadId;
+    KAFFINITY   AffinityMask;
+    KPRIORITY   BasePriority;
+    ULONG       DiffProcessPriority;
+} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;
+
+typedef struct _TOKEN_SOURCE {
+    CCHAR   SourceName[TOKEN_SOURCE_LENGTH];
+    LUID    SourceIdentifier;
+} TOKEN_SOURCE, *PTOKEN_SOURCE;
+
+typedef struct _TOKEN_CONTROL {
+    LUID            TokenId;
+    LUID            AuthenticationId;
+    LUID            ModifiedId;
+    TOKEN_SOURCE    TokenSource;
+} TOKEN_CONTROL, *PTOKEN_CONTROL;
+
+typedef struct _TOKEN_DEFAULT_DACL {
+    PACL DefaultDacl;
+} TOKEN_DEFAULT_DACL, *PTOKEN_DEFAULT_DACL;
+
+typedef struct _TOKEN_GROUPS {
+    ULONG               GroupCount;
+    SID_AND_ATTRIBUTES  Groups[1];
+} TOKEN_GROUPS, *PTOKEN_GROUPS;
+
+/* XP SP2 has same TOKEN_OBJECT structure as Windows Server 2003 (stucture K23 in union). */
+#include <pshpack1.h>
+typedef union
+{
+  struct
+   {
+    TOKEN_SOURCE TokenSource;     /* 0x0: CHAR SourceName[8] = "*SYSTEM*" | "User32  " + LUID SourceIdentifier = 0x10, *SYSTEM* id == 0 */
+    LUID TokenId;         /* 0x10: */
+    LUID AuthenticationId;    /* 0x18: */
+    LARGE_INTEGER ExpirationTime; /* 0x20: -1 no expired. *SYSTEM* has expired? */
+    LUID ModifiedId;          /* 0x28: */
+    ULONG UserAndGroupCount;      /* 0x30: 3 */
+    ULONG PrivilegeCount;     /* 0x34: 14 */
+    ULONG VariableLength;     /* 0x38: 0x37C */
+    ULONG DynamicCharged;     /* 0x3C: 0x1F4 */
+    ULONG DynamicAvailable;   /* 0x40: 0x1A4 */
+    ULONG DefaultOwnerIndex;      /* 0x44: 1 */
+    PSID_AND_ATTRIBUTES UserAndGroups;/* 0x48: TOKEN_USER Owners [UserAndGroupCount] DefaultOwnerIndex */
+    PSID  PrimaryGroup;       /* 0x4C: */
+    PLUID_AND_ATTRIBUTES Privileges;/* 0x50: */
+    PULONG DynamicPart;       /* 0x54: */
+    PACL   DefaultDacl;       /* 0x58: */
+    TOKEN_TYPE TokenType;     /* 0x5C: TokenPrimary | TokenImpersonation */
+    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;/* 0x60: 0 */
+    UCHAR   TokenFlags;       /* 0x64: 1 */
+    BOOLEAN TokenInUse;       /* 0x65: 1 */
+    USHORT  Alignment;        /* 0x66: 0 */
+    PVOID   ProxyData;        /* 0x68: 0 */
+    PVOID   AuditData;        /* 0x6C: 0 */
+    ULONG VariablePart;       /* 0x70: */
+   } NT;
+  struct
+   {
+    TOKEN_SOURCE TokenSource;     /* 0x0: CHAR SourceName[8] = "*SYSTEM*" | "User32  " + LUID SourceIdentifier = 0x10 */
+    LUID TokenId;         /* 0x10: */
+    LUID AuthenticationId;    /* 0x18: */
+    LUID ParentTokenId;       /* 0x20: 0 */
+    LARGE_INTEGER ExpirationTime; /* 0x28: -1 no expired */
+    LUID ModifiedId;          /* 0x30: */
+    ULONG SessionId;          /* 0x38: 0 */
+    ULONG UserAndGroupCount;      /* 0x3C: 9 */
+    ULONG RestrictedSidCount;     /*+0x40: 0 */
+    ULONG PrivilegeCount;     /* 0x44: 11 */
+    ULONG VariableLength;     /* 0x48: 0x1F0 */
+    ULONG DynamicCharged;     /* 0x4C: 0x1F4 */
+    ULONG DynamicAvailable;   /* 0x50: 0x1A4 */
+    ULONG DefaultOwnerIndex;      /* 0x54: 3 */
+    PSID_AND_ATTRIBUTES UserAndGroups; /* 0x58: TOKEN_USER Owners [UserAndGroupCount] DefaultOwnerIndex */
+    PSID_AND_ATTRIBUTES RestrictedSids;/* 0x5C: 0 */
+    PSID  PrimaryGroup;       /* 0x60: */
+    PLUID_AND_ATTRIBUTES Privileges;/* 0x64: */
+    PULONG DynamicPart;       /* 0x68: */
+    PACL   DefaultDacl;       /* 0x6C: */
+    TOKEN_TYPE TokenType;     /* 0x70: TokenPrimary | TokenImpersonation */
+    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;/* 0x74: 0 */
+    UCHAR   TokenFlags;       /* 0x78: 9 */
+    BOOLEAN TokenInUse;       /* 0x79: 1 */
+    USHORT  Alignment;        /* 0x7A: 0 */
+    PVOID   ProxyData;        /* 0x7C: 0 */
+    PVOID   AuditData;        /* 0x80: 0 */
+    ULONG VariablePart;           /* 0x84: */
+   } K2;
+  struct
+   {
+    TOKEN_SOURCE TokenSource;     /* 0x0: CHAR SourceName[8] = "*SYSTEM*" | "User32  " + LUID SourceIdentifier = 0x10 */
+    LUID TokenId;         /* 0x10: 0x6F68 */
+    LUID AuthenticationId;    /* 0x18: */
+    LUID ParentTokenId;       /* 0x20: 0 */
+    LARGE_INTEGER ExpirationTime; /* 0x28: -1 no expired */
+    PERESOURCE TokenLock;     /*+0x30: 0x8xxxxxxxx */
+    LUID ModifiedId;          /* 0x34: */
+    ULONG SessionId;          /* 0x3C: 0x6F6A */
+    ULONG UserAndGroupCount;      /* 0x40: 4 */
+    ULONG RestrictedSidCount;     /*+0x44: 0 */
+    ULONG VariableLength;     /* 0x48: 0x160 */
+    ULONG DynamicCharged;     /* 0x4C: 0x164 */
+    ULONG DynamicAvailable;   /* 0x50: 0x1F4 */
+    ULONG PrivilegeCount;     /* 0x54: 0 */
+    ULONG DefaultOwnerIndex;      /* 0x58: 1 */
+    PSID_AND_ATTRIBUTES UserAndGroups; /* 0x5C: TOKEN_USER Owners [UserAndGroupCount] DefaultOwnerIndex */
+    PSID_AND_ATTRIBUTES RestrictedSids;/* 0x60: 0 */
+    PSID  PrimaryGroup;       /* 0x64: */
+    PLUID_AND_ATTRIBUTES Privileges;/* 0x68: */
+    PULONG DynamicPart;       /* 0x6C: */
+    PACL   DefaultDacl;       /* 0x70: */
+    TOKEN_TYPE TokenType;     /* 0x74: TokenPrimary | TokenImpersonation */
+    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;/* 0x78: 0 */
+    UCHAR   TokenFlags;       /* 0x7C: 9 */
+    BOOLEAN TokenInUse;       /* 0x7D: 1 */
+    USHORT  Alignment;        /* 0x7E: 4BB4 */
+    PVOID   ProxyData;        /* 0x80: 0 */
+    PVOID   AuditData;        /* 0x84: 0 */
+    ULONG VariablePart;       /* 0x88: */
+   } XP;
+  struct
+   {
+    TOKEN_SOURCE TokenSource;     /* 0x0: CHAR SourceName[8] = "*SYSTEM*" | "User32  " + LUID SourceIdentifier = 0x10 */
+    LUID TokenId;         /* 0x10: 0x6F68 */
+    LUID AuthenticationId;    /* 0x18: */
+    LUID ParentTokenId;       /* 0x20: 0 */
+    LARGE_INTEGER ExpirationTime; /* 0x28: -1 no expired */
+    PERESOURCE TokenLock;     /*+0x30: 0x8xxxxxxxx */
+    ULONG Padding64;          /*+0x34: 0xXxxxxxxxx */
+    SEP_AUDIT_POLICY AuditPolicy; /*+0x38: */
+    LUID ModifiedId;          /*+0x040: 0x6F6A */
+    ULONG SessionId;          /*+0x048: */
+    ULONG UserAndGroupCount;      /* 0x4C: 4 */
+    ULONG RestrictedSidCount;     /*+0x50: 0 */
+    ULONG VariableLength;     /* 0x54: 0x18 */
+    ULONG DynamicCharged;     /* 0x58: 0x17C */
+    ULONG DynamicAvailable;   /* 0x5C: 0x1F4 */
+    ULONG PrivilegeCount;     /* 0x60: 0 */
+    ULONG DefaultOwnerIndex;      /* 0x64: 1 */
+    PSID_AND_ATTRIBUTES UserAndGroups; /* 0x68: TOKEN_USER Owners [UserAndGroupCount] DefaultOwnerIndex */
+    PSID_AND_ATTRIBUTES RestrictedSids;/* 0x6C: 0 */
+    PSID  PrimaryGroup;       /* 0x70: */
+    PLUID_AND_ATTRIBUTES Privileges;/* 0x74: */
+    PULONG DynamicPart;       /* 0x78: */
+    PACL   DefaultDacl;       /* 0x7C: */
+    TOKEN_TYPE TokenType;     /* 0x80: TokenPrimary | TokenImpersonation */
+    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;/* 0x84: 0 */
+    UCHAR   TokenFlags;       /* 0x88: 9 */
+    BOOLEAN TokenInUse;       /* 0x89: 1 */
+    USHORT  Alignment;        /* 0x8A: 4BB4 */
+    PVOID   ProxyData;        /* 0x8C: 0x8xxxxxxxx */
+    PVOID   AuditData;        /* 0x90: 0 */
+    ULONG VariablePart;       /* 0x94: */
+   } K23;
+  struct
+   {
+    TOKEN_SOURCE TokenSource;       /* +0x0: CHAR SourceName[8] = "*SYSTEM*" | "User32  " + LUID SourceIdentifier = 0x10 */
+    LUID     TokenId;       /* +0x10: 0x6F68 */
+    LUID     AuthenticationId;  /* +0x18: */
+    LUID     ParentTokenId;     /* +0x20: 0 */
+    LARGE_INTEGER ExpirationTime;   /* +0x28: -1 no expired */
+    PERESOURCE   TokenLock;     /* +0x30: 0x8xxxxxxxx */
+    ULONG    Padding64;     /* +0x34: 0xXxxxxxxxx */
+    SEP_AUDIT_POLICY AuditPolicy;   /* +0x38: */
+    LUID     ModifiedId;        /* +0x040: 0x6F6A */
+    ULONG    SessionId;     /* +0x048: */
+    ULONG    UserAndGroupCount; /* +0x04c: 4 */
+    ULONG    RestrictedSidCount;    /* +0x050: 0 */
+    ULONG    PrivilegeCount;    /* +0x054: 0x18 */
+    ULONG    VariableLength;    /* +0x058: 0x17C */
+    ULONG    DynamicCharged;    /* +0x05c: 0x1F4 */
+    ULONG    DynamicAvailable;  /* +0x060: 0 */
+    ULONG    DefaultOwnerIndex; /* +0x064: 1 */
+    PSID_AND_ATTRIBUTES UserAndGroups;  /* +0x68: TOKEN_USER Owners [UserAndGroupCount] DefaultOwnerIndex */
+    PSID_AND_ATTRIBUTES RestrictedSids; /* +0x6C: 0 */
+    PSID     PrimaryGroup;      /* +0x70: */
+    PLUID_AND_ATTRIBUTES Privileges;    /* +0x74: */
+    PULONG   DynamicPart;       /* +0x78: */
+    PACL     DefaultDacl;       /* +0x7C: */
+    TOKEN_TYPE   TokenType;     /* +0x80: TokenPrimary | TokenImpersonation */
+    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;/* +0x84: 0 */
+    UCHAR    TokenFlags;        /* +0x88: 9 */
+    BOOLEAN  TokenInUse;        /* +0x89: 1 */
+    USHORT   Alignment;     /* +0x8A: 4BB4 */
+    PVOID    ProxyData;     /* +0x8C: 0x8xxxxxxxx */
+    PVOID    AuditData;     /* +0x90: 0 */
+    PVOID    LogonSession;      /* +0x94: */
+    LUID     OriginatingLogonSession;/* +0x98: */
+    ULONG    VariablePart;      /* +0xa0: */
+   } K23SP1;
+  struct
+   {
+    TOKEN_SOURCE TokenSource;       /* +0x000 */
+    LUID     TokenId;       /* +0x010 */
+    LUID     AuthenticationId;  /* +0x018 */
+    LUID     ParentTokenId;     /* +0x020 */
+    LARGE_INTEGER ExpirationTime;   /* +0x028 */
+    PERESOURCE   TokenLock;     /* +0x030 */
+    LUID     ModifiedId;        /* +0x034 */
+    SEP_AUDIT_POLICY_VISTA AuditPolicy; /* +0x03c */
+    ULONG    SessionId;     /* +0x058 */
+    ULONG    UserAndGroupCount; /* +0x05c */
+    ULONG    RestrictedSidCount;    /* +0x060 */
+    ULONG    PrivilegeCount;    /* +0x064 */
+    ULONG    VariableLength;    /* +0x068 */
+    ULONG    DynamicCharged;    /* +0x06c */
+    ULONG    DynamicAvailable;  /* +0x070 */
+    ULONG    DefaultOwnerIndex; /* +0x074 */
+    PSID_AND_ATTRIBUTES UserAndGroups;  /* +0x078 */
+    PSID_AND_ATTRIBUTES RestrictedSids; /* +0x07c */
+    PSID     PrimaryGroup;      /* +0x080 */
+    PLUID_AND_ATTRIBUTES Privileges;    /* +0x084 */
+    PULONG   DynamicPart;       /* +0x088 */
+    PACL     DefaultDacl;       /* +0x08c */
+    TOKEN_TYPE   TokenType;     /* +0x090 */
+    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;/* +0x094 */
+    ULONG    TokenFlags;        /* +0x098 */
+    BOOLEAN  TokenInUse;        /* +0x09c */
+    BOOLEAN  WriterPresent;     /* +0x09d */
+    USHORT   Alignment;     /* +0x09e */
+    ULONG    IntegrityLevelIndex;   /* +0x0a0 */
+    ULONG    DesktopIntegrityLevelIndex;/* +0x0a4 */
+    ULONG    MandatoryPolicy;   /* +0x0a8 */
+    PVOID    ProxyData;     /* +0x0ac */
+    PVOID    AuditData;     /* +0x0b0 */
+    PVOID    LogonSession;      /* +0x0b4 */
+    LUID     OriginatingLogonSession;/* +0x0b8 */
+    SID_AND_ATTRIBUTES_HASH SidHash;    /* +0x0c0 */
+    SID_AND_ATTRIBUTES_HASH RestrictedSidHash;/* +0x148 */
+    ULONG    VariablePart;      /* +0x1d0 */
+   } VISTA;
+  struct
+   {
+    TOKEN_SOURCE TokenSource;       /* +0x000 */
+    LUID     TokenId;       /* +0x010 */
+    LUID     AuthenticationId;  /* +0x018 */
+    LUID     ParentTokenId;     /* +0x020 */
+    LARGE_INTEGER ExpirationTime;   /* +0x028 */
+    PERESOURCE   TokenLock;     /* +0x030 */
+    SEP_AUDIT_POLICY AuditPolicy;   /* +0x038 */
+    LUID     ModifiedId;        /* +0x040 */
+    ULONG    SessionId;     /* +0x048 */
+    ULONG    UserAndGroupCount; /* +0x04c */
+    ULONG    RestrictedSidCount;    /* +0x050 */
+    ULONG    PrivilegeCount;    /* +0x054 */
+    ULONG    VariableLength;    /* +0x058 */
+    ULONG    DynamicCharged;    /* +0x05c */
+    ULONG    DynamicAvailable;  /* +0x060 */
+    ULONG    DefaultOwnerIndex; /* +0x064 */
+    PSID_AND_ATTRIBUTES UserAndGroups;  /* +0x068 */
+    PSID_AND_ATTRIBUTES RestrictedSids; /* +0x070 */
+    PSID     PrimaryGroup;      /* +0x078 */
+    PLUID_AND_ATTRIBUTES Privileges;    /* +0x080 */
+    PULONG   DynamicPart;       /* +0x088 */
+    PACL     DefaultDacl;       /* +0x090 */
+    TOKEN_TYPE   TokenType;     /* +0x098 */
+    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; /* +0x09c */
+    UCHAR    TokenFlags;        /* +0x0a0 */
+    BOOLEAN  TokenInUse;        /* +0x0a1 */
+    UCHAR    Padding64 [6];     /* +0x0a2 */
+    PVOID    ProxyData;     /* +0x0a8 */
+    PVOID    AuditData;     /* +0x0b0 */
+    PVOID    LogonSession;      /* +0x0b8 */
+    LUID     OriginatingLogonSession;/* +0x0c0 */
+    ULONG    VariablePart;      /* +0x0c8 */
+   } XP64; /* equial 2K3SP1x64 */
+  /* VariablePart */
+} TOKEN_OBJECT, *PTOKEN_OBJECT;
+#include <poppack.h>
+
+typedef struct _TOKEN_OWNER {
+    PSID Owner;
+} TOKEN_OWNER, *PTOKEN_OWNER;
+
+typedef struct _TOKEN_PRIMARY_GROUP {
+    PSID PrimaryGroup;
+} TOKEN_PRIMARY_GROUP, *PTOKEN_PRIMARY_GROUP;
+
+typedef struct _TOKEN_PRIVILEGES {
+    ULONG               PrivilegeCount;
+    LUID_AND_ATTRIBUTES Privileges[1];
+} TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES;
+
+typedef struct _TOKEN_STATISTICS {
+    LUID                            TokenId;
+    LUID                            AuthenticationId;
+    LARGE_INTEGER                   ExpirationTime;
+    TOKEN_TYPE                      TokenType;
+    SECURITY_IMPERSONATION_LEVEL    ImpersonationLevel;
+    ULONG                           DynamicCharged;
+    ULONG                           DynamicAvailable;
+    ULONG                           GroupCount;
