diff --git a/PInvoke/Security/AdvApi32/LsaLookup.cs b/PInvoke/Security/AdvApi32/LsaLookup.cs
index 8e532436..014b7a51 100644
--- a/PInvoke/Security/AdvApi32/LsaLookup.cs
+++ b/PInvoke/Security/AdvApi32/LsaLookup.cs
@@ -1,16 +1,32 @@
 using System;
 using System.Runtime.InteropServices;
 using Vanara.Extensions;
-using static Vanara.PInvoke.NetSecApi;
 
 namespace Vanara.PInvoke
 {
 	public static partial class AdvApi32
 	{
 		/// <summary>
-		/// The LSA_OBJECT_ATTRIBUTES structure is used with the LsaOpenPolicy function to specify the attributes of the connection to the Policy object. When
-		/// you call LsaOpenPolicy, initialize the members of this structure to NULL or zero because the function does not use the information.
+		/// <para>
+		/// The <c>LSA_OBJECT_ATTRIBUTES</c> structure is used with the LsaOpenPolicy function to specify the attributes of the connection to
+		/// the Policy object.
+		/// </para>
+		/// <para>
+		/// When you call LsaOpenPolicy, initialize the members of this structure to <c>NULL</c> or zero because the function does not use
+		/// the information.
+		/// </para>
 		/// </summary>
+		/// <remarks>
+		/// <para>The <c>LSA_OBJECT_ATTRIBUTES</c> structure is defined in the LsaLookup.h header file.</para>
+		/// <para>
+		/// <c>Windows Server 2008 with SP2 and earlier, Windows Vista with SP2 and earlier, Windows Server 2003, Windows XP/2000:</c> The
+		/// <c>LSA_OBJECT_ATTRIBUTES</c> structure is defined in the NTSecAPI.h header file.
+		/// </para>
+		/// </remarks>
+		// https://docs.microsoft.com/en-us/windows/desktop/api/lsalookup/ns-lsalookup-_lsa_object_attributes typedef struct
+		// _LSA_OBJECT_ATTRIBUTES { ULONG Length; HANDLE RootDirectory; PLSA_UNICODE_STRING ObjectName; ULONG Attributes; PVOID
+		// SecurityDescriptor; PVOID SecurityQualityOfService; } LSA_OBJECT_ATTRIBUTES, *PLSA_OBJECT_ATTRIBUTES;
+		[PInvokeData("lsalookup.h", MSDNShortId = "ad05cb52-8e58-46a9-b3e8-0c9c2a24a997")]
 		[StructLayout(LayoutKind.Sequential)]
 		public struct LSA_OBJECT_ATTRIBUTES
 		{
@@ -33,7 +49,8 @@ namespace Vanara.PInvoke
 			public IntPtr SecurityQualityOfService;
 
 			/// <summary>
-			/// Returns a completely empty reference. This value should be used when calling <see cref="LsaOpenPolicy(string, ref LSA_OBJECT_ATTRIBUTES, LsaPolicyRights, out SafeLsaPolicyHandle)"/>.
+			/// Returns a completely empty reference. This value should be used when calling <see cref="LsaOpenPolicy(string, ref
+			/// LSA_OBJECT_ATTRIBUTES, LsaPolicyRights, out SafeLsaPolicyHandle)"/>.
 			/// </summary>
 			/// <value>An <see cref="LSA_OBJECT_ATTRIBUTES"/> instance with all members set to <c>NULL</c> or zero.</value>
 			public static LSA_OBJECT_ATTRIBUTES Empty { get; } = new LSA_OBJECT_ATTRIBUTES();
@@ -48,13 +65,14 @@ namespace Vanara.PInvoke
 		public struct LSA_STRING
 		{
 			/// <summary>
-			/// Specifies the length, in bytes, of the string pointed to by the Buffer member, not including the terminating null character, if any.
+			/// Specifies the length, in bytes, of the string pointed to by the Buffer member, not including the terminating null character,
+			/// if any.
 			/// </summary>
 			public ushort length;
 
 			/// <summary>
-			/// Specifies the total size, in bytes, of the memory allocated for Buffer. Up to MaximumLength bytes can be written into the buffer without
-			/// trampling memory.
+			/// Specifies the total size, in bytes, of the memory allocated for Buffer. Up to MaximumLength bytes can be written into the
+			/// buffer without trampling memory.
 			/// </summary>
 			public ushort MaximumLength;
 
@@ -95,32 +113,49 @@ namespace Vanara.PInvoke
 			public static implicit operator string(LSA_STRING value) => value.ToString();
 		}
 
-		/// <summary>The LSA_TRANSLATED_NAME structure is used with the LsaLookupSids function to return information about the account identified by a SID.</summary>
+		/// <summary>
+		/// <para>
+		/// The <c>LSA_TRANSLATED_NAME</c> structure is used with the LsaLookupSids function to return information about the account
+		/// identified by a SID.
+		/// </para>
+		/// </summary>
+		// https://docs.microsoft.com/en-us/windows/desktop/api/lsalookup/ns-lsalookup-_lsa_translated_name typedef struct
+		// _LSA_TRANSLATED_NAME { SID_NAME_USE Use; LSA_UNICODE_STRING Name; LONG DomainIndex; } LSA_TRANSLATED_NAME, *PLSA_TRANSLATED_NAME;
+		[PInvokeData("lsalookup.h", MSDNShortId = "edea8317-5cdf-4d1e-9e6d-fcf17b91adb7")]
 		[StructLayout(LayoutKind.Sequential)]
 		public struct LSA_TRANSLATED_NAME
 		{
-			/// <summary>
-			/// An SID_NAME_USE enumeration value that identifies the type of SID.
-			/// </summary>
+			/// <summary>An SID_NAME_USE enumeration value that identifies the type of SID.</summary>
 			public SID_NAME_USE Use;
 
-			/// <summary>An LSA_UNICODE_STRING structure that contains the isolated name of the translated SID. An isolated name is a user, group, or local group account name without the domain name (for example, user_name, rather than Acctg\user_name).</summary>
+			/// <summary>
+			/// An LSA_UNICODE_STRING structure that contains the isolated name of the translated SID. An isolated name is a user, group, or
+			/// local group account name without the domain name (for example, user_name, rather than Acctg\user_name).
+			/// </summary>
 			public LSA_UNICODE_STRING Name;
 
 			/// <summary>
-			/// The index of an entry in a related LSA_REFERENCED_DOMAIN_LIST data structure which describes the domain that owns the account. If there is no
-			/// corresponding reference domain for an entry, then DomainIndex will contain a negative value.
+			/// The index of an entry in a related LSA_REFERENCED_DOMAIN_LIST data structure which describes the domain that owns the
+			/// account. If there is no corresponding reference domain for an entry, then DomainIndex will contain a negative value.
 			/// </summary>
 			public int DomainIndex;
 		}
 
-		/// <summary>Contains SIDs that are retrieved based on account names. This structure is used by the LsaLookupNames2 function.</summary>
+		/// <summary>
+		/// <para>
+		/// The <c>LSA_TRANSLATED_SID2</c> structure contains SIDs that are retrieved based on account names. This structure is used by the
+		/// LsaLookupNames2 function.
+		/// </para>
+		/// </summary>
+		// https://docs.microsoft.com/en-us/windows/desktop/api/lsalookup/ns-lsalookup-_lsa_translated_sid2 typedef struct
+		// _LSA_TRANSLATED_SID2 { SID_NAME_USE Use; PSID Sid; LONG DomainIndex; ULONG Flags; } LSA_TRANSLATED_SID2, *PLSA_TRANSLATED_SID2;
+		[PInvokeData("lsalookup.h", MSDNShortId = "792de958-8e24-46d8-b484-159435bc96e3")]
 		[StructLayout(LayoutKind.Sequential)]
 		public struct LSA_TRANSLATED_SID2
 		{
 			/// <summary>
-			/// An SID_NAME_USE enumeration value that identifies the use of the SID. If this value is SidTypeUnknown or SidTypeInvalid, the rest of the
-			/// information in the structure is not valid and should be ignored.
+			/// An SID_NAME_USE enumeration value that identifies the use of the SID. If this value is SidTypeUnknown or SidTypeInvalid, the
+			/// rest of the information in the structure is not valid and should be ignored.
 			/// </summary>
 			public SID_NAME_USE Use;
 
@@ -128,8 +163,8 @@ namespace Vanara.PInvoke
 			public IntPtr Sid;
 
 			/// <summary>
-			/// The index of an entry in a related LSA_REFERENCED_DOMAIN_LIST data structure which describes the domain that owns the account. If there is no
-			/// corresponding reference domain for an entry, then DomainIndex will contain a negative value.
+			/// The index of an entry in a related LSA_REFERENCED_DOMAIN_LIST data structure which describes the domain that owns the
+			/// account. If there is no corresponding reference domain for an entry, then DomainIndex will contain a negative value.
 			/// </summary>
 			public int DomainIndex;
 
diff --git a/PInvoke/Security/AdvApi32/NTSecApi.cs b/PInvoke/Security/AdvApi32/NTSecApi.cs
index 1d4423df..ba37cab1 100644
--- a/PInvoke/Security/AdvApi32/NTSecApi.cs
+++ b/PInvoke/Security/AdvApi32/NTSecApi.cs
@@ -6,7 +6,6 @@ using System.Security;
 using System.Text;
 using Vanara.Extensions;
 using Vanara.InteropServices;
-using static Vanara.PInvoke.NetSecApi;
 
 namespace Vanara.PInvoke
 {
@@ -18,15 +17,18 @@ namespace Vanara.PInvoke
 		public enum LsaPolicyRights : uint
 		{
 			/// <summary>
-			/// This access type is needed to read the target system's miscellaneous security policy information. This includes the default quota, auditing,
-			/// server state and role information, and trust information. This access type is also needed to enumerate trusted domains, accounts, and privileges.
+			/// This access type is needed to read the target system's miscellaneous security policy information. This includes the default
+			/// quota, auditing, server state and role information, and trust information. This access type is also needed to enumerate
+			/// trusted domains, accounts, and privileges.
 			/// </summary>
 			POLICY_VIEW_LOCAL_INFORMATION = 1,
 
 			/// <summary>This access type is needed to view audit trail or audit requirements information.</summary>
 			POLICY_VIEW_AUDIT_INFORMATION = 2,
 
-			/// <summary>This access type is needed to view sensitive information, such as the names of accounts established for trusted domain relationships.</summary>
+			/// <summary>
+			/// This access type is needed to view sensitive information, such as the names of accounts established for trusted domain relationships.
+			/// </summary>
 			POLICY_GET_PRIVATE_INFORMATION = 4,
 
 			/// <summary>This access type is needed to change the account domain or primary domain information.</summary>
@@ -48,14 +50,14 @@ namespace Vanara.PInvoke
 			POLICY_SET_AUDIT_REQUIREMENTS = 0x100,
 
 			/// <summary>
-			/// This access type is needed to change the characteristics of the audit trail such as its maximum size or the retention period for audit records,
-			/// or to clear the log.
+			/// This access type is needed to change the characteristics of the audit trail such as its maximum size or the retention period
+			/// for audit records, or to clear the log.
 			/// </summary>
 			POLICY_AUDIT_LOG_ADMIN = 0x200,
 
 			/// <summary>
-			/// This access type is needed to modify the server state or role (master/replica) information. It is also needed to change the replica source and
-			/// account name information.
+			/// This access type is needed to modify the server state or role (master/replica) information. It is also needed to change the
+			/// replica source and account name information.
 			/// </summary>
 			POLICY_SERVER_ADMIN = 0x400,
 
@@ -103,20 +105,23 @@ namespace Vanara.PInvoke
 		}
 
 		/// <summary>
-		/// The LsaAddAccountRights function assigns one or more privileges to an account. If the account does not exist, LsaAddAccountRights creates it.
+		/// The LsaAddAccountRights function assigns one or more privileges to an account. If the account does not exist, LsaAddAccountRights
+		/// creates it.
 		/// </summary>
 		/// <param name="PolicyHandle">
-		/// A handle to a Policy object. The handle must have the POLICY_LOOKUP_NAMES access right. If the account identified by the AccountSid parameter does
-		/// not exist, the handle must have the POLICY_CREATE_ACCOUNT access right. For more information, see Opening a Policy Object Handle.
+		/// A handle to a Policy object. The handle must have the POLICY_LOOKUP_NAMES access right. If the account identified by the
+		/// AccountSid parameter does not exist, the handle must have the POLICY_CREATE_ACCOUNT access right. For more information, see
+		/// Opening a Policy Object Handle.
 		/// </param>
 		/// <param name="pSID">Pointer to the SID of the account to which the function assigns privileges.</param>
 		/// <param name="UserRights">
-		/// Pointer to an array of strings. Each string contains the name of a privilege to add to the account. For a list of privilege names, see Privilege Constants.
+		/// Pointer to an array of strings. Each string contains the name of a privilege to add to the account. For a list of privilege
+		/// names, see Privilege Constants.
 		/// </param>
 		/// <param name="CountOfRights">Specifies the number of elements in the UserRights array.</param>
 		/// <returns>
-		/// If the function succeeds, the return value is STATUS_SUCCESS. If the function fails, the return value is an NTSTATUS code, which can be the following
-		/// value or one of the LSA Policy Function Return Values.
+		/// If the function succeeds, the return value is STATUS_SUCCESS. If the function fails, the return value is an NTSTATUS code, which
+		/// can be the following value or one of the LSA Policy Function Return Values.
 		/// </returns>
 		[DllImport(Lib.AdvApi32, ExactSpelling = true), SuppressUnmanagedCodeSecurity]
 		[PInvokeData("ntsecapi.h", MSDNShortId = "ms721786")]
@@ -126,36 +131,54 @@ namespace Vanara.PInvoke
 			[In, MarshalAs(UnmanagedType.CustomMarshaler, MarshalTypeRef = typeof(LsaUnicodeStringArrayMarshaler))]
 			string[] UserRights,
 			int CountOfRights);
+
 		/// <summary>Undocumented function for creating an account.</summary>
 		/// <param name="PolicyHandle">A handle to a Policy object. For more information, see Opening a Policy Object Handle.</param>
 		/// <param name="AccountSid">Pointer to the SID of the account for which to enumerate privileges.</param>
 		/// <param name="DesiredAccess">The desired access.</param>
 		/// <param name="AccountHandle">The account handle.</param>
 		/// <returns>
-		/// If the function succeeds, the return value is STATUS_SUCCESS. If the function fails, the return value is an NTSTATUS code.For more information, see
-		/// LSA Policy Function Return Values. You can use the LsaNtStatusToWinError function to convert the NTSTATUS code to a Windows error code.
+		/// If the function succeeds, the return value is STATUS_SUCCESS. If the function fails, the return value is an NTSTATUS code.For
+		/// more information, see LSA Policy Function Return Values. You can use the LsaNtStatusToWinError function to convert the NTSTATUS
+		/// code to a Windows error code.
 		/// </returns>
 		[DllImport(Lib.AdvApi32, ExactSpelling = true)]
 		public static extern uint LsaCreateAccount(SafeLsaPolicyHandle PolicyHandle, PSID AccountSid, LsaAccountAccessMask DesiredAccess, out SafeLsaPolicyHandle AccountHandle);
 
-		/// <summary>The LsaEnumerateAccountRights function enumerates the privileges assigned to an account.</summary>
+		/// <summary>
+		/// <para>The <c>LsaEnumerateAccountRights</c> function enumerates the privileges assigned to an account.</para>
+		/// </summary>
 		/// <param name="PolicyHandle">
-		/// A handle to a Policy object. The handle must have the POLICY_LOOKUP_NAMES access right. For more information, see Opening a Policy Object Handle.
-		/// </param>
-		/// <param name="AccountSid">Pointer to the SID of the account for which to enumerate privileges.</param>
-		/// <param name="UserRights">
-		/// Receives a pointer to an array of LSA_UNICODE_STRING structures. Each structure contains the name of a privilege held by the account. For a list of
-		/// privilege names, see Privilege Constants.
-		/// </param>
-		/// <param name="CountOfRights">Pointer to a variable that receives the number of privileges in the UserRights array.</param>
-		/// <returns>
-		/// If at least one account right is found, the function succeeds and returns STATUS_SUCCESS.
 		/// <para>
-		/// If no account rights are found or if the function fails for any other reason, the function returns an NTSTATUS code such as FILE_NOT_FOUND. For more
-		/// information, see LSA Policy Function Return Values. Use the LsaNtStatusToWinError function to convert the NTSTATUS code to a Windows error code.
+		/// A handle to a Policy object. The handle must have the POLICY_LOOKUP_NAMES access right. For more information, see Opening a
+		/// Policy Object Handle.
+		/// </para>
+		/// </param>
+		/// <param name="AccountSid">
+		/// <para>Pointer to the SID of the account for which to enumerate privileges.</para>
+		/// </param>
+		/// <param name="UserRights">
+		/// <para>
+		/// Receives a pointer to an array of LSA_UNICODE_STRING structures. Each structure contains the name of a privilege held by the
+		/// account. For a list of privilege names, see Privilege Constants
+		/// </para>
+		/// <para>When you no longer need the information, pass the returned pointer to LsaFreeMemory.</para>
+		/// </param>
+		/// <param name="CountOfRights">
+		/// <para>Pointer to a variable that receives the number of privileges in the UserRights array.</para>
+		/// </param>
+		/// <returns>
+		/// <para>If at least one account right is found, the function succeeds and returns STATUS_SUCCESS.</para>
+		/// <para>
+		/// If no account rights are found or if the function fails for any other reason, the function returns an NTSTATUS code such as
+		/// FILE_NOT_FOUND. For more information, see LSA Policy Function Return Values. Use the LsaNtStatusToWinError function to convert
+		/// the NTSTATUS code to a Windows error code.
 		/// </para>
 		/// </returns>
-		[DllImport(Lib.AdvApi32, ExactSpelling = true)]
+		// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-lsaenumerateaccountrights NTSTATUS
+		// LsaEnumerateAccountRights( LSA_HANDLE PolicyHandle, PSID AccountSid, PLSA_UNICODE_STRING *UserRights, PULONG CountOfRights );
+		[DllImport(Lib.AdvApi32, SetLastError = false, ExactSpelling = true)]
+		[PInvokeData("ntsecapi.h", MSDNShortId = "3f4a4a9a-66ca-410a-8bdc-c390e8b966e3")]
 		public static extern uint LsaEnumerateAccountRights(
 			SafeLsaPolicyHandle PolicyHandle,
 			PSID AccountSid,
@@ -164,60 +187,103 @@ namespace Vanara.PInvoke
 
 		/// <summary>The LsaEnumerateAccountRights function enumerates the privileges assigned to an account.</summary>
 		/// <param name="PolicyHandle">
-		/// A handle to a Policy object. The handle must have the POLICY_LOOKUP_NAMES access right. For more information, see Opening a Policy Object Handle.
+		/// A handle to a Policy object. The handle must have the POLICY_LOOKUP_NAMES access right. For more information, see Opening a
+		/// Policy Object Handle.
 		/// </param>
 		/// <param name="AccountSid">Pointer to the SID of the account for which to enumerate privileges.</param>
-		/// <returns>An enumeration of strings containing the names of privileges held by the account. For a list of privilege names, see Privilege Constants.</returns>
+		/// <returns>
+		/// An enumeration of strings containing the names of privileges held by the account. For a list of privilege names, see Privilege Constants.
+		/// </returns>
 		public static IEnumerable<string> LsaEnumerateAccountRights(SafeLsaPolicyHandle PolicyHandle, PSID AccountSid)
 		{
 			var ret = LsaEnumerateAccountRights(PolicyHandle, AccountSid, out SafeLsaMemoryHandle mem, out uint cnt);
 			var winErr = LsaNtStatusToWinError(ret);
 			if (winErr == Win32Error.ERROR_FILE_NOT_FOUND) return new string[0];
 			winErr.ThrowIfFailed();
-			return mem.DangerousGetHandle().ToIEnum<LSA_UNICODE_STRING>((int) cnt).Select(u => (string) u.ToString().Clone());
+			return mem.DangerousGetHandle().ToIEnum<LSA_UNICODE_STRING>((int)cnt).Select(u => (string)u.ToString().Clone());
 		}
 
