    #ifndef _NTPSAPI_H
    #if (PHNT_MODE != PHNT_MODE_KERNEL)
    // begin_private
    typedef struct _PS_PROTECTION
    {
        union
        {
            UCHAR Level;
            struct
            {
                UCHAR Type : 3;
                UCHAR Audit : 1;
                UCHAR Signer : 4;
            };
        };
    } PS_PROTECTION, *PPS_PROTECTION;
This structure defines the protection level for fully- and light-protected processes.
Related:
    NtQueryInformationProcess with ProcessProtectionInformation (61)
    PS_ATTRIBUTE_PROTECTION_LEVEL
    RtlValidProcessProtection
    RtlTestProtectedAccess
Level
The numerical value of the protection level. You can use the PsProtectedValue macro to construct this value from the underlying fields.

Type
The type of protection applied to the process. The values for this field come from the PS_PROTECTED_TYPE enumeration.
    PsProtectedTypeNone (0) - the process is not running as protected.
    PsProtectedTypeProtectedLight (1) - the process is running as light-protected (PPL).
    PsProtectedTypeProtected (2) - the process is running as fully-protected.

Audit
This flag indicates that the system should audit the operation instead of applying protection.

Signer
The strength and type of the signature for the process. The values for this field come from the PS_PROTECTED_SIGNER enumeration.
    PsProtectedSignerNone (0) - the process has no signature that grants it protection.
    PsProtectedSignerAuthenticode (1) - the process has an Authenticode signature.
    PsProtectedSignerCodeGen (2) - the process has a Code Generation signature.
    PsProtectedSignerAntimalware (3) - the process has an Antimalware signature.
    PsProtectedSignerLsa (4) - the process has an LSA signature.
    PsProtectedSignerWindows (5) - the process has a Windows signature.
    PsProtectedSignerWinTcb (6) - the process has a WinTCB (trusted computing base) signature.
    PsProtectedSignerWinSystem (7) - the process has a WinSystem signature.
    PsProtectedSignerApp (8) - the process has a Store Application signature.

This structure was introduced in Windows 8.1.
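As an added example (not code from phnt or this documentation), the following shows how the Level byte packs the three fields described above and how a triage or logging tool would decode a Level value read back from a process. The enumerator values are the ones listed on this page; the sample Level values and the ps_* helper names are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Enumerators as listed on this page (PS_PROTECTED_TYPE and PS_PROTECTED_SIGNER). */
enum { PsProtectedTypeNone = 0, PsProtectedTypeProtectedLight = 1, PsProtectedTypeProtected = 2 };
enum { PsProtectedSignerNone = 0, PsProtectedSignerAuthenticode, PsProtectedSignerCodeGen,
       PsProtectedSignerAntimalware, PsProtectedSignerLsa, PsProtectedSignerWindows,
       PsProtectedSignerWinTcb, PsProtectedSignerWinSystem, PsProtectedSignerApp };

static const char *const type_names[] = { "None", "ProtectedLight", "Protected" };
static const char *const signer_names[] = { "None", "Authenticode", "CodeGen", "Antimalware",
    "Lsa", "Windows", "WinTcb", "WinSystem", "App" };

/* Level byte layout, low bits first: Type (3 bits), Audit (1 bit), Signer (4 bits).
 * This is the packing the PsProtectedValue macro performs on the three fields. */
uint8_t ps_protected_value(unsigned signer, unsigned audit, unsigned type)
{
    return (uint8_t)(((signer & 0xF) << 4) | ((audit & 0x1) << 3) | (type & 0x7));
}

/* Split a Level byte back into its fields (the inverse of ps_protected_value). */
unsigned ps_type(uint8_t level)   { return level & 0x7; }
unsigned ps_audit(uint8_t level)  { return (level >> 3) & 0x1; }
unsigned ps_signer(uint8_t level) { return (level >> 4) & 0xF; }

/* Render a Level byte as "Signer(n)-Type(n)[ (audit)]" for logs or triage output.
 * Enumerator values outside the documented range are shown as "?" with the raw number. */
int ps_describe(uint8_t level, char *buf, size_t n)
{
    unsigned t = ps_type(level), s = ps_signer(level);
    const char *tn = t < 3 ? type_names[t] : "?";
    const char *sn = s < 9 ? signer_names[s] : "?";
    return snprintf(buf, n, "%s(%u)-%s(%u)%s", sn, s, tn, t, ps_audit(level) ? " (audit)" : "");
}

int main(void)
{
    /* Constructed sample Level values: WinTcb full protection (0x62),
     * Antimalware light protection (0x31), and an unprotected process (0x00). */
    const uint8_t samples[] = { 0x62, 0x31, 0x00 };
    char buf[64];
    for (size_t i = 0; i < sizeof samples; i++) {
        ps_describe(samples[i], buf, sizeof buf);
        printf("Level 0x%02X -> %s\n", samples[i], buf);
    }
    return 0;
}
```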