
PowerShell module NtObjectManager

Among other things, the NtObjectManager module makes it possible to inspect kernel objects.

NtObjectManager Provider and its Drives

The kernel objects are exposed through a special provider (NtObjectManager). This provider exposes four drives:
PS C:\> (get-psProvider NtObjectManager).drives | select name, root

Name            Root
----            ----
NtObject        nt:
NtObjectSession nt:Sessions\1\BaseNamedObjects
NtKey           ntkey:
NtKeyUser       ntkey:User\S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1001

The NtObject drive allows listing the kernel objects:
PS C:\> ls NtObject:\
…

PS C:\> ls NtObject:\KernelObjects
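
As an added example (not part of the original notes), the drives can be used to take a quick inventory of which object types live in a directory, for instance to baseline the named objects in the current session. The helper name Get-NtObjectTypeSummary is hypothetical, and the code assumes that the module is installed and that the entries returned by the drive expose Name and TypeName properties.

```powershell
# Added example: summarize the kernel object types found in one directory
# of an NtObjectManager drive.
# Assumptions: the NtObjectManager module is installed, and the entries
# returned by Get-ChildItem carry Name and TypeName properties.
Import-Module NtObjectManager

function Get-NtObjectTypeSummary {   # hypothetical helper name
    param(
        [string] $Path = 'NtObject:\'
    )

    # A non-elevated user cannot list every directory; collect such
    # errors in $listErrors instead of aborting the inventory.
    $listErrors = @()
    $entries = Get-ChildItem -Path $Path -ErrorAction SilentlyContinue -ErrorVariable listErrors

    # One row per object type: how many entries, plus a few sample names.
    $entries |
        Group-Object -Property TypeName |
        Sort-Object -Property Count -Descending |
        Select-Object @{ n = 'TypeName'; e = { $_.Name } },
                      Count,
                      @{ n = 'Examples'; e = { ($_.Group | Select-Object -First 3 -ExpandProperty Name) -join ', ' } }

    if ($listErrors.Count -gt 0) {
        Write-Warning "$($listErrors.Count) error(s) while listing $Path"
    }
}

# Root of the object namespace, then the current session's named objects
# (the NtObjectSession drive from the drive list above).
Get-NtObjectTypeSummary -Path 'NtObject:\'
Get-NtObjectTypeSummary -Path 'NtObjectSession:\'
```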
