This structure defines the protection level for fully- and light-protected processes.
NtQueryInformationProcesswithProcessProtectionInformation(61)PS_ATTRIBUTE_PROTECTION_LEVELRtlValidProcessProtectionRtlTestProtectedAccess
The numerical value of the protection level. You can use the PsProtectedValue macro to construct this value from the underlying fields.
The type of protection applied to the process. The values for this field come from the PS_PROTECTED_TYPE enumeration.
PsProtectedTypeNone(0) - the process is not running as protected.PsProtectedTypeProtectedLight(1) - the process is running as light-protected (PPL).PsProtectedTypeProtected(2) - the process is running as fully-protected.
This flag indicates that the system should audit the operation instead of applying protection.
The strength and type of the signature for the process. The values for this field come from the PS_PROTECTED_SIGNER enumeration.
PsProtectedSignerNone(0) - the process has no signature that grants it protection.PsProtectedSignerAuthenticode(1) - the process has an Authenticode signature.PsProtectedSignerCodeGen(2) - the process has a Code Generation signature.PsProtectedSignerAntimalware(3) - the process has an Antimalware signature.PsProtectedSignerLsa(4) - the process has an LSA signature.PsProtectedSignerWindows(5) - the process has a Windows signature.PsProtectedSignerWinTcb(6) - the process has a WinTCB (trusted computer base) signature.PsProtectedSignerWinSystem(7) - the process has a WinSystem signature.PsProtectedSignerApp(8) - the process has a Store Application signature.
InitializePsProtection
This structure was introduced in Windows 8.1.