+    ULONG                           PrivilegeCount;
+    LUID                            ModifiedId;
+} TOKEN_STATISTICS, *PTOKEN_STATISTICS;
+
+typedef struct _TOKEN_USER {
+    SID_AND_ATTRIBUTES User;
+} TOKEN_USER, *PTOKEN_USER;
+
+typedef struct _SECURITY_CLIENT_CONTEXT {
+    SECURITY_QUALITY_OF_SERVICE SecurityQos;
+    PACCESS_TOKEN               ClientToken;
+    BOOLEAN                     DirectlyAccessClientToken;
+    BOOLEAN                     DirectAccessEffectiveOnly;
+    BOOLEAN                     ServerIsRemote;
+    TOKEN_CONTROL               ClientTokenControl;
+} SECURITY_CLIENT_CONTEXT, *PSECURITY_CLIENT_CONTEXT;
+
+typedef struct _TUNNEL {
+    FAST_MUTEX          Mutex;
+    PRTL_SPLAY_LINKS    Cache;
+    LIST_ENTRY          TimerQueue;
+    USHORT              NumEntries;
+} TUNNEL, *PTUNNEL;
+
+typedef struct _VACB {
+    PVOID               BaseAddress;
+    PSHARED_CACHE_MAP   SharedCacheMap;
+    union {
+        LARGE_INTEGER   FileOffset;
+        USHORT          ActiveCount;
+    } Overlay;
+    LIST_ENTRY          LruList;
+} VACB, *PVACB;
+
+typedef struct _VAD_HEADER {
+    PVOID       StartVPN;
+    PVOID       EndVPN;
+    PVAD_HEADER ParentLink;
+    PVAD_HEADER LeftLink;
+    PVAD_HEADER RightLink;
+    ULONG       Flags;          // LSB = CommitCharge
+    PVOID       ControlArea;
+    PVOID       FirstProtoPte;
+    PVOID       LastPTE;
+    ULONG       Unknown;
+    LIST_ENTRY  Secured;
+} VAD_HEADER, *PVAD_HEADER;
+
+NTKERNELAPI
+BOOLEAN
+CcCanIWrite (
+    IN PFILE_OBJECT FileObject,
+    IN ULONG        BytesToWrite,
+    IN BOOLEAN      Wait,
+    IN BOOLEAN      Retrying
+);
+
+NTKERNELAPI
+BOOLEAN
+CcCopyRead (
+    IN PFILE_OBJECT         FileObject,
+    IN PLARGE_INTEGER       FileOffset,
+    IN ULONG                Length,
+    IN BOOLEAN              Wait,
+    OUT PVOID               Buffer,
+    OUT PIO_STATUS_BLOCK    IoStatus
+);
+
+NTKERNELAPI
+BOOLEAN
+CcCopyWrite (
+    IN PFILE_OBJECT     FileObject,
+    IN PLARGE_INTEGER   FileOffset,
+    IN ULONG            Length,
+    IN BOOLEAN          Wait,
+    IN PVOID            Buffer
+);
+
+#define CcCopyWriteWontFlush(FO, FOFF, LEN) ((LEN) <= 0x10000)
+
+typedef VOID (*PCC_POST_DEFERRED_WRITE) (
+    IN PVOID Context1,
+    IN PVOID Context2
+);
+
+NTKERNELAPI
+VOID
+CcDeferWrite (
+    IN PFILE_OBJECT             FileObject,
+    IN PCC_POST_DEFERRED_WRITE  PostRoutine,
+    IN PVOID                    Context1,
+    IN PVOID                    Context2,
+    IN ULONG                    BytesToWrite,
+    IN BOOLEAN                  Retrying
+);
+
+NTKERNELAPI
+VOID
+CcFastCopyRead (
+    IN PFILE_OBJECT         FileObject,
+    IN ULONG                FileOffset,
+    IN ULONG                Length,
+    IN ULONG                PageCount,
+    OUT PVOID               Buffer,
+    OUT PIO_STATUS_BLOCK    IoStatus
+);
+
+NTKERNELAPI
+VOID
+CcFastCopyWrite (
+    IN PFILE_OBJECT FileObject,
+    IN ULONG        FileOffset,
+    IN ULONG        Length,
+    IN PVOID        Buffer
+);
+
+NTKERNELAPI
+VOID
+CcFlushCache (
+    IN PSECTION_OBJECT_POINTERS SectionObjectPointer,
+    IN PLARGE_INTEGER           FileOffset OPTIONAL,
+    IN ULONG                    Length,
+    OUT PIO_STATUS_BLOCK        IoStatus OPTIONAL
+);
+
+typedef VOID (*PDIRTY_PAGE_ROUTINE) (
+    IN PFILE_OBJECT     FileObject,
+    IN PLARGE_INTEGER   FileOffset,
+    IN ULONG            Length,
+    IN PLARGE_INTEGER   OldestLsn,
+    IN PLARGE_INTEGER   NewestLsn,
+    IN PVOID            Context1,
+    IN PVOID            Context2
+);
+
+NTKERNELAPI
+LARGE_INTEGER
+CcGetDirtyPages (
+    IN PVOID                LogHandle,
+    IN PDIRTY_PAGE_ROUTINE  DirtyPageRoutine,
+    IN PVOID                Context1,
+    IN PVOID                Context2
+);
+
+NTKERNELAPI
+PFILE_OBJECT
+CcGetFileObjectFromBcb (
+    IN PVOID Bcb
+);
+
+NTKERNELAPI
+PFILE_OBJECT
+CcGetFileObjectFromSectionPtrs (
+    IN PSECTION_OBJECT_POINTERS SectionObjectPointer
+);
+
+#define CcGetFileSizePointer(FO) (                                     \
+    ((PLARGE_INTEGER)((FO)->SectionObjectPointer->SharedCacheMap) + 1) \
+)
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+LARGE_INTEGER
+CcGetFlushedValidData (
+    IN PSECTION_OBJECT_POINTERS SectionObjectPointer,
+    IN BOOLEAN                  BcbListHeld
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+LARGE_INTEGER
+CcGetLsnForFileObject (
+    IN PFILE_OBJECT     FileObject,
+    OUT PLARGE_INTEGER  OldestLsn OPTIONAL
+);
+
+typedef BOOLEAN (*PACQUIRE_FOR_LAZY_WRITE) (
+    IN PVOID    Context,
+    IN BOOLEAN  Wait
+);
+
+typedef VOID (*PRELEASE_FROM_LAZY_WRITE) (
+    IN PVOID Context
+);
+
+typedef BOOLEAN (*PACQUIRE_FOR_READ_AHEAD) (
+    IN PVOID    Context,
+    IN BOOLEAN  Wait
+);
+
+typedef VOID (*PRELEASE_FROM_READ_AHEAD) (
+    IN PVOID Context
+);
+
+typedef struct _CACHE_MANAGER_CALLBACKS {
+    PACQUIRE_FOR_LAZY_WRITE     AcquireForLazyWrite;
+    PRELEASE_FROM_LAZY_WRITE    ReleaseFromLazyWrite;
+    PACQUIRE_FOR_READ_AHEAD     AcquireForReadAhead;
+    PRELEASE_FROM_READ_AHEAD    ReleaseFromReadAhead;
+} CACHE_MANAGER_CALLBACKS, *PCACHE_MANAGER_CALLBACKS;
+
+NTKERNELAPI
+VOID
+CcInitializeCacheMap (
+    IN PFILE_OBJECT             FileObject,
+    IN PCC_FILE_SIZES           FileSizes,
+    IN BOOLEAN                  PinAccess,
+    IN PCACHE_MANAGER_CALLBACKS Callbacks,
+    IN PVOID                    LazyWriteContext
+);
+
+#define CcIsFileCached(FO) (                                                         \
+    ((FO)->SectionObjectPointer != NULL) &&                                          \
+    (((PSECTION_OBJECT_POINTERS)(FO)->SectionObjectPointer)->SharedCacheMap != NULL) \
+)
+
+NTKERNELAPI
+BOOLEAN
+CcIsThereDirtyData (
+    IN PVPB Vpb
+);
+
+NTKERNELAPI
+BOOLEAN
+CcMapData (
+    IN PFILE_OBJECT     FileObject,
+    IN PLARGE_INTEGER   FileOffset,
+    IN ULONG            Length,
+#if (VER_PRODUCTBUILD >= 2600)
+    IN ULONG            Flags,
+#else
+    IN BOOLEAN          Wait,
+#endif
+    OUT PVOID           *Bcb,
+    OUT PVOID           *Buffer
+);
+
+NTKERNELAPI
+VOID
+CcMdlRead (
+    IN PFILE_OBJECT         FileObject,
+    IN PLARGE_INTEGER       FileOffset,
+    IN ULONG                Length,
+    OUT PMDL                *MdlChain,
+    OUT PIO_STATUS_BLOCK    IoStatus
+);
+
+NTKERNELAPI
+VOID
+CcMdlReadComplete (
+    IN PFILE_OBJECT FileObject,
+    IN PMDL         MdlChain
+);
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+VOID
+CcMdlWriteAbort (
+    IN PFILE_OBJECT FileObject,
+    IN PMDL         MdlChain
+);
+
+#endif
+
+NTKERNELAPI
+VOID
+CcMdlWriteComplete (
+    IN PFILE_OBJECT     FileObject,
+    IN PLARGE_INTEGER   FileOffset,
+    IN PMDL             MdlChain
+);
+
+NTKERNELAPI
+BOOLEAN
+CcPinMappedData (
+    IN PFILE_OBJECT     FileObject,
+    IN PLARGE_INTEGER   FileOffset,
+    IN ULONG            Length,
+#if (VER_PRODUCTBUILD >= 2195)
+    IN ULONG            Flags,
+#else
+    IN BOOLEAN          Wait,
+#endif
+    IN OUT PVOID        *Bcb
+);
+
+NTKERNELAPI
+BOOLEAN
+CcPinRead (
+    IN PFILE_OBJECT     FileObject,
+    IN PLARGE_INTEGER   FileOffset,
+    IN ULONG            Length,
+#if (VER_PRODUCTBUILD >= 2195)
+    IN ULONG            Flags,
+#else
+    IN BOOLEAN          Wait,
+#endif
+    OUT PVOID           *Bcb,
+    OUT PVOID           *Buffer
+);
+
+NTKERNELAPI
+VOID
+CcPrepareMdlWrite (
+    IN PFILE_OBJECT         FileObject,
+    IN PLARGE_INTEGER       FileOffset,
+    IN ULONG                Length,
+    OUT PMDL                *MdlChain,
+    OUT PIO_STATUS_BLOCK    IoStatus
+);
+
+NTKERNELAPI
+BOOLEAN
+CcPreparePinWrite (
+    IN PFILE_OBJECT     FileObject,
+    IN PLARGE_INTEGER   FileOffset,
+    IN ULONG            Length,
+    IN BOOLEAN          Zero,
+#if (VER_PRODUCTBUILD >= 2195)
+    IN ULONG            Flags,
+#else
+    IN BOOLEAN          Wait,
+#endif
+    OUT PVOID           *Bcb,
+    OUT PVOID           *Buffer
+);
+
+NTKERNELAPI
+BOOLEAN
+CcPurgeCacheSection (
+    IN PSECTION_OBJECT_POINTERS SectionObjectPointer,
+    IN PLARGE_INTEGER           FileOffset OPTIONAL,
+    IN ULONG                    Length,
+    IN BOOLEAN                  UninitializeCacheMaps
+);
+
+#define CcReadAhead(FO, FOFF, LEN) (                \
+    if ((LEN) >= 256) {                             \
+        CcScheduleReadAhead((FO), (FOFF), (LEN));   \
+    }                                               \
+)
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+PVOID
+CcRemapBcb (
+    IN PVOID Bcb
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+VOID
+CcRepinBcb (
+    IN PVOID Bcb
+);
+
+NTKERNELAPI
+VOID
+CcScheduleReadAhead (
+    IN PFILE_OBJECT     FileObject,
+    IN PLARGE_INTEGER   FileOffset,
+    IN ULONG            Length
+);
+
+NTKERNELAPI
+VOID
+CcSetAdditionalCacheAttributes (
+    IN PFILE_OBJECT FileObject,
+    IN BOOLEAN      DisableReadAhead,
+    IN BOOLEAN      DisableWriteBehind
+);
+
+NTKERNELAPI
+VOID
+CcSetBcbOwnerPointer (
+    IN PVOID Bcb,
+    IN PVOID OwnerPointer
+);
+
+NTKERNELAPI
+VOID
+CcSetDirtyPageThreshold (
+    IN PFILE_OBJECT FileObject,
+    IN ULONG        DirtyPageThreshold
+);
+
+NTKERNELAPI
+VOID
+CcSetDirtyPinnedData (
+    IN PVOID            BcbVoid,
+    IN PLARGE_INTEGER   Lsn OPTIONAL
+);
+
+NTKERNELAPI
+VOID
+CcSetFileSizes (
+    IN PFILE_OBJECT     FileObject,
+    IN PCC_FILE_SIZES   FileSizes
+);
+
+typedef VOID (*PFLUSH_TO_LSN) (
+    IN PVOID            LogHandle,
+    IN PLARGE_INTEGER   Lsn
+);
+
+NTKERNELAPI
+VOID
+CcSetLogHandleForFile (
+    IN PFILE_OBJECT     FileObject,
+    IN PVOID            LogHandle,
+    IN PFLUSH_TO_LSN    FlushToLsnRoutine
+);
+
+NTKERNELAPI
+VOID
+CcSetReadAheadGranularity (
+    IN PFILE_OBJECT FileObject,
+    IN ULONG        Granularity     // default: PAGE_SIZE
+                                    // allowed: 2^n * PAGE_SIZE
+);
+
+NTKERNELAPI
+BOOLEAN
+CcUninitializeCacheMap (
+    IN PFILE_OBJECT                 FileObject,
+    IN PLARGE_INTEGER               TruncateSize OPTIONAL,
+    IN PCACHE_UNINITIALIZE_EVENT    UninitializeCompleteEvent OPTIONAL
+);
+
+NTKERNELAPI
+VOID
+CcUnpinData (
+    IN PVOID Bcb
+);
+
+NTKERNELAPI
+VOID
+CcUnpinDataForThread (
+    IN PVOID            Bcb,
+    IN ERESOURCE_THREAD ResourceThreadId
+);
+
+NTKERNELAPI
+VOID
+CcUnpinRepinnedBcb (
+    IN PVOID                Bcb,
+    IN BOOLEAN              WriteThrough,
+    OUT PIO_STATUS_BLOCK    IoStatus
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+NTSTATUS
+CcWaitForCurrentLazyWriterActivity (
+    VOID
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+BOOLEAN
+CcZeroData (
+    IN PFILE_OBJECT     FileObject,
+    IN PLARGE_INTEGER   StartOffset,
+    IN PLARGE_INTEGER   EndOffset,
+    IN BOOLEAN          Wait
+);
+
+NTKERNELAPI
+VOID
+ExDisableResourceBoostLite (
+    IN PERESOURCE Resource
+);
+
+NTKERNELAPI
+ULONG
+ExQueryPoolBlockSize (
+    IN PVOID        PoolBlock,
+    OUT PBOOLEAN    QuotaCharged
+);
+
+#define FlagOn(x, f) ((x) & (f))
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+VOID
+FsRtlAcquireFileExclusive (
+    IN PFILE_OBJECT FileObject
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+BOOLEAN
+FsRtlAddLargeMcbEntry (
+    IN PLARGE_MCB   Mcb,
+    IN LONGLONG     Vbn,
+    IN LONGLONG     Lbn,
+    IN LONGLONG     SectorCount
+);
+
+NTKERNELAPI
+BOOLEAN
+FsRtlAddMcbEntry (
+    IN PMCB     Mcb,
+    IN VBN      Vbn,
+    IN LBN      Lbn,
+    IN ULONG    SectorCount
+);
+
+NTKERNELAPI
+VOID
+FsRtlAddToTunnelCache (
+    IN PTUNNEL          Cache,
+    IN ULONGLONG        DirectoryKey,
+    IN PUNICODE_STRING  ShortName,
+    IN PUNICODE_STRING  LongName,
+    IN BOOLEAN          KeyByShortName,
+    IN ULONG            DataLength,
+    IN PVOID            Data
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+PFILE_LOCK
+FsRtlAllocateFileLock (
+    IN PCOMPLETE_LOCK_IRP_ROUTINE   CompleteLockIrpRoutine OPTIONAL,
+    IN PUNLOCK_ROUTINE              UnlockRoutine OPTIONAL
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+PVOID
+FsRtlAllocatePool (
+    IN POOL_TYPE    PoolType,
+    IN ULONG        NumberOfBytes
+);
+
+NTKERNELAPI
+PVOID
+FsRtlAllocatePoolWithQuota (
+    IN POOL_TYPE    PoolType,
+    IN ULONG        NumberOfBytes
+);
+
+NTKERNELAPI
+PVOID
+FsRtlAllocatePoolWithQuotaTag (
+    IN POOL_TYPE    PoolType,
+    IN ULONG        NumberOfBytes,
+    IN ULONG        Tag
+);
+
+NTKERNELAPI
+PVOID
+FsRtlAllocatePoolWithTag (
+    IN POOL_TYPE    PoolType,
+    IN ULONG        NumberOfBytes,
+    IN ULONG        Tag
+);
+
+NTKERNELAPI
+PVOID
+FsRtlAllocateResource (
+    VOID
+);
+
+NTKERNELAPI
+BOOLEAN
+FsRtlAreNamesEqual (
+    IN PUNICODE_STRING  Name1,
+    IN PUNICODE_STRING  Name2,
+    IN BOOLEAN          IgnoreCase,
+    IN PWCHAR           UpcaseTable OPTIONAL
+);
+
+#define FsRtlAreThereCurrentFileLocks(FL) ( \
+    ((FL)->FastIoIsQuestionable)            \
+)
+
+NTKERNELAPI
+NTSTATUS
+FsRtlBalanceReads (
+    IN PDEVICE_OBJECT TargetDevice
+);
+
+/*
+  FsRtlCheckLockForReadAccess:
+
+  All this really does is pick out the lock parameters from the irp (io stack
+  location?), get IoGetRequestorProcess, and pass values on to
+  FsRtlFastCheckLockForRead.