 		/// <summary>
-		/// The LsaEnumerateAccountsWithUserRight function returns the accounts in the database of a Local Security Authority (LSA) Policy object that hold a
-		/// specified privilege. The accounts returned by this function hold the specified privilege directly through the user account, not as part of membership
-		/// to a group.
+		/// <para>
+		/// The <c>LsaEnumerateAccountsWithUserRight</c> function returns the accounts in the database of a Local Security Authority (LSA)
+		/// Policy object that hold a specified privilege. The accounts returned by this function hold the specified privilege directly
+		/// through the user account, not as part of membership to a group.
+		/// </para>
 		/// </summary>
 		/// <param name="PolicyHandle">
-		/// A handle to a Policy object. The handle must have POLICY_LOOKUP_NAMES and POLICY_VIEW_LOCAL_INFORMATION user rights. For more information, see
-		/// Opening a Policy Object Handle.
+		/// <para>
+		/// A handle to a Policy object. The handle must have POLICY_LOOKUP_NAMES and POLICY_VIEW_LOCAL_INFORMATION user rights. For more
+		/// information, see Opening a Policy Object Handle.
+		/// </para>
 		/// </param>
-		/// <param name="UserRights">
-		/// A string that specifies the name of a privilege. For a list of privileges, see Privilege Constants and Account Rights Constants.
-		/// <para>If this parameter is NULL, the function enumerates all accounts in the LSA database of the system associated with the Policy object.</para>
+		/// <param name="UserRight">
+		/// <para>
+		/// Pointer to an LSA_UNICODE_STRING structure that specifies the name of a privilege. For a list of privileges, see Privilege
+		/// Constants and Account Rights Constants.
+		/// </para>
+		/// <para>
+		/// If this parameter is <c>NULL</c>, the function enumerates all accounts in the LSA database of the system associated with the
+		/// Policy object.
+		/// </para>
 		/// </param>
-		/// <param name="EnumerationBuffer">
-		/// Pointer to a variable that receives a pointer to an array of LSA_ENUMERATION_INFORMATION structures. The Sid member of each structure is a pointer to
-		/// the security identifier (SID) of an account that holds the specified privilege.
+		/// <param name="Buffer">
+		/// <para>
+		/// Pointer to a variable that receives a pointer to an array of LSA_ENUMERATION_INFORMATION structures. The <c>Sid</c> member of
+		/// each structure is a pointer to the security identifier (SID) of an account that holds the specified privilege.
+		/// </para>
+		/// <para>When you no longer need the information, free the memory by passing the returned pointer to the LsaFreeMemory function.</para>
+		/// </param>
+		/// <param name="CountReturned">
+		/// <para>Pointer to a variable that receives the number of entries returned in the EnumerationBuffer parameter.</para>
 		/// </param>
-		/// <param name="CountReturned">Pointer to a variable that receives the number of entries returned in the EnumerationBuffer parameter.</param>
 		/// <returns>
-		/// If the function succeeds, the function returns STATUS_SUCCESS. If the function fails, it returns an NTSTATUS code, which can be one of the following
-		/// values or one of the LSA Policy Function Return Values.
+		/// <para>If the function succeeds, the function returns STATUS_SUCCESS.</para>
+		/// <para>
+		/// If the function fails, it returns an <c>NTSTATUS</c> code, which can be one of the following values or one of the LSA Policy
+		/// Function Return Values.
+		/// </para>
+		/// <list type="table">
+		/// <listheader>
+		/// <term>Value</term>
+		/// <term>Description</term>
+		/// </listheader>
+		/// <item>
+		/// <term>STATUS_NO_SUCH_PRIVILEGE</term>
+		/// <term>The privilege string specified was not a valid privilege.</term>
+		/// </item>
+		/// <item>
+		/// <term>STATUS_NO_MORE_ENTRIES</term>
+		/// <term>There were no accounts with the specified privilege.</term>
+		/// </item>
+		/// </list>
+		/// <para>You can use the LsaNtStatusToWinError function to convert the <c>NTSTATUS</c> code to a Windows error code.</para>
 		/// </returns>
-		[DllImport(Lib.AdvApi32, ExactSpelling = true)]
+		// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-lsaenumerateaccountswithuserright NTSTATUS
+		// LsaEnumerateAccountsWithUserRight( LSA_HANDLE PolicyHandle, PLSA_UNICODE_STRING UserRight, PVOID *Buffer, PULONG CountReturned );
+		[DllImport(Lib.AdvApi32, SetLastError = false, ExactSpelling = true)]
+		[PInvokeData("ntsecapi.h", MSDNShortId = "97e7180e-4edb-4edd-915e-0477e7e7a9ff")]
+		// public static extern NTSTATUS LsaEnumerateAccountsWithUserRight(LSA_HANDLE PolicyHandle, PLSA_UNICODE_STRING UserRight, ref IntPtr
+		// Buffer, ref uint CountReturned);
 		public static extern uint LsaEnumerateAccountsWithUserRight(
 			SafeLsaPolicyHandle PolicyHandle,
-			[In, MarshalAs(UnmanagedType.CustomMarshaler, MarshalTypeRef = typeof(LsaUnicodeStringMarshaler))] string UserRights,
-			out SafeLsaMemoryHandle EnumerationBuffer,
+			[In, MarshalAs(UnmanagedType.CustomMarshaler, MarshalTypeRef = typeof(LsaUnicodeStringMarshaler))] string UserRight,
+			out SafeLsaMemoryHandle Buffer,
 			out int CountReturned);
 
 		/// <summary>
-		/// The LsaEnumerateAccountsWithUserRight function returns the accounts in the database of a Local Security Authority (LSA) Policy object that hold a
-		/// specified privilege. The accounts returned by this function hold the specified privilege directly through the user account, not as part of membership
-		/// to a group.
+		/// The LsaEnumerateAccountsWithUserRight function returns the accounts in the database of a Local Security Authority (LSA) Policy
+		/// object that hold a specified privilege. The accounts returned by this function hold the specified privilege directly through the
+		/// user account, not as part of membership to a group.
 		/// </summary>
 		/// <param name="PolicyHandle">
-		/// A handle to a Policy object. The handle must have POLICY_LOOKUP_NAMES and POLICY_VIEW_LOCAL_INFORMATION user rights. For more information, see
-		/// Opening a Policy Object Handle.
+		/// A handle to a Policy object. The handle must have POLICY_LOOKUP_NAMES and POLICY_VIEW_LOCAL_INFORMATION user rights. For more
+		/// information, see Opening a Policy Object Handle.
 		/// </param>
 		/// <param name="UserRights">
 		/// A string that specifies the name of a privilege. For a list of privileges, see Privilege Constants and Account Rights Constants.
-		/// <para>If this parameter is NULL, the function enumerates all accounts in the LSA database of the system associated with the Policy object.</para>
+		/// <para>
+		/// If this parameter is NULL, the function enumerates all accounts in the LSA database of the system associated with the Policy object.
+		/// </para>
 		/// </param>
 		/// <returns>An enumeration of security identifiers (SID) of accounts that holds the specified privilege.</returns>
 		public static IEnumerable<PSID> LsaEnumerateAccountsWithUserRight(SafeLsaPolicyHandle PolicyHandle, string UserRights)
@@ -233,32 +299,160 @@ namespace Vanara.PInvoke
 		public static extern uint LsaGetSystemAccessAccount(SafeLsaPolicyHandle AccountHandle, out int SystemAccess);
 
 		/// <summary>
-		/// The LsaLookupNames2 function retrieves the security identifiers (SIDs) for specified account names. LsaLookupNames2 can look up the SID for any
-		/// account in any domain in a Windows forest.
+		/// <para>
+		/// The <c>LsaLookupNames2</c> function retrieves the security identifiers (SIDs) for specified account names. <c>LsaLookupNames2</c>
+		/// can look up the SID for any account in any domain in a Windows forest.
+		/// </para>
+		/// <para>
+		/// The LsaLookupNames function is superseded by the <c>LsaLookupNames2</c> function. Applications should use the
+		/// <c>LsaLookupNames2</c> function to ensure future compatibility.
+		/// </para>
+		/// <para>
+		/// This function differs from the LsaLookupNames function in that <c>LsaLookupNames2</c> returns each SID as a single element, while
+		/// <c>LsaLookupNames</c> divides each SID into an RID/domain pair.
+		/// </para>
 		/// </summary>
 		/// <param name="PolicyHandle">
-		/// A handle to a Policy object. The handle must have the POLICY_LOOKUP_NAMES access right. For more information, see Opening a Policy Object Handle.
+		/// <para>
+		/// A handle to a Policy object. The handle must have the POLICY_LOOKUP_NAMES access right. For more information, see Opening a
+		/// Policy Object Handle.
+		/// </para>
+		/// </param>
+		/// <param name="Flags">
+		/// <para>Values that control the behavior of this function. The following value is currently defined.</para>
+		/// <list type="table">
+		/// <listheader>
+		/// <term>Value</term>
+		/// <term>Meaning</term>
+		/// </listheader>
+		/// <item>
+		/// <term>LSA_LOOKUP_ISOLATED_AS_LOCAL 0x80000000</term>
+		/// <term>
+		/// The function searches only on the local systems for names that do not specify a domain. The function does search on remote
+		/// systems for names that do specify a domain.
+		/// </term>
+		/// </item>
+		/// </list>
+		/// </param>
+		/// <param name="Count">
+		/// <para>Specifies the number of names in the Names array. This is also the number of entries returned in the Sids array.</para>
 		/// </param>
-		/// <param name="Flags">Values that control the behavior of this function.</param>
-		/// <param name="Count">Specifies the number of names in the Names array. This is also the number of entries returned in the Sids array.</param>
 		/// <param name="Names">
-		/// An array of strings that contain the names to look up. These strings can be the names of user, group, or local group accounts, or the names of
-		/// domains. Domain names can be DNS domain names or NetBIOS domain names.
+		/// <para>
+		/// Pointer to an array of LSA_UNICODE_STRING structures that contain the names to look up. These strings can be the names of user,
+		/// group, or local group accounts, or the names of domains. Domain names can be DNS domain names or NetBIOS domain names.
+		/// </para>
+		/// <para>For more information about the format of the name strings, see Remarks.</para>
 		/// </param>
 		/// <param name="ReferencedDomains">
-		/// Receives a pointer to an LSA_REFERENCED_DOMAIN_LIST structure. The Domains member of this structure is an array that contains an entry for each
-		/// domain in which a name was found. The DomainIndex member of each entry in the Sids array is the index of the Domains array entry for the domain in
-		/// which the name was found.
+		/// <para>
+		/// Receives a pointer to an LSA_REFERENCED_DOMAIN_LIST structure. The <c>Domains</c> member of this structure is an array that
+		/// contains an entry for each domain in which a name was found. The <c>DomainIndex</c> member of each entry in the Sids array is the
+		/// index of the <c>Domains</c> array entry for the domain in which the name was found.
+		/// </para>
+		/// <para>
+		/// When you have finished using the returned pointer, free it by calling the LsaFreeMemory function. This memory must be freed even
+		/// when the function fails with the either of the error codes <c>STATUS_NONE_MAPPED</c> or <c>STATUS_SOME_NOT_MAPPED</c>
+		/// </para>
 		/// </param>
 		/// <param name="Sids">
-		/// Receives a pointer to an array of LSA_TRANSLATED_SID2 structures. Each entry in the Sids array contains the SID information for the corresponding
-		/// entry in the Names array.
+		/// <para>
+		/// Receives a pointer to an array of LSA_TRANSLATED_SID2 structures. Each entry in the Sids array contains the SID information for
+		/// the corresponding entry in the Names array.
+		/// </para>
+		/// <para>
+		/// When you have finished using the returned pointer, free it by calling the LsaFreeMemory function. This memory must be freed even
+		/// when the function fails with the either of the error codes <c>STATUS_NONE_MAPPED</c> or <c>STATUS_SOME_NOT_MAPPED</c>
+		/// </para>
 		/// </param>
 		/// <returns>
-		/// If the function succeeds, the function returns one of the following NTSTATUS values. If the function fails, the return value is the following
-		/// NTSTATUS value or one of the LSA Policy Function Return Values.
+		/// <para>If the function succeeds, the function returns one of the following <c>NTSTATUS</c> values.</para>
+		/// <list type="table">
+		/// <listheader>
+		/// <term>Value</term>
+		/// <term>Description</term>
+		/// </listheader>
+		/// <item>
+		/// <term>STATUS_SOME_NOT_MAPPED</term>
+		/// <term>Some of the names could not be translated. This is an informational-level return value.</term>
+		/// </item>
+		/// <item>
+		/// <term>STATUS_SUCCESS</term>
+		/// <term>All of the names were found and successfully translated.</term>
+		/// </item>
+		/// </list>
+		/// <para>
+		/// If the function fails, the return value is the following <c>NTSTATUS</c> value or one of the LSA Policy Function Return Values.
+		/// </para>
+		/// <list type="table">
+		/// <listheader>
+		/// <term>Value</term>
+		/// <term>Description</term>
+		/// </listheader>
+		/// <item>
+		/// <term>STATUS_NONE_MAPPED</term>
+		/// <term>None of the names were translated.</term>
+		/// </item>
+		/// </list>
+		/// <para>Use the LsaNtStatusToWinError function to convert the <c>NTSTATUS</c> code to a Windows error code.</para>
 		/// </returns>
-		[DllImport(Lib.AdvApi32, CharSet = CharSet.Unicode, ExactSpelling = true)]
+		/// <remarks>
+		/// <para>
+		/// Use fully qualified account names (for example, DomainName&lt;i&gt;UserName) instead of isolated names (for example, UserName).
+		/// Fully qualified names are unambiguous and provide better performance when the lookup is performed. This function also supports
+		/// fully qualified DNS names (for example, Example.Example.com&lt;i&gt;UserName) and user principal names (UPN) (for example, Someone@Example.com).
+		/// </para>
+		/// <para>
+		/// Translation of isolated names introduces the possibility of name collisions because the same name may be used in multiple
+		/// domains. The <c>LsaLookupNames2</c> function uses the following algorithm to translate isolated names.
+		/// </para>
+		/// <para><c>To translate isolated names</c></para>
+		/// <list type="number">
+		/// <item>
+		/// <term>
+		/// If the name is a well-known name, such as Local or Interactive, the function returns the corresponding well-known security
+		/// identifier (SID).
+		/// </term>
+		/// </item>
+		/// <item>
+		/// <term>If the name is the name of the built-in domain, the function returns the SID of that domain.</term>
+		/// </item>
+		/// <item>
+		/// <term>If the name is the name of the account domain, the function returns the SID of that domain.</term>
+		/// </item>
+		/// <item>
+		/// <term>If the name is the name of the primary domain, the function returns the SID of that domain.</term>
+		/// </item>
+		/// <item>
+		/// <term>If the name is one of the names of the trusted domain, the function returns the SID of that domain.</term>
+		/// </item>
+		/// <item>
+		/// <term>If the name is a user, group, or local group account in the built-in domain, the function returns the SID of that account.</term>
+		/// </item>
+		/// <item>
+		/// <term>
+		/// If the name is a user, group, or local group account in the account domain on the local system, the function returns the SID of
+		/// that account.
+		/// </term>
+		/// </item>
+		/// <item>
+		/// <term>If the name is a user, group, or a local group in the primary domain, the function returns the SID of that account.</term>
+		/// </item>
+		/// <item>
+		/// <term>After looking in the primary domain, the function looks in each of the primary domain's trusted domains.</term>
+		/// </item>
+		/// <item>
+		/// <term>Otherwise, the name is not translated.</term>
+		/// </item>
+		/// </list>
+		/// </remarks>
+		// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-lsalookupnames2 NTSTATUS LsaLookupNames2( LSA_HANDLE
+		// PolicyHandle, ULONG Flags, ULONG Count, PLSA_UNICODE_STRING Names, PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains,
+		// PLSA_TRANSLATED_SID2 *Sids );
+		[DllImport(Lib.AdvApi32, SetLastError = false, ExactSpelling = true, CharSet = CharSet.Unicode)]
+		[PInvokeData("ntsecapi.h", MSDNShortId = "fe219070-6a00-4b8c-b2e4-2ad290a1cb9c")]
+		// public static extern NTSTATUS LsaLookupNames2(LSA_HANDLE PolicyHandle, uint Flags, uint Count, PLSA_UNICODE_STRING Names, ref
+		// PLSA_REFERENCED_DOMAIN_LIST ReferencedDomains, ref PLSA_TRANSLATED_SID2 Sids);
 		public static extern uint LsaLookupNames2(
 			SafeLsaPolicyHandle PolicyHandle,
 			LsaLookupNamesFlags Flags,
@@ -268,21 +462,158 @@ namespace Vanara.PInvoke
 			out SafeLsaMemoryHandle ReferencedDomains,
 			out SafeLsaMemoryHandle Sids);
 
-		/// <summary>The LsaLookupSids2 function looks up the names that correspond to an array of security identifiers (SIDs) and supports Internet provider identities. If LsaLookupSids2 cannot find a name that corresponds to a SID, the function returns the SID in character form. You should use this function instead of the LsaLookupSids function.</summary>
-		/// <param name="PolicyHandle">A handle to a Policy object. This handle must have the POLICY_LOOKUP_NAMES access right.</param>
-		/// <param name="LookupOptions">Flags that modify the lookup behavior.</param>
-		/// <param name="Count">Specifies the number of SIDs in the Sids array. This is also the number of entries returned in the Names array.</param>
-		/// <param name="Sids">Pointer to an array of SID pointers to look up. The SIDs can be well-known SIDs, user, group, or local group account SIDs, or domain SIDs.</param>
-		/// <param name="ReferencedDomains">Receives a pointer to a pointer to a LSA_REFERENCED_DOMAIN_LIST structure. The Domains member of this structure is an array that contains an entry for each domain in which a SID was found. The entry for each domain contains the SID and flat name of the domain. For Windows domains, the flat name is the NetBIOS name. For links with non–Windows domains, the flat name is the identifying name of that domain, or it is NULL.
-		/// <para>When you no longer need the information, pass the returned pointer to LsaFreeMemory. This memory must be freed even when the function fails with the either of the error codes STATUS_NONE_MAPPED or STATUS_SOME_NOT_MAPPED</para></param>
-		/// <param name="Names">Receives a pointer to an array of LSA_TRANSLATED_NAME structures. Each entry in the Names array contains the name information for the corresponding entry in the Sids array. For account SIDs, the Name member of each structure contains the isolated name of the account. For domain SIDs, the Name member is not valid.
-		/// <para>The DomainIndex member of each entry in the Names array is the index of an entry in the Domains array returned in the ReferencedDomains parameter. The index identifies the Domains array for the domain in which the SID was found.</para>
-		/// <para>When you no longer need the information, pass the returned pointer to LsaFreeMemory. This memory must be freed even when the function fails with the either of the error codes STATUS_NONE_MAPPED or STATUS_SOME_NOT_MAPPED</para></param>
+		/// <summary>
+		/// <para>
+		/// The <c>LsaLookupSids2</c> function looks up the names that correspond to an array of security identifiers (SIDs) and supports
+		/// Internet provider identities. If <c>LsaLookupSids2</c> cannot find a name that corresponds to a SID, the function returns the SID
+		/// in character form. You should use this function instead of the LsaLookupSids function.
+		/// </para>
+		/// </summary>
+		/// <param name="PolicyHandle">
+		/// <para>
+		/// A handle to a Policy object. This handle must have the POLICY_LOOKUP_NAMES access right. For more information, see Opening a
+		/// Policy Object Handle.
+		/// </para>
+		/// </param>
+		/// <param name="LookupOptions">
+		/// <para>Flags that modify the lookup behavior.</para>
+		/// <list type="table">
+		/// <listheader>
+		/// <term>Value</term>
+		/// <term>Meaning</term>
+		/// </listheader>
+		/// <item>
+		/// <term>LSA_LOOKUP_DISALLOW_CONNECTED_ACCOUNT_INTERNET_SID</term>
+		/// <term>
+		/// Internet SIDs from identity providers for connected accounts are disallowed. Connected accounts are those accounts which have a
+		/// corresponding shadow account in the local SAM database connected to an online identity provider. For example, MicrosoftAccount is
+		/// a connected account.
+		/// </term>
+		/// </item>
+		/// <item>
+		/// <term>LSA_LOOKUP_PREFER_INTERNET_NAMES</term>
+		/// <term>
+		/// Returns the internet names. Otherwise the NT4 style name (domain\username) is returned. The exception is if the Microsoft Account
+		/// internet SID is specified, in which case the internet name is returned unless LSA_LOOKUP_DISALLOW_NON_WINDOWS_INTERNET_SID is specified.
+		/// </term>
+		/// </item>
+		/// <item>
+		/// <term>LSA_LOOKUP_RETURN_LOCAL_NAMES</term>
+		/// <term>Always returns local SAM account names even for Internet provider identities.</term>
+		/// </item>
+		/// </list>
+		/// </param>
+		/// <param name="Count">
+		/// <para>Specifies the number of SIDs in the Sids array. This is also the number of entries returned in the Names array.</para>
+		/// </param>
+		/// <param name="Sids">
+		/// <para>
+		/// Pointer to an array of SID pointers to look up. The SIDs can be well-known SIDs, user, group, or local group account SIDs, or
+		/// domain SIDs.
+		/// </para>
+		/// </param>
+		/// <param name="ReferencedDomains">
+		/// <para>
+		/// Receives a pointer to a pointer to a LSA_REFERENCED_DOMAIN_LIST structure. The <c>Domains</c> member of this structure is an
+		/// array that contains an entry for each domain in which a SID was found. The entry for each domain contains the SID and flat name
+		/// of the domain. For Windows domains, the flat name is the NetBIOS name. For links with non–Windows domains, the flat name is the
+		/// identifying name of that domain, or it is <c>NULL</c>.
+		/// </para>
+		/// <para>
+		/// When you no longer need the information, pass the returned pointer to LsaFreeMemory. This memory must be freed even when the
+		/// function fails with the either of the error codes <c>STATUS_NONE_MAPPED</c> or <c>STATUS_SOME_NOT_MAPPED</c>
+		/// </para>
+		/// </param>
+		/// <param name="Names">
+		/// <para>
+		/// Receives a pointer to an array of LSA_TRANSLATED_NAME structures. Each entry in the Names array contains the name information for
+		/// the corresponding entry in the Sids array. For account SIDs, the <c>Name</c> member of each structure contains the isolated name
+		/// of the account. For domain SIDs, the <c>Name</c> member is not valid.
+		/// </para>
+		/// <para>
+		/// The <c>DomainIndex</c> member of each entry in the Names array is the index of an entry in the <c>Domains</c> array returned in
+		/// the ReferencedDomains parameter. The index identifies the <c>Domains</c> array for the domain in which the SID was found.
+		/// </para>
+		/// <para>
+		/// When you no longer need the information, pass the returned pointer to LsaFreeMemory. This memory must be freed even when the
+		/// function fails with the either of the error codes <c>STATUS_NONE_MAPPED</c> or <c>STATUS_SOME_NOT_MAPPED</c>
+		/// </para>
+		/// </param>
 		/// <returns>
-		/// If the function succeeds, the function returns one of the following NTSTATUS values. If the function fails, the return value is the following
-		/// NTSTATUS value or one of the LSA Policy Function Return Values.
+		/// <para>If the function succeeds, the return value is one of the following <c>NTSTATUS</c> values.</para>
+		/// <list type="table">
+		/// <listheader>
+		/// <term>Return code</term>
+		/// <term>Description</term>
+		/// </listheader>
+		/// <item>
+		/// <term>STATUS_SOME_NOT_MAPPED</term>
+		/// <term>Some of the SIDs could not be translated. This is an informational-level return value.</term>
+		/// </item>
+		/// <item>
+		/// <term>STATUS_SUCCESS</term>
+		/// <term>All of the SIDs were found and successfully translated.</term>
+		/// </item>
+		/// </list>
+		/// <para>
+		/// If the function fails, the return value is an <c>NTSTATUS</c> code, which can be one of the following values or one of the LSA
+		/// Policy Function Return Values.
+		/// </para>
+		/// <list type="table">
+		/// <listheader>
+		/// <term>Return code</term>
+		/// <term>Description</term>
+		/// </listheader>
+		/// <item>
+		/// <term>STATUS_NONE_MAPPED</term>
+		/// <term>None of the SIDs were translated. This is an error-level return value.</term>
+		/// </item>
+		/// </list>
+		/// <para>You can use the LsaNtStatusToWinError function to convert the <c>NTSTATUS</c> code to a Windows error code.</para>
 		/// </returns>
-		[DllImport(Lib.AdvApi32, CharSet = CharSet.Unicode, ExactSpelling = true)]
+		/// <remarks>
+		/// <para>
+		/// The flag LSA_LOOKUP_PREFER_INTERNET_NAMES should be used for internet accounts such as MicrosoftAccount and Azure Active
+		/// Directory accounts. When this flag is specified then SID-Name lookup returns the UPN of the account in the form
+		/// MicrosoftAccount\foo@outlook.com or AzureAD\foo@contoso.com. For Microsoft Accounts both the local SAM SID and the internet SID
+		/// result in the UPN being returned if this flag is specified. If LSA_LOOKUP_PREFER_INTERNET_NAMES is not specified then for AAD
+		/// accounts the NT4 style name of the form AzureAD\foo is returned. The NT4 style name is machine specific and its usage should be
+		/// carefully evaluated and if possible should be avoided. For MicrosoftAccounts if LSA_LOOKUP_PREFER_INTERNET_NAMES is not specified
+		/// then the local SID of the account translates to the local SAM name, and the internet SID translates to the UPN name.
+		/// </para>
+		/// <para>
+		/// For account SIDs, the string returned in the <c>Name</c> member is the isolated name of the account (for example, user_name). If
+		/// you need the composite name of the account (for example, Acctg\user_name), get the domain name from the ReferencedDomains buffer
+		/// and append a backslash and the isolated name.
+		/// </para>
+		/// <para>If the <c>LsaLookupSids2</c> function cannot translate a SID, the function uses the following algorithm:</para>
+		/// <list type="number">
+		/// <item>
+		/// <term>
+		/// If the SID's domain is known, the ReferencedDomains buffer contains an entry for the domain, and the string returned in the Names
+		/// parameter is a Unicode representation of the account's relative identifier (RID) from the SID.
+		/// </term>
+		/// </item>
+		/// <item>
+		/// <term>
+		/// If the SID's domain is not known, the string returned in the Names parameter is a Unicode representation of the entire SID, and
+		/// there is no domain record for this SID in the ReferencedDomains buffer.
+		/// </term>
+		/// </item>
+		/// </list>
+		/// <para>
+		/// In addition to looking up SIDs for local accounts, local domain accounts, and explicitly trusted domain accounts,
+		/// <c>LsaLookupSids2</c> can look up SIDs for any account in any domain in the Windows forest, including SIDs that appear only in
+		/// the <c>SIDhistory</c> field of an account in the forest. The <c>SIDhistory</c> field stores the former SIDs of an account that
+		/// has been moved from another domain. To perform these searches, the function queries the global catalog of the forest.
+		/// </para>
+		/// </remarks>
+		// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-lsalookupsids2 NTSTATUS LsaLookupSids2( LSA_HANDLE
+		// PolicyHandle, ULONG LookupOptions, ULONG Count, PSID *Sids, PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains, PLSA_TRANSLATED_NAME
+		// *Names ); public static extern NTSTATUS LsaLookupSids2(LSA_HANDLE PolicyHandle, uint LookupOptions, uint Count, ref PSID Sids, ref
+		// PLSA_REFERENCED_DOMAIN_LIST ReferencedDomains, ref PLSA_TRANSLATED_NAME Names);
+		[PInvokeData("ntsecapi.h", MSDNShortId = "6B30D1FF-35DC-44E8-A765-36A5761EC0CE")]
+		[DllImport(Lib.AdvApi32, SetLastError = false, ExactSpelling = true, CharSet = CharSet.Unicode)]
 		public static extern uint LsaLookupSids2(
 			SafeLsaPolicyHandle PolicyHandle,
 			LsaLookupSidsFlags LookupOptions,
@@ -291,40 +622,75 @@ namespace Vanara.PInvoke
 			out SafeLsaMemoryHandle ReferencedDomains,
 			out SafeLsaMemoryHandle Names);
 
