RtlQueryPackageIdentityEx - NtDoc
Native API online documentation, based on the System Informer
(formerly Process Hacker) phnt
headers
#ifndef _NTRTL_H
#if (PHNT_VERSION >= PHNT_WINBLUE)
NTSYSAPI
NTSTATUS
NTAPI
RtlQueryPackageIdentityEx(
_In_ HANDLE TokenHandle,
_Out_writes_bytes_to_(*PackageSize, *PackageSize) PWSTR PackageFullName,
_Inout_ PSIZE_T PackageSize,
_Out_writes_bytes_to_opt_(*AppIdSize, *AppIdSize) PWSTR AppId,
_Inout_opt_ PSIZE_T AppIdSize,
_Out_opt_ PGUID DynamicId,
_Out_opt_ PULONG64 Flags
);
View code on GitHubQueries package identity information for a token. This function is documented in Windows Driver Kit.
TokenHandle - a handle to a token or one of the supported pseudo-handles (see below). The handle must grant TOKEN_QUERY access.PackageFullName - an optional pointer to user-allocated buffer that receives the full name of the package.PackageSize - an optional pointer to a variable that specifies the size of the PackageFullName buffer in bytes and receives the number of bytes written.AppId - an optional pointer to user-allocated buffer that receives the relative application user model ID of the package.AppIdSize - an optional pointer to a variable that specifies the size of the AppId buffer in bytes and receives the number of bytes written.DynamicId - an optional pointer to a variable that receives the dynamic ID of the application.Flags - an optional pointer to a variable that receives package claim flags. To interpret this value, cast it to PS_PKG_CLAIM.This function supports the following pseudo-handle values:
NtCurrentProcessToken - performs the query on the primary token of the calling process.NtCurrentThreadToken - performs the query on the impersonation token of the calling thread. The function fails if the thread is not impersonating.NtCurrentThreadEffectiveToken - performs the query on the impersonation token of the calling thread, if present. Otherwise, the function uses the primary token of the calling process.STATUS_NOT_FOUND - the token doesn't have package identity attributes.This function calls NtQuerySecurityAttributesToken and reads the values of the WIN://SYSAPPID and WIN://PKG attributes.
Alternatively to using NtQuerySecurityAttributesToken, you can also enumerate all security attributes via NtQueryInformationToken with TokenSecurityAttributes and retrieve the values from there.
This function was introduced in Windows 8.1.