+*/
+NTKERNELAPI
+BOOLEAN
+FsRtlCheckLockForReadAccess (
+    IN PFILE_LOCK   FileLock,
+    IN PIRP         Irp
+);
+
+/*
+  FsRtlCheckLockForWriteAccess:
+
+  All this really does is pick out the lock parameters from the irp (io stack
+  location?), get IoGetRequestorProcess, and pass values on to
+  FsRtlFastCheckLockForWrite.
+*/
+NTKERNELAPI
+BOOLEAN
+FsRtlCheckLockForWriteAccess (
+    IN PFILE_LOCK   FileLock,
+    IN PIRP         Irp
+);
+
+typedef
+VOID
+(*POPLOCK_WAIT_COMPLETE_ROUTINE) (
+    IN PVOID    Context,
+    IN PIRP     Irp
+);
+
+typedef
+VOID
+(*POPLOCK_FS_PREPOST_IRP) (
+    IN PVOID    Context,
+    IN PIRP     Irp
+);
+
+NTKERNELAPI
+NTSTATUS
+FsRtlCheckOplock (
+    IN POPLOCK                          Oplock,
+    IN PIRP                             Irp,
+    IN PVOID                            Context,
+    IN POPLOCK_WAIT_COMPLETE_ROUTINE    CompletionRoutine OPTIONAL,
+    IN POPLOCK_FS_PREPOST_IRP           PostIrpRoutine OPTIONAL
+);
+
+NTKERNELAPI
+BOOLEAN
+FsRtlCopyRead (
+    IN PFILE_OBJECT         FileObject,
+    IN PLARGE_INTEGER       FileOffset,
+    IN ULONG                Length,
+    IN BOOLEAN              Wait,
+    IN ULONG                LockKey,
+    OUT PVOID               Buffer,
+    OUT PIO_STATUS_BLOCK    IoStatus,
+    IN PDEVICE_OBJECT       DeviceObject
+);
+
+NTKERNELAPI
+BOOLEAN
+FsRtlCopyWrite (
+    IN PFILE_OBJECT         FileObject,
+    IN PLARGE_INTEGER       FileOffset,
+    IN ULONG                Length,
+    IN BOOLEAN              Wait,
+    IN ULONG                LockKey,
+    IN PVOID                Buffer,
+    OUT PIO_STATUS_BLOCK    IoStatus,
+    IN PDEVICE_OBJECT       DeviceObject
+);
+
+NTKERNELAPI
+BOOLEAN
+FsRtlCurrentBatchOplock (
+    IN POPLOCK Oplock
+);
+
+NTKERNELAPI
+VOID
+FsRtlDeleteKeyFromTunnelCache (
+    IN PTUNNEL      Cache,
+    IN ULONGLONG    DirectoryKey
+);
+
+NTKERNELAPI
+VOID
+FsRtlDeleteTunnelCache (
+    IN PTUNNEL Cache
+);
+
+NTKERNELAPI
+VOID
+FsRtlDeregisterUncProvider (
+    IN HANDLE Handle
+);
+
+NTKERNELAPI
+VOID
+FsRtlDissectDbcs (
+    IN ANSI_STRING      InputName,
+    OUT PANSI_STRING    FirstPart,
+    OUT PANSI_STRING    RemainingPart
+);
+
+NTKERNELAPI
+VOID
+FsRtlDissectName (
+    IN UNICODE_STRING   Path,
+    OUT PUNICODE_STRING FirstName,
+    OUT PUNICODE_STRING RemainingName
+);
+
+NTKERNELAPI
+BOOLEAN
+FsRtlDoesDbcsContainWildCards (
+    IN PANSI_STRING Name
+);
+
+NTKERNELAPI
+BOOLEAN
+FsRtlDoesNameContainWildCards (
+    IN PUNICODE_STRING Name
+);
+
+#define FsRtlEnterFileSystem    KeEnterCriticalRegion
+
+#define FsRtlExitFileSystem     KeLeaveCriticalRegion
+
+NTKERNELAPI
+BOOLEAN
+FsRtlFastCheckLockForRead (
+    IN PFILE_LOCK           FileLock,
+    IN PLARGE_INTEGER       FileOffset,
+    IN PLARGE_INTEGER       Length,
+    IN ULONG                Key,
+    IN PFILE_OBJECT         FileObject,
+    IN PEPROCESS            Process
+);
+
+NTKERNELAPI
+BOOLEAN
+FsRtlFastCheckLockForWrite (
+    IN PFILE_LOCK           FileLock,
+    IN PLARGE_INTEGER       FileOffset,
+    IN PLARGE_INTEGER       Length,
+    IN ULONG                Key,
+    IN PFILE_OBJECT         FileObject,
+    IN PEPROCESS            Process
+);
+
+#define FsRtlFastLock(A1, A2, A3, A4, A5, A6, A7, A8, A9, A10, A11) (       \
+     FsRtlPrivateLock(A1, A2, A3, A4, A5, A6, A7, A8, A9, NULL, A10, A11)   \
+)
+
+NTKERNELAPI
+NTSTATUS
+FsRtlFastUnlockAll (
+    IN PFILE_LOCK           FileLock,
+    IN PFILE_OBJECT         FileObject,
+    IN PEPROCESS            Process,
+    IN PVOID                Context OPTIONAL
+);
+//ret: STATUS_RANGE_NOT_LOCKED
+
+NTKERNELAPI
+NTSTATUS
+FsRtlFastUnlockAllByKey (
+    IN PFILE_LOCK           FileLock,
+    IN PFILE_OBJECT         FileObject,
+    IN PEPROCESS            Process,
+    IN ULONG                Key,
+    IN PVOID                Context OPTIONAL
+);  
+//ret: STATUS_RANGE_NOT_LOCKED
+
+NTKERNELAPI
+NTSTATUS
+FsRtlFastUnlockSingle (
+    IN PFILE_LOCK           FileLock,
+    IN PFILE_OBJECT         FileObject,
+    IN PLARGE_INTEGER       FileOffset,
+    IN PLARGE_INTEGER       Length,
+    IN PEPROCESS            Process,
+    IN ULONG                Key,
+    IN PVOID                Context OPTIONAL,
+    IN BOOLEAN              AlreadySynchronized
+);                      
+//ret:  STATUS_RANGE_NOT_LOCKED
+
+NTKERNELAPI
+BOOLEAN
+FsRtlFindInTunnelCache (
+    IN PTUNNEL          Cache,
+    IN ULONGLONG        DirectoryKey,
+    IN PUNICODE_STRING  Name,
+    OUT PUNICODE_STRING ShortName,
+    OUT PUNICODE_STRING LongName,
+    IN OUT PULONG       DataLength,
+    OUT PVOID           Data
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+VOID
+FsRtlFreeFileLock (
+    IN PFILE_LOCK FileLock
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+NTSTATUS
+FsRtlGetFileSize (
+    IN PFILE_OBJECT         FileObject,
+    IN OUT PLARGE_INTEGER   FileSize
+);
+
+/*
+  FsRtlGetNextFileLock:
+
+  ret: NULL if no more locks
+
+  Internals:
+    FsRtlGetNextFileLock uses FileLock->LastReturnedLockInfo and
+    FileLock->LastReturnedLock as storage.
+    LastReturnedLock is a pointer to the 'raw' lock inkl. double linked
+    list, and FsRtlGetNextFileLock needs this to get next lock on subsequent
+    calls with Restart = FALSE.