-		/// <summary>The LsaNtStatusToWinError function converts an NTSTATUS code returned by an LSA function to a Windows error code.</summary>
-		/// <param name="NTSTATUS">An NTSTATUS code returned by an LSA function call. This value will be converted to a System error code.</param>
+		/// <summary>
+		/// <para>The <c>LsaNtStatusToWinError</c> function converts an NTSTATUS code returned by an LSA function to a Windows error code.</para>
+		/// </summary>
+		/// <param name="Status">
+		/// <para>An NTSTATUS code returned by an LSA function call. This value will be converted to a System error code.</para>
+		/// </param>
 		/// <returns>
-		/// The return value is the Windows error code that corresponds to the Status parameter. If there is no corresponding Windows error code, the return
-		/// value is ERROR_MR_MID_NOT_FOUND.
+		/// <para>
+		/// The return value is the Windows error code that corresponds to the Status parameter. If there is no corresponding Windows error
+		/// code, the return value is ERROR_MR_MID_NOT_FOUND.
+		/// </para>
 		/// </returns>
-		[DllImport(Lib.AdvApi32, ExactSpelling = true)]
-		public static extern Win32Error LsaNtStatusToWinError(uint NTSTATUS);
+		// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-lsantstatustowinerror ULONG LsaNtStatusToWinError(
+		// NTSTATUS Status );
+		[DllImport(Lib.AdvApi32, SetLastError = false, ExactSpelling = true)]
+		[PInvokeData("ntsecapi.h", MSDNShortId = "fa91794c-c502-4b36-84cc-a8d77c8e9d9f")]
+		// public static extern uint LsaNtStatusToWinError(NTSTATUS Status);
+		public static extern Win32Error LsaNtStatusToWinError(uint Status);
 
 		[DllImport(Lib.AdvApi32, ExactSpelling = true)]
 		public static extern uint LsaOpenAccount(SafeLsaPolicyHandle PolicyHandle, PSID AccountSid, LsaAccountAccessMask DesiredAccess, out SafeLsaPolicyHandle AccountHandle);
 
 		/// <summary>
-		/// The LsaOpenPolicy function opens a handle to the Policy object on a local or remote system. You must run the process "As Administrator" so that the
-		/// call doesn't fail with ERROR_ACCESS_DENIED.
+		/// <para>The <c>LsaOpenPolicy</c> function opens a handle to the Policy object on a local or remote system.</para>
+		/// <para>You must run the process "As Administrator" so that the call doesn't fail with ERROR_ACCESS_DENIED.</para>
 		/// </summary>
 		/// <param name="SystemName">
-		/// Name of the target system. The name can have the form "ComputerName" or "\\ComputerName". If this parameter is NULL, the function opens the Policy
-		/// object on the local system.
+		/// <para>
+		/// A pointer to an LSA_UNICODE_STRING structure that contains the name of the target system. The name can have the form
+		/// "ComputerName" or "\ComputerName". If this parameter is <c>NULL</c>, the function opens the Policy object on the local system.
+		/// </para>
 		/// </param>
 		/// <param name="ObjectAttributes">
-		/// A pointer to an LSA_OBJECT_ATTRIBUTES structure that specifies the connection attributes. The structure members are not used; initialize them to NULL
-		/// or zero.
+		/// <para>
+		/// A pointer to an LSA_OBJECT_ATTRIBUTES structure that specifies the connection attributes. The structure members are not used;
+		/// initialize them to <c>NULL</c> or zero.
+		/// </para>
 		/// </param>
 		/// <param name="DesiredAccess">
-		/// An ACCESS_MASK that specifies the requested access rights. The function fails if the DACL of the target system does not allow the caller the
-		/// requested access. To determine the access rights that you need, see the documentation for the LSA functions with which you want to use the policy handle.
+		/// <para>
+		/// An ACCESS_MASK that specifies the requested access rights. The function fails if the DACL of the target system does not allow the
+		/// caller the requested access. To determine the access rights that you need, see the documentation for the LSA functions with which
+		/// you want to use the policy handle.
+		/// </para>
+		/// </param>
+		/// <param name="PolicyHandle">
+		/// <para>A pointer to an LSA_HANDLE variable that receives a handle to the Policy object.</para>
+		/// <para>When you no longer need this handle, pass it to the LsaClose function to close it.</para>
 		/// </param>
-		/// <param name="PolicyHandle">A pointer to an LSA_HANDLE variable that receives a handle to the Policy object.</param>
 		/// <returns>
-		/// If the function succeeds, the function returns STATUS_SUCCESS. If the function fails, it returns an NTSTATUS code.For more information, see LSA
-		/// Policy Function Return Values.
+		/// <para>If the function succeeds, the function returns STATUS_SUCCESS.</para>
+		/// <para>If the function fails, it returns an <c>NTSTATUS</c> code. For more information, see LSA Policy Function Return Values.</para>
+		/// <para>You can use the LsaNtStatusToWinError function to convert the <c>NTSTATUS</c> code to a Windows error code.</para>
 		/// </returns>
-		[DllImport(Lib.AdvApi32, ExactSpelling = true), SuppressUnmanagedCodeSecurity]
+		/// <remarks>
+		/// <para>
+		/// To administer the local security policy of a local or remote system, you must call the <c>LsaOpenPolicy</c> function to establish
+		/// a session with that system's LSA subsystem. <c>LsaOpenPolicy</c> connects to the LSA of the target system and returns a handle to
+		/// the Policy object of that system. You can use this handle in subsequent LSA function calls to administer the local security
+		/// policy information of the target system.
+		/// </para>
+		/// <para>For an example that demonstrates calling this function see Opening a Policy Object Handle.</para>
+		/// </remarks>
+		// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-lsaopenpolicy NTSTATUS LsaOpenPolicy(
+		// PLSA_UNICODE_STRING SystemName, PLSA_OBJECT_ATTRIBUTES ObjectAttributes, ACCESS_MASK DesiredAccess, PLSA_HANDLE PolicyHandle );
+		[DllImport(Lib.AdvApi32, SetLastError = false, ExactSpelling = true)]
+		[PInvokeData("ntsecapi.h", MSDNShortId = "361bc962-1e97-4606-a835-cbce37692c55")]
+		// public static extern NTSTATUS LsaOpenPolicy(PLSA_UNICODE_STRING SystemName, PLSA_OBJECT_ATTRIBUTES ObjectAttributes, ACCESS_MASK
+		// DesiredAccess, PLSA_HANDLE PolicyHandle);
 		public static extern uint LsaOpenPolicy(
 			[In, MarshalAs(UnmanagedType.CustomMarshaler, MarshalTypeRef = typeof(LsaUnicodeStringMarshaler))] string SystemName,
 			ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
@@ -332,16 +698,17 @@ namespace Vanara.PInvoke
 			out SafeLsaPolicyHandle PolicyHandle);
 
 		/// <summary>
-		/// The LsaOpenPolicy function opens a handle to the Policy object on a local or remote system. You must run the process "As Administrator" so that the
-		/// call doesn't fail with ERROR_ACCESS_DENIED.
+		/// The LsaOpenPolicy function opens a handle to the Policy object on a local or remote system. You must run the process "As
+		/// Administrator" so that the call doesn't fail with ERROR_ACCESS_DENIED.
 		/// </summary>
 		/// <param name="DesiredAccess">
-		/// An ACCESS_MASK that specifies the requested access rights. The function fails if the DACL of the target system does not allow the caller the
-		/// requested access. To determine the access rights that you need, see the documentation for the LSA functions with which you want to use the policy handle.
+		/// An ACCESS_MASK that specifies the requested access rights. The function fails if the DACL of the target system does not allow the
+		/// caller the requested access. To determine the access rights that you need, see the documentation for the LSA functions with which
+		/// you want to use the policy handle.
 		/// </param>
 		/// <param name="SystemName">
-		/// Name of the target system. The name can have the form "ComputerName" or "\\ComputerName". If this parameter is NULL, the function opens the Policy
-		/// object on the local system.
+		/// Name of the target system. The name can have the form "ComputerName" or "\\ComputerName". If this parameter is NULL, the function
+		/// opens the Policy object on the local system.
 		/// </param>
 		/// <returns>A pointer to an LSA_HANDLE variable that receives a handle to the Policy object.</returns>
 		public static SafeLsaPolicyHandle LsaOpenPolicy(LsaPolicyRights DesiredAccess, string SystemName = null)
@@ -352,27 +719,64 @@ namespace Vanara.PInvoke
 		}
 
 		/// <summary>
-		/// The LsaRemoveAccountRights function removes one or more privileges from an account. You can specify the privileges to be removed, or you can set a
-		/// flag to remove all privileges. When you remove all privileges, the function deletes the account. If you specify privileges not held by the account,
-		/// the function ignores them.
+		/// <para>
+		/// The <c>LsaRemoveAccountRights</c> function removes one or more privileges from an account. You can specify the privileges to be
+		/// removed, or you can set a flag to remove all privileges. When you remove all privileges, the function deletes the account. If you
+		/// specify privileges not held by the account, the function ignores them.
+		/// </para>
 		/// </summary>
 		/// <param name="PolicyHandle">
-		/// A handle to a Policy object. The handle must have the POLICY_LOOKUP_NAMES access right. For more information, see Opening a Policy Object Handle.
+		/// <para>
+		/// A handle to a Policy object. The handle must have the POLICY_LOOKUP_NAMES access right. For more information, see Opening a
+		/// Policy Object Handle.
+		/// </para>
+		/// </param>
+		/// <param name="AccountSid">
+		/// <para>Pointer to the security identifier (SID) of the account from which the privileges are removed.</para>
 		/// </param>
-		/// <param name="AccountSid">Pointer to the security identifier (SID) of the account from which the privileges are removed.</param>
 		/// <param name="AllRights">
-		/// If TRUE, the function removes all privileges and deletes the account. In this case, the function ignores the UserRights parameter. If FALSE, the
-		/// function removes the privileges specified by the UserRights parameter.
+		/// <para>
+		/// If <c>TRUE</c>, the function removes all privileges and deletes the account. In this case, the function ignores the UserRights
+		/// parameter. If <c>FALSE</c>, the function removes the privileges specified by the UserRights parameter.
+		/// </para>
 		/// </param>
 		/// <param name="UserRights">
-		/// An array of strings. Each string contains the name of a privilege to be removed from the account. For a list of privilege names, see Privilege Constants.
+		/// <para>
+		/// Pointer to an array of LSA_UNICODE_STRING structures. Each structure contains the name of a privilege to be removed from the
+		/// account. For a list of privilege names, see Privilege Constants.
+		/// </para>
+		/// </param>
+		/// <param name="CountOfRights">
+		/// <para>Specifies the number of elements in the UserRights array.</para>
 		/// </param>
-		/// <param name="CountOfRights">Specifies the number of elements in the UserRights array.</param>
 		/// <returns>
-		/// If the function succeeds, the return value is STATUS_SUCCESS. If the function fails, the return value is an NTSTATUS code, which can be one of the
-		/// following values or one of the LSA Policy Function Return Values.
+		/// <para>If the function succeeds, the return value is STATUS_SUCCESS.</para>
+		/// <para>
+		/// If the function fails, the return value is an NTSTATUS code, which can be one of the following values or one of the LSA Policy
+		/// Function Return Values.
+		/// </para>
+		/// <list type="table">
+		/// <listheader>
+		/// <term>Value</term>
+		/// <term>Description</term>
+		/// </listheader>
+		/// <item>
+		/// <term>STATUS_NO_SUCH_PRIVILEGE</term>
+		/// <term>One of the privilege names is not valid.</term>
+		/// </item>
+		/// <item>
+		/// <term>STATUS_INVALID_PARAMETER</term>
+		/// <term>Indicates the UserRights parameter was NULL and the AllRights parameter was FALSE.</term>
+		/// </item>
+		/// </list>
+		/// <para>You can use the LsaNtStatusToWinError function to convert the NTSTATUS code to a Windows error code.</para>
 		/// </returns>
-		[DllImport(Lib.AdvApi32, ExactSpelling = true)]
+		// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-lsaremoveaccountrights NTSTATUS LsaRemoveAccountRights(
+		// LSA_HANDLE PolicyHandle, PSID AccountSid, BOOLEAN AllRights, PLSA_UNICODE_STRING UserRights, ULONG CountOfRights );
+		[DllImport(Lib.AdvApi32, SetLastError = false, ExactSpelling = true)]
+		[PInvokeData("ntsecapi.h", MSDNShortId = "ad250a01-7a24-4fae-975c-aa3e65731c82")]
+		// public static extern NTSTATUS LsaRemoveAccountRights(LSA_HANDLE PolicyHandle, PSID AccountSid, [MarshalAs(UnmanagedType.U1)] bool
+		// AllRights, PLSA_UNICODE_STRING UserRights, uint CountOfRights);
 		public static extern uint LsaRemoveAccountRights(
 			SafeLsaPolicyHandle PolicyHandle,
 			PSID AccountSid,
@@ -385,44 +789,97 @@ namespace Vanara.PInvoke
 		/// <param name="AccountHandle">The account handle.</param>
 		/// <param name="SystemAccess">The system access.</param>
 		/// <returns>
-		/// If the function succeeds, the return value is STATUS_SUCCESS. If the function fails, the return value is an NTSTATUS code, which can be one of the
-		/// following values or one of the LSA Policy Function Return Values.
+		/// If the function succeeds, the return value is STATUS_SUCCESS. If the function fails, the return value is an NTSTATUS code, which
+		/// can be one of the following values or one of the LSA Policy Function Return Values.
 		/// </returns>
 		[DllImport(Lib.AdvApi32, ExactSpelling = true)]
 		public static extern uint LsaSetSystemAccessAccount(SafeLsaPolicyHandle AccountHandle, int SystemAccess);
 
-		/// <summary>The LsaClose function closes a handle to a Policy or TrustedDomain object.</summary>
+		/// <summary>
+		/// <para>The <c>LsaClose</c> function closes a handle to a Policy or TrustedDomain object.</para>
+		/// </summary>
 		/// <param name="ObjectHandle">
-		/// A handle to a Policy object returned by the LsaOpenPolicy function or to a TrustedDomain object returned by the LsaOpenTrustedDomainByName function.
-		/// Following the completion of this call, the handle is no longer valid.
+		/// <para>
+		/// A handle to a Policy object returned by the LsaOpenPolicy function or to a TrustedDomain object returned by the
+		/// LsaOpenTrustedDomainByName function. Following the completion of this call, the handle is no longer valid.
+		/// </para>
 		/// </param>
 		/// <returns>
-		/// If the function succeeds, the return value is STATUS_SUCCESS. If the function fails, the return value is an NTSTATUS code.For more information, see
-		/// LSA Policy Function Return Values. You can use the LsaNtStatusToWinError function to convert the NTSTATUS code to a Windows error code.
+		/// <para>If the function succeeds, the return value is STATUS_SUCCESS.</para>
+		/// <para>If the function fails, the return value is an NTSTATUS code. For more information, see LSA Policy Function Return Values.</para>
+		/// <para>You can use the LsaNtStatusToWinError function to convert the NTSTATUS code to a Windows error code.</para>
 		/// </returns>
-		[DllImport(Lib.AdvApi32, ExactSpelling = true)]
+		// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-lsaclose NTSTATUS LsaClose( LSA_HANDLE ObjectHandle );
+		[DllImport(Lib.AdvApi32, SetLastError = false, ExactSpelling = true)]
+		[PInvokeData("ntsecapi.h", MSDNShortId = "6283b1da-4ec3-48e1-91f6-321c6390befe")]
+		// public static extern NTSTATUS LsaClose(LSA_HANDLE ObjectHandle);
 		private static extern uint LsaClose(IntPtr ObjectHandle);
 
 		/// <summary>
-		/// The LsaFreeMemory function frees memory allocated for an output buffer by an LSA function call. LSA functions that return variable-length output
-		/// buffers always allocate the buffer on behalf of the caller. The caller must free this memory by passing the returned buffer pointer to LsaFreeMemory
-		/// when the memory is no longer required.
+		/// <para>
+		/// The <c>LsaFreeMemory</c> function frees memory allocated for an output buffer by an LSA function call. LSA functions that return
+		/// variable-length output buffers always allocate the buffer on behalf of the caller. The caller must free this memory by passing
+		/// the returned buffer pointer to <c>LsaFreeMemory</c> when the memory is no longer required.
+		/// </para>
 		/// </summary>
-		/// <param name="Buffer">Pointer to memory buffer that was allocated by an LSA function call. If LsaFreeMemory is successful, this buffer is freed.</param>
+		/// <param name="Buffer">
+		/// <para>
+		/// Pointer to memory buffer that was allocated by an LSA function call. If <c>LsaFreeMemory</c> is successful, this buffer is freed.
+		/// </para>
+		/// </param>
 		/// <returns>
-		/// If the function succeeds, the return value is STATUS_SUCCESS. If the function fails, the return value is an NTSTATUS code, which can be the following
-		/// value or one of the LSA Policy Function Return Values.
+		/// <para>If the function succeeds, the return value is STATUS_SUCCESS.</para>
+		/// <para>
+		/// If the function fails, the return value is an NTSTATUS code, which can be the following value or one of the LSA Policy Function
+		/// Return Values.
+		/// </para>
+		/// <list type="table">
+		/// <listheader>
+		/// <term>Return code</term>
+		/// <term>Description</term>
+		/// </listheader>
+		/// <item>
+		/// <term>STATUS_UNSUCCESSFUL</term>
+		/// <term>Memory could not be freed because it was not allocated by an LSA function call.</term>
+		/// </item>
+		/// </list>
+		/// <para>You can use the LsaNtStatusToWinError function to convert the NTSTATUS code to a Windows error code.</para>
 		/// </returns>
-		[DllImport(Lib.AdvApi32, ExactSpelling = true)]
+		// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-lsafreememory NTSTATUS LsaFreeMemory( PVOID Buffer );
+		[DllImport(Lib.AdvApi32, SetLastError = false, ExactSpelling = true)]
+		[PInvokeData("ntsecapi.h", MSDNShortId = "6eb3d18f-c54c-4e51-8a4b-b7a3f930cfa9")]
+		// public static extern NTSTATUS LsaFreeMemory(IntPtr Buffer);
 		private static extern uint LsaFreeMemory(IntPtr Buffer);
 
