#ifndef _NTRTL_H
#if (PHNT_VERSION >= PHNT_WINDOWS_8)
NTSYSAPI
NTSTATUS
NTAPI
RtlQueryPackageIdentity(
    _In_ HANDLE TokenHandle,
    _Out_writes_bytes_to_(*PackageSize, *PackageSize) PWSTR PackageFullName,
    _Inout_ PSIZE_T PackageSize,
    _Out_writes_bytes_to_opt_(*AppIdSize, *AppIdSize) PWSTR AppId,
    _Inout_opt_ PSIZE_T AppIdSize,
    _Out_opt_ PBOOLEAN Packaged
    );
#endif // PHNT_VERSION >= PHNT_WINDOWS_8
#endif // _NTRTL_H
// ntifs.h
NTSYSAPI NTSTATUS RtlQueryPackageIdentity(
PVOID TokenObject,
PWSTR PackageFullName,
PSIZE_T PackageSize,
PWSTR AppId,
PSIZE_T AppIdSize,
PBOOLEAN Packaged
);
Queries package identity information for a token. This function is documented in Windows Driver Kit.
TokenHandle
- a handle to a token or one of the supported pseudo-handles (see below). The handle must grant TOKEN_QUERY access.
PackageFullName
- an optional pointer to a user-allocated buffer that receives the full name of the package.
PackageSize
- an optional pointer to a variable that specifies the size of the PackageFullName buffer in bytes and receives the number of bytes written.
AppId
- an optional pointer to a user-allocated buffer that receives the relative application user model ID of the package.
AppIdSize
- an optional pointer to a variable that specifies the size of the AppId buffer in bytes and receives the number of bytes written.
Packaged
- an optional pointer to a variable that receives whether the token has any package claim flags.

This function supports the following pseudo-handle values:
NtCurrentProcessToken
- performs the query on the primary token of the calling process.
NtCurrentThreadToken
- performs the query on the impersonation token of the calling thread. The function fails if the thread is not impersonating.
NtCurrentThreadEffectiveToken
- performs the query on the impersonation token of the calling thread, if present. Otherwise, the function uses the primary token of the calling process.

Notable return values:
STATUS_NOT_FOUND
- the token doesn't have package identity attributes.

This function calls NtQuerySecurityAttributesToken and reads the values of the WIN://SYSAPPID and WIN://PKG attributes.
As an alternative to using NtQuerySecurityAttributesToken, you can also enumerate all security attributes via NtQueryInformationToken with TokenSecurityAttributes and retrieve the values from there.
This function was introduced in Windows 8.
RtlQueryPackageIdentity returns the associated full package name. It can optionally also return the package relative application name, and whether an application is considered packaged. See also RtlQueryPackageIdentityEx.
TokenObject
Handle to a token object (user mode) that was opened with TOKEN_QUERY access, or to a raw token object (kernel mode).
PackageFullName
Pointer to a wide character buffer that will receive the unique package key. The buffer will be null terminated upon success.
PackageSize
Pointer to the value that defines the size of the buffer that PackageFullName points to. On output, it will contain the written size including the terminating null.
AppId
Pointer to a wide character buffer that may receive the package relative application identifier. AppId is optional and can be NULL.
AppIdSize
Pointer to the value that defines the size of the buffer that AppId points to. On output, it will contain the written size including the terminating null. If AppId is not NULL, AppIdSize must point to a valid value; otherwise AppIdSize should be set to NULL.
Packaged
Pointer to a value that receives a BOOLEAN flag indicating whether the application is packaged. Packaged is optional and can be NULL.
RtlQueryPackageIdentity returns STATUS_SUCCESS upon successful completion; otherwise it returns a code such as one of the following.
Error Code | Meaning |
---|---|
STATUS_INVALID_PARAMETER | A parameter contains an invalid value; for example, a size value was not provided for a non-NULL buffer. This is an error code. |
STATUS_NOT_FOUND | A package identity does not exist. |
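The calling contract described above (sizes in bytes, STATUS_NOT_FOUND for a token without package identity), shown as an added example that is not phnt or WDK code. The names `query_package_identity`, `pkg_identity`, `fake_api`, the `ST_*` and `CUR_PROCESS_TOKEN` macros and the 256-character buffers are assumptions of this example; `fake_api` is a constructed stand-in so the wrapper can also be built and exercised off Windows.

```c
/* Added example, not phnt/WDK code. All helper names here are hypothetical. */
#include <stddef.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#else /* constructed typedefs so the wrapper also builds off Windows */
typedef int NTSTATUS; typedef void *HANDLE; typedef unsigned char BOOLEAN, *PBOOLEAN;
typedef unsigned short WCHAR, *PWSTR; typedef size_t SIZE_T, *PSIZE_T;
#define NTAPI
#endif
#define ST_SUCCESS        ((NTSTATUS)0)
#define ST_NOT_FOUND      ((NTSTATUS)0xC0000225L)   /* STATUS_NOT_FOUND */
#define CUR_PROCESS_TOKEN ((HANDLE)(ptrdiff_t)-4)   /* NtCurrentProcessToken in phnt */
typedef NTSTATUS (NTAPI *RtlQueryPackageIdentity_t)(HANDLE, PWSTR, PSIZE_T, PWSTR, PSIZE_T, PBOOLEAN);
/* 256-WCHAR buffers are this example's assumption, not a documented limit. */
typedef struct { int has_identity; BOOLEAN packaged; WCHAR full_name[256], app_id[256]; } pkg_identity;

/* STATUS_NOT_FOUND means "no package identity": reported as success with has_identity == 0. */
NTSTATUS query_package_identity(RtlQueryPackageIdentity_t fn, HANDLE token, pkg_identity *out) {
    SIZE_T name_bytes = sizeof out->full_name, app_bytes = sizeof out->app_id; /* bytes, not WCHARs */
    memset(out, 0, sizeof *out);
    NTSTATUS st = fn(token, out->full_name, &name_bytes, out->app_id, &app_bytes, &out->packaged);
    if (st == ST_NOT_FOUND) return ST_SUCCESS;     /* ordinary unpackaged token */
    if (st != ST_SUCCESS) return st;               /* e.g. STATUS_INVALID_PARAMETER */
    out->full_name[255] = 0; out->app_id[255] = 0; /* enforce termination before use */
    out->has_identity = 1;
    return st;
}

/* Constructed stand-in following the contract above; a NULL token plays an unpackaged token. */
static NTSTATUS NTAPI fake_api(HANDLE t, PWSTR name, PSIZE_T nsz, PWSTR app, PSIZE_T asz, PBOOLEAN p) {
    static const WCHAR n[] = {'D','e','m','o','_','1','.','0',0}, a[] = {'A','p','p',0};
    if (!t) return ST_NOT_FOUND;
    memcpy(name, n, sizeof n); *nsz = sizeof n;    /* written size includes the terminator */
    memcpy(app, a, sizeof a);  *asz = sizeof a;
    *p = 1;
    return ST_SUCCESS;
}

int main(void) {
    pkg_identity id;
#ifdef _WIN32 /* resolve the real export; it is absent before Windows 8 */
    RtlQueryPackageIdentity_t fn = (RtlQueryPackageIdentity_t)(void *)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlQueryPackageIdentity");
#else
    RtlQueryPackageIdentity_t fn = fake_api;
#endif
    return (fn && query_package_identity(fn, CUR_PROCESS_TOKEN, &id) == ST_SUCCESS) ? 0 : 1;
}
```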