
Bump systeminformer to b44c63a9e #32

Closed
wants to merge 1 commit into from
Closed


github-actions[bot]
Contributor

@github-actions github-actions bot commented Jan 3, 2025

diff --git a/phnt/include/ntbcd.h b/phnt/include/ntbcd.h
index 5ff4e0890..fa9843fdf 100644
--- a/phnt/include/ntbcd.h
+++ b/phnt/include/ntbcd.h
@@ -571,7 +571,7 @@ NTSTATUS
 NTAPI
 BcdCopyObjects(
     _In_ HANDLE BcdStoreHandle,
-    _In_ BCD_OBJECT_DESCRIPTION Characteristics,
+    _In_ PBCD_OBJECT_DESCRIPTION Characteristics,
     _In_ BCD_COPY_FLAGS BcdCopyFlags,
     _In_ HANDLE TargetStoreHandle
     );
diff --git a/phnt/include/ntldr.h b/phnt/include/ntldr.h
index 74a310953..85028ccb8 100644
--- a/phnt/include/ntldr.h
+++ b/phnt/include/ntldr.h
@@ -625,9 +625,6 @@ typedef struct _PS_MITIGATION_AUDIT_OPTIONS_MAP
     ULONG_PTR Map[3]; // 2 < 20H1
 } PS_MITIGATION_AUDIT_OPTIONS_MAP, *PPS_MITIGATION_AUDIT_OPTIONS_MAP;
 
-#define PS_SYSTEM_DLL_INIT_BLOCK_V1 0x0F0
-#define PS_SYSTEM_DLL_INIT_BLOCK_V2 0x128
-
 // private
 typedef struct _PS_SYSTEM_DLL_INIT_BLOCK
 {
@@ -665,6 +662,14 @@ typedef struct _PS_SYSTEM_DLL_INIT_BLOCK
 NTSYSAPI PS_SYSTEM_DLL_INIT_BLOCK LdrSystemDllInitBlock;
 #endif
 
+#define PS_SYSTEM_DLL_INIT_BLOCK_SIZE_V1 \
+    RTL_SIZEOF_THROUGH_FIELD(PS_SYSTEM_DLL_INIT_BLOCK, MitigationAuditOptionsMap)
+#define PS_SYSTEM_DLL_INIT_BLOCK_SIZE_V2 \
+    RTL_SIZEOF_THROUGH_FIELD(PS_SYSTEM_DLL_INIT_BLOCK, ScpArm64EcCfgCheckESFunction)
+
+//static_assert(PS_SYSTEM_DLL_INIT_BLOCK_SIZE_V1 == 240, "PS_SYSTEM_DLL_INIT_BLOCK_SIZE_V1 must equal 240");
+//static_assert(PS_SYSTEM_DLL_INIT_BLOCK_SIZE_V2 == 296, "PS_SYSTEM_DLL_INIT_BLOCK_SIZE_V2 must equal 296");
+
 // rev see also MEMORY_IMAGE_EXTENSION_INFORMATION
 typedef struct _RTL_SCPCFG_NTDLL_EXPORTS
 {
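Review bot: The two `static_assert` lines that would pin `PS_SYSTEM_DLL_INIT_BLOCK_SIZE_V1` and `PS_SYSTEM_DLL_INIT_BLOCK_SIZE_V2` to 240 and 296 are commented out, so nothing checks that the new `RTL_SIZEOF_THROUGH_FIELD` expressions reproduce the removed constants `0x0F0` and `0x128`. The struct body is outside this hunk, but the `ULONG_PTR Map[3]` context suggests pointer-sized members, in which case the computed sizes would differ on 32-bit builds. Code that compares a reported block size against these macros to decide which members are present would then misjudge the layout. Consider enabling the checks where the literal values are expected to hold, for example under `#ifdef _WIN64`. Downstream users of the old `PS_SYSTEM_DLL_INIT_BLOCK_V1`/`_V2` names will also need a note that the macros were renamed.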
@@ -1230,6 +1235,7 @@ LdrRemoveDllDirectory(
 #endif
 
 // rev
+_Analysis_noreturn_
 DECLSPEC_NORETURN
 NTSYSAPI
 VOID
@@ -1239,6 +1245,7 @@ LdrShutdownProcess(
     );
 
 // rev
+_Analysis_noreturn_
 DECLSPEC_NORETURN
 NTSYSAPI
 VOID
diff --git a/phnt/include/ntmmapi.h b/phnt/include/ntmmapi.h
index 61c9e1aca..9bfd5152e 100644
--- a/phnt/include/ntmmapi.h
+++ b/phnt/include/ntmmapi.h
@@ -7,32 +7,36 @@
 #ifndef _NTMMAPI_H
 #define _NTMMAPI_H
 
-// Protection constants
-
-#define PAGE_NOACCESS 0x01
-#define PAGE_READONLY 0x02
-#define PAGE_READWRITE 0x04
-#define PAGE_WRITECOPY 0x08
-#define PAGE_EXECUTE 0x10
-#define PAGE_EXECUTE_READ 0x20
-#define PAGE_EXECUTE_READWRITE 0x40
-#define PAGE_EXECUTE_WRITECOPY 0x80
-#define PAGE_GUARD 0x100
-#define PAGE_NOCACHE 0x200
-#define PAGE_WRITECOMBINE 0x400
-
-#define PAGE_REVERT_TO_FILE_MAP     0x80000000
-#define PAGE_ENCLAVE_THREAD_CONTROL 0x80000000
-#define PAGE_TARGETS_NO_UPDATE      0x40000000
-#define PAGE_TARGETS_INVALID        0x40000000
-#define PAGE_ENCLAVE_UNVALIDATED    0x20000000
+//
+// Memory Protection Constants
+//
+
+#define PAGE_NOACCESS 0x01              // Disables all access to the committed region of pages. An attempt to read from, write to, or execute the committed region results in an access violation.
+#define PAGE_READONLY 0x02              // Enables read-only access to the committed region of pages. An attempt to write or execute the committed region results in an access violation.
+#define PAGE_READWRITE 0x04             // Enables read-only or read/write access to the committed region of pages.
+#define PAGE_WRITECOPY 0x08             // Enables read-only or copy-on-write access to a mapped view of a file mapping object. 
+#define PAGE_EXECUTE 0x10               // Enables execute access to the committed region of pages. An attempt to write to the committed region results in an access violation.
+#define PAGE_EXECUTE_READ 0x20          // Enables execute or read-only access to the committed region of pages. An attempt to write to the committed region results in an access violation.
+#define PAGE_EXECUTE_READWRITE 0x40     // Enables execute, read-only, or read/write access to the committed region of pages.
+#define PAGE_EXECUTE_WRITECOPY 0x80     // Enables execute, read-only, or copy-on-write access to a mapped view of a file mapping object.
+#define PAGE_GUARD 0x100                // Pages in the region become guard pages. Any attempt to access a guard page causes the system to raise a STATUS_GUARD_PAGE_VIOLATION exception.
+#define PAGE_NOCACHE 0x200              // Sets all pages to be non-cachable. Applications should not use this attribute. Using interlocked functions with memory that is mapped with SEC_NOCACHE can result in an EXCEPTION_ILLEGAL_INSTRUCTION exception.
+#define PAGE_WRITECOMBINE 0x400         // Sets all pages to be write-combined. Applications should not use this attribute. Using interlocked functions with memory that is mapped with SEC_NOCACHE can result in an EXCEPTION_ILLEGAL_INSTRUCTION exception.
+
+#define PAGE_REVERT_TO_FILE_MAP     0x80000000 // Pages in the region can revert modified copy-on-write pages to the original unmodified page when using the mapped view of a file mapping object. 
+#define PAGE_ENCLAVE_THREAD_CONTROL 0x80000000 // Pages in the region contain a thread control structure (TCS) from the Intel Software Guard Extensions programming model.
+#define PAGE_TARGETS_NO_UPDATE      0x40000000 // Pages in the region will not update the CFG bitmap when the protection changes. The default behavior for VirtualProtect is to mark all locations as valid call targets for CFG.
+#define PAGE_TARGETS_INVALID        0x40000000 // Pages in the region are excluded from the CFG bitmap as valid targets. Any indirect call to locations in those pages will terminate the process using the __fastfail intrinsic.
+#define PAGE_ENCLAVE_UNVALIDATED    0x20000000 // Pages in the region are excluded from measurement with the EEXTEND instruction of the Intel Software Guard Extensions programming model.
 #define PAGE_ENCLAVE_NO_CHANGE      0x20000000
 #define PAGE_ENCLAVE_MASK           0x10000000
 #define PAGE_ENCLAVE_DECOMMIT       (PAGE_ENCLAVE_MASK | 0)
 #define PAGE_ENCLAVE_SS_FIRST       (PAGE_ENCLAVE_MASK | 1)
 #define PAGE_ENCLAVE_SS_REST        (PAGE_ENCLAVE_MASK | 2)
 
-// Region and section constants
+//
+// Memory Region and Section Constants
+//
 
 #define MEM_COMMIT 0x00001000
 #define MEM_RESERVE 0x00002000
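Review bot: The new comments on the aliased flag values do not say when each name applies: `PAGE_TARGETS_NO_UPDATE` and `PAGE_TARGETS_INVALID` are both `0x40000000`, and `PAGE_REVERT_TO_FILE_MAP` and `PAGE_ENCLAVE_THREAD_CONTROL` are both `0x80000000`. Someone auditing a protection value therefore cannot tell from the header which meaning is in effect. For the CFG pair I would prefix the context, e.g. `// On allocation: ...` for `PAGE_TARGETS_INVALID` and `// On protection change: ...` for `PAGE_TARGETS_NO_UPDATE`. Separately, the `PAGE_WRITECOMBINE` comment repeats the `SEC_NOCACHE` sentence from `PAGE_NOCACHE`, which looks like a copy-paste; it should refer to write-combined memory.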
@@ -151,23 +155,33 @@ typedef enum _MEMORY_INFORMATION_CLASS
 #define MEMORY_BLOCK_NON_CACHEABLE_GUARD_EXECUTABLE_READWRITE 30
 #define MEMORY_BLOCK_NON_CACHEABLE_GUARD_EXECUTABLE_COPYONWRITE 31
 
+/**
+ * The MEMORY_WORKING_SET_BLOCK structure contains working set information for a page.
+ *
+ * \ref https://learn.microsoft.com/en-us/windows/win32/api/psapi/ns-psapi-psapi_working_set_block
+ */
 typedef struct _MEMORY_WORKING_SET_BLOCK
 {
-    ULONG_PTR Protection : 5;
-    ULONG_PTR ShareCount : 3;
-    ULONG_PTR Shared : 1;
-    ULONG_PTR Node : 3;
+    ULONG_PTR Protection : 5;       // The protection attributes of the page. This member can be one of above MEMORY_BLOCK_* values.
+    ULONG_PTR ShareCount : 3;       // The number of processes that share this page. The maximum value of this member is 7.
+    ULONG_PTR Shared : 1;           // If this bit is 1, the page is sharable; otherwise, the page is not sharable.
+    ULONG_PTR Node : 3;             // The NUMA node where the physical memory should reside.
 #ifdef _WIN64
-    ULONG_PTR VirtualPage : 52;
+    ULONG_PTR VirtualPage : 52;     // The address of the page in the virtual address space.
 #else
-    ULONG VirtualPage : 20;
+    ULONG VirtualPage : 20;         // The address of the page in the virtual address space.
 #endif
 } MEMORY_WORKING_SET_BLOCK, *PMEMORY_WORKING_SET_BLOCK;
 
+/**
+ * The MEMORY_WORKING_SET_INFORMATION structure contains working set information for a process.
+ *
+ * \ref https://learn.microsoft.com/en-us/windows/win32/api/psapi/ns-psapi-psapi_working_set_information
+ */
 typedef struct _MEMORY_WORKING_SET_INFORMATION
 {
     ULONG_PTR NumberOfEntries;
-    _Field_size_(NumberOfEntries) MEMORY_WORKING_SET_BLOCK WorkingSetInfo[1];
+    _Field_size_(NumberOfEntries) MEMORY_WORKING_SET_BLOCK WorkingSetInfo[ANYSIZE_ARRAY];
 } MEMORY_WORKING_SET_INFORMATION, *PMEMORY_WORKING_SET_INFORMATION;
 
 // private
@@ -211,42 +225,47 @@ typedef enum _MEMORY_WORKING_SET_EX_LOCATION
     MemoryLocationReserved
 } MEMORY_WORKING_SET_EX_LOCATION;
 
-// private
-typedef struct _MEMORY_WORKING_SET_EX_BLOCK
+/**
+ * The MEMORY_WORKING_SET_EX_BLOCK structure contains extended working set information for a page.
+ *
+ * \ref https://learn.microsoft.com/en-us/windows/win32/api/psapi/ns-psapi-psapi_working_set_ex_block
+ */
+typedef union _MEMORY_WORKING_SET_EX_BLOCK
 {
+    ULONG_PTR Flags;
     union
     {
         struct
         {
-            ULONG_PTR Valid : 1;
-            ULONG_PTR ShareCount : 3;
-            ULONG_PTR Win32Protection : 11;
-            ULONG_PTR Shared : 1;
-            ULONG_PTR Node : 6;
-            ULONG_PTR Locked : 1;
-            ULONG_PTR LargePage : 1;
-            ULONG_PTR Priority : 3;
+            ULONG_PTR Valid : 1;                    // If this bit is 1, the subsequent members are valid; otherwise they should be ignored.
+            ULONG_PTR ShareCount : 3;               // The number of processes that share this page. The maximum value of this member is 7.
+            ULONG_PTR Win32Protection : 11;         // The memory protection attributes of the page.
+            ULONG_PTR Shared : 1;                   // If this bit is 1, the page can be shared.
+            ULONG_PTR Node : 6;                     // The NUMA node. The maximum value of this member is 63.
+            ULONG_PTR Locked : 1;                   // If this bit is 1, the virtual page is locked in physical memory.
+            ULONG_PTR LargePage : 1;                // If this bit is 1, the page is a large page.
+            ULONG_PTR Priority : 3;                 // The memory priority attributes of the page.
             ULONG_PTR Reserved : 3;
-            ULONG_PTR SharedOriginal : 1;
-            ULONG_PTR Bad : 1;
-            ULONG_PTR Win32GraphicsProtection : 4; // 19H1
+            ULONG_PTR SharedOriginal : 1;           // If this bit is 1, the page was not modified.
+            ULONG_PTR Bad : 1;                      // If this bit is 1, the page is has been reported as bad.
+            ULONG_PTR Win32GraphicsProtection : 4;  // The memory protection attributes of the page. // since 19H1
 #ifdef _WIN64
             ULONG_PTR ReservedUlong : 28;
 #endif
         };
         struct
         {
-            ULONG_PTR Valid : 1;
+            ULONG_PTR Valid : 1;                    // If this bit is 0, the subsequent members are valid; otherwise they should be ignored.
             ULONG_PTR Reserved0 : 14;
-            ULONG_PTR Shared : 1;
+            ULONG_PTR Shared : 1;                   // If this bit is 1, the page can be shared.
             ULONG_PTR Reserved1 : 5;
             ULONG_PTR PageTable : 1;
-            ULONG_PTR Location : 2;
-            ULONG_PTR Priority : 3;
+            ULONG_PTR Location : 2;                 // The memory location of the page.  MEMORY_WORKING_SET_EX_LOCATION
+            ULONG_PTR Priority : 3;                 // The memory priority of the page.
             ULONG_PTR ModifiedList : 1;
             ULONG_PTR Reserved2 : 2;
-            ULONG_PTR SharedOriginal : 1;
-            ULONG_PTR Bad : 1;
+            ULONG_PTR SharedOriginal : 1;           // If this bit is 1, the page was not modified.
+            ULONG_PTR Bad : 1;                      // If this bit is 1, the page is has been reported as bad.
 #ifdef _WIN64
             ULONG_PTR ReservedUlong : 32;
 #endif
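Review bot: On 32-bit builds the first bit-field struct does not fit in the new `ULONG_PTR Flags` overlay: the widths listed before `#ifdef _WIN64` (1+3+11+1+6+1+1+3+3+1+1+4) add up to 36 bits, because `Win32GraphicsProtection : 4` sits outside the guard. The union would then likely be larger than one `ULONG_PTR`, so `Flags` would not cover every bit and the size of `MEMORY_WORKING_SET_EX_INFORMATION` would no longer be a pointer plus one pointer-sized attribute word. Moving that field inside the `_WIN64` block and adding `static_assert(sizeof(MEMORY_WORKING_SET_EX_BLOCK) == sizeof(ULONG_PTR), "unexpected block size");` would catch this at compile time. The union's closing lines are in the next hunk. As a wording nit, both added `Bad` comments read "the page is has been reported" and should say "has been reported".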
@@ -254,15 +273,15 @@ typedef struct _MEMORY_WORKING_SET_EX_BLOCK
     };
 } MEMORY_WORKING_SET_EX_BLOCK, *PMEMORY_WORKING_SET_EX_BLOCK;
 
-// private
+/**
+ * The MEMORY_WORKING_SET_EX_INFORMATION structure contains extended working set information for a process.
+ *
+ * \ref https://learn.microsoft.com/en-us/windows/win32/api/psapi/ns-psapi-psapi_working_set_ex_information
+ */
 typedef struct _MEMORY_WORKING_SET_EX_INFORMATION
 {
-    PVOID VirtualAddress;
-    union
-    {
-        MEMORY_WORKING_SET_EX_BLOCK VirtualAttributes;
-        ULONG_PTR Long;
-    } u1;
+    PVOID VirtualAddress;                             // The virtual address.
+    MEMORY_WORKING_SET_EX_BLOCK VirtualAttributes;    // The attributes of the page at VirtualAddress.
 } MEMORY_WORKING_SET_EX_INFORMATION, *PMEMORY_WORKING_SET_EX_INFORMATION;
 
 // private
@@ -677,7 +696,9 @@ typedef enum _SECTION_INHERIT
 #define MEM_EXECUTE_OPTION_DISABLE_EXCEPTION_CHAIN_VALIDATION 0x40
 #define MEM_EXECUTE_OPTION_VALID_FLAGS 0x7f
 
+//
 // Virtual memory
+//
 
 #if (PHNT_MODE != PHNT_MODE_KERNEL)
 
@@ -692,11 +713,10 @@ NtAllocateVirtualMemory(
     _In_ ULONG_PTR ZeroBits,
     _Inout_ PSIZE_T RegionSize,
     _In_ ULONG AllocationType,
-    _In_ ULONG Protect
+    _In_ ULONG PageProtection
     );
 
 #if (PHNT_VERSION >= PHNT_REDSTONE5)
-
 _Must_inspect_result_
 _When_(return == 0, __drv_allocatesMem(mem))
 NTSYSCALLAPI
@@ -711,9 +731,17 @@ NtAllocateVirtualMemoryEx(
     _Inout_updates_opt_(ExtendedParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters,
     _In_ ULONG ExtendedParameterCount
     );
-
 #endif
 
+/**
+ * Frees virtual memory allocated for a process.
+ *
+ * @param ProcessHandle A handle to the process whose virtual memory is to be freed.
+ * @param BaseAddress A pointer to the base address of the region of pages to be freed.
+ * @param RegionSize A pointer to a variable that specifies the size of the region of memory to be freed.
+ * @param FreeType The type of free operation. This parameter can be MEM_DECOMMIT or MEM_RELEASE.
+ * @return NTSTATUS Successful or errant status.
+ */
 NTSYSCALLAPI
 NTSTATUS
 NTAPI
@@ -724,6 +752,16 @@ NtFreeVirtualMemory(
     _In_ ULONG FreeType
     );
 
+/**
+ * Reads virtual memory from a process.
+ *
+ * @param ProcessHandle A handle to the process whose memory is to be read.
+ * @param BaseAddress A pointer to the base address in the specified process from which to read.
+ * @param Buffer A pointer to a buffer that receives the contents from the address space of the specified process.
+ * @param NumberOfBytesToRead The number of bytes to be read from the specified process.
+ * @param NumberOfBytesRead A pointer to a variable that receives the number of bytes transferred into the specified buffer.
+ * @return NTSTATUS Successful or errant status.
+ */
 NTSYSCALLAPI
 NTSTATUS
 NTAPI
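Review bot: The new doc comment describes `ProcessHandle` only as a handle to the process and does not state which access right it must carry; for the read path that is `PROCESS_VM_READ`. The same gap is in the comments added in later hunks for `NtWriteVirtualMemory` (`PROCESS_VM_WRITE` and `PROCESS_VM_OPERATION`) and `NtProtectVirtualMemory` (`PROCESS_VM_OPERATION`). Naming the right in each `@param ProcessHandle` line, e.g. `A handle to the process whose memory is to be read. The handle must have PROCESS_VM_READ access.`, lets callers open handles with the minimum rights and makes over-broad `PROCESS_ALL_ACCESS` requests easier to spot in review. The declaration this comment documents (presumably `NtReadVirtualMemory`) continues outside the hunk.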
@@ -748,7 +786,17 @@ NtWow64ReadVirtualMemory64(
     );
 
 #if (PHNT_VERSION >= PHNT_WIN11)
-// rev
+/**
+ * Reads virtual memory from a process with extended options.
+ *
+ * @param ProcessHandle A handle to the process whose memory is to be read.
+ * @param BaseAddress A pointer to the base address in the specified process from which to read.
+ * @param Buffer A pointer to a buffer that receives the contents from the address space of the specified process.
+ * @param NumberOfBytesToRead The number of bytes to be read from the specified process.
+ * @param NumberOfBytesRead A pointer to a variable that receives the number of bytes transferred into the specified buffer.
+ * @param Flags Additional flags for the read operation.
+ * @return NTSTATUS Successful or errant status.
+ */
 NTSYSCALLAPI
 NTSTATUS
 NTAPI
@@ -762,6 +810,16 @@ NtReadVirtualMemoryEx(
     );
 #endif
 
+/**
+ * Writes virtual memory to a process.
+ *
+ * @param ProcessHandle A handle to the process whose memory is to be written.
+ * @param BaseAddress A pointer to the base address in the specified process to which to write.
+ * @param Buffer A pointer to the buffer that contains the data to be written to the address space of the specified process.
+ * @param NumberOfBytesToWrite The number of bytes to be written to the specified process.
+ * @param NumberOfBytesWritten A pointer to a variable that receives the number of bytes transferred into the specified buffer.
+ * @return NTSTATUS Successful or errant status.
+ */
 NTSYSCALLAPI
 NTSTATUS
 NTAPI
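Review bot: The `@param NumberOfBytesWritten` line says the variable receives the number of bytes "transferred into the specified buffer", which is wording carried over from the read function; for a write the bytes go into the target process. I would change it to `@param NumberOfBytesWritten A pointer to a variable that receives the number of bytes transferred into the specified process.` The same sentence appears in the comment added for `NtWow64WriteVirtualMemory64` in the next hunk.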
@@ -774,6 +832,16 @@ NtWriteVirtualMemory(
     );
 
 // rev
+/**
+ * Writes virtual memory to a 64-bit process from a 32-bit process.
+ *
+ * @param ProcessHandle A handle to the process whose memory is to be written.
+ * @param BaseAddress A pointer to the base address in the specified process to which to write.
+ * @param Buffer A pointer to the buffer that contains the data to be written to the address space of the specified process.
+ * @param NumberOfBytesToWrite The number of bytes to be written to the specified process.
+ * @param NumberOfBytesWritten A pointer to a variable that receives the number of bytes transferred into the specified buffer.
+ * @return NTSTATUS Successful or errant status.
+ */
 NTSYSCALLAPI
 NTSTATUS
 NTAPI
@@ -785,6 +853,16 @@ NtWow64WriteVirtualMemory64(
     _Out_opt_ PULONGLONG NumberOfBytesWritten
     );
 
+/**
+ * Changes the protection on a region of virtual memory.
+ *
+ * @param ProcessHandle A handle to the process whose memory protection is to be changed.
+ * @param BaseAddress A pointer to the base address of the region of pages whose access protection attributes are to be changed.
+ * @param RegionSize A pointer to a variable that specifies the size of the region whose access protection attributes are to be changed.
+ * @param NewProtection The memory protection option. This parameter can be one of the memory protection constants.
+ * @param OldProtection A pointer to a variable that receives the previous access protection of the first page in the specified region of pages.
+ * @return NTSTATUS Successful or errant status.
+ */
 NTSYSCALLAPI
 NTSTATUS
 NTAPI
@@ -792,10 +870,21 @@ NtProtectVirtualMemory(
     _In_ HANDLE ProcessHandle,
     _Inout_ PVOID *BaseAddress,
     _Inout_ PSIZE_T RegionSize,
-    _In_ ULONG NewProtect,
-    _Out_ PULONG OldProtect
+    _In_ ULONG NewProtection,
+    _Out_ PULONG OldProtection
     );
 
+/**
+ * Queries information about a region of virtual memory in a process.
+ *
+ * @param ProcessHandle A handle to the process whose memory information is to be queried.
+ * @param BaseAddress A pointer to the base address of the region of pages to be queried.
+ * @param MemoryInformationClass The type of information to be queried.
+ * @param MemoryInformation A pointer to a buffer that receives the memory information.
+ * @param MemoryInformationLength The size of the buffer pointed to by the MemoryInformation parameter.
+ * @param ReturnLength A pointer to a variable that receives the number of bytes returned in the MemoryInformation buffer.
+ * @return NTSTATUS Successful or errant status.
+ */
 NTSYSCALLAPI
 NTSTATUS
 NTAPI
@@ -809,6 +898,17 @@ NtQueryVirtualMemory(
     );
 
 // rev
+/**
+ * Queries information about a region of virtual memory in a 64-bit process from a 32-bit process.
+ *
+ * @param ProcessHandle A handle to the process whose memory information is to be queried.
+ * @param BaseAddress A pointer to the base address of the region of pages to be queried.
+ * @param MemoryInformationClass The type of information to be queried.
+ * @param MemoryInformation A pointer to a buffer that receives the memory information.
+ * @param MemoryInformationLength The size of the buffer pointed to by the MemoryInformation parameter.
+ * @param ReturnLength A pointer to a variable that receives the number of bytes returned in the MemoryInformation buffer.
+ * @return NTSTATUS Successful or errant status.
+ */
 NTSYSCALLAPI
 NTSTATUS
 NTAPI
@@ -823,6 +923,15 @@ NtWow64QueryVirtualMemory64(
 
 typedef struct _IO_STATUS_BLOCK* PIO_STATUS_BLOCK;
 
+/**
+ * Flushes the instruction cache for a specified process.
+ *
+ * @param ProcessHandle A handle to the process whose instruction cache is to be flushed.
+ * @param BaseAddress A pointer to the base address of the region of memory to be flushed.
+ * @param RegionSize A pointer to a variable that specifies the size of the region to be flushed.
+ * @param IoStatus A pointer to an IO_STATUS_BLOCK structure that receives the status of the flush operation.
+ * @return NTSTATUS Successful or errant status.
+ */
 NTSYSCALLAPI
 NTSTATUS
 NTAPI
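Review bot: The summary "Flushes the instruction cache" does not match the parameter list documented beneath it. A `RegionSize` pointer and an `IoStatus` block, together with the `PIO_STATUS_BLOCK` forward declaration just above, describe flushing a range of virtual memory to its backing store rather than an instruction-cache flush. The declaration's name is outside this hunk, so this is inferred. If it is `NtFlushVirtualMemory`, the summary should read something like `Flushes a range of virtual memory in a process to its backing file.` and the `@param` lines should be reworded to match.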
@@ -986,7 +1095,7 @@ NtMapViewOfSection(
     _Inout_ PSIZE_T ViewSize,
     _In_ SECTION_INHERIT InheritDisposition,
     _In_ ULONG AllocationType,
-    _In_ ULONG Win32Protect
+    _In_ ULONG PageProtection
     );
 
 #if (PHNT_VERSION >= PHNT_REDSTONE5)
@@ -1060,8 +1169,7 @@ NtAreMappedFilesTheSame(
 #define MEMORY_PARTITION_QUERY_ACCESS 0x0001
 #define MEMORY_PARTITION_MODIFY_ACCESS 0x0002
 #define MEMORY_PARTITION_ALL_ACCESS \
-    (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \
-     MEMORY_PARTITION_QUERY_ACCESS | MEMORY_PARTITION_MODIFY_ACCESS)
+    (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | MEMORY_PARTITION_QUERY_ACCESS | MEMORY_PARTITION_MODIFY_ACCESS)
 #endif
 
 #if (PHNT_MODE != PHNT_MODE_KERNEL)
diff --git a/phnt/include/ntpebteb.h b/phnt/include/ntpebteb.h
index 6006a020e..0ccaa1a5d 100644
--- a/phnt/include/ntpebteb.h
+++ b/phnt/include/ntpebteb.h
@@ -131,7 +131,7 @@ typedef struct _WER_MEMORY
 typedef struct _WER_GATHER
 {
     PVOID Next;
-    USHORT Flags;    
+    USHORT Flags;
     union
     {
       WER_FILE File;
diff --git a/phnt/include/ntpsapi.h b/phnt/include/ntpsapi.h
index 719e6f378..f412a69cd 100644
--- a/phnt/include/ntpsapi.h
+++ b/phnt/include/ntpsapi.h
@@ -364,16 +364,16 @@ typedef enum _THREADINFOCLASS
 #endif
 
 #if (PHNT_MODE != PHNT_MODE_KERNEL)
+
 // Use with both ProcessPagePriority and ThreadPagePriority
 typedef struct _PAGE_PRIORITY_INFORMATION
 {
     ULONG PagePriority;
 } PAGE_PRIORITY_INFORMATION, *PPAGE_PRIORITY_INFORMATION;
-#endif
 
+//
 // Process information structures
-
-#if (PHNT_MODE != PHNT_MODE_KERNEL)
+//
 
 typedef struct _PROCESS_BASIC_INFORMATION
 {
@@ -387,7 +387,7 @@ typedef struct _PROCESS_BASIC_INFORMATION
 
 typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION
 {
-    SIZE_T Size; // set to sizeof structure on input
+    _In_ SIZE_T Size;
     union
     {
         PROCESS_BASIC_INFORMATION BasicInfo;
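Review bot: Replacing the comment with `_In_` drops the only caller guidance this field had, namely that `Size` must be set to the structure size before the query. `_In_` is a parameter annotation and, as far as I know, carries no checked meaning on a struct member, so the contract is now documented nowhere. I would keep the text, e.g. `_In_ SIZE_T Size; // Must be set to sizeof(PROCESS_EXTENDED_BASIC_INFORMATION) on input.` The `THREAD_TEB_INFORMATION` hunk further down uses parameter annotations on members the same way (`_Inout_bytecount_(BytesToRead)`, `_In_`), though it keeps its comments. The struct body continues outside this hunk.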
@@ -560,6 +560,9 @@ typedef struct _PROCESS_PRIORITY_CLASS_EX
     BOOLEAN Foreground;
 } PROCESS_PRIORITY_CLASS_EX, *PPROCESS_PRIORITY_CLASS_EX;
 
+/**
+ * The PROCESS_FOREGROUND_BACKGROUND structure is used to manage the the priority class of a process, specifically whether it runs in the foreground or background.
+ */
 typedef struct _PROCESS_FOREGROUND_BACKGROUND
 {
     BOOLEAN Foreground;
@@ -576,48 +579,56 @@ typedef struct _PROCESS_FOREGROUND_BACKGROUND
 #define DRIVE_CDROM       5
 #define DRIVE_RAMDISK     6
 
+/**
+ * The PROCESS_DEVICEMAP_INFORMATION structure contains information about a process's device map.
+ */
 typedef struct _PROCESS_DEVICEMAP_INFORMATION
 {
     union
     {
         struct
         {
-            HANDLE DirectoryHandle; // needs DIRECTORY_TRAVERSE access
+            HANDLE DirectoryHandle; // A handle to a directory object that can be set as the new device map for the process. This handle must have DIRECTORY_TRAVERSE access.
         } Set;
         struct
         {
-            ULONG DriveMap; // bit mask
-            UCHAR DriveType[32]; // DRIVE_* WinBase.h
+            ULONG DriveMap;         // A bitmask that indicates which drive letters are currently in use in the process's device map.
+            UCHAR DriveType[32];    // A value that indicates the type of each drive (e.g., local disk, network drive, etc.). // DRIVE_* WinBase.h
         } Query;
     };
 } PROCESS_DEVICEMAP_INFORMATION, *PPROCESS_DEVICEMAP_INFORMATION;
 
 #define PROCESS_LUID_DOSDEVICES_ONLY 0x00000001
 
+/**
+ * The _PROCESS_DEVICEMAP_INFORMATION_EX structure contains information about a process's device map.
+ */
 typedef struct _PROCESS_DEVICEMAP_INFORMATION_EX
 {
     union
     {
         struct
         {
-            HANDLE DirectoryHandle; // needs DIRECTORY_TRAVERSE access
+            HANDLE DirectoryHandle; // A handle to a directory object that can be set as the new device map for the process. This handle must have DIRECTORY_TRAVERSE access.
         } Set;
         struct
         {
-            ULONG DriveMap; // bit mask
-            UCHAR DriveType[32]; // DRIVE_* WinBase.h
+            ULONG DriveMap;         // A bitmask that indicates which drive letters are currently in use in the process's device map.
+            UCHAR DriveType[32];    // A value that indicates the type of each drive (e.g., local disk, network drive, etc.). // DRIVE_* WinBase.h
         } Query;
     };
     ULONG Flags; // PROCESS_LUID_DOSDEVICES_ONLY
 } PROCESS_DEVICEMAP_INFORMATION_EX, *PPROCESS_DEVICEMAP_INFORMATION_EX;
 
+/**
+ * The PROCESS_SESSION_INFORMATION structure is used to store information about the session ID of a process.
+ */
 typedef struct _PROCESS_SESSION_INFORMATION
 {
     ULONG SessionId;
 } PROCESS_SESSION_INFORMATION, *PPROCESS_SESSION_INFORMATION;
 
 #define PROCESS_HANDLE_EXCEPTIONS_ENABLED 0x00000001
-
 #define PROCESS_HANDLE_RAISE_EXCEPTION_ON_INVALID_HANDLE_CLOSE_DISABLED 0x00000000
 #define PROCESS_HANDLE_RAISE_EXCEPTION_ON_INVALID_HANDLE_CLOSE_ENABLED 0x00000001
 
@@ -1270,9 +1281,9 @@ typedef struct _SCHEDULER_SHARED_DATA_SLOT_INFORMATION
 
 typedef struct _THREAD_TEB_INFORMATION
 {
-    PVOID TebInformation; // buffer to place data in
-    ULONG TebOffset; // offset in TEB to begin reading from
-    ULONG BytesToRead; // number of bytes to read
+    _Inout_bytecount_(BytesToRead) PVOID TebInformation; // Buffer to write data into.
+    _In_ ULONG TebOffset;                                // Offset in TEB to begin reading from.
+    _In_ ULONG BytesToRead;                              // Number of bytes to read.
 } THREAD_TEB_INFORMATION, *PTHREAD_TEB_INFORMATION;
 
 /**
@@ -1300,15 +1311,15 @@ typedef struct _COUNTER_READING
 typedef struct _THREAD_PERFORMANCE_DATA
 {
     USHORT Size;                                    // The size of the structure.
-    USHORT Version;                                 // The version of the structure. Must be set to PERFORMANCE_DATA_VERSION.
+    USHORT Version;                                 // The version of the structure. Must be set to \ref THREAD_PERFORMANCE_DATA_VERSION.
     PROCESSOR_NUMBER ProcessorNumber;               // The processor number that identifies where the thread is running.
     ULONG ContextSwitches;                          // The number of context switches that occurred from the time profiling was enabled.
     ULONG HwCountersCount;                          // The number of array elements in the HwCounters array that contain hardware counter data.
     ULONG64 UpdateCount;                            // The number of times that the read operation read the data to ensure a consistent snapshot of the data.
-    ULONG64 WaitReasonBitMap;                       // A bitmask of KWAIT_REASON that identifies the reasons for the context switches that occurred since the last time the data was read.
+    ULONG64 WaitReasonBitMap;                       // A bitmask of \ref KWAIT_REASON that identifies the reasons for the context switches that occurred since the last time the data was read.
     ULONG64 HardwareCounters;                       // A bitmask of hardware counters used to collect counter data.
     COUNTER_READING CycleTime;                      // The cycle time of the thread (excludes the time spent interrupted) from the time profiling was enabled.
-    COUNTER_READING HwCounters[MAX_HW_COUNTERS];    // The COUNTER_READING structure that contains hardware counter data.
+    COUNTER_READING HwCounters[MAX_HW_COUNTERS];    // The \ref COUNTER_READING structure that contains hardware counter data.
 } THREAD_PERFORMANCE_DATA, *PTHREAD_PERFORMANCE_DATA;
 
 #ifndef THREAD_PROFILING_FLAG_DISPATCH
@@ -1331,7 +1342,7 @@ typedef struct _THREAD_PROFILING_INFORMATION
     // performance counters that you configured. Set to zero if you are not collecting hardware counter data.
     // If you set a bit for a hardware counter that has not been configured, the counter value that is read for that counter is zero.
     ULONG64 HardwareCounters;
-    // To receive thread profiling data such as context switch count, set this parameter to THREAD_PROFILING_FLAG_DISPATCH.
+    // To receive thread profiling data such as context switch count, set this parameter to \ref THREAD_PROFILING_FLAG_DISPATCH.
     ULONG Flags;
     // Enable or disable thread profiling on the specified thread.
     ULONG Enable;
diff --git a/phnt/include/ntrtl.h b/phnt/include/ntrtl.h
index bf2cb20a2..61ce5f172 100644
--- a/phnt/include/ntrtl.h
+++ b/phnt/include/ntrtl.h
@@ -10208,7 +10208,7 @@ NTSTATUS
 NTAPI 
 RtlProcessFlsData(
     _In_ HANDLE ProcessHandle,
-    _Out_ PPVOID FlsData
+    _Out_ PVOID* FlsData
     );
 #endif
 
diff --git a/phnt/include/phnt.h b/phnt/include/phnt.h
index 1035858aa..1acd674ec 100644
--- a/phnt/include/phnt.h
+++ b/phnt/include/phnt.h
@@ -117,4 +117,7 @@ extern "C" {
 }
 #endif
 
+static_assert(__alignof(LARGE_INTEGER) == 8, "Windows headers require the default packing option. Changing the packing can lead to memory corruption.");
+static_assert(__alignof(PROCESS_CYCLE_TIME_INFORMATION) == 8, "PHNT headers require the default packing option. Changing the packing can lead to memory corruption.");
+
 #endif
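Review bot: These two `static_assert` lines are unconditional, unlike the pair in `ntldr.h` that this same commit leaves commented out, and they sit after the closing brace of the `extern "C"` block at the end of the header. Two build configurations may be affected. C translation units compiled before C23 only get `static_assert` as a macro from `<assert.h>`. `PROCESS_CYCLE_TIME_INFORMATION` may also be undefined when `PHNT_MODE == PHNT_MODE_KERNEL`, if it is declared among the process information structures that `ntpsapi.h` guards with `#if (PHNT_MODE != PHNT_MODE_KERNEL)`; its definition is not visible in this diff. Guarding the second assert with that same condition, and using a form that is also available in C, would keep the packing check without breaking those consumers.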
diff --git a/phnt/include/winsta.h b/phnt/include/winsta.h
index c0cf702ee..f5a9b0ec6 100644
--- a/phnt/include/winsta.h
+++ b/phnt/include/winsta.h
@@ -1051,6 +1051,8 @@ WinStationEnumerateProcesses(
     _Out_ PVOID *Processes
     );
 
+#define WINSTATION_PROCESS_LEVEL 0
+
 // rev
 NTSYSAPI
 BOOLEAN
@@ -1249,7 +1251,7 @@ WinStationQuerySessionVirtualIP(
     _In_ ADDRESS_FAMILY Family,
     _Out_ TS_SESSION_VIRTUAL_ADDRESS* SessionVirtualIP
     );
-    
+
 // rev
 NTSYSAPI
 BOOLEAN
@@ -1260,7 +1262,7 @@ WinStationGetDeviceId(
     _Out_ PCHAR* Buffer, // CHAR DeviceId[MAX_PATH + 1];
     _In_ SIZE_T BufferLength
     );
-        
+
 // rev
 NTSYSAPI
 BOOLEAN

@mrexodia mrexodia closed this Jan 3, 2025
@mrexodia mrexodia deleted the bump-b44c63a9e branch January 3, 2025 18:20