-		/// <summary>The LsaFreeReturnBuffer function frees the memory used by a buffer previously allocated by the LSA.</summary>
-		/// <param name="Buffer">Pointer to the buffer to be freed.</param>
-		/// <returns>If the function succeeds, the return value is STATUS_SUCCESS. If the function fails, the return value is an NTSTATUS code.</returns>
-		[DllImport(Lib.Secur32, ExactSpelling = true)]
+		/// <summary>
+		/// <para>The <c>LsaFreeReturnBuffer</c> function frees the memory used by a buffer previously allocated by the LSA.</para>
+		/// </summary>
+		/// <param name="Buffer">
+		/// <para>Pointer to the buffer to be freed.</para>
+		/// </param>
+		/// <returns>
+		/// <para>If the function succeeds, the return value is STATUS_SUCCESS.</para>
+		/// <para>If the function fails, the return value is an NTSTATUS code. For more information, see LSA Policy Function Return Values.</para>
+		/// <para>The LsaNtStatusToWinError function converts an NTSTATUS code to a Windows error code.</para>
+		/// </returns>
+		/// <remarks>
+		/// <para>
+		/// Some of the LSA authentication functions allocate memory buffers to hold returned information, for example, LsaLogonUser and
+		/// LsaCallAuthenticationPackage. Your application should call <c>LsaFreeReturnBuffer</c> to free these buffers when they are no
+		/// longer needed.
+		/// </para>
+		/// </remarks>
+		// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-lsafreereturnbuffer _IRQL_requires_same_ NTSTATUS
+		// LsaFreeReturnBuffer( PVOID Buffer );
+		[DllImport(Lib.Secur32, SetLastError = false, ExactSpelling = true)]
+		[PInvokeData("ntsecapi.h", MSDNShortId = "e814ed68-07e7-4936-ba96-5411086f43f6")]
+		// public static extern _IRQL_requires_same_ NTSTATUS LsaFreeReturnBuffer(IntPtr Buffer);
 		private static extern uint LsaFreeReturnBuffer(IntPtr Buffer);
 
 		/// <summary>Used with the LsaEnumerateAccountsWithUserRight function to return a pointer to a SID.</summary>
+		// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/ns-ntsecapi-_lsa_enumeration_information typedef struct
+		// _LSA_ENUMERATION_INFORMATION { PSID Sid; } LSA_ENUMERATION_INFORMATION, *PLSA_ENUMERATION_INFORMATION;
+		[PInvokeData("ntsecapi.h", MSDNShortId = "7577548f-3ceb-43a5-b447-6f66a09963fe")]
 		[StructLayout(LayoutKind.Sequential)]
 		public struct LSA_ENUMERATION_INFORMATION
 		{
@@ -430,7 +887,10 @@ namespace Vanara.PInvoke
 			public IntPtr Sid;
 		}
 
-		/// <summary>Contains information about the domains referenced in a lookup operation.</summary>
+		/// <summary>The <c>LSA_REFERENCED_DOMAIN_LIST</c> structure contains information about the domains referenced in a lookup operation.</summary>
+		// typedef struct _LSA_REFERENCED_DOMAIN_LIST { ULONG Entries; PLSA_TRUST_INFORMATION Domains;} LSA_REFERENCED_DOMAIN_LIST,
+		// *PLSA_REFERENCED_DOMAIN_LIST; https://msdn.microsoft.com/en-us/library/windows/desktop/ms721834(v=vs.85).aspx
+		[PInvokeData("Ntsecapi.h", MSDNShortId = "ms721834")]
 		[StructLayout(LayoutKind.Sequential)]
 		public struct LSA_REFERENCED_DOMAIN_LIST
 		{
@@ -444,7 +904,19 @@ namespace Vanara.PInvoke
 			public IEnumerable<LSA_TRUST_INFORMATION> DomainList => Domains == IntPtr.Zero ? new LSA_TRUST_INFORMATION[0] : Domains.ToIEnum<LSA_TRUST_INFORMATION>((int)Entries);
 		}
 
-		/// <summary>Identifies a domain.</summary>
+		/// <summary>
+		/// <para>The <c>LSA_TRUST_INFORMATION</c> structure identifies a domain.</para>
+		/// </summary>
+		/// <remarks>
+		/// <para>TRUSTED_DOMAIN_INFORMATION_BASIC is an alias for this structure.</para>
+		/// <para>
+		/// The TRUSTED_DOMAIN_INFORMATION_BASIC structure identifies a domain. This structure is used by the LsaQueryTrustedDomainInfo
+		/// function when its InformationClass parameter is set to <c>TrustedDomainInformationBasic</c>.
+		/// </para>
+		/// </remarks>
+		// https://docs.microsoft.com/en-us/windows/desktop/api/lsalookup/ns-lsalookup-_lsa_trust_information typedef struct
+		// _LSA_TRUST_INFORMATION { LSA_UNICODE_STRING Name; PSID Sid; } LSA_TRUST_INFORMATION, *PLSA_TRUST_INFORMATION;
+		[PInvokeData("lsalookup.h", MSDNShortId = "2b5e6f79-b97a-4018-a45a-37c300c3dc0d")]
 		[StructLayout(LayoutKind.Sequential)]
 		public struct LSA_TRUST_INFORMATION
 		{
@@ -455,6 +927,66 @@ namespace Vanara.PInvoke
 			public IntPtr Sid;
 		}
 
+		/// <summary>
+		/// The LSA_UNICODE_STRING structure is used by various Local Security Authority (LSA) functions to specify a Unicode string. Also an
+		/// example of unnecessary over-engineering and re-engineering.
+		/// </summary>
+		[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode, Size = 8)]
+		[PInvokeData("Ntsecapi.h", MSDNShortId = "ms721841")]
+		public struct LSA_UNICODE_STRING
+		{
+			/// <summary>
+			/// Specifies the length, in bytes, of the string pointed to by the Buffer member, not including the terminating null character,
+			/// if any.
+			/// </summary>
+			public ushort length;
+
+			/// <summary>
+			/// Specifies the total size, in bytes, of the memory allocated for Buffer. Up to MaximumLength bytes can be written into the
+			/// buffer without trampling memory.
+			/// </summary>
+			public ushort MaximumLength;
+
+			/// <summary>
+			/// Pointer to a wide character string. Note that the strings returned by the various LSA functions might not be null-terminated.
+			/// </summary>
+			public string Buffer;
+
+			/// <summary>Initializes a new instance of the <see cref="LSA_UNICODE_STRING"/> struct from a string.</summary>
+			/// <param name="s">The string value.</param>
+			/// <exception cref="System.ArgumentException">String exceeds 32Kb of data.</exception>
+			public LSA_UNICODE_STRING(string s)
+			{
+				if (s == null)
+				{
+					length = MaximumLength = 0;
+					Buffer = null;
+				}
+				else
+				{
+					var l = s.Length * UnicodeEncoding.CharSize;
+					// Unicode strings max. 32KB
+					if (l >= ushort.MaxValue)
+						throw new ArgumentException("String too long");
+					Buffer = s;
+					length = (ushort)l;
+					MaximumLength = (ushort)(l + UnicodeEncoding.CharSize);
+				}
+			}
+
+			/// <summary>Gets the number of characters in the string.</summary>
+			public int Length => length / UnicodeEncoding.CharSize;
+
+			/// <summary>Returns a <see cref="string"/> that represents this instance.</summary>
+			/// <returns>A <see cref="string"/> that represents this instance.</returns>
+			public override string ToString() => Buffer;
+
+			/// <summary>Performs an implicit conversion from <see cref="LSA_UNICODE_STRING"/> to <see cref="string"/>.</summary>
+			/// <param name="value">The value.</param>
+			/// <returns>The result of the conversion.</returns>
+			public static implicit operator string(LSA_UNICODE_STRING value) => value.ToString();
+		}
+
 		/// <summary>A <see cref="SafeHandle"/> for values that must be freed using the <see cref="LsaFreeMemory(IntPtr)"/> function.</summary>
 		public sealed class SafeLsaMemoryHandle : GenericSafeHandle
 		{
@@ -505,63 +1037,6 @@ namespace Vanara.PInvoke
 			private static bool Free(IntPtr h) => LsaFreeReturnBuffer(h) == 0;
 		}
 
-		/// <summary>
-		/// The LSA_UNICODE_STRING structure is used by various Local Security Authority (LSA) functions to specify a Unicode string. Also an example of
-		/// unnecessary over-engineering and re-engineering.
-		/// </summary>
-		[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode, Size = 8)]
-		[PInvokeData("Ntsecapi.h", MSDNShortId = "ms721841")]
-		public struct LSA_UNICODE_STRING
-		{
-			/// <summary>
-			/// Specifies the length, in bytes, of the string pointed to by the Buffer member, not including the terminating null character, if any.
-			/// </summary>
-			public ushort length;
-
-			/// <summary>
-			/// Specifies the total size, in bytes, of the memory allocated for Buffer. Up to MaximumLength bytes can be written into the buffer without
-			/// trampling memory.
-			/// </summary>
-			public ushort MaximumLength;
-
-			/// <summary>Pointer to a wide character string. Note that the strings returned by the various LSA functions might not be null-terminated.</summary>
-			public string Buffer;
-
-			/// <summary>Initializes a new instance of the <see cref="LSA_UNICODE_STRING"/> struct from a string.</summary>
-			/// <param name="s">The string value.</param>
-			/// <exception cref="System.ArgumentException">String exceeds 32Kb of data.</exception>
-			public LSA_UNICODE_STRING(string s)
-			{
-				if (s == null)
-				{
-					length = MaximumLength = 0;
-					Buffer = null;
-				}
-				else
-				{
-					var l = s.Length * UnicodeEncoding.CharSize;
-					// Unicode strings max. 32KB
-					if (l >= ushort.MaxValue)
-						throw new ArgumentException("String too long");
-					Buffer = s;
-					length = (ushort)l;
-					MaximumLength = (ushort)(l + UnicodeEncoding.CharSize);
-				}
-			}
-
-			/// <summary>Gets the number of characters in the string.</summary>
-			public int Length => length / UnicodeEncoding.CharSize;
-
-			/// <summary>Returns a <see cref="string"/> that represents this instance.</summary>
-			/// <returns>A <see cref="string"/> that represents this instance.</returns>
-			public override string ToString() => Buffer;
-
-			/// <summary>Performs an implicit conversion from <see cref="LSA_UNICODE_STRING"/> to <see cref="string"/>.</summary>
-			/// <param name="value">The value.</param>
-			/// <returns>The result of the conversion.</returns>
-			public static implicit operator string(LSA_UNICODE_STRING value) => value.ToString();
-		}
-
 		/// <summary>A custom marshaler for functions using LSA_UNICODE_STRING arrays so that managed string arrays can be used.</summary>
 		/// <seealso cref="ICustomMarshaler"/>
 		internal class LsaUnicodeStringArrayMarshaler : ICustomMarshaler
diff --git a/PInvoke/Security/AdvApi32/WinBase.cs b/PInvoke/Security/AdvApi32/WinBase.cs
index 26e993a5..100732ee 100644
--- a/PInvoke/Security/AdvApi32/WinBase.cs
+++ b/PInvoke/Security/AdvApi32/WinBase.cs
@@ -14,8 +14,8 @@ namespace Vanara.PInvoke
 		public enum LogonUserProvider
 		{
 			/// <summary>
-			/// Use the standard logon provider for the system. The default security provider is negotiate, unless you pass NULL for the domain name and the user
-			/// name is not in UPN format. In this case, the default provider is NTLM.
+			/// Use the standard logon provider for the system. The default security provider is negotiate, unless you pass NULL for the
+			/// domain name and the user name is not in UPN format. In this case, the default provider is NTLM.
 			/// </summary>
 			LOGON32_PROVIDER_DEFAULT = 0,
 
@@ -36,21 +36,22 @@ namespace Vanara.PInvoke
 		public enum LogonUserType
 		{
 			/// <summary>
-			/// This logon type is intended for users who will be interactively using the computer, such as a user being logged on by a terminal server, remote
-			/// shell, or similar process. This logon type has the additional expense of caching logon information for disconnected operations; therefore, it is
-			/// inappropriate for some client/server applications, such as a mail server.
+			/// This logon type is intended for users who will be interactively using the computer, such as a user being logged on by a
+			/// terminal server, remote shell, or similar process. This logon type has the additional expense of caching logon information
+			/// for disconnected operations; therefore, it is inappropriate for some client/server applications, such as a mail server.
 			/// </summary>
 			LOGON32_LOGON_INTERACTIVE = 2,
 
 			/// <summary>
-			/// This logon type is intended for high performance servers to authenticate plaintext passwords. The LogonUser function does not cache credentials
-			/// for this logon type.
+			/// This logon type is intended for high performance servers to authenticate plaintext passwords. The LogonUser function does not
+			/// cache credentials for this logon type.
 			/// </summary>
 			LOGON32_LOGON_NETWORK = 3,
 
 			/// <summary>
-			/// This logon type is intended for batch servers, where processes may be executing on behalf of a user without their direct intervention. This type
-			/// is also for higher performance servers that process many plaintext authentication attempts at a time, such as mail or web servers.
+			/// This logon type is intended for batch servers, where processes may be executing on behalf of a user without their direct
+			/// intervention. This type is also for higher performance servers that process many plaintext authentication attempts at a time,
+			/// such as mail or web servers.
 			/// </summary>
 			LOGON32_LOGON_BATCH = 4,
 
@@ -60,67 +61,71 @@ namespace Vanara.PInvoke
 			/// <summary>
 			/// GINAs are no longer supported.
 			/// <para>
-			/// <c>Windows Server 2003 and Windows XP:</c> This logon type is for GINA DLLs that log on users who will be interactively using the computer. This
-			/// logon type can generate a unique audit record that shows when the workstation was unlocked.
+			/// <c>Windows Server 2003 and Windows XP:</c> This logon type is for GINA DLLs that log on users who will be interactively using
+			/// the computer. This logon type can generate a unique audit record that shows when the workstation was unlocked.
 			/// </para>
 			/// </summary>
 			LOGON32_LOGON_UNLOCK = 7,
 
 			/// <summary>
-			/// This logon type preserves the name and password in the authentication package, which allows the server to make connections to other network
-			/// servers while impersonating the client. A server can accept plain-text credentials from a client, call LogonUser, verify that the user can access
-			/// the system across the network, and still communicate with other servers.
+			/// This logon type preserves the name and password in the authentication package, which allows the server to make connections to
+			/// other network servers while impersonating the client. A server can accept plain-text credentials from a client, call
+			/// LogonUser, verify that the user can access the system across the network, and still communicate with other servers.
 			/// </summary>
 			LOGON32_LOGON_NETWORK_CLEARTEXT = 8,
 
 			/// <summary>
-			/// This logon type allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the
-			/// same local identifier but uses different credentials for other network connections. This logon type is supported only by the
-			/// LOGON32_PROVIDER_WINNT50 logon provider.
+			/// This logon type allows the caller to clone its current token and specify new credentials for outbound connections. The new
+			/// logon session has the same local identifier but uses different credentials for other network connections. This logon type is
+			/// supported only by the LOGON32_PROVIDER_WINNT50 logon provider.
 			/// </summary>
 			LOGON32_LOGON_NEW_CREDENTIALS = 9
 		}
 
 		/// <summary>
-		/// The AdjustTokenPrivileges function enables or disables privileges in the specified access token. Enabling or disabling privileges in an access token
-		/// requires TOKEN_ADJUST_PRIVILEGES access.
+		/// The AdjustTokenPrivileges function enables or disables privileges in the specified access token. Enabling or disabling privileges
+		/// in an access token requires TOKEN_ADJUST_PRIVILEGES access.
 		/// </summary>
 		/// <param name="objectHandle">
-		/// A handle to the access token that contains the privileges to be modified. The handle must have TOKEN_ADJUST_PRIVILEGES access to the token. If the
-		/// PreviousState parameter is not NULL, the handle must also have TOKEN_QUERY access.
+		/// A handle to the access token that contains the privileges to be modified. The handle must have TOKEN_ADJUST_PRIVILEGES access to
+		/// the token. If the PreviousState parameter is not NULL, the handle must also have TOKEN_QUERY access.
 		/// </param>
 		/// <param name="DisableAllPrivileges">
-		/// Specifies whether the function disables all of the token's privileges. If this value is TRUE, the function disables all privileges and ignores the
-		/// NewState parameter. If it is FALSE, the function modifies privileges based on the information pointed to by the NewState parameter.
+		/// Specifies whether the function disables all of the token's privileges. If this value is TRUE, the function disables all
+		/// privileges and ignores the NewState parameter. If it is FALSE, the function modifies privileges based on the information pointed
+		/// to by the NewState parameter.
 		/// </param>
 		/// <param name="NewState">
-		/// A pointer to a TOKEN_PRIVILEGES structure that specifies an array of privileges and their attributes. If DisableAllPrivileges is TRUE, the function
-		/// ignores this parameter. If the DisableAllPrivileges parameter is FALSE, the AdjustTokenPrivileges function enables, disables, or removes these
-		/// privileges for the token. The following table describes the action taken by the AdjustTokenPrivileges function, based on the privilege attribute.
+		/// A pointer to a TOKEN_PRIVILEGES structure that specifies an array of privileges and their attributes. If DisableAllPrivileges is
+		/// TRUE, the function ignores this parameter. If the DisableAllPrivileges parameter is FALSE, the AdjustTokenPrivileges function
+		/// enables, disables, or removes these privileges for the token. The following table describes the action taken by the
+		/// AdjustTokenPrivileges function, based on the privilege attribute.
 		/// </param>
 		/// <param name="BufferLength">
-		/// Specifies the size, in bytes, of the buffer pointed to by the PreviousState parameter. This parameter can be zero if the PreviousState parameter is NULL.
+		/// Specifies the size, in bytes, of the buffer pointed to by the PreviousState parameter. This parameter can be zero if the
+		/// PreviousState parameter is NULL.
 		/// </param>
 		/// <param name="PreviousState">
-		/// A pointer to a buffer that the function fills with a TOKEN_PRIVILEGES structure that contains the previous state of any privileges that the function
-		/// modifies. That is, if a privilege has been modified by this function, the privilege and its previous state are contained in the TOKEN_PRIVILEGES
-		/// structure referenced by PreviousState. If the PrivilegeCount member of TOKEN_PRIVILEGES is zero, then no privileges have been changed by this
-		/// function. This parameter can be NULL.
+		/// A pointer to a buffer that the function fills with a TOKEN_PRIVILEGES structure that contains the previous state of any
+		/// privileges that the function modifies. That is, if a privilege has been modified by this function, the privilege and its previous
+		/// state are contained in the TOKEN_PRIVILEGES structure referenced by PreviousState. If the PrivilegeCount member of
+		/// TOKEN_PRIVILEGES is zero, then no privileges have been changed by this function. This parameter can be NULL.
 		/// <para>
-		/// If you specify a buffer that is too small to receive the complete list of modified privileges, the function fails and does not adjust any privileges.
-		/// In this case, the function sets the variable pointed to by the ReturnLength parameter to the number of bytes required to hold the complete list of
-		/// modified privileges.
+		/// If you specify a buffer that is too small to receive the complete list of modified privileges, the function fails and does not
+		/// adjust any privileges. In this case, the function sets the variable pointed to by the ReturnLength parameter to the number of
+		/// bytes required to hold the complete list of modified privileges.
 		/// </para>
 		/// </param>
 		/// <param name="ReturnLength">
-		/// A pointer to a variable that receives the required size, in bytes, of the buffer pointed to by the PreviousState parameter. This parameter can be
-		/// NULL if PreviousState is NULL.
+		/// A pointer to a variable that receives the required size, in bytes, of the buffer pointed to by the PreviousState parameter. This
+		/// parameter can be NULL if PreviousState is NULL.
 		/// </param>
 		/// <returns>
-		/// If the function succeeds, the return value is nonzero. To determine whether the function adjusted all of the specified privileges, call GetLastError,
-		/// which returns either ERROR_SUCCESS, indicating that the function adjusted all specified privileges, or ERROR_NOT_ALL_ASSIGNED, indicating that the
-		/// token does not have one or more of the privileges specified in the NewState parameter. The function may succeed with this error value even if no
-		/// privileges were adjusted. The PreviousState parameter indicates the privileges that were adjusted.
+		/// If the function succeeds, the return value is nonzero. To determine whether the function adjusted all of the specified
+		/// privileges, call GetLastError, which returns either ERROR_SUCCESS, indicating that the function adjusted all specified
+		/// privileges, or ERROR_NOT_ALL_ASSIGNED, indicating that the token does not have one or more of the privileges specified in the
+		/// NewState parameter. The function may succeed with this error value even if no privileges were adjusted. The PreviousState
+		/// parameter indicates the privileges that were adjusted.
 		/// <para>If the function fails, the return value is zero. To get extended error information, call GetLastError.</para>
 		/// </returns>
 		[ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail), DllImport(Lib.AdvApi32, ExactSpelling = true, SetLastError = true)]
@@ -135,45 +140,49 @@ namespace Vanara.PInvoke
 			[In, Out] ref uint ReturnLength);
 