+*/
+NTKERNELAPI
+PFILE_LOCK_INFO
+FsRtlGetNextFileLock (
+    IN PFILE_LOCK   FileLock,
+    IN BOOLEAN      Restart
+);
+
+NTKERNELAPI
+BOOLEAN
+FsRtlGetNextLargeMcbEntry (
+    IN PLARGE_MCB   Mcb,
+    IN ULONG        RunIndex,
+    OUT PLONGLONG   Vbn,
+    OUT PLONGLONG   Lbn,
+    OUT PLONGLONG   SectorCount
+);
+
+NTKERNELAPI
+BOOLEAN
+FsRtlGetNextMcbEntry (
+    IN PMCB     Mcb,
+    IN ULONG    RunIndex,
+    OUT PVBN    Vbn,
+    OUT PLBN    Lbn,
+    OUT PULONG  SectorCount
+);
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+VOID
+FsRtlIncrementCcFastReadNotPossible (
+    VOID
+);
+
+NTKERNELAPI
+VOID
+FsRtlIncrementCcFastReadNoWait (
+    VOID
+);
+
+NTKERNELAPI
+VOID
+FsRtlIncrementCcFastReadResourceMiss (
+    VOID
+);
+
+NTKERNELAPI
+VOID
+FsRtlIncrementCcFastReadWait (
+    VOID
+);
+
+#endif // (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+VOID
+FsRtlInitializeFileLock (
+    IN PFILE_LOCK                   FileLock,
+    IN PCOMPLETE_LOCK_IRP_ROUTINE   CompleteLockIrpRoutine OPTIONAL,
+    IN PUNLOCK_ROUTINE              UnlockRoutine OPTIONAL
+);
+
+NTKERNELAPI
+VOID
+FsRtlInitializeLargeMcb (
+    IN PLARGE_MCB   Mcb,
+    IN POOL_TYPE    PoolType
+);
+
+NTKERNELAPI
+VOID
+FsRtlInitializeMcb (
+    IN PMCB         Mcb,
+    IN POOL_TYPE    PoolType
+);
+
+NTKERNELAPI
+VOID
+FsRtlInitializeOplock (
+    IN OUT POPLOCK Oplock
+);
+
+NTKERNELAPI
+VOID
+FsRtlInitializeTunnelCache (
+    IN PTUNNEL Cache
+);
+
+NTKERNELAPI
+BOOLEAN
+FsRtlIsDbcsInExpression (
+    IN PANSI_STRING Expression,
+    IN PANSI_STRING Name
+);
+
+NTKERNELAPI
+BOOLEAN
+FsRtlIsFatDbcsLegal (
+    IN ANSI_STRING  DbcsName,
+    IN BOOLEAN      WildCardsPermissible,
+    IN BOOLEAN      PathNamePermissible,
+    IN BOOLEAN      LeadingBackslashPermissible
+);
+
+NTKERNELAPI
+BOOLEAN
+FsRtlIsHpfsDbcsLegal (
+    IN ANSI_STRING  DbcsName,
+    IN BOOLEAN      WildCardsPermissible,
+    IN BOOLEAN      PathNamePermissible,
+    IN BOOLEAN      LeadingBackslashPermissible
+);
+
+NTKERNELAPI
+BOOLEAN
+FsRtlIsNameInExpression (
+    IN PUNICODE_STRING  Expression,
+    IN PUNICODE_STRING  Name,
+    IN BOOLEAN          IgnoreCase,
+    IN PWCHAR           UpcaseTable OPTIONAL
+);
+
+NTKERNELAPI
+BOOLEAN
+FsRtlIsNtstatusExpected (
+    IN NTSTATUS Ntstatus
+);
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+BOOLEAN
+FsRtlIsPagingFile (
+    IN PFILE_OBJECT FileObject
+);
+
+#endif // (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+BOOLEAN
+FsRtlIsTotalDeviceFailure (
+    IN NTSTATUS Status
+);
+
+#define FsRtlIsUnicodeCharacterWild(C) (                                    \
+    (((C) >= 0x40) ?                                                        \
+    FALSE :                                                                 \
+    FlagOn((*FsRtlLegalAnsiCharacterArray)[(C)], FSRTL_WILD_CHARACTER ))    \
+)
+
+NTKERNELAPI
+BOOLEAN
+FsRtlLookupLargeMcbEntry (
+    IN PLARGE_MCB   Mcb,
+    IN LONGLONG     Vbn,
+    OUT PLONGLONG   Lbn OPTIONAL,
+    OUT PLONGLONG   SectorCountFromLbn OPTIONAL,
+    OUT PLONGLONG   StartingLbn OPTIONAL,
+    OUT PLONGLONG   SectorCountFromStartingLbn OPTIONAL,
+    OUT PULONG      Index OPTIONAL
+);
+
+NTKERNELAPI
+BOOLEAN
+FsRtlLookupLastLargeMcbEntry (
+    IN PLARGE_MCB Mcb,
+    OUT PLONGLONG Vbn,
+    OUT PLONGLONG Lbn
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+BOOLEAN
+FsRtlLookupLastLargeMcbEntryAndIndex (
+    IN PLARGE_MCB   OpaqueMcb,
+    OUT PLONGLONG   LargeVbn,
+    OUT PLONGLONG   LargeLbn,
+    OUT PULONG      Index
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+BOOLEAN
+FsRtlLookupLastMcbEntry (
+    IN PMCB     Mcb,
+    OUT PVBN    Vbn,
+    OUT PLBN    Lbn
+);
+
+NTKERNELAPI
+BOOLEAN
+FsRtlLookupMcbEntry (
+    IN PMCB     Mcb,
+    IN VBN      Vbn,
+    OUT PLBN    Lbn,
+    OUT PULONG  SectorCount OPTIONAL,
+    OUT PULONG  Index
+);
+
+NTKERNELAPI
+BOOLEAN
+FsRtlMdlReadComplete (
+    IN PFILE_OBJECT     FileObject,
+    IN PMDL             MdlChain
+);
+
+NTKERNELAPI
+BOOLEAN
+FsRtlMdlReadCompleteDev (
+    IN PFILE_OBJECT     FileObject,
+    IN PMDL             MdlChain,
+    IN PDEVICE_OBJECT   DeviceObject
+);
+
+#if (VER_PRODUCTBUILD >= 1381)
+
+NTKERNELAPI
+BOOLEAN
+FsRtlMdlReadDev (
+    IN PFILE_OBJECT         FileObject,
+    IN PLARGE_INTEGER       FileOffset,
+    IN ULONG                Length,
+    IN ULONG                LockKey,
+    OUT PMDL                *MdlChain,
+    OUT PIO_STATUS_BLOCK    IoStatus,
+    IN PDEVICE_OBJECT       DeviceObject
+);
+
+#endif // (VER_PRODUCTBUILD >= 1381)
+
+NTKERNELAPI
+BOOLEAN
+FsRtlMdlWriteComplete (
+    IN PFILE_OBJECT     FileObject,
+    IN PLARGE_INTEGER   FileOffset,
+    IN PMDL             MdlChain
+);
+
+NTKERNELAPI
+BOOLEAN
+FsRtlMdlWriteCompleteDev (
+    IN PFILE_OBJECT     FileObject,
+    IN PLARGE_INTEGER   FileOffset,
+    IN PMDL             MdlChain,
+    IN PDEVICE_OBJECT   DeviceObject
+);
+
+NTKERNELAPI
+NTSTATUS
+FsRtlNormalizeNtstatus (
+    IN NTSTATUS Exception,
+    IN NTSTATUS GenericException
+);
+
+NTKERNELAPI
+VOID
+FsRtlNotifyChangeDirectory (
+    IN PNOTIFY_SYNC NotifySync,
+    IN PVOID        FsContext,
+    IN PSTRING      FullDirectoryName,
+    IN PLIST_ENTRY  NotifyList,
+    IN BOOLEAN      WatchTree,
+    IN ULONG        CompletionFilter,
+    IN PIRP         NotifyIrp
+);
+
+NTKERNELAPI
+VOID
+FsRtlNotifyCleanup (
+    IN PNOTIFY_SYNC NotifySync,
+    IN PLIST_ENTRY  NotifyList,
+    IN PVOID        FsContext
+);
+
+typedef BOOLEAN (*PCHECK_FOR_TRAVERSE_ACCESS) (
+    IN PVOID                        NotifyContext,
+    IN PVOID                        TargetContext,
+    IN PSECURITY_SUBJECT_CONTEXT    SubjectContext
+);
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+typedef BOOLEAN (*PFILTER_REPORT_CHANGE) (
+    IN PVOID NotifyContext,
+    IN PVOID FilterContext
+);
+
+NTKERNELAPI
+VOID
+FsRtlNotifyFilterChangeDirectory (
+    IN PNOTIFY_SYNC                 NotifySync,
+    IN PLIST_ENTRY                  NotifyList,
+    IN PVOID                        FsContext,
+    IN PSTRING                      FullDirectoryName,
+    IN BOOLEAN                      WatchTree,
+    IN BOOLEAN                      IgnoreBuffer,
+    IN ULONG                        CompletionFilter,
+    IN PIRP                         NotifyIrp,
+    IN PCHECK_FOR_TRAVERSE_ACCESS   TraverseCallback OPTIONAL,
+    IN PSECURITY_SUBJECT_CONTEXT    SubjectContext OPTIONAL,
+    IN PFILTER_REPORT_CHANGE        FilterCallback OPTIONAL
+);
+
+NTKERNELAPI
+VOID
+FsRtlNotifyFilterReportChange (
+    IN PNOTIFY_SYNC NotifySync,
+    IN PLIST_ENTRY  NotifyList,
+    IN PSTRING      FullTargetName,
+    IN USHORT       TargetNameOffset,
+    IN PSTRING      StreamName OPTIONAL,
+    IN PSTRING      NormalizedParentName OPTIONAL,
+    IN ULONG        FilterMatch,
+    IN ULONG        Action,
+    IN PVOID        TargetContext,
+    IN PVOID        FilterContext
+);
+
+#endif // (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+VOID
+FsRtlNotifyFullChangeDirectory (
+    IN PNOTIFY_SYNC                 NotifySync,
+    IN PLIST_ENTRY                  NotifyList,
+    IN PVOID                        FsContext,
+    IN PSTRING                      FullDirectoryName,
+    IN BOOLEAN                      WatchTree,
+    IN BOOLEAN                      IgnoreBuffer,
+    IN ULONG                        CompletionFilter,
+    IN PIRP                         NotifyIrp,
+    IN PCHECK_FOR_TRAVERSE_ACCESS   TraverseCallback OPTIONAL,
+    IN PSECURITY_SUBJECT_CONTEXT    SubjectContext OPTIONAL
+);
+
+NTKERNELAPI
+VOID
+FsRtlNotifyFullReportChange (
+    IN PNOTIFY_SYNC NotifySync,
+    IN PLIST_ENTRY  NotifyList,
+    IN PSTRING      FullTargetName,
+    IN USHORT       TargetNameOffset,
+    IN PSTRING      StreamName OPTIONAL,
+    IN PSTRING      NormalizedParentName OPTIONAL,
+    IN ULONG        FilterMatch,
+    IN ULONG        Action,
+    IN PVOID        TargetContext
+);
+
+NTKERNELAPI
+VOID
+FsRtlNotifyInitializeSync (
+    IN PNOTIFY_SYNC *NotifySync
+);
+
+NTKERNELAPI
+VOID
+FsRtlNotifyReportChange (
+    IN PNOTIFY_SYNC NotifySync,
+    IN PLIST_ENTRY  NotifyList,
+    IN PSTRING      FullTargetName,
+    IN PUSHORT      FileNamePartLength,
+    IN ULONG        FilterMatch
+);
+
+NTKERNELAPI
+VOID
+FsRtlNotifyUninitializeSync (
+    IN PNOTIFY_SYNC *NotifySync
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+NTSTATUS
+FsRtlNotifyVolumeEvent (
+    IN PFILE_OBJECT FileObject,
+    IN ULONG        EventCode
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+ULONG
+FsRtlNumberOfRunsInLargeMcb (
+    IN PLARGE_MCB Mcb
+);
+
+NTKERNELAPI
+ULONG
+FsRtlNumberOfRunsInMcb (
+    IN PMCB Mcb
+);
+
+NTKERNELAPI
+NTSTATUS
+FsRtlOplockFsctrl (
+    IN POPLOCK  Oplock,
+    IN PIRP     Irp,
+    IN ULONG    OpenCount
+);
+
+NTKERNELAPI
+BOOLEAN
+FsRtlOplockIsFastIoPossible (
+    IN POPLOCK Oplock
+);
+
+typedef
+VOID
+(*PFSRTL_STACK_OVERFLOW_ROUTINE) (
+    IN PVOID    Context,
+    IN PKEVENT  Event
+    );
+
+NTKERNELAPI
+VOID
+FsRtlPostPagingFileStackOverflow (
+    IN PVOID                            Context,
+    IN PKEVENT                          Event,
+    IN PFSRTL_STACK_OVERFLOW_ROUTINE    StackOverflowRoutine
+);
+
+NTKERNELAPI
+VOID
+FsRtlPostStackOverflow (
+    IN PVOID                            Context,
+    IN PKEVENT                          Event,
+    IN PFSRTL_STACK_OVERFLOW_ROUTINE    StackOverflowRoutine
+);
+
+#if (VER_PRODUCTBUILD >= 1381)
+
+NTKERNELAPI
+BOOLEAN
+FsRtlPrepareMdlWriteDev (
+    IN PFILE_OBJECT         FileObject,
+    IN PLARGE_INTEGER       FileOffset,
+    IN ULONG                Length,
+    IN ULONG                LockKey,
+    OUT PMDL                *MdlChain,
+    OUT PIO_STATUS_BLOCK    IoStatus,
+    IN PDEVICE_OBJECT       DeviceObject
+);
+
+#endif // (VER_PRODUCTBUILD >= 1381)
+
+/*
+  FsRtlPrivateLock:
+
+  ret: IoStatus->Status: STATUS_PENDING, STATUS_LOCK_NOT_GRANTED
+
+  Internals: 
+    -Calls IoCompleteRequest if Irp
+    -Uses exception handling / ExRaiseStatus with STATUS_INSUFFICIENT_RESOURCES
+*/
+NTKERNELAPI
+BOOLEAN
+FsRtlPrivateLock (
+    IN PFILE_LOCK           FileLock,
+    IN PFILE_OBJECT         FileObject,
+    IN PLARGE_INTEGER       FileOffset,
+    IN PLARGE_INTEGER       Length,
+    IN PEPROCESS            Process,
+    IN ULONG                Key,
+    IN BOOLEAN              FailImmediately, 
+    IN BOOLEAN              ExclusiveLock,
+    OUT PIO_STATUS_BLOCK    IoStatus, 
+    IN PIRP                 Irp OPTIONAL,
+    IN PVOID                Context,
+    IN BOOLEAN              AlreadySynchronized
+);
+
+/*
+  FsRtlProcessFileLock:
+
+  ret:
+    -STATUS_INVALID_DEVICE_REQUEST
+    -STATUS_RANGE_NOT_LOCKED from unlock routines.
+    -STATUS_PENDING, STATUS_LOCK_NOT_GRANTED from FsRtlPrivateLock
+    (redirected IoStatus->Status).
+
+  Internals: 
+    -switch ( Irp->CurrentStackLocation->MinorFunction )
+        lock: return FsRtlPrivateLock;
+        unlocksingle: return FsRtlFastUnlockSingle;
+        unlockall: return FsRtlFastUnlockAll;
+        unlockallbykey: return FsRtlFastUnlockAllByKey;
+        default: IofCompleteRequest with STATUS_INVALID_DEVICE_REQUEST;
+                 return STATUS_INVALID_DEVICE_REQUEST;
+
+    -'AllwaysZero' is passed thru as 'AllwaysZero' to lock / unlock routines.
+    -'Irp' is passet thru as 'Irp' to FsRtlPrivateLock.
+*/
+NTKERNELAPI
+NTSTATUS
+FsRtlProcessFileLock (
+    IN PFILE_LOCK   FileLock,
+    IN PIRP         Irp,
+    IN PVOID        Context OPTIONAL
+);
+
+NTKERNELAPI
+NTSTATUS
+FsRtlRegisterUncProvider (
+    IN OUT PHANDLE      MupHandle,
+    IN PUNICODE_STRING  RedirectorDeviceName,
+    IN BOOLEAN          MailslotsSupported
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+VOID
+FsRtlReleaseFile (
+    IN PFILE_OBJECT FileObject
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+VOID
+FsRtlRemoveLargeMcbEntry (
+    IN PLARGE_MCB   Mcb,
+    IN LONGLONG     Vbn,
+    IN LONGLONG     SectorCount
+);
+
+NTKERNELAPI
+VOID
+FsRtlRemoveMcbEntry (
+    IN PMCB     Mcb,
+    IN VBN      Vbn,
+    IN ULONG    SectorCount
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+VOID
+FsRtlResetLargeMcb (
+    IN PLARGE_MCB   Mcb,
+    IN BOOLEAN      SelfSynchronized
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+#define FsRtlSetupAdvancedHeader( _advhdr, _fmutx )                         \
+{                                                                           \
+    SetFlag( (_advhdr)->Flags, FSRTL_FLAG_ADVANCED_HEADER );                \
+    SetFlag( (_advhdr)->Flags2, FSRTL_FLAG2_SUPPORTS_FILTER_CONTEXTS );     \
+    (_advhdr)->Version = FSRTL_FCB_HEADER_V1;                               \
+    InitializeListHead( &(_advhdr)->FilterContexts );                       \
+    if ((_fmutx) != NULL) {                                                 \
+        (_advhdr)->FastMutex = (_fmutx);                                    \
+    }                                                                       \
+    *((PULONG_PTR)(&(_advhdr)->PushLock)) = 0;                              \
+    (_advhdr)->FileContextSupportPointer = NULL;                            \
+}
+
+#endif // (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+BOOLEAN
+FsRtlSplitLargeMcb (
+    IN PLARGE_MCB   Mcb,
+    IN LONGLONG     Vbn,
+    IN LONGLONG     Amount
+);
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+VOID
+FsRtlTeardownPerFileContexts (
+    IN PVOID *PerFileContextPointer
+);
+
+NTKERNELAPI
+VOID
+FsRtlTeardownPerStreamContexts (
+    IN PFSRTL_ADVANCED_FCB_HEADER AdvancedHeader
+);
+
+#endif // (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+VOID
+FsRtlTruncateLargeMcb (
+    IN PLARGE_MCB   Mcb,
+    IN LONGLONG     Vbn
+);
+
+NTKERNELAPI
+VOID
+FsRtlTruncateMcb (
+    IN PMCB Mcb,
+    IN VBN  Vbn
+);
+
+NTKERNELAPI
+VOID
+FsRtlUninitializeFileLock (
+    IN PFILE_LOCK FileLock
+);
+
+NTKERNELAPI
+VOID
+FsRtlUninitializeLargeMcb (
+    IN PLARGE_MCB Mcb
+);
+
+NTKERNELAPI
+VOID
+FsRtlUninitializeMcb (
+    IN PMCB Mcb
+);
+
+NTKERNELAPI
+VOID
+FsRtlUninitializeOplock (
+    IN OUT POPLOCK Oplock
+);
+
+//
+// If using HalDisplayString during boot on Windows 2000 or later you must
+// first call InbvEnableDisplayString.