 		/// <summary>
-		/// The AdjustTokenPrivileges function enables or disables privileges in the specified access token. Enabling or disabling privileges in an access token
-		/// requires TOKEN_ADJUST_PRIVILEGES access.
+		/// The AdjustTokenPrivileges function enables or disables privileges in the specified access token. Enabling or disabling privileges
+		/// in an access token requires TOKEN_ADJUST_PRIVILEGES access.
 		/// </summary>
 		/// <param name="objectHandle">
-		/// A handle to the access token that contains the privileges to be modified. The handle must have TOKEN_ADJUST_PRIVILEGES access to the token. If the
-		/// PreviousState parameter is not NULL, the handle must also have TOKEN_QUERY access.
+		/// A handle to the access token that contains the privileges to be modified. The handle must have TOKEN_ADJUST_PRIVILEGES access to
+		/// the token. If the PreviousState parameter is not NULL, the handle must also have TOKEN_QUERY access.
 		/// </param>
 		/// <param name="DisableAllPrivileges">
-		/// Specifies whether the function disables all of the token's privileges. If this value is TRUE, the function disables all privileges and ignores the
-		/// NewState parameter. If it is FALSE, the function modifies privileges based on the information pointed to by the NewState parameter.
+		/// Specifies whether the function disables all of the token's privileges. If this value is TRUE, the function disables all
+		/// privileges and ignores the NewState parameter. If it is FALSE, the function modifies privileges based on the information pointed
+		/// to by the NewState parameter.
 		/// </param>
 		/// <param name="NewState">
-		/// A pointer to a TOKEN_PRIVILEGES structure that specifies an array of privileges and their attributes. If DisableAllPrivileges is TRUE, the function
-		/// ignores this parameter. If the DisableAllPrivileges parameter is FALSE, the AdjustTokenPrivileges function enables, disables, or removes these
-		/// privileges for the token. The following table describes the action taken by the AdjustTokenPrivileges function, based on the privilege attribute.
+		/// A pointer to a TOKEN_PRIVILEGES structure that specifies an array of privileges and their attributes. If DisableAllPrivileges is
+		/// TRUE, the function ignores this parameter. If the DisableAllPrivileges parameter is FALSE, the AdjustTokenPrivileges function
+		/// enables, disables, or removes these privileges for the token. The following table describes the action taken by the
+		/// AdjustTokenPrivileges function, based on the privilege attribute.
 		/// </param>
 		/// <param name="BufferLength">
-		/// Specifies the size, in bytes, of the buffer pointed to by the PreviousState parameter. This parameter can be zero if the PreviousState parameter is NULL.
+		/// Specifies the size, in bytes, of the buffer pointed to by the PreviousState parameter. This parameter can be zero if the
+		/// PreviousState parameter is NULL.
 		/// </param>
 		/// <param name="PreviousState">
-		/// A pointer to a buffer that the function fills with a TOKEN_PRIVILEGES structure that contains the previous state of any privileges that the function
-		/// modifies. That is, if a privilege has been modified by this function, the privilege and its previous state are contained in the TOKEN_PRIVILEGES
-		/// structure referenced by PreviousState. If the PrivilegeCount member of TOKEN_PRIVILEGES is zero, then no privileges have been changed by this
-		/// function. This parameter can be NULL.
+		/// A pointer to a buffer that the function fills with a TOKEN_PRIVILEGES structure that contains the previous state of any
+		/// privileges that the function modifies. That is, if a privilege has been modified by this function, the privilege and its previous
+		/// state are contained in the TOKEN_PRIVILEGES structure referenced by PreviousState. If the PrivilegeCount member of
+		/// TOKEN_PRIVILEGES is zero, then no privileges have been changed by this function. This parameter can be NULL.
 		/// <para>
-		/// If you specify a buffer that is too small to receive the complete list of modified privileges, the function fails and does not adjust any privileges.
-		/// In this case, the function sets the variable pointed to by the ReturnLength parameter to the number of bytes required to hold the complete list of
-		/// modified privileges.
+		/// If you specify a buffer that is too small to receive the complete list of modified privileges, the function fails and does not
+		/// adjust any privileges. In this case, the function sets the variable pointed to by the ReturnLength parameter to the number of
+		/// bytes required to hold the complete list of modified privileges.
 		/// </para>
 		/// </param>
 		/// <param name="ReturnLength">
-		/// A pointer to a variable that receives the required size, in bytes, of the buffer pointed to by the PreviousState parameter. This parameter can be
-		/// NULL if PreviousState is NULL.
+		/// A pointer to a variable that receives the required size, in bytes, of the buffer pointed to by the PreviousState parameter. This
+		/// parameter can be NULL if PreviousState is NULL.
 		/// </param>
 		/// <returns>
-		/// If the function succeeds, the return value is nonzero. To determine whether the function adjusted all of the specified privileges, call GetLastError,
-		/// which returns either ERROR_SUCCESS, indicating that the function adjusted all specified privileges, or ERROR_NOT_ALL_ASSIGNED, indicating that the
-		/// token does not have one or more of the privileges specified in the NewState parameter. The function may succeed with this error value even if no
-		/// privileges were adjusted. The PreviousState parameter indicates the privileges that were adjusted.
+		/// If the function succeeds, the return value is nonzero. To determine whether the function adjusted all of the specified
+		/// privileges, call GetLastError, which returns either ERROR_SUCCESS, indicating that the function adjusted all specified
+		/// privileges, or ERROR_NOT_ALL_ASSIGNED, indicating that the token does not have one or more of the privileges specified in the
+		/// NewState parameter. The function may succeed with this error value even if no privileges were adjusted. The PreviousState
+		/// parameter indicates the privileges that were adjusted.
 		/// <para>If the function fails, the return value is zero. To get extended error information, call GetLastError.</para>
 		/// </returns>
 		[ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail), DllImport(Lib.AdvApi32, ExactSpelling = true, SetLastError = true)]
@@ -192,13 +201,16 @@ namespace Vanara.PInvoke
 
 		/// <summary>The DuplicateToken function creates a new access token that duplicates one already in existence.</summary>
 		/// <param name="existingObjectHandle">A handle to an access token opened with TOKEN_DUPLICATE access.</param>
-		/// <param name="ImpersonationLevel">Specifies a SECURITY_IMPERSONATION_LEVEL enumerated type that supplies the impersonation level of the new token.</param>
+		/// <param name="ImpersonationLevel">
+		/// Specifies a SECURITY_IMPERSONATION_LEVEL enumerated type that supplies the impersonation level of the new token.
+		/// </param>
 		/// <param name="duplicateObjectHandle">
-		/// A pointer to a variable that receives a handle to the duplicate token. This handle has TOKEN_IMPERSONATE and TOKEN_QUERY access to the new token.
-		/// When you have finished using the new token, call the CloseHandle function to close the token handle.
+		/// A pointer to a variable that receives a handle to the duplicate token. This handle has TOKEN_IMPERSONATE and TOKEN_QUERY access
+		/// to the new token. When you have finished using the new token, call the CloseHandle function to close the token handle.
 		/// </param>
 		/// <returns>
-		/// If the function succeeds, the return value is nonzero. If the function fails, the return value is zero. To get extended error information, call GetLastError.
+		/// If the function succeeds, the return value is nonzero. If the function fails, the return value is zero. To get extended error
+		/// information, call GetLastError.
 		/// </returns>
 		[DllImport(Lib.AdvApi32, ExactSpelling = true, SetLastError = true)]
 		[return: MarshalAs(UnmanagedType.Bool)]
@@ -206,31 +218,35 @@ namespace Vanara.PInvoke
 			SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, out SafeTokenHandle duplicateObjectHandle);
 
 		/// <summary>
-		/// The DuplicateTokenEx function creates a new access token that duplicates an existing token. This function can create either a primary token or an
-		/// impersonation token.
+		/// The DuplicateTokenEx function creates a new access token that duplicates an existing token. This function can create either a
+		/// primary token or an impersonation token.
 		/// </summary>
 		/// <param name="hExistingToken">A handle to an access token opened with TOKEN_DUPLICATE access.</param>
 		/// <param name="dwDesiredAccess">
-		/// Specifies the requested access rights for the new token. The DuplicateTokenEx function compares the requested access rights with the existing token's
-		/// discretionary access control list (DACL) to determine which rights are granted or denied. To request the same access rights as the existing token,
-		/// specify zero. To request all access rights that are valid for the caller, specify MAXIMUM_ALLOWED.
+		/// Specifies the requested access rights for the new token. The DuplicateTokenEx function compares the requested access rights with
+		/// the existing token's discretionary access control list (DACL) to determine which rights are granted or denied. To request the
+		/// same access rights as the existing token, specify zero. To request all access rights that are valid for the caller, specify MAXIMUM_ALLOWED.
 		/// </param>
 		/// <param name="lpTokenAttributes">
-		/// A pointer to a SECURITY_ATTRIBUTES structure that specifies a security descriptor for the new token and determines whether child processes can
-		/// inherit the token. If lpTokenAttributes is NULL, the token gets a default security descriptor and the handle cannot be inherited. If the security
-		/// descriptor contains a system access control list (SACL), the token gets ACCESS_SYSTEM_SECURITY access right, even if it was not requested in dwDesiredAccess.
-		/// <para>To set the owner in the security descriptor for the new token, the caller's process token must have the SE_RESTORE_NAME privilege set.</para>
+		/// A pointer to a SECURITY_ATTRIBUTES structure that specifies a security descriptor for the new token and determines whether child
+		/// processes can inherit the token. If lpTokenAttributes is NULL, the token gets a default security descriptor and the handle cannot
+		/// be inherited. If the security descriptor contains a system access control list (SACL), the token gets ACCESS_SYSTEM_SECURITY
+		/// access right, even if it was not requested in dwDesiredAccess.
+		/// <para>
+		/// To set the owner in the security descriptor for the new token, the caller's process token must have the SE_RESTORE_NAME privilege set.
+		/// </para>
 		/// </param>
 		/// <param name="ImpersonationLevel">
 		/// Specifies a value from the SECURITY_IMPERSONATION_LEVEL enumeration that indicates the impersonation level of the new token.
 		/// </param>
 		/// <param name="TokenType">Specifies one of the values from the TOKEN_TYPE enumeration.</param>
 		/// <param name="phNewToken">
-		/// A pointer to a HANDLE variable that receives the new token. When you have finished using the new token, call the CloseHandle function to close the
-		/// token handle.
+		/// A pointer to a HANDLE variable that receives the new token. When you have finished using the new token, call the CloseHandle
+		/// function to close the token handle.
 		/// </param>
 		/// <returns>
-		/// If the function succeeds, the function returns nonzero. If the function fails, it returns zero. To get extended error information, call GetLastError.
+		/// If the function succeeds, the function returns nonzero. If the function fails, it returns zero. To get extended error
+		/// information, call GetLastError.
 		/// </returns>
 		[ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail), DllImport(Lib.AdvApi32, ExactSpelling = true, SetLastError = true)]
 		[return: MarshalAs(UnmanagedType.Bool)]
@@ -240,11 +256,13 @@ namespace Vanara.PInvoke
 		/// <summary>The GetAce function obtains a pointer to an access control entry (ACE) in an access control list (ACL).</summary>
 		/// <param name="pAcl">A pointer to an ACL that contains the ACE to be retrieved.</param>
 		/// <param name="dwAceIndex">
-		/// The index of the ACE to be retrieved. A value of zero corresponds to the first ACE in the ACL, a value of one to the second ACE, and so on.
+		/// The index of the ACE to be retrieved. A value of zero corresponds to the first ACE in the ACL, a value of one to the second ACE,
+		/// and so on.
 		/// </param>
 		/// <param name="pAce">A pointer to a pointer that the function sets to the address of the ACE.</param>
 		/// <returns>
-		/// If the function succeeds, the function returns nonzero. If the function fails, it returns zero. To get extended error information, call GetLastError.
+		/// If the function succeeds, the function returns nonzero. If the function fails, it returns zero. To get extended error
+		/// information, call GetLastError.
 		/// </returns>
 		[DllImport(Lib.AdvApi32, ExactSpelling = true, SetLastError = true)]
 		[return: MarshalAs(UnmanagedType.Bool)]
@@ -256,26 +274,30 @@ namespace Vanara.PInvoke
 		/// A pointer to an ACL. The function retrieves information about this ACL. If a null value is passed, the function causes an access violation.
 		/// </param>
 		/// <param name="pAclInformation">
-		/// A pointer to a buffer to receive the requested information. The structure that is placed into the buffer depends on the information class requested
-		/// in the dwAclInformationClass parameter.
+		/// A pointer to a buffer to receive the requested information. The structure that is placed into the buffer depends on the
+		/// information class requested in the dwAclInformationClass parameter.
 		/// </param>
 		/// <param name="nAclInformationLength">The size, in bytes, of the buffer pointed to by the pAclInformation parameter.</param>
 		/// <param name="dwAclInformationClass">
-		/// A value of the ACL_INFORMATION_CLASS enumeration that indicates the class of information requested. This parameter can be one of two values from this enumeration:
+		/// A value of the ACL_INFORMATION_CLASS enumeration that indicates the class of information requested. This parameter can be one of
+		/// two values from this enumeration:
 		/// <list type="bullet">
 		/// <listItem>
 		/// <para>
-		/// If the value is AclRevisionInformation, the function fills the buffer pointed to by the pAclInformation parameter with an ACL_REVISION_INFORMATION structure.
+		/// If the value is AclRevisionInformation, the function fills the buffer pointed to by the pAclInformation parameter with an
+		/// ACL_REVISION_INFORMATION structure.
 		/// </para>
 		/// </listItem><listItem>
 		/// <para>
-		/// If the value is AclSizeInformation, the function fills the buffer pointed to by the pAclInformation parameter with an ACL_SIZE_INFORMATION structure.
+		/// If the value is AclSizeInformation, the function fills the buffer pointed to by the pAclInformation parameter with an
+		/// ACL_SIZE_INFORMATION structure.
 		/// </para>
 		/// </listItem>
 		/// </list>
 		/// </param>
 		/// <returns>
-		/// If the function succeeds, the function returns nonzero. If the function fails, it returns zero. To get extended error information, call GetLastError.
+		/// If the function succeeds, the function returns nonzero. If the function fails, it returns zero. To get extended error
+		/// information, call GetLastError.
 		/// </returns>
 		[DllImport(Lib.AdvApi32, ExactSpelling = true, SetLastError = true)]
 		[PInvokeData("Winbase.h", MSDNShortId = "aa446635")]
@@ -286,26 +308,30 @@ namespace Vanara.PInvoke
 		/// A pointer to an ACL. The function retrieves information about this ACL. If a null value is passed, the function causes an access violation.
 		/// </param>
 		/// <param name="pAclInformation">
-		/// A pointer to a buffer to receive the requested information. The structure that is placed into the buffer depends on the information class requested
-		/// in the dwAclInformationClass parameter.
+		/// A pointer to a buffer to receive the requested information. The structure that is placed into the buffer depends on the
+		/// information class requested in the dwAclInformationClass parameter.
 		/// </param>
 		/// <param name="nAclInformationLength">The size, in bytes, of the buffer pointed to by the pAclInformation parameter.</param>
 		/// <param name="dwAclInformationClass">
-		/// A value of the ACL_INFORMATION_CLASS enumeration that indicates the class of information requested. This parameter can be one of two values from this enumeration:
+		/// A value of the ACL_INFORMATION_CLASS enumeration that indicates the class of information requested. This parameter can be one of
+		/// two values from this enumeration:
 		/// <list type="bullet">
 		/// <listItem>
 		/// <para>
-		/// If the value is AclRevisionInformation, the function fills the buffer pointed to by the pAclInformation parameter with an ACL_REVISION_INFORMATION structure.
+		/// If the value is AclRevisionInformation, the function fills the buffer pointed to by the pAclInformation parameter with an
+		/// ACL_REVISION_INFORMATION structure.
 		/// </para>
 		/// </listItem><listItem>
 		/// <para>
-		/// If the value is AclSizeInformation, the function fills the buffer pointed to by the pAclInformation parameter with an ACL_SIZE_INFORMATION structure.
+		/// If the value is AclSizeInformation, the function fills the buffer pointed to by the pAclInformation parameter with an
+		/// ACL_SIZE_INFORMATION structure.
 		/// </para>
 		/// </listItem>
 		/// </list>
 		/// </param>
 		/// <returns>
-		/// If the function succeeds, the function returns nonzero. If the function fails, it returns zero. To get extended error information, call GetLastError.
+		/// If the function succeeds, the function returns nonzero. If the function fails, it returns zero. To get extended error
+		/// information, call GetLastError.
 		/// </returns>
 		[DllImport(Lib.AdvApi32, ExactSpelling = true, SetLastError = true)]
 		[PInvokeData("Winbase.h", MSDNShortId = "aa446635")]
@@ -314,21 +340,23 @@ namespace Vanara.PInvoke
 		/// <summary>The GetPrivateObjectSecurity function retrieves information from a private object's security descriptor.</summary>
 		/// <param name="ObjectDescriptor">A pointer to a SECURITY_DESCRIPTOR structure. This is the security descriptor to be queried.</param>
 		/// <param name="SecurityInformation">
-		/// A set of bit flags that indicate the parts of the security descriptor to retrieve. This parameter can be a combination of the SECURITY_INFORMATION
-		/// bit flags.
+		/// A set of bit flags that indicate the parts of the security descriptor to retrieve. This parameter can be a combination of the
+		/// SECURITY_INFORMATION bit flags.
 		/// </param>
 		/// <param name="ResultantDescriptor">
-		/// A pointer to a buffer that receives a copy of the requested information from the specified security descriptor. The SECURITY_DESCRIPTOR structure is
-		/// returned in self-relative format.
+		/// A pointer to a buffer that receives a copy of the requested information from the specified security descriptor. The
+		/// SECURITY_DESCRIPTOR structure is returned in self-relative format.
 		/// </param>
 		/// <param name="DescriptorLength">Specifies the size, in bytes, of the buffer pointed to by the ResultantDescriptor parameter.</param>
 		/// <param name="ReturnLength">
-		/// A pointer to a variable the function sets to zero if the descriptor is copied successfully. If the buffer is too small for the security descriptor,
-		/// this variable receives the number of bytes required. If this variable's value is greater than the value of the DescriptorLength parameter when the
-		/// function returns, the function returns FALSE and none of the security descriptor is copied to the buffer.
+		/// A pointer to a variable the function sets to zero if the descriptor is copied successfully. If the buffer is too small for the
+		/// security descriptor, this variable receives the number of bytes required. If this variable's value is greater than the value of
+		/// the DescriptorLength parameter when the function returns, the function returns FALSE and none of the security descriptor is
+		/// copied to the buffer.
 		/// </param>
 		/// <returns>
-		/// If the function succeeds, the return value is nonzero. If the function fails, the return value is zero. To get extended error information, call GetLastError.
+		/// If the function succeeds, the return value is nonzero. If the function fails, the return value is zero. To get extended error
+		/// information, call GetLastError.
 		/// </returns>
 		[DllImport(Lib.AdvApi32, ExactSpelling = true, SetLastError = true)]
 		[return: MarshalAs(UnmanagedType.Bool)]
@@ -336,33 +364,42 @@ namespace Vanara.PInvoke
 		public static extern bool GetPrivateObjectSecurity(IntPtr ObjectDescriptor, SECURITY_INFORMATION SecurityInformation,
 			IntPtr ResultantDescriptor, uint DescriptorLength, out uint ReturnLength);
 
-		/// <summary>The GetSecurityDescriptorDacl function retrieves a pointer to the discretionary access control list (DACL) in a specified security descriptor.</summary>
-		/// <param name="pSecurityDescriptor">A pointer to the SECURITY_DESCRIPTOR structure that contains the DACL. The function retrieves a pointer to it.</param>
+		/// <summary>
+		/// The GetSecurityDescriptorDacl function retrieves a pointer to the discretionary access control list (DACL) in a specified
+		/// security descriptor.
+		/// </summary>
+		/// <param name="pSecurityDescriptor">
+		/// A pointer to the SECURITY_DESCRIPTOR structure that contains the DACL. The function retrieves a pointer to it.
+		/// </param>
 		/// <param name="lpbDaclPresent">
-		/// A pointer to a value that indicates the presence of a DACL in the specified security descriptor. If lpbDaclPresent is TRUE, the security descriptor
-		/// contains a DACL, and the remaining output parameters in this function receive valid values. If lpbDaclPresent is FALSE, the security descriptor does
-		/// not contain a DACL, and the remaining output parameters do not receive valid values.
+		/// A pointer to a value that indicates the presence of a DACL in the specified security descriptor. If lpbDaclPresent is TRUE, the
+		/// security descriptor contains a DACL, and the remaining output parameters in this function receive valid values. If lpbDaclPresent
+		/// is FALSE, the security descriptor does not contain a DACL, and the remaining output parameters do not receive valid values.
 		/// <para>
-		/// A value of TRUE for lpbDaclPresent does not mean that pDacl is not NULL. That is, lpbDaclPresent can be TRUE while pDacl is NULL, meaning that a NULL
-		/// DACL is in effect. A NULL DACL implicitly allows all access to an object and is not the same as an empty DACL. An empty DACL permits no access to an
-		/// object. For information about creating a proper DACL, see Creating a DACL.
+		/// A value of TRUE for lpbDaclPresent does not mean that pDacl is not NULL. That is, lpbDaclPresent can be TRUE while pDacl is NULL,
+		/// meaning that a NULL DACL is in effect. A NULL DACL implicitly allows all access to an object and is not the same as an empty
+		/// DACL. An empty DACL permits no access to an object. For information about creating a proper DACL, see Creating a DACL.
 		/// </para>
 		/// </param>
 		/// <param name="pDacl">
-		/// A pointer to a pointer to an access control list (ACL). If a DACL exists, the function sets the pointer pointed to by pDacl to the address of the
-		/// security descriptor's DACL. If a DACL does not exist, no value is stored.
+		/// A pointer to a pointer to an access control list (ACL). If a DACL exists, the function sets the pointer pointed to by pDacl to
+		/// the address of the security descriptor's DACL. If a DACL does not exist, no value is stored.
 		/// <para>
-		/// If the function stores a NULL value in the pointer pointed to by pDacl, the security descriptor has a NULL DACL. A NULL DACL implicitly allows all
-		/// access to an object.
+		/// If the function stores a NULL value in the pointer pointed to by pDacl, the security descriptor has a NULL DACL. A NULL DACL
+		/// implicitly allows all access to an object.
+		/// </para>
+		/// <para>
+		/// If an application expects a non-NULL DACL but encounters a NULL DACL, the application should fail securely and not allow access.
 		/// </para>
-		/// <para>If an application expects a non-NULL DACL but encounters a NULL DACL, the application should fail securely and not allow access.</para>
 		/// </param>
 		/// <param name="lpbDaclDefaulted">
-		/// A pointer to a flag set to the value of the SE_DACL_DEFAULTED flag in the SECURITY_DESCRIPTOR_CONTROL structure if a DACL exists for the security
-		/// descriptor. If this flag is TRUE, the DACL was retrieved by a default mechanism; if FALSE, the DACL was explicitly specified by a user.
+		/// A pointer to a flag set to the value of the SE_DACL_DEFAULTED flag in the SECURITY_DESCRIPTOR_CONTROL structure if a DACL exists
+		/// for the security descriptor. If this flag is TRUE, the DACL was retrieved by a default mechanism; if FALSE, the DACL was
+		/// explicitly specified by a user.
 		/// </param>
 		/// <returns>
-		/// If the function succeeds, the return value is nonzero. If the function fails, the return value is zero. To get extended error information, call GetLastError.
+		/// If the function succeeds, the return value is nonzero. If the function fails, the return value is zero. To get extended error
+		/// information, call GetLastError.
 		/// </returns>
 		[DllImport(Lib.AdvApi32, ExactSpelling = true, SetLastError = true)]
 		[return: MarshalAs(UnmanagedType.Bool)]
@@ -372,10 +409,19 @@ namespace Vanara.PInvoke
 
 		/// <summary>The GetSecurityDescriptorOwner function retrieves the owner information from a security descriptor.</summary>
 		/// <param name="pSecurityDescriptor">A pointer to a SECURITY_DESCRIPTOR structure whose owner information the function retrieves.</param>
-		/// <param name="pOwner">A pointer to a pointer to a security identifier (SID) that identifies the owner when the function returns. If the security descriptor does not contain an owner, the function sets the pointer pointed to by pOwner to NULL and ignores the remaining output parameter, lpbOwnerDefaulted. If the security descriptor contains an owner, the function sets the pointer pointed to by pOwner to the address of the security descriptor's owner SID and provides a valid value for the variable pointed to by lpbOwnerDefaulted.</param>
-		/// <param name="lpbOwnerDefaulted">A pointer to a flag that is set to the value of the SE_OWNER_DEFAULTED flag in the SECURITY_DESCRIPTOR_CONTROL structure when the function returns. If the value stored in the variable pointed to by the pOwner parameter is NULL, no value is set.</param>
+		/// <param name="pOwner">
+		/// A pointer to a pointer to a security identifier (SID) that identifies the owner when the function returns. If the security
+		/// descriptor does not contain an owner, the function sets the pointer pointed to by pOwner to NULL and ignores the remaining output
+		/// parameter, lpbOwnerDefaulted. If the security descriptor contains an owner, the function sets the pointer pointed to by pOwner to
+		/// the address of the security descriptor's owner SID and provides a valid value for the variable pointed to by lpbOwnerDefaulted.
+		/// </param>
+		/// <param name="lpbOwnerDefaulted">
+		/// A pointer to a flag that is set to the value of the SE_OWNER_DEFAULTED flag in the SECURITY_DESCRIPTOR_CONTROL structure when the
+		/// function returns. If the value stored in the variable pointed to by the pOwner parameter is NULL, no value is set.
+		/// </param>
 		/// <returns>
-		/// If the function succeeds, the return value is nonzero. If the function fails, the return value is zero. To get extended error information, call GetLastError.
+		/// If the function succeeds, the return value is nonzero. If the function fails, the return value is zero. To get extended error
+		/// information, call GetLastError.
 		/// </returns>
 		[DllImport(Lib.AdvApi32, ExactSpelling = true, SetLastError = true)]
 		[return: MarshalAs(UnmanagedType.Bool)]
@@ -384,35 +430,39 @@ namespace Vanara.PInvoke
 			out IntPtr pOwner, [MarshalAs(UnmanagedType.Bool)] out bool lpbOwnerDefaulted);
 
 		/// <summary>
-		/// The GetTokenInformation function retrieves a specified type of information about an access token. The calling process must have appropriate access
-		/// rights to obtain the information.
+		/// The GetTokenInformation function retrieves a specified type of information about an access token. The calling process must have
+		/// appropriate access rights to obtain the information.
 		/// </summary>
 		/// <param name="hObject">
-		/// A handle to an access token from which information is retrieved. If TokenInformationClass specifies TokenSource, the handle must have
-		/// TOKEN_QUERY_SOURCE access. For all other TokenInformationClass values, the handle must have TOKEN_QUERY access.
+		/// A handle to an access token from which information is retrieved. If TokenInformationClass specifies TokenSource, the handle must
+		/// have TOKEN_QUERY_SOURCE access. For all other TokenInformationClass values, the handle must have TOKEN_QUERY access.
 		/// </param>
 		/// <param name="tokenInfoClass">
-		/// Specifies a value from the TOKEN_INFORMATION_CLASS enumerated type to identify the type of information the function retrieves. Any callers who check
-		/// the TokenIsAppContainer and have it return 0 should also verify that the caller token is not an identify level impersonation token. If the current
-		/// token is not an application container but is an identity level token, you should return AccessDenied.
+		/// Specifies a value from the TOKEN_INFORMATION_CLASS enumerated type to identify the type of information the function retrieves.
+		/// Any callers who check the TokenIsAppContainer and have it return 0 should also verify that the caller token is not an identify
+		/// level impersonation token. If the current token is not an application container but is an identity level token, you should return AccessDenied.
 		/// </param>
 		/// <param name="pTokenInfo">
-		/// A pointer to a buffer the function fills with the requested information. The structure put into this buffer depends upon the type of information
-		/// specified by the TokenInformationClass parameter.
+		/// A pointer to a buffer the function fills with the requested information. The structure put into this buffer depends upon the type
+		/// of information specified by the TokenInformationClass parameter.
 		/// </param>
 		/// <param name="tokenInfoLength">
-		/// Specifies the size, in bytes, of the buffer pointed to by the TokenInformation parameter. If TokenInformation is NULL, this parameter must be zero.
+		/// Specifies the size, in bytes, of the buffer pointed to by the TokenInformation parameter. If TokenInformation is NULL, this
+		/// parameter must be zero.
 		/// </param>
 		/// <param name="returnLength">
-		/// A pointer to a variable that receives the number of bytes needed for the buffer pointed to by the TokenInformation parameter. If this value is larger
-		/// than the value specified in the TokenInformationLength parameter, the function fails and stores no data in the buffer.
+		/// A pointer to a variable that receives the number of bytes needed for the buffer pointed to by the TokenInformation parameter. If
+		/// this value is larger than the value specified in the TokenInformationLength parameter, the function fails and stores no data in
+		/// the buffer.
 		/// <para>
-		/// If the value of the TokenInformationClass parameter is TokenDefaultDacl and the token has no default DACL, the function sets the variable pointed to
-		/// by ReturnLength to sizeof(TOKEN_DEFAULT_DACL) and sets the DefaultDacl member of the TOKEN_DEFAULT_DACL structure to NULL.
+		/// If the value of the TokenInformationClass parameter is TokenDefaultDacl and the token has no default DACL, the function sets the
+		/// variable pointed to by ReturnLength to sizeof(TOKEN_DEFAULT_DACL) and sets the DefaultDacl member of the TOKEN_DEFAULT_DACL
+		/// structure to NULL.
 		/// </para>
 		/// </param>
 		/// <returns>
-		/// If the function succeeds, the return value is nonzero. If the function fails, the return value is zero. To get extended error information, call GetLastError.
+		/// If the function succeeds, the return value is nonzero. If the function fails, the return value is zero. To get extended error
+		/// information, call GetLastError.
 		/// </returns>
 		[DllImport(Lib.AdvApi32, SetLastError = true, ExactSpelling = true)]
 		[return: MarshalAs(UnmanagedType.Bool)]
@@ -425,32 +475,32 @@ namespace Vanara.PInvoke
 		/// <para>If the function succeeds, the return value is nonzero.</para>
 		/// <para>If the function fails, the return value is zero. To get extended error information, call <c>GetLastError</c>.</para>
 		/// </returns>
-		// BOOL WINAPI ImpersonateNamedPipeClient( _In_ HANDLE hNamedPipe);
-		// https://msdn.microsoft.com/en-us/library/windows/desktop/aa378618(v=vs.85).aspx
+		// BOOL WINAPI ImpersonateNamedPipeClient( _In_ HANDLE hNamedPipe); https://msdn.microsoft.com/en-us/library/windows/desktop/aa378618(v=vs.85).aspx
 		[DllImport(Lib.AdvApi32, SetLastError = true, ExactSpelling = true)]
 		[PInvokeData("Winbase.h", MSDNShortId = "aa378618")]
 		[return: MarshalAs(UnmanagedType.Bool)]
 		public static extern bool ImpersonateNamedPipeClient(IntPtr hNamedPipe);
 
 		/// <summary>
-		/// The LogonUser function attempts to log a user on to the local computer. The local computer is the computer from which LogonUser was called. You
-		/// cannot use LogonUser to log on to a remote computer. You specify the user with a user name and domain and authenticate the user with a plain-text
-		/// password. If the function succeeds, you receive a handle to a token that represents the logged-on user. You can then use this token handle to
-		/// impersonate the specified user or, in most cases, to create a process that runs in the context of the specified user.
+		/// The LogonUser function attempts to log a user on to the local computer. The local computer is the computer from which LogonUser
+		/// was called. You cannot use LogonUser to log on to a remote computer. You specify the user with a user name and domain and
+		/// authenticate the user with a plain-text password. If the function succeeds, you receive a handle to a token that represents the
+		/// logged-on user. You can then use this token handle to impersonate the specified user or, in most cases, to create a process that
+		/// runs in the context of the specified user.
 		/// </summary>
 		/// <param name="lpszUserName">
-		/// A pointer to a null-terminated string that specifies the name of the user. This is the name of the user account to log on to. If you use the user
-		/// principal name (UPN) format, User@DNSDomainName, the lpszDomain parameter must be NULL.
+		/// A pointer to a null-terminated string that specifies the name of the user. This is the name of the user account to log on to. If
+		/// you use the user principal name (UPN) format, User@DNSDomainName, the lpszDomain parameter must be NULL.
 		/// </param>
 		/// <param name="lpszDomain">
-		/// A pointer to a null-terminated string that specifies the name of the domain or server whose account database contains the lpszUsername account. If
-		/// this parameter is NULL, the user name must be specified in UPN format. If this parameter is ".", the function validates the account by using only the
-		/// local account database.
+		/// A pointer to a null-terminated string that specifies the name of the domain or server whose account database contains the
+		/// lpszUsername account. If this parameter is NULL, the user name must be specified in UPN format. If this parameter is ".", the
+		/// function validates the account by using only the local account database.
 		/// </param>
 		/// <param name="lpszPassword">
-		/// A pointer to a null-terminated string that specifies the plain-text password for the user account specified by lpszUsername. When you have finished
-		/// using the password, clear the password from memory by calling the SecureZeroMemory function. For more information about protecting passwords, see
-		/// Handling Passwords.
+		/// A pointer to a null-terminated string that specifies the plain-text password for the user account specified by lpszUsername. When
+		/// you have finished using the password, clear the password from memory by calling the SecureZeroMemory function. For more
+		/// information about protecting passwords, see Handling Passwords.
 		/// </param>
 		/// <param name="dwLogonType">The type of logon operation to perform.</param>
 		/// <param name="dwLogonProvider">Specifies the logon provider.</param>
@@ -458,14 +508,15 @@ namespace Vanara.PInvoke
 		/// A pointer to a handle variable that receives a handle to a token that represents the specified user.
 		/// <para>You can use the returned handle in calls to the ImpersonateLoggedOnUser function.</para>
 		/// <para>
-		/// In most cases, the returned handle is a primary token that you can use in calls to the CreateProcessAsUser function. However, if you specify the
-		/// LOGON32_LOGON_NETWORK flag, LogonUser returns an impersonation token that you cannot use in CreateProcessAsUser unless you call DuplicateTokenEx to
-		/// convert it to a primary token.
+		/// In most cases, the returned handle is a primary token that you can use in calls to the CreateProcessAsUser function. However, if
+		/// you specify the LOGON32_LOGON_NETWORK flag, LogonUser returns an impersonation token that you cannot use in CreateProcessAsUser
+		/// unless you call DuplicateTokenEx to convert it to a primary token.
 		/// </para>
 		/// <para>When you no longer need this handle, close it by calling the CloseHandle function.</para>
 		/// </param>
 		/// <returns>
-		/// If the function succeeds, the return value is nonzero. If the function fails, the return value is zero. To get extended error information, call GetLastError.
+		/// If the function succeeds, the return value is nonzero. If the function fails, the return value is zero. To get extended error
+		/// information, call GetLastError.
 		/// </returns>
 		[DllImport(Lib.AdvApi32, SetLastError = true, CharSet = CharSet.Auto, BestFitMapping = false, ThrowOnUnmappableChar = true)]
 		[return: MarshalAs(UnmanagedType.Bool)]
@@ -474,24 +525,25 @@ namespace Vanara.PInvoke
 			out SafeTokenHandle phObject);
 
 		/// <summary>
-		/// The LogonUserEx function attempts to log a user on to the local computer. The local computer is the computer from which LogonUserEx was called. You
-		/// cannot use LogonUserEx to log on to a remote computer. You specify the user with a user name and domain and authenticate the user with a plaintext
-		/// password. If the function succeeds, you receive a handle to a token that represents the logged-on user. You can then use this token handle to
-		/// impersonate the specified user or, in most cases, to create a process that runs in the context of the specified user.
+		/// The LogonUserEx function attempts to log a user on to the local computer. The local computer is the computer from which
+		/// LogonUserEx was called. You cannot use LogonUserEx to log on to a remote computer. You specify the user with a user name and
+		/// domain and authenticate the user with a plaintext password. If the function succeeds, you receive a handle to a token that
+		/// represents the logged-on user. You can then use this token handle to impersonate the specified user or, in most cases, to create
+		/// a process that runs in the context of the specified user.
 		/// </summary>
 		/// <param name="lpszUserName">
-		/// A pointer to a null-terminated string that specifies the name of the user. This is the name of the user account to log on to. If you use the user
-		/// principal name (UPN) format, user@DNS_domain_name, the lpszDomain parameter must be NULL.
+		/// A pointer to a null-terminated string that specifies the name of the user. This is the name of the user account to log on to. If
+		/// you use the user principal name (UPN) format, user@DNS_domain_name, the lpszDomain parameter must be NULL.
 		/// </param>
 		/// <param name="lpszDomain">
-		/// A pointer to a null-terminated string that specifies the name of the domain or server whose account database contains the lpszUsername account. If
-		/// this parameter is NULL, the user name must be specified in UPN format. If this parameter is ".", the function validates the account by using only the
-		/// local account database.
+		/// A pointer to a null-terminated string that specifies the name of the domain or server whose account database contains the
+		/// lpszUsername account. If this parameter is NULL, the user name must be specified in UPN format. If this parameter is ".", the
+		/// function validates the account by using only the local account database.
 		/// </param>
 		/// <param name="lpszPassword">
-		/// A pointer to a null-terminated string that specifies the plaintext password for the user account specified by lpszUsername. When you have finished
-		/// using the password, clear the password from memory by calling the SecureZeroMemory function. For more information about protecting passwords, see
-		/// Handling Passwords.
+		/// A pointer to a null-terminated string that specifies the plaintext password for the user account specified by lpszUsername. When
+		/// you have finished using the password, clear the password from memory by calling the SecureZeroMemory function. For more
+		/// information about protecting passwords, see Handling Passwords.
 		/// </param>
 		/// <param name="dwLogonType">The type of logon operation to perform.</param>
 		/// <param name="dwLogonProvider">The logon provider.</param>
@@ -499,9 +551,9 @@ namespace Vanara.PInvoke
 		/// A pointer to a handle variable that receives a handle to a token that represents the specified user.
 		/// <para>You can use the returned handle in calls to the ImpersonateLoggedOnUser function.</para>
 		/// <para>
-		/// In most cases, the returned handle is a primary token that you can use in calls to the CreateProcessAsUser function. However, if you specify the
-		/// LOGON32_LOGON_NETWORK flag, LogonUser returns an impersonation token that you cannot use in CreateProcessAsUser unless you call DuplicateTokenEx to
-		/// convert it to a primary token.
+		/// In most cases, the returned handle is a primary token that you can use in calls to the CreateProcessAsUser function. However, if
+		/// you specify the LOGON32_LOGON_NETWORK flag, LogonUser returns an impersonation token that you cannot use in CreateProcessAsUser
+		/// unless you call DuplicateTokenEx to convert it to a primary token.
 		/// </para>
 		/// <para>When you no longer need this handle, close it by calling the CloseHandle function.</para>
 		/// </param>
@@ -509,11 +561,16 @@ namespace Vanara.PInvoke
 		/// A pointer to a pointer to a security identifier (SID) that receives the SID of the user logged on.
 		/// <para>When you have finished using the SID, free it by calling the LocalFree function.</para>
 		/// </param>
-		/// <param name="ppProfileBuffer">A pointer to a pointer that receives the address of a buffer that contains the logged on user's profile.</param>
+		/// <param name="ppProfileBuffer">
+		/// A pointer to a pointer that receives the address of a buffer that contains the logged on user's profile.
+		/// </param>
 		/// <param name="pdwProfileLength">A pointer to a DWORD that receives the length of the profile buffer.</param>
-		/// <param name="pQuotaLimits">A pointer to a QUOTA_LIMITS structure that receives information about the quotas for the logged on user.</param>
+		/// <param name="pQuotaLimits">
+		/// A pointer to a QUOTA_LIMITS structure that receives information about the quotas for the logged on user.
+		/// </param>
 		/// <returns>
-		/// If the function succeeds, the function returns nonzero. If the function fails, it returns zero. To get extended error information, call GetLastError.
+		/// If the function succeeds, the function returns nonzero. If the function fails, it returns zero. To get extended error
+		/// information, call GetLastError.
 		/// </returns>
 		[DllImport(Lib.AdvApi32, SetLastError = true, CharSet = CharSet.Auto, BestFitMapping = false, ThrowOnUnmappableChar = true)]
 		[return: MarshalAs(UnmanagedType.Bool)]
@@ -522,39 +579,43 @@ namespace Vanara.PInvoke
 			out SafeTokenHandle phObject, out PSID ppLogonSid, out SafeLsaReturnBufferHandle ppProfileBuffer, out uint pdwProfileLength, out QUOTA_LIMITS pQuotaLimits);
 
 		/// <summary>
-		/// The LookupAccountName function accepts the name of a system and an account as input. It retrieves a security identifier (SID) for the account and the
-		/// name of the domain on which the account was found.
+		/// The LookupAccountName function accepts the name of a system and an account as input. It retrieves a security identifier (SID) for
+		/// the account and the name of the domain on which the account was found.
 		/// </summary>
 		/// <param name="lpSystemName">
-		/// A pointer to a null-terminated character string that specifies the name of the system. This string can be the name of a remote computer. If this
-		/// string is NULL, the account name translation begins on the local system. If the name cannot be resolved on the local system, this function will try
-		/// to resolve the name using domain controllers trusted by the local system. Generally, specify a value for lpSystemName only when the account is in an
-		/// untrusted domain and the name of a computer in that domain is known.
+		/// A pointer to a null-terminated character string that specifies the name of the system. This string can be the name of a remote
+		/// computer. If this string is NULL, the account name translation begins on the local system. If the name cannot be resolved on the
+		/// local system, this function will try to resolve the name using domain controllers trusted by the local system. Generally, specify
+		/// a value for lpSystemName only when the account is in an untrusted domain and the name of a computer in that domain is known.
 		/// </param>
 		/// <param name="lpAccountName">
 		/// A pointer to a null-terminated string that specifies the account name.
-		/// <para>Use a fully qualified string in the domain_name\user_name format to ensure that LookupAccountName finds the account in the desired domain.</para>
+		/// <para>
+		/// Use a fully qualified string in the domain_name\user_name format to ensure that LookupAccountName finds the account in the
+		/// desired domain.
+		/// </para>
 		/// </param>
 		/// <param name="Sid">
-		/// A pointer to a buffer that receives the SID structure that corresponds to the account name pointed to by the lpAccountName parameter. If this
-		/// parameter is NULL, cbSid must be zero.
+		/// A pointer to a buffer that receives the SID structure that corresponds to the account name pointed to by the lpAccountName
+		/// parameter. If this parameter is NULL, cbSid must be zero.
 		/// </param>
 		/// <param name="cbSid">
-		/// A pointer to a variable. On input, this value specifies the size, in bytes, of the Sid buffer. If the function fails because the buffer is too small
-		/// or if cbSid is zero, this variable receives the required buffer size.
+		/// A pointer to a variable. On input, this value specifies the size, in bytes, of the Sid buffer. If the function fails because the
+		/// buffer is too small or if cbSid is zero, this variable receives the required buffer size.
 		/// </param>
 		/// <param name="ReferencedDomainName">
-		/// A pointer to a buffer that receives the name of the domain where the account name is found. For computers that are not joined to a domain, this
-		/// buffer receives the computer name. If this parameter is NULL, the function returns the required buffer size.
+		/// A pointer to a buffer that receives the name of the domain where the account name is found. For computers that are not joined to
+		/// a domain, this buffer receives the computer name. If this parameter is NULL, the function returns the required buffer size.
 		/// </param>
 		/// <param name="cchReferencedDomainName">
-		/// A pointer to a variable. On input, this value specifies the size, in TCHARs, of the ReferencedDomainName buffer. If the function fails because the
-		/// buffer is too small, this variable receives the required buffer size, including the terminating null character. If the ReferencedDomainName parameter
-		/// is NULL, this parameter must be zero.
+		/// A pointer to a variable. On input, this value specifies the size, in TCHARs, of the ReferencedDomainName buffer. If the function
+		/// fails because the buffer is too small, this variable receives the required buffer size, including the terminating null character.
+		/// If the ReferencedDomainName parameter is NULL, this parameter must be zero.
 		/// </param>
 		/// <param name="peUse">A pointer to a SID_NAME_USE enumerated type that indicates the type of the account when the function returns.</param>
 		/// <returns>
-		/// If the function succeeds, the function returns nonzero. If the function fails, it returns zero. For extended error information, call GetLastError.
+		/// If the function succeeds, the function returns nonzero. If the function fails, it returns zero. For extended error information,
+		/// call GetLastError.
 		/// </returns>
 		[DllImport(Lib.AdvApi32, CharSet = CharSet.Auto, SetLastError = true)]
 		[return: MarshalAs(UnmanagedType.Bool)]
@@ -563,27 +624,31 @@ namespace Vanara.PInvoke
 			StringBuilder ReferencedDomainName, ref int cchReferencedDomainName, ref SID_NAME_USE peUse);
 