+//
+NTSYSAPI
+VOID
+NTAPI
+HalDisplayString (
+    IN PCHAR String
+);
+
+NTSYSAPI
+VOID
+NTAPI
+HalQueryRealTimeClock (
+    IN OUT PTIME_FIELDS TimeFields
+);
+
+NTSYSAPI
+VOID
+NTAPI
+HalSetRealTimeClock (
+    IN PTIME_FIELDS TimeFields
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+VOID
+InbvAcquireDisplayOwnership (
+    VOID
+);
+
+NTKERNELAPI
+BOOLEAN
+InbvCheckDisplayOwnership (
+    VOID
+);
+
+NTKERNELAPI
+BOOLEAN
+InbvDisplayString (
+    IN PCHAR String
+);
+
+NTKERNELAPI
+VOID
+InbvEnableBootDriver (
+    IN BOOLEAN Enable
+);
+
+NTKERNELAPI
+BOOLEAN
+InbvEnableDisplayString (
+    IN BOOLEAN Enable
+);
+
+NTKERNELAPI
+VOID
+InbvInstallDisplayStringFilter (
+    IN PVOID Unknown
+);
+
+NTKERNELAPI
+BOOLEAN
+InbvIsBootDriverInstalled (
+    VOID
+);
+
+NTKERNELAPI
+VOID
+InbvNotifyDisplayOwnershipLost (
+    IN PVOID Callback
+);
+
+NTKERNELAPI
+BOOLEAN
+InbvResetDisplay (
+    VOID
+);
+
+NTKERNELAPI
+VOID
+InbvSetScrollRegion (
+    IN ULONG Left,
+    IN ULONG Top,
+    IN ULONG Width,
+    IN ULONG Height
+);
+
+NTKERNELAPI
+VOID
+InbvSetTextColor (
+    IN ULONG Color
+);
+
+NTKERNELAPI
+VOID
+InbvSolidColorFill (
+    IN ULONG Left,
+    IN ULONG Top,
+    IN ULONG Width,
+    IN ULONG Height,
+    IN ULONG Color
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+#define InitializeMessageHeader(m, l, t) {                  \
+    (m)->Length = (USHORT)(l);                              \
+    (m)->DataLength = (USHORT)(l - sizeof( LPC_MESSAGE ));  \
+    (m)->MessageType = (USHORT)(t);                         \
+    (m)->DataInfoOffset = 0;                                \
+}
+
+NTKERNELAPI
+VOID
+IoAcquireVpbSpinLock (
+    OUT PKIRQL Irql
+);
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+NTSTATUS
+IoAttachDeviceToDeviceStackSafe (
+    IN PDEVICE_OBJECT   SourceDevice,
+    IN PDEVICE_OBJECT   TargetDevice,
+    OUT PDEVICE_OBJECT  *AttachedToDeviceObject
+);
+
+#endif // (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+NTSTATUS
+IoCheckDesiredAccess (
+    IN OUT PACCESS_MASK DesiredAccess,
+    IN ACCESS_MASK      GrantedAccess
+);
+
+NTKERNELAPI
+NTSTATUS
+IoCheckEaBufferValidity (
+    IN PFILE_FULL_EA_INFORMATION    EaBuffer,
+    IN ULONG                        EaLength,
+    OUT PULONG                      ErrorOffset
+);
+
+NTKERNELAPI
+NTSTATUS
+IoCheckFunctionAccess (
+    IN ACCESS_MASK              GrantedAccess,
+    IN UCHAR                    MajorFunction,
+    IN UCHAR                    MinorFunction,
+    IN ULONG                    IoControlCode,
+    IN PFILE_INFORMATION_CLASS  FileInformationClass OPTIONAL,
+    IN PFS_INFORMATION_CLASS    FsInformationClass OPTIONAL
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+NTSTATUS
+IoCheckQuerySetFileInformation (
+    IN FILE_INFORMATION_CLASS   FileInformationClass,
+    IN ULONG                    Length,
+    IN BOOLEAN                  SetOperation
+);
+
+NTKERNELAPI
+NTSTATUS
+IoCheckQuerySetVolumeInformation (
+    IN FS_INFORMATION_CLASS     FsInformationClass,
+    IN ULONG                    Length,
+    IN BOOLEAN                  SetOperation
+);
+
+NTKERNELAPI
+NTSTATUS
+IoCheckQuotaBufferValidity (
+    IN PFILE_QUOTA_INFORMATION  QuotaBuffer,
+    IN ULONG                    QuotaLength,
+    OUT PULONG                  ErrorOffset
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+NTSTATUS
+IoCreateFileSpecifyDeviceObjectHint (
+    OUT PHANDLE             FileHandle,
+    IN ACCESS_MASK          DesiredAccess,
+    IN POBJECT_ATTRIBUTES   ObjectAttributes,
+    OUT PIO_STATUS_BLOCK    IoStatusBlock,
+    IN PLARGE_INTEGER       AllocationSize OPTIONAL,
+    IN ULONG                FileAttributes,
+    IN ULONG                ShareAccess,
+    IN ULONG                Disposition,
+    IN ULONG                CreateOptions,
+    IN PVOID                EaBuffer OPTIONAL,
+    IN ULONG                EaLength,
+    IN CREATE_FILE_TYPE     CreateFileType,
+    IN PVOID                ExtraCreateParameters OPTIONAL,
+    IN ULONG                Options,
+    IN PVOID                DeviceObject
+);
+
+#endif // (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+PFILE_OBJECT
+IoCreateStreamFileObject (
+    IN PFILE_OBJECT     FileObject OPTIONAL,
+    IN PDEVICE_OBJECT   DeviceObject OPTIONAL
+);
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+PFILE_OBJECT
+IoCreateStreamFileObjectEx (
+    IN PFILE_OBJECT     FileObject OPTIONAL,
+    IN PDEVICE_OBJECT   DeviceObject OPTIONAL,
+    OUT PHANDLE         FileObjectHandle OPTIONAL
+);
+
+#endif // (VER_PRODUCTBUILD >= 2600)
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+PFILE_OBJECT
+IoCreateStreamFileObjectLite (
+    IN PFILE_OBJECT     FileObject OPTIONAL,
+    IN PDEVICE_OBJECT   DeviceObject OPTIONAL
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+NTSTATUS
+IoEnumerateDeviceObjectList (
+    IN PDRIVER_OBJECT   DriverObject,
+    IN PDEVICE_OBJECT   *DeviceObjectList,
+    IN ULONG            DeviceObjectListSize,
+    OUT PULONG          ActualNumberDeviceObjects
+);
+
+#endif // (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+BOOLEAN
+IoFastQueryNetworkAttributes (
+    IN POBJECT_ATTRIBUTES               ObjectAttributes,
+    IN ACCESS_MASK                      DesiredAccess,
+    IN ULONG                            OpenOptions,
+    OUT PIO_STATUS_BLOCK                IoStatus,
+    OUT PFILE_NETWORK_OPEN_INFORMATION  Buffer
+);
+
+NTKERNELAPI
+PDEVICE_OBJECT
+IoGetAttachedDevice (
+    IN PDEVICE_OBJECT DeviceObject
+);
+
+NTKERNELAPI
+PDEVICE_OBJECT
+IoGetBaseFileSystemDeviceObject (
+    IN PFILE_OBJECT FileObject
+);
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+PDEVICE_OBJECT
+IoGetDeviceAttachmentBaseRef (
+    IN PDEVICE_OBJECT DeviceObject
+);
+
+NTKERNELAPI
+NTSTATUS
+IoGetDiskDeviceObject (
+    IN PDEVICE_OBJECT   FileSystemDeviceObject,
+    OUT PDEVICE_OBJECT  *DiskDeviceObject
+);
+
+NTKERNELAPI
+PDEVICE_OBJECT
+IoGetLowerDeviceObject (
+    IN PDEVICE_OBJECT DeviceObject
+);
+
+#endif // (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+PEPROCESS
+IoGetRequestorProcess (
+    IN PIRP Irp
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+ULONG
+IoGetRequestorProcessId (
+    IN PIRP Irp
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+PIRP
+IoGetTopLevelIrp (
+    VOID
+);
+
+#define IoIsFileOpenedExclusively(FileObject) ( \
+    (BOOLEAN) !(                                \
+    (FileObject)->SharedRead ||                 \
+    (FileObject)->SharedWrite ||                \
+    (FileObject)->SharedDelete                  \
+    )                                           \
+)
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+BOOLEAN
+IoIsFileOriginRemote (
+    IN PFILE_OBJECT FileObject
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+BOOLEAN
+IoIsOperationSynchronous (
+    IN PIRP Irp
+);
+
+NTKERNELAPI
+BOOLEAN
+IoIsSystemThread (
+    IN PETHREAD Thread
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+BOOLEAN
+IoIsValidNameGraftingBuffer (
+    IN PIRP                 Irp,
+    IN PREPARSE_DATA_BUFFER ReparseBuffer
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+NTSTATUS
+IoPageRead (
+    IN PFILE_OBJECT         FileObject,
+    IN PMDL                 Mdl,
+    IN PLARGE_INTEGER       Offset,
+    IN PKEVENT              Event,
+    OUT PIO_STATUS_BLOCK    IoStatusBlock
+);
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+NTSTATUS
+IoQueryFileDosDeviceName (
+    IN PFILE_OBJECT                 FileObject,
+    OUT POBJECT_NAME_INFORMATION    *ObjectNameInformation
+);
+
+#endif // (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+NTSTATUS
+IoQueryFileInformation (
+    IN PFILE_OBJECT             FileObject,
+    IN FILE_INFORMATION_CLASS   FileInformationClass,
+    IN ULONG                    Length,
+    OUT PVOID                   FileInformation,
+    OUT PULONG                  ReturnedLength
+);
+
+NTKERNELAPI
+NTSTATUS
+IoQueryVolumeInformation (
+    IN PFILE_OBJECT         FileObject,
+    IN FS_INFORMATION_CLASS FsInformationClass,
+    IN ULONG                Length,
+    OUT PVOID               FsInformation,
+    OUT PULONG              ReturnedLength
+);
+
+#if (VER_PRODUCTBUILD >= 1381)
+
+NTKERNELAPI
+VOID
+IoQueueThreadIrp (
+    IN PIRP Irp
+);
+
+#endif // (VER_PRODUCTBUILD >= 1381)
+
+NTKERNELAPI
+VOID
+IoRegisterFileSystem (
+    IN OUT PDEVICE_OBJECT DeviceObject
+);
+
+#if (VER_PRODUCTBUILD >= 1381)
+
+typedef VOID (*PDRIVER_FS_NOTIFICATION) (
+    IN PDEVICE_OBJECT DeviceObject,
+    IN BOOLEAN        DriverActive
+);
+
+NTKERNELAPI
+NTSTATUS
+IoRegisterFsRegistrationChange (
+    IN PDRIVER_OBJECT           DriverObject,
+    IN PDRIVER_FS_NOTIFICATION  DriverNotificationRoutine
+);
+
+#endif // (VER_PRODUCTBUILD >= 1381)
+
+NTKERNELAPI
+VOID
+IoReleaseVpbSpinLock (
+    IN KIRQL Irql
+);
+
+NTKERNELAPI
+VOID
+IoSetDeviceToVerify (
+    IN PETHREAD         Thread,
+    IN PDEVICE_OBJECT   DeviceObject
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+NTSTATUS
+IoSetFileOrigin (
+    IN PFILE_OBJECT FileObject,
+    IN BOOLEAN      Remote
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+NTSTATUS
+IoSetInformation (
+    IN PFILE_OBJECT             FileObject,
+    IN FILE_INFORMATION_CLASS   FileInformationClass,
+    IN ULONG                    Length,
+    IN PVOID                    FileInformation
+);
+
+NTKERNELAPI
+VOID
+IoSetTopLevelIrp (
+    IN PIRP Irp
+);
+
+NTKERNELAPI
+NTSTATUS
+IoSynchronousPageWrite (
+    IN PFILE_OBJECT         FileObject,
+    IN PMDL                 Mdl,
+    IN PLARGE_INTEGER       FileOffset,
+    IN PKEVENT              Event,
+    OUT PIO_STATUS_BLOCK    IoStatusBlock
+);
+
+NTKERNELAPI
+PEPROCESS
+IoThreadToProcess (
+    IN PETHREAD Thread
+);
+
+NTKERNELAPI
+VOID
+IoUnregisterFileSystem (
+    IN OUT PDEVICE_OBJECT DeviceObject
+);
+
+#if (VER_PRODUCTBUILD >= 1381)
+
+NTKERNELAPI
+NTSTATUS
+IoUnregisterFsRegistrationChange (
+    IN PDRIVER_OBJECT           DriverObject,
+    IN PDRIVER_FS_NOTIFICATION  DriverNotificationRoutine
+);
+
+#endif // (VER_PRODUCTBUILD >= 1381)
+
+NTKERNELAPI
+NTSTATUS
+IoVerifyVolume (
+    IN PDEVICE_OBJECT   DeviceObject,
+    IN BOOLEAN          AllowRawMount
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+KIRQL
+FASTCALL
+KeAcquireQueuedSpinLock (
+    IN KSPIN_LOCK_QUEUE_NUMBER Number
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+VOID
+KeAttachProcess (
+    IN PEPROCESS Process
+);
+
+NTKERNELAPI
+VOID
+KeDetachProcess (
+    VOID
+);
+
+NTKERNELAPI
+VOID
+KeInitializeApc (
+    PKAPC               Apc,
+    PKTHREAD            Thread,
+    UCHAR               StateIndex,
+    PKKERNEL_ROUTINE    KernelRoutine,
+    PKRUNDOWN_ROUTINE   RundownRoutine,
+    PKNORMAL_ROUTINE    NormalRoutine,
+    KPROCESSOR_MODE     ApcMode,
+    PVOID               NormalContext
+);
+
+NTKERNELAPI
+VOID
+KeInitializeMutant (
+    IN PRKMUTANT    Mutant,
+    IN BOOLEAN      InitialOwner
+);
+
+NTKERNELAPI
+VOID
+KeInitializeQueue (
+    IN PRKQUEUE Queue,
+    IN ULONG    Count OPTIONAL
+);
+
+NTKERNELAPI
+LONG
+KeInsertHeadQueue (
+    IN PRKQUEUE     Queue,
+    IN PLIST_ENTRY  Entry
+);
+
+NTKERNELAPI
+LONG
+KeInsertQueue (
+    IN PRKQUEUE     Queue,
+    IN PLIST_ENTRY  Entry
+);
+
+NTKERNELAPI
+BOOLEAN
+KeInsertQueueApc (
+    IN PKAPC        Apc,
+    IN PVOID        SystemArgument1,
+    IN PVOID        SystemArgument2,
+    IN KPRIORITY    Increment
+);
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+BOOLEAN
+KeIsAttachedProcess (
+    VOID
+);
+
+#endif // (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+BOOLEAN
+KeIsExecutingDpc (
+    VOID
+);
+
+NTKERNELAPI
+LONG
+KeReadStateMutant (
+    IN PRKMUTANT Mutant
+);
+
+NTKERNELAPI
+LONG
+KeReadStateQueue (
+    IN PRKQUEUE Queue
+);
+
+NTKERNELAPI
+LONG
+KeReleaseMutant (
+    IN PRKMUTANT    Mutant,
+    IN KPRIORITY    Increment,
+    IN BOOLEAN      Abandoned,
+    IN BOOLEAN      Wait
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+VOID
+FASTCALL
+KeReleaseQueuedSpinLock (
+    IN KSPIN_LOCK_QUEUE_NUMBER  Number,
+    IN KIRQL                    OldIrql
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+PLIST_ENTRY
+KeRemoveQueue (
+    IN PRKQUEUE         Queue,
+    IN KPROCESSOR_MODE  WaitMode,
+    IN PLARGE_INTEGER   Timeout OPTIONAL
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+NTSTATUS
+KeRevertToUserAffinityThread (
+    VOID
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+PLIST_ENTRY
+KeRundownQueue (
+    IN PRKQUEUE Queue
+);
+
+#if (VER_PRODUCTBUILD >= 1381)
+
+NTKERNELAPI
+CCHAR
+KeSetIdealProcessorThread (
+    IN PKTHREAD Thread,
+    IN CCHAR    Processor
+);
+
+NTKERNELAPI
+BOOLEAN
+KeSetKernelStackSwapEnable (
+    IN BOOLEAN Enable
+);
+
+#endif // (VER_PRODUCTBUILD >= 1381)
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+VOID
+KeStackAttachProcess (
+    IN PKPROCESS    Process,
+    OUT PKAPC_STATE ApcState
+);
+
+NTKERNELAPI
+LOGICAL
+FASTCALL
+KeTryToAcquireQueuedSpinLock (
+    IN KSPIN_LOCK_QUEUE_NUMBER  Number,
+    IN PKIRQL                   OldIrql
+);
+
+NTKERNELAPI
+VOID
+KeUnstackDetachProcess (
+    IN PKAPC_STATE ApcState
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+NTSTATUS
+KeUpdateSystemTime (
+    VOID
+);
+
+NTKERNELAPI
+BOOLEAN
+MmCanFileBeTruncated (
+    IN PSECTION_OBJECT_POINTERS     SectionObjectPointer,
+    IN PLARGE_INTEGER               NewFileSize
+);
+
+NTKERNELAPI
+NTSTATUS
+MmCreateSection (
+    OUT PVOID               *SectionObject,
+    IN ACCESS_MASK          DesiredAccess,
+    IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
+    IN PLARGE_INTEGER       MaximumSize,
+    IN ULONG                SectionPageProtection,
+    IN ULONG                AllocationAttributes,
+    IN HANDLE               FileHandle OPTIONAL,
+    IN PFILE_OBJECT         FileObject OPTIONAL
+);
+
+NTKERNELAPI
+BOOLEAN
+MmFlushImageSection (
+    IN PSECTION_OBJECT_POINTERS     SectionObjectPointer,
+    IN MMFLUSH_TYPE                 FlushType
+);
+
+NTKERNELAPI
+BOOLEAN
+MmForceSectionClosed (
+    IN PSECTION_OBJECT_POINTERS SectionObjectPointer,
+    IN BOOLEAN                  DelayClose
+);
+
+#if (VER_PRODUCTBUILD >= 1381)
+
+NTKERNELAPI
+BOOLEAN
+MmIsRecursiveIoFault (
+    VOID
+);
+
+#else
+
+#define MmIsRecursiveIoFault() (                            \
+    (PsGetCurrentThread()->DisablePageFaultClustering) |    \
+    (PsGetCurrentThread()->ForwardClusterOnly)              \
+)
+
+#endif
+
+NTKERNELAPI
+NTSTATUS
+MmMapViewOfSection (
+    IN PVOID                SectionObject,
+    IN PEPROCESS            Process,