 		/// <summary>
-		/// The LookupAccountName function accepts the name of a system and an account as input. It retrieves a security identifier (SID) for the account and the
-		/// name of the domain on which the account was found.
+		/// The LookupAccountName function accepts the name of a system and an account as input. It retrieves a security identifier (SID) for
+		/// the account and the name of the domain on which the account was found.
 		/// </summary>
 		/// <param name="systemName">
-		/// A string that specifies the name of the system. This string can be the name of a remote computer. If this string is NULL, the account name
-		/// translation begins on the local system. If the name cannot be resolved on the local system, this function will try to resolve the name using domain
-		/// controllers trusted by the local system. Generally, specify a value for lpSystemName only when the account is in an untrusted domain and the name of
-		/// a computer in that domain is known.
+		/// A string that specifies the name of the system. This string can be the name of a remote computer. If this string is NULL, the
+		/// account name translation begins on the local system. If the name cannot be resolved on the local system, this function will try
+		/// to resolve the name using domain controllers trusted by the local system. Generally, specify a value for lpSystemName only when
+		/// the account is in an untrusted domain and the name of a computer in that domain is known.
 		/// </param>
 		/// <param name="accountName">
 		/// A string that specifies the account name.
-		/// <para>Use a fully qualified string in the domain_name\user_name format to ensure that LookupAccountName finds the account in the desired domain.</para>
+		/// <para>
+		/// Use a fully qualified string in the domain_name\user_name format to ensure that LookupAccountName finds the account in the
+		/// desired domain.
+		/// </para>
 		/// </param>
 		/// <param name="sid">A PSID class that corresponds to the account name pointed to by the lpAccountName parameter.</param>
 		/// <param name="domainName">
-		/// A string that receives the name of the domain where the account name is found. For computers that are not joined to a domain, this buffer receives
-		/// the computer name.
+		/// A string that receives the name of the domain where the account name is found. For computers that are not joined to a domain,
+		/// this buffer receives the computer name.
 		/// </param>
 		/// <param name="snu">A SID_NAME_USE enumerated type that indicates the type of the account when the function returns.</param>
 		/// <returns>
-		/// If the function succeeds, the function returns nonzero. If the function fails, it returns zero. For extended error information, call GetLastError.
+		/// If the function succeeds, the function returns nonzero. If the function fails, it returns zero. For extended error information,
+		/// call GetLastError.
 		/// </returns>
 		[PInvokeData("Winbase.h", MSDNShortId = "aa379159")]
 		public static bool LookupAccountName(string systemName, string accountName, out PSID sid, out string domainName, out SID_NAME_USE snu)
@@ -600,43 +665,45 @@ namespace Vanara.PInvoke
 		}
 
 		/// <summary>
-		/// The LookupAccountSid function accepts a security identifier (SID) as input. It retrieves the name of the account for this SID and the name of the
-		/// first domain on which this SID is found.
+		/// The LookupAccountSid function accepts a security identifier (SID) as input. It retrieves the name of the account for this SID and
+		/// the name of the first domain on which this SID is found.
 		/// </summary>
 		/// <param name="lpSystemName">
-		/// A pointer to a null-terminated character string that specifies the target computer. This string can be the name of a remote computer. If this
-		/// parameter is NULL, the account name translation begins on the local system. If the name cannot be resolved on the local system, this function will
-		/// try to resolve the name using domain controllers trusted by the local system. Generally, specify a value for lpSystemName only when the account is in
-		/// an untrusted domain and the name of a computer in that domain is known.
+		/// A pointer to a null-terminated character string that specifies the target computer. This string can be the name of a remote
+		/// computer. If this parameter is NULL, the account name translation begins on the local system. If the name cannot be resolved on
+		/// the local system, this function will try to resolve the name using domain controllers trusted by the local system. Generally,
+		/// specify a value for lpSystemName only when the account is in an untrusted domain and the name of a computer in that domain is known.
 		/// </param>
 		/// <param name="lpSid">A pointer to the SID to look up.</param>
 		/// <param name="lpName">
 		/// A pointer to a buffer that receives a null-terminated string that contains the account name that corresponds to the lpSid parameter.
 		/// </param>
 		/// <param name="cchName">
-		/// On input, specifies the size, in TCHARs, of the lpName buffer. If the function fails because the buffer is too small or if cchName is zero, cchName
-		/// receives the required buffer size, including the terminating null character.
+		/// On input, specifies the size, in TCHARs, of the lpName buffer. If the function fails because the buffer is too small or if
+		/// cchName is zero, cchName receives the required buffer size, including the terminating null character.
 		/// </param>
 		/// <param name="lpReferencedDomainName">
 		/// A pointer to a buffer that receives a null-terminated string that contains the name of the domain where the account name was found.
 		/// <para>
-		/// On a server, the domain name returned for most accounts in the security database of the local computer is the name of the domain for which the server
-		/// is a domain controller.
+		/// On a server, the domain name returned for most accounts in the security database of the local computer is the name of the domain
+		/// for which the server is a domain controller.
 		/// </para>
 		/// <para>
-		/// On a workstation, the domain name returned for most accounts in the security database of the local computer is the name of the computer as of the
-		/// last start of the system (backslashes are excluded). If the name of the computer changes, the old name continues to be returned as the domain name
-		/// until the system is restarted.
+		/// On a workstation, the domain name returned for most accounts in the security database of the local computer is the name of the
+		/// computer as of the last start of the system (backslashes are excluded). If the name of the computer changes, the old name
+		/// continues to be returned as the domain name until the system is restarted.
 		/// </para>
 		/// <para>Some accounts are predefined by the system. The domain name returned for these accounts is BUILTIN.</para>
 		/// </param>
 		/// <param name="cchReferencedDomainName">
-		/// On input, specifies the size, in TCHARs, of the lpReferencedDomainName buffer. If the function fails because the buffer is too small or if
-		/// cchReferencedDomainName is zero, cchReferencedDomainName receives the required buffer size, including the terminating null character.
+		/// On input, specifies the size, in TCHARs, of the lpReferencedDomainName buffer. If the function fails because the buffer is too
+		/// small or if cchReferencedDomainName is zero, cchReferencedDomainName receives the required buffer size, including the terminating
+		/// null character.
 		/// </param>
 		/// <param name="peUse">A pointer to a variable that receives a SID_NAME_USE value that indicates the type of the account.</param>
 		/// <returns>
-		/// If the function succeeds, the function returns nonzero. If the function fails, it returns zero. To get extended error information, call GetLastError.
+		/// If the function succeeds, the function returns nonzero. If the function fails, it returns zero. To get extended error
+		/// information, call GetLastError.
 		/// </returns>
 		[DllImport(Lib.AdvApi32, CharSet = CharSet.Auto, SetLastError = true, BestFitMapping = false, ThrowOnUnmappableChar = true)]
 		[return: MarshalAs(UnmanagedType.Bool)]
@@ -645,43 +712,45 @@ namespace Vanara.PInvoke
 			StringBuilder lpReferencedDomainName, ref int cchReferencedDomainName, out SID_NAME_USE peUse);
 
 		/// <summary>
-		/// The LookupAccountSid function accepts a security identifier (SID) as input. It retrieves the name of the account for this SID and the name of the
-		/// first domain on which this SID is found.
+		/// The LookupAccountSid function accepts a security identifier (SID) as input. It retrieves the name of the account for this SID and
+		/// the name of the first domain on which this SID is found.
 		/// </summary>
 		/// <param name="lpSystemName">
-		/// A pointer to a null-terminated character string that specifies the target computer. This string can be the name of a remote computer. If this
-		/// parameter is NULL, the account name translation begins on the local system. If the name cannot be resolved on the local system, this function will
-		/// try to resolve the name using domain controllers trusted by the local system. Generally, specify a value for lpSystemName only when the account is in
-		/// an untrusted domain and the name of a computer in that domain is known.
+		/// A pointer to a null-terminated character string that specifies the target computer. This string can be the name of a remote
+		/// computer. If this parameter is NULL, the account name translation begins on the local system. If the name cannot be resolved on
+		/// the local system, this function will try to resolve the name using domain controllers trusted by the local system. Generally,
+		/// specify a value for lpSystemName only when the account is in an untrusted domain and the name of a computer in that domain is known.
 		/// </param>
 		/// <param name="lpSid">A pointer to the SID to look up.</param>
 		/// <param name="lpName">
 		/// A pointer to a buffer that receives a null-terminated string that contains the account name that corresponds to the lpSid parameter.
 		/// </param>
 		/// <param name="cchName">
-		/// On input, specifies the size, in TCHARs, of the lpName buffer. If the function fails because the buffer is too small or if cchName is zero, cchName
-		/// receives the required buffer size, including the terminating null character.
+		/// On input, specifies the size, in TCHARs, of the lpName buffer. If the function fails because the buffer is too small or if
+		/// cchName is zero, cchName receives the required buffer size, including the terminating null character.
 		/// </param>
 		/// <param name="lpReferencedDomainName">
 		/// A pointer to a buffer that receives a null-terminated string that contains the name of the domain where the account name was found.
 		/// <para>
-		/// On a server, the domain name returned for most accounts in the security database of the local computer is the name of the domain for which the server
-		/// is a domain controller.
+		/// On a server, the domain name returned for most accounts in the security database of the local computer is the name of the domain
+		/// for which the server is a domain controller.
 		/// </para>
 		/// <para>
-		/// On a workstation, the domain name returned for most accounts in the security database of the local computer is the name of the computer as of the
-		/// last start of the system (backslashes are excluded). If the name of the computer changes, the old name continues to be returned as the domain name
-		/// until the system is restarted.
+		/// On a workstation, the domain name returned for most accounts in the security database of the local computer is the name of the
+		/// computer as of the last start of the system (backslashes are excluded). If the name of the computer changes, the old name
+		/// continues to be returned as the domain name until the system is restarted.
 		/// </para>
 		/// <para>Some accounts are predefined by the system. The domain name returned for these accounts is BUILTIN.</para>
 		/// </param>
 		/// <param name="cchReferencedDomainName">
-		/// On input, specifies the size, in TCHARs, of the lpReferencedDomainName buffer. If the function fails because the buffer is too small or if
-		/// cchReferencedDomainName is zero, cchReferencedDomainName receives the required buffer size, including the terminating null character.
+		/// On input, specifies the size, in TCHARs, of the lpReferencedDomainName buffer. If the function fails because the buffer is too
+		/// small or if cchReferencedDomainName is zero, cchReferencedDomainName receives the required buffer size, including the terminating
+		/// null character.
 		/// </param>
 		/// <param name="peUse">A pointer to a variable that receives a SID_NAME_USE value that indicates the type of the account.</param>
 		/// <returns>
-		/// If the function succeeds, the function returns nonzero. If the function fails, it returns zero. To get extended error information, call GetLastError.
+		/// If the function succeeds, the function returns nonzero. If the function fails, it returns zero. To get extended error
+		/// information, call GetLastError.
 		/// </returns>
 		[DllImport(Lib.AdvApi32, CharSet = CharSet.Auto, SetLastError = true, BestFitMapping = false, ThrowOnUnmappableChar = true)]
 		[return: MarshalAs(UnmanagedType.Bool)]
@@ -690,126 +759,189 @@ namespace Vanara.PInvoke
 			StringBuilder lpReferencedDomainName, ref int cchReferencedDomainName, out SID_NAME_USE peUse);
 
 		/// <summary>
-		/// The LookupPrivilegeName function retrieves the name that corresponds to the privilege represented on a specific system by a specified locally unique
-		/// identifier (LUID).
+		/// <para>
+		/// The <c>LookupPrivilegeName</c> function retrieves the name that corresponds to the privilege represented on a specific system by
+		/// a specified locally unique identifier (LUID).
+		/// </para>
 		/// </summary>
 		/// <param name="lpSystemName">
-		/// A pointer to a null-terminated string that specifies the name of the system on which the privilege name is retrieved. If a null string is specified,
-		/// the function attempts to find the privilege name on the local system.
+		/// <para>
+		/// A pointer to a null-terminated string that specifies the name of the system on which the privilege name is retrieved. If a null
+		/// string is specified, the function attempts to find the privilege name on the local system.
+		/// </para>
+		/// </param>
+		/// <param name="lpLuid">
+		/// <para>A pointer to the LUID by which the privilege is known on the target system.</para>
 		/// </param>
-		/// <param name="lpLuid">A pointer to the LUID by which the privilege is known on the target system.</param>
 		/// <param name="lpName">
-		/// A pointer to a buffer that receives a null-terminated string that represents the privilege name. For example, this string could be "SeSecurityPrivilege".
+		/// <para>
+		/// A pointer to a buffer that receives a null-terminated string that represents the privilege name. For example, this string could
+		/// be "SeSecurityPrivilege".
+		/// </para>
 		/// </param>
 		/// <param name="cchName">
-		/// A pointer to a variable that specifies the size, in a TCHAR value, of the lpName buffer. When the function returns, this parameter contains the
-		/// length of the privilege name, not including the terminating null character. If the buffer pointed to by the lpName parameter is too small, this
-		/// variable contains the required size.
+		/// <para>
+		/// A pointer to a variable that specifies the size, in a <c>TCHAR</c> value, of the lpName buffer. When the function returns, this
+		/// parameter contains the length of the privilege name, not including the terminating null character. If the buffer pointed to by
+		/// the lpName parameter is too small, this variable contains the required size.
+		/// </para>
 		/// </param>
 		/// <returns>
-		/// If the function succeeds, the function returns nonzero. If the function fails, it returns zero.To get extended error information, call GetLastError.
+		/// <para>If the function succeeds, the function returns nonzero.</para>
+		/// <para>If the function fails, it returns zero. To get extended error information, call GetLastError.</para>
 		/// </returns>
+		/// <remarks>
+		/// <para>
+		/// The <c>LookupPrivilegeName</c> function supports only the privileges specified in the Defined Privileges section of Winnt.h. For
+		/// a list of values, see Privilege Constants.
+		/// </para>
+		/// </remarks>
+		// https://docs.microsoft.com/en-us/windows/desktop/api/winbase/nf-winbase-lookupprivilegenamea BOOL LookupPrivilegeNameA( LPCSTR
+		// lpSystemName, PLUID lpLuid, LPSTR lpName, LPDWORD cchName );
 		[DllImport(Lib.AdvApi32, CharSet = CharSet.Auto, SetLastError = true, BestFitMapping = false, ThrowOnUnmappableChar = true)]
+		[PInvokeData("winbase.h", MSDNShortId = "580fb58f-1470-4389-9f07-8f37403e2bdf")]
+		// [return: MarshalAs(UnmanagedType.Bool)] public static extern bool LookupPrivilegeName( string lpSystemName, PLUID lpLuid,
+		// StringBuilder lpName, ref uint cchName);
 		[return: MarshalAs(UnmanagedType.Bool)]
 		public static extern bool LookupPrivilegeName(string lpSystemName, ref LUID lpLuid, StringBuilder lpName, ref int cchName);
 
 		/// <summary>
-		/// The LookupPrivilegeValue function retrieves the locally unique identifier (LUID) used on a specified system to locally represent the specified
-		/// privilege name.
+		/// <para>
+		/// The <c>LookupPrivilegeValue</c> function retrieves the locally unique identifier (LUID) used on a specified system to locally
+		/// represent the specified privilege name.
+		/// </para>
 		/// </summary>
 		/// <param name="lpSystemName">
-		/// A pointer to a null-terminated string that specifies the name of the system on which the privilege name is retrieved. If a null string is specified,
-		/// the function attempts to find the privilege name on the local system.
+		/// <para>
+		/// A pointer to a null-terminated string that specifies the name of the system on which the privilege name is retrieved. If a null
+		/// string is specified, the function attempts to find the privilege name on the local system.
+		/// </para>
 		/// </param>
 		/// <param name="lpName">
-		/// A pointer to a null-terminated string that specifies the name of the privilege, as defined in the Winnt.h header file. For example, this parameter
-		/// could specify the constant, SE_SECURITY_NAME, or its corresponding string, "SeSecurityPrivilege".
+		/// <para>
+		/// A pointer to a null-terminated string that specifies the name of the privilege, as defined in the Winnt.h header file. For
+		/// example, this parameter could specify the constant, SE_SECURITY_NAME, or its corresponding string, "SeSecurityPrivilege".
+		/// </para>
 		/// </param>
 		/// <param name="lpLuid">
+		/// <para>
 		/// A pointer to a variable that receives the LUID by which the privilege is known on the system specified by the lpSystemName parameter.
+		/// </para>
 		/// </param>
 		/// <returns>
-		/// If the function succeeds, the function returns nonzero. If the function fails, it returns zero. To get extended error information, call GetLastError.
+		/// <para>If the function succeeds, the function returns nonzero.</para>
+		/// <para>If the function fails, it returns zero. To get extended error information, call GetLastError.</para>
 		/// </returns>
+		/// <remarks>
+		/// <para>
+		/// The <c>LookupPrivilegeValue</c> function supports only the privileges specified in the Defined Privileges section of Winnt.h. For
+		/// a list of values, see Privilege Constants.
+		/// </para>
+		/// <para>Examples</para>
+		/// <para>For an example that uses this function, see Enabling and Disabling Privileges.</para>
+		/// </remarks>
+		// https://docs.microsoft.com/en-us/windows/desktop/api/winbase/nf-winbase-lookupprivilegevaluea BOOL LookupPrivilegeValueA( LPCSTR
+		// lpSystemName, LPCSTR lpName, PLUID lpLuid );
 		[DllImport(Lib.AdvApi32, CharSet = CharSet.Auto, SetLastError = true, BestFitMapping = false, ThrowOnUnmappableChar = true)]
+		[PInvokeData("winbase.h", MSDNShortId = "334b8ba8-101d-43a1-a8bf-1c7e0448c272")]
 		[return: MarshalAs(UnmanagedType.Bool)]
 		public static extern bool LookupPrivilegeValue(string lpSystemName, string lpName, out LUID lpLuid);
 
 		/// <summary>
-		/// The MapGenericMask function maps the generic access rights in an access mask to specific and standard access rights. The function applies a mapping
-		/// supplied in a <see cref="GENERIC_MAPPING"/> structure.
+		/// The MapGenericMask function maps the generic access rights in an access mask to specific and standard access rights. The function
+		/// applies a mapping supplied in a <see cref="GENERIC_MAPPING"/> structure.
 		/// </summary>
 		/// <param name="AccessMask">A pointer to an access mask.</param>
 		/// <param name="GenericMapping">
-		/// A pointer to a <see cref="GENERIC_MAPPING"/> structure specifying a mapping of generic access types to specific and standard access types.
+		/// A pointer to a <see cref="GENERIC_MAPPING"/> structure specifying a mapping of generic access types to specific and standard
+		/// access types.
 		/// </param>
 		[DllImport(Lib.AdvApi32, ExactSpelling = true)]
 		[PInvokeData("Winbase.h", MSDNShortId = "aa379266")]
 		public static extern void MapGenericMask(ref uint AccessMask, ref GENERIC_MAPPING GenericMapping);
 
 		/// <summary>The OpenProcessToken function opens the access token associated with a process.</summary>
-		/// <param name="ProcessHandle">A handle to the process whose access token is opened. The process must have the PROCESS_QUERY_INFORMATION access permission.</param>
+		/// <param name="ProcessHandle">
+		/// A handle to the process whose access token is opened. The process must have the PROCESS_QUERY_INFORMATION access permission.
+		/// </param>
 		/// <param name="DesiredAccess">
-		/// Specifies an access mask that specifies the requested types of access to the access token. These requested access types are compared with the
-		/// discretionary access control list (DACL) of the token to determine which accesses are granted or denied.
+		/// Specifies an access mask that specifies the requested types of access to the access token. These requested access types are
+		/// compared with the discretionary access control list (DACL) of the token to determine which accesses are granted or denied.
 		/// </param>
 		/// <param name="TokenHandle">A pointer to a handle that identifies the newly opened access token when the function returns.</param>
 		/// <returns>
-		/// If the function succeeds, the function returns nonzero. If the function fails, it returns zero. To get extended error information, call GetLastError.
+		/// If the function succeeds, the function returns nonzero. If the function fails, it returns zero. To get extended error
+		/// information, call GetLastError.
 		/// </returns>
 		[DllImport(Lib.AdvApi32, SetLastError = true, ExactSpelling = true)]
 		[return: MarshalAs(UnmanagedType.Bool)]
 		[PInvokeData("winbase.h", MSDNShortId = "aa379295")]
 		public static extern bool OpenProcessToken([In] IntPtr ProcessHandle, TokenAccess DesiredAccess, out SafeTokenHandle TokenHandle);
 
-		/// <summary>The OpenThreadToken function opens the access token associated with a thread.</summary>
+		/// <summary>The <c>OpenThreadToken</c> function opens the access token associated with a thread.</summary>
 		/// <param name="ThreadHandle">A handle to the thread whose access token is opened.</param>
 		/// <param name="DesiredAccess">
-		/// Specifies an access mask that specifies the requested types of access to the access token. These requested access types are reconciled against the
-		/// token's discretionary access control list (DACL) to determine which accesses are granted or denied.
+		/// <para>
+		/// Specifies an access mask that specifies the requested types of access to the access token. These requested access types are
+		/// reconciled against the token's discretionary access control list (DACL) to determine which accesses are granted or denied.
+		/// </para>
 		/// <para>For a list of access rights for access tokens, see Access Rights for Access-Token Objects.</para>
 		/// </param>
 		/// <param name="OpenAsSelf">
-		/// TRUE if the access check is to be made against the process-level security context.
-		/// <para>FALSE if the access check is to be made against the current security context of the thread calling the OpenThreadToken function.</para>
+		/// <para>TRUE if the access check is to be made against the process-level security context.</para>
 		/// <para>
-		/// The OpenAsSelf parameter allows the caller of this function to open the access token of a specified thread when the caller is impersonating a token
-		/// at SecurityIdentification level. Without this parameter, the calling thread cannot open the access token on the specified thread because it is
-		/// impossible to open executive-level objects by using the SecurityIdentification impersonation level.
+		/// <c>FALSE</c> if the access check is to be made against the current security context of the thread calling the
+		/// <c>OpenThreadToken</c> function.
+		/// </para>
+		/// <para>
+		/// The OpenAsSelf parameter allows the caller of this function to open the access token of a specified thread when the caller is
+		/// impersonating a token at <c>SecurityIdentification</c> level. Without this parameter, the calling thread cannot open the access
+		/// token on the specified thread because it is impossible to open executive-level objects by using the <c>SecurityIdentification</c>
+		/// impersonation level.
 		/// </para>
 		/// </param>
 		/// <param name="TokenHandle">A pointer to a variable that receives the handle to the newly opened access token.</param>
 		/// <returns>
-		/// If the function succeeds, the function returns nonzero. If the function fails, it returns zero. To get extended error information, call GetLastError.
+		/// <para>If the function succeeds, the return value is nonzero.</para>
+		/// <para>
+		/// If the function fails, the return value is zero. To get extended error information, call <c>GetLastError</c>. If the token has
+		/// the anonymous impersonation level, the token will not be opened and <c>OpenThreadToken</c> sets ERROR_CANT_OPEN_ANONYMOUS as the error.
+		/// </para>
 		/// </returns>
+		// BOOL WINAPI OpenThreadToken( _In_ HANDLE ThreadHandle, _In_ DWORD DesiredAccess, _In_ BOOL OpenAsSelf, _Out_ PHANDLE TokenHandle); https://msdn.microsoft.com/en-us/library/windows/desktop/aa379296(v=vs.85).aspx
 		[DllImport(Lib.AdvApi32, SetLastError = true, ExactSpelling = true)]
+		[PInvokeData("Winbase.h", MSDNShortId = "aa379296")]
+		// [return: MarshalAs(UnmanagedType.Bool)] public static extern bool WINAPI OpenThreadToken([In] IntPtr ThreadHandle, [In] uint
+		// DesiredAccess, [In] [MarshalAs(UnmanagedType.Bool)] bool OpenAsSelf, [Out] ref IntPtr TokenHandle);
 		[return: MarshalAs(UnmanagedType.Bool)]
 		public static extern bool OpenThreadToken([In] IntPtr ThreadHandle, TokenAccess DesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool OpenAsSelf, out SafeTokenHandle TokenHandle);
 
 		/// <summary>
-		/// The PrivilegeCheck function determines whether a specified set of privileges are enabled in an access token. The PrivilegeCheck function is typically
-		/// called by a server application to check the privileges of a client's access token.
+		/// The PrivilegeCheck function determines whether a specified set of privileges are enabled in an access token. The PrivilegeCheck
+		/// function is typically called by a server application to check the privileges of a client's access token.
 		/// </summary>
 		/// <param name="ClientToken">
-		/// A handle to an access token representing a client process. This handle must have been obtained by opening the token of a thread impersonating the
-		/// client. The token must be open for TOKEN_QUERY access.
+		/// A handle to an access token representing a client process. This handle must have been obtained by opening the token of a thread
+		/// impersonating the client. The token must be open for TOKEN_QUERY access.
 		/// </param>
 		/// <param name="RequiredPrivileges">
-		/// A pointer to a PRIVILEGE_SET structure. The Privilege member of this structure is an array of LUID_AND_ATTRIBUTES structures. Before calling
-		/// PrivilegeCheck, use the Privilege array to indicate the set of privileges to check. Set the Control member to PRIVILEGE_SET_ALL_NECESSARY if all of
-		/// the privileges must be enabled; or set it to zero if it is sufficient that any one of the privileges be enabled.
+		/// A pointer to a PRIVILEGE_SET structure. The Privilege member of this structure is an array of LUID_AND_ATTRIBUTES structures.
+		/// Before calling PrivilegeCheck, use the Privilege array to indicate the set of privileges to check. Set the Control member to
+		/// PRIVILEGE_SET_ALL_NECESSARY if all of the privileges must be enabled; or set it to zero if it is sufficient that any one of the
+		/// privileges be enabled.
 		/// <para>
-		/// When PrivilegeCheck returns, the Attributes member of each LUID_AND_ATTRIBUTES structure is set to SE_PRIVILEGE_USED_FOR_ACCESS if the corresponding
-		/// privilege is enabled.
+		/// When PrivilegeCheck returns, the Attributes member of each LUID_AND_ATTRIBUTES structure is set to SE_PRIVILEGE_USED_FOR_ACCESS
+		/// if the corresponding privilege is enabled.
 		/// </para>
 		/// </param>
 		/// <param name="pfResult">
-		/// A pointer to a value the function sets to indicate whether any or all of the specified privileges are enabled in the access token. If the Control
-		/// member of the PRIVILEGE_SET structure specifies PRIVILEGE_SET_ALL_NECESSARY, this value is TRUE only if all the privileges are enabled; otherwise,
-		/// this value is TRUE if any of the privileges are enabled.
+		/// A pointer to a value the function sets to indicate whether any or all of the specified privileges are enabled in the access
+		/// token. If the Control member of the PRIVILEGE_SET structure specifies PRIVILEGE_SET_ALL_NECESSARY, this value is TRUE only if all
+		/// the privileges are enabled; otherwise, this value is TRUE if any of the privileges are enabled.
 		/// </param>
 		/// <returns>
-		/// If the function succeeds, the function returns nonzero. If the function fails, it returns zero. To get extended error information, call GetLastError.
+		/// If the function succeeds, the function returns nonzero. If the function fails, it returns zero. To get extended error
+		/// information, call GetLastError.
 		/// </returns>
 		[PInvokeData("Winbase.h", MSDNShortId = "aa379304")]
 		[DllImport(Lib.AdvApi32, SetLastError = true, ExactSpelling = true)]
@@ -852,15 +984,16 @@ namespace Vanara.PInvoke
 		/// <para>Examples</para>
 		/// <para>For an example, see Reporting an Event.</para>
 		/// </remarks>
-		// https://docs.microsoft.com/en-us/windows/desktop/api/winbase/nf-winbase-registereventsourcea
-		// HANDLE RegisterEventSourceA( LPCSTR lpUNCServerName, LPCSTR lpSourceName );
+		// https://docs.microsoft.com/en-us/windows/desktop/api/winbase/nf-winbase-registereventsourcea HANDLE RegisterEventSourceA( LPCSTR
+		// lpUNCServerName, LPCSTR lpSourceName );
 		[DllImport(Lib.AdvApi32, SetLastError = true, CharSet = CharSet.Auto)]
 		[PInvokeData("winbase.h", MSDNShortId = "53706f83-6bc9-45d6-981c-bd0680d7bc08")]
 		public static extern IntPtr RegisterEventSource(string lpUNCServerName, string lpSourceName);
 
 		/// <summary>The RevertToSelf function terminates the impersonation of a client application.</summary>
 		/// <returns>
-		/// If the function succeeds, the function returns nonzero. If the function fails, it returns zero. To get extended error information, call GetLastError.
+		/// If the function succeeds, the function returns nonzero. If the function fails, it returns zero. To get extended error
+		/// information, call GetLastError.
 		/// </returns>
 		[DllImport(Lib.AdvApi32, ExactSpelling = true, SetLastError = true)]
 		[return: MarshalAs(UnmanagedType.Bool)]
@@ -868,27 +1001,35 @@ namespace Vanara.PInvoke
 		public static extern bool RevertToSelf();
 
 		/// <summary>
-		/// The SetThreadToken function assigns an impersonation token to a thread. The function can also cause a thread to stop using an impersonation token.
+		/// The <c>SetThreadToken</c> function assigns an impersonation token to a thread. The function can also cause a thread to stop using
+		/// an impersonation token.
 		/// </summary>
 		/// <param name="Thread">
-		/// A pointer to a handle to the thread to which the function assigns the impersonation token. If Thread is NULL, the function assigns the impersonation
-		/// token to the calling thread.
+		/// <para>A pointer to a handle to the thread to which the function assigns the impersonation token.</para>
+		/// <para>If Thread is <c>NULL</c>, the function assigns the impersonation token to the calling thread.</para>
 		/// </param>
 		/// <param name="Token">
-		/// A handle to the impersonation token to assign to the thread. This handle must have been opened with TOKEN_IMPERSONATE access rights. For more
-		/// information, see Access Rights for Access-Token Objects. If Token is NULL, the function causes the thread to stop using an impersonation token.
+		/// <para>
+		/// A handle to the impersonation token to assign to the thread. This handle must have been opened with TOKEN_IMPERSONATE access
+		/// rights. For more information, see Access Rights for Access-Token Objects.
+		/// </para>
+		/// <para>If Token is <c>NULL</c>, the function causes the thread to stop using an impersonation token.</para>
 		/// </param>
 		/// <returns>
-		/// If the function succeeds, the function returns nonzero. If the function fails, it returns zero. To get extended error information, call GetLastError.
+		/// <para>If the function succeeds, the return value is nonzero.</para>
+		/// <para>If the function fails, the return value is zero. To get extended error information, call <c>GetLastError</c>.</para>
 		/// </returns>
+		// BOOL WINAPI SetThreadToken( _In_opt_ PHANDLE Thread, _In_opt_ HANDLE Token); https://msdn.microsoft.com/en-us/library/windows/desktop/aa379590(v=vs.85).aspx
 		[DllImport(Lib.AdvApi32, SetLastError = true, ExactSpelling = true)]
+		[PInvokeData("Winbase.h", MSDNShortId = "aa379590")]
 		[return: MarshalAs(UnmanagedType.Bool)]
 		public static extern bool SetThreadToken(IntPtr Thread, SafeTokenHandle Token);
 
 		/// <summary>Closes an open object handle.</summary>
 		/// <param name="hObject">A valid handle to an open object.</param>
 		/// <returns>
-		/// If the function succeeds, the return value is nonzero. If the function fails, the return value is zero.To get extended error information, call GetLastError.
+		/// If the function succeeds, the return value is nonzero. If the function fails, the return value is zero.To get extended error
+		/// information, call GetLastError.
 		/// </returns>
 		[PInvokeData("WinBase.h", MSDNShortId = "ms724211")]
 		[ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success), DllImport(Lib.Kernel32, ExactSpelling = true, SetLastError = true)]
@@ -898,27 +1039,65 @@ namespace Vanara.PInvoke
 		/// <summary>Represents a safe handle for HTOKEN.</summary>
 		public class SafeTokenHandle : GenericSafeHandle
 		{
-			/// <summary>Retrieves a pseudo-handle that you can use as a shorthand way to refer to the access token associated with a process.</summary>
-			/// <remarks>A pseudo-handle is a special constant that can function as the access token for the current process. The calling process can use a pseudo-handle to specify the access token for that process whenever a token handle is required. Child processes do not inherit pseudo-handles.
+			/// <summary>
+			/// Retrieves a pseudo-handle that you can use as a shorthand way to refer to the access token associated with a process.
+			/// </summary>
+			/// <remarks>
+			/// A pseudo-handle is a special constant that can function as the access token for the current process. The calling process can
+			/// use a pseudo-handle to specify the access token for that process whenever a token handle is required. Child processes do not
+			/// inherit pseudo-handles.
 			/// <para>Starting in Windows 8, this pseudo-handle has only TOKEN_QUERY and TOKEN_QUERY_SOURCE access rights.</para>
-			/// <para>A process can create a standard handle that is valid in the context of other processes and can be inherited by other processes. To create this standard handle, call the DuplicateHandle function and specify the pseudo-handle as the source handle.</para>
-			/// <para>You do not need to close the pseudo-handle when you no longer need it. If you call the CloseHandle function with a pseudo-handle, the function has no effect. If you call DuplicateHandle to duplicate the pseudo-handle, however, you must close the duplicate handle.</para>
+			/// <para>
+			/// A process can create a standard handle that is valid in the context of other processes and can be inherited by other
+			/// processes. To create this standard handle, call the DuplicateHandle function and specify the pseudo-handle as the source handle.
+			/// </para>
+			/// <para>
+			/// You do not need to close the pseudo-handle when you no longer need it. If you call the CloseHandle function with a
+			/// pseudo-handle, the function has no effect. If you call DuplicateHandle to duplicate the pseudo-handle, however, you must
+			/// close the duplicate handle.
+			/// </para>
 			/// </remarks>
 			public static readonly SafeTokenHandle CurrentProcessToken = new SafeTokenHandle((IntPtr)4, false);
 
-			/// <summary>Retrieves a pseudo-handle that you can use as a shorthand way to refer to the token that is currently in effect for the thread, which is the thread token if one exists and the process token otherwise.</summary>
-			/// <remarks>A pseudo-handle is a special constant that can function as the access token for the current thread. The calling thread can use a pseudo-handle to specify the access token for that thread whenever a token handle is required. Child threads do not inherit pseudo-handles.
+			/// <summary>
+			/// Retrieves a pseudo-handle that you can use as a shorthand way to refer to the token that is currently in effect for the
+			/// thread, which is the thread token if one exists and the process token otherwise.
+			/// </summary>
+			/// <remarks>
+			/// A pseudo-handle is a special constant that can function as the access token for the current thread. The calling thread can
+			/// use a pseudo-handle to specify the access token for that thread whenever a token handle is required. Child threads do not
+			/// inherit pseudo-handles.
 			/// <para>Starting in Windows 8, this pseudo-handle has only TOKEN_QUERY and TOKEN_QUERY_SOURCE access rights.</para>
-			/// <para>A thread can create a standard handle that is valid in the context of other threads and can be inherited by other threads. To create this standard handle, call the DuplicateHandle function and specify the pseudo-handle as the source handle.</para>
-			/// <para>You do not need to close the pseudo-handle when you no longer need it. If you call the CloseHandle function with a pseudo-handle, the function has no effect. If you call DuplicateHandle to duplicate the pseudo-handle, however, you must close the duplicate handle.</para>
+			/// <para>
+			/// A thread can create a standard handle that is valid in the context of other threads and can be inherited by other threads. To
+			/// create this standard handle, call the DuplicateHandle function and specify the pseudo-handle as the source handle.
+			/// </para>
+			/// <para>
+			/// You do not need to close the pseudo-handle when you no longer need it. If you call the CloseHandle function with a
+			/// pseudo-handle, the function has no effect. If you call DuplicateHandle to duplicate the pseudo-handle, however, you must
+			/// close the duplicate handle.
+			/// </para>
 			/// </remarks>
 			public static readonly SafeTokenHandle CurrentThreadEffectiveToken = new SafeTokenHandle((IntPtr)6, false);
 
-			/// <summary>Retrieves a pseudo-handle that you can use as a shorthand way to refer to the impersonation token that was assigned to the current thread.</summary>
-			/// <remarks>A pseudo-handle is a special constant that can function as the impersonation token for the current thread. The calling thread can use a pseudo-handle to specify the impersonation token for that thread whenever a token handle is required. Child threads do not inherit pseudo-handles.
+			/// <summary>
+			/// Retrieves a pseudo-handle that you can use as a shorthand way to refer to the impersonation token that was assigned to the
+			/// current thread.
+			/// </summary>
+			/// <remarks>
+			/// A pseudo-handle is a special constant that can function as the impersonation token for the current thread. The calling thread
+			/// can use a pseudo-handle to specify the impersonation token for that thread whenever a token handle is required. Child threads
+			/// do not inherit pseudo-handles.
 			/// <para>Starting in Windows 8, this pseudo-handle has only TOKEN_QUERY and TOKEN_QUERY_SOURCE access rights.</para>
-			/// <para>A thread can create a standard handle that is valid in the context of other threads and can be inherited by other threads. To create this standard handle, call the DuplicateHandle function and specify the pseudo-handle as the source handle.</para>
-			/// <para>You do not need to close the pseudo-handle when you no longer need it. If you call the CloseHandle function with a pseudo-handle, the function has no effect. If you call DuplicateHandle to duplicate the pseudo-handle, however, you must close the duplicate handle.</para>
+			/// <para>
+			/// A thread can create a standard handle that is valid in the context of other threads and can be inherited by other threads. To
+			/// create this standard handle, call the DuplicateHandle function and specify the pseudo-handle as the source handle.
+			/// </para>
+			/// <para>
+			/// You do not need to close the pseudo-handle when you no longer need it. If you call the CloseHandle function with a
+			/// pseudo-handle, the function has no effect. If you call DuplicateHandle to duplicate the pseudo-handle, however, you must
+			/// close the duplicate handle.
+			/// </para>
 			/// </remarks>
 			public static readonly SafeTokenHandle CurrentThreadToken = new SafeTokenHandle((IntPtr)5, false);
 
@@ -934,6 +1113,7 @@ namespace Vanara.PInvoke
 
 			/// <summary>Gets an instance that is equivalent to NULL HTOKEN.</summary>
 			public static SafeTokenHandle Null { get; } = new SafeTokenHandle(IntPtr.Zero, false);
+
 			/// <summary>Gets a value indicating whether this token is elevated.</summary>
 			/// <value><c>true</c> if this instance is elevated; otherwise, <c>false</c>.</value>
 			public bool IsElevated => GetInfo<TOKEN_ELEVATION>(TOKEN_INFORMATION_CLASS.TokenElevation).TokenIsElevated;
@@ -942,7 +1122,7 @@ namespace Vanara.PInvoke
 			/// <param name="hProcess">The process handle.</param>
 			/// <param name="desiredAccess">The desired access. TOKEN_DUPLICATE must usually be included.</param>
 			/// <returns>Resulting token handle.</returns>
-			public static SafeTokenHandle FromProcess(IntPtr hProcess, TokenAccess desiredAccess = TokenAccess.TOKEN_DUPLICATE) => 
+			public static SafeTokenHandle FromProcess(IntPtr hProcess, TokenAccess desiredAccess = TokenAccess.TOKEN_DUPLICATE) =>
 				!OpenProcessToken(hProcess, desiredAccess, out SafeTokenHandle val) ? throw new Win32Exception() : val;
 
 			/// <summary>Get the token handle instance from a process handle.</summary>
@@ -969,14 +1149,15 @@ namespace Vanara.PInvoke
 			}
 
 			/// <summary>
-			/// Retrieves a specified type of information about an access token cast to supplied <typeparamref name="T"/> type. The calling process must have
-			/// appropriate access rights to obtain the information. <note type="note">The caller is responsible for ensuring that the type requested by
-			/// <typeparamref name="T"/> matches the type information requested by <paramref name="tokenInfoClass"/>.</note>
+			/// Retrieves a specified type of information about an access token cast to supplied <typeparamref name="T"/> type. The calling
+			/// process must have appropriate access rights to obtain the information. <note type="note">The caller is responsible for
+			/// ensuring that the type requested by <typeparamref name="T"/> matches the type information requested by <paramref name="tokenInfoClass"/>.</note>
 			/// </summary>
 			/// <param name="tokenInfoClass">
-			/// Specifies a value from the TOKEN_INFORMATION_CLASS enumerated type to identify the type of information the function retrieves. Any callers who
-			/// check the TokenIsAppContainer and have it return 0 should also verify that the caller token is not an identify level impersonation token. If the
-			/// current token is not an application container but is an identity level token, you should return AccessDenied.
+			/// Specifies a value from the TOKEN_INFORMATION_CLASS enumerated type to identify the type of information the function
+			/// retrieves. Any callers who check the TokenIsAppContainer and have it return 0 should also verify that the caller token is not
+			/// an identify level impersonation token. If the current token is not an application container but is an identity level token,
+			/// you should return AccessDenied.
 			/// </param>
 			public T GetInfo<T>(TOKEN_INFORMATION_CLASS tokenInfoClass)
 			{
@@ -1004,9 +1185,9 @@ namespace Vanara.PInvoke
 						case TOKEN_INFORMATION_CLASS.TokenOrigin:
 						case TOKEN_INFORMATION_CLASS.TokenElevationType:
 						case TOKEN_INFORMATION_CLASS.TokenUIAccess:
-							var i = Marshal.ReadInt32((IntPtr) pType);
+							var i = Marshal.ReadInt32((IntPtr)pType);
 							if (typeof(T).IsEnum)
-								return (T) Enum.ToObject(typeof(T), i);
+								return (T)Enum.ToObject(typeof(T), i);
 							return (T)Convert.ChangeType(i, typeof(T));
 
 						case TOKEN_INFORMATION_CLASS.TokenLinkedToken:
@@ -1038,7 +1219,7 @@ namespace Vanara.PInvoke
 							return pType.ToStructure<T>();
 
 						case TOKEN_INFORMATION_CLASS.TokenPrivileges:
-							return (T)Convert.ChangeType(PTOKEN_PRIVILEGES.FromPtr((IntPtr) pType), typeof(T));
+							return (T)Convert.ChangeType(PTOKEN_PRIVILEGES.FromPtr((IntPtr)pType), typeof(T));
 
 						default:
 							return default(T);
@@ -1047,12 +1228,14 @@ namespace Vanara.PInvoke
 			}
 
 			/// <summary>
-			/// Retrieves a specified type of information about an access token. The calling process must have appropriate access rights to obtain the information.
+			/// Retrieves a specified type of information about an access token. The calling process must have appropriate access rights to
+			/// obtain the information.
 			/// </summary>
 			/// <param name="tokenInfoClass">
-			/// Specifies a value from the TOKEN_INFORMATION_CLASS enumerated type to identify the type of information the function retrieves. Any callers who
-			/// check the TokenIsAppContainer and have it return 0 should also verify that the caller token is not an identify level impersonation token. If the
-			/// current token is not an application container but is an identity level token, you should return AccessDenied.
+			/// Specifies a value from the TOKEN_INFORMATION_CLASS enumerated type to identify the type of information the function
+			/// retrieves. Any callers who check the TokenIsAppContainer and have it return 0 should also verify that the caller token is not
+			/// an identify level impersonation token. If the current token is not an application container but is an identity level token,
+			/// you should return AccessDenied.
 			/// </param>
 			/// <returns>The block of memory containing the requested information.</returns>
 			public SafeCoTaskMemHandle GetInfo(TOKEN_INFORMATION_CLASS tokenInfoClass)
@@ -1074,4 +1257,4 @@ namespace Vanara.PInvoke
 			}
 		}
 	}
-}
+}
\ No newline at end of file