+    IN OUT PVOID            *BaseAddress,
+    IN ULONG                ZeroBits,
+    IN ULONG                CommitSize,
+    IN OUT PLARGE_INTEGER   SectionOffset OPTIONAL,
+    IN OUT PULONG           ViewSize,
+    IN SECTION_INHERIT      InheritDisposition,
+    IN ULONG                AllocationType,
+    IN ULONG                Protect
+);
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+NTSTATUS
+MmPrefetchPages (
+    IN ULONG        NumberOfLists,
+    IN PREAD_LIST   *ReadLists
+);
+
+#endif // (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+BOOLEAN
+MmSetAddressRangeModified (
+    IN PVOID    Address,
+    IN SIZE_T   Length
+);
+
+NTKERNELAPI
+NTSTATUS
+ObCreateObject (
+    IN KPROCESSOR_MODE      ObjectAttributesAccessMode OPTIONAL,
+    IN POBJECT_TYPE         ObjectType,
+    IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
+    IN KPROCESSOR_MODE      AccessMode,
+    IN OUT PVOID            ParseContext OPTIONAL,
+    IN ULONG                ObjectSize,
+    IN ULONG                PagedPoolCharge OPTIONAL,
+    IN ULONG                NonPagedPoolCharge OPTIONAL,
+    OUT PVOID               *Object
+);
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+VOID
+ObDereferenceSecurityDescriptor (
+    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+    IN ULONG                Count
+);
+
+#endif // (VER_PRODUCTBUILD >= 2600)
+
+#if (VER_PRODUCTBUILD <= 2195)
+
+NTKERNELAPI
+ULONG
+ObGetObjectPointerCount (
+    IN PVOID Object
+);
+
+#endif // (VER_PRODUCTBUILD <= 2195)
+
+NTKERNELAPI
+NTSTATUS
+ObInsertObject (
+    IN PVOID            Object,
+    IN PACCESS_STATE    PassedAccessState OPTIONAL,
+    IN ACCESS_MASK      DesiredAccess,
+    IN ULONG            AdditionalReferences,
+    OUT PVOID           *ReferencedObject OPTIONAL,
+    OUT PHANDLE         Handle
+);
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+NTSTATUS
+ObLogSecurityDescriptor (
+    IN PSECURITY_DESCRIPTOR     InputSecurityDescriptor,
+    OUT PSECURITY_DESCRIPTOR    *OutputSecurityDescriptor,
+    IN ULONG                    RefBias
+);
+
+#endif // (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+VOID
+ObMakeTemporaryObject (
+    IN PVOID Object
+);
+
+NTKERNELAPI
+NTSTATUS
+ObOpenObjectByPointer (
+    IN PVOID            Object,
+    IN ULONG            HandleAttributes,
+    IN PACCESS_STATE    PassedAccessState OPTIONAL,
+    IN ACCESS_MASK      DesiredAccess OPTIONAL,
+    IN POBJECT_TYPE     ObjectType OPTIONAL,
+    IN KPROCESSOR_MODE  AccessMode,
+    OUT PHANDLE         Handle
+);
+
+NTKERNELAPI
+NTSTATUS
+ObQueryNameString (
+    IN PVOID                        Object,
+    OUT POBJECT_NAME_INFORMATION    ObjectNameInfo,
+    IN ULONG                        Length,
+    OUT PULONG                      ReturnLength
+);
+
+NTKERNELAPI
+NTSTATUS
+ObQueryObjectAuditingByHandle (
+    IN HANDLE       Handle,
+    OUT PBOOLEAN    GenerateOnClose
+);
+
+NTKERNELAPI
+NTSTATUS
+ObReferenceObjectByName (
+    IN PUNICODE_STRING  ObjectName,
+    IN ULONG            Attributes,
+    IN PACCESS_STATE    PassedAccessState OPTIONAL,
+    IN ACCESS_MASK      DesiredAccess OPTIONAL,
+    IN POBJECT_TYPE     ObjectType,
+    IN KPROCESSOR_MODE  AccessMode,
+    IN OUT PVOID        ParseContext OPTIONAL,
+    OUT PVOID           *Object
+);
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+VOID
+ObReferenceSecurityDescriptor (
+    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+    IN ULONG                Count
+);
+
+NTKERNELAPI
+NTSTATUS
+PoQueueShutdownWorkItem (
+    IN PWORK_QUEUE_ITEM WorkItem
+);
+
+#endif // (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+NTSTATUS
+PsAssignImpersonationToken (
+    IN PETHREAD Thread,
+    IN HANDLE   Token
+);
+
+NTKERNELAPI
+VOID
+PsChargePoolQuota (
+    IN PEPROCESS    Process,
+    IN POOL_TYPE    PoolType,
+    IN ULONG        Amount
+);
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+NTSTATUS
+PsChargeProcessNonPagedPoolQuota (
+    IN PEPROCESS Process,
+    IN ULONG_PTR Amount
+);
+
+NTKERNELAPI
+NTSTATUS
+PsChargeProcessPagedPoolQuota (
+    IN PEPROCESS Process,
+    IN ULONG_PTR Amount
+);
+
+NTKERNELAPI
+NTSTATUS
+PsChargeProcessPoolQuota (
+    IN PEPROCESS Process,
+    IN POOL_TYPE PoolType,
+    IN ULONG_PTR Amount
+);
+
+#endif // (VER_PRODUCTBUILD >= 2600)
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+VOID
+PsDereferenceImpersonationToken (
+    IN PACCESS_TOKEN ImpersonationToken
+);
+
+NTKERNELAPI
+VOID
+PsDereferencePrimaryToken (
+    IN PACCESS_TOKEN PrimaryToken
+);
+
+#else
+
+#define PsDereferenceImpersonationToken(T)  \
+            {if (ARGUMENT_PRESENT(T)) {     \
+                (ObDereferenceObject((T))); \
+            } else {                        \
+                ;                           \
+            }                               \
+}
+
+#define PsDereferencePrimaryToken(T) (ObDereferenceObject((T)))
+
+#endif
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+BOOLEAN
+PsDisableImpersonation (
+    IN PETHREAD                 Thread,
+    IN PSE_IMPERSONATION_STATE  ImpersonationState
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+ULONG
+PsGetCurrentProcessSessionId (
+    VOID
+);
+
+NTKERNELAPI
+KPROCESSOR_MODE
+PsGetCurrentThreadPreviousMode (
+    VOID
+);
+
+NTKERNELAPI
+PVOID
+PsGetCurrentThreadStackBase (
+    VOID
+);
+
+NTKERNELAPI
+PVOID
+PsGetCurrentThreadStackLimit (
+    VOID
+);
+
+#endif // (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+LARGE_INTEGER
+PsGetProcessExitTime (
+    VOID
+);
+
+NTKERNELAPI
+NTSTATUS
+PsImpersonateClient (
+    IN PETHREAD                     Thread,
+    IN PACCESS_TOKEN                Token,
+    IN BOOLEAN                      CopyOnOpen,
+    IN BOOLEAN                      EffectiveOnly,
+    IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
+);
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+BOOLEAN
+PsIsSystemThread (
+    IN PETHREAD Thread
+);
+
+#endif // (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+BOOLEAN
+PsIsThreadTerminating (
+    IN PETHREAD Thread
+);
+
+//
+// PsLookupProcessByProcessId returns a referenced pointer to the process
+// that should be dereferenced after use with a call to ObDereferenceObject.
+//
+NTKERNELAPI
+NTSTATUS
+PsLookupProcessByProcessId (
+    IN PVOID        ProcessId,
+    OUT PEPROCESS   *Process
+);
+
+NTKERNELAPI
+NTSTATUS
+PsLookupProcessThreadByCid (
+    IN PCLIENT_ID   Cid,
+    OUT PEPROCESS   *Process OPTIONAL,
+    OUT PETHREAD    *Thread
+);
+
+NTKERNELAPI
+NTSTATUS
+PsLookupThreadByThreadId (
+    IN PVOID        UniqueThreadId,
+    OUT PETHREAD    *Thread
+);
+
+NTKERNELAPI
+PACCESS_TOKEN
+PsReferenceImpersonationToken (
+    IN PETHREAD                         Thread,
+    OUT PBOOLEAN                        CopyOnOpen,
+    OUT PBOOLEAN                        EffectiveOnly,
+    OUT PSECURITY_IMPERSONATION_LEVEL   ImpersonationLevel
+);
+
+NTKERNELAPI
+PACCESS_TOKEN
+PsReferencePrimaryToken (
+    IN PEPROCESS Process
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+VOID
+PsRestoreImpersonation (
+    IN PETHREAD                 Thread,
+    IN PSE_IMPERSONATION_STATE  ImpersonationState
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+VOID
+PsReturnPoolQuota (
+    IN PEPROCESS    Process,
+    IN POOL_TYPE    PoolType,
+    IN ULONG        Amount
+);
+
+#if (VER_PRODUCTBUILD >= 1381)
+
+NTKERNELAPI
+VOID
+PsRevertToSelf (
+    VOID
+);
+
+#endif // (VER_PRODUCTBUILD >= 1381)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlAbsoluteToSelfRelativeSD (
+    IN PSECURITY_DESCRIPTOR     AbsoluteSecurityDescriptor,
+    IN OUT PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor,
+    IN PULONG                   BufferLength
+);
+
+NTSYSAPI
+PVOID
+NTAPI
+RtlAllocateHeap (
+    IN HANDLE  HeapHandle,
+    IN ULONG   Flags,
+    IN ULONG   Size
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlCompressBuffer (
+    IN USHORT   CompressionFormatAndEngine,
+    IN PUCHAR   UncompressedBuffer,
+    IN ULONG    UncompressedBufferSize,
+    OUT PUCHAR  CompressedBuffer,
+    IN ULONG    CompressedBufferSize,
+    IN ULONG    UncompressedChunkSize,
+    OUT PULONG  FinalCompressedSize,
+    IN PVOID    WorkSpace
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlCompressChunks (
+    IN PUCHAR                       UncompressedBuffer,
+    IN ULONG                        UncompressedBufferSize,
+    OUT PUCHAR                      CompressedBuffer,
+    IN ULONG                        CompressedBufferSize,
+    IN OUT PCOMPRESSED_DATA_INFO    CompressedDataInfo,
+    IN ULONG                        CompressedDataInfoLength,
+    IN PVOID                        WorkSpace
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlConvertSidToUnicodeString (
+    OUT PUNICODE_STRING DestinationString,
+    IN PSID             Sid,
+    IN BOOLEAN          AllocateDestinationString
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlCopySid (
+    IN ULONG   Length,
+    IN PSID    Destination,
+    IN PSID    Source
+);
+
+NTSYSAPI
+HANDLE
+NTAPI
+RtlCreateHeap (
+    IN ULONG Flags,
+    IN PVOID Base,
+    IN ULONG Reserve, 
+    IN ULONG Commit, 
+    IN ULONG Lock, 
+    IN PVOID RtlHeapParams
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlDecompressBuffer (
+    IN USHORT   CompressionFormat,
+    OUT PUCHAR  UncompressedBuffer,
+    IN ULONG    UncompressedBufferSize,
+    IN PUCHAR   CompressedBuffer,
+    IN ULONG    CompressedBufferSize,
+    OUT PULONG  FinalUncompressedSize
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlDecompressChunks (
+    OUT PUCHAR                  UncompressedBuffer,
+    IN ULONG                    UncompressedBufferSize,
+    IN PUCHAR                   CompressedBuffer,
+    IN ULONG                    CompressedBufferSize,
+    IN PUCHAR                   CompressedTail,
+    IN ULONG                    CompressedTailSize,
+    IN PCOMPRESSED_DATA_INFO    CompressedDataInfo
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlDecompressFragment (
+    IN USHORT   CompressionFormat,
+    OUT PUCHAR  UncompressedFragment,
+    IN ULONG    UncompressedFragmentSize,
+    IN PUCHAR   CompressedBuffer,
+    IN ULONG    CompressedBufferSize,
+    IN ULONG    FragmentOffset,
+    OUT PULONG  FinalUncompressedSize,
+    IN PVOID    WorkSpace
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlDescribeChunk (
+    IN USHORT       CompressionFormat,
+    IN OUT PUCHAR   *CompressedBuffer,
+    IN PUCHAR       EndOfCompressedBufferPlus1,
+    OUT PUCHAR      *ChunkBuffer,
+    OUT PULONG      ChunkSize
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlDestroyHeap (
+    IN HANDLE  HeapHandle
+);
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlEqualSid (
+    IN PSID Sid1,
+    IN PSID Sid2
+);
+
+NTSYSAPI
+VOID
+NTAPI
+RtlFillMemoryUlong (
+    IN PVOID    Destination,
+    IN ULONG    Length,
+    IN ULONG    Fill
+);
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlFreeHeap (
+    IN HANDLE  HeapHandle,
+    IN ULONG   Flags,
+    IN PVOID   P
+);
+
+NTSYSAPI
+VOID
+NTAPI
+RtlGenerate8dot3Name (
+    IN PUNICODE_STRING              Name,
+    IN BOOLEAN                      AllowExtendedCharacters,
+    IN OUT PGENERATE_NAME_CONTEXT   Context,
+    OUT PUNICODE_STRING             Name8dot3
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlGetCompressionWorkSpaceSize (
+    IN USHORT   CompressionFormatAndEngine,
+    OUT PULONG  CompressBufferWorkSpaceSize,
+    OUT PULONG  CompressFragmentWorkSpaceSize
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlGetDaclSecurityDescriptor (
+    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+    OUT PBOOLEAN            DaclPresent,
+    OUT PACL                *Dacl,
+    OUT PBOOLEAN            DaclDefaulted
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlGetGroupSecurityDescriptor (
+    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+    OUT PSID                *Group,
+    OUT PBOOLEAN            GroupDefaulted
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlGetNtGlobalFlags (
+    VOID
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlGetOwnerSecurityDescriptor (
+    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+    OUT PSID                *Owner,
+    OUT PBOOLEAN            OwnerDefaulted
+);
+
+//
+// This function returns a PIMAGE_NT_HEADERS,
+// see the standard include file winnt.h
+//
+NTSYSAPI
+PVOID
+NTAPI
+RtlImageNtHeader (
+    IN PVOID BaseAddress
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlInitializeSid (
+    IN OUT PSID                     Sid,
+    IN PSID_IDENTIFIER_AUTHORITY    IdentifierAuthority,
+    IN UCHAR                        SubAuthorityCount
+);
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlIsNameLegalDOS8Dot3 (
+    IN PUNICODE_STRING UnicodeName,
+    IN PANSI_STRING    AnsiName,
+    PBOOLEAN           Unknown
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlLengthRequiredSid (
+    IN UCHAR SubAuthorityCount
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlLengthSid (
+    IN PSID Sid
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlNtStatusToDosError (
+    IN NTSTATUS Status
+);
+
+#define RtlOemStringToCountedUnicodeSize(STRING) (                    \
+    (ULONG)(RtlOemStringToUnicodeSize(STRING) - sizeof(UNICODE_NULL)) \
+)
+
+#define RtlOemStringToUnicodeSize(STRING) (                \
+    NLS_MB_OEM_CODE_PAGE_TAG ?                             \
+    RtlxOemStringToUnicodeSize(STRING) :                   \
+    ((STRING)->Length + sizeof(ANSI_NULL)) * sizeof(WCHAR) \
+)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlOemStringToUnicodeString (
+    OUT PUNICODE_STRING DestinationString,
+    IN POEM_STRING      SourceString,
+    IN BOOLEAN          AllocateDestinationString
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlRandom (
+    IN PULONG Seed
+);
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlRandomEx (
+    IN PULONG Seed
+);
+
+#endif // (VER_PRODUCTBUILD >= 2600)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlReserveChunk (
+    IN USHORT       CompressionFormat,
+    IN OUT PUCHAR   *CompressedBuffer,
+    IN PUCHAR       EndOfCompressedBufferPlus1,
+    OUT PUCHAR      *ChunkBuffer,
+    IN ULONG        ChunkSize
+);
+
+NTSYSAPI
+VOID
+NTAPI
+RtlSecondsSince1970ToTime (
+    IN ULONG            SecondsSince1970,
+    OUT PLARGE_INTEGER  Time
+);
+
+NTSYSAPI
+VOID
+NTAPI
+RtlSecondsSince1980ToTime (
+    IN ULONG            SecondsSince1980,
+    OUT PLARGE_INTEGER  Time
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlSelfRelativeToAbsoluteSD (
+    IN PSECURITY_DESCRIPTOR     SelfRelativeSD,
+    OUT PSECURITY_DESCRIPTOR    AbsoluteSD,
+    IN PULONG                   AbsoluteSDSize,
+    IN PACL                     Dacl,
+    IN PULONG                   DaclSize,
+    IN PACL                     Sacl,
+    IN PULONG                   SaclSize,
+    IN PSID                     Owner,
+    IN PULONG                   OwnerSize,
+    IN PSID                     PrimaryGroup,
+    IN PULONG                   PrimaryGroupSize
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlSetGroupSecurityDescriptor (
+    IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
+    IN PSID                     Group,
+    IN BOOLEAN                  GroupDefaulted
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlSetOwnerSecurityDescriptor (
+    IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
+    IN PSID                     Owner,
+    IN BOOLEAN                  OwnerDefaulted
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlSetSaclSecurityDescriptor (
+    IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
+    IN BOOLEAN                  SaclPresent,
+    IN PACL                     Sacl,
+    IN BOOLEAN                  SaclDefaulted
+);
+
+NTSYSAPI
+PUCHAR
+NTAPI
+RtlSubAuthorityCountSid (
+    IN PSID Sid
+);
+
+NTSYSAPI
+PULONG
+NTAPI
+RtlSubAuthoritySid (
+    IN PSID    Sid,
+    IN ULONG   SubAuthority
+);
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlTimeToSecondsSince1970 (
+    IN PLARGE_INTEGER   Time,
+    OUT PULONG          SecondsSince1970
+);
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlTimeToSecondsSince1980 (
+    IN PLARGE_INTEGER   Time,
+    OUT PULONG          SecondsSince1980
+);
+
+#define RtlUnicodeStringToOemSize(STRING) (                   \
+    NLS_MB_OEM_CODE_PAGE_TAG ?                                \
+    RtlxUnicodeStringToOemSize(STRING) :                      \
+    ((STRING)->Length + sizeof(UNICODE_NULL)) / sizeof(WCHAR) \
+)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlUnicodeStringToOemString (
+    OUT POEM_STRING     DestinationString,
+    IN PUNICODE_STRING  SourceString,
+    IN BOOLEAN          AllocateDestinationString
+);
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlValidSid (
+    IN PSID Sid
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlxOemStringToUnicodeSize (
+    IN POEM_STRING OemString
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlxUnicodeStringToAnsiSize (
+    IN PUNICODE_STRING UnicodeString
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlxUnicodeStringToOemSize (
+    IN PUNICODE_STRING UnicodeString
+);
+
+NTKERNELAPI
+NTSTATUS
+SeAppendPrivileges (
+    PACCESS_STATE   AccessState,
+    PPRIVILEGE_SET  Privileges
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+VOID
+SeAuditHardLinkCreation (
+    IN PUNICODE_STRING  FileName,
+    IN PUNICODE_STRING  LinkName,
+    IN BOOLEAN          Success
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+BOOLEAN
+SeAuditingFileEvents (
+    IN BOOLEAN              AccessGranted,
+    IN PSECURITY_DESCRIPTOR SecurityDescriptor
+);
+
+NTKERNELAPI
+BOOLEAN
+SeAuditingFileOrGlobalEvents (
+    IN BOOLEAN                      AccessGranted,
+    IN PSECURITY_DESCRIPTOR         SecurityDescriptor,
+    IN PSECURITY_SUBJECT_CONTEXT    SubjectContext
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+BOOLEAN
+SeAuditingHardLinkEvents (
+    IN BOOLEAN              AccessGranted,
+    IN PSECURITY_DESCRIPTOR SecurityDescriptor
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+VOID
+SeCaptureSubjectContext (
+    OUT PSECURITY_SUBJECT_CONTEXT SubjectContext
+);
+
+NTKERNELAPI
+NTSTATUS
+SeCreateAccessState (
+    OUT PACCESS_STATE   AccessState,
+    IN PVOID            AuxData,
+    IN ACCESS_MASK      AccessMask,
+    IN PGENERIC_MAPPING Mapping
+);
+
+NTKERNELAPI
+NTSTATUS
+SeCreateClientSecurity (
+    IN PETHREAD                     Thread,
+    IN PSECURITY_QUALITY_OF_SERVICE QualityOfService,
+    IN BOOLEAN                      RemoteClient,
+    OUT PSECURITY_CLIENT_CONTEXT    ClientContext
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+NTSTATUS
+SeCreateClientSecurityFromSubjectContext (
+    IN PSECURITY_SUBJECT_CONTEXT    SubjectContext,
+    IN PSECURITY_QUALITY_OF_SERVICE QualityOfService,
+    IN BOOLEAN                      ServerIsRemote,
+    OUT PSECURITY_CLIENT_CONTEXT    ClientContext
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+VOID
+SeDeleteAccessState (
+    IN PACCESS_STATE AccessState
+);
+
+#define SeDeleteClientSecurity(C)  {                                           \
+            if (SeTokenType((C)->ClientToken) == TokenPrimary) {               \
+                PsDereferencePrimaryToken( (C)->ClientToken );                 \
+            } else {                                                           \
+                PsDereferenceImpersonationToken( (C)->ClientToken );           \
+            }                                                                  \
+}
+
+NTKERNELAPI
+VOID
+SeDeleteObjectAuditAlarm (
+    IN PVOID    Object,
+    IN HANDLE   Handle
+);
+
+#define SeEnableAccessToExports() SeExports = *(PSE_EXPORTS *)SeExports;
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+NTSTATUS
+SeFilterToken (
+    IN PACCESS_TOKEN        ExistingToken,
+    IN ULONG                Flags,
+    IN PTOKEN_GROUPS        SidsToDisable OPTIONAL,
+    IN PTOKEN_PRIVILEGES    PrivilegesToDelete OPTIONAL,
+    IN PTOKEN_GROUPS        RestrictedSids OPTIONAL,
+    OUT PACCESS_TOKEN       *FilteredToken
+);
+
+#endif // (VER_PRODUCTBUILD >= 2600)
+
+NTKERNELAPI
+VOID
+SeFreePrivileges (
+    IN PPRIVILEGE_SET Privileges
+);
+
+NTKERNELAPI
+VOID
+SeImpersonateClient (
+    IN PSECURITY_CLIENT_CONTEXT ClientContext,
+    IN PETHREAD                 ServerThread OPTIONAL
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+NTSTATUS
+SeImpersonateClientEx (
+    IN PSECURITY_CLIENT_CONTEXT ClientContext,
+    IN PETHREAD                 ServerThread OPTIONAL
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+VOID
+SeLockSubjectContext (
+    IN PSECURITY_SUBJECT_CONTEXT SubjectContext
+);
+
+NTKERNELAPI
+NTSTATUS
+SeMarkLogonSessionForTerminationNotification (
+    IN PLUID LogonId
+);
+
+NTKERNELAPI
+VOID
+SeOpenObjectAuditAlarm (
+    IN PUNICODE_STRING      ObjectTypeName,
+    IN PVOID                Object OPTIONAL,
+    IN PUNICODE_STRING      AbsoluteObjectName OPTIONAL,
+    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+    IN PACCESS_STATE        AccessState,
+    IN BOOLEAN              ObjectCreated,
+    IN BOOLEAN              AccessGranted,
+    IN KPROCESSOR_MODE      AccessMode,
+    OUT PBOOLEAN            GenerateOnClose
+);
+
+NTKERNELAPI
+VOID
+SeOpenObjectForDeleteAuditAlarm (
+    IN PUNICODE_STRING      ObjectTypeName,
+    IN PVOID                Object OPTIONAL,
+    IN PUNICODE_STRING      AbsoluteObjectName OPTIONAL,
+    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+    IN PACCESS_STATE        AccessState,
+    IN BOOLEAN              ObjectCreated,
+    IN BOOLEAN              AccessGranted,
+    IN KPROCESSOR_MODE      AccessMode,
+    OUT PBOOLEAN            GenerateOnClose
+);
+
+NTKERNELAPI
+BOOLEAN
+SePrivilegeCheck (
+    IN OUT PPRIVILEGE_SET           RequiredPrivileges,
+    IN PSECURITY_SUBJECT_CONTEXT    SubjectContext,
+    IN KPROCESSOR_MODE              AccessMode
+);
+
+NTKERNELAPI
+NTSTATUS
+SeQueryAuthenticationIdToken (
+    IN PACCESS_TOKEN    Token,
+    OUT PLUID           LogonId
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+NTSTATUS
+SeQueryInformationToken (
+    IN PACCESS_TOKEN           Token,
+    IN TOKEN_INFORMATION_CLASS TokenInformationClass,
+    OUT PVOID                  *TokenInformation
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+NTSTATUS
+SeQuerySecurityDescriptorInfo (
+    IN PSECURITY_INFORMATION    SecurityInformation,
+    OUT PSECURITY_DESCRIPTOR    SecurityDescriptor,
+    IN OUT PULONG               Length,
+    IN PSECURITY_DESCRIPTOR     *ObjectsSecurityDescriptor
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+NTSTATUS
+SeQuerySessionIdToken (
+    IN PACCESS_TOKEN    Token,
+    IN PULONG           SessionId
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+#define SeQuerySubjectContextToken( SubjectContext )                \
+    ( ARGUMENT_PRESENT(                                             \
+        ((PSECURITY_SUBJECT_CONTEXT) SubjectContext)->ClientToken   \
+        ) ?                                                         \
+    ((PSECURITY_SUBJECT_CONTEXT) SubjectContext)->ClientToken :     \
+    ((PSECURITY_SUBJECT_CONTEXT) SubjectContext)->PrimaryToken )
+
+typedef NTSTATUS (*PSE_LOGON_SESSION_TERMINATED_ROUTINE) (
+    IN PLUID LogonId
+);
+
+NTKERNELAPI
+NTSTATUS
+SeRegisterLogonSessionTerminatedRoutine (
+    IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine
+);
+
+NTKERNELAPI
+VOID
+SeReleaseSubjectContext (
+    IN PSECURITY_SUBJECT_CONTEXT SubjectContext
+);
+
+NTKERNELAPI
+VOID
+SeSetAccessStateGenericMapping (
+    PACCESS_STATE       AccessState,
+    PGENERIC_MAPPING    GenericMapping
+);
+
+NTKERNELAPI
+NTSTATUS
+SeSetSecurityDescriptorInfo (
+    IN PVOID                    Object OPTIONAL,
+    IN PSECURITY_INFORMATION    SecurityInformation,
+    IN PSECURITY_DESCRIPTOR     SecurityDescriptor,
+    IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
+    IN POOL_TYPE                PoolType,
+    IN PGENERIC_MAPPING         GenericMapping
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+NTSTATUS
+SeSetSecurityDescriptorInfoEx (
+    IN PVOID                    Object OPTIONAL,
+    IN PSECURITY_INFORMATION    SecurityInformation,
+    IN PSECURITY_DESCRIPTOR     ModificationDescriptor,
+    IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
+    IN ULONG                    AutoInheritFlags,
+    IN POOL_TYPE                PoolType,
+    IN PGENERIC_MAPPING         GenericMapping
+);
+
+NTKERNELAPI
+BOOLEAN
+SeTokenIsAdmin (
+    IN PACCESS_TOKEN Token
+);
+
+NTKERNELAPI
+BOOLEAN
+SeTokenIsRestricted (
+    IN PACCESS_TOKEN Token
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTKERNELAPI
+TOKEN_TYPE
+SeTokenType (
+    IN PACCESS_TOKEN Token
+);
+
+NTKERNELAPI
+VOID
+SeUnlockSubjectContext (
+    IN PSECURITY_SUBJECT_CONTEXT SubjectContext
+);
+
+NTKERNELAPI
+NTSTATUS
+SeUnregisterLogonSessionTerminatedRoutine (
+    IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwAdjustPrivilegesToken (
+    IN HANDLE               TokenHandle,
+    IN BOOLEAN              DisableAllPrivileges,
+    IN PTOKEN_PRIVILEGES    NewState,
+    IN ULONG                BufferLength,
+    OUT PTOKEN_PRIVILEGES   PreviousState OPTIONAL,
+    OUT PULONG              ReturnLength
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwAlertThread (
+    IN HANDLE ThreadHandle
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwAllocateVirtualMemory (
+    IN HANDLE       ProcessHandle,
+    IN OUT PVOID    *BaseAddress,
+    IN ULONG        ZeroBits,
+    IN OUT PSIZE_T  RegionSize,
+    IN ULONG        AllocationType,
+    IN ULONG        Protect
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwAccessCheckAndAuditAlarm (
+    IN PUNICODE_STRING      SubsystemName,
+    IN PVOID                HandleId,
+    IN PUNICODE_STRING      ObjectTypeName,
+    IN PUNICODE_STRING      ObjectName,
+    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+    IN ACCESS_MASK          DesiredAccess,
+    IN PGENERIC_MAPPING     GenericMapping,
+    IN BOOLEAN              ObjectCreation,
+    OUT PACCESS_MASK        GrantedAccess,
+    OUT PBOOLEAN            AccessStatus,
+    OUT PBOOLEAN            GenerateOnClose
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwCancelIoFile (
+    IN HANDLE               FileHandle,
+    OUT PIO_STATUS_BLOCK    IoStatusBlock
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwClearEvent (
+    IN HANDLE EventHandle
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwConnectPort (
+    OUT PHANDLE                     ClientPortHandle,
+    IN PUNICODE_STRING              ServerPortName,
+    IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
+    IN OUT PLPC_SECTION_WRITE       ClientSharedMemory OPTIONAL,
+    IN OUT PLPC_SECTION_READ        ServerSharedMemory OPTIONAL,
+    OUT PULONG                      MaximumMessageLength OPTIONAL,
+    IN OUT PVOID                    ConnectionInfo OPTIONAL,
+    IN OUT PULONG                   ConnectionInfoLength OPTIONAL
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwCloseObjectAuditAlarm (
+    IN PUNICODE_STRING  SubsystemName,
+    IN PVOID            HandleId,
+    IN BOOLEAN          GenerateOnClose
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwCreateEvent (
+    OUT PHANDLE             EventHandle,
+    IN ACCESS_MASK          DesiredAccess,
+    IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
+    IN EVENT_TYPE           EventType,
+    IN BOOLEAN              InitialState
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwCreateSection (
+    OUT PHANDLE             SectionHandle,
+    IN ACCESS_MASK          DesiredAccess,
+    IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
+    IN PLARGE_INTEGER       MaximumSize OPTIONAL,
+    IN ULONG                SectionPageProtection,
+    IN ULONG                AllocationAttributes,
+    IN HANDLE               FileHandle OPTIONAL
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwCreateSymbolicLinkObject (
+    OUT PHANDLE             SymbolicLinkHandle,
+    IN ACCESS_MASK          DesiredAccess,
+    IN POBJECT_ATTRIBUTES   ObjectAttributes,
+    IN PUNICODE_STRING      TargetName
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwDeleteFile (
+    IN POBJECT_ATTRIBUTES ObjectAttributes
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwDeleteValueKey (
+    IN HANDLE           Handle,
+    IN PUNICODE_STRING  Name
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwDeviceIoControlFile (
+    IN HANDLE               FileHandle,
+    IN HANDLE               Event OPTIONAL,
+    IN PIO_APC_ROUTINE      ApcRoutine OPTIONAL,
+    IN PVOID                ApcContext OPTIONAL,
+    OUT PIO_STATUS_BLOCK    IoStatusBlock,
+    IN ULONG                IoControlCode,
+    IN PVOID                InputBuffer OPTIONAL,
+    IN ULONG                InputBufferLength,
+    OUT PVOID               OutputBuffer OPTIONAL,
+    IN ULONG                OutputBufferLength
+);
+
+//
+// If using ZwDisplayString during boot on Windows 2000 or later you must
+// first call InbvEnableDisplayString.
+//
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwDisplayString (
+    IN PUNICODE_STRING String
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwDuplicateObject (
+    IN HANDLE       SourceProcessHandle,
+    IN HANDLE       SourceHandle,
+    IN HANDLE       TargetProcessHandle OPTIONAL,
+    OUT PHANDLE     TargetHandle OPTIONAL,
+    IN ACCESS_MASK  DesiredAccess,
+    IN ULONG        HandleAttributes,
+    IN ULONG        Options
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwDuplicateToken (
+    IN HANDLE               ExistingTokenHandle,
+    IN ACCESS_MASK          DesiredAccess,
+    IN POBJECT_ATTRIBUTES   ObjectAttributes,
+    IN BOOLEAN              EffectiveOnly,
+    IN TOKEN_TYPE           TokenType,
+    OUT PHANDLE             NewTokenHandle
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwFlushInstructionCache (
+    IN HANDLE   ProcessHandle,
+    IN PVOID    BaseAddress OPTIONAL,
+    IN ULONG    FlushSize
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwFlushVirtualMemory (
+    IN HANDLE               ProcessHandle,
+    IN OUT PVOID            *BaseAddress,
+    IN OUT PSIZE_T          RegionSize,
+    OUT PIO_STATUS_BLOCK    IoStatusBlock
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwFreeVirtualMemory (
+    IN HANDLE       ProcessHandle,
+    IN OUT PVOID    *BaseAddress,
+    IN OUT PSIZE_T  RegionSize,
+    IN ULONG        FreeType
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwFsControlFile (
+    IN HANDLE               FileHandle,
+    IN HANDLE               Event OPTIONAL,
+    IN PIO_APC_ROUTINE      ApcRoutine OPTIONAL,
+    IN PVOID                ApcContext OPTIONAL,
+    OUT PIO_STATUS_BLOCK    IoStatusBlock,
+    IN ULONG                FsControlCode,
+    IN PVOID                InputBuffer OPTIONAL,
+    IN ULONG                InputBufferLength,
+    OUT PVOID               OutputBuffer OPTIONAL,
+    IN ULONG                OutputBufferLength
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwInitiatePowerAction (
+    IN POWER_ACTION         SystemAction,
+    IN SYSTEM_POWER_STATE   MinSystemState,
+    IN ULONG                Flags,
+    IN BOOLEAN              Asynchronous
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwLoadDriver (
+    // "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\<DriverName>"
+    IN PUNICODE_STRING RegistryPath
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwLoadKey (
+    IN POBJECT_ATTRIBUTES KeyObjectAttributes,
+    IN POBJECT_ATTRIBUTES FileObjectAttributes
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwNotifyChangeKey (
+    IN HANDLE               KeyHandle,
+    IN HANDLE               EventHandle OPTIONAL,
+    IN PIO_APC_ROUTINE      ApcRoutine OPTIONAL,
+    IN PVOID                ApcContext OPTIONAL,
+    OUT PIO_STATUS_BLOCK    IoStatusBlock,
+    IN ULONG                NotifyFilter,
+    IN BOOLEAN              WatchSubtree,
+    IN PVOID                Buffer,
+    IN ULONG                BufferLength,
+    IN BOOLEAN              Asynchronous
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwOpenDirectoryObject (
+    OUT PHANDLE             DirectoryHandle,
+    IN ACCESS_MASK          DesiredAccess,
+    IN POBJECT_ATTRIBUTES   ObjectAttributes
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwOpenEvent (
+    OUT PHANDLE             EventHandle,
+    IN ACCESS_MASK          DesiredAccess,
+    IN POBJECT_ATTRIBUTES   ObjectAttributes
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwOpenProcess (
+    OUT PHANDLE             ProcessHandle,
+    IN ACCESS_MASK          DesiredAccess,
+    IN POBJECT_ATTRIBUTES   ObjectAttributes,
+    IN PCLIENT_ID           ClientId OPTIONAL
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwOpenProcessToken (
+    IN HANDLE       ProcessHandle,
+    IN ACCESS_MASK  DesiredAccess,
+    OUT PHANDLE     TokenHandle
+);
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwOpenProcessTokenEx (
+    IN HANDLE       ProcessHandle,
+    IN ACCESS_MASK  DesiredAccess,
+    IN ULONG        HandleAttributes,
+    OUT PHANDLE     TokenHandle
+);
+
+#endif // (VER_PRODUCTBUILD >= 2600)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwOpenThread (
+    OUT PHANDLE             ThreadHandle,
+    IN ACCESS_MASK          DesiredAccess,
+    IN POBJECT_ATTRIBUTES   ObjectAttributes,
+    IN PCLIENT_ID           ClientId
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwOpenThreadToken (
+    IN HANDLE       ThreadHandle,
+    IN ACCESS_MASK  DesiredAccess,
+    IN BOOLEAN      OpenAsSelf,
+    OUT PHANDLE     TokenHandle
+);
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwOpenThreadTokenEx (
+    IN HANDLE       ThreadHandle,
+    IN ACCESS_MASK  DesiredAccess,
+    IN BOOLEAN      OpenAsSelf,
+    IN ULONG        HandleAttributes,
+    OUT PHANDLE     TokenHandle
+);
+
+#endif // (VER_PRODUCTBUILD >= 2600)
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwPowerInformation (
+    IN POWER_INFORMATION_LEVEL  PowerInformationLevel,
+    IN PVOID                    InputBuffer OPTIONAL,
+    IN ULONG                    InputBufferLength,
+    OUT PVOID                   OutputBuffer OPTIONAL,
+    IN ULONG                    OutputBufferLength
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwPulseEvent (
+    IN HANDLE   EventHandle,
+    OUT PULONG  PreviousState OPTIONAL
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwQueryDefaultLocale (
+    IN BOOLEAN  ThreadOrSystem,
+    OUT PLCID   Locale
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwQueryDefaultUILanguage (
+    OUT LANGID *LanguageId
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwQueryDirectoryFile (
+    IN HANDLE                   FileHandle,
+    IN HANDLE                   Event OPTIONAL,
+    IN PIO_APC_ROUTINE          ApcRoutine OPTIONAL,
+    IN PVOID                    ApcContext OPTIONAL,
+    OUT PIO_STATUS_BLOCK        IoStatusBlock,
+    OUT PVOID                   FileInformation,
+    IN ULONG                    Length,
+    IN FILE_INFORMATION_CLASS   FileInformationClass,
+    IN BOOLEAN                  ReturnSingleEntry,
+    IN PUNICODE_STRING          FileName OPTIONAL,
+    IN BOOLEAN                  RestartScan
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwQueryDirectoryObject (
+    IN HANDLE       DirectoryHandle,
+    OUT PVOID       Buffer,
+    IN ULONG        Length,
+    IN BOOLEAN      ReturnSingleEntry,
+    IN BOOLEAN      RestartScan,
+    IN OUT PULONG   Context,
+    OUT PULONG      ReturnLength OPTIONAL
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwQueryEaFile (
+    IN HANDLE               FileHandle,
+    OUT PIO_STATUS_BLOCK    IoStatusBlock,
+    OUT PVOID               Buffer,
+    IN ULONG                Length,
+    IN BOOLEAN              ReturnSingleEntry,
+    IN PVOID                EaList OPTIONAL,
+    IN ULONG                EaListLength,
+    IN PULONG               EaIndex OPTIONAL,
+    IN BOOLEAN              RestartScan
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwQueryInformationProcess (
+    IN HANDLE           ProcessHandle,
+    IN PROCESSINFOCLASS ProcessInformationClass,
+    OUT PVOID           ProcessInformation,
+    IN ULONG            ProcessInformationLength,
+    OUT PULONG          ReturnLength OPTIONAL
+);
+
+#if (VER_PRODUCTBUILD >= 2600)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwQueryInformationThread (
+    IN HANDLE           ThreadHandle,
+    IN THREADINFOCLASS  ThreadInformationClass,
+    OUT PVOID           ThreadInformation,
+    IN ULONG            ThreadInformationLength,
+    OUT PULONG          ReturnLength OPTIONAL
+);
+
+#endif // (VER_PRODUCTBUILD >= 2600)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwQueryInformationToken (
+    IN HANDLE                   TokenHandle,
+    IN TOKEN_INFORMATION_CLASS  TokenInformationClass,
+    OUT PVOID                   TokenInformation,
+    IN ULONG                    TokenInformationLength,
+    OUT PULONG                  ReturnLength
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwQueryInstallUILanguage (
+    OUT LANGID *LanguageId
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwQueryObject (
+    IN HANDLE               ObjectHandle,
+    IN OBJECT_INFO_CLASS    ObjectInformationClass,
+    OUT PVOID               ObjectInformation,
+    IN ULONG                Length,
+    OUT PULONG              ResultLength
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwQuerySection (
+    IN HANDLE                       SectionHandle,
+    IN SECTION_INFORMATION_CLASS    SectionInformationClass,
+    OUT PVOID                       SectionInformation,
+    IN ULONG                        SectionInformationLength,
+    OUT PULONG                      ResultLength OPTIONAL
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwQuerySecurityObject (
+    IN HANDLE                   FileHandle,
+    IN SECURITY_INFORMATION     SecurityInformation,
+    OUT PSECURITY_DESCRIPTOR    SecurityDescriptor,
+    IN ULONG                    Length,
+    OUT PULONG                  ResultLength
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwQuerySystemInformation (
+    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
+    OUT PVOID                   SystemInformation,
+    IN ULONG                    Length,
+    OUT PULONG                  ReturnLength
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwQueryVolumeInformationFile (
+    IN HANDLE               FileHandle,
+    OUT PIO_STATUS_BLOCK    IoStatusBlock,
+    OUT PVOID               FsInformation,
+    IN ULONG                Length,
+    IN FS_INFORMATION_CLASS FsInformationClass
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwReplaceKey (
+    IN POBJECT_ATTRIBUTES   NewFileObjectAttributes,
+    IN HANDLE               KeyHandle,
+    IN POBJECT_ATTRIBUTES   OldFileObjectAttributes
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwRequestWaitReplyPort (
+    IN HANDLE           PortHandle,
+    IN PLPC_MESSAGE     Request,
+    OUT PLPC_MESSAGE    Reply
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwResetEvent (
+    IN HANDLE   EventHandle,
+    OUT PULONG  PreviousState OPTIONAL
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwRestoreKey (
+    IN HANDLE   KeyHandle,
+    IN HANDLE   FileHandle,
+    IN ULONG    Flags
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwSaveKey (
+    IN HANDLE KeyHandle,
+    IN HANDLE FileHandle
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwSetDefaultLocale (
+    IN BOOLEAN  ThreadOrSystem,
+    IN LCID     Locale
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwSetDefaultUILanguage (
+    IN LANGID LanguageId
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwSetEaFile (
+    IN HANDLE               FileHandle,
+    OUT PIO_STATUS_BLOCK    IoStatusBlock,
+    OUT PVOID               Buffer,
+    IN ULONG                Length
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwSetEvent (
+    IN HANDLE   EventHandle,
+    OUT PULONG  PreviousState OPTIONAL
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwSetInformationObject (
+    IN HANDLE               ObjectHandle,
+    IN OBJECT_INFO_CLASS    ObjectInformationClass,
+    IN PVOID                ObjectInformation,
+    IN ULONG                ObjectInformationLength
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwSetInformationProcess (
+    IN HANDLE           ProcessHandle,
+    IN PROCESSINFOCLASS ProcessInformationClass,
+    IN PVOID            ProcessInformation,
+    IN ULONG            ProcessInformationLength
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwSetSecurityObject (
+    IN HANDLE               Handle,
+    IN SECURITY_INFORMATION SecurityInformation,
+    IN PSECURITY_DESCRIPTOR SecurityDescriptor
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwSetSystemInformation (
+    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
+    IN PVOID                    SystemInformation,
+    IN ULONG                    Length
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwSetSystemTime (
+    IN PLARGE_INTEGER   NewTime,
+    OUT PLARGE_INTEGER  OldTime OPTIONAL
+);
+
+#if (VER_PRODUCTBUILD >= 2195)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwSetVolumeInformationFile (
+    IN HANDLE               FileHandle,
+    OUT PIO_STATUS_BLOCK    IoStatusBlock,
+    IN PVOID                FsInformation,
+    IN ULONG                Length,
+    IN FS_INFORMATION_CLASS FsInformationClass
+);
+
+#endif // (VER_PRODUCTBUILD >= 2195)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwTerminateProcess (
+    IN HANDLE   ProcessHandle OPTIONAL,
+    IN NTSTATUS ExitStatus
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwUnloadDriver (
+    // "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\<DriverName>"
+    IN PUNICODE_STRING RegistryPath
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwUnloadKey (
+    IN POBJECT_ATTRIBUTES KeyObjectAttributes
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwWaitForSingleObject (
+    IN HANDLE           Handle,
+    IN BOOLEAN          Alertable,
+    IN PLARGE_INTEGER   Timeout OPTIONAL
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwWaitForMultipleObjects (
+    IN ULONG            HandleCount,
+    IN PHANDLE          Handles,
+    IN WAIT_TYPE        WaitType,
+    IN BOOLEAN          Alertable,
+    IN PLARGE_INTEGER   Timeout OPTIONAL
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwYieldExecution (
+    VOID
+);
+
+//
+// Below is stuff that is included in the Windows 2000 DDK but is missing in
+// the Windows NT 4.0 DDK
+//
+
+#if (VER_PRODUCTBUILD < 2195)
+
+NTSYSAPI
+VOID
+NTAPI
+HalMakeBeep (
+    IN ULONG Frequency
+);
+
+#ifndef IoCopyCurrentIrpStackLocationToNext
+#define IoCopyCurrentIrpStackLocationToNext( Irp ) { \
+    PIO_STACK_LOCATION irpSp; \
+    PIO_STACK_LOCATION nextIrpSp; \
+    irpSp = IoGetCurrentIrpStackLocation( (Irp) ); \
+    nextIrpSp = IoGetNextIrpStackLocation( (Irp